
Facebook now denying access unless EU users opt-in to tracking - fredley
https://twitter.com/johnnyryan/status/993827965594202112
======
newscracker
Things like this make me very, very angry! So many missteps over the years. So
many things bungled. So many dark patterns to fool users. Yet, where is the
mass exodus of employees from Facebook? If you're still working in any company
that Facebook owns in the technology or privacy or legal front, don't you
realize what harm you're contributing to? And you're still ok with that? Don't
you have a choice?

I'm appalled that thousands of people still work for this company by choice.

~~~
pgwhalen
Even though you never hear the counterpoint on HN, it’s important to remember
that FB’s behaviors are not necessarily objectively bad - people can have
different views on these things.

~~~
newscracker
I agree that people can have different views on these things for various
reasons. But I don't see how "FB's behaviors are not necessarily objectively
bad", unless one considers only the profit motive as prime without giving any
thought to other factors. Can you expand on that?

~~~
exolymph
Well, for one thing, nothing is objectively good or bad. Value judgments come
from people, and people have widely varying perspectives.

For another, the reason there's no mass exodus from Facebook is that Facebook
users do not perceive the company as harming them. They perceive it as a
useful service for staying in touch with friends and family. The utility it
provides outweighs privacy concerns, because most people do not care about
digital privacy. They care that no one is watching them go to the bathroom or
have sex, but they do not care whether advertisers can target them based on
aggregated information.

~~~
Domenic_S
> _nothing is objectively good or bad_

Just pointing out that this assertion is unjustifiably presented as fact.

~~~
dorgo
can you expand on this? How is good or bad not subjective?

~~~
Domenic_S
I'm not really interested in expanding directly, but if you're curious,
answering that question is an entire field of study called _ethics_.

[https://en.wikipedia.org/wiki/Ethics](https://en.wikipedia.org/wiki/Ethics)

~~~
dorgo
Thank you. Seems like you associate objectivity with popularity. Like in if
all/most people consider something good/evil then it is objectively good/evil.
I wasn't aware of this view.

[https://en.wikipedia.org/wiki/Good_and_evil](https://en.wikipedia.org/wiki/Good_and_evil)

"... and that what is truly good or evil can be determined by examining what
is commonly considered to be evil amongst all humans."

------
EastSmith
It is clear that FB does not plan to be GDPR compliant [1]

[https://medium.com/@bozhobg/facebook-doesnt-plan-to-be-
gdpr-...](https://medium.com/@bozhobg/facebook-doesnt-plan-to-be-gdpr-
compliant-7f775231c497)

~~~
donatj
Denial of service is a perfectly valid route to GDPR compliance.

~~~
icebraining
Only if the personal data is necessary to provide the service. And "my
business model makes it necessary" doesn't cut it. Otherwise you need consent,
but you can't DoS if it's denied.

EDIT: removed wrong link.

~~~
donatj
I can't deny you service if you don't agree to my terms of service? That seems
to fundamentally break contract law.

~~~
icebraining
I'd phrase it the other way around: you can't impose certain clauses in the
contract (in this case, an obligation to consent to certain kinds of
processing of personal data). Laws forbidding certain contract clauses are
nothing new.

~~~
donatj
So I’m _required_ to develop a bad version of my product for the small subset
who don’t consent?

Sounds a ton like the Windows Reduced Edition fiasco all over again but at a
much more massive scale - forcing by law the development of a product almost
no one wants.

~~~
icebraining
You don't need consent for the cases when processing personal data is
necessary to provide a feature for the user. For example, if you have a "find
my friends near me" feature, you don't have to ask for consent to use the
user's location for that purpose.

So there's never a reason why the product must be worse for any particular
subset of users.

When you need to ask consent is when you're trying to use personal data in
ways that aren't directly related to providing features for that user. Like,
for example, ads.

And you can't develop a bad version to "punish" users who don't consent to
those unrelated uses of their personal data, because then the consent wouldn't
be freely given.

------
hadrien01
Just after that Terms screen I got three real consent screens (including one
about ads tracking and one about face recognition). I think this screen is
only about the TOS update.

~~~
Nullabillity
Weird. I only got the facial recognition screen and the "accept ToS or delete
your account" one.

~~~
jacquesm
I guess the option 'continue to use the service without tracking' was too hard
to implement technically. Or maybe nobody thought of that.

~~~
JadeNB
> I guess the option 'continue to use the service without tracking' was too
> hard to implement technically.

Given how deeply tracking is built into their business and technical model, I
wouldn't be surprised if it really _was_ too difficult to implement.

------
carrja99
Believe me folks, just delete facebook. I've been so much happier since I did.

~~~
juxncxrlos
What about memes pages? that's the only reason I keep my account. Also, I
don't even see adds with and Ad-blocker. What are they going to try to sell
me, a meme page subscription?

~~~
inetknght
They aren't trying to sell you anything. They are selling you to others.

They are selling you to not just advertisers but selling your _profile_ to
companies that are able to use your profiled information to make their own
decisions about things.

It's not just about advertisements. Imagine if you didn't serve a single
advertisement and instead bought profiling information about people. You could
use that profile information to make business or political decisions
regardless of whether an advertisement was sold.

You could influence politics because you "know" your target audience.

Say, for example, the US presidential election or Brexit. Those are just the
most high profile places for your profile to be used without ever having
presenting advertisement to you.

Net neutrality is another one.

~~~
hiram112
I've been (down voted) for saying this before: it is not just ads that they
are selling.

The big money is going to be selling your _profile_ to everyone, including
insurers - health, auto, home, etc. Good luck getting a good deal when they
know how much you drink and the food you eat.

To the government - eventually that guaranteed Social Security and 401k will
be means tested, and it appears you're spending on luxuries that disqualify
you.the possibilities are endless.

And I know for a fact that there are more than a few HN readers who work for
companies mediating this data.

~~~
Bromskloss
> Good luck getting a good deal when they know how much you drink and the food
> you eat.

That would go both ways, right? With the extra information, insurance
companies would be _more_ keen on insuring those who behave in a way that
makes insurance payouts less likely.

~~~
hiram112
You'd think, right?

I wouldn't hold my breath, though. My car insurance was set at about $900/year
by my insurer for 5 or 6 years. In that time, they never once lowered the
price, even though I had one or two tickets expire, had a perfect driving
record during that time, and my car lost about half its value due to aging.

Only when I finally decided to get a new quote from my credit union - about
$400 for the year (less than half I'd been paying for years) - did my current
insurer _offer_ to reduce to the close to that price which is what I would
have been paying had I been a new customer with my current record.

In other words, corporations will find a way to extract the maximum possible
from everyone.

------
tonyjstark
Is it possible to delete my facebook account without consenting to usage of my
data? So can I access the delete page without consent?

~~~
icebraining
You can try:
[https://www.facebook.com/help/delete_account](https://www.facebook.com/help/delete_account)

------
willsinclair
Interesting. It seems like after the senate hearings, Facebook is trying to
communicate to its users that sending them your data is a necessary part of
using their services.

~~~
bonsai80
Yup. Perhaps this will eventually be a screen for the user to choose:

Button 1: Agree and proceed. Button 2: Set up credit card billing. Button 3:
Close account.

~~~
thisacctforreal
The Average Revenue per User can be found in their earnings report (linked
above by ihumanable):
[https://s21.q4cdn.com/399680738/files/doc_financials/2018/Q1...](https://s21.q4cdn.com/399680738/files/doc_financials/2018/Q1/Q1-2018-Earnings-
Presentation-\(1\).pdf)

For US & Canada this was $86.65 in the last 4 quarters.

For Europe this was $34.95.

Keep in mind they likely don't target ads using just one person's data:
accuracy can be improved by looking at the data of similar people, and looking
at the data of friends and family. It isn't as simple as offering a $10/month
plan to keep your privacy, because they want everyone's data.

"Your data is worthless, everyone's data is priceless."

------
ClassAndBurn
GDPR doesn't cover enough of the population using Facebook to warrant such a
change to their business model where you can use the service without them
using your data. They believe they are entrenched enough to just require this
(and likely are for many EU residents).

~~~
purple-again
I'm really curious to find out if the GDPR privacy stance (I'm American, not
well traveled, and with no non american social circle) is like the 'no
JavaScript' community. Vastly over represented in the tech community and not
really representative of the population as a whole.

In other words, are 99% of European citizens going to just click through what
ever annoying prompts they have to in order to get to their facebook (thats
what I would do) or is there an actual widespread cultural difference in the
EU that would stop large segments from agreeing to this.

~~~
Angostura
There are _so_ many people undergoing GDPR workplace training at the moment
that I think people _may_ stop and think

~~~
tedunangst
So many people or so many people in the web service tech industry that
frequents HN?

~~~
Angostura
To give you an idea, I work at a school. Every member of teaching staff all of
admin, site-services and IT have had GDPR training. Getting consent for
photos, for school trips, referral to outside agencies is a substantial issue,
as is leaving student records on desks, keeping files with PII on encrypted
sticks etc.

This is a school.

~~~
tedunangst
That's interesting. So now a student can come back and demand you delete their
permission slip for a field trip?

~~~
Angostura
Schools collect data under several of the possible lawful bases

[https://ico.org.uk/for-organisations/guide-to-the-general-
da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-
protection-regulation-gdpr/lawful-basis-for-processing/)

In the case of a permission slip - the school already holds lots of info that
the school collects under the 'Public Task or 'Legal Obligation' bases.

The slip then contains additional information that is only collect because the
kid is going on a trip, but is necessary for the trip. This would be collected
under the Contract basis 'If you want to go on this trip, the following info
is necessary'.

If the school also wants to take photos of the child on the trip, for example,
then the parent will be asked for consent.

So to answer your question, the parent (assuming the child is under 16) could
ask for:

1\. The photo consent to be removed - in which case the trip must continue

2\. The info pertaining to the school trip to be removed (in which case the
kid would no longer be going on the trip)

But they cannot request the core data that the school holds to be removed,
unless they take their kid to another school.

------
bprasanna
Mark's attitude during the Cambridge Analytica issue very well reflected the
fact that: Users are not going to stop using FB, so why bother much about
bending the company rules, instead bend the users.

------
Havoc
Do you consent to this cavity search? (Required to board plane)

~~~
star-castle
That's basically how it works in the US, yes.

~~~
Tharkun
Not just the US. Most of the western world has incredibly invasive security
theatre in airports and train stations now.

~~~
mpweiher
Huh? When I get on a train in Germany, I open the door and step inside. The
train station is usually even simpler.

~~~
icebraining
Same at least in Portugal, Spain, Belgium, the Netherlands, Luxembourg and
France.

~~~
Tharkun
I should have been more clear in my comment, I was referring to international
high speed trains. Including mandatory registration of passengers and keeping
the data for X years. Presumably these passenger manifests are also exchanged
with other countries.

But even regional services include oodles of cameras, including on the trains.
There's tracking of passengers and their destination. There are heavily armed
guards/police/soldiers in many European train stations.

~~~
mpweiher
Hmmm...those trains I step onto are (a) typically high speed and (b) quite
often "international", though the concept really doesn't make much sense in
the Schengen Area.

Are you talking about the Eurostar service from London (I remember the
Waterloo station, though I hear it has moved to St. Pancras). That's the only
one I can think of that fits your description.

The Thalys from Cologne to Paris via Belgium is/was also simple walk on walk
off with normal train stations.

~~~
Tharkun
The Thalys has security theatre with luggage x-ray in several locations,
including Paris and Antwerp. It's currently not active 24/7, but it will be
soon.

------
zerostar07
I doubt they released this without consulting the relevant data agencies in
the EU. And TBH there is nothing shocking here, just a confirmation of what
everybody knows is already happening.

I 'm also in the EU and this makes perfect sense to me: if you can't accept
seeing some ads then you can't use the free service. I highly doubt people are
willing to pay $5 cash / quarter to use it, but i would like to see FB giving
that option, just to see how miserably it fails.

~~~
KozmoNau7
According to GDPR, you cannot make access to your service require opt-in to
tracking, unless your service very specifically cannot work in any way without
tracking. And no, your business model not working because you cannot track
users anymore _is not_ the same as your service not working. Find a better
business model.

Facebook would still work just fine without the tracking, as proven by the
fact that you can switch off targeted ads and everything still works fine.

------
Tehnix
I'm actually much more interested in what Google collects about me. At least
for me, it's somewhat transparent that Facebook tries to slurp up all they
can, but it's much less clear with Google, that seems to try to downplay that
they are in fact also, heavily reliant on your data.

Does anyone know if Google has made any statements on this?

~~~
newscracker
If you'd like to see what Google has about you, you can visit
[https://www.google.com/settings/takeout](https://www.google.com/settings/takeout)
(or search for "Google Takeout"). Google has maintained and updated its own
solution to export data it has collected from you, the user.

While I do trust Google more than I trust Facebook, I also actively avoid
giving information to Google (through various practices).

------
zzzcpan
If websites are going to ask for consent to tracking or deny access to the
service only allowing to take the data, delete account and leave, the whole
thing will become meaningless. Users will just learn to blindly accept
everything, as this is a huge annoyance to them.

~~~
KozmoNau7
The GDPR does _not_ allow you to make access contingent on PII data
collection, unless your service cannot possibly work without it.

~~~
gamblor956
I'm not sure why you keep spreading this FUD. The GDPR applies to all personal
data, not just tracking data, and Facebook is useless without your personal
data. IOW, FB can make access contingent upon agreeing to data collection.

~~~
drucik
From my understanding user will have to consent both to personal and tracking
data separately. So yes, users will agree to sharing the personal data -
(name, age, gender etc), as this is essential for the service, in this case
social network, to work. However, tracking data for ad purposes will need
separate consent as this data is not essential for the service to work.
Otherwise GDPR would be another dead letter, wouldn't it?

------
mtgx
I'm pretty sure that's illegal under GDPR.

~~~
star-castle
what? seriously? Do EU citizens have some kind of legal right to Facebook
access, now? It's illegal for Facebook to not serve people they can't sell to
advertisers?

I'd love it if Facebook were nationalized (or destroyed), but none of the
coverage of the GDPR made it sound like it was going in that direction. I
thought it was just another stupid "click here to acknowledge our cookies"
rule that was going to spam up the internet.

~~~
gonmf
There is no legal right to Facebook, but if Facebook wants to do business
here, it has to abide by our rules. And our rules are very simple, you cannot
deny service because the user doesn't allow tracking if tracking is not
necessary for your service to work. And it isn't in this case, it's only
necessary to deliver higher paying ads.

Since they are being selective on the users they accept based on being
tracked, they are now on track for another EU fine.

~~~
ovao
It's disconcerting to me that under the GDPR, online businesses appear to be
losing the ability to deny services to a user who knowingly, and with clear
consent, chooses to take personal responsibility over the data they provide to
said businesses.

Regardless of whether this is for the "greater good", this is deeply
unsettling territory.

~~~
mrweasel
You're not allow to operate that way in most other businesses anyway. You
can't sell leaded paint, even if clearly marked. You can't sell unsafe cars,
even if you tell people that even low speed impacts will kill them.

There's a ton of stuff you can't do, even with clear consent, because
otherwise people who lack the means to understand the compromises or afford
the safer choices will suffer.

~~~
tlrobinson
Those are safety/environmental issues. Showing you ads based on your
preferences is not.

~~~
mrweasel
You could easily argue that tracking users behaviour is a safety issue. But
fair enough, how about the loan business, you aren't allowed to charge overly
high interest on loans. That's neither a safety or environmental issue.

~~~
ovao
Predatory interest rates frankly don't concern or particularly bother me. I
think, for me, that only becomes a point of concern if a person is simply
mentally unfit to make such decisions for themselves. In such cases the
general guidance that someone else deemed fit should be responsible for that
person's decisions applies, which goes back to the point you made earlier.

~~~
rosser
Even when those usurious, predatory rates are disproportionately charged to
poorer people, who can afford to bear them less? Because that's how it works:
price discrimination against the people least able to bear it.

But, hey. Why should I care, if _I 'm_ not getting charged those rates, right?

~~~
ovao
Given that a significant component to the determination of interest rates is
risk, I don’t think one could reasonably expect a non-public system of lending
to operate any other way.

We’re getting pretty off-topic though, so if you’d like to talk more, go ahead
and shoot me an email (r at ovao dot la).

~~~
rosser
Risk management and predation are _categorically_ different things. If that's
not an intuitively obvious notion, I'm not sure what more dialogue will
accomplish.

------
summerdown2
I wonder how this will co-exist with

a) Tracking non-facebook users via Facebook icons on web pages, and

b) Storing the information of non-users such as photos other people take,
phone books other people upload, etc?

------
donatj
With how insanely in depth some of the restrictions are, I'll honestly be
surprised if this isn't the route a lot of companies end up taking to GDPR
compliance.

~~~
KozmoNau7
You mean completely flouting the regulations and muddying the waters by
putting up ToS compliance popups that don't have anything to do with GDPR, in
order to fool their users?

~~~
donatj
I simply mean having a contract indemnifying the company against GDPR, e.g.
the user giving consent, to simply use the site.

Same as the cookie situation Europe has, but more so.

~~~
KozmoNau7
That is very explicitly not allowed by the GDPR. You cannot make access to
your service contingent on opting in. The consent has to be given freely,
otherwise FB will be in violation of the regulation.

Consent must also be given explicitly, you cannot have a pre-checked "yes"
checkbox or an "accept and continue" button.

Consent can also be given in a legally binding contract. A website ToS is very
much _not_ able to override the GDPR.

~~~
donatj
So you’re saying I’m required to develop two separate versions of my product?
One for the users I can actually make money off and another for people who opt
to get my product for free against my will?

~~~
KozmoNau7
You cannot base your business model on violating the privacy of EU citizens.
That's just too bad, you'll have to find a non-scumbag way to fund your
endeavors. You can absolutely still make money off ads, but you cannot target
them based on personal information.

You are of course perfectly in your right to block all EU IP ranges, if you
think that's a better solution, although cutting off 500 million potential
customers is a bit harsh.

In short, EU citizens have absolutely no obligation to support your flawed
business model.

------
shmerl
Hopefully it will encourage some people to ditch FB.

~~~
drivingmenuts
> Hopefully it will encourage some people to ditch FB.

I know my reasons for wanting to ditch FB personally (I'm about 50/50 on
that), but I'm curious as to your reasons for wanting others to dump it.

~~~
shmerl
There was a good article about it, but Observer swallowed it.

Here is what remained:
[https://web.archive.org/web/20151011192709/http://observer.c...](https://web.archive.org/web/20151011192709/http://observer.com/2011/12/in-
which-eben-moglen-like-legit-yells-at-me-for-being-on-facebook/)

Basically, anyone using it, encourages more people to use it, thus causing
further damage.

------
brightball
So basically Facebook is saying that if we can’t make money from you, you
can’t have an account.

~~~
wang_li
Seems perfectly reasonable, doesn't it?

~~~
zzzcpan
No, facebook desperately needs to keep users and keep tracking them, so they
are abusing network effect monopoly into giving people a choice either accept
any tracking facebook wants or lose all the connections and all the time you
invested into the platform. Which is not much of a choice, obviously.

------
tinus_hn
If that means they will no longer track me if I’m not a Facebook user, I’m all
for it!

------
kevin_b_er
Facebook knows it is in the wrong. Facebook announced last year they weren't
going to use Ireland as part of its tax dodging scheme. Otherwise GPDR rulings
could just extract global money out of the Ireland tax funnel.

------
gagabity
Whats behind that Options link?

------
jacquesm
Blackmail isn't opt-in.

------
Lionsion
IIRC, the GDPR is very explicit about what constitutes valid consent, so
things like pre-checked check-boxes aren't valid.

Is "consent" gained by a screen with only an "I agree" button even kosher by
it?

~~~
ben509
It may be that FB's lawyers come at it with a more American view whereby it's
legal if it complies with the letter of the law. I suspect the Euro legal
system tends to build a fence around the Torah, so to speak.

~~~
dbbk
It doesn't seem to comply with the letter of the law though, based on the
requirement of "freely given, non-conditional consent".

~~~
wang_li
What does it even mean to be conditional? Is the EU saying that FB has to
provide their service to Europeans? Does the EU also require that businesses
sell their services and products at a loss? Doesn't FB have some right to deny
usage of their service to those who choose not to abide by FB's policies?
Whether it's disapproval of tracking or behavior violations, it seems like FB
should be able to say they don't want to provide their service to particular
individuals.

~~~
vidarh
They can choose to not provide service to EU citizens. If they provide service
to EU citizens, then with that comes limitations on what rights the have under
EU law to pick and choose which EU citizens they want to provide service to.

Nobody is forcing them to serve the EU market.

~~~
KozmoNau7
Their choices are to either be GDPR-complient, or to completely bar _all_ EU
users from accessing Facebook. They cannot use tracking opt-in as a
requirement for access.

~~~
cabaalis
American here; I just don't quite understand the premise. "Here is what you
are giving us, and here is what you're getting in return" seems perfectly
legit to me. If this interpretation of the law is correct, then the government
is essentially saying the "in return" portion has to be eliminated. Which
seems to be against the idea of trade.

~~~
KozmoNau7
One of the points of the GDPR is that you cannot make usage of your service
contingent on giving up your privacy, unless your service very specifically
requires the user to give up personal details in order to it to even function.

Strava is a good example, it does not work without GPS position, otherwise it
cannot track your bike routes.

But Facebook does not require tracking to work. It does not require you to
give them any personal details at all in order to work. It would work just
fine even if everyone gave them fake emails, phone numbers, birth dates and
even fake names. Thus they cannot make giving up privacy a requirement for
using their service.

Besides that, this ToS update thing is absolutely _not_ GDPR compliant. It
does not list the things personal data will be used for. It hides the opt-out
(to the face tracking) behind a dark pattern small "options" text and makes
the default action opt-in. The list goes on.

This is simply an effort from FB to muddy the waters and sow doubt about opt-
in and GDPR consequences.

They _will_ have to provide _proper_ GDPR opt-in screens come the 25th, or
they will be fined for non-compliance.

~~~
cabaalis
Thank you for the clarification. That makes sense, although I'm not 100% sure
I agree that it doesn't need the information to function. It could be de-
identified for the individual, sure. But to actually use the service you need
to connect with others, whose identities you must know something about. By
following pages or celebrities or whatever you indicate that you are
interested in their subject material. So in order to properly use the
application you must give up something.

~~~
KozmoNau7
Yes, but clicking "like" on a celebrity's FB page is not personally
identifiable information. You cannot use to it discover the person's identity.

To connect to other users on a service, I don't need to know any personal
details about them, only their chosen username, which can be completely random
and have no relation to their identity.

