[HN Gopher] Open letter: Ban surveillance-based advertising ___________________________________________________________________ Open letter: Ban surveillance-based advertising Author : velmu Score : 385 points Date : 2021-07-07 08:51 UTC (14 hours ago) (HTM) web link (vivaldi.com) (TXT) w3m dump (vivaldi.com) | mdp2021 wrote: | The problem is with the match of partial virtual profiles with | individual-specific identities. | | That A uses a profile to visit www sites about code optimization, | leisure mathematics, statistic software and StackOverflow, and | commercial information about some IDE is shown, that may be | welcome. | | That A uses another profile to visit www sites about baking | cakes, nutriment science and ethnic restaurants, and information | about some IDE is shown, that is unwelcome as an understatement. | | That A is Adrian Oberweller of Tamaxa, MT and his individual- | specific identity is associated with his private concerns, that | is "you must be joking" swinging at the edge between dystopia and | ridiculous. | falsaberN1 wrote: | This makes me think. | | What happens when partial profiles are matched to the wrong | person? Like, it's very likely these systems are going to match | different people in the same household/network because... how | can they even separate different people with different | interests and a single person using many profiles? | | I suspect all our "valuable user data" is tainted by default | and its monetary value is an illusion. We do know that the | systems are overzealous, and the algorithms driving those | systems are far from perfect (and in case of ML models, high | chances of it being non-deterministic, to boot). | | A friend recently got some of those ISP copyright strikes | because the fiancee of his sister got relocated to his house | for a few days and decided to leech from the network to | download some AAA videogames. Of course the strikes were to my | friend's name, because they have no way to know some stranger | did it instead. | | I can easily see my data profile saying I'm into horoscopes and | that voodoo because my mother browses that stuff all day from | the network assigned to my name. I'm sure there are attempts to | defeat incognito/private tabs by bundling all "indecisive" data | to the main profile in a given IP, so a large household can be | a completely schizophrenic data profile with data mixed from a | lot of users in that household. Imagine someone in your house | has been using some extremist or taboo site. If that data is | mixed up with yours, and a person with bad intent wants to take | advantage of leaked data they obtained on you...they have a | pretty strong weapon to assassinate your image. "You can't deny | it, it's in the data. Your cousin did it? Oh what an ignoble | attempt to save your butt, how lowly!". Since you have no way | to plausibly deny it, it can be a strong blackmail weapon. | Maybe stronger than medical data leaks in this weirdly | political climate we got now. | pjerem wrote: | > Of course the strikes were to my friend's name, because | they have no way to know some stranger did it instead. | | For the anecdote, in France, we have a pretty stupid law | (that was pushed by our really strong culture industry | lobbies) where you can be pursued for downloading copyrighted | content but also for not having secured your home network | hardly enough so you can't argue that's it's your neighbor | over your wifi. | | But it's only a little part of what our culture mafia | achieved here, we also have to pay a tax on every device with | storage that is redistributed to << copyright owners >>. | falsaberN1 wrote: | We have the same tax here. Pretty insulting when I'm a | content creator myself (and I'd never pirate the artists | it's protecting, I think they are all _terrible_ ), but not | many ways left to import without bigger costs (customs). | ColinHayhurst wrote: | Cohort based targetting such as FLoC, PARAKEET and ATT will | further embed the power of Big Tech. But I'm sure the HN | community realizes this. | | The question is: in the face of GAFAM moats and large lobbying | efforts, how else might these coalitions and smaller/emerging | companies get regulators' attention? | | Disclosure: we are part of this coalition of 14 businesses | offering browsers, search, mail, analytics, and other web | services and add our view here as a search engine | https://blog.mojeek.com/2021/07/time-to-ban-surveillance-bas... | eivarv wrote: | More context: https://www.forbrukerradet.no/side/new-report- | details-threat... | ColinHayhurst wrote: | And HN discussion on that: | https://news.ycombinator.com/item?id=27619030 | apatheticonion wrote: | Physical storefronts have over time learned how to optimise their | presentation to achieve higher conversion. Initially it was | experimentation with layouts, with time they added cameras which | helped understand customer behaviours. | | This expertise is commonly outsourced to physical marketing | companies who dispatch "merchandisers" to your store to help | optimise your layout to fall in line with the layouts they have | designed based on the experience they have doing this for many | different stores. | | Some companies would actively seek out target customers, give | them cash to conduct surveys for market research. | | The barrier to retail taking this to an extreme is physical | obstruction and money. It takes time to experiment with layouts, | you have to pay people for their insight. It isn't practical to | have a Moogle which has cameras analyzing most physical | storefronts around the world. | | It's a really complex issue as online retailers do make money | from online advertising companies and it often matters to them, | but the proliferation of the chosen advertising providers few | means that everywhere you go they have a presence listening for | your user actions. | | With that said, these companies don't really want to know you, | they just want to ensure they are able to serve relevant ads to | someone like you. Collecting personal data is a consequence of | there being no other way to group data into uniquely identifying | profiles and get those insights on the interests of those | profiles. | | More often, these companies explicitly don't want to know you. | Personal information is a massive liability. | | Attempts to anonymise the data are difficult as you will need | some kind of unique primary identifier, but you can infer a lot | about an identity from seemingly unimportant things like browser | resolution. | ashtonkem wrote: | They don't want to know us, but they appear to have very few | limits on what they're willing to do to sell ads. So far we're | basically counting on our interests and theirs being | coincidentally similar, I would not bet on that in the long | run. Better to handcuff them before they decide that doing | something incredibly unseemly is necessary for ad sales. | bordercases wrote: | > More often, these companies explicitly don't want to know | you. Personal information is a massive liability. | | Data accrued can be sold as an asset to other firms which don't | directly compete with the firm that accrued the data, or even | compliment the value prospect of that firm. Amazon to US Gov. | Search engines to banks. Facebook to Linkedin. Etc. | | This increases the threat surface that your data creates, | beyond whatever firm you think you can trust for having mundane | motives. | natmaka wrote: | > Physical storefronts ((...)) with time they added cameras | which helped understand customer behaviours. | | R. Doisneau, a French photograph, may have in a way be a | precursor | https://www.christies.com/lot/lot-4572128/?intobjectid=45721... | | > you can infer a lot about an identity from seemingly | unimportant things like browser resolution | | Oblink: EFF's "Cover tour tracks" | https://coveryourtracks.eff.org/ | derbOac wrote: | One thing I've wrestled with with the rise of online news and | its effects on physical newspapers is how much I miss certain | things about the physical newspapers. I don't miss the physical | format, but I do think the old-school paper newspapers were | much more enjoyable to read than most online equivalents. | | At some point I realized that one major issue is that | advertising in many of the paper copies was based around | content area: if I went to the performing arts section, for | example, it would be filled with ads for performing arts | events. I loved this as it was actually useful and informative | to me. I went to that section looking for performing arts, and | that's what I got. | | In online news, though, if I go to a performing arts, I don't | get informative, unintrusive ads for performing arts events in | my area, I get bombarded with random ads for things unrelated | to what I'm looking at. Even if, say, earlier in the day I was | looking for shoes, I don't want to see ads for shoes if I'm | browsing performing arts, I'm interested in performing arts. | | What you're talking about is a broader observation about | identification of individuals per se versus patterns of | interests and behaviors. However, I'd argue that a major | failure of online advertising (with very important exceptions, | including Google, DuckDuckGo, and many other places) is the | recognition that what matters for ads is interest at any given | moment, and not interests at any other time. I suppose someone | might say "but a good ad is something that gives you what you | are interested in even if you might not recognize it" but this | is really difficult to get right, especially given that my | interests in a given moment can shift from minute to minute. | | If I'm moving from, say, shoe shopping to, say, performing | arts, I'm deliberately moving my attention away from the former | to the latter. Showing me ads for shoes is something that's | specifically going against my current attentional goals. It's | like saying "hey Honey, I'm done in the kitchen and am going to | go into the garage to work on something" and then having some | random stranger show up and pull you back in the kitchen. | | This seems to be a fundamental screwup with a lot of online | advertising: the failure to recognize that I'm functionally a | different person from moment to moment, and when I move from | one page to another there's a reason for that. | | Email surveillance is maybe going even further in a worse | direction, in that it's even more decontextualized and time- | independent. Part of the brilliance of Google search ads, and | things like DuckDuckGo, is that they catch you exactly in that | moment when you're looking for something on a specific topic. | Newspapers and everywhere else needs to take better advantage | of that paradigm. Show me what I'm looking for now, don't take | a shotgun guess at what I might want based on what I was doing | in the past. | jefftk wrote: | _> Email surveillance is maybe going even further in a worse | direction, in that it 's even more decontextualized and time- | independent._ | | Are any major email providers still selling ads targeted by | the content of messages? | techlaw wrote: | It's doubtful that any of us are in a position to know if | they are or not. | | Let's assume, for the sake of argument, that 100% of major | email providers have stated they do not sell ads based on | email content. | | Next we have to either: take their word for it or have the | means to verify their claims. | | Taking their word for it is difficult because many major | email providers have a spotty relationship with honesty. | This issue of honesty is not necessarily very different | from other large corporations and in truth might be a | factor in what made them a large corporation in the first | place. | | (As First Baron Thurlow is claimed to have said: "Did you | ever expect a corporation to have a conscience, when it has | no soul to be damned, and no body to be kicked?") | | And so we would instead need the means to verify the claims | of these major email providers. I'm unsure of how to | reasonably do that. | | >Perhaps allow Qui Tam claims for privacy issues combined | with a statutorily defined "cost" for each false claim | instance? | | Qui tam allows, for example, private citizens to file suit | against bad-actor govt contractors in the name of the govt. | The "whistleblower" then receives a share of recovered | proceeds. | | Here, if a statutory "cost" was defined for every false | claim related to using the content of email messages (say | $1 per message) then this might provide a way to help | verify that the major email providers are being truthful in | what they claim regarding their use of content in messages. | | Email providers would know their employees are on the | lookout for a big payday and might honor their public | promises. And if they don't, a few large qui tam lawsuits | would quickly get their attention (or drive them into | bankruptcy). | Vinnl wrote: | > these companies don't really want to know you, they just want | to ensure they are able to serve relevant ads to someone like | you. | | "Relevant" is their PR-speak, but really it's just whether | you're in the desired target audience. If I target an ad that | discourages people from voting to vegetarians or people who | like Fox News, that ad is not necessarily more relevant to | them. | JumpCrisscross wrote: | Do we have a good proposed legal definition of surveillance-based | advertising? | criddell wrote: | I think it's advertising targeted to a group (where a group | size of one is an individual). | | Some of the unintended side effects (which aren't necessarily | bad) include ending virtually all store loyalty programs. | jefftk wrote: | I think this is quite tricky to pin down. For example, consider | an e-commerce site like Amazon. They know your purchase | history, reviews you've given or liked, and products you've | viewed or put in your shopping cart but not purchased. Which | information about your history would they be allowed to use to | show you products you might be interested in buying? | | They also have lots of information about users in aggregate | ("people who bought this also bought x") which they got by | collecting data about their users. Can they use this? | blooalien wrote: | Personally, I'm not bothered by Amazon doing this _on their | site when I 'm there_, and I even disable my adblocker _on | Amazon but limited to Amazon_ because I 'm _there to buy a | product or service_. Advertising at me if it doesn 't get in | the way of that quest is appropriate there. | | Covering my entire webpage I'm trying to research _something | else_ at with a full-page Amazon ad for a product I _already | bought_ just because I expressed interest in that product by | _buying it_ is _not_ okay. Thus, I block all ads elsewhere to | avoid that sorta thing. | | Works pretty well for me, but it's sad I should have to jump | through as many hoops as I have to to avoid such crapware | being forced upon me. Ads I'm not wanting literally _steal_ a | portion of my allotted bandwidth and give me _less than zero_ | value in return. Perhaps advertisers should start _paying us_ | for our valuable time, attention, and bandwidth? | jefftk wrote: | _> Personally, I 'm not bothered by Amazon doing this on | their site when I'm there_ | | You may not be, but this is within what they cover in the | report Vivaldi is recommending: | https://www.forbrukerradet.no/wp- | content/uploads/2021/06/202... (it's a good read, and there | are a lot of things they object to even with only first- | party tracking) | | _> Perhaps advertisers should start paying us for our | valuable time, attention, and bandwidth?_ | | They don't pay you directly, but they pay the site you're | visiting, and in most cases that's why the site is able to | afford to create the content you're reading and show it to | you for free. | blooalien wrote: | > ..."<link to pdf report> (it's a good read, and there | are a lot of things they object to even with only first- | party tracking)" | | Edit: It _is_ a sorta good read... Just be nice if these | sorta situations could more easily find some kinda valid | balance instead of always escalating outta control to | both extremes until laws have to get made... Lawmakers | are rarely to be trusted to get these sorts of situations | right anymore... | | I've been using the Internet and networks long enough to | understand how this stuff works. There's a certain degree | of tracking that is _literally unavoidable_ (without | semi-extreme measures like TOR for one example at least) | simply by the nature of how networks work. I know that by | using any service online at all, I 'm necessarily parting | with some data about myself. Any data that's collected in | that transactional networking sense I'm kinda largely | okay with because it's just part of how things work by | their very nature. | | The stuff that bothers me is the excess of spyware, | hundreds of kilobytes of tracking scripts, invisible | pixels, browser fingerprinting, and other shady junk | that's been bolted on by advertisers with no concern | whatsoever for any harm it may bring to the network, the | consumers, or often even themselves, as long as they make | enough to cover the costs and make a profit. I understand | the logic of it, but I don't necessarily agree with it in | many cases. For me it's really all about how respectfully | the entire situation is handled. Advertise at me in | respectful ways, you probably don't get blocked (at least | by me). Abuse me in _any_ way, and I tend to get uppity | with my adblocker and start thinkin ' hard if I even | _need_ your site or service at all. | | > "They don't pay you directly, but they pay the site | you're visiting, and in most cases that's why the site is | able to afford to create the content you're reading and | show it to you for free." | | See, the sites that aren't _abusive_ with their | advertising though actually find their way out of my | adblocker for that _exact_ reason. Because I 'm fine with | them making money ethically. Sites/services that | implement _abusive_ advertising practices not only get | the ads blocked, but often get themselves blocked out of | my "sites of interest". ;) | matheusmoreira wrote: | If it collects _any_ data at all, it 's surveillance. Anything | else is a loophole. | tomjen3 wrote: | That is nearly impossible to avoid. Go to your local store | enough times and they might remember you, even when no data | is retained at all. | scotu wrote: | do you mean the people at the store remember you? kinda | different than collecting data and deploying it across the | whole internet wouldn't you say? | jefftk wrote: | The person running the store remembering you and treating | you differently based on your history is within what | they're covering here, yes. In the report that Vivaldi is | recommending (https://www.forbrukerradet.no/wp- | content/uploads/2021/06/202...) they consider both first- | party and third-party tracking to be part of | "surveillance-based advertising". For example, a site | showing ads for users based on what topics they tend to | view weighted by how much they interact with each one. | There's nothing about having to "deploy it across the | whole internet" before it counts; activity on a single | site is still (described as) surveillance. | scotu wrote: | still, this seems more like in the physical store you | getting tracked with cameras, reward cards and so on and | things getting rearranged on the shelves etc. just for | you. I consider this surveillance. | | I consider it less surveillance-y if a single employee is | remembering me. Although I do sometime wish I could | delete some embarrassing moments at the store, but I | guess, as long as they don't gossip about it between | employees... :) | convexfunction wrote: | You're betting this definition wouldn't have any serious | unintended consequences? | | A hypothetical example: suppose it becomes a legal nightmare | to have even heavily censored webserver request logs retained | for any period of time if your company does any advertising | at all. That is, even if you have no intent or even ability | to use those logs for advertising purposes, it might be a lot | of work to prove that to the law, unless you take the | hopefully-easier route of literally never advertising. "Boo | hoo, companies have to prove they're not breaking the law", | you might say; as is usually the case with these kinds of | regulations, demonstrable compliance might be totally | practical for bigger companies but a massive barrier for | smaller companies, which on the margin means the difference | between success and failure for quite a few businesses that | would've otherwise created a lot of value. | | That specific scenario probably wouldn't happen, I hope, but | that's far from the only plausible failure mode! I would like | to believe that we can figure out a good definition with | relatively little value destroyed in the fallout if a law | like this comes into effect, but it's almost certainly not | going to be a single sentence. | [deleted] | JumpCrisscross wrote: | > _If it collects any data at all, it 's surveillance_ | | Great, we just banned TCP. | 411111111111111 wrote: | Exposing is not the same as collecting though... | | I'd definitely consider a system which collects all | information that are exposed in a TCP stream a surveillance | tool | swiley wrote: | That's why we have TOR. Which allows you to use TCP without | revealing the two TCP endpoints to anyone else. | jefftk wrote: | Let's say a streaming music service collects information on | what you have listened to and how long. Is that surveillance? | What if they use it to back a page where you can see what | you've been listening to recently? If they start recommending | new artists based on your listening history? | charcircuit wrote: | The report defines it as | | >In this context, we use the term 'surveillance-based | advertising' as a blanket | | >term for digital advertising that is targeted at individuals | or consumer | | >segments, usually through tracking and profiling based on | personal data. | | This is ridiculous. If I am trying to advertise an Elixer IDE, | then I don't want my advertisements shown to any random person | on the internet. The majority of users on the internet are not | even developers. I want to be able to advertise to a consumer | segment which consists of people who are interested in Elixir. | "Surveillance" is essential to internet advertising. | tomjen3 wrote: | That shouldn't be that hard. Doesn't Elexir have a forum, | user groups or other place where people self-select for | interest in that? | | Surely you can buy ads in subreddits, or on specific tags on | Stack Overflow? | eivarv wrote: | Maybe not, but you could show it to people whose context | reveal that they might be interested - e.g. searching for | "IDE" or "Elixir", reading about developer tools, etc. | | This is known as contextual advertising. | | Surveillance is not essential to internet advertising - in | fact neither ROI, effectiveness or perceived relevance (when | compared to all alternatives, including contextual | advertising) has never been proven. | Nursie wrote: | > This is ridiculous. If I am trying to advertise an Elixer | IDE, then I don't want my advertisements shown to any random | person on the internet. | | > I want to be able to advertise to a consumer segment | | This sounds like a _you_ problem. | | And _you_ shouldn 't get to push surveillance on me to solve | it. | | I don't want to be advertised at _at all_ , let alone be | stalked round the web so you can do it better. | | I don't care at all that any advertising I see might be | better targeted, it's all an annoyance as far as I'm | concerned anyway. The idea that I should be happier if I'm | getting 'relevant' ads, like I should thank you for | surveilling me so you can spam me better, is absolutely | laughable. | ashtonkem wrote: | And I don't want you to know my means of employment online. I | believe that my right to privacy trumps your economic | interest. | indigochill wrote: | > If I am trying to advertise an Elixer IDE, then I don't | want my advertisements shown to any random person on the | internet. | | The definition in the report is poor. Yes, you always need to | advertise to a segment. No, you don't have to spy on users to | do it. | | How? Make a website about something and select advertisements | that are relevant to the sort of people who are probably | interested in the topic of the website. ReadTheDocs has | already spun off an ad business that advertises tech stuff to | readers of ReadTheDocs because it's reasonable to assume that | is the audience that is perusing ReadTheDocs pages. | charcircuit wrote: | >No, you don't have to spy on users to do it. | | Assuming you are running an ad network you kind of have to | in order to prevent ad fraud. Also by reducing that data | you know about someone's interests is the knowledge that | they have visited a site at least you will not be able to | pick as good of an ad compared to if you had more data. | indigochill wrote: | What's the fraud scenario? Page owners presenting | fraudulent visitor/click-through numbers to advertisers? | | In that scenario, it seems like advertisers would pick up | on that pretty quickly when they realize the conversion | rate on that supposed traffic is terrible and doesn't | warrant the inflated price. In the case they're using an | ad network, the network could ban the page owner from | their network if they see this pattern from them. Since | page owners are materially benefiting from the network, | proof of identity should be (probably is? I don't work in | the space) applied between the page owner and network to | prevent repeat fraud via identity laundering. | | > you will not be able to pick as good of an ad compared | to if you had more data. | | In theory I lean towards agreeing. I was arguing for | tech-powered hyper-personalized ads back when I was | studying advertising 2008-2012 (and did a bit of "stealth | marketing" in that period where I built relationships | with bloggers to share our product before the term | "influencer" had hit the mainstream vocabulary). | | In practice, advertisers do not personalize ads. Facebook | has become pretty good about selecting ads that map to my | interests thanks to the reach of their spy network, but | the ads themselves still aren't personalized at all (they | take my interests into account, but not my spending | history to realize that I don't have the budget for what | they're trying to sell me) and my conversion to a sale | because of them is still very, very low. | stevesearer wrote: | We sell and host our own advertising which is content- | based (office furniture ads on office design content) and | think it is a good solution. | | Instead of selling space by impressions or clicks, we use | length of time (monthly) and find it to be a good way to | prevent ourselves from trying to game impressions with | clickbait or clicks with fake users. | michaelt wrote: | _> What 's the fraud scenario?_ | | 1. Page owner / Ad network / Ad space auction market | middleman fakes clicks to get click revenue | | 2. Page owner's rival fakes clicks to devalue ad spots | | 3. Advertiser's agency fakes clicks to make numbers go up | | 4. Advertiser's rivals fake clicks, to waste advertiser's | budget | | 5. Ad networks 'accidentally' classifying legitimate | clicks as fraud, to reduce payouts to page owners. | b3morales wrote: | How are these mitigated by pervasive end user tracking | and surveillance? | Nextgrid wrote: | Sell ads based on time periods. "Your ad displayed here | for 1 week for this much $$$". Then the only thing that | matters is the ROI and it doesn't matter how many bots | have clicked on it. | charcircuit wrote: | This approach sounds much harder for an ad network to | pull off and sounds like it would add a lot of risk and | complication. For example, what if a web master decides | they don't want to have ads on their site anymore. | Whoever just paid for that space gets screwed. | Nextgrid wrote: | This can all be sorted by contracts? The ad network pays | out only after the ad has fully ran for 7 days, and if | the webmaster removes the ad or similar they don't get | paid and the advertiser gets refunded. Enforcing this is | trivial by the ad network or a neutral third-party | scraping the websites running the ads to confirm the ads | are displayed properly. | blooalien wrote: | > "This approach sounds much harder for an ad network to | pull off and sounds like it would add a lot of risk and | complication. | | Harder to pull off than advertising at people who might | actually _want_ to see the ads? More risk and | complication than the growing backlash against | advertising in general _entirely because_ of shady | advertising practices? More risk and complication than | having to keep track of various countries ' and states' | laws re; privacy? | | > "For example, what if a web master decides they don't | want to have ads on their site anymore. Whoever just paid | for that space gets screwed." | | Existing contract law already covers this in most places. | If you paid for ads to be displayed for a certain time | period and they are not, then there's been a contract | violation. | blooalien wrote: | That's actually the way _most_ advertising _used_ to work | before all this surveillance stuff started, and _still_ | the way it works with _some_ (ethical) advertisers. | danbruc wrote: | That is the problem of the ad network. If they have to | deal with fraud then find a way to solve this but not at | the cost of everyone. | charcircuit wrote: | The problem with abuse is not special to ad networks. All | sites (once they reach a certain size) have to deal with | it. Surveillance is needed to handle abuse of your | service. | danbruc wrote: | _Surveillance is needed to handle abuse of your service._ | | Provide one example that can not be solved without | surveillance. | charcircuit wrote: | Let's say you run a website with a sign on page. In order | to log in a user typically you will run the password | through an algorithm like argon2. Verifying a password | for an account consumes CPU resources. A malicious may | decide to DOS your site by just spamming this endpoint | with bogus password to make you waste your time. | | An easy fix with surveillance is to rate limit people | based off their IP address. Without surveillance though | there is not much you can do. Scale up your | infrastructure to try and out scale the attack? Implement | a global rate limit that locks regular users from being | able to sign in? | coder543 wrote: | An IP address being used in the course of providing the | service is not surveillance. That's like saying "Amazon | knowing where to ship my package is surveillance." It's a | bad argument, in my opinion. | | Regardless, consider a DDoS attack. If every new request | is coming from a different IP address, how do you | continue providing service to your legitimate customers | while blocking that malicious attack? Knowing the | attacker's IP addresses doesn't do you any good... | because they can just keep using new IP addresses, and | blocking the old ones doesn't do any good. | | This is where heavily surveillance-based systems like | Google CAPTCHA often come into play, and I have very | mixed feelings about those. | | There are some non-surveillance-based captchas like this | one[0] that I saw on HN awhile back, and I hope those | become successful. | | [0]: https://friendlycaptcha.com/ | charcircuit wrote: | >That's like saying "Amazon knowing where to ship my | package is surveillance." | | To complete the metaphor Amazon would use the address you | gave them to help improve their business in some sense | without asking you if it's okay. Similar to how web | masters don't ask if it's okay if they write what pages | we access into logs is okay. | | >Knowing the attacker's IP addresses doesn't do you any | good... because they can just keep using new IP | addresses, and blocking the old ones doesn't do any good. | | Then we should try to find any patterns with the traffic | that we can use to try and filter it out. This is a place | where fingerprinting is useful. | | >friendlycaptcha | | This just slows down bot spam instead of testing if | someone is a bot. Someone posting spam to your site once | a minute is still annoying. | coder543 wrote: | I've read your other replies to this thread and your | argument does not seem to be made in good faith. This | whole thread is about surveillance based _advertising_ | being bad. In no way is using an IP address in a firewall | a form of surveillance. It isn 't. The IP address isn't | being associated with any other data, it's just some | numbers floating in space, disconnected from any human | being. There is no association with that IP address of | what you like and don't like, what you have purchased, | what links you have clicked, or anything else. It's just | in a firewall, and that firewall rule could be blocking | an entire CIDR block, especially in the case of IPv6. But | even if it were surveillance, that's irrelevant to this | discussion about the ethics of surveillance-based | advertising. | | I'm not going to waste my time further on this thread | after making this one last point. | | > This just slows down bot spam instead of testing if | someone is a bot. Someone posting spam to your site once | a minute is still annoying. | | Google CAPTCHA is trivially bypassed all the time. Do you | really think it isn't? Sometimes using services like | Amazon Mechanical Turk, sometimes using simple computer | vision. It doesn't test whether someone/something is a | bot either... it just tests whether they can pass the | CAPTCHA. It certainly doesn't test whether they're part | of a DDoS, nor does it test their intentions to find | whether they are good or malicious. It's just a CAPTCHA, | but it also uses a lot of surveillance... and as I said, | I have mixed feelings about that. I didn't mean for this | to become the point of the thread, it is definitely off | topic. | | The idea of Proof of Work CAPTCHAs is that you can | actually make it _more expensive_ for an attacker to | solve those than it would be for the attacker to solve | Google CAPTCHAs. Obviously, this is still an area of | debate and research. | charcircuit wrote: | >your argument does not seem to be made in good faith | | I'm not exactly sure what this means. I used to be all | for total privacy, but I found that future to not be | sustainable. Perhaps I'm just jaded, but privacy just | gets in the way. | | >This whole thread is about surveillance based | advertising being bad. | | Well this part of the thread isn't. It's talking about | how surveillance improves services by allowing them to | deal with abuse. | | >In no way is using an IP address in a firewall a form of | surveillance. It isn't. The IP address isn't being | associated with any other data, it's just some numbers | floating in space, disconnected from any human being. | | Wrong. I am using your IP as part of a scheme to | fingerprint you. I want my rate limit to limit each | person separately. An IP address is just a somewhat | decent way to approximate that. | | >The idea of Proof of Work CAPTCHAs is that you can | actually make it more expensive for an attacker to solve | those than it would be for the attacker to solve Google | CAPTCHAs. | | This has to be carefully balanced with the user | experience. No user in going to want to wait 5 minutes to | post when they can just have a Google account with a good | reputation and just click a checkbox. | danbruc wrote: | _I used to be all for total privacy, but I found that | future to not be sustainable. Perhaps I 'm just jaded, | but privacy just gets in the way._ | | That's not your decision, I decide what matters to me, | whether I want my privacy or this nebulous | sustainability, whatever this is suppose to be. | | _Wrong. I am using your IP as part of a scheme to | fingerprint you. I want my rate limit to limit each | person separately. An IP address is just a somewhat | decent way to approximate that._ | | Then let me turn this around, if using my IP address in | this scenario is surveillance, then don't do it. If it is | necessary, then ask me for permission, can we use your IP | address to fight off attacks and ensure the availability | of our website or do you prefer that the website might | not always be available due to attacks? And the same | applies if you want to rate limit all users, offer the | choice between not using your website or opting in for IP | based rate limiting. It's that easy. | b3morales wrote: | Amazon using shipping addresses in isolation to improve | their business is not what people are concerned about | here. It's perfectly legitimate for Amazon to say "we're | getting a lot of orders from this list of zip codes, | let's open some warehouses there". That doesn't infringe | on anyone's individual privacy; the action is not tied | directly to a single person, and especially not to | further data collection/collation. | danbruc wrote: | Is is not surveillance - at the very least not in the | relevant sense - if you maintain a temporary list of IPs | you have seen in the past minute or hour. | | This is your best argument why we have to track and | profile every human on the planet around the clock? | charcircuit wrote: | >if you maintain a temporary list of IPs you have seen in | the past minute or hour. | | This is totally surveillance. Just because we delete data | after a while, it doesn't mean I didn't surveil you, nor | does it mean I haven't used that data I got from you for | my own benefit. | | >This is your best argument why we have to track and | profile every human on the planet around the clock? You | just asked for an example. If you are suggesting that my | argument is to prevent abuse of systems I would say that | it justifies tracking every person on the planet. | danbruc wrote: | _This is totally surveillance._ | | It is not. I connected from some IP because I wanted to | use your website, at the very least you have to remember | my IP address for some time to send me your website back. | And if I want to access your website and it will be only | available if you store my IP address for a few minutes to | fight off attacks, then this is a use of my IP address | that I welcome because it is for my benefit. And if you | really want to, just store hashes of the IP addresses | [1]. | | _Just because we delete data after a while, it doesn 't | mean I didn't surveil you [...]_ | | Sure, surveillance is not defined by the amount of time | you store some data. If you store my shipping address for | years it is not surveillance, if you store my IP address | for one second to add an entry to my record in your | database that I just visited the website it might be | surveillance even if you do not permanently record my IP | address. But I never claimed that the amount of time you | store some information is a or the relevant criterion | | _[...] nor does it mean I haven 't used that data I got | from you for my own benefit._ | | Also irrelevant. If you store my IP address for a short | time or my shipping address for a long time in order to | send me the website I requested or my order than this | benefits you because you will make some profit from my | order. | | Relevant for whether something is surveillance or not is | whether I approve what you are doing. If you track my | position day and night in order to show me ads for | businesses nearby it is surveillance unless I | specifically requested this. If you track my position | because I am using a fitness app and requested to record | my run, then it is not surveillance. | | [1] For IPv4 this is of course essentially pointless. But | maybe you could come up with a more elaborate schema than | simple hashes, maybe salt them and rotate the salt every | few minutes or whatever. But you will probably not gain | much besides added complexity. | buran77 wrote: | If someone abuses your doorbell the solution isn't to | install a hidden DNA and body scanner in front of your | door. Also suggesting that an IP based rate limiter is | the same as the surveillance in question is very | disingenuous. | | Pick a more sensitive area than your IDE, say medicine | targeting erectile dysfunction, sexual or religious | preferences, etc. You may find that being allowed to | collect that data, especially covertly, just to save some | money suddenly doesn't look reasonble at all. | | But surely I should be allowed to _covertly_ collect any | data about you if it enables some savings for me. After | 15 comments insiting it 's OK you should only approve of | this. | charcircuit wrote: | >If someone abuses your doorbell the solution isn't to | install a hidden DNA and body scanner in front of your | door. | | The first thing I would do is look outside to collect | information on who in outside thereby infringing their | privacy. | | >Also suggesting that an IP based rate limiter is the | same as the surveillance in question is very disingenuous | | Recording people's IPs is definitely surveillance. | | >say medicine targeting erectile dysfunction, sexual or | religious preferences, etc. We may be able to connect | drug sellers or churches with people if we know that | information. | | >But surely I should be allowed to covertly collect any | data about you if it enables some savings for me. | | Sure you can. Go ahead. | buran77 wrote: | > Sure you can. Go ahead | | We'll there's your problem. First you show a complete | lack of understanding of the issue, from its basic | concepts to the practical manifestation and consequences, | and then you conclude that it must not be a real issue. | | This technique can be used to justify anything. Burning | books? Sure, it's like burning extra processed wood, | totally okay, go right ahead. | | Ignorance is not a defense. | | Also can you send me your medical data and search | history? I mean you're OK with sharing this data and said | nothing about it being ok only if I can do it covertly. | Better yet, give me your name and address and I'll just | grab that myself so it's not too much of a bother for | you. It's just so I can serve cheaper better targeted ads | to you. | | I mean refusing and backing out now would just be | hypocritical and completely undermine the case you so | unsuccessfully try to make wouldn't it? | dkshdkjshdk wrote: | > The first thing I would do is look outside to collect | information on who in outside thereby infringing their | privacy. | | Looking at someone doesn't infringe on their privacy. | Taking a picture of that someone and storing it in a | permanent fashion, might. To prevent abuse/DOS you only | need to do the first (which does not constitute | "surveillance" or loss of privacy), not the second. | | > Recording people's IPs is definitely surveillance. | | It's not surveillance if you are not tracking anything | else other than IPs (i.e. no other behavioural data | associated to it). | | Either way, you still have not provided an example where | surveillance is _required_ to prevent abuse: I can simply | store hashes of "bad IPs" (or ASNs) to blacklist... no | need to store any information that could lead to an | actual person (like an actual IP address). | eingaeKaiy8ujie wrote: | Then just post about your IDE on Elixir forums. I'm not | interested in seeing any ads on the Internet, and I certainly | don't want ad companies that are following me on random | websites to know that I'm a programmer who is interested in | Elixir or any other data about me. | charcircuit wrote: | >Then just post about your IDE on Elixir forums. | | Not all users of Elixir hang out on Elixir forums. There | are plenty that spend the majority of their time on the | internet elsewhere. | | >and I certainly don't want ad companies that are following | me on random websites to know that I'm a programmer who is | interested in Elixir or any other data about me. | | Why not? Systems can become more efficient if they know you | better. | spinningslate wrote: | >Why not? Systems can become more efficient if they know | you better. | | Because I didn't give them permission. I've no issue with | anyone who willingly trades their privacy/digital | footprint in return for services. | | I don't want to. I will happily pay money for services I | want. But, in all practical ways, the choice has been | taken from me. It's impossible to have an online life | without Google, Facebook, and myriad others hoovering up | my every digital footstep. | | And before someone says "ad-blockers" - I use them. And I | decline cookie consent on every site I visit. It's | tiresome, but I do it. Though even that marks me out: a | signal in the noise. Even the act of trying to reject the | surveillance economy helps that industry segment me. | | It's obscene, and something needs done about it. | Marsymars wrote: | > And I decline cookie consent on every site I visit. | It's tiresome, but I do it. | | I don't think this is really worthwhile. It's akin to | reporting every Google/fb ad as "I don't want to see | this/this isn't relevant to me". Easier to just block | ads/cookie consents from ever appearing, and set cookies | to automatically delete after tab closure. | eingaeKaiy8ujie wrote: | >Why not? | | Because it's a privacy risk. Such information can be used | to identify me and used against me. | charcircuit wrote: | >Such information can be used to identify me | | Good. We can make things more efficient. | | >used against me | | How could someone for example knowing you like Elixer use | that knowledge against you? It's not a big deal. | eingaeKaiy8ujie wrote: | Such data can be combined with other bits of information | to uniquely identify me on the web. And there may be | other facts about me and my online activity that I don't | want third parties to associate with my identity. | justinclift wrote: | k, so how about if instead of "Elixer" it was specific | religious topics? Or other things that have legal | measures for/against them in various parts of the world. | RNAlfons wrote: | > Why not? Systems can become more efficient if they know | you better. | | Not op but I've not clicked a single ad intentionally | since Ads exist on the internet. I don't consider them a | trusted source for recommendation and why should I? Why | should anybody? Ads violate my attention and that's what | they're made for. They do not help you find the best | product. They want you to find THEIR product. Everybody | knows that. | | The privacy issues are the dangerous topping here. | blooalien wrote: | > ..."I've not clicked a single ad intentionally since | Ads exist on the internet." | | You and me both. I actually actively block ads on the | Internet except on the very _few_ sites that have earned | my trust (https://readthedocs.org/, DuckDuckGo, etc) or | sites where the advertising is directly connected to my | existing purpose (to buy a thing) such as Amazon, eBay, | Humble Bundle, etc. Everywhere else gets the block | because they simply can't be trusted anymore. | charcircuit wrote: | >Not op but I've not clicked a single ad intentionally | since Ads exist on the internet. | | You are in the minority then. I personally have clicked | on ads and have found products that I was interested in. | | >I don't consider them a trusted source for | recommendation and why should I? | | I am not saying you should. Ads just allow people to get | the word out about something. | | >Ads violate my attention and that's what they're made | for. | | This is a poor mindset. If you go to a public place are | all of the people there violating your attention because | you can see and hear them? | RNAlfons wrote: | > You are in the minority then. I personally have clicked | on ads and have found products that I was interested in. | | You don't happen to work in the industry? Because I know | nobody who clicks on Ads. Maybe some of them do but they | don't admit it which says a lot about doing it. | | The only people I've ever met who said things like you | did work for the advertisement industry since they're the | only ones who believe that. They have to. | | > I am not saying you should. Ads just allow people to | get the word out about something. | | How is this a justification for the intrusive, secretive | and sometimes even abusive behaviour? There are other | ways to "get the word out" out there. Healthy ways. | | > This is a poor mindset. If you go to a public place are | all of the people there violating your attention because | you can see and hear them? | | Sure they do if they jump right in front of my face and | yell about some product I might be interested because I | just came out of a shop and they've been watching me | doing it and writing down how I look. | ricardo81 wrote: | > don't want my advertisements shown to any random person on | the internet | | Indeed, win-win that ads are targeted. Easily done on search | engines because the query shows intent. Less obvious on the | wider web but then perhaps it's the advertisers job to | identify their market rather than rely on ad-network | datapoints on visitors. | | CPM/CPC ad payments are of course ripe for abuse by | automation. CPA not so much. | | Could potentially argue that the surveillance is essentially | to make targeting more convenient for advertisers rather than | being implicitly required to advertise. Market forces and ROI | are surely the best measurement which CPA does a better job | of doing. The problem with CPA is the trust required in order | for the ad network to be paid. | Woodi wrote: | Radiculous ! | | Mate, you want one thing so world wide spying is ok for you ? | So r. lack in imagination ! | | Just try to imagine what would be WWW (or other "medium") | without that data hoarding... You want to ad IDE, for devs, | for particular lang ? Just give money straight to forum of | your interests _owner_. And...... DONE ! Or journal, paper, | zine or whatever but do it _directly_. | | That businesses curently DO NOT EXIST becose everything goes | to Google ! And - biggest stupididy of last two centuries - | to "businesesee that "model" enables". Just self serving | monopoly giving away penies. | | You see ? Your "survivalence is necessaary" is just lack of | imagination. Literaly, current "system" prohibits new | inventions and development. | | Becouse where are money there are new companies/startups | created. End where money are filtered via giant sucker there | not much improvement can be build. | rotebeete wrote: | > The majority of users on the internet are not even | developers. | | Then just advertise on sites that usually have developers?! | ncallaway wrote: | > I want to be able to advertise to a consumer segment which | consists of people who are interested in Elixir | | And, as the person being advertised to, I absolutely want you | not to be able to do that. Why do your desires trump mine? | | Surveillance is not essential to internet advertising. | Because it's not essential for advertising. Newspaper ads | didn't come with such invasive models, nor did radio adverts, | or even TV ads. | | If advertisers on the internet can't figure out how to make a | surveillance free advertising model work, then I'd much | prefer those businesses to die. | lallysingh wrote: | No it's not. It's the same situation that's existed in | advertising for decades already. Want to advertise your | automotive parts? Advertise in Popular Mechanics. Some fancy | clothing? Advertise in Vogue. | | Now, you just advertise in appropriate blogs. | | If there are no appropriate publications for important | topics, hey! Guess what! They have their business model back! | danbruc wrote: | _This is ridiculous. If I am trying to advertise an Elixer | IDE, then I don 't want my advertisements shown to any random | person on the internet. The majority of users on the internet | are not even developers. I want to be able to advertise to a | consumer segment which consists of people who are interested | in Elixir. "Surveillance" is essential to internet | advertising._ | | This is ridiculous. And it is your problem. Why should I | allow any company to track and profile me and everyone else | only so that you can save on your advertising budget? | charcircuit wrote: | Because I don't want to waste the time of people who aren't | interested in my ad in seeing my ad. It's a waste of money | for me. The ad network will not be able to make money from | having them click the ad. The user's time will be wasted | because they are not interested in what I am selling. It's | a lose lose lose situation. I want to create more win win | win situations where everyone benefits. Tracking and | profiling is needed to increase the rate that this happens. | ashtonkem wrote: | You're asking us to give up our rights for your | convenience. | MereInterest wrote: | And the downsides of that tracking/profiling fall | entirely on the person being surveilled. | blooalien wrote: | > "Because I don't want to waste the time of people who | aren't interested in my ad in seeing my ad." | | And that there is why sites like https://readthedocs.org/ | do this strange thing called _ethical_ advertising. | Instead of spying on me, they advertise things at me I | _am_ genuinely interested in, intuited by the fact that I | 'm reading technical documentation, _and_ they do it in | an _unobtrusive_ way, rather than splat themselves in | front of the content I 'm trying to read such that I | can't even read it at all. | | You wanna advertise at me? Come find me on sites where | your product is a good fit for my interests and advertise | at me _respectfully_ rather than supporting a corporate | surveillance state that I want _no part of_. I for one | will continue to block ads _everywhere_ I browse _except_ | those that manage to respect _me_ as a fellow human. | the_other wrote: | You could target the same people by buying ad space in | like-minded "venues". There's a gaping hole in the market | for good "content-linked" advertising, searching, | aggregation and so on. Link to content, not people. Work | with customers who're already self selecting, rather than | following people around all the time. | | As a side-line, this'd probably cut back on a lot of | click-bait trash articles. It, likely, would help bring | the signal-boise level of the internet at large back to | something more useful. | | Well, I can dream, anyway.. | elliekelly wrote: | This is DDG's model, right? Instead of stalking me all | around the internet to find out I'm looking for a new car | in order to show me adverts for a new car they show me | the advert when I search "best new cars 2021" which is | probably a pretty solid indicator that I'm looking for a | car that doesn't involve any tracking. | stevesearer wrote: | This is what we do at https://officesnapshots.com and it | works pretty well: office furniture ads on office design | content. | blooalien wrote: | Yeah, this! See? You get it! Why's it so _hard_ for | others to understand? | danbruc wrote: | _Because I don 't want to waste the time of people who | aren't interested in my ad in seeing my ad._ | | Than don't run ads. Essentially nobody is interested in | seeing ads, targeted or not. | | _It 's a waste of money for me. The ad network will not | be able to make money from having them click the ad._ | | I don't give a fuck how much money it costs you or if the | ad network goes bankrupt, why should I? | | _The user 's time will be wasted because they are not | interested in what I am selling._ | | As I said, then don't run ads if you actually care about | wasting user time. Even if you have a conversion rate of | 10 % you are still wasting time for the other 90 %. | | _It 's a lose lose lose situation._ | | I would consider it a win if all ad companies go bankrupt | and I never have to see an ad again. | | _I want to create more win win win situations where | everyone benefits. Tracking and profiling is needed to | increase the rate that this happens._ | | This is not win win win, this is win win win LOSE - a few | users get a product they want, you get some sales, the ad | network gets your ad budget, and everyone else gets | nothing but being tracked and profiled. | layoutIfNeeded wrote: | >The user's time will be wasted because they are not | interested in what I am selling. | | I'm not interested in what you're selling. In general, | I'm 100% not interested in anything anyone is selling | through advertisements. Where can I indicate this, so | that advertisers stop wasting their money on me? | charcircuit wrote: | Use an adblocker. | layoutIfNeeded wrote: | Too bad that advertisers are busy breaking my adblocker | again and again. Why could they be doing this? Surely | they wouldn't want to waste money by showing me their | ineffective advertisements, right...? | datavirtue wrote: | Advertise on search. Someone searches for IDE or | something similar...show the ad. It's better than running | around profiling people and showing them ads for things | based on that profile. No tracking needed. | Yizahi wrote: | I will employ a spy/cop to follow you everywhere and log | everything you do in detail, would you consider it a | surveillance? Of course, he will refrain from listening to you | talking and won't enter your home. But everywhere else he will | follow you at a distance. | | This is essentially what is going on in the internet. Metadata | collection = Surveillance. | djbebs wrote: | Oh no, hes going to be reading every email you send and | receive, every message and everything you do. D9nt worry | though, he wont do anything unless he finds anything illegal. | markzzerella wrote: | If metadata is good enough to kill people it's dangerous | enough to stop collecting en masse. | chopin wrote: | The analogy breaks at the point "won't enter your home". | Current surveillance tech does exactly the analogous of that. | It's rather like having a cop sitting at home pinky-promising | not to listen or storing any conversation. | | Maybe it's even worse. There are third-party analytics tools | which send out any key-stroke you do, even if you don't | submit any form. | | It has become the new normal. Take todays article in Ars | Technica on Audacity | (https://arstechnica.com/gadgets/2021/07/no-open-source- | audac...). The author has no complaint about the fact that a | tool for local editing of audio files reaches out to the | internet to send data about the user and seemingly defends | this on grounds that it is opt-in. That's fine but that code | is needlessly there. There's no reason whatsoever for it. And | I am tired of being told that surveillance is for my benefit. | No, it's not. It's solely for the benefit of the surveillor. | ColinHayhurst wrote: | Good question. IANAL but how about this? | | Any ad which uses data about an individual, without full | transparency about the data being used, to target them as an | individual OR where such data is collected and stored and | associated with an explicit or implicit identity. | JumpCrisscross wrote: | "Data about an individual" is too vague, as is "to target | them." Would this ban search-based advertising? What about | using an IP address to guess at a language? | | I think this can be done. I just don't have the domain | expertise to do it, and haven't seen a proposed definition | that made sense. The only intuition I have is around | ephemeral versus permanent profiling. | deallocator wrote: | don't browsers send a header telling the server what | language they expect? I live in Belgium where there's 3 | national languages, and my preference isn't even one of | them. Please us whatever language my browser tells you to | (English) | ColinHayhurst wrote: | Agreed and agreed. | | For search based advertising we use the search query and | location (taken from the country the user chooses in | settings - and that can be "None" in which case we just use | the search query). The language of the search query could | be used rather than IP. Key for us is to never store IP and | never pass on any part of it. | JumpCrisscross wrote: | > _Key for us is to never store IP and never pass on any | part of it_ | | I think this might hold the key. The law likely doesn't | need to try to regulate advertising _per se_ , but | instead the types of data advertisers are allowed to | retain (or access). | | Maybe a first step is creating a definition of an | advertiser, requiring registration (not licensing) and | the annual filing of the inputs their algorithm uses? All | inputs, even the most banal? This assumes defining | advertiser and algorithm and inputs is easier than what | we're trying to ban. | adolph wrote: | I have the same question and a followup: What is the difference | between "surveillance-based advertising" and observation-based | advertising? | ColinHayhurst wrote: | A very experienced expert lawyer who should know, and knows | adtech well says "Section 3 of the DPA? Advertising using data | that would reveal an identifiable living individual ? It's a | bit more complex than that as processes to protect such data | being used should also be included." | | DPA is I assume Data Protection Act (UK): | https://www.legislation.gov.uk/ukpga/2018/12/contents/enacte... | codecutter wrote: | I read the open letter. I learned about businesses that support | user privacy and I will be supporting them with my wallet. | (already use Mailfence and Duckduckgo ) | 1vuio0pswjnm7 wrote: | "In a population survey conducted by YouGov on behalf of the | Norwegian Consumer Council, just one out of ten respondents were | positive to commercial actors collecting personal information | about them online, while only one out of five thought that | serving ads based on personal information is acceptable. This | resembles similar surveys from both sides of the Atlantic, and | indicates that consumers do not regard commercial surveillance as | an acceptable trade-off for the possibility of seeing tailored | ads." | | https://www.forbrukerradet.no/wp-content/uploads/2021/06/202... | | In light of the evidence, should surveillance-based ads be opt-in | (default, no need to figure out and change settings) or opt-out. | Currently, tech companies make these ads opt-out. By default the | ads are enabled. To disable them, the user must find, understand | and change settings. Of course, most users do not ever change | default settings. Many users may not even be aware that there are | such things as settings. | Jonsvt wrote: | I think you will find that there is a certain part of the | population that has bought into the story that surveillance- | based ads are somewhat needed for the Internet to work. It is | just a story. We have seen from GDPR that you cannot leave any | holes. Lets not do it this time. | deregulateMed wrote: | There's something beautiful about Google lead FOSS software being | the source of privacy software. | | But hey that's why we support FOSS. A bad dictator means it's | time to fork. If Chrome was proprietary, we'd be locked in a | Walled Prison. | Santosh83 wrote: | This is no longer the era of one company monopoly like the old | days. We are now in Big Tech dominance, not monopoly. No one | needs a monopoly any longer. Regulatory and technological moats | leading to consolidation is good enough. | type0 wrote: | > If Chrome was proprietary | | Chrome is proprietary, it's Chromium that isn't | dalbasal wrote: | Not a ton of depth in the letter itself, but I like the angle | they take. It's not all about privacy or data security. | | " _In addition to the clear privacy issues caused by | surveillance-based advertising, it is also detrimental to the | business landscape._ " | | " _In the surveillance-based advertising model, a few actors can | obtain competitive advantages by collecting data from across | websites and services and dominant platform actors can abuse | their positions by giving preference to their own services._ " | | In many senses, Google & FB have achieved what net neutrality | wanted to prevent ISPs from doing. In the developing world, FB | _has_ actually achieved it. If AOL had succeeded, we would have | ended up approximately here. | jefftk wrote: | _> a few actors can obtain competitive advantages by collecting | data from across websites..._ | | This is going away: all the major browsers have said they are | going to block cross-site tracking. | | (Disclosure: I work on ads at Google, speaking only for myself) | BiteCode_dev wrote: | Google analytics won't track cross site ? | jefftk wrote: | Does Google Analytics even track cross-site today? Looking | at it in developer tools I only see it using first-party | cookies. | | But anyway, Google Analytics won't be able to do it because | nobody will be able to do it. For example, here is Chrome's | project to remove cross-site tracking: | https://www.chromium.org/Home/chromium-privacy/privacy- | sandb... | | (Still speaking only for myself) | binarymax wrote: | I'm not sure if you're being intentionally obtuse or not. | GA phones home with vast information about user, and | builds a profile of them. That profile is correlated | across sites to personalize search results and sell ads. | dang wrote: | Please omit personal swipes from your HN comments. Your | post would be fine without the first sentence. | | Note this site guideline, including the last bit: " | _Please respond to the strongest plausible interpretation | of what someone says, not a weaker one that 's easier to | criticize. Assume good faith._" | | https://news.ycombinator.com/newsguidelines.html | jefftk wrote: | I'm not being intentionally obtuse, but I also don't know | all of Google's advertising business. I didn't think | Google Analytics did that? What makes you think it does? | | (GA sends a message to Google, but I had thought that it | was not linked to your behavior on other sites via GA?) | LegitShady wrote: | google analytics tells you the interest of your audience. | how do you think it does this without correlating you to | a profile they've built? | lmkg wrote: | Googe Analytics consultant here (not Google employee). | | 1. Google Analytics' primary identity signal is a first- | party cookie. this is not shared between domains. There | is no technical way to link identity between domains with | different cookie values. | | 1a. Google Analytics has built-in library functions to | allow site owners to share first-party cookie values | between a whitelisted set of domains. This effectively | lets one _company_ with multiple _sites_ share a first- | party identifier, but still not let anyone (Google or | otherwise) link that identity to identities set on other | sites. | | 1b. BUT. But. _BUT_. Google is rolling out "Google | Signals" for Google Analytics, which will use your Google | Account as the identity signal instead for users who are | logged in to Chrome. This, obviously, lets your identity | be correlated across sites. | | (Personally, I suspect that the availability of this | feature played a part in Google's decision to let Chrome | follow the industry towards blocking third-party cookies. | But this is a baseless opinion, one step removed from a | conspiracy theory.) | | 2. Google Analytics can link their identifier (the first- | party cookie or Google Signals) to your DoubleClick | profile via DoubleClick's third-party cookie. The | checkbox that does this is unchecked by default. There | are many other features of GA that encourage or require | you to check this checkbox. | | 2a. Google's documentation (including legal contracts!) | places limits in the data exchanged between the two | profiles. Data exchanged _does_ include demographic and | interest information from DoubleClick 's profile into GA. | This is one of the big reasons why people click the | checkbox. | | To my knowledge, GA data is _not_ used to inform the | DoubleClick profile. GA data can be used to build an | "audience" in various Google ad platforms, and direct ads | to those people specifically, or to use as the basis for | a "look-alike audience." | | 3. Google is a _Processor_ under GDPR for Google | Analytics, and a _Controller_ under GDPR for Google Ads. | To a first approximation, this means they make the | specific legal claim that they do not use GA data for | their own purposes. Linking Analytics and Ads data is... | complicated and frankly I still haven 't gotten an | explanation of its legal status that I fully understand. | | In my personal opinion, I don't think Google actually | uses Google Analytics data. Most Analytics | implementations are tire fires, and they can get all the | data from other more reliable sources, like Publisher | data or Chrome. Given that they have based on their | entire GDPR compliance strategy for Analytics on being a | Processor, I don't think the risk/reward is there. | | (apologies for lack of copy-editing, the thunder's about | to take my internet away) | alisonkisk wrote: | Is Google going to give back the $100B is made from cross | site tracking in the past? | | Is Google going to consider YouTube, Gmail, Maps, and | Android Location history different sites, or is "having | an effective monopoly an exemption to crosss-site | tracking prohibition? | | Does _anything_ in the proposal prevent server-side | cross-site tracking? (No.) | | Is Google going to stop buying third party tracking data | like credit card transactions? | neolog wrote: | No it isn't, Google will still track me across the web. | blooalien wrote: | So will Facebook (and several others) if you take no steps | of your own to block them. It's an escalating war of cat | and mouse. You'll block them, they'll find a new way around | it, you'll block them some more, they'll find another way. | Eventually the only answer will be to shut down the | Internet because it's become just too broken to use | anymore. | squiggleblaz wrote: | The simpler answer is to just ban it. The law doesn't | need to be technically detailed or envision every single | technological adaptation: it just needs to be sufficient | for a judge to be able to recognise it when a prosecutor | describes it and a defence lawyer attempts to pull the | wool over their eyes. It needs to be focused on outcomes. | | Once banned, Google and Facebook will submit. They will | attempt to lobby against the reforms, eventually saying | "it will prevent legitimate business: it represents a | small fraction of our revenue, but we are selflessly | lobbying on their behalf to ask you to implement this | technically specific law to reign us in". Ignore them. | You don't listen to the hitman when they comment on | homicide laws. | | And ensure that the penalties amount to a ban. The US | congress and courts can and do terminate human lives. | Whatever penalty they propose on abstract legal entities | is not too harsh; even if they completely dismantled | Google and destroyed all of their economic value, it is | nothing compared to the things we do to natural living | breathing humans in response to criminal behavior. | | Profitable companies will submit to a law that aims to | control their behavior. | JumpCrisscross wrote: | > _law doesn 't need to be technically detailed or | envision every single technological adaptation: it just | needs to be sufficient for a judge to be able to | recognise it when a prosecutor describes it and a defence | lawyer attempts to pull the wool over their eyes_ | | This is a terrible philosophy for legislating. It | undermines the rule of law, _i.e._ that you should _ex | ante_ be able to determine if what you 're doing is legal | or not. | | What you're describing is rule making. Congress regularly | does this, in passing a law that requires such and such | agency propose (or even implement) rules that achieve | this or that within so many days. | alisonkisk wrote: | This is fundamental to the rule of law. Judges and juries | apply the law to the facts. Civilians can ask the | government to review their plans in advance and make a | ruling. | | We don't say murder laws are bad because there's no way | to know in advance if "bashing someone's head in with a | pipe who dies a month later" counts as murder. | insulanus wrote: | Every important criminal law includes the idea of intent. | Killing someone with a car because you sneezed is very | different from intentionally running them over in the | eyes of the law. | JumpCrisscross wrote: | > _criminal law includes the idea of intent_ | | Yes, but intent alone isn't sufficient. We need a | precise, side-effect light definition of the kinds of | activities we want to ban and by whom. To date, I haven't | seen that. | | Passing a law which bans "surveillance-based advertising" | with little more specificity is a recipe for disaster. | blooalien wrote: | > "This is going away: all the major browsers have said they | are going to block cross-site tracking." | | That's mighty pleasing news to hear. A step in the right | direction for sure. Here's hoping it's the beginning of a | trend. | acituan wrote: | The thing with information is that once it is shared, it | can't be unshared. Sure, blocking cross-site tracking would | ostensibly make monopolistic accumulation of _new data_ more | difficult, but except for the most decay prone information, | there is already a comprehensive profile established for a | good chunk of the users, which can be milked for a good | while. This is not even taking into account of backchannel | acquisition of the missing data (i.e. through brokers) with | the sweet sweet profits already made, potency of which is | enhanced when joined with existing data (and therefore still | creating monopolistic dynamics). | NicoJuicy wrote: | It can be made useless if you don't have a identifier. | _jal wrote: | Be careful not to confuse one cross-site tracking techniques | with cross-site tracking. Ask about company behaviors that | may be of interest, not specific mechanisms. You can always | ask about the mechanisms later. | | "Will you use information about users from third-party sites | when making decisions about how to interact with them?" | | "Will you use data about offline purchases made by users when | deciding how to interact with those users?" | | Etc. | dreyfan wrote: | Nobody needs cookies to track users cross-site. Cookies are | just convenient. | jefftk wrote: | All the browsers have said that they consider general- | purpose cross-site tracking to be deprecated, not just | cookies. They are working on removing other forms of | linking users across sites, including the browser cache, | link decoration, and fingerprinting. | Jonsvt wrote: | And some of them, such as Google, are working on FLOC... | This has got to stop now. | binarymax wrote: | The browsers _intent_ may be to remove cross-site tracking, | but we all know that Google Ads will still follow people | around the web through latent signals (even if wrapped in | something like FLOC), and other parties like KISSmetrics will | continue the fingerprinting cat and mouse game. | jefftk wrote: | _> Google Ads will still follow people around the web | through latent signals_ | | I'm not sure what you mean by this? | | Google Ads has committed "once third-party cookies are | phased out, we will not build alternate identifiers to | track individuals as they browse across the web, nor will | we use them in our products." -- | https://blog.google/products/ads-commerce/a-more-privacy- | fir... | | _> even if wrapped in something like FLOC_ | | FLoC doesn't allow "a few actors [to] obtain competitive | advantages by collecting data from across websites" since | everyone sees the same number of identifying cohort bits. | | _> other parties like KISSmetrics will continue the | fingerprinting cat and mouse game_ | | Historically, the TOR browser was pretty much the only one | that took fingerprinting prevention seriously, but it's now | a substantial focus for Safari/Firefox/Chrome. I do think | fingerprinting groups will continue to have things that | work when third-party cookies go away, but I don't expect | it to persist that long after? I also would not be | surprised to see a regulation here, since I (not a lawyer) | don't think fingerprinting is compatible with the GDPR or | the other regulations it's inspiring around the world. | | (Still speaking only for myself) | Jonsvt wrote: | The point is the FLOC is surveillance as well. You are | still profiling users. This has got to stop. | | https://vivaldi.com/blog/no-google-vivaldi-users-will- | not-ge... | Jonsvt wrote: | Yes, FLOC and similar technologies, are another way to | track users, but this time in the browser. We really do not | see that as being any better. In many ways it is really | worse. | | https://vivaldi.com/blog/no-google-vivaldi-users-will-not- | ge... | alisonkisk wrote: | The argument is bad for privacy, since the business solution to | that problem is the same for other IP antitrust: mandating non- | discriminatory licensing to anyone who wants access to the | data. | jefftk wrote: | This looks like Vivaldi supporting a recommendation made by a | consumer advocacy group in Norway (Norwegian Consumer Council / | Forbrukerradet), and boosting their report. You can read the | original report at: https://www.forbrukerradet.no/wp- | content/uploads/2021/06/202... | Jonsvt wrote: | This is very much a recommended read for everyone. | uniqueuid wrote: | Instead of arguing what current business models that would break, | I think we should take a step back and ask: | | What legal and moral basis warrants "surveillance-based | advertising"? | | The premise of GDPR in the EU has been that "surveillance-based | advertising" needs to be _balanced_ with user rights. | | If we come to the conclusion that this balance cannot be achieved | (e.g. because users are not savvy enough to safeguard their | rights, because data sticks around forever, because data can be | sold etc.), then it's a straightforward step to prohibit tracking | entirely. | kerkeslager wrote: | There's a fundamental disconnect which causes people to ask | what business models fixing a social ill would break. We should | not be tolerating social ills to prop up the businesses that | cause them. | | If we really believe that the free market will result in | positive outcomes, then creating rules against negative | outcomes like surveillance shouldn't cause any problems, since | they shouldn't be a problem for a free market that will arrive | there anyway. Wasn't it Reagan who said, "Trust, but verify?" | Ensorceled wrote: | Also, what old business models might return (like newspaper and | other content based advertising) and what new business models | might emerge. | pmoriarty wrote: | Surveillance-based advertising is just the tip of the iceberg. | | All unsolicited advertising should be banned. | pasabagi wrote: | I think there's a simpler way to achieve this. Force companies | who leak personal data to pay reasonable damages to all the | individuals involved, on the scale of 10-100 dollars, depending | on how much personal info has been leaked. | | That would make businesses very quickly reassess how much data | they need to keep, and how careful they need to be with it, | without requiring any really radical legislation. | beervirus wrote: | Leaks are not even my main concern. I don't want anyone spying | on me, even if they're really conscientious about data | protection. | 2OEH8eoCRo0 wrote: | >Force companies who leak personal data to pay reasonable | damages to all the individuals involved | | Doesn't this just consolidate power among FAAG even more? They | can pay these fines and they don't often leak data- if ever. | That's another thing- define leaking data. Sharing with 3rd | parties? It's vague enough for them to beat that in court. | | We do somehow need to get back to advertising the old fashioned | way rather than this surveillance capitalism arms-race. | squiggleblaz wrote: | > We do somehow need to get back to advertising the old | fashioned way rather than this surveillance capitalism arms- | race. | | Old fashioned ads were targeted based on the thing they were | attached to. For instance, if you read the sports pages of a | newspaper sold in your city, you probably got ads of presumed | interest to people in your city who are interested in sports. | | To restore that kind of system, you would need to focus on | those kinds of issues: making advertising first party, | distinguishing between parts of a site without distinguishing | between users. | | But once you've done that, you're still left with first | parties that can spy on you and use that data in non- | advertising ways, or even presumably for direct marketing (if | you have some kind of an account). | | I think it's better to focus on the surveillance. If they | can't surveil you, then they can't use surveillance | advertising. As you point out, focusing on leaks is | irrelevant because I don't really feel better that only | Google knows everything about me. Focusing on advertising | doesn't stop them collecting data, it just limits how they | can use it. If we don't want the data to exist, collecting it | should be prohibited. | lolsal wrote: | If my information gets leaked and my identity compromised, you | think $10-100 is reasonable compensation? I like the idea but I | don't think we can put any sort of numbers on damages like this | before it happens. | ClumsyPilot wrote: | We need a minimal sum to enable lawsuita. | | Every time there is a leak, you have to prove you've suffered | damages. | | That's hard to prove: even if someone commited massive fraud | with your identify, you dont know if the data came from this | leak, or from 10 other leaks. | | Setting a minimum would mean thay you can immediately fine | conpanies for loosing millions of records in one lawsuit, | instead of a million suits proving that each particular | claimant was harmed | dalbasal wrote: | I don't think the letter writers' goal is data security. | Jonsvt wrote: | This is not a question of leaks. The data is already in the | wrong hands and actively being misused. | amelius wrote: | > Force companies who leak personal data to pay reasonable | damages to all the individuals involved | | Companies like Google and Facebook _already_ leak. | | Proof: start an ad campaign on e.g. Facebook targeted at people | who have trait X, but sell a product Y not related to X. For | people who click on the ad and buy your product Y, you now know | they have trait X. And you can now also link that to their | address info. | jefftk wrote: | Run an ad campaign in a magazine dedicated to a sensitive | topic, selling something by mail-order. For people who write | to you and buy your product, now you know they are interested | in that sensitive topic. | | (Disclosure: I work on ads at Google, speaking only for | myself) | amelius wrote: | Well, you've just found _another_ leak ;) | | By the way, scale matters too. | blooalien wrote: | Hey, mad respect at you for bein' able to discuss this | without sounding like an advertising shill, and for bein' | open about your place of employment and for coverin' your | butt by makin' your comments known to be _yours_ and not | your employers '. Wish more folks could do that. Good job | of "adulting" there. ;) | | As a (sometimes) "consumer", I personally don't mind | companies I'm doing business with gathering some data to | better serve me as a customer. It's actually kinda their | job. And I don't even mind when they advertise _related_ | products /services at me (but _not_ the product /service _I | just bought_ please). And I don 't mind one little bit | bein' advertised at (respectfully) when I'm on a site where | I'm obviously lookin' to _buy_ something. My main problem | is that too often there 's a degree of uncomfortable | overreach with building (and worse yet, sharing around) a | detailed profile of my travels on the web that is _beyond_ | unnecessary and unreasonable. I don 't honestly trust most | _personal friends_ with as much information about me as | some freakin ' advertisers would seem to want to database | and index about me. It's gotten honestly out of control, | and I don't know what else to do anymore except use every | tool my browser has available to block as much of it as I | can actively. | insulanus wrote: | True. Google or Facebook's ability to obtain, analyze, | cross-reference, retain and leverage this type of | information makes them billions of times more powerful than | a small company selling gardening tools, however. | ColinHayhurst wrote: | Johnny Ryan is having another go this time in Hamburg. "Online | advertising causes the world's biggest data breach. We are | going to court to stop it." https://www.iccl.ie/rtb-june-2021/ | | As he eloquently explains there, and in detail, RTB auctions | "broadcasts private information about what you are doing | online, and where you are, to many other companies in order to | solicit their bids for the opportunity to show you their ad." | handrous wrote: | Yeah, rather than targeting advertising I'd prefer to get to | the actual point, and target mass surveillance and collection | of huge troves of personal data _no matter the purpose_. | | Ban monetizing data (no selling, no pay-for-access, no derived | products) and make leaks guaranteed to be expensive, so | companies only keep what they have to to operate, with some | large multiplier attached to the leak fine if it was related to | banned activities. | | Done. | | The advertising is a symptom, it's not the disease. | jefftk wrote: | I'm curious how you would see "ban monetizing data" play out | in the case of an e-commerce company. Can they still run A/B | tests? Show you products that they think you will want to buy | based on your purchase history? | handrous wrote: | > Can they still run A/B tests? | | If I were writing the rules, I'd exclude anything that | looks routing-like. "IP address A sees version 1, IP | address B sees version 2, with some amount of ephemeral | data involved to support pinning" is fine. Basic hit- | counter type stats are fine. (though I think A/B tests are | abusive crap and would _love_ to see them go away, on a | personal level, I don 't think they _necessarily_ qualify | as spying, though the way they 're practiced right now | probably does tend collect & retain enough information that | they absolutely are, but might not with some modification) | | > Show you products that they think you will want to buy | based on your purchase history? | | No. _Maybe_ with some kind of opt-in or otherwise making | that something the user has to intentionally ask for. But | if you 're not using others' purchasing data to decide what | those might be (and that would _definitely_ be off-limits) | then that 's not very different from just having categories | your users can browse. | jefftk wrote: | What about, on a page about x, showing "users who bought | x often bought y" ads? | handrous wrote: | It'd obviously be a tough rule to craft. In some | hypothetical world where I'm the Tzar of writing and | enforcing this, I'd tend to allow leeway for companies | using data that could be essentially a totally-anonymous | incrementing counter (as in this case) to choose how to | present their site, based on what's _currently being | looked at or requested_ but not on _the browsing or | purchase history of a particular user_. It 's using a | person's own activity to target, manipulate, or | "monetize" them that I find especially objectionable--and | the data that's hoarded in the name of those abilities, | simply dangerous in ways that the hoarding companies | aren't made to account for (a huge negative externality, | basically). In general I think if companies want market | research they should pay for market research, not just | run a dragnet spying operation against their customers. | If they want something other than market research out of | those data, then they probably ought to just be shut down | (or, at least, that part of their business should be) | | [EDIT] FWIW I don't think these kinds of rules should | only apply to tech companies. Physical stores ("loyalty" | cards, tracking shoppers' cell phones, that stuff) and | banks and similar also shouldn't be able to spy on | people, nor to sell or otherwise use data collected as a | necessary part of their business against people. A store | may reasonably have surveillance cameras, but ought not | be able to sell the footage to another company to train & | test its gait-recognition software, nor use facial | recognition to track how often I visit the store or what | I look at. That kind of thing. | blooalien wrote: | I've gotten useful leads on products to research maybe | buying from those type of ads before, but I only ever see | them on sites I've whitelisted in my adblocker | specifically _because_ they 're sites I buy things from | (and a rare few sites I trust to be respectful about | advertising placement). They're useful when they're done | right tho. | jefftk wrote: | I'm confused by your ad blocker comment, because most | listings like this won't be recognized as ads. They look | like product suggestions, and they are entirely first | party. | | (On the other hand, I think the law as you're proposing | it would cover them) | ganbatekudasai wrote: | Taking cost vs. benefit into account, I would default to | "no". This one in particular seems like a "neat little | feature", but "neat" does not cut it if it threatens to | make legislation against surveillance-based advertising | less effective. | | I'm not sure many customers will miss it, if they really | notice. Yes it can be a bit helpful, but many other | things in the world would be "a bit helpful" and yet are | nowhere near justifying their cost and effect (e.g. we | stopped using radioactive chemicals in substantial | amounts for everyday products very, very quickly). | kerkeslager wrote: | A/B testing can be done without collecting any personal | data. | amelius wrote: | > The advertising is a symptom, it's not the disease. | | Advertising also stimulates mass overconsumption. | | If we want to save the planet, advertising is among the top | things we should ban right away. | handrous wrote: | Right, but the alternative in question is banning | _surveillance-based advertising_. I 'd prefer to curb | surveillance itself, having the side-effect of eliminating | surveillance-based advertising. | | Separately, yes, I'd like to see practically all public | advertising banned (billboards are blight), and while I'd | have to think on it some more before _supporting_ a blanket | ban on all advertising (I 'm not sure it's workable, for | one thing) I'd also not be sad if I woke up one morning and | learned that such a law had been passed. | kerkeslager wrote: | From my perspective, both advertising and surveillance | are bad, and both should be banned. | handrous wrote: | Yeah, I don't think our opinions diverge too much on | that. My ideal world wouldn't feature much of either of | them--I think well-marked, in some standard and easy-to- | spot way, ads in publications aren't _so_ terrible, for | instance, provided it 's made clear up-front, say with | some kind of cigarette-box style notice or warning, that | there are ads in it. Though, again, if paid advertising | just went away, in all forms, entirely, tomorrow I | wouldn't be sad about it. But, as far as online ads go, | it's the surveillance part that bothers me more than | there being any ads at all, and that worries me _way_ | beyond its use in advertising. | kerkeslager wrote: | I know we're comparing relative evils here, but that's | interesting. I think my main concerns with surveillance | are the chilling effects it has on those who would break | the law for ethical reasons. But ultimately I think the | tangible negative effects that surveillance has on most | people are indirect. That's not to say they aren't | important. But as important as advertising? | | Advertising causes a great deal of surveillance, but it | causes a lot of other issues, many of which affect almost | everyone, very directly, and in some tangible ways. At a | basic level, we're being lied to constantly in ways that | hurt our self esteem, break our concentration, introduce | us to new fears and angers: the exact intention of which | is to create problems for us so that it can persuade us | that giving them money will solve our problems. | Advertising tells us our partners aren't hot enough, we | aren't cool enough, our houses aren't big enough, our | cars aren't fast enough, that we aren't doing enough for | X cause. It tells us that our financial future is | insecure, that we're missing out, that we're at risk for | disease, floods, and car accidents. If a parent or | partner told us these things, we'd call it emotional | abuse, but from advertisers it's both accepted and | commonplace. And it affects us deeply: we're | overmedicated, overfed, overworked, and over-indebted. | | And that's just the direct effects. When you consider the | kinds of content that advertising funds, it's almost | universally harmful. News that prioritizes clicks over | information by inciting anger and fear. Informational | resources that avoid speaking truth to power because | power advertises. Social media that courts flame wars, | conspiracy theories, and echo chambers because they all | provoke engagement. Everything advertising funds is fast, | shallow and emotional, because slow, deep and rational | doesn't promote clicks. | | Why even look for a compromise here? Easy to spot ads | aren't better: they're still people shoving a lie in our | face. There's nothing of value here. Ads are a tumor: | even if we can find some part of it that's benign, | there's no part that shouldn't be excised. | amelius wrote: | On top of that, ads stimulate overconsumption. | | Also, they distort the free market (not the best product | wins, but the one with the biggest advertising budget) | | And they often target young children. | | The only reason ads exist is because countries measure | the success of their economies by how much is consumed. | blooalien wrote: | > ... "get to the actual point, and target mass surveillance | and collection of huge troves of personal data no matter the | purpose." | | This! Exactly this! | pjerem wrote: | Yeah but what is a leak ? Do you consider it a leak when a data | transfer to another company is intentional ? | | Companies like Google are probably secured like fortress and | will probably not leak data anytime soon (lets hope) so your | idea wont have any effect against giants that takes security | seriously. | | However, I really like your point and you'll probably have a | good side effect on middle size companies. But giants are a | giant part of the problem. | pasabagi wrote: | Well, my suggestion is kind of aiming to be as pragmatic and | unambitious as possible, so the fact it doesn't have an | effect against giants who spend a lot of money on security is | part of the pragmatism - it means you split the opposition a | bill like this would face. The big companies would see it as | a way to expand their moat, and so, they'd probably lobby for | it, or at least, you could convince them not to lobby against | it. | | If you can build a big coalition of people for whom privacy | is something important, then you can start making ambitious | policy proposals because you'll have the voters to back it | up. Before that point, I think you have to try for easy wins. | inetknght wrote: | > _Yeah but what is a leak?_ | | Any time someone who's not me or a direct party to a | transaction or conversation learns something about me then | that is a "leak". | | > _Do you consider it a leak when a data transfer to another | company is intentional?_ | | If I do business with my bank then the bank should have no | right to sell my information to a third party for any reason | whatsoever. | | If I do business with my hair stylist then the credit card | processor should not have any right whatsoever to do anything | with the facts: | | - where was the hair stylist? That's private. | | - who was the hair stylist? That's private. | | - when was I at the hair stylist? That's private. | | - what did the hair stylist sell? That's private. | | - why did I go to the hair stylist? That's private. | | Nobody except my hair stylist and myself should have this | information. | jefftk wrote: | _> someone who 's not me or a direct party to a transaction | or conversation_ | | It sounds to me like this definition strongly promotes | consolidation. The bigger a party is, the more information | it would be allowed to have and the more ways it can use it | to cross-sell. | | _> If I do business with my hair stylist then the credit | card processor should not have any right whatsoever to do | anything with the facts..._ | | Should the credit card company be allowed to use the | information about your transaction to assess how likely it | is that someone has stolen your card? | inetknght wrote: | > _Should the credit card company be allowed to use the | information about your transaction to assess how likely | it is that someone has stolen your card?_ | | I've been called by the credit card company many times | for failed transactions that I've authorized. When fraud | did occur then I was not contacted by my card company and | I had only noticed the fraud because I actively monitor | my card. | | The credit card company should be able to determine what | it wants without providing the information to any other | entity. No, I do not think that the credit card company | should be permitted to sell the information about my | transaction under the guise of determining how likely it | is that someone has stolen my card. | jefftk wrote: | _> I 've been called by the credit card company many | times for failed transactions that I've authorized. When | fraud did occur then I was not contacted by my card | company and I had only noticed the fraud because I | actively monitor my card._ | | Yes, credit card antifraud has both false positives and | false negatives. It's not clear to me whether you're | going from there to saying that it is useless? | | _> I do not think that the credit card company should be | permitted to sell the information about my transaction | under the guise of determining how likely it is that | someone has stolen my card._ | | I think I misunderstood you earlier. When you wrote "the | credit card processor should not have any right | whatsoever to do anything with the facts..." I thought | you meant that they shouldn't be allowed to use the | credit card data to do anything, including fraud | prevention, not just that they shouldn't be allowed to | sell it? | alisonkisk wrote: | Are you also going to make gossip illegal? | | Are customer reviews going to be illegal? | pomian wrote: | This is what happened with pollution. Leaks were common. But it | cost to fix. Then regulations came in to fine any leakage. It | works, but is always the lowest priority for any company. | Because it's a profit drain not profit growth. | zwkrt wrote: | Facebook et al want the privacy discussion to revolve around | "keeping your personal data safe" but that is just bald-faced | propaganda that covers up the fundamental issue. It's not like | Facebook's digital model of my behavior is really "mine" and | they are just borrowing it or protecting it. They don't even | care about my data in the singular. | | What they do have is a giant corpus of behavioral data spanning | everyone on the planet. Companies can (statistically) detect | that you are going to get a divorce, or that you are going to | be pregnant. They know everyone who has been to jail, our | sexual fantasies, how likely it is that our children will go to | college. | | Right now we say they sell ads, but you could just as correctly | say that they take advantage of this incredible, unprecedented | information advantage to directly change the world in their | favor and in the favor of whoever can pay. It used to be used | to sell clothing and frippery, but already SM is plastered with | ads for political campaigns and brain-altering drugs. Their | cultural hegemony will only increase over time, as the data | gets better and the methods become more effective. | | In this regime, what does it even mean for Facebook to "leak my | data"? If anything I'd rather it was out in the open. (Although | I'd much rather it didn't exist!) | cartoonworld wrote: | I don't think that's gonna cut it, but definitely on the right | track. Its going to require some kind of legislation, or an | insurance requirement that renders the insurers as de-facto | regulators. This is still crazy hard due to the possibility of | regulatory arbitrage, just open shop in Anguilla or wherever. | | Without the auditing, compliance, and domain experts to verify | and implement this, its going to be extremely hard to create | and levy these penalties in any meaningful way. Using (legally) | vague terms like "leak" "personal" "data" and "involved", a | quick trip to the local courtroom will obviate a lot of the | fines for well connected C-execs and legal teams. | | Data integrity needs to be baked into the equation from the | start. Until it is a business requirement to ensure proper | system architecture practices, data integrity, and auditing, I | don't see a snowball's chance of reaching sanity. Really, we've | only barely defined the problem. Businesses have compliance | departments that are totally subservient to business needs and | would much rather resort to gaslighting stakeholders with | silver-bullet checkbox security technology processes shaded in | at the board room. | | On the other side, we are now ushering in a fascinating golden | age of the security rodeo. There is astonishing growth in this | industry, enjoy unending contracts for Red and Blue alike. It | could soon really begin to look like a Gibson novel. | shkkmo wrote: | The problem is it is not easy to asses the security risk of | small businesses in a cost effective way for insurance | companies. It's really hard to come up with a set of | regulations here that protects users data and doesn't | completely disadvantage startups and small businesses. | cartoonworld wrote: | Well, in this instance I would argue that the current state | of affairs also completely disadvantages startups and small | businesses. | | Kaseya has a whole portfolio of services marketed to small, | medium and startup business (as well as larger) that their | customers bought in order to enable them to leverage this | business model in the first place. They've since burned | countless providers, torching their relationship with | customers, shutting down countless businesses of all sizes | all across the planet. What is the cost to them of this? | Worst case scenario, they fold and change the sign. The | people in charge of not screwing up will be snatched from | doom by their network. I would hope they do better next | time, but why would that be any more likely than just | another over par round of golf? | | I definitely agree that it is not easy to asses the | security risk of small businesses in a cost effective way | for insurance companies or to develop some kind of | regulatory structure. | | The alternative to not doing this is accepting this | unstable chaos-monkey in perpetuity. If there is no | business requirement for effective controls, there wont be | any. | | Kaseya's people can walk and start another tire fire and | surely everyone else will sweep up and move on, but these | problems are everybody's problems. There is no IT | infrastructure that does not require effective controls. | | If we don't improve this problem, things are gonna get | _weird_. | shkkmo wrote: | I agree and just because something isn't easy doesn't | mean it isn't worth the effort to get right. | ClumsyPilot wrote: | We do not regulate how a coffee shop does accounts in the | same way we regulate a bank. | | Many regulations only apply to companies bigger than 50 | employees, more than billion of turnover, data on over 1 | million people, etc. Or in a spesific market. | alisonkisk wrote: | > open shop in Anguilla or wherever. | | That doesn't grant a GDPR exemption. The "shop" still | operates in jurisdiction. | kerkeslager wrote: | Would any of the people who downvoted my post[1] without comment | care to explain why? | | [1] https://news.ycombinator.com/item?id=27761401 | | EDIT: Didn't think so. | tqi wrote: | It's an unworkable idea. | | What is an ad, exactly? You cite Consumer Reports as a model - | they have affiliate links on their reviews. Is that an ad? Is a | sponsored social media post? A celebrity endorsement? Free | products given to athletes in the hopes that they will be seen | using it? Logos on clothing? Is the standard just "I know it | when I see it"? | | Also (in the US) it almost certain runs afoul of the First | Amendment. | kerkeslager wrote: | > What is an ad, exactly? You cite Consumer Reports as a | model - they have affiliate links on their reviews. Is that | an ad? | | I agree that Consumer Reports does include some advertising, | but it's not necessary for their business model to work-- | consumer reports predated the internet by over 50 years, so | it certainly predated affiliate links. At least at some | points their primary source of income was subscriptions, and | judging by how hard it is to get at most of their reviews | without a subscription, that continues to be a significant | revenue stream for them. | | > Is a sponsored social media post? A celebrity endorsement? | Free products given to athletes in the hopes that they will | be seen using it? Logos on clothing? Is the standard just "I | know it when I see it"? | | While I agree that we need a clear definition of an ad to | encode this to law, I don't buy this feigned confusion as a | valid argument that we can't or shouldn't legislate against | ads. _Obviously_ we need to work out a clearer definition | than "I know it when I see it" to legislate effectively, but | it's absurd to claim that I need to present a fully-written | legal code in order to present a valid opinion on Hacker | News. | | We may disagree about free products given to athletes in the | hopes that they'll be seen wearing them, for example. But if | you claim not to know that a 30 second video clip in the | middle of your TV show telling you that you should drink | Budweiser to pick up chicks is both an ad and a harmful lie, | you're not arguing in good faith. This argument is just | throwing FUD about implementation details: you're not | responding in any way to my statement of the problem, or | presenting any fundamental criticism of my proposed solution. | | The first implementation of this law wouldn't be perfect. | We'd need to iterate on it. But even a ban against a very | narrow definition of ads would be extremely beneficial. | | Since you haven't even disagreed with my statement of the | problem, perhaps you agree that advertising is bad, and would | like to draft some sample legislation that solves that | problem to your satisfaction? | | > Also (in the US) it almost certain runs afoul of the First | Amendment. | | While current judicial precedent defines corporations as | people, that's clearly a terrible mistake. Corporations | aren't people and as such the first amendment does not apply | to them. Yes, I know, there's some grey area where | restricting the rights of corporations might restrict the | rights of individuals: remember what I said about | implementation details? | | Overturning judicial precedent is a legal hurdle to get over | to get rid of advertising, but it isn't a logical problem | with the solution. Just because something is difficult to do | doesn't mean it's not worth doing. | tqi wrote: | > But if you claim not to know that a 30 second video clip | in the middle of your TV show... | | The obvious cases are not what make this unworkable, it's | the edges. Is a paid product placement an ad? Is simply | furnishing clothes for the actors to wear on set an ad? | Your original suggestion was that this letter didn't go far | enough, and that we need to ban advertising altogether. But | it actually seems like what you actually mean is that some | additional forms of ads you find objectionable should be | banned. | | I personally have no problem with ads if it means I don't | have to pay for stuff with money. But you asked why people | downvoted you, and that was my answer. | only_as_i_fall wrote: | Opposition to online surveillance always makes me wonder why | nobody has attempted to create adversarial browsers or plug-ins. | | I'm not aware of how difficult it would be technically, but | wouldn't a good solution to be simply throw troves of noise at | Google Amazon and Facebook to drown out the actual signal? | | For example, how valuable would online advertising even be if 20% | of all users were continously clicking through the ads and | opening the landing pages in a virtual browser that the user | never even sees? | | What about opening every search result at random and simply | closing the page again after a few seconds? | | Is there some reason this kind of idea is infeasible or illegal? | pavel_lishin wrote: | > _if 20% of all users were continously clicking through the | ads and opening the landing pages in a virtual browser that the | user never even sees?_ | | Those adoption figures are wildly, _unreasonably_ optimistic. I | doubt you could get 20% of HN readers in this thread to install | such an extension; you 'd be lucky if you got 2%. | only_as_i_fall wrote: | Probably, but IIRC that's about how many users are estimated | to run ad blockers which was the basis. | | Obviously less people care about privacy than care about | intrusive ads, but if such features were combined you might | get momentum. | hpoe wrote: | People actually have created adversarial browser extension | checkout AdNaseum (https://adnauseam.io/) which will click | every single ad on a page, as well as acting as an adblocker | that is based on ublock. | | In addition the TrackMeNot (https://trackmenot.io/) extension | will randomly create search requests in the background | constantly generating useless noise. | | If you combine them you get a wonderful situation where random | searches are performed and then all the ads on the search | result are clicked. I've currently clicked on 2210 ads today | while just having it open in another tab on my browser. | | Join the fight my friends. | alexashka wrote: | Why not go to the logical conclusion and ban advertising? | | Why not have a yellow pages of cool stuff with proper discovery | mechanisms instead. Anyone who's interested in new stuff can go | and see what's new, what's happening, like reading the news. | | Remember when you'd check the app store on your phone for cool | stuff? Just have that, for everything. | | Advertising is mind pollution, it's exhaust fumes for your mind | and it's a giant industry that wastes everyone's time playing | zero sum games too, ugh. | kerkeslager wrote: | Frankly, I don't think this goes far enough: "Ban advertising" | would be better. | | Almost every problem with the internet right now is caused by | advertising if you dig through the chain of causality. From | social media patterns that addict you to conflict and conspiracy, | to popups, adware and spam, to constant attacks on our attention | even when we're driving and could literally kill someone with | inattention, to spreading dissatisfaction, fear, and poor | financial advice, advertising is the root of much evil. And at | its core, advertising is just never a good thing, in any context. | | Proponents of advertising will say, "How do people find out about | products and services?" but advertising is an extremely poor | answer to that question: there's an inherent conflict of interest | when the people selling a product are the primary source of | information about the product. In the worst case, this leads to | advertisers just lying to consumers and manipulating people's | emotion. In the very best case, advertisers present information | only about their own product, which doesn't allow consumers to | make educated decisions--it's arguably not lying but the effect | is the same. You might say, "Why would advertisers be obligated | to provide information about competitors?" and you're right, they | aren't, but we aren't trying to establish blame or responsibility | here, we're trying to find a solution that's good for consumers, | and advertising just isn't that. | | A better solution is independent review sites. Consumer | Reports[1] is a paid service, so you aren't the product. More | specialized sites exist for all sorts of product areas: I'm a | rock climber, and when I want a new piece of rock climbing gear, | the first places I look at are Outdoor Gear Lab[2] and Weigh My | Rack [3]. There's Labdoor[4] for supplements, Psychology Today[5] | for therapists, WireCutter[6] for electronics, etc. But even here | advertising has poisoned the water: many of these sites receive | compensation from sellers, not from buyers, which has resulted in | some dark patterns. It's not a perfect solution, but it would | work a lot better if advertising were banned, and these conflicts | of interest were removed. | | Another solution is simpler and older, and it's exactly what I | was doing in my previous post: word-of-mouth. That's arguably one | of the best solutions, because while it's low-bandwidth, it's | high fidelity: people don't go out of their way to promote a | product unless it was actually quite good for them. | | The other thing proponents of advertising will say is that | advertising is necessary to fund existing sites, particularly | content sites. On Hacker News, this often comes from someone who | makes their money from advertising, directly or indirectly. | | The thing is, the idea that people only produce content or | software when it's profitable to do so reflects a very narrow | view of the world. It's just not true. I'm old enough to remember | the internet of the 90s, and in that time the internet was _full_ | of resources which were simply given away for free without | advertising, which I 'll refer to roughly as "old internet". Many | old internet resources have yet to be reproduced in the new | internet: Sheldon Brown's page[7] is _still_ the best resource on | bikes (the advertising was added after his death). Erowid[8] | remains the most comprehensive resource on drugs. Sites like | Wikipedia have somewhat drunk the advertising poison--and were | better before. | | And that leads me to my third reason advertising should be | banned: it's infectious. Advertising is Scott Alexander's | Moloch[9]--if one entity does it, then all their competitors have | to do it in order to compete. The entire purpose of the free | market is supposedly that it results in the best outcomes, but | this is clearly a hack that prevents that from happening: we want | companies to compete by producing the best goods and services at | the lowest cost, but when you allow advertising, companies can | (and do) compete by manipulating consumers into buying inferior | goods at higher costs. Advertising is an anticompetitive business | practice that undermines the entire purpose of a free market. | | Banning advertising is only a bad thing for bad companies: good | companies would only stand to benefit. Banning advertising would | free good companies to spend their resources on producing the | best products and services at the lowest cost: every cent | companies spend on advertising now is wasted money. Sure, some | companies would go under without advertising. Good riddance: if | your company can't sell products and services without ramming | them down consumer's throats, your products/services aren't of | value. | | Contrary to the advertiser's paternalistic views, the efficient | market hypothesis means that people understand their own problems | and can find solutions to them without your help. The world would | be better off without advertising. | | [1] https://www.consumerreports.org/cro/index.htm | | [2] https://www.outdoorgearlab.com/ | | [3] https://weighmyrack.com/ | | [4] https://labdoor.com/ | | [5] https://www.psychologytoday.com/us/therapists | | [6] https://www.nytimes.com/wirecutter/ | | [7] https://www.sheldonbrown.com/ | | [8] https://www.erowid.org/ | | [9] https://slatestarcodex.com/2014/07/30/meditations-on-moloch/ | jimbob45 wrote: | You need _some_ amount of advertising. If you invented the cure | for AIDS tomorrow, how are you going to tell everyone about it? | Word-of-mouth works, but only so far. Perhaps over time, people | will naturally Google "cancer cures" but will your business | still be solvent by then? | | If you want to talk about leveling the playing field, you have | to be more strategic with your legislation. Don't ban | advertising. Ban spending on advertising above some limit. No | one benefits from Coca-Cola showing yet another commercial on | TV other than the commercial producers - society certainly | doesn't benefit though. Make companies spend their ad dollars | wisely. | kerkeslager wrote: | Keep in mind that downvotes without explanation are likely | coming from people on Hacker News whose income comes from | advertising. | tehjoker wrote: | Capitalism requires advertising because it needs an accelerant | of consumption. If consumption stagnates, a capitalist economy | enters a financial crisis that can result in the system's | overthrow. | | I am for banning advertising on its merits, to slow the growth | of consumption for environmental reasons, and because I believe | capitalism is a harmful system that should be replaced. | hungryforcodes wrote: | Ban surveillance everything. | hungryforcodes wrote: | I wish that was a moto. ___________________________________________________________________ (page generated 2021-07-07 23:00 UTC)