
Google and Facebook accused of breaking GDPR laws - nemoniac
http://www.bbc.com/news/technology-44252327
======
lloydsparkes
I am reading through the complaints,

The first one: [https://noyb.eu/wp-content/uploads/2018/05/complaint-android...](https://noyb.eu/wp-content/uploads/2018/05/complaint-android.pdf)

The user sets up a "new" (non-Google) phone, and isn't given an option to
decline consent to Google's ToS.

Now how does this work with a physical product? It needs to be compliant on
the 25th of May 2018, but the version of Android may be old and not updated
(given it's Android). Even if there was an update waiting to resolve GDPR-
related issues, you would need to agree to the ToS to get that update, to
enable opt-out?

From that point of view, it seems a rather unfair complaint. I haven't checked
the others yet, but I start to feel that perhaps these have been filed too
early, without enough thought and examination, just to get headlines?

~~~
rightos
I'm pretty sure that's incorrect at least today, it's possible to skip through
the initial setup on a stock Android device without adding a Google account or
accepting a ToS.

~~~
ldjb
If there is, they don't make it obvious. Whenever I've tried setting up a
stock Android phone, I've looked for a way to do so without adding a Google
account, but found no such option.

Perhaps it's possible to do so by pressing or holding some obscure sequence of
buttons, but in that case it is reasonable to argue that a 'hidden' option
isn't really an option at all. After all, you can't hide microscopic text on a
paper contract and expect signees to be bound by it.

There may be stock Android phones out there that do provide a clear option to
not use a Google account, but there are certainly many phones that do not.

~~~
codedokode
I am using a Chinese no-name Android phone without a Google Account. It is
somewhat usable even without an Internet connection and without a SIM card. For
example, I can use a camera, radio, music player, a dictionary or offline
maps.

~~~
beenBoutIT
China gets your data now.

~~~
codedokode
That's why I thought about either routing all traffic through my server or
replacing proprietary ROM with open source software.

------
ckastner
> "The GDPR explicitly allows any data processing that is strictly necessary
> for the service - but using the data additionally for advertisement or to
> sell it on needs the users' free opt-in consent"

This is the key point. As the saying goes, on Facebook, you aren't the
customer, you are the product.

The GDPR just changed this -- rightfully, in my opinion.

~~~
dmortin
Somebody has to pay for it in the end, so Facebook could simply say "agree to
targeted advertising and use the site for free or do not agree and pay a
monthly fee for the site".

~~~
henrikschroder
Sign me up!

The sad truth though is that the users who are most likely to pay to get rid
of ads, are also the users that are most valuable to advertisers, because
that's a signal they have more money to spend than the rest.

~~~
dmortin
What if they say it's $20 a month? And it's just facebook. Google also asks
for $20, Reddit too, etc.

It won't be cheap.

~~~
xxs
So you are stipulating an account's worth is 240 USD a year at Facebook? Instead
of 20, why won't you say 100, make it round.

Seriously though, behemoths do fall and if facebook ceases to exist there will
be no harm but good in my book.

~~~
dhimes
The number that's been kicked around for the value of a North American user is
about $50/year. So $5/month will cover it.

~~~
CaptainZapp
The problem is that even if I pay Facebook this company is so utterly
untrustworthy that I don't believe for one second that they wouldn't run their
data sucking shenanigans on paid accounts.

~~~
gkya
And that's why you want to have regulations. In the case you suggest, you
could ask e.g. the EFF, if you suspected that they are abusing the contract, to sue
FB on behalf of the users. Or even kick-start a big court case yourself.

------
MarkMc
I think Facebook's lawyers have determined that they can use the 'legitimate
interest' basis for showing targeted ads to their users [0]. This basis does
_not_ require consent from users except as part of the take-it-or-leave-it
initial terms of service.

Here are the parts of the 'legitimate interest' basis which are most useful to
Facebook:

 _The GDPR does not define what factors to take into account when deciding if
your purpose is a legitimate interest. It could be as simple as it being
legitimate to start up a new business activity, or to grow your business._

So Facebook's lawyers can simply say, "It's in our legitimate interest to
maximise advertising revenue".

 _You need to demonstrate that the processing is necessary for the purposes of
the legitimate interests you have identified. This doesn’t mean that it has to
be absolutely essential, but it must be a targeted and proportionate way of
achieving your purpose._

Facebook's lawyers can say, "It is necessary for us to use personal
information about our users, such as their age and location, in order to
maximise our advertising revenue".

 _The GDPR is clear that the interests of the individual could in particular
override your legitimate interests if you intend to process personal data in
ways the individual does not reasonably expect._

Facebook's lawyers can say, "People expect that we use their personal
information such as age and location to determine what ads to show them, so
the interest of the user does not override our legitimate interest of
maximising advertising revenue."

[0] [https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/)

~~~
lovich
If companies successfully argue that maximising revenue is a legitimate
interest and thus don't need users' consent, then the GDPR will be worth less than
the paper it was written on.

I would be extremely surprised if the EU goes through all this time, effort,
and money just to let corporations continue with business as usual.

~~~
hshehehjdjdjd
The EU cookie law is one prior example of this. That worked out to "business as
usual" in the end, didn't it?

~~~
jacquesm
Think of the GDPR as a bug-fix release to remove the loopholes those legal
hackers used.

------
testplzignore
This is the crux of the problems with how companies are interpreting the GDPR.
Every service I've seen with a privacy policy pop up within the last 24 hours
has basically justified all of their current data collecting practices as
being necessary for their business. The spirit of the GDPR is to improve
privacy, not just make Terms of Service pages longer.

~~~
sleepyhead
Actually the spirit of GDPR is also to make Terms of Service shorter by being
clear and understandable. If you as a user are unable to understand what you
are agreeing to then it is a violation of GDPR.

~~~
mirko22
> unable to understand

What if he is not very smart? Or even better, what if he is very dumb?

At which level should those be written then?

~~~
contravariant
The literal text of the GDPR is as follows:

>the request for consent shall be presented in a manner which is clearly
distinguishable from the other matters, in an intelligible and easily
accessible form, using clear and plain language

~~~
mirko22
Yes, and before that it says `If the data subject's consent is given in the
context of a written declaration which also concerns other matters,` which
means I can use legalese but only if it does not concern other matters in the
same document? :)

~~~
contravariant
You'd hope not, but I also thought the phrasing in that sentence was sloppy.

~~~
mirko22
That's the whole issue with the regulation unfortunately :(

------
narrator
I am trying to think what the secondary consequences of GDPR are going to be.

If any user can see their data on any service, then any government can quickly
plug in to access all user data on any service. This is like NSA Prism for
everything.

If a user can export their data easily from any service, they can easily
resell their own data for money to services that seek to monetize that data.
They could even rent out their data by the day for model training using the
right to delete.

Account takeovers by hackers will lead to much more severe data breaches,
since all data on that user in the system is easily accessible.

The information apocalypse is made all that more easy because account takeover
+ deep fakes + Lyrebird plus all that easily accessible juicy data =
impersonate anyone.

Data renting will create a way to monetize account takeover. The account
takeover will include all possible information used to identify a person so
how are the data brokers supposed to know it isn't you and how are you
supposed to get your data back once it's out there getting monetized?

~~~
camillomiller
The option to monetize your own data is an amazing idea: a startup that pays
you to upload the data you can download from your Google, Apple, Facebook,
BIGNAME account, basically renting it daily until you revoke consent, then
uses it to do all sorts of shit you can with it. You'll get hyperprofiled and
harassed with all sorts of advertising, but you're actually getting real money
for that.

~~~
scrollaway
The problem with that model is... how much money is a single profile worth,
really?

I'd love to be proven wrong and for a company to implement this. But as far as
I know, it's not being done because the math doesn't work out. It's too cheap
for regular people to be interested, and an incentive for spamtech to mass
create fake profiles and get paid pennies for it.

In fact, the one variant I am aware of that works is survey sites, but that's
because you get paid _per result_ rather than for your data as a whole. If
you're just renting your data daily, you'd get a lot less.

~~~
akerro
> The problem with that model is... how much money is a single profile worth,
> really?

I remember some estimates: a Facebook profile with a few years of history is
around $1, a few profiles from different sites of the same person $5.

------
brianmcc
Targeted advertising has become such a big deal, and implemented at such high
cost, that I wonder if the trade off is even worth it now. I could imagine
Apple or Samsung simply "sponsoring" Facebook for a week or month at a time
with banners and messaging - tastefully done of course! - and how much less
_hassle_ that would all be, rather than aggregating millions upon millions of
cookies and chasing people around the internet, winding them up, etc.

Targeting ads for anonymous searches, fine: search for cars, see car adverts.
Simple!

I'm sure there is plenty of data that shows how terrible this whole idea is in
terms of wasted ad spend, missed opportunities, so it'll never happen, but
it's a nice dream :-)

~~~
dangerface
Targeted advertising has always seemed pretty dumb to me; most advertising is
done by Coke and their target is everywhere.

~~~
kinsomo
> Targeted advertising has always seemed pretty dumb to me; most advertising
> is done by Coke and their target is everywhere.

Doc Searls made a good point: targeted advertising _isn't_ advertising, it's
really _direct marketing_ (like spam and junk mail).

Coke is doing advertising, but the adtech "targeted" advertisers are just
spamming you using new technology.

[https://blogs.harvard.edu/doc/2018/05/12/gdpr/comment-page-1...](https://blogs.harvard.edu/doc/2018/05/12/gdpr/comment-page-1/)

------
GordonS
> forcing people to accept wide-ranging data collection in exchange for using
> a service is prohibited under GDPR

Erm... I don't think that's true.

As long as you are open and transparent about what you are doing, and give
users the right to request, update and delete the data you hold on them, then
AFAIK this is allowed.

~~~
martin_bech
Nope, that's actually true. You can't force, say, tracking if it's not absolutely
needed for the product to work. And I think that's why a lot of the popups
have dark patterns, to hide the fact that you can now opt out of these things.

~~~
GordonS
Hmm, seems you are right, I just found this PDF from the ICO:
[https://ico.org.uk/media/about-the-ico/consultations/2013551...](https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf)

"Avoid making consent a precondition of a service"

"consent requests must be separate from other terms and conditions. Consent
should not be a precondition of signing up to a service unless necessary for
that service"

I assume Facebook et al will simply find a way to make everything 'necessary'.

~~~
mjewtoo
For consent this is true, but there are other legal ways for you to collect
the data. One is legitimate interest; this one is more abstract but requires a
bit more work from you.

I think a lot of the future court cases will be around trying what one can use
legitimate interest for.

[https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/)

~~~
GordonS
Legitimate interest is meant for when it's in the user's best interest... but
I've no doubt that, given sufficient lawyers, Facebook et al could argue
almost any data-hoovering is in their users' best interest.

------
oblio
Oh, one thing important to note that people might forget/ignore: this is just
the beginning. See:
[https://en.wikipedia.org/wiki/Brussels_effect](https://en.wikipedia.org/wiki/Brussels_effect)

A lot of countries look up to the EU, have trade agreements with it. Unless
the GDPR totally falls flat on its face (unlikely), more and more countries
will realize the benefits of this kind of legislation.

Also the GDPR will act as an icebreaker and it will "soften up" company stance
on this matter. As a result it will be easier for the second line of countries
adopting such laws to demand things from companies.

I'd say: get used to it. It's not going away, it's not going to become easier
to use and sell personal data.

~~~
ocdtrekkie
The Facebook/Cambridge Analytica thing definitely seemed to open up more US
legislators to the idea. Between the EU taking the lead on antitrust against
tech monopolies, and now privacy laws, it honestly makes them look bad: The EU
is doing the job most people would've expected the US to take the lead on back
in the day.

As GDPR will not end the world or pop the tech bubble or whatever, it's
increasingly likely that the US will just go "yeah, we want all that too".

------
camillomiller
If this is what Online Marketing Hell looks like, please tell me where one can
apply for a job as Junior Devil

------
enedil
It was expected that activist groups would say that these two companies are
breaking GDPR; it is not so obvious that they will actually be fined (as the
requests need to be processed by a specific institution and might be found
unwarranted).

------
lordlarm
The 'loophole' here would be the definition of 'legitimate interests', where
businesses can defend not giving users a choice in many of these matters due
to the activity being critical for the service to work or the business to
survive.

I.e. Facebook _could_ argue that users would have to have their data collected
and analysed, as this would enable them to sell ads which in turn is their
core interest.

Another example could be automatic enrollment into newsletters or data
collection/analysis with the option to opt out by going to settings. You
don't _have_ to give users the explicit consent checkbox during signup if you
can defend the activity by it being in your legitimate interests.

This article goes into more detail: [https://medium.com/mydata/five-loopholes-in-the-gdpr-367443c...](https://medium.com/mydata/five-loopholes-in-the-gdpr-367443c4248b)

~~~
tazjin
Somebody on Reddit posted a list of Tumblr's "partners" that they share data
with by default:
[https://i.imgur.com/YCNvEMa.png](https://i.imgur.com/YCNvEMa.png)

I'm finding it difficult to believe that they can come up with a "legitimate
interest" for all of those that would also actually hold up in court.

~~~
dmitriid
Twitter's "partners" are the same (you can request a list from your privacy
settings).

~~~
chopin
Google's as well.

------
csomar
And here I'm hoping for the EU GDPR to kick all of these guys in the balls
pretty hard. In the last few hours, I have been getting dozens of emails.
Basically: take it or leave it. Some of them sent an email saying "if you don't leave,
you are taking it".

And you are not given a choice to download your data or temporarily access
your account to sort out things. Your hands are getting forced to accept the
rules or potentially be locked out of your account.

I'm taking note of these little evil services. And in all fairness, my banking
provider actually gave two options: one is required and the other is optional
(marketing data collection). I was able to unselect it successfully.

------
mikekchar
My big problem with this is that the complaints are too quick (unless Google,
Facebook, et al are stupid, which I don't think they are). First you have to
make a request to see what they are using the data for. _Then_ you can
complain that it is being used for the wrong things. Unless the aforementioned
companies are blatantly saying "We're sharing your data for targeted
advertising without consent", then I think we have to wait a month for _real_
complaints.

~~~
TallGuyShort
Isn't the tracking a claim they make to advertisers, and can I opt out without
declining the entire ToS?

~~~
mikekchar
Edit: Just to be clear. I'm not in the EU, so I can't check the ToS. If they
are being stupid, then that's pretty stupid of them ;-)

The thing is, it is possible that as of today they have stopped tracking. I
agree that it's very unlikely, but unless they actually tell you that they are
tracking you, how would you know? You get ads, but they could be completely
random. Who knows? As of today, maybe all EU residents are getting random ads?
Until you make a request, I think you can't quite complain (again, unless they
are stupid and actually telling that they are tracking you).

~~~
olivierduval
FYI: GDPR provides a framework allowing investigations from the EU... So the EU
might ask to get enough information on algorithms - and even to audit code -
to check if there's some hidden ad targeting. And then...

------
yostrovs
Considering that large sites with teams of lawyers are failing to follow the
rules, how is a small site run by a few regular folks supposed to comply?

~~~
quohM0Ho
The easiest way to comply is to not collect any PII. That is only a problem
for companies that make data collection their core business.

~~~
rebelde
IP addresses are PII, as defined in the law. Every website you visit gets your
IP. HN has yours now, and now has a headache to deal with.

~~~
xxs
Define retention policies and explain that you would keep IP addresses up to xxx
months to ensure service operation/troubleshooting/etc.

Prune the logs.

There you have it.

~~~
rebelde
Sounds like a legal headache for anybody who wants to set up a personal blog
or blog for their company, with a penalty of up to 20 million euros if you get
it wrong.

~~~
FooBarWidget
What? You can set up log rotation in 1 minute. In 3 minutes you can write a
small paragraph that explains you only use IP addresses for security reasons
and only store them for a few weeks.

Also, the claim that you immediately get the maximum fine of 20 million euro
for every small detail that you get wrong is false:
[https://www.joyfulbikeshedding.com/blog/2018-04-17-should-no...](https://www.joyfulbikeshedding.com/blog/2018-04-17-should-non-eu-websites-ban-eu-visitors-under-the-gdpr.html) (claim backed up by a book
written by an IT lawyer)

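As an added illustration of the retention approach xxs and FooBarWidget describe (example code written for this page, not from the thread or any project): a Python pass over access-log lines in Common Log Format that keeps full IP addresses only for a short troubleshooting window, truncates them to a network prefix afterwards, and drops records once the documented retention period has passed. The addresses, timestamps and window lengths are constructed assumptions.

```python
"""Retention and data-minimisation pass over web-server access logs.

Constructed example: IP addresses are personal data, so keep them in full only
as long as security troubleshooting needs them, then truncate them, and drop the
record entirely once the documented retention window has passed.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Common Log Format: <ip> <ident> <user> [<time>] "<request>" <status> <bytes>
CLF_RE = re.compile(r'^(?P<ip>\S+) (?P<rest1>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest2>.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(ip_text):
    """Reduce an address to a network prefix: IPv4 -> /24, IPv6 -> /48.
    Unparseable values are replaced wholesale so nothing leaks through."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def apply_retention(lines, now, full_ip_days=14, retention_days=90):
    """Return (kept_lines, stats). Records older than retention_days are
    dropped; records older than full_ip_days keep only a masked IP.
    The two window lengths are assumed policy values, not legal advice."""
    kept = []
    stats = {"kept_full": 0, "masked": 0, "dropped": 0, "malformed": 0}
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            # Age cannot be judged, so treat the line conservatively and drop it.
            stats["malformed"] += 1
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        age = now - ts
        if age > timedelta(days=retention_days):
            stats["dropped"] += 1
            continue
        if age > timedelta(days=full_ip_days):
            ip = mask_ip(m.group("ip"))
            stats["masked"] += 1
        else:
            ip = m.group("ip")
            stats["kept_full"] += 1
        kept.append(f'{ip} {m.group("rest1")} [{m.group("ts")}] {m.group("rest2")}')
    return kept, stats


# Constructed sample log lines (documentation-range addresses, fictional paths).
NOW = datetime(2018, 5, 25, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.45 - - [24/May/2018:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2018:18:30:45 +0000] "POST /login HTTP/1.1" 401 0',
    '2001:db8:abcd:1234::1 - - [02/May/2018:07:00:00 +0000] "GET /feed.xml HTTP/1.1" 200 2048',
    '192.0.2.99 - - [10/Jan/2018:03:14:15 +0000] "GET /old HTTP/1.1" 404 0',
    'garbage line that is not a log record',
]

if __name__ == "__main__":
    out, stats = apply_retention(SAMPLE_LOG, NOW)
    for record in out:
        print(record)
    print(stats)
```

Run it on a rotated log before the file is archived; the stats dictionary gives a per-run count that can be kept as evidence that the written retention policy is actually applied.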
~~~
rebelde
You overestimate my abilities! You also overestimate the abilities of non-
technical people.

Judge's discretion on the fine, and he probably won't like me.

------
mdekkers
Where do I sign up? I was forced today to accept Facebook's new settings and I
was presented with an option to either allow facebook to process my data for
face recognition or not. Choosing not does not allow you to move forward in
the settings, and it is deeply confusing - there is an "accept and continue"
button, but there is some rather small text that states choosing accept and
continue will enable face recognition. Closing the browser and reopening it at
this point shows the same text, and only the option to accept and continue.
Doing so and then checking settings will show face recognition to be disabled,
but I am no longer sure what I accepted and continued with.

The whole scheme is scammy as anything. The text presented is something along
the lines of "disabling this feature will allow other people to impersonate
you" which at best is nasty fear mongering.

Fuck those assholes.

------
zzzcpan
It appears many companies try not to comply with the spirit of the law. Stack
Overflow, for example, sent an e-mail claiming to have opt-in permission for
promotional messages, while not actually having it and only providing opt-
out settings:

"With your continued permission, we will send you promotional messages based
on your preferences. To see and change your opt-in preferences, manage your
Email Settings."

I guess with such attitudes it's not going to be enforced much, otherwise
there will be no one left to enforce it on.

------
kisstheblade
Absolutely every site that has had a new GDPR warning is just the same as the
old cookie banner. "By using the site you agree..." Some have updated privacy
pages which describe how you can delete or deny cookies... An absolute joke,
nobody is following the law.

It should be simple. A new banner that asks "allow tracking", yes, no. Either
option allows you to use the site freely.

------
whyagaindavid
Serious question: How is this compatible with the new GDPR?
[https://apple.stackexchange.com/questions/144551/how-to-dele...](https://apple.stackexchange.com/questions/144551/how-to-delete-my-account-on-icloud-com?rq=1)

------
amelius
Aside, I've found an interesting thread on GDPR in Mastodon (an open-source
"Facebook competitor") here:

[https://github.com/tootsuite/mastodon/issues/7280](https://github.com/tootsuite/mastodon/issues/7280)

------
whyagaindavid
Are they also planning to sue Apple? I can get it activated without creating an
account.

------
cromwellian
There seems to be a fundamental dichotomy on HN that is either intellectually
dishonest, or the result of hyperbolic reasoning. Everyone accepts that
services have costs, and so someone has to pay for them. They're either paid
for by user fees, paid for by ads, or paid for by charity (e.g. Wikipedia).

Every time a publisher converts to user fees (paywall), people react angrily.
Yet, people complain loudly over ads too, and others complain loudly over ad
tracking. Now, there's not necessarily overlap between these groups, but there
must be some. So either people want to get away with paying nothing (one form
of dishonesty), or they are virtue signaling over things they don't care as
strongly about as they say (another form of dishonesty), or they are mad at
something else.

I think it's a mix of both. Many people will say they care a lot about privacy
and security, but behave in ways that show they really don't. From poor
operational security, to bad passwords, to continuing business with firms that
have already been hacked and exposed their personal information.

A lot of people also complain loudly over what they imagine is serious harm
being done to them by ad tracking, but I would bet they are more annoyed by
ads themselves than by the theoretical and abstract (if distant background)
threat of their info being harvested for harm. Because human beings' reward
systems in their brains favor minimizing immediate pain.

Ads, whether targeted or not, are an annoyance, just like paywall dialogs, and
people would rather see neither. I think this is the real nitty gritty, people
unwilling to put up with the monetary cost of services, the hassle of signing
up and paying, the performance detriments of ads, or the annoyance of having
their attention interrupted by them and this is far and above the concerns
over privacy.

No doubt, many people will say no, I'm wrong, they truly care extremely
strongly about data mining, but I think the people who care that strongly are a
small minority like the people who are rabid anti-vaxxers, or anti-GMO:
hyperbolic fears of tiny risks, not shared by the mainstream.

------
kerng
Solution: Pay a few bucks a year or see ads. What's so difficult about that?
That could solve the problem somewhat at least...

~~~
zerostar07
For Europe it would be around $20, I believe.

------
Oras
It's about time to see no-win no-fee services to file a complaint against
companies for GDPR breach. How long will it take?

~~~
GuB-42
It is not how it works in Europe. No-win no-fee is a typical American thing.
We don't have class actions either.

It doesn't mean it won't happen, but that would be unusual.

~~~
chopin
That's not exactly true. There are services which take your cases for delayed
or canceled flights in return for keeping a percentage of the redeemed money. It must be
said that carriers brought that on themselves by stonewalling customers
despite pretty clear laws. But this is rather an exception.

Personally I would love to see similar services for GDPR. However the
structuring of the law makes this unlikely, I believe.

------
AndyMcConachie
I'm gonna need more popcorn :)

