Things like this make me very, very angry! So many missteps over the years. So many things bungled. So many dark patterns to fool users. Yet, where is the mass exodus of employees from Facebook? If you're still working in any company that Facebook owns in the technology or privacy or legal front, don't you realize what harm you're contributing to? And you're still ok with that? Don't you have a choice?
I'm appalled that thousands of people still work for this company by choice.
Even though you never hear the counterpoint on HN, it’s important to remember that FB’s behaviors are not necessarily objectively bad - people can have different views on these things.
I agree that people can have different views on these things for various reasons. But I don't see how "FB's behaviors are not necessarily objectively bad", unless one considers only the profit motive as prime without giving any thought to other factors. Can you expand on that?
Well, for one thing, nothing is objectively good or bad. Value judgments come from people, and people have widely varying perspectives.
For another, the reason there's no mass exodus from Facebook is that Facebook users do not perceive the company as harming them. They perceive it as a useful service for staying in touch with friends and family. The utility it provides outweighs privacy concerns, because most people do not care about digital privacy. They care that no one is watching them go to the bathroom or have sex, but they do not care whether advertisers can target them based on aggregated information.
Thank you. Seems like you associate objectivity with popularity. Like in if all/most people consider something good/evil then it is objectively good/evil. I wasn't aware of this view.
It is about taking responsibility. That it does not hurt right now does not absolve us from that.
As an example, look into how Nazi Germany and the GDR used collected data. That is the reason why Germany has very strict privacy laws nowadays. But people like to forget about this by now...
Taking all behaviors as a whole, from operating the network to the nefarious things they do to make money, many would argue that they are not bad. Preferred over the actual alternatives (e.g. unstable networks, not existing at all, etc) for many in fact.
While I am not a user and don't condone their practices, lots of people are happy and willing participants. Whether they need to be protected from themselves ala seat belts and cigarettes is a societal decision, but right now it's clear the citizenry has a favorable view of them even despite the onslaught from legislators and overarching media narratives.
Going on a tangent here...But I've been thinking about this. At some point it's going to come to a head between these two views of FB if the squeakiest wheels also influence laws. If you rock people's comfy boat too much, there will be backlash.
>But I don't see how "FB's behaviors are not necessarily objectively bad", unless one considers only the profit motive as prime without giving any thought to other factors. Can you expand on that?
Anti-Disclaimer: I do not work for Facebook nor have I ever in the past.
I think the challenge on expanding on that is that you have not made a case for why it is objectively bad. Your posture is one of an assumption that everyone here understands and has the facts that you have. So it is hard to answer your question without knowing what you are thinking.
Additionally, I am wondering why the question is specifically about FB devs, as opposed to Google's? Or frankly, so many other companies who are likely making money in similar ways. Guessing that should include Yelp, LinkedIn, etc (not sure, though). Are we targeting FB merely because they're very effective?
For me, I have said it here and in person before: I do not see a problem so far in what Facebook is doing. I mean, I have quite a lot of personal issues with Facebook, which is why I have never had an account. Over 10 years ago when my friends in college asked why I did not have an account, my response was always "Why would I want a private company to know who my friends are? That is information that is precious." However, that's my personal issue, and my stance is and has always been that if a particular user is OK with Facebook having that information in exchange for their services, there is no ethical/moral dilemma. It is a transaction, and neither party is being coerced. So I have never been in favor of legislation that limits this relationship.
Now it should not be hard to understand that for me, if I've lived a fine life all this time without Facebook, any kind of argument that "not joining Facebook is not a realistic option" will not receive my sympathies.
The basic data collection is fairly transparent: Everything you provide to them (content, contacts, etc) is available to them. No user should be surprised that they utilize this information. It is the default assumption for any online service. If you use your Facebook account to log into other sites, it should be obvious that Facebook has that info. With regards to the more "shadowy" aspects (e.g. cookies tracking you across sites, etc), a point could be made, but honestly none of this is shadowy any more - it's been in the press repeatedly for years. Once again, if the users don't care, I don't see how it can be "objectively bad".
People tend to invoke the user's ignorance: Most users are not tech savvy and cannot be expected to know how all this works - so they cannot reasonably know they are making a bad bargain. I am not sympathetic to this. The reason is that in all the years Facebook has been in existence, I have talked to and educated many average folks about the potential downsides of giving a private company so much information about you. Everyone I spoke to was quite OK with the whole concept. Not one person felt it was problematic. So not only do I not have a reason to think FB is "objectively bad", I cannot even invoke social proof! Whatever bad people keep claiming is coming out of FB is something most of the population does not think is bad.
I have few sympathies for the (very few) people who are whining about it, because their behavior is similar to irresponsible adults who continually make bad decisions and have lives wrecked as a result, and then expect to get bailed out. Like not buying earthquake insurance in an earthquake zone and then demanding compensation when they lose their house.
Facebook did not become what they did by being clever against their users. They got there by working with them. Any discussion of issues about Facebook without implicating the users who happily helped them is biased.
Finally, and perhaps the most controversial part of my comment: Let's not kid ourselves. People are upset about this because it helped Trump more than any real concern about our privacy. Had a more likeable candidate (Obama, etc) used data from CA to help win an election, I would expect a fraction of the coverage this is getting right now. In fact, I think Obama did heavily utilize these services in 2008 and 2012 - just not as effectively as Trump's campaign did. If anything, Trump's campaign was merely more effective.
I recently converted to your camp of thinking. Facebook is the manifestation of the ignorance, not the source of it. Recently I had conversations with female friends who said this directly to me: "I don't care if Facebook logs my sensitive messages and my nudes are leaked as a result of that."
Privacy to the average person is like hell to the non-Christian.
Yes, sadly people in the tech space don’t put a lot of thought into the consequences of their actions in the long term. I.e., do we really need more engagement in video games even if customers forget to eat??
Given the turnover rate of employees in the valley, I think most employees currently working for Facebook probably joined with a similar perception of it as people have today. Which is to say: most people who find Facebook's business practises incompatible with their ethics filtered themselves out before applying.
The devs are basically soldiers following the chain of command. The devs aren't going to do much unless they are threatened themselves because they get to enjoy rich, comfy lives as a result of their association to FB. It's easy to put blinders on to the rest of the harm they are contributing to when they don't really suffer from the impact of their work (or convince themselves they are doing the right thing).
As a modern analogy, imagine Erdogan's military and bodyguards. With all the global news on the matter, it's evident they are causing a lot of oppression to many people and basically contributing to a dictatorship, yet they still do as they are told from the top because their own benefit depends on it. Hell, he even got them to suppress a coup threatening his own power.
In order for FB to really change, it needs to change from the top. Otherwise, it's a massive effort to convince everyone at the bottom to push back against the top and threaten their own job security. The reality is Zuck, Andreessen, and the other board members at the top don't care to change, because changing for the benefit of their users also means less riches for themselves.
An employee Exodus would require a drastic surprise for those paying close attention to the company.
For various reasons, I would estimate Google and Microsoft have historically had the possibility of recruiting from about half the senior Engineers in my niche. Facebook and Amazon are a bit lower, maybe as low as a quarter.
For companies bought by these companies there is a general readjustment as up to about half the engineers who would have refused a job offer from them leave while trying to take the most value in vesting schedules and line up something elsewhere.
The "Exoduses" from incompatible buyouts don't really make headlines because 50% over ~3 years with replacement is hard to see from the outside and most tech mergers are catastrophes if both companies' lines were actually supposed to remain profitable.
Exactly my feelings. Until devs and support staff stop contributing to the harm, I'll continue to fight their policies. For me, real social is happening on E2EE messaging with Wickr and Signal.
Zuck specifically answered questions covering shadow profiles during his inquisition. They exist and are used even if that user is not a Facebook user. It’s not an unknown.
Do you have a source for that? I watched both hearings end to end and I only recall shadow profiles being mentioned once, and the answer was "I’m not familiar with that"...
It depends on what you mean by "profile". I've got a feeling you're using a very specific definition and we're not going to come to an agreement. For me, a shadow profile is a set of data that can be correlated with you personally after the fact if you do decide to sign up for an account.
I can agree with you on that definition and have yet to see evidence that they do what you say.
I think we need to distinguish what data collection means...just because you have a Facebook cookie in your browser which causes the browser to fire a request every time there is a call to Facebook's domains and therefore send meta information about OS, Browser, IP, etc (which is hard to turn off without reinventing the web) doesn’t mean FB (just like any other website that uses cookies) does anything with that meta data or stores it at all.
I think we need to be careful about judging what they technically do and what they actually do!
Many people in this debate default to assuming the worst...which is never a useful position to take. I would suggest assuming the good intent on FB's behalf and then reverse engineer from there.
Why is assuming the worst not a useful position to take? In particular when it comes to a corporation that doesn't have my best interests as its primary concern (if at all)?
I'd argue that, in general, assuming the worst is probably the best starting point. Trust is earned, not the default.
Only if the personal data is necessary to provide the service. And "my business model makes it necessary" doesn't cut it. Otherwise you need consent, but you can't DoS if it's denied.
I'd phrase it the other way around: you can't impose certain clauses in the contract (in this case, an obligation to consent to certain kinds of processing of personal data). Laws forbidding certain contract clauses are nothing new.
So I’m required to develop a bad version of my product for the small subset who don’t consent?
Sounds a ton like the Windows Reduced Edition fiasco all over again but at a much more massive scale - forcing by law the development of a product almost no one wants.
You don't need consent for the cases when processing personal data is necessary to provide a feature for the user. For example, if you have a "find my friends near me" feature, you don't have to ask for consent to use the user's location for that purpose.
So there's never a reason why the product must be worse for any particular subset of users.
When you need to ask consent is when you're trying to use personal data in ways that aren't directly related to providing features for that user. Like, for example, ads.
And you can't develop a bad version to "punish" users who don't consent to those unrelated uses of their personal data, because then the consent wouldn't be freely given.
I for one would gleefully welcome it sinking. I'd probably throw a large party to many people if, by that time, we have a great privacy focused alternative too (preferably decentralized).
Facebook has become a social justice issue (to steal a strong phrase).
Just after that Terms screen I got three real consent screens (including one about ads tracking and one about face recognition). I think this screen is only about the TOS update.
Did you archive your data before deleting? If so, how did it work?
I haven't signed in for years, but I have stuff on there going back to high school (back when you had to have an education email address to make an account, now that I think about it) which I'm sure would be fun to look through down the road.
I downloaded the archive and then deleted my account. There were some pictures and videos I’d forgotten about which was nice, but given I’d already stopped using it, why leave the account around?
What about memes pages?
That's the only reason I keep my account. Also, I don't even see ads with an ad-blocker. What are they going to try to sell me, a meme page subscription?
They aren't trying to sell you anything. They are selling you to others.
They are selling you to not just advertisers but selling your profile to companies that are able to use your profiled information to make their own decisions about things.
It's not just about advertisements. Imagine if you didn't serve a single advertisement and instead bought profiling information about people. You could use that profile information to make business or political decisions regardless of whether an advertisement was sold.
You could influence politics because you "know" your target audience.
Say, for example, the US presidential election or Brexit. Those are just the most high profile places for your profile to be used without ever having presented an advertisement to you.
I've been (down voted) for saying this before: it is not just ads that they are selling.
The big money is going to be selling your profile to everyone, including insurers - health, auto, home, etc. Good luck getting a good deal when they know how much you drink and the food you eat.
To the government - eventually that guaranteed Social Security and 401k will be means tested, and it appears you're spending on luxuries that disqualify you. The possibilities are endless.
And I know for a fact that there are more than a few HN readers who work for companies mediating this data.
> Good luck getting a good deal when they know how much you drink and the food you eat.
That would go both ways, right? With the extra information, insurance companies would be _more_ keen on insuring those who behave in a way that makes insurance payouts less likely.
I wouldn't hold my breath, though. My car insurance was set at about $900/year by my insurer for 5 or 6 years. In that time, they never once lowered the price, even though I had one or two tickets expire, had a perfect driving record during that time, and my car lost about half its value due to aging.
Only when I finally decided to get a new quote from my credit union - about $400 for the year (less than half I'd been paying for years) - did my current insurer offer to reduce to close to that price, which is what I would have been paying had I been a new customer with my current record.
In other words, corporations will find a way to extract the maximum possible from everyone.
> What about memes pages? that's the only reason I keep my account.
Directly go to reddit or 4chan. Everything on facebook is 7 day old trash from reddit.
> Also, I don't even see ads with an ad-blocker. What are they going to try to sell me, a meme page subscription?
That you don't see it does not mean Facebook does not track you and is not interested in selling stuff to you. It will just use your data to sell stuff to your family members.
If you scroll down the twitter thread, you can see clicking "other options" instead of "accept" gives you a screen saying "if you don't want to accept the new TOS, click here to download a copy of your data and delete your account"
Even if you can't access the link, you can definitively send them an email citing the appropriate GDPR articles and demand a way to delete the account without approving anything.
The 4% is a maximum fine, not a minimum. But indeed the regulators could choose to go quite high against a violator that is as persistently obstinate as Facebook despite having their level of resources and expertise.
Let's not beat around the bush: the GDPR was created mostly because of Facebook. So if anyone is going to get the maximum penalty to be made an example of, it's going to be them.
VPN in and delete your account? I've no personal experience to know if this is the wrong use case but I've seen it recommended enough on HN now to think it's the right solution for this issue.
I imagine that doing this would have a downside: if they think you are outside the EU, they are not obligated to fully delete your data - it would live forever as soft-deleted, which may not be what you want if your intention is to protest against tracking.
The purpose of the suggested VPN was to send your traffic to FB from outside the EU. That would then make it so FB didn't prompt you with new EU TOS, so you could click through (since you wouldn't be governed by GDPR). But the catch is that since the traffic outside the EU wouldn't be governed by GDPR, there is also no recourse if they don't hard delete (of course it would be hard to verify if they did, like you pointed out).
Interesting. It seems like after the senate hearings, Facebook is trying to communicate to its users that sending them your data is a necessary part of using their services.
That's what I would do: quit Europe. FB is part of life of millions of people. They would cancel this GDPR thing in a day to save their FB experience. Or at least add an exception to GDPR for FB.
For US & Canada this was $86.65 in the last 4 quarters.
For Europe this was $34.95.
Keep in mind they likely don't target ads using just one person's data: accuracy can be improved by looking at the data of similar people, and looking at the data of friends and family. It isn't as simple as offering a $10/month plan to keep your privacy, because they want everyone's data.
"Your data is worthless, everyone's data is priceless."
GDPR doesn't cover enough of the population using Facebook to warrant such a change to their business model where you can use the service without them using your data. They believe they are entrenched enough to just require this (and likely are for many EU residents).
I'm really curious to find out if the GDPR privacy stance (I'm American, not well traveled, and with no non american social circle) is like the 'no JavaScript' community. Vastly over represented in the tech community and not really representative of the population as a whole.
In other words, are 99% of European citizens going to just click through whatever annoying prompts they have to in order to get to their Facebook (that's what I would do) or is there an actual widespread cultural difference in the EU that would stop large segments from agreeing to this?
To give you an idea, I work at a school. Every member of teaching staff, all of admin, site-services and IT have had GDPR training. Getting consent for photos, for school trips, referral to outside agencies is a substantial issue, as is leaving student records on desks, keeping files with PII on encrypted sticks etc.
In the case of a permission slip - the school already holds lots of info that the school collects under the 'Public Task' or 'Legal Obligation' bases.
The slip then contains additional information that is only collected because the kid is going on a trip, but is necessary for the trip. This would be collected under the Contract basis 'If you want to go on this trip, the following info is necessary'.
If the school also wants to take photos of the child on the trip, for example, then the parent will be asked for consent.
So to answer your question, the parent (assuming the child is under 16) could ask for:
1. The photo consent to be removed - in which case the trip must continue
2. The info pertaining to the school trip to be removed (in which case the kid would no longer be going on the trip)
But they cannot request the core data that the school holds to be removed, unless they take their kid to another school.
The click-through is itself likely violating the regulation. All it takes is for someone to complain; it's not enough for 99% of people to click through.
EU courts take notice when someone files a complaint. In the past, great people like Max Schrems have taken the mantle. I'd certainly support him or anyone else planning to follow up on his work.
I think the current population that wants GDPR privacy stance is small but feared to be influential by Facebook.
It also coincides with FB's recent privacy breach news and overall general public dissatisfaction with FB's policies.
I know a lot of folks who simply don't use FB and are realizing that it's "really not free" in liability terms.
So does this turn into a groundswell? Probably not, I agree with you. However, it does put some fences up that are probably causing FB to feel a bit more nervous. GDPR may be the first of many such efforts...
In reality, caring so much about their privacy seems to be a German/Nordic thing. There was no public outcry that led to GDPR, it seems to have popped up more through bureaucracy rather than popular demand. I think most Europeans are just as oblivious/indifferent to privacy issues as Americans, and we don't even have the CA scandal here. So yes, 99% will just press accept and forget about it. It's mainly the vocal proponents that you hear.
In business circles there appears to be widespread panic about GDPR.
Amongst "ordinary" people, there is a growing sense of unease about data collection - reflected in the "Facebook must be listening to my phone because they overheard a conversation I was having and now I'm seeing ads for it".
I believe people are starting to understand the implications of data collection and are quite unhappy about it.
At least for some, it's the result of experiences with and/or knowledge about Stalinism, the Nazis, et al. For those, it doesn't matter what 99% of the people do, we don't derive the value of something from how many people do or think it, we derive the value of people from what they think and do in relations to these questions. It's fine to be "not well traveled", but I wouldn't put my hand into machinery I don't 100% understand. That you don't see what is the lioness and what are the cubs is not relevant to the lioness.
Are you talking with real knowledge of the facts, or is this a guess?
Because my guess would be that it would be cheaper to adhere to the rules rather than let a competitor grow big in Europe and eat their market elsewhere.
It's a guess. Facebook also controls many of the "competitors" currently. It's also not about not being compliant, they want their customers, it's just not worth reevaluating core aspects of the business when they believe people will sign whatever they have to to continue using Facebook.
As far as I know, the GDPR stipulates that you cannot deny people access to your service if they do not opt-in to tracking, unless the service you provide is very specifically a tracking service.
Tracking is not the primary service Facebook provides to their users, so the GDPR will not allow them to bar access for users who do not opt-in to being tracked.
No, because this ToS thing is not actually a GDPR-compliant opt-in. It's a routine ToS update, with a few tracking things tacked at the end of it.
Companies have always been able to deny users access if they don't accept a ToS, but clicking "I Accept" to the ToS shown in the screenshots is not a GDPR opt-in, and I cannot stress that enough. It is just a ToS update, which does not cover GDPR-compliant opt-in to tracking. The tracking questions following it are also not GDPR-compliant.
They will have to ask properly for opt-in when the 25th rolls around, or they will face fines for non-compliance.
FB is trying to muddy the waters with this ToS update, probably to fool people into thinking "well, I already accepted a bunch of stuff a couple of weeks ago, I'll just accept this GDPR thing as well". It seems that you've bought in to their misinformation campaign.
The GDPR stipulates that you cannot make access to your service contingent on opting in to tracking, unless your service cannot possibly function without tracking. Strava would be a good example, it cannot possibly work without tracking a user's GPS location.
But FB works just fine with no tracking at all. The only thing that would be compromised is FB's business model, and that's just tough luck, they'll have to come up with something better, a model that doesn't infringe on people's privacy.
Source: I work for a telco/ISP and we are extremely aware of GDPR and the consequences, and we've been working diligently for ~2 years to make our entire business GDPR-compliant. Training courses and tests of our understanding of the rules are mandatory for everyone, from customer support to CEO.
I originally was of your mindset as well (FB is in breach of compliance right now) but could not find any mention in the GDPR articles or recitals of "denial of access", "availability", etc. to back my views up. I would tend to agree with you if I could find a source for the stipulation in your 6th paragraph.
"Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1. See Recital 42’s reference to “without detriment”, Recital 43’s discussion of “freely given” consent, and Article 7(2) prohibition of conditionality. See also the UK Information Commissioner’s Office’s draft guidance on consent, 31 March 2017, p. 21, which clearly prohibits so-called “tracking walls”."
And how would Europe make an American company offer services to Europeans? Is there a legal pathway to do this or would their court summons be used to level out chairs in FB HQ?
They have a very easy choice actually. Either abide by the rules if they want to service EU citizens, or GTFO. If they want to give up a couple hundred million users and hand them over to the GDPR-compliant competition, that's their choice. It would be monumentally stupid, though. FB needs EU users a lot more than EU users need FB, but they're trying very hard to spin the press to make it appear the other way around.
It's like when McDonalds or a similar tax-dodging company threatens to leave a country if they face being forced to actually pay the taxes they owe. Leave millions and millions in profit right there on the table for their competitors to grab? Yeah right, ain't gonna happen.
http://news.bbc.co.uk/2/hi/8327185.stm - McDonalds pulled out of Iceland when it became too expensive. I wonder if the EU is going to price itself out of international technology. The effect would be less than ideal for a continent that preaches globalization.
They pulled out of one of the smallest markets they could find, as a PR move to "show that they mean business". They had three restaurants in the entire country, and they pulled out because of the financial crisis, not because of taxes. That's hardly a sign that they would pull out of France, Germany or even Denmark.
If by "international technology" you mean "blatant disregard for privacy", then good riddance. We don't need that sort of "technology".
Absolutely. I would not miss them at all here in Denmark, either. We have so many better cafés and fast food restaurants. We absolutely would not miss their bland junk.
I agree that Facebook isn't really "technology" and that losing it would probably be a net positive. I am worried that Europe will set a precedent that will discourage internet technologies from doing business in Europe disconnecting them from the world.
If American tech companies ever pull out of Europe, other startups will quickly fill the void. After all, it's not like the technology isn't available in Europe. Somebody just needs to build a product using it.
That would be great for diversity, not to mention provide a fertile playground for much-needed alternatives. Too bad it probably won't happen.
They can't force Facebook to provide any service, but they can present them with an ultimatum: decouple use of the platform from consent for use of personal data for tracking, don't offer said service, or pay a fine.
> GDPR doesn't cover enough of the population using Facebook to warrant such a change to their business model where you can use the service without them using your data.
The real question isn't population, it's revenue per user. A typical American or a European will draw a lot more revenue to Facebook than a typical person from a 3rd world country accessing Facebook through "Free Basics."
My educated guess is that Europe is Facebook's #2 market behind the US, and there's enough revenue there for them to change their business model.
Mark's attitude during the Cambridge Analytica issue very well reflected the fact that: Users are not going to stop using FB, so why bother much about bending the company rules, instead bend the users.
I should have been more clear in my comment, I was referring to international high speed trains. Including mandatory registration of passengers and keeping the data for X years. Presumably these passenger manifests are also exchanged with other countries.
But even regional services include oodles of cameras, including on the trains. There's tracking of passengers and their destination. There are heavily armed guards/police/soldiers in many European train stations.
Hmmm...those trains I step onto are (a) typically high speed and (b) quite often "international", though the concept really doesn't make much sense in the Schengen Area.
Are you talking about the Eurostar service from London (I remember the Waterloo station, though I hear it has moved to St. Pancras)? That's the only one I can think of that fits your description.
The Thalys from Cologne to Paris via Belgium is/was also simple walk on walk off with normal train stations.
The Thalys has security theatre with luggage x-ray in several locations, including Paris and Antwerp. It's currently not active 24/7, but it will be soon.
On the TGV from Luxembourg to France, there were no barriers. And nobody ever asked me for my ID; in one of the legs, they didn't even check our tickets.
I don't doubt they keep those manifests, but I've found very little actual control.
Brussels does have troops going around, which is unsettling, but I never saw them inside the actual station, nor stopping people entering it, even after that poor devil immolated himself last year.
Curious. Is that very recent? I was in Amsterdam last year and while I remember the ticket validators, I don't remember them being mandatory; I think we've even passed them to cross the station to the other side, to catch the ferry.
In Utrecht they recently closed the main corridor from one end of the station to the other (which, unlike the Amsterdam station, also splits the city in half).
Fortunately, they left a relatively narrow outside corridor open. Still feels odd to have to check in and out again when you're coming from or to some of the main busses, or take a detour.
Living in the UK, I've not really seen any invasive security, beyond a ticket turnstile at train stations, or anywhere in Europe. Is this a thing in the US?
I regularly travel to Peru. For years now, it has been the policy of the Peruvian aviation authority that you may not board flights to the US with bottles of water purchased after the security checkpoint.
They have queues set up at the gate to rifle through your knickers in search of contraband dihydrogen monoxide, and will force you to dump any you have, and/or deny you boarding if you don't comply obsequiously enough.
Flying to Mexico (or anywhere else) and then the States? Or even Europe? You're fine. Even when you board the flight that will land in the States, your water is welcome. It's only direct flights to the US, and it's only (in my experience) enforced on outbound flights, from Lima. I've never encountered this anywhere else, and I've visited dozens of countries, and did a several months long RTW a few years ago.
Once you've spent 6-10 hours in a can at cruising altitude, with only the occasional thimbleful of water a few times, because of this kind of invasive idiocy, you might have a broader perspective on how much of aviation security is theater.
EDIT: That's just one example of the absurdity I've encountered in my travels. Another: being told that my carry-on sized backpack was somehow a material threat to the plane I was trying to board, and that it needed to be checked in the hold.
What am I supposed to do there? Logic my way out of my paid fare? Into one of $country's TSA-alike's interrogation rooms?
This nonsense is endemic to air travel, over the last decade particularly, and it's only getting worse.
Istanbul is not exactly Europe, and from what I hear from US friends they get special treatment there. Someone (from the US) I know swapped planes in Istanbul and said never again.
I doubt they released this without consulting the relevant data agencies in the EU. And TBH there is nothing shocking here, just a confirmation of what everybody knows is already happening.
I'm also in the EU and this makes perfect sense to me: if you can't accept seeing some ads then you can't use the free service. I highly doubt people are willing to pay $5 cash / quarter to use it, but I would like to see FB giving that option, just to see how miserably it fails.
According to GDPR, you cannot make access to your service require opt-in to tracking, unless your service very specifically cannot work in any way without tracking. And no, your business model not working because you cannot track users anymore is not the same as your service not working. Find a better business model.
Facebook would still work just fine without the tracking, as proven by the fact that you can switch off targeted ads and everything still works fine.
I'm actually much more interested in what Google collects about me. At least for me, it's somewhat transparent that Facebook tries to slurp up all they can, but it's much less clear with Google, that seems to try to downplay that they are in fact also, heavily reliant on your data.
Does anyone know if Google has made any statements on this?
If you'd like to see what Google has about you, you can visit https://www.google.com/settings/takeout (or search for "Google Takeout"). Google has maintained and updated its own solution to export data it has collected from you, the user.
While I do trust Google more than I trust Facebook, I also actively avoid giving information to Google (through various practices).
If websites are going to ask for consent to tracking or deny access to the service only allowing to take the data, delete account and leave, the whole thing will become meaningless. Users will just learn to blindly accept everything, as this is a huge annoyance to them.
I'm not sure why you keep spreading this FUD. The GDPR applies to all personal data, not just tracking data, and Facebook is useless without your personal data. IOW, FB can make access contingent upon agreeing to data collection.
From my understanding the user will have to consent both to personal and tracking data separately. So yes, users will agree to sharing the personal data (name, age, gender etc.), as this is essential for the service, in this case a social network, to work.
However, tracking data for ad purposes will need separate consent as this data is not essential for the service to work.
Otherwise GDPR would be another dead letter, wouldn't it?
It is not FUD. I work at a major telco/ISP, specifically on ensuring GDPR compliance for a number of applications.
Personal information that is deliberately and freely made public by the owner of that data (ie. you, the user) is free to use, both for the service on which you make it public, and for anyone who happens to read it on your publicly visible profile/wall.
The reasoning is that you made a deliberate choice to make this information public, meaning you have given consent to public viewing of said data.
What this Facebook issue is about, is the collection of personal data that you have not made publicly accessible, because it is private to you. FB is using this data to tailor ads and to modify your feed, giving you politics you agree with, suggesting pages for you to join, and so on. FB is also profiling you and inferring your private information, and using that to track you across the web (on every single web page with an FB "like" button, for instance). They have a disturbingly detailed profile on all of their users, including highly sensitive data such as political standing, sexual preferences, medical history, even possible infidelity.
FB is perfectly usable without giving them access to any other personal information than a fake date of birth and a throwaway email account. It is perfectly usable with "targeted ads" turned off. It is perfectly usable without the "optimized news feed", it can just default back to a chronological feed instead.
The violation of their users' privacy is not essential to the service FB provides to their users.
Yeah, they're fairly clear that you can't make service conditional on marketing et al consent.
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
I can't see that argument going well: Since they let users opt-out of targeted advertising, which is probably the only thing "tracking" is useful for, they tacitly admit that "tracking" is not necessary for them to provide their service.
Just because they chose a specific business model doesn't mean it's necessary. Nobody says the lunch must be free, just that not every avenue of funding is allowed.
I'd have to quote too much. Essentially you only have six allowed reasons for processing personal data (article 6). The only ones that could apply are (a) consent or (b) necessary for performance of contract.
(b) isn't applicable because it only applies when it's directly necessary to provide for that particular user (like processing a CC number when paying for a product). That your business model generally needs it is not enough (see the ICO FAQ on the issue[1]).
(a) Consent is valid, but it must be freely given, that is, the provision of the service can't be conditional on the consent (article 7 (4)).
The GDPR talks about "executing a contract, which includes the provision of services" (not the exact wording, but something like that). So if you define "using the social network in return for having targeted ads displayed" as the contract, it is necessary.
> just that not every avenue of funding is allowed
Funding by targeted ads isn't illegal last time I checked.
Performance of the contract does not mean whatever they want it to mean. Here's the ICO FAQ on the GDPR (emphasis mine):
"The processing must be necessary to deliver your side of the contract with this particular person. If the processing is only necessary to maintain your business model more generally, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests."
> Funding by targeted ads isn't illegal last time I checked.
It is if you don't get consent. And you can't make that consent required to provide a service, since then it won't be "freely given", as per Article 7.
Yes, that's the way I read it (from Recital 43), and the ICO seems to agree:
"Avoid making consent to processing a precondition of a service (...) If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis."
That would be interesting! That would probably mean they'd need to ban me, since I use an ad-blocker, right?
What about someone who uploads a lot of pictures but doesn't have many friends? That person might be using more resources than the ad revenue they generated...
> That would probably mean they'd need to ban me, since I use an ad-blocker, right?
Are you saying they should be forced by law to block you?
> What about someone who uploads a lot of pictures but doesn't have many friends? That person might be using more resources than the ad revenue they generated...
That is a flat-fee/pricing issue, just like someone binge watching Netflix might be using more resources than they generate in revenue. It isn't relevant to the discussion.
> "We require tracking to pay for the costs of providing this free service".
> No such thing as a free lunch.
Please square that with the fact (which I already pointed out) that they already provide their free service without targeting, based on user settings.
They can't use tracking to "pay the costs of providing this free service" without ad targeting (unless they're selling the tracking data, which they publicly deny).
I'm making an educated guess that mere declarations of the necessity of tracking are not sufficient legal justification for it in the EU.
Consent isn't required for data collection that is necessary for the service to work. However, you have to be prepared to defend in court that it IS necessary.
As such, trackers in 3rd-party advertising network code probably won't count as necessary; it's necessary for the ad network, but it is not necessary for the website displaying the advertisements, as proven by ad-blockers.
Likewise, the Facebook like button and other "plugin" components aren't "necessary", they merely add value to the existing content / features, and must therefore be entirely opt-in.
At least, that's my understanding, which is entirely too facile to be taken as legal advice.
EDIT: As petercooper pointed out below, in addition to proving necessity, you must still also prove in court that you have balanced the necessity against users' rights and interests. As such, I no longer feel confident to say I even have a clue as to what is legal and what is not, for FB or for anyone else, until there's a big enough court case to set precedent.
> but it is not necessary for the website displaying the advertisements, as proven by ad-blockers.
When I was a child I stole a toy from Wal-Mart. Wal-Mart is still around. Therefore, Wal-Mart's entire existence as a store does not depend on any kind of anti-theft measures, and it should be illegal for them to film my entrance and exit.
This is an interesting choice of counter-argument. Firstly three things:
1) Laws don't exist in isolation
2) Long standing law says theft is illegal and stores can take steps to limit it.
3) This new law (GDPR) says you can't take users details and use them unless necessary to provide your service.
With this new GDPR law it's the little guy, the user, that gets protection from something of value being taken from them and exploited - their personal details.
So, extending the above counter-argument it is also true to say that like Walmart, the singular 'theft' of personal details might not be terminal for the user. But just like the law recognises the theft of material goods and its potential harm (even in the case of a single instance), it now recognises the 'taking' of personal data as harmful (also even a single instance).
Extending the argument further, the GDPR takes the stance that one entity has been taking something of value from another without true compensation for the value of that something.
When we realise that what has been taken from users has value and that users haven't been fairly compensated for that value, it becomes obvious that a set of entities have based a business model on profiting off another set without fair compensation.
The GDPR now limits that behaviour and business model to return balance to the 'contract' between the two parties. Users get to use a service by providing the minimum needed for that service to be provided.
Actually, filming entrance and exits is probably necessary for them to have insurance against theft, which probably is necessary for them to continue operating.
Further, some stores put locks on items and displays that others do not. These are also required for the store to continue offering such services.
You, as an individual, may not have undermined the store. However, you, as an individual among many, may be the reason why certain stores are not able to function as other stores do.
EDIT: to clarify my point, I don't think the GDPR takes how revenue is obtained into account. The revenue model itself must still conform to user consent. The analogy of Walmart to ad-blockers is interesting, though slightly off when one behavior is illegal and the other is not.
But that's not what Facebook is doing. Facebook is tracking your every move between stores, public and private spaces, using that information to infer vast knowledge about your likes, dislikes, sexual orientation, income level, political belief, religion, friends and friends of friends. Seeing who you talk to, how long and about what, and then selling that information to anyone, along with access to your newsfeed.
My understanding is that Facebook doesn’t actually sell data to advertisers. By this I mean you can’t go to Facebook and say, “I would like to buy data for 10,000 18-24 year old males in New York City, how much?” Instead you say, “I have an ad I want to show to 10,000 18-24 year old males in NYC, how much?” Facebook then handles serving the ad for you and sends you data about how successful your campaign was; when people click on the ad and visit your website you obviously can collect data from them there. This is a subtle difference and one I think few people have been articulating, probably in part because it makes you sound like a shill for Facebook.
This actually makes more sense financially for Facebook: if they did the first thing people would only have to buy data once, and worse they could resell the data to third parties, decreasing Facebook’s control of the market. Instead by retaining control of the data Facebook can charge an advertiser for every ad they show, making more money. Ironically this also better protects people's privacy because Facebook isn’t actually giving the data away.
Unfortunately, if I run an ad targeting 18-24 year old males in New York City, and my ad manages to collect IP addresses, I have effectively purchased information about anyone who sees my ad.
It's certainly not a complete profile, and may have ranges of categorizations (i.e. 18-24 years old) BUT as an advertiser, I probably wouldn't need or want data more specific than that anyway.
Unfortunately you can’t collect IP addresses from people who saw your ad though, because FB doesn’t let you :)
You can of course though collect them if people actually click on them and come to your website! This is also the case for non targeted ads mind you as it’s simply how the web works
I don't think the GDPR's "necessary to work" clause considers profit models. I believe, (again, IANAL) that "necessary to work" is really "necessary for a feature to function"; how a company derives revenue from the service doesn't come into account.
It would be interesting to see revenue as a necessity be tested in court, since there are open-source social networks that don't rely on user tracking or data sales to the extent that Facebook does it.
On the contrary, commercial interests, including things like direct marketing, are considered acceptable "legitimate interests" under the GDPR, assuming the practice follows industry standards, ethics, and is legal.
However, they need to pass two other tests, a "necessity" test that determines that the processing of information is necessary to serve the interest, and, most crucially, a "balancing" test which balances the commercial interest against the user's interests, rights, and freedoms. It's this latter part where more onerous advertising practices will falter.
Interesting... the "necessity" test was what I was referring to for "necessary to work". However, I wasn't aware of the "balancing" test.
Also, does Facebook's ad network really constitute "direct marketing"? I had imagined that to be more of an email blast about a new FB feature, rather than collect-your-usage-data-and-sell-marketing-slots-to-you.
Now that I type that out, I guess it does make more sense. However, I really am not a big fan of the common-law approach to the "balancing" test. Basically, whoever has the most money and faces the most lenient judge wins. Everyone else is left guessing what the hell is legal and what isn't, when a clear set of rules would be much easier to fairly apply to everyone.
> However, you have to be prepared to defend in court that it IS necessary.
I'm pretty sure Facebook has the resources to have hired competent lawyers to advise them on that, and the money to afford preparation and execution of a strong court presentation of their viewpoint.
And Facebook probably had more information on what is necessary for the system Facebook provides to work than people trying to guess that from the outside.
It is, of course, possible, and, perhaps even likely, that a court will disagree with what they argue, and force a change—but it may be, from a PR perspective, worth the cost of non-compliance sanctions to have any decrease in utility resulting from changes they will be compelled to make to be very visibly forced on them by orders that they vigorously fought rather than self-initiated, so that European authorities and the GDPR get the blame for any reduced quality.
Then you’d be permitted to do so. Facebook Messenger’s chat with your friends service does not depend on tracking, for example, so this argument doesn’t apply to Facebook.
What do you mean by "does not depend on tracking"? Do you mean that you can conceive of a way to implement the service as it appears to the user, without tracking? Because Facebook can certainly inject tracking into their chat app. Given Facebook, I assume it's already the case that if I type "let's get married" and then erase those words and never send them, that Facebook's going to start showing me advertisements for how to pop the question.
You assume that, I assume that, these thoughts are a few digits shy of the decimal point of the percentage of people in the world who understand this. It's not commonly known that Facebook track your every conscious and unconscious interactions with their sites, apps, and every other site that has one of their tracking pixels/logins. It's even less commonly known that they gather data from numerous data brokers to enhance the data they have on you.
Tracking is not required to deliver a text message between two contacts who approved each other.
Facebook might declare otherwise, but since SMS and IRC both stand as counterexamples of successful text chat services that do not inherently depend on tracking, they would likely lose their case.
Define "doesn't depend on" because I could easily make the argument that Messenger's chat does require tracking location for example to increase security and to fight spam. By not opting in to tracking of location, you are degrading the quality of the service and affecting other people.
i.e. Without this tracking, the quality of Messenger is affected, and therefore, by definition, the service cannot be provided without it.
That's fine, but then FB can only use that location for increasing security and fighting spam. Slurping information based on an excuse and then using it for something else is explicitly prohibited by the GDPR.
Required means for example that you need a shipping address to ship a product. Not that you need location data in order to build a profile used for various undeclared, vague purposes - or for an unrelated purpose. I don't use FB in order to watch ads. FB shows ads in order to finance the service. They can offer a paid option to cover the cost of serving pictures of adorable kittens.
What do you consider legal under GDPR? A lot of people think it's some kind of "revenge gun", but for what exactly? I wonder what people expected that would happen.
Here's the program so far: EU targets Google, US then targets German automakers with emissions-gate, EU targets US tech companies with global revenue fines and data restrictions (Google + Facebook = $180b in revenue in the near future, an EU targeted pot of gold meant to be an offset for Ireland's tax policies).
Next up: the US targets Germany's auto industry - a backbone to their economy - with tariffs or other import restrictions, seeking to damage BMW, Mercedes, and Volkswagen in any and all ways possible. Easy cover: Germany having the world's largest current account surplus, at 8% of GDP. Recourse after that: more restrictions, regulations, targeting of US tech giants in the EU, and tariffs on various US products.
France says: Germany and its trade policies are a problem, seeks to reduce German dominance while trying to remain more neutral with the US:
That would be fun indeed. But I think it's just one of those internet outrages, which at some point turns around and bites back, and in a few months people will be outraged at certain aspects of GDPR itself.
What? Seriously? Do EU citizens have some kind of legal right to Facebook access, now? It's illegal for Facebook to not serve people they can't sell to advertisers?
I'd love it if Facebook were nationalized (or destroyed), but none of the coverage of the GDPR made it sound like it was going in that direction. I thought it was just another stupid "click here to acknowledge our cookies" rule that was going to spam up the internet.
There is no legal right to Facebook, but if Facebook wants to do business here, it has to abide by our rules. And our rules are very simple, you cannot deny service because the user doesn't allow tracking if tracking is not necessary for your service to work. And it isn't in this case, it's only necessary to deliver higher paying ads.
Since they are being selective on the users they accept based on being tracked, they are now on track for another EU fine.
It's disconcerting to me that under the GDPR, online businesses appear to be losing the ability to deny services to a user who knowingly, and with clear consent, chooses to take personal responsibility over the data they provide to said businesses.
Regardless of whether this is for the "greater good", this is deeply unsettling territory.
You're not allowed to operate that way in most other businesses anyway. You can't sell leaded paint, even if clearly marked. You can't sell unsafe cars, even if you tell people that even low speed impacts will kill them.
There's a ton of stuff you can't do, even with clear consent, because otherwise people who lack the means to understand the compromises or afford the safer choices will suffer.
You could easily argue that tracking users' behaviour is a safety issue. But fair enough, how about the loan business, you aren't allowed to charge overly high interest on loans. That's neither a safety nor an environmental issue.
Predatory interest rates frankly don't concern or particularly bother me. I think, for me, that only becomes a point of concern if a person is simply mentally unfit to make such decisions for themselves. In such cases the general guidance that someone else deemed fit should be responsible for that person's decisions applies, which goes back to the point you made earlier.
Even when those usurious, predatory rates are disproportionately charged to poorer people, who can afford to bear them less? Because that's how it works: price discrimination against the people least able to bear it.
But, hey. Why should I care, if I'm not getting charged those rates, right?
Given that a significant component to the determination of interest rates is risk, I don’t think one could reasonably expect a non-public system of lending to operate any other way.
We’re getting pretty off-topic though, so if you’d like to talk more, go ahead and shoot me an email (r at ovao dot la).
Risk management and predation are categorically different things. If that's not an intuitively obvious notion, I'm not sure what more dialogue will accomplish.
And if those ads tip an election based on psychological pressure points chosen on the basis of your preferences? That's an even bigger risk than safety and environmental issues in my book.
It has been repeatedly demonstrated that machine learning can reliably predict when, for example, a bipolar person is going to enter a manic phase.
Should ad companies be able to model someone's mental illness and show them ads for gambling sites, or whatever, when their brain is acutely more susceptible to them?
I think we're underestimating the global health issue due to online advertisement (alcohol, smoking, or just bad eating habits). And I'm not speaking of attention disorder of so-called 'multitask kids' caused by social media that have business models based on ads, and do everything to grab your attention.
False equivalence. Lead paint has the ability to harm others beyond the person making the purchase. Comparing Facebook to lead paint regulations is ridiculous.
This is nothing more than a digital drug law: “You can’t choose what services you consume because we are determined to protect you from yourself, like it or not.”
How did you determine "knowingly, and with clear consent"?
I guess I'd agree that if someone wrote a 5 page paper describing all the ways that Facebook harvests their data and what might be done with it afterwards then they should be allowed to do what they want? But I suspect most people would be like "uhhh, I think they, um, know what pages I liked? And maybe they use that for ads?"
I'm not referring to Facebook specifically. The dialog that Facebook's displaying to EU users (according to the tweet) isn't actually very clear in itself about what they're asking users for.
"Clear consent", in my mind, would be something along the lines of "we use tracking cookies and tracking on widgets third-party websites embed, as well as the data you provide to us in terms of posts, comments, photos and other content to personalize the ads you see". If you accept those terms, well, then you certainly can't be surprised when Facebook — or whoever — does precisely that.
Your phrasing is confusing. Why would the business want to deny services to a user who chooses to take personal responsibility over the data they provide?
Sorry if it wasn't clear. I'm suggesting that a business should have some right to deny service to a user who chooses not to participate in tracking, so long as it's made abundantly and plainly clear to said user that they'd be tracked, and that the user consents to that.
Based on my interpretation, the GDPR simply precludes that possibility.
I assume if you made a business where the user can sell their behavioral data for a service in return, and if the whole goal of the business was selling data in return for a service, then I would interpret the data collection to be strictly required for the business goal and thus legal under the GDPR (given explicit consent).
The official goal of Facebook is not "buying your data" but "providing a social network". Thus, targeted ads are not strictly necessary for providing that service.
I think the data must be actually necessary for the thing you're providing to the user. So if you're paying cash in exchange for data, that wouldn't be allowed, because you don't need someone's data in order to give them cash.
I fail to see why. Without clauses like this, you'd be at the same place you were before, "Either agree to all of our completely invasive and probably unrelated terms, or go pound sand." The GDPR is shifting the balance of power back so that users do have some bargaining, not just the take it or leave it that's been so prevalent for so long.
I think the issue is that it really hasn't been a "take it or leave it" environment in the past years. Things have been done against the interest of user privacy by burying the explanations in long privacy policies filled with legalese, and in the general underhandedness of data exchange between multiple parties. The inability to remove data you've provided to a website, too, I think is problematic in ways.
I'm a big proponent of user control, and a similarly big proponent of businesses taking much greater responsibility for the data they collect (my data was part of the Equifax breach, so I certainly get it). I am, however, leery about laws that essentially bind a business's hands in terms of how they can and cannot monetize on users, even when there's A) clarity and B) honest, plain and upfront disclosure about how they do that.
If a business tells me to agree to onerous terms to which I could never agree or to go pound sand, I'll gladly go pound sand. As a consumer, I lose no power there whatsoever.
You lose the power to participate in Facebook-only groups, which are surprisingly prevalent in some places. I have very limited access to two communities here in Montreal that I'd otherwise get a lot of value out of, because their only online communication system is via Facebook.
I've told Facebook to pound sand for roughly their entire existence - never had an account even though I had the chance right after they expanded beyond Harvard - and am considering whether life circumstances will increasingly force me (in practical rather than literal terms) to sign up.
A company in that semi-mandatory position deserves lots of binding rules to protect the rights of unwilling users, just as is true for electric companies since you rarely have much choice there.
Plus, I don't think Facebook's massive wall of several huge interlinked policies with soft-pedaled descriptions of what they do meets either of your A and B criteria, especially not when it's modally interrupting the user.
"I think the issue is that it really hasn't been a "take it or leave it" environment in the past years."
What? Yes it has.
"I am, however, leery about laws that essentially bind a business's hands in terms of how they can and cannot monetize on users, even when there's A) clarity and B) honest, plain and upfront disclosure about how they do that."
I'm not, mainly because business has been shown that they absolutely cannot be trusted with that. They have abused the privilege, and so they had their toy taken away. If you want to be upset at someone for that, blame the businesses for not reining in themselves, not the governments for doing what their populaces wanted.
Not to mention, A and B almost never, ever exist.
"If a business tells me to agree to onerous terms to which I could never agree or to go pound sand, I'll gladly go pound sand. As a consumer, I lose no power there whatsoever."
You've lost all power in that relationship, because you have no power to bargain. You have no power to negotiate. And while you'll gladly go pound sand, not everyone is in a position to do so.
Can you give me an example of someone who isn’t in a position to — in simple terms — take their business elsewhere when it comes to dealing with some sort of online company with whom they’re voluntarily sharing data?
Lack of alternatives, for one. Second would be someone for whom the rest of their social network is on Facebook, and they use Facebook as a primary communications source. I know nobody would be willing to sign up for another network or use another messenger just because I don't want to use FB messenger. I cannot get behind the idea that ostracizing yourself from the rest of your friends and family is an acceptable thing.
Turn it around; why should Facebook be allowed to have "take it or leave it" terms? Why should we as a society allow that? And don't just say, "It's their business;" I don't find that to be a compelling reason. Why should users not have the control over their data that the GDPR brings?
I believe users should have control of their data. I don’t have any issue with the GDPR in that respect, and that’s not what I’ve taken issue with. When you say “no thanks”, that’s a user exercising control over their data, and is an action which necessarily involves no governmental body.
I take issue with this specific stipulation that — even with clear and upfront user consent — a business simply cannot operate in ways that are A) not opposed to the safety or health of their users and B) potentially necessary to succeed in the markets in which they participate.
"I believe users should have control of their data."
If you believe the only way they should be able to do that is to become a digital hermit, then you don't really believe that.
"When you say “no thanks”, that’s a user exercising control over their data, and is an action which necessarily involves no governmental body."
What about Facebook's shadow profiles?
"a business simply cannot operate in ways that are A) not opposed to the safety or health of their users"
There is nothing about the GDPR that opposes this. Not a one.
"B) potentially necessary to succeed in the markets in which they participate."
This most assuredly is not part of the GDPR. If the only reason your business has a chance of succeeding is by ignoring user privacy and ignoring the safety of user data, your business does not deserve to succeed.
I'm sorry, but we can't have a productive discussion if you're simply going to mischaracterize what I've said and make false assertions as to what my own beliefs are.
I've been cordial to this point, but if cordiality isn't there on both sides, there's no point.
I've not mischaracterized what you've said. While you can say you believe that a user should have control over their data, if the only way you believe that should be exercised is through the "take it or leave it" model, then, in practice, that's not giving users control over their data.
Your account has been suspended for the foreseeable future for breaking the terms of service.
No we will not tell you what you did. You already know what you did.
Our automated systems found your policy violation and acted appropriately. They are beyond your comprehension or refutation.
You may not talk to a person regarding your dismissal. It is against policy to discuss active or closed issues.
You have no recourse other than social media or tech websites, and beg. And we still will likely not care.
--Care of US tech companies.
....So, you want to live with rules for companies that allow this kind of egregious and arbitrary actions? I sure as hell don't. Want to see what this stuff devolves to? Look no further than Comcast and ilk.
It's like seat belts. You cannot sell a car without a seat belt regardless of the customer's choice. The customer's choice comes later, whether or not he wants to put on the seat belt.
They aren't, though. There are other ways of making money. Like charging people. If people won't pay, well, worse things could befall the Union than Facebook leaving.
Why can't they charge you in data? If they present the deal to users as, "let us track your data, and in return you get to use facebook", is that not a trade that should be allowed? Isn't part of being able to 'be in control' of your data being allowed to sell it yourself?
I think the key point is being clear about the trade. I think FORCING all websites to only be paid for by cash is bad; you should be able to trade your own data for access to a service.
Because "In the EU, personal information cannot be conceived as a mere economic asset: according to the case law of the European Court of Human Rights, the processing of personal data requires protection to ensure a person's enjoyment of the right to respect for private life and freedom of expression and association".
Well, first, ads are not the problem, tracking is. Also, they can make money from tracking, but they have to convince people to consent - more like a donation than a payment.
But yes, the EU does get involved in plenty of business decisions, just like governments everywhere. Usually when an industry is misbehaving and violating what is established (e.g. by the ECHR) as the rights of individuals.
Given their de facto monopoly I'm not sure "There is no legal right to Facebook" is correct anymore. It's sort of like the internet where if you were denied access you'd have a significant disadvantage in society - it could easily be argued that denying access to Facebook gives you a similar disadvantage.
At the end of the day this will need to be decided in courts.
Personally, I'd really not like to see a precedent set for a company entering a market, doing very well, and then being legally compelled to provide their product as some sort of legal right to an entire population. It might be a different story if said company is employing anti-competitive practices, but telling somebody that they're now legally obligated to serve a community because they're just too good at what they do, or so popular that nobody else can best them, seems a little too authoritarian for my taste.
Oh, they're allowed to withdraw from the market, or decouple the privacy-invasive bits and find a way to make that work financially when users don't opt in to those. Nobody's forcing them to serve Europe if they insist on being this awful regarding mandatory tracking. They're free to allow space for a competitor to grow with a different attitude toward privacy.
Right, I'm not talking about withdrawing from the market, I'm talking about remaining in the market and being allowed, as a private company providing a private service, to freely associate.
I have no qualms with a competitor starting up to serve those denied by Facebook, but let's not muddy the water by equivocating a monopoly as a result of anti-competitive practices with one that forms simply because nobody wants to use anything else.
Restrictions on how private parties can provide a private service are ubiquitous in every market. In the US, home-cooked meal startups get shut down because their uninspected kitchen doesn't meet commercial standards. In Ethiopia, you need a local entity with an IT license (seriously) to import a Dell server that you've already purchased. In Canada, you can't agree to an employment contract that allows for zero-notice zero-compensation firing when you didn't do something extreme like steal. Etc.
I don't think most of the people who find Facebook convenient for coordinating groups actually choose the tracking knowingly and willingly (at best begrudgingly), nor do they choose to exclude the people who object more proactively to those things even when that's the effect.
Society's legislative and regulatory choices have a valid role to fix negative externalities of what economic actors would otherwise naturally do. Natural monopolies/oligopolies like electric companies, highway operators, and Facebook are all worth regulating for roughly the same reasons - even according to Orthodox free-market undergraduate microeconomics 101.
> Restrictions on how private parties can provide a private service are ubiquitous in every market...
I'm speaking more about "ought" than "is" here. I don't see any reason why Facebook should have to choose between serving everybody, regardless of the regulatory burden that it places on them, and taking a hike from the global market entirely. I'm not saying that they won't be forced to do so anyway.
> ...I don't think most of the people who find Facebook convenient for coordinating groups actually choose the tracking knowingly and willingly (at best begrudgingly)...
And yet, they've probably chosen it all the same. In the hypothetical scenario where somebody has a metaphorical (or literal) gun to somebody's head, forcing them to use Facebook, I don't see how Facebook themselves can be blamed for this, and simply chalking this sort of thing up as a "negative externality" and saddling Facebook with the burden seems to be a weaselly way of making Facebook bend to the will of somebody who just can't bear to give it up.
You can't always get what you want. Some of us would do well to internalize this a bit.
What is facebook's business? Targeted advertising. They don't sell you a friends management system for $0, they sell targeted ads to people who expect to receive targeted ads, and tracking is necessary for that.
The same can be said about google's search service. The search still works, but adsense and adwords won't work without your private info. And google can claim it doesn't sell search, they sell ads.
It's not strictly about which services you are selling, it is about which services you are providing, and Facebook absolutely provides a social network website/app. Google absolutely provides search and email.
How this reads: How are you offended by attempts to curb terrorism? How are you offended by attempts to save the children?
We can agree on intent and disagree on practice. I disagree with the GDPR in practice, but agree with its intent. I think there are many other ways to tackle these problems, and this is probably the worst one (especially to start with assuming this is the first really enforced one).
Voting to leave doesn’t automatically mean one has to dislike all laws from the EU. It’s ok to want to leave the EU whilst also liking some aspects of what it brings us. As a person who voted remain this has been one of the most frustrating things about the whole Brexit situation, it’s like it has to be a binary status: one either loves the EU and everything about it or you hate the EU and membership brings no benefits at all.
I don’t think it’s ironic that you like this law, I think it’s understandable that you would if you have privacy concerns and, given T. May’s choices over the years, you were unlikely to get it without membership to the EU.
I couldn't agree more; I too get frustrated by the degeneration of most public debate. Personally I was very much on the fence, leaning net Leave on the meta level (major constitutional change should not happen without a popular mandate) but net Remain on the object level (especially on things like digital rights, where the UK has a long and sordid history of tin-pot authoritarianism long predating T. May).
It is not essential that they sort my feed, though. Everything still works perfectly fine with a simple chronological feed.
None of the tracking they do is essential to the service they ostensibly provide to their users, namely as a microblogging/discussion/sharing platform.
Why do you think ranking is important? A simple chronological news feed should be perfectly fine.
Sure, rank search results based on how many users a given group has, and put the most popular ones at the top. That doesn't require violating anyone's privacy.
And they are certainly allowed to do ranking. But they can only do it on non-PII data, on data that has been deliberately made public, and on data which people have consented to its collection and storage with unequivocal opt-in.
In that case Facebook should offer users a choice between paying for the service directly or letting advertisers do that. I doubt that any nontrivial amount of users would choose to pay even $100/year so that wouldn't change anything for Facebook. However it could be enough to comply with weird EU regulation.
Do you mean that a government is less trustworthy than an independent corporation? That a corporation will better look after the interests of its citizens than a government?
> Do you mean that a government is less trustworthy than an independent corporation? That a corporation will better look after the interests of its citizens than a government?
Quite frequently, yes to both questions. Choice is key and many often feel more empowered to individually choose their company than their government.
How does that square with it being an implicit goal of most companies to own their entire market, eliminating that choice?
When there isn't meaningful competition in a market, it's specious to point to the abstract possibility of competition as an argument for sucking it up and cozying up to the monopolist, who has structured your arrangement with them to limit your freedom and recourse as much as practicable.
A profit motive doesn't magically make the human foibles that the "Gubmint is baaad" crowd insists will lead to the end of human freedom — and puppies, too — more manageable, or less dangerous to the rest of us.
> How does that square with it being an implicit goal of most companies to own their entire market, eliminating that choice?
Oversight. If you want meaningful competition and don't have it due to harmful monopolization, that's the government's problem to solve. Nobody's asking for self-regulating companies here. It's very important to understand which forces can or cannot actually eliminate competition and choice. If there is a path towards choice, I'll take it. Often that path is unclear of course.
The government which we're "stuck" with, and which we shouldn't trust because it's actively dangerous to our freedoms, is what's supposed to protect those freedoms from predatory companies?
Which is why I argue they are oftentimes less trustworthy than corporations due to the latter's more limited scope. I'm not clear on the argument you are making here. Regardless, the one I am making is that companies are often more trustworthy than governments (the original question) especially since there is technically a level higher in the authority hierarchy.
And I'm saying that, in my experience, that position seems to be more an article of faith for people of a certain ideological bent, than a demonstrable reality.
Maybe my premises and categories blind me to that risk in some way; I'll certainly cede that possibility. I'd be curious to see people who think the way you're describing do the same, vis à vis theirs.
That's the trouble with articles of faith, though: for the people who hold them, they're axioms; for the rest of us, they're implicit, unsupported premises to someone else's argument.
As a US citizen and a former service member, I can confirm that most independent businesses and corporations are more trustworthy than the US government.
Personally, I see a lot of similarities between "big" government and "big" business in terms of potential for abuse and massive bureaucracy and neither is particularly trustworthy (they are both composed of individual human beings with motives and desires). The major difference is that the government can abuse its power in the name of the "public good". Plus every business is beholden to the market and will go out of business if it does not provide what the public wants. What I am worried about is that we soon have a situation where the regulators that are intended to protect the consumer from abuse, prevent newer more ethical competitors from gaining market share. This happens a lot in the US where big business and big government form a sort of symbiotic relationship to maintain the status quo.
I really do agree with you, a Facebook account isn't a right you have. You can just not use Facebook if you disagree with their terms of service.
The only problem is: Facebook's terms of service aren't really reasonable, and most people won't understand the implications. As I understand the GDPR, one of the goals is to give users a set of rights, in regards to their data. These rights cannot, under any circumstances, be violated, just as you can't bond yourself into slavery or sign away your right to free speech.
Facebook and others are currently trying to find a loophole, like with the cookie-law, except this time the EU did its homework and companies won't get off with such simple solutions. Really if Facebook believes they can't do business in the EU after the 25th of May, due to the GDPR, then they shouldn't. Just close off all EU activities. Of course I understand why they won't, the company would lose a good chunk of its value, but it will anyway if it can't find a way to legally operate under the GDPR.
No, that says: If you choose to exercise your free speech on this one particular area, then the consequence will be severe. The result will be that most people would opt to follow the NDA, but you're still allowed to say whatever you want.
> what? seriously? Do EU citizens have some kind of legal right to Facebook access, now? It's illegal for Facebook to not serve people they can't sell to advertisers?
Facebook doesn't have a right to track people in the EU without gaining their consent to it in a way that complies with EU law.
EU citizens have a legal right to expect that Facebook will comply with European consumer protection laws.
If Facebook doesn't want to properly comply with EU regulations, they're free to totally withdraw from the EU market. Otherwise, it can expect penalties for its willful noncompliance.
With how insanely in depth some of the restrictions are, I'll honestly be surprised if this isn't the route a lot of companies end up taking to GDPR compliance.
You mean completely flouting the regulations and muddying the waters by putting up ToS compliance popups that don't have anything to do with GDPR, in order to fool their users?
That is very explicitly not allowed by the GDPR. You cannot make access to your service contingent on opting in. The consent has to be given freely, otherwise FB will be in violation of the regulation.
Consent must also be given explicitly, you cannot have a pre-checked "yes" checkbox or an "accept and continue" button.
Consent can also be given in a legally binding contract. A website ToS is very much not able to override the GDPR.
So you’re saying I’m required to develop two separate versions of my product? One for the users I can actually make money off and another for people who opt to get my product for free against my will?
You cannot base your business model on violating the privacy of EU citizens. That's just too bad, you'll have to find a non-scumbag way to fund your endeavors. You can absolutely still make money off ads, but you cannot target them based on personal information.
You are of course perfectly in your right to block all EU IP ranges, if you think that's a better solution, although cutting off 500 million potential customers is a bit harsh.
In short, EU citizens have absolutely no obligation to support your flawed business model.
I wish, but knowing the general public they’ll just see this as yet another screen to click through to get their daily dose of bullshit memes, game invitations from their “friends” and other bullshit.
No, facebook desperately needs to keep users and keep tracking them, so they are abusing network effect monopoly into giving people a choice either accept any tracking facebook wants or lose all the connections and all the time you invested into the platform. Which is not much of a choice, obviously.
Facebook knows it is in the wrong. Facebook announced last year they weren't going to use Ireland as part of its tax dodging scheme. Otherwise GDPR rulings could just extract global money out of the Ireland tax funnel.
Later in the thread, he mentions that the consent they ask for doesn't really comply with the GDPR principles.
> This appears to breach several important principles of the #GDPR, including the principle of purpose limitation, freely given, non-conditional consent, and of transparency. In other words, if Facebook attempts to collect consent in this manner, that consent will be unlawful.
It may be that FB's lawyers come at it with a more American view whereby it's legal if it complies with the letter of the law. I suspect the Euro legal system tends to build a fence around the Torah, so to speak.
What does it even mean to be conditional? Is the EU saying that FB has to provide their service to Europeans? Does the EU also require that businesses sell their services and products at a loss? Doesn't FB have some right to deny usage of their service to those who choose not to abide by FB's policies? Whether it's disapproval of tracking or behavior violations, it seems like FB should be able to say they don't want to provide their service to particular individuals.
They can choose to not provide service to EU citizens. If they provide service to EU citizens, then with that comes limitations on what rights they have under EU law to pick and choose which EU citizens they want to provide service to.
Their choices are to either be GDPR-compliant, or to completely bar all EU users from accessing Facebook. They cannot use tracking opt-in as a requirement for access.
American here; I just don't quite understand the premise. "Here is what you are giving us, and here is what you're getting in return" seems perfectly legit to me. If this interpretation of the law is correct, then the government is essentially saying the "in return" portion has to be eliminated. Which seems to be against the idea of trade.
One of the points of the GDPR is that you cannot make usage of your service contingent on giving up your privacy, unless your service very specifically requires the user to give up personal details in order for it to even function.
Strava is a good example, it does not work without GPS position, otherwise it cannot track your bike routes.
But Facebook does not require tracking to work. It does not require you to give them any personal details at all in order to work. It would work just fine even if everyone gave them fake emails, phone numbers, birth dates and even fake names. Thus they cannot make giving up privacy a requirement for using their service.
Besides that, this ToS update thing is absolutely not GDPR compliant. It does not list the things personal data will be used for. It hides the opt-out (to the face tracking) behind a dark pattern small "options" text and makes the default action opt-in. The list goes on.
This is simply an effort from FB to muddy the waters and sow doubt about opt-in and GDPR consequences.
They will have to provide proper GDPR opt-in screens come the 25th, or they will be fined for non-compliance.
Thank you for the clarification. That makes sense, although I'm not 100% sure I agree that it doesn't need the information to function. It could be de-identified for the individual, sure. But to actually use the service you need to connect with others, whose identities you must know something about. By following pages or celebrities or whatever you indicate that you are interested in their subject material. So in order to properly use the application you must give up something.
Yes, but clicking "like" on a celebrity's FB page is not personally identifiable information. You cannot use it to discover the person's identity.
To connect to other users on a service, I don't need to know any personal details about them, only their chosen username, which can be completely random and have no relation to their identity.
I disagree that FB would work fine if you gave it no data or fake data!
The whole point of FB is for people to exchange data about themselves with their friends and family! If people don’t share any data or just fake data FB doesn’t work.
For them to offer their service they also have to make money, so they run ads to do that. And to make the ads useful to people they need data for targeting!
And now they allow users to either agree to this deal or download their data, delete Facebook and do whatever they want.
Facebook would work perfectly fine with fake data and without privacy violations.
I can sign up with a fake date of birth and a throwaway email account, under a generic name (remove any identifying unique spelling or middle names, for instance) or a completely fake name. And I could still connect with friends and family, provided I know the names they've chosen to use on FB.
According to the GDPR, anything you share publicly is basically fair game. So if you post something in a public post on your public wall, anyone can view and use that data for whatever they want.
The issue is all of the secret data FB collects. They have disturbingly extensive profiles of every one of their users, including political standpoint, which phase of life they're in (eg. "stable established adult" or somesuch), their sexual preferences, sports teams, club memberships, medical history, the list goes on and on. They get this from your non-public account information and from tracking you across websites you visit.
That is the issue here, the tracking and storage of personal information that people want to keep private. FB's tracking and privacy violations are not vital to the service they provide. Their business model may depend on (targeted) ads and privacy violations, but that is not an excuse. You cannot base your business model on breaking laws and hoping to get away with it.
FB isn't "allowing" users to either agree to the ToS or go pound sand, they're basically saying "fuck you, we'll exploit your private information as much as we want, and you don't have a choice". They're doing this to muddy the waters and make people think "oh I already agreed to this, make it go away", when the actual GDPR consent form pops up after the 25th.
But users do have a choice. The GDPR very specifically says that you cannot make access to your service contingent on opting in to private data collection and tracking, because consent has to be given freely, ie. not under threat of access denial.
You can only do this if your service cannot possibly work without the collection of personal data. Something like Strava (which tracks bike rides via GPS) cannot function without collecting GPS locations. So they have a good argument that they cannot provide their service, if users do not opt in to location tracking. But they have to very clearly state what they will use this collected data for, and they cannot change it later without collecting new freely given consent from their users.
I don't know if you are trolling or serious...I guess I and about 2B others might be using facebook differently than you then?
I also don't find any of the data that FB or Google have of me "disturbingly extensive" or that they have been "breaking laws" to get it.
I give them data so they can provide value to my life...it's as simple as that! If that deal doesn't work for you then you simply shouldn't use their products..nothing wrong with that.
I also personally prefer targeted ads over un-targeted ones btw. And I like using these services without having to pay for it...it's a good deal!
I also want to add that, while you repeat popular beliefs, I have yet to see evidence for many/all of them and I would prefer you would either stay with the known facts or be more explicit about what's a personal opinion/internet myth. thanks
I work at a telco/ISP, where I am directly responsible for multiple web-accessible and internal applications that have to be GDPR-compliant. I assure you that I am absolutely not trolling. As a professional, I take the GDPR extremely seriously, and in my private life I am very interested in keeping my private information private.
Have you downloaded FB's data dump of you? That is only the bare surface of what they collect. They do not give you access to the underlying profiling and the social graph they have built on your information. All you are getting is chat logs, uploaded photos/videos, a list of contacts/friends and some simple keywords. That's not even scratching the surface of the data model FB has on every single user.
The data you think you're giving them and the data they actually have are orders of magnitude apart.
The "well you can just choose not to use them" argument falls completely flat when you realize that many businesses and organizations have no internet presence outside of Facebook. They've set up a Facebook page because "everyone has Facebook, right?". If you cannot see the problem with that, then I'm not sure what to say.
I am aware that they use the data I put in in form of friends, posts, etc to inform ML models. And it makes sense that they don’t deliver those when I download my data!
Frankly I would argue that the ML models they create from usage data are theirs! Regardless of how useful they would be to me as an individual to download or not.
Now about the FB tracking pixels and the data they collect, I consented to those when I used the third parties' websites they were in and accepted their TOS...and I have a choice to not use those sites or if I choose to block the pixel from firing via technical methods.
FB tracking pixels are on less than .1% of all websites...so I also don’t buy that argument that Facebook follows anyone around, because it’s simply not true!
So there are two ways to do it for third parties: get user consent before starting to use the website or use their advanced API and delay firing of the pixels until users have consented later in the process...like for example on the checkout page!
> They do not give you access to the underlying profiling and the social graph they have built on your information.
There are hints of it though. I noticed in my most recent data dump there was a list of "contacts." Some of those were people who I was never Facebook friends with and included contact information (e.g. alternate emails) that I never had.
It seems like this data was built off of people's phone contact lists. It definitely seems like my contact list was the root of mine.
Are you suggesting that somehow any law is inherently wrong if it regulates trade at all? Trade is a means to the end of having healthy, productive populations. It's not something to prioritize above all else, especially in cases where trade hurts the well-being of populations.
In the specific case of Facebook, near-zero of the users actually understand either what they are giving or the full extent of what they are getting or not (especially since the latter changes constantly as FB alters their policies and algorithms etc). So, it's more like "give us stuff you don't understand with ramifications you haven't thought about, and you get a complex, somewhat unpredictable, changing service." This is nothing like the theoretical trade between two participants with equal power and complete information.
Using strictly my interpretation of what I read above, if the person decides not to allow their information to be used by the service, the service is not allowed to deny them use. That's the part I think is an issue, and of course I may be misinterpreting.
I have purchased a house, and used a mortgage to do so. In getting that mortgage, I was presented with reams and reams of paper that I had to agree to and sign. The basic facts of the loan, however, were mandated by the government that they be disclosed to me in as simple and straightforward terms as possible. That mandate for disclosure should be sufficient for a person to decide to do business with a service, regardless of the nature of what is being transacted. If what I read here is accurate, it's akin to me saying "No, I won't sign any of this. Now give me my keys."
In your bank analogy, the mortgage terms would say you have to let the bank install a camera in your bedroom. No camera, no keys.
The bank is not required to give you a mortgage. The regulation says that if they want to offer one, they can't include "No camera, no keys" as a condition.
No, that business model is still perfectly valid, but the users have to give their unequivocal consent for the business to do this, and the users have to give it freely, i.e. you cannot say "you have to opt in to giving us all of your personal data, before you are allowed to use Facebook."
Add to that: the EU is specifically excluding police and security services from GDPR. It's basically making the states the exclusive owners of private data.
The European regulatory view is often 'outcomes based' rather than the American 'rules based'. What I mean is that in the European approach, you might follow the rules, but fail in the outcome or 'the spirit' of the law. In that case, you have still broken the law. If you allow a gross generalisation, European regulators point to perverse outcomes in the US where morality is subverted by the law as a reason why this approach is better. There is however a much higher compliance cost in the EU than in the US due to this approach.
That sounds backwards to me. Mainland European legal systems are based on civil law, which heavily emphasizes letter rather than spirit. (As opposed to the common law traditions found in most of the Anglosphere.)
I would be absolutely shocked if Facebook didn't have European legal professionals hired to deal with this instead of having their American lawyers try to interpret foreign law.
Maybe, but my experience with US companies is that surprisingly large companies sometimes think they'll get away with just doing stuff that's legal under US law and pretend the EU is just another US state.
E.g. I spent 3 years at Yahoo (more than a decade ago now) wrangling with US product managers that found it incredibly hard to accept that the "workarounds" they kept proposing for EU requirements for payments systems were highly illegal in the European countries we operated in, as a means to cut effort. My team existed pretty much only to form a protective layer between the US payments team and the European business because the European business didn't trust them to not pull a fast one to save time, because they didn't understand the seriousness of the requirements.
But in many European countries, the courts take a very dim view of that kind of attitude.
My guess is that GDPR is not yet in effect, thus they can use this to get consent in advance. After GDPR is in place these will be changed to comply with it.