The biggest problem is when you combine intrusive mass surveillance with an ultra-powerful entity that can be capricious, malicious, and often abuses and punishes its underlings. This is why I am far more concerned (as a selfish American, thinking for now only about the concerns of Americans) about the FBI having unlimited surveillance powers than the NSA: the FBI has a history of committing crimes, of horrifying suppression of speech, dissent, and political movements, of destroying the lives of innocents, etc. The FBI can knock on your door with guns and throw you in a cage for decades. It has massive power over us, so it is important we do not give it massive information about us at the same time.
The same is true with bosses. One technique to deal with this is to try to firewall the information away from the powerful. This is what we did to the FBI before parallel construction (bills that say data will be collected "only for terrorism" -- a lie, obviously, as it always is, but one that made the collection palatable). The article focuses on this approach, which is in my view a lost cause, but a lost cause worth fighting for nonetheless.
The other approach is to take away power from bosses. Right now a boss has complete and total power over his employees without labor unions or worker protections (i.e. the current state of affairs in the US). It is this combination with the information that is so disgusting and dystopian. So we could, instead, talk about taking away the power, rather than taking away the information -- which would have the added benefit of solving many other social problems along the way.
I think that you and others are too cynical, although I agree that it might become worse before it gets any better. If we look at history we can see that other societies had the will, if not the means, to engage in data mining on the scale that ours does through the internet and massive analysis through machine learning/statistics. The Stasi is an example of an organization that certainly displayed the will to violate privacy as much as possible.
But it also becomes apparent that the privacy-violating priorities of those organizations and societies can change, in an almost Hegelian dialectic manner, to protecting privacy. These days counterculture is still going strong in Germany, relative to other parts of Europe. People who belong to a counterculture will, by definition, resist tools that exert control over them, such as extensive surveillance. This is in addition to the fact that Germany is more privacy friendly than most of its European neighbours.
Things can and do change over time. Through history a pendulum swings from one extreme to another. We just need to wait until something goes horrendously wrong with the way our privacy is currently being violated before it starts to swing in the other direction.
IMO, the fight should focus on things like secretly turning on the microphone on your internet-connected device (cellphone etc.) and listening in. That's the kind of situation where we could get useful long-term precedent, and most people would agree with the intent.
Because, if we are not careful, that can quietly change, and AI will make listening to every conversation anyone has in the country a real possibility.
Not sure I'd want to be unable to mask the camera and mic being active either.
for your use case, you might consider tape that's the same color as the material surrounding the light. though, that'd be a huge inconvenience to apply in the heat of the moment, and it'd somewhat defeat the purpose of an easy indicator if you had to peel it back every time you wanted to check the light. though... you might also worry about recording when it's in your pocket, in which case you'd still have to pull it out to look at it.
i know that police will often try to interfere with recording despite the legal precedents, but it seems pretty well accepted at this point that recording police activity is completely lawful as long as you're not interfering with said activity. again, i know police have blatantly disregarded that in practice, but it's something.
oh, another low tech option for surreptitious recording: finger over the light. still gotta remember to do it, but again, it's something.
Are we sure mass recording isn't already happening? It wasn't that long ago that the idea of bulk metadata collection was thought of as tinfoil hat material by many.
There are quite a few ways to do it.
I am not so worried about that as I am about the cost. Consider: You could always get the dirt on someone if you were willing to drop a few grand on a private dick. That created a bit of friction - you had to really want to get at that person. But what if you can get all the dirt you could ever use for just $1, or some trivial cost? Someone so inclined could go on a fishing expedition on a whim. Your HR department could routinely do everyone in the company, and every supplier and customer, because why not? That's the way this will be weaponized.
Everyone should have access to quality healthcare (as a birth/immigration right); tax everyone, single payer (the government) negotiates with doctors in an area for the best price; everyone that needs a service done picks from among the open local doctors and just gets treated. No secondary bills, no annoying billing department, just treatment.
Second would be to actually have a national ID, and among other things, to have (an abstracted) public shipping address for registered mail to reach that person. First Class (normal post) would be able to look up the address as part of the service. Anyone could thus mail to #NATIONALID# and not need to worry about where someone has moved or relocated.
Third is enforcing market competition for basic supplies (of all kinds, but I'll focus on housing since that's a major concern on HN). This would mean that if there isn't enough housing in an area where people want to be, more would be encouraged, and if that isn't enough to match demand, special arrangements would be called for to do things like buy out whole neighborhoods (at once) at something like 2-5 times current market value per unit and redevelop an area to a correctly targeted density.
I think Zeynep Tufekci described the situation really well with the title of her recent Ted Talk: "We're building a dystopia just to make people click on ads".
> I think we have already lost the battle over data mining
It's not a combative question - I'm genuinely interested in whether I've misinterpreted the GDPR requirements. From what I've seen, given how much personal data is willingly traded by people, and the greyness around "legitimate interests" of the controller, the landscape won't look massively different (just perhaps a more invasive privacy notice on first visit?)
Firstly, I am elbow deep in the recruitment sector, and GDPR is a Major Fucking Deal for everyone. Software companies in the recruitment space are spending a huge amount of time and treasure making sure they are on top of the game for GDPR. Recruitment consultancies are too. The industry is taking it super seriously. Recruitment is (amazingly, and contrary to what people tend to believe) generally pretty good about this sort of stuff (with almost all shady shit coming from individual recruiters with too little oversight), so maybe the industry is over-reacting, but I don't think so.
Secondly, I am pretty aware of a lot of shady internet marketing and retargeting type shit. I don't know how that industry is reacting because I'm not close enough, but I'm pretty sure they should be in a panic if they're not.
The law as I understand it will make it difficult for companies to use catch-all privacy policies without being specific, and companies will have to make an explicit case for -- for example -- reselling your data to advertising companies if that's not explicitly what you signed up for.
One of the benefits of recruitment is we tend to have a lot of touchpoints to gather informed consent, whether through the points in an ATS, expressions of interest, candidate contact and follow ups.
It's serious, don't get me wrong, but I think given the grey areas in definitions that there are (and the rationales developed for collecting information in the first place), if you're a responsible data controller in the first place, the impact will only be felt in a few ways.
For the purposes of advertising, it's always been sketchy to "sell" data to an ad company. Most of the time it's owned data passed along and processed by them on behalf of the original acquirer (something comparatively easy to get consent for, because it also ties into personalisation) for retargeting. Initial targeting is going to be the hard part, as the right to be forgotten is going to be hard to manage across multiple DSPs.
Analytics is going to be a *, as we'll need to delay any analytics firing until someone's opted in, but this will become blind after a while once someone's opted in or out. Persisting this option will, perversely, mean having to store more personal data around choices, but hey ho.
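The delay-until-opt-in approach described above can be sketched roughly like this (a minimal illustration with made-up class and method names, not any real analytics SDK):

```python
# Sketch: buffer analytics events until the visitor makes a consent choice,
# then either flush or drop them. Names here are hypothetical.
class ConsentGatedAnalytics:
    def __init__(self):
        self.consent = None   # None = undecided, True/False once chosen
        self.pending = []     # events buffered while undecided

    def track(self, event):
        if self.consent is True:
            self._send(event)
        elif self.consent is None:
            self.pending.append(event)  # delay firing until a choice is made
        # consent is False: drop silently

    def set_consent(self, granted):
        # Persisting this choice is itself a piece of personal data,
        # which is the perverse bit the comment above points out.
        self.consent = granted
        if granted:
            for event in self.pending:
                self._send(event)
        self.pending.clear()

    def _send(self, event):
        print("sent:", event)
```

The awkward part in practice is exactly what's noted above: you have to store the opt-in/opt-out choice somewhere durable, which means keeping more state about the user, not less.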
It is also not feasible. Sure, you can stop doing that, but there are millions of other 'tells' that you will give up through your actions online that can predict this information. Machine learning will pick up features you cannot control or even imagine that will accurately predict whether or not you are on the job hunt, no matter what you do to hide it short of just disconnecting from the Internet. Which is likely a tell itself.
Surveillance capitalism and government spying on the populace (enabled by the former) have gone far enough. To acquiesce to a degree like that is to give them an inch, and if you give them an inch, they will take a mile and we'll be back to where we started.
Yes it is. No less than if you got their postal address from their CV, parked outside their house and watched who came and went. After all they volunteered their details and the street outside their house is public... right?
This continuum fallacy stuff really just makes privacy advocates look like kooks.
You have to use the language other people use if you want to convince them, and normal people do not draw an equivalence between someone googling their name, and someone staking out their house, because there is an ocean between them.
You've clearly not read the article, in which a judge says that planting a tracking device on a car is materially different than tailing it.
It's possible it won't make changes but, hey, ya neva no wot can appen.
The FBI is nowhere near as evil an organisation as the Gestapo, the NKVD, and so on. Using Nazi allegories all the time limits your ability to escalate rhetoric when they actually do something Nazi-like.
Let's say we've lost so far, but certainly we can change. Europe, for example, has much stronger protections than the U.S. Laws cleaned up the environment in cities, brought a revolution in civil rights to billions .... certainly we can provide privacy to end users if we put our minds to it. (I'm not saying it will be easy.)
you could end up with job seekers who are just seeding predatory lawsuits, or people squatting on a company to get whatever they can regardless of the cost/value impact they have on it. terrible for both businesses and competitive job seekers alike
even if they made a law that says "you can't fire people for things discovered using data mining," you now run into the situation of having to provide some reason for firing someone. that's messy, because you shouldn't need to provide proof or reasoning for no longer wanting to work with someone. it would make it dangerous to work with anyone who showed any potential risk of making things difficult, and we don't want to make it riskier and more expensive for people to get jobs
This is obviously untrue. You can be fired for any reason, anytime. Whether what you're doing is at work or not. Your boss can see you at a protest and fire you. Your boss can call you at 2am on your personal line and fire you if you don't pick up the phone. Your boss can fire you for not liking the right music or restaurants, or for refusing to go to certain parties (it's just not a good culture fit).
> clearly having employees be able to harness some law and create a kind of capture on the employer wouldn't be ideal
No, it wouldn't be ideal, but it would be very, very good. Asking for something ideal is a little Utopian, so I'll take the massive improvement you are suggesting.
>people end up squatting on a company to get whatever they can regardless of what cost/value impact they are having on the company
You have just described most bosses and corporate owners.
>you now run into the situation of having to provide some reason for firing someone, which is a messy situation, because you shouldn't need to provide proof or reasoning for no longer wanting to work with someone
This is how it works in nearly every developed country in the world, and how it used to work in the US. It works just fine. There is no need to give bosses ultimate, complete power over all aspects of their employees' lives. There is no reasonable justification for it I have ever seen except ideological devotion to the unquestioned authority and power of the wealthy.
I believe the paragraph you are referring to was a statement of fact, not an approbation. I've read it as: "here's what US employers can do, and why it sucks big time".
The focus should be on how disturbing it is that a company is using metrics like "independence from employer brand" to take the power out of the hands of the worker and put it into the hands of the corporation who already wields so much power and influence over our society.
Programmers are lucky, a last bastion of decent treatment by corporations. Companies like HiQ are looking to tip the scale back in favor of the corporation, run by people like Mark Weidick who want to be a useful and well kept pet and identify as a "Silicon Valley entrepreneur. Hollywood wanna-be." (twitter)
I fear secretive preemptive firing and hiring. "Talks" from your manager, based on encroachments into your private internet browsing. This will force developers to combine their personal identity with their corporate identity (which far too many developers do already, wearing their respective companies' t-shirts like big walking free advertisements) and curate their online life to reflect how grateful they are to the lords of their fiefdom.
Hah, maybe in the Bay area - in the rest of the world we're treated like scum, just the same as everyone else.
1. Is it always ok for someone to build a bot to do something which can be legally done by hand? Example: Building a LinkedIn scraper that tracks all public data. Or using a GPS tracker to track a car, instead of manually following it
2. Is it anti-competitive practice, and a violation of anti-trust laws, for LinkedIn to allow the general public, and other companies like Google, access to its public data, but ban others such as HiQ?
On question 1, I tend to lean towards LinkedIn's position. Just because something can be legally done by hand, shouldn't automatically mean that we should allow it to be done at massive scale by automated scripts. I wouldn't want companies having the right to surveil the movements of every citizen 24/7, just because they have the right to follow someone on foot, and I think a similar argument can be made against HiQ.
On question 2 though, I agree with HiQ. LinkedIn's attempt to ban HiQ doesn't seem like an attempt to protect their users, but rather, an anti-competitive attempt to kill off a potential competitor, and secure the market for themselves.
I feel like there's an inherent contradiction there, and the right thing to do isn't to "lean into" the contradiction, but rather to resolve it in the other direction. That is: we probably need to change what is legal for private individuals to do, if we want to effect change in what is legal for automation to do.
After all, at its most basic, we've got "automation" like Mechanical Turk, or people who you can hire to stand in a line for you to buy a new iPhone. Any law against automation won't work out if exceptions like that still exist; and those exceptions can't be stopped except by changing what deals it is legal for a human to make.
It can't be solved this way, because some things cannot be made illegal, or if they can, they cannot be enforced at the level of the individual doing it manually.
Some individual can always sit at a street corner and read the license plates of the cars that pass. How can one make that illegal?
But systematically mass-collecting such data could easily be made illegal.
>After all, at its most basic, we've got "automation" like Mechanical Turk, or people who you can hire to stand in a line for you to buy a new iPhone.
That still has costs and limitations -- so it's nowhere near any competition for automation.
I'd say making their automated version illegal is a good starting point.
Have you heard of conspiracy laws?
We disincentivize gangs from using drug mules, by making it hard for them to find willing drug mules, by making it illegal to be a willing drug mule—the drug mule will, if they were complicit in the act, be charged with conspiracy to commit a felony.
This (apparently) works to decrease the prevalence of drug-muling, even though it's very hard to detect drug mules (which is the whole point of drug mules.) The law only really gets applied when you end up finding a mule through some other investigation (i.e. busting the gang itself.) But that still happens often enough to scare all the other potential willing drug mules.
This is how I'd see individuals sitting on street-corners counting license plates being charged: not for doing anything that is illegal prima facie, but rather for their willing complicity in a conspiracy to commit the novel crime of, say, building a database through espionage/surveillance without a license.
In other words: if the company's business model is based on a crime, then they're a criminal organization; and it's illegal to profit from dealings with a criminal organization, so you're doing something illegal by doing what they say, even if the thing they're asking you to do isn't illegal.
It is already illegal for a private individual to follow you 24/7. That is harassment. An extant law can, with modifications, potentially be applied to the GPS tracker scenario -- we only need apply the same rules binding individuals to their scripts as well.
- Should data truly intended to be public be scrapable by HiQ (or anyone)? The answer has to be yes.
- Should you be able to use "public" data to seek out essentially private information behind the user's back (like what HiQ is doing)? The answer has to be no.
On this latter question, there is a notion of continuous consent and discoverability. There should be a feedback trail all the way back to the original provider of data (the user) about who is accessing the data and for what purpose, even if (or especially because) it is public; and this fact should be made known to the accessor.
There has to be a semblance of symmetry in how a public exchange of information should take place. Both the provider and the accessor should be in the open if it is truly public. Then the user can take actions to affirmatively provide continuous consent or withdraw.
I'd say no. Technology is a multiplier, and if the same thing that took painstaking work and devoting resources to be done manually can be done automatically, it can be the difference between a democracy and a police state.
(E.g. the police targeting some suspects by tailing them and have some people listen to their conversations, and everybody in the country monitored 24/7).
The kind of crappy arguments usually taken as OK in courts, however, see this otherwise, as if doing something 1000x in an automated way were the same as doing it once.
I think we as the society are ultimately responsible for setting certain "rights" in stone. For instance, should the government be able to record everything anyone says "in a public place", even while on the phone or having a "private conversation" (but in public) with a friend, through highly advanced CCTV cameras?
Sure you could argue that "because it's a public place, then yes, we can conclude that the government should be allowed to do that". But that doesn't necessarily have to end the discussion. We, the society, can decide that "HELL NO, that's not acceptable, and we'll put anyone who tries to do that in prison."
That doesn't mean it's legal for private entities to do so, nor is it necessarily legal for such data to be, for example, aggregated nationwide.
See https://www.theatlantic.com/politics/archive/2014/02/mass-su... for Conor Friedersdorf's article, which is credited with bringing down the last attempt at a "Homeland Security" database of where you were last summer.
Moving the obscurity would constitute modification of private property and should require either a valid documented probable cause or a warrant for the search.
I think it's well within a website's rights to control who scrapes them. The problem with LinkedIn (and other social media sites) is that they don't let their users control this, in turn. It should be up to each user to decide whether they want to appear in search engines, and which ones.
It's pretty bizarre that this was never brought up in the article. The idea that users should control their own information was entirely ignored.
Funny that you put it that way; when computers were in their infancy, people would scoff along the lines of, "...and they spent all that money/time teaching the damned thing to do something that you could get anyone off the street to do for $0.50/hr..."
Of course, before computers were invented in the first place 'computer' was a job description for a person who computes. How things change in...what, 50-80 years?
On question 1, I think you are really on the money. Concise.
We're used to thinking in terms of principles when it comes to our principles, especially laws. Realistically though, our moral codes are not like physics. They're approximations that seem to work for the most part, for the situations we know about. Being a somewhat anal retentive species, we don't generally like this. It feels like the principles are unsound.
This is a thorny question. What if I build a scraper that requires me to press a button in an app to actually run a scrape? Is that "by hand"? This seems hard to effectively regulate without sliding into a criminalization of a lot of benign things programmers do on the web.
However, whether this all is actionable and accurate is another and unfortunately later question. The promoters and customers of that approach might want to read this chapter in the CIA's Psychology of Intelligence Analysis:
Chapter 5: Do You Really Need More Information?
But then they might not have a product to sell or buy.
No, not everyone is like me and ignores LinkedIn while actively and happily employed, but I imagine enough people are and that it’s not so hard to build models of other user types that work as advertised (as long as they have access to the public data).
HiQ is a threat to LinkedIn on two fronts: as a direct competitor and as a reason for some people to opt out of using the service (though it appears LinkedIn offers similar services, so perhaps the threat is more the Streisand effect at work). That doesn’t mean HiQ should be locked out of the data of course, but it makes for an interesting and complicated situation.
For a big market with small bets (ads) this makes sense. For a small market with big bets (employment) it doesn’t make sense, to me at least.
It doesn't matter if it's not always right; it only matters if it's better than what they have at the moment (i.e., almost nothing).
Like the quoted bank said in the article, improving retention by 1% can lower costs by $100 million per year. Offering a raise to people polishing their LinkedIn page sounds like low-hanging fruit to me.
And of course, employees will try to game the system, which will become smarter and so on.
As I said, there are markets, large markets like ad auctions, where this approach makes sense. But for HR, I'd have to see this being a demonstrable success story before I'd touch it. I think there are better and easier approaches to retention like treating your employees well rather than looking at a statistics dashboard and following its sage if soul-less advice.
Remember, we live in a world where coffee shops and Jimmy Johns (sandwich shop) decided that they needed to subject their employees to pretty draconian non-compete agreements.
You will no longer be allowed to collect and store personal data without consent.
(Disclosure: I used to work for Microsoft, which now owns LinkedIn, although I like to think I'd have this opinion either way)
So they are saying that anybody should be allowed to scrape anything found online, and use that data for any purpose?
In this case it can be argued they use the data against the physical person whom the data is about.
So they wouldn't object if banks or credit companies used the data to reject undesirable people.
The real chilling effect is from the lack of actual privacy of the data itself, and the existing asymmetry of power in the employer/employee model as we know it today.
Messenger asks nicely to upload your whole address book, and since half your college buddies clicked yes, they know when and where you studied, and who you knew, and your parents' landline, and thus some idea of their location (and how wealthy it is). Ditto your colleagues at each place you worked, who all still have your old corporate email, and some have newer info...
And that's before anyone posts anything on facebook.
They have the data, yes. But they will ruin society before having any idea on how to use it.
Most importantly, they cannot correlate that with my IP or my browsing history. So that information is beyond useless for tracking me and only slightly useful for researching the society in which I grew up (which Facebook isn't interested in anyway).
When I make the mistake of buying something online in a browser logged into Facebook, then I get ads for a week trying to sell me what I just bought... This does not lead to me buying another one! And all this strategy seems to need is basic cookies, not a shadow profile.
That depends. If they know that you visit websites that are also visited a lot by other males in the 20-30 age group, then they can fairly safely assume that you are a male between 20 and 30.
No tracking needed. Much better accuracy and return.
The days of just targeting you based on the content site are over, now demographics and your search/click history plays a role too.
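For what it's worth, the inference described above (guessing a visitor's segment from the known audience mix of the sites they visit, with no per-user tracking) can be sketched in a few lines. The site names and audience shares here are entirely made up for illustration:

```python
# Sketch: infer a visitor's likely demographic segment by averaging the
# audience composition of the sites they visit. Hypothetical data.
from collections import defaultdict

# Assumed inputs: per-site audience shares (e.g. measured from logged-in users).
site_demographics = {
    "gadgetblog.example": {"male_20_30": 0.70, "other": 0.30},
    "gameforum.example":  {"male_20_30": 0.65, "other": 0.35},
    "newsportal.example": {"male_20_30": 0.30, "other": 0.70},
}

def infer_demographic(visited_sites):
    """Average the audience shares of the visited sites and pick the
    most likely segment -- no individual tracking required."""
    totals = defaultdict(float)
    for site in visited_sites:
        for segment, share in site_demographics[site].items():
            totals[segment] += share
    n = len(visited_sites)
    return max(totals, key=totals.get), {k: v / n for k, v in totals.items()}

segment, scores = infer_demographic(["gadgetblog.example", "gameforum.example"])
print(segment)  # -> male_20_30
```

Real systems are obviously far more elaborate, but the point stands: the visitor's own identity never needs to enter the picture for targeting like this.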
Maybe they have a few percent better accuracy than guessing at random. And that might be worth a few billions. But on an individual level they just don't have the slightest clue.
edit: State of the art tracking seems to be "look at what products user x has looked at, show the exact same product everywhere after he/she probably bought it".
Now if you do have and use a facebook account that is another thing.
Can you give some sources for your claim?
I guess the most tangible data point is when Google allowed you to look at what it thought of you (gender, age, interests, etc.) and how bad they are at it unless you actually use their services.
It is obvious they would be far better off targeting sites than users without accounts. But that is not where their competitive edge is, so they downplay it. Also, I guess they are big enough not to care about people without accounts.
They can't even detect fake and duplicate accounts, which would be trivial in comparison.
They almost certainly can, but due to capitalism, they have a business interest in not really removing these accounts.
After all, when you ask for a raise you're in a wonderful negotiating position when your value is clearly quantified. When you mine/collect the information yourself, you get to choose how and when you present it. Thus you are selling the information to your boss and reaping the rewards yourself.
* EPIC: https://epic.org/amicus/cfaa/linkedin/
My public information on LinkedIn is public - to market myself. I didn't make it public so that another company could store it in their own databases, analyse it and sell it to "my boss".
This is a discussion touched upon in the article "What were the public squares and private rooms of the web? Who got to determine access? Should data be protected as speech?"
Anyway, as mentioned in another comment, the highly unethical work HiQ is doing will be hard to capitalize on with the GDPR coming up.
> highly unethical
How is a company leveraging intentionally public data unethical? That's quite a stretch. Stop making your information public if you don't want people or companies to look at it. It's as simple as that.
If you want to talk about unethical practices, let's talk about financial companies selling your transaction data to advertisers and insurance agencies, or social networking platforms re-purposing the content of your direct messages, or ISPs selling your browsing history. Those are actual things which have a reasonable expectation of privacy. These are actual instances of problematic PII abuse and what laws like GDPR are intending to curb.
My Boss is going to find out I volunteer at soup kitchens and help old ladies across the street. Oh, and I also love his favorite band and agree with him politically and didn't even have to gratuitously mention this around the office like a big suck up. A promotion is just around the corner!
Wasn't it just last week we saw articles on the front page almost every day about how we can't trust information from the Internet because Facebook and Google are big lying spying monopolies and sell clicks to anyone and don't responsibly curate like they are supposed to and we should all go back to reading the newspaper to get the real facts on life? Ya, pretty sure that was the gist of them. Anyway, hopefully my boss didn't read any of those. We'll just leave him believing that data mining and scraping and twitter sentiment analysis have super secret powers to reveal the hidden truth about the world.
That's a benefit to the employer, that probably is not a benefit to you, since you would likely want to quit on your own terms.
Another quick example is knowing that your employees are researching how to unionize, and thus knowing to bring in anti-union resources.
I'm sure there are more.