Hacker News new | comments | show | ask | jobs | submit login
Germany vs. Facebook: Like Button Declared Illegal, Sites Threatened With Fine (siliconfilter.com)
74 points by flardinois 1866 days ago | hide | past | web | 75 comments | favorite

I'm from Germany and I'm currently writing a dissertation (similiar to PhD) on data protection law. My take on the situation:

1) Are the european data protection laws "perfect" or reasonable? No, they can't be, the most relevant directive is from the year 1995.

2) Do Google or Facebook comply with the European data protection standard? No way. Do they even try? No. There is something called the "Safe Harbor Directive" (http://en.wikipedia.org/wiki/Safe_Harbor_Principles) which Facebook and Google have declared to uphold. However they "self-certify" and in reality it is more like a "scam". For example Facebook is boasting about a "TRUSTe" certificate, which is practically a joke.(http://en.wikipedia.org/wiki/TRUSTe)

However the story about the 50,000€ fine is just for publicity. Google has lost cases in civil court against consumer protection agencies about their privacy policy, but to date there has never been a fine by a government agency. Furthermore just because the law says "up to 50,000" as a maximum sentence doesn't mean you could realistically go that high.

The situation is actually quite a bit different from what was presented in the siliconfilter article. I looked into a couple of more established local media outlets and it turns out that this fine does not apply to all of Germany. Mr. Weichert strictly targets sites from Schleswig-Holstein ( Population: 2,8M ). This is the only state where he has 'some' legislative power and it remains to be seen how we would be able to target sites from his specific district. I'm sure you can appreciate the technical difficulty. This is also not a new law but a highly controversial interpretation of existing privacy law. There is a tremendous backlash and open opposition coming from high-ranking German politicians regarding this fine. All in all the whole thing looks more like a PR-stunt, it's highly unlikely that website-owners will ever be fined in the near future for Facebook buttons.

I'm German btw. Don't want anybody to think I learned that gruesome language for the fun of it...

I'm not German, I learned that great language for the fun of it. I wanted to be able to read "Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme, I." after I read Gödel, Escher, Bach when I was in college. And read Böll untranslated. Much better than the English versions imho.

Wow impressive, glad you like the German language :) How do you read Bach though? Is there a notable German Bach other than the composer? What am I missing?

Possibly this: https://secure.wikimedia.org/wikipedia/en/wiki/G%C3%B6del,_E...

(That is, the book "Gödel, Escher, Bach: An Eternal Golden Braid" by Douglas Hofstadter)

Yes, sorry for not adding the whole title; that I read in English :)

Thanks, shabble!

Mark Twain wrote a satirical but very funny critique of German:


While we're on the subject...

An American woman visiting Berlin - intent on hearing Bismarck speak - obtained two tickets for the Reichstag visitors' gallery and enlisted an interpreter to accompany her.

Soon after their arrival, Bismarck rose and began to speak. The interpreter, however, simply sat listening with intense concentration. The woman, anxious for him to begin translating, nudged and budged him, to no avail.

Finally, unable to control herself any longer, the woman burst out: "What is he saying!?" "Patience, madam," the interpreter replied. "I am waiting for the verb."

I must've emailed that to a 100 people by now. Thank you so much for this gem!

I'm American, whats so bad about it? Was easier to learn than French coming from an English speaking background. Not that I think I'm fluent in either.

I wasn't super serious when I said that but comparing German to English ( not that I am fluent ) I have to say that I think English has a simplistic beauty to it that German can't live up to. Whenever someone asks me to translate even the simplest sentence / idiom into German I end up answering, 'you can't really say it that way in German'. German happens to be very particular about the correct choice of words and won't let just mix a bunch of words together like English does. I'll admit that there is some world-class literature / poetry that benefits tremendously from the depths of the German language but I'm neither a poet nor an author, I'm just in it for the practicality. Horribly off-topic btw.

Horribly off-topic btw.

Yes, it is. But, while we're off topic, I have to say I really like how in German, words are generally spelled like they are spoken.

(I was once fluent, but I don't use it enough, so have forgotten most of it. I can understand it very well still and it does, at least partially, come back to me when I visit Germany, thankfully)

That's not true. "V" and "f" are interchangable (e.g. I always forget if it's "haven" or "hafen", which would be pronounced the same), as are "eu" and "äu". "V" at the beginning of a word is pronounced like an English "V" (as in "Viktoriapark"), where it's ambiguous with "w". There are also a large number of French, English and Slavic words that are used in German (for instance I live in "Treptow", which is pronounced as it would be in English, not with a "v" sound on the end). Jumbojet is perhaps the funniest, where the first "j" is pronounced as a "y" and the second as a "j".

In general mastering German is harder than mastering French for an English speaker, despite them being linguistically quite similar. German has retained a lot of features that have been stripped out in various degrees in other Germanic languages, most radically in English, that are difficult for English speakers (case system, almost totally irregular plurals, irregular genders, irregular past participles, irregular usage of "haben" and "sein" in construction of compound tenses and so on).

(I'm an American that's lived in Germany for almost 10 years.)

In general mastering German is harder than mastering French for an English speaker

I've heard lots of people say this. I don't know any French, so can't comment.

I guess I don't notice the letter differences so much. I suppose having German family corrupted my sense of how letters are pronounced ;-)

As for "eu" and "äu", could this be a thing similar to "ss" vs "ß"? In any case, when reading German, I don't find these pairs a problem. Of course when writing German, they obviously are, so I stand corrected on this, though I did say "generally" and not "always". As others have commented, its probably a one-way thing: reading is definitely much much easier than writing.

for instance I live in "Treptow", which is pronounced as it would be in English, not with a "v" sound on the end

Place names don't seem have as regular pronunciation as normal words.

Perhaps based on German pronunciation, but they're not spelled like they are spoken to English people. OBvious examples being things like when the letter 'd' sounds like an English 't', or 'w' sounds as 'v'.

I never actually learned to speak German, did learn French (can speak it fine, with a very English accent). Slightly odd situation though, I was taught to pronounce German extremely authentically (former professional singer), and didn't found it harder to learn German pronunciation than French.

That said I love the German language, some day when I can be bothered I really do want to learn it; can't quite put into words why I love it, but there's something weirdly special about it. Maybe just because of associations I have with it and certain music, like Bach's St John's Passion.

The consonant changes while non-obvious to native english speakers at least are somewhat consistent. Using a different latin character for a sound isn't that big of a deal when learning a language. Once you get to Japanese/Chinese/Korean its normally the least of your concerns. :)

Compare and contrast to English pronunciation of things like: moose goose lose loose hose etc/usw... Quite a disparity between the lot of words despite their similarity.

Sorry for the thread derailment, i'll go sit in the corner and think about my life.

The phonetics are similar enough to English to make sense to someone who speaks both, but in terms of phonetic consistency, I think you're better off with Italian or Spanish (no silent letters, few weird consonant blends, letters are consistently pronounced the same). Or Esperanto, but that doesn't count :P

I wouldn't really know since I grew up speaking German, but I think this only works one way ( written to spoken). The other way ( hearing a word and being able to spell it ) has to be next to impossible for a non-native speaker. How did you learn to speak German?

Ah, this is true, I can read German pretty well, but writing it is.. hard.

How did you learn to speak German?

I originally learnt as a kid, having German family, and actually spoke German before I spoke English, but living in Ireland, I obviously needed English more, so we exclusively spoke English since I started school. I've always known enough German to understand spoken (and make out written) German, but speaking it myself was more difficult (and writing even more so), but mostly because I forget words, rather than not knowing the rules or pronunciations. When I learnt German in school, I was pretty much fluent and non-Germans found it difficult to realize that English was my main language when I spoke German, but I've forgotten most of it due to disuse. I really should relearn it...

I have to say, I always liked how strict German is about how to say things, at least when learning it as a second language. It made it a whole lot easier to learn, rather than a language where there are 10 different ways to say the same thing.

I'm also a big fan of how few tenses are used colloquially--for instance, very few people actually use the future tense. You just have to add a time ("tomorrow", "in 2 years", etc.) to qualify a sentence as referring to the future.

Off topic, perhaps, but interesting nonetheless :). HN values the quality of the discussion over its focus on a given article.

We have threads for a reason.

That is true for some cases, but also not for a lot of others. The German language is a great language as is English; there are a lot of sentences and words which pop in my head in German and I cannot translate them adequately in Dutch (my mother tongue) or English and I have the same with Dutch and English. I think you need to read more literature and analyze the beauty of your language; you are missing out if you only go for 'mixing up words' in a practical manner.

The article is kind of misleading. After reading the original FAZ article (I am german and a site owner) I learned that because Weichert is the head of the Independent Centre for Privacy Protection of the northern German state of Schleswig-Holstein, he only has the competence to threat site owners within "Schleswig-Holstein" (Population: 2,8mio).

With only a few exceptions, privacy and data protection is handled on the state (or Länder) level in Germany. (One exception to this is the federal government and its data protection.)

He would have to convince his fifteen colleagues to make this a Germany-wide thing. Handling this on the federal level is not even possible in Germany, the federal data protection appointee has nothing to say about such matters.

But the TMG as well as the BDSG are federal laws and after reading his paper I would agree with his view of them.

It would only take someone to go to their local data protection supervisor (Datenschutzbeauftragten) and complain about being tracked by the facebook like button on a site hosted in germany, the data protection supervisor would have to issue a fine (if he agrees with that interpretation of the law) and it would go to court, since the owner of the website would naturally dispute it.

Difficult to say how the court would rule.

Those data protection appointees (and the people who are working for them) are the enforcement arm of the data protection laws.

The laws are not (only) enforced by the police but by specialized offices – just like tax law (with the tax office and tax investigators) or food law (with food inspectors).

This is like the police (which is organized in a similar way) in Bavaria deciding to enforce a federal law in a certain way. Whatever the police in Bavaria decides to do doesn’t have to have any consequences for the police in other states. (Suffice it to say, the police in other states isn’t going to be very happy when they hear about the Bavarian police interpreting a law in an odd way.)

It’s the courts that have to decide in the end what is correct and incorrect enforcement.

This seems like one of those "Oh man, what a crazy country!" stories - and sure, the €50,000 file is pretty nuts - but the more I read about it, the more I think that challenging one company's dominance is potentially a good thing.

If nobody ever speaks up and says "Hey, hang on - how much info are we giving them, really?" it'd be far too easy for companies to take advantage..

Having said that ... this won't stick. By this virtue, sites would have to remove G+ buttons too, and Google Analytics (which profiles 'anonymous' users even more heavily than FB)

Being German I have to say I really appreciate my countries concern with privacy. ( Despite this rather ridiculous attempt to protect it ) The mega-corporations that are hoarding our data have a habit of being as in-transparent about privacy as possible ( Google excluded, maybe ). Government entities are in a unique position to enact legislation that levels the playing field and puts consumers back in charge of their data. I'm hopeful that future generations will demand unrestricted control over their personal data as a basic human right.

How do you see the difference between Opt-in and Opt-out?

For example, I never asked for Google Streetview to photograph my property, so in that sense they might have violated my privacy.

But clicking a Like! button is like giving implicit approval to send some relevant data to Facebook.

If you were a German Facebook fan, would this law make it impossible to place a Like! button on your own site, when you and your visitors clearly want it?

Is it possible to voluntarily wave away the right to privacy or is it really an all-or-nothing deal?

Edit: It seems that you get logged without ever clicking the button, or lack a Facebook account...

The paper "Facebook Tracks and Traces Everyone: Like This!" mentions 3 valid privacy violations by Facebook.

  informational self-determination: the individual should 
  be able to decide which data are disclosed to whom and 
  for what purpose.

  contextual integrity: data has to be treated according to
  the norms applicable to the context in which 
  the data was disclosed.

  data transfer without consent: data should not be 
  transferred to another context without the individual's

  [the Like button] is also used to place cookies on the 
  user’s computer,  regardless whether a user actually uses 
  the button when visiting a website. As an alternative 
  business model this allows Facebook to track and trace 
  users and to process their data. It appears that 
  non-Facebook members can also be traced via the Like 

Ah, well. Back to a custom Facebook Share button for me.

It is legally possible to "wave away" your right to privacy. It is somewhat analogous to commercializing your "personality" by giving someone the right to advertise with your name.

However the European data protection standard demands "informed consent", the user needs to be able to understand the scope of his own decision:

Which data is captured and to what purpose? Do third parties get access, to what purpose? To which countries does data get sent and what are the risks associated with it? Will your data be possibly combined with data from other sources to build a more complete profile?

If it is impossible to answer these questions from the information given in the privacy policy etc., you do not have "informed consent" according to the European data protection standards. There also has to be a technical option present to "revoke" your consent for the future.

At the present moment, there is in fact no real solution to use the Facebook-Like button in Germany in a way that is compliant with data protection law. At least I couldn't finde one when I had to write a "memo" for a law firm. However it is somewhat possible to shield the owner of the website from liability.

I'm not sure if you were addressing me but I'll go ahead and respond anyways.

I don't think privacy should be an 'all-or-nothing' proposition; waving away your right to privacy should not be a decision an individual has to make. Ever.

I believe that what the majority of users want when interacting with internet platforms like Google, Facebook, etc. is a responsible use of their data; a reasonable balance between giving up information and receiving benefits in exchange.

From that perspective I would argue that Facebook collecting data from you simply by 'browsing-by' a like button is unacceptable. But I wouldn't go as far as to say that everything is fair after you've given alleged, implicit permission by clicking a button either. It's about a reasonable expectation the user has about what kind of terms he's entering into by 'like-ing' something. Is it okay for Facebook to have a look at what site your coming form? Associate your account with this like? Maybe. Would it be acceptable for Facebook to go through your history and look at the most recent porn sites you showed interest in? Probably not. That goes at the notion of contextual integrity you mentioned. The line is blurry but it certainly exists.

Another important consideration for me is who has access to the data that is collected. Larry Page famously answered to Paul Buchheit that there 'are no privacy issues' when faced with thousands of complaints concerning Gmail. I don't really mind machines going over the contents of my email in an effort to target ads at me. It's creppy to some but if you understand the underlying technology I would side with Larry and say that, really, there are no privacy violations. It's about the trust you have in a corporation when it comes to handling your data. Transparency goes a long way.

Give me your thoughts.

P.S: I don't think an individual or a corporation could successfully operate on the internet while strictly adhering to the three standards you mention. Getting explicit consent for every data transaction that occurs when using the internet would make that medium virtually unusable. We have to make certain, maybe gullible, assumptions about the companies and individuals we interact with to navigate everyday life; you do it every time you enter into a contract without studying the fine print.

A custom Facebook Share button sounds like a terrific idea, open-source it! :)

That might be the key difference. Analytics profiles "anonymous" users.Facebook knows exactly who you are.

I guess if you use a gmail account, a g+ account or some other google account all the tracking stuff can be connected to you.


In Germany there is a big misconception of the internet.

There are few politicians anywhere who do understand the internet.

It's not a Like button, it's a privacy invading web tracker in the guise of a Like button, a disguise intended to colonize by trickery.

Germany's actions are the right thing to do.

Worse than Google Analytics, ad networks loading graphics on remote sites, tracking cookies, or any other form of remote tracking system that's been around since the emergence of the commercial web and arguably is part of its design?

Actually, doesn't the JS in the (official) embed code send that data to Facebook even if you don't click the button? source: http://sharemenot.cs.washington.edu/Overview.html

I'm all for stronger privacy laws however banning analytics and forcing Google to pixelate houses does more harm then good.

Laws like that give people a false sense of privacy. House is still visible from the street and private info can still be tracked online.

Privacy advocate should focus on education and making sure it's explained what is shared with who. If it's clear what you're sharing by signing up to a service and everyone understand what that means we would all be better off.

If you're worried about this kind of tracking, install the Ghostery addon for Firefox, Safari, or Opera. It blocks like buttons, +1 buttons, google analytics, kissmetrics, and a few hundred other trackers.

This seems a bit too much for me, personally. Does Germany take issue with Google Analytics as well? They take all kinds of data about users and send it back to US servers.

If I was hosting a site in Germany, I'd probably tend to switch hosting before I removed the "Like" button from my website.

>Does Germany take issue with Google Analytics as well?

I hope so. Subjecting users to tracking by Google without their consent (you have no way to know that website X is tracking before it does) seems very abusive to me. Nothing prevents webmasters from installing tracking software on their own servers.

Yes: http://thenextweb.com/eu/2011/01/13/german-google-analytics-...

However, I've never heard of someone paying this fine.

As already mentioned, Google Analytics also had to reduce the data send to US servers. It is (more or less) forbidden to generally log IP addresses now (the big web hosters already anonymize their log files - the default apache logfile format is somehow illegal in Germany now).

I am german myself and fully agree with the privacy enforcing people in Germany and EU. Everytime you visit a website where someone added a Like button a whole set of tracking data will be submitted to US servers without a chance for me to forbid this. (Never saw a message "Is it ok for you that I load the Facebook Like button where your data will be transmitted to Facebook?") And after Facebook has a nearly complete profile over my web activities (every 2nd page already has a Like button) practically the US government also has all those data (edit: for fairness: everyone who pays for the data too)

Google Analytics was on a grey zone until this year, it seem to have taken some modification to conform the local law.

Why is Schleswig-Holstein always causing Europe problems? Shouldn't they have learned their lesson? http://en.wikipedia.org/wiki/Schleswig-Holstein_Question

The lesson no longer applies. After two world wars, europe has no stomach left for more.

Jeff Jarvis went ahead and talked to Facebook to get some background on the issue: http://www.buzzmachine.com/2011/08/19/disliking-like-in-germ...

I was thinking about this a couple of days ago - with Like buttons appearing all over the internet, Facebook has the ability to log what sites you visit, when you visit them, etc. Question is, do they? To what extent?

Of course they do. To the maximum extent they can manage. As the saying goes: if you are using a web service for free, you are not their customer, you are their product (or something like that).

Paying is irrelevant. How many websites hide the FB buttons if you subscribe to them?

I meant you don't pay for Facebook. Facebook is collecting the data, not the sites who add the Like button.

The purpose of the Like button is to enable you to share stuff back to Facebook when you click on it. We anonymize all logging data collected as a byproduct of serving the Like button and other social plugins within 90 days of their collection. See https://www.facebook.com/help/?faq=186325668085084.

Bret Taylor CTO, Facebook

What happens within that 90 days? Why not anonymize it within 90 seconds?

I like this.

It's always funny when a little country like Germany or France wants to "ban the Internet" or something. It's kind of cute.

Edit: Man, I sure have offended a lot of people. I really didn't mean to make it seem like you're insignificant, or that the decisions you make are ridiculous and not well thought out when it comes to the Web. I think you guys are doing a great job!

Keep up all this good work and maybe one day we'll relinquish our control of the root name servers over to you.

Little? Germany is one of the world's massive economies.

Whats cute is Americans who think regulating business is something we should never do and privacy laws are bullshit. Sorry, but it looks like the rest of the world isn't so lassiz-faire.

Not all privacy laws are bullshit...but this one sure seems to be. The "Like" button (and the "1+" button, and the buttons to submit to Reddit, HN, and the like, which would all be covered) are completely optional for the visitor to the site. They don't have to click them unless they want to.

The same argument they are using against these buttons applies to off-site hyperlinks in general. Are those going to be banned in the name of privacy?

The "Like" button is not a hyperlink. A hyperlink doesn't reveal your identity to the target site unless you click on it - the Like button will ping Facebook about your presence even if you don't click.

So yes, there are major legitimate privacy concerns about this. I'd hope you weren't aware of this, otherwise this would be an incredibly disingenuous argument to make.

I thought the same in my previous comment, but after a bit of searching, the Like button is not optional at all.

It is capable of tracking both logged-in Facebook users and even users that don't have a Facebook account. It sets a cookie without you clicking it.


  Scenario: The web user does not have a Facebook account  
  after visiting a web site on which Facebook Connect has 
  been implemented, the request for the Like button 
  includes a cookie. This cookie has an expiration date two 
  years from the moment it was issued. However, by browsing 
  across web sites, additional cookies can be placed on the 
  user's computer and these can be added later on in new 

OK, I see that it is not equivalent to a link, because it loads stuff even if you don't click it.

However, is it any worse than an off-site image, or an off-site JavaScript? Those both contact a third-party server. For instance, if I use MathJax on my site, downloaded via a script tag that points to cdn.mathjax.org, would I get in trouble in Europe?

Little as in its size and population, as well as how no one cares what Germany does with their Internet (except for Germans, of course). What's really cute is how people whine about privacy but use the Web. Two things that clash entirely at a fundamental level (the client-server model).

Privacy laws are actually mainly EU wide, which represents more than 300 millions people. Now you could say the US is little compared to China and India, but does it bring much value to the discussion?

EU population is actually over 500 million


So my statement is still valid ;) Thanks for the correction! Think I mixed up things in my memory with the Eurozone, should have checked it.

It's so cheap to use something like this to vent your feelings of superiority. Also "ban the internet or something" doesn't really work for me as meaningful analysis. Clearly similar legislation and the clash of internet ideals vs bureaucracy is not at all limited to "us Euro-trash" wink.

This was certainly not about feelings of superiority. It was more about how every now and then we hear about some country somewhere wanting to do ridiculous things like ban a widget and fine you 50,000 euros if you have it on your site. That doesn't sound retarded to you?

The same way "some country" wants to do "ridiculous things" like fine you six-figures for downloading a MP3?

Mmm... sort of. But you're really stretching it there. I get your point and yeah of course that's totally stupid, but it's also somewhat irrelevant. They both have to do with enormous fines for small infractions and they both have to do with the Web. I said in another comment that it doesn't matter who is doing something stupid -- it's still stupid. But this article wasn't about copyright law in the United States. I make the same comments in those threads as well. Only since this one is about Germany being retarded, they get the special treatment.

If you take the time to put it like this, I would not object, in fact I upvoted you.

Many germans use local mail providers because providers are legally constrained to handle user data better than US providers. EU privacy laws are not such a bad thing. Of course sometimes they are very local judgements happening that makes the news, but that's not like that never happens in the US... Amazon and Texas, does it tell you something?

I think you make a good point. What I said also applies when one of our states makes the same kind of decision. I think it's dumb when Texas does weird stuff like this too, for example.

Those are probably the worst two countries to choose as an example. Germany and France have a huge influence on the EU.

Trolling is not cool, man.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact