Time and time we are proven again and again that Facebook has become the emblem of how far technology can go to support pure malicious intention with widespread support.
This thread was removed from the front page of HN real fast, as in—one second it's at the top of the site, the next minute it's gone. Despite being very, very relevant news and lots of discussion going on.
It's disappointing, although not surprising, to know where HN's allegiences lie in this particular fight.
I think the grey text is something else -- like if it was already visited before or you upvoted it or something. I checked on two different browsers and it was gray on one but not on the other, so who knows.
Tech companies in general have beaten low standards and mediocrity into people's heads. Not only are they okay with using these products, they now try to recreate the same low bar set by the greater industry.
IANAL, but my impression of the US legal system vs various (continental) Europe legal systems is the former is completely engrossed with the letter of the law while the latter is much more focused on the spirit of the law.
If FB gets shafted in the processs of discovering this fact of life, all the better.
At the very least, from a "I expect the worst from my government" skeptic POV, one could see this as a good shakedown opportunity from Facebook for massive fines.
The only reason that doesn't happen is either fear of FB or corruption.
facebook is probably laughing harder at this. A few billion in fines, combined with low irish taxation is still not big enough to justify pulling out of the EU market. The EU decided a bit too late to build a chinese-style 'firewall' around european tech and it's not really working. Instead they are playing cat and mouse with big corp, which really shows that these laws were mainly meant to have an apotropaeic effect
Probably. They're the only big guys making a credible effort though. Russia/China won't be doing anything. US & associated lobbying basically IS big tech now.
i don't really mean a censorship firewall, rather an attempt to shoo US companies from the EU market the same way that China is protecting its own companies.
What kind of a fucking firewall is it now? It's not for censorship, it's not for preferential treatment. You keep calling a firewall but can't say what it actually does.
I don't think that's enforceable. You'd need some kind of soul extracting machine, or a soul-over-IP transfer mechanism. Maybe a soul mail-in option. You'd also need to implement some kind of soul storage warehouse. What would you do with all those souls anyway?
The technical feasibility of soul extraction and storage isn't really the problem. It's the act of selling it that's the problem. I mean, we don't 'extract' and 'store' land/real estate, but we do buy and sell it. You can have a claim to land and not need to move it to your warehouse.
Just a title/deed system for souls would suffice. Since there's not a legal framework around the ownership of souls, I'm sure we could encourage its creation by starting a marketplace. Ultimately, however, I suspect 'soul' will finally be defined as "existing, being, with current human perceptions of free will" or somesuch and we will no longer have the ability to sell our souls for the licensing benefits of a product or service.
What rights does owning someone's soul give me over that person? If I sold my soul to the devil, he would have me for an eternity in Hell after I die. However the devil is an eternal being, and human law only applies to mortals. I have to assume that ownership of a soul is revoked after the death of that soul, since human authority is transcended by a higher body of power. If I sold my soul to Mark Zuckerberg, what would he do with that power over my mortal life?
Due to it's non physical nature I don't think we could ever define "soul" scientifically, except perhaps as "the aspect of the human being which is not physical". Is it possible to own something non-physical? There is precedent, such as patenting an algorithm, or owning shares in a software company.
OK what if line 950, subsection B of the TOS agreement, gave Facebook the option to harvest one of your kidneys? Would that be enforceable? The point of the regulation is to make clear consent for personal information to be used. Saying the person clearly agreed to their "personalized advertising contract" by accepting the TOS, which allows them to use all of your personal info is debatable.
Under article 7 GDPR [1], consent has to be given freely. Unless Facebook offered an option to opt-out of this contract, use of the Facebook service was tied to the agreement, which means it probably won't hold up.
It's great that this is happening in front of an Austrian court, because the Austrian Data Protection Agency already has ruled on consent issues, and in those rulings was (IMO) extremely strict on when consent was given freely. In one ToS challenge, the mere potential for confusion was enough to render it invalid.
Edit: Here's one such ruling [2]. Co-mingling checkboxes for processing of data for marketing purposes with actual contractual clauses was ruled as a violation of the GDPR, even though by default, the checkboxes were unchecked. The Agency ruled that the confusing nature of the form could lead subjects to believe that they had to check a checkbox to receive the service.
Also, another relevant local case would be with a popular national newspaper, DerStandard.at. That newspaper offers access in two ways: either (a) you pay for a subscription and receive the service ad-free, or (b) you access the service for free, but consent to receiving ads. This was deemed in compliance with the GDPR, but it was stated that only offering (b) -- ie, exactly what Facebook does -- would not hold up.
The trick is that the legal ground is not based on consent but on performance of a contract, in which case consent, freely given or not, is not required at all.
I understand the trick, I just don't believe that it can play out.
A contract also needs consent. This contract is clearly entered only because Facebook is making it a condition of using the service, and this type of coupling is prohibited.
> This contract is clearly entered only because Facebook is making it a condition of using the service
The contract is entered when a user registers at Facebook. However Facebook seems disagree about what the contract involves. Any sane person (well, 96% of them, as the article claims) would say that the contract is for delivery of means to communicate with other people; Facebook seems to argue that the contract is for delivery of personalized ads.
while they may have a point their arguments are not well articulated
> Europe’s strict privacy laws
actually it's EU's privacy regulation
> Facebook openly admitted that it has been collecting and processing data without users’ consent
They said that they ve been collecting WITH consent, at least with their definition of consent
> To prove that no one ordered advertising from Facebook, we conducted a neutral study by the Austrian Gallup Institute. The result is devastating for Facebook: Only 4% of users want advertising,
... And i bet only 4% want to pay taxes too. polls are not legal documents. Also, "wanted advertising" is very different from "accepted advertising as part of the terms"
> Facebook does not give users a full copy of all their data
I believe facebook does give all their personal data,but maybe they are looking for derived data that facebook has stored for them? that's not personal data and it can be particularly tricky if it has been combined with other people's data , for example to train a neural net
In any case, i don't think facebook cares too much anymore and will just pay another yearly fine for operating in the EU. Even if FB asks for consent in every second page, people will click yes.
Your are funny, you say their arguments are not well articulated, yet you do seem not to be up to point.
You argue they are regulations? European Regulations are law. European Directives and Regulation are the two main legislative
They argue users are using facebook because they want advertising, their primary usage is advertising and for that advertisement they consent to share their data. That's so ridiculous it is funny.
And no, FB does not give all the data, the definition of what data is in the regulation.
Both FB and their Privacy Director are not looking good.
Regulations have to be implemented and integrated into each country's laws. Countries may not have yet implemented GDPR
> their primary usage is advertising
I don't see where FB claimed that advertising is primary usage and others are secondary. i can infer from the text that they parceled as part of the "service promise"
> FB does not give all the data, the definition of what data
Facebook says they are GDPR compliant and i doubt they 'd say that without the consultation of at least one EU data authority (perhaps the irish?).
https://www.facebook.com/business/gdpr
Right, that's correct, even though supplemental legislation is passed in each country following the regulation, including GDPR. IIRC there are 2 EU members that haven't done it yet.
Facebook pretends to be GDPR compliant because they have to.
Obviously, they're not. Try downloading your data. Try deleting your account. It's all really iffy.
Of course they'll say they're compliant. They have to to be able to operate. But they are not. They are operating illegally within the EU and they should be shut down.
You are wrong again, Directives are ratified, Regulations apply verbatim. That said, the GDPR left some detail to each member state.
I am sorry buboard, I don't know whether you are affilated with FB, but that's not just how it works. They indeed, just claim it. That's why you pay for General Counsel.
The GDPR (which is not the only EU privacy law) is fairly described as a “law”, “regulation” is just the formal EU law term for a directly-applicable primary legislative act, which is a kind of law. If you're complaining about the “EU” part, well, the GDPR applies in some non-EU countries too (e.g. in the EEA).
> They said that they ve been collecting WITH consent, at least with their definition of consent
Some data is collected with ostensible consent, some without, and there's still processing to deal with.
> And i bet only 4% want to pay taxes too. polls are not legal documents. Also, "wanted advertising" is very different from "accepted advertising as part of the terms"
Sure, but the GDPR also means you can't forcibly bundle consents together. You need to separately consent to invasive use of data for advertising versus provision of the basic service.
> I believe facebook does give all their personal data
Did this recently change? I seem to recall that Facebook are known for not providing e.g. the data they've got from you browsing other sites with FB cookies unless you went via some difficult legal route.
details, but they are not claiming that data collection is without consent. they claim that they need a separate consent to use that data to show personalized ads
> you can't forcibly bundle consents together
Yeah that is true. still, making an online poll about what people want in general is a ridiculous way to nullify an agreed contract
> you browsing other sites with FB cookies
that would depend on whether these are personally identifying or personal data in general
Also important to mention... serving ads without consent is not ilegal under GDPR, what is illegal is user profiling with the purpose of serving ads.
In practice for Facebook the attraction for their ads platform is precisely that you can target fine grained demographics. So I'm not sure if Facebook can do anything here without a drop in revenue.
if the court gives them another fine (probably yes), FB will probably become a paid service in europe, but then will pay you back with its "ad viewing" program so it can be free again. This would also be compatible with california's new regulations i think
As an EU citizen I believe it's time we shut Facebook off. They've shown no willingness to abide by our law, so I don't see why a criminal company should be allowed to continue to operate here.
I certainly won’t miss them. My biggest concern isn’t even the data privacy issue, but the way they have effectively killed most discussion forums which were actually designed to make communicating clear and effective, as opposed to the unsearchable stream hell of facebook groups.
Yeah, and a comrade major from the FSB has easy and unlimited access to all your conversations and data
A vast majority of political prosecutions for online extremism in Russia were carried out using info that VK subserviently provided to police and special services.
As for access, i assume there are server farms on quite a few countries looking for all kinds of patterns in chats. Until E2E encryption becomes extensively spread, it 's a joke to pretend there 's some kind of user privacy
Facebook has huge overheads because most of their engineering time is spent on all the creepy privacy violating things they develop and the infrastructure to run them.
If we start from scratch without all that it would be possible to make a profitable social network for a couple of bucks per month per user (or a tiered system, so heavy users or “influencers” would pay more while the base tier remains free).
I'm not the parent, but from my pov FB is a net negative for society, so if they are unwilling to play by our laws, then I'd rather see them get the fuck out.
They won't of course, because it leaves the market open for grabs.
If they leave the EU though they don't need to follow European laws or pay European taxes, but that doesn't prevent European users from continuing to use the actual website.
There was a study recently showing that people that do not have Facebook account are happier :) Not to mention their personal data are not being abused.
i don't use facebook and i do agree its bad for egopaths. But i have some friends who use it to communicate with their family back in their countries and it's a valuable service for that reason.
I don't think anyone of us has seen consent request by facebook or google in this form (freely given != 'give consent or you can't use or services, specific/informed/unambiguous != barried in miles of legal giberish,...):
Recital 32
EU GDPR
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given for all of them.
If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
But this is really strange, news like this with 186 pts atm is on 3rd page. Before it are news with 2pts. This doesnt make any sense. Is it a coverup by HN administration?
As an user I feel that GDPR changed nothing. Google, Facebook and whatever else tracks you to the bones did not change one bit (for me).
As a sys-admin, GDPR invented all sorts of jobs. Jobs well intended. But these jobs are filled by people that are neither lawyers nor IT people. Whenever I interact with them I feel like they just want to check some boxes that makes the org compliant and go home. They don't enforce or apply GDPR, they enforce those checkboxes.
Yeah, I bet they're all good boys and girls who couldn't have possibly imagined that all of the secretive ways they go about collecting data could be wrong.
Honestly, if this "loophole" is allowed to exist then the GDPR is not worth the paper it is written on.
The idea that consent should be freely given is ludicrous if it can be overridden by simply including it in a term in the terms and conditions. Facebook could probably write that they can kill or castrate the user at any time and most of their users wouldn't notice it (until the media picked it up).
In the United States time and again legal precedent has been set and reinforced that TOS is not a binding legal agreement but it’s somewhat of a grey area just what it actually is and what can and can’t be considered “fair warning” for being there. The American courts don’t really place a premium on privacy so that’s generally been summarily dispatched with and its ramifications ignored, but other jurisdictions clearly don’t feel the same.
I don’t understand what’s so hard to understand about the fact that ads is what pays for Facebook to exist?
It’s a key part of the offering! You get free access and get to see ads in exchange. Others have tried other business models and failed...that’s how the world works, the better offering wins!
If the problem people have is ads then just make all ads illegal and we can move on. But trying to use GDPR as a lever is silly...it’s not what its intended to do, as much as some people would like it to
IMO, ads should be made illegal, but that's not the point here. Facebook is perfectly free to show ads to people, they are just not free to track people. They are trying to use ads as a justification for tracking here, which is the contested point.
And before you answer that ads without tracking don't pay the bills, that's honestly Facebook's problem.
Every time I start thinking about ads being made illegal, I think about the small businesses who don't already have their brand established. Banning advertising entirely would crush many entrpreneurs for whom advertising is the only reason anyone knows who they are.
There's a big difference between massive companies seeking to keep their brand in your mind and small businesses trying to let you know they even exist.
But how do you ban one without banning both? Its a complicated issue
The need for advertising arises from having substitute goods on imperfect markets.
If consumers knew the perfect good or service that they wanted to buy and exactly whom to buy it from, there wouldn't be a need for advertising. As it is now, information asymmetry creates a demand for advertising, so until people know everything about every market, you're going to have ads.
The alternative to ads is subscription services, which already exist. If people prefered subscription social media to ad based they would flock to those, but they don't.
“The alternative to indentured servitude is free labor, which already exists. If people preferred free labor to indentured service, no one would sign a service contract, but they do.”
-paraphrasing someone 300 years ago, probably.
Sometimes people pick things that are bad; that people choose something doesn’t make it somehow good.
Seems apt to me. Indentured servitude actually seemed reasonable to a lot of people looking to move, you got expensive passage on a ship in exchange for working for a set length of time. Facebook is a platform for social manipulation, in a few hundred years I wouldn’t be at all surprised if we see that social manipulation as a morally intolerable evil. The sort of tracking/aggregating they do is a violation of privacy as extreme as indentured service is on free will.
An analogy is not a comparison. I think an analogy here was made to reinforce the point made, not to in any way claim that Facebook somehow deals with indentured servitude.
Por que no los dos? Sign up for Hulu today! Pay a subscription fee and still get the benefit of tons of ads! Or pay more for our Hulu (No Ads) offering, which still has ads on certain programs.
I'm surprised that FB after all these years hasn't offered something as simple as a paid upgrade for removing ads and maybe better photo storage or something.
Maybe that lack of long-term feature is endemic to the capitalist system/environment, because decade-long growth usually isn't allowed to sacrifice short-term growth. I couldn't imagine a private company like Valve Software making the same decisions.
It's not the ads that are the problem, it's the widespread tracking + use of personal data that large ad networks like facebook perform. That's why they're using the _data protection_ legislature against facebook.
No, that is the users problem. The users determine if FB has the right to exist, as no one is arguing that any corporate entity simply has the right to exist.
I haven't used FB in years, but even I know that if FB didn't exist that another service would fill the gap in the market. The problem is FB plays fast and loose with privacy and security, which should be the focus of criticism for FB, since that negatively affects users. If FB didn't exist, you still run the risk of another player making the exact same mistakes.
> as no one is arguing that any corporate entity simply has the right to exist
Yes, but I do still see people give the "just don't use FaceBook then" argument on every post about this on HN, as if we should just ignore all the problems. Under this insane framework any horrible behavior by a company towards their customers is justified as long as you use their products willingly.
This also ignores the massive existing adoption FaceBook has. If I want to switch to twitter or mastodon or $otherSocialNetwork I have to convince everyone I communicate with on FaceBook to switch too.
The problem here isn't Facebook (even though it certainly has problems), it's that your preferences do not align with the majority of FB's existing users' preferences for social networks. That's my point - the users dictate what exists on the market, and entrants like Snapchat and TikTok show that it is possible for new social networks to attract users off of Facebook.
Existing legality is not necessarily a good cause to dictate if a business should exist or not, as for some markets the law tends to lag society (i.e. federal law and weed dispensaries). This discussion isn't really about legality anyways, it's about market demand.
In this case, you could argue that the "users" is almost equivalent to the people (of EU), because of how widespread the usage of Facebook is. What we see here is that the people is starting to decide that some things that Facebook are doing are not acceptable anymore.
I don’t mind ads. I mind tracking. Basically my demand is that Facebook show me dumb enough ads and use only data I consent to. Im ok with my age and gender and other things being used to target an ad - that’s information I already willingly gave them. But if they show me an ad based on a page I visited with a Facebook script snippet on it, a message about sneakers I sent to a friend, or a post I liked on Instagram they crossed a line regardless of what terms and conditions I accepted.
If ads that work without spying on users don’t pay enough to pay their data center bills then they should shut them down. I’m more than happy to vote for politicians that ensure this. I’m not comfortable saying “I’ll just not use services from companies X and Y because they use shady ads”.
> But if they show me an ad based on a page I visited with a Facebook script snippet on it, a message about sneakers I sent to a friend, or a post I liked on Instagram they crossed a line regardless of what terms and conditions I accepted.
Uh, no, they haven't. YOU are responsible for visiting websites and using their services under terms and conditions you agreed to. YOU are responsible for and capable of not using sites do not agree with. You are getting a service in exchange for being tracked and shown ads. If you don't like it, delete your account, or fix your damn /etc/hosts file to block the (admittedly overwhelming) number of domains FB uses for these purposes.
I'm no fan of Fb. I deleted my account, blocked thousands of domains in my /etc/hosts file, use multiple ad-blockers, etc. etc. Fuckerberg going to prison would make me giddy. But, you don't get to have your mystical cake and eat it, too. You don't dictate how they run, or what data they collect, or how they use it. Get real, dude. Take responsibility for your actions. You agreed to what they do when you read(skipped) the terms of service/privacy policy when you signed up.
This argument would carry more weight if the terms of service and privacy policies were both complete and written in a way that ordinary non-lawyer people could actually understand.
Eh, if I sign up for a credit card for "0% APR!!!" and then don't read the fine print that it's an introductory offer, isn't that a result of my action (or lack thereof)?
That they use fine print or dense legalese doesn't invalidate the fact that it was there for the end-user to read and agree or disagree with. I find that most "ordinary non-lawyer" people can understand these policies if they take the time to actually read them. They're verbose, not arcane.
> I find that most "ordinary non-lawyer" people can understand these policies if they take the time to actually read them.
I find exactly the opposite.
> They're verbose, not arcane.
They're both.
The problem is that people aren't lawyers and don't read them with a lawyer's eye. This frequently leads people to think that the terms are saying things that they aren't saying (by design). People tend to think that these policies are more favorable to the user than they actually are.
Isn’t that what I did when my elected representatives pushed GDPR through though?
The reason there are so few successful services with sensible advertising is simple: it’s too easy to fool people to accepting terrible ads that pay more.
I don’t think users should be expected to know how to edit their hosts file to preserve their integrity. Nor do I think they can be expected to read the ToS (get real).
I want regulation to ensure that idiots cannot agree to ToS that endanger their information or integrity. The GDPR and similar laws, if properly enforced, goes a long way towards that. I especially like the idea that access to the service can’t be conditioned on data collection.
> I don’t think users should be expected to know how to edit their hosts file to preserve their integrity.
Ok, that's fair.
> Nor do I think they can be expected to read the ToS (get real).
I am being real. ToS and Privacy Policies can be, and often are, legally binding. Do I expect people to read them? No. Are they legally subject to whatever they agreed to, regardless of whether or not they actually read it? Yes. The user agreed to the contact. They clicked the damn button. They can deal with the consequences of their haste and/or stupidity.
> I want regulation to ensure that idiots cannot agree to ToS that endanger their information or integrity.
That's a bit different than what your originally wrote, which seemed to be less like a desire for regulation to address this and more like a a desire for a new ToS between FB and you, a singular end-user.
FWIW, I'm also a proponent of the GDPR and CCPA. But I also don't think people can just scot-free break or circumvent contacts they agreed to. Where is the personal accountability for the user? It can't just _not_ exist.
the claim is that they users didn't want to see ads even though they agreed to use the site, so they couldn't have known that ads are required for the site to exist
The article is not against ads generally, but instead Facebook's attempt to circumvent GDPR to continue showing personalised ads.
GDPR should be used for exactly this purpose - it is a protection against companies collecting and using personal data in this way. Facebook has the choice to show ads, just not personalised ones. What is specifically being argued about is that Facebook tried to claim ads were a contractual service (thus exempting them from rules on personal data) - but transparently they aren't.
And if Facebook can't survive in a future where it is forced to respect personal privacy, then may its death be ever sooner.
> The article is not against ads generally, but instead Facebook's attempt to circumvent GDPR to continue showing personalised ads.
And yet Facebook is not alone doing this. While almost all the medium and small sized sites ask for consent nowadays the big players just seem to be immune. My go to example is spiegel.de which is one of Germany's largest newspapers. Full of trackers, full of personalized ads and I have never seen them asking for my consent.
The issue is not advertising, but "to aggregate user interests and track people on the internet".
While advertising is not illegal under the GDPR, collecting an individual's data for marketing or advertising purposes without a "basis" (as defined in the GDPR) is.
The plaintiff is arguing about data privacy, whereas Facebook's lawyer is playing the advertising card as a counter.
The plaintiff is unhappy about the way Facebook uses personal data, while Facebook is arguing they have a legal basis for processing data for personalised advertising purposes in order to fulfil a contract which it entered into the users. (which is a basis in the GDPR).
If they lose this case, do you think it would it leave Facebook a liability for no longer being able to fulfill that contract? I.e. you can’t share my data, now where are my personalized ads that you promised?
IANAL, but I think that clause would become null and void.
User: "hey Facebook where's the personalised ads you promised me?"
Facebook: "that clause was found to be illegal, and we have notified you that it is unenforceable by either party."
Right, and Facebook is arguing that it’s because they have to fulfill a contract. However, GDPR may block them from collecting the data they need to serve personalized ads. This would mean they wouldn’t be able to fulfill the contract.
To phrase my question in another way, would that contract still need to be fulfilled, if they are blocked by GDPR from collecting the data they would need to fulfill it?
The lobbies have been trying to reverse the controller/processor relation from the very start. They have been told time and time again this was not an acceptable interpretation of the GDPR. It's time one of them is made an example in court, with fines stiff enough to discourage any corp from trying this strategy again.
The GDPR is a failure anyway. US tech giants are still globbling up masses of data even if the individual hasn't consented.
For example, the "contacts" permission should be disabled on OS's in the EU as it's impossible to prove the user has constend to sharing that information, yet Google launches an API in chrome to access the users contacts which totally won't be abused.
Alternatively you can gobble up data and "accidentally leak" it through an open MongoDB or AWS instance, will anyone go to jail? Unlikely, nobody really cares.
I doubt Facebook is going to change its ways any time soon, they're simply too big to fail at this point
GDPR enforcement is just beginning. The cases again the big guys have started to be made, but haven't actually made it yet. When they do, things will get interesting...right now we're in limbo...or more precisely in a Wile E. Coyote moment.
