Hacker News new | comments | ask | show | jobs | submit login
Why no one really quits Google or Facebook (techcrunch.com)
33 points by BeqaP 11 days ago | hide | past | web | favorite | 48 comments

It's not that hard to do without Google, except for search. My phone has all Google user-facing services removed. Mail is on an Sonic IMAP server and accessed with K-9 mail. Browsing is is with Fennec. Apps come from F-Droid. Navigation is based on Open Street Map. GPS assistance comes from Mozilla's location provider. No Facebook on mobile. Messaging is SMS and email.

On desktop, documents are in Libre Office. Privacy Badger blocks most of the junk. Browsing is with Firefox. Mail is via Thunderbird, talking to the same IMAP server. Haven't looked at Facebook this week yet.

ISP is Sonic.net, which just moves bits, and doesn't MITM anything. They're pro net neutrality.

Who needs Google?

This article suggests that completely cutting Google out of your life is actually really really hard and breaks a lot of things unexpectedly:


If you think its easy, you've probably only cut out the most obvious vectors.

Part of the issue the article notes is: once you start with Google (or any large, interconnected service ecosystem), there's quite a bit of activation-energy cost to leaving it.

Consider Drive as an example. You can download the entire contents of your Drive at any time. Where do you upload it to? How many services will provide a clean and easy way to import all Drive documents? Will they maintain folder hierarchy? Individual files in Drive can also be shared with zero, a few, or all users with a given URL---can your new collaborative document editing tool be set up to manage that state? Is it automatable, or something you'll have to set up by hand for 10s - 100s - 1000s of documents?

This is the kind of thing an enterprise can pay someone to sort out, but individual users really have to care about leaving a service family (that one assumes at some point in the past they were already happy with the privacy / security tradeoff) to invest the time and effort to do so without data or functionality loss.

I didn't "leave". I didn't "enter" the Google ecosystem.

Based on the article title ("Why no one really quits Google or Facebook"), your experience doesn't align with the scenario the article is talking about; it's scoped to people who already adopted these service ecosystems.

The people who feel that they cannot quit Facebook seem to think that quitting Facebook means replacing it with something else. Most people who have quit do not move 2000 contacts to new platforms - they simply stop using Facebook.

> " They are willing to give up privacy for free email. "

How exactly does Google/GMail violate the users' privacy with email?

They process the messages, show hyper-targeted ads. End of story.

But is there a Cambridge Analytica for GMail? Can some "app" exfiltrate the emails? Or the contacts of users?

What you describe sounds exactly like giving up privacy to me, even if it doesn't sound like giving up privacy to you.

And then when you add in all the other tracking that Google does of your web history, search history, location data, that is pretty much all your privacy gone.

Let's say I pay an assistant to help with my email. Even though they are in my employ, I'm still giving up my privacy for the service. Google gives us email service in exchange for that peek in to our private lives.

"An assistant to help with my X" is a pretty solid, concise description of Google's service suite, complete with the observation about privacy.

In essence, yes. Except the human assistant could technically be coerced to spill the beans on you. Via bribes or blackmail, etc.

Gmail dosen't. The ads you see have nothing to do with your mail activity. They haven't for a while now. Not saying Google is a paragon of privacy, mind you.


I never understood how scanning emails to show ads is a privacy violation? No information about you is leaking to anyone.

I think it's the whole _scanning emails_. The information is already leaked at that point.

Leaked to whom though? That's what I don't get. No human is involved in the process and your information is in the hands of the same company as before.

That's a lot of trust in a black box coded by humans. What's going on under the hood with their Smart Compose? Smart Reply? Smart Labels? It all requires processing very very personal information, and you simply can't vet whether it's all handled securely.

Sure, you're trusting their code is bug free. That's just (lack of) faith on your end. The fact that you decide not to trust their competence certainly does not logically imply that they are invading your privacy. It just means you need to trust their competence or take your business to some company you deem more competent. (Though exactly which company would be more competent in infosec is quite the question, but I digress.)

No, it's a lot more than just trusting that their code is bug-free. It's trusting that they're actually only doing what they claim to be doing with your data.

The only solution is to have the code open sourced with reproducible builds and a checksum to verify it against. Pretty much every GApp has a free, libre, open-source alternative that respects your privacy in this way.

Even that: if you lack trust on your part, that does not imply what someone else is doing is an invasion of your privacy. If you claim someone is invading your privacy, that is an accusation... a serious one at that. To support it you need to actually describe how that is happening, not merely how you have problems trusting people who deal with your information. I don't see how this is not obvious.

It's why GDPR came into being, and California's recent data privacy law. We have no reason to have faith in these companies to keep our data safe, or to use it properly. After 10+ years of having our credit card numbers, social security numbers, emails, passwords, and so on leaked again and again, I fail to see how one wouldn't have trust issues at this point.

I never said you can't have trust issues or that GDPR isn't necessary, I'm saying neither of those implies they are invading your privacy when they show you ads based on your emails. This should be pretty clear?

The root of the issue is that if they _are_ invading your privacy, you wouldn't be able to tell.


Yes, and if they aren't, you wouldn't be able to tell either, so all that means is you're willing to recklessly make unjustified accusations to defame a company without actual evidence.

Well, we already know they require reading your emails to power their Smart features. That's enough of an invasion of my privacy to use a FOSS alternative, and I'll always be an advocate for this.

Which makes sense, but reading emails to provide smart features is not an automatic loss of privacy.

Google runs the SmartBot2000 software for you. If you use FOSS but run it on AWS EC2, you still need to trust the software, manage the upgrades (or trust the auto upgrade feature, trust the maintainers), and trust AWS for not fucking with your VM.

We have a few physical servers. And probably always will. We run our own email, but also use gmail too. Because sometimes our email breaks, sometimes [understandably fewer times] gmail breaks (or is not available, such as in China). And we will probably always run our email, but it's a lot of work, and it's not for everybody. And even though postfix, dovecot and K9/thunderbird/roundcube are all fine, they are not as smart as gmail. (but usually snappier)

You need decades of experience to set up a secure email host. GMail does it for people in exchange for showing them ads. (uBlock FTW, BTW)

NSA/Prism is a valid reason to use your own mailserver, but then again, keeping up with TLS/OpenSSL issues is a valid reason to use a non-self-hosted solution (as they do it for you, though gmail accepts unencrypted SMTP :/).

And of course, at the end of the day, there's ProtonMail!

Very true! I personally use both ProtonMail and Tutanota, and give my thanks to Proton for opening their OpenPGP library. I don't think the source to their servers is open, but that's not necessary since:

1) you can't verify they're actually running that code anyway

2) it's end-to-end encrypted so as long as the client-side code is indeed doing its part, your message could be sent to everyone on the planet without any fear of anyone figuring out its plaintext.

Ok so then you need to invent a new word for what is lost when companies further cross the line from [using your data in a totally internal and in fact internal to just your account]. Because it seems like a big step from treating your data as a tool to affect your experience to selling it to other companies to do whatever they want with. What is the primary word associated with that step if not "privacy"?

Yes, developers can request permission to access your inbox "offline" (i.e. at any time, with a long-term access token). The scope is clearly identified in the OAuth authentication process, and the consent screen clearly asks for permission to (IIRC) "read, write, and delete emails." There are a few well-known applications (Earny and Unroll.me come to mind, off the top of my head) that are known to work with consumer research operations with the resulting data.

I am so far willing to give up some small amount of privacy for free email, though I'd also pay Google for it because it is simply the best email hosting I could find. I don't want to host my own email, hosting email sucks. I've tried other email hosters and they just weren't as good. They also have security in place that takes care of all the big things in my threat model.

So when it comes to email... yeah, it's not as private as it could be, but it's about the best I can find for everything else. It ain't perfect, but it's the best option for me right now. Maybe it won't be in a year or two?

That hasn't been the case for nearly five years... Gmail messages are NOT used for any ad targeting.

They process the messages

That's SVspeak for

they read your emails

Yes, yes. I know it's a machine.

Any email host reads you emails. And not everyone is up to the task of hosting their own emails.

lmao, or: it is actually hard to quit these companies even if you're educated, well-informed, and set to do it. Aside from many articles[1] written precisely about this, casual conversations with anyone who tries to exercise their consumer agency and giving them up talk about why it's hard to do.

Has this author ever spoken to anyone who's tried using a smartphone or OS that isn't Apple or Google? "People love free stuff" isn't a sufficient explanation, it reads like someone trying to blame consumers, to say nothing of the ethical implications behind the conscious, deliberate decisions behind each of the scandals they're happy to wave away.

[1]: https://gizmodo.com/c/goodbye-big-five

I believe this article mentions that the ecosystems are hard to switch away from once adopted.

> But after more than a decade of abuse, we should look deeper at our analysis and perhaps conclude that these issues aren’t abuse at all, but rather a bargain, a negotiation, and one that people are quite willing to live with.

No. We shouldn't conclude anything. The author gives the mass market way too much credit in knowing the extent of tracking, data-harvesting, data-sharing, MITM access (ie, ISPs, cell companies), the lack of transparency, the lack of accountability, the backdoor collusion with government and an entrenched news media that has a vested interest in protecting their ad revenue.

In the grand sleazy scale of things, they are nearly ignorant compared to knowledgeable: basing their consumerism on PR statements, selfies and memes. It remains for most of them... A Brave New World.

Would a solution to Facebook's monopoly be allowing other companies to interface into their systems and databases as it's more of a public good than a private one people can reasonably opt out of?

So I'd expect something like a company coming out allowing you to do everything Facebook does and use the same data with events and everything, but that does not ask you to give away your data.

The irony, of course, is that when you open TechCrunch in the EU the first thing you see is a GDPR disclaimer saying “hey we’re gonna collect your data to do whatever we want with”, which 95% of consumers will just click through. This isn’t a Google or Facebook problem as much as it is an internet problem.

clickbaity title, it's article actually about lazy people, I quit Facebook completely and pretty much Google besides search in browser, so not sure what's the point of article

I am not lazy, but cannot quit Facebook, as it is a valuable resource for events and keeping contact with people, both close and far.

> Indeed, this is the very foundation for the GDPR policy in Europe: users should have a choice about how their data is used, and be fully-informed on its uses in order to make the right decision for them.

I still fundamentally disagree with Europe's stance on data ownership. If I collect data on a person in a public location, I believe I own that data, not the person. If a person walks into my store and I take a picture of them, I don't believe I've "stolen" anything from them, nor do they have the right to demand I give them a copy of the picture I took and delete the picture from my hard drive. This fantasy world where everyone should be able to be perfectly anonymous and erase all evidence of their existence anytime they want is a bad idea. There has to be a balance between publicly available information and private information. If you are in a public location, I should be able to glean information from observations.

This was ok before the aggregation came. My presence on the street at point X,Y at time T is public information and I don't object to it being captured once, say, by a tourist taking a photo. But aggregated over a week at 10 second intervals? That's a breach of privacy.

Quantity makes a huge difference.

If you take a picture of a person naked on a beach without their permission, is it ok to use that picture as you like?

Why should I need their permission when it is a public location? If they don't want to be photographed naked in public, don't go around naked in public.

If I'm a skilled artist and I see a person naked in public without their permission, am I allowed to recall those thoughts and recreate the image in my mind onto paper using my artistic dexterity? Or am I breaking some privacy law by doing so?

> If you take a picture of a person naked on a beach without their permission, is it ok to use that picture as you like?

Sounds like a straw man argument. People voluntarily upload/submit their data to Google, Facebook, etc

They do, but with the intent to share it with their friends, not to have Facebook/Google use them for completely different purposes.

>If I collect data on a person in a public location, I believe I own that data, not the person.

Where do you define 'a public location' in terms of internet use?

> There has to be a balance between publicly available information and private information.

You're arguing that more data should be public so you can privatize it?

It's a reasonable space to have disagreement in, which is why US and EU law differs here.

I think the question of who owns it is normative, since ownership itself is just a legal/social construct. The question is which policy leads to a better world. On that front, I tend to agree with you. There are few people who will be materially happier or better off from GDPR, and it does close off some analysis that would be beneficial to business. If business is hurt and no one is helped, I call that a net negative.

But, it is the law of the land, and unlikely to change in the near future. Lots of things are suboptimal and I’m not sure GDPR is very close to the top of my list. So you get over it and move on.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact