
Facebook points finger at Google and Twitter for data collection - cfadvan
https://techcrunch.com/2018/04/16/them-too/
======
marcell
Contrary to most comments here, it is significant that other companies do.
Facebook competes in the free market. If they scale back on data collection,
that will hurt their offering to advertisers and cost them money that will go
to Google and others. That lost revenue will harm their ability to retain
talent and build new products, and ultimately cost them their user base. “We
don’t track you” is not as compelling a feature as “free video chat across the
globe.”

Facebook doesn’t operate in a vacuum. They can’t scale back data collection
unless others do. Moreover, the United States doesn’t exist in a vacuum
either. Scaling back all US companies will give a leg up to competitors in
more lenient jurisdictions.

~~~
JumpCrisscross
> _Scaling back all US companies will give a leg up to competitors in more
> lenient jurisdictions_

Laws can be written to only apply to American users. That would leave American
companies free to compete on level terms in other countries.

~~~
marcell
Sort of, the issue is companies typically bootstrap in their domestic market.
If laws are restrictive it will kill companies before they even get to the
point of international expansion.

------
headsoup
So Facebook is going with the tu quoque fallacy.

Perhaps the others will be in trouble in future too, but sorry Facebook, it's
_your_ turn now.

~~~
Froyoh
"Look, others are doing it too!"

~~~
Zelphyr
Which was an argument of my kids when they were five. To which I replied then
and I reply now, "That doesn't make it right."

~~~
ianai
This is rapidly becoming political and rule #1 in politics is “politics
doesn’t have to be fair.”

------
shady-lady
I personally don't really care about what information they collect. I do
hugely care who they give that information to & what they do with it.

Haven't heard anything about Google wholesale handing all my data over to
anybody who clicks a couple buttons to sign up to their developer program
though.

I'm guessing Facebook has the technical expertise to allow 3rd parties to run
aggregate (non identifying) queries on the consenting users' data on servers
they control and only allowing certain aggregated data, as well as limiting
the number and type of queries 3rd parties are running.

Guess it's easier to just let anybody have at it to prove how valuable their
platform/data is.

~~~
losteric
Google keeps their data private because they've already secured their
advertising/search territory. Disclosing profiles would only undermine their
competitive advantage.

It seems like Facebook gave away that information in hopes of developing a
more engaging walled garden with 3rd party help, and perhaps some naivety.

> I'm guessing Facebook has the technical expertise to allow 3rd parties to
> run aggregate (non identifying) queries on the consenting users' data on
> servers they control and only allowing certain aggregated data, as well as
> limiting the number and type of queries 3rd parties are running.

This is a _very_ challenging problem - multiple "non-identifying" queries can
actually identify individuals. Differential privacy is the best solution so
far, however it's still challenging to guarantee privacy without lowering
quality far below competitors that don't care about consumers.
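
Added example (not part of the original comment, and not any company's code): a sketch of why an aggregate-only query API can still identify a person by differencing two counts, and how Laplace noise with a per-client privacy budget limits that. The records, function names and epsilon values are constructed assumptions.

```python
import random

# Constructed sample records: (user_id, age, has_condition). Not real data.
USERS = [
    ("u1", 34, 0), ("u2", 41, 1), ("u3", 29, 0),
    ("u4", 52, 1), ("u5", 38, 0), ("u6", 45, 1),
]

def exact_count(predicate):
    """Aggregate-only API: returns a count, never a row."""
    return sum(1 for u in USERS if predicate(u))

def differencing_leak(target_id):
    """Two 'non-identifying' counts whose difference is one person's value."""
    everyone = exact_count(lambda u: u[2] == 1)
    all_but_target = exact_count(lambda u: u[2] == 1 and u[0] != target_id)
    return everyone - all_but_target

def laplace_noise(scale, rng):
    # The difference of two exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

class PrivateCounter:
    """Counting queries with Laplace noise and a total epsilon budget."""

    def __init__(self, total_epsilon, seed=None):
        self.remaining = total_epsilon
        self.rng = random.Random(seed)

    def count(self, predicate, epsilon):
        if epsilon <= 0 or epsilon > self.remaining:
            raise PermissionError("privacy budget exhausted")
        self.remaining -= epsilon
        # A count changes by at most 1 per person, so the scale is 1/epsilon.
        return exact_count(predicate) + laplace_noise(1 / epsilon, self.rng)

if __name__ == "__main__":
    print("exact differencing reveals u2:", differencing_leak("u2"))
    pc = PrivateCounter(total_epsilon=1.0, seed=1)
    a = pc.count(lambda u: u[2] == 1, 0.5)
    b = pc.count(lambda u: u[2] == 1 and u[0] != "u2", 0.5)
    print("noisy differencing estimate:", round(a - b, 2))
```

Smaller epsilon means stronger privacy and noisier answers, which is the quality trade-off the comment describes.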

~~~
asfasgasg
> Google keeps their data private because they've already secured their
> advertising/search territory.

That is one _possible_ self-interested reason for them to keep the data
private. They could also just care deeply about guarding user data they
collect. This could be for either selfish or unselfish reasons -- it's both
good business and moral. It's very hard to tell from the outside, because
their actions would look largely the same either way.

Personally I think it's pretty naive to believe any company does anything for
a single reason. There is a constellation of reasons, some more important
than others.

------
hemantv
Hopefully, this starts a meaningful conversation about what other people are
also doing. I am not a fan of Facebook but this might get the ball rolling on
broader legislation similar to GDPR in US.

~~~
tested24
I really hope nothing remotely similar to GDPR is written into legislation in
the US. I do not even know how I would get started writing a website that
would adhere to GDPR requirements.

~~~
x0x0
So, on the one hand, I really would like a GDPR equivalent law in the US.

OTOH, anyone who says they clearly understand the implications of GDPR for
their site has either spent a lot of money on lawyers or is lying. Let alone
someone who has implemented it. Privacy by design requires deletion of data
after legitimate interests and/or consent have expired, probably (!!!) in 3rd
party systems. How, precisely, do you implement that?

Can you shadow-delete accounts for some period of time to allow users to
change their minds? If no, what UI do you put on a "delete my account" button
that has absolutely no undo, even in the 24h regrets period?

Do people have GDPR privacy rights over eg comments on YC that may mention
them by nym?

Given the GDPR covers EU residents (not just citizens), as an American can I
buy a plane ticket to Dublin and start requesting full data dumps? What rules
are those provided to me under, and how do you make software that can do that?

~~~
losteric
> OTOH, anyone who says they clearly understand the implications of GDPR for
> their site has either spent a lot of money on lawyers or is lying. Let alone
> someone who has implemented it.

[http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN)

It's long but the language is far easier than American legalese. The
implications depend on your site/service behaviors. An RSS reader is pretty
trivial, interactive social media... less so.

> Privacy by design requires deletion of data after legitimate interests
> and/or consent have expired, probably (!!!) in 3rd party systems. How,
> precisely, do you implement that?

Privacy by design is a _design_ philosophy, it might be a pain to refactor
into an existing system but the design constraints aren't onerous.

If your "3rd party system" is something like AWS, just delete the data. If
you're sending it off to some other service, they do need to be GDPR compliant
(the law covers this situation).

re: legitimate interests, we partitioned our data. Access logs, for example:
one stream gets anonymized for simple analytics, another gets dumped into
in-depth weekly analytics jobs, and the final log stream outputs encrypted
auto-expiring S3 files with strong access control for infosec purposes. When a
user withdraws consent, we just stop logging new information. Truly anonymized
data is OK, our in-depth analytics data is purged within 14 days, and InfoSec
is a justifiable legitimate interest.

> Can you shadow-delete accounts for some period of time to allow users to
> change their minds?

Yes. GDPR does not require instant response. You should be transparent about
what will be kept and how long, a clearly communicated 24h shadow-delete is
completely reasonable.

> Do people have GDPR privacy rights over eg comments on YC that may mention
> them by nym?

This is a good question, I'm also curious about quotes. The recent Google case
suggests both fall under GDPR.

> Given the GDPR covers EU residents (not just citizens), as an American can I
> buy a plane ticket to Dublin and start requesting full data dumps? What
> rules are those provided to me under, and how do you make software that can
> do that?

Assume everyone is covered by GDPR.

~~~
x0x0
> It's long but the language is far easier than American legalese. The
> implications depend on your site/service behaviors. An RSS reader is pretty
> trivial, interactive social media... less so.

Except the GDPR is full of hand-wavy stuff. Who needs a DPO? What is "large
scale" in that context? How exactly do you conduct a legitimate interest
balancing test? Who is your lead regulator and under what criteria as an
American company can you decide?

Also, people have a lot more 3rd party systems than most think. Think
transactional mailers, marketing mailers, billing systems, payroll, zendesk,
etc.

And even an RSS reader is scary. What if someone follows a series of blogs
about HIV treatments, or internal trade union politics? If that means you
could infer the person is poz or is a member of that trade union, you now have
heightened scrutiny data in your possession.

~~~
losteric
> Think transactional mailers, marketing mailers, billing systems, payroll,
> zendesk, etc.

GDPR has explicit provisions for all of these legitimate interests
(notifications, clients, employees, customers). Most of these services are
aware of and planning for GDPR, I wouldn't want to work with any that aren't.

> And even an RSS reader is scary. What if someone follows a series of blogs
> about HIV treatments, or internal trade union politics? If that means you
> could infer the person is poz or is a member of that trade union, you now
> have heightened scrutiny data in your possession.

Right, and I like that! Attempting to derive sensitive information should
require consent, transparency, right to rectification, and stringent data
handling requirements. It sounds like overkill for an RSS reader, but why the
heck does an RSS reader need to do that kind of profiling in the first place?
Maybe that's the right level of scrutiny and prior applications were
unwarranted?

On the other hand, there are no concerns with simply storing the followed
blogs.

> Except the GDPR is full of hand-wavy stuff.

Can't win, legislation is either micromanaged or hand-wavy... it's worth
noting that some of the hand-waving is actually business friendly.

I'm not saying these laws are perfect. There is definitely room for
improvement, but this is still a consumer win over the pre-GDPR wild west.

~~~
x0x0
3rd party: the fact remains that doing deletions, both as a consent withdrawal
and a privacy by design, is extremely complex. Particularly when privacy is
withdrawn before a LI expires. You can hand wave it away as GDPR provides for
this -- which isn't at all responsive to what I said -- but it's difficult to
do nonetheless.

I never said the RSS reader is profiling. They don't have to be. Does the mere
presence of the inescapable user data -- ie what feeds they monitor -- create
heightened scrutiny, because _someone else_ could infer with that data, were
it to be leaked. It well may. I would seriously consider blocking EU users
until this is sorted out.

Worse, the RSS reader could offer suggested feeds, and accidentally find
themselves in possession of such data, entirely accidentally. Even if users
were clearly asked if they wanted to see suggested data, or allow their data
to be used to suggest feeds. They may not intend to derive sensitive data to
possess it.

Or suggest you have a site like YC, and someone puts "hi, I'm poz" in their
description. Tada, sensitive data.

The GDPR should have defined when a DPO is required, what a LI balancing test
is, etc. Alternatively, the orgs could have pretended to be competent and
issued guidance before -- oh right, they haven't issued final guidance yet.
I'm _sure_ 6 weeks is plenty of time.

------
test42
I feel like whoever wrote this article missed the point completely.

For the internet to function, websites need your information. If you want to
log into a website using Facebook login, Facebook needs to know what website
you are logging into.

When you watch a YouTube video on someone else's website, in order for that
data to be sent to you they need to know what your IP address is and they need
to know what website you are viewing the video on.

This is how the internet works. You cannot access something from someone
else's servers without them knowing what your IP address is.

Are we invading people's privacy when we log IP addresses when someone visits
a website hosted on our servers now?

~~~
dgreensp
Agreed, I found Facebook’s explanation perfectly adequate and respectable.
They are basically explaining cookies and embeds/iframes to a non-technical
audience — no more, no less. It makes sense to give other examples like Google
ads and Twitter buttons in this context.

~~~
Alex3917
> They are basically explaining cookies and embeds/iframes to a non-technical
> audience — no more, no less.

Right but the main question was whether they were getting data on people from
data brokers, and they responded by answering a completely different question.

------
Johnny555
Well Facebook, if all of the other companies jumped off a bridge, would you do
it too?

Saying "But they do it too!" is no defense. Though it does make the argument
for stronger regulation.

------
JustSomeNobody
I really dislike the, "well, they do it too!" form of argument. It shows a
tremendous lack of maturity.

------
cwkoss
spiderman-pointing-at-spiderman.jpg

------
thisisit
I am sure Facebook looked at today's internet discourse and thought - If
whatabout-ism works for every discussion out there, why not us? Hence, they
asked - What about Google? What about Twitter? They just didn't go the full mile
and ask - What about Amazon? What about those emails? What about "world
peace"?

But, whatabout-ism misses an important point - we cannot get everything all at
once. Everything happens one step at a time.

------
RcouF1uZ4gsC
> That said, other tech companies have gotten off light. Whether it’s because
> Apple and Google aren’t CEO’d by their founders any more, or we’ve grown to
> see iOS and Android as such underlying platforms that they aren’t responsible
> for what third-party developers do, scrutiny has focused on Zuckerberg and
> Facebook.

Maybe Zuckerberg should do the same thing Larry Page did. Create a parent
company for Facebook (maybe call it Library), of which Zuckerberg becomes the
CEO. Then find someone else to be the CEO of Facebook. In addition, just like
Alphabet and other "Bets", Library could have other "Books".

Then, instead of Zuckerberg CEO of Facebook, you have Zuckerberg CEO of
Library.

~~~
nkozyra
I think this discounts the ways in which Facebook differs from Google and
Apple as it relates to open, sprawling access to user data.

The Alphabet conglomeration didn't obfuscate similar issues, nor would
Zuckerberg following suit. Facebook's issues are related to unfettered access
to a user and their graph(s) and sensitive information. More importantly that
they knew of the risk and did little in response.

Obviously Google and Apple have their own privacy issues to account for, but
it's fundamentally different.

