Hacker News: verst's comments

Very common. Every Autograph Collection, Luxury Collection, JW Marriott, Marriott, Westin, W, St Regis, Le Meridien, etc has daily housekeeping - and many of those brands / collections have turn down service too.

As someone who just GA'd an Azure service - things aren't all that different in Azure. Not sure how AWS does service launches but it would be interesting to contrast with GCP and Azure.


It uses Electron which itself uses the Chromium rendering engine.


As I recall it Cambridge Analytica was a ton of OAuth apps (mostly games and quizzes) requesting all or most account permissions and then sharing this account data (the access for which had been expressly (foolishly) granted by the user) with a third-party data aggregator, namely Cambridge Analytica. Only this re-sharing of data with a third party was against Facebook Terms of Service.

I would not classify Cambridge Analytica as research. They were a data broker that used the data for political polling.


From https://en.wikipedia.org/wiki/Cambridge_Analytica

> The New York Times and The Observer reported that the company had acquired and used personal data about Facebook users from an external researcher who had told Facebook he was collecting it for academic purposes.


Link from the sentence that you copy-pasted: https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...

The data was collected through an app called "This Is Your Digital Life", developed by data scientist Aleksandr Kogan and his company Global Science Research in 2013.[2] The app consisted of a series of questions to build psychological profiles on users, and collected the personal data of the users' Facebook friends via Facebook's Open Graph platform.[2] The app harvested the data of up to 87 million Facebook profiles


This "research" and data access wouldn't be allowed under the DSA, because (i) the researcher didn't provide any data protection safeguards, (ii) his university (and data protection officer) didn't assume legal liability for his research, (iii) his research isn't focused on systemic risks to society.


Not sure what point you are making. But under the "common sense comments act of 2054" unclear comments are not allowed.


The article for this post is about the EU's Digital Services Act (DSA). Since the original comment argues against research access to data by arguing that "Cambridge Analytica was research as well," another poster chimed in to rebut that assertion by arguing that Aleksandr Kogan's research would not have been allowed access to user data under the DSA and thus, that specific legal concern is moot.


Kogan's "research" harvested data through an application and he was outside of the EU.

So even if it was happening today, whatever he did is irrelevant to EU/DSA unless they plan to chase everybody across the globe. Somewhat like Ofcom going after 4chan.


That's precisely what the EU is doing with Clearview AI [0].

> Max Schrems: “We even run cross-border criminal procedures for stolen bikes, so we hope that the public prosecutor also takes action when the personal data of billions of people was stolen – as has been confirmed by multiple authorities.”

[0] https://noyb.eu/en/criminal-complaint-against-facial-recogni...


Based on your quote, it looks like this is what the EU is not doing.

I like this quote more

Max Schrems: “Clearview AI seems to simply ignore EU fundamental rights and just spits in the face of EU authorities.”


Hence why the upgrade to criminal charges against the company's officials.

There is _not_ a lack of action on behalf of the EU, here. They are "chasing" those responsible.


Ohh.. the upgrade will surely make them rethink the error of their ways and they will come begging the EU for forgiveness.


It's a Sev 0 actually (as one would expect - this isn't a big secret). I was on the engineering bridge call earlier for a bit. The Azure service I work on was minimally impacted (our customer facing dashboard could not load, but APIs and data layer were not impacted) but we found a workaround.


Makes me wonder whether Makgeolli (a low alcohol fermented traditional Korean beverage) contains this too.


Sure, or kombucha?


My wife and I watched the episode about infertility with our little niece who kept asking when she'd have a cousin. Despite its subtlety it completely broke me. It addresses the subject in the best of ways. Well here we are 7 IVF cycles later and still trying.


Can I take a moment to say I admire the strength that it takes to try 7 cycles. We gave up at 5, it became too heartbreaking. Keep positive mate, I wish the best for you.


I'll provide an alternative narrative: Additional seats at a significant premium are created for international students to allow subsidizing tuition for domestic students and offering of additional services on campus, research positions etc

If you get rid of international students then domestic student tuition will increase and/or campus services offered will decline.

Universities do not want to decrease their endowment. They want to find ways to grow it. And another goal is to increase the international reputation of their institutions. Here international students act like a kind of missionary.


This narrative describes public companies focused on growth and brand instead of schools focused on offering the best education possible in their country.

They have lost their way. They have been corrupted by bribes heaped upon them by rich international people buying their children advantage.


Aren't those spots for international students often created because international students pay the full (or even more than full) cost, thereby subsidizing other operations at the university? Sometimes international students pay more than out-of-state students too.

Depending on the financial model, eliminating spots for international students may in fact have the adverse effect of also eliminating spots for domestic students.


These tracking "pixels" are used across the entire ad tech industry. It is very pervasive. Amazon, Twitter / X, Facebook / Meta, Pinterest, Snap, TikTok...


It's not just pixels. They strongly encourage site owners to send (normalised and hashed) personal data from every interaction to them, with the promise of better targeting for the site's ads. You cannot block this or opt out because it's server-side.


> You cannot block this or opt out because it's server-side.

Facebook’s latest approach is to give people instructions on setting up a relay server in their own infrastructure so that privacy software that blocks third-party tracking still works, even when it looks at IP addresses to detect things like CNAME cloaking.

https://developers.facebook.com/docs/marketing-api/conversio...


The positive of that approach (for users) is that it relies on client-side scripts, so it's possible for privacy tools to target those.


Another reason not to deal with any company that has any kind of Facebook focus at all


Yep, and it doesn't make it right.

I recently told my bank I don't agree to their new privacy terms. I sent them all 26 pages, marked up with various red lines crossing out the objectionable clauses. One was about tracking pixels, web beacons and the like.

There was also much worse stuff contained like behavioral profiling and sharing my data with outside advertising conglomerates.

After-the-fact opt out mechanisms were described for a lot of it, but I explained very clearly that I am not consenting in the first place. The fact they provide an opt out for some of the most shameful portions reinforces that they don't need consent in the first place to provide me with banking services. I don't know who in their right mind would accept such terms. Unfortunately most individuals I know wouldn't have a clue what the jargon means or how it affects them.

A meeting was set up with my bank manager, and to underscore my point I brought in the original, aged-parchment paperwork I signed over two decades ago to open the account. That was only 5 pages long by comparison.

I also brought in a screenshot from Facebook that proved the bank uploaded some information about me to them in a Custom Audience customer list (a tool offered to advertisers that perversely deputizes them in Meta's quest to ingest all of our personal information). They have no business telling Meta or other third parties who I bank with (which is what the hashed uploaded lists are used to match & confirm).

The manager was quite understanding of my concerns and agreed none of what I objected to is legitimately needed to provide me with banking. I politely explained if they expected me to agree to this garbage I would take my personal and business deposits elsewhere.

I was pragmatic, and realize they're not going to reprogram their whole web portal just for me, but told them if they were going to go ahead and embed web beacons and the like in pages served up to me, or engage in more aggressive privacy violations, then they're doing so without my consent (an important distinction if I suffer damages down the line). In the end, my redlined version of their policy was affixed to my file to document that I do not in fact accept their terms, and they got to keep me as a customer. Not as good as a countersigned revised agreement, but enough to indicate my intent should consensus ad idem come into question.

I realize this was a lot of time and effort (and some risk of further nuisance if it failed and my accounts had to be closed), expended for something most people don't seem to care about. But the growing trend of companies outside tech adopting all our worst dark patterns really gets my gears grinding.

The story goes to show that if you choose to push back, sometimes you can win.

Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.


So you're still tracked the same way as everyone else and they didn't sign any of your changes, so how are you protected?


I think if class-actions come up in the future they have a pretty good case. It seems to me there's a good chance of getting the ball rolling on this stuff - the world is becoming much more aware of the risks associated with online privacy.

Really, the banking industry should be some of the most aware. They lose millions, maybe billions, to fraud and identity theft. The fact they engage with it and enable it demonstrates how strong the suits are and how little they understand.

Want to stop identity theft? Stop leaking personal data to hundreds of third parties. We don't know if they're running their shitty analytics on a Raspberry Pi taped under someone's cubicle. There's a reason we keep having data breaches.


It's a fair question.

Mainly, they'd have a much harder time basing a defense on having had my consent, should I have cause to sue them down the line.

> they didn't sign any of your changes

I didn't sign any new agreements of theirs, either.

The manager did of course check that all the relevant knobs and dials in their system able to be turned off were set as such.

And it caused them some minor grief. If enough of us were to push back like this, the grief might grow sufficiently for them to do something about it (like maybe recognize nobody wants these godawful policies and there's a great business opportunity for companies that decide to build a brand premised on customer respect).


I see, it's better than nothing indeed. The only grief you can cause them that actually matters is moving your money though, but I'm not sure there's any bank that doesn't do similar tracking.


But did you actually try to find a better bank not sending your data to Facebook? In the EU, these should exist.


>>Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.

While GDPR had some good intentions, the way it is implemented in practice just makes things more difficult for consumers and changes little. For example, in Poland one of the major banks still forces you to accept them sharing your information with advertising partners.

The main effect of the regulation is that you waste 30 seconds on every call you make to a business listening to stuff about their privacy policy, and on every form you have to consent to something or be denied service.


I hate how it spurred every website under the sun to ask for cookie consent. My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.

> you have to consent to something or be denied service

I hate this too.

But I hope consumers start to recognize it isn't always the case. Just because contracts are laid out on screens nowadays instead of paper, doesn't mean they're immutable and must uniformly be accepted as-is. We've been shepherded into a culture of just agreeing to whatever crap is placed in front of us. This is one reason I refuse to use DocuSign and always insist on paper or PDFs. I recognize not everyone has bargaining power, and I was fortunate in my case.

Interestingly, where there is unequal bargaining power, that fact itself can on occasion bite back against the company. E.g., in my jurisdiction, it obliges the judge to interpret any ambiguity of terms in favour of the party with less agency.

I generally think companies are overestimating how well some of the more unscrupulous terms we're seeing these days will hold up under the test of litigation.


> My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.

Sorta yes. The "cookie law" is the EU ePrivacy Directive (not the same as the GDPR, it predates the GDPR by around a decade) and doesn't directly talk about cookies. Rather, it talks about any means in which a remote server can store data on your PC (which includes cookies, but also things like LocalStorage - the law is resilient to innovation).

Basically if you want to store data for things that aren't obviously necessary to provide service, you need to ask for consent to store this information (getting consent for using and sharing information obtained by using these cookies is a separate matter, that's what the GDPR is for). So a shopping cart or a session cookie don't need consent banners, since those get filled out in accordance with things users expect (if you log in, it's expected that the site knows who you are in future requests; if you add an item to a shopping cart, it's expected to be kept somewhere and to be cross referenced. Rejecting a cookie consent banner can also place a cookie for this same reason; users expect to not be shown that popup again if they said no.)

Cookie banners are effectively an attempt to maliciously comply with this directive combined with legal paranoia. The second one is easier to explain; if you need consent to store some cookies, then legal is just gonna tell you that you need consent to store any cookies, no matter how trivial. This is standard legal paranoia, which leads to sites that don't place tracking cookies getting consent banners.

The first is more malicious; browsers can send indicators to servers that they don't want to be tracked at all. That's the DNT header or the GPC header. They are basically the same thing, except the GPC header allegedly has more legal backing - to my knowledge there's no evidence that DNT doesn't work for this purpose and in fact, GPC is worse at protecting against tracking. GPC only opts out against selling data, DNT opts out against tracking for any purpose whatsoever.

Advertisers habitually ignore/use these headers for fingerprinting, but a German court has decided that the DNT header has full legal backing as an "I don't want to be tracked" indicator in a case against LinkedIn and that spamming users with consent popups if these headers are present is essentially pestering them to relinquish consent that isn't going to be given. The GPC header has no such protections, but might be more amenable to the (worse) Californian privacy laws. Advertisers and other companies like to pretend that the DNT header has no legal backing, but it does. Cookie banners could entirely be handled on the browser side, but browsers and advertisers refuse to take this idea seriously because it'd lead to mass rejection of tracking. (Due to perverse incentives at this point; both Mozilla and Google own/are ad companies respectively. This is why Mozilla quietly killed the DNT header at the start of the year, in favor of the GPC header.)


This is the EDPB Guidelines for all tracking technologies: https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...

The main point is access to the terminal equipment of the consumer has to be explicit, there is no relation to DNT etc.


On the contrary, GDPR actually says that it’s illegal to condition content or services on the acceptance of tracking, if anything is provided after accepting optional tracking, it must also be available if declining tracking. This is very easy for a layman to understand when reading GDPR.

What your bank is doing is clearly illegal.


With GDPR it matters how countries incorporate it in their law and that doesn't work in practice.

>>GDPR actually says that it’s illegal to condition content or services on the acceptance of tracking

Good intentions, doesn't work. You call a bank, they read a contract to you for 5 minutes, you spot some sharing with partners (who knows who they are) there, you try to protest saying "ok but let's make sure it's not for advertisement" and the answer is "I can't do anything, that's the contract, you either accept or we can't open an account for you".

>>This is very easy for a layman to understand when reading GDPR.

What matters are laws of specific countries that implement it and what results are in practice. That's why I wrote about good intentions and real effects.

>>What your bank is doing is clearly illegal.

And there is nothing I can do about it.


Is there a consumer protection institution in your country? They could sue on your behalf.


>> What your bank is doing is clearly illegal.

> And there is nothing I can do about it.

So your argument for why GDPR is bad is that it is not being followed by all that it applies to... I mean, what do you expect as a response to that besides "That is stupid"?


My point is that it's written in a way that makes malicious compliance possible.

One way to improve it would be to make it clear you can't require any consent before providing your service. It's either necessary or don't ask for it. As it is, in Poland you are now served a long form at every opportunity and you have to agree to some part of it or be denied service. Online or when calling, you get to listen to a long formula about the privacy policy and who administers your data every time you call a bank or most other institutions. It made everyday life worse.

There is no way for me to verify that a given entity is following the contract anyway. GDPR could easily be transparent for consumers/clients. Instead it resulted in additional burden.

