
We value your privacy now, but maybe not later - raimue
https://raimue.blog/2019/01/26/we-value-your-privacy-now-but-maybe-not-later/
======
deogeo
You go to the local baker and buy a loaf of bread.

After you leave, he writes down, on a piece of paper, your name (he knows you,
after all), when you arrived, how long you took to choose what to buy, what
you bought, and how you paid - bills, credit card, etc. He also writes down if
you looked happy, nervous, what you were wearing, if you were with someone,
and anything else he can see.

He then seals this paper in an envelope, and at night, when no-one is around
to see, sells a whole bag of such envelopes to the
mining/merchant/transportation conglomerate from the neighboring town, for
little more than pocket-change.

Would you consider such a person a good neighbor?

~~~
mLuby
No, but someone giving bread away for free and doing that wouldn't be so
clearly bad. I think the difference is the obvious exchange of value (money
for bread) in the first case suggests that's the entirety of the transaction.
So the baker additionally "taking" the customer's data feels like stealing.
But in the second case, it feels more acceptable that the exchange is (data
for bread) since we all know there's no free lunch. There's a reason when you
give someone something for free they ask "what's the catch?".

~~~
ludocode
> No, but someone giving bread away for free and doing that wouldn't be so
> clearly bad.

I would say that's even worse. By giving bread away for free, he's making it
impossible for other bakeries to compete unless they do the same thing.

This is why there are no serious competitors to services like Facebook or
GMail. It's impossible to compete with free unless you monetize the data.

I say this as someone who pays for ProtonMail. Do you think it's possible to
convince friends and family to start paying for email as well when they
already get it for free?

~~~
dennisgorelik
If your privacy is important to you, then you would go to the baker that does
not sell your private information and charges money for bread.

If there are enough people who are ready to pay for their bread and prevent
selling out their private information -- then it would allow such privacy
respecting bakeries to exist.

~~~
Dylan16807
Because auditing is garbage and there's no way to know who isn't collecting
this information.

~~~
dennisgorelik
Collecting information is not really a concern for the vast majority of users.

But some users start to worry when that information is getting sold to third-
party providers. Information sales are easier to audit.

~~~
Dylan16807
Collected information almost always turns into transferred information at some
point. Knowing they don't sell anything now doesn't help you in five years
when the company has a change of heart or a change of ownership.

------
albertgoeswoof
From the HN privacy policy:

Changes to Y Combinator’s Privacy Policy:

The Site and our operations may change from time to time. As a result, at
times it may be necessary for Y Combinator to make changes to this Privacy
Policy. Y Combinator reserves the right to update or modify this Privacy
Policy at any time and from time to time without prior notice. Please review
this policy periodically, and especially before you provide any Personal Data.
This Privacy Policy was last updated on the date indicated above. Your
continued use of the Site after any changes or revisions to this Privacy
Policy shall indicate your agreement with the terms of such revised Privacy
Policy.

~~~
Despegar
Speaking of HN, how do you delete your account from it?

~~~
frutiger
What do you want to achieve by deleting your account? I can see basically two
options:

1. prevent you (or anyone else) using your handle to post submissions or
comments

2. delete all posted submissions and comments in addition to option 1 above;
this is a little futile as HN has been indexed and replicated elsewhere

EDIT: the following is incorrect, as pointed out by jacobsheehy.

I will note that both are possible without any assistance from HN, though
perhaps option 2 could be made easier.

~~~
jacobsheehy
Deleting content does not seem possible on HN, but you're implying that it is?
Once you have posted something and walked away, you cannot delete it from HN.

~~~
frutiger
You’re absolutely right, I had never noticed this before. The delete link
disappears after some time.

------
andr
I can understand that quite a few companies' commercial product is your
personal information (e.g. Facebook, Twitter, and even news media nowadays).

What is scaring me is companies that have a different business model using the
same techniques to sell your information. Today I noticed that Dropbox.com
login does not work with the Ghostery ad blocker enabled. Ghostery blocked a
total of 48 items on Dropbox.com, including 22 trackers. For a company that I
pay $100/yr and trust with all my personal files, that number should be 0,
everything else is a breach of my trust.

~~~
thoughtstheseus
Yeah, unfortunately, spying on people is the norm. I have little confidence
these business models will work in the long-run. Hopefully.

------
tyfon
When I see "We value your privacy" I know instantly something shady is going
on. The only thing I'll accept is an "Accept" and "Reject all" button next to
each other without further clicks.

My list of web sites that I actually visit gets smaller and smaller. I have a
shortlist and for most of them I pay to remove ads if they have the option and
I have all kinds of ad-blocking installed both on the network level and
browser level.

~~~
friendly_chap
You are absolutely right, but the sad reality is that we are a small minority.
Perhaps we can influence the world by education though.

~~~
FiveSquared
Well, education is a lost cause due to the masses being overworked /
overstressed / overwhelmed / undereducated / etc. I have seen people who write
down their passwords on paper and carry them around. If people can’t remember
secure passwords, how are they gonna protect their privacy?

------
duxup
It really seems like the only good privacy policy is

"We just don't collect X data, ever."

I don't know if I would trust it, but it would be the only one that I would
have even a tidbit of faith in / think that it represents a good faith offer.

If they do collect it, I just assume it is being stored in the name of selling
it. At this point it seems to be a foregone conclusion.

------
Animats
A contract which allows one party to change the terms may not be a valid
contract at all. There's a legal truism, "an agreement to agree is not an
agreement."[1] This comes up regularly in "letter of intent" cases. The rules
vary by state. New York is very negative on "agreements to agree".[2] Putting
a phrase like that in a contract may weaken the position of the party putting
it there.

Any comments from lawyers?

[1] https://www.blaney.com/articles/agreements-to-agree-do-they-bind-you-or-not-court-decisions-resting-on-specific-provisions-1

[2] https://scarincihollenbeck.com/law-firm-insights/agreement-to-agree-ny/

------
twblalock
Privacy policies can change at any time, but that's not the only problem.
Companies that hold your private data can be hacked. They can be acquired by
new owners who don't care about privacy.

Even if you trust a company with your private data, and even if you are fully
informed about the data that they collect and what they use it for, you will
have no control over what happens to that data eventually.

------
phoe-krk
Of course we value your privacy.

In US dollars.

------
martimarkov
I really want to see companies getting fined for breaking the GDPR. Even
better would be if they got a few companies to a bankruptcy lvl. Mainly so we
get rid of the dark patterns. Just have 3 options: Accept All, Reject All,
Custom

I hate it when the only option is accept or when I get redirected to a 3rd
party website which tells me I need to enable 3rd party cookies for them to
not track me... well fuck you guys, I don’t want to enable them.

My solution so far is: Ghostery + DuckDuckGo + uBlock Origin + PiHole. Any
other suggestions are welcomed.

------
cygned
I noticed that some of these often-used cookie accept overlays take an awful
long time to apply my choice (up to a minute) when I opt out of all non-
required cookies.

I guess that is on purpose to annoy me to click “Accept all” anyway. I don’t
expect that they value my choice either.

------
alexandercrohde
Serious question -- how can this be legal?

Think about it. For all I know tomorrow the policy could say "You agree to pay
the site all your savings?" This sort of prior blank-check consent seems to
lead to absurd scenarios when thought about.

~~~
mlthoughts2018
I’m willing to bet it’s not enforceable, and in court it would not hold up for
a company to claim their new privacy policy was intrinsically consented to by
virtue of site usage alone.

The purpose is probably just to add legal obfuscation and extra cost burdens
in the process of suing a company over privacy issues. It costs them little to
add legalese like this to their policy, and may possibly create some
gargantuan burden of effort in the future to argue that it’s not enforceable,
just further reducing the number of would-be lawsuits to challenge them.

------
kmlx
the last time i’ve seen such a drive for privacy was during the USSR, where
the state would actually kill or at least torture you. so you had to hide
everything from them. this led to a broken society, where everyone lied to
each other over the most basic things (e.g. going out, eating a loaf of bread
etc). that’s one of the reasons i escaped to the western world, where
transparency was the norm, where no one cared what you had for breakfast,
where there was no real threat to your life due to over exposure.

fast forward to today, and it feels like the west is developing into the USSR,
but without the threats to life, just the “hide everything about you” part. it
also feels like a partly nativist europe vs the rest of the world.

now it seems i have to escape yet again to parts of asia where they don’t
worry about stuff like this.

edit: at the last minute i’m reminded that this is just the HN bubble, and
outside Europe people still act normal and don’t care about this stuff.

------
Felz
As someone who recently put together a privacy policy myself, I can assure you
that an updating clause is standard practice for both privacy policies and
terms of service. The documents are really mostly for minimizing liability.

You can object to that, sure, but no sane company is going to open themselves
up to lawsuits just because a few users are upset about it.

------
albertgoeswoof
The other thing that is driving me crazy is the dark patterns employed to get
you to click accept. Sometimes the reject button has deliberately had the
onclick/hover changes removed so it doesn’t feel like a working button, other
times it’s buried 3 levels deep etc.

What are we supposed to do about these? They have been added to comply with
GDPR but clearly don’t.

~~~
duxup
What is funny is that time and again we've found that ... companies will still
do what they want, even if "accidentally".

------
techslave
> Would you agree to a contract that can be changed by the other party at any
> time in any way?

A privacy policy is not a contract.

Of course it has to be (and should be) updatable. The privacy landscape
changes over time.

The way these things are, is actually perfect. It means, you can ignore it
entirely because the company has complete discretion on whether to abide or
not. The only thing you have to go by, is reputational considerations (which
doesn't recover your lost privacy), and absolute legal requirements that exist
outside of any policy statement, eg GDPR, COPPA, HIPAA.

~~~
groestl
> A privacy policy is not a contract

Exactly. Why Atlas Obscura even uses language about "agreement" ("[...], you
are agreeing to such modifications.") is beyond me. It might even result in
more legal exposure and restrict their freedom to move within the limits of
the GDPR to rely on user consent (provided they even want to comply with the
GDPR as a Delaware Corp).

------
benatkin
I guessed that the title was about startups that value privacy but still
collect too much data. When they get acquired by a typical giant corporation,
they don't value privacy but still have lots of data. The modification clause
is what enables them to misuse people's data.

------
vecnotron
this is illegal under GDPR for two reasons: opt-ins gained with privacy policy
v1 are not valid if it gets updated, and you need to opt in by choice, not
because it is the only option

~~~
Wowfunhappy
Is it just my limited understanding, or are a majority of companies blatantly
violating GDPR?

I was reading through Vox's privacy policy the other day, on a whim. (I'm in
the US, but I was connected to a UK VPN at the time--so if the policy does
explicitly change depending on country, they should have thought I was in the
EU.) The cookie policy can be summarized as: "We use cookies to track you. If
you don't want us to use cookies to track you, you can opt out by setting your
browser to block all cookies." Never mind that this would cause a wide range
of functionality to not work.

And then there's Amazon. I desperately want Amazon to stop showing me
personalized recommendations--I don't actually mind the tracking, but I feel
as though recommendations push me into a filter bubble. As far as I can tell,
there is zero way to do this whatsoever.

------
dennisgorelik
I just opened atlasobscura.com

There is no privacy popup for me. I am in the US, so EU laws are not
applicable here.

I blame EU GDPR laws for the popup that Rainer Müller suffered from.

~~~
rebuilder
IOW you don't even get notice they're tracking you. Is that an improvement?

------
deanCommie
GDPR execution has been a dumpster fire of usability dark patterns and user
hostile design.

The web has not had this many pop-ups since the 1990s.

~~~
sakisv
The problem is not with the pop-ups, but with how many dark patterns are
involved in getting your consent.

They could have made a simple pop-up, in simple language with two clear
options and an optional dropdown showing all the "providers" but then again
that would have been too user friendly.

Maybe GDPR should be revised to address these things, maybe even provide a
template with 5 different color schemes that everyone should be forced to use.

~~~
fabrika
The problem for the majority of the visitors is pop-ups. Everyone just clicks
the green button. No time to read two clear options or bother with dropdowns.
That's how people behave.

These pop-ups are required by GDPR. If your site doesn't have a pop-up you
risk losing 20M Euro.

