After you leave, he writes down, on a piece of paper, your name (he knows you, after all), when you arrived, how long you took to choose what to buy, what you bought, and how you paid - bills, credit card, etc. He also writes down if you looked happy, nervous, what you were wearing, if you were with someone, and anything else he can see.
He then seals this paper in an envelope, and at night, when no-one is around to see, sells a whole bag of such envelopes to the mining/merchant/transportation conglomerate from the neighboring town, for little more than pocket-change.
Would you consider such a person a good neighbor?
I would say that's even worse. By giving bread away for free, he's making it impossible for other bakeries to compete unless they do the same thing.
This is why there are no serious competitors to services like Facebook or GMail. It's impossible to compete with free unless you monetize the data.
I say this as someone who pays for ProtonMail. Do you think it's possible to convince friends and family to start paying for email as well when they already get it for free?
If there are enough people who are ready to pay for their bread and prevent selling out their private information -- then it would allow such privacy respecting bakeries to exist.
Or worse, sometimes they do take your money, but it's impossible to verify whether or not they kept your information out, until the next data leak, when you discover that they didn't.
But some users start to worry when that information is getting sold to third-party providers. Information sales are easier to audit.
The vast majority of users don't understand what is happening, and the few that are aware have decided that it's not worth the fuss, because they have correctly internalized that they basically have no real choice in the matter.
This sort of data collection is almost never optional, and when it is, the settings are deliberately hidden and obfuscated behind the worst kind of dark patterns.
If properly informed about what data is collected, and given a real choice about opting out, that doesn't reset every two seconds or hobble the service (what gdpr theoretically requires), I think the majority of users would be concerned and would opt out of as much as possible.
Free markets don’t exist.
A great example of this is car insurance companies. I had a friend who is a very careful driver and was looking to maximize his cost savings, so agreed to use an app that would track things like hard braking, average speed, etc, and at first he was complaining about how stupid the definitions for hard breaking were, then after months of data the insurance company actually raised his rates with the justification that his driving times were during peak traffic hours (you know, when everyone drives to work and back) and therefor he was a higher risk.
I told him before he started that would be the outcome. Simply because I extrapolated the insurance companies wanted to be able to use data they defined to make extra money. Not working? Redefine the data.
Not to mention the fact they are probably also making a bit Morea on top selling it to a third party (and even in anonymized, I think we all know how easy it is these days to deanonymize data)
People will start caring because it will affect them, but I'd they don't start caring now it will largely be too late or at least a much harder battle.
Obviously we are not quite there yet. You friend has learned a lesson, many here are paying money so that they could say "hey siri/google".
Easier yes, more profitable no. Selling direct advertising is the most profitable of all: the money all goes to the site without 20 trackers and 8 seconds of auction-waiting on each of your pages, resulting in a better experience for everybody.
This doesn't prove that direct selling is more profitable. Sure there is no ad network taking a 40% cut but sites also need to run their own in house sales staff then.
And I'm pretty sure that per-unit it is indeed more profitable.
He's not going to make enough from simply selling data to invest in talented bakers and quality ingredients, so his bread will be visibly at the lowest tier of quality. Other bakeries will compete on baking bread that is actually edible.
However, computers mean that the analogy breaks down. The data is selling for more than the cost of the service.
But only to a point, I think it's actually become somewhat overrated as a principle. Many of the most valuable subpopulations of any market are made up of people who know perfectly well how financial reality works, and that things that aren't free to offer need to get paid for somehow. There was a period where often "free" really was essentially free, because it was VCs pissing away money, and it was perfectly rational to use it. Or there were volunteer efforts while people tried things. Much of that of course was not sustainable, and the compromises that come with it long term are a lot more visible and widely known now. There is backlash to be seen against "free" models in plenty of areas. Sure, much of the market may make the bargain, but that isn't the same thing as there being no market for something that has a higher sticker price but offers privacy and quality alongside that.
>Do you think it's possible to convince friends and family to start paying for email as well when they already get it for free?
Yeah, pretty trivially, so long as their needs are normal. Email is just such a fundamentally light service for most usage that it can be covered easily. These days I do most of my domains through Gandi.net for example, and each domain includes 5 mailboxes at 3 gigs a pop. In actual practice is just hasn't been hard to sell friends and family on the value of having their own domain for email. It looks good/personalized, it means they can have the exact handle they want rather then firstname.lastname@example.org, tying into that they can have easier mailbox splits, it means they can keep their email if they move to a different service, and $16/year or less simply does not break the bank. I've set up a lot of friends and family at this point, and nobody has ever had any difficulty grasping the advantages of any of these in this day and age. Many have for example lost old email accounts before due to moving services, and "this can be yours for the rest of your life regardless of where you go" is quite compelling. It's not even just companies going out of business, it's not hard to pull up stories of Google alglorithms banning accounts for unrelated stuff for example, and it being nearly impossible to rectify.
The real obstacle isn't some minimal payment, it's that it's seen as more technically challenging, or they've simply never considered it at all.
I have a question. How is it the customers data? The data is about a transaction that happened in the bakers store. It's all information that was plain for the baker to see. The baker did the work to collect it.
In fact, all the information is about the interaction directly with the baker. How is this not the bakers data?
Can someone walk into my store and somehow give me something that belongs to them against my will? And then impose requirements on me about what I can do with it? Or it only belongs to them at the point I write it down?
Now I start to agree that there are concerns at the point in a computing scenario when people are gathering data that isn't a part of the transaction actually taking place without the person knowing. But shouldn't that be on the browsers to deal with?
Translating this analogy back to tech inverts your argument: It's my phone, and it's my computer. Thus any data collected from or generated on these devices is mine. I'm just letting a company use these hardware resources temporarily to deliver a service.
Mozilla and apple claim to want to protect your privacy, but their browsers continue to sell you down the river
You can argue all you want that nothing was 'taken' from you, yet at the end of the day you will not be able to take a single step without your corporate masters knowing about it.
Ie. I use no google products. Yet by just surfing the web and being tracked through google’s products or by emailing people with gmail, google has almost as much information on me as if I were their user.
I disagree. If he is not transparent about what he does with his customers privacy, he is still a "bad neighbor" as the OP put it.
Even if he makes everyone sign a contract which explains his actions before giving them the bread (GDPR-style), the transaction would still be sketchy to me. IMO, to be as fair as possible to the customer, the contract would have to be very clear and concise. Otherwise, the wording of the contract could easily take advantage of the customer's lack of time, short attention span, or poor reading comprehension.
Maybe it's a bit more like a baker that only gives you free bread once you've come to his store to shake hands and listen to the sales pitch of 10 of his business friends. And then after all that he still quietly spies on you and sells whatever he can glean about you, to people you've never met.
Facebook and Google do this sort of data collection on an unprecedented scale that humans really have a hard time wrapping their heads around.
The sheer power that comes from data collection done on such a scale is tremendous.
Comparing it to a little bit of data collection by a single individual is grossly misleading.
In engineering, I've heard this idea expressed in the rule of thumb that the best solutions change with each increase in order of magnitude.
I think this is why I find myself more sensitive to these issues than some of my colleagues. Even if corporate surveillance is harmless under the current political climate, history doesn't stand still.
Its not clear what the actual harm of damage that I suffer from these transaction or even if there is any.
The baristas get confused when I tell them, every time they bug me about signing up, that 10¢ off a coffee isn't enough if Starbucks wants me to help them with market research.
1. prevent you (or anyone else) using your handle to post submissions or comments
2. delete all posted submissions and comments in addition to option 1 above; this is a little futile as HN has been indexed and replicated elsewhere
EDIT: the following is incorrect, as pointed out by jacobsheehy.
I will note that both are possible without any assistance from HN, though perhaps option 2 could be made easier.
"Easy to sign up yourself and impossible to remove yourself" - the perfect dark pattern. All we need to ask now is "Why"...
You can't think of anything worse than not having a delete account button on a pseudonymous list of article comments?
> All we need to ask now is "Why"
HN already employs someone to manage this little discussion site, and he seems to have the bandwidth to handle an occasional delete request by hand. Why assume there's a more nefarious reason for not investing resources into automating that process?
Why is HN somehow outside of critique of Dark Patterns?
> HN already employs someone to manage this little discussion site, and he seems to have the bandwidth to handle an occasional delete request by hand. Why assume there's a more nefarious reason for not investing resources into automating that process?
The "little discussion site" is a feeder venue for the venture capitalist side. The words, "Strategic Operations" come to mind.
And I don't have to come up with "assumptions" of nefarious reasons. The fact is, that deletion is not available to us without significant dark patterns. Every other site has this to maintain data and/or users. Why would I expect HN not to be in this category when every other one is?
I believe you own the copyright to each comment though, but does GDPR cover PII only or all other data as well?
Threads would be confusing if non-leaf nodes were to be removed.
They also appear to rely on consent. Consent can be withdrawn at any time (Article 7(3)) and the personal data must then not be further processed.
YC could change the legal basis for processing to, say, legitimate interests. This would allow them to claim that comments are an integral part of HN and shouldn't be removed as it would cause disruption.
btw I’m using HN as a convenient example; i don’t consider the maintainers to be naughty.
No. Consent is opt-in only. It must be "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Recital 11)
>And you could withdraw consent by simply deleting the cookie. You’d still have your “account” and related comments
The data would remain on HN, and thus would still be processed by YC. If deleting the cookie deleted the data then that would be okay, but it doesn't.
>; I can’t figure out if the comments themselves are “personal data”. I feel like they ought not be though the linkage of author to commend might be.
Personal data is any data about an identified or identifiable individual. So not every comment would - by itself - be personal data. But some would be, and the corpus of comments by an individual might be considered personal data in the whole.
>btw I’m using HN as a convenient example; i don’t consider the maintainers to be naughty.
I find it frankly incredulous that YC doesn't know about the GDPR, and yet they refuse to comply. Does that not qualify as "naughty"?
What is scaring me is companies that have a different business model using the same techniques to sell your information. Today I noticed that Dropbox.com login does not work with the Ghostery ad blocker enabled. Ghostery blocked a total of 48 items on Dropbox.com, including 22 trackers. For a company that I pay $100/yr and trust with all my personal files, that number should be 0, everything else is a breach of my trust.
My list of web sites that I actually visit gets smaller and smaller. I have a shortlist and for most of them I pay to remove ads if they have the option and I have all kinds of ad-blocking installed both on the network level and browser level.
Right now I pay for a local news paper, youtube premium (then ad-block the crap out of it), resetera and di.fm (music). HN doesn't have ads afaik and if it does or try to track me it's blocked. I'd pay for a tracking-free version if that was necessary though.
But I do read a lot of books, approximately two a week :)
I also play games quite a bit.
And I know I can't escape tracking entirely (ip tracking ++) but can be damn sure I will try my hardest!
I'm sure there are exceptions to this general observation, but I haven't found many (apart from some rare VPNs)
They voluntarily delivered content to my device, in my home. What I do with it after that is my business and no one else's.
It's not freeloading in any sense if I serve my breakfast cereal from mason jars instead of the box. It's not if I tear out pages I don't want to see from a book or if I dump the ad leaflet from the newspaper or credit card offers in the trash. It's not freeloading if I mute the radio during political attack ads. Why should it be any different on my computer screen?
My grandma got an iPad, and was using the calculator app to do her finances. I had a chuckle when I saw she had suck a sticky note over the ad. :-) Do you really see that as freeloading?
Its my house, my stuff, I can do with it exactly as I please, and there is absolutely no sense in which those companies have a "right" to my attention or in which I have some moral obligation to give it. To suggest otherwise sounds like a plot from a science fiction movie. I think Black Mirror had an episode like that.
99% of the places I don't feel bad for "freeloading". It was probably a poor choice of a word.
"We just don't collect X data, ever."
I don't know if I would trust it, but it would be the only one that I would have even a tidbit of faith in / think that it represents a good faith offer.
If they do collect it, I just assume it is being stored in the name of selling it. At this point it seems to be a foregone conclusion.
Any comments from lawyers?
Even if you trust a company with your private data, and even if you are fully informed about the data that they collect and what they use it for, you will have no control over what happens to that data eventually.
In US dollars.
I hate it when the only option is accept or when I get redirected to a 3rd party website which tells me I need to enable 3rd party cookies for them to not track me... well fuck you guys, I don’t want to enable them.
My solution so far is: Ghostery + DuckDuckGo + uBlock Origins + PiHole. Any other suggestions are welcomed.
I guess that is on purpose to annoy me to click “Accept all” anyway. I don’t expect that they value my choice either.
Think about it. For all I know tomorrow the policy could say "You agree to pay the site all your savings?" This sort of prior blank-check consent seems to lead to absurd scenarios when thought about.
The purpose is probably just to add legal obfuscation and extra cost burdens in the process of suing a company over privacy issues. It costs them little to add legalese like this to their policy, and may possibly create some gargantuan burden of effort in the future to argue that it’s not enforceable, just further reducing the number of would-be lawsuits to challenge them.
fast forward to today, and it feels like the west is developing into the USSR, but without the threats to life, just the “hide everything about you” part. it also feels like a partly nativist europe vs the rest of the world.
now it seems i have to escape yet again to parts of asia where they don’t worry about stuff like this.
at the last minute i’m reminded that this is just the HN bubble, and outside Europe people still act normal and don’t care about this stuff.
You can object to that, sure, but no sane company is going to open themselves up to lawsuits just because a few users are upset about it.
What are we supposed to do about these? They have been added to comply with GDPR but clearly don’t.
Of course it has to be (and should be) updatable. The privacy landscape changes over time.
The way these things are, is actually perfect. It means, you can ignore it entirely because the company has complete discretion on whether to abide or not. The only thing you have to go by, is reputational considerations (which doesn't recover your lost privacy), and absolute legal requirements that exist outside of any policy statement, eg GDPR, COPPA, HIPAA.
Exactly. Why Atlas Obscura even uses language about "agreement" ("[...], you are agreeing to such modifications.") is beyond me. It might even result in more legal exposure and restrict their freedom to move within the limits of the GDPR to rely on user consent (provided they even want to comply with the GDPR as a Delaware Corp).
And then there's Amazon. I desperately want Amazon to stop showing me personalized recommendations--I don't actually mind the tracking, but I feel as though recommendations push me into a filter bubble. As far as I can tell, there is zero way to do this whatsoever.
There is no privacy popup for me.
I am in the US, so EU laws are not applicable here.
I blame EU GDPR laws for the popup that Rainer Müller suffered from.
The web has not had this many pop-ups since the 1990s.
They could have made a simple pop-up, in simple language with two clear options and an optional dropdown showing all the "providers" but then again that would have been too user friendly.
Maybe GDPR should be revised to address these things, maybe even provide a template with 5 different color schemes that everyone should be forced to use.
These pop-ups are required by GDPR. If your site doesn't have a pop-up you risk losing 20M Euro.