Hacker News
How Apps on Android Share Data with Facebook (2018) (privacyinternational.org)
326 points by allwynpfr 17 days ago | 106 comments

This is not just Facebook. This is what all the DMPs[1] in advertising do, and charge millions of dollars for it. There is BlueKai from Oracle, one from Adobe, and various others. The core proposition is to collect as much data about the user to understand the interests (profiling) and then target that user or users like him to get a better conversion rate.

Why Facebook emerged as a big player in this field was because the other companies were really expensive for consumer apps and hence they were used only by the biggest players. Facebook made it cheap, automated the process and allowed for targeting without even telling the advertisers what audience needs to be targeted. All at the cost startups and SMBs could afford. Google also does the same. In fact all the big advertising networks do it, or utilize a DMP to do it on their behalf.

I realize that this discussion is about privacy, and in that regard, it should not be allowed by any company. However, this is just the tip of the iceberg. Almost all the big players in travel have huge customer profiles on us, gained by our credit card transactions, credit history, data from insurance and other friendly companies (you scratch my back and I scratch yours) and various other practices which frequently compromise on user's privacy. I don't know how one can solve this though.

[1] http://www.bluekai.com/files/DMP_Demystified_Whitepaper_Blue...

[2] https://www.adobe.com/analytics/audience-manager.html

From BlueKai/Oracle:

> Behaviorally-targeted advertising is 2.7 times as effective as non-targeted advertising.

Really? That's it? We're paying for a multi-billion-dollar surveillance apparatus to make ads 2.7 times as effective as the part of the website you automatically ignore, or the part of the newspaper you immediately throw in the trash?

Those are kind of sucky examples of advertising, really.

Better ones (in the sense of advertisers thinking they work better and being willing to pay more for them; not in terms of them being “better” ethically) would include YouTube pre-roll ads, product placement in movies and TV, and billboards on boring stretches of road (as observed by the passengers in a car, not the driver.)

> YouTube pre-roll ads

God those are so awful. I wasn't running adblock on youtube, but that shit made me install one. I could be listening to a nice playlist and suddenly some ad at 200% volume blares in my ear "YOU NEED TO BUY THIS TOOTHPASTE" or whatever. I wouldn't mind being forced to watch ads before being allowed to watch other videos, but let me bank watch time. Tell me how much time I have left before the next ad and let me watch enough ads that I don't see any in the next e.g. 3 hours. Or okay let's say the ads I get depend on the videos I watch, then put the ads on my tab and let me watch them later. Whatever arrangement works, just let me control when the ads happen, because right now it's maximum obnoxious.

> some ad at 200% volume

Advertisers are shameless, and will exploit anything until they are smacked down by laws. Congress and the FCC had to step in and regulate commercials' volume on TV (https://www.fcc.gov/media/policy/loud-commercials), and I suspect the same will have to happen online as well.

youtube-dl is the only thing that makes the site usable these days. It gets rid of ads and pop-ups, and decreases "engagement" by forcing you to copy the link over to the terminal to download and watch a video. It's even better than how people watched TV back in the day, by recording it to VHS tapes, then fast-forward through the ads.

> just let me control when the ads happen

That is exactly what would make YouTube ads useless, from the advertisers' perspective.

The key to "impressionability", from advertisers' PoV, is attention. You need to actually be looking at the ad. You don't have to think you're looking at the ad—you might think you're just looking at the "seconds until you can skip" timer—but you're looking (and listening) all the same, at least peripherally, and advertisers think that that's time they have power over you, in at least some subliminal sense.

But if you let users bunch up twenty ads in a row? They're going to queue them up and then go get a drink. The audience won't be looking; won't be listening. The ability to control ads inherently means the ability to ignore ads. Ignored ads aren't impressions.

The only valuable ad is an ad that sits on your attention stack on top of something that was getting your full attention, such that you have to (still with full attention) pop the ad from the stack to return your attention to the previous stack frame. Whether that's an ad in a newspaper between two columns where you have to pass "through" the ad content to find the next article; or an ad on YouTube where you have to wait; or a Google Sponsored link you have to read "past" to find the regular links; or a modal ad on a website that only appears five seconds after (the heuristic on the site says) you've started reading the content. The goal is to put the ad where your active attention is, such that the ad "impresses" upon your attention, however fleetingly. Anything else is a failed ad.

And yes, it's obnoxious. But that's... what advertising is. Those are the only ads that are really doing their job. The ads that don't end up on top of your attention stack? Subtract those from your perception of the field—they're just cargo-cult attempts to advertise that persist because it's really hard to measure the success of ad campaigns. What's left when you subtract those nice, unobtrusive ads, is what advertising as a field is really "about." It's what advertising would be, exclusively, if they got better at measuring things. And it's awful.

Actually, it would be somewhat consensual if it were a setting with a time lock after the first change (e.g. you explicitly commit to the settings you choose for a set time). And there's zero issue with limiting ad distribution, you don't have to allow for queuing 20 ads in a row, just like your human cattle isn't obliged to keep the volume on and their eyes peeled.

It's just that ads are irrelevant, disruptive, and non-consensual at the same time. The whole "ad impressions as subliminal messages" idea is a normalized form of non-consensual (senti-)mental assault or penetration, depending on whether it results in a headache or a purchase.

> would include YouTube pre-roll ads

YouTube has started showing me two ads. The [skip ad] button has turned into [skip ads]. This means the second advertiser misses out if the first ad sucks, because there's no way to skip the first ad alone.

Reminds me of this thread: https://twitter.com/random_walker/status/1078674128255754240 If you need micro-targeted advertising for your product, then your product probably sucks.

Also this classic by Maciej Cegłowski: https://idlewords.com/talks/what_happens_next_will_amaze_you...

Like when I buy <non-consumable-item> online I see ads for <non-consumable-item> for weeks after.

Amusingly, uBlock blocks the bluekai link because you know: "||bluekai.com^"

yeah but the DMPs were the ones who should have been hauled in front of Congress

right now, legislatures are asking the wrong questions to the wrong people

The CEO of the wrong company to ask can legitimately say "we don't record you I have no idea why you suddenly started seeing ads about that thing you were talking about"

I guess this is something new even for legislatures and they have been slow to catch up as well.

Regarding asking the question to CEO, well, his company made that decision to integrate the SDK/Cookie with the product so he is partly accountable. It is a different scenario that he would not know anything specific about how the process works.

I think this is going to continue until both a few of the app developers and some of the DMPs get bankrupted through GDPR fines for not obtaining proper consent.

The entire business model is infeasible under GDPR.

You don’t have to collect that much data from users in a given market (Europe), if you’ve already collected [and continue to collect] so much other data from users in other markets (America) that you’ve built up predictive models that only need a few hints in order to map a user to one of a well-known constellation of “profiles” that advertisers target their ads towards.

Basically, GDPR only prevents DMPs from training their models using your app’s data (i.e. exfiltrating the user’s personal details from the client to a backend.) If, on the other hand, the DMP comes to you with an advertising library that runs entirely client-side and embeds a pre-trained model; where, when you call this library, it decides what profile of theirs a user slots into by doing things like e.g. “young or old based on how they type on a touch keyboard” (but in a much more clever ML-dictated fashion)... then there’s no violation here. You’re using the user’s personal data to derive a category to place them into; but you’re not recording or sending the user’s personal data anywhere.

And when you, as an app, turn around and make a request to an ad network for ad media to display based on that profile, that’s not a violation of GDPR either: the derived profile is no longer information about a particular user, but is rather just a group that the user belongs to, with each profiling group being so large that that assertion-of-fact doesn’t help to de-anonymize the user any more than saying “they’re a human being” does—it’s not information that could be mapped back to the individual user. So it’s fine to send out.

It can be taken a level further, as well; such “statistics that convert to a profile” can be aggregated into one per-app profile. At that point, you’re doing exactly what magazine publishers do: looking at the audience for a given magazine, building a summary profile of said audience, and then selling ad space to advertisers who want to target that summary profile.

Of course, that same library will probably do a region check, and in the case that you’re not in the GDPR-affected area of the world, it will skip its (slightly crap) client-side detection logic and instead feed all your clicks and taps back to its (much smarter) backend, just like the previous version of the library was doing unilaterally.

Derived user data is still user data?

Up to the point where the client sends something mathematically indistinguishable from random noise to the server. At which point it's useless except for yet-to-be-discovered quantum effects. Which will then be outlawed.

Either way, the whole advertising revenue model is sickening pile of "they technically didn't object and it's not technically illegal", luckily it will die along with DRM and copyright. In the meantime I sincerely wish all parties who profit from it a stomachache proportional to their standard of living.

Just wait until people read up on cookie onboarding. This is how some apps and sites that don't show ads or sell things can make money. They are literally selling your data.

The irony is, I've seen quite a bit of industry chatter whenever the topic of 3rd party DMP audience segments comes up, and the general vibe is they are not at all accurate. And this is why so many large companies are investing in 1p and even 2p data. 1p in particular, depending on their business model, can give them the data they need to remain competitive in a post-GDPR world, assuming they can obtain consent and/or prove legitimate interest.

NoRoot Firewall: I got a global Block rule for 31.13..

The exact same thing applies for all iOS devices. Web banking, airlines, almost every game. There are very few exceptions of the most common apps, e.g. Dropbox, Skype, stock apps. Facebook is cancer. It gets into the body and never leaves. Unless you firewall or hosts block their IPs.

Just a friendly reminder, because I see this line of reasoning too often in here. We're not the average Joe. Just because we can circumvent those techniques doesn't mean that everyone can, or for that matter they even bother to. Most people can't even understand the repercussions of profiling.

I very well understand that, and unfortunately:

1) not many people see the evil of Facebook's immoral actions

2) not many people (even in here) are aware that they can firewall their Android devices.

I hadn't heard of NoRoot firewall, thanks for mentioning! Is the 31.13.. the range of addresses owned by FB?

Isn't this the nightmare scenario the GPL was created to fight against, a device that is not acting in the users interest but against it, with tons of private APIs [1], complete lack of transparency, deceptive language and hoovering up user data to send to others. And the kicker is this is happening on the supposedly 'open' Android platform. Take that Stallman.

It's really disappointing to see how the software ecosystem has degenerated into these shady mercenaries with zero compass. The only thing that can temper this crazy greed fueled appetite for surveillance is regulations and prosecutions because what some of these articles describe is venal and corrupt to restore some sense of propriety and civilization values.

[1] https://techcrunch.com/2019/03/25/android-users-security-and...

Android and the apps (in this sense) are not 'open source' and, regardless, 'open source' is not the same thing as 'Free'. Richard Stallman is known for his hatred of the term 'open source' (as it generally causes a misunderstanding such as yours).

I have come across fair share of blog posts on how horrendous this is getting in the current age of big data and app economy. This behaviour is warranted by how VCs, PEs, and potential acquirers value a company... by number of users an app tracks. Boils down to battle for eye-balls all the way down because ads are guaranteed revenue stream that scales in proportion to number-of-users * user-engagement, I guess.

I think everyone agrees there's a market for a simple-to-use solution.

Folks at https://GuardianApp.com are doing just that for iOS. For Android, apps like NoRootFirewall, NetGuard, Glasswire exist and other solutions like XPrivacyLua require root, or flashing LineageOS/CopperheadOS and/or de-googling the phone voids the warranty. Most of the 2 Billion Android user-base wouldn't go anywhere near these.

A stop-gap then might be to provide a zero-touch / friction-free Firewall/VPN app that's "free" and one that's anti-surveillance and anti-censorship, but is also transparent, in that it enables end-user to inspect the traffic flowing in and out of their devices.

The challenge is no one wants to pay the internet provider and a random VPN app for a censorship-free / surveillance-free internet but they might gladly pay the internet provider extra premium if they offered the same experience. I know my dad wants this, but he wouldn't pay two entities for the same service.

Maybe what https://puri.sm is doing is the eventual end-game, but I think they're trying too hard. Maybe it's time for an Android phone-manufacturer to launch a privacy focused phone. OnePlus reached its heights by placing itself as a Nexus/Pixel killer offering vanilla Android experience... so maybe there's a market for privacy focused phone too, or maybe https://e.foundation might pull this miracle off and become mainstream enough to matter.

Eventually, though, governments have to step in and bring forth regulations that prevents relentless surveillance of the end-user, similar to how wire-tapping phone-calls is illegal.

I want the features these things offer without the requirement to use a VPN. That gives too much trust to the VPN operator. All of this can operate on device at the OS/IP stack layer. I use Little Snitch on the Mac and it works great.

> All of this can operate on device at the OS/IP stack layer.

I think, on Android, with root you could do a lot more and not have to use VPNs at all.

> That gives too much trust to the VPN operator.

Local VPN apps like NetGuard are open-source, btw. And server VPNs like ProtonVPN have no-logs policy. I'm curious, what other guarantees are you looking for?

Guarantees? None. I don't want all my traffic routed through some random VPN company's servers. Small companies are probably also judgement-proof, as even if they really harmed you, what could you gain by suing them? Why would I want to use a VPN to enforce access controls my OS can do just as well?

I don't think little-snitch can tackle anti-censorship or can really prevent ISPs from snooping up on you? VPNs like Orbot might be required then.

Doesn’t Apple disallow these types of apps? AdGuard had to discontinue their VPN based ad blocker due to Apple’s change of policy [0]. I’m not sure why Guardian app is any different? Looks like MalwareBytes had the same issue, which would be more in line with GuardianApp’s stated goal of being a firewall. I don’t see how this app will be allowed.

0: https://adguard.com/en/blog/adguard-pro-discontinued/

that doesn't sound like Apple is protecting my privacy like they claim. it sounds the exact opposite of protecting privacy

Personally I disagree, from the perspective of an average user. While you and I are able to tell the difference between an adblocker and a nefarious vpn collecting all my data under the guise of adblocking. For the average user, they have absolutely no idea and don’t care, which is why disallowing vpn-based Adblock makes sense to me from an average user privacy standpoint.

By that argument Apple should disallow all apps. Any app could be a scam.

Those ad-blocking local VPNs lead to terrible battery life. And nobody can know what they are doing behind the scenes. I agree with Apple blocking them. I just wish they had a public API for developers to offer apps that block the resolution of DNS names, just like they allow ad-blockers in Safari. They already have it, but it is restricted to supervised devices used inside organizations: https://developer.apple.com/documentation/networkextension/c...

Why would the local VPNs drain battery? Isn't VPN just an encrypted pipe through which traffic from your phone is routed? If some app or the other is not using the network, why would the VPN be even at work (hence draining the battery)? Or, are you suggesting that the local VPN apps are poorly implemented?

Good question, and in fact your logic totally makes sense. But my personal experience differs. I used to use both AdGuard Pro and Weblock and they both used up to 10-15% of battery life (as indicated in the Settings app). I’m not sure why this was happening. One possible explanation is that the VPN binary running in the background prevents the phone from entering some battery saving configurations it normally enters when there is no network activity, perhaps. I don’t know how VPN clients are handled behind the scenes, so if someone could chime in that would be great.

Thanks. Yeah probably being run in the bg all the time might be the reason along with encryption CPU overhead. Some apps might have also been poorly implemented.


> May be its time for an Android phone-manufacturer to launch a privacy focused phone.

LOL, they don't need it. Privacy focused phone doesn't generate money from user data. There's two ways: dumbphone or Apple.

see post above yours. Apple is not protecting your privacy. in fact they are explicitly disallowing your privacy to be protected.

The only way to crack down on this is to prevent apps sending any data at all and to minimise the use of proprietary software. As soon as your personal data leaves your phone and hits someone else's server they will sell it.

It's a bit of a hard problem which we tried to solve using a permissions system but it's a hassle because it's hard to tell if a permission is being used legitimately and the average user just hits accept on anything because they don't know how to verify if something seems right.

The GDPR was a step in the right direction where it allows you to say no to tracking and still use the service as normal.

I think it's not good enough to merely prevent it from happening with sandboxing or permissions, that's a very technically-oriented way of solving the problem (and obviously what most of us here on HN would go to first).

But merely preventing it on a technical level creates this race where companies and startups are always finding new ways to violate our privacy, while we stumble after trying to patch the latest evil, hoping that it's even possible to patch this time. Stop ajax calls to third party domains? What if they start piping it through the first party server? etc.

There fundamentally need to be laws and principles in place that set clear lines as to what's okay and not, it shouldn't come down to "whatever is technically possible". You may NOT take my personal data, my contact list, my browsing habits, and sell them to a third party, even if it's hidden somewhere deep in your T&S. No human actually wants you to do that, if you offered somebody on the street five bucks for their phone contact list they wouldn't say yes. It's only possible because you are doing these evil things hidden from view.

> No human actually wants you to do that, if you offered somebody on the street five bucks for their phone contact list they wouldn't say yes.

There is an argument I have with a guy who stands on the street offering 'free coffee'. So I ask for a voucher, and he explains I have to download an app. I am not convinced that is truly free.

Plenty of people will just tell you their password if you ask them nicely (https://www.google.com/amp/s/nakedsecurity.sophos.com/2015/0...) so I'm pretty sure they'd give up their contact list.

There are a lot of humans that are OK with that. The average person does not value privacy that much. There are a lot of people willing to trade data/usage patterns for a free app. On the proposition "Pay $5/month or pay $0 but let me track you" a lot of people will choose the 2nd.

they may choose the 2nd option, but it's unknown if they would continue if told what the ramifications are. People chose brexit without knowing its ramifications, because they did not understand fully their choice. I suspect those who opt for tracking are also making this mistake.

I doubt it, as a tech-savvy user I know the ramifications but still going for the 2nd option. Why? Because the ramifications are largely inconsequential or not harmful enough for me to care

And this is the problem. You know the ramifications for you as an individual are fairly small, but this is a problem of scale. Billions of people handing over their data allows the creation of much more sophisticated and insidious models. The costs of your decisions are externalized to society as a whole and will affect you one day. You just don't see that.

It is the classic tragedy of the commons. Everyone doing whatever is best for themselves leads to the absolute worst outcome for everyone (including yourself) in the end. E.g., you running 50 kWh of AC per day is pretty inconsequential. 2 billion people doing the same is not.

So then what is the effect on me?

> The only way to crack down on this is to prevent apps sending any data at all and to minimise the use of proprietary software.

You're asking for legislative controls which, at the end of the day, can still be bypassed either flat out illegally or via legal grey areas. At best it's remedied after the act or prevents only the most obvious misuse. When you give politicians the mandate to control something often they're too technologically/process incompetent to get it right and to make sure the solution is in your interest.

You want to abate this practice? Exit social media (...and life will improve), use RSS for mass information consumption (I've been doing it for ~10 years now - I can pore through what would normally be a day's sifting/reading in 15 minutes while taking the first dump of the day) and use a browser with extensions that give you more fine grained control i.e. Firefox with NoScript.

Be in control of your world.

Preventing apps from sending data doesn't solve the issue as long as you can use Google's analytics.

You can abuse the analytics event system by encrypting data and submitting it as a string attached to analytic events. These can't be differentiated from normal click tracking.

Server side you can then pull this data out via API and unencrypt it.

Unfortunately, the permissions are rooted in the old server-centric UNIX model where users of the machine were generally trusted with all sorts of identifying information (eg ifconfig("8")). Those permissions were then augmented by a surveillance company, for surveillance companies (at least on the Android side).

When it comes down to it, even things like phone number, MAC, or current access IP address (as opposed to VPN egress address) are highly security sensitive information. There should be no way for apps to get access to these things, and if they insist on obtaining access, the ability to fake out that data should be the baseline of any modern OS.

Wouldn't it be sufficient to change the Google advertising ID (AAID) to some random ID? It would render all this data gathering useless.

"You have zero privacy anyway. Get over it."

Scott McNealy, former chairman of Sun Microsystems.

The typical "accept reality and get over it" mentality has repeatedly and consistently been used throughout history to justify plunder. One might even wonder if it ever has been used for anything else.

There was a time when legal businessmen, with sincerity, claimed that a dark skin color made you deserve to be a slave.

"When plunder becomes a way of life for a group of men in society, over the course of time they create for themselves a legal system that authorizes it and a moral code that glorifies it." ~ Frederic Bastiat

Normalization of Deviance - we as the community of technical folks who have the engineering knowledge to tackle and highlight and help solve these issues should not follow that normalization. It's very dangerous.

We need to continue highlighting unacceptable practices to drive privacy improvements in legislation.

And we should establish ethics boards and education (ethical software engineering) amongst ourselves to stop building shady things.

Ah yes. We should just accept body builders mugging us whenever we step outside because the reality is they are stronger than us.

The reason strong bad men don't rob us constantly is because other strong men are legally permitted to do violence unto them. I don't think that's a model that works for the Internet.

Instead I think we should take Mr McNealy's words as prescient. Even if you protect your privacy, people you know are still willing to tag you in photos or upload their contact lists.

Instead of pretending that we can remain private online perhaps we should be thinking about how to compartmentalise our online identities so that the whole 'us' can't be revealed by an inadvertent mouse click.

TLDR: Scott was right, so let's work out what to do next.


Yes, I would prefer to see a solution that adapts to zero privacy life, instead of trying to stop the flow of information.

The important point here to note is that it shares this data even if you don't use / don't have a Facebook account

I'd be very interested to know how this compares to apps on iOS. Can someone shed some light?

Most of these frameworks are built for iOS first and Android second (you can quickly glance at their marketing material to find proof). There are also no restrictions (policy or system-wise) that prevent these SDKs from uploading data about your profile as well.

It's unfortunate that Android is singled out here - it'll lure iOS users into false sense of privacy.

It is more difficult for apps to know your identity in other apps on iOS. Although Apple has bungled it quite a few times these frameworks are supposed to use an identifier that you can reset and change to be per-developer. Also if the framework goes over the line, which might be defined as ‘bad publicity happens’, Apple might come down hard and simply ban the whole thing (no app that includes the framework gets approved).

As a developer I didn't really see much of a difference - most of profile matching I've seen these SDKs do is via social logins and not via device identifiers. The OSes currently are very close in what you can get to identify the user.

Most of this is entirely possible on iOS and I would be surprised if the Facebook SDK didn't do the exact same thing.

Can’t you, at least, activate limited ads tracking in iOS so that each app gets a different "phoneID" making cross profiling more difficult?

The process is the same. You integrate the SDK and it will keep sending the data. No permission needed either. For a user, he would not even know what SDKs are integrated with the app, as it is never mentioned anywhere and no way to check it either.

This is so misleading. Almost all SDKs do this and this also happens on iOS too. If you have an SDK on iOS, there is nothing the OS can do to stop tracking of the users.

Also, the author literally says that Google tracks even more apps vs. FB but still chooses to use FB in their headline. Sigh.

Is there any solution to ban facebook from your android phone like you can from a browser like firefox through a facebook container? I would imagine something like a firewall that keeps your phone from being able to connect to URLs or IPs owned by Facebook.

I use Exodus Privacy [1] to learn more about what SDKs and permissions are used by the app before even installing it, and as a last line of defense, NetGuard [2] which is an open-source VPN-based firewall that lets you block requests to some servers on a per-app basis (some features are paid).

[1] https://reports.exodus-privacy.eu.org/en/

[2] https://www.netguard.me/

Well, using exodus privacy to look up some apps that I use has just opened up a portal to hell for me! I had no idea about the depth of the tracking that was happening - I foolishly thought it was only browsing issues I needed to worry about until reading this thread and then looking on there.

Thanks for opening my eyes to this!

This doesn’t tell you about any data sharing that happens serverside.

You can download an app which changes your DNS settings (without root it creates a local VPN) then point it to a server that blackholes Facebook

I would recommend Blokada. It's open source.

Blokada doesn't do DoH or DoT yet. You should try https://getintra.org and use it with AdGuard DNS [0]

[0] https://news.ycombinator.com/item?id=18788410

Also, it gives you a real eye opener as to what apps are sending out..

You can ban Facebook from your phone by choosing not use it.

I like the idea of your device giving out fake advertising id's out.

There's more than ad-ids to fingerprinting a user [0]. For instance, MAC addresses (wifi, Bluetooth), IMEI, GPU based fingerprinting techniques, scanning for apps installed, WiFi networks connected to, location, and so on. You need to fake a lot of things to be scot-free from this madness. It's astonishing, really [1].

[0] https://panopticlick.eff.org/

[1] https://copperhead.co/android/docs/usage_guide

Has anyone found the list of tested apps and their results? I've followed many of the links but find more articles/versions

Maybe this is what you are looking for? I looked into certain apps (Shazam, Duolingo etc.) and it's quite interesting.


Yes thanks. I looked at this page but perhaps it didn't render fully on the platform I first saw it on.

Are you looking for something equivalent to http://exodus-privacy.eu.org/ ?

Does Facebook share data back with the app? For example, your name, etc...

Question: it's been almost a year now since GDPR has come into effect. Has there been evidence that people from the EU have been able to completely withdraw themselves from the user-tracking universe?

I doubt it. We need some prosecutions of Oath, Vox and so on before they start implementing the consent request properly.

Oath is the business embodiment of cancer, it needs to be sued out of existence. It provides absolutely zero value and just makes the internet more toxic.

It should be implemented in a "global" way. Instead of filling in no tracking forms for each website, they should be forced to honor DNT (do not track) header. Similarly on OS level, it should be possible to say to all apps that I don't want any tracking.

No, because the mills of justice grind slowly (translated German proverb), and because the DPAs are horrendously under-funded and overloaded.

However, I do have the impression that the situation has already started improving significantly, and as the fines and other enforcement actions start happening, these practices will become less attractive (as in "I don't want this in my company because my competitor had it and got bankrupted by the fines").

A nice aspect of GDPR is the civil enforcement, allowing NGOs to sue on behalf of individuals whose data was abused. This helps resolve the problem that the DPAs are useless and it is infeasible for you to sue Facebook. NOYB.eu is one of the NGOs doing some work in that area (mostly pushing the DPAs to do their job by filing complaints, for now) that has led to fines.

> A nice aspect of GDPR is the civil enforcement, allowing NGOs to sue on behalf of individuals whose data was abused.

Is there a practical way to demonstrate, in a court of law, that one's data has been stored/used/traded in an illegal way?

For example, assume I use a specifically generated unique email address when signing up to one service. After a while I get spam on that email address from a different company. Can I use this as evidence in a lawsuit? How strong will the case be? Would it help if I ask a trusted party (notary) to deal with the generated email address (so nobody ever sees it except the notary and the company)? What options do I have in collecting evidence?

In a civil suit, you'd typically need "preponderance of the evidence", i.e. you have to convince the judge that it's more likely than not.

In practice, the worst data sellers will pretend to act legally, so they'll often admit in some fine print what they're doing.

Also, if the judge asks the representative of the company whether the company is selling your data, the possible answers are "yes", "I don't know", or "no". The former two mean you win. The latter means the representative risks jail time if it later comes out that the company did sell the data.

yes. websites across the world have been banning whole EU countries like there’s no tomorrow. but on the plus side we now know how it feels for the Chinese and their firewall. only ours is called GDPR. to put this in context: there are more websites accessible from Hong Kong than from the EU.

> there are more websites accessible from Hong Kong than from the EU.

After a quick search, I couldn't find a source that claims that any website is blocked in Hong Kong, and several that claim that no website is blocked.

The Internet connection is monitored, there's pressure and self-censorship, but there's no blocked access to websites. It's easy to be bigger than zero.

EDIT: The biggest collection of the websites I could find lists 1129 that are still blocking access to EU citizens, and 252 that stopped (presumably, once they've become GDPR compliant): https://data.verifiedjoseph.com/dataset/websites-not-availab...

>The Internet connection is monitored[...]

While I agree that there is pressure from pro-Chinese Government henchmen to intimidate free press in HK, I am curious as to where you get this assertion that the internet is monitored. That would imply some kind of government surveillance. I have never heard of any systematic internet monitoring in HK of the kind done in other countries, like mainland China.

I know for a fact the great firewall does not extend to Hong Kong. We can deploy APIs there AND use HTTPS/ communicate with the outside world/ use Google services. How insane.

there's no censorship, direct or indirect, in HK. that is why there is less of the Internet in the EU than in HK.

Which means the shitty companies are removed from the market and websites and companies that respect their users stop getting undercut by their unethical competition.

Well, I guess the really shitty companies simply ignore the GDPR. They might even use some shady business construct to move money and data between companies, while shielding themselves from the regulator.

there are right now companies from the EU that don't respect GDPR.

this is not a right/wrong issue. like most of reality, it's full of grey.

I've not come across a single website that has banned me access to it based on the EU GDPR (except maybe I think some news site that was linked on here once?)

Care to share some examples?

I regularly come across those that are blocking EU users. Guitar Center is a pretty big one: https://www.guitarcenter.com

The Chinese regime blocks sites that are critical of the Chinese regime.

GDPR on the other hand has absolutely no political selectivity. It's just a bunch of self selected US sites that can't be bothered to properly implement GDPR (until they get their own version of it).

That makes your claim about the number of websites accessible from Hong Kong about as relevant for freedom of speech as the lack of chlorinated chickens in Europe's supermarkets for the variety of food we get to eat.

What's the sole purpose behind this?

Same as any other ads or analytics sdk (google, branch.io, etc...)

getting data to target ads. Apps gladly integrate them, because they can get better analytics on how the app functions and is used, but also for marketing attribution (comes back to ads.)

I find the outrage at Facebook for this to be a bit obnoxious. Are we equally as outraged at every app that has Google Analytics implemented? It's sending your data to Google, even if you don't have an account!

I'm not sure about you, but yes, I'm def outraged by analytics gathered without user's consent, sometimes complete with fingerprinting, as well.

I tolerate WebRTC blocker, Canvas Blocker, DecentralEyes, FPI, PrivacyBadger, HttpsEverywhere, uMatrix, and NoScript on Firefox and painfully deal with all the broken websites, despite the costs. It is worth it ten times over.

Usually to track conversion rate of posts and other similar metrics
