Salesforce CEO Benioff calls for national privacy law (salesforce.com)
318 points by jeffthechimp on May 16, 2018 | 155 comments

This is absolutely hilarious. This dude owns a company that builds an array of products around identifying your users, storing as much information about them as possible, and then making that information as actionable as it can.

>A national privacy law would require that companies disclose how they collect your information, use your information, and offer a right-to-be-forgotten, Benioff explained. “If you want to delete your information, you could hit that button and be sure your data is gone forever.”

Okay, want to start by adding that button to the Salesforce DMP page? Right now, it looks like the best I can do is get an opt-out cookie that expires in 6 months [0]. I'll wait.

[0] https://www.salesforce.com/products/marketing-cloud/sfmc/sal...

Edit: I was being facetious. I know exactly why he said this and I don't expect Salesforce to do this until they legally have to. I just hope the irony wasn't lost on anyone.

It's plenty reasonable to be skeptical of the public utterances of CEOs, but it's not necessarily true that his words are hollow because his company is not currently compliant with the law he's proposing. As long as competitors are free to ignore this proposed privacy requirement it probably makes no competitive sense for his company to comply with it. In that case, it's perfectly logical to agitate for a law, which would let you adhere to stricter privacy requirements confident that your competition has to do so as well.

This is a classic case of a well established company lobbying for regulations to keep newcomers out of their sector.

> This is a classic case of a well established company lobbying for regulations to keep newcomers out of their sector.

No, it's not, because SF won't be allowed to do it either. It's like a power company advocating for the banning of coal while still using it because it's the cheapest option. You can participate in a practice to stay competitive while advocating for the banning of that practice.

The point is newcomers have a disadvantage against any type of regulation they need to comply to - simply because they often have less funding/resources than a giant company. This happens in practice all the time.

>newcomers have a disadvantage against any type of regulation they need to comply to

This is unquestionably true, but it is an awful excuse to not enact any regulations. Honestly, what do people expect is the answer if the free market has already shown to fail to address this problem and we are ruling out regulation because it increases the barrier to entry?

I'm not against all regulations - some can be useful - they just need to be implemented with great caution - ideally in a way that is very easy and clear to implement. In theory I don't see how regulations could avoid security breaches anyway (which I think is a greater problem). It'd be interesting to fine large companies with security breaches to encourage better tech, but then they'd never report it.

Security breaches aren't the problem with harvesting private individuals' data. It's a matter of ownership and sovereignty, in the large and small.

How harmful a security breach is depends on how much private data about users was stored though. So even though security breaches will still happen, they will cause less harm if less sensitive data is leaked as a result.

When you say "regulations", I hear "market protections", "rule of law", and "fair and impartial judiciary".

"regulations could avoid security breaches anyway"

Translucent Databases 2nd Ed: Confusion, Misdirection, Randomness, Sharing, Authentication And Steganography To Defend Privacy http://a.co/c78Gij0

TL;DR: All demographic records are stored encrypted, are no longer retrievable if you lose the signing key. Think "proper password storage" extended to all things.

Bonus: Support for GDPR "right to be forgotten" for free. Just erase the key(s).
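
The "just erase the key(s)" idea from the comment above, as an added example that is not part of the thread or the book it cites: each data subject gets its own key, records are stored only as ciphertext, and erasure destroys the key while the ciphertext (including copies in backups) stays where it is. All names are hypothetical, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets


class KeyErased(Exception):
    """The subject's key was destroyed, so their records cannot be read."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode. Assumption: stand-in for a vetted AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(master: bytes):
    # Separate keys for encryption and authentication, derived from one master.
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: 16-byte nonce | ciphertext | 32-byte tag."""
    enc, mac = _subkeys(master)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc, mac = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class SubjectVault:
    """Per-subject keys in one store, ciphertext records in another."""

    def __init__(self):
        self.keys = {}        # subject_id -> key; must never reach backups
        self.records = []     # (subject_id, blob); safe to replicate
        self.erased = set()   # subjects whose key has been destroyed

    def put(self, subject_id: str, record: dict) -> None:
        if subject_id in self.erased:
            raise KeyErased(subject_id)
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        blob = seal(key, json.dumps(record).encode())
        self.records.append((subject_id, blob))

    def get(self, subject_id: str) -> list:
        key = self.keys.get(subject_id)
        if key is None:
            raise KeyErased(subject_id)
        return [json.loads(unseal(key, blob))
                for sid, blob in self.records if sid == subject_id]

    def forget(self, subject_id: str) -> bool:
        """Erasure request: destroy the key, leave the ciphertext alone."""
        self.erased.add(subject_id)
        return self.keys.pop(subject_id, None) is not None


if __name__ == "__main__":
    vault = SubjectVault()
    # Constructed sample data.
    vault.put("alice", {"email": "alice@example.test", "zip": "00000"})
    vault.put("bob", {"email": "bob@example.test", "zip": "11111"})
    backup = list(vault.records)      # simulated offsite copy of ciphertext
    vault.forget("alice")
    try:
        vault.get("alice")
    except KeyErased:
        print("alice: unrecoverable,", len(backup), "blobs still in backup")
    print("bob:", vault.get("bob"))
```

The erasure guarantee is only as strong as the key store: if subject keys are themselves backed up or logged, deleting the live copy erases nothing.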

I'm starting a chemical manufacturing business, but regulations are putting an undue burden on me by not letting me just dump waste product into the nearest river. Dow Chemical Company didn't have to abide by all these regulations when they were founded in 1897, it's not fair!

Edit: To be clear, I'm not saying anything about the necessity of any regulations. I'm just saying that when evaluating possible future regulations, viewing just in the light of incumbent/newcomer dynamics alone will give you absurd results.

There are many regulations that will burden you by having to record, audit, etc, where/when/why/how you are dumping waste, to help assure you aren't dumping it into a river.

Dow, having established cash flow and infrastructure, can trivially bear whatever these costs. These regulations were even created because Dow themselves (et al), somewhere in the middle of their life, optimized their profit by dumping in rivers.

You personally know the environmental harm and grave illegality [0] of improperly disposing of waste products, and your company is small enough that you can be sure everybody is of similar mind - you're focused on solving technical problems, having not yet been taken over by beancount-maximizers. But you still must pay the costs of the overbearing "compliance" paperwork designed around large amoral entities, perhaps even having to hire a dedicated government bureaucrat fresh out of law school. This is the gatekeeping-legislation dynamic people complain about.

[0] Which given your corporate size and lack of TBTF, would be a criminal penalty rather than a civil wrist slap.

It's dangerous to assume there isn't such a thing as pointless regulations that actually harm consumers by making a useful service/product more out of reach.

Your comparison is laughable. Try competing with Comcast and AT&T.

Comcast and AT&T are slightly different, in that they have government granted advantages (not just usage rights to infrastructure, and infrastructure access which is much harder or impossible to achieve now, but in some cases the government paid for that infrastructure before handing it over), not just the benefit of coming up prior to regulation and already having practices in place to deal with regulation.

Isn't this exactly the reason Stripe became successful? It was a real problem, with well thought out regulation from previous abuse, that most people avoided because they wanted an easy path to riches.

A newcomer could be bigger. Lots of money looking for high margin businesses to operate in.

In theory, but surprisingly not in practice. Often the most innovative ideas come from scrappy businesses without tons of funding off the bat. Look at healthcare insurance - not a lot of newcomers, despite some very high profit margins.

Health insurance or insurance in general is a low margin business, and whatever margin they have is mostly through investing the premiums they collected before paying it out in claims. Most insurers pay more in claims than they get in premiums, making up the losses with their investment; that's because they price their policies to undercut competitors that might not have access to such a large pool of money. So you can see how a newcomer can have a hard time becoming a profitable insurance business.

To borrow your metaphor, I'd say it's more like an oil company investing in solar, and advocating for its future, because it knows its current business will not last forever. Getting on the front of this allows Salesforce good PR, and lets them have a role, however small, in shaping the regulations to come.

Any business leader who has studied the tobacco industry would do this.

The amount of data they have is non trivial and the insights from it are surely non trivial. Even if they have to delete the data due to privacy laws, they've still learned and come out on top. Newer competitors will never have the opportunity to gain such insights.

This becomes even more true as machine learning becomes more and more important. The first movers have a strict advantage over later entrants simply because of the amount of data.

A strong law like the GDPR would actually shake things up - a lot.

As it is, the large players like Facebook, google, Salesforce and a bunch of others like our banks, credit card companies, internet providers are all extremely well established.

A GDPR-like law would open up entirely new ways of doing business partly because these companies could no longer do business the way they are. “Free” services could no longer make their money by selling your data.

We could end up with a more “honest” set of services. Like a social network that’s actually free or paid for by individual contributions.

> A GDPR-like law would open up entirely new ways of doing business partly because these companies could no longer do business the way they are. “Free” services could no longer make their money by selling your data.

You're completely disregarding the fact that it takes significant resources to comply with a law like GDPR. Insurance to defray the costs of potential litigation and fines, development time, ongoing compliance (audits etc.), legal expenses, and on and on. Most startups simply can't afford this.

So you may wind up with more "honest" services, but there will be far fewer of them and they'll have more power and leverage than they ever have before because of the lack of competitors and artificial, enormous regulatory barriers to entry. GDPR is a startup killer.

I'm not disregarding the cost of compliance. In fact it's implicit in my argument. Some business models would no longer make sense. Others would look more attractive. It would increase the cost of, or completely do away with, doing things certain ways which naturally opens the door to doing things differently. Yes, there likely would be fewer services initially.

"Insurance to defray the costs of potential litigation and fines, development time, ongoing compliance...GDPR is a startup killer"

That doesn't have to be the case. The law could easily carve-out a "safe harbor" of sorts for companies that commit to not gathering or storing any but the most basic information about their visitors.

"... there will be far fewer of them and they'll have more power..."

Or existing companies could lose a lot of power and leverage because their business-model doesn't make sense. New ones could pop-up in their place.

I'm more than willing to give up tyrants like Facebook and Equifax for the right to control my own private data.

Privacy is good, long live disruption!

> I'm more than willing to give up tyrants like Facebook and Equifax for the right to control my own private data.

You’re missing the point. These “tyrants” can fully afford to comply (while paying scores of legal staff to scour the law to find and exploit every possible loophole), but startups can’t. That means no competitors will be able to emerge and challenge them. These companies will still be able to do much of whatever they want simply because consumers won’t have a choice. GDPR consolidates market power in the hands of entrenched competitors that can afford to comply.

> Privacy is good, long live disruption!

Privacy is good. Killing the ability for startups to compete is bad.

Wait, but if those hypothetically competitive startups can only compete because they can trample my privacy, why the heck do I want them?

I mean, it’s not like Facebook and Google aren’t already big enough to smother would-be competition in the cradle. In the other scenario competition may still be smothered, but I still get some regulatory privacy protections.

EDIT: Also, as a matter of principle, I’d gladly see dozens of startups burn if it meant broad privacy protection were enacted.

> Wait, but if those hypothetically competitive startups can only compete because they can trample my privacy, why the heck do I want them?

GDPR compliance and "trampling your privacy" are not remotely related. GDPR is massive overkill and unnecessarily burdensome.

> I’d gladly see dozens of startups burn if it meant broad privacy protection were enacted.

EU startups will burn - not dozens though, hundreds or thousands of them - and even more will never get the funding to start because no one wants to invest in a business that can be killed instantly by massive fines at the whim of the government. US startups will thrive because they are not subject to GDPR if they don't target EU customers, even if there is some incidental EU traffic to their sites. I don't have to protect your information GDPR style on my US site, even if you are from Germany, as long as I'm not actively trying to get people from the EU to my site. But most sites outside the EU will just block EU traffic anyway (which is what we decided to do). So enjoy your new, smaller Internet with companies that will "trample your privacy" anyway because you have no competitors to go to for their services. Yes, you will be informed about what they're doing in vague terms, and yes you will have given them "informed consent"....but is it really consent if you have to give it because there are no alternatives?

I think you're disregarding that these are huge companies whose business models and moats would be significantly disrupted by a GDPR-like law. To quote GoT, chaos is a ladder. This could help new innovative companies compete, at least in the short term, against these established behemoths.

> This could help new innovative companies compete, at least in the short term, against these established behemoths.

Again, most “new innovative” companies can’t afford to comply with laws like GDPR.

I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is, but it will force companies to adopt better policies to avoid problems. Startups right now are best positioned to make the transition whereas the behemoths will be forced into significant spends on legal fees or insurance - not to mention scandals such as the Facebook debacle that has so many people up in arms.

Disruption is startup paradise.

Having just led the GDPR effort at my company, I disagree. It's absolutely a burden. It slows down sales and makes customer relationships more difficult and expensive. Any custom integration we do needs to have a custom data processing agreement put into place and reviewed by a lawyer. I now find myself paying lots of new fees to various places: the ITA, DPA, the Swiss data authority, and organizations like ISSA. It forced us to get a more expensive insurance policy.

On top of that, the technical controls were actually expensive to implement. The issue is not that consent is hard to revoke or that data is hard to delete. It's that everything needs to be auditable. Under a strict reading, you need to have an audit trail of every processing activity. Anytime a user profile is edited for any reason, even just an automated removal of whitespace, is supposed to be auditable and made notifiable to the user. Anytime you refresh a user's Instagram stats, you need to have an audit of that. Most companies don't go this far, but it's a huge risk to do anything less because we don't know what fines are going to look like in practice yet.

Plus the fact that we just spent $15k in legal fees going over our new privacy policy, data protection policy, updated MSA, updated order form, new user agreement, etc, I can say with confidence that it is indeed expensive and burdensome.

> I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is

You’re saying this based on what exactly? Have you actually been in charge of trying to comply? I have. For us, it was going to be a 7 figure endeavor (upfront, and then 6 figures/yr for ongoing compliance, insurance, etc.) and we are pretty small (a few million visitors/mo spread across several sites). We made the decision to just block EU traffic, even though we have been advised that GDPR probably doesn’t apply to us anyway. I can’t have one of the 28 countries that GDPR applies to randomly decide that it applies to me because they’re a little short on tax revenue that month, then have an expensive legal fight that will end in a multimillion-dollar fine anyway.

Citation needed

We're a small business and it cost us about $50k to become compliant, if you add up the legal fees and hours spent on technology. We are also forced to get a more expensive insurance policy.

Citation needed for what? For proving that GDPR compliance is expensive?





Those were just on the first page of Google. There are hundreds of others. That's not even counting my own experience with it.

That's an idealist view on how this is going to play out. My contrarian view is that these large firms will have the staff to understand how to comply with these laws without having to substantively change.

For example, Facebook is going to force everyone to opt-in to accept the status quo while remaining in GDPR compliance:


Good luck doing that if you are a startup!

I expect they'll be ruled as unable to rely on that coerced consent in the end, given how strictly the requirements for acceptable consent are defined. But they will be able to delay such a final ruling for quite a while with appeals, and maybe make arguments to mitigate the possible fines down to a lower level, if any.

facebook doesn't sell data. facebook sells attention and billboard space. you pay facebook, facebook runs your ad on their platform, and gives you some parameters for which people are targeted. the data never leaves facebook's black box.

Except the data did leave with Cambridge Analytica

facebook has two kinds of data

- data you give it (birthday, religion, likes)

- data it learns about you. (ad tracking, habits, demographics)

facebook built a developer tool that let app developers ASK USERS for "data you gave it"

users clicked YES when prompted with the question, GIVING the app developers the data. Cambridge Analytica NEVER got to touch "data facebook learned about you."

the way the developer tools were designed, when you gave the app access to your facebook account, it could look at things YOUR FRIENDS had made available to YOU. The app could act as you, and see what you see. You can never see "data facebook learned about your friends."

The issue is, people couldn't trust their friends not to click "SHARE DATA." The issue is IF it's inappropriate for apps I install to see data shared with me by my friends. Once facebook learned this ability was being misused, they shut it down, back in 2014.

Salesforce-hosted data can be largely exempted from GDPR because Article 17 allows for the retention of customer billing and accounting data (which are often stored in Salesforce CRM and ERP back office system).

Regulations that create positive obligations -- "you must do this" -- create barriers to entry, because it costs money to do that. But I'm not sure it's the same with regulations that create negative obligations, because not doing stuff is usually free, except when the negative obligation is actually a positive obligation "to prevent xyz".

Except for the fact that the requirements to become compliant with such a law, including removing past data, could cripple Salesforce

That almost never happens. It's not in the gov's interest to tank successful companies that employ a bunch of people - and large companies are in the best position to give personal feedback to politicians to customize the process so it's particularly easy for them. That's how regulatory capture starts.

I think at this point, consumers are more interested in their rights being protected than in more competition.

How would this keep newcomers out?

Salesforce relied on things this 'privacy law' would make illegal in order to get where they are today. This law would prevent other companies from following in their footsteps.

That’s really not true at all. DMP was a very recent acquisition, as was Marketing Cloud and Pardot.

Core Salesforce is a company data store often requiring human data input. It’s where your information goes when you fill out a “Contact us” form on somebody’s website.

How is that relevant? Say a law like this comes into effect, then they'll need to change their practices / delete that data etc. So going forward they won't have that advantage over an upstart, they'll need to compete in the same market.

They have the advantage of size and resources.

If the starting table stakes to get started becomes GDPR-style compliance infrastructure that takes 3 engineering man years to implement properly, then new companies will happen less, which means less future competition for the incumbent.

Salesforce is a company that operates in Europe. They already have to comply with GDPR (and have already spent tons of dev time on scrambling to comply). They're ready for GDPR, and so they're probably betting they're ready for whatever (likely weaker) US law inspired by GDPR that would come along. Any new competitors, on the other hand (or any non-multinational competitors) would have to scramble and pay heavy costs to "catch up".

It's using the legal system as a tool for their competitive advantage -- force everyone to do the thing you're already doing.

> Say a law like this comes into effect, then they'll need to change their practices / delete that data etc.

Oh honey.

Yes. We are learning from our mistakes.

Are those things we want other companies to be doing, though?

>> Salesforce relied on things this 'privacy law' would make illegal in order to get where they are today. This law would prevent other companies from following in their footsteps.

> Are those things we want other companies to be doing, though?

Apparently if someone got successful doing something bad once, we're supposed to be OK with people doing that bad thing forever, lest we risk some "regulatory capture" boogeyman.

The solution to regulatory capture is an actual solution to regulatory capture, not a general aversion to regulation.

There is almost no solution to regulatory capture - more gov to solve it does not work in practice, particularly because after these commissions are founded on idealistic principles, the public stops paying attention and often doesn't have the breadth of knowledge to understand how regulations could be used to prevent healthy competition. The way it unfolds, turns out, is very predictable. It limits the tools/services that could otherwise be offered and often keeps progress in that industry frozen in time almost, the existing companies frozen in place too.

Cost ($$, time, etc) of compliance impacts newcomers more than incumbents.

Higher cost to do business by requiring compliance with regulations.

I think the cost is small compared to the externalized cost to each person whose data has been leaked, lost or misused.

OH NO! Someone might lose a few dollars because they can't vacuum up my personal data and sell it for their personal gain! Heaven forbid!

Thank you for your sarcasm, it's been very valuable.

^This * 100.

Not only that but increased regulation often favors incumbents because it increases the cost of competing which has a higher burden on a lean, new entrant.

Personally, my favorite is Larry and Sergey. I wrote an essay about one problem: http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozi...

This is Benioff shutting the door behind him. It lets him seize the moral high ground, while making it more expensive for startups to try to imitate them. A few million bucks on navigating complex multi-jurisdictional compliance issues is nothing for them. It's a non-starter for a small team of innovators.

Few things terrify incumbents more than a fast moving nimble and smart team of innovators. e.g. FB paying $19bn for WhatsApp.

You know what? Fine. I don't care which incumbents will be okay in a world with better laws around privacy. I want better laws around privacy.

And I give less than zero shits about any startup whose business model necessitates violating my privacy--if privacy laws create barriers to entry, that's absolutely fine. The rights to privacy that some new laws could give us is simply more important than that.

The concern seems to be less about creating barriers to entry than it is about entrenching incumbents.

A legal regime that does the former without doing the latter? Sign me up. One that does both? Well, I guess I do still get privacy laws, but are they worth a damn if the latter is among their effects?

It's not the privacy part of the law that's hard for companies. Most companies do not abuse your data.

The GDPR is very expensive. Every data processing activity needs to be auditable, every customer relationship needs a data processing agreement (and each new custom one needs to be reviewed by legal), we now pay fees to all sorts of data protection authorities. On top of that, it forced us into a new, more expensive insurance policy.

> we now pay fees to all sorts of data protection authorities

What fees? In the UK you have to register with the authority (as UK companies did before) and that fee had a max of £2900 per year for companies with a turnover greater than £36million or more than 250 members of staff

Orgs under that limit pay £35 - £60 depending on size. Non profits pay zero, companies who only process data for things like staff admin pay zero, there are other exclusions

Hey I think we're all with you. You have to admit though, it is interesting watching the side-effects.

Have you ever met Marc Benioff or anyone who's ever worked closely with him? It's pretty commonly believed among those who have that he wants to take some sort of political office at some point in the near future, and that's more important to him than continuing to expand Salesforce.

The bar is pretty low right now. Who hasn't recently entertained that idea, even one moment to go that route (which seems to be leading to Nowhereland).

s/Marc Benioff/Donald Trump/ and you'd see that this is not a defense or an indicator of any sort of good intent, it's just an unrelated bit of trivia.

I think that the point being made is that he's saying this to position himself in such a way as having a politically mindful voice, which is relevant considering what he's saying.

But consider the company's perspective.

If you're engaging in unethical behavior that has a market, and you want to stop the behavior, withdrawing from the market definitely doesn't stop it. It encourages a new player to step up and have an advantage over you, and worse, repeat that unethical behavior.

"You know ... I make a lot of money from grazing my sheep on the commons[1], but it's really not sustainable to have this free-for-all. If everyone can just graze the grass with no restriction, the roots will get eaten up and there won't be a future stock to use. I propose that we segment it out so all the plots have an owner, who will have an incentive to limit grazing, and then compensate the people who lose their right to graze..."

'This is absolutely hilarious. This dude has a huge herd and makes a fortune selling sheep that were fattened from grazing the commons.'

[1] Yes, I know that the story that the "tragedy of the commons" parable is based on is fake, and they actually had sensible customs to prevent the free-for-all; this is just for illustrative purposes.

Well.. a privacy law banning everyone except those who are grandfathered in to collect data..

They will help create the legislation so that it benefits their company and makes it harder for differentiated competitors. It also forces you to have more capital in order to implement those practices (which salesforce has), which means only big companies can compete.

This is unfortunate. As more and more big tech companies do this, the tech industry is turning more and more into the bad guy, and something I didn't want to be involved in.

I don't know, maybe he's being authentic and is seeing a problem, but the way the industry has been headed just makes me not trust it.

> This is unfortunate. As more and more big tech companies do this, the tech industry is turning more and more into the bad guy, and something I didn't want to be involved in.

This is true of most established industries like Pharmaceuticals, Chemical, Nuclear, Mining, and Automotive.

I'm not disagreeing, I was just hoping we could be better.

>>> This dude owns company that builds an array of products around identifying your users, storing as much information about them as possible

I get where you're coming from and Salesforce does its share of this, but they aren't Google or Facebook deriving most of their profit from user data.

Their app is used mainly to drive and automate business process in a system that can serve the entire organization. A lot of businesses (the run the business part) run a very high percentage of their business on Salesforce - including some of the biggest companies in the world.

They make their money from subscriptions, the appExchange, and services.

I'm sure they collect data (and some of their marketing/lead generation software I'm sure collects data), but it might be a little much to say that the entire product is built around collecting user data.

On top of that, Salesforce does a TON to portray themselves as an extremely liberal company - from diversity initiatives and minority outreach to widely marketing their charitable contributions. So at least on the surface they are consistent with their messaging.

Not a shill - just sharing what I know from companies where I've worked that used salesforce in one way or another.

> Not a shill - just sharing what I know from companies where I've worked that used salesforce in one way or another.

Right, and as I've told others, you either don't know what Salesforce DMP is or you don't know what a DMP is. To say Salesforce's only offering is the CRM aspect of their product is just wrong.

No need to get into the you don’t know this or don’t understand that, man.

I’ve done my share of implementations and marketing cloud is just one of their product groupings and it isn’t even the one that is used the most. In fact, most organizations (esp big ones) usually have differential tools for the marketing piece.

They offer other data services, but again even in orgs that have purchased them I haven’t seen them used that much.

There are so many other parts of Salesforce that are extensively used outside of marketing, that I’m not sure how their crm is not the main thing.

I even said in my post that they definitely do the data collecting etc, just that it’s not their primary source of revenue like fb et al.

I don't even know what we're talking about now.

Marketing Cloud is Salesforce's email marketing platform, formerly ExactTarget before being acquired.

My joke was that I'd love to see Benioff put a "export my data and forget about me" button on Salesforce DMP (formerly Krux)'s site.

> They offer other data services, but again even in orgs that have purchased them I haven’t seen them used that much.

And on that note, let's wrap this up.

I mean I’m not making any groundbreaking claims here. Simply stating that Salesforce's core product is definitely not their marketing software or their data offerings such as data.com.

They make their money primarily off of subscriptions - not sure why that statement is so controversial.

And that last point you quoted was specifically made to illustrate that their data services aren’t even that popular. Companies that buy it often don't even use it.

Why would they do that unless their competitors are mandated to also?

Advertisement and info gathering beyond a certain point (which we probably passed long ago) is simply an arms race/prisoner's dilemma. All the companies would be better off or at least no worse off if they all mutually scaled down their efforts, but it's to no one's advantage to scale down their own efforts. Why ridicule the players in a prisoner's dilemma for trying to jointly move to a superior outcome?

This only applies, if you treat privacy as limiting information collected. If you take the view that privacy is a peocess integrity issue instead (all data is effectively personal, the goal is to make sure access to it is transparent and restricted) him asking for such law makes much more sense

> Set your browser to do not track - we respect this signal regardless of the presence of a cookie.

Sounds like you have a fairly easy way to remain opted out. Either that or using the never ending amount of adblockers to block trackers specifically?

Actually they probably have this button or they are adding it very soon, because it is required in Europe under GDPR.

He's not saying companies can't keep a CRM system to keep track of leads and customers. What he means is the sneaky and hidden ways in which FB, Google and other advertising based tech companies track your every action on the web, create a profile for you without your explicit permission and selling that information or access to it to advertisers, etc.

Then you clearly don't know what Salesforce DMP is (the product I referenced in my OP) or what a DMP is. Research it and I think you'll have a better understanding of my comment.

Salesforce is a public company, which means the CEO has a legal duty to optimize for maximum benefit for the shareholders of said company under the law.

"Change the law so I don't have to do scummy things," is actually fairly rational.

> Salesforce is a public company, which means the CEO has a legal duty to optimize for maximum benefit for the shareholders of said company under the law.

That's a common misconception. It's not true.

Not Statute, but case law. See eBay vs. Newmark. Unless I'm misinterpreting something about it, in which case, can you explain? (Genuine question there.)

The opinion is quite readable. Essentially the judge says that he's only applying that standard (called the Unocal test) on "defensive actions by a target corporation’s board of directors in a takeover context". On the action that didn't fit that profile, despite being potentially harmful to eBay, he deferred to their best judgment.

I'm no lawyer, but the way I read that decision is: do what you think best, just don't purposefully mine the field against one of your shareholders.


Literally every one of those goes against current case law, which can be seen in eBay v. Newmark; plus "LMGTFY" isn't really an explanation.

I think it is instructive that while eBay was able to void the Craigslist poison pill provision in court, they have not been able to, for example, sue Craigslist into increasing revenue and profit by charging a per-listing fee on "for sale" items. To my knowledge eBay hasn't even tried that--no doubt because they know it would be futile.

The practical question is not necessarily whether Craigslist has a duty to maximize shareholder value, but rather, to what extent can shareholders use the courts to second-guess the business decisions of corporate management? As the links in the Google search above attest, decades of precedent seem to suggest: almost no extent at all.

To look at another high-profile example, Apple CEO Tim Cook--in a shareholders meeting!--said "When we work on making our devices accessible by the blind, I don't consider the bloody ROI. If you want me to do things only for ROI reasons, you should get out of this stock." While it made some news, I don't recall a shareholder lawsuit forcing Tim out of Apple for refusing to maximize shareholder value.

Even if that were true and it were also true that privacy features would harm shareholders, then lobbying to make those privacy features mandatory would itself be acting against shareholder interests.

There is no such legal duty. His only duty is to engage in lawful business. And not to get fired by his board.

Case law states otherwise; see eBay vs. Newmark and Dodge vs. Ford Motor Company.

eBay v Newmark hinges very much on the specifics of the contract, and how it was structured to create this sort of duty on Craigslist's part to eBay, rather than being some general bit of case law that codifies the tired — and wrong — "'fiduciary duty' == 'maximizing shareholder profits'" trope.

We can have a great, and factually-based discussion on whether Newmark, et al violated their contractual duty, under the terms of that specific contract; extrapolating from that to "but fiduciary duuuuty!" (for these narrowly-construed notions of "fiduciary duty") is unsupported by the facts, or the case law.

Dodge v Ford is also, afaik, generally considered a weak precedent for the notion — which was specifically articulated by the state supreme court, and therefore doesn't bind peer state courts, or any Federal courts. ("Persuasive precedent" != "binding precedent".)

Several states' courts have also rejected the same argument in later cases. "The general legal position today is that the business judgment that directors may exercise is expansive. Management decisions will not be challenged where one can point to any rational link to benefiting the corporation as a whole." [1]


[1] https://en.wikipedia.org/wiki/Dodge_v._Ford_Motor_Co.

In eBay v Newmark, the full quote you're looking for:

"[Newmark and Buckmaster] did prove that they personally believe craigslist should not be about the business of stockholder wealth maximization, now or in the future. As an abstract matter, there is nothing inappropriate about an organization seeking to aid local, national, and global communities by providing a website for online classifieds that is largely devoid of monetized elements. Indeed, I personally appreciate and admire [Newmark's and Buckmaster's] desire to be of service to communities. The corporate form in which craigslist operates, however, is not an appropriate vehicle for purely philanthropic ends, at least not when there are other stockholders interested in realizing a return on their investment. Jim and Craig opted to form craigslist, Inc. as a for-profit Delaware corporation and voluntarily accepted millions of dollars from eBay as part of a transaction whereby eBay became a stockholder. Having chosen a for-profit corporate form, the craigslist directors are bound by the fiduciary duties and standards that accompany that form. Those standards include acting to promote the value of the corporation for the benefit of its stockholders."

I think the money quote in eBay v Newmark is more like:

"Throughout this dispute, I have repeatedly read and listened to what look and sound like breach of contract arguments, which eBay uses not to prove Jim and Craig breached a contract, but rather to prove Jim and Craig breached their fiduciary duties. This has been an odd exercise, and I admit I am puzzled by eBay’s decision not to bring a breach of contract claim or, more promising perhaps, a claim for breach of the implied covenant, considering eBay expended significant effort arguing that the 2008 Board Actions violated both the technical provisions and the spirit of the SPA and the Shareholders’ Agreement. The fact remains, however, that eBay asserted neither a breach of contract claim nor a claim for breach of the implied covenant."

The presiding judge in this very case — whom an article I read on it described as, "one of the most influential corporate jurists in the country" — doesn't think eBay's theory of the case is the right one. It's the only one they brought (to the exclusion of the arguments he thought more apt), though, so he can't rule on them.

That is: eBay structured their minority shareholder agreement with Newmark, et al, and then their case over breach of that agreement, to make it look like a fiduciary duty claim, without offering the court a more accurate alternative.

It's, IMO, a bit specious to take something that was structured specifically so as to be construed in a way that is at odds with the reality of the situation — as specifically cited by the most relevant authority possible, in context — as evidence of the conclusion they (eBay) want you to reach.

EDIT: Though not entirely apt, it's a bit like a prosecutor bringing only a murder charge against a defendant, and not offering the jury the choice to convict instead on a "lesser included offense" like manslaughter, or negligent homicide, or something. Yes, there's clearly a tort in play here, but eBay's insistence that it's this specific tort doesn't make it so.

The court wasn't backed into a corner. If it wasn't a breach of fiduciary duty the case would have been won by Newmark -- they can't just say, "They did something wrong so we have to punish them somehow, and you only gave us one option." That isn't how the law works.

The section you quoted makes clear that whether or not it was a breach of contract, it certainly was a breach of fiduciary duty because those duties were the sole basis of the complaint.

Precisely because eBay, knowing they were buying into a frugal-first operation like Craigslist, specifically structured the deal such that it was owed this duty. That Craig and Jim took the money under those terms is on them, as is their failure to honor the terms of the contractual duty they owed eBay for its minority stake, specifically including all the ways they tried to weasel out of the deal — for which eBay did have a legitimate cause.

From what I've read, if eBay had not bought that stake under those specific terms, there wouldn't have been a case here. (Or at least not this case.)

Again, IANAL, but I think that makes it more of a contractual duty case. A dog wearing a bill and wings, with a collar that quacks, is apparently a duck — if your lawyer is good enough…

So "Those standards include acting to promote the value of the corporation for the benefit of its stockholders" doesn't read the same to me as must maximize shareholder value at all legal cost.

There's a lot of space between incorporating as a for-profit corporation and then not seriously pursuing profits and the trope that if some action is not maximizing profits right now, you're not allowed to do it. For example, corporations do routinely make charitable contributions.

It's not a black and white issue. Companies, including Salesforce, do things like give money to charities. This isn't any kind of violation because on their investor relations page, they talk about the values of the company which includes giving to charities and upholding high ethical standards.

If Benioff starts talking about the importance of privacy and can make an argument that it aligns well with the ethical standards of the company, then he's probably safe.

He doesn't have to always do the thing that's most profitable as long as he isn't straying outside of the guidelines that have been set for investors.

Giving money to charities is still a profit-based activity, in that it requires generating profit to be able to give some away [0].

The issue that seems to be at stake with eBay vs. Newmark is that a company seems to be prevented from leaving a significant amount of possible profit on the table in order to provide direct amorphous distributed good - in craigslist's case the common person not having to be subject to (graphical) psychological manipulation when viewing classified ads.

A contrasting example is of Bill Gates's modern philanthropy efforts. It's certainly great that he's using that Microsoft lucre to make the world a better place. But IMHO it would have made the world an even better place if Microsoft had relaxed their business practices and not put us all through hell in the 90s.

The first approach leaves wealth and self-determination at the edges, while the latter suffers from the standard problems of top-down redistribution.

Practically, the root of the problem in the craigslist case is that they incorporated as for-profit and simply had an informal goal to begin with. A single stakeholder then sold their share to a purely profit-interested entity, which used that minority share to push craigslist down their own desired path (in addition to siphoning trade secrets). It seems like the only thing craigslist could have done is to formalize their philosophy-of-value when eBay wished to buy the shares, or ideally prior.

[0] Which allows the charity to be quantified. Presumably a shareholder would have a fiduciary duty claim if the board decided to give away 100% of profits.

> it requires generating profit to be able to give some away

Even unprofitable companies give to charities. Uber, for example, does this.

Giving money to charities is marketing with tax benefits.

That's a very cynical take.

Often very true though.

The previous poster wrote about a duty to "optimize for maximum benefit for the shareholders". What does this even mean? Dividends? Stock price? Longevity of company? It's way too vague to be meaningful.

I disagree with the people here who call out Benioff's hypocrisy in making this statement.

It's not uncommon or hypocritical for companies to be in favour of regulation that would prohibit things that they currently do. The whole point is that if Salesforce would currently start respecting privacy more than they'd be legally required to, for plain ethical reasons, but other companies don't do the same, then they have a competitive disadvantage. If the law requires them to do so, they can be more ethical while the playing field is level.

Of course there's still a strong and fair open discussion on how far a company should go in the "totally unethical but technically legal" arena of evil shit. But I don't see much of that discussion in this thread.

Companies often welcome regulation. I once read somewhere that when cigarette companies were forbidden to advertise in the EU, their profits went up. All of them were only advertising to compete with the others, it was an arms race without end. When the entire arms race got outlawed, cost shrunk but income did not change. Smokers didn't suddenly switch brand because they didn't see bad jokes about camels every commercial block.

I also disagree with the argument that this is a call for regulation to keep newcomers out. It's true that bigco's rooting for regulation often do this for anticompetitive reasons and it's abysmal, but I really don't see how increased privacy controls such as the GDPR (but in more places) prevents incumbents from outperforming and outmarketing the big shots. You need to come with a stronger argument about how such regulation affects Salesforce less than a tiny startup. Assuming it's decent regulation, of course - I fully agree if this ends up being a legal minefield.

But e.g. the GDPR is decent regulation that is really not that hard to abide by unless you're genuinely evil (I say this as the owner of a small EU-based startup). The world could use more of that stuff.

People might be missing the point.

You always start ahead in a contract negotiation when you're the one writing the first draft. It's no different here having an adtech/martech company kick off a privacy discussion; Salesforce wants the upper hand because it's easier to know the ways around the legalese when you're the one writing it.

The key is to say "you're right" to Benioff and then draft the law entirely without his influence.

"You always start ahead in a contract negotiation when you're the one writing the first draft." Never heard that but I like it. I am aware of it, just never heard it put into words like that. Thanks!

Both the UN and the EU consider privacy a fundamental human right. We shouldn't be looking for a law, we should be looking for a Constitutional Amendment.

> Both the UN and the EU consider privacy a fundamental human right

Privacy and free speech exist in natural conflict. Between the two, I prefer our society which enshrines the latter over the former to the European model which does the reverse.

Absolutely wrong. The two do not exist in any sort of conflict whatsoever.

> The two do not exist in any sort of conflict whatsoever

The "right to be forgotten" debate [1] neatly encapsulates this conflict. Journalists' rights to pry versus citizens' rights to avoid being pried on is another example [2].

This is a balancing act. Excessive privacy restricts what third parties can talk about. Unrestricted speech means anyone can say everything they know (or know to be false) about others' private lives. There are multiple equilibria. But acknowledging the trade-off is a pre-requisite to writing good law.

[1] https://en.wikipedia.org/wiki/Right_to_be_forgotten

[2] https://www.economist.com/node/18621060

Free speech is not the same as violating someone's privacy (whether as a journalist or a doxxer).

You're begging the question in both your definition of free speech and assuming a certain bundle of privacy rights.

There's plenty to debate on what speech freedoms people should have and what privacy rights people should have, but it's silly to claim that there's no conflict between them conceptually; if you're stating that there's no conflict, you're assuming a certain set of each, which is just you defining the problem a certain way so that you can say it is solved. If other people don't agree with your definition of the problem, then your solution doesn't hold for them.

Fair enough.

I'm drawing a distinction between free speech (specifically parrhesia, which is orthogonal to privacy) and freedom to learn anything about anyone (which is antithetical to privacy). In journalism they are combined, usually to good effect; in doxxing the combination is bad.

Freedom of Speech is not literally being able to say anything. Few people would agree that doxxing or harassment would fall under Freedom of Speech, for instance.

So is reporting on the president's financial dealings harassment or journalism? The fact that people are debating this suggests some sort of conflict.

The President is a public person, whose finances are relevant to the running of the country. Your finances, however, are relevant to no one but yourself and your family.

It would be improper to limit individuals in their interactions with other individuals or corporations via an amendment. A law is the proper place for that type of restriction.

You are getting reflexively downvoted, but it's not so clear cut.

On the one hand, slavery was banned by the 13th Amendment.

On the middle hand, alcohol was banned (18th) and then unbanned (21st) by amendment.

On the other hand, nearly everything else in the Constitution is about the function of government and the rights of individuals with respect to government, not the rights of individuals with respect to other individuals.

We should arguably guarantee a right to privacy in the Constitution first, as we should have the same protections from government as well. (As our other human rights are generally protected via the Constitution.) Then, if it is viewed as improper to do so via Amendment, additional laws can be passed to apply it to private entities as well, much as the Civil Rights Act of 1964 builds on the 14th Amendment.

To clarify: your argument is that by precedent with existing amendments, the US Constitution should be limited to interactions with the state?

Of course he does. Big businesses like Salesforce will benefit the most from the regulation and he gets the glory of virtue signaling about it.

I get these cynical responses, but ultimately don't many HN readers - me included - want this kind of law too? Why are people so hung up about the guy's motivations?

Seems like a case of letting perfect be the enemy of good.

Seeing what is happening with GDPR currently is cause to be cynical.

Lawmakers tend to copy & reference laws from other places as case studies. So if one law shows up somewhere, that law tends to start spreading around like it's a meme.

Beware label vs. content. Good intentions, or their colour, pave many routes to Hell.

Absolutely. It helps manifesting monopolies because smaller companies can’t afford to compete anymore.

The CEO of a massive public company that lives on data is calling for new regulations that his company will be better equipped to deal with than competitors will? Color me shocked.

Just to clarify, Salesforce doesn't live on data. Salesforce's primary business is CRM tools, where the data belongs to Salesforce customers. Salesforce is not tricking its customers' customers into giving them data for one purpose and then using it for another purpose and selling it to advertisers. Salesforce simply makes money from the CRM license. Not through data trading.

Regulatory capture would be the result of any regulation on FB.

I'm not convinced that Benioff is devious enough to have this ulterior motive.

But clearly, social networks have become the new CRM for many small-mid size businesses... and on that front FB represents a threat.

Facebook is definitely not a threat to Salesforce small business. Hubspot, Insightly, and other small focused offerings plus Pad of Paper and Excel are the real competition for small CRM / Marketing buyers.

Can we have opt out for government agencies as well? I posted the other day that many county and state governments let you search their databases for a wealth of information and you can damn well bet they sell or provide bulk access.

While I know it cannot be reasonably expected that "government" forget us in this manner, it certainly could be forced to limit access to data that is identifiable back to an individual without their permission.

Example of the details offered, by address or name of owner http://www.cobbassessor.org/cobbga/search/commonsearch.aspx?...

Many governments are providing access to the sort of data you link out of a desire / mandate for transparency. As an undergrad journalism major, one of our assignments was to dig up as much information as we could from public records about the school’s dean (he was a willing participant). The purpose of the exercise was to impress upon us how much information was available through public records.

The difference now is that those records are digital and don’t require (in most cases) flipping through actual paper documents.

The question of privacy vs. transparency is an active area of conversation now, particularly because people like yourself are discovering that you never had privacy around some transactions in the first place. Also, machine readability has changed the threat model somewhat.

In general, however, I’d guess that transparency and open access to many kinds of data will continue to be the way the law leans.

> In some ways, you could say that Facebook has become the new cigarettes in our industry. That is, it's a technology that is addictive, it may not be that great for you and it might be something you don't want to go back to.

I watched Benioff repeat, over and over, about how much he loved Facebook, for about 30 minutes. This was in 2010 at the Moscone Center in San Francisco, right before he introduced Chatter.

Is 8 years not long enough for someone to change their opinion or at least have their economic incentives change?

This seems slightly ironic from Salesforce. I am pretty sure companies that use Salesforce will also be doing as much tracking of their users as they know how to and feeding that data into Salesforce.

I think the big problem is not privacy violations, per se, but that, with computers and the internet, one never knows what information about you is being stored and sold to others. The majority of states make it illegal to tape a conversation without consent of the other person. I support those laws. Also ones where businesses have to post they are using video surveillance. It would be great if the government or some other group would develop well defined levels of privacy with good names and icons so companies can easily describe their policies to the public. Like movie ratings. Not the best. Wish we did not need them. But works OK. I'll avoid companies that sell my location information to anyone who will pay.

Passing laws where people somehow own what other people and companies know about you is not a good idea. I saw your dog poop on my lawn and you did not pick it up. Can I tell my neighbors about that? What about posting on Nextdoor? Local newspaper? A tweet? If I libel or slander someone, we have laws against that. It seems to me that telling a truth you know about someone should not be at the discretion of the someone. People just need to know when they are being observed, what is being observed, and by who (or what), so they can act accordingly. Not sure how to get to that space in this smartphone world.

Could we link to the canonical url [1] instead of the tracking shortened url please?

[1] https://www.salesforce.com/company/news-press/stories/2018/5...

Sure thing, we've updated the link from https://sforce.co/2wKldaR.

I think it's fair we should implement some sort of Consumer DRM law, where explicit permission be granted to reproduce our private data.

Copyright, not DRM. You should own your personal information, until 70 years after your death.

Copyright doesn't apply to facts, only expression.

A restated diary of your life with sub-second and sub-metre accuracy would not violate copyright law. (The initial collection ... might, though if not "an original work of authorship", that case is difficult to make.)

What GP and you are looking for is privacy-specific legislation (or court interpretations).

Can they please also come up with a reasonable standard to communicate the privacy policies, i.e. https://news.ycombinator.com/item?id=17067787


Well, that's a substantive criticism.

Do you have other examples? I haven't heard much about him.

Although it might be a wildly unpopular opinion here, if the US does not innovate in AI, someone else (and you know who) will, and the US will have to follow suit. Regulations are healthy as long as they are well understood and not over-reaching.

Sounds like he wants to have regulation for all the aspects where their company innovates.
