Comment by Nextgrid
5 years ago
Maybe we should consider legal solutions?
There are real-world threats that you can't 100% defend against and yet we are mostly safe because the law is an effective deterrent.
Why not apply the same on the web? How come we have draconian anti-hacking laws (that are sometimes abused), but none of them are used against this tracking where it's essentially the same result as installing spyware?
Strongly this.
Privacy is not a technology problem. It's a business problem. As long as the adtech industry is allowed to thrive, as long as people build companies with ad-based or data-resale-based business models, this will be an endless game of whac-a-mole, with the browsers only ever growing in complexity, and building anything on the web only becoming more difficult.
We have to address the root cause: advertising as a business model. My suggestion: let's apply regulatory measures to kill this business model entirely.
> We have to address the root cause: advertising as a business model.
Isn't the root cause advertising that depends on data sharing, rather than advertising itself? I think it's fine if a site wants to display advertising that it serves from its own domain, without passing on any data to third parties.
The way I see it: advertising as a business model => want for better ads; targeted ads are more effective than untargeted ads, therefore the business model drives increased privacy violations.
I agree that in terms of privacy alone, an intervention point could be to get rid of third-party ad targeting. But advertising itself - not just targeted one - causes so many pathologies on the web that I'm in favor of focusing on the common cause.
2 replies →
It's not just ad-tech. You have full fledged business models based on siphoning off and sell your privacy, like Plaid and Visa. In fact, every CEO asks their company a very important question--how do we weaponize our data? It's a revenue stream for everyone.
One idea I’ve chewed on: Make it a law to have to pay people for their private data. Ie charged by the minute (second would be best) to the tune of minimum wage or an organizations WTP as a salary for 24/7 access. The idea is to price and legislate it at the point where it makes sense for the average citizen/user. Creating the notion of private property and reinforcing it is a fundamental purpose of government.
This would raise many problems: do you pay based on how long you store the data for? Does derived data qualify too (otherwise you can keep the original data for a minute, derive an intermediate data format out of it, then discard the original)? Do you charge for how long is spent processing that data (so they just throw more CPU at it so the data is only processed for milliseconds)?
I don't think this is a solution. Not only is this hard to implement & enforce, but this still ends up legalizing the unwanted processing of consumer's data as long as the processors can pay the fee. Those users should be allowed to decline regardless of how much the processor is willing to pay.
1 reply →
I mean, you fundamentally "pay" with your private data already in the sense that those services use your "payment" in order to offer you the service in the first place.
You could force businesses to put a number on it. But in general websites don't just sit on the money they make from ads - they spend it on hosting costs and whatever other business expenses. Note that I'm not arguing whether some of them are still making a fortune with it - but requiring that users are paid for using a service that incurs costs for the other party is... backwards?
1 reply →
The legal system cannot keep up with the complexity rapid change of software. You will end up with one regulation that says you cannot track users, and another regulation that says you have to prove that you are effectively blocking Iran users from using your product. If you log IPs connecting to your severs you'll be accused of tracking users, and if you don't log IPs you'll be accused of not doing your due diligence in confirming you blocked foreign users.
Is this an actual problem or is this a typical knee-jerk argument people make when someone is talking about regulation? (despite the current situation being so bad that it's hard to imagine regulation making it worse)
Regarding your specific example, the GDPR appears to deal with it easily: any data processing to comply with the law is allowed and does not require explicit consent. This seems to work well (of course, the GDPR is bad because it't not being enforced seriously, but if it was, the scenario you describe wouldn't be a problem)
Also, when I talk about regulation, I'm talking about regulating the intent and/or outcome rather than a particular implementation. If you track someone without their explicit consent for the purposes of targeted advertising or marketing you are in breach of the regulation, regardless of whether you obtained that data online, in the real-world (mobile phone tracking, facial recognition, loyalty cards, etc), by using Tarot cards or even a fortune-telling goldfish.