Facebook to ask everyone to accept being tracked so they can keep using it (independent.co.uk)
253 points by phrygian on April 18, 2018 | 156 comments



The screens will not give Facebook users the option to hit "decline." Instead, they will guide users to either "accept and continue" or "manage data setting."

Also known as "Hobson's Choice": a free choice in which only one thing is offered.

https://en.wikipedia.org/wiki/Hobson%27s_choice

Naturally the vast majority will just click through and accept the defaults.

But what if a small number does not? Could Facebook see 6% or 4% or 2% attrition because of this?

2% attrition of 2.2 billion users is like the entire population of California and Oregon.

This many people leaving the network makes it a little less connected and a little less valuable for the 98% who remain.

That's a lot of people wandering about, discovering new alternatives to connect with their friends and family.

Facebook will be with us for a long time, but reducing their influence would be a big net positive.


I think they're already losing their influence. As people mentioned already, many people have their accounts but simply don't use them anymore. I only use it for keeping in touch with some friends via Messenger these days, and where possible I try to just use WhatsApp/Telegram for that anyway. Some of the most active people I see on my news feed are actually my relatives in their 40s-50s+ or early teens. I guess these people are just discovering the world of social media, whereas the people that have grown up with Facebook don't see the use in it anymore.

Even outside of me and my friends, I mostly just hear of people using it to connect directly with people, like joining some Facebook groups for specific discussions.


But this is not the point. Once you have an account, you create a bucket, a magnet, and an entry in their database.

You exist.

They don't need you to participate. They need your email or your phone number that can link you to the rest of the matrix. With a mobile app, they get your phone number automatically.

Everything else you post is icing on the cake. They don't need your relationship status. They don't need your address. Maybe your phone number will link to one, but they don't need it to be accurate.

Now you're part of the data pool. You're one more audience member. You're fueling facebook and their profits.

You're being sold.

Not only that, non-participation grants a false sense of security. As does the data they ask for; as if the data you post is all that they know or that is being shared. As do all their privacy settings. As does deleting your account. Facebook might mark you as deleted, but your data has already been used, sold, and transferred to 3rd parties, none of whom are inclined to delete your data.

If the data hasn't changed, and you haven't changed, then deleting yourself from facebook doesn't change anything.


Except Facebook itself is a major ad delivery vector. Not actually going on FB means fewer ad impressions.


I don't know if Facebook's influence hasn't been reduced already, and how many users it actually has.

I still have an account for instance, but I log in only once/mo. and keep it solely for the API keys.

My friends seem to be a little less active than 10 years ago, as well.


Seems less active is not the same as not active.

In the height of Facebook's data scandal, daily deletions, people who deleted their accounts and quit Facebook, were at about 4000-5000 users a day.

It has now returned to normal levels, of about 1000 a day.

Facebook has 1.86 billion users. Look upon these numbers, and despair.


Don't relate your experience to everyone else's. My friends are more active than ever on FB today for instance.

Also, FB revenue and users are increasing - which indicates they are not seeing any downturn like what you are talking about here.


More active? Really?

The number of Facebook user accounts never goes down, with new bots getting accounts constantly, but people actively logging in and sharing, posting or caring is down.


Yes - more active.

You are suffering from confirmation bias at this point. What data, apart from your anecdotal experience, do you have which shows that sharing and caring about FB posts is down?


You seem great at diagnosing why what we're saying doesn't make sense, but you don't have anything to back whatever your point is.

Since we don't have access to Facebook logs and can't know how many times people sign in and to what percentage are bots wandering around the site, we can only talk about our impressions.


They have public data which clearly states that their monthly active users and earnings are trending positively.


What data, apart from your anecdotal data, shows that sharing and caring about FB posts is up?


FB earnings are up and their monthly active users are rising. That suggests that your single anecdotal experience of your friends not using fb is incorrect.

Also, OP was the first one to make the assertion that fb is losing users and thus the onus falls on him to prove vs. me trying to disprove it.

I know it is not the answer you want to hear but FB is doing well in terms of their user growth. Get over it.


I don't have a dog in the fight, I'm just pointing out you are both trying to back up assertions with no direct data. Facebook earnings could easily have increased from ads even with decreased users. And users increasing doesn't really tell me if that's up or down from previous.


> how many users it actually has.

I would assume a large percentage of this number are bots / automated content.



I think a lot of lawyers are poring over provision 42 of GDPR these days:

"(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. [...] For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."

Are people free to leave Facebook?

Me, I need an account with Google for my job. Will they now only be allowed to demand I consent to the parts of the data processing necessary to provide the services I use? Or in other words, since I don't rely on their advertising, does GDPR mandate that opt-in to tracking for ads must be optional?


Rather read this:

GDPR, Article 4: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;


You can delete your account, yes.


I can't delete my account with Google without detriment.


Your employer will agree to their terms on your behalf, and if you are not comfortable with either that process or the terms, you are welcome to terminate your employment. This is no different from companies accepting ToS/EULA from any other technology vendor.

FWIW, Google's commercial terms are not the same as consumer terms ... again, like every other software vendor.


> you are welcome to terminate your employment.

That fails the test:

> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.


My understanding is that the end user is not the subject in a commercial contract. The licensing entity (the business) is the end user and as a result, if they accept the terms, which then apply to all employees, it's irrelevant whether the consumer terms apply to the employees' individual cases or not because they're not the licensee/subject.

Again, this is how things generally work in commercial contracts outside of GDPR (including Safe Harbor and EU/95/46 before it), and I don't see why this would be different.


I suspect "genuine" and "free" are terms of art. Not to mention "detriment". Reading it with common sense in mind may not be productive.


While this is certainly possible, I would have to see a (legal dictionary?) to change my mind.

Any links?


The words are probably defined within the document, not in the legal dictionary.


My adblocker detects approximately 44 trackers on that page, including one from connect.facebook.net.


The article isn't "Independent to ask everyone to accept being tracked".


Bottom of the page says:

> We use cookies to enhance your visit to our site and to bring you advertisements that might interest you. Read our Privacy and Cookie Policies to find out more.


Ironically, the FB opt-in approach from the article is more privacy-forward than the publisher's automatically implied consent...


This is not GDPR compliant, it's just the old EU cookie consent.


No, but how can you trust a source if they are doing the exact same thing? They are a bit hypocritical.


You are confusing the writer of the article with the newspaper management. The writer can very well have a valid point while the newspaper management sees things differently. In fact, the writer may very well make this point because the newspaper management sees differently and yet, the article is published.


The entire text-media industry has been transformed by Facebook and Google into this state. Anything that used to be a newspaper is now a DFP content-farm with all the shitty third-party js they can manage to cram in there. Sites with paid subscriptions seem just as bad on the inside.

The only other business model I’ve seen work is “be owned by a billionaire”.


I totally agree with you. I edited my original comment to hopefully make it a little bit clearer.


As an aside I was on EdX earlier and even they are using connect.facebook.net too. Absolutely disgusting.


Which adblocker do you use? uBlock origin + uMatrix block 46 requests, altogether.


This action directly violates GDPR, the consent is not freely given and as such not valid. A trackwall is not acceptable, that's why "freely given" is written in Article 7.4.

Bottom line, even if you give them consent in such a forced manner, they will pay the fine if they use the data. Not only that, I bet that at this moment there is a lawyer preparing a class action against FB for forcing the consent (And they will win! After 25th of May, FB is breaking EU law). Max Schrems gave FB a hard time before and I bet he is just waiting for a new chance, this is his site https://noyb.eu/ , check it and check how many donations he got. I am stockpiling popcorn as this is going to be fun to watch. I really thought that FB was going to be smarter, probably Zuck got another of his tantrums and made another really stupid business mistake that will cost him a lot.

But, as an FB user, please consider something else: Facebook is trying to downplay your rights, which directly proves that they don't care about you. Do you really want to continue using such a service? Do you really value yourself so low that you are prepared to bend over?


Just to back it up, I had missed this in the news, Max Schrems already tried (with a class action of 25000 FB users), but had no legislation to back it up; with GDPR he got the green light:

https://www.politico.eu/article/facebook-ecj-european-court-...

"Europeans will in future be able to bring US-style class actions for (alleged) privacy violations, instead of having to sue individually and expensively. It’s thanks to a little-known clause of the EU’s GDPR, which comes into force in May."

And maybe for non-EU users, don't complain about GDPR, back it up, you will give your legislators a powerful signal and you might also get the protection of your fundamental human right.


This does not discuss whether nonusers will be asked to opt-in. Curious how GDPR will change tracking people w/out FB accounts.


This does not discuss whether nonusers will be asked to opt-in. Curious how GDPR will change tracking people w/out FB accounts.

IANAL. The only argument I'm aware of that data controllers can make for processing data without consent is if there is a legitimate interest: if the data controller needs to process the data in fulfillment of a contract/service. I wonder how this will play out for non-users. It would seem there's no legitimate interest there.


"In order to provide tagging service to our users, a key platform feature, we are required to maintain and process data about individuals with which Facebook, Inc. does not have a pre-existing business relationship ("Non-Users"). Failure to do so would cause substantive harm to our service, and should therefore be exempted from gathering consent from Non-Users under Article 21, Section 5 of the GDPR."

Something like that, I expect, although I'm not a lawyer either.


Processing without consent doesn't work for multiple parties.

You can't claim that because you need to provide service for someone else you need to process data of non-users.

The users whose data you collect are required to be part of the service or contract to fulfill, unless you have a damn good reason not to, and "we need to provide this service because we go belly up otherwise" won't fly, IMO. A legitimate interest would be stuff like "we will make backups of our data, ensuring that deletion requests are carried out upon restore, to continue providing service in case of disaster" or "we will log your IP temporarily because we need to provide essential network and information security".

[Laid out in https://gdpr-info.eu/recitals/no-40/]


You can already see it on many sites. They're basically just a more forceful version of cookie notifications with language about third party tracking thrown in that force you to say "OK" or tell you to leave. Here's an example:

http://prntscr.com/j67usw

FB, as with all third party trackers, isn't the one actually responsible for notifying you about the use of their pixels etc. on third party sites. The site operator using it is. See https://developers.facebook.com/docs/privacy


this is fundamentally insufficient, though.

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that user's IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent (unless those images are loaded post-hoc, which is just not happening in today's world)

as a result, it's fundamentally impossible to consent before visiting a particular website, because there's no way to know what other domains will be triggered by visiting that website.

the only way i've found to defeat this behavior is by using uBlock Origin's default deny policy which prevents all 3rd party domains from being accessed by default. it's a bit of a usability pain as one often has to add e.g. stack overflow's CDN to use its website "well", but it does prevent an embedded image hosted on a FB domain from being loaded when visiting a website, which defeats the more nefarious FB tracking.

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...


Yeah, but that's easy enough to deal with. You simply don't load any third party stuff (or allow them to see your content) until they click "OK". Some simple javascript is all it takes to delay loading of everything not on the current server.

So basically prior to serving any content, you do an IP check. If they are from a GDPR country, you serve the delay loading script. If they aren't, you just load as normal. Pretty straightforward. I don't think you'd want to do it universally for all users, as you'd be at a competitive disadvantage to other sites. But you can easily enough just do it for EU countries. The other option is to just block them entirely if you have no need for EU traffic. Many sites - US local businesses etc. have no use for EU traffic or the liability that comes with it.

On a side note, with all the walled garden stuff that will be going on due to GDPR, I'll be interested to see how badly the SERPs get fractured, since every site will have a different scheme to require consent and not all of them will have people behind them that are savvy enough to make it not ask Googlebot for affirmative consent. This will put smaller businesses in the EU that don't have the resources to hire someone to deal with these issues at a serious disadvantage if they can no longer be indexed.
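The pre-consent image leak described two comments up and the "delay loading everything not on the current server" approach suggested here, as an added example that is not code from the thread or from any site it mentions: an HTML rewrite that parks every off-origin `src` in `data-consent-src` until the visitor accepts, and returns the third-party hosts so the consent dialog can name each one. The function names, the constructed sample page and the pixel id placeholder are assumptions; it gates every visitor and leaves out the commenter's geo-IP check.

```javascript
// Added example, not code from the thread or from any site mentioned in it.
// Gate third-party <script>/<img>/<iframe> fetches behind consent by rewriting
// the HTML before it reaches a visitor who has not yet clicked "accept": each
// off-origin src is moved to data-consent-src, so the browser issues no request
// (not even for a 1x1 pixel or a like-button image, which would otherwise hand
// the visitor's IP to the third party on page load). Resources on the page's own
// host are untouched. releaseDeferred() is the inverse, run after consent.
// Hypothetical names: classifyResource, deferThirdPartyResources, releaseDeferred.

const TAG_RE = /<(script|img|iframe)\b([^>]*?)\ssrc=(["'])([^"']*)\3([^>]*)>/gi;
const DEFERRED_RE = /<(script|img|iframe)\b([^>]*?)\sdata-consent-src=(["'])([^"']*)\3([^>]*)>/gi;

// Decide whether a src attribute leaves the page's own host.
function classifyResource(src, pageUrl) {
  const page = new URL(pageUrl);
  let resolved;
  try {
    resolved = new URL(src, pageUrl); // relative URLs resolve against the page itself
  } catch {
    // Fail closed: a src we cannot parse is deferred rather than fetched.
    return { thirdParty: true, host: '(unparsable)' };
  }
  if (!/^https?:$/.test(resolved.protocol)) {
    return { thirdParty: false, host: null }; // data:, blob: etc. never touch the network
  }
  return { thirdParty: resolved.host !== page.host, host: resolved.host };
}

// Rewrite the HTML; also return the third-party hosts found, so the consent
// dialog can list each one by name instead of saying "our partners".
function deferThirdPartyResources(html, pageUrl) {
  const hosts = new Set();
  const out = html.replace(TAG_RE, (whole, tag, before, quote, src, after) => {
    const { thirdParty, host } = classifyResource(src, pageUrl);
    if (!thirdParty) return whole;
    hosts.add(host);
    // A <script> whose src is removed would execute any inline fallback body,
    // so mark it text/plain too; placed first so it wins over a duplicate type
    // attribute further along (HTML parsers keep the first occurrence).
    const typeAttr = tag.toLowerCase() === 'script' ? ' type="text/plain"' : '';
    return `<${tag}${typeAttr}${before} data-consent-src=${quote}${src}${quote}${after}>`;
  });
  return { html: out, thirdParties: [...hosts].sort() };
}

// After an explicit accept: restore src and drop the text/plain marker.
function releaseDeferred(html) {
  return html.replace(DEFERRED_RE, (whole, tag, before, quote, src, after) => {
    const strip = (s) => s.replace(/\stype=(["'])text\/plain\1/i, '');
    return `<${tag}${strip(before)} src=${quote}${src}${quote}${strip(after)}>`;
  });
}

// Constructed sample page; PIXEL_ID_PLACEHOLDER stands in for a real pixel id.
const SAMPLE_PAGE_URL = 'https://example.org/article';
const SAMPLE_HTML = [
  '<script src="/js/app.js"></script>',
  '<script src="https://connect.facebook.net/en_US/sdk.js"></script>',
  '<img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView" width="1" height="1">',
  '<img src="img/logo.png" alt="logo">',
].join('\n');

// Usage: gate on the way out, release once the accept button is clicked.
const gated = deferThirdPartyResources(SAMPLE_HTML, SAMPLE_PAGE_URL);
console.log('third parties to name in the dialog:', gated.thirdParties);
console.log(gated.html);
```

The same rewrite can be done client-side over the live DOM (swap the attributes on each element and re-insert the node), but doing it server-side means the deferred requests never reach the wire even for visitors without JavaScript.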


what you've suggested seems OK technically, but i feel like you're making an assumption that originating source of traffic determines citizenship of the user.

it could very well be that an EU citizen in Asia or the US is collected upon given your algorithm. if that's the case, are you not in violation of GDPR?

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

to be fair, i don't have anything else to offer here; it just doesn't seem so easy to me.


but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

I think you're spot on, but that was the danger of implementing heavy-handed legislation like GDPR all along. I believe that EU citizens are going to find themselves locked out of a whole world of content. But that's the world they've chosen to create for themselves. Further, if the overwhelming support that GDPR has on HN is representative of that of the entire EU population, they welcome this newly splintered world and its consequences - both good and bad (though I believe that this support is the product of the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home).


Hmm. I'm not sure about that. If Apple and Google won't pull out of China even though China makes them do all sorts of business stuff they disagree with, I highly doubt they (web companies) would pull out of the entire EU.

It would be absolutely incredible if Facebook et al "took their ball and went home" throwing away 500 million customers.


Google did effectively pull out of China in 2010 [1].

But in the case of the GDPR, it probably helps Google and Facebook more than it hurts them -- they can afford to jump through all of its hoops while smaller competitors might have trouble. It's essentially a barrier to entry.

[1] https://en.wikipedia.org/wiki/Google_China


Of course not, because Apple, Google, Facebook et al have the resources to spend millions on attorneys to implement the GDPR. My comment comes from the perspective of an operator of several small sites that get a total of a few million visitors per month combined. I'm not spending millions on attorneys, and EU traffic is only incidental to my sites anyway, so I am indeed taking my ball and going home.

This will make a difference for some users on some of the forums I run, as they will be banned with an apology and an invitation to come back if they ever move out of the EU. But it's not worth taking on the liability of potentially millions of dollars in fines for accidental non-compliance with a heavy handed, massively complex law that is up for different interpretations in the courts of no less than 28 unique countries. Unless you're in the EU or are a multi-billion dollar company with a large legal department, accepting EU traffic post-GDPR is an act of insanity.


Are you hosted in Europe, and/or do you do business from the EU?

No? Don't bother instituting a stupid ban like that, then. And stop scaremongering.

GDPR applies to businesses.

Besides, compliance isn't too bad for something like a forum. Just purge the relevant user records and posts, if requested to or when a user deletes their account.

Source: I am doing GDPR compliance on web applications for a major telco.


GDPR applies to businesses.

I have a business. And yes, I have spoken to GDPR compliance people, so GDPR has already cost me enough money. Compliance is a murky proposition at best, since this law can be interpreted in different ways in 28 different countries - all of whom will be looking for ways to maximize the fines they collect under it from foreign companies.

Since you are in the GDPR compliance space, surely you know that it applies not just to businesses that are hosted in the EU or do business there. Rather, anyone that knowingly accepts traffic/data from the EU is vulnerable to it.


And that's a good thing. Privacy is a basic human right, and it's about time we got some regulation of this area.


You seem to have complected extensive indiscriminate data collection with simple advertising and the more fundamental point of connecting and serving people.

You can use a combination of advertising and payment to fund services that connect people and facilitate commerce without extensive privacy destroying data collection. This model worked fine previously and it will work fine in the future. If anything hardware and tools are damn near amazing compared to the bygone past.

I struggle to think of any service in the world that is impossible or even challenging to replace. If anyone decides to take their ball and go home they will be replaced by a competitor who will use that extra revenue to improve their positions in other markets to the original fool's detriment.

There is in fact no reason to believe other markets including the US won't ultimately discover the merits of protecting their citizens' privacy, considering that in the US perhaps 171k work in the advertising industry out of 300 million.

How the 0.02% can do an effective job without trampling the rights of the 99.98% is an exercise I leave to them, and if they can't figure it out, then I hope the food stamp program still exists so they won't have to stand outside 7-11 with placards reading "will lie for food".


>"the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home"

And leave millions and millions in profit on the table for everyone else?

That's the same argument used against changing the tax codes so companies would actually have to pay taxes in the countries in which they do business, by closing the loopholes.

They're not going to throw away profitable markets just like that. And if they do, good riddance.


if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that users' IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent

This just leads to a bunch of questions: where an image is loaded from FB by a site, who is the data controller? Surely it's the primary site, not FB? In that case, then is FB a data processor (and subject to more restrictions)? If FB is a controller in its own right then how does FB gather consent in this case?


It doesn't matter if you load an image off fb.

per GDPR, without consent, fb cannot legally use that data (for EU residents).

And you don't need to trust that; fb knows they're going to be spending some quality time in front of their privacy regulator.


You're actually wrong. It is the responsibility of the website to notify the user. Facebook has placed in its policies a rule that says that you cannot use its code/buttons/images on your site without obtaining consent by the user for FB to place cookies there. They have a reasonable expectation that you have complied with this, or the image/whatever would not have been caused to load by your site.

Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.


[flagged]


it's the controller's (in this case FB is def a controller) responsibility to ensure that their use of data has a legal basis

You're correct. They are ensuring it by placing it in their terms for the use of their code/images on other sites. Nowhere in the GDPR does it say that every third party whose content may be placed on a site must themselves obtain consent. What exactly do you envision? That each page you load would have 40 different consent dialogs show up?


How about most sites don't load resources from 40 different sites. Alternatively, how about Facebook asks for the user's consent once to track them all over the web and remembers that user's choice.

On ingress the data could be deleted if it didn't correspond to a user that had given consent.


nope, try again.

FB doesn't get to use the data unless it's consented by the end user.

It is distinctly not GDPR compliant for FB to claim that their TOS requires consent so it's not their problem. Feel free to read the discussion about co-controllers (called joint controllers) and particularly the A29WG guidance.


Again, under your (incorrect) interpretation of the GDPR, what exactly do you envision? That each page you load would have 40 different consent dialogs show up - one for each tracker and external image that is on the page? Some have hundreds.


Yes, this is (finally) correct.

For each external tracker, you will have to consent that use. By name. Per discussions you can find via google, even naming a well-defined class of 3rd party controllers is not enough; they have to be individually named.

This is the impact on adtech. See eg https://pagefair.com/blog/2018/granular-gdpr-consent/ . Or digiday, which is not exactly anti-adtech. https://digiday.com/media/gdpr-will-change-facebook-ad-targe... .

The fact that some page may have hundreds of co-controllers is immaterial, unless you envision "we don't want to" as a defense to the privacy regulators.


I think we'll have to agree to disagree. I expect that EU users won't be spending all their time on the web issuing 50 approvals for each page they load. You may so despise ad-supported services that this is your dream for the world, but unfortunately for your dream (and fortunately for all users that actually want to be able to use the Web), even the heavy-handed GDPR does not mandate this.


I don't know why you think me relating a correct understanding of the GDPR is my endorsement (or not!). This is what the GDPR requires. You've cited no sources for disagreeing with the formulation of the GDPR as pushed by the very privacy orgs who are in charge of it in 6 weeks.


It still doesn't need to be 40 dialogs. It can be one dialog that provides information about all 40 third parties.


True! I don't think I ever claimed otherwise, just that they have to be individually consented. And nothing prevents someone from adding an approve all button, but it cannot be the default.

See even the IAB's (can't wait to hear how they don't support adtech either) consent dialogs http://advertisingconsent.eu/wp-content/uploads/2018/03/Tran...

page 16-18. And note the consent on page 16 is invalid; the GDPR is crystal clear that consent must disclose all co-controllers.


One of the main points of the GDPR is that this sort of treatment is unlikely to be legal any more, to the extent that it ever was. Processing based on consent is now going to require active consent that can't be opted-in by default or hidden away in legal wording no-one ever reads. It's going to be tough to argue that tracking someone who isn't connected to your business/organisation has any of the acceptable bases other than consent. And without some clear basis, processing is going to be prohibited by default.


I wonder how many companies are waiting to see how this will be enforced before making the change. If GDPR is really actively enforced and causes some real pain to companies, then I expect your prediction will be accurate. If it isn't, I expect a lot of sites will do something less than what GDPR says.


I'm curious what about that notification is "hidden away in legal wording" or doesn't "require active consent". You have to agree with it to make that go away.


At least the way my multi-national employer is interpreting it, under GDPR you can't get away with "click here if you agree with our privacy policy". You have to explicitly say everything that is tracked, everything that is stored, how long, and why it is required for use. If it's not required for use, you can't ask for it and you can't store it unless the person explicitly says yes. If they say no, you have to let them use it anyway, without the tracking and without the storing.


> If they say no, you have to let them use it anyway, without the tracking and without the storing.

This is the part I'm most excited about. (Or would be if I lived in the EU.) I'll be very interested to see how that works out. I'd love to see something like that in the US.


I have to wonder whether at some point the EU is going to become so aggressive that the big US tech firms really do start calling their bluff. Stronger legal privacy protections may be long overdue in our modern, online world, but that particular measure is transparently aimed at undermining entire business models that have supported services evidently valuable to literally billions of people around the world, and that may be a bridge too far.

If the likes of Facebook and Google all turned off their services across the EU for a day, and replaced them with a SOPA-blackout-style message explaining that they can't afford to continue providing services without the ad model that pays for them, a lot of people would notice, and the EU probably wouldn't get nearly as easy a ride afterwards. I don't know how much damage would be caused if those same big tech firms cut off EU citizens permanently, but for better or worse, very many people now rely on the likes of Facebook and Google Mail for their everyday lives, and I'm betting the damage would be worse to the EU citizens than it would be to Facebook's and Google's financial statements (assuming the alternative is that they continue to operate but with a heavily damaged business model).


> but that particular measure is transparently aimed at undermining entire business models

Yes, but that's the entire point. That's why this regulation exists. That's why it has so many fans here on HN.

Not sure if there's a qualitatively different way of achieving the same goal with a different method. There probably isn't, so it boils down to a careful balancing act - how to damage those business models without going overboard and having all US companies show EU the finger.


They can still make plenty of money from ads, they just can't track users who don't agree to be tracked.


> If they say no, you have to let them use it anyway, without the tracking and without the storing.

That part of what he said is incorrect. The EU may be able to do a lot of things, but they can't make me give you access to private documents on my server that is not based in the EU if I don't want to. You can simply tell them to go away if they disagree with your terms, or you can block all EU users from the beginning.


You can if you don't have holdings and offices in the EU and don't intend to travel there.

What are you going to do if the US adopts a similar law? Move all your holdings to Mexico?


I'd be fascinated to see what that looks like.


This might not be a great long term strategy, I'm expecting one or two buzzfeed-like websites to be put up against the wall and shot over this. I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

If you're running a website with one of these, I strongly suggest you make sure you record whether people accept and actually boot them off the site if they don't. GDPR article 7 section one requires a website to be able to demonstrate that I have given consent, and recital 32 requires that that consent be specific and unambiguous. It's doubtful that "by continuing to use this site you agree..." statements will be satisfactory, especially if you start the tracking the instant they hit the page, before they can click that ok button.
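The consent handling this comment asks for, as an added example that is not code from the thread: a small JavaScript consent gate that serves every page but sets no tracking until an explicit banner click has been recorded, stores each decision with purpose, timestamp, policy version and source so it can be produced on demand, treats "continued browsing" as no consent, and lets a later decline override an earlier accept. The cookie name, policy version and purpose labels are assumptions.

```javascript
// Added example, not code from the thread or from any site it discusses.
// Cookie name, policy version and purpose labels are assumed values.
const CONSENT_COOKIE = "consent_v1";                  // assumed cookie name
const POLICY_VERSION = "2018-04";                      // assumed policy text version
const PURPOSES = ["analytics", "ad_personalisation"];  // each purpose is opted into separately

// Audit store: one row per decision. In production this is a database table.
class ConsentStore {
  constructor() { this.records = []; }
  add(record) { this.records.push(record); return record; }
  latest(consentId) {
    // The most recent decision wins, so a later decline overrides an earlier accept.
    const mine = this.records.filter((r) => r.consentId === consentId);
    return mine.length ? mine[mine.length - 1] : null;
  }
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Record a decision. Only an explicit UI action counts: "the user kept browsing"
// is not a consent source here and is rejected outright.
function recordConsent(store, { consentId, action, purposes, source, at }) {
  if (source !== "banner_click" && source !== "settings_page") {
    throw new Error(`consent source "${source}" is not an unambiguous act`);
  }
  if (action !== "accept" && action !== "decline") {
    throw new Error(`unknown consent action "${action}"`);
  }
  const granted = action === "accept"
    ? purposes.filter((p) => PURPOSES.includes(p))  // only purposes the banner actually asked about
    : [];
  return store.add({ consentId, action, granted, source, at, policyVersion: POLICY_VERSION });
}

// Decide what a page request may do. The page is always served; only the
// tracking side effects depend on a recorded decision for the current policy.
function handleRequest(req, store) {
  const cookies = parseCookies(req.headers.cookie);
  const record = cookies[CONSENT_COOKIE] ? store.latest(cookies[CONSENT_COOKIE]) : null;
  if (!record || record.policyVersion !== POLICY_VERSION) {
    // First visit, or the policy changed since the decision: no tracking yet, ask again.
    return { status: 200, tracking: [], showBanner: true, setCookies: [] };
  }
  return { status: 200, tracking: record.granted, showBanner: false, setCookies: [] };
}

// Handle the banner's form post. The only cookie set here is the one linking
// this browser to its audit record; tracking cookies follow a later request.
function handleConsentPost(req, store, now = new Date()) {
  const consentId = req.body.consentId; // assumed: a random id minted when the banner rendered
  const record = recordConsent(store, {
    consentId,
    action: req.body.action,
    purposes: req.body.purposes || [],
    source: "banner_click",
    at: now.toISOString(),
  });
  return {
    status: 204,
    setCookies: [`${CONSENT_COOKIE}=${consentId}; Path=/; Secure; HttpOnly; SameSite=Lax`],
    record,
  };
}

// What a regulator would ask for: which purposes were accepted, when, against
// which policy text and through which act. Returns null if nothing is granted.
function demonstrateConsent(store, consentId) {
  const r = store.latest(consentId);
  return r && r.action === "accept" && r.granted.length > 0
    ? { consentId, purposes: r.granted, at: r.at, policyVersion: r.policyVersion, source: r.source }
    : null;
}
```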


I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

I imagine that you simply won't be able to use websites anymore if you are from the EU and don't give consent. You'll just be told to go away.


It's trickier than that for the website owner. EU citizens accessing websites through VPNs are still protected by GDPR.


As are non-EU citizens while in the EU, in some cases, and possibly even non-EU citizens not in the EU while using a service centered on providing them with e.g. travel arrangements in the EU, as a lawyer specializing in GDPR recently told me. Even investigative data journalists are going to have a lot of fun with the consequences of GDPR if she's right.


In that case, you won't have any reason to believe that they are an EU citizen unless and until they indicate otherwise, and there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens. On my sites that don't get a lot of EU traffic anyway, I'm simply blocking EU IPs, and on all registration forms, I've removed EU countries from the country selection for residence, and put a notice that says "You may not register for this website if your country is not listed above".


>there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens.

I read the entire document a few weeks back and recall no such provisions. Could you cite one for me? I'm trying to be as informed on this as possible.

Article 3, "Territorial scope", lays out where GDPR applies, and it contains no derogations for "but I didn't know they were European, honest". It is not, in fact, specifically about European citizens. It covers the processing of data for "natural persons in the Union", which is a bit unclear to me but I interpret it as covering anyone physically located in a country that forms a Supervisory Authority under section 51.

How this will ultimately interact with your websites and/or businesses if you are not based in the EU is unclear at this time.


It's a massive document so I'm not going to go through and find it, but here's an interpretation of what I'm talking about [1]:

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

So if someone is going out of their way to mask the fact that they are from the EU, and you aren't otherwise seeking out EU users, you're not going to get in trouble for that. One issue I have with it though is that translation may trigger GDPR exposure, and since Spain is part of the EU, many sites aimed at Spanish speakers (but not aimed at the EU) may have this beast of a law apply to them. I operate a few sites that have Spanish content, so that is deeply troubling.

[1] https://www.gtlaw.com/en/insights/2018/2/the-gdpr-deadline-l...


Given that there is an entire continent whose people speak mostly Spanish (and with the remaining Portuguese speakers vastly outnumbering the ones in Portugal, too), I don't believe that providing a service in Spanish will go far as evidence that you're targeting EU citizens specifically.


response to: https://news.ycombinator.com/item?id=16870636

This thread is now too deep for me to respond to your comment.

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

This statement seems to have misinterpreted article 27, which states that if your processing is merely occasional, or if you are occasionally a processor for an EU controller, you need not specify a designated representative to the EU.

Read more here: https://gdpr-info.eu/?s=occasional

But the exception you think exists pretty much doesn't. It's got a small exception for occasional sharing of data without consent when it relates to active legal proceedings.

Naturally the EU has no jurisdiction over you if you don't live in the EU and you aren't based in the EU. They may be able to apply pressure on your partners though, be that advertising companies or others. This may flow through to you, in time. We're already seeing Facebook come under pressure to provide US citizens with the same protections that the GDPR provides EU residents.


The experts that I talked to in this space in deciding to close my sites to EU IPs have all said that the GDPR probably doesn't apply to incidental traffic - especially if someone is actively trying to hide the fact that they are in a GDPR area. But nobody can guarantee a single thing, because it's so broadly written and is up for unique interpretations in each of dozens of foreign countries. It meets the very definition of a bad law - too broad and will cause decreased economic opportunity for those that are subjected to it.

FYI you can reply to other posts when the thread is this deep by clicking on the "X minutes ago" thing on the comment you want to reply to.


Ah, neat.

Experts say a lot of things on GDPR, one of the really interesting things about reading it myself is that I've found a lot of them seem to be wrong. I've heard a few people talking about a "social media exception" that doesn't seem to exist, for example.

It's possible that there have been preliminary rulings on GDPR that I'm not aware of, because I'm not a lawyer. So I'm not by any means declaring that your experts are definitely wrong, but I am nigh on certain that their source of information for making such statements is not the GDPR text itself.

I disagree that GDPR is an overly broad law by the way. The GDPR text is actually fairly specific. It encompasses a large domain, but it clearly defines that domain (Article 9 is an example of a large but specific definition, although it is only one of multiple such articles) and tells you clearly what you need to do within that domain to be compliant.

People just /think/ it's overly broad because it impacts a lot of tech companies and none of them have actually read the text. The human brain interprets this as "inspecific", whereas it's actually carefully targeted at a handful of specific things that lots of tech companies are doing (or not doing).


> This thread is now too deep for me to respond to your comment.

It probably wasn't depth that blocked you. It was probably time. There is a short interval after a comment is posted during which the reply link is not available in the thread. (You can still reply without waiting, but you have to figure out how to get a reply button instead of a reply link. The reply button doesn't have the delay).

> This statement seems to have misinterpreted article 27

I believe that statement is summarizing recital 23, not attempting to interpret article 27.


"You'll just be told to go away." I thought that too was disallowed if the data you collect isn't required to provide said service.


That popup contains a false statement though. How does personalizing ads make the site easier to use?


They could argue that keeping you logged in with cookies makes it easier for you to use.


That part is true, the part about ads isn't. Also AFAIK GDPR doesn't let companies glue all possible data processing purposes into one indefinite consent - there should also be a clear message on the timeline of data processing, what data is collected (not just cookies), and informing me that I can withdraw my consent at any time.


The screenshotted example is nothing new, I've seen that specific thing at least 6 months ago. I don't think it has anything to do with GDPR, and as others have already mentioned it is not likely to be legal under it.


I just added the "Facebook Container" extension to my Firefox browser. I am hoping it will prevent most of Facebook's tracking, but I do know that it probably won't block all the tracking.


Won't uBlock [1] solve that by blocking those kinds of scripts from loading?

[1] https://www.ublock.org/


FYI, uBlock (without 'Origin') is not the recommended one. The original is maintained by gorhill and it's available from https://github.com/gorhill/uBlock


I recommend Privacy Badger, sponsored by the EFF, which is supposed to block trackers. I prefer it over Ghostery, which is backed by some company.

uBlock Origin is great for blocking Ads though. If you really need to block scripts, there's NoScript.

I recommend using at least the adblocker and the tracker blocker, even if only to reduce memory usage of the browser and take back a couple of CPU cycles from your computer stolen by pesky ads.


Not to mention that ghostery used to sell your data to advertisers. I think they stopped, but how ironic can it get!?


uBlock Origin + Privacy Badger are my combo of choice. They play nicely together, and are easy enough to deal with that my non-web-savvy father-in-law surfs comfortably with them. Privacy Badger's most glaring weakness is that it takes a new install of the plugin a while to learn that Facebook, fbcdn, etc. are up to no good, but once it catches on, it's great.


Privacy Badger is also based on AdBlock Plus's code, which is a weakness in itself. The entire reason uBlock Origin exists is because of inefficiencies with ABP that the author thought could be avoided.

I just check the privacy list options in uBlock Origin.

https://github.com/gorhill/uBlock/wiki/uBlock-vs.-ABP:-effic...


I've always wondered how well Privacy Badger works if you also have third-party cookies disabled - is there any benefit in that case?


There are other ways that Facebook can track you. uBlock does counter a lot of it, but there is a constant stream of innovations and workarounds by tracking companies to keep a hold on you. I think the financial motivation for them to keep tracking you outweighs the effort uBlock can put into stopping that. The Firefox container is a legitimately novel approach to stopping the problem, though I'm certain it will be attacked as well... I think starting from a stance of distrust gives them a lot more power to combat tracking efforts.


Strange to disparage uBlock Origin while praising Facebook Container, because the latter is weaker than the former.

uBlock Origin with either "Fanboy's Third Party Social" or "Fanboy's Social Blocking List" selected will block all third-party connections to Facebook servers, period. Of course Facebook can still spy on you via other spy companies, but the "EasyPrivacy" list cuts that down a lot too.

On the other hand, Facebook Container still happily connects to Facebook servers from third-party websites, leaking your IP, user agent, the URL of the webpage you're viewing, headers containing fingerprinting information like fonts, etc. Facebook Container does one thing and one thing only: strip off the Facebook cookie. But this is almost worthless from an information theoretic perspective, because Facebook can trivially de-anonymize you through IP/timestamp/header correlation.


> Facebook Container still happily connect to Facebook servers from third-party websites

What? How do you open a non-Facebook website in the Facebook container? When you open external links on Facebook, from the Facebook container, they open in the normal container.


The like button on third party websites sends a request to Facebook servers.


I highly recommend Ghostery.


Yup, likewise.

I noticed their 'opt out for interest-based ads' was through a cookie set by some consortium of creep companies. At the time I remember thinking it's like 'if I don't want you to track and follow me all over the internet then I need to allow you to track me and follow me all over the place so you know who I am... Riiight'. Plus that setting resets if you delete the cookie, so I don't know how that will work with the container. Perhaps somebody who knows more can enlighten me.

Honestly, given that FB is after my healthcare data, my patience has worn quite thin with them. IMHO the creep factor and unintended consequences are way too many.


> given that FB is after my healthcare data

What? Can you provide a link to that? I hadn't heard this before, and find that really disturbing. I'd like to learn more.



Considering that Facebook makes its revenue from ads and that providing relevant ads needs data and tracking, this move is not so bad.

Users that don’t accept the terms or use various tech to block this, would receive misappropriated ads. Bad ads make companies lose revenue while annoying the users with extremely irrelevant info.

This method should be extremely effective in removing false positives.

Personal observation: ads are never going to go away and I personally prefer receiving ads about some local beer brand and not about lipstick or sake in Japan.


Why can't we simply choose relevant ad categories that we would prefer to see? Why do the options need to be (i) see random advertisements that are likely irrelevant, or (ii) allow us to track your every move, including your location, each site you visit with the Facebook widget, your message and call history, and your every click?

Or non-Facebook related, why can't my smart TV just let me choose PC Gaming, Technology, and Concert advertisements as highest priority. I might actually look forward to watching an Oculus or Vive advertisement, instead of putting the TV on mute, or leaving the room when I see another health insurance commercial for someone 60+.


Why can't ads be relevant to the content of the page like they used to be in the good old days?

As an example of stupid targeted ads: I bought a Casper mattress a couple of months ago and pretty much every single ad I've seen since then (on devices where I don't have them blocked) has been for mattresses. How many mattresses does the internet think I need?

If I'm reading about something on the internet it's generally because I'm interested in it. Why not try to sell me something related to that rather than something I already bought!?


I see these all the time too.

1. I bought one of those spinning face brushes for my girlfriend. A few minutes after purchasing online, I started seeing advertisements from that same store, for the same exact brush. Literally 90% of the page views were showing that advertisement.

2. I was browsing Airbnb accommodation for a trip to let's say Mexico. I was checking apartments on and off for weeks. I didn't see any Airbnb advertisements during that time. The minute I book that accommodation, Airbnb starts showing advertisements for rooms in Mexico.

3. I'm browsing barbers in a new city. No advertisements until I book an appointment with one online. Then, I start seeing advertisements for the same barbershop. Now, that has potential, but the advertisements stopped after a week. Why do I need to book a second hair appointment in the same week? Why not recognize I booked a men's haircut, and start showing me ads in a few weeks?

For all the tracking, privacy invasion, and fancy "machine learning", advertising sure is dumb.


Maybe it's optimizing for the wrong thing. Maybe the goal of targeted advertising is to find the people who were about to buy something anyways, shove an ad for it in front of them just in time, and take a cut[1]:

> Our results indicate that more sophisticated targeting algorithms might not gain, and might even harm, the advertiser as those seeing the ad would convert in the absence of advertising.

There are a bunch of ad-tech people on this site; maybe some of them could chime in and share how many more sales they make using total surveillance versus basic keyword-in-page.

[1] https://poseidon01.ssrn.com/delivery.php?ID=7020000840130690...


A little over two years ago, I Googled the name of a local Dodge/RAM dealership (on my iPad, thus no ad blocker) so I could browse their selection online before I ventured over there. That afternoon, I bought a new truck (from that dealership).

For almost A YEAR afterwards, I would constantly see ads about RAM trucks and various dealerships in my area (including the one I Googled and bought the truck from) when browsing the web on my iPad. Not every ad, of course, but certainly often enough that I would notice it a couple times a week and just laugh and shake my head at the dealerships who were just throwing their ad dollars away.


My guess, some people buy a mattress and end up unhappy with it, return it, and buy something else. This is enough people that it's worth showing mattress ads to all recent mattress buyers.


My guess is bad purchase tracking.


Why would a vendor send a signal back to Facebook or an ad company that their competitors should stop spending money on useless ads?


I've wondered this for a long time. As someone who pretty much despises ads, I'd be willing to just tell advertisers what I want to see and turn off adblock rather than have them guess what I want to see (which is usually either something I don't want to buy or something I've already purchased).

If they would just ask me what my interests are and stop allowing shady/malicious ads, I'd probably just turn off adblock.


Because ads are about selling you something you didn't think you wanted.


Then why do I keep getting ads for things I already bought?


Well, for one, because one of the biggest ad vectors is retargeting. The ads aren't split in tiny overly broad categories.

If you pick "videogame", unless they ask you if you like RPGs, which videogame do they advertise to you?

(not saying it's WORTH it, but ad tech is pretty darn sophisticated these days)


I would have loved to get properly targeted ads, but even with all of Google and Facebook's data, my ads are all complete and utter crap. Right now Facebook is showing me ads in Thai language selling me a visa to visit Japan as a tourist. I don't speak Thai and I already live in Japan. Facebook knows this. Why am I getting these horrible ads?

The online ad business is just complete and utter bullshit. They have all this data and have utterly failed at using even the most basic data points ("where does he live?" "what language does he speak?"). And all they can think of is "hmm probably need more data"


I think the most basic and simple solution is to target ads not on the user but on the webpage and its contents.

If a webpage that reviews computer hardware is written in French (or visibly so), pick hardware ads first, and in French if available. That is IMO a reasonable assumption to make and I don't believe that a lot of users will be mistargeted that hard.

Bigger publishers like newspapers could run ads depending on section, ie the politics section shows political ads and the weather section shows a raincoat ad.

The only downside I see is that localized ads don't work as well (ie, "local restaurant has cheap burgers" and "99+ women in <your area> want to talk to you on tinder!!!!"). Such places could put their ads on relevant pages though, ie the internet page of a local newspaper or the local communities' internet presence.


With ublock origin and a hosts file, I can't remember the last time I saw an ad.


uBlock Origin makes the ads go away pretty well. I'm also open to paying.


Does uBlock Origin actually have any effect on ads or sponsored posts in Facebook?

I run ABP and there are still ads all over the place in Facebook. I've taken to reporting every ad I see in my Timeline as spam.


Fluff Busting Purity (formerly Facebook Purity). Nukes everything; maintainer is hugely on the ball, rolling out fixes for FB's breaking bugs within hours (and occasionally within minutes). If it's not in your browser's extensions/addons "store", you can find it at https://www.fbpurity.com/


I've heard but can't confirm that ABP sells the ability for ad servers to be whitelisted. uBlock + enabling various lists is better. Check out uMatrix.


Nicely juxtaposed with the Independent's ad for their Facebook Bitcoin group. Facebook groups really are the antithesis of the Internet, being closed and unindexable.

Anyway perhaps these no-decline 'permission' screens will cause a few people to reconsider their presence on Facebook. After all the company's Chief Privacy Officer endorses it! “People can choose to not be on Facebook if they want"


perhaps these no-decline 'permission' screens will cause a few people to reconsider their presence on Facebook

Yes, but not more than a few. Privacy is not a big concern for most.

“People can choose to not be on Facebook if they want"

I made my choice a number of years ago.


"Chief Privacy Officer" at a company that wouldn't exist were real privacy to be present in their products.


Heh, funny. Unfortunately also nonsense. A CFO also exists and not because a company doesn't handle finances responsibly. Or a CEO implies no engineering?


I think you misread. The implication was that Facebook would not exist with real privacy in the product, not the role of CPO within Facebook.


Yes, this is correct. Thanks for clarifying.


Doh. You are right. Apologies for the snark.


Australians may wish to refer it to the ACCC if Facebook offers them a "take it or leave it" choice. Even if the laws regarding unfair consumer contracts turn out not to apply, it would be interesting to get the ACCC's formal response on it.

https://www.accc.gov.au/consumers/contracts-agreements/unfai...


They track me. I don't accept it. I have no facebook account. They are crooks.


I'm a member of a Facebook group for Irish game developers. Very good group, pretty much the only reason I use FB. Though I am logged on all day as I don't want to miss anything on it.

I tabled the idea of the group leaving fb for somewhere else, as now would be the time people would be receptive to that idea.

The consensus was, nah, don't bother, this is fine... welp.


Unrelated to your post for the most part, but just to clarify for readers; tabling an idea in American English is to postpone a decision (potentially indefinitely), while in British English this is the exact opposite and means that the idea is being presented for review at the current moment.


I've lived in America most of my life, but I've only ever heard (or assumed?) the latter usage, which I assumed related to the phrase "is on the table". I wonder what the origin of the former is.

edit: I suppose it comes from how optimistically/pessimistically you view someone saying that a decision is on the table, I guess. Funny.


This whole Facebook debacle has certainly helped me see some "bubbles" more clearly. I've encountered plenty of people who hadn't even heard of the recent Facebook privacy issues, let alone actually care. There are plenty of people who don't even follow the main news headlines, let alone pay attention when it gets political or technical.


Google already does this anytime I clear my cookies. Why would they allow someone using the service if they didn't get something back?


Some of us are old enough to remember the web and other services before they had ads. I remember quite well when they first started showing up, people called them "banners", and it was infuriating.

I never accepted the change in the expectation that everything will now be ad supported. That's a fundamental, massive shift. You can still say no to that imposition, it's not actually baked into any of the technology, just a bunch of bloat glued on afterwards.


Good question - though half of the internet has been built by pretending to offer your service for free. So either we keep doing that or we have to admit that our whole industry has been lying to their users.


The mental model for most people for so called free media is broadcast tv.

Yes there are ads. Yes I dislike those ads but they pay for the tv programming and broadcast.

No, broadcast tv does not keep a massive dossier on me or even know I exist.

Almost nobody expected nor understood that they are now "free from having privacy." It's not usual nor expected nor was it ever made clear. It was also done where there was no consent (shadow profiles for people without Facebook accounts) and where consent was expressly withdrawn ("I now know what Facebook does and would like you to close my account and delete all data and all backups of data relating to me"). Wildly evil stuff going on there, argue about what the law "says" all you like, it's foul and should be illegal. It probably is illegal too if you haven't got billions to buy out of the problem. Cue the apologists...

There are plenty of other media consumption businesses paid by advertising where you aren't being monitored in a manner the Stasi could only dream of. Free printed newspapers supported by advertising have been around my entire life. This was the expectation.

Could Facebook and Google have grown if they had stated on their front page, every login, that they were keeping records of everywhere you went on the internet? They wouldn't have got any traction whatsoever, so they lied. Android will keep track of everywhere you go physically and add that to our file on you. "Apple are better" is just such BS you have to be a huge fanboy to swallow it.

Everyone concerned should be facing criminal charges for that kind of lying. Trying to claim they didn't know they were lying at the time and it was a bait and switch fraud instead.


Why would they allow someone using the service if they didn't get something back?

That's a good question, but once GDPR is in effect, the law is going to require that all consent is genuine, informed, active consent. A consequence of that is that someone must be able to withhold their consent without suffering for it, unless the thing they're consenting to is essential to whatever else they're doing.

If you're thinking this fundamentally undermines the current business model of sites like Facebook, you're probably right, and given the political rhetoric around the GDPR, it's possible that this was the intention of the EU from the start.


Ad revenue is essential to Facebook running. My guess is that FB will continue to work even without this other data just given what they know on the site.


Ad revenue is essential to Facebook running.

Ad revenue may be essential to Facebook being commercially viable, but it's not required at all to provide the social networking features that users actually want.

My guess is that FB will continue to work even without this other data just given what they know on the site.

But if they have data acquired with users' consent for social networking purposes, they won't be allowed to process that data for purposes such as targeting ads without consent.


Facebook was already on a decline as it was becoming the social media platform for senior citizens.

I do wonder how this will affect Instagram, which is where most of my peers and friends are.


Does the GDPR allow sites to have a “pay real money or subsidize your experience through tracking” option?


Where is the "go fuck yourself mark zuckerberg" option


So who's tried Mastodon?



