Verizon fined $1.3M for supercookie header injection [pdf] (fcc.gov)
407 points by tshtf on March 7, 2016 | 107 comments



131b revenue in 2015. So, at 1.3m, a 0.001% fine, aka half a minute of revenue.

Interestingly it doesn't directly fix the problem either (although it wrecks the current free-profit model, yay!), "To settle this matter, Verizon Wireless will pay a fine of $1,350,000 and implement a compliance plan that requires it to obtain customer opt-in consent prior to sharing a customer’s UIDH with a third party to deliver targeted advertising"

But lest anyone think this is a UIDH prohibition, the next line goes on to say customers must at least have the ability to opt-out from internal Verizon usage, meaning the UIDH will be there (unless the customer opts out) and that a persistent, unique identifier that follows the user wherever they go is permitted. This ruling is primarily about Verizon sharing the targeting information: Verizon is still permitted a persistent attack on their users, but they are now only permitted to sell customer data on an opt-in basis. Ad-networks will have to do their own tracking themselves for everyone else.

Hopefully Verizon's profits from this schtick are shorn from this shift, to a degree where they give up this disgraceful corporate panopticon they've been going to the bank on.


I'm not interested in defending Verizon here, but your math is wrong. Comparing fines (or taxes, the other popular variation of this error) to revenue is meaningless. You need to compare them to profit. The amount of money that they handled but didn't benefit from is irrelevant.

Verizon's profits for 2015 were $4.22bn. That makes it a 0.03% fine.

But that's still not close enough, because this infraction was in "Verizon Wireless", not the entire company. So to really get a sense of its relevance, you need to figure out what the profit of that arm of the business was.

I can't find that number anywhere. Anybody got a hint?


You must also play out the game theory in time, not just an instant. Whatever the fine may be today, should they be caught doing this again, the fine will be (or so the theory goes) much larger. The fine is not just about the negative payment, it's also about the fact that if they do it again in the future, they'll pay out more, making doing it again in the future much less attractive, and also doing anything like the thing they just did much less attractive.

I realize it may emotionally feel good to demand larger fines, but I'm not sure it would have all that great an effect above and beyond what it already has. And the HN gestalt would be among the first to complain about what happens to the workers of Verizon if a fine that actually did greatly hurt them was issued, so "much larger fines" could well go to a negative value to the HN gestalt if a full accounting is done.


There was an interesting Economist article [0] a few years back that suggested a better option might be "penalties that offset the benefits of crime" rather than ones that try to arbitrarily 'punish' the offender. You'd see much larger fines, but they wouldn't be so large as to cause additional, unexpected consequences. The tricky part is improving detection rates, which increases the risk of the action even setting aside the question of fine size.

Compared to cartel price-fixing, Verizon's UIDH insertion is actually much easier to detect. In fact, anyone can do so just by looking at their access logs. I think that, more than fine size, will be the primary reason that they won't try this again. That's not to say they won't play other games, however.

Anyhow, if you really want to change a particular behavior, class action suits offer a much more attractive option where they're possible. They don't really benefit the class members financially (they're not supposed to), but they are one hell of a big stick. And historically, a very effective one at that. Even when companies prevail, they tend to take notice and often change the behavior in question.

0. http://www.economist.com/node/21559315


Obviously though you'd need to fine a company enough to cover 1) the damages and 2) the risk-adjusted benefit of cheating and hoping to not be caught and 3) a hefty wallop to encourage compliance.

If you only fine for directly provable damages you encourage cheats who find new hidden areas, and if you don't punish all offenders a certain base amount you encourage those who cheat for indirect gain (hard to quantify at trial) such as market share.

And to actually change behavior, attack the leaders directly. Corporate fines mean nothing! They're usually not even relevant to the directors and officers compensation. Prove conspiracy, force the company to withdraw legal aid, and attack their personal assets.


I love your Utopian view, but frankly I'm just happy the right precedent has been set. I could have easily seen this go the other way.


A good example of an exorbitant fine is MTN's fine in Nigeria. It's really scaring investors away.


The math is right, you just think the calculation should be based on profit not revenue.

That seems silly - it'd be a huge incentive to misstate profits. A "growth" company would claim zero profit - and probably a net loss. (Negative fine?)

Imagine if someone robbed a bank but argued they should only be forced to pay back a little because they spent most of it on the getaway car which was destroyed in the escape attempt, negating most of the profit.

The correct way to do it is to remove all the gross-profits that the company improperly collected - negate all benefits they got and then add a hefty fine on top.

And as for which piece of the business did the crime - imagine if I could blame just my hands for picking the lock, thus claiming my body should only be fined lightly... Obviously the fine should go all the way up the chain, multiplied at every level, because there's an expectation of due diligence and if that's being intentionally ignored it's an affront to the state and the protections granted to legal corporations.

The fine should probably be quintupled at every level because the indiscretion was by a subsidiary and wasn't caught directly or in oversight.


More random thoughts:

1. What about if the benefit/income from the evil is expected to arrive after being caught and fined, rather than before?

2. What if the purpose is actually harm done to a competitor's long-term-growth, to indirectly increase future market-share?


I think it's time we tie criminal/civil fines/fees to income. I'll even accept net.

All I know is when I'm fined, there's a possibility that it might be the last straw. The last straw to homelessness.

When a rich man, or remotely successful corporation, is fined it's just something to talk about.

It seems to violate one of those amendments that people seem to forget about--the 8th? It doesn't matter because nothing will change.


That's not unreasonable in principle, but then it gets more complicated: do you propose to hold the entire company accountable for the actions of a small part of it? If not, then it devolves into the kind of accounting complexity that results in random internet outrage because it's beyond the understanding of most people.

If you do propose to hold the entire company accountable for any action taken in its name, then consider what you are enforcing: this would mean companies would be immediately obliged to disempower their entire staff from making decisions at any level, and require review and approval for all actions, to make sure that nobody ever makes a mistake that could be punitively expensive.

Neither of these is going to turn out to be a simple solution to a complex problem.

Worse, you can't even use a simple rule here, because what do you do about companies that aren't making a profit? Do they effectively have carte blanche to violate the law in order to improve their situation? That's probably not what you want, so you'd end up with some complicated mix of both systems.


That's not unreasonable in principle, but then it gets more complicated: do you propose to hold the entire company accountable for the actions of a small part of it?

Of course.

this would mean companies would be immediately obliged to disempower their entire staff

No.

Their entire staff is already "disempowered" to make decisions that could put the company in legal trouble. Also this is intended, not merely reckless. Do you really believe this was some nobody's idea? Come on!

Please, someone with real legal knowledge, could you explain why this is not like Volkswagen?

I suspect that privacy violations are not quantified or else a "class action" would dry any and all the profits.


There's a big difference between "not authorised" (the current reality) and "disempowered". You are not authorised to send emails that place the company in legal jeopardy. You are disempowered from doing so if every email that you send has to be reviewed by a company officer first. The norm today is that you are trusted to not exceed the limits of your authority.

How about every line of code that you write being reviewed by legal to make sure it was within the bounds of the law?

There's plenty of scope here for a far more defensive position on ensuring compliance. That is what you would expect and desire from any attempt to massively increase the liability of errors, no?


So were you talking about sending emails?

OK then.

I don't know why I thought it was about a deal of hundreds of thousands or maybe millions of dollars affecting customers' privacy :->


What if the deal was over email?

To be serious, I think you're making an arbitrary distinction.


Please check your sarcasm detector, it might be malfunctioning.


In theory it would be great to if the fine was based on the extra profit generated from using the super cookie (compared to using a legal cookie). Next thing to take in to account is the degree/duration of the privacy violation and multiply this number by the number of users who have had their privacy violated.

Deciding this number is beyond my economics skills -- and quite beyond my point -- because I want to say that it is more reasonable to base the fine on the actual violation and not the business as a whole.


I think all fines should have to be handed over to the social security administration. It has two benefits: one, it tends to dissuade law enforcement from going after people just because they have money; two, it encourages law enforcement to toss people in jail. Right now larger corporations agree to pay fines in return for officers of the corporation not going to jail. That should change. Corporations not being able to pay a large bribe in shareholder money would push things in the correct direction.


That's all well and good until that rich person/corporation has applied some creative accounting to create a net loss on the books, thus negating their fine.


Day-fines calculations here in Germany are calculated from monthly income after tax, with some fixed basic-living deductions. I do not think there is anything more you can deduct from it - but it is clearly intended for persons not corporations.

But with the usual limitation of a maximum of 360 days and the min/max limits being 5/30'000 EUR the absolute amount of a maximum 360-day fine can vary between EUR 1'800 and EUR 10'800'000.

Such systems can be made, they can work and I think they can be made loophole free.


Verizon's net income for fiscal 2015 was $17.8 billion -

http://finance.yahoo.com/q/is?s=VZ&annual

The best numbers I can locate indicate Verizon Wireless is generating well over $20 billion per year in operating income.

Out of their nearly $18b in net income the last four quarters, wireless would pretty much have to be 75%-90% of that. The numbers before the Vodafone / VZ Wireless sale, indicated the wireless division was a huge share of their income.


Hey kid, I'm not interested in whose take is right, but your accusation that I'm wrong is wrong. It's arbitrary, and either pick is just someone's pick; there's no certain way to decide what to track against. Picking revenue or profits is meaningless, either is valid.

I would say, in my defense: if a company is in the red, would a violation mean they get a negative penalty? So is there a linear fee = rate * profit + base penalty, or is it not a linear fee structure you are supposing?

I don't see why a violation would be tied to performance, frankly, but I also would not try and argue that you are "wrong" either, it's just not how I would figure it. I'd also tend towards thinking the choice of a 0.0010% revenue fee, if we want to be accurate about it, rather indicates that it was indeed picked against revenue, rather than merely coincidence, but again I wouldn't claim to be right or that people who wanted to figure it differently were wrong.


> 131b revenue in 2015. So, at 1.3m, a 0.001% fine, aka half a minute of revenue.

Came here to say exactly this — except that it's even worse than your numbers suggest: some form of the UIDH has been in play since at least 2012. If you amortize the fine across the lifetime of the program, a mere $1.3m is an obscenely paltry penalty.

These "fines" will never deter bad behavior until they have some teeth. When VZW takes in more in the time it takes for me to let a call go to voicemail than they were fined for this crap, I think the take-away has to be that the regulatory bodies are pretty much, "That's nice, son. You run along and play now" over it.


A more appropriate fine would be the loss of some of their public spectrum licenses.


I wonder why this isn't already on the table. Are monetary fines the only option for punishing/deterring this kind of abuse?


Can someone explain why the courts do these type of minimal fines? Having a cup of coffee on the Bart could land me a $250 fine, which is 2x as much proportional of my personal yearly revenue. This seems more harmful than a cup of coffee.


TIL that having a cup of coffee on the BART can lead to a $250 fine.

Now I know why everyone was staring at me when I was on my way in from the airport...


Unless you are making 12.5 million a year, I think you converted wrong. It's likely 20 or 200 times more the proportional amount of your yearly revenue.


Ah yea, I math'd wrong ;)

You made my point even stronger.


Because fines are assessed based on the harm done not the ability of the person/organization to pay.


So you're saying a cup of coffee is much more harmful proportionally than invading the privacy of millions?

Let's say it was only 1 million, so not even $1.50 each. Cup of coffee for same one person, nearly 200x more.


As I said, fines aren't assessed as a proportion of the paying party's income. That's just not something taken into account in the vast majority of instances.

I'm not making a value judgement on whether that's good or not. I'm just making a factual statement about the way the US justice system works.


I didn't imply anything about the paying party's income, I stated the impact of the crime. The fine should be proportional to the number affected and to what extreme, not the income of the culprit.


Citation requested.


Is there any reason Verizon wouldn't start up an ad department? They have a nice advantage with the internal opt out...


Verizon now owns Converto (http://www.adweek.com/news/technology/6-major-pieces-verizon...)...

Supercookies makes this a big deal.


They don't need to start up an ad department: they have AOL.


Attention, attention please: parent here again. Thank you all for the upvotes. I was, however, wrong! Thank heavens! I got in touch with the media contact, and he reports that the wording indeed means Verizon is no longer allowed to UIDH 3rd party sites.

I'm very glad to be wrong here. :) Thank you all for your support, and I'm sorry to have spread misinformation so far; it was not my intent!


> 131b revenue in 2015. So, at 1.3m, a 0.001% fine, aka half a minute of revenue.

It's interesting to look at it in political terms. A modern presidential campaign costs about a billion, i.e. less than one day per election. That's $7.50 for each voter in the last election, or likely more than $750 for each "undecided" voter in a competitive state.

And then you learn that lesser politicians provide as much as 40x returns...

    http://abcnews.go.com/Politics/story?id=1667009


I'm not sure if their Rewards program is part of their ad department or not but part of their reward program is that you have to consent to being tracked.


It's tiny compared to the $450 million that Apple will be paying. But then, how would one calculate damages for what Verizon did?


Alternatively, just refund every consumer who paid to have their privacy violated. Nobody should pay to be on the receiving end of a tort.

That number would be way higher than 1.3m.


Punitive damages comes to mind.


Right. Deterrence. Set an example. All that :)


$1.3M is less than you'd pay Adobe for hosting innocuous site analytics on a high-volume site for a year.


VerizonWireless does all sorts of ahem questionable things to the network traffic passing through it, particularly unencrypted traffic like plain HTTP. If you're concerned about image quality, one of their more insidious but unnoticed intrusions is their on-the-fly recompression and/or resizing of images.

Always using a VPN (or SSH tunnel) solves most of the problems.

  $ ssh me@example.com -4ND 127.0.0.1:1080
But you'll need to make sure ppp(8) ignores the HDLC errors they inject into long-standing sessions. It will work if your settings and chat script are correct.

Lastly, check your contract; you might be one of the lucky ones who have the clause stating VPN traffic is not counted towards your bandwidth cap and/or rate limit.


T-Mobile got called out pretty hard when it was discovered they were downscaling videos [0] under the guise of their "Binge On" program. But hidden tracking cookies are far more disturbing than (noticeably) downscaled images/videos. Ultimately, the people are the consumers of images/videos. Who knows who the consumers of that tracking data might be... Obviously advertisers, but who else? The NSA?

[0] https://www.eff.org/deeplinks/2016/01/eff-confirms-t-mobiles...


That's a very different situation: they didn't downscale anything — the service used traffic shaping which caused most services to fall down to lower bitrates but they weren't altering content, which is why it still applied to HTTPS – and that wasn't a “discovery” as much as “reading the announcement”. Emails and SMS were sent to all of their customers first, and those messages included the opt-out link.

In contrast, the super-cookies were only discovered by people noticing unexpected headers in the requests their servers were receiving. There was no pre-announcement and it took publicity to get opt-out instructions.


That link says they reduced the download speed, but the actual files remained unchanged.


I think they were relying on video services being able to detect available bandwidth and alter the stream to fit. Netflix does this, for example. If you have a narrow connection, you're probably going to get 240p video.

If the streaming service doesn't do this, you just get a terrible experience (buffering... buffering... buffering...).


That's why streaming on bad (narrow, high latency and/or jitter) connections is a bad idea, no? Download in the background, then view, makes much more sense.


I don't think there's one right answer for that.

Buffering is a terrible experience everywhere.

On my desktop, I'd rather wait to get the best quality video that I can get. On mobile though, I probably prefer for video to start NOW at a lower bitrate if need be. It will save bandwidth, and battery, and time and the quality is probably good enough.


I'm not a mobile user, so this is probably unworkable.

But anyway, why not download to desktop, and then transfer to mobile device? Destroys spontaneity, I know.


> Destroys spontaneity

It's exactly that. I'm sitting in a waiting room or the departure gate at the airport flipping through Twitter or Instagram and a click on a video. I don't need that 6 second video to play in 4K. That it runs instantly is the most important quality, IMHO.


my tmo network service is often a crude joke. 10gb/mo of basically trash service. at least i get 4 bars!


I switched about 6 months ago and haven't had any problems at all. Anecdotes!


Are you in an area where T-Mobile offers band 12 LTE, and does your device's radio support it?

http://www.spectrumgateway.com/t-mobile-700a-spectrum

Band 12 is rolling out pretty quickly and is spectrum that allegedly helps with a lot of issues caused by buildings / dense urban environments / long range / etc. I can't confirm personally since I don't own a device that supports LTE band 12 (purchased before TMo bought this spectrum....) but reports seem to be very positive.


Anecdotally, my TMO LTE service is better than my coworkers ATT or VZ in quite a few places.


That's pretty bad if you're trying to use your phone for image editing or something.


I wonder what would happen if you repeatedly downloaded and uploaded an image to imgur or something. Maybe something like this? http://gizmodo.com/5555359/the-weirdness-of-a-youtube-video-...


I'm confused. How did you go from an SSH SOCKS proxy to ppp?


I left out plenty of details, so sorry if the transition wasn't clear and seamless.

VerizonWireless, whether via a "smart" phone or a dongle (i.e. 3G EVDO or 4G LTE via USB usually, or PCMCIA historically) operates as a plain old modem connected to a serial port. To connect with a UNIX system, you need ppp, either in kernel or in userland. You also need a "chat script" which is the AT Commands needed to set up the connection.

Once the connection is up, create a SOCKS proxy bound to localhost with ssh(1) by using the '-D host:port' flag. You could use another type of secured connection like OpenVPN or IPSec tunnels, but ssh(1) is by far the easiest.

The one thing I've never figured out is the exact AT Commands necessary to update the PRL (Preferred Roaming List), but that only needs to be done every few years if you don't move around the globe too much. The cell tower leases are usually 20 to 30 years, so they stick around for a long time. Unfortunately, if your PRL gets too far out of date, VerizonWireless can prevent connections, so occasionally you need the verizon software to update it.


To update the PRL you just need to dial 22898, that's all the VZW software does (228 is interactive and requires you actually answer a voice prompt, while *22898 forcibly pushes a new PRL to your device).


If you edit to replace your asterisks with [STAR], your post will make more sense. To the best of my knowledge the only reliable way to get an asterisk to display in an HN post is to use only one. (Maybe sometimes stick it in the middle of the word.) Backslash does nothing useful.


Too late to edit it now, didn't realize HN even did any formatting (don't think I've ever used it at least). But yes, [STAR]2289.


Thanks a ton for the PRL tip. I'll try it out. As for formatting on HN, the link below covers the details.

https://news.ycombinator.com/formatdoc

You can write a single asterisk in "code" format with two leading spaces on a line.

  *22898
That should work.


It's not pretty, but just put a space after the stars:

* * *.


This is a big victory:

> 16. Termination of Investigation. In express reliance on the covenants and representations in this Consent Decree and to avoid further expenditure of public resources, the Bureau agrees to terminate the Investigation. In consideration for the termination of the Investigation, Verizon Wireless agrees to the terms, conditions, and procedures contained herein.

Verizon has agreed to pay $1.35M and will likely notify the FTC by mail if it makes a change. It has agreed to abide by the law. If you put this in perspective, this is way more than a slap on the wrist. If we assume a gb costs ~$10 and an average user uses ~6gb then:

($1,350,000 fine / $10/gb) / (6gb/user * 12months) = 1875

This is almost very nearly 1900 people! A huge number. Obviously this is back of a napkin, and the actual size of headers is pretty negligible so there isn't any sense in backing that out of the calculation, because the users already paid for the bandwidth.

Plus, verizon is literally the only company out of hundreds of providers doing this. Surely between the weight of this fine and the competition the company will go bankrupt soon.

Big win! Say what you want about the FTC but they closed down the investigation saving an untold number to the US taxpayer, Verizon is forced to break the bank, and the response time was rapid, 4 years open and shut.

The FTC has been super sharp on policing the industry; by allowing the Government to subsidize huge swathes of infrastructure costs and selling a finite amount of bandwidth, they have been able to keep companies on their toes, not allowing any one company to own telephone, wireless, and internet capabilities.

I hope they can keep this up because Verizon is the only bad actor in the entire space, so it is pretty much all taken care of now.


There is a thing in the world called "petty injustice". It's when you get screwed a little bit. Entities like Verizon make a great deal of money on aggregate petty injustice. There is no legal recourse: things like this FTC investigation are (as you intimate) like the buzzing of a fly. A minor cost center (mostly legal fees). And even those minor bites are used to attack regulation as "bad for business". Class-action lawsuits are forbidden by virtually all contracts. The only real recourse is to switch carriers; however even that is not real because they all play by the same rules.

Computers are really the thing that make aggregate petty injustice a workable business model, because doing any computation millions of times with humans would cost far too much. This is one reason why dealing with the problem is actually a hacker/programmer moral imperative.

The last piece of the puzzle is why the FTC, SEC, etc. are so ineffective. These are the police of big business. Why are the police of individuals so harsh and powerful, but the police of business so weak and ineffective? I think it has to do with the politics of ignorance. There is no political pressure on the FTC to do its job; it's too far removed from any elected official. No-one is going to pick the next president based on who they appoint as FTC chairman. One of the reasons is that the country is divided on regulation itself, which means that a large fraction of people, even the victims of petty injustice, would prefer that Verizon simply get away with it. These are the same people who would interpret a harsher penalty as an "anti-business" Obama/Democrat move, instead of simple enforcement of the law.

It's the 21st century and I think it's time that we enumerated some new rights in the face of unprecedented assaults on our freedoms. There needs to be the equivalent of a "fiduciary responsibility" for communications companies. People should not be allowed to give away their legal rights (the right to file class-action lawsuits). The justice system needs to be reformed, with technology and simplifying policies, to make it much faster and much much cheaper. (Not quite related to this case, but our personal devices that represent a very real extension of our minds should be absolutely protected from intrusion.)


> There is a thing in the world called "petty injustice". It's when you get screwed a little bit. Entities like Verizon make a great deal of money on aggregate petty injustice.

That's a very succinct and clear way of putting it. I wonder if there is an essay or other origin for the particular term you are using?


"Wartime: Understanding and Behavior in the Second World War" (1989) links "petty injustice" to "chickenshit behavior" - "the petty harassment of the weak by the strong; open scrimmage for power and authority and prestige; sadism thinly disguised as necessary discipline; a constant 'paying off of old scores'; and insistence on the letter rather than the spirit of ordinances."


Thanks! It's my own invention.


>The only real recourse is to switch carriers; however even that is not real because they all play by the same rules.

The only recourse available within the given legal system. It is the legal system which limits our recourse against aggregated petty injustice, and so if people cared enough, the system could be changed or bypassed. The bigger problem is people just don't care about the many small problems... they really don't care about most big problems either. Some days I look at the apathy and wonder if I should just sign up alongside the likes of Verizon and try to profit off the apathy.


I am encouraging everyone to vote throughout 2016. For approximately $605.7142 per person we could buy verizon, and likely gain a controlling interest with limited participation. Voting is a super important part of being American, or of being in a country that allows citizens to exercise this right; there is really only 1 day out of every 4 years I don't vote.


Also uncompensated are the owners of servers that had to spend a little bit more bandwidth on the billions of HTTP requests that got this header tacked on. For someone that has lots of small requests from mobile devices, say for HTTP server push, this is not a small number. When I first went looking for these on my servers, they were in 10% of requests.
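Two posters above note that the injected header is easy to spot from the server side, and that one of them found it in about a tenth of their requests. The script below is an added example (not code from the thread) of that check run over access logs. It assumes the server was configured to log the value of the injected request header as one extra quoted field after the user agent, and it uses the header name X-UIDH, which is the name the Verizon program used on the wire (the thread only says "UIDH"); the log lines and identifier values are constructed for the example.

```python
"""Scan web-server access logs for carrier-injected UIDH tracking headers.

Added example. Assumed log layout (combined format plus one trailing field
holding the request's X-UIDH header value, empty when absent):
  ip ident user [time] "request" status bytes "referer" "user-agent" "uidh"
"""
import re
from collections import defaultdict

# Constructed sample log. IDs and addresses are invented; note that
# CONSTRUCTED-ID-0001 shows up from two different client addresses, which
# is exactly what makes the header a "supercookie": it survives IP changes.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 5.1)" "CONSTRUCTED-ID-0001"
203.0.113.7 - - [07/Mar/2016:10:01:03 +0000] "GET /style.css HTTP/1.1" 200 128 "http://example.test/index.html" "Mozilla/5.0 (Linux; Android 5.1)" "CONSTRUCTED-ID-0001"
203.0.113.8 - - [07/Mar/2016:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 5.1)" "CONSTRUCTED-ID-0001"
198.51.100.9 - - [07/Mar/2016:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)" ""
192.0.2.33 - - [07/Mar/2016:10:03:44 +0000] "POST /api/push HTTP/1.1" 204 0 "-" "okhttp/3.0" "CONSTRUCTED-ID-0002"
198.51.100.10 - - [07/Mar/2016:10:04:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh)" ""
198.51.100.11 - - [07/Mar/2016:10:05:21 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux)" ""
garbage that is not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<uidh>[^"]*)"$'
)


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(log_text: str) -> dict:
    """Count tagged requests and group them by identifier and client address."""
    parsed = unparsed = tagged = 0
    ids = defaultdict(lambda: {"requests": 0, "client_ips": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count so a bad format is noticed
            continue
        parsed += 1
        if rec["uidh"]:            # empty string means no header was present
            tagged += 1
            ids[rec["uidh"]]["requests"] += 1
            ids[rec["uidh"]]["client_ips"].add(rec["ip"])
    return {
        "parsed": parsed,
        "unparsed": unparsed,
        "tagged": tagged,
        "tagged_fraction": tagged / parsed if parsed else 0.0,
        "ids": {k: {"requests": v["requests"], "client_ips": sorted(v["client_ips"])}
                for k, v in ids.items()},
    }


def roaming_ids(summary: dict) -> list:
    """Identifiers seen from more than one client address, i.e. ones that
    followed a subscriber across an IP change."""
    return sorted(k for k, v in summary["ids"].items() if len(v["client_ips"]) > 1)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['tagged']}/{s['parsed']} parsed requests carried a UIDH "
          f"({s['tagged_fraction']:.0%}); {s['unparsed']} line(s) unparsed")
    for ident, info in sorted(s["ids"].items()):
        print(f"  {ident}: {info['requests']} request(s) from {', '.join(info['client_ips'])}")
    print("identifiers seen across multiple client addresses:", roaming_ids(s))
```

Point it at a real log by reading the file into `summarize`; the only site-specific part is the `LOG_RE` pattern, which has to match whatever custom log format records the header.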


Cloudflare should offer an app to inject a warning about these.


Can I pre-evoke Poe's Law?


Verizon took a pretty big gamble in 2015[0] and bought spectrum covering more than half of America. So even though taxpayers pay for a lot of the infrastructure so they can be a common carrier and deliver services without manipulation, it was pretty risky to assume most of the populated regions in America will use cellphones in 2016.

Since they broke that agreement, they had to pay. 10b is a big risk to take, and 1.3M is likely to panic the market. So while I am happy to see them go bankrupt, I could only imagine the chaos that would ensue if taxpayers had to try and resell that to someone.

If you asked those 190 million people whether they would rather have $60 to sell the bandwidth or have the country pay to build them an entire wireless network, legislate on their behalf, and limit most of their future profits tax burden, while allowing them to make a profit, and then inject and sell adverts, no brainer, $60 up front.

They are just a Unicorn company anyway, let's see if selling a core service you got for free into an impenetrable market is a good business. Can't wait to see these guys on http://ourincrediblejourney.tumblr.com

[0] http://www.fiercewireless.com/story/verizon-aws-3-we-have-le...


If you've even asked the question, the answer is no. b^)

We must leave some space for wit and ambiguity in our discourse.


It took about 10 days for the opt out to work for me.

"Overall, Verizon reported a profit of $4.22 billion" reported by forbes for the 2015 operating year. That is profit, not revenue.

So, 1,300,000 / 4,220,000,000 = .000308 ouch..


I just found opt-out instructions[1]. How did you validate that the opt-out worked?

[1] http://www.clarkhoward.com/how-opt-out-verizons-super-cookie...
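One way to answer the "how did you validate that the opt-out worked" question: host a tiny plain-HTTP page and load it from the phone over the mobile network; the page reports whether the request arrived carrying the identifier. This is an added example, not code from the thread or from Verizon, and it assumes the header name X-UIDH (the name the program used on the wire, which the thread only calls "UIDH") and a port of your choosing.

```python
"""Self-check endpoint: tells the visitor whether a carrier added a UIDH-style
tracking header to this request. Added example; header name is an assumption."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names compared case-insensitively; X-UIDH is the assumed name.
TRACKING_HEADERS = {"x-uidh"}


def classify_request(headers) -> dict:
    """headers: anything with .items() yielding (name, value) pairs, e.g. a
    plain dict or http.server's self.headers. Returns whether an identifier
    was injected and which header(s) carried it."""
    found = {}
    for name, value in headers.items():
        if name.lower() in TRACKING_HEADERS and value:
            found[name] = value
    return {"tracked": bool(found), "headers": found}


def render_report(result: dict) -> str:
    """Plain-text explanation for the person looking at their phone."""
    if result["tracked"]:
        lines = ["TRACKING HEADER PRESENT: the network added an identifier to this request."]
        lines += [f"  {name}: {value}" for name, value in result["headers"].items()]
        lines.append("If you submitted an opt-out, it has not taken effect for this line yet.")
    else:
        lines = ["No tracking header seen on this request."]
    lines.append("This check only means something when the page was fetched over plain http://"
                 " on the mobile network itself: over HTTPS, Wi-Fi or a VPN the carrier"
                 " cannot add the header, so its absence proves nothing.")
    return "\n".join(lines) + "\n"


class ReportHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = render_report(classify_request(self.headers)).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Cache-Control", "no-store")   # never cache an identifier
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        """Silence the default access log so visitors' identifiers are not
        written to the console of whoever hosts the check page."""


def serve(port: int = 8080):
    HTTPServer(("0.0.0.0", port), ReportHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on a host reachable from the internet and visit `http://<host>:8080/` from the phone with Wi-Fi off; a request carrying the header is reported as tracked, and the note at the end reminds the visitor why an HTTPS or Wi-Fi fetch would show nothing either way.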


Verizon was fined for not disclosing supercookie injection. They can still do it, but have to allow for opt-out.

Amusingly, they don't do it for "government or enterprise" accounts.


I'd like to benefit from collective bargaining with mobile carriers, too.


Here is a discussion from a year or two ago that explains the header: https://news.ycombinator.com/item?id=8500131


The punishment should fit the crime. If penalties were tied to some sort of assessment of economic gains from the violations, it might start to make companies weigh their actions a bit more...


$1.3m? They won't even notice.


They probably paid their lobbyists more to fight against the FCC over this.


A lot of threads here are focused on the minuscule fine, but the larger impact is that this is another case study that can be used in the next net neutrality debate. Verizon is giving evidence to the argument that they can't be trusted with network communications, evidence that will surely come back to bite them in the future.


Even more reason to use HTTPS for everything... We can't even trust the providers we do pay not to sell data on us.


$1.3M is less than their lawyer fees.


And there is now going to be yet another misc 8 cent charge on my bill. Where is my 50 cent rebate for going paperless and saving them the stamp?


To be fair, most of the surcharges on your bill are government taxes of various kinds.


0.001%.

Is there any reason why Verizon would even bother to comply??

Just wait and see what happens if you get another suit that penalizes you 0.01%, then comply.

I'm being sarcastic of course.


ELI5: what is/was the super cookie? What is/was the purpose, and how does/did it work?


When you made a request for a web page on their network, Verizon would silently add a header to your request with an ID tied to your data plan contract. The point was to enable them to sell analytics services that tracked users from their network across the sites of their clients.
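The mechanism this comment describes, together with the question earlier in the thread about how to validate that the opt-out worked, as an added example that is not code from the thread: a small Python script that parses a raw HTTP request, reports or strips a carrier-injected identifier header, and serves a plain-HTTP page a subscriber can load to see whether the header is still being added to their traffic. It assumes the header name X-UIDH, which is the one Verizon Wireless used; the sample request and its UIDH value are constructed placeholders.

```python
"""Detect and strip a carrier-injected tracking header (Verizon's X-UIDH).
Added example, not code from the thread; the sample request below is
constructed and its UIDH value is a made-up placeholder."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names that carry a subscriber identifier added by the carrier's
# network, not by the user's browser. X-UIDH is Verizon Wireless's name.
TRACKING_HEADERS = {"x-uidh"}

# Constructed sample: a plaintext request as a site would see it after injection.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                  b"X-UIDH: PLACEHOLDER_UIDH_VALUE\r\nAccept: */*\r\n\r\n")


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs, names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" in line:                      # ignore malformed header lines
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_injected(raw: bytes) -> dict[str, str]:
    """Return any tracking headers present in the request (empty dict if none)."""
    return {n: v for n, v in parse_headers(raw) if n in TRACKING_HEADERS}


def strip_injected(raw: bytes) -> bytes:
    """Rebuild the request without tracking headers, as a reverse proxy would do
    so that application code and analytics never see the carrier identifier."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    drop = {h.encode() for h in TRACKING_HEADERS}
    kept = [lines[0]] + [l for l in lines[1:]
                         if l.split(b":", 1)[0].strip().lower() not in drop]
    return b"\r\n".join(kept) + sep + body


class SniffHandler(BaseHTTPRequestHandler):
    """Opt-out check: injection only happens on unencrypted traffic, so serve
    this over plain HTTP and load it from the phone on the carrier's network."""
    def do_GET(self):
        found = {n: v for n, v in self.headers.items() if n.lower() in TRACKING_HEADERS}
        msg = f"Tracking header present: {found}\n" if found else "No tracking header seen.\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(msg.encode())


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SniffHandler).serve_forever()
```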


So even if the service isn't free, you're still the product.


If they can sell you and get paid by you for the privilege, why wouldn't they? Capitalism, as a good and effective market philosophy, is built on all parties being aware of all aspects of the transaction and ideally of all transactions... a perfect market. If such a thing doesn't exist, which it does not, then it's selective fuckery. However, it tends to exhibit less fuckery than most other systems... except when it doesn't.


Sounds like "If you're not paying for the product, you are the product." needs to be updated to just "you are the product".


Well, it's more like, "You may be the product even if you're paying. Who knows, because nobody will tell you, because they're not required to tell you." But yeah, 'you are the product' is probably the most accurate.


We've learned that with Cable TV/Hulu


It's a cookie that applies across all browsers and devices, and you cannot remove it. There is no way to opt out of this tracking.

Analytics and ad operators, social media firms, and other data exchanges can identify you using this, and they can use this information for tracking what you say and do online.

Verizon has been in business with these companies to sell your identity to them -- Verizon is effectively including your name, address, Facebook account, and email address with every HTTP request you make. Again, this applies across all browsers and devices, and you cannot opt out.


ELI5...

In some sense it's a bug in client software, that allows information to be stored for eventual inclusion in future requests (i.e., like a regular browser cookie), but outside the ability of the user to monitor or delete (unlike a regular cookie). For some time people mostly blamed this on Flash, but there are probably other ways for old and/or strangely-configured clients to screw up like this.


With such a dent in their profits I'm sure Verizon will learn their lesson.


Despite all the outrage against Verizon, a small part of me feels sorry for them. Having consulted with large corporations in the past, I know that most (all) of them don't generally have expertise in this kind of thing, and usually outsource it to a variety of digital agencies. My guess is that they will be having a very hard conversation with one or more of their vendors.


I cannot believe such a huge company did not consult lawyers and that the guy who was forced to write the code didn't speak to their managers about potential implications (whether it went up the chain is another matter).

Besides that, ignorantia iuris nocet. Governments don't have problems with fining individuals unaware of arcane and complex laws. Why would we feel sorry for unscrupulous corporations?


Agreed on all points, however -

the guy who was forced to write the code didn't speak to their managers about potential implications

That isn't really the way things work in an agency/Fortune 500 relationship. What really happens is something like:

-> the development manager attempts to translate the implications of said software to an account manager who is directly responsible for client communication
-> the account manager has little idea of what the development manager is talking about, which does not stop them from attempting to translate in turn to the client's marketing team
-> the one tech representative from the client company listens to the translation in abject horror, knowing that any questions they ask will never be adequately answered
-> everyone goes out for drinks on the agency's tab

This isn't a raging critique of the process, it's just what normally happens.

That said, Verizon got fined for a good reason.


