50 replies
1d6h
We are fortunate to have lived through a brief period where the internet was truly a global network. A person in the Netherlands or Nigeria [1] could access the best technology services the world had to offer. People could more or less interact freely across borders.
Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the internet being a global network is obviously becoming inviable. It was fun while it lasted.
[1]: https://www.reuters.com/technology/nigerias-consumer-watchdo...
These laws have been created for good reasons, and US tech companies have had free reign to trample on people's privacy rights for a very long time.
If a company acts in a honorable way, there's nothing to fear and they can easily do business world wide. It's when companies do things that are shady and should've been outlawed from the start that they run into trouble. The main issue here is that the US has the least restrictive laws and allows its citizens' privacy to be grossly invaded, which means these companies now feel like they're being unnecessarily restricted.
If the US had stricter laws, this would be a non-issue and you wouldn't hear anyone about it. It's all very myopic and US-centered to focus on the company's freedom to do as it pleases. What about the users' freedom to live without being spied upon? Free market rules don't apply - the network effects are too big to really say "you can take your business elsewhere if you don't like it". Also it's a transparency issue - it's too hard to tell from the outside how your data will be handled to make an informed decision about what companies to deal with. Especially because all of them treat your data like they own it, as a cash cow.
The Dutch DPA is not accusing Uber of doing anything nefarious. They are mad that Uber, as an American company, can be compelled by the US government to hand over data. Ultimately, their beef is not with US companies, it’s with the US government.
This is all wildly ironic because the EU is constantly trying to spy on their own citizens and undermine encryption. The EU is just upset that the US is able to do it instead of them.
This is just companies being caught in a geopolitical spat between competing powers. The EU keeps moving the goalposts on what constitutes “safe” transfers (we’re on the 5th round of this). So there’s no way for companies to be compliant unless the US government changes its laws. So right now it’s just a lever to extract money from US corporations via never ending fines.
The US government and the EU need to sort this out. Blaming the companies shows a total lack of understanding of the real situation. I get that we all hate big tech now, but there’s literally no way to comply in good faith with these competing EU cash grabs over the shifting specifics of how you can transfer data to US servers.
That's a nonsensical load of hyperbole, pardon my French. It's not particularly difficult to be careful with personal data, it's just inconvenient and prevents all kinds of uses that can make you money - which is why US corporations would prefer to not implement it. But if you want to do business in the EU, you need to play by their rules. Simple.
I have soberly explained the actual situation to you. I know it’s impossible to have a rational conversation about privacy on HN and my comments go against the narrative everyone has stuck in their heads here, but I urge you to look further into this issue.
This is an ongoing geopolitical spat and compliance in good faith is currently impossible.
I have spoken to many lawyers about this. Any US company operating in the EU is at risk of constant fines no matter what you do, due to this geopolitical issue.
So why don't the poor trillion-dollar supranational corporations do anything about it?
I can tell you why: they are happy about this. And you can often find they sign their support for these laws in the US.
--- start quote ---
The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
The CLOUD Act received support from Department of Justice and of major technology companies like Microsoft, AWS, Apple, and Google.
https://en.wikipedia.org/wiki/CLOUD_Act?wprov=sfti1#
--- end quote ---
Boohoo cry me a river about the plight of these poor hapless companies.
At my company, we do business in the EU. It's a wide market with many opportunities. We're extremely careful with personal data: we do not intentionally collect user data, we do not share data with any third-party (and certainly never sell it)!
Importantly though, the law does not suffice with "careful". We *think* we have our bases covered and are careful to try to ensure they are but we're not sure how to *know* our bases are covered. There's the fear that some logs that we believe are anonymous might be considered identifying by some data scientist armed with techniques we've never heard of. There's the concern that some third-party library might dynamically pull in a font-set that comes from a US-based CDN based on some user configuration that we don't foresee. There's the anxiety of asking "Did we forget something? Is the DNS server in us-east-1?" when trying to roll out new features.
These are all strawmen, but they represent the kind of anxiety we feel. Having done our best to respect the requirements and the spirit in which they were written, there's the fear that we were imperfect in our awareness and that that something could cost us a fine that would have gone to someone's salary.
I would very much condemn the indiscriminate collecting, reuse, and selling of personal data, but I would also caution that those of us wanting to play by the rules find them lacking in precision.
No idea why you would feel the anxiety. If you're found lacking, you will forest get s notification from the DPA asking you to remedy the situation. You wont even be fined
Government spying on citizens is one thing. Companies is another. GDPR applies mostly to the latter, and in practice, today, most people in Europe aren't being harmed by their governments spying on them, but they are being harmed by private business abusing personal data.
I would much rather companies “spy” on me than the government.
but the us can, and perhaps did in the past, and perhaps will in the future, be able to access all that data nonetheless. it's not a dicotomy
That's a pretty outdated preference in the current age in the West.
I'd prefer if neither was the case. In the US, you can be certain that both are true.
"These cannibals keep eating people because their country's laws allow it. It's not right to blame the cannibals, the governments should figure it out."
Except in this case people love being eaten and keep volunteering to be eaten by the cannibals.
There is no actual OR theoretical harm from the companies. Only theoretical harm in the event the US government decides to spy on an EU citizen.
The correct analogy: “There’s cannibals in both countries governments. Country A claims Uber hasn’t done enough to protect from Country B’s government cannibals.
This ignores the shifting rules around proper data transfers to the US, but you wanted a pithy logical fallacy, so there you go.
I am assuming you refer to a law proposal that was rejected, but did you know americans were sponsoring and pushing that law proposal to spy on chats? Yeah same CP people.
Also there is a GIANT difference for a country to "spy" on their own citizens and USA spying on foreigners , a country has a consitution and lwas that protect the citizens freedom where USA has no laws that protect foreigners freedom so the NSA guys could watch an EU citizens photos, read their emails since they are not from USA they are lesser humans.
The people advocating for more privacy in the EU and pushing legislation like GDPR aren’t necessarily the same people who want to weaken encryption. Lots of things going on in the EU at the same time.
I agree though that it can be hard for a US company to comply with GDPR as every country seems to interpret it slightly differently. The same difficulty is coming on the AI legislation side.
Since the company getting fined is also the company that spied on police car positions in the US I don't think that this type of shady behaviour helped in showing good faith in this case.
This is a wrong phrasing of the problem: The US is not, and has never been, a safe haven to transfer personal data to. However, it would significantly impact trade (and policing) concerns between the EU and the US if that statement were to be treated seriously. This is why the European Commission and the Parliament have repeatedly tried to create a framework which allows transfer of data despite the US' insistence on secret access to the data without due process (aka secret courts, which cannot be due process by any reasonable definition). European courts, again repeatedly, have taken the stipulations in various laws guaranteeing rights to citizens seriously, and keep striking down the badly made frameworks. It's not "shifting goal posts", but rather "not willing to accept the political costs of respecting citizens' rights".
"What about the users' freedom to live without being spied upon?" Pretty simple, don't use Uber.
Facebook showed this to be a stupid premise. You don't have to use a company to "interact with it" on the internet.
I'm not going to address your comment at the object level; I'm just going to point out that you've missed the point of my comment entirely. My comment is descriptive (the internet is going to become nationally siloed) not normative (a moral judgement on the conditions that are leading to this state of affairs).
EU citizens: We don't want our data in the US, where it can be siphoned off to other companies.
US company: siphons data
EU: You can't do that.
HN commenter: Damn these fiefdoms wanting their cut, what has the internet become? I pine for a simpler time, when I could do anything I wanted with data against people's will and nobody could stop me, that truly was the golden age.
He was saying that Uber will no longer operate in NL/EU, the pining was for "equal access to US services", not your data. FWIW, I am annoyed myself about having to accept GDPR popups on every website I visit, so I too pine for a day where US companies have nothing to do with "EU citizens".
Right, but the reason EU citizens don't have equal access to US services is because EU citizens decided that the services they use need to be careful with the EU citizens' data. US services said "nah, that sounds too hard, I'm outta here" instead.
What US services left? Only ones I know of are a couple of US centric newspapers. Virtually everyone stay in the EU market.
Hahaha, that will not happen. And if Uber against all odds actually leaves some other company will swoop in and take their market. Personally I prefer Bolt over Uber for rides here in Sweden.
Imagine how much poorer the world will be when one fewer jitney cab company operates in the Netherlands.
Uber’s right to do what ever the f they want stops at my right to control information pertaining to me.
What’s freedom? GPL? BSD? Swinging a fist? Not getting hit on the nose?
Freedom to some means creating a startup that willfully ignores regulations in virtually every market while playing a funding ponzi game until finally handing the consequences off to the foolish public (IPO).
We don't say "Ponzi scheme" here, we say "disrupting traditional markets" and "investment opportunity"
Or just “funding rounds”
You've missed the point of my comment. It has no normative claims, unlike your angry invective about rights. I'm just pointing out that the inevitable consequence of these new regulatory regimes is a nationally siloed internet. You can feel however you want about it; maybe that's a good thing from your perspective. But it's happening
Access to tech is different from handling of personal data though -- the EU GDPR laws around that are clear and fair
People have a right to know where their personal data is going, what is being stored, what it is being used for and should have a mechanism to correct it and delete
The wider challenge is how that is handled in a compliant way with LLMs and generative tools which vendors do not seem to be taking particularly seriously yet
I'm curious as to why people would want to train LLMs on personal identifying information. What's the benefit of an LLM that has a large collection of names, addresses, dates of birth etc.?
Free-form text like Reddit posts contains a whole load of PII. Since there is absolutely no regard for what goes into a LLM, naturally, they also contain this PII.
That's not something that I've encountered on Reddit - I've mostly seen people deliberately not using their real names.
If there is indeed a lot of personal identifying information from Europeans on Reddit, then they'd better get ready for a GDPR investigation.
Well, I'm not sure that I'd equate "freedom" with companies exploiting people's personal identifying information and selling it for their own profit. Personally, I don't want my information that's protected by GDPR in my own country to be smuggled into another country where there's almost no legal protection for someone's data/privacy.
Free as in corporate freedom to extract and abuse your personal information
Quite - it reminds me of the "freedom" to own slaves, but obviously not nearly as abusive.
And this freedom was ended by companies like Google and Facebook who abused this freedom forcing governments to act. Internet was at its worst right before GDPR. I don't think we will ever get back to the old free Internet and instead we will have this power balance between big corps and governments.
Like with any new frontier. There's age of exploration, then the age of exploitation, and in the latter. Even if the former is usually funded by commercial interests, it's in the latter that they finally suck out everything that's nice and fair and fun about the venture. We're at this stage now with the Internet.
- Some ignorant bloke at the end of the British empire, probably
Point, but IIRC the end of the British Empire was met with a mix of "We didn't want it anyway it was so expensive"* and "We lost an empire but gained a continent".
(The latter followed by lots of pikachu surprise face because they weren't in charge of said continent).
* Not only an Aesop reference, but also an actual claim I've repeatedly encountered
Why exactly would physical products have to comply with local laws when exported to other countries and not online services? Do you also call it "fiefdom wanting their cut and their say"? Do you disagree with the concept of laws altogether?
The thing that made a global internet possible is that it was understood that sending bits over a wire is different from shipping physical goods. The customs regime for physical goods is prohibitively expensive for bits.
I'm not interested in arguing if eliminating free transit of data is a good idea or not; I'm just pointing out the inevitable consequence of the current trends.
The US still does not have legislation to protect Personal Data like the GDPR.
That did not prevent the corrupt European Commission to issue a third variant of the Shield to still allow american corporation to send data of EU citizens to the US, despite the Schrems2 ruling.
You mean, the epicenter of that global network transformed it into a tool of influence and surveilance? [1] Or maybe that the companies participating in that global network saw interest in walling that global network ? [2] [3] Or maybe that global network is being reshaped by a few dominant actors so much that outside regulation becomes necessary? [4] [5]
No, of course not; it must be local barons trying to scrap a bit of power, not at all a reaction to massive abuses from the industry.
[1]: https://en.wikipedia.org/wiki/PRISM [2]: https://www.eff.org/fr/deeplinks/2013/05/google-abandons-ope... [3]: https://blockthrough.com/blog/the-walled-gardens-of-the-ad-t... [4]: https://www.theverge.com/c/23998379/google-search-seo-algori... [5]: https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...
Local & capable internet is the future. I don't want my country influenced by US/EU politics all the time.
It was fun for companies to freely steal people's data and sell it to the highest bidder. I'm glad this is slowly coming to an end.
I'm not sure I like Meta's and the influence of other foreign companies on European culture too. We were more free before them.