
Germany vs. Facebook: Like Button Declared Illegal, Sites Threatened With Fine - flardinois
http://siliconfilter.com/germany-vs-facebook-like-button-declared-illegal-sites-threatened-with-fine/
======
Atropos
I'm from Germany and I'm currently writing a dissertation (similiar to PhD) on
data protection law. My take on the situation:

1) Are the european data protection laws "perfect" or reasonable? No, they
can't be, the most relevant directive is from the year 1995.

2) Do Google or Facebook comply with the European data protection standard? No
way. Do they even try? No. There is something called the "Safe Harbor
Directive" (<http://en.wikipedia.org/wiki/Safe_Harbor_Principles>) which
Facebook and Google have declared to uphold. However they "self-certify" and
in reality it is more like a "scam". For example Facebook is boasting about a
"TRUSTe" certificate, which is practically a
joke.(<http://en.wikipedia.org/wiki/TRUSTe>)

However the story about the 50,000€ fine is just for publicity. Google has
lost cases in civil court against consumer protection agencies about their
privacy policy, but to date there has never been a fine by a government
agency. Furthermore just because the law says "up to 50,000" as a maximum
sentence doesn't mean you could realistically go that high.

------
philp
The situation is actually quite a bit different from what was presented in the
siliconfilter article. I looked into a couple of more established local media
outlets and it turns out that this fine does not apply to all of Germany. Mr.
Weichert strictly targets sites from Schleswig-Holstein ( Population: 2,8M ).
This is the only state where he has 'some' legislative power and it remains to
be seen how we would be able to target sites from his specific district. I'm
sure you can appreciate the technical difficulty. This is also not a new law
but a highly controversial interpretation of existing privacy law. There is a
tremendous backlash and open opposition coming from high-ranking German
politicians regarding this fine. All in all the whole thing looks more like a
PR-stunt, it's highly unlikely that website-owners will ever be fined in the
near future for Facebook buttons.

~~~
philp
I'm German btw. Don't want anybody to think I learned that gruesome language
for the fun of it...

~~~
cageface
Mark Twain wrote a satirical but very funny critique of German:

<http://www.crossmyt.com/hc/linghebr/awfgrmlg.html>

~~~
gnosis
While we're on the subject...

 _An American woman visiting Berlin - intent on hearing Bismarck speak -
obtained two tickets for the Reichstag visitors' gallery and enlisted an
interpreter to accompany her.

Soon after their arrival, Bismarck rose and began to speak. The interpreter,
however, simply sat listening with intense concentration. The woman, anxious
for him to begin translating, nudged and budged him, to no avail.

Finally, unable to control herself any longer, the woman burst out: "What is
he saying!?" "Patience, madam," the interpreter replied. "I am waiting for the
verb."_

------
Creyels
The article is kind of misleading. After reading the original FAZ article (I
am german and a site owner) I learned that because Weichert is the head of the
Independent Centre for Privacy Protection of the northern German state of
Schleswig-Holstein, he only has the competence to threat site owners within
"Schleswig-Holstein" (Population: 2,8mio).

~~~
ugh
With only a few exceptions, privacy and data protection is handled on the
state (or Länder) level in Germany. (One exception to this is the federal
government and its data protection.)

He would have to convince his fifteen colleagues to make this a Germany-wide
thing. Handling this on the federal level is not even possible in Germany, the
federal data protection appointee has nothing to say about such matters.

~~~
consonaut
But the TMG as well as the BDSG are federal laws and after reading his paper I
would agree with his view of them.

It would only take someone to go to their local data protection supervisor
(Datenschutzbeauftragten) and complain about being tracked by the facebook
like button on a site hosted in germany, the data protection supervisor would
have to issue a fine (if he agrees with that interpretation of the law) and it
would go to court, since the owner of the website would naturally dispute it.

Difficult to say how the court would rule.

~~~
ugh
Those data protection appointees (and the people who are working for them) are
the enforcement arm of the data protection laws.

The laws are not (only) enforced by the police but by specialized offices –
just like tax law (with the tax office and tax investigators) or food law
(with food inspectors).

This is like the police (which is organized in a similar way) in Bavaria
deciding to enforce a federal law in a certain way. Whatever the police in
Bavaria decides to do doesn’t have to have any consequences for the police in
other states. (Suffice it to say, the police in other states isn’t going to be
very happy when they hear about the Bavarian police interpreting a law in an
odd way.)

It’s the courts that have to decide in the end what is correct and incorrect
enforcement.

------
josscrowcroft
This seems like one of those "Oh man, what a crazy country!" stories - and
sure, the €50,000 file is pretty nuts - but the more I read about it, the more
I think that challenging one company's dominance is potentially a good thing.

If nobody ever speaks up and says "Hey, hang on - how much info are we giving
them, really?" it'd be far too easy for companies to take advantage..

Having said that ... this won't stick. By this virtue, sites would have to
remove G+ buttons too, and Google Analytics (which profiles 'anonymous' users
even more heavily than FB)

~~~
philp
Being German I have to say I really appreciate my countries concern with
privacy. ( Despite this rather ridiculous attempt to protect it ) The mega-
corporations that are hoarding our data have a habit of being as in-
transparent about privacy as possible ( Google excluded, maybe ). Government
entities are in a unique position to enact legislation that levels the playing
field and puts consumers back in charge of their data. I'm hopeful that future
generations will demand unrestricted control over their personal data as a
basic human right.

~~~
blauwbilgorgel
How do you see the difference between Opt-in and Opt-out?

For example, I never asked for Google Streetview to photograph my property, so
in that sense they might have violated my privacy.

But clicking a Like! button is like giving implicit approval to send some
relevant data to Facebook.

If you were a German Facebook fan, would this law make it impossible to place
a Like! button on your own site, when you and your visitors clearly want it?

Is it possible to voluntarily wave away the right to privacy or is it really
an all-or-nothing deal?

Edit: It seems that you get logged without ever clicking the button, or lack a
Facebook account...

The paper "Facebook Tracks and Traces Everyone: Like This!" mentions 3 valid
privacy violations by Facebook.

    
    
      informational self-determination: the individual should 
      be able to decide which data are disclosed to whom and 
      for what purpose.
    
      contextual integrity: data has to be treated according to
      the norms applicable to the context in which 
      the data was disclosed.
    
      data transfer without consent: data should not be 
      transferred to another context without the individual's
      consent
    

Abstract:

    
    
      [the Like button] is also used to place cookies on the 
      user’s computer,  regardless whether a user actually uses 
      the button when visiting a website. As an alternative 
      business model this allows Facebook to track and trace 
      users and to process their data. It appears that 
      non-Facebook members can also be traced via the Like 
      button.

<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1717563>

Ah, well. Back to a custom Facebook Share button for me.

~~~
philp
I'm not sure if you were addressing me but I'll go ahead and respond anyways.

I don't think privacy should be an 'all-or-nothing' proposition; waving away
your right to privacy should not be a decision an individual has to make.
Ever.

I believe that what the majority of users want when interacting with internet
platforms like Google, Facebook, etc. is a responsible use of their data; a
reasonable balance between giving up information and receiving benefits in
exchange.

From that perspective I would argue that Facebook collecting data from you
simply by 'browsing-by' a like button is unacceptable. But I wouldn't go as
far as to say that everything is fair after you've given alleged, implicit
permission by clicking a button either. It's about a reasonable expectation
the user has about what kind of terms he's entering into by 'like-ing'
something. Is it okay for Facebook to have a look at what site your coming
form? Associate your account with this like? Maybe. Would it be acceptable for
Facebook to go through your history and look at the most recent porn sites you
showed interest in? Probably not. That goes at the notion of contextual
integrity you mentioned. The line is blurry but it certainly exists.

Another important consideration for me is who has access to the data that is
collected. Larry Page famously answered to Paul Buchheit that there 'are no
privacy issues' when faced with thousands of complaints concerning Gmail. I
don't really mind machines going over the contents of my email in an effort to
target ads at me. It's creppy to some but if you understand the underlying
technology I would side with Larry and say that, really, there are no privacy
violations. It's about the trust you have in a corporation when it comes to
handling your data. Transparency goes a long way.

Give me your thoughts.

P.S: I don't think an individual or a corporation could successfully operate
on the internet while strictly adhering to the three standards you mention.
Getting explicit consent for every data transaction that occurs when using the
internet would make that medium virtually unusable. We have to make certain,
maybe gullible, assumptions about the companies and individuals we interact
with to navigate everyday life; you do it every time you enter into a contract
without studying the fine print.

A custom Facebook Share button sounds like a terrific idea, open-source it! :)

------
bugsy
It's not a Like button, it's a privacy invading web tracker in the guise of a
Like button, a disguise intended to colonize by trickery.

Germany's actions are the right thing to do.

~~~
notahacker
Worse than Google Analytics, ad networks loading graphics on remote sites,
tracking cookies, or any other form of remote tracking system that's been
around since the emergence of the commercial web and arguably is part of its
design?

------
sp332
Actually, doesn't the JS in the (official) embed code send that data to
Facebook even if you _don't_ click the button? source:
<http://sharemenot.cs.washington.edu/Overview.html>

------
jpiasetz
I'm all for stronger privacy laws however banning analytics and forcing Google
to pixelate houses does more harm then good.

Laws like that give people a false sense of privacy. House is still visible
from the street and private info can still be tracked online.

Privacy advocate should focus on education and making sure it's explained what
is shared with who. If it's clear what you're sharing by signing up to a
service and everyone understand what that means we would all be better off.

------
mtogo
If you're worried about this kind of tracking, install the Ghostery addon for
Firefox, Safari, or Opera. It blocks like buttons, +1 buttons, google
analytics, kissmetrics, and a few hundred other trackers.

------
Permit
This seems a bit too much for me, personally. Does Germany take issue with
Google Analytics as well? They take all kinds of data about users and send it
back to US servers.

If I was hosting a site in Germany, I'd probably tend to switch hosting before
I removed the "Like" button from my website.

~~~
icebraining
_> Does Germany take issue with Google Analytics as well?_

I hope so. Subjecting users to tracking by Google without their consent (you
have no way to know that website X is tracking before it does) seems very
abusive to me. Nothing prevents webmasters from installing tracking software
on their own servers.

------
Perceval
Why is Schleswig-Holstein always causing Europe problems? Shouldn't they have
learned their lesson? <http://en.wikipedia.org/wiki/Schleswig-
Holstein_Question>

~~~
tomjen3
The lesson no longer applies. After two world wars, europe has no stomach left
for more.

------
hussong
Jeff Jarvis went ahead and talked to Facebook to get some background on the
issue: [http://www.buzzmachine.com/2011/08/19/disliking-like-in-
germ...](http://www.buzzmachine.com/2011/08/19/disliking-like-in-germany/)

------
jonalexr
I was thinking about this a couple of days ago - with Like buttons appearing
all over the internet, Facebook has the ability to log what sites you visit,
when you visit them, etc. Question is, do they? To what extent?

~~~
finiteloop
The purpose of the Like button is to enable you to share stuff back to
Facebook when you click on it. We anonymize all logging data collected as a
byproduct of serving the Like button and other social plugins within 90 days
of their collection. See <https://www.facebook.com/help/?faq=186325668085084>.

Bret Taylor CTO, Facebook

~~~
sneak
What happens within that 90 days? Why not anonymize it within 90 seconds?

------
nettdata
I like this.

------
coderdude
It's always funny when a little country like Germany or France wants to "ban
the Internet" or something. It's kind of cute.

Edit: Man, I sure have offended a lot of people. I really didn't mean to make
it seem like you're insignificant, or that the decisions you make are
ridiculous and not well thought out when it comes to the Web. I think you guys
are doing a great job!

Keep up all this good work and maybe one day we'll relinquish our control of
the root name servers over to you.

~~~
drzaiusapelord
Little? Germany is one of the world's massive economies.

Whats cute is Americans who think regulating business is something we should
never do and privacy laws are bullshit. Sorry, but it looks like the rest of
the world isn't so lassiz-faire.

~~~
tzs
Not all privacy laws are bullshit...but this one sure seems to be. The "Like"
button (and the "1+" button, and the buttons to submit to Reddit, HN, and the
like, which would all be covered) are completely optional for the visitor to
the site. They don't have to click them unless they want to.

The same argument they are using against these buttons applies to off-site
hyperlinks in general. Are those going to be banned in the name of privacy?

~~~
potatolicious
The "Like" button is not a hyperlink. A hyperlink doesn't reveal your identity
to the target site unless you click on it - the Like button _will_ ping
Facebook about your presence _even if you don't click_.

So yes, there are _major_ legitimate privacy concerns about this. I'd hope you
weren't aware of this, otherwise this would be an incredibly disingenuous
argument to make.

