Not a ton of depth in the letter itself, but I like the angle they take. It's not all about privacy or data security.
"In addition to the clear privacy issues caused by surveillance-based advertising, it is also detrimental to the business landscape."
"In the surveillance-based advertising model, a few actors can obtain competitive advantages by collecting data from across websites and services and dominant platform actors can abuse their positions by giving preference to their own services."
In many senses, Google & FB have achieved what net neutrality wanted to prevent ISPs from doing. In the developing world, FB has actually achieved it. If AOL had succeeded, we would have ended up approximately here.
The browsers intent may be to remove cross-site tracking, but we all know that Google Ads will still follow people around the web through latent signals (even if wrapped in something like FLOC), and other parties like KISSmetrics will continue the fingerprinting cat and mouse game.
Yes, FLOC and similar technologies, are another way to track users, but this time in the browser. We really do not see that as being any better. In many ways it is really worse.
> Google Ads will still follow people around the web through latent signals
I'm not sure what you mean by this?
Google Ads has committed "once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products." -- https://blog.google/products/ads-commerce/a-more-privacy-fir...
> even if wrapped in something like FLOC
FLoC doesn't allow "a few actors [to] obtain competitive advantages by collecting data from across websites" since everyone sees the same number of identifying cohort bits.
> other parties like KISSmetrics will continue the fingerprinting cat and mouse game
Historically, the TOR browser was pretty much the only one that took fingerprinting prevention seriously, but it's now a substantial focus for Safari/Firefox/Chrome. I do think fingerprinting groups will continue to have things that work when third-party cookies go away, but I don't expect it to persist that long after? I also would not be surprised to see a regulation here, since I (not a lawyer) don't think fingerprinting is compatible with the GDPR or the other regulations it's inspiring around the world.
I agree FLoC is tracking (though not at the individual level). The question we've been discussing, however, is the effect on competition in particular: https://news.ycombinator.com/item?id=27763345
Clearly not allowing anyone to track is good for competition. Now there are certain companies that collect data from multiple sources. That gives them a benefit compared to others. But what I do not understand is how they can do it? How can you accept that your company spies on its users and collects data on them? How can you say it is OK?
Regarding your "earn to give", I feel like I want to play devil's advocate and ask why not cut your salary in half by working or volunteering on more humanitarian projects and charities? Not sure the pay would exactly be half less, maybe even more, maybe less, but the net positive of what you do may be greater? (I say that, as if we can measure such impacts :p)
I've considered doing directly valuable work, have tried things along these lines in the past, and may try them again in the future. For now though, I think earning to give is a much better fit for me: https://www.jefftk.com/p/earning-to-give-transcript
I guess the start of it gave that impression in particular. It is great you are giving so much of your salary to charity, but the fact that is the first thing you write as an explanation of why you do what you do does send a signal.
I also have a feeling you are trying to explain to yourself why the things Google is doing is not bad. So you twist things a bit here and there to make your point.
In any case, you are not in a position, I assume, to influence what Google does. Google is on a path that a lot of us do not like. We do not like being tracked and we do not like profiles being built on us. We want that to stop. You try to convince us it is not so bad, but the feeling I get is that you are just as much trying to convince yourself, but obviously I am not you, so this is just based on a feeling.
> I agree FLoC is tracking (though not at the individual level).
FLoC significantly increases the entropy in a user's fingerprint (typically by 15 bits iirc). This improves existing individual tracking mechanisms that use a fingerprinting-based approach. FLoC therefore enables further individual tracking, and browsers that take privacy seriously should disable it.
FLOC is tracking in your browser. How is that not individual? Not that it matters. Tracking is wrong whether you are able to track an individual or not. This is not just about privacy.
All the major browsers already locally track the sites you visit so they can maintain your browsing history, turn links purple, etc. What FLoC adds is that it locally computes a low-cardinality anonymized summary of your browsing history, and makes it available to sites.
So in other words FLOC makes the browser spyware. Clearly the browser history is useful for the user. That is why it is there. The browser company has no right to take that history and turn it into an ad profile. It is just plain wrong.
Be careful not to confuse one cross-site tracking techniques with cross-site tracking. Ask about company behaviors that may be of interest, not specific mechanisms. You can always ask about the mechanisms later.
"Will you use information about users from third-party sites when making decisions about how to interact with them?"
"Will you use data about offline purchases made by users when deciding how to interact with those users?"
The thing with information is that once it is shared, it can't be unshared. Sure, blocking cross-site tracking would ostensibly make monopolistic accumulation of new data more difficult, but except for the most decay prone information, there is already a comprehensive profile established for a good chunk of the users, which can be milked for a good while. This is not even taking into account of backchannel acquisition of the missing data (i.e. through brokers) with the sweet sweet profits already made, potency of which is enhanced when joined with existing data (and therefore still creating monopolistic dynamics).
So will Facebook (and several others) if you take no steps of your own to block them. It's an escalating war of cat and mouse. You'll block them, they'll find a new way around it, you'll block them some more, they'll find another way. Eventually the only answer will be to shut down the Internet because it's become just too broken to use anymore.
The simpler answer is to just ban it. The law doesn't need to be technically detailed or envision every single technological adaptation: it just needs to be sufficient for a judge to be able to recognise it when a prosecutor describes it and a defence lawyer attempts to pull the wool over their eyes. It needs to be focused on outcomes.
Once banned, Google and Facebook will submit. They will attempt to lobby against the reforms, eventually saying "it will prevent legitimate business: it represents a small fraction of our revenue, but we are selflessly lobbying on their behalf to ask you to implement this technically specific law to reign us in". Ignore them. You don't listen to the hitman when they comment on homicide laws.
And ensure that the penalties amount to a ban. The US congress and courts can and do terminate human lives. Whatever penalty they propose on abstract legal entities is not too harsh; even if they completely dismantled Google and destroyed all of their economic value, it is nothing compared to the things we do to natural living breathing humans in response to criminal behavior.
Profitable companies will submit to a law that aims to control their behavior.
> law doesn't need to be technically detailed or envision every single technological adaptation: it just needs to be sufficient for a judge to be able to recognise it when a prosecutor describes it and a defence lawyer attempts to pull the wool over their eyes
This is a terrible philosophy for legislating. It undermines the rule of law, i.e. that you should ex ante be able to determine if what you're doing is legal or not.
What you're describing is rule making. Congress regularly does this, in passing a law that requires such and such agency propose (or even implement) rules that achieve this or that within so many days.
This is fundamental to the rule of law. Judges and juries apply the law to the facts. Civilians can ask the government to review their plans in advance and make a ruling.
We don't say murder laws are bad because there's no way to know in advance if "bashing someone's head in with a pipe who dies a month later" counts as murder.
Every important criminal law includes the idea of intent. Killing someone with a car because you sneezed is very different from intentionally running them over in the eyes of the law.
Yes, but intent alone isn't sufficient. We need a precise, side-effect light definition of the kinds of activities we want to ban and by whom. To date, I haven't seen that.
Passing a law which bans "surveillance-based advertising" with little more specificity is a recipe for disaster.
I think banning it is the wrong approach. Data ownership should be regulated that personal info belongs to the person it is about. Companies need to pay for it if they want to store it over a certain time period. They also have to face large fines when they leak personal info.
Imagine how quickly companies would only save minimal personalized data.
I think this is one of the big misinformation being propagated. That somehow you would not be able to get GMail or other services if Google is not allowed to collect information. The reality is that Google did just fine before they did surveillance-based ads and they can do just fine when they stop doing them as well. There are other ad systems and Google can do just fine using normal ads.
That being said, there are great alternatives to GMail that you can use, both free and paid. FastMail, Proton Mail, Tutanote and Vivaldi.net mail are just a few options you might want to try out.
Google started as a search engine. Their results were accurate and there were no ads. Gradually they started doing ads on search results, related to the search itself. This was better than what many of the competitors at the time were doing, which was for paid searches to be at the top.
Gradually Google became more and more an ad company. In 2007 they bought DoubleClick that was one of the leading ad companies on the Internet. This was part of them moving towards providing ads not only on search results, but on sites as well. At the time most ads were site or context sensitive.
So Google has been making money off ads for a long time. More or less from the beginning. The big change, however, was the move to surveillance-based ads, where the ads depends not on the site or page you are viewing, but on the person viewing the ad. That is where it went all wrong.
Sure, Google started as a Search Engine, but it's monetization strategy has always been to serve ads. According to Wikipedia it first released Google AdWords in 2000. It became a public company in 2004.
Gmail can still exist without Google in its current form, or without Google entirely. It is likely one of those services that does not require surveillance to remain profitable, and competitors would be falling over themselves to claim the data and domain names if Google claimed otherwise. Losing integration to other Google services would likely win more hearts than gutpunch users.
can't they just advertise based on what's in the email rather than keeping a profile on you? Not a lot of people want to see google go away, we just want them to stop being asses and get broken up.
I'm not sure if you're being intentionally obtuse or not. GA phones home with vast information about user, and builds a profile of them. That profile is correlated across sites to personalize search results and sell ads.
Please omit personal swipes from your HN comments. Your post would be fine without the first sentence.
Note this site guideline, including the last bit: "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."
I'm not being intentionally obtuse, but I also don't know all of Google's advertising business. I didn't think Google Analytics did that? What makes you think it does?
(GA sends a message to Google, but I had thought that it was not linked to your behavior on other sites via GA?)
Googe Analytics consultant here (not Google employee).
1. Google Analytics' primary identity signal is a first-party cookie. this is not shared between domains. There is no technical way to link identity between domains with different cookie values.
1a. Google Analytics has built-in library functions to allow site owners to share first-party cookie values between a whitelisted set of domains. This effectively lets one company with multiple sites share a first-party identifier, but still not let anyone (Google or otherwise) link that identity to identities set on other sites.
1b. BUT. But. BUT. Google is rolling out "Google Signals" for Google Analytics, which will use your Google Account as the identity signal instead for users who are logged in to Chrome. This, obviously, lets your identity be correlated across sites.
(Personally, I suspect that the availability of this feature played a part in Google's decision to let Chrome follow the industry towards blocking third-party cookies. But this is a baseless opinion, one step removed from a conspiracy theory.)
2. Google Analytics can link their identifier (the first-party cookie or Google Signals) to your DoubleClick profile via DoubleClick's third-party cookie. The checkbox that does this is unchecked by default. There are many other features of GA that encourage or require you to check this checkbox.
2a. Google's documentation (including legal contracts!) places limits in the data exchanged between the two profiles. Data exchanged does include demographic and interest information from DoubleClick's profile into GA. This is one of the big reasons why people click the checkbox.
To my knowledge, GA data is not used to inform the DoubleClick profile. GA data can be used to build an "audience" in various Google ad platforms, and direct ads to those people specifically, or to use as the basis for a "look-alike audience."
3. Google is a Processor under GDPR for Google Analytics, and a Controller under GDPR for Google Ads. To a first approximation, this means they make the specific legal claim that they do not use GA data for their own purposes. Linking Analytics and Ads data is... complicated and frankly I still haven't gotten an explanation of its legal status that I fully understand.
In my personal opinion, I don't think Google actually uses Google Analytics data. Most Analytics implementations are tire fires, and they can get all the data from other more reliable sources, like Publisher data or Chrome. Given that they have based on their entire GDPR compliance strategy for Analytics on being a Processor, I don't think the risk/reward is there.
(apologies for lack of copy-editing, the thunder's about to take my internet away)
Interesting insight. Their privacy policy suggests they are able to do this however[1]:
"When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using."
What is stopping, legally, them from taking e.g. HTTP Headers from independent connections and linking them together through fingerprinting? Maybe this is not implemented in Google Analytics, but that is certainly not the only connection made to Google on most websites (see e.g. gstatic and Firebase). Since there is practically no technical barrier, it seems that the vague privacy policy leads to the only question being what the 'unique identifiers' are exactly.
Am I missing something, or does this not address the fact that https://whatsmybrowser.info/ will always yield the same thing whether a connection is made to GA, Firebase, YouTube or Blogger? That seems to have to do with connection timing and caching, not with what the connection itself leaks.
I thought the parent was talking about using information about the network connection to link users across sites hosted by the same entity?
If you're talking about fingerprinting in general, that is also something that all the browsers are working on. I'm most familiar with Chrome's strategy, which is to first switch APIs that provide a lot of entropy from something you get by default to something you have to actively request, figure out how to provide similar functionality more privately, and then enforce a privacy budget that does not allow collecting enough information to identify users: https://www.chromium.org/Home/chromium-privacy/privacy-sandb...
Is Google going to give back the $100B is made from cross site tracking in the past?
Is Google going to consider YouTube, Gmail, Maps, and Android Location history different sites, or is "having an effective monopoly an exemption to crosss-site tracking prohibition?
Does anything in the proposal prevent server-side cross-site tracking? (No.)
Is Google going to stop buying third party tracking data like credit card transactions?
All the browsers have said that they consider general-purpose cross-site tracking to be deprecated, not just cookies. They are working on removing other forms of linking users across sites, including the browser cache, link decoration, and fingerprinting.
Setting aside whether FLoC is private enough, how can you say it is not more private? Today, with third party cookies, many companies have almost your entire browsing history through a combination of direct tracking and cookie matching.
With FLoC this information stays on your device, and only a summary is made available to sites.
I'm not sure which part of the post you're referring to when you say that FLoC isn't more private than the status quo; is it the "FLoC will expose your data. More than ever." section? That has "Now every website will get to see an ID that was generated from your behaviour on every other website", but this is not what Chrome has said:
"Websites can exclude a page from the FLoC calculation by setting a Permissions-Policy header interest-cohort=() for that page. For pages that haven't been excluded, a page visit will be included in the browser's FLoC calculation if document.interestCohort() is used on the page. During the current FLoC origin trial, a page will also be included in the calculation if Chrome detects that the page loads ads or ads-related resources." -- https://web.dev/floc/#do-websites-have-to-participate-and-sh...
Suddenly the tracking includes all sites and pages. That is not an improvement. Having an opt out or even an opt in is not the solution here. We have all seen how that works.
The tracking just has to stop. Google can generate plenty of revenue without tracking us. They were in fact making plenty before they moved from context sensitive ads to surveillance-based ads.
Your statement below is both funny and misleading at the same time and I guess it is also why opt-in is often such a misleading term.
So you start with all pages that have ads, meaning most all pages that are tracked today. Then you add to that by "opt-in". Now, most sites are not built by hand. The tools they use may thus "opt-in" for them. Also, this method may make it harder to block the tracking, so you end up tracking more in practice, which is obviously why this is being introduced, as so many have chosen to use tracker blocking of some kind.
Your statement on "opt-in" really needs be reiterated. In many cases you are left with options like: do you want to use this product? Then you have to "opt-in". Great examples are Windows 10, that insists on you logging in with Microsoft. Similarly many products require you to "opt-in" to use them.
We need this to stop. Ban surveillance-based ads now!
But it doesn't! They are proposing, in the stable version, to include only pages that opt in by calling the FLoC API.
For the origin trial in particular, to avoid a chicken-and-egg issue, they are also including pages that have ads. Since ads today make extensive use of third-party cookies for cross-site tracking, This is still not anything like "all sites and pages".
The argument is bad for privacy, since the business solution to that problem is the same for other IP antitrust: mandating non-discriminatory licensing to anyone who wants access to the data.
I can see where you're coming from, but I think common carrier type action is pretty unlikely here.
Besides controversy, it's too technically hairy to legislate. There's also no reason. "Surveillance advertising" isn't a necessary service.
The reason I like the angle of this letter is that it isn't stand-alone. It's providing another perspective to the pile. Data centric advertising is monopoly & centralisation prone. They're extracting a lot of value out of the digital economy and this chokes out a lot of potential economic activity.
It doesn't negate or replace privacy, data security, general creepiness or other rationales. What they're literally calling for is a ban. How this affects politicians, if it does, is providing them an additional persona of affected groups. Businesses .
I think there's a simpler way to achieve this. Force companies who leak personal data to pay reasonable damages to all the individuals involved, on the scale of 10-100 dollars, depending on how much personal info has been leaked.
That would make businesses very quickly reassess how much data they need to keep, and how careful they need to be with it, without requiring any really radical legislation.
I don't think that's gonna cut it, but definitely on the right track. Its going to require some kind of legislation, or an insurance requirement that renders the insurers as de-facto regulators. This is still crazy hard due to the possibility of regulatory arbitrage, just open shop in Anguilla or wherever.
Without the auditing, compliance, and domain experts to verify and implement this, its going to be extremely hard to create and levy these penalties in any meaningful way. Using (legally) vague terms like "leak" "personal" "data" and "involved", a quick trip to the local courtroom will obviate a lot of the fines for well connected C-execs and legal teams.
Data integrity needs to be baked into the equation from the start. Until it is a business requirement to ensure proper system architecture practices, data integrity, and auditing, I don't see a snowball's chance of reaching sanity. Really, we've only barely defined the problem. Businesses have compliance departments that are totally subservient to business needs and would much rather resort to gaslighting stakeholders with silver-bullet checkbox security technology processes shaded in at the board room.
On the other side, we are now ushering in a fascinating golden age of the security rodeo. There is astonishing growth in this industry, enjoy unending contracts for Red and Blue alike. It could soon really begin to look like a Gibson novel.
The problem is it is not easy to asses the security risk of small businesses in a cost effective way for insurance companies. It's really hard to come up with a set of regulations here that protects users data and doesn't completely disadvantage startups and small businesses.
Well, in this instance I would argue that the current state of affairs also completely disadvantages startups and small businesses.
Kaseya has a whole portfolio of services marketed to small, medium and startup business (as well as larger) that their customers bought in order to enable them to leverage this business model in the first place. They've since burned countless providers, torching their relationship with customers, shutting down countless businesses of all sizes all across the planet. What is the cost to them of this? Worst case scenario, they fold and change the sign. The people in charge of not screwing up will be snatched from doom by their network. I would hope they do better next time, but why would that be any more likely than just another over par round of golf?
I definitely agree that it is not easy to asses the security risk of small businesses in a cost effective way for insurance companies or to develop some kind of regulatory structure.
The alternative to not doing this is accepting this unstable chaos-monkey in perpetuity. If there is no business requirement for effective controls, there wont be any.
Kaseya's people can walk and start another tire fire and surely everyone else will sweep up and move on, but these problems are everybody's problems. There is no IT infrastructure that does not require effective controls.
If we don't improve this problem, things are gonna get weird.
We do not regulate how a coffee shop does accounts in the same way we regulate a bank.
Many regulations only apply to companies bigger than 50 employees, more than billion of turnover, data on over 1 million people, etc. Or in a spesific market.
Yeah, rather than targeting advertising I'd prefer to get to the actual point, and target mass surveillance and collection of huge troves of personal data no matter the purpose.
Ban monetizing data (no selling, no pay-for-access, no derived products) and make leaks guaranteed to be expensive, so companies only keep what they have to to operate, with some large multiplier attached to the leak fine if it was related to banned activities.
Done.
The advertising is a symptom, it's not the disease.
Right, but the alternative in question is banning surveillance-based advertising. I'd prefer to curb surveillance itself, having the side-effect of eliminating surveillance-based advertising.
Separately, yes, I'd like to see practically all public advertising banned (billboards are blight), and while I'd have to think on it some more before supporting a blanket ban on all advertising (I'm not sure it's workable, for one thing) I'd also not be sad if I woke up one morning and learned that such a law had been passed.
Yeah, I don't think our opinions diverge too much on that. My ideal world wouldn't feature much of either of them—I think well-marked, in some standard and easy-to-spot way, ads in publications aren't so terrible, for instance, provided it's made clear up-front, say with some kind of cigarette-box style notice or warning, that there are ads in it. Though, again, if paid advertising just went away, in all forms, entirely, tomorrow I wouldn't be sad about it. But, as far as online ads go, it's the surveillance part that bothers me more than there being any ads at all, and that worries me way beyond its use in advertising.
I know we're comparing relative evils here, but that's interesting. I think my main concerns with surveillance are the chilling effects it has on those who would break the law for ethical reasons. But ultimately I think the tangible negative effects that surveillance has on most people are indirect. That's not to say they aren't important. But as important as advertising?
Advertising causes a great deal of surveillance, but it causes a lot of other issues, many of which affect almost everyone, very directly, and in some tangible ways. At a basic level, we're being lied to constantly in ways that hurt our self esteem, break our concentration, introduce us to new fears and angers: the exact intention of which is to create problems for us so that it can persuade us that giving them money will solve our problems. Advertising tells us our partners aren't hot enough, we aren't cool enough, our houses aren't big enough, our cars aren't fast enough, that we aren't doing enough for X cause. It tells us that our financial future is insecure, that we're missing out, that we're at risk for disease, floods, and car accidents. If a parent or partner told us these things, we'd call it emotional abuse, but from advertisers it's both accepted and commonplace. And it affects us deeply: we're overmedicated, overfed, overworked, and over-indebted.
And that's just the direct effects. When you consider the kinds of content that advertising funds, it's almost universally harmful. News that prioritizes clicks over information by inciting anger and fear. Informational resources that avoid speaking truth to power because power advertises. Social media that courts flame wars, conspiracy theories, and echo chambers because they all provoke engagement. Everything advertising funds is fast, shallow and emotional, because slow, deep and rational doesn't promote clicks.
Why even look for a compromise here? Easy to spot ads aren't better: they're still people shoving a lie in our face. There's nothing of value here. Ads are a tumor: even if we can find some part of it that's benign, there's no part that shouldn't be excised.
I'm curious how you would see "ban monetizing data" play out in the case of an e-commerce company. Can they still run A/B tests? Show you products that they think you will want to buy based on your purchase history?
If I were writing the rules, I'd exclude anything that looks routing-like. "IP address A sees version 1, IP address B sees version 2, with some amount of ephemeral data involved to support pinning" is fine. Basic hit-counter type stats are fine. (though I think A/B tests are abusive crap and would love to see them go away, on a personal level, I don't think they necessarily qualify as spying, though the way they're practiced right now probably does tend collect & retain enough information that they absolutely are, but might not with some modification)
> Show you products that they think you will want to buy based on your purchase history?
No. Maybe with some kind of opt-in or otherwise making that something the user has to intentionally ask for. But if you're not using others' purchasing data to decide what those might be (and that would definitely be off-limits) then that's not very different from just having categories your users can browse.
It'd obviously be a tough rule to craft. In some hypothetical world where I'm the Tzar of writing and enforcing this, I'd tend to allow leeway for companies using data that could be essentially a totally-anonymous incrementing counter (as in this case) to choose how to present their site, based on what's currently being looked at or requested but not on the browsing or purchase history of a particular user. It's using a person's own activity to target, manipulate, or "monetize" them that I find especially objectionable—and the data that's hoarded in the name of those abilities, simply dangerous in ways that the hoarding companies aren't made to account for (a huge negative externality, basically). In general I think if companies want market research they should pay for market research, not just run a dragnet spying operation against their customers. If they want something other than market research out of those data, then they probably ought to just be shut down (or, at least, that part of their business should be)
[EDIT] FWIW I don't think these kinds of rules should only apply to tech companies. Physical stores ("loyalty" cards, tracking shoppers' cell phones, that stuff) and banks and similar also shouldn't be able to spy on people, nor to sell or otherwise use data collected as a necessary part of their business against people. A store may reasonably have surveillance cameras, but ought not be able to sell the footage to another company to train & test its gait-recognition software, nor use facial recognition to track how often I visit the store or what I look at. That kind of thing.
Taking cost vs. benefit into account, I would default to "no". This one in particular seems like a "neat little feature", but "neat" does not cut it if it threatens to make legislation against surveillance-based advertising less effective.
I'm not sure many customers will miss it, if they really notice. Yes it can be a bit helpful, but many other things in the world would be "a bit helpful" and yet are nowhere near justifying their cost and effect (e.g. we stopped using radioactive chemicals in substantial amounts for everyday products very, very quickly).
I've gotten useful leads on products to research maybe buying from those type of ads before, but I only ever see them on sites I've whitelisted in my adblocker specifically because they're sites I buy things from (and a rare few sites I trust to be respectful about advertising placement). They're useful when they're done right tho.
I'm confused by your ad blocker comment, because most listings like this won't be recognized as ads. They look like product suggestions, and they are entirely first party.
(On the other hand, I think the law as you're proposing it would cover them)
Facebook et al want the privacy discussion to revolve around “keeping your personal data safe” but that is just bald-faced propaganda that covers up the fundamental issue. It’s not like Facebook’s digital model of my behavior is really “mine” and they are just borrowing it or protecting it. They don’t even care about my data in the singular.
What they do have is a giant corpus of behavioral data spanning everyone on the planet. Companies can (statistically) detect that you are going to get a divorce, or that you are going to be pregnant. They know everyone who has been to jail, our sexual fantasies, how likely it is that our children will go to college.
Right now we say they sell ads, but you could just as correctly say that they take advantage of this incredible, unprecedented information advantage to directly change the world in their favor and in the favor of whoever can pay. It used to be used to sell clothing and frippery, but already SM is plastered with ads for political campaigns and brain-altering drugs. Their cultural hegemony will only increase over time, as the data gets better and the methods become more effective.
In this regime, what does it even mean for Facebook to “leak my data”? If anything I’d rather it was out in the open. (Although I’d much rather it didn’t exist!)
I generally think along your lines, but I think there is an actually a fundamental question here: do we care about privacy?
My feeling is that surveillance states are more or less the norm, and it tends to become controversial as a sort of stand-in for other issues. So, for instance, the DDR's extreme surveillance apparatus becomes a sort of explanation for why this relatively bland state was actually a historic example of evil.
In england, there's a (very mild) controversy about the use of secret police to surveil activists - it became controversial because several of them had sexual relationships, and even children, while in their undercover role. One of the curious features of all this was who merited attention. One group of vegan restaurant connoisseurs, who met on fridays to review welsh vegan diners, discovered that one of their members was a police officer, for example.
This surveillance, which really had no bounds, including the surveillance of sitting government ministers (always labour, fwiw), is actually very typical, historically speaking.
So, while I'm broadly in agreement with you when it comes to the dangers of surveillance, I think we've all had and lost this argument in the past, and the fact is, if the state historically wanted to destroy or persecute a specific group, paper records were always enough. That means that if you want to make meaningful progress in the face of this information asymmetry, you have to find wedge issues.
"We have lost this argument in the past so what are we talking about" is a dangerous attitude in this context. Helping the 'average citizen' understand the extent of surveillance and facing the consequences is an ongoing process. Public awareness is still very low about these issues, but the norms are changing - many, including myself are working hard on framing the issue in a way that reaches wider audiences. We cannot just put up our hands and accept that this battle is lost and the power imbalance is too entrenched to be changed. If you are interested in recent studies that demonstrate that people who become aware of the privacy issues do care about them, email me.
I just feel like when you have a problem like this, where the interests of business and state are aligned (data collection is useful for both), taking a principled stance allows people to marginalize you.
Obviously, people don't like invasive data collection. People don't like wars either. People generally have the kind of common sense that institutions and businesses lack.
My feeling is that you don't win fights like this by making a principled stance, then trying to get the public on board. You do it by finding wedge issues, where the argument is so strong that opposition is very difficult, then using victories there to build momentum for the next fight. That's what the civil rights movement did. That's what you have to do if you're fighting from a weaker position, and I think privacy will always be a weak value in western-style democracies because there are just so many compelling incentives for actors to erode privacy, and the threat of losing privacy is generally abstract, and only felt by already marginalized groups.
I do not understand where you get the impression that the interest of business and state are aligned when it comes to data collection. I would say that in a lot of cases, it is rather the opposite. You seem to assume that the state always has access to the data collected. That is likely not true. There are laws that limit state´s use of data without cause. That seems to be missing for Big Tech, which is why we need regulation.
A few years ago the Norwegian Spy Chief was taking questions from the media. He actually pointed out that we should be more worried about the data collection of private companies than that of the Norwegian state. Their data collection was regulated and small in scope. Big tech data collection is seemingly neither.
Data collected by Big Tech can be misused by others. In many ways this is a significant security risk. Not just from data breaches, but also that people can be manipulated in groups. This is a significant problem and the easiest way to resolve it is to stop the tracking and ban surveillance-based ads.
Well, a state is the entity that has sovereignty in a given country. So in principle, it always has access to all of the resources of that country, even though in practice it's bound by all sorts of laws and customs. Also in practice, these laws and customs tend to have exceptions in exigent circumstances.
Personally, I think dividing between the state and business is simplistic. Most businesses and most states have a symbiotic and codependent relationship, that is more or less explicit depending on the country you're talking about, but that's by the by. In practice, states generally have access to collected data through subpeonas.
I do not know which country you come from and maybe what you describe is correct in your country. I can say that it is not in my countries, Norway and Iceland and this has not been my experience running an international company either.
In any case, I think mixing the two is not helpful in any shape or form. What we need is to regulate what private companies can do. I think that is enough scope for this particular discussion and I think this is such an important matter that it needs to be addressed.
Unless you're a sheep farmer or something (in which case, you still rely on the state for security) you need an enormous number of state services to run even a very simple business, but on a more basic level, property rights are defined and guaranteed by the state, currency is produced and given value by the state, employment relations and legal structures also, and so on.
Yeah but what is a leak ? Do you consider it a leak when a data transfer to another company is intentional ?
Companies like Google are probably secured like fortress and will probably not leak data anytime soon (lets hope) so your idea wont have any effect against giants that takes security seriously.
However, I really like your point and you'll probably have a good side effect on middle size companies. But giants are a giant part of the problem.
> someone who's not me or a direct party to a transaction or conversation
It sounds to me like this definition strongly promotes consolidation. The bigger a party is, the more information it would be allowed to have and the more ways it can use it to cross-sell.
> If I do business with my hair stylist then the credit card processor should not have any right whatsoever to do anything with the facts...
Should the credit card company be allowed to use the information about your transaction to assess how likely it is that someone has stolen your card?
> Should the credit card company be allowed to use the information about your transaction to assess how likely it is that someone has stolen your card?
I've been called by the credit card company many times for failed transactions that I've authorized. When fraud did occur then I was not contacted by my card company and I had only noticed the fraud because I actively monitor my card.
The credit card company should be able to determine what it wants without providing the information to any other entity. No, I do not think that the credit card company should be permitted to sell the information about my transaction under the guise of determining how likely it is that someone has stolen my card.
> I've been called by the credit card company many times for failed transactions that I've authorized. When fraud did occur then I was not contacted by my card company and I had only noticed the fraud because I actively monitor my card.
Yes, credit card antifraud has both false positives and false negatives. It's not clear to me whether you're going from there to saying that it is useless?
> I do not think that the credit card company should be permitted to sell the information about my transaction under the guise of determining how likely it is that someone has stolen my card.
I think I misunderstood you earlier. When you wrote "the credit card processor should not have any right whatsoever to do anything with the facts..." I thought you meant that they shouldn't be allowed to use the credit card data to do anything, including fraud prevention, not just that they shouldn't be allowed to sell it?
Well, my suggestion is kind of aiming to be as pragmatic and unambitious as possible, so the fact it doesn't have an effect against giants who spend a lot of money on security is part of the pragmatism - it means you split the opposition a bill like this would face. The big companies would see it as a way to expand their moat, and so, they'd probably lobby for it, or at least, you could convince them not to lobby against it.
If you can build a big coalition of people for whom privacy is something important, then you can start making ambitious policy proposals because you'll have the voters to back it up. Before that point, I think you have to try for easy wins.
Johnny Ryan is having another go this time in Hamburg.
"Online advertising causes the world's biggest data breach. We are going to court to stop it." https://www.iccl.ie/rtb-june-2021/
As he eloquently explains there, and in detail, RTB auctions "broadcasts private information about what you are doing online, and where you are, to many other companies in order to solicit their bids for the opportunity to show you their ad."
This is what happened with pollution.
Leaks were common. But it cost to fix.
Then regulations came in to fine any leakage. It works, but is always the lowest priority for any company. Because it's a profit drain not profit growth.
If my information gets leaked and my identity compromised, you think $10-100 is reasonable compensation? I like the idea but I don't think we can put any sort of numbers on damages like this before it happens.
Every time there is a leak, you have to prove you've suffered damages.
That's hard to prove: even if someone commited massive fraud with your identify, you dont know if the data came from this leak, or from 10 other leaks.
Setting a minimum would mean thay you can immediately fine conpanies for loosing millions of records in one lawsuit, instead of a million suits proving that each particular claimant was harmed
> Force companies who leak personal data to pay reasonable damages to all the individuals involved
Companies like Google and Facebook already leak.
Proof: start an ad campaign on e.g. Facebook targeted at people who have trait X, but sell a product Y not related to X. For people who click on the ad and buy your product Y, you now know they have trait X. And you can now also link that to their address info.
Run an ad campaign in a magazine dedicated to a sensitive topic, selling something by mail-order. For people who write to you and buy your product, now you know they are interested in that sensitive topic.
(Disclosure: I work on ads at Google, speaking only for myself)
Hey, mad respect at you for bein' able to discuss this without sounding like an advertising shill, and for bein' open about your place of employment and for coverin' your butt by makin' your comments known to be yours and not your employers'. Wish more folks could do that. Good job of "adulting" there. ;)
As a (sometimes) "consumer", I personally don't mind companies I'm doing business with gathering some data to better serve me as a customer. It's actually kinda their job. And I don't even mind when they advertise related products/services at me (but not the product/service I just bought please). And I don't mind one little bit bein' advertised at (respectfully) when I'm on a site where I'm obviously lookin' to buy something. My main problem is that too often there's a degree of uncomfortable overreach with building (and worse yet, sharing around) a detailed profile of my travels on the web that is beyond unnecessary and unreasonable. I don't honestly trust most personal friends with as much information about me as some freakin' advertisers would seem to want to database and index about me. It's gotten honestly out of control, and I don't know what else to do anymore except use every tool my browser has available to block as much of it as I can actively.
True. Google or Facebook's ability to obtain, analyze, cross-reference, retain and leverage this type of information makes them billions of times more powerful than a small company selling gardening tools, however.
>Force companies who leak personal data to pay reasonable damages to all the individuals involved
Doesn't this just consolidate power among FAAG even more? They can pay these fines and they don't often leak data- if ever. That's another thing- define leaking data. Sharing with 3rd parties? It's vague enough for them to beat that in court.
We do somehow need to get back to advertising the old fashioned way rather than this surveillance capitalism arms-race.
> We do somehow need to get back to advertising the old fashioned way rather than this surveillance capitalism arms-race.
Old fashioned ads were targeted based on the thing they were attached to. For instance, if you read the sports pages of a newspaper sold in your city, you probably got ads of presumed interest to people in your city who are interested in sports.
To restore that kind of system, you would need to focus on those kinds of issues: making advertising first party, distinguishing between parts of a site without distinguishing between users.
But once you've done that, you're still left with first parties that can spy on you and use that data in non-advertising ways, or even presumably for direct marketing (if you have some kind of an account).
I think it's better to focus on the surveillance. If they can't surveil you, then they can't use surveillance advertising. As you point out, focusing on leaks is irrelevant because I don't really feel better that only Google knows everything about me. Focusing on advertising doesn't stop them collecting data, it just limits how they can use it. If we don't want the data to exist, collecting it should be prohibited.
This looks like Vivaldi supporting a recommendation made by a consumer advocacy group in Norway (Norwegian Consumer Council / Forbrukerradet), and boosting their report. You can read the original report at: https://www.forbrukerradet.no/wp-content/uploads/2021/06/202...
Cohort based targetting such as FLoC, PARAKEET and ATT will further embed the power of Big Tech. But I'm sure the HN community realizes this.
The question is: in the face of GAFAM moats and large lobbying efforts, how else might these coalitions and smaller/emerging companies get regulators' attention?
Physical storefronts have over time learned how to optimise their presentation to achieve higher conversion. Initially it was experimentation with layouts, with time they added cameras which helped understand customer behaviours.
This expertise is commonly outsourced to physical marketing companies who dispatch "merchandisers" to your store to help optimise your layout to fall in line with the layouts they have designed based on the experience they have doing this for many different stores.
Some companies would actively seek out target customers, give them cash to conduct surveys for market research.
The barrier to retail taking this to an extreme is physical obstruction and money. It takes time to experiment with layouts, you have to pay people for their insight. It isn't practical to have a Moogle which has cameras analyzing most physical storefronts around the world.
It's a really complex issue as online retailers do make money from online advertising companies and it often matters to them, but the proliferation of the chosen advertising providers few means that everywhere you go they have a presence listening for your user actions.
With that said, these companies don't really want to know you, they just want to ensure they are able to serve relevant ads to someone like you. Collecting personal data is a consequence of there being no other way to group data into uniquely identifying profiles and get those insights on the interests of those profiles.
More often, these companies explicitly don't want to know you. Personal information is a massive liability.
Attempts to anonymise the data are difficult as you will need some kind of unique primary identifier, but you can infer a lot about an identity from seemingly unimportant things like browser resolution.
They don’t want to know us, but they appear to have very few limits on what they’re willing to do to sell ads. So far we’re basically counting on our interests and theirs being coincidentally similar, I would not bet on that in the long run. Better to handcuff them before they decide that doing something incredibly unseemly is necessary for ad sales.
> these companies don't really want to know you, they just want to ensure they are able to serve relevant ads to someone like you.
"Relevant" is their PR-speak, but really it's just whether you're in the desired target audience. If I target an ad that discourages people from voting to vegetarians or people who like Fox News, that ad is not necessarily more relevant to them.
One thing I've wrestled with with the rise of online news and its effects on physical newspapers is how much I miss certain things about the physical newspapers. I don't miss the physical format, but I do think the old-school paper newspapers were much more enjoyable to read than most online equivalents.
At some point I realized that one major issue is that advertising in many of the paper copies was based around content area: if I went to the performing arts section, for example, it would be filled with ads for performing arts events. I loved this as it was actually useful and informative to me. I went to that section looking for performing arts, and that's what I got.
In online news, though, if I go to a performing arts, I don't get informative, unintrusive ads for performing arts events in my area, I get bombarded with random ads for things unrelated to what I'm looking at. Even if, say, earlier in the day I was looking for shoes, I don't want to see ads for shoes if I'm browsing performing arts, I'm interested in performing arts.
What you're talking about is a broader observation about identification of individuals per se versus patterns of interests and behaviors. However, I'd argue that a major failure of online advertising (with very important exceptions, including Google, DuckDuckGo, and many other places) is the recognition that what matters for ads is interest at any given moment, and not interests at any other time. I suppose someone might say "but a good ad is something that gives you what you are interested in even if you might not recognize it" but this is really difficult to get right, especially given that my interests in a given moment can shift from minute to minute.
If I'm moving from, say, shoe shopping to, say, performing arts, I'm deliberately moving my attention away from the former to the latter. Showing me ads for shoes is something that's specifically going against my current attentional goals. It's like saying "hey Honey, I'm done in the kitchen and am going to go into the garage to work on something" and then having some random stranger show up and pull you back in the kitchen.
This seems to be a fundamental screwup with a lot of online advertising: the failure to recognize that I'm functionally a different person from moment to moment, and when I move from one page to another there's a reason for that.
Email surveillance is maybe going even further in a worse direction, in that it's even more decontextualized and time-independent. Part of the brilliance of Google search ads, and things like DuckDuckGo, is that they catch you exactly in that moment when you're looking for something on a specific topic. Newspapers and everywhere else needs to take better advantage of that paradigm. Show me what I'm looking for now, don't take a shotgun guess at what I might want based on what I was doing in the past.
It's doubtful that any of us are in a position to know if they are or not.
Let's assume, for the sake of argument, that 100% of major email providers have stated they do not sell ads based on email content.
Next we have to either: take their word for it or have the means to verify their claims.
Taking their word for it is difficult because many major email providers have a spotty relationship with honesty. This issue of honesty is not necessarily very different from other large corporations and in truth might be a factor in what made them a large corporation in the first place.
(As First Baron Thurlow is claimed to have said: "Did you ever expect a corporation to have a conscience, when it has no soul to be damned, and no body to be kicked?")
And so we would instead need the means to verify the claims of these major email providers. I'm unsure of how to reasonably do that.
►Perhaps allow Qui Tam claims for privacy issues combined with a statutorily defined "cost" for each false claim instance?
Qui tam allows, for example, private citizens to file suit against bad-actor govt contractors in the name of the govt. The "whistleblower" then receives a share of recovered proceeds.
Here, if a statutory "cost" was defined for every false claim related to using the content of email messages (say $1 per message) then this might provide a way to help verify that the major email providers are being truthful in what they claim regarding their use of content in messages.
Email providers would know their employees are on the lookout for a big payday and might honor their public promises. And if they don't, a few large qui tam lawsuits would quickly get their attention (or drive them into bankruptcy).
The problem is with the match of partial virtual profiles with individual-specific identities.
That A uses a profile to visit www sites about code optimization, leisure mathematics, statistic software and StackOverflow, and commercial information about some IDE is shown, that may be welcome.
That A uses another profile to visit www sites about baking cakes, nutriment science and ethnic restaurants, and information about some IDE is shown, that is unwelcome as an understatement.
That A is Adrian Oberweller of Tamaxa, MT and his individual-specific identity is associated with his private concerns, that is "you must be joking" swinging at the edge between dystopia and ridiculous.
What happens when partial profiles are matched to the wrong person? Like, it's very likely these systems are going to match different people in the same household/network because... how can they even separate different people with different interests and a single person using many profiles?
I suspect all our "valuable user data" is tainted by default and its monetary value is an illusion. We do know that the systems are overzealous, and the algorithms driving those systems are far from perfect (and in case of ML models, high chances of it being non-deterministic, to boot).
A friend recently got some of those ISP copyright strikes because the fiancee of his sister got relocated to his house for a few days and decided to leech from the network to download some AAA videogames. Of course the strikes were to my friend's name, because they have no way to know some stranger did it instead.
I can easily see my data profile saying I'm into horoscopes and that voodoo because my mother browses that stuff all day from the network assigned to my name. I'm sure there are attempts to defeat incognito/private tabs by bundling all "indecisive" data to the main profile in a given IP, so a large household can be a completely schizophrenic data profile with data mixed from a lot of users in that household. Imagine someone in your house has been using some extremist or taboo site. If that data is mixed up with yours, and a person with bad intent wants to take advantage of leaked data they obtained on you...they have a pretty strong weapon to assassinate your image. "You can't deny it, it's in the data. Your cousin did it? Oh what an ignoble attempt to save your butt, how lowly!". Since you have no way to plausibly deny it, it can be a strong blackmail weapon. Maybe stronger than medical data leaks in this weirdly political climate we got now.
> Of course the strikes were to my friend's name, because they have no way to know some stranger did it instead.
For the anecdote, in France, we have a pretty stupid law (that was pushed by our really strong culture industry lobbies) where you can be pursued for downloading copyrighted content but also for not having secured your home network hardly enough so you can’t argue that’s it’s your neighbor over your wifi.
But it’s only a little part of what our culture mafia achieved here, we also have to pay a tax on every device with storage that is redistributed to « copyright owners ».
We have the same tax here. Pretty insulting when I'm a content creator myself (and I'd never pirate the artists it's protecting, I think they are all terrible), but not many ways left to import without bigger costs (customs).
You could as well be wary of the possibility of misinterpretation of your own actual actions, which is consistent with the fear of a dim non-intelligence mixing up your data and others' data.
The same dim non-intelligence, that one spawn of which seems e.g. to think that since you bought a car last month you should be proposed more cars, that dim non-intelligence may decide that since you watched videos of author Tom you subscribe to the ideas of Tom, that if you read the G. you are a junkie and if you read the S. you believe senator Beast has dignity, that if you... I was about to write "if you are studying material about new vaccines before booking inoculation then you must be a vaccine opposer, believing in witchcraft, credulous of any voice, a conspiracy theorist and an irresponsible sociopath": no, this actually I witnessed in real life, acted by adult professionals. So you figure the profiling a dumb algorithm can do.
"The new prejudice factory" may be out of lack of wits, it may be out of "economizing" - like when the order to kill all intellectuals was specified by "you will recognize them: they are those who wear glasses". To some it is not worth their while to discriminate.
One would normally go baesyan to formulate some hypothesis _with the single intent to put them into discussion under the filter of intelligence_, never to take them as plausible. Once.
It is a world increasing in complexity within societies which are abandoning the sense of complexity.
I think this is quite tricky to pin down. For example, consider an e-commerce site like Amazon. They know your purchase history, reviews you've given or liked, and products you've viewed or put in your shopping cart but not purchased. Which information about your history would they be allowed to use to show you products you might be interested in buying?
They also have lots of information about users in aggregate ("people who bought this also bought x") which they got by collecting data about their users. Can they use this?
Personally, I'm not bothered by Amazon doing this on their site when I'm there, and I even disable my adblocker on Amazon but limited to Amazon because I'm there to buy a product or service. Advertising at me if it doesn't get in the way of that quest is appropriate there.
Covering my entire webpage I'm trying to research something else at with a full-page Amazon ad for a product I already bought just because I expressed interest in that product by buying it is not okay. Thus, I block all ads elsewhere to avoid that sorta thing.
Works pretty well for me, but it's sad I should have to jump through as many hoops as I have to to avoid such crapware being forced upon me. Ads I'm not wanting literally steal a portion of my allotted bandwidth and give me less than zero value in return. Perhaps advertisers should start paying us for our valuable time, attention, and bandwidth?
> Personally, I'm not bothered by Amazon doing this on their site when I'm there
You may not be, but this is within what they cover in the report Vivaldi is recommending: https://www.forbrukerradet.no/wp-content/uploads/2021/06/202... (it's a good read, and there are a lot of things they object to even with only first-party tracking)
> Perhaps advertisers should start paying us for our valuable time, attention, and bandwidth?
They don't pay you directly, but they pay the site you're visiting, and in most cases that's why the site is able to afford to create the content you're reading and show it to you for free.
> …"<link to pdf report> (it's a good read, and there are a lot of things they object to even with only first-party tracking)"
Edit: It is a sorta good read… Just be nice if these sorta situations could more easily find some kinda valid balance instead of always escalating outta control to both extremes until laws have to get made… Lawmakers are rarely to be trusted to get these sorts of situations right anymore…
I've been using the Internet and networks long enough to understand how this stuff works. There's a certain degree of tracking that is literally unavoidable (without semi-extreme measures like TOR for one example at least) simply by the nature of how networks work. I know that by using any service online at all, I'm necessarily parting with some data about myself. Any data that's collected in that transactional networking sense I'm kinda largely okay with because it's just part of how things work by their very nature.
The stuff that bothers me is the excess of spyware, hundreds of kilobytes of tracking scripts, invisible pixels, browser fingerprinting, and other shady junk that's been bolted on by advertisers with no concern whatsoever for any harm it may bring to the network, the consumers, or often even themselves, as long as they make enough to cover the costs and make a profit. I understand the logic of it, but I don't necessarily agree with it in many cases. For me it's really all about how respectfully the entire situation is handled. Advertise at me in respectful ways, you probably don't get blocked (at least by me). Abuse me in any way, and I tend to get uppity with my adblocker and start thinkin' hard if I even need your site or service at all.
> "They don't pay you directly, but they pay the site you're visiting, and in most cases that's why the site is able to afford to create the content you're reading and show it to you for free."
See, the sites that aren't abusive with their advertising though actually find their way out of my adblocker for that exact reason. Because I'm fine with them making money ethically. Sites/services that implement abusive advertising practices not only get the ads blocked, but often get themselves blocked out of my "sites of interest". ;)
Maybe not by default, but if they asked the users and explained what is this used for, it is likely users would say yes to the use case you described as it objectively improves their user experience when using Amazon (granted, ads/recommendations would need to be meaningful and designed in a way to actually improve the experience of the average user with a way to completely turn them off for a user who doesn't want it).
Problem is when a company use data that the user did not explicitly opt-into sharing with them, to then diminish their user experience of consuming the web by for example stuffing tons of targeted ads on every major site on the web, leading to barely usable sites and intelligence insulting outcomes.
You're betting this definition wouldn't have any serious unintended consequences?
A hypothetical example: suppose it becomes a legal nightmare to have even heavily censored webserver request logs retained for any period of time if your company does any advertising at all. That is, even if you have no intent or even ability to use those logs for advertising purposes, it might be a lot of work to prove that to the law, unless you take the hopefully-easier route of literally never advertising. "Boo hoo, companies have to prove they're not breaking the law", you might say; as is usually the case with these kinds of regulations, demonstrable compliance might be totally practical for bigger companies but a massive barrier for smaller companies, which on the margin means the difference between success and failure for quite a few businesses that would've otherwise created a lot of value.
That specific scenario probably wouldn't happen, I hope, but that's far from the only plausible failure mode! I would like to believe that we can figure out a good definition with relatively little value destroyed in the fallout if a law like this comes into effect, but it's almost certainly not going to be a single sentence.
Let's say a streaming music service collects information on what you have listened to and how long. Is that surveillance? What if they use it to back a page where you can see what you've been listening to recently? If they start recommending new artists based on your listening history?
this is by definition surveillance -- a "...monitoring of behavior, activities, or information for the purpose of information gathering, managing, or directing." [0]
to possibly downplay it or imply otherwise because the collected information may (or may not) benefit the user is just spin.
Nothing inherently wrong with those features. The problem is some corporation owns this data, not us. It would be fine if it was some local software instead.
The person running the store remembering you and treating you differently based on your history is within what they're covering here, yes. In the report that Vivaldi is recommending (https://www.forbrukerradet.no/wp-content/uploads/2021/06/202...) they consider both first-party and third-party tracking to be part of "surveillance-based advertising". For example, a site showing ads for users based on what topics they tend to view weighted by how much they interact with each one. There's nothing about having to "deploy it across the whole internet" before it counts; activity on a single site is still (described as) surveillance.
still, this seems more like in the physical store you getting tracked with cameras, reward cards and so on and things getting rearranged on the shelves etc. just for you. I consider this surveillance.
I consider it less surveillance-y if a single employee is remembering me. Although I do sometime wish I could delete some embarrassing moments at the store, but I guess, as long as they don't gossip about it between employees... :)
A very experienced expert lawyer who should know, and knows adtech well says "Section 3 of the DPA? Advertising using data that would reveal an identifiable living individual ? It’s a bit more complex than that as processes to protect such data being used should also be included."
Any ad which uses data about an individual, without full transparency about the data being used, to target them as an individual OR where such data is collected and stored and associated with an explicit or implicit identity.
“Data about an individual” is too vague, as is “to target them.” Would this ban search-based advertising? What about using an IP address to guess at a language?
I think this can be done. I just don’t have the domain expertise to do it, and haven’t seen a proposed definition that made sense. The only intuition I have is around ephemeral versus permanent profiling.
don't browsers send a header telling the server what language they expect?
I live in Belgium where there's 3 national languages, and my preference isn't even one of them. Please us whatever language my browser tells you to (English)
For search based advertising we use the search query and location (taken from the country the user chooses in settings - and that can be "None" in which case we just use the search query). The language of the search query could be used rather than IP. Key for us is to never store IP and never pass on any part of it.
> Key for us is to never store IP and never pass on any part of it
I think this might hold the key. The law likely doesn’t need to try to regulate advertising per se, but instead the types of data advertisers are allowed to retain (or access).
Maybe a first step is creating a definition of an advertiser, requiring registration (not licensing) and the annual filing of the inputs their algorithm uses? All inputs, even the most banal? This assumes defining advertiser and algorithm and inputs is easier than what we’re trying to ban.
It could be as simple as 'using data that the user did not explicitly opt-into sharing'. Agreeing to terms&conditions doesn't count as it is not explicit.
>In this context, we use the term ‘surveillance-based advertising’ as a blanket
>term for digital advertising that is targeted at individuals or consumer
>segments, usually through tracking and profiling based on personal data.
This is ridiculous. If I am trying to advertise an Elixer IDE, then I don't want my advertisements shown to any random person on the internet. The majority of users on the internet are not even developers. I want to be able to advertise to a consumer segment which consists of people who are interested in Elixir. "Surveillance" is essential to internet advertising.
> If I am trying to advertise an Elixer IDE, then I don't want my advertisements shown to any random person on the internet.
The definition in the report is poor. Yes, you always need to advertise to a segment. No, you don't have to spy on users to do it.
How? Make a website about something and select advertisements that are relevant to the sort of people who are probably interested in the topic of the website. ReadTheDocs has already spun off an ad business that advertises tech stuff to readers of ReadTheDocs because it's reasonable to assume that is the audience that is perusing ReadTheDocs pages.
Assuming you are running an ad network you kind of have to in order to prevent ad fraud. Also by reducing that data you know about someone's interests is the knowledge that they have visited a site at least you will not be able to pick as good of an ad compared to if you had more data.
What's the fraud scenario? Page owners presenting fraudulent visitor/click-through numbers to advertisers?
In that scenario, it seems like advertisers would pick up on that pretty quickly when they realize the conversion rate on that supposed traffic is terrible and doesn't warrant the inflated price. In the case they're using an ad network, the network could ban the page owner from their network if they see this pattern from them. Since page owners are materially benefiting from the network, proof of identity should be (probably is? I don't work in the space) applied between the page owner and network to prevent repeat fraud via identity laundering.
> you will not be able to pick as good of an ad compared to if you had more data.
In theory I lean towards agreeing. I was arguing for tech-powered hyper-personalized ads back when I was studying advertising 2008-2012 (and did a bit of "stealth marketing" in that period where I built relationships with bloggers to share our product before the term "influencer" had hit the mainstream vocabulary).
In practice, advertisers do not personalize ads. Facebook has become pretty good about selecting ads that map to my interests thanks to the reach of their spy network, but the ads themselves still aren't personalized at all (they take my interests into account, but not my spending history to realize that I don't have the budget for what they're trying to sell me) and my conversion to a sale because of them is still very, very low.
We sell and host our own advertising which is content-based (office furniture ads on office design content) and think it is a good solution.
Instead of selling space by impressions or clicks, we use length of time (monthly) and find it to be a good way to prevent ourselves from trying to game impressions with clickbait or clicks with fake users.
Sibling commenter identified an alternative as to charge for (presumably a proportion of) ads in a timeframe. That seems to satisfactorily mitigate almost everything:
1. Clicks are not charged for, so increasing clicks does not change the cost.
2. The only question available is how much you pay and how much you make. Page owner's rival could attempt to confuse you but there's not actually a difference between paying $1000 for 0.1% of ads shown in July, getting 100 clicks out of 10000 impressions and making $2000 vs paying $1000 for 0.1% of ads shown in July, getting 10000 clicks out of 19900 impressions and making $2000.
3. Shorter 2: Numbers are irrelevant unless they have a dollars/euro/yen/pound sign before them.
4. Clicks to not come out of the advertisers budget.
5. Surveillance advertising enables this fraud by attempting to distinguish between real and fake traffic. If you are paying for something that is robust to that, then the fraud is irrelevant. In particular, it doesn't matter if 0.1% of ads displayed to bots are yours and 0.1% of ads displayed to humans are yours if you've paid for 0.1% of ads to be displayed to be yours using a random rotation.
The only thing like any of these hacks that seems relevant is that a very crafty adversary might be able to determine your traffic rate and identify the timeframe they need to request to particularly target a certain ad, making more of the 0.1% of displays get shown to a bot. But this is easily handled by using a secure random rotation rather than say a round robin rotation. In any case, I can independently verify the efficiency of my spend by getting a sim card that the ad network doesn't know about and repeatedly reloading the page for a month. If I receive only 0.01% of displays because some third party or the network is trying to defraud me I now have pure evidence that they aren't upholding their side of the deal. If they try to verify humanity before deciding what to do, then they can just say "no, we identified these requests as coming from a bot and graciously didn't display your ad to them". What can you do? The existence of surveillance is not in the interest of the advertiser who is concerned about fraud.
(If you don't trust your network, any fraud on their part isn't going to get solved of course. But then having less data is an advantage. There will be fewer variables so it will be easier to catch, and the capital requirements will be simpler --- code and business partners vs code, business partners and user surveillance data --- so it will be easier for a trustworthy competitor to emerge.)
Sell ads based on time periods. "Your ad displayed here for 1 week for this much $$$". Then the only thing that matters is the ROI and it doesn't matter how many bots have clicked on it.
That's actually the way most advertising used to work before all this surveillance stuff started, and still the way it works with some (ethical) advertisers.
This approach sounds much harder for an ad network to pull off and sounds like it would add a lot of risk and complication. For example, what if a web master decides they don't want to have ads on their site anymore. Whoever just paid for that space gets screwed.
> "This approach sounds much harder for an ad network to pull off and sounds like it would add a lot of risk and complication.
Harder to pull off than advertising at people who might actually want to see the ads? More risk and complication than the growing backlash against advertising in general entirely because of shady advertising practices? More risk and complication than having to keep track of various countries' and states' laws re; privacy?
> "For example, what if a web master decides they don't want to have ads on their site anymore. Whoever just paid for that space gets screwed."
Existing contract law already covers this in most places. If you paid for ads to be displayed for a certain time period and they are not, then there's been a contract violation.
This can all be sorted by contracts? The ad network pays out only after the ad has fully ran for 7 days, and if the webmaster removes the ad or similar they don't get paid and the advertiser gets refunded. Enforcing this is trivial by the ad network or a neutral third-party scraping the websites running the ads to confirm the ads are displayed properly.
The problem with abuse is not special to ad networks. All sites (once they reach a certain size) have to deal with it. Surveillance is needed to handle abuse of your service.
Let's say you run a website with a sign on page. In order to log in a user typically you will run the password through an algorithm like argon2. Verifying a password for an account consumes CPU resources. A malicious may decide to DOS your site by just spamming this endpoint with bogus password to make you waste your time.
An easy fix with surveillance is to rate limit people based off their IP address. Without surveillance though there is not much you can do. Scale up your infrastructure to try and out scale the attack? Implement a global rate limit that locks regular users from being able to sign in?
If someone abuses your doorbell the solution isn't to install a hidden DNA and body scanner in front of your door. Also suggesting that an IP based rate limiter is the same as the surveillance in question is very disingenuous.
Pick a more sensitive area than your IDE, say medicine targeting erectile dysfunction, sexual or religious preferences, etc. You may find that being allowed to collect that data, especially covertly, just to save some money suddenly doesn't look reasonble at all.
But surely I should be allowed to covertly collect any data about you if it enables some savings for me. After 15 comments insiting it's OK you should only approve of this.
>If someone abuses your doorbell the solution isn't to install a hidden DNA and body scanner in front of your door.
The first thing I would do is look outside to collect information on who in outside thereby infringing their privacy.
>Also suggesting that an IP based rate limiter is the same as the surveillance in question is very disingenuous
Recording people's IPs is definitely surveillance.
>say medicine targeting erectile dysfunction, sexual or religious preferences, etc.
We may be able to connect drug sellers or churches with people if we know that information.
>But surely I should be allowed to covertly collect any data about you if it enables some savings for me.
> The first thing I would do is look outside to collect information on who in outside thereby infringing their privacy.
Looking at someone doesn't infringe on their privacy. Taking a picture of that someone and storing it in a permanent fashion, might. To prevent abuse/DOS you only need to do the first (which does not constitute "surveillance" or loss of privacy), not the second.
> Recording people's IPs is definitely surveillance.
It's not surveillance if you are not tracking anything else other than IPs (i.e. no other behavioural data associated to it).
Either way, you still have not provided an example where surveillance is required to prevent abuse: I can simply store hashes of "bad IPs" (or ASNs) to blacklist... no need to store any information that could lead to an actual person (like an actual IP address).
We'll there's your problem. First you show a complete lack of understanding of the issue, from its basic concepts to the practical manifestation and consequences, and then you conclude that it must not be a real issue.
This technique can be used to justify anything. Burning books? Sure, it's like burning extra processed wood, totally okay, go right ahead.
Ignorance is not a defense.
Also can you send me your medical data and search history? I mean you're OK with sharing this data and said nothing about it being ok only if I can do it covertly. Better yet, give me your name and address and I'll just grab that myself so it's not too much of a bother for you. It's just so I can serve cheaper better targeted ads to you.
I mean refusing and backing out now would just be hypocritical and completely undermine the case you so unsuccessfully try to make wouldn't it?
Is is not surveillance - at the very least not in the relevant sense - if you maintain a temporary list of IPs you have seen in the past minute or hour.
This is your best argument why we have to track and profile every human on the planet around the clock?
>if you maintain a temporary list of IPs you have seen in the past minute or hour.
This is totally surveillance. Just because we delete data after a while, it doesn't mean I didn't surveil you, nor does it mean I haven't used that data I got from you for my own benefit.
>This is your best argument why we have to track and profile every human on the planet around the clock?
You just asked for an example. If you are suggesting that my argument is to prevent abuse of systems I would say that it justifies tracking every person on the planet.
It is not. I connected from some IP because I wanted to use your website, at the very least you have to remember my IP address for some time to send me your website back. And if I want to access your website and it will be only available if you store my IP address for a few minutes to fight off attacks, then this is a use of my IP address that I welcome because it is for my benefit. And if you really want to, just store hashes of the IP addresses [1].
Just because we delete data after a while, it doesn't mean I didn't surveil you [...]
Sure, surveillance is not defined by the amount of time you store some data. If you store my shipping address for years it is not surveillance, if you store my IP address for one second to add an entry to my record in your database that I just visited the website it might be surveillance even if you do not permanently record my IP address. But I never claimed that the amount of time you store some information is a or the relevant criterion
[...] nor does it mean I haven't used that data I got from you for my own benefit.
Also irrelevant. If you store my IP address for a short time or my shipping address for a long time in order to send me the website I requested or my order than this benefits you because you will make some profit from my order.
Relevant for whether something is surveillance or not is whether I approve what you are doing. If you track my position day and night in order to show me ads for businesses nearby it is surveillance unless I specifically requested this. If you track my position because I am using a fitness app and requested to record my run, then it is not surveillance.
[1] For IPv4 this is of course essentially pointless. But maybe you could come up with a more elaborate schema than simple hashes, maybe salt them and rotate the salt every few minutes or whatever. But you will probably not gain much besides added complexity.
An IP address being used in the course of providing the service is not surveillance. That's like saying "Amazon knowing where to ship my package is surveillance." It's a bad argument, in my opinion.
Regardless, consider a DDoS attack. If every new request is coming from a different IP address, how do you continue providing service to your legitimate customers while blocking that malicious attack? Knowing the attacker's IP addresses doesn't do you any good... because they can just keep using new IP addresses, and blocking the old ones doesn't do any good.
This is where heavily surveillance-based systems like Google CAPTCHA often come into play, and I have very mixed feelings about those.
There are some non-surveillance-based captchas like this one[0] that I saw on HN awhile back, and I hope those become successful.
>That's like saying "Amazon knowing where to ship my package is surveillance."
To complete the metaphor Amazon would use the address you gave them to help improve their business in some sense without asking you if it's okay. Similar to how web masters don't ask if it's okay if they write what pages we access into logs is okay.
>Knowing the attacker's IP addresses doesn't do you any good... because they can just keep using new IP addresses, and blocking the old ones doesn't do any good.
Then we should try to find any patterns with the traffic that we can use to try and filter it out. This is a place where fingerprinting is useful.
>friendlycaptcha
This just slows down bot spam instead of testing if someone is a bot. Someone posting spam to your site once a minute is still annoying.
Amazon using shipping addresses in isolation to improve their business is not what people are concerned about here. It's perfectly legitimate for Amazon to say "we're getting a lot of orders from this list of zip codes, let's open some warehouses there". That doesn't infringe on anyone's individual privacy; the action is not tied directly to a single person, and especially not to further data collection/collation.
I've read your other replies to this thread and your argument does not seem to be made in good faith. This whole thread is about surveillance based advertising being bad. In no way is using an IP address in a firewall a form of surveillance. It isn't. The IP address isn't being associated with any other data, it's just some numbers floating in space, disconnected from any human being. There is no association with that IP address of what you like and don't like, what you have purchased, what links you have clicked, or anything else. It's just in a firewall, and that firewall rule could be blocking an entire CIDR block, especially in the case of IPv6. But even if it were surveillance, that's irrelevant to this discussion about the ethics of surveillance-based advertising.
I'm not going to waste my time further on this thread after making this one last point.
> This just slows down bot spam instead of testing if someone is a bot. Someone posting spam to your site once a minute is still annoying.
Google CAPTCHA is trivially bypassed all the time. Do you really think it isn't? Sometimes using services like Amazon Mechanical Turk, sometimes using simple computer vision. It doesn't test whether someone/something is a bot either... it just tests whether they can pass the CAPTCHA. It certainly doesn't test whether they're part of a DDoS, nor does it test their intentions to find whether they are good or malicious. It's just a CAPTCHA, but it also uses a lot of surveillance... and as I said, I have mixed feelings about that. I didn't mean for this to become the point of the thread, it is definitely off topic.
The idea of Proof of Work CAPTCHAs is that you can actually make it more expensive for an attacker to solve those than it would be for the attacker to solve Google CAPTCHAs. Obviously, this is still an area of debate and research.
>your argument does not seem to be made in good faith
I'm not exactly sure what this means. I used to be all for total privacy, but I found that future to not be sustainable. Perhaps I'm just jaded, but privacy just gets in the way.
>This whole thread is about surveillance based advertising being bad.
Well this part of the thread isn't. It's talking about how surveillance improves services by allowing them to deal with abuse.
>In no way is using an IP address in a firewall a form of surveillance. It isn't. The IP address isn't being associated with any other data, it's just some numbers floating in space, disconnected from any human being.
Wrong. I am using your IP as part of a scheme to fingerprint you. I want my rate limit to limit each person separately. An IP address is just a somewhat decent way to approximate that.
>The idea of Proof of Work CAPTCHAs is that you can actually make it more expensive for an attacker to solve those than it would be for the attacker to solve Google CAPTCHAs.
This has to be carefully balanced with the user experience. No user in going to want to wait 5 minutes to post when they can just have a Google account with a good reputation and just click a checkbox.
I used to be all for total privacy, but I found that future to not be sustainable. Perhaps I'm just jaded, but privacy just gets in the way.
That's not your decision, I decide what matters to me, whether I want my privacy or this nebulous sustainability, whatever this is suppose to be.
Wrong. I am using your IP as part of a scheme to fingerprint you. I want my rate limit to limit each person separately. An IP address is just a somewhat decent way to approximate that.
Then let me turn this around, if using my IP address in this scenario is surveillance, then don't do it. If it is necessary, then ask me for permission, can we use your IP address to fight off attacks and ensure the availability of our website or do you prefer that the website might not always be available due to attacks? And the same applies if you want to rate limit all users, offer the choice between not using your website or opting in for IP based rate limiting. It's that easy.
This is ridiculous. If I am trying to advertise an Elixer IDE, then I don't want my advertisements shown to any random person on the internet. The majority of users on the internet are not even developers. I want to be able to advertise to a consumer segment which consists of people who are interested in Elixir. "Surveillance" is essential to internet advertising.
This is ridiculous. And it is your problem. Why should I allow any company to track and profile me and everyone else only so that you can save on your advertising budget?
Because I don't want to waste the time of people who aren't interested in my ad in seeing my ad. It's a waste of money for me. The ad network will not be able to make money from having them click the ad. The user's time will be wasted because they are not interested in what I am selling. It's a lose lose lose situation. I want to create more win win win situations where everyone benefits. Tracking and profiling is needed to increase the rate that this happens.
> "Because I don't want to waste the time of people who aren't interested in my ad in seeing my ad."
And that there is why sites like https://readthedocs.org/ do this strange thing called ethical advertising. Instead of spying on me, they advertise things at me I am genuinely interested in, intuited by the fact that I'm reading technical documentation, and they do it in an unobtrusive way, rather than splat themselves in front of the content I'm trying to read such that I can't even read it at all.
You wanna advertise at me? Come find me on sites where your product is a good fit for my interests and advertise at me respectfully rather than supporting a corporate surveillance state that I want no part of. I for one will continue to block ads everywhere I browse except those that manage to respect me as a fellow human.
You could target the same people by buying ad space in like-minded “venues”. There’s a gaping hole in the market for good “content-linked” advertising, searching, aggregation and so on. Link to content, not people. Work with customers who’re already self selecting, rather than following people around all the time.
As a side-line, this’d probably cut back on a lot of click-bait trash articles. It, likely, would help bring the signal-boise level of the internet at large back to something more useful.
This is DDG’s model, right? Instead of stalking me all around the internet to find out I’m looking for a new car in order to show me adverts for a new car they show me the advert when I search “best new cars 2021” which is probably a pretty solid indicator that I’m looking for a car that doesn’t involve any tracking.
Because I don't want to waste the time of people who aren't interested in my ad in seeing my ad.
Than don't run ads. Essentially nobody is interested in seeing ads, targeted or not.
It's a waste of money for me. The ad network will not be able to make money from having them click the ad.
I don't give a fuck how much money it costs you or if the ad network goes bankrupt, why should I?
The user's time will be wasted because they are not interested in what I am selling.
As I said, then don't run ads if you actually care about wasting user time. Even if you have a conversion rate of 10 % you are still wasting time for the other 90 %.
It's a lose lose lose situation.
I would consider it a win if all ad companies go bankrupt and I never have to see an ad again.
I want to create more win win win situations where everyone benefits. Tracking and profiling is needed to increase the rate that this happens.
This is not win win win, this is win win win LOSE - a few users get a product they want, you get some sales, the ad network gets your ad budget, and everyone else gets nothing but being tracked and profiled.
>The user's time will be wasted because they are not interested in what I am selling.
I'm not interested in what you're selling. In general, I'm 100% not interested in anything anyone is selling through advertisements. Where can I indicate this, so that advertisers stop wasting their money on me?
Too bad that advertisers are busy breaking my adblocker again and again. Why could they be doing this? Surely they wouldn't want to waste money by showing me their ineffective advertisements, right...?
Advertise on search. Someone searches for IDE or something similar...show the ad. It's better than running around profiling people and showing them ads for things based on that profile. No tracking needed.
> I want to be able to advertise to a consumer segment which consists of people who are interested in Elixir
And, as the person being advertised to, I absolutely want you not to be able to do that. Why do your desires trump mine?
Surveillance is not essential to internet advertising. Because it’s not essential for advertising. Newspaper ads didn’t come with such invasive models, nor did radio adverts, or even TV ads.
If advertisers on the internet can’t figure out how to make a surveillance free advertising model work, then I’d much prefer those businesses to die.
No it's not. It's the same situation that's existed in advertising for decades already. Want to advertise your automotive parts? Advertise in Popular Mechanics. Some fancy clothing? Advertise in Vogue.
Now, you just advertise in appropriate blogs.
If there are no appropriate publications for important topics, hey! Guess what! They have their business model back!
Maybe not, but you could show it to people whose context reveal that they might be interested – e.g. searching for "IDE" or "Elixir", reading about developer tools, etc.
This is known as contextual advertising.
Surveillance is not essential to internet advertising – in fact neither ROI, effectiveness or perceived relevance (when compared to all alternatives, including contextual advertising) has never been proven.
> don't want my advertisements shown to any random person on the internet
Indeed, win-win that ads are targeted. Easily done on search engines because the query shows intent. Less obvious on the wider web but then perhaps it's the advertisers job to identify their market rather than rely on ad-network datapoints on visitors.
CPM/CPC ad payments are of course ripe for abuse by automation. CPA not so much.
Could potentially argue that the surveillance is essentially to make targeting more convenient for advertisers rather than being implicitly required to advertise. Market forces and ROI are surely the best measurement which CPA does a better job of doing. The problem with CPA is the trust required in order for the ad network to be paid.
>"Surveillance" is essential to internet advertising.
I think you are missing the point. As a user, my basic response to "my job is harder if I don't do surveillance" is I don't care. If you say that you can't do a certain type of advertising without surveillance, then my response is find another job. There are lots of interesting problems out there to work on for fun and profit. Find another one.
Or, stay in advertising and target ads based on what I am doing right now. If I read an online journal about mountaineering, show me ads for mountaineering equipment. Sure, it may be less effective (and boring), but us users are fine with that.
Advertisers don't have a right to take away my privacy so they can do what they want. This disconnect keeps coming up over and over. Just because an industry has become large does not inherently make it appropriate.
Mate, you want one thing so world wide spying is ok for you ? So r. lack in imagination !
Just try to imagine what would be WWW (or other "medium") without that data hoarding... You want to ad IDE, for devs, for particular lang ? Just give money straight to forum of your interests owner. And...... DONE ! Or journal, paper, zine or whatever but do it directly.
That businesses curently DO NOT EXIST becose everything goes to Google ! And - biggest stupididy of last two centuries - to "businesesee that "model" enables". Just self serving monopoly giving away penies.
You see ? Your "survivalence is necessaary" is just lack of imagination. Literaly, current "system" prohibits new inventions and development.
Becouse where are money there are new companies/startups created. End where money are filtered via giant sucker there not much improvement can be build.
> This is ridiculous. If I am trying to advertise an Elixer IDE, then I don't want my advertisements shown to any random person on the internet.
> I want to be able to advertise to a consumer segment
This sounds like a you problem.
And you shouldn't get to push surveillance on me to solve it.
I don't want to be advertised at at all, let alone be stalked round the web so you can do it better.
I don't care at all that any advertising I see might be better targeted, it's all an annoyance as far as I'm concerned anyway. The idea that I should be happier if I'm getting 'relevant' ads, like I should thank you for surveilling me so you can spam me better, is absolutely laughable.
Then just post about your IDE on Elixir forums. I'm not interested in seeing any ads on the Internet, and I certainly don't want ad companies that are following me on random websites to know that I'm a programmer who is interested in Elixir or any other data about me.
Not all users of Elixir hang out on Elixir forums. There are plenty that spend the majority of their time on the internet elsewhere.
>and I certainly don't want ad companies that are following me on random websites to know that I'm a programmer who is interested in Elixir or any other data about me.
Why not? Systems can become more efficient if they know you better.
>Why not? Systems can become more efficient if they know you better.
Because I didn't give them permission. I've no issue with anyone who willingly trades their privacy/digital footprint in return for services.
I don't want to. I will happily pay money for services I want. But, in all practical ways, the choice has been taken from me. It's impossible to have an online life without Google, Facebook, and myriad others hoovering up my every digital footstep.
And before someone says "ad-blockers" - I use them. And I decline cookie consent on every site I visit. It's tiresome, but I do it. Though even that marks me out: a signal in the noise. Even the act of trying to reject the surveillance economy helps that industry segment me.
> And I decline cookie consent on every site I visit. It's tiresome, but I do it.
I don't think this is really worthwhile. It's akin to reporting every Google/fb ad as "I don't want to see this/this isn't relevant to me". Easier to just block ads/cookie consents from ever appearing, and set cookies to automatically delete after tab closure.
> Why not? Systems can become more efficient if they know you better.
Not op but I've not clicked a single ad intentionally since Ads exist on the internet. I don't consider them a trusted source for recommendation and why should I? Why should anybody? Ads violate my attention and that's what they're made for. They do not help you find the best product. They want you to find THEIR product. Everybody knows that.
The privacy issues are the dangerous topping here.
> …"I've not clicked a single ad intentionally since Ads exist on the internet."
You and me both. I actually actively block ads on the Internet except on the very few sites that have earned my trust (https://readthedocs.org/, DuckDuckGo, etc) or sites where the advertising is directly connected to my existing purpose (to buy a thing) such as Amazon, eBay, Humble Bundle, etc. Everywhere else gets the block because they simply can't be trusted anymore.
> You are in the minority then. I personally have clicked on ads and have found products that I was interested in.
You don't happen to work in the industry? Because I know nobody who clicks on Ads. Maybe some of them do but they don't admit it which says a lot about doing it.
The only people I've ever met who said things like you did work for the advertisement industry since they're the only ones who believe that. They have to.
> I am not saying you should. Ads just allow people to get the word out about something.
How is this a justification for the intrusive, secretive and sometimes even abusive behaviour? There are other ways to "get the word out" out there. Healthy ways.
> This is a poor mindset. If you go to a public place are all of the people there violating your attention because you can see and hear them?
Sure they do if they jump right in front of my face and yell about some product I might be interested because I just came out of a shop and they've been watching me doing it and writing down how I look.
k, so how about if instead of "Elixer" it was specific religious topics? Or other things that have legal measures for/against them in various parts of the world.
Such data can be combined with other bits of information to uniquely identify me on the web. And there may be other facts about me and my online activity that I don't want third parties to associate with my identity.
I will employ a spy/cop to follow you everywhere and log everything you do in detail, would you consider it a surveillance? Of course, he will refrain from listening to you talking and won't enter your home. But everywhere else he will follow you at a distance.
This is essentially what is going on in the internet. Metadata collection = Surveillance.
The analogy breaks at the point "won't enter your home". Current surveillance tech does exactly the analogous of that. It's rather like having a cop sitting at home pinky-promising not to listen or storing any conversation.
Maybe it's even worse. There are third-party analytics tools which send out any key-stroke you do, even if you don't submit any form.
It has become the new normal. Take todays article in Ars Technica on Audacity (https://arstechnica.com/gadgets/2021/07/no-open-source-audac...). The author has no complaint about the fact that a tool for local editing of audio files reaches out to the internet to send data about the user and seemingly defends this on grounds that it is opt-in. That's fine but that code is needlessly there. There's no reason whatsoever for it. And I am tired of being told that surveillance is for my benefit. No, it's not. It's solely for the benefit of the surveillor.
Oh no, hes going to be reading every email you send and receive, every message and everything you do. D9nt worry though, he wont do anything unless he finds anything illegal.
This is no longer the era of one company monopoly like the old days. We are now in Big Tech dominance, not monopoly. No one needs a monopoly any longer. Regulatory and technological moats leading to consolidation is good enough.
Opposition to online surveillance always makes me wonder why nobody has attempted to create adversarial browsers or plug-ins.
I'm not aware of how difficult it would be technically, but wouldn't a good solution to be simply throw troves of noise at Google Amazon and Facebook to drown out the actual signal?
For example, how valuable would online advertising even be if 20% of all users were continously clicking through the ads and opening the landing pages in a virtual browser that the user never even sees?
What about opening every search result at random and simply closing the page again after a few seconds?
Is there some reason this kind of idea is infeasible or illegal?
People actually have created adversarial browser extension checkout AdNaseum (https://adnauseam.io/) which will click every single ad on a page, as well as acting as an adblocker that is based on ublock.
In addition the TrackMeNot (https://trackmenot.io/) extension will randomly create search requests in the background constantly generating useless noise.
If you combine them you get a wonderful situation where random searches are performed and then all the ads on the search result are clicked. I've currently clicked on 2210 ads today while just having it open in another tab on my browser.
> if 20% of all users were continously clicking through the ads and opening the landing pages in a virtual browser that the user never even sees?
Those adoption figures are wildly, unreasonably optimistic. I doubt you could get 20% of HN readers in this thread to install such an extension; you'd be lucky if you got 2%.
Why not go to the logical conclusion and ban advertising?
Why not have a yellow pages of cool stuff with proper discovery mechanisms instead. Anyone who's interested in new stuff can go and see what's new, what's happening, like reading the news.
Remember when you'd check the app store on your phone for cool stuff? Just have that, for everything.
Advertising is mind pollution, it's exhaust fumes for your mind and it's a giant industry that wastes everyone's time playing zero sum games too, ugh.
"In a population survey conducted by YouGov on behalf of the Norwegian Consumer Council, just one out of ten respondents were positive to commercial actors collecting personal information about them online, while only one out of five thought that serving ads based on personal information is acceptable. This resembles similar surveys from both sides of the Atlantic, and indicates that consumers do not regard commercial surveillance as an acceptable trade-off for the possibility of seeing tailored ads."
In light of the evidence, should surveillance-based ads be opt-in (default, no need to figure out and change settings) or opt-out. Currently, tech companies make these ads opt-out. By default the ads are enabled. To disable them, the user must find, understand and change settings. Of course, most users do not ever change default settings. Many users may not even be aware that there are such things as settings.
I think you will find that there is a certain part of the population that has bought into the story that surveillance-based ads are somewhat needed for the Internet to work. It is just a story. We have seen from GDPR that you cannot leave any holes. Lets not do it this time.
Instead of arguing what current business models that would break, I think we should take a step back and ask:
What legal and moral basis warrants "surveillance-based advertising"?
The premise of GDPR in the EU has been that "surveillance-based advertising" needs to be balanced with user rights.
If we come to the conclusion that this balance cannot be achieved (e.g. because users are not savvy enough to safeguard their rights, because data sticks around forever, because data can be sold etc.), then it's a straightforward step to prohibit tracking entirely.
There's a fundamental disconnect which causes people to ask what business models fixing a social ill would break. We should not be tolerating social ills to prop up the businesses that cause them.
If we really believe that the free market will result in positive outcomes, then creating rules against negative outcomes like surveillance shouldn't cause any problems, since they shouldn't be a problem for a free market that will arrive there anyway. Wasn't it Reagan who said, "Trust, but verify?"
1. Web content creators are funded by advertisers.
2. Tracking-based advertising generates more clicks than non-tracking based advertising.
3. Generating more clicks gives web content creators a bigger budget to create, resulting in more web content.
Therefore: It's not surveillance-based advertising if all data is stored and processed locally in a way the website cannot read– ideally with a free and open source machine learning system. Like FLoC, but implemented better in a way the site cannot read.
I read the open letter. I learned about businesses that support user privacy and I will be supporting them with my wallet. (already use Mailfence and Duckduckgo )
Break up big tech into <10 000 employee companies.
Make GDPR fines a percentage of global revenue.
Hold companies liable for data breaches.
Stop handing out software patents like toilet paper.
End planned obsolescence of tech products like phones.
Technology went from a tool to empower and enrich people's lives to a tool to oppress and silence in a few short decades. Either people realize the monster it has turned into or the conjoining of government and tech companies will create a dystopia that will make the dictatorships of the previous millennia look like heaven on earth.
Frankly, I don't think this goes far enough: "Ban advertising" would be better.
Almost every problem with the internet right now is caused by advertising if you dig through the chain of causality. From social media patterns that addict you to conflict and conspiracy, to popups, adware and spam, to constant attacks on our attention even when we're driving and could literally kill someone with inattention, to spreading dissatisfaction, fear, and poor financial advice, advertising is the root of much evil. And at its core, advertising is just never a good thing, in any context.
Proponents of advertising will say, "How do people find out about products and services?" but advertising is an extremely poor answer to that question: there's an inherent conflict of interest when the people selling a product are the primary source of information about the product. In the worst case, this leads to advertisers just lying to consumers and manipulating people's emotion. In the very best case, advertisers present information only about their own product, which doesn't allow consumers to make educated decisions--it's arguably not lying but the effect is the same. You might say, "Why would advertisers be obligated to provide information about competitors?" and you're right, they aren't, but we aren't trying to establish blame or responsibility here, we're trying to find a solution that's good for consumers, and advertising just isn't that.
A better solution is independent review sites. Consumer Reports[1] is a paid service, so you aren't the product. More specialized sites exist for all sorts of product areas: I'm a rock climber, and when I want a new piece of rock climbing gear, the first places I look at are Outdoor Gear Lab[2] and Weigh My Rack [3]. There's Labdoor[4] for supplements, Psychology Today[5] for therapists, WireCutter[6] for electronics, etc. But even here advertising has poisoned the water: many of these sites receive compensation from sellers, not from buyers, which has resulted in some dark patterns. It's not a perfect solution, but it would work a lot better if advertising were banned, and these conflicts of interest were removed.
Another solution is simpler and older, and it's exactly what I was doing in my previous post: word-of-mouth. That's arguably one of the best solutions, because while it's low-bandwidth, it's high fidelity: people don't go out of their way to promote a product unless it was actually quite good for them.
The other thing proponents of advertising will say is that advertising is necessary to fund existing sites, particularly content sites. On Hacker News, this often comes from someone who makes their money from advertising, directly or indirectly.
The thing is, the idea that people only produce content or software when it's profitable to do so reflects a very narrow view of the world. It's just not true. I'm old enough to remember the internet of the 90s, and in that time the internet was full of resources which were simply given away for free without advertising, which I'll refer to roughly as "old internet". Many old internet resources have yet to be reproduced in the new internet: Sheldon Brown's page[7] is still the best resource on bikes (the advertising was added after his death). Erowid[8] remains the most comprehensive resource on drugs. Sites like Wikipedia have somewhat drunk the advertising poison--and were better before.
And that leads me to my third reason advertising should be banned: it's infectious. Advertising is Scott Alexander's Moloch[9]--if one entity does it, then all their competitors have to do it in order to compete. The entire purpose of the free market is supposedly that it results in the best outcomes, but this is clearly a hack that prevents that from happening: we want companies to compete by producing the best goods and services at the lowest cost, but when you allow advertising, companies can (and do) compete by manipulating consumers into buying inferior goods at higher costs. Advertising is an anticompetitive business practice that undermines the entire purpose of a free market.
Banning advertising is only a bad thing for bad companies: good companies would only stand to benefit. Banning advertising would free good companies to spend their resources on producing the best products and services at the lowest cost: every cent companies spend on advertising now is wasted money. Sure, some companies would go under without advertising. Good riddance: if your company can't sell products and services without ramming them down consumer's throats, your products/services aren't of value.
Contrary to the advertiser's paternalistic views, the efficient market hypothesis means that people understand their own problems and can find solutions to them without your help. The world would be better off without advertising.
You need some amount of advertising. If you invented the cure for AIDS tomorrow, how are you going to tell everyone about it? Word-of-mouth works, but only so far. Perhaps over time, people will naturally Google "cancer cures" but will your business still be solvent by then?
If you want to talk about leveling the playing field, you have to be more strategic with your legislation. Don't ban advertising. Ban spending on advertising above some limit. No one benefits from Coca-Cola showing yet another commercial on TV other than the commercial producers - society certainly doesn't benefit though. Make companies spend their ad dollars wisely.
> You need some amount of advertising. If you invented the cure for AIDS tomorrow, how are you going to tell everyone about it? Word-of-mouth works, but only so far. Perhaps over time, people will naturally Google "cancer cures" but will your business still be solvent by then?
This example is actually a perfect example of why you don't need advertising for things people really need. Do you really think that one of the largest advancements in medical history would not be on the front page of every major news site? Do you really think that patients with cancer and their oncologists won't research the latest cures for cancer?
> If you want to talk about leveling the playing field, you have to be more strategic with your legislation. Don't ban advertising. Ban spending on advertising above some limit. No one benefits from Coca-Cola showing yet another commercial on TV other than the commercial producers - society certainly doesn't benefit though. Make companies spend their ad dollars wisely.
Society doesn't benefit from Coca-Cola--on the contrary, Coca-Cola is actively harmful, and there isn't an amount of spending on advertising Coca-Cola that would be reasonable. This is an example of why advertising is harmful: it's propping up a business model that actively causes people diabetes, obesity, tooth decay, etc. Without advertising, do you think people would be googling, "sugary drinks"? Probably not: and the resulting bankruptcy of a corporation poisoning us would be a good thing.
This made me think of indy games! With zero advertising and through word of mouth alone (And I guess steam reviews!) you can make an amazingly successful game. Minecraft being the biggest example.
Highly progressive taxation seems to me a better practice, along with specific prohibitions and/or penalties. I'd floated this suggestion about six weeks ago:
Taxation will reduce overall amounts of advertising. Taxes raise costs. Quantities of price-elastic goods or activities decrease if taxed. Ergo: an advertising tax results in less advertising.
Individually targeted advertising is regulable through both practice and rights. Government can require or restrict technology. Government can give rights (of privacy, of control over personal information), or remove them (the ability of third parties to exchange, sell, or otherwise utilise personal information other than at the express direction of the subject of that information, say).
(I agree largely with your characterisation of advertising. I do believe that there are certain categories and types which are less overtly socially harmful. Those largely represent small corners of the present advertising market.)
I'm really not sure why you think a blanket prohibition would be more difficult than taxation. If we can define what advertising is well enough to tax it, then we can define what advertising is well enough to ban it. Arguing for taxes versus fines is almost semantic--but I think there's a social element where things which are taxed rather than fined are "normal".
Capitalism requires advertising because it needs an accelerant of consumption. If consumption stagnates, a capitalist economy enters a financial crisis that can result in the system's overthrow.
I am for banning advertising on its merits, to slow the growth of consumption for environmental reasons, and because I believe capitalism is a harmful system that should be replaced.
What is an ad, exactly? You cite Consumer Reports as a model - they have affiliate links on their reviews. Is that an ad? Is a sponsored social media post? A celebrity endorsement? Free products given to athletes in the hopes that they will be seen using it? Logos on clothing? Is the standard just "I know it when I see it"?
Also (in the US) it almost certain runs afoul of the First Amendment.
> What is an ad, exactly? You cite Consumer Reports as a model - they have affiliate links on their reviews. Is that an ad?
I agree that Consumer Reports does include some advertising, but it's not necessary for their business model to work--consumer reports predated the internet by over 50 years, so it certainly predated affiliate links. At least at some points their primary source of income was subscriptions, and judging by how hard it is to get at most of their reviews without a subscription, that continues to be a significant revenue stream for them.
> Is a sponsored social media post? A celebrity endorsement? Free products given to athletes in the hopes that they will be seen using it? Logos on clothing? Is the standard just "I know it when I see it"?
While I agree that we need a clear definition of an ad to encode this to law, I don't buy this feigned confusion as a valid argument that we can't or shouldn't legislate against ads. Obviously we need to work out a clearer definition than "I know it when I see it" to legislate effectively, but it's absurd to claim that I need to present a fully-written legal code in order to present a valid opinion on Hacker News.
We may disagree about free products given to athletes in the hopes that they'll be seen wearing them, for example. But if you claim not to know that a 30 second video clip in the middle of your TV show telling you that you should drink Budweiser to pick up chicks is both an ad and a harmful lie, you're not arguing in good faith. This argument is just throwing FUD about implementation details: you're not responding in any way to my statement of the problem, or presenting any fundamental criticism of my proposed solution.
The first implementation of this law wouldn't be perfect. We'd need to iterate on it. But even a ban against a very narrow definition of ads would be extremely beneficial.
Since you haven't even disagreed with my statement of the problem, perhaps you agree that advertising is bad, and would like to draft some sample legislation that solves that problem to your satisfaction?
> Also (in the US) it almost certain runs afoul of the First Amendment.
While current judicial precedent defines corporations as people, that's clearly a terrible mistake. Corporations aren't people and as such the first amendment does not apply to them. Yes, I know, there's some grey area where restricting the rights of corporations might restrict the rights of individuals: remember what I said about implementation details?
Overturning judicial precedent is a legal hurdle to get over to get rid of advertising, but it isn't a logical problem with the solution. Just because something is difficult to do doesn't mean it's not worth doing.
> This argument is just throwing FUD about implementation details: you're not responding in any way to my statement of the problem, or presenting any fundamental criticism of my proposed solution.
On the contrary, these are fundamental questions that would need convincing answers for this discussion to move much further beyond what you have already articulated.
Your statement of the problem concludes that "advertising is just never a good thing, in any context." Your proposed solution is to ban all advertising, allow "some companies to go under", but "good riddance" to them.
These are extreme views, supported only by your fond memories of Ye Olde Internet, with little substance for us all to discuss.
> On the contrary, these are fundamental questions that would need convincing answers for this discussion to move much further beyond what you have already articulated.
Let's be clear here: I'm happy to discuss details of what I think would be good legislation here. Don't accuse me of not wanting the discussion to move forward.
The discussion doesn't move forward from the assumption "it's unworkable". It also doesn't move forward from people downvoting without explanation.
> These are extreme views, supported only by your fond memories of Ye Olde Internet, with little substance for us all to discuss.
1. The view I'm responding to is that corporations are people and therefore the corporate right to lie and manipulate the public in harmful ways is protected under free speech. Why is THAT not an extreme view in your mind?
2. "supported only by your fond memories of Ye Old Internet" ignores nearly my entire post. Which of the following passages is "fond memories of Ye Old Internet"?
> Almost every problem with the internet right now is caused by advertising if you dig through the chain of causality. From social media patterns that addict you to conflict and conspiracy, to popups, adware and spam, to constant attacks on our attention even when we're driving and could literally kill someone with inattention, to spreading dissatisfaction, fear, and poor financial advice, advertising is the root of much evil.
> And that leads me to my third reason advertising should be banned: it's infectious. Advertising is Scott Alexander's Moloch[9]--if one entity does it, then all their competitors have to do it in order to compete. The entire purpose of the free market is supposedly that it results in the best outcomes, but this is clearly a hack that prevents that from happening: we want companies to compete by producing the best goods and services at the lowest cost, but when you allow advertising, companies can (and do) compete by manipulating consumers into buying inferior goods at higher costs. Advertising is an anticompetitive business practice that undermines the entire purpose of a free market.
Again, you don't get to accuse me of not pushing the conversation forward by not providing enough substance, when you ignore most of what I say. It's you that's trying to shut down the conversation by pretending I've given you nothing to respond to. Respond to what I've already said if you want to have a conversation.
> But if you claim not to know that a 30 second video clip in the middle of your TV show...
The obvious cases are not what make this unworkable, it's the edges. Is a paid product placement an ad? Is simply furnishing clothes for the actors to wear on set an ad? Your original suggestion was that this letter didn't go far enough, and that we need to ban advertising altogether. But it actually seems like what you actually mean is that some additional forms of ads you find objectionable should be banned.
I personally have no problem with ads if it means I don't have to pay for stuff with money. But you asked why people downvoted you, and that was my answer.
There are two very large logical leaps you've made here:
1. You've leaped from "we haven't discussed what details would make this work" to "it's unworkable". As I said before: obviously details need to be worked out. Your answer to why people downvoted me is basically that I didn't draft fully-formed legislation before presenting the idea on HN. If you'd like to discuss details, I'd be happy to do so, but saying "it's unworkable" outright without hearing those details, or worse, downvoting without explanation, are not ways to continue that discussion.
2. You've leaped from "the edge cases are unworkable" to "all the cases are unworkable". Are you willing to admit that a law against the case we've both agreed is obvious would be workable?
"In addition to the clear privacy issues caused by surveillance-based advertising, it is also detrimental to the business landscape."
"In the surveillance-based advertising model, a few actors can obtain competitive advantages by collecting data from across websites and services and dominant platform actors can abuse their positions by giving preference to their own services."
In many senses, Google & FB have achieved what net neutrality wanted to prevent ISPs from doing. In the developing world, FB has actually achieved it. If AOL had succeeded, we would have ended up approximately here.