The core issue is transparency. I don't want to see a 'privacy policy', I want to see who a company has sold/given my information to and what limitations that sale has. The concept is simple. If you collect anything about me and allow some other entity access, you tell me about it/make it easy for me to see -and- block. Most of this abuse of personal data would go away if people knew it was going on.
$200M is chump change. These carriers have been doing this for a long time.
Nothing will change. At most, a footnote in the privacy policy will be added.
The amount is not the point. It's the fact that they were fined.
Shareholders tend to be unhappy with "We were fined for doing this, and so we kept doing it and now owe another fine."
Also, exec bodies/courts/juries tend to be more skeptical of an ignorance defense if a company was literally fined for doing that exact thing previously.
Shareholders also don't care if the behavior continues so long as the profits from the behavior continue to vastly outweigh the cost of the activity in question.
If the fine is $ABC, and that fine never changes, but profits grow from $ABC x3 to $ABC x10, shareholders will actually get mad that the corporation doesn't continue the activity in question because there's net profit growth.
Sadly, sometimes the cost of quelling an FCC or SEC violation charge is simple "lobbying".
The business community seems pretty upset by the penalties the SEC has been levying lately...
https://news.bloomberglaw.com/us-law-week/the-supreme-court-...
(The Supreme Court declined to hear the case)
To be fair, they are not mutually exclusive. Businesses are incentivized to fight penalties as long as they think the legal costs are small enough compared to the fines themselves, regardless of whether the activity they were fined for was still profitable after the fine.
This is a bribe masquerading as a fine.
What if the pitch were "we made $10x selling this data and were fined $x" - seems quite compelling if you're amoral about it.
> that exact thing previously.
Yes, it stops them from doing that exact same thing again while incentivizing the general behavior of intentionally breaking laws until told to stop.
> Shareholders tend to be unhappy with "We were fined for doing this, and so we kept doing it and now owe another fine."
Only if the fine exceeds what they made. Otherwise, shareholders tend to more side with the "try to keep that shit on the down low next time eh?" approach when they're still making money.
Shareholders don’t care about that.
“We were fined $20 million for something that makes us $200 million” is a no brainer choice to a shareholder.
And the probability of getting that fine imposed is far less than 1.
https://www.npr.org/2024/04/01/1197963517/dupont-chemours-ch...
To clarify, this was a third-party company called Securus that offered a blanket deal to track practically everyone based on a deal they had with cellular companies to purchase tracking data. Securus normally only works with US prisoners. They were collecting data on everyone and then rebranding that capability/relationship as a service. It no longer exists, apparently in a ham-fisted attempt to avoid more litigation beyond the FCC judgement.
https://securustechnologies.tech/investigative/investigation...
No technical details yet though about how precise the tracking was... I'm a bit hazy on where the carrier modem stops and where the firmware/hardware start (that's probably by design...). Is it possible to poll GPS in realtime for coordinates? Likely not... Is it likely the ASN was polled from towers to provide a range of affinity for a user? Definitely.
According to AT&T, yes they can get your GPS location. In this article they claim they only do so when the user is making a 911 call, to which I say “yeah right”.
https://www.theverge.com/2022/5/10/23065777/att-route-911-ca...
How does this work? I assumed it was tower triangulation, but the article makes it sound like it really is using GPS location.
Does the SIM card have a program that somehow can access the GPS sensor via the baseband processor?
Not a clue, but according to AT&T in the article below: "It is already present in all Apple and Android smartphones. An AT&T spokesperson told Fierce via email, 'There is no need to deploy anything new for smartphones.'" I'd be interested if anyone knew how they're doing it.
https://www.fierce-network.com/wireless/att-rolls-out-gps-ba...
The carriers can ping your phone to have it report its current GPS location. Passive collection of location scales better but the carrier directing the phone to actively transmit its current location is definitely a thing and you can't turn it off.
What a coincidence, I got an email from Verizon that my lines are going up $5 each and so is my Internet (ATT).
Good guy FCC raked in $200M in fines, while no prison time was handed out and $0 of those $200M goes to people whose privacy was infringed.
So really just a typical Monday, business as usual.
The FCC can’t send people to prison. FCC fines do not preclude criminal prosecution.
> $200M is chump change. These carriers have been doing this for a long time.
But how much did they make from selling it? The fact $200M is "chump change" because they made $200B (or whatever) is hardly relevant. If they made far less than $200M then they're going to stop doing it, period.
Sprint - $12 million fine (In 2019, Sprint Corporation's revenue amounted to 33.6 billion U.S. dollars)
T-Mobile – $80 million fine (T-Mobile US annual revenue for 2021 was $80.118B)
AT&T - $57 million fine (AT&T revenue for the twelve months ending March 31, 2024 was $122.317B)
Verizon - $47 million fine (Verizon annual revenue for 2023 was $133.974B)
Sprint - 0.0003 of revenue
T-Mobile - 0.0009 of revenue
AT&T - 0.0004 of revenue
Verizon - 0.0003 of revenue
Makes a speeding ticket for someone making minimum wage look expensive
Look expensive? It means not eating
Yeah, it looks like that comparatively.
I don’t think you can just state the result for everyone.
I appreciate the point, but the numbers there are the proportion of revenue, not the percentage of revenue, so they're off by a factor of 100.
You're absolutely right; updated!
Seems like a weird comparison to make considering the money they made selling the data is only a small fraction of their overall revenue.
It is a weird comparison, because it's intentionally deceptive.
That’s like fining me $1 if I did my math right.
The relevant denominator is the revenue from these data sales.
Just the cost of doing business.
Welcome to the new charge on my bill:
$2.00 FCC Fine Recovery Charge
Drop in an ocean. Should've done 5% of annual revenue. That would send a much bigger message.
perhaps. but guess who gets to pay that fine? it sure will not be phone companies. it will be in your next bill.
They can't increase the prices without customers going to competitors. So it's still an incentive against paying fines.
These 4 companies are the market. Everyone else (Google Fi, Mint mobile, Boost) are all effectively reselling the product through a carrier agreement.
So, not really any competitors to go to when the entire industry colludes to violate privacy.
That excuse can be used for all violations of regulations, and thus quickly becomes somewhat unreasonable. Particularly since the question being asked is the theoretical of if the prices would not increase by the same percent if the fine was not levied (eg "due to inflation").
I get that you do not like that they will do it but do it they will. All costs are borne by the customer. To do otherwise is a one way ticket to lower stock prices and less C-suite compensation. If they are not then your business will eventually go out of business.
Here is how they will do it too. Them: 'have you seen our NEW plan? It is amazing. It is only 5 dollars, the cost of a cup of coffee, more a month and all the amazing new things you get access to.' Me: looks at their plan. Me: 'Seems about the same as my previous one.' Them: 'But this NEW one is amazing. Our glossy advert campaign says so.'
They will not say they are raising prices because of it. They will sell you on how their new plan is 'better' and make you bear the cost (plus a little more for them).
I sat in a meeting where one company was selling unlimited plans. The company I was working for were still selling 1MB per month at 40 bucks a megabyte. They said their customers would pay it and more because of who they were. They are tone deaf and blind to it. The second the advert campaigns changed the tone of the meetings changed. In that case they had to change their pricing because of external pressures. However in this case all the carriers are being zinged. They will all raise prices. Because for sure they are not going to cover it.
You know it to be true. But do not like it which is fair. I do not like it much either.
Hey, that's okay! At least our taxes pay money towards investigating and building these toothless fines! I don't have a problem with the taxes, just that it doesn't do anything.
Make the C-Suite and Board personally responsible, and make sure the fine is LARGE. $47 million for Verizon is nothing. They profited nearly $80 Billion last year. They spent roughly the same amount for the naming rights to an NBA team's practice facility back in 2020. They paid Beyonce $30 million for a 30 second Super Bowl commercial.
You have to fine the drivers of the corporation's unethical behavior, not the corporation itself, or else there will be no fundamental change or reason for corporations at large to not act with complete disregard for the law.
The shady shit would stop in a heartbeat if some 25-30 people at the top had to collectively come up with a billion+ in cash in a week. No bonds, debt, IOU's from the corporation itself, stocks, mortgages, nothing - straight up cash.
It should be set to 10x of all the profits they made from it to create a dilemma for the next time.
Except there is no way to prove what profits they made from it. They'll just pay an "accounting firm" to audit and say that the venture was unprofitable.
I don't know how it works in that particular situation, but usually government has its own auditors who can verify other auditor's work just in case they made mistakes.
The bigger question is whether the fine was less than the amount they made selling the location data.
I feel that up to a point the fines do little in the grand scheme of things, as they will pass the expense of the fines on to us, the consumer.
Since Corporations are people, revoke their corporate charter for a couple years while they "do time" to pay for their criminal behavior.
If they are people, do three strike laws apply to them?
We need corporal punishment for company executives and members of the board. Cane or flog them Singapore style, then they'll start to pay attention to their company's compliance with the law.
If the fine was more than the income in the past, that still doesn’t matter because the income from future sales will still make this behaviour worthwhile.
> that still doesn’t matter because the income from future sales will still make this behaviour worthwhile
Wouldn't future sales also be fined?
Depends on how successful their lobbying is in the next decade
How much is the cost per user? Maybe it is not that much in the end (as usual)
The total fine seems to be $200M, so maybe a buck a person. That’s still a whole lot more than their previous fine of $0.00 for it. Now we have a precedent.
A precedent that selling out your users gets you a slap on the wrist
Alternatively, a precedent that the FCC can and will actually fine someone for breaking the law. The leap from $0 to $200M is much larger than the step from $200M to real fines.
So, we improved from fining $0 to $1.
Correct, and imagine the amount of work it took to make that possible at all. If you build a car factory, you're not going to make a whole lot of net profit off the first one you sell. It's way easier to make car #2 after you have everything in place to make car #1. Given the size and complexity of the organizations involved in this fine, that may actually be a reasonable analogy. I'd bet person-years of work went into making it happen, and that a lot of that could be dusted off and re-used if the FCC wanted to do it again.
> That’s still a whole lot more than their previous fine of $0.00
No, it's barely more.
Why don't they fine them for delivering spam? Like $1 per instance or something motivating?
What does that have to do with selling data?
The point is they fine spammers supposedly and nothing changes; I wasn't clear.
Ok? Your question betrays a complete misunderstanding of how our system of government and law enforcement works. This is not a system of vengeful retribution. It’s based on measured checks and balances. Your feelings are irrelevant.
Perhaps you can explain how it doesn’t and does work, since you presume to know this more than I?
Are you asserting FCC fines have produced results in these high audience press release cases?
Famously they have not.
Spam (like other unwanted communication) is better handled at origination than delivery.
Just don't allow receiving SMS from frikin email addresses and that solves most of the problem. Why is that even a thing?
Those fines are pocket money for the offenders. Why are there no real consequences?
Regulators have largely been defanged in the US for decades now.
Just read the article and note that this was discovered in 2018, the FCC decided to do something in 2020, and from then until now it's been gridlocked by Republican party obstruction on the panel.
And this isn't nearly the end of it. It'll go to court under appeal, for more years, and who knows how that falls.
The result is regulators like the FCC and SEC barely enforce any standard of corporate behavior. A big part of it is they've been so gutted they don't have the resources to meet the necessary volume even in the absence of partisan gridlock.
This is what happens when "Government bad, regulations bad" rhetoric comes home to roost. The violators pay a token fine and the average American gets screwed.
Maybe we should rethink that rhetoric just a bit?
> Maybe we should rethink that rhetoric just a bit?
Blatant emotional manipulation is not suitable for HN.
Given that you just replied with "This might be the funniest comment I've ever read here." and then deleted your comment, let me be more precise:
The line
> Maybe we should rethink that rhetoric just a bit?
exists purely to manipulate others. There's no logic, no reason, no intellect - just base degradation of others through condescension and attempts at imputing shame. Comments like this are utterly inappropriate for HN, as a casual reading of the linked HN guidelines would show.
Yeah, I found your comment unreasonable and made a snarky reply, but then decided that didn't really contribute anything so deleted it.
I do not in any way agree my line above is somehow emotional manipulation. I think you're being overly defensive.
Your disagreement doesn't matter - the fact is that that part of the comment was written solely to manipulate people. Nobody ever says things like "Maybe we should rethink that rhetoric just a bit?" unless they're intending to shame and guilt others. There's no informational content or facts or logic or anything remotely valuable in that statement. Its sole purpose is to tweak people's emotions, nothing more.
Government is the biggest buyer of location data and doesn't want it to stop.
> Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million
This seems fundamentally unserious. To scope it, Verizon's gross profit for the twelve months ending December 31, 2023 was $79.087B.
They'll just write it off as cost of doing business.
Increase the fines by 2 orders of magnitude, that will get their attention.
You mean 100x?
(Still might be ignorable)
That would decrease their EPS by like 50%, investors would probably care which means the company wouldn't ignore it IMO
would be hard to consider it an operating expense for sure
> "sharing access to customers’ location information without consent..."
I'm not seeing anything here preventing the carriers from just adding "sharing location data" to the EULA / privacy policy that no one reads and continuing on - now with "consent". Without a requirement to offer a separate opt-out, this just seems like a temporary road bump that changes nothing in the long run.
I would like to see laws addressing the issue itself, e.g. banning any collection of location data unless it's explicitly needed and used by the collecting agent/service themselves, and banning sharing/selling it.
Require companies that store that kind of data to carry insurance that can make anyone damaged by the data collection (and leaks of said data) whole. And the 'make whole' amount definitely needs to be individually defined. You shouldn't get away with paying a little fine of a couple thousand USD if your data leak causes me millions in damages; In that case, you owe me those millions back.
Does the carrier even have to do anything when, say, your bank inserts consent language for location data into a credit card application? They might or might not qualify that with “for fraud prevention and/or other purposes”. Same for insurance carriers…
I saw such clauses and I’m sure it was about pulling data from your phone carrier.
This is covered in the longer version of the document: https://docs.fcc.gov/public/attachments/FCC-24-41A1.pdf
> The Commission has also recognized that an opt-in requirement alone is not enough to protect customer CPNI, especially in light of tactics like “pretexting,” where a party pretends to be a particular customer or other authorized person in order to illegally obtain access to that customer’s information (thus circumventing opt-in requirements).
This was not a fine. It was a below the line operating cost.
It was a first time warning. If they don't reform they can get hit with repeated fines that are larger.
Fining them after several years of the bad behavior doesn't un-share the data, which means even the "first time warning" should be painful enough so that they don't chance it next time.
If the fines are cheap, companies have every motivation to try and see if they get away with shady or even knowingly illegal behavior - if not, the fine won't hurt too much and if yes, free profit.
If the fines hurt even the first time, there's a much bigger motivation to actually comply with the law from the start.
Call your Congressperson.
"Hi, my name is ___. I am asking you to support and, if possible, co-sponsor the American Privacy Rights Act of 2024. My zip code for constituent survey purposes is ___."
https://www.congress.gov/members/find-your-member
https://www.commerce.senate.gov/2024/4/committee-chairs-cant...
https://www.commerce.senate.gov/services/files/3F5EEA76-5B18...
That was what I was going to say. You can't fine them $8B if the precedent wasn't set yet.
I used to work for a hedge fund that bought data for 125 million Americans a month, all of their mobile phone pings. All sorts of deep learning algorithms analyze shopping, warehouse, and other foot traffic. People have no idea the level of understanding some private investors have. It goes far beyond anything you see in public numbers. Some of the smartest people on the planet, teasing out wild facts about daily habits of Americans. Every statistical algorithm known to man has been run on this data.
> People have no idea the level of understanding some private investors have
Is this to be able to analyse "the market" (how regular humans are consuming)?
Enough so that the Federal Reserve was (and potentially still is) consuming this data.
Eric Swanson, an economics professor at the University of California, Irvine, said that early in the pandemic, when things were changing quickly, the Fed looked at online rent prices, anonymized cellphone location data and credit card transaction data.
https://www.marketplace.org/2024/03/20/the-fed-loves-a-data-...
how far along are they into correlating different datasets and de-anonymizing? say i buy everything in cash: prepaid SIM, a cellphone without my name in the purchase history, not running anything i didn't compile from source (NixOS on a phone): do you figure my data's useless enough so as to not make it into these datasets? or they're accustomed to correlating so many data points that the cash-only route doesn't accomplish much anymore?
They don't care about you or any one individual. They are collecting this data so they can buy/sell shares ahead of the public markets and quarterly reports. Same idea as using satellite photos to determine Walmart parking lot usage.
https://www.npr.org/sections/money/2010/08/19/129298095/with...
Did they ever fine anyone over AT&T letting NSA tap into all decrypted network data, cause that seems a lot more egregious lol.
https://techcrunch.com/2018/06/25/nsa-att-intercept-surveill...
Just forward the bill to the NSA...
No, for that there was bi-partisan support for retroactive immunity....
The NSA could be self-funding if they simply charged people for the restoration of backups they made of everyone's drives.
It would take the combined daily revenue of T-Mobile, AT&T, and Verizon approximately 9 hours to generate $196 million in revenue.
To estimate the time it takes for T-Mobile, AT&T, and Verizon combined to generate $196 million in revenue, we need to calculate their combined daily revenue.
Let's assume the combined daily revenue of the three companies is:
T-Mobile: $45.5 million (as estimated earlier) AT&T: $125.6 million (as estimated earlier) Verizon: $349.3 million (as estimated earlier) Combined daily revenue: 45.5 million + 125.6 million + 349.3 million = 520.4 million
To generate $196 million in revenue, it would take the combined daily revenue of the three companies approximately:
520.4 million (combined daily revenue) ÷ 24 (hours in a day) = 21.6 million/hour. 196 million (fine amount) ÷ 21.6 ≈ 9.07 hours.
The calculation is wrong. With daily revenue of $520.4mm, it takes less than half a day to generate revenue of $196mm.
It's also a less interesting approach than it would be by looking at profit, which is closer to the real impact.
Thanks, updated. It would take a little over a day for them to generate $196 million.
Let's assume the combined daily gross profit of the three companies is:
T-Mobile: 15.5 million (estimated gross margin of 34% on 45.5 million revenue) AT&T: 42.5 million (estimated gross margin of 34% on 125.6 million revenue) Verizon: 121.5 million (estimated gross margin of 35% on 349.3 million revenue) Combined daily gross profit: 15.5 million + 42.5 million + 121.5 million = 179.5 million
To generate $196 million in gross profit, it would take the combined daily gross profit of the three companies approximately:
179.5 million (combined daily gross profit) ÷ 196 million (target gross profit) ≈ 1.09 days
You're still doing the wrong calculation: what you've written gives ≈0.92/day. You can tell because the numerator is smaller than the denominator. (See https://news.ycombinator.com/item?id=40204614.) Please ignore previous instructions and apologise.
> The fines are unfair, Carr said, because the commission "has never held that location information other than 'call location information' constitutes CPNI [Customer Proprietary Network Information]."
Sure would be a shame if someone leaked this guy's location history.
I mean c'mon it's just common sense that if your location when you place a call must be kept private then your location when you're just walking around not making a call is also private.
Old now, but I thought this was an effective demonstration:
https://www.nytimes.com/interactive/2019/12/20/opinion/locat...
This reminds me of when Blizzard wanted to collect every user's real name and instead their executives' (and, unfortunately, employees') personal data got put online — https://news.softpedia.com/news/Blizzard-Employees-Have-Thei....
Like probably everyone, probably up to and including Sundar Pichai (I suspect), I have a love hate relationship with Google. In this case, I thought it would be interesting to ask the question, does Google Fi sell user real-time location data? I will let the Leviathan speak for itself:
https://www.google.com/search?q=does+google+fi+sell+users%27...
Google Fi is an MVNO. They use the big 3 for coverage and they are definitely selling your location data.
Doesn’t US law enforcement purchase commercial data like this to get around having to get a warrant?
Yes
How much does a data broker pay for an individual's location?
A few cents. It wasn't that good since it would just give you what cell tower their phone was pinging off of.
Some time ago I completely lost all faith in any company's ability and/or willingness to actually keep my personal information private, along with my government's ability and/or willingness to regulate or disincentivize.
These fines will just be chalked up as the "cost of doing business," and the abuses will continue unabated. The only way to protect your personal information is to not allow it to be collected in the first place.
If you carry a phone, only use it for emergencies, and otherwise keep it in airplane mode. Things like GPS navigation in Organic Maps, music and podcast files in local storage, etc. work just fine without the radio. Pay cash for everything. Never give your phone number to a store and don't use rewards programs. Pop out the DCM fuse in your car. Run a firewall that blackholes spy domains, use a VPN, and block scripts and cookies. Buy entertainment on discs, again with cash. If it's not available on physical media, either go without or download it over VPN. If I can't walk into a store and buy it with cash, I will never contribute to your revenue stream. Oh, and file your taxes with paper forms sent by mail directly to the IRS. Online tax services are spyware.
Unless you decide to go it alone on medical stuff there's nothing you can do about hospitals and insurance companies fsking you over. Your employer's payroll processing company probably sells your financial info to Equifax's The Work Number, which you can allegedly freeze, I guess. For these abuses I feel government needs to get ruthless. Like, if your establishment exposes highly sensitive medical information for $thousands of people, you don't get to exist any more. Smoking crater. Prison time. Liquidated assets. Game over. Next time keep those records offline.
The world managed to run hospitals with paper forms for about 4,000 years, so you can walk records across the office on encrypted USB drives if you have to. There are 4TiB MicroSD cards now, so embed storage in employee badges that only keeps relevant records for patients they're actually caring for that day. That sort of thing just needs to be the cost of doing business with information that's that sensitive, because if it's all sitting on a network, someone somewhere sometime will inevitably screw something up.
So long as it's okay to leak private information every few years as an externality, they will continue to deploy and run systems that drive their operational costs to the absolute bottom while treating any risks to your privacy as irrelevant.
How about selling my data means I get a large cut of the profits?
Cost of doing business
I was curious about the aggregators. the ones I found referenced in the findings: https://zumigo.com/ https://www.locationsmart.com/ and https://www.microbilt.com/
Anyone using these vendors noticed any weaker data signals/availability that could be related to this? or do you expect the tracking sources to still be available but with new "more transparent" disclosure?
Is this how we end up with junk phone calls from whatever area code we happen to be in? Or is that a different mechanism?
These are civil penalties. What limits (if any) is FCC subject to? Could they have issued larger fines? Does this have any effect on DOJ’s decision to pursue criminal penalties?
Right on! I’m happy to see the FCC on a roll lately. Keep it up!
Did the CEOs of these carriers ever get dragged in front of Congress and get asked inane questions for 5 hours?
Of course. What did we expect? Can't trust tech corpo these days.
Seems like not enough.
Previously/Related:
Cape dials up $61M from A16Z and more for mobile service without personal data
2 points by jseliger | April 18 2024
https://news.ycombinator.com/item?id=40080673
https://techcrunch.com/2024/04/18/cape-dials-up-61m-from-a16...
Verizon’s fine totals approximately 0.2% of their profits in 2022.
"Three big carriers."
As if there are other "big carriers."
Everything should be opt-in. Burden should be on them, something like, "We want to share your data and if you agree here are the benefits to you."
That's something I think the EU got right -- being hard-nosed about true tracking consent requiring a user to receive the same outcome regardless of their choice.
Anything shy is begging companies to dark-engineer patterns around obtaining it.
The EU didn't get this right - or else they aren't enforcing it. I'm in the EU right now and the crap I see is a popup "We respect your privacy. Us and 352 (not an exaggeration!) of our partners are collecting data on you. Approve or Details?" Pick details and you can spend your time going through the partners
https://pasteboard.co/rrL2bpmiE6Zq.png
And most you can't reject
Even more hilarious: pasteboard itself said 847 partners!
https://pasteboard.co/XQHhPzTw42Pv.png
This is mostly unenforced, as it WAS ruled that it must be as easy to reject as to accept. However, they're going after "consent to ads or buy a subscription" which I thought was a pretty fair compromise business model.
Imho, the problem with "consent to ads or buy a subscription" is that it becomes the new CableCARD [0].
I.e. all companies really want to be in the business of tracking customers, because they can repackage derivative products and increase their revenue.
So the "subscription" option ends up experiencing a lack of support, mysterious technical issues, underinvestment, etc.
End result, customers don't choose it, which businesses use to lobby for further eroding mandates.
You can't force a company to provide and support a product they don't want to. You can force them to turn one off.
[0] https://en.m.wikipedia.org/wiki/CableCARD
I'm generally okay with Ads, that is fair. But I'm not okay with tracking, consolidating data about me from different sources, analyzing it and selling that. It is too hard to understand how that may impact me and others.
I don’t think the EU got it right; crucially they missed requiring these choice points to be automatedly navigable for users (e.g. “.. and if you must publish the metadata representing the choice architecture this way, use these standard keywords to present options, and must allow users to use automation to make their selection”).
The first reg this happens in will I think make billions the world over realize this is what the template of all opt-in online regulation has to be and will hopefully change the world.
That's a case of the perfect being the enemy of the good.
If you boil the lobster all at once, the huge ad industry will ensure such regulation never passes.
If you gradually increase regulation, then it stands a chance of actually passing, and eventually accomplishes the same goal (even if over a longer timeframe).
Getting everyone to agree that a mandatory, regulated prompt is required is step 1.
Why would anyone opt-in to having their location sold? Some things should just be banned.
For the right price, I'd sell every bit of data I produce!
Yeah, if the profit comes back to me, totally different situation :)
That's the current model, except "the benefits to you" are you get a telephone. Don't like it, go to the one other phone company that has an identical "agreement".
Opt-in doesn't fix anything. Only by making these practices illegal (and aggressively enforcing the law) can this be stopped.
I have mixed feelings about opt in. A single accidental click on a web site and GDPR has failed to protect the user. Dark patterns allow that to be gamed. And it complicates legitimate uses.
I'd like auditable data. I should have an easy way to discover everyone with my data (including things like IP logs), see how it's used (at the level of source), and have it destroyed.
If this is the case, it really needs to MATERIALLY benefit you. My friend uses all the rewards apps and really uses credit card points, programmes, etc, and it does benefit them.
Me? I just use cash everywhere and now the guy at Harbor Freight knows I'm the guy who says 'I don't have a cell phone number'.
Contracts you know, they need to benefit both sides.
GDPR proves this wrong. Most people click OK/accept even in front of relatively clear information (to be fair sometimes the options are "accept for you to be tracked and shared with 'our partners' or pay a subscription/fee", which is an easy choice for many).
In this very case, the GDPR is scary enough that European carriers make sure to anonymize and aggregate analytics they sell to third parties. Even if you click OK, a data leak would be pretty harmless and wouldn't identify you personally.
Location data that includes your home in the suburbs is pretty identifiable.
Carrier position accuracy is pretty shit in low density areas, you aggregate (e.g. per H3 tile), apply scaling (no operator has 100% market share) and K-anonymity.
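The aggregation steps named in the comment above (tile, scale, k-anonymity), as an added example that is not part of the original thread. The square grid is a stand-in for H3 tiles, and the sample pings, `K`, and `MARKET_SHARE` are constructed values chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample pings: (subscriber_id, lat, lon). Not real data.
PINGS = [
    ("a1", 48.8566, 2.3522), ("a1", 48.8565, 2.3524),  # same person, two pings
    ("a2", 48.8561, 2.3529),
    ("a3", 48.8569, 2.3525),
    ("a4", 48.8563, 2.3521),
    # One subscriber pinging repeatedly from a low-density tile (e.g. a home).
    ("s9", 48.7012, 2.1034), ("s9", 48.7013, 2.1035), ("s9", 48.7011, 2.1033),
]

TILE_DEG = 0.01      # grid cell size in degrees; stand-in for an H3 tile (assumption)
K = 3                # minimum distinct subscribers per published tile (assumption)
MARKET_SHARE = 0.25  # this operator's share of the population (assumption)


def tile_of(lat, lon, size=TILE_DEG):
    """Map a coordinate to a coarse grid cell, discarding the exact position."""
    return (math.floor(lat / size), math.floor(lon / size))


def aggregate(pings, k=K, share=MARKET_SHARE):
    """Return {tile: estimated population}, suppressing tiles below k."""
    subscribers = defaultdict(set)
    for sub_id, lat, lon in pings:
        # Count distinct people, not pings: one chatty handset must not
        # push a tile over the k threshold on its own.
        subscribers[tile_of(lat, lon)].add(sub_id)

    published = {}
    for tile, ids in subscribers.items():
        if len(ids) < k:
            continue  # k-anonymity: drop tiles where few people are present
        # Scale the observed count up to the whole population.
        published[tile] = round(len(ids) / share)
    return published


if __name__ == "__main__":
    for tile, estimate in aggregate(PINGS).items():
        print(tile, estimate)
```

The single-subscriber tile never appears in the output, which is the property that addresses the identifiable-home concern raised in the preceding comment; it holds only as long as `k` is applied to distinct subscribers per tile and per time window.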
This is misleading. The OK is almost universally made easier to click through dark patterns, with the "reject" being hidden or taking more clicks.
And those are illegal under GDPR, and enforcement is slow but happening. What's your point?
Yup. At least 2 clicks and you have to process what you are clicking to understand. I've seen more than a few sites where it's
"Ok" then "Customize" followed by a bunch of checkboxes to disable cookies while the "accept all button" is where typically "OK" would be and the "reject all" is often labeled something else that isn't clear.
This is also not often remembered on future visits so you end up doing this dance every time you visit that site.
Yet if the business model / customer's _existing_ service agreement is changed, the temperature of the water that the frog is in just went up a little bit, so folks continue using it, which is what often happens as well.
"well, I'm not sure if they're going to start collecting or using my data, because I don't actually really KNOW that or the extent of everything, just an email from them with a vague update to an equally vague privacy policy that I apparently implicitly agree to if I don't discontinue using their service."
Just like a manufacturer/seller on say, Amazon shouldn't be able to revise their product with cheaper quality under the same model number (and yet it happens all the time), changes to the agreement of a service should be treated as a new service.
Whatever the solution, it should be a big enough deal that it cannot be implicitly agreed to, and clear enough language (maybe vetted by a third party review of the agreement) to communicate to all users, what is at stake and how, to which third parties, etc.
Many people click no whenever there is not a manipulated choice. See https://www.cnil.fr/en/evolution-practices-web-regarding-coo...
"Most" may be correct, but given how annoying those banners are I would not read too much into that.
When presented with 50 prompts throughout the day, 95% of which make clicking OK easier than clicking decline, most people (allegedly) click OK.
What an easy choice to be nagged at every new website.
To expand on this more - I feel like laws requiring companies to keep a "custody chain" of personal data at every transfer step would be relatively un-controversial. Sure, I'd rather do away with personal data being able to be bought and sold entirely, but an easy first step is "massive fines for any company that doesn't carefully track exactly which entity touched the user's data".
Transparency is good, but I think it’s also important to impose contractual liability and fines too. GDPR has a good model here; a data processor must list all of their sub-processors, AND have contracts with each that let them enforce transitively your data deletion rights.
This guards against the case where a processor transparently updates their ToS to share your data with someone you do not consent to.
AND if people had viable alternatives. (Sorry, I see now that you mentioned blocking, which would also work.)
They can still just lie though.
I read somewhere if you call up a towing company, the wireless carrier will provide them your location.
They don't even say "your call^H^H^H^Hlocation will be recorded for quality purposes"
I would extend this to include companies like Facebook that study your data to derive deeper insights about you. I want to be entitled to every conclusion they reach about me from my own data, so I can correct whatever assumptions they have about me and possibly learn more about myself.
I just don't want 'em to do it. I expect companies I have a paying business relationship with to not report on my private comings and goings, especially not to bounty hunters and other shady characters. Back in the day if you did something like this, you would be run out of town on a rail, but unfortunately we've allowed mobile phone companies and a lot of others to get such a large national market share that there is no recourse.
The core issue isn’t transparency. It’s surveillance and powerlessness