[HN Gopher] Open letter: Ban surveillance-based advertising
___________________________________________________________________
Open letter: Ban surveillance-based advertising
Author : velmu
Score : 385 points
Date : 2021-07-07 08:51 UTC (14 hours ago)
(HTM) web link (vivaldi.com)
(TXT) w3m dump (vivaldi.com)
| mdp2021 wrote:
| The problem is with the match of partial virtual profiles with
| individual-specific identities.
|
| That A uses a profile to visit www sites about code optimization,
| leisure mathematics, statistic software and StackOverflow, and
| commercial information about some IDE is shown, that may be
| welcome.
|
| That A uses another profile to visit www sites about baking
| cakes, nutriment science and ethnic restaurants, and information
| about some IDE is shown, that is unwelcome as an understatement.
|
| That A is Adrian Oberweller of Tamaxa, MT and his individual-
| specific identity is associated with his private concerns, that
| is "you must be joking" swinging at the edge between dystopia and
| ridiculous.
| falsaberN1 wrote:
| This makes me think.
|
| What happens when partial profiles are matched to the wrong
| person? Like, it's very likely these systems are going to match
| different people in the same household/network because... how
| can they even separate different people with different
| interests and a single person using many profiles?
|
| I suspect all our "valuable user data" is tainted by default
| and its monetary value is an illusion. We do know that the
| systems are overzealous, and the algorithms driving those
| systems are far from perfect (and in case of ML models, high
| chances of it being non-deterministic, to boot).
|
| A friend recently got some of those ISP copyright strikes
| because the fiancee of his sister got relocated to his house
| for a few days and decided to leech from the network to
| download some AAA videogames. Of course the strikes were to my
| friend's name, because they have no way to know some stranger
| did it instead.
|
| I can easily see my data profile saying I'm into horoscopes and
| that voodoo because my mother browses that stuff all day from
| the network assigned to my name. I'm sure there are attempts to
| defeat incognito/private tabs by bundling all "indecisive" data
| to the main profile in a given IP, so a large household can be
| a completely schizophrenic data profile with data mixed from a
| lot of users in that household. Imagine someone in your house
| has been using some extremist or taboo site. If that data is
| mixed up with yours, and a person with bad intent wants to take
| advantage of leaked data they obtained on you...they have a
| pretty strong weapon to assassinate your image. "You can't deny
| it, it's in the data. Your cousin did it? Oh what an ignoble
| attempt to save your butt, how lowly!". Since you have no way
| to plausibly deny it, it can be a strong blackmail weapon.
| Maybe stronger than medical data leaks in this weirdly
| political climate we got now.
| pjerem wrote:
| > Of course the strikes were to my friend's name, because
| they have no way to know some stranger did it instead.
|
| For the anecdote, in France, we have a pretty stupid law
| (that was pushed by our really strong culture industry
| lobbies) where you can be pursued for downloading copyrighted
| content but also for not having secured your home network
| hardly enough so you can't argue that's it's your neighbor
| over your wifi.
|
| But it's only a little part of what our culture mafia
| achieved here, we also have to pay a tax on every device with
| storage that is redistributed to << copyright owners >>.
| falsaberN1 wrote:
| We have the same tax here. Pretty insulting when I'm a
| content creator myself (and I'd never pirate the artists
| it's protecting, I think they are all _terrible_ ), but not
| many ways left to import without bigger costs (customs).
| ColinHayhurst wrote:
| Cohort based targetting such as FLoC, PARAKEET and ATT will
| further embed the power of Big Tech. But I'm sure the HN
| community realizes this.
|
| The question is: in the face of GAFAM moats and large lobbying
| efforts, how else might these coalitions and smaller/emerging
| companies get regulators' attention?
|
| Disclosure: we are part of this coalition of 14 businesses
| offering browsers, search, mail, analytics, and other web
| services and add our view here as a search engine
| https://blog.mojeek.com/2021/07/time-to-ban-surveillance-bas...
| eivarv wrote:
| More context: https://www.forbrukerradet.no/side/new-report-
| details-threat...
| ColinHayhurst wrote:
| And HN discussion on that:
| https://news.ycombinator.com/item?id=27619030
| apatheticonion wrote:
| Physical storefronts have over time learned how to optimise their
| presentation to achieve higher conversion. Initially it was
| experimentation with layouts, with time they added cameras which
| helped understand customer behaviours.
|
| This expertise is commonly outsourced to physical marketing
| companies who dispatch "merchandisers" to your store to help
| optimise your layout to fall in line with the layouts they have
| designed based on the experience they have doing this for many
| different stores.
|
| Some companies would actively seek out target customers, give
| them cash to conduct surveys for market research.
|
| The barrier to retail taking this to an extreme is physical
| obstruction and money. It takes time to experiment with layouts,
| you have to pay people for their insight. It isn't practical to
| have a Moogle which has cameras analyzing most physical
| storefronts around the world.
|
| It's a really complex issue as online retailers do make money
| from online advertising companies and it often matters to them,
| but the proliferation of the chosen advertising providers few
| means that everywhere you go they have a presence listening for
| your user actions.
|
| With that said, these companies don't really want to know you,
| they just want to ensure they are able to serve relevant ads to
| someone like you. Collecting personal data is a consequence of
| there being no other way to group data into uniquely identifying
| profiles and get those insights on the interests of those
| profiles.
|
| More often, these companies explicitly don't want to know you.
| Personal information is a massive liability.
|
| Attempts to anonymise the data are difficult as you will need
| some kind of unique primary identifier, but you can infer a lot
| about an identity from seemingly unimportant things like browser
| resolution.
| ashtonkem wrote:
| They don't want to know us, but they appear to have very few
| limits on what they're willing to do to sell ads. So far we're
| basically counting on our interests and theirs being
| coincidentally similar, I would not bet on that in the long
| run. Better to handcuff them before they decide that doing
| something incredibly unseemly is necessary for ad sales.
| bordercases wrote:
| > More often, these companies explicitly don't want to know
| you. Personal information is a massive liability.
|
| Data accrued can be sold as an asset to other firms which don't
| directly compete with the firm that accrued the data, or even
| compliment the value prospect of that firm. Amazon to US Gov.
| Search engines to banks. Facebook to Linkedin. Etc.
|
| This increases the threat surface that your data creates,
| beyond whatever firm you think you can trust for having mundane
| motives.
| natmaka wrote:
| > Physical storefronts ((...)) with time they added cameras
| which helped understand customer behaviours.
|
| R. Doisneau, a French photograph, may have in a way be a
| precursor
| https://www.christies.com/lot/lot-4572128/?intobjectid=45721...
|
| > you can infer a lot about an identity from seemingly
| unimportant things like browser resolution
|
| Oblink: EFF's "Cover tour tracks"
| https://coveryourtracks.eff.org/
| derbOac wrote:
| One thing I've wrestled with with the rise of online news and
| its effects on physical newspapers is how much I miss certain
| things about the physical newspapers. I don't miss the physical
| format, but I do think the old-school paper newspapers were
| much more enjoyable to read than most online equivalents.
|
| At some point I realized that one major issue is that
| advertising in many of the paper copies was based around
| content area: if I went to the performing arts section, for
| example, it would be filled with ads for performing arts
| events. I loved this as it was actually useful and informative
| to me. I went to that section looking for performing arts, and
| that's what I got.
|
| In online news, though, if I go to a performing arts, I don't
| get informative, unintrusive ads for performing arts events in
| my area, I get bombarded with random ads for things unrelated
| to what I'm looking at. Even if, say, earlier in the day I was
| looking for shoes, I don't want to see ads for shoes if I'm
| browsing performing arts, I'm interested in performing arts.
|
| What you're talking about is a broader observation about
| identification of individuals per se versus patterns of
| interests and behaviors. However, I'd argue that a major
| failure of online advertising (with very important exceptions,
| including Google, DuckDuckGo, and many other places) is the
| recognition that what matters for ads is interest at any given
| moment, and not interests at any other time. I suppose someone
| might say "but a good ad is something that gives you what you
| are interested in even if you might not recognize it" but this
| is really difficult to get right, especially given that my
| interests in a given moment can shift from minute to minute.
|
| If I'm moving from, say, shoe shopping to, say, performing
| arts, I'm deliberately moving my attention away from the former
| to the latter. Showing me ads for shoes is something that's
| specifically going against my current attentional goals. It's
| like saying "hey Honey, I'm done in the kitchen and am going to
| go into the garage to work on something" and then having some
| random stranger show up and pull you back in the kitchen.
|
| This seems to be a fundamental screwup with a lot of online
| advertising: the failure to recognize that I'm functionally a
| different person from moment to moment, and when I move from
| one page to another there's a reason for that.
|
| Email surveillance is maybe going even further in a worse
| direction, in that it's even more decontextualized and time-
| independent. Part of the brilliance of Google search ads, and
| things like DuckDuckGo, is that they catch you exactly in that
| moment when you're looking for something on a specific topic.
| Newspapers and everywhere else needs to take better advantage
| of that paradigm. Show me what I'm looking for now, don't take
| a shotgun guess at what I might want based on what I was doing
| in the past.
| jefftk wrote:
| _> Email surveillance is maybe going even further in a worse
| direction, in that it 's even more decontextualized and time-
| independent._
|
| Are any major email providers still selling ads targeted by
| the content of messages?
| techlaw wrote:
| It's doubtful that any of us are in a position to know if
| they are or not.
|
| Let's assume, for the sake of argument, that 100% of major
| email providers have stated they do not sell ads based on
| email content.
|
| Next we have to either: take their word for it or have the
| means to verify their claims.
|
| Taking their word for it is difficult because many major
| email providers have a spotty relationship with honesty.
| This issue of honesty is not necessarily very different
| from other large corporations and in truth might be a
| factor in what made them a large corporation in the first
| place.
|
| (As First Baron Thurlow is claimed to have said: "Did you
| ever expect a corporation to have a conscience, when it has
| no soul to be damned, and no body to be kicked?")
|
| And so we would instead need the means to verify the claims
| of these major email providers. I'm unsure of how to
| reasonably do that.
|
| >Perhaps allow Qui Tam claims for privacy issues combined
| with a statutorily defined "cost" for each false claim
| instance?
|
| Qui tam allows, for example, private citizens to file suit
| against bad-actor govt contractors in the name of the govt.
| The "whistleblower" then receives a share of recovered
| proceeds.
|
| Here, if a statutory "cost" was defined for every false
| claim related to using the content of email messages (say
| $1 per message) then this might provide a way to help
| verify that the major email providers are being truthful in
| what they claim regarding their use of content in messages.
|
| Email providers would know their employees are on the
| lookout for a big payday and might honor their public
| promises. And if they don't, a few large qui tam lawsuits
| would quickly get their attention (or drive them into
| bankruptcy).
| Vinnl wrote:
| > these companies don't really want to know you, they just want
| to ensure they are able to serve relevant ads to someone like
| you.
|
| "Relevant" is their PR-speak, but really it's just whether
| you're in the desired target audience. If I target an ad that
| discourages people from voting to vegetarians or people who
| like Fox News, that ad is not necessarily more relevant to
| them.
| JumpCrisscross wrote:
| Do we have a good proposed legal definition of surveillance-based
| advertising?
| criddell wrote:
| I think it's advertising targeted to a group (where a group
| size of one is an individual).
|
| Some of the unintended side effects (which aren't necessarily
| bad) include ending virtually all store loyalty programs.
| jefftk wrote:
| I think this is quite tricky to pin down. For example, consider
| an e-commerce site like Amazon. They know your purchase
| history, reviews you've given or liked, and products you've
| viewed or put in your shopping cart but not purchased. Which
| information about your history would they be allowed to use to
| show you products you might be interested in buying?
|
| They also have lots of information about users in aggregate
| ("people who bought this also bought x") which they got by
| collecting data about their users. Can they use this?
| blooalien wrote:
| Personally, I'm not bothered by Amazon doing this _on their
| site when I 'm there_, and I even disable my adblocker _on
| Amazon but limited to Amazon_ because I 'm _there to buy a
| product or service_. Advertising at me if it doesn 't get in
| the way of that quest is appropriate there.
|
| Covering my entire webpage I'm trying to research _something
| else_ at with a full-page Amazon ad for a product I _already
| bought_ just because I expressed interest in that product by
| _buying it_ is _not_ okay. Thus, I block all ads elsewhere to
| avoid that sorta thing.
|
| Works pretty well for me, but it's sad I should have to jump
| through as many hoops as I have to to avoid such crapware
| being forced upon me. Ads I'm not wanting literally _steal_ a
| portion of my allotted bandwidth and give me _less than zero_
| value in return. Perhaps advertisers should start _paying us_
| for our valuable time, attention, and bandwidth?
| jefftk wrote:
| _> Personally, I 'm not bothered by Amazon doing this on
| their site when I'm there_
|
| You may not be, but this is within what they cover in the
| report Vivaldi is recommending:
| https://www.forbrukerradet.no/wp-
| content/uploads/2021/06/202... (it's a good read, and there
| are a lot of things they object to even with only first-
| party tracking)
|
| _> Perhaps advertisers should start paying us for our
| valuable time, attention, and bandwidth?_
|
| They don't pay you directly, but they pay the site you're
| visiting, and in most cases that's why the site is able to
| afford to create the content you're reading and show it to
| you for free.
| blooalien wrote:
| > ..."<link to pdf report> (it's a good read, and there
| are a lot of things they object to even with only first-
| party tracking)"
|
| Edit: It _is_ a sorta good read... Just be nice if these
| sorta situations could more easily find some kinda valid
| balance instead of always escalating outta control to
| both extremes until laws have to get made... Lawmakers
| are rarely to be trusted to get these sorts of situations
| right anymore...
|
| I've been using the Internet and networks long enough to
| understand how this stuff works. There's a certain degree
| of tracking that is _literally unavoidable_ (without
| semi-extreme measures like TOR for one example at least)
| simply by the nature of how networks work. I know that by
| using any service online at all, I 'm necessarily parting
| with some data about myself. Any data that's collected in
| that transactional networking sense I'm kinda largely
| okay with because it's just part of how things work by
| their very nature.
|
| The stuff that bothers me is the excess of spyware,
| hundreds of kilobytes of tracking scripts, invisible
| pixels, browser fingerprinting, and other shady junk
| that's been bolted on by advertisers with no concern
| whatsoever for any harm it may bring to the network, the
| consumers, or often even themselves, as long as they make
| enough to cover the costs and make a profit. I understand
| the logic of it, but I don't necessarily agree with it in
| many cases. For me it's really all about how respectfully
| the entire situation is handled. Advertise at me in
| respectful ways, you probably don't get blocked (at least
| by me). Abuse me in _any_ way, and I tend to get uppity
| with my adblocker and start thinkin ' hard if I even
| _need_ your site or service at all.
|
| > "They don't pay you directly, but they pay the site
| you're visiting, and in most cases that's why the site is
| able to afford to create the content you're reading and
| show it to you for free."
|
| See, the sites that aren't _abusive_ with their
| advertising though actually find their way out of my
| adblocker for that _exact_ reason. Because I 'm fine with
| them making money ethically. Sites/services that
| implement _abusive_ advertising practices not only get
| the ads blocked, but often get themselves blocked out of
| my "sites of interest". ;)
| matheusmoreira wrote:
| If it collects _any_ data at all, it 's surveillance. Anything
| else is a loophole.
| tomjen3 wrote:
| That is nearly impossible to avoid. Go to your local store
| enough times and they might remember you, even when no data
| is retained at all.
| scotu wrote:
| do you mean the people at the store remember you? kinda
| different than collecting data and deploying it across the
| whole internet wouldn't you say?
| jefftk wrote:
| The person running the store remembering you and treating
| you differently based on your history is within what
| they're covering here, yes. In the report that Vivaldi is
| recommending (https://www.forbrukerradet.no/wp-
| content/uploads/2021/06/202...) they consider both first-
| party and third-party tracking to be part of
| "surveillance-based advertising". For example, a site
| showing ads for users based on what topics they tend to
| view weighted by how much they interact with each one.
| There's nothing about having to "deploy it across the
| whole internet" before it counts; activity on a single
| site is still (described as) surveillance.
| scotu wrote:
| still, this seems more like in the physical store you
| getting tracked with cameras, reward cards and so on and
| things getting rearranged on the shelves etc. just for
| you. I consider this surveillance.
|
| I consider it less surveillance-y if a single employee is
| remembering me. Although I do sometime wish I could
| delete some embarrassing moments at the store, but I
| guess, as long as they don't gossip about it between
| employees... :)
| convexfunction wrote:
| You're betting this definition wouldn't have any serious
| unintended consequences?
|
| A hypothetical example: suppose it becomes a legal nightmare
| to have even heavily censored webserver request logs retained
| for any period of time if your company does any advertising
| at all. That is, even if you have no intent or even ability
| to use those logs for advertising purposes, it might be a lot
| of work to prove that to the law, unless you take the
| hopefully-easier route of literally never advertising. "Boo
| hoo, companies have to prove they're not breaking the law",
| you might say; as is usually the case with these kinds of
| regulations, demonstrable compliance might be totally
| practical for bigger companies but a massive barrier for
| smaller companies, which on the margin means the difference
| between success and failure for quite a few businesses that
| would've otherwise created a lot of value.
|
| That specific scenario probably wouldn't happen, I hope, but
| that's far from the only plausible failure mode! I would like
| to believe that we can figure out a good definition with
| relatively little value destroyed in the fallout if a law
| like this comes into effect, but it's almost certainly not
| going to be a single sentence.
| [deleted]
| JumpCrisscross wrote:
| > _If it collects any data at all, it 's surveillance_
|
| Great, we just banned TCP.
| 411111111111111 wrote:
| Exposing is not the same as collecting though...
|
| I'd definitely consider a system which collects all
| information that are exposed in a TCP stream a surveillance
| tool
| swiley wrote:
| That's why we have TOR. Which allows you to use TCP without
| revealing the two TCP endpoints to anyone else.
| jefftk wrote:
| Let's say a streaming music service collects information on
| what you have listened to and how long. Is that surveillance?
| What if they use it to back a page where you can see what
| you've been listening to recently? If they start recommending
| new artists based on your listening history?
| charcircuit wrote:
| The report defines it as
|
| >In this context, we use the term 'surveillance-based
| advertising' as a blanket
|
| >term for digital advertising that is targeted at individuals
| or consumer
|
| >segments, usually through tracking and profiling based on
| personal data.
|
| This is ridiculous. If I am trying to advertise an Elixer IDE,
| then I don't want my advertisements shown to any random person
| on the internet. The majority of users on the internet are not
| even developers. I want to be able to advertise to a consumer
| segment which consists of people who are interested in Elixir.
| "Surveillance" is essential to internet advertising.
| tomjen3 wrote:
| That shouldn't be that hard. Doesn't Elexir have a forum,
| user groups or other place where people self-select for
| interest in that?
|
| Surely you can buy ads in subreddits, or on specific tags on
| Stack Overflow?
| eivarv wrote:
| Maybe not, but you could show it to people whose context
| reveal that they might be interested - e.g. searching for
| "IDE" or "Elixir", reading about developer tools, etc.
|
| This is known as contextual advertising.
|
| Surveillance is not essential to internet advertising - in
| fact neither ROI, effectiveness or perceived relevance (when
| compared to all alternatives, including contextual
| advertising) has never been proven.
| Nursie wrote:
| > This is ridiculous. If I am trying to advertise an Elixer
| IDE, then I don't want my advertisements shown to any random
| person on the internet.
|
| > I want to be able to advertise to a consumer segment
|
| This sounds like a _you_ problem.
|
| And _you_ shouldn 't get to push surveillance on me to solve
| it.
|
| I don't want to be advertised at _at all_ , let alone be
| stalked round the web so you can do it better.
|
| I don't care at all that any advertising I see might be
| better targeted, it's all an annoyance as far as I'm
| concerned anyway. The idea that I should be happier if I'm
| getting 'relevant' ads, like I should thank you for
| surveilling me so you can spam me better, is absolutely
| laughable.
| ashtonkem wrote:
| And I don't want you to know my means of employment online. I
| believe that my right to privacy trumps your economic
| interest.
| indigochill wrote:
| > If I am trying to advertise an Elixer IDE, then I don't
| want my advertisements shown to any random person on the
| internet.
|
| The definition in the report is poor. Yes, you always need to
| advertise to a segment. No, you don't have to spy on users to
| do it.
|
| How? Make a website about something and select advertisements
| that are relevant to the sort of people who are probably
| interested in the topic of the website. ReadTheDocs has
| already spun off an ad business that advertises tech stuff to
| readers of ReadTheDocs because it's reasonable to assume that
| is the audience that is perusing ReadTheDocs pages.
| charcircuit wrote:
| >No, you don't have to spy on users to do it.
|
| Assuming you are running an ad network you kind of have to
| in order to prevent ad fraud. Also by reducing that data
| you know about someone's interests is the knowledge that
| they have visited a site at least you will not be able to
| pick as good of an ad compared to if you had more data.
| indigochill wrote:
| What's the fraud scenario? Page owners presenting
| fraudulent visitor/click-through numbers to advertisers?
|
| In that scenario, it seems like advertisers would pick up
| on that pretty quickly when they realize the conversion
| rate on that supposed traffic is terrible and doesn't
| warrant the inflated price. In the case they're using an
| ad network, the network could ban the page owner from
| their network if they see this pattern from them. Since
| page owners are materially benefiting from the network,
| proof of identity should be (probably is? I don't work in
| the space) applied between the page owner and network to
| prevent repeat fraud via identity laundering.
|
| > you will not be able to pick as good of an ad compared
| to if you had more data.
|
| In theory I lean towards agreeing. I was arguing for
| tech-powered hyper-personalized ads back when I was
| studying advertising 2008-2012 (and did a bit of "stealth
| marketing" in that period where I built relationships
| with bloggers to share our product before the term
| "influencer" had hit the mainstream vocabulary).
|
| In practice, advertisers do not personalize ads. Facebook
| has become pretty good about selecting ads that map to my
| interests thanks to the reach of their spy network, but
| the ads themselves still aren't personalized at all (they
| take my interests into account, but not my spending
| history to realize that I don't have the budget for what
| they're trying to sell me) and my conversion to a sale
| because of them is still very, very low.
| stevesearer wrote:
| We sell and host our own advertising which is content-
| based (office furniture ads on office design content) and
| think it is a good solution.
|
| Instead of selling space by impressions or clicks, we use
| length of time (monthly) and find it to be a good way to
| prevent ourselves from trying to game impressions with
| clickbait or clicks with fake users.
| michaelt wrote:
| _> What 's the fraud scenario?_
|
| 1. Page owner / Ad network / Ad space auction market
| middleman fakes clicks to get click revenue
|
| 2. Page owner's rival fakes clicks to devalue ad spots
|
| 3. Advertiser's agency fakes clicks to make numbers go up
|
| 4. Advertiser's rivals fake clicks, to waste advertiser's
| budget
|
| 5. Ad networks 'accidentally' classifying legitimate
| clicks as fraud, to reduce payouts to page owners.
| b3morales wrote:
| How are these mitigated by pervasive end user tracking
| and surveillance?
| Nextgrid wrote:
| Sell ads based on time periods. "Your ad displayed here
| for 1 week for this much $$$". Then the only thing that
| matters is the ROI and it doesn't matter how many bots
| have clicked on it.
| charcircuit wrote:
| This approach sounds much harder for an ad network to
| pull off and sounds like it would add a lot of risk and
| complication. For example, what if a web master decides
| they don't want to have ads on their site anymore.
| Whoever just paid for that space gets screwed.
| Nextgrid wrote:
| This can all be sorted by contracts? The ad network pays
| out only after the ad has fully ran for 7 days, and if
| the webmaster removes the ad or similar they don't get
| paid and the advertiser gets refunded. Enforcing this is
| trivial by the ad network or a neutral third-party
| scraping the websites running the ads to confirm the ads
| are displayed properly.
| blooalien wrote:
| > "This approach sounds much harder for an ad network to
| pull off and sounds like it would add a lot of risk and
| complication.
|
| Harder to pull off than advertising at people who might
| actually _want_ to see the ads? More risk and
| complication than the growing backlash against
| advertising in general _entirely because_ of shady
| advertising practices? More risk and complication than
| having to keep track of various countries ' and states'
| laws re; privacy?
|
| > "For example, what if a web master decides they don't
| want to have ads on their site anymore. Whoever just paid
| for that space gets screwed."
|
| Existing contract law already covers this in most places.
| If you paid for ads to be displayed for a certain time
| period and they are not, then there's been a contract
| violation.
| blooalien wrote:
| That's actually the way _most_ advertising _used_ to work
| before all this surveillance stuff started, and _still_
| the way it works with _some_ (ethical) advertisers.
| danbruc wrote:
| That is the problem of the ad network. If they have to
| deal with fraud then find a way to solve this but not at
| the cost of everyone.
| charcircuit wrote:
| The problem with abuse is not special to ad networks. All
| sites (once they reach a certain size) have to deal with
| it. Surveillance is needed to handle abuse of your
| service.
| danbruc wrote:
| _Surveillance is needed to handle abuse of your service._
|
| Provide one example that can not be solved without
| surveillance.
| charcircuit wrote:
| Let's say you run a website with a sign on page. In order
| to log in a user typically you will run the password
| through an algorithm like argon2. Verifying a password
| for an account consumes CPU resources. A malicious may
| decide to DOS your site by just spamming this endpoint
| with bogus password to make you waste your time.
|
| An easy fix with surveillance is to rate limit people
| based off their IP address. Without surveillance though
| there is not much you can do. Scale up your
| infrastructure to try and out scale the attack? Implement
| a global rate limit that locks regular users from being
| able to sign in?
| coder543 wrote:
| An IP address being used in the course of providing the
| service is not surveillance. That's like saying "Amazon
| knowing where to ship my package is surveillance." It's a
| bad argument, in my opinion.
|
| Regardless, consider a DDoS attack. If every new request
| is coming from a different IP address, how do you
| continue providing service to your legitimate customers
| while blocking that malicious attack? Knowing the
| attacker's IP addresses doesn't do you any good...
| because they can just keep using new IP addresses, and
| blocking the old ones doesn't do any good.
|
| This is where heavily surveillance-based systems like
| Google CAPTCHA often come into play, and I have very
| mixed feelings about those.
|
| There are some non-surveillance-based captchas like this
| one[0] that I saw on HN awhile back, and I hope those
| become successful.
|
| [0]: https://friendlycaptcha.com/
| charcircuit wrote:
| >That's like saying "Amazon knowing where to ship my
| package is surveillance."
|
| To complete the metaphor Amazon would use the address you
| gave them to help improve their business in some sense
| without asking you if it's okay. Similar to how web
| masters don't ask if it's okay if they write what pages
| we access into logs is okay.
|
| >Knowing the attacker's IP addresses doesn't do you any
| good... because they can just keep using new IP
| addresses, and blocking the old ones doesn't do any good.
|
| Then we should try to find any patterns with the traffic
| that we can use to try and filter it out. This is a place
| where fingerprinting is useful.
|
| >friendlycaptcha
|
| This just slows down bot spam instead of testing if
| someone is a bot. Someone posting spam to your site once
| a minute is still annoying.
| coder543 wrote:
| I've read your other replies to this thread and your
| argument does not seem to be made in good faith. This
| whole thread is about surveillance based _advertising_
| being bad. In no way is using an IP address in a firewall
| a form of surveillance. It isn 't. The IP address isn't
| being associated with any other data, it's just some
| numbers floating in space, disconnected from any human
| being. There is no association with that IP address of
| what you like and don't like, what you have purchased,
| what links you have clicked, or anything else. It's just
| in a firewall, and that firewall rule could be blocking
| an entire CIDR block, especially in the case of IPv6. But
| even if it were surveillance, that's irrelevant to this
| discussion about the ethics of surveillance-based
| advertising.
|
| I'm not going to waste my time further on this thread
| after making this one last point.
|
| > This just slows down bot spam instead of testing if
| someone is a bot. Someone posting spam to your site once
| a minute is still annoying.
|
| Google CAPTCHA is trivially bypassed all the time. Do you
| really think it isn't? Sometimes using services like
| Amazon Mechanical Turk, sometimes using simple computer
| vision. It doesn't test whether someone/something is a
| bot either... it just tests whether they can pass the
| CAPTCHA. It certainly doesn't test whether they're part
| of a DDoS, nor does it test their intentions to find
| whether they are good or malicious. It's just a CAPTCHA,
| but it also uses a lot of surveillance... and as I said,
| I have mixed feelings about that. I didn't mean for this
| to become the point of the thread, it is definitely off
| topic.
|
| The idea of Proof of Work CAPTCHAs is that you can
| actually make it _more expensive_ for an attacker to
| solve those than it would be for the attacker to solve
| Google CAPTCHAs. Obviously, this is still an area of
| debate and research.
| charcircuit wrote:
| >your argument does not seem to be made in good faith
|
| I'm not exactly sure what this means. I used to be all
| for total privacy, but I found that future to not be
| sustainable. Perhaps I'm just jaded, but privacy just
| gets in the way.
|
| >This whole thread is about surveillance based
| advertising being bad.
|
| Well this part of the thread isn't. It's talking about
| how surveillance improves services by allowing them to
| deal with abuse.
|
| >In no way is using an IP address in a firewall a form of
| surveillance. It isn't. The IP address isn't being
| associated with any other data, it's just some numbers
| floating in space, disconnected from any human being.
|
| Wrong. I am using your IP as part of a scheme to
| fingerprint you. I want my rate limit to limit each
| person separately. An IP address is just a somewhat
| decent way to approximate that.
|
| >The idea of Proof of Work CAPTCHAs is that you can
| actually make it more expensive for an attacker to solve
| those than it would be for the attacker to solve Google
| CAPTCHAs.
|
| This has to be carefully balanced with the user
| experience. No user in going to want to wait 5 minutes to
| post when they can just have a Google account with a good
| reputation and just click a checkbox.
| danbruc wrote:
| _I used to be all for total privacy, but I found that
| future to not be sustainable. Perhaps I 'm just jaded,
| but privacy just gets in the way._
|
| That's not your decision, I decide what matters to me,
| whether I want my privacy or this nebulous
| sustainability, whatever this is suppose to be.
|
| _Wrong. I am using your IP as part of a scheme to
| fingerprint you. I want my rate limit to limit each
| person separately. An IP address is just a somewhat
| decent way to approximate that._
|
| Then let me turn this around, if using my IP address in
| this scenario is surveillance, then don't do it. If it is
| necessary, then ask me for permission, can we use your IP
| address to fight off attacks and ensure the availability
| of our website or do you prefer that the website might
| not always be available due to attacks? And the same
| applies if you want to rate limit all users, offer the
| choice between not using your website or opting in for IP
| based rate limiting. It's that easy.
| b3morales wrote:
| Amazon using shipping addresses in isolation to improve
| their business is not what people are concerned about
| here. It's perfectly legitimate for Amazon to say "we're
| getting a lot of orders from this list of zip codes,
| let's open some warehouses there". That doesn't infringe
| on anyone's individual privacy; the action is not tied
| directly to a single person, and especially not to
| further data collection/collation.
| danbruc wrote:
| Is is not surveillance - at the very least not in the
| relevant sense - if you maintain a temporary list of IPs
| you have seen in the past minute or hour.
|
| This is your best argument why we have to track and
| profile every human on the planet around the clock?
| charcircuit wrote:
| >if you maintain a temporary list of IPs you have seen in
| the past minute or hour.
|
| This is totally surveillance. Just because we delete data
| after a while, it doesn't mean I didn't surveil you, nor
| does it mean I haven't used that data I got from you for
| my own benefit.
|
| >This is your best argument why we have to track and
| profile every human on the planet around the clock? You
| just asked for an example. If you are suggesting that my
| argument is to prevent abuse of systems I would say that
| it justifies tracking every person on the planet.
| danbruc wrote:
| _This is totally surveillance._
|
| It is not. I connected from some IP because I wanted to
| use your website, at the very least you have to remember
| my IP address for some time to send me your website back.
| And if I want to access your website and it will be only
| available if you store my IP address for a few minutes to
| fight off attacks, then this is a use of my IP address
| that I welcome because it is for my benefit. And if you
| really want to, just store hashes of the IP addresses
| [1].
|
| _Just because we delete data after a while, it doesn 't
| mean I didn't surveil you [...]_
|
| Sure, surveillance is not defined by the amount of time
| you store some data. If you store my shipping address for
| years it is not surveillance, if you store my IP address
| for one second to add an entry to my record in your
| database that I just visited the website it might be
| surveillance even if you do not permanently record my IP
| address. But I never claimed that the amount of time you
| store some information is a or the relevant criterion
|
| _[...] nor does it mean I haven 't used that data I got
| from you for my own benefit._
|
| Also irrelevant. If you store my IP address for a short
| time or my shipping address for a long time in order to
| send me the website I requested or my order than this
| benefits you because you will make some profit from my
| order.
|
| Relevant for whether something is surveillance or not is
| whether I approve what you are doing. If you track my
| position day and night in order to show me ads for
| businesses nearby it is surveillance unless I
| specifically requested this. If you track my position
| because I am using a fitness app and requested to record
| my run, then it is not surveillance.
|
| [1] For IPv4 this is of course essentially pointless. But
| maybe you could come up with a more elaborate schema than
| simple hashes, maybe salt them and rotate the salt every
| few minutes or whatever. But you will probably not gain
| much besides added complexity.
| buran77 wrote:
| If someone abuses your doorbell the solution isn't to
| install a hidden DNA and body scanner in front of your
| door. Also suggesting that an IP based rate limiter is
| the same as the surveillance in question is very
| disingenuous.
|
| Pick a more sensitive area than your IDE, say medicine
| targeting erectile dysfunction, sexual or religious
| preferences, etc. You may find that being allowed to
| collect that data, especially covertly, just to save some
| money suddenly doesn't look reasonble at all.
|
| But surely I should be allowed to _covertly_ collect any
| data about you if it enables some savings for me. After
| 15 comments insiting it 's OK you should only approve of
| this.
| charcircuit wrote:
| >If someone abuses your doorbell the solution isn't to
| install a hidden DNA and body scanner in front of your
| door.
|
| The first thing I would do is look outside to collect
| information on who in outside thereby infringing their
| privacy.
|
| >Also suggesting that an IP based rate limiter is the
| same as the surveillance in question is very disingenuous
|
| Recording people's IPs is definitely surveillance.
|
| >say medicine targeting erectile dysfunction, sexual or
| religious preferences, etc. We may be able to connect
| drug sellers or churches with people if we know that
| information.
|
| >But surely I should be allowed to covertly collect any
| data about you if it enables some savings for me.
|
| Sure you can. Go ahead.
| buran77 wrote:
| > Sure you can. Go ahead
|
| We'll there's your problem. First you show a complete
| lack of understanding of the issue, from its basic
| concepts to the practical manifestation and consequences,
| and then you conclude that it must not be a real issue.
|
| This technique can be used to justify anything. Burning
| books? Sure, it's like burning extra processed wood,
| totally okay, go right ahead.
|
| Ignorance is not a defense.
|
| Also can you send me your medical data and search
| history? I mean you're OK with sharing this data and said
| nothing about it being ok only if I can do it covertly.
| Better yet, give me your name and address and I'll just
| grab that myself so it's not too much of a bother for
| you. It's just so I can serve cheaper better targeted ads
| to you.
|
| I mean refusing and backing out now would just be
| hypocritical and completely undermine the case you so
| unsuccessfully try to make wouldn't it?
| dkshdkjshdk wrote:
| > The first thing I would do is look outside to collect
| information on who in outside thereby infringing their
| privacy.
|
| Looking at someone doesn't infringe on their privacy.
| Taking a picture of that someone and storing it in a
| permanent fashion, might. To prevent abuse/DOS you only
| need to do the first (which does not constitute
| "surveillance" or loss of privacy), not the second.
|
| > Recording people's IPs is definitely surveillance.
|
| It's not surveillance if you are not tracking anything
| else other than IPs (i.e. no other behavioural data
| associated to it).
|
| Either way, you still have not provided an example where
| surveillance is _required_ to prevent abuse: I can simply
| store hashes of "bad IPs" (or ASNs) to blacklist... no
| need to store any information that could lead to an
| actual person (like an actual IP address).
| eingaeKaiy8ujie wrote:
| Then just post about your IDE on Elixir forums. I'm not
| interested in seeing any ads on the Internet, and I certainly
| don't want ad companies that are following me on random
| websites to know that I'm a programmer who is interested in
| Elixir or any other data about me.
| charcircuit wrote:
| >Then just post about your IDE on Elixir forums.
|
| Not all users of Elixir hang out on Elixir forums. There
| are plenty that spend the majority of their time on the
| internet elsewhere.
|
| >and I certainly don't want ad companies that are following
| me on random websites to know that I'm a programmer who is
| interested in Elixir or any other data about me.
|
| Why not? Systems can become more efficient if they know you
| better.
| spinningslate wrote:
| >Why not? Systems can become more efficient if they know
| you better.
|
| Because I didn't give them permission. I've no issue with
| anyone who willingly trades their privacy/digital
| footprint in return for services.
|
| I don't want to. I will happily pay money for services I
| want. But, in all practical ways, the choice has been
| taken from me. It's impossible to have an online life
| without Google, Facebook, and myriad others hoovering up
| my every digital footstep.
|
| And before someone says "ad-blockers" - I use them. And I
| decline cookie consent on every site I visit. It's
| tiresome, but I do it. Though even that marks me out: a
| signal in the noise. Even the act of trying to reject the
| surveillance economy helps that industry segment me.
|
| It's obscene, and something needs done about it.
| Marsymars wrote:
| > And I decline cookie consent on every site I visit.
| It's tiresome, but I do it.
|
| I don't think this is really worthwhile. It's akin to
| reporting every Google/fb ad as "I don't want to see
| this/this isn't relevant to me". Easier to just block
| ads/cookie consents from ever appearing, and set cookies
| to automatically delete after tab closure.
| eingaeKaiy8ujie wrote:
| >Why not?
|
| Because it's a privacy risk. Such information can be used
| to identify me and used against me.
| charcircuit wrote:
| >Such information can be used to identify me
|
| Good. We can make things more efficient.
|
| >used against me
|
| How could someone for example knowing you like Elixer use
| that knowledge against you? It's not a big deal.
| eingaeKaiy8ujie wrote:
| Such data can be combined with other bits of information
| to uniquely identify me on the web. And there may be
| other facts about me and my online activity that I don't
| want third parties to associate with my identity.
| justinclift wrote:
| k, so how about if instead of "Elixer" it was specific
| religious topics? Or other things that have legal
| measures for/against them in various parts of the world.
| RNAlfons wrote:
| > Why not? Systems can become more efficient if they know
| you better.
|
| Not op but I've not clicked a single ad intentionally
| since Ads exist on the internet. I don't consider them a
| trusted source for recommendation and why should I? Why
| should anybody? Ads violate my attention and that's what
| they're made for. They do not help you find the best
| product. They want you to find THEIR product. Everybody
| knows that.
|
| The privacy issues are the dangerous topping here.
| blooalien wrote:
| > ..."I've not clicked a single ad intentionally since
| Ads exist on the internet."
|
| You and me both. I actually actively block ads on the
| Internet except on the very _few_ sites that have earned
| my trust (https://readthedocs.org/, DuckDuckGo, etc) or
| sites where the advertising is directly connected to my
| existing purpose (to buy a thing) such as Amazon, eBay,
| Humble Bundle, etc. Everywhere else gets the block
| because they simply can't be trusted anymore.
| charcircuit wrote:
| >Not op but I've not clicked a single ad intentionally
| since Ads exist on the internet.
|
| You are in the minority then. I personally have clicked
| on ads and have found products that I was interested in.
|
| >I don't consider them a trusted source for
| recommendation and why should I?
|
| I am not saying you should. Ads just allow people to get
| the word out about something.
|
| >Ads violate my attention and that's what they're made
| for.
|
| This is a poor mindset. If you go to a public place are
| all of the people there violating your attention because
| you can see and hear them?
| RNAlfons wrote:
| > You are in the minority then. I personally have clicked
| on ads and have found products that I was interested in.
|
| You don't happen to work in the industry? Because I know
| nobody who clicks on Ads. Maybe some of them do but they
| don't admit it which says a lot about doing it.
|
| The only people I've ever met who said things like you
| did work for the advertisement industry since they're the
| only ones who believe that. They have to.
|
| > I am not saying you should. Ads just allow people to
| get the word out about something.
|
| How is this a justification for the intrusive, secretive
| and sometimes even abusive behaviour? There are other
| ways to "get the word out" out there. Healthy ways.
|
| > This is a poor mindset. If you go to a public place are
| all of the people there violating your attention because
| you can see and hear them?
|
| Sure they do if they jump right in front of my face and
| yell about some product I might be interested because I
| just came out of a shop and they've been watching me
| doing it and writing down how I look.
| ricardo81 wrote:
| > don't want my advertisements shown to any random person on
| the internet
|
| Indeed, win-win that ads are targeted. Easily done on search
| engines because the query shows intent. Less obvious on the
| wider web but then perhaps it's the advertisers job to
| identify their market rather than rely on ad-network
| datapoints on visitors.
|
| CPM/CPC ad payments are of course ripe for abuse by
| automation. CPA not so much.
|
| Could potentially argue that the surveillance is essentially
| to make targeting more convenient for advertisers rather than
| being implicitly required to advertise. Market forces and ROI
| are surely the best measurement which CPA does a better job
| of doing. The problem with CPA is the trust required in order
| for the ad network to be paid.
| Woodi wrote:
| Radiculous !
|
| Mate, you want one thing so world wide spying is ok for you ?
| So r. lack in imagination !
|
| Just try to imagine what would be WWW (or other "medium")
| without that data hoarding... You want to ad IDE, for devs,
| for particular lang ? Just give money straight to forum of
| your interests _owner_. And...... DONE ! Or journal, paper,
| zine or whatever but do it _directly_.
|
| That businesses curently DO NOT EXIST becose everything goes
| to Google ! And - biggest stupididy of last two centuries -
| to "businesesee that "model" enables". Just self serving
| monopoly giving away penies.
|
| You see ? Your "survivalence is necessaary" is just lack of
| imagination. Literaly, current "system" prohibits new
| inventions and development.
|
| Becouse where are money there are new companies/startups
| created. End where money are filtered via giant sucker there
| not much improvement can be build.
| rotebeete wrote:
| > The majority of users on the internet are not even
| developers.
|
| Then just advertise on sites that usually have developers?!
| ncallaway wrote:
| > I want to be able to advertise to a consumer segment which
| consists of people who are interested in Elixir
|
| And, as the person being advertised to, I absolutely want you
| not to be able to do that. Why do your desires trump mine?
|
| Surveillance is not essential to internet advertising.
| Because it's not essential for advertising. Newspaper ads
| didn't come with such invasive models, nor did radio adverts,
| or even TV ads.
|
| If advertisers on the internet can't figure out how to make a
| surveillance free advertising model work, then I'd much
| prefer those businesses to die.
| lallysingh wrote:
| No it's not. It's the same situation that's existed in
| advertising for decades already. Want to advertise your
| automotive parts? Advertise in Popular Mechanics. Some fancy
| clothing? Advertise in Vogue.
|
| Now, you just advertise in appropriate blogs.
|
| If there are no appropriate publications for important
| topics, hey! Guess what! They have their business model back!
| danbruc wrote:
| _This is ridiculous. If I am trying to advertise an Elixer
| IDE, then I don 't want my advertisements shown to any random
| person on the internet. The majority of users on the internet
| are not even developers. I want to be able to advertise to a
| consumer segment which consists of people who are interested
| in Elixir. "Surveillance" is essential to internet
| advertising._
|
| This is ridiculous. And it is your problem. Why should I
| allow any company to track and profile me and everyone else
| only so that you can save on your advertising budget?
| charcircuit wrote:
| Because I don't want to waste the time of people who aren't
| interested in my ad in seeing my ad. It's a waste of money
| for me. The ad network will not be able to make money from
| having them click the ad. The user's time will be wasted
| because they are not interested in what I am selling. It's
| a lose lose lose situation. I want to create more win win
| win situations where everyone benefits. Tracking and
| profiling is needed to increase the rate that this happens.
| ashtonkem wrote:
| You're asking us to give up our rights for your
| convenience.
| MereInterest wrote:
| And the downsides of that tracking/profiling fall
| entirely on the person being surveilled.
| blooalien wrote:
| > "Because I don't want to waste the time of people who
| aren't interested in my ad in seeing my ad."
|
| And that there is why sites like https://readthedocs.org/
| do this strange thing called _ethical_ advertising.
| Instead of spying on me, they advertise things at me I
| _am_ genuinely interested in, intuited by the fact that I
| 'm reading technical documentation, _and_ they do it in
| an _unobtrusive_ way, rather than splat themselves in
| front of the content I 'm trying to read such that I
| can't even read it at all.
|
| You wanna advertise at me? Come find me on sites where
| your product is a good fit for my interests and advertise
| at me _respectfully_ rather than supporting a corporate
| surveillance state that I want _no part of_. I for one
| will continue to block ads _everywhere_ I browse _except_
| those that manage to respect _me_ as a fellow human.
| the_other wrote:
| You could target the same people by buying ad space in
| like-minded "venues". There's a gaping hole in the market
| for good "content-linked" advertising, searching,
| aggregation and so on. Link to content, not people. Work
| with customers who're already self selecting, rather than
| following people around all the time.
|
| As a side-line, this'd probably cut back on a lot of
| click-bait trash articles. It, likely, would help bring
| the signal-boise level of the internet at large back to
| something more useful.
|
| Well, I can dream, anyway..
| elliekelly wrote:
| This is DDG's model, right? Instead of stalking me all
| around the internet to find out I'm looking for a new car
| in order to show me adverts for a new car they show me
| the advert when I search "best new cars 2021" which is
| probably a pretty solid indicator that I'm looking for a
| car that doesn't involve any tracking.
| stevesearer wrote:
| This is what we do at https://officesnapshots.com and it
| works pretty well: office furniture ads on office design
| content.
| blooalien wrote:
| Yeah, this! See? You get it! Why's it so _hard_ for
| others to understand?
| danbruc wrote:
| _Because I don 't want to waste the time of people who
| aren't interested in my ad in seeing my ad._
|
| Than don't run ads. Essentially nobody is interested in
| seeing ads, targeted or not.
|
| _It 's a waste of money for me. The ad network will not
| be able to make money from having them click the ad._
|
| I don't give a fuck how much money it costs you or if the
| ad network goes bankrupt, why should I?
|
| _The user 's time will be wasted because they are not
| interested in what I am selling._
|
| As I said, then don't run ads if you actually care about
| wasting user time. Even if you have a conversion rate of
| 10 % you are still wasting time for the other 90 %.
|
| _It 's a lose lose lose situation._
|
| I would consider it a win if all ad companies go bankrupt
| and I never have to see an ad again.
|
| _I want to create more win win win situations where
| everyone benefits. Tracking and profiling is needed to
| increase the rate that this happens._
|
| This is not win win win, this is win win win LOSE - a few
| users get a product they want, you get some sales, the ad
| network gets your ad budget, and everyone else gets
| nothing but being tracked and profiled.
| layoutIfNeeded wrote:
| >The user's time will be wasted because they are not
| interested in what I am selling.
|
| I'm not interested in what you're selling. In general,
| I'm 100% not interested in anything anyone is selling
| through advertisements. Where can I indicate this, so
| that advertisers stop wasting their money on me?
| charcircuit wrote:
| Use an adblocker.
| layoutIfNeeded wrote:
| Too bad that advertisers are busy breaking my adblocker
| again and again. Why could they be doing this? Surely
| they wouldn't want to waste money by showing me their
| ineffective advertisements, right...?
| datavirtue wrote:
| Advertise on search. Someone searches for IDE or
| something similar...show the ad. It's better than running
| around profiling people and showing them ads for things
| based on that profile. No tracking needed.
| Yizahi wrote:
| I will employ a spy/cop to follow you everywhere and log
| everything you do in detail, would you consider it a
| surveillance? Of course, he will refrain from listening to you
| talking and won't enter your home. But everywhere else he will
| follow you at a distance.
|
| This is essentially what is going on in the internet. Metadata
| collection = Surveillance.
| djbebs wrote:
| Oh no, hes going to be reading every email you send and
| receive, every message and everything you do. D9nt worry
| though, he wont do anything unless he finds anything illegal.
| markzzerella wrote:
| If metadata is good enough to kill people it's dangerous
| enough to stop collecting en masse.
| chopin wrote:
| The analogy breaks at the point "won't enter your home".
| Current surveillance tech does exactly the analogous of that.
| It's rather like having a cop sitting at home pinky-promising
| not to listen or storing any conversation.
|
| Maybe it's even worse. There are third-party analytics tools
| which send out any key-stroke you do, even if you don't
| submit any form.
|
| It has become the new normal. Take todays article in Ars
| Technica on Audacity
| (https://arstechnica.com/gadgets/2021/07/no-open-source-
| audac...). The author has no complaint about the fact that a
| tool for local editing of audio files reaches out to the
| internet to send data about the user and seemingly defends
| this on grounds that it is opt-in. That's fine but that code
| is needlessly there. There's no reason whatsoever for it. And
| I am tired of being told that surveillance is for my benefit.
| No, it's not. It's solely for the benefit of the surveillor.
| ColinHayhurst wrote:
| Good question. IANAL but how about this?
|
| Any ad which uses data about an individual, without full
| transparency about the data being used, to target them as an
| individual OR where such data is collected and stored and
| associated with an explicit or implicit identity.
| JumpCrisscross wrote:
| "Data about an individual" is too vague, as is "to target
| them." Would this ban search-based advertising? What about
| using an IP address to guess at a language?
|
| I think this can be done. I just don't have the domain
| expertise to do it, and haven't seen a proposed definition
| that made sense. The only intuition I have is around
| ephemeral versus permanent profiling.
| deallocator wrote:
| don't browsers send a header telling the server what
| language they expect? I live in Belgium where there's 3
| national languages, and my preference isn't even one of
| them. Please us whatever language my browser tells you to
| (English)
| ColinHayhurst wrote:
| Agreed and agreed.
|
| For search based advertising we use the search query and
| location (taken from the country the user chooses in
| settings - and that can be "None" in which case we just use
| the search query). The language of the search query could
| be used rather than IP. Key for us is to never store IP and
| never pass on any part of it.
| JumpCrisscross wrote:
| > _Key for us is to never store IP and never pass on any
| part of it_
|
| I think this might hold the key. The law likely doesn't
| need to try to regulate advertising _per se_ , but
| instead the types of data advertisers are allowed to
| retain (or access).
|
| Maybe a first step is creating a definition of an
| advertiser, requiring registration (not licensing) and
| the annual filing of the inputs their algorithm uses? All
| inputs, even the most banal? This assumes defining
| advertiser and algorithm and inputs is easier than what
| we're trying to ban.
| adolph wrote:
| I have the same question and a followup: What is the difference
| between "surveillance-based advertising" and observation-based
| advertising?
| ColinHayhurst wrote:
| A very experienced expert lawyer who should know, and knows
| adtech well says "Section 3 of the DPA? Advertising using data
| that would reveal an identifiable living individual ? It's a
| bit more complex than that as processes to protect such data
| being used should also be included."
|
| DPA is I assume Data Protection Act (UK):
| https://www.legislation.gov.uk/ukpga/2018/12/contents/enacte...
| codecutter wrote:
| I read the open letter. I learned about businesses that support
| user privacy and I will be supporting them with my wallet.
| (already use Mailfence and Duckduckgo )
| 1vuio0pswjnm7 wrote:
| "In a population survey conducted by YouGov on behalf of the
| Norwegian Consumer Council, just one out of ten respondents were
| positive to commercial actors collecting personal information
| about them online, while only one out of five thought that
| serving ads based on personal information is acceptable. This
| resembles similar surveys from both sides of the Atlantic, and
| indicates that consumers do not regard commercial surveillance as
| an acceptable trade-off for the possibility of seeing tailored
| ads."
|
| https://www.forbrukerradet.no/wp-content/uploads/2021/06/202...
|
| In light of the evidence, should surveillance-based ads be opt-in
| (default, no need to figure out and change settings) or opt-out.
| Currently, tech companies make these ads opt-out. By default the
| ads are enabled. To disable them, the user must find, understand
| and change settings. Of course, most users do not ever change
| default settings. Many users may not even be aware that there are
| such things as settings.
| Jonsvt wrote:
| I think you will find that there is a certain part of the
| population that has bought into the story that surveillance-
| based ads are somewhat needed for the Internet to work. It is
| just a story. We have seen from GDPR that you cannot leave any
| holes. Lets not do it this time.
| deregulateMed wrote:
| There's something beautiful about Google lead FOSS software being
| the source of privacy software.
|
| But hey that's why we support FOSS. A bad dictator means it's
| time to fork. If Chrome was proprietary, we'd be locked in a
| Walled Prison.
| Santosh83 wrote:
| This is no longer the era of one company monopoly like the old
| days. We are now in Big Tech dominance, not monopoly. No one
| needs a monopoly any longer. Regulatory and technological moats
| leading to consolidation is good enough.
| type0 wrote:
| > If Chrome was proprietary
|
| Chrome is proprietary, it's Chromium that isn't
| dalbasal wrote:
| Not a ton of depth in the letter itself, but I like the angle
| they take. It's not all about privacy or data security.
|
| " _In addition to the clear privacy issues caused by
| surveillance-based advertising, it is also detrimental to the
| business landscape._ "
|
| " _In the surveillance-based advertising model, a few actors can
| obtain competitive advantages by collecting data from across
| websites and services and dominant platform actors can abuse
| their positions by giving preference to their own services._ "
|
| In many senses, Google & FB have achieved what net neutrality
| wanted to prevent ISPs from doing. In the developing world, FB
| _has_ actually achieved it. If AOL had succeeded, we would have
| ended up approximately here.
| jefftk wrote:
| _> a few actors can obtain competitive advantages by collecting
| data from across websites..._
|
| This is going away: all the major browsers have said they are
| going to block cross-site tracking.
|
| (Disclosure: I work on ads at Google, speaking only for myself)
| BiteCode_dev wrote:
| Google analytics won't track cross site ?
| jefftk wrote:
| Does Google Analytics even track cross-site today? Looking
| at it in developer tools I only see it using first-party
| cookies.
|
| But anyway, Google Analytics won't be able to do it because
| nobody will be able to do it. For example, here is Chrome's
| project to remove cross-site tracking:
| https://www.chromium.org/Home/chromium-privacy/privacy-
| sandb...
|
| (Still speaking only for myself)
| binarymax wrote:
| I'm not sure if you're being intentionally obtuse or not.
| GA phones home with vast information about user, and
| builds a profile of them. That profile is correlated
| across sites to personalize search results and sell ads.
| dang wrote:
| Please omit personal swipes from your HN comments. Your
| post would be fine without the first sentence.
|
| Note this site guideline, including the last bit: "
| _Please respond to the strongest plausible interpretation
| of what someone says, not a weaker one that 's easier to
| criticize. Assume good faith._"
|
| https://news.ycombinator.com/newsguidelines.html
| jefftk wrote:
| I'm not being intentionally obtuse, but I also don't know
| all of Google's advertising business. I didn't think
| Google Analytics did that? What makes you think it does?
|
| (GA sends a message to Google, but I had thought that it
| was not linked to your behavior on other sites via GA?)
| LegitShady wrote:
| google analytics tells you the interest of your audience.
| how do you think it does this without correlating you to
| a profile they've built?
| lmkg wrote:
| Googe Analytics consultant here (not Google employee).
|
| 1. Google Analytics' primary identity signal is a first-
| party cookie. this is not shared between domains. There
| is no technical way to link identity between domains with
| different cookie values.
|
| 1a. Google Analytics has built-in library functions to
| allow site owners to share first-party cookie values
| between a whitelisted set of domains. This effectively
| lets one _company_ with multiple _sites_ share a first-
| party identifier, but still not let anyone (Google or
| otherwise) link that identity to identities set on other
| sites.
|
| 1b. BUT. But. _BUT_. Google is rolling out "Google
| Signals" for Google Analytics, which will use your Google
| Account as the identity signal instead for users who are
| logged in to Chrome. This, obviously, lets your identity
| be correlated across sites.
|
| (Personally, I suspect that the availability of this
| feature played a part in Google's decision to let Chrome
| follow the industry towards blocking third-party cookies.
| But this is a baseless opinion, one step removed from a
| conspiracy theory.)
|
| 2. Google Analytics can link their identifier (the first-
| party cookie or Google Signals) to your DoubleClick
| profile via DoubleClick's third-party cookie. The
| checkbox that does this is unchecked by default. There
| are many other features of GA that encourage or require
| you to check this checkbox.
|
| 2a. Google's documentation (including legal contracts!)
| places limits in the data exchanged between the two
| profiles. Data exchanged _does_ include demographic and
| interest information from DoubleClick 's profile into GA.
| This is one of the big reasons why people click the
| checkbox.
|
| To my knowledge, GA data is _not_ used to inform the
| DoubleClick profile. GA data can be used to build an
| "audience" in various Google ad platforms, and direct ads
| to those people specifically, or to use as the basis for
| a "look-alike audience."
|
| 3. Google is a _Processor_ under GDPR for Google
| Analytics, and a _Controller_ under GDPR for Google Ads.
| To a first approximation, this means they make the
| specific legal claim that they do not use GA data for
| their own purposes. Linking Analytics and Ads data is...
| complicated and frankly I still haven 't gotten an
| explanation of its legal status that I fully understand.
|
| In my personal opinion, I don't think Google actually
| uses Google Analytics data. Most Analytics
| implementations are tire fires, and they can get all the
| data from other more reliable sources, like Publisher
| data or Chrome. Given that they have based on their
| entire GDPR compliance strategy for Analytics on being a
| Processor, I don't think the risk/reward is there.
|
| (apologies for lack of copy-editing, the thunder's about
| to take my internet away)
| alisonkisk wrote:
| Is Google going to give back the $100B is made from cross
| site tracking in the past?
|
| Is Google going to consider YouTube, Gmail, Maps, and
| Android Location history different sites, or is "having
| an effective monopoly an exemption to crosss-site
| tracking prohibition?
|
| Does _anything_ in the proposal prevent server-side
| cross-site tracking? (No.)
|
| Is Google going to stop buying third party tracking data
| like credit card transactions?
| neolog wrote:
| No it isn't, Google will still track me across the web.
| blooalien wrote:
| So will Facebook (and several others) if you take no steps
| of your own to block them. It's an escalating war of cat
| and mouse. You'll block them, they'll find a new way around
| it, you'll block them some more, they'll find another way.
| Eventually the only answer will be to shut down the
| Internet because it's become just too broken to use
| anymore.
| squiggleblaz wrote:
| The simpler answer is to just ban it. The law doesn't
| need to be technically detailed or envision every single
| technological adaptation: it just needs to be sufficient
| for a judge to be able to recognise it when a prosecutor
| describes it and a defence lawyer attempts to pull the
| wool over their eyes. It needs to be focused on outcomes.
|
| Once banned, Google and Facebook will submit. They will
| attempt to lobby against the reforms, eventually saying
| "it will prevent legitimate business: it represents a
| small fraction of our revenue, but we are selflessly
| lobbying on their behalf to ask you to implement this
| technically specific law to reign us in". Ignore them.
| You don't listen to the hitman when they comment on
| homicide laws.
|
| And ensure that the penalties amount to a ban. The US
| congress and courts can and do terminate human lives.
| Whatever penalty they propose on abstract legal entities
| is not too harsh; even if they completely dismantled
| Google and destroyed all of their economic value, it is
| nothing compared to the things we do to natural living
| breathing humans in response to criminal behavior.
|
| Profitable companies will submit to a law that aims to
| control their behavior.
| JumpCrisscross wrote:
| > _law doesn 't need to be technically detailed or
| envision every single technological adaptation: it just
| needs to be sufficient for a judge to be able to
| recognise it when a prosecutor describes it and a defence
| lawyer attempts to pull the wool over their eyes_
|
| This is a terrible philosophy for legislating. It
| undermines the rule of law, _i.e._ that you should _ex
| ante_ be able to determine if what you 're doing is legal
| or not.
|
| What you're describing is rule making. Congress regularly
| does this, in passing a law that requires such and such
| agency propose (or even implement) rules that achieve
| this or that within so many days.
| alisonkisk wrote:
| This is fundamental to the rule of law. Judges and juries
| apply the law to the facts. Civilians can ask the
| government to review their plans in advance and make a
| ruling.
|
| We don't say murder laws are bad because there's no way
| to know in advance if "bashing someone's head in with a
| pipe who dies a month later" counts as murder.
| insulanus wrote:
| Every important criminal law includes the idea of intent.
| Killing someone with a car because you sneezed is very
| different from intentionally running them over in the
| eyes of the law.
| JumpCrisscross wrote:
| > _criminal law includes the idea of intent_
|
| Yes, but intent alone isn't sufficient. We need a
| precise, side-effect light definition of the kinds of
| activities we want to ban and by whom. To date, I haven't
| seen that.
|
| Passing a law which bans "surveillance-based advertising"
| with little more specificity is a recipe for disaster.
| blooalien wrote:
| > "This is going away: all the major browsers have said they
| are going to block cross-site tracking."
|
| That's mighty pleasing news to hear. A step in the right
| direction for sure. Here's hoping it's the beginning of a
| trend.
| acituan wrote:
| The thing with information is that once it is shared, it
| can't be unshared. Sure, blocking cross-site tracking would
| ostensibly make monopolistic accumulation of _new data_ more
| difficult, but except for the most decay prone information,
| there is already a comprehensive profile established for a
| good chunk of the users, which can be milked for a good
| while. This is not even taking into account of backchannel
| acquisition of the missing data (i.e. through brokers) with
| the sweet sweet profits already made, potency of which is
| enhanced when joined with existing data (and therefore still
| creating monopolistic dynamics).
| NicoJuicy wrote:
| It can be made useless if you don't have a identifier.
| _jal wrote:
| Be careful not to confuse one cross-site tracking techniques
| with cross-site tracking. Ask about company behaviors that
| may be of interest, not specific mechanisms. You can always
| ask about the mechanisms later.
|
| "Will you use information about users from third-party sites
| when making decisions about how to interact with them?"
|
| "Will you use data about offline purchases made by users when
| deciding how to interact with those users?"
|
| Etc.
| dreyfan wrote:
| Nobody needs cookies to track users cross-site. Cookies are
| just convenient.
| jefftk wrote:
| All the browsers have said that they consider general-
| purpose cross-site tracking to be deprecated, not just
| cookies. They are working on removing other forms of
| linking users across sites, including the browser cache,
| link decoration, and fingerprinting.
| Jonsvt wrote:
| And some of them, such as Google, are working on FLOC...
| This has got to stop now.
| binarymax wrote:
| The browsers _intent_ may be to remove cross-site tracking,
| but we all know that Google Ads will still follow people
| around the web through latent signals (even if wrapped in
| something like FLOC), and other parties like KISSmetrics will
| continue the fingerprinting cat and mouse game.
| jefftk wrote:
| _> Google Ads will still follow people around the web
| through latent signals_
|
| I'm not sure what you mean by this?
|
| Google Ads has committed "once third-party cookies are
| phased out, we will not build alternate identifiers to
| track individuals as they browse across the web, nor will
| we use them in our products." --
| https://blog.google/products/ads-commerce/a-more-privacy-
| fir...
|
| _> even if wrapped in something like FLOC_
|
| FLoC doesn't allow "a few actors [to] obtain competitive
| advantages by collecting data from across websites" since
| everyone sees the same number of identifying cohort bits.
|
| _> other parties like KISSmetrics will continue the
| fingerprinting cat and mouse game_
|
| Historically, the TOR browser was pretty much the only one
| that took fingerprinting prevention seriously, but it's now
| a substantial focus for Safari/Firefox/Chrome. I do think
| fingerprinting groups will continue to have things that
| work when third-party cookies go away, but I don't expect
| it to persist that long after? I also would not be
| surprised to see a regulation here, since I (not a lawyer)
| don't think fingerprinting is compatible with the GDPR or
| the other regulations it's inspiring around the world.
|
| (Still speaking only for myself)
| Jonsvt wrote:
| The point is the FLOC is surveillance as well. You are
| still profiling users. This has got to stop.
|
| https://vivaldi.com/blog/no-google-vivaldi-users-will-
| not-ge...
| Jonsvt wrote:
| Yes, FLOC and similar technologies, are another way to
| track users, but this time in the browser. We really do not
| see that as being any better. In many ways it is really
| worse.
|
| https://vivaldi.com/blog/no-google-vivaldi-users-will-not-
| ge...
| alisonkisk wrote:
| The argument is bad for privacy, since the business solution to
| that problem is the same for other IP antitrust: mandating non-
| discriminatory licensing to anyone who wants access to the
| data.
| jefftk wrote:
| This looks like Vivaldi supporting a recommendation made by a
| consumer advocacy group in Norway (Norwegian Consumer Council /
| Forbrukerradet), and boosting their report. You can read the
| original report at: https://www.forbrukerradet.no/wp-
| content/uploads/2021/06/202...
| Jonsvt wrote:
| This is very much a recommended read for everyone.
| uniqueuid wrote:
| Instead of arguing what current business models that would break,
| I think we should take a step back and ask:
|
| What legal and moral basis warrants "surveillance-based
| advertising"?
|
| The premise of GDPR in the EU has been that "surveillance-based
| advertising" needs to be _balanced_ with user rights.
|
| If we come to the conclusion that this balance cannot be achieved
| (e.g. because users are not savvy enough to safeguard their
| rights, because data sticks around forever, because data can be
| sold etc.), then it's a straightforward step to prohibit tracking
| entirely.
| kerkeslager wrote:
| There's a fundamental disconnect which causes people to ask
| what business models fixing a social ill would break. We should
| not be tolerating social ills to prop up the businesses that
| cause them.
|
| If we really believe that the free market will result in
| positive outcomes, then creating rules against negative
| outcomes like surveillance shouldn't cause any problems, since
| they shouldn't be a problem for a free market that will arrive
| there anyway. Wasn't it Reagan who said, "Trust, but verify?"
| Ensorceled wrote:
| Also, what old business models might return (like newspaper and
| other content based advertising) and what new business models
| might emerge.
| pmoriarty wrote:
| Surveillance-based advertising is just the tip of the iceberg.
|
| All unsolicited advertising should be banned.
| pasabagi wrote:
| I think there's a simpler way to achieve this. Force companies
| who leak personal data to pay reasonable damages to all the
| individuals involved, on the scale of 10-100 dollars, depending
| on how much personal info has been leaked.
|
| That would make businesses very quickly reassess how much data
| they need to keep, and how careful they need to be with it,
| without requiring any really radical legislation.
| beervirus wrote:
| Leaks are not even my main concern. I don't want anyone spying
| on me, even if they're really conscientious about data
| protection.
| 2OEH8eoCRo0 wrote:
| >Force companies who leak personal data to pay reasonable
| damages to all the individuals involved
|
| Doesn't this just consolidate power among FAAG even more? They
| can pay these fines and they don't often leak data- if ever.
| That's another thing- define leaking data. Sharing with 3rd
| parties? It's vague enough for them to beat that in court.
|
| We do somehow need to get back to advertising the old fashioned
| way rather than this surveillance capitalism arms-race.
| squiggleblaz wrote:
| > We do somehow need to get back to advertising the old
| fashioned way rather than this surveillance capitalism arms-
| race.
|
| Old fashioned ads were targeted based on the thing they were
| attached to. For instance, if you read the sports pages of a
| newspaper sold in your city, you probably got ads of presumed
| interest to people in your city who are interested in sports.
|
| To restore that kind of system, you would need to focus on
| those kinds of issues: making advertising first party,
| distinguishing between parts of a site without distinguishing
| between users.
|
| But once you've done that, you're still left with first
| parties that can spy on you and use that data in non-
| advertising ways, or even presumably for direct marketing (if
| you have some kind of an account).
|
| I think it's better to focus on the surveillance. If they
| can't surveil you, then they can't use surveillance
| advertising. As you point out, focusing on leaks is
| irrelevant because I don't really feel better that only
| Google knows everything about me. Focusing on advertising
| doesn't stop them collecting data, it just limits how they
| can use it. If we don't want the data to exist, collecting it
| should be prohibited.
| lolsal wrote:
| If my information gets leaked and my identity compromised, you
| think $10-100 is reasonable compensation? I like the idea but I
| don't think we can put any sort of numbers on damages like this
| before it happens.
| ClumsyPilot wrote:
| We need a minimal sum to enable lawsuita.
|
| Every time there is a leak, you have to prove you've suffered
| damages.
|
| That's hard to prove: even if someone commited massive fraud
| with your identify, you dont know if the data came from this
| leak, or from 10 other leaks.
|
| Setting a minimum would mean thay you can immediately fine
| conpanies for loosing millions of records in one lawsuit,
| instead of a million suits proving that each particular
| claimant was harmed
| dalbasal wrote:
| I don't think the letter writers' goal is data security.
| Jonsvt wrote:
| This is not a question of leaks. The data is already in the
| wrong hands and actively being misused.
| amelius wrote:
| > Force companies who leak personal data to pay reasonable
| damages to all the individuals involved
|
| Companies like Google and Facebook _already_ leak.
|
| Proof: start an ad campaign on e.g. Facebook targeted at people
| who have trait X, but sell a product Y not related to X. For
| people who click on the ad and buy your product Y, you now know
| they have trait X. And you can now also link that to their
| address info.
| jefftk wrote:
| Run an ad campaign in a magazine dedicated to a sensitive
| topic, selling something by mail-order. For people who write
| to you and buy your product, now you know they are interested
| in that sensitive topic.
|
| (Disclosure: I work on ads at Google, speaking only for
| myself)
| amelius wrote:
| Well, you've just found _another_ leak ;)
|
| By the way, scale matters too.
| blooalien wrote:
| Hey, mad respect at you for bein' able to discuss this
| without sounding like an advertising shill, and for bein'
| open about your place of employment and for coverin' your
| butt by makin' your comments known to be _yours_ and not
| your employers '. Wish more folks could do that. Good job
| of "adulting" there. ;)
|
| As a (sometimes) "consumer", I personally don't mind
| companies I'm doing business with gathering some data to
| better serve me as a customer. It's actually kinda their
| job. And I don't even mind when they advertise _related_
| products /services at me (but _not_ the product /service _I
| just bought_ please). And I don 't mind one little bit
| bein' advertised at (respectfully) when I'm on a site where
| I'm obviously lookin' to _buy_ something. My main problem
| is that too often there 's a degree of uncomfortable
| overreach with building (and worse yet, sharing around) a
| detailed profile of my travels on the web that is _beyond_
| unnecessary and unreasonable. I don 't honestly trust most
| _personal friends_ with as much information about me as
| some freakin ' advertisers would seem to want to database
| and index about me. It's gotten honestly out of control,
| and I don't know what else to do anymore except use every
| tool my browser has available to block as much of it as I
| can actively.
| insulanus wrote:
| True. Google or Facebook's ability to obtain, analyze,
| cross-reference, retain and leverage this type of
| information makes them billions of times more powerful than
| a small company selling gardening tools, however.
| ColinHayhurst wrote:
| Johnny Ryan is having another go this time in Hamburg. "Online
| advertising causes the world's biggest data breach. We are
| going to court to stop it." https://www.iccl.ie/rtb-june-2021/
|
| As he eloquently explains there, and in detail, RTB auctions
| "broadcasts private information about what you are doing
| online, and where you are, to many other companies in order to
| solicit their bids for the opportunity to show you their ad."
| handrous wrote:
| Yeah, rather than targeting advertising I'd prefer to get to
| the actual point, and target mass surveillance and collection
| of huge troves of personal data _no matter the purpose_.
|
| Ban monetizing data (no selling, no pay-for-access, no derived
| products) and make leaks guaranteed to be expensive, so
| companies only keep what they have to to operate, with some
| large multiplier attached to the leak fine if it was related to
| banned activities.
|
| Done.
|
| The advertising is a symptom, it's not the disease.
| jefftk wrote:
| I'm curious how you would see "ban monetizing data" play out
| in the case of an e-commerce company. Can they still run A/B
| tests? Show you products that they think you will want to buy
| based on your purchase history?
| handrous wrote:
| > Can they still run A/B tests?
|
| If I were writing the rules, I'd exclude anything that
| looks routing-like. "IP address A sees version 1, IP
| address B sees version 2, with some amount of ephemeral
| data involved to support pinning" is fine. Basic hit-
| counter type stats are fine. (though I think A/B tests are
| abusive crap and would _love_ to see them go away, on a
| personal level, I don 't think they _necessarily_ qualify
| as spying, though the way they 're practiced right now
| probably does tend collect & retain enough information that
| they absolutely are, but might not with some modification)
|
| > Show you products that they think you will want to buy
| based on your purchase history?
|
| No. _Maybe_ with some kind of opt-in or otherwise making
| that something the user has to intentionally ask for. But
| if you 're not using others' purchasing data to decide what
| those might be (and that would _definitely_ be off-limits)
| then that 's not very different from just having categories
| your users can browse.
| jefftk wrote:
| What about, on a page about x, showing "users who bought
| x often bought y" ads?
| handrous wrote:
| It'd obviously be a tough rule to craft. In some
| hypothetical world where I'm the Tzar of writing and
| enforcing this, I'd tend to allow leeway for companies
| using data that could be essentially a totally-anonymous
| incrementing counter (as in this case) to choose how to
| present their site, based on what's _currently being
| looked at or requested_ but not on _the browsing or
| purchase history of a particular user_. It 's using a
| person's own activity to target, manipulate, or
| "monetize" them that I find especially objectionable--and
| the data that's hoarded in the name of those abilities,
| simply dangerous in ways that the hoarding companies
| aren't made to account for (a huge negative externality,
| basically). In general I think if companies want market
| research they should pay for market research, not just
| run a dragnet spying operation against their customers.
| If they want something other than market research out of
| those data, then they probably ought to just be shut down
| (or, at least, that part of their business should be)
|
| [EDIT] FWIW I don't think these kinds of rules should
| only apply to tech companies. Physical stores ("loyalty"
| cards, tracking shoppers' cell phones, that stuff) and
| banks and similar also shouldn't be able to spy on
| people, nor to sell or otherwise use data collected as a
| necessary part of their business against people. A store
| may reasonably have surveillance cameras, but ought not
| be able to sell the footage to another company to train &
| test its gait-recognition software, nor use facial
| recognition to track how often I visit the store or what
| I look at. That kind of thing.
| blooalien wrote:
| I've gotten useful leads on products to research maybe
| buying from those type of ads before, but I only ever see
| them on sites I've whitelisted in my adblocker
| specifically _because_ they 're sites I buy things from
| (and a rare few sites I trust to be respectful about
| advertising placement). They're useful when they're done
| right tho.
| jefftk wrote:
| I'm confused by your ad blocker comment, because most
| listings like this won't be recognized as ads. They look
| like product suggestions, and they are entirely first
| party.
|
| (On the other hand, I think the law as you're proposing
| it would cover them)
| ganbatekudasai wrote:
| Taking cost vs. benefit into account, I would default to
| "no". This one in particular seems like a "neat little
| feature", but "neat" does not cut it if it threatens to
| make legislation against surveillance-based advertising
| less effective.
|
| I'm not sure many customers will miss it, if they really
| notice. Yes it can be a bit helpful, but many other
| things in the world would be "a bit helpful" and yet are
| nowhere near justifying their cost and effect (e.g. we
| stopped using radioactive chemicals in substantial
| amounts for everyday products very, very quickly).
| kerkeslager wrote:
| A/B testing can be done without collecting any personal
| data.
| amelius wrote:
| > The advertising is a symptom, it's not the disease.
|
| Advertising also stimulates mass overconsumption.
|
| If we want to save the planet, advertising is among the top
| things we should ban right away.
| handrous wrote:
| Right, but the alternative in question is banning
| _surveillance-based advertising_. I 'd prefer to curb
| surveillance itself, having the side-effect of eliminating
| surveillance-based advertising.
|
| Separately, yes, I'd like to see practically all public
| advertising banned (billboards are blight), and while I'd
| have to think on it some more before _supporting_ a blanket
| ban on all advertising (I 'm not sure it's workable, for
| one thing) I'd also not be sad if I woke up one morning and
| learned that such a law had been passed.
| kerkeslager wrote:
| From my perspective, both advertising and surveillance
| are bad, and both should be banned.
| handrous wrote:
| Yeah, I don't think our opinions diverge too much on
| that. My ideal world wouldn't feature much of either of
| them--I think well-marked, in some standard and easy-to-
| spot way, ads in publications aren't _so_ terrible, for
| instance, provided it 's made clear up-front, say with
| some kind of cigarette-box style notice or warning, that
| there are ads in it. Though, again, if paid advertising
| just went away, in all forms, entirely, tomorrow I
| wouldn't be sad about it. But, as far as online ads go,
| it's the surveillance part that bothers me more than
| there being any ads at all, and that worries me _way_
| beyond its use in advertising.
| kerkeslager wrote:
| I know we're comparing relative evils here, but that's
| interesting. I think my main concerns with surveillance
| are the chilling effects it has on those who would break
| the law for ethical reasons. But ultimately I think the
| tangible negative effects that surveillance has on most
| people are indirect. That's not to say they aren't
| important. But as important as advertising?
|
| Advertising causes a great deal of surveillance, but it
| causes a lot of other issues, many of which affect almost
| everyone, very directly, and in some tangible ways. At a
| basic level, we're being lied to constantly in ways that
| hurt our self esteem, break our concentration, introduce
| us to new fears and angers: the exact intention of which
| is to create problems for us so that it can persuade us
| that giving them money will solve our problems.
| Advertising tells us our partners aren't hot enough, we
| aren't cool enough, our houses aren't big enough, our
| cars aren't fast enough, that we aren't doing enough for
| X cause. It tells us that our financial future is
| insecure, that we're missing out, that we're at risk for
| disease, floods, and car accidents. If a parent or
| partner told us these things, we'd call it emotional
| abuse, but from advertisers it's both accepted and
| commonplace. And it affects us deeply: we're
| overmedicated, overfed, overworked, and over-indebted.
|
| And that's just the direct effects. When you consider the
| kinds of content that advertising funds, it's almost
| universally harmful. News that prioritizes clicks over
| information by inciting anger and fear. Informational
| resources that avoid speaking truth to power because
| power advertises. Social media that courts flame wars,
| conspiracy theories, and echo chambers because they all
| provoke engagement. Everything advertising funds is fast,
| shallow and emotional, because slow, deep and rational
| doesn't promote clicks.
|
| Why even look for a compromise here? Easy to spot ads
| aren't better: they're still people shoving a lie in our
| face. There's nothing of value here. Ads are a tumor:
| even if we can find some part of it that's benign,
| there's no part that shouldn't be excised.
| amelius wrote:
| On top of that, ads stimulate overconsumption.
|
| Also, they distort the free market (not the best product
| wins, but the one with the biggest advertising budget)
|
| And they often target young children.
|
| The only reason ads exist is because countries measure
| the success of their economies by how much is consumed.
| blooalien wrote:
| > ... "get to the actual point, and target mass surveillance
| and collection of huge troves of personal data no matter the
| purpose."
|
| This! Exactly this!
| pjerem wrote:
| Yeah but what is a leak ? Do you consider it a leak when a data
| transfer to another company is intentional ?
|
| Companies like Google are probably secured like fortress and
| will probably not leak data anytime soon (lets hope) so your
| idea wont have any effect against giants that takes security
| seriously.
|
| However, I really like your point and you'll probably have a
| good side effect on middle size companies. But giants are a
| giant part of the problem.
| pasabagi wrote:
| Well, my suggestion is kind of aiming to be as pragmatic and
| unambitious as possible, so the fact it doesn't have an
| effect against giants who spend a lot of money on security is
| part of the pragmatism - it means you split the opposition a
| bill like this would face. The big companies would see it as
| a way to expand their moat, and so, they'd probably lobby for
| it, or at least, you could convince them not to lobby against
| it.
|
| If you can build a big coalition of people for whom privacy
| is something important, then you can start making ambitious
| policy proposals because you'll have the voters to back it
| up. Before that point, I think you have to try for easy wins.
| inetknght wrote:
| > _Yeah but what is a leak?_
|
| Any time someone who's not me or a direct party to a
| transaction or conversation learns something about me then
| that is a "leak".
|
| > _Do you consider it a leak when a data transfer to another
| company is intentional?_
|
| If I do business with my bank then the bank should have no
| right to sell my information to a third party for any reason
| whatsoever.
|
| If I do business with my hair stylist then the credit card
| processor should not have any right whatsoever to do anything
| with the facts:
|
| - where was the hair stylist? That's private.
|
| - who was the hair stylist? That's private.
|
| - when was I at the hair stylist? That's private.
|
| - what did the hair stylist sell? That's private.
|
| - why did I go to the hair stylist? That's private.
|
| Nobody except my hair stylist and myself should have this
| information.
| jefftk wrote:
| _> someone who 's not me or a direct party to a transaction
| or conversation_
|
| It sounds to me like this definition strongly promotes
| consolidation. The bigger a party is, the more information
| it would be allowed to have and the more ways it can use it
| to cross-sell.
|
| _> If I do business with my hair stylist then the credit
| card processor should not have any right whatsoever to do
| anything with the facts..._
|
| Should the credit card company be allowed to use the
| information about your transaction to assess how likely it
| is that someone has stolen your card?
| inetknght wrote:
| > _Should the credit card company be allowed to use the
| information about your transaction to assess how likely
| it is that someone has stolen your card?_
|
| I've been called by the credit card company many times
| for failed transactions that I've authorized. When fraud
| did occur then I was not contacted by my card company and
| I had only noticed the fraud because I actively monitor
| my card.
|
| The credit card company should be able to determine what
| it wants without providing the information to any other
| entity. No, I do not think that the credit card company
| should be permitted to sell the information about my
| transaction under the guise of determining how likely it
| is that someone has stolen my card.
| jefftk wrote:
| _> I 've been called by the credit card company many
| times for failed transactions that I've authorized. When
| fraud did occur then I was not contacted by my card
| company and I had only noticed the fraud because I
| actively monitor my card._
|
| Yes, credit card antifraud has both false positives and
| false negatives. It's not clear to me whether you're
| going from there to saying that it is useless?
|
| _> I do not think that the credit card company should be
| permitted to sell the information about my transaction
| under the guise of determining how likely it is that
| someone has stolen my card._
|
| I think I misunderstood you earlier. When you wrote "the
| credit card processor should not have any right
| whatsoever to do anything with the facts..." I thought
| you meant that they shouldn't be allowed to use the
| credit card data to do anything, including fraud
| prevention, not just that they shouldn't be allowed to
| sell it?
| alisonkisk wrote:
| Are you also going to make gossip illegal?
|
| Are customer reviews going to be illegal?
| pomian wrote:
| This is what happened with pollution. Leaks were common. But it
| cost to fix. Then regulations came in to fine any leakage. It
| works, but is always the lowest priority for any company.
| Because it's a profit drain not profit growth.
| zwkrt wrote:
| Facebook et al want the privacy discussion to revolve around
| "keeping your personal data safe" but that is just bald-faced
| propaganda that covers up the fundamental issue. It's not like
| Facebook's digital model of my behavior is really "mine" and
| they are just borrowing it or protecting it. They don't even
| care about my data in the singular.
|
| What they do have is a giant corpus of behavioral data spanning
| everyone on the planet. Companies can (statistically) detect
| that you are going to get a divorce, or that you are going to
| be pregnant. They know everyone who has been to jail, our
| sexual fantasies, how likely it is that our children will go to
| college.
|
| Right now we say they sell ads, but you could just as correctly
| say that they take advantage of this incredible, unprecedented
| information advantage to directly change the world in their
| favor and in the favor of whoever can pay. It used to be used
| to sell clothing and frippery, but already SM is plastered with
| ads for political campaigns and brain-altering drugs. Their
| cultural hegemony will only increase over time, as the data
| gets better and the methods become more effective.
|
| In this regime, what does it even mean for Facebook to "leak my
| data"? If anything I'd rather it was out in the open. (Although
| I'd much rather it didn't exist!)
| cartoonworld wrote:
| I don't think that's gonna cut it, but definitely on the right
| track. Its going to require some kind of legislation, or an
| insurance requirement that renders the insurers as de-facto
| regulators. This is still crazy hard due to the possibility of
| regulatory arbitrage, just open shop in Anguilla or wherever.
|
| Without the auditing, compliance, and domain experts to verify
| and implement this, its going to be extremely hard to create
| and levy these penalties in any meaningful way. Using (legally)
| vague terms like "leak" "personal" "data" and "involved", a
| quick trip to the local courtroom will obviate a lot of the
| fines for well connected C-execs and legal teams.
|
| Data integrity needs to be baked into the equation from the
| start. Until it is a business requirement to ensure proper
| system architecture practices, data integrity, and auditing, I
| don't see a snowball's chance of reaching sanity. Really, we've
| only barely defined the problem. Businesses have compliance
| departments that are totally subservient to business needs and
| would much rather resort to gaslighting stakeholders with
| silver-bullet checkbox security technology processes shaded in
| at the board room.
|
| On the other side, we are now ushering in a fascinating golden
| age of the security rodeo. There is astonishing growth in this
| industry, enjoy unending contracts for Red and Blue alike. It
| could soon really begin to look like a Gibson novel.
| shkkmo wrote:
| The problem is it is not easy to asses the security risk of
| small businesses in a cost effective way for insurance
| companies. It's really hard to come up with a set of
| regulations here that protects users data and doesn't
| completely disadvantage startups and small businesses.
| cartoonworld wrote:
| Well, in this instance I would argue that the current state
| of affairs also completely disadvantages startups and small
| businesses.
|
| Kaseya has a whole portfolio of services marketed to small,
| medium and startup business (as well as larger) that their
| customers bought in order to enable them to leverage this
| business model in the first place. They've since burned
| countless providers, torching their relationship with
| customers, shutting down countless businesses of all sizes
| all across the planet. What is the cost to them of this?
| Worst case scenario, they fold and change the sign. The
| people in charge of not screwing up will be snatched from
| doom by their network. I would hope they do better next
| time, but why would that be any more likely than just
| another over par round of golf?
|
| I definitely agree that it is not easy to asses the
| security risk of small businesses in a cost effective way
| for insurance companies or to develop some kind of
| regulatory structure.
|
| The alternative to not doing this is accepting this
| unstable chaos-monkey in perpetuity. If there is no
| business requirement for effective controls, there wont be
| any.
|
| Kaseya's people can walk and start another tire fire and
| surely everyone else will sweep up and move on, but these
| problems are everybody's problems. There is no IT
| infrastructure that does not require effective controls.
|
| If we don't improve this problem, things are gonna get
| _weird_.
| shkkmo wrote:
| I agree and just because something isn't easy doesn't
| mean it isn't worth the effort to get right.
| ClumsyPilot wrote:
| We do not regulate how a coffee shop does accounts in the
| same way we regulate a bank.
|
| Many regulations only apply to companies bigger than 50
| employees, more than billion of turnover, data on over 1
| million people, etc. Or in a spesific market.
| alisonkisk wrote:
| > open shop in Anguilla or wherever.
|
| That doesn't grant a GDPR exemption. The "shop" still
| operates in jurisdiction.
| kerkeslager wrote:
| Would any of the people who downvoted my post[1] without comment
| care to explain why?
|
| [1] https://news.ycombinator.com/item?id=27761401
|
| EDIT: Didn't think so.
| tqi wrote:
| It's an unworkable idea.
|
| What is an ad, exactly? You cite Consumer Reports as a model -
| they have affiliate links on their reviews. Is that an ad? Is a
| sponsored social media post? A celebrity endorsement? Free
| products given to athletes in the hopes that they will be seen
| using it? Logos on clothing? Is the standard just "I know it
| when I see it"?
|
| Also (in the US) it almost certain runs afoul of the First
| Amendment.
| kerkeslager wrote:
| > What is an ad, exactly? You cite Consumer Reports as a
| model - they have affiliate links on their reviews. Is that
| an ad?
|
| I agree that Consumer Reports does include some advertising,
| but it's not necessary for their business model to work--
| consumer reports predated the internet by over 50 years, so
| it certainly predated affiliate links. At least at some
| points their primary source of income was subscriptions, and
| judging by how hard it is to get at most of their reviews
| without a subscription, that continues to be a significant
| revenue stream for them.
|
| > Is a sponsored social media post? A celebrity endorsement?
| Free products given to athletes in the hopes that they will
| be seen using it? Logos on clothing? Is the standard just "I
| know it when I see it"?
|
| While I agree that we need a clear definition of an ad to
| encode this to law, I don't buy this feigned confusion as a
| valid argument that we can't or shouldn't legislate against
| ads. _Obviously_ we need to work out a clearer definition
| than "I know it when I see it" to legislate effectively, but
| it's absurd to claim that I need to present a fully-written
| legal code in order to present a valid opinion on Hacker
| News.
|
| We may disagree about free products given to athletes in the
| hopes that they'll be seen wearing them, for example. But if
| you claim not to know that a 30 second video clip in the
| middle of your TV show telling you that you should drink
| Budweiser to pick up chicks is both an ad and a harmful lie,
| you're not arguing in good faith. This argument is just
| throwing FUD about implementation details: you're not
| responding in any way to my statement of the problem, or
| presenting any fundamental criticism of my proposed solution.
|
| The first implementation of this law wouldn't be perfect.
| We'd need to iterate on it. But even a ban against a very
| narrow definition of ads would be extremely beneficial.
|
| Since you haven't even disagreed with my statement of the
| problem, perhaps you agree that advertising is bad, and would
| like to draft some sample legislation that solves that
| problem to your satisfaction?
|
| > Also (in the US) it almost certain runs afoul of the First
| Amendment.
|
| While current judicial precedent defines corporations as
| people, that's clearly a terrible mistake. Corporations
| aren't people and as such the first amendment does not apply
| to them. Yes, I know, there's some grey area where
| restricting the rights of corporations might restrict the
| rights of individuals: remember what I said about
| implementation details?
|
| Overturning judicial precedent is a legal hurdle to get over
| to get rid of advertising, but it isn't a logical problem
| with the solution. Just because something is difficult to do
| doesn't mean it's not worth doing.
| tqi wrote:
| > But if you claim not to know that a 30 second video clip
| in the middle of your TV show...
|
| The obvious cases are not what make this unworkable, it's
| the edges. Is a paid product placement an ad? Is simply
| furnishing clothes for the actors to wear on set an ad?
| Your original suggestion was that this letter didn't go far
| enough, and that we need to ban advertising altogether. But
| it actually seems like what you actually mean is that some
| additional forms of ads you find objectionable should be
| banned.
|
| I personally have no problem with ads if it means I don't
| have to pay for stuff with money. But you asked why people
| downvoted you, and that was my answer.
| only_as_i_fall wrote:
| Opposition to online surveillance always makes me wonder why
| nobody has attempted to create adversarial browsers or plug-ins.
|
| I'm not aware of how difficult it would be technically, but
| wouldn't a good solution to be simply throw troves of noise at
| Google Amazon and Facebook to drown out the actual signal?
|
| For example, how valuable would online advertising even be if 20%
| of all users were continously clicking through the ads and
| opening the landing pages in a virtual browser that the user
| never even sees?
|
| What about opening every search result at random and simply
| closing the page again after a few seconds?
|
| Is there some reason this kind of idea is infeasible or illegal?
| pavel_lishin wrote:
| > _if 20% of all users were continously clicking through the
| ads and opening the landing pages in a virtual browser that the
| user never even sees?_
|
| Those adoption figures are wildly, _unreasonably_ optimistic. I
| doubt you could get 20% of HN readers in this thread to install
| such an extension; you 'd be lucky if you got 2%.
| only_as_i_fall wrote:
| Probably, but IIRC that's about how many users are estimated
| to run ad blockers which was the basis.
|
| Obviously less people care about privacy than care about
| intrusive ads, but if such features were combined you might
| get momentum.
| hpoe wrote:
| People actually have created adversarial browser extension
| checkout AdNaseum (https://adnauseam.io/) which will click
| every single ad on a page, as well as acting as an adblocker
| that is based on ublock.
|
| In addition the TrackMeNot (https://trackmenot.io/) extension
| will randomly create search requests in the background
| constantly generating useless noise.
|
| If you combine them you get a wonderful situation where random
| searches are performed and then all the ads on the search
| result are clicked. I've currently clicked on 2210 ads today
| while just having it open in another tab on my browser.
|
| Join the fight my friends.
| alexashka wrote:
| Why not go to the logical conclusion and ban advertising?
|
| Why not have a yellow pages of cool stuff with proper discovery
| mechanisms instead. Anyone who's interested in new stuff can go
| and see what's new, what's happening, like reading the news.
|
| Remember when you'd check the app store on your phone for cool
| stuff? Just have that, for everything.
|
| Advertising is mind pollution, it's exhaust fumes for your mind
| and it's a giant industry that wastes everyone's time playing
| zero sum games too, ugh.
| kerkeslager wrote:
| Frankly, I don't think this goes far enough: "Ban advertising"
| would be better.
|
| Almost every problem with the internet right now is caused by
| advertising if you dig through the chain of causality. From
| social media patterns that addict you to conflict and conspiracy,
| to popups, adware and spam, to constant attacks on our attention
| even when we're driving and could literally kill someone with
| inattention, to spreading dissatisfaction, fear, and poor
| financial advice, advertising is the root of much evil. And at
| its core, advertising is just never a good thing, in any context.
|
| Proponents of advertising will say, "How do people find out about
| products and services?" but advertising is an extremely poor
| answer to that question: there's an inherent conflict of interest
| when the people selling a product are the primary source of
| information about the product. In the worst case, this leads to
| advertisers just lying to consumers and manipulating people's
| emotion. In the very best case, advertisers present information
| only about their own product, which doesn't allow consumers to
| make educated decisions--it's arguably not lying but the effect
| is the same. You might say, "Why would advertisers be obligated
| to provide information about competitors?" and you're right, they
| aren't, but we aren't trying to establish blame or responsibility
| here, we're trying to find a solution that's good for consumers,
| and advertising just isn't that.
|
| A better solution is independent review sites. Consumer
| Reports[1] is a paid service, so you aren't the product. More
| specialized sites exist for all sorts of product areas: I'm a
| rock climber, and when I want a new piece of rock climbing gear,
| the first places I look at are Outdoor Gear Lab[2] and Weigh My
| Rack [3]. There's Labdoor[4] for supplements, Psychology Today[5]
| for therapists, WireCutter[6] for electronics, etc. But even here
| advertising has poisoned the water: many of these sites receive
| compensation from sellers, not from buyers, which has resulted in
| some dark patterns. It's not a perfect solution, but it would
| work a lot better if advertising were banned, and these conflicts
| of interest were removed.
|
| Another solution is simpler and older, and it's exactly what I
| was doing in my previous post: word-of-mouth. That's arguably one
| of the best solutions, because while it's low-bandwidth, it's
| high fidelity: people don't go out of their way to promote a
| product unless it was actually quite good for them.
|
| The other thing proponents of advertising will say is that
| advertising is necessary to fund existing sites, particularly
| content sites. On Hacker News, this often comes from someone who
| makes their money from advertising, directly or indirectly.
|
| The thing is, the idea that people only produce content or
| software when it's profitable to do so reflects a very narrow
| view of the world. It's just not true. I'm old enough to remember
| the internet of the 90s, and in that time the internet was _full_
| of resources which were simply given away for free without
| advertising, which I 'll refer to roughly as "old internet". Many
| old internet resources have yet to be reproduced in the new
| internet: Sheldon Brown's page[7] is _still_ the best resource on
| bikes (the advertising was added after his death). Erowid[8]
| remains the most comprehensive resource on drugs. Sites like
| Wikipedia have somewhat drunk the advertising poison--and were
| better before.
|
| And that leads me to my third reason advertising should be
| banned: it's infectious. Advertising is Scott Alexander's
| Moloch[9]--if one entity does it, then all their competitors have
| to do it in order to compete. The entire purpose of the free
| market is supposedly that it results in the best outcomes, but
| this is clearly a hack that prevents that from happening: we want
| companies to compete by producing the best goods and services at
| the lowest cost, but when you allow advertising, companies can
| (and do) compete by manipulating consumers into buying inferior
| goods at higher costs. Advertising is an anticompetitive business
| practice that undermines the entire purpose of a free market.
|
| Banning advertising is only a bad thing for bad companies: good
| companies would only stand to benefit. Banning advertising would
| free good companies to spend their resources on producing the
| best products and services at the lowest cost: every cent
| companies spend on advertising now is wasted money. Sure, some
| companies would go under without advertising. Good riddance: if
| your company can't sell products and services without ramming
| them down consumer's throats, your products/services aren't of
| value.
|
| Contrary to the advertiser's paternalistic views, the efficient
| market hypothesis means that people understand their own problems
| and can find solutions to them without your help. The world would
| be better off without advertising.
|
| [1] https://www.consumerreports.org/cro/index.htm
|
| [2] https://www.outdoorgearlab.com/
|
| [3] https://weighmyrack.com/
|
| [4] https://labdoor.com/
|
| [5] https://www.psychologytoday.com/us/therapists
|
| [6] https://www.nytimes.com/wirecutter/
|
| [7] https://www.sheldonbrown.com/
|
| [8] https://www.erowid.org/
|
| [9] https://slatestarcodex.com/2014/07/30/meditations-on-moloch/
| jimbob45 wrote:
| You need _some_ amount of advertising. If you invented the cure
| for AIDS tomorrow, how are you going to tell everyone about it?
| Word-of-mouth works, but only so far. Perhaps over time, people
| will naturally Google "cancer cures" but will your business
| still be solvent by then?
|
| If you want to talk about leveling the playing field, you have
| to be more strategic with your legislation. Don't ban
| advertising. Ban spending on advertising above some limit. No
| one benefits from Coca-Cola showing yet another commercial on
| TV other than the commercial producers - society certainly
| doesn't benefit though. Make companies spend their ad dollars
| wisely.
| kerkeslager wrote:
| Keep in mind that downvotes without explanation are likely
| coming from people on Hacker News whose income comes from
| advertising.
| tehjoker wrote:
| Capitalism requires advertising because it needs an accelerant
| of consumption. If consumption stagnates, a capitalist economy
| enters a financial crisis that can result in the system's
| overthrow.
|
| I am for banning advertising on its merits, to slow the growth
| of consumption for environmental reasons, and because I believe
| capitalism is a harmful system that should be replaced.
| hungryforcodes wrote:
| Ban surveillance everything.
| hungryforcodes wrote:
| I wish that was a moto.
___________________________________________________________________
(page generated 2021-07-07 23:00 UTC)