No, people went to an online pharmacy, unrelated to Facebook. That pharmacy sent the information to Facebook, including information about what kind of medication was purchased. Of course, the main fault was with the pharmacy, but that is another, related, story. The main point here is that Facebook had promised to filter and not store sensitive information, but that filter apparently didn't work, possibly because that filter didn't handle information in Swedish.
So, even if you never ever had been even close to Facebook, Facebook could have the information that you just ordered some Emergency Contraceptives.
I understand. It feels almost like magic that a script could figure out that kind of thing from any site? I guess it’s mostly just blindly uploading things from forms?
This is a massive GDPR breach of the site in question though. I really don’t fault Facebook much. Anyone who ever includes any FB script is responsible for exactly what it does.
Sure. There is perhaps a moral/ethical responsibility. But there are laws against sharing sensitive info and I don't think "I didn't know FB scripts did that" helps. FB's entire business is gobbling up user data. And pharmacies' business is to know who they share sensitive data with.
I don't think it's too much to ask to require site owners to understand what the scripts they use are actually doing, at least if they deal with sensitive data.
For example, I don't think pharmacies should do any kind of advertising on FB, or do any kind of campaign tracking/conversion measuring etc on the same site they accept user data. As with all GDPR violations, if just a few large pharmacies were fined out of existence, I bet the rest would quickly fall in line.
While I agree that the main fault was with the pharmacies, they should certainly not send any patient information to anyone, I think you can at least partly blame Facebook since they had promised to filter out anything sensitive.
That sounds impossible even for one language. A better description I might trust wouldn’t include “filter out”. Filter out!? Like activities that aren’t “filtered out” would somehow be blanket acceptable?
Wouldn’t it be easier to just use an FB api to send one ping when a transaction completes, e.g. with a campaign ID? Why would fb ever be uploading what’s stored in a form field that they don’t know what it means? It makes no sense?
Many analytics and tracking pkgs will capture every single form field and upload them as a standard default, and only mask out things that match cc regexes etc
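An added illustration of the two filtering models discussed in this thread; it is not part of any comment and not code from Facebook or any real tracking package. The form fields, function names and patterns are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample: fields from a hypothetical pharmacy checkout form.
const sampleForm = {
  email: "anna@example.com",
  card_number: "4111 1111 1111 1111",
  product: "Akut-p-piller 1,5 mg", // constructed Swedish product text
  quantity: "1",
  campaign_id: "spring-24",
  order_total: "199.00",
};

// Pattern for card-like digit runs (13 to 19 digits, optional separators).
const CARD_RE = /\b(?:\d[ -]?){13,19}\b/;

// Denylist model: forward every field, mask only values that match a
// known sensitive pattern. Anything the patterns do not recognise
// (free text, another language) is forwarded unchanged.
function denylistPayload(form) {
  const out = {};
  for (const [key, value] of Object.entries(form)) {
    out[key] = CARD_RE.test(value) ? "[masked]" : value;
  }
  return out;
}

// Allowlist model: the site owner names the fields that may leave the
// page and the exact shape each must have. Everything else is dropped,
// so unknown or free-text fields never reach the third party.
const ALLOWED = {
  campaign_id: /^[a-z0-9-]{1,32}$/,
  order_total: /^\d{1,6}\.\d{2}$/,
};

function allowlistPayload(form) {
  const out = {};
  for (const [key, shape] of Object.entries(ALLOWED)) {
    const value = form[key];
    if (typeof value === "string" && shape.test(value)) out[key] = value;
  }
  return out;
}

console.log("denylist :", denylistPayload(sampleForm));
console.log("allowlist:", allowlistPayload(sampleForm));
```

With the denylist model the card number is masked but the product name and e-mail address are still forwarded; with the allowlist model only the campaign ID and order total leave the page.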
What the hell would someone even do with such data? I get that you can figure out addresses/phone numbers/emails and correlate individuals etc. But what about all the other fields? If someone says "It's sold in bulk to companies who try to datamine whether the field values '48', 'yes' and 'Other' make it more/less likely for you to buy car insurance in the future" I'd be...completely unsurprised
I think owning information that you should not possess could in theory be just as punishable as sharing the information in the first place. Especially if done on a massive scale.
If you visit a pharmacy website to buy prescription meds you have to enter PII. If you then also visit various pages on that site for various meds for various diseases it can quite easily be correlated that you have said diseases. The fact that Facebook was involved can be completely unknown to you as a user, you don't even have to have a Facebook account.
> If you visit a pharmacy website to buy prescription meds you have to enter PII.
Yes. And they are responsible for where that information ends up, regardless of how and where they advertise. So basically, anyone running any website at all should be really careful to not add any third party (e.g. Facebook) scripts to their page. I'd rather run a business not knowing whether my ad campaigns work at all, than run one where I don't know if I'm liable for breaking laws.
Analogy: if you have a photo sharing website, like Flickr, then from those photos (and the combination of different photos) Flickr can in theory derive a lot of sensitive information; does that make it somehow stupid or irresponsible to post photos to Flickr? I'd say that depends completely on how we expect Flickr to behave.
It's like visiting a physical pharmacy. In theory, somebody could be spying on the people who enter and leave the place, keeping a giant database with frequency, faces, etc. The question whether it is stupid to enter a pharmacy in person should be answered with: "No, we have laws that protect us against malevolent actors".