discoursism's comments (Hacker News)

I mean terms of service are not that hard to read. Facebook's TOS is only 4k words long. It is not particularly dense or full of legalese. I have written source code comments a tenth that length for a single function. That is not many words to describe the plethora of implications of using their service.

Go ahead and have a glance at it. What would you remove from it that wouldn't cause a significant gap?

Some example clauses:

> For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.

(They have to put this. If they didn't, they would get sued by someone who shared a video and then was mad that other people could see it.)

> Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account:

> You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

(Not exactly dense legalese. It is good to ban impersonation, and it is right that they should include such a ban in their terms.)

> We’ll notify you before we make changes to these terms and give you the opportunity to review and comment on the revised terms before continuing to use our Services.

(Seems reasonable to me. Many years ago, people used to complain that the terms changed without notice, so FB committed to not doing that any more.)

I don't know. This whole "terms of service are impossible to read except by a lawyer" meme just doesn't hold water for me.


Great. So far so good. Where was the part where I agreed they could harvest my profile information because a friend filled out a quiz/questionnaire/etc.?


From https://www.facebook.com/terms.php, item 2.3

> When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)

You gave access to your friends, who then authorised access to the application.


Let's see what the readability of the FB TOS is, using a random Googled analyzer, in this case https://readable.io:

Readability Grade Levels

A grade level (based on the USA education system) is equivalent to the number of years of education a person has had. A score of around 10-12 is roughly the reading level on completion of high school. Text to be read by the general public should aim for a grade level of around 8.

    Flesch-Kincaid Grade Level   12.6
    Gunning Fog Index            13.9
    Coleman-Liau Index           11.8
    SMOG Index                   14.9
    Automated Readability Index  12.4
    Average Grade Level          13.1
Text Quality:

    Sentences > 30 Syllables  80  53%
    Sentences > 20 Syllables 115  77%
    Words > 4 Syllables       37   1%
    Words > 12 Letters         2   0%
    Passive Voice Count       17   1%
    Adverb Count             116   4%
    Cliché Count               0   0%


The whole point is that you cannot meaningfully consent to give out information about your friend since they’d have to consent to that. Even acknowledging they exist and are your friends is already information. To make matters worse, the v1 API would happily hand out information about your friends, such as their likes, without _their_ consent. It is not your privacy that is breached; theirs is. And there’s no way user A can meaningfully consent to have user B’s information exposed.


It was yours to share because it was shared with you.


That's just not how it works. Apps could for example request access to all messages. Let's make that a physical-world example: I write you a letter that contains private details. Are you free to share this letter with third parties? The established legal precedent is clearly "no, not at all." Another example: I allow you to peek into my diary. I shared my private thoughts with you. Are you now allowed to go out and trumpet those out in the world? No, not by any standard. So the default assumption is that things shared privately are private, not public. There are cases where a higher good allows breaching that assumption, but "financial gain" has never been accepted as a higher good in such cases.

Failing to honor that assumption is Facebook's fault here.


> That's just not how it works

Actually, that is how it works. Unless there is an NDA in place between you and me, I can share anything you choose to share with me, especially in the context of a social network where we both agreed to and are bound by the same TOS where we authorized exactly this kind of sharing.


In what jurisdiction? That's not true in the EU (even pre-GDPR), where Facebook also operates.


My heuristic is that if they don't make it clear what jurisdiction they're talking about, they're talking about the US.


My comment is a bit of a passive-aggressive pushback against that :)


Not in GDPR land.


There is a setting to globally disable and enable all apps. If you disable it, no apps can see you, even if your friends use the app. Facebook actually has tons of settings - discoverability is a big problem


And they change all the time, often resetting defaults. And without notice. Playing “respect my privacy” whack-a-mole with a billion-dollar company grows old quickly.


No less an authority than Danny Baker . . . the comedy writer, born in '57? Or else who? How would he know about this?


I think that’s the author's way of saying the story is unverifiable in any way.


This is silly. We do not know that the overall construction methodology had anything to do with the bridge's collapse. Does the Nipigon River Bridge's collapse show how cable-stayed bridges can go wrong?

The author is a history professor, not an engineer, and it shows with the faffery about metonyms of ecological development in South Florida near the end. If the issue here was with the ABC methodology (as opposed to a misapplication of it), we'll soon learn, but I doubt it. In the meantime, the only person who stands to gain from this FUD is the author.


I agree the author is being much too hasty to jump to conclusions. At its core this is essentially a fear piece for something that hasn’t been proven to have done anything yet.


Which tech corporations have complained about this tax?


90% of billions and billions of dollars is still billions and billions of dollars.


> How do you automate personal data discovery, especially for already existing data?

You attach an owner id to every record, and make sure all your systems can dump all information they store according to owner id. To the extent existing systems don't, you fix them.


Charming response :-) Entire industry dismissed in a single HN comment. Poof!

I'm not sure we understand "data discovery" to mean the same thing, but you reminded me of "How To Draw An Owl":

http://sethgodin.typepad.com/seths_blog/2014/01/how-to-draw-...


Hrm, did you expect me to design the output of an entire industry in an HN comment? I didn't say it was easy to do. But it is what must be done. My goal was not to provide code, but an outline, a very rough sketch, rough to the extent that it could fit in a pair of sentences. I guess in that sense the owl metaphor is accurate!

We've had two years to work on this. At my company, we've had entire teams spending significant fractions of their time over the last year prepping. As a result, we'll be ready when the switch flips.


It's refreshing to see such a responsible approach.

What you suggest is (as far as I understand you) orthogonal to automated data discovery / inventory mapping, though.


I agree we are not using the same definition of data discovery. In my use case, you know a priori which user provided the data, you just need to plumb the information through to all downstream systems. This seems sufficient for GDPR as I understand it. I had not read your entire comment and did not realize you were promoting a system to try to do something like this automatically. I did not realize the initial question was rhetorical.

FWIW I would be worried about relying on such a system! But based on the description it seems helpful. What does it do about derivative data that doesn't directly contain any PII?


Hopefully if you are a company that small, you haven't had time to develop multiple data warehouses. You can write up a script to query your single warehouse to get the necessary data. You won't create a unique response for each letter, except for filling in all the user's personal information. Instead, you'll write a letter like:

Here is a listing of everything you have a right to know about our company and processes under GDPR:

<huge info dump>

Here is all of the personal data we have about you:

<very long CSV file>

Ideally, the most time-consuming part of responding, after the first such letter, will be verifying the user's identity.
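An added example (not code from this thread or from any real product) of the approach the two comments above describe: every store keyed by an owner id, one exporter registered per system, and a single function that pulls everything for one data subject into the CSV that goes into the response letter. The three in-memory stores, their records and the `support_tickets` name used in the coverage check are constructed sample data; `SYSTEMS`, `collect_subject_data`, `to_csv` and `unregistered_systems` are names chosen here, not anything Facebook or a specific library uses.

```python
"""Per-owner data export, as sketched in the thread: tag every record with an
owner_id and make every system able to dump its records for that owner.
Constructed example; stores and records are sample data, not real systems.
"""
import csv
import io
from typing import Callable, Dict, List

# Constructed sample stores. In practice each would be a query against a
# real database, warehouse or log store, but each must be keyed by owner_id.
ACCOUNTS = [
    {"owner_id": "u-001", "email": "alice@example.com", "name": "Alice"},
    {"owner_id": "u-002", "email": "bob@example.com", "name": "Bob"},
]
ORDERS = [
    {"owner_id": "u-001", "order_id": "o-10", "total": "19.99"},
    {"owner_id": "u-001", "order_id": "o-11", "total": "5.00"},
    {"owner_id": "u-002", "order_id": "o-12", "total": "42.00"},
]
# Derivative data: a segment computed from behaviour. It contains no PII on
# its own, but it is still keyed by owner_id, so it is still part of the dump.
SEGMENTS = [
    {"owner_id": "u-001", "segment": "frequent_buyer"},
]

Exporter = Callable[[str], List[Dict[str, str]]]


def _by_owner(rows: List[Dict[str, str]]) -> Exporter:
    """Build an exporter that returns only the rows belonging to owner_id."""
    def export(owner_id: str) -> List[Dict[str, str]]:
        return [r for r in rows if r["owner_id"] == owner_id]
    return export


# Registry of every system that stores personal data. A new pipeline that is
# never registered here is exactly the gap a subject access request exposes.
SYSTEMS: Dict[str, Exporter] = {
    "accounts": _by_owner(ACCOUNTS),
    "orders": _by_owner(ORDERS),
    "segments": _by_owner(SEGMENTS),
}


def unregistered_systems(known_stores: List[str]) -> List[str]:
    """Stores that exist but have no exporter: their records would be missed."""
    return sorted(set(known_stores) - set(SYSTEMS))


def collect_subject_data(owner_id: str) -> List[Dict[str, str]]:
    """Gather every record tied to owner_id from every registered system,
    tagging each row with the system it came from."""
    out: List[Dict[str, str]] = []
    for name, export in SYSTEMS.items():
        for rec in export(owner_id):
            row = {"system": name}
            row.update({k: str(v) for k, v in rec.items()})
            out.append(row)
    return out


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Render the collected rows as one CSV; columns missing from a row are
    left blank, so heterogeneous systems share one file."""
    fields = ["system", "owner_id"]
    for r in rows:
        for k in r:
            if k not in fields:
                fields.append(k)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(collect_subject_data("u-001")))
```

The coverage check is the part worth keeping in CI: compare the list of stores you actually run against the registry, and fail the build when a new one appears without an exporter.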


You probably need a lawyer to help you write the document the first time, and to update it when you make new partnerships or develop major new pipelines for data. You probably don't need a lawyer every time you receive such a letter.


> You probably don't need a lawyer every time you receive such a letter.

For routine enquiries, maybe not. For a letter like this, from someone who is clearly intending to trip you up and cause trouble, our lawyer is the first call I'm making, every time.

And that initial conversation is already going to cost me hundreds of pounds and a half-day of work, even if I already have reasonable answers to anything we are actually required to respond with under the GDPR here.


> For a letter like this . . . our lawyer is the first call I'm making

/shrug It's your money. You could do that, or you could even light it on fire if you wish. It's no skin off my back. If your company is profitable enough to eat this self-imposed overhead, then its owners will just make less money. If it's not, then leaner competitors will replace it. I'm fine with either outcome.


In this area, we have no idea which overheads are actually going to prove justified and which are just throwing money away. That's one of my main points here. As I've argued several times on HN recently, a big part of the problem is that if you're running a small business that isn't handling large amounts of personal data but obviously is going to be subject to the GDPR like everyone else, there is no clear indication of what you have to do to be considered reasonably compliant.

The GDPR itself is very heavy and has little in the way of moderation for small-scale data controllers/processors, so in practice it's going to come down to interpretation by regulators (and potentially anyone who has rights under the GDPR and wants to make trouble, as in the example we're discussing). If you don't do enough, you potentially face even greater overheads due to formal audits, financial penalties, etc. If you do too much, then as you rightly point out, you leave yourself at a disadvantage compared to competition who don't do as much (and this remains the case even if that competition is knowingly breaking the law as a result, and that in turn doesn't matter if they face no meaningful penalties for it).


> we have no idea which overheads are actually going to prove justified and which are just throwing money away

Life is risk. I contend that if you make a good faith effort to comply with this law (i.e. consult with a lawyer, once, to develop those eight documents you mentioned in another part of this thread) and generally practice good private information hygiene (wipe out old data, don't log private info, don't retain logs or emails too long, etc.), you're probably going to be fine. This is probably not going to be in the "inner loop" of risks your small business faces.

In every regulation, there are winners and losers. Some of the losers didn't do anything wrong, but are just losing because that's the nature of designing laws that factor in disparate interests. At this point, it's the law, and your only choice is how you're going to handle it. And my contention is that, if your small business is receiving letters like this with any regularity, calling a lawyer and spending half a day on it each time is not among the reasonable spectrum of risk-mitigating responses.


To be fair, the EU introduced a two-year transition period with the express purpose that businesses should update their processes and basically identify and prepare for potential problems such as this one.

This transition period is ending this summer. Why is this discussion taking place now?


I'm involved in GDPR-compliance taskforce in our company, and I can answer this question.

GDPR is very broad and open to interpretation, which will only happen when someone gets caught, i.e. during the first legal battles.

So, the transition period does not really help, be that 2 years or 4. We need to see how this law is going to be enforced by regulators, and which common IT practices constitute breaking the law and which do not.


> This transition period is ending this summer. Why is this discussion taking place now?

Because no-one thought to inform most of the businesses affected by it before, and awareness has only grown in recent weeks (and even then probably only among business people who frequent forums like HN where the subject has come up).


> (and even then probably only among business people who frequent forums like HN where the subject has come up).

Every business I've worked with over the last couple of years of consulting has had sessions on GDPR entirely without any technically minded people having to bring it up.

I'm sure there will be people caught by surprise, but what I've seen has been very promising.


> Every business I've worked with over the last couple of years of consulting

OK, but if you're going into a business and consulting, that already suggests both a certain scale and a degree of awareness within those businesses, so this isn't likely to be a representative sample.


I'm not consulting on the GDPR, and my clients range from 2-person companies to 2000 people with most of them being much closer to the low end than the high, so while it certainly will be a biased selection in other respects (e.g. they're companies with a certain degree of technical complexity) I don't think it says much about awareness (other than already having more tech staff) or scale.

Additionally, most companies without much technical infrastructure are less likely to be affected much in the first place.


> there is no clear indication of what you have to do to be considered reasonably compliant.

This is just untrue. There are fucking reams of advice to small businesses.

https://ico.org.uk/for-organisations/resources-and-support/g...


Unfortunately, that guidance still doesn't provide specific, actionable advice in even a lot of everyday areas, as we've seen in just about every HN discussion on the GDPR in recent weeks when recurring themes like backups or log files or payment processing services come up.

Also, having "fucking reams of advice" is not a good thing. To be practically useful for the kind of organisation we're talking about, advice needs to be clear and concise. A starting point that will take days just to read through and understand isn't very helpful.


Ha. With my friends, if we have one of these "we don't know" scenarios, and my friend tries to take out their phone to look it up, I tell them to put that goddamned thing away. Knowing is not fun. Reasoning is fun, asking around is fun, guessing is fun, bullshitting is fun. If you don't need to know, don't look it up!

Would you rather get to know someone through many conversations and shared experiences, or by reading a (hypothetical, futuristic) brain scan? And so with the world.


There are a lot of private parking garages in NYC. Are those all government mandated?

