Hacker News new | past | comments | ask | show | jobs | submit login
We value your privacy now, but maybe not later (raimue.blog)
239 points by raimue on Jan 26, 2019 | hide | past | web | favorite | 103 comments

You go to the local baker and buy a loaf of bread.

After you leave, he writes down, on a piece of paper, your name (he knows you, after all), when you arrived, how long you took to choose what to buy, what you bought, and how you paid - bills, credit card, etc. He also writes down if you looked happy, nervous, what you were wearing, if you were with someone, and anything else he can see.

He then seals this paper in an envelope, and at night, when no-one is around to see, sells a whole bag of such envelopes to the mining/merchant/transportation conglomerate from the neighboring town, for little more than pocket-change.

Would you consider such a person a good neighbor?

No, but someone giving bread away for free and doing that wouldn't be so clearly bad. I think the difference is the obvious exchange of value (money for bread) in the first case suggests that's the entirety of the transaction. So the baker additionally "taking" the customer's data feels like stealing. But in the second case, it feels more acceptable that the exchange is (data for bread) since we all know there's no free lunch. There's a reason when you give someone something for free they ask "what's the catch?".

> No, but someone giving bread away for free and doing that wouldn't be so clearly bad.

I would say that's even worse. By giving bread away for free, he's making it impossible for other bakeries to compete unless they do the same thing.

This is why there are no serious competitors to services like Facebook or GMail. It's impossible to compete with free unless you monetize the data.

I say this as someone who pays for ProtonMail. Do you think it's possible to convince friends and family to start paying for email as well when they already get it for free?

If your privacy is important to you, then you would go to the baker that does not sell your private information and charges money for bread.

If there are enough people who are ready to pay for their bread and prevent selling out their private information -- then it would allow such privacy respecting bakeries to exist.

In this hypothetical scenario, there are no bakers who charge money for bread, and the information broker bakers refuse to take your money in lieu of putting your information in the bag with the others.

Or worse, sometimes they do take your money, but it's impossible to verify whether or not they kept your information out, until the next data leak, when you discover that they didn't.

Because auditing is garbage and there's no way to know who isn't collecting this information.

Collecting information is not really a concern for the vast majority of users.

But some users start to worry when that information is getting sold to third-party providers. Information sales are easier to audit.

Collected information almost always turns into transferred information at some point. Knowing they don't sell anything now doesn't help you in five years when the company has a change of heart or a change of ownership.

I don't think it's true that the vast majority of users aren't concerned.

The vast majority of users don't understand what is happening, and the few that are aware have decided that it's not worth the fuss, because they have correctly internalized that they basically have no real choice in the matter.

This sort of data collection is almost never optional, and when it is, the settings are deliberately hidden and obfuscated behind the worst kind of dark patterns.

If properly informed about what data is collected, and given a real choice about opting out, that doesn't reset every two seconds or hobble the service (what gdpr theoretically requires), I think the majority of users would be concerned and would opt out of as much as possible.

Nah - that’s why monopolies are bad for the society: in any scenario where the company managed to become a monopoly, they’ve by that time accumulated so many resources that they later on use in order to stiffle the competition.

Free markets don’t exist.

That’a fine if you know that’s what this free baker is doing.

For me, it's not just the cost of email but also the fact that I use several useful services that only work with Gmail. Of course, this means further compromises in privacy, so maybe not the best choice, but that's where I'm at now.

I think it's a matter of time until people start valuing privacy enough to overcome the threshold to pay for email. For us, our thresholds were lower due to our knowledge in the tech space.

This seems unlikely. Most people only have things to hide from their family, friends and neighbours. They don't care about whatever data Google, Facebook, Visa or their government might collect about them, and will prefer free services no matter what the privacy cost is.

They will when it starts affecting their medical insurance, interactions with the legal system,etc...

But it won't. Very, very few people actually run into any trouble because of their disregard for privacy.

I think you are wrong. You are both talking in the future tense but you seem to be doing thinking what is now will be the same later, and it won't be. Companies are starting to catch on, many forced to evolve or die but many are simply looking for extra margins, and they will exploit any technology they can.

A great example of this is car insurance companies. I had a friend who is a very careful driver and was looking to maximize his cost savings, so agreed to use an app that would track things like hard braking, average speed, etc, and at first he was complaining about how stupid the definitions for hard breaking were, then after months of data the insurance company actually raised his rates with the justification that his driving times were during peak traffic hours (you know, when everyone drives to work and back) and therefor he was a higher risk.

I told him before he started that would be the outcome. Simply because I extrapolated the insurance companies wanted to be able to use data they defined to make extra money. Not working? Redefine the data.

Not to mention the fact they are probably also making a bit Morea on top selling it to a third party (and even in anonymized, I think we all know how easy it is these days to deanonymize data)

People will start caring because it will affect them, but I'd they don't start caring now it will largely be too late or at least a much harder battle.

Am not saying it is not happening already, but some sort of critical mass has not been reached. I am not sure how to quantify this mass.

Obviously we are not quite there yet. You friend has learned a lesson, many here are paying money so that they could say "hey siri/google".

You don't pay for email? ?

I refuse to believe it is impossible to earn money by showing ads without allowing full scale tracking. It’s just easier and more profitable to not care.

It’s just easier and more profitable to not care

Easier yes, more profitable no. Selling direct advertising is the most profitable of all: the money all goes to the site without 20 trackers and 8 seconds of auction-waiting on each of your pages, resulting in a better experience for everybody.

> the money all goes to the site without 20 trackers and 8 seconds of auction-waiting on each of your pages, resulting in a better experience for everybody

This doesn't prove that direct selling is more profitable. Sure there is no ad network taking a 40% cut but sites also need to run their own in house sales staff then.

I'm sure an enterprising programmer or two could whip up a self-serve ad facility the same as they have with any other ecommerce plugin.

And I'm pretty sure that per-unit it is indeed more profitable.

>By giving bread away for free, he's making it impossible for other bakeries to compete unless they do the same thing.

He's not going to make enough from simply selling data to invest in talented bakers and quality ingredients, so his bread will be visibly at the lowest tier of quality. Other bakeries will compete on baking bread that is actually edible.

I don’t follow. Because clearly google and Facebook (the bakers in this analogy) are incredibly profitable and pay top dollar for top talent.

This used to be true, when material ingredients cost significant money, and one baker could only make so many loaves a day.

However, computers mean that the analogy breaks down. The data is selling for more than the cost of the service.

Edit/Preface: I made this post just in response to the point about email, but I think there's a broad contention here. Regarding email, just be clear, I think it's a poorer example then many because it really can be offered for a song. The complex bits are highly amortizable, it's standardized/static/federated, and the fundamental storage/memory/cpu/bandwidth per normal user is nearly zilch. Business models are a lot more flexible with all that. There are other services where it's a lot more arguable that "free" does mess up the market.

But only to a point, I think it's actually become somewhat overrated as a principle. Many of the most valuable subpopulations of any market are made up of people who know perfectly well how financial reality works, and that things that aren't free to offer need to get paid for somehow. There was a period where often "free" really was essentially free, because it was VCs pissing away money, and it was perfectly rational to use it. Or there were volunteer efforts while people tried things. Much of that of course was not sustainable, and the compromises that come with it long term are a lot more visible and widely known now. There is backlash to be seen against "free" models in plenty of areas. Sure, much of the market may make the bargain, but that isn't the same thing as there being no market for something that has a higher sticker price but offers privacy and quality alongside that.

--Original Post--

>Do you think it's possible to convince friends and family to start paying for email as well when they already get it for free?

Yeah, pretty trivially, so long as their needs are normal. Email is just such a fundamentally light service for most usage that it can be covered easily. These days I do most of my domains through Gandi.net for example, and each domain includes 5 mailboxes at 3 gigs a pop. In actual practice is just hasn't been hard to sell friends and family on the value of having their own domain for email. It looks good/personalized, it means they can have the exact handle they want rather then johndoe5712038123871@gmail.com, tying into that they can have easier mailbox splits, it means they can keep their email if they move to a different service, and $16/year or less simply does not break the bank. I've set up a lot of friends and family at this point, and nobody has ever had any difficulty grasping the advantages of any of these in this day and age. Many have for example lost old email accounts before due to moving services, and "this can be yours for the rest of your life regardless of where you go" is quite compelling. It's not even just companies going out of business, it's not hard to pull up stories of Google alglorithms banning accounts for unrelated stuff for example, and it being nearly impossible to rectify.

The real obstacle isn't some minimal payment, it's that it's seen as more technically challenging, or they've simply never considered it at all.

"the customer's data"

I have a question. How is it the customers data? The data is about a transaction that happened in the bakers store. It's all information that was plain for the baker to see. The baker did the work to collect it.

In fact, all the information is about the interaction directly with the baker. How is this not the bakers data?

Can someone walk into my store and somehow give me something that belongs to them against my will? And then impose requirements on me about what I can do with it? Or it only belongs to them at the point I write it down?

Now I start to agree that there are concerns at the point in a computing scenario when people are gathering data that isn't a part of the transaction actually taking place without the person knowing. But shouldn't that be on the browsers to deal with?

> I have a question. How is it the customers data? The data is about a transaction that happened in the bakers store.

Translating this analogy back to tech inverts your argument: It's my phone, and it's my computer. Thus any data collected from or generated on these devices is mine. I'm just letting a company use these hardware resources temporarily to deliver a service.

That's exactly what I've been saying. If you actually cared about your privacy, you don't need a cookie law popup on every page, you just need to get the browser to stop sending cookies.

Mozilla and apple claim to want to protect your privacy, but their browsers continue to sell you down the river

I refuse to look at being informed upon from a purely capitalist perspective. A perspective that reduces such essential and intangible concepts like privacy, down to mere questions of property - what belongs to whom.

You can argue all you want that nothing was 'taken' from you, yet at the end of the day you will not be able to take a single step without your corporate masters knowing about it.

Mobile phone carriers take your money and still sell your data. Same for some credit card companies.

And the lack of clarity. The People You May Know things on FB is due to contacts being shared, which is pressed into the user. https://www.usatoday.com/story/tech/columnist/2017/07/30/why...

In my case I’m not buying bread nor being given the bread. I just browsed the neighboring store and this baker still has those details on me.

Ie. I use no google products. Yet by just surfing the web and being tracked through google’s products or by emailing people with gmail, google has almost as much information on me as if I were their user.

And yet when I buy products on Amazon, I still get tracked. (And to boot, they actually seem to be the hardest ones to opt out of tracking, or at least turn off the user-visible personalized recommendations.)

I don’t think the distinction is in whether or not the bread is free, it’s in whether or not that the data collection is disclosed as a non-monetary cost to the bread.

> No, but someone giving bread away for free and doing that wouldn't be so clearly bad.

I disagree. If he is not transparent about what he does with his customers privacy, he is still a "bad neighbor" as the OP put it.

Even if he makes everyone sign a contract which explains his actions before giving them the bread (GDPR-style), the transaction would still be sketchy to me. IMO, to be as fair as possible to the customer, the contract would have to be very clear and concise. Otherwise, the wording of the contract could easily take advantage of the customer's lack of time, short attention span, or poor reading comprehension.

But FB is not giving anything away for free. They are selling your attention on to advertisers. While it's not a cash transaction between you and FB, it is a barter agreement with you. It's not correct to cast FB in the role of selfless baker giving away free bread.

The parent's example accounts for this. Gratis, you use Facebook; they sell your information. That's why people, before they hear about Facebook's revenue model, ask, "What's the catch?"

No. You use Facebook, they already make money by providing access to your eyeballs to advertisers. Selling your information is an additional take. In either case, all I was saying is that the analogy with a baker giving you food to stay alive for free, is a little too generous to be applied to FB.

Maybe it's a bit more like a baker that only gives you free bread once you've come to his store to shake hands and listen to the sales pitch of 10 of his business friends. And then after all that he still quietly spies on you and sells whatever he can glean about you, to people you've never met.

What you're missing is the scale.

Facebook and Google do this sort of data collection on an unprecedented scale that humans really have a hard time wrapping their heads around.

The sheer power that comes from data collection done on such a scale is tremendous.

Comparing it to a little bit of data collection by a single individual is grossly misleading.

Yet even when it's a single individual it feels, at best, incredibly shady.

Exactly this. Comparing similar activities but at vastly different scales will often lead to misleading conclusions.

In engineering, I've heard this idea expressed in the rule of thumb that the best solutions change with each increase in order of magnitude.

Exactly, the analogy would be better the baker following you every time you step out and following everywhere and writting down every window you look, what you buy, how much you pay, taking your adress book and copying the phones of every one of your contacts on it an then call them saying "xx just got free bread! Pass by our store and get yours today!"

I was born in Soviet Ukraine. Under such a dictatorship, this is not just a bad neighbour but someone who is actively dangerous to your continued existence. Because even innocent transgressions against the state can carry fatal consequences "keeping quiet" is taught early and often and loyalty is highly valued from friends and family.

I think this is why I find myself more sensitive to these issues than some of my colleagues. Even if corporate surveillance is harmless under the current political climate, history doesn't stand still.

If he sell the bread for free and good enough then yeah I would consider get my bread from him.

Its not clear what the actual harm of damage that I suffer from these transaction or even if there is any.

I'd say most people wouldn't...but then they'll turn around, head into a Starbucks and pay with the mobile app on their phone...

The baristas get confused when I tell them, every time they bug me about signing up, that 10¢ off a coffee isn't enough if Starbucks wants me to help them with market research.

I have the same sentiment when I end up running into a 7-11 and they ask me "do you have our app?". No I do not have your app and no a slurpee every month will not convince me to install it either. I can not believe the amount of people who just install in without question.

From the HN privacy policy:

Changes to Y Combinator’s Privacy Policy:

The Site and our operations may change from time to time. As a result, at times it may be necessary for Y Combinator to make changes to this Privacy Policy. Y Combinator reserves the right to update or modify this Privacy Policy at any time and from time to time without prior notice. Please review this policy periodically, and especially before you provide any Personal Data. This Privacy Policy was last updated on the date indicated above. Your continued use of the Site after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy.

They have the cookie and they know on which version of the privacy policy we accepted.

Can't they be arsed to show the updated privacy policy when it is put in place, on our next visit?

I'm happy they don't do that. I have my browser set to delete cookies. For many websites that means that I have to click through multiple such "one-time on next visit" banners/popups/whatever each time I visit them.

Speaking of HN, how do you delete your account from it?

What do you want to achieve by deleting your account? I can see basically two options:

1. prevent you (or anyone else) using your handle to post submissions or comments

2. delete all posted submissions and comments in addition to option 1 above; this is a little futile as HN has been indexed and replicated elsewhere

EDIT: the following is incorrect, as pointed out by jacobsheehy.

I will note that both are possible without any assistance from HN, though perhaps option 2 could be made easier.

Deleting content does not seem possible on HN, but you're implying that it is? Once you have posted something and walked away, you cannot delete it from HN.

You’re absolutely right, I had never noticed this before. The delete link disappears after some time.

Surely full delete should be possible under GDPR?

Email hn@ycombinator.com . Dang is really helpful ;)

In other words, the only option is to deal with what we were bemoaning about Dropbox Premium thread yesterday. "Talk to a human who may or may not do it."

"Easy to sign up yourself and impossible to remove yourself" - the perfect dark pattern. All we need to ask now is "Why"...

> the perfect dark pattern

You can't think of anything worse than not having a delete account button on a pseudonymous list of article comments?

> All we need to ask now is "Why"

HN already employs someone to manage this little discussion site, and he seems to have the bandwidth to handle an occasional delete request by hand. Why assume there's a more nefarious reason for not investing resources into automating that process?

> You can't think of anything worse than not having a delete account button on a pseudonymous list of article comments?

Why is HN somehow outside of critique of Dark Patterns?

> HN already employs someone to manage this little discussion site, and he seems to have the bandwidth to handle an occasional delete request by hand. Why assume there's a more nefarious reason for not investing resources into automating that process?

The "little discussion site" is a feeder venue for the venture capitalist side. The words, "Strategic Operations" come to mind.

And I don't have to come up with "assumptions" of nefarious reasons. The fact is, that deletion is not available to us without significant dark patterns. Every other site has this to maintain data and/or users. Why would I expect HN not to be in this category when every other one is?

What would count as your data? Given that your comments are part of threads, perhaps the comments should remain but the user (of all deleted comments by anyone) should be null?

I believe you own the copyright to each comment though, but does GDPR cover PII only or all other data as well?

Threads would be confusing if non-leaf nodes were to be removed.

The GDPR covers "personal data", which is a broader concept than PII, but it only covers personal data and not anything else (i.e. copyright).

The YC privacy policy seems to me to patently be in violation of the GDPR. Namely Article 13(2)(a), (b), (c), and (d). It's arguable whether 13(1)(a) and (f) are being complied with as well.

They also appear to rely on consent. Consent can be withdrawn at any time (Article 7(3)) and the personal data must then not be further processed.

YC could change the legal basis for processing to, say, legitimate interests. This would allow them to claim that comments are an integral part of HN and shouldn't be removed as it would cause disruption.

This is interesting. I wonder if you could get away with saying that by storing the cookie you are consenting, in particular as this is _hacker_ news. And you could withdraw consent by simply deleting the cookie. You’d still have your “account” and related comments; I can’t figure out if the comments themselves are “personal data”. I feel like they ought not be though the linkage of author to commend might be.

btw I’m using HN as a convenient example; i don’t consider the maintainers to be naughty.

> I wonder if you could get away with saying that by storing the cookie you are consenting

No. Consent is opt-in only. It must be "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Recital 11)

>And you could withdraw consent by simply deleting the cookie. You’d still have your “account” and related comments

The data would remain on HN, and thus would still be processed by YC. If deleting the cookie deleted the data then that would be okay, but it doesn't.

>; I can’t figure out if the comments themselves are “personal data”. I feel like they ought not be though the linkage of author to commend might be.

Personal data is any data about an identified or identifiable individual. So not every comment would - by itself - be personal data. But some would be, and the corpus of comments by an individual might be considered personal data in the whole.

>btw I’m using HN as a convenient example; i don’t consider the maintainers to be naughty.

I find it frankly incredulous that YC doesn't know about the GDPR, and yet they refuse to comply. Does that not qualify as "naughty"?

They are small potatoes and may simply not care about European fines as afaik they have no presence in Europe. Next year they will be subject to CCPA and if they care to support that, GDPR will pretty much be supportd too.

I can understand that quite a few companies' commercial product is your personal information (e.g. Facebook, Twitter, and even news media nowadays).

What is scaring me is companies that have a different business model using the same techniques to sell your information. Today I noticed that Dropbox.com login does not work with the Ghostery ad blocker enabled. Ghostery blocked a total of 48 items on Dropbox.com, including 22 trackers. For a company that I pay $100/yr and trust with all my personal files, that number should be 0, everything else is a breach of my trust.

Yeah, unfortunately, spying on people is the norm. I have little confidence these business models will work in the long-run. Hopefully.

When I see "We value your privacy" I know instantly something shady is going on. The only thing I'll accept is a "Accept" and "Reject all" button next to each other without further clicks.

My list of web sites that I actually visit gets smaller and smaller. I have a shortlist and for most of them I pay to remove ads if they have the option and I have all kinds of ad-blocking installed both on the network level and browser level.

You are absolutely right, but the sad reality is that we are a small minority. Perhaps we can influence the world by education though.

Well education is a lost cause due to the masses being overworked/ overstressed / overwhelmed/undereducated /etc. I have seen people who write down their password in paper and carry them around. If people can’t remover secure passwords, how are they gonna protect their privacy?

Time to go back to books and newspapers for information? :)

No there are still websites that you can pay for and I pay whenever I can.

Right now I pay for a local news paper, youtube premium (then ad-block the crap out of it), resetera and di.fm (music). HN doesn't have ads afaik and if it does or try to track me it's blocked. I'd pay for a tracking-free version if that was necessary though.

But I do read a lot of books, approximately two a week :) I also play games quite a bit.

And I know I can't escape tracking entirely (ip tracking ++) but can be damn sure I will try my hardest!

Paying doesn't appear to help one bit. They track you just like before, only now they know your real identity.

I'm sure there are exceptions to this general observation, but I haven't found many (apart from some rare VPNs)

Yes but then I don't have to feel bad for blocking all ads. If I get value out of a site I don't want to freeload.

In what sense is an adblocker freeloading?

They voluntarily delivered content to my device, in my home. What I do with it after that is my business and no one else's.

It's not freeloading in any sense if I serve my breakfast cereal from mason jars instead of the box. It's not if I tear out pages I don't want to see from a book or if I dump the ad leaflet from the newspaper or credit card offers in the trash. It's not freeloading if I mute the radio during political attack ads. Why should it be any different on my computer screen?

My grandma got an iPad, and was using the calculator app to do her finances. I had a chuckle when I saw she had suck a sticky note over the ad. :-) Do you really see that as freeloading?

Its my house, my stuff, I can do with it exactly as I please, and there is absolutely no sense in which those companies have a "right" to my attention or in which I have some moral obligation to give it. To suggest otherwise sounds like a plot from a science fiction movie. I think Black Mirror had an episode like that.

No it's not freeloading.. What I mean is that some sites actually provide value to me so I want to pay them back somehow, but not with ad revenue.

99% of the places I don't feel bad for "freeloading". It was probably a poor choice of a word.

It really seems like the only good privacy policy is

"We just don't collect X data, ever."

I don't know if I would trust it, but it would be the only one that I would have even a tidbit of faith in / think that it represents a good faith offer.

If they do collect it, I just assume it is being stored in the name of selling it. At this point it seems to be a foregone conclusion.

A contract which allows one party to change the terms may not be a valid contract at all. There's a legal truism, "an agreement to agree is not an agreement."[1] This comes up regularly in "letter of intent" cases. The rules vary by state. New York is very negative on "agreements to agree".[2] Putting a phrase like that in a contract may weaken the position of the party putting it there.

Any comments from lawyers?

[1] https://www.blaney.com/articles/agreements-to-agree-do-they-... [2] https://scarincihollenbeck.com/law-firm-insights/agreement-t...

Privacy policies can change at any time, but that's not the only problem. Companies that hold your private data can be hacked. They can be acquired by new owners who don't care about privacy.

Even if you trust a company with your private data, and even if you are fully informed about the data that they collect and what they use it for, you will have no control over what happens to that data eventually.

Of course we value your privacy.

In US dollars.

I really want to see companies getting fined for breaking the GDPR. Even better would be if they got a few companies to a bankruptcy lvl. Mainly so we get rid of the dark patterns. Just have 3 options: Accept All, Reject All, Custom

I hate it when the only option is accept or when I get redirected to a 3rd party website which tells me I need to enable 3rd party cookies for them to not track me... well fuck you guys, I don’t want to enable them.

My solution so far is: Ghostery + DuckDuckGo + uBlock Origins + PiHole. Any other suggestions are welcomed.

I noticed that some of these often-used cookie accept overlays take an awful long time to apply my choice (up to a minute) when I opt out of all non-required cookies.

I guess that is on purpose to annoy me to click “Accept all” anyway. I don’t expect that they value my choice either.

Serious question -- how can this be legal?

Think about it. For all I know tomorrow the policy could say "You agree to pay the site all your savings?" This sort of prior blank-check consent seems to lead to absurd scenarios when thought about.

I’m willing to bet it’s not enforceable, and in court it would not hold up for a company to claim their new privacy policy was intrinsically consented to by virtue of site usage alone.

The purpose is probably just to add legal obfuscation and extra cost burdens in the process of suing a company over privacy issues. It costs them little to add legalese like this to their policy, and may possibly create some gargantuan burden of effort in the future to argue that it’s not enforceable, just further reducing the number of would-be lawsuits to challenge them.

How can this be legal? Maybe it isn't; you have to file GDPR complaints.

the last time i’ve seen such a drive for privacy was during the USSR, where the state wiuld actually kill or at least torture you. so you had to hide everything from them. this led to a broken society, where everyone lied to eachother over the most basic things (e.g. going out, eating a loaf of bread etc). that’s one of the reasons i escaped to the western world, where transparency was the norm, where no one cared what you had for breakfast, where there was no real threat to your life due to over exposure.

fast forward to today, and it feels like the west is developing into the USSR, but without the threats to life, just the “hide everything about you” part. it also feels like a partly nativist europe vs the rest of the world.

now it seems i have to escape yet again to parts of asia where they don’t worry about stuff like this.

edit: at the last minute i’m reminded that this is just the HN bubble, and outside Europe people still act normal and don’t care about this stuff.

As someone who recently put together a privacy policy myself, I can assure you that an updating clause is standard practice for both privacy policies and terms of service. The documents are really mostly for minimizing liability.

You can object to that, sure, but no sane company is going to open themselves up to lawsuits just because a few users are upset about it.

The other thing that is driving me crazy is the dark patterns employed to get you to click accept. Sometimes the reject button has deliberately had the onclick/hover changes removed so it doesn’t feel like a working button, other times it’s buried 3 levels deep etc.

What are we supposed to do about these? They have been added to comply with GDPR but clearly don’t.

What is funny is that time and again we've found that ... companies will still do what they want it even if "accidentally".

> Would you agree to a contract that can be changed by the other party at any time in any way?

A privacy policy is not a contract.

Of course it has to be (and should be) updatable. The privacy landscape changes over time.

The way these things are, is actually perfect. It means, you can ignore it entirely because the company has complete discretion on whether to abide or not. The only thing you have to go by, is reputational considerations (which doesn't recover your lost privacy), and absolute legal requirements that exist outside of any policy statement, eg GDPR, COPPA, HIPAA.

> A privacy policy is not a contract

Exactly. Why Atlas Obscura even uses language about "agreement" ("[...], you are agreeing to such modifications.") is beyond me. It might even result in more legal exposure and restrict their freedom to move within the limits of the GDPR to rely on user consent (provided they even want to comply with the GDPR as a Delaware Corp).

I guessed that the title was about startups that value privacy but still collect too much data. When they get acquired by a typical giant corporation, they don't value privacy but still have lots of data. The modification clause is what enables them to misuse peoples' data.

this is illegal under GDPR for two reasons: opt-in gained with privacy policy v1 are not valid if gets updated. and you need to opt in by choice not because is the only option

Is it just my limited understanding, or are a majority of companies blatantly violating GDPR?

I was reading through Vox's privacy policy the other day, on a whim. (I'm in the US, but I was connected to a UK VPN at the time--so if the policy does explicitly change depending on country, they should have thought I was in the EU.) The cookie policy can be summarized as: "We use cookies to track you. If you don't want us to use cookies to track you, you can opt out by setting your browser to block all cookies." Never mind that this would cause a wide range of functionality to not work.

And then there's Amazon. I desperately want Amazon to stop showing me personalized recommendations--I don't actually mind the tracking, but I feel as though recommendations push me into a filter bubble. As far as I can tell, there is zero way to do this whatsoever.

If you want to use a gopro on your phone you MuST agree to give then your location data. It's the only option.

Wouldn't leaving the site be a valid way to opt out?

I just opened atlasobscura.com

There is no privacy popup for me. I am in the US, so EU laws are not applicable here.

I blame EU GDPR laws for the popup that Rainer Müller suffered from.

IOW you don't even get notice they're tracking you. Is that an improvement?

Thanks, that is indeed an interesting detail. However, you have to assume they use your data the same way, they just do not ask for your consent.

GDPR execution has been a dumpster fire of usability dark patterns and user hostile design.

The web has not had this many pop-ups since the 1990s.

The problem is not with the pop-ups, but with how many dark patterns are involved in getting your consent.

They could have made a simple pop-up, in simple language with two clear options and an optional dropdown showing all the "providers" but then again that would have been too user friendly.

Maybe GDPR should be revised to address these things, maybe even provide a template with 5 different color schemes that everyone should be forced to use.

The problem for the majority of the visitors are pop-ups. Everyone just clicks the green button. No time to read two clear options or bother with dropdowns. That's how people behave.

These pop-ups are required by GDPR. If your site doesn't have a pop-up you risk losing 20M Euro.

This has very little to do with the GDPR. The GDPR allows the use of cookies under various provisions, and does not necessarily require user consent. These popups are about the ePrivacy directive (aka "cookie law"): https://en.m.wikipedia.org/wiki/Privacy_and_Electronic_Commu...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact