Note to non-EU users: Techcrunch is completely blocking the page with a popup asking me to share my location and behavioral data (for advertising purposes) with a probably very long list of companies (something called "Oath" family).
The logos shown are for Yahoo, Aol, Autoblog, Huffpost and Engadget.
Nah. I'll skip as always :D
I've just tried it out, works great. I'm not using quite as strict a filter as you are, basically Oath sites, medium and known paywalled sites. I will add to it as I go :)
1st popup page: Some text about Oath with big "OK" button and same size "Manage Options" link. By clicking OK you agree to everything.
2nd popup page when clicking "Manage Options" link: Some more text about Oath with big "OK" button and tiny "Manage Options" link next to a headline. I have no idea what happens when I click OK here. Is it the same as the "OK" button on the first page? I didn't manage anything here yet so I guess it could mean agree to everything again. On the other hand there are some settings you can change on the next screen (you don't know that at this point though), so maybe "OK" now means continue and use these settings? You have to trust that they are opt-in rather than opt-out, otherwise you need to check the settings.
3rd popup page when clicking "Manage Options" link: Some text about Oath partners with links within the text. The big button is called "Done" now but at this point it is not clear what exactly that means because there was nothing to manage yet. Clicking the link to show partners displays a list of 10 essential partners (Amazon, Google, ebay etc.) with links to 10 data privacy policies that you apparently automatically have to agree with. A bit hard to notice but there's another tab for IAB partner with 224 more partners. At least they aren't enabled by default.
I guess "Done" means use these options and it brings you back to the 2nd popup. I actually have no idea at which point I disagreed or disabled something, I just got trained to click a bunch of "OK" buttons with unclear meaning.
I say "supposedly", because the first partner I clicked on led me to the "I'm not a robot" captcha.
After which I just closed the window. Guess I'll not read the article after all.
How on earth they expect this to fly under the GDPR, especially considering that "[t]hese partners may access your device to collect data for ad selection, delivery and measurement", is beyond me.
Oath, noun - profane or obscene expression usually of surprise or anger.
Anyway, I'll just read the comments here and that'll be enough for me.
I hope their practices come under fire from the EU before long.
And it remains to be seen whether that is legal.
My take on it is it is BS and a cost/benefit analysis.
The way they set up their pop up is plain evil, trying to deceive the user. In the end, it is almost impossible to find the opt-out options, and you have to agree to share your data with the largest ad-networks anyway, otherwise you can not use the website.
The privacy "dash board" doesn't even work without error.
Even if you are not in a country where you are presented with these pop-ups, the way this is handled should really make you think long and hard about the ethics of the companies behind oauth and techcrunch!
Anybody who takes your privacy seriously won’t even have to ask for consent, because there is nothing to ask for
Examples abound: finding out where people are the most frustrated (high exit rates), what content drives the most interest (page views), what content is missing or inaccurate (high bounce rate and low visit duration for visitors coming from Google), how they are using the site (browsing patterns from page to page), etc. etc.
Preventing all forms of tracking will definitely result in lower quality websites across the board, so like with all things there has to be a middle-ground found.
Furthermore it should be possible to sell ad space without directly embedding potentially malicious stuff from foreign whose content might change on such a granular level even you as the site owner cannot verify what is served to your visitors.
It is possible to use webfonts without loading them from foreign servers.
It is possible to verify real users without training the AI models of monopolist webcompanies.
It is possible to link to your Facebook page without embedding a Facebook tracker in an icon.
It is possible to get comments without giving these to other parties.
These are all decisions you take when you decide whether you really value your users' privacy.
Of course sometimes you don’t have much of a choice, but I saw sites which decided against all points raised above, and list about 30 trackers that are enabled per default and still claim they value their users' privacy. So not only do you not value my privacy, but you also lie to me.
I avoid sites like these like the pest and will close that tab before reading anything.
Honest question: How?
In increasing order of strictness and complexity:
- Use hidden/visible field shenanigans
- Ask questions your audience should be able to answer (chess-captchas, maths-questions, etc.)
- Require registration with e-mail validation
- Require registration with SMS validation
- Make that part of the site invitation-only
- Use some kind of trust-based system (e.g.: users can invite other users)
- Manually approve stuff
- Ask for ID scans and manually check them
- Combinations of the above
Unless you are a juicy enough target (not many sites are), just a few measures will get you to that good-enough point. Of course, implementing any of the above will be harder than slapping a recaptcha and calling it a day ;)
Once that stops working I can bump it up a notch.
Although "Handle very private information instead" is an uncommon twist.
There are multiple solutions to this:
- find a CAPTCHA solution you trust and host it yourself
- build your own
If you say you trust google, you should write: We value your security and privacy, but seriously we have no idea what parts of our page really do
It might lead to lower-engagement websites, but that's a different thing. It might improve the quality of your website to stop trying to optimise my engagement with it.
That can certainly be argued.
It can also be argued that websites optimizing for “engagement”, blindly, in a completely data-driven way, end up implementing tons of dark UX patterns.
And that’s certainly no benefit to the user.
I feel like people have some kind of allergic reaction to sitting down with people and actually getting a person's perspective. It's slow. It takes time. It costs money. But you know, UX professionals do this. In fact, product designers do this.
I think the model where we'll just watch everyone all the time and treat them like lab rats and that somehow the "data" is going to give us insights is a) creepy b) misleading and c) lazy.
Can you imagine if your toaster (company) watched your entire daily routine in order to "optimize" it? Fffuuu....
They may also tell you things that you don't want to hear: that your website doesn't have good content, your navigation sucks in the following ways, etc. This sort of feedback makes you look incompetent when you collate it and then send it in a report to a manager.
- sketch out the new design
- add the UX interview report as supporting evidence to the design
- send the design (rather than the report) to the manager.
Total reversal of the situation. You have documented evidence of your proactive approach.
(edited for formatting)
In fact I don't want to engage with most of them.
If google search takes me to the site and I find info that I need in 5 seconds, that's a good thing not a bad one.
It's kinda like if someone were to survey their audience before a concert on what they should play, that wouldn't lead to better art. Have you ever seen a youtuber talk about how they would prefer to make videos about X, but the audience wants Y, so they're half-assing this other thing instead? Not only does this not lead to improvement, I think the major improvement would be to remove all things produced in such an extrinsically motivated way, and replace them with nothing.
> Your stuff will start to puff up. Your paragraphs will start to get rotund with all the things you could say if you really wanted, but you can only hint. That's bad. It's bad intellectually and I think it's bad morally. It means that you become.. your contract is no longer with your readers. What I try and do, and the reason I write in longhand and write in isolation, is to say "The only person I have a deal with is the person who might read this. And I'll give them my best, and I don't care what the editor thinks, the advertising department thinks, friends and colleagues think." You try and live, as it were, as if none of these people counted. "What's the best account I can give for customers of this." Most of Washington punditry is nothing of the kind, it's... private letters written to other pundits and appearing in public space.
-- Christopher Hitchens, https://www.youtube.com/watch?v=bsvq4PYdt40&t=35m46s
Say what you would say even if the whole world was against it. I don't live by that all the time either, but I'd rather fall short of that motto than live up to something easy and pointless.
Sure, when I see a page has a lot of hits, and I look at it and think I was being a bit lazy and people who search for that deserve better, I work on it some. If someone told me that the site doesn't work in a certain browser, I would try to fix it if easily possible, and so on. Just like an artist wouldn't say "I don't care, I only care about my music" when the venue they're playing at has no roads leading to it, and no electricity. But that goes without saying, for me that's like a painter making sure their canvas is okay.
This idea that I need to know much more, stuff like which path on the site most people are taking... no. I'm all for other people doing it, as long as privacy basics are respected, but the idea that everybody needs this to make something of quality, that I absolutely protest.
Show me one great thing that was produced that way, by someone or a group just following what people want (which is not the same as people working together as thinking individuals), just one? I can probably easily find you lots that were produced against the violent resistance of contemporaries, or even discovered as treasures of humanity posthumously.
Going just by what is the most popular, I would have ended up a Harry Potter fan rather than a Hannah Arendt fan. I would be watching SNL, instead of missing Bill Hicks. I would probably still care about movies and games instead of reading books and listening to music of the 20th century and realizing just how little value and depth what we currently accept as state of the art even has. I can't even imagine what a wasteland my mind would be if I had followed the masses rather than my instincts at every turn.
The biggest sites we know that currently optimize for people staying long on pages prove my point so much, I had to avoid that to even get any opportunity to rant. Google search results that get worse, or Youtube and Facebook which are infamous for promoting low-quality or outright toxic and deceptive things that increase engagement. Or Amazon with fake reviews, and so on. It's not working. Just like the idea of ranking comments by clicking buttons to improve the quality of discussions doesn't really work and is much more useful for abuse than use.
Last but not least, I'd rather see a website where I hate every aspect of it, but that was made by a real person with real thoughts in their head, than anything else. Play from your heart, not from your analytics package and what you think the numbers mean.
-- Friedrich Nietzsche
> Do not preach the straight and narrow way while going joyously upon the wide one. Preach the wide one, or do not preach at all; but do not fool yourself by saying you would like to help usher in a free society, but you cannot sacrifice an armchair for it. Say honestly, "I love arm-chairs better than free men, and pursue them because I choose; not because circumstances make me. I love hats, large, large hats, with many feathers and great bows; and I would rather have those hats than trouble myself about social dreams that will never be accomplished in my day. The world worships hats, and I wish to worship with them."
> But if you choose the liberty and pride and strength of the single soul, and the free fraternization of men, as the purpose which your life is to make manifest then do not sell it for tinsel. Think that your soul is strong and will hold its way; and slowly, through bitter struggle perhaps the strength will grow. And the foregoing of possessions for which others barter the last possibility of freedom will become easy.
> At the end of life you may close your eyes saying: "I have not been dominated by the Dominant Idea of my Age; I have chosen mine own allegiance, and served it. I have proved by a lifetime that there is that in man which saves him from the absolute tyranny of Circumstance, which in the end conquers and remoulds Circumstance, the immortal fire of Individual Will, which is the salvation of the Future."
-- Voltairine de Cleyre
I once read a story in our school text book, I wish I knew the author. It was about some new kind of prison without walls, but instead prisoners had an implant that gave them increasing shocks up to incapacitating them if they moved too far away from the prison. This one prisoner kept trying to escape, at one point getting so far that a truck driver brought him to a doctor, who then called the police IIRC, and at the end, the prison director was talking to the prisoner, asking why do you keep trying, you know it's absolutely impossible, why not just accept it? And the prisoner said, because when I accept it, you won. Right now, I win. We never read that story in class, but it impressed the fuck out of me. Life is short and fickle either way, might as well live it as me, right? And if everybody saved themselves, maybe the world would be saved, but even if the world goes to shit, I can still save myself. That is, only I can ruin myself. I can be shut up, but I can't be made to say "yes". I can't say that's good enough, but that's a good start.
> Finally, it is the act itself that matters. When instrumental reason is the sole guide to action, the acts it justifies are robbed of their inherent meanings and thus exist in an ethical vacuum. I recently heard an officer of a great university publicly defend an important policy decision he had made, one that many of the university's students and faculty opposed on moral grounds, with the words: "We could have taken a moral stand, but what good would that have done?" But the moral good of a moral act inheres in the act itself. That is why an act can itself ennoble or corrupt the person who performs it. The victory of instrumental reason in our time has brought about the virtual disappearance of this insight and thus perforce the delegitimation of the very idea of nobility.
-- Joseph Weizenbaum, "Computer Power and Human Reason: From Judgment To Calculation" (1976)
And while punk may be generally dead, as long as it still exists in China, nobody is allowed to give up! https://www.youtube.com/watch?v=Bk4EspwLpzc
Godspeed to you. Or as that one scroller text in an Amiga demo said: grab life by the balls, like a ninja!
"I was curious how often this go-to one liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text.
About one-third of all 285 data breach notifications had some variation of the line."
Don't bother providing a link to either your data source or your code, the ability for someone to independently verify the validity of this claim and its results isn't important, we'll just "trust" you.
But let's be clear, they explained nothing and hand waved around what they did.
In an article that is indirectly about bugs in software, I want to be sure that the "simple" methodology doesn't have bugs. This is easily shown by the author by just providing the scripts and methods they used. Choosing not to is lazy.
Here's some simple questions that that "sourced" passage doesn't answer.
1. Where/how exactly did you get the info from the CA Attorney General?
I searched and found this https://oag.ca.gov/privacy/databreach/list which extends back to 2012. Did you just download and parse the PDFs because some have two notifications listed, some have one. Some could probably have more. Are they counted as one entity or multiple?
2. "Stitched them together" Well that can just mean anything. Considering that PDF Parsing is still seen to be painful to most (https://stackoverflow.com/questions/22675690/if-identifying-...) there are errors that can be introduced here.
3. How did you handle string repetitions in the same document? If I put "We take your privacy seriously" at the start and the end, is that n = 1 or n = 2?
4. Assuming that 285 (of 1559 line entries) of the ones you parsed are single line entries (That sometimes contain multiple breaches and notifications) the author stopped at the 20th of January 2018 for some reason.... Why then?
I could go on and yes these are pretty pedantic questions. None of which are designed to be accusatory or suggest anything untoward about the author and what they wrote.
But you know what, all of this is answerable if they post their source and their source code. I can take a look and get a better picture of the full-arsed or half-arsed effort that went in to this article. (Sometimes half-arsed is okay, sometimes it's not)
If a tech website can't "do better than what [I]sic just quoted", then I circle back to the initial statement.
"Man does it represent the piss poor state of Tech writers and their articles."
The publications where you might read about the problem are likely contributors to it.
From the EU, before you read about companies abusing your privacy you first go through their "consent" page, maliciously designed to prevent readers from preventing "the Oauth family" from giving whatever data they can get on you to advertisers.
Then you get to read the article:
"I’ve never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn’t even exist."
... TC's modus operandi & business model appears to be the same.
On many occasions I have read an article bemoaning fake news that was framed by "native ads," pretending to be articles, and promoting fake science (one weird trick), apocalypse cults and worse.
Yeah, you value it so much that you sell it on because it is actually valuable.
I wonder what the tracking cookies show about bounce from those messages.. Probably not a lot but.
Edit: Oh I misread the OP.. We _take_ your privacy and security! laughs
They put sensitive information like username, orderid in the URL which is then shared with all the third-parties on that page, simply because referrers are not sanitized.
- Without user-consent
- More dangerously without the companies knowing it too.
On reporting, the companies do not want to fix these issues.
Shameless plug: You can find some of such cases, which I've been trying to highlight to the companies:
"We take your privacy and security seriously" from some rando company doesn't even make me roll my eyes because of how desensitized I am to that whole concept. It's genuinely appalling how often banks have no clue of who has access to what data inside their organization: tons of people having accesses they shouldn't and nobody keeps track of it? Of course. Database copies stored in random hard drives sitting on tables? Why, naturally! Attestation processes? What's that? We're not talking about small entities either. These people would be years away from something not too hard like an iso27001 certification.
In short: all of our data is in an incredibly precarious situation and we're fucked forever. I don't get outraged at leaks nowadays, I just laugh at it.
edit: interestingly enough, in my experience pharmas care far more about data security than banks do (I assume that is because they have more shit to hide).
He gives you a smile as he starts his speech. "Before we continue, we at Coffee City want you to know we deeply value your privacy. We need your permission to store your information, improve your coffee experience, personalize your coffee suggestions and share it with our partners. Do you consent?"
You don't fucking value my privacy. I get some serious doublespeak vibes. If you valued my privacy you'd leave me the fuck alone and stop saving information about me.
IMO GDPR doesn't go far enough. Even these popups are wasting my valuable time and invade my privacy due to the ease it is to accidentally consent to some stupid bullshit while navigating the 20 windows needed to reject all consent.
We should outlaw even asking for consent to store personal information for any user that didn't log into your site. If I do not have an account with you, I'm not your user, we don't have an extended relationship and you have no business storing information about me.
 Your personal data is a currency, spend wisely.
It'll only open if you create an account, log in and agree to every sip you take being recorded and measured.
Sure, it's possible to prise the lid off manually or use a special shutter-blocker, but you often end up with a broken cup. And coffee shop owners call you a thief and find ways to thwart your blocker.
I think that actually is a violation of GDPR, not that it's any less common to encounter.
I really like, and have copied, Tesla's note to security researchers. https://www.tesla.com/about/security
I had to clean up one breach a few years ago. It was, gulp, a breach of HIPAA-covered health info. We wrote to our customers saying
"We're sorry. We unintentionally sent your blahblah sheet to the wrong hospital. We have spoken to the person at that hospital who received it and confirmed that they erased your information. Again, we apologize. If you have questions don't hesitate to call us at xxx-xxx-xxxx"
We could have blamed the third-party vendor who actually made the mistake. We could have spewed oxymorons. But this message was successful and true: nobody sued us and the govt didn't write us up.
The breach, admittedly, was only a few dozen records. It could have been much worse.
A lesson for tech people: when you have a breach DRAFT THE PUBLIC STATEMENT RIGHT AWAY so you can hand it to your executives and crisis PR people. That way your company has a chance of doing it right.
To take a community college course, the application online form is asking pretty much every piece of your info, birthday, SSN, family income, ethnicity, future plan, current situation, home address, many personal preferences, phone, email, immigration status, marriage status, gender, education background, military background, job experience, you name it. Nearly all of them are mandatory. Anyone who can get hold of this record pretty much owns you.
Why do they need all this for just taking a course that I'm going to pay by credit card?
This is not uncommon in other areas, in the future we may need to provide our DNA code as an attachment? Talking about privacy protection is a joke these days.
I assumed, like most colleges, I would just be de-enrolled before the semester started. Instead, they kept me in and sold my info to a collection agency!
I never gave them my credit card number or checking account info, but they had my contact info and social security number. They hounded me for months and made all sorts of fancy threats. But luckily they never seemed to be able to add an entry on my credit report. I dropped it because I was hoping that it was just an oversight and didn't want to fight it, but maybe they wouldn't have been able to prove I purchased anything anyway.
I can't believe that if someone knows just your SSN only, they can put you on the hook for massive amounts of debt. I only gave them a temporary address not associated with me, and clicked through an EULA. I honestly assumed that I had not yet committed to going into debt, just by creating an account.
And this is a state-endowed community college.
Do these seem like reasonable terms? 
- By Registering for classes at SUNY Broome Community College, I acknowledge and agree to:
- Pay promptly all charges owned to SUNY Broome Community
- Take responsibility for all costs of collecting unpaid charges, including but not limited to collection agency fees, attorney fees, and court costs.
- Permit SUNY Broome and/or its agents to contact me using any method available including but not limited to the use of email, text and automated dialer systems; also any information furnished to SUNY Broome Community College may be used to contact me including my cell phone number, home number or work number.
As soon as you enroll in classes, you're on the hook for $4500 + fees?
I could understand maybe not refunding certain fees, but I have never heard of a college that just advances you that much money immediately, and then tries collecting on it.
So some 17 year old could just sign up for classes, without ever confirming anything or giving any payment info, and they are instantly in debt for over $5000?
This was NOT a student loan I signed up for.
No entry was made on NSLDS, and the government never got involved.
And no pull was made on my credit report.
As far as I can tell, they seemed to just be accepting anyone who enters a social security number to sign up for classes, and then selling it directly to a collection agency.
If I ever admitted to the collection agency that I was in debt, maybe that would have been enough for them to actually amend my credit report. It seemed strange that they were willing to talk to me for hours, but I think they were just trying to get enough info out of me and convince me to more explicitly admit that I owed them money.
I imagine that if someone knows your SSN and wanted to harass you, Broome Community College would be very useful for that.
So, yeah, there are some scammers out there you might not expect. And I can see how all of that extra info I gave them could have been used to collect on a very dubious "debt".
I also one time had a Blue Apron sales person at my campus give me a free month of service, with no credit card required. After the first month, this company called me and said they needed me to update my credit card info, but I never gave them a credit card.
After looking into it, it turned out that the salesman had given them a temporary credit card in my name so that he could get the referral fee. Luckily all I got was a free month of meals when he scammed the company. But the one-time email at my vanity domain that I gave the salesman started getting phishing emails. But I'm pretty sure the salesman had permission from the college to solicit to students.
What exactly is the privacy issue about?
I see regular posts on HN about it. Is it about storing user-data on my end, sharing the user-data with third parties, or not taking the user's consent?
P.S. - Trying to understand the root cause because I work with a startup building SAAS and would like to avoid such mistakes.
Do not store user data on your end unless you absolutely have to.
Do not give user data to third parties unless you absolutely have to.
Do not do anything without the user explicitly or implicitly consenting to it.
Example: You have to momentarily store the user's IP address in order to serve their request for a website. Remove the IP address as soon as you have served their request, because you don’t absolutely need it any more.
Example: You have to hand user data over to your ISP (and their ISP etc) in order to serve their request for a website. Do not hand this data over to Facebook, Google, your mum or anybody else, because you don’t absolutely need to.
Example: If someone is visiting your website, it is fair to assume implicit consent to the above two bits. However, if you provide a service where they can store data on your server (e.g. Dropbox), you should inform the user on how the data is stored so that they can sensibly consent to this (or not). So if you’re storing data unencrypted, inform the user that this is the case. If you’re storing data in your mum’s basement, inform the user that this is the case. If you’re storing data in some country with strange laws, inform the user that this is the case.
What about if we:
1. Save data anonymously.
2. If we have to save some data, we give them an option to access what we have saved. Something like 'Data Settings'.
2) If they do consent, consider every individual part of data you save. Do not save complete user sessions, instead, before doing anything, decide what you want to test, which information you require to do so and then save only this information. E.g. (using the example elsewhere) if you want to check how long people stay on individual pages, collect a signal on each page how long the user stayed on this page (and nothing else).
3) Anonymize the data as quickly as possible. For the example above, do not store data for each user how long they stayed on each page. Instead, have one counter per page which is incremented by the time the user stayed on the page (and the individual time subsequently immediately discarded). This way you can still figure out which pages are left early but you cannot tie this data to any individual user.
4) If you want to look at individual user sessions, pay people to use the website while you stand behind them (physically), do not collect data from random customers.
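The per-page counter described in the comment above, sketched as an added example that is not part of the original thread. All names (`DwellAggregator`, `normalizePath`, `SAMPLE_BEACONS`) are hypothetical, the beacons are constructed sample data, and the outlier clamp and the small-count suppression in the report are assumptions that go beyond what the comment states.

```javascript
// Added example (not from the thread). All names here are hypothetical.
// One running total is kept per page; each individual dwell time is added
// to that total and then dropped, so no per-visitor record ever exists.

function normalizePath(raw) {
  if (typeof raw !== 'string' || !raw.startsWith('/')) return null;
  // Query strings and fragments can carry identifiers (user names, order
  // ids), so only the bare path is used as the counter key.
  const cut = raw.search(/[?#]/);
  return cut === -1 ? raw : raw.slice(0, cut);
}

class DwellAggregator {
  constructor({ maxSeconds = 1800, minVisits = 5 } = {}) {
    this.maxSeconds = maxSeconds; // assumption: clamp tabs left open for hours
    this.minVisits = minVisits;   // assumption: hide pages with very few visits
    this.pages = new Map();       // path -> { totalSeconds, visits }
  }

  // Reads only `path` and `seconds` from the beacon. Any other field the
  // client sent (user id, session id) is never copied into stored state.
  record(beacon) {
    if (!beacon || typeof beacon !== 'object') return false;
    const path = normalizePath(beacon.path);
    const seconds = beacon.seconds;
    if (path === null || typeof seconds !== 'number' ||
        !Number.isFinite(seconds) || seconds < 0) {
      return false;
    }
    const entry = this.pages.get(path) || { totalSeconds: 0, visits: 0 };
    entry.totalSeconds += Math.min(seconds, this.maxSeconds);
    entry.visits += 1;
    this.pages.set(path, entry);
    return true;
  }

  // Pages sorted by average dwell time, shortest first ("left early").
  // Pages below minVisits are omitted: an average over one or two visits
  // is close to an individual measurement.
  report() {
    const rows = [];
    for (const [path, e] of this.pages) {
      if (e.visits < this.minVisits) continue;
      rows.push({ path, visits: e.visits, avgSeconds: e.totalSeconds / e.visits });
    }
    return rows.sort((a, b) => a.avgSeconds - b.avgSeconds);
  }
}

// Constructed sample beacons, including malformed and over-sharing ones.
const SAMPLE_BEACONS = [
  { path: '/pricing?user=alice', seconds: 4, userId: 'user-4711' },
  { path: '/pricing', seconds: 6, userId: 'user-4712' },
  { path: '/docs/setup', seconds: 120 },
  { path: '/docs/setup#step2', seconds: 99999 }, // clamped to maxSeconds
  { path: '/about', seconds: 30 },               // single visit, suppressed
  { path: 'pricing', seconds: 5 },               // rejected: not a path
  { path: '/pricing', seconds: 'abc' },          // rejected: not a number
];

function demo() {
  const agg = new DwellAggregator({ minVisits: 2 });
  const accepted = SAMPLE_BEACONS.filter((b) => agg.record(b)).length;
  return {
    accepted,
    report: agg.report(),
    stored: JSON.stringify([...agg.pages]), // everything that is retained
  };
}

console.log(demo().report);
```
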
So in principle, it is not about storing user-data nor is it about sharing that data. It is about determining who has the moral right to act on what data. And in order to have that debate on those moral rights, people need to know what happens with their online traces. As long as what really happens is shrouded in secrecy, legalese, or click-through patterns, there can be no meaningful debate.
Therefore I am not surprised and won't be holding my breath.
GDPR was meant to allow users to refuse consent without detriment, and not to force consent to use the service. Oath clearly violates GDPR, yet regulators have done nothing in 10 months.