One thing that strikes me reading this, is that the only thing that's changed is that Google won't disallow it. But I think it would make more sense if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google for not enforcing things for them.
There is a subtle but important difference here.
If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake. You'll just be shut out of your bank/advertising/electricity for doing something "wrong".
If instead UK ICO would bring a legal case against an individual or company applying fingerprinting (and I'm no advocate of fingerprinting, but that's beside the point) then they can defend themselves in court.
> if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google for not enforcing things for them
Google isn't just a hapless bystander here, they are enabling and profiting from the practice. Big tech companies all build these billion people villages and heavily tax every person inside but when "outside law" is broken then "outside authorities" should fix it for free.
The rules could be simple: you have a problem in your village, either you enforce the laws there, or national authorities will do it and charge you (the company) for the service.
When Amazon allows any of the millions of ephemeral clone-storefronts to sell shady or illegal stuff, would you rather have the authorities spend years chasing ghosts or have Amazon change their rules to make sure such illegality and abuse aren't possible in their marketplace?
> When Amazon allows any of the millions of ephemeral clone-storefronts to sell shady or illegal stuff, would you rather have the authorities spend years chasing ghosts or have Amazon change their rules to make sure such illegality and abuse aren't possible in their marketplace?
I'm fine with a law saying Amazon is liable for fake storefronts etc. Sounds reasonable. I'd also favor requiring e.g. Uber or Airbnb to provide authorities with data to prevent tax fraud from operators in such marketplaces.
But to me saying Google's advertising product should enforce how the individual websites work [fingerprinting], is to me more in the direction of "an electricity provider should enforce how people live their lives in any home provided by such electricity…"
> Google's advertising product should enforce how the individual websites work
"Google's advertising product" should do no such thing, the websites can go right ahead implementing whatever they dream of. Google "the company that develops the OS for my phone and the web browser" on the other hand is responsible for what tools and features it gives to those websites or apps to use on my device and without my explicit permission.
For example Google doesn't allow them to have root on your device, or covertly activate your microphone or camera. Why aren't you asking "who's Google to police what websites can do with my device, camera, and mic"?
> is to me more in the direction of "an electricity provider should enforce how people live their lives in any home provided by such electricity…"
Quite the opposite, Google or the electricity provider should enforce nothing on you or me. The analogy is more like the electricity provider allowing anyone to access information about what you do using that electricity. Why would the electricity provider have access to that information in the first place, and why would they be allowed to create interfaces that share that info with their partners?
If you're fine with Google allowing sites to collect this information from you, would you also be fine if your electricity provider allowed sites to collect info about how you use the electricity?
> But to me saying Google's advertising product should enforce how the individual websites work [fingerprinting], is to me more in the direction of "an electricity provider should enforce how people live their lives in any home provided by such electricity…"
That's a wild analogy.
You're talking there about what I do in my home without impacting anyone else.
With google here we're talking about companies tracking users in a way likely to be illegal.
> But to me saying Google's advertising product should enforce how the individual websites work [fingerprinting],
I completely disagree, and I'm someone whose interests would be best served by agreeing with you (my marketing agency spends a lot on advertising, and if the ad platforms don't have to enforce this sort of bad behaviour from other advertisers then prices could potentially fall as their expenses would)
Google's ad network isn't just dumb pipes for information like an ISP or an electricity provider, they're actively charging companies money in order to send whatever information to be displayed and code to be executed those companies want them to onto the screens of people that they're actively targeting. It should absolutely be Google's (or whatever ad network's) responsibility to not allow bad actors to use their services to spread viruses/malware, nor to allow even worse privacy evasion that they're already doing themselves such as allowing fingerprinting.
Isn't Google's relevancy here a result of their connection to the Chrome browser? The analogy vis-à-vis electricity is more like a vacuum cleaner manufacturer than power provider, although even that's weak because this is fundamentally about personal information being miscategorized as a commodity.
Google literally added all of the random APIs into Chrome that fingerprinting depends on.
If you trust Google then they are a bystander. If you don't then they orchestrated this entire situation over the last decade or so in order to cement the dominance of their advertising business.
Most of those "random APIs" have good reasons for being there that have nothing to do with fingerprinting. For instance:
Your browser needs to be able to render text in different fonts, which means that without paranoid design (and maybe with it) code running there can tell what fonts you have installed.
A web app may want to tell you when something happened in your time zone even though it happened somewhere else. So there's value in having code running in your browser be able to tell what time zone you're in.
Different browsers, and different versions of the same browser, have different bugs. So there's value in letting code running in your browser know what version of what browser you're running. (Note that this information has been exposed by browsers, though not always very honestly, since before Google even existed.)
Browser/device fingerprinting has been possible since before Google ever shipped a browser.
I wouldn't be surprised to learn that Google has made design decisions in Chrome motivated by not making fingerprinting too difficult. I also wouldn't be surprised to find that they've done the exact reverse. Maybe they've done both. But the possibility of browser fingerprinting isn't the result of some galaxy-brained conspiracy by Google; that was there all along because when browsers first gained the ability to run code the people building the browsers never thought of the danger, and by the time someone did it was already too late.
What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting? They literally say in this guidance that they consider it against the regulations for companies to do this even though google now allows it. Having dealt with regulators a fair bit that’s pretty much as clear cut a warning as you can get that they will go after people who do this. Now, will they be fast? No. Will they go after the worst offenders? Maybe, maybe not. Will they only do it if someone makes a complaint? Perhaps. But this note is literally them saying to companies “don’t think you can do this just because google now says it’s ok”.
> What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting?
The vast majority of consent flows ("cookie banners") out there are not compliant and they do absolutely nothing about it. It's very unlikely this would be any different.
I really don't understand this comment. They're not expecting google to enforce anything, and they are talking about going after individual companies.
> If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake
Companies are in no way stopped from fingerprinting just because of google.
> When the new policy comes into force on 16 February 2025, organisations using Google’s advertising technology will be able to deploy fingerprinting without being in breach of Google’s own policies. Given Google’s position and scale in the online advertising ecosystem, this is significant.
But when I read this it seems like they are unhappy with Google no longer enforcing their view of fingerprinting:
> We think this change is irresponsible. [...] We are continuing to engage with Google on this U-turn in its position and the departure it represents from our expectation of a privacy-friendly internet.
They (ICO) are saying two things: they're saying that regardless of Google's policy they will go after companies they find to be using fingerprinting to bypass a user's right to privacy (this is the part you've focussed on), and they're also saying that Google should cancel this change and return to having it banned as their policy, with the implication that Google actively polices its own policy and would therefore prevent people from doing fingerprinting without ICO having to get involved (which is what the person you originally replied to was focussing on).
Their comment that you said you didn't understand made complete sense in the context of that aspect of the ICO's post, but you seemed to not see a link between the ICO wanting Google to reinstate the ban and seeing that as Google policing that subject on their network.
> and would therefore prevent people from doing fingerprinting without ICO having to get involved (which is what the person you originally replied to was focussing on).
But that simply isn't true in the broad sense. It would stop some or even a large number of people from doing it in one area, but it doesn't stop it happening.
> but you seemed to not see a link between the ICO wanting Google to reinstate the ban and seeing that as Google policing that subject on their network.
I obviously see the link there.
The comment said several things, which really doesn't line up with the post. It accused the ICO of going after google rather than businesses and said that stopped businesses being able to test it in the courts.
However businesses can implement fingerprinting, the ICO can act and this can be tested.
The comment likened this to bullying companies into enforcing policies, and said it left them with no legal recourse. But there are no threats, no action from the ICO against google (except "will engage with google"), businesses can still implement these things and it can go to court.
Let's go through it and why I don't understand their point.
> One thing that strikes me reading this, is that the only thing that's changed is that Google won't disallow it.
Yep, this is right, google are changing a policy which will give a lot of businesses the ability to do something that the ICO thinks is extremely unlikely to be lawful.
> But I think it would make more sense if the ICO actually just went after the companies doing fingerprinting directly,
This is what they're saying they'll do
> instead of being angry at Google for not enforcing things for them.
Angry seems like an odd statement here. They call it irresponsible, and I think justify that. I think they could go further since this will likely result in google profiting
> There is a subtle but important difference here.
> If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake. You'll just be shut out of your bank/advertising/electricity for doing something "wrong".
> If instead UK ICO would bring a legal case against an individual or company applying fingerprinting (and I'm no advocate of fingerprinting, but that's beside the point) then they can defend themselves in court.
And as I say there's nothing stopping this getting tested in court.
This is a pretty bland post. It's the ICO saying there's a change coming and a warning to businesses that this doesn't mean it's actually allowed, just that google will stop banning it on their network. They're saying they'll come after businesses breaking the rules.
What should they have done? Posted nothing? Not mentioned google?
Two separate issues. There needs to be regulation to stop Google from doing or allowing fingerprinting, and there also needs to be regulation to help people against one-sided decisions like that.
You don't get to be that big and make your own rules.
That's the problem with allowing a company that reach and letting it keep a dominant market position. You need to involve them in regulation enforcement. In a fair market Google could rightfully say that's none of our business.
> it would make more sense if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google
I think it’s quite the opposite - Google enabling illegal use of their services should make their offering unfit for market. Being a monopolist in the space, it’s Google’s responsibility to ensure users are safe when exposed to their services.
This just doesn't make sense. Google won't disallow fingerprinting on companies using ITS advertising technology. I think accountability gets exhausted pretty quickly on this just by thinking about the implications. If UK gov (or any other) enforces a blanket ban on Google ads to prevent this problem, where exactly does the issue lie? This is not like someone selling syringes being accountable for someone putting toxins into the syringe, this is someone who already has a line into a main blood vessel saying they won't prevent someone from putting toxins in. Big, big difference: they have the privilege of access and won't prevent other people abusing it. This is on Google, pure and simple.
There are a gazillion companies outside UK legislation; if they only went after companies doing fingerprinting, only those subject to their legislation would refrain from doing it.
That argument works better against having Google be the enforcer than in favour: Google's rules are (as I understand it in this case) global, so why should the UK's rules be made to apply to, say, a Japanese-language-only app sold only in Japan?
(For all I know Japan has similar rules, the point isn't the specific country, but that this would be the UK projecting power internationally that it shouldn't be).
Google can choose to only have it against the rules for adverts served to UK (or UK and EU and any other country with strong privacy laws), and still have better ability to target the bad actors (as they can choose to either fully ban, or just ban from advertising to those countries, any company that breaks the rule regardless of whether they're in or outside ICO's jurisdiction).
I suppose this is why we need to break up Google, so even the most unaware person on the world can realize that they are the biggest advertising network on the planet. THEIR PRODUCT IS ADVERTISING. TARGETED ADVERTISING. This is what they do. That is where their money is made.
I have no opinion about this particular case at hand, but decades of observations of how governments, esp. in Europe, "regulate" IT by targeting a few big players, and Google always first in line despite that company having been _historically_ the most careful with users' data, have convinced me that this has little to do with protection of citizens' privacy and much more to do with forcing those all-encompassing corporations to cooperate with governments' own surveillance agendas.
Firstly, regulators go after the big players because they have finite resources and that's the easiest way for them to have a lot of leverage versus trying to play whack-a-mole with thousands of tiny companies who can easily shut down and change name in the event of a regulatory action.
Secondly the idea that google are particularly singled out flies in the face of the significant actions by european data regulators against meta and all the other big tech companies.
Thirdly the idea that google are particularly careful with users data is pretty laughable.
> the idea that google are particularly careful with users data is pretty laughable
Either you don't know what you are talking about, or we attach very different meanings to some of these words. Let me rephrase: of all companies, institutions or associations that I've been able to glance at from the inside in my already quite long career, Google was by far the one where user data was the most secured, from illegitimate access from the outside world and from the employees alike.
Also, of all the big internet corporations, I've read many stories about Facebook or Microsoft (amongst others) cooperating with the most repressive regimes. On the rare occasions where I could read about some big corp preferring to lose a market rather than user trust, each time it was either Apple or Google. Granted, it was many years ago; but already back then Google was regularly presented by EU "opinion makers" as the most evil of corporations.
Witnessing this and the ensuing downward trajectory of morale in big IT corporations, I half-jokingly developed the theory that maybe corporations are like little children: they behave just as well as they are expected to. If you constantly tell them that they are immoral and stupid, then they become just that.
"The Information Commissioner's Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. ICO is an executive non-departmental public body, sponsored by the Department for Science, Innovation and Technology."
https://www.gov.uk/government/organisations/information-comm...
Enforcement action by the ICO is as rare as hen's teeth, and when they do enforce, it's a mild slap on the wrist for large businesses, and "put you out of business" for small businesses. Lose 2,000,000 sets of customer information because you accidentally left it public? Reprimand. Don't do it again. 1000 spam calls? £100k fine. Go to prison.
If you have a U.K. Ltd company, you must pay them their annual fee.
Quite the gig they have. Do next to nothing, collect a tax on every business in the country.
>If you have a U.K. Ltd company, you must pay them their annual fee.
Businesses that only use data for routine purposes like staff administration, accounts and advertising are exempt. The data protection fee only applies to businesses engaged in higher-risk data processing. The fee for a non-exempt business with turnover of <£632,000 is £40 per year.
The primary purpose of ICO enforcement is to ensure compliance. The general principle is that the sanction administered should be of the lowest level necessary to ensure compliance.
In your examples, the Electoral Commission suffered a breach due to a chain of vulnerabilities exploited by a sophisticated actor. In response to the ICO investigation, the Electoral Commission implemented a major overhaul of their security procedures including a formal process to manage and monitor patching and MFA. The ICO were satisfied that the EC had come into compliance and would remain compliant, so no fine was applied.
>> Businesses that only use data for routine purposes like staff administration, accounts and advertising are exempt
In theory only. I was a one man band with zero consumer data handling, and they insisted I pay the fee. Back when I had faith in institutions, I reported some really grievous mishandling of consumer data to them, several times, and they were not remotely interested.
sounds just and deserved to me, fine spammers into nonexistence
> Quite the gig they have. Do next to nothing
Maybe you are right that there are serious problems with them (the Electoral Commission failure should have been punished), but demolishing small-scale spammers is already a useful service. I would fund it if I were the one making the decision.
I would be happy to pay £1000 if that means that the last person who spammed me goes bankrupt and to prison (for say 50 days).
> a mild slap on the wrist for large businesses, and “put you out of business” for small businesses
first one should be fixed if it is a problem so large spammers are also fined into nonexistence
and yes, I support putting their CEO into prison for 50 days if any part of their company does spam
Agreed - my main problem with them is the asymmetry of their enforcement actions. I think the fine for the spammers I gave as an example was just and appropriate, but again and again, if you look at any large organisation, they almost always just get a reprimand, or a fine that’s just a cost of doing business - if they are investigated at all. I reported a large IT supplier who are currently embroiled in a different scandal in the U.K. many years ago, because they were playing fast and loose with medical records. No action, no investigation, nothing.
I was absolutely fuming when I got my letter from them demanding I pay them money. I knew I was closing my company down in the coming years and ignored them in the end. It's crazy this is allowed, to be honest.
Well, that's what you get if you lower taxes on businesses. Otherwise some brick and mortar shop might rightfully complain why do I have to pay taxes for regulating companies that ruin my business.
Is it public knowledge how much FAANG companies pay?
>Is it public knowledge how much FAANG companies pay?
The highest tier of fee is £2,900 per year, but you're looking at the wrong regulator - major tech companies invariably use Ireland or Luxembourg as their European headquarters, so most or all of their data processing activities (and subsequent investigation or enforcement) would take place under that jurisdiction.
Yeah, when I got the ICO fee extortion letter, they were put in my total scam category. Even when I realised they had some actual official purpose in collecting fees, I still viewed them as a scam, so they have a PR issue more than anything.
Personally I do wish they would intervene more, but if you consider how broad GDPR/DPA18 is I honestly don't think they can enforce it in the way a normal person would expect. Either it's a legislative issue (i.e., legislate better) or we accept these attempts at "balance". It's usually not the institutions weakness it's the legislation or the framework in which they exist.
Consider one example - you "process" (collecting, using, storing, viewing - literally anything) personal data in an electronic system without the latest security patch. Are you breaking GDPR/DPA18? Easily done, especially for sensitive data. "...taking into account the state of the art, the costs of implementation, ... the risk of varying likelihood and severity for the rights .. of natural persons ... the processor shall implement appropriate technical ... measures to ensure a level of security appropriate to the risk" (DPA18 Art 32).
I imagine a large number of companies flout the above without realising. Especially when processing any information regarding health, criminal offense data, race, religion, philosophical beliefs etc, which is "special category data" and requires strong protections.
> I imagine a large number of companies flout the above without realising.
Most companies flout the 101 of GDPR.
Do you have a registry of the personal data processes you do? Are you able to hand it in less than 48h after receiving a request for them?
Do you do risk assessments when thinking about implementing a new data process?
And it's not only about electronic data. Paper files are concerned.
Yes it can feel like a lot but if you're handling people's personal data you should not be playing around. And if it's too hard, maybe "just" don't process personal data at all. Before GDPR we were already at a point where people just siphoned and stored people's data "in case it is useful later". Now some legislation is in place to make you think about why and how you get and store this kind of data, putting a price on doing it. It's a plus for the public.
Too bad if it does not help sell ads, scams or just abuse people.
I don’t have a problem with the fines for the spam texters, if anything it should be higher, but not punishing the electoral commission for that is utterly insane.
I absolutely agree that the enforcement is significantly lacking and this "regulator" is useless, but I'm wondering why you are angry that someone got a fine for SMS spam? Some enforcement is still better than no enforcement at all as long as the underlying basis is just, and there should be zero sympathy for spammers out there.
Interesting, so the UK cannot impose rules on companies that operate and make billions in revenue in the UK because "UK small". But when a much smaller economy than the UK, like Australia, imposes a rule on big tech like the news law, it is much different in challenging big tech.
I saw a post a few weeks ago on HN asking what's the point (in general) of using a UK legal firm when legal firms in US/EU/India exist (!).
And so the dance takes on a new rhythm. These well-meaning advertising execs, working diligently to support their struggling stakeholders, now have a new string to their bow. And the rest of us, the targets of their magnanimous demand-creation algorithms, will have 'new and improved' ways to learn about and connect with our favourite brands, outrageous headlines and memetic schemes.
And then there are the sneakier ones; those who dwell in digital shadow, hiding from the luminous glare of corporate glory. What will these funny fellows do, when the fingerprinters tap on their windows and ask for their papers? What of their intent, and the glasses they wear to shield their eyes from the money-grubbing rays?
This came up on reddit a few years ago and maybe here. There was a case that effectively determined that cdns were not gdpr compliant.
And then everyone ignored this outcome because of the implications. Of course there is the "legitimate interests" line. Vague enough for a judge to apply as they see fit, but one judge messed up at least one time.
Cloudflare captcha? Does such a thing exist? They have Turnstile, which I never had problems with on my computers (only Firefox installed). I did have problems on a niche phone running an outdated mobile Firefox, but I believe they might have been solved.
Edit: Yes, seems to work now. After I complained on HN earlier their CTO asked me to send a trace. I did so and a couple of months later the problem was gone. Whether that was causal or incidental I have no idea.
Quick note: the article header should say “ICO” and not ISO.
I didn't know about this change in policy from Google but, in summary, it doesn't change the legal positioning on fingerprinting as something that can fall under PII collection under UK data protection legislation. I do worry that the change from Google will make practical enforcement more difficult, however.
There was a historical moment (2012ish, you can search HN and find it) where they changed the motto. They changed it from "don't do evil" to "googlers shouldn't do evil" changing the emphasis away from the organisation to the employee.
They moved a core principle to an employee guideline!
I had to do a separate search for what "ICO" means/is because it's not within 4 clicks of landing on the site. "Information Commissioner's Office", in case anyone is wondering.
I called the ICO a few years ago asking how to comply with an ex-employee GDPR data request for access to their emails. Their recommendation: read them all to determine which contained personal data.
When I told them I (as a 5 person business) obviously don't have time to go through 1000s of old emails they reacted with surprise to the amount of emails. I guess they don't send many. They didn't offer any other solution.
As others have mentioned this org is a tax on all UK business.
Yeah, this. The easiest way to comply with the GDPR is not to store personal data. The second easiest is to delete it as soon as it is no longer required (this includes from backups!)
Do you actually want those emails to be unearthed during a lawsuit 5 years from now?
At least one firm I worked with had a mandatory 180-day delete of any correspondence not specifically tagged for archival, and the stated reason was to prevent all their random conversations being exposed during discovery if they were prosecuted.
Every single company out there uses fingerprinting and breaches the GDPR in one way or another - it's normal business practice. It's effectively impossible to run a business nowadays complying with the GDPR when your competition doesn't.
Fingerprinting is done client-side using browser APIs e.g. WebMidi.
The fingerprint is then associated with a user's email address or login identifier and then sent either client-side or these days server-side to Google Ads.
Outside of the IP, the server can only know data that the client collects and sends (and even the IP isn't much, because most ISPs give dynamic IPs these days, plus VPNs etc).
And there is information added during the routing - not just information from the client - from the intermediaries.
And you also have to consider the power of patterns - where one piece isn't enough to see the picture, but if you have enough pieces you can ( jigsaw identification ).
A huge number of people. In 2023 they made around $80 billion of profit on $300 billion of revenue. Their ad network, search engine (Google), web browser (Chrome), mobile OS (Android), videos website (YouTube) and email service (Gmail) are all either leaders in user numbers or close to being (actually I think they might be #1 in all of those categories...)