Once again we continue to look at data privacy and identity theft in the wrong way in my opinion. To me the solution is very simple. If you are reselling my data, allowing access to my data, or deriving data / services from my data that identifies me in any way and then selling that to a third party for a profit or giving it to them as part of a license so that they can generate profit from it (including ad targeting or analytics) then when I visit your site or use your service there should be a big box in simple to understand English, not legalese or a lengthy EULA, that says "we [do one of the things listed above], are you ok with that?" If I say "no", then you cannot discriminate against me and you cannot do those things. You still have to let me use your site or service; you still have to provide me with identical services; etc. You can still show me ads (non-personalized), charge me a bit more money commensurate with the value of my data, or introduce a different monetization method, but you can't deny me service altogether.
Further, if you collect my data, YOU are liable for it. Breaches should not be the user's problem. Meaning, if someone walks off with the contents of your database containing my PII using anything less than a crazy number of zero days, you are liable for a set financial penalty per user's info lost (in the way HIPAA does it) and / or you are liable in perpetuity for protecting against identity theft with an insurance policy. I don't need to prove attribution. If I ever have a problem that could plausibly be linked back to the data exposure, you are liable for damages.
Finally, it should not be the user's problem to clean up identity theft, ever. If a bank opens an account in my name without properly authenticating me, that is the bank's problem, not mine. It should be up to them to conclusively prove it was me that did it, not up to me to prove that I didn't. Does this mean it will be more complicated to open up various accounts and credit? Yes. Does it mean that there will be lost business for these institutions? Yup. Tough luck; that is the price we have to pay.
The entire point of this should be to heavily disincentivize collection of PII unless absolutely necessary for core business function.
So it sounds like you're okay with Google collecting all your data because your description doesn't cover them.
> If you are reselling my data
Google doesn't resell data
> allowing access to my data,
Google doesn't allow access to user data
> or deriving data / services from my data that identifies me in any way
Google doesn't let people be identified from the data they collect.
> and then selling that to a third party for a profit or giving it to them as part of a license so that they can generate profit from it
Google doesn't sell data to a third party for profit.
I'm 100% for a law that prevents the scammier companies who do all the things above from doing those things. Just pointing out that this doesn't cover HN's most hated company.
I would argue that makes what they're doing ok. I know this is a really unpopular opinion on HN but I think google is actually a really good example of ethical data collection. Sure they scrape up just about everything they can get, but they hold onto it themselves and have repeatedly demonstrated that (unlike facebook etc) they try hard to protect it and won't let an arbitrary 3rd party access it. They just let advertisers target demographics, so long as you don't actually click an ad your data is never accessible to advertisers.
Someone has to pay the devs to make their services, someone has to pay for the server farms (and the electricity to run them), someone has to pay for their open-source efforts, etc. They have to make their money somehow and people have demonstrated over and over again that they're unwilling to pay for services like gmail (remember when hotmail used to charge a monthly fee for email service if you wanted more than like, 500mb or something?)
There is no such thing as ethical data collection, as long as that data contains personal information about individuals. The very act of collecting data is problematic because, as history has shown us, data troves cannot be protected long-term and that eventually the company and others will abuse that data.
This already happened to Google. Not only did they get hacked, but various governments successfully got access to all that data both by asking and by taking.
Fair enough. This is why we have lawyers and subject matter experts (which I am not). I am just expressing a general sentiment. Codifying that into an actionable set of laws and regulations requires much more work.
This is the same line of reasoning I've used in the past. I just wish more people would get on board, to be honest. It's a painfully hard battle to get people to adopt the mentality of minimal exposure, and to see the real value in it. It's always AFTER they get slammed by some unfortunate event that it becomes a priority.
People don't realize the real value of their own information, I suppose. It's probably the same reason there are so many people who say they don't mind being surveilled because "they have nothing to hide." It's only after they've seen their freedoms restricted that they realize they should have cared more.
"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
In my view, there should be an automatic penalty paid to the victim. There is something like this for copying of music recordings. If you are caught with my information, you owe me 10000 bucks.
I'm not super on board with that disclaimer, as I think it weakens the argument that widely reselling PII is a socially unacceptable action. There are some rational reasons to resell PII to a different party (usually inter-subsidiary data sharing) but I am absolutely on board with reinforcing the liability.
Maybe the law needs to be shifted to a point where if a company collects some PII information from a user and that information is found in a breach then it is incumbent on the company to prove they were not the source of the breach to avoid being legally exposed.
I think it'd be nice if we all started viewing PII as dangerous; companies could invest the risk in collecting data on users, but it should be the default that companies try and avoid collecting as much data as possible.
Sorry, but I don't get why you must be entitled to having me serve you if I happen to have a server that serves other people. Just because I allow some people to visit my server does not imply that I am obligated to let you in. Because this is private property and the owner has a right to decide who gets in on his private property. Unless you advocate for abolishing private property, that is.
I don't see why people who opt out of paying the toll should be allowed to use the service. Nobody complains if a walled garden membership fee costs dollars, so why should data be different as long as you're aware up front of what is collected and that it's the method of payment?
> I don't see why people who opt out of paying the toll should be allowed to use the service.
Nothing wrong with charging for access to a service. If the web service isn't free, then don't give access to people who haven't paid for it. If the site isn't free, then require payment before serving the web page. This is reasonable.
What happens instead is:
1. I make an HTTP request
2. The server sends me the page with the content I want for free
3. The page comes bundled with ads and tracking malware
That's unacceptable. They shouldn't be allowed to "charge" anyone by including javascript malware to collect and sell private information. If they add useless noise to the content in the form of ads, users are entirely within their rights to delete them. People can rip out and trash the ads of a printed magazine.
They don't want to do the reasonable thing because they'd make less money that way. That's not our problem though. They need to deal with it and stop abusing our trust or one day people will make laws to criminalize it.
> why should data be different as long as you're aware up front of what is collected and that it's the method of payment?
Because nobody knows what that data is going to be used for once it's in a database and up for sale. Nobody is made aware "up front" of the risks of data collection. It's impossible to determine the long term impact of this. It could amount to nothing. It could end up being leaked because of some intermediary's poor information security practices. A government could get access to it and start building dossiers on people or share it with other governments.
At that point, they can simply charge their users a small fee. I remember reading once that Facebook makes something like $12/yr/user by exploiting their privacy.
I'd gladly pay $15/yr to use that service if I knew they weren't tracking my personal info and the service was ad-free. As it stands, I haven't been on the platform for nearly a decade now, and I'd return tomorrow if this were truly an option (and I actually knew I could trust them to honor the agreement).
IMO, that's how you strike a balance - use for free and we exploit your privacy, or pay a fee (preferably regulated to be similar to the average profit made on a user's private information) and no data will be collected or stored on you, except as is necessary to make the site work (for instance, setting times to your local timezone).
Ha! Facebook currently doesn't get any income off of me since any information about me is years out of date due to my concerns of how they handle data. I'd come back for $15/yr merely as a nice convenient way to keep open communication with relatives.
My thoughts exactly. I haven't been on any social media in probably 6-7 years now, and I got serious about my privacy a couple years ago, but I'd gladly pay that small fee just to keep in touch with people that are otherwise a bit difficult to contact, honestly.
You sidestepped my question though, why shouldn't they be allowed to refuse service if the toll is clearly explained? There are plenty of users who are content to receive $free services in exchange for their data, why shouldn't they be allowed to spend their data if they want to and why shouldn't services be allowed to cater exclusively to them? I'm not trying to come off aggressively so I apologize if I have, but to me this just seems like you're unhappy with how other people are choosing to transact. If $free services are so dominant in the market, not saying they are but now I'm speaking hypothetically, that people like yourself can't find alternatives then isn't that really just an indication that the traditional business model has been thoroughly outcompeted and should be moved away from since it's nonviable by comparison?
>why shouldn't they be allowed to spend their data if they want to
I think they should be allowed to. I just think companies should be required to provide consumers a choice.
>why shouldn't services be allowed to cater exclusively to them?
Because many of the companies that exploit their users are monopolies. There are no real competitors to YouTube, Facebook, Google, etc. (yes, I know alternatives exist, but when you have 99% of users on your platform, the others don't quite matter).
Since there's yet to be any regulation to stop this monopolistic aspect, the next easiest thing would be to force them to adopt a slightly different, relatively painless business model.
I don't think you came off as aggressive - don't worry. People should, imo, be free to choose how they want to transact. On the flipside, though, a standard business model would be a benefit to all - those who care about privacy get what they want, those who don't see zero changes. The companies will make the same money off of either, so the only real cost is in developing the tools necessary to accept payments. Those aren't particularly hard to integrate into most websites, though.
>isn't that really just an indication that the traditional business model has been thoroughly outcompeted and should be moved away from since it's nonviable by comparison?
I'm not so sure. I've never seen a YouTube alternative with even 1/50th as many videos which has some kind of cash-based revenue model. I've NEVER seen a search engine which does that, and the same is true for social media (among other things, this isn't meant to be an all-inclusive list, of course).
I'm a bit of a privacy nut, so feel free to disregard this next part, but I honestly think targeted advertising is the source of a huge number of problems. For instance, it's used for highly targeted political ads, which I believe is the root of a lot of the division in the US political scene. This got so bad that Google felt the need to ban their tools being used for highly-specific targeted political ads. Unfortunately, others have not followed suit here.
Your shitty business model isn't morally entitled to be viable. If you can't figure out how to operate a business without hoovering up tons of PII, then your business deserves to die.
This can easily be turned on its head though. Clearly, your desire for privacy is far larger than everyone else's. Why should they have to suffer for your desire? You could use privacy oriented services instead.
> Clearly, your desire for privacy is far larger than everyone else's.
Is it? How do you know? Most people don't have even a partial understanding of the risks associated with personal information collection. Most people don't even read terms of service and privacy policies. How many users even know what a cookie is?
The fact is people trust the service providers with the data. They assume that their data will be used responsibly for their benefit. Recent history shows that this assumption is completely unfounded.
> Why should they have to suffer for your desire? You could use privacy oriented services instead.
The fact is the vast majority of services are not and never will be privacy-oriented. Paid service or not, they'd make more money if they sold people's private information. Not doing that is a wasted opportunity to them, it's as if they were actively choosing to make less money. So instead of excluding people who don't agree with surveillance capitalism, it should be impossible to collect any information to begin with.
Besides, we should not be ostracized and be forced to live off-grid as if we were in some cyberpunk story just because we value our privacy.
You don't need to live off grid. You will just get more expensive tools and services because of the smaller size of your niche and the lack of ad money. There's a seemingly sizable crowd out here that is highly invested in such. Would targeting them make as much money? Probably not. But would this be a sustainable market?
'Your PII' is also the PII of other people. Consider Facebook's 'shadow profiles' of people who don't use its service, constructed from the address books, shared photos, and other information of Facebook users around them.
If you don't force that then users will simply say "well I really love Instagram..." and click ok. An average user can't place a value on their privacy because they can't see the long term threat from using these services. This is where we need regulations in the same way that we needed cigarette regulations back in the day to deal with long term health threats.