
Internet Companies: Confusing Consumers for Profit - DiabloD3
https://www.eff.org/deeplinks/2015/10/internet-companies-confusing-consumers-profit
======
Animats
A few days ago, I posted "Unicorns aren't ad-supported" on HN.[1] There, I
pointed out that, of a list of the top 50 "unicorns", non-public startups with >$1bn
valuations, only three (Snapchat, Pinterest, and Vice) are ad-supported.
This dot-com boom isn't driven by ads. It's driven by companies that provide a
product or service for which their customers pay them. The companies that make
their money from ads are from the _previous_ dot-com boom.

Ad-blocking and tracker-blocking thus won't hurt the growth companies in
Silicon Valley. YC could get behind ad-blocking without reducing the value of
their portfolio. The concept that "the user is the product, not the customer"
is now outdated. There are still companies which rely on it. They are
vulnerable. Google still hasn't come up with a major revenue-generating
product other than ads.

[1] [https://news.ycombinator.com/item?id=10372789](https://news.ycombinator.com/item?id=10372789)

~~~
pdkl95
I agree that selling an actual product or service[1] is the proper way to build a
respectable and sustainable business.

As for making the user the product[2], advertising is merely the most obvious
and publicly visible way stolen user data can be exploited for profit. For
example, I doubt Experian is using the search information they get from
webmd[3] for targeted advertising.

[1] an actual service; abusing copyright to bypass first sale and other forms
of rent-seeking doesn't count

[2] obBalkan:
[https://projectbullrun.org/surveillance/2015/video-2015.html#balkan](https://projectbullrun.org/surveillance/2015/video-2015.html#balkan)

[3] [http://motherboard.vice.com/read/looking-up-symptoms-online-these-companies-are-collecting-your-data](http://motherboard.vice.com/read/looking-up-symptoms-online-these-companies-are-collecting-your-data)

------
oneJob
So,,, at what point does this become accepted (as opposed to tolerated)
business practice? Or, more optimistic, no longer tolerated. At one point it
was ok to say, "This is all new and still being worked out." But, it is no
longer new. It is very worked out. Entire sectors of the economy (and legal
system) are devoted to knowing more about consumers than they sometimes know
about themselves. The entire industry is being built on bait-and-switch and
obfuscation practices. And, the tech industry, the supposed knight in shining
armor come to save humanity from itself, is leading the way. Someone, at some
point, needs to call a spade a spade. We need to own this, if this is our new
society. Or stop closing our eyes, if it isn't.

~~~
eevilspock
_"If a business model wouldn’t work if users had to opt in, it deserves to
fail."_ (last line of the article)

Since the invisible hand of the free internet appears to be arthritic, a more
visible hand (fist?) is necessary. And we have it in the way of request
blockers such as uBlock Origin, which can completely block Facebook's and
Google's tracking in their tracks. As more and more people turn to subversive
solutions such as privacy oriented request blockers and ad blockers, we may
finally turn things around.

My hope is on an open source browser that is entirely privacy oriented, easy
to use and adopt by non-technical users.

~~~
ised
The last line from the article you quote is spot on.

Why are alleged "services" provided for "free"?

One group will tell you it's because advertisers are picking up the costs for
"content". Another group will tell you that it's because no user (cf.
advertiser) would pay if a "fee" were charged to use the www.

Of course, no "free" business model will dare test the theory of the latter
group, so I guess we'll never know how the user values these "services".
Instead the investors and advertisers set the value. Grossly inflated.

In the early days of the internet as I remember it the real (non-hardware)
costs for the internet were tolls on telephone calls (dial-up). Organizations
picked up the tab for employees who used the internetwork. Tuition-paying
students also got access.

Then came UUnet and "ISP's". And then people had their own personal computer,
at home, with a network card.

As far as I'm concerned, the internet connection fee is still the only real
cost.

I think the browser you allude to is possible. But I think some changes in
thinking in how information is structured and presented on the www are needed.
If we let the www be shaped solely by web developers with a lust for layers of
abstraction and increased complexity and being given carte blanche to run code
on others' computers, then it forces the "browser" to be something that is far
too complex and too much trouble for any open source volunteer programmer to
deal with.

Make the www easier to parse and then the www "browser" becomes easier to
replicate. This is only my opinion. Others would certainly disagree.

~~~
eevilspock
I believe we need a multi-pronged approach to _retaking the internet_ from the
forces that dominate it now. One prong is a resistance movement, such as I
suggest above. Another is to innovate on better ways to finance content and
services on the web, be it micropayments or something else. And another is to
find a way to counter or eliminate the perverse incentives that drive
clickbait, garbage content and viral shallowness. It is not accidental that I
allude to Adam Smith's invisible hand above. He and others knew the key was
understanding the feedback loops. The internet's feedback loop is broken.
Clicks and quantity drive revenue, not quality.

And yes, my username is a reference to Star Trek, a show which is probably too
socialist for the heavily anarcho-capitalist-leaning libertarian crowd here on
HN (See the link in my reply to username223).

I'm working on setting up a website where we can raise awareness, change
hearts and minds, and support efforts that help us retake the internet. I
cannot do it alone, even with my evil goatee. Email me if you'd like to help.

~~~
bootload
_"my username is a reference to Star Trek"_

Goatie, S2 OTS.

------
r0naa
I do have a Facebook account, primarily because I am studying abroad and I
need to keep in touch with my family and close friends and Facebook is, thus
far, the best way to share what is going on in my life. It kind of allows me to
"broadcast" my life events.

Now, I really dislike what I just read.

I wonder if tech companies have a moral obligation to disclose to the user
what are the terms of the contracts.

While ToS and Privacy Policy are public documents, I don't think they are
close to anything readable for the layman. They are mostly a pile of legal
garbage and it is virtually impossible to go through them every time you sign
up for a service.

That is why I would like to put the emphasis on clarity here. What if?

What if technology companies were forced to disclose _clearly_ what signing-up
for their product entails with respect to user privacy. I am thinking of
something alongside this:

""" Hello r0naa,

Welcome to Facebook, we hope that you will have a great experience here.

Facebook will allow you to:

- easily communicate with your friends
- share photos, videos and play games with your friends
- keep in touch with distant relatives

On the other hand, we will:

- keep a record of the messages you send to your friends
- keep a permanent record of the photos you have shared on Facebook
- keep a log of all the websites you have visited that contain a "like"
  button.

Moreover, you should be aware that we will disclose all your personal data to
the US government if we are issued a NS letter.

Hope you have a great day,

"""

To be clear, I am not saying that this is the right solution. Only, I believe
it is pretty obvious that there is a problem and that a lot of people who are
not technically literate are not able to make an informed choice about whether
or not they want to give up their privacy, even partially.

I hope it will spawn an interesting discussion, feel free to share your ideas
and suggestions.

~~~
joosters
It's not just that privacy policies / ToS are using complex legal language.
The real problem is that they are so broad.

For example, just about every privacy policy states that information collected
can be used to improve the company's products & services, or to help develop
new ones. That effectively gives the company free rein to do _whatever they
like_ with your data. Who knows what products they may decide to offer?

A company could release a new product tomorrow that sells your individual
browsing data to the highest bidder, and that would be covered by this clause.
Also remember that almost all policies state that they can be updated without
notice too. Do No Evil today, Evil tomorrow...

~~~
username223
> The real problem is that they are so broad.

Before I click the "go away" button, I interpret the wall of text as "we'll do
whatever we want, and if you disagree, you can try to sue us, but the PR
campaign will be what matters, not the legal stuff."

------
josteink
Glad to see Chromebooks mentioned. I for one consider Chrome to be Google's
last attempt to extract those last pieces of information from the desktop
which it can't get from having tracking on 99% of the pages found on the
internet.

That and subvert internet standards by giving Google the ability to push their
own HTML on server and client in real-time, forcing other browsers to follow
their lead or be declared "legacy" or "outdated" in front of users on Google
websites.

I consider Chrome to probably be the worst thing which has happened to the
modern web. It's much worse than IE ever was.

On a real laptop you have the freedom to choose a privacy-respecting browser,
but Chromebooks are even worse in the sense that there's only one browser, you
can't choose any other, and the browser there is spying on you real-time.

That these devices are not _illegal_ to use in an education context is really
astounding to me.

------
modeless
Edit: My initial comment was incorrect, corrected version below.

Chrome Sync encrypts sync data on the client. By default the encryption
passphrase is your Google Account password. This allows Google to read the
data, as described here:
[https://support.google.com/chrome/answer/1181035?hl=en](https://support.google.com/chrome/answer/1181035?hl=en)

However, you can set a separate Chrome Sync encryption passphrase in settings.
This second passphrase is never sent to Google at all and allows you to use
Chrome Sync without Google reading the data. It should be obvious why this is
not the default, as requiring a second passphrase is a very significant
decrease in usability, but it's there if you want it.

~~~
kuschku
Then how is this scenario possible:

Set up Google account with password "abc" on PC1, use chrome, set bookmark.

Go to PC2, select "reset password" and reset Google account password to "123".
Login to chrome with "123". The bookmark from before appears.

~~~
modeless
My initial comment was incorrect and has been updated. However, have you
actually tried the scenario you describe? In the past, when I have changed my
Google account password and logged into a new computer, I have had to enter my
previous account password on the new computer to decrypt the data before Sync
would work. Indeed, if you look in Chrome Sync's settings, you will see text
that looks like this: "All data was encrypted with your Google password as of
Jan 17, 2015", letting you know which version of your password to use.

~~~
kuschku
I’ve last used Chrome around 2012, and at that time it would work after
resetting the account password. In fact, I still don’t know which account
password I had used.

So at least at some point in time Google did store all this data.

It seems to have been quite leaky in the past, and that doesn’t make Google
any more trustworthy.

Solution: Use Firefox. Also, Firefox at least allows Cookies on localhost or
other local domains.

Anyway, Google may not store any bit of my browser history in the US anyway,
so I should probably go to court against them.

------
gorhill
I run benchmarks regularly concerning privacy exposure, and I ran one this
summer to find out all 3rd parties for a sample of high traffic web sites.

I collected and sorted the results by [3rd party, 1st party] pairs: this
allows one to see at a glance the most ubiquitous 3rd parties out there, i.e.
those which have the ability to build a profile of your browsing habits.[1]

Facebook (through `facebook.net`) was definitely at the top in the benchmark,
when using EasyList, EasyPrivacy, Peter Lowe's.[2]

I personally doubt a majority of users care that there is a Facebook _like_
widget on any page, except maybe for a handful of sites for those with a
Facebook account. So disabling Facebook globally with exceptions where needed
is top advice to reduce privacy exposure.[3]

[1] [https://github.com/gorhill/uBlock/wiki/Blocking-mode#easy-mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode#easy-mode)

[2] Followed by `googletagservices.com`, `twitter.com`.

[3] [https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-to-easily-reduce-privacy-exposure](https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-to-easily-reduce-privacy-exposure)
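
Added example, not gorhill's benchmark code and not part of uBlock: one way to turn a request log into the [3rd party, 1st party] pairs described above and rank third parties by how many distinct sites embed them. The log entries are constructed, and `site_of` approximates the registrable domain with the last two host labels, which is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (page the user visited, URL that page made the browser fetch).
REQUESTS = [
    ("https://news.example/story", "https://connect.facebook.net/en_US/sdk.js"),
    ("https://news.example/story", "https://static.news.example/app.js"),
    ("https://news.example/story", "https://www.googletagservices.com/tag/js/gpt.js"),
    ("https://shop.example/cart", "https://connect.facebook.net/en_US/sdk.js"),
    ("https://shop.example/cart", "https://platform.twitter.com/widgets.js"),
    ("https://blog.example/post", "https://connect.facebook.net/en_US/sdk.js"),
    ("https://blog.example/post", "https://www.googletagservices.com/tag/js/gpt.js"),
    ("https://blog.example/post", "https://blog.example/style.css"),
]


def site_of(url):
    """Approximate the registrable domain as the last two host labels.
    Assumption: a real blocker consults the Public Suffix List (co.uk etc.)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def third_party_pairs(requests):
    """Return the set of (third party, first party) pairs seen in the log."""
    pairs = set()
    for page_url, request_url in requests:
        first, third = site_of(page_url), site_of(request_url)
        if third and third != first:  # same-site subdomains are first party
            pairs.add((third, first))
    return pairs


def rank_by_reach(requests):
    """Rank third parties by how many distinct first-party sites embed them."""
    reach = defaultdict(set)
    for third, first in third_party_pairs(requests):
        reach[third].add(first)
    return sorted(((t, sorted(f)) for t, f in reach.items()),
                  key=lambda item: (-len(item[1]), item[0]))


def apply_blocklist(requests, blocked):
    """Simulate a global block rule: drop requests to blocked third parties."""
    return [(page, req) for page, req in requests
            if site_of(req) == site_of(page) or site_of(req) not in blocked]


if __name__ == "__main__":
    for third, firsts in rank_by_reach(REQUESTS):
        print(f"{third}: seen on {len(firsts)} sites ({', '.join(firsts)})")
```

Re-running `rank_by_reach` on the output of `apply_blocklist` shows how much exposure is left after a global block.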

------
darrikmazey
Sounds like a situation that could be polluted with something like what Moxie
Marlinspike did with googlesharing, in an effort to bury the signal in the
noise.

------
username223
Stalkers gonna stalk, makers gonna make, founders gonna found. We nerds always
knew that the Facebook, Google, etc. images were tracking beacons, and their
business model was, to paraphrase Eric Schmidt, to get as close as possible to
the creepy line. Fortunately, it is/was easy to opt out by DNS-blocking a few
hosts. If this behavior becomes common, back-end data sharing and syncing will
become the norm, and something like Tor will become necessary, then local
encryption, then...

But who ever said fighting crime was easy?

EDIT: "And I have no doubt that the vast majority of engineers, designers, and
policy makers working in Silicon Valley want to do the right thing."

How can I even pretend to believe that the author believes that? They mostly
don't know what the "right thing" is, don't think of their behavior in moral
terms, and wouldn't dent their salaries to act morally.

~~~
ised
"...as close as possible to the creepy line."

Great stuff.

Blog posts are just too boring most of the time. We need more direct quotes
from the people toeing the creepy line.

That is the behavior that should be tracked. What do you think these
"engineers, designers and policy makers" get up to each day? Maybe lots of
"pretending to believe" they are doing something meaningful?

------
archangel11235
I'm not aware of the technical details of how the user is tracked. Is it
possible to be tracked even if the user has logged out of the social network
website (based on the browser or machine being used)?

~~~
stanleydrew
The technical details are simple.

When you are "logged in" to Facebook, your browser stores a unique token in a
cookie that can identify you. That unique token is sent with _every request_
the browser sends to FB, even requests you don't initiate directly.

These hidden requests happen all the time, like when a web developer embeds a
FB like button on a page. The like button is actually generated and served by
FB's servers (check your browser's dev console), and the request to show the
button itself gets that cookie sent along with it regardless of whether you
press it.

The tricky bit is that "logging out" might not actually be enough. I don't use
FB so can't say for sure, but it is certainly possible to implement "log out"
such that you can't see restricted resources or pages, but still have an
identifying cookie on your machine. In this case the cookie itself would store
a flag marking you as "logged in" or "logged out", but the cookie would still
identify you all the same.

~~~
sbov
I like to always use incognito browsing sessions when logging into Facebook.
At some point I cleared all my cookies too.

I remember a while back an article was posted about how to uniquely identify
users without cookies though. I don't recall the exact method though, or if in
this scenario it would require javascript and not just a link to a like
button.

~~~
kaybe
Basically you're using the specs the browser sends about the computer - OS,
screen size, add-ons installed.. this gets pretty unique. I've been able to
identify friends on a local site just by knowing them and their computers.

Check yourself here:

[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
sbov
Was able to find it. Actually it's using etags. They work even if you disable
cookies. Perfect identification, similar to cookies. Sites were using it
before it came to light:

[https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags](https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags)

~~~
pdkl95
You don't even need ETags - if the server sends out a unique (or mostly
unique) "Last-Modified" header, the browser will return the cookie in
"If-Modified-Since".
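
Added example, not part of the thread: a check for the cache-validator tracking described in the two comments above. It compares the `ETag` and `Last-Modified` values that two clean browser profiles received for the same URLs and flags the ones that differ per client; the header captures and host names are constructed.

```python
# Response validator -> request header in which the browser echoes it back.
VALIDATORS = {"etag": "If-None-Match", "last-modified": "If-Modified-Since"}

# Constructed sample: response headers for the same three URLs, captured from
# two clean browser profiles (no cookies, empty cache). Hosts are made up.
PROFILE_A = {
    "https://cdn.example/logo.png": {
        "ETag": '"5f3c-1a2b"', "Last-Modified": "Tue, 06 Oct 2015 10:00:00 GMT"},
    "https://widgets.example/pixel.gif": {
        "ETag": '"u-9c41d7e2a0"', "Last-Modified": "Mon, 12 Oct 2015 08:00:00 GMT"},
    "https://stats.example/b.js": {
        "Last-Modified": "Sat, 03 Jan 2015 04:11:09 GMT"},
}
PROFILE_B = {
    "https://cdn.example/logo.png": {
        "ETag": '"5f3c-1a2b"', "Last-Modified": "Tue, 06 Oct 2015 10:00:00 GMT"},
    "https://widgets.example/pixel.gif": {
        "ETag": '"u-04b7f3315c"', "Last-Modified": "Mon, 12 Oct 2015 08:00:00 GMT"},
    "https://stats.example/b.js": {
        "Last-Modified": "Thu, 19 Feb 2015 21:47:52 GMT"},
}


def normalise(headers):
    """Header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def per_client_validators(profile_a, profile_b):
    """Return (url, response header, request header that echoes it) for every
    validator that differs between two clean profiles fetching the same URL."""
    findings = []
    for url in sorted(profile_a.keys() & profile_b.keys()):
        a, b = normalise(profile_a[url]), normalise(profile_b[url])
        for header, echoed_in in VALIDATORS.items():
            if header in a and header in b and a[header] != b[header]:
                findings.append((url, header, echoed_in))
    return findings


def strip_validators(headers):
    """Mitigation: drop the validators so the browser has nothing to echo.
    Cost: the resource can no longer be revalidated with a conditional GET."""
    return {name: value for name, value in headers.items()
            if name.lower() not in VALIDATORS}


if __name__ == "__main__":
    for url, header, echoed_in in per_client_validators(PROFILE_A, PROFILE_B):
        print(f"{url}: {header} differs per client, comes back in {echoed_in}")
```

A differing validator is a signal to investigate rather than proof: servers behind a load balancer can emit different ETags for the same file, and the content may have changed between the two fetches.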

------
mark_l_watson
Is this a problem? Who stays logged into Facebook?

My browser does an auto fill for my user name and password, I login for 10
minutes to see postings from my brother, grandson, nieces, etc. and then
logoff.

Never occurred to me to stay logged into FB. In the same way, I like to use a
separate web browser for just using Google and twitter. Small easy steps for
maintaining a modicum of privacy.

~~~
jessaustin
_Who stays logged into Facebook?_

That isn't relevant. There are login cookies and there are tracking cookies.
Unless one arranges for the tracking cookies to be deleted regularly, one will
be tracked even if not logged in.

~~~
mark_l_watson
Thanks, good point: I should use incognito mode.

------
dstyrb
Anyone else find it ironic that the site has a twitter, facebook, g+, diaspora
share bar hovering on the right hand side?

~~~
Strom
Not really, because those are good old links that don't contact a 3rd party
server before being clicked. The standard Like buttons connect on page load,
instead of on click.

------
Nursie
>> Starting this month, Facebook will use them to track your visit to every
Web page that displays the buttons—even if you don’t click on anything.

This is why I have had everything from facebook.com or fbcdn blocked on any
site other than facebook.com for some time.

------
jstalin
Another point to think about is that if facebook (or any of these other sites
tracking you through social media buttons) receives a subpoena, it likely has
nearly your entire browsing history on file since so many sites have those
buttons.

------
JustSomeNobody
One thing to do is stop cloud seeding.

Another is to block trackers.

Another is to demand sensible advertising.

Your personal information is a currency. You get to spend it how you wish. But
just like any other currency, you must protect it yourself.

------
JustSomeNobody
Need to think of a particularly evil way to game this and embarrass FB.

------
polakallen
This title has at least two valid semantic interpretations. I'm mildly
disappointed.

<bad assumption redacted>

I'd argue that Facebook's moves create wealth, and are better for people in
the long run. The opt-out policy allows this type of system to exist.

------
runn1ng
Just display a warning notice on every page, where the user has to click "Yes,
I agree with the tracking cookie". That will solve the problem.

