Slashdot Mirror
Ask Slashdot: How Is It Even Legal For Websites To Gather And Sell Users' Data?
Long-time Slashdot reader dryriver sees it like this:
Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.
Would I be breaking the law if John D. has not given me explicit permission to do this? Very likely. If this is the case for "meatspace data gathering", how can websites justify gathering information about visitors, and selling that information to third parties?
How would you answer this question? Attempt your own best explantions in the comments. How is your country balancing the need for online privacy with actual laws governing what can and can't be collected?
How is it even legal for web sites to gather and sell users' data?
Would I be breaking the law if John D. has not given me explicit permission to do this? Very likely. If this is the case for "meatspace data gathering", how can websites justify gathering information about visitors, and selling that information to third parties?
How would you answer this question? Attempt your own best explantions in the comments. How is your country balancing the need for online privacy with actual laws governing what can and can't be collected?
How is it even legal for web sites to gather and sell users' data?
They're completely legal.
One can't answer your question unless you specify "legal in jurisdiction X". For example Europe has GDPR, USA or Canada or Mexico or China does not, but they have other laws.
So I guess I would answer your question with "Legal where?" and a disclaimer "IANAL". ;-)
Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.
That sounds a bit like a private detective, with the exception that they typically work for a specific client.
Also, if you stop to think about it, going to a website it like going to some person's private establishment. I'm visiting their server, so it's their rules. Stores no doubt track my purchases, and some even have cameras on presence that record my every action. If I have a problem with it, I can take my business elsewhere.
Sure, terms of service could be more explicit, but most people wouldn't bother to read them or would just click through like they did when they signed up for a Facebook account or half of the other shit they use online.
.. the rule of law exists in this world. There are two sets of laws, one for the rich and corporations and another for the rest of us. The reality is the internet and technology has made it cheap and easy to collect data on everyone. Even if you wanted privacy it can't exist due to technological advancement. Our technology is making rule of law irrelevant.
The last 20 years the internet enabled software companies to steal peoples game and OS software (drm) and remove their privacy by force because we can't reach them. The only solution is reconstituting corporations legally so they certain behaviors aren't allowed or they lose their charter, but that's unlikely given the free market fundamentalism that grips the world. The only way out would be for society to have a say in how corporations or businesses are run and given the mass stupidity and huge amounts of money arrayed against that outcome it is unlikely.
What makes you think any of what you described in 'meatspace' is illegal? It's not, in the US, anyway. PERHAPS could be considered under harassment or stalking laws if it was very blatent, but if you are in public, you are subject to anyone recording/photographing you and what you are doing, pretty much.
If I'm not back again this time tomorrow...
They are enhancing the customers experience.
Rick B.
USA Laws are limited by these 2 main laws that limit it by age (under 13) and healthcare respectively: COPPA https://www.ftc.gov/enforcemen... and HIPAA https://www.hhs.gov/hipaa/for-...
And then it's not really limited anymore except by state. Which a summary exists here: https://en.wikipedia.org/wiki/...
You are going to their house and doing what you do, and they're just making note of what you did in their living room.
STOP . AMERICA . NOW
The real-world analogy would be more like keeping track of someone's location and activities who entered your retail store, then using/selling that data as they see fit. People may not like that, but I don't think there's any serious theory that it would be illegal. (Let's ignore for a moment the places in that retail store where you'd have a reasonable expectation of privacy like changing rooms, since that's outside the scope of the submitter's doe-eyed question.)
In the same way, you visit someone's website, you play by their rules. This doesn't seem particularly complicated or surprising.
No reasonable expectation of privacy. Perfectly legal.
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Especially since you agree to their terms of service when you sign up.
The user and their content is the product.
Use an ad company that offers "free" services and the ads will flow.
Domestic spying is now "Benign Information Gathering"
I use uBlock Origin, Ghostery and a Hosts file to block as much Web advertising and tracking as possible.
This makes the leaks obvious: one random item I browsed will follow me around in ads on several sites.
Of course, Amazon knows exactly what I want, and Google knows I go to (legal) cannabis dispensaries on my vacations, but I can live with that.
I guess Kenneth Lay never was convicted of insider trading and stock manipulation which impacted millions of individuals...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
It's not necessarily illegal to follow someone around without there permission to the extent you are not entering private property illegally and trespassing. Basically assuming nobody tells you to say leave a store following someone onto private property of a nature open to the public it is going to be legal. There may be statues against harassment, but those are going to be more specific. There may also be laws against practicing investigations without proper licenses. However following someone around and making notes about them is not in and of itself necessarily either of these things. It's merely impractical to make such a business model work and so nobody has done it until more recently and really only to the extent it is automated via technology via cameras, cell phones, etc.
The copyright-absolutist position is this: My life is *my* performance before God and all mankind. As soon as it is recorded, that recording is a copyright work for which I own the copyright (unless there is a specific written contract to the contrary), according to US Code Title 17. And use of that work without my permission for commercial gain is felony copyright infringement. Felony copyright infringement is exactly the behavior all these data-gatherers are doing. FWIW.
"My opinions are my own, and I've got *lots* of them!"
And that they can be expecting even before he expects it.
Imagine you phonecall a company and say:
Send me a travelling Salesperson, please. Or a delivery service and say, please deliver a newspaper to my office.
They answer: "sure, but there are some conditions for that convenience, please, for the next 8 minutes listen carefully to them."
You do not listen, instead, put the phone on the table, set your watch to 7 minutes, and go brew a tea.
You return, and when the operator asks: "Do you agree to our terms?" You say "yes"
It turns out that the terms include the salesperson or deliveryperson staying in your office long after the transaction is concluded (you place your order or get your newspaper), taking notes of many of the things you do, correlating those notes with those of other delivery companies/salespeople/third parties and a long and creepy et cetera.
But hey, you neglected to hear the terms of their service, because those terms were boring, and instead you went for tea.
Having corrected the analogy used by dryriver, the correct question to ask slashdot is:
Are the terms of service used by most websites even legal?
*** Suerte a todos y Feliz dia!
pro-business and pro-corporate leaders for nearly 50 years now. If the people in charge of regulation don't believe in regulation then we don't get regulation.
Seriously, it's not complicated.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
if you're out in public and somebody takes your picture you don't own the picture.
If we made every bit of data that involves you copyrightable it wouldn't really help. You don't have the money to litigate dozens of copyright lawsuits. It would just turn into a useful tool for the wealthy to quash criticism against them.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
My country is still debating if Global Warming is real or not, if Evolution is real or not, if Vaccination creates Autism or not, if the Earth is flat or not etc. Online Privacy is too advanced a topic for us right now. Perhaps in a couple of decades we will get there.
Simple answer: It's not users' data. It's data *about* the users.
When you take out a pen and paper and write down the colour of your dog, that data isn't *owned by* your dog. If you kept a record of your customers height and weight on your own hard drive, your customers don't own that data.
If you make a website, and record data about your site's visitors, your visitors don't own that data. It's data *about* them.
In a free country, everything is legal which is not explicitly illegal. So nothing has to be "made legal" unless it was previously made illegal.
In this specific case, the information you choose to send to a website from your computer is completely under your control. You don't even have to hook your computer up to someone else's network if you really don't want anyone to know anything about what you do with it. They aren't pointing TEMPEST gear at your windows, you're voluntarily sending them information from your computer to their server.
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
Per the following someone around parallel, I wonder if this comes under stalking laws?
you give them permission to do so.
even this very site is like that.
see also: https://slashdotmedia.com/priv...
Follow everyone around and collect data on them.
The only thing that covers is your expectation of continued service.
Privacy is covered by law and is not something that can just be signed away because a company would like it that way.
The real problem is simply these companies aren't being challenged in a way that financially hurts. I'd be happy if Facebook couldn't exist due to burden of fines.
well, you do give the website permission by agreeing to their terms of use.
People seem to think at the individual level, not at the group level. I first ran across this in the 1990s playing Everquest. In response to complaints about griefers harassing regular players, they came up with an anti-harassment policy. You could be banned for targeting a player and harassing them. This had the opposite effect than intended. Griefers didn't target specific players. They tended to hang out in an area and try to ruin the day of anyone who came into the area. On the other hand, people who got fed up with the griefers and tried to drive them out of an area were targeting a specific player. And so the anti-harassment policy ended up protecting griefers, while getting anti-griefers banned.
For some reason people seem to judge the harm of bad behaviors in terms of the average harm done to an individual, rather than to the overall harm done to society. A spammer sends out a hundred million spam emails, and people say "what's the big deal? It only takes you 3 seconds to realize it's spam and delete it." But 3 seconds times 100 million is 9.5 years of cumulative wasted time and productivity. Likewise, people handling private customer data don't take it seriously, since each individual's data is probably only worth a few dollars. Nobody cares if they lose a few dollars, right? But multiply it by several hundred million people and you're doing serious economic damage if you take it without permission or let it get stolen by hackers.
He was, in fact, convicted of ten counts of securities fraud. And then he died.
chris watts íë¦ìS ì(TM)ì
We have so much other crap to worry about right now. Everyone takes our data. Heck it's part of our freedom as a species to monitor other people / animals / objects and record things about them. What the fuck is going on that this is all of a sudden a huge concern? What's driving this? Apple? EU? There's got to be some kind of financial motivation behind wanting companies to STOP taking our data. Or is it socialism trying to stop them? I don't get it. What do we get in the end if say none of us could record what other people do using a service we provide? Where's the benefit? So some company doesn't know when to stock for pudding pops during a storm? I mean what is it we're trying to stop here that is so damn harmful. This is coming from a person who fucking hates data being collected by Verizon with their horrible "deep" network cookies, hates answering agreements to share data, always clicks on free/non free software disagree to sharing crash reports. Yeah I don't like it but why the fuck does it matter? Really. I hate this anti freedom approach and trying to pass even more laws to make more things illegal. It only hurts all of us in the end and way more than some company knowing I visited beeg.com 25 times today.
You've got the wrong metaphor.
Open up the session monitor in your browser of choice and you'll see it as a series of requests. Now the metaphor is much clearer: you're ringing them up, and asking them things. Your browser, on your behalf, is sending the data that lets the session persist and allows inferences to be drawn.
*ring ring*
ACME: This is ACME products, how can I help you?
John: Hi, I'm John, can you show me products related to 'shoes'?
ACME: Okay, here are leather shoes, casual shoes, trainers.
John: This is John again. I want casual shoes.
ACME: Mens or womens?
John: This is John again. Mens please. Brown, size 10.
ACME: Here are some styles of mens shoes in that colour. - writes down that John may be male, adult -
John: This is John again. Thank you I'd like to buy these ones.
ACME: Okay John, done. Would you like to see some women's shoes?
John: This is John again. Yes, women's, adult, formal.
ACME: Okay John, here are some formal women's shoes - writes down that John may be married to a woman, employed -
John: This is John again, bye.
*click*
I think the idea that this is 'users' data' to be misleading. It's the company's data regarding a request from a user. If I keep track of how many red or green apples I sell and in which months of the year and whether the seller is male or female or tall or short, that's sales data.
We keep assuming that it's our data. I'm not so sure it is.
Consider a different situation:
A woman has a baby. He grows up to be a famous actor. He doesn't want his birthday published because he believes there is age discrimination in Hollywood. His mom wants to write an autobiography. They each have a valid claim that the date in question is their own personal data.
If I google erectile dysfunction treatment, I think "My request for Google to bring me information on ED is my data," but Google thinks "That request I received for info about ED is my data." Obviously Google winds up with a freakishly gigantic amount of data, so our assumption seems natural, but I'm not 100% sure it's reasonable. Every search is transaction with at least two parties.
I hate and fear the data gathering. That's why I don't have a Facebook account, or Snapchat, Instagram, Pinterest, etc. I do search using Google, though, and I shop on Amazon sometimes, so I guess I don't hate it as much as I tell myself I do.
How is that possible? GP said that only corporations were protected, it was only a crime if you robbed a corporation, not another person...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Serious question.
If all online services did not leave tracking cookies/spyware/etc on your computer, would you be ok with all of the other data accumulation and trading that happened?
Before the web, user information was gathered based on TV channels you watched by vans equipped with radio equipment that could detect which channels were active on a TV as they drove through neighborhoods for ratings or licensing purposes: https://www.theguardian.com/no...
Credit card companies, magazine subscriptions, and mail order catalogs requested were also valuable sources of consumer interests
The search engines and social media are simply extending the concept which is how they get paid for all the free software and services you get.
You can skew the AI engines and results somewhat by periodically visiting completely random sites or posting completely random things way out of your normal interests and watch where those interests show up in ads on other web sites. Industrial equipment is my favorite alternate go to.
It's called Surveillance Capitalism. More than just our labor, information about us is an object of economic value. In effect, people have been turned into commodities.
Market research's psychographics classifies us according to our social niche. That information is then used to micro-target specific segments of the market, the segments we occupy. As part of a massive feedback loop, words and phrases we are comfortable with are used in tailor-made messages designed to massage our psyche, and get us to buy whatever they're selling, be it goods, services, logos, ideas or politics.
https://en.wikipedia.org/wiki/Surveillance_capitalism/
Jurisdiction and liability can't be signed away, but privacy absolutely can. In fact you can give it away for free, just make your your private information public, and bang! You're there.
Yes, it seems we're not that good at overcoming simple, sound-bite messaging. For too much of the American electorate, 'simple sells.'
I would pose this question to Equifax and transunion. They have been doing it for decades before the internet was born.
No, all of those social media buttons and ad banners and "free" analytics tools and fonts, etc., those are mechanisms to spy on you. That's how they follow you around, well outside of their living rooms.
In the case of a web-site, it's not like following a person through public. It's like following a customer of yours around your own store.
I don't think you'll find any jurisdiction in which it's illegal, or even frowned upon, to record how customers walk through your store, which shelves they look at, which clothes they try on, which products they pick up. And if you want to sell your customer-usage data to someone, it's yours because it's actually your customer data.
This all comes down to the purple pages. Phone books were illegal, in concept -- a book of everyone's phone number, name, and street address. But it was accepted anyway because you had to know the person's name. But there were the purple pages -- the very same phone book, indexed by street address. So you could look up a street address, and see who lived there. The purple pages were considered illegal -- for privacy reasons -- and were not widely published as a result.
Until they were.
So the only true answer to your question is actually the simplest one: slippery slope.
I expected this question to be about data collected from my computer, not the data I send to the web site.
Ad blockers are a security tool, and the main reason I use them is to keep ad companies from trying to break into my computer. I've come across way too many malicious scripts in ads over the years. Given how many legitimate companies have been caught doing that, is anyone taking that seriously?
I don't own a smartphone at all. I don't even want to know how much questionable yet suspiciously legal data collection is going on in that arena.
The OP compares one physical activity and one digital activity and suggests one might be illegal whilst the other is perfectly legal.
It might be worth taking a brief detour here and considering the way that society determines whether or not a particular activity is legal or illegal. This is a significant simplification, but in general terms we could summarize the core principle of illegality as being a range of activities which cause harm or damage to those disadvantaged by it.
If I steal from you, you are harmed. If I injure you, you are harmed. If I kill you; well, you get the point.
A big part of the apparent disparity between physically stalking someone [or, to simplify again, actions in meatspace] from the digital equivalent stems entirely from the fact that it is very difficult to evidence the harm being caused by digital stalking. That is not to say that digital stalking is harmless.
There are no end of ways that the unregulated actions of private companies such as Facebook and Google can harm you as a private citizen.
With no regulation of what data is collected, how it is analyzed, or who it is sold to, the opportunities for that data to harm you are diverse and significant. You may be unsuccessful in securing your next job if you are blacklisted by recruitment agencies. You may have to pay more for credit, or you may be refused loans, if you cross invisible lines with your digital life. You may be denied health insurance. You may be subject to even more surveillance if data collected on you by a private company is caught up in a government data request dragnet. You may be significantly defrauded if a company with whom you have shared data knowingly and willingly then fails to protect it, allowing you to become a victim of identity theft and associated fraud.
Governments the world over have failed to take steps to address these harms - even though that is the principle on which the concept of law was founded - for two broad reasons. The first is ignorance. As elected leaders demonstrate almost every time they speak, very few of them have a reasonable grasp of just how much harm this data harvesting can cause. The second is self-serving: the agencies charged with protecting citizens rights would much rather be able to issue a subpoena or NSL and get access to all that juicy data for themselves.
The only reason that the activities of companies like Facebook and Google are not illegal is because neither the people nor the government[s] truly understand what they can do. To get even the narrowest of ideas, look at what Christopher Wylie (of Cambridge Analytica) told Congress.
You are going to their house and doing what you do, and they're just making note of what you did in their living room.
No, all of those social media buttons and ad banners and "free" analytics tools and fonts, etc., those are mechanisms to spy on you. That's how they follow you around, well outside of their living rooms.
It's more like each major tech company controls a fleet of cameras. These cameras are absolutely everywhere, on the roads, in the shops, in the fitting booths, in your living room, in your bedroom in your car, at the restaurant where you eat, at the cash register where you pay for your groceries, in the sex shop where you buy your dirty magazines ... everywhere. If you sit down on any toilet to take a dump you'll find cameras belonging to Google, Twitter, Facebook, Pinterest, and a whole legion of tech, advertising and market research companies recording every strained look on your face as you struggle to squeeze out that turd and taping every loud wet fart. Every leaf of used toilet paper is copied in triplicate and carefully archived. Then they sell their records of your activities to anybody willing to pay. You can try to make it harder for them to keep tabs on you by wearing a VPN mask wherever you go and wearing a camera blinding laser AdBlocker laser on your head but that has only limited effect at best.
... Oh, wait, you're probably in the US. Errrm ... Nevermind.
Seriously you guys across the pond should probably just copy the new EU GDPR verbatim and be done with it. That would save you a lot of hassle. It's a great law and although it forces me to do muy job more diligently that actually by and large is a good thing.
Just sayin'.
We suffer more in our imagination than in reality. - Seneca
Is Slashdot so in need of stories that anything gets published? There are such things as dumb questions, no matter what the nice smiling teacher may have said.
Nothing illegal about watching and recording where someone goes. I can watch my neighbors house and make extensive notes about all that goes on. And yes, I can follow you around and document what you do. You may be able to convince a court of a restraining order if I push things to far, but surveillance is not illegal.
It is not illegal in person or on line.
...until they are made illegal.
The submitter seems to have some misunderstanding about how law works. "Very likely illegal"? What law would be violated? The submitter doesn't seem to quite understand that laws are written down, and given numbers for easy reference. For example, web sites must comply with US Code 2257. Unless the submitter can point to USC [number], they have a *feeling*, not a law.
I used to work as a private investigator and I did follow people. I had to be very diligent about documenting what I saw, because a PI is not supposed to tell the client or court what they *think*, only exactly what they *saw*. As a PI, I couldn't say "he's boning his secretary". I had to say "at 6:35 PM the subject entered hotel room #123 with a blonde woman of medium height. Both parties left the hotel room at 7:40". I can't speculate about what they did in the hotel room (could be discussing his campaign for governor of Arkansas), so I have to be specific about what I saw to allow others to decide how to interpret the facts.
You are going to their house and doing what you do, and they're just making note of what you did in their living room.
So... when they send their response to me and they include a 3rd party ad that is malicious and it is executed on my computer are they held liable for serving up a 3rd party ad? If they can do whatever they want while I am connected to their server then they need to be held liable for what they push to my computer.
Article 27 of the GDPR includes a requirement to hire a representative within the customer's country or confederation thereof. Currently, article 27 representative service from VeraSafe starts at $2,700 per year even for the smallest businesses, including those with less than $1 million of annual revenue. If counterparts to GDPR adopted by other countries include a counterpart to article 27, then any small business that sells goods or services internationally may end up spending so much on representative services for each country with which the business trades that these businesses are likely to make a business decision to offer services only in one country or only in a small set of countries.
Other than limiting to which countries goods and services are offered, what solution would you recommend for recovering the cost of representative service pursuant to article 27 of the GDPR or counterparts thereto?
I believe that just about every legitimate website or social media platform has a privacy notice and usually requires explicit acceptance of its Terms of Service Agreement. No one reads them but they provide the legal justification for those sites to collect the information. We consent to that collection.
"Would I be breaking the law if John D. has not given me explicit permission to do this?"
No, you would not be breaking the law.
Repeat after me: "There is no expectation of privacy in public, PERIOD."
Anything that can been observed from a public vantage point can be recorded, noted, drawn, sketched, photographed, etc etc etc.
Just cruising through this digital world at 33 1/3 rpm...
That question has a false premise. In virtually all countries it's legal to occupy public spaces and record all that you see, even if that amounts to trailing a particular person.
2) Any store you patronize must know that you were there. That is inherent in making any transaction. Since the store is their private property, just about everywhere allows them to set up security cameras for loss prevention. Thus, it is straight forward to combine your face with the time you entered, how long you shopped before heading to the cash, what items you purchased, what payment method was used, paper or plastic etc. And once collected, they own that data, so they can in most areas, sell that to whomever they like. You implicitly agree to this when you choose to shop at that location.
3) Same thing applies to your credit card. Visa/Mastercard/American Express/Discover know, usually to the second, when and where you make credit card purchases. For some things, it is obvious what you bought based solely on where you bought it. But for the majority of charges, the data collectors have to infer from other data. (e.g. Visa doesn't know what appears on your grocery list, but can make some shrewd guesses at the liquor store, dealership parts counter, local pizza joint et al) You agreed to this when you signed the card holder agreement#
4) Air Miles and store loyalty cards are among the worst offenders for data collection, analysis and distribution. For any of the ones I know of, it is their core business. Again, you agreed to this when signing the card holder agreement#.
5) Most of this isn't new, this sort of thing has been going on literally for decades. What IS new is that the collected data is being shared more widely than before. It used to be a store wouldn't share its data for fear of giving competitors an edge. But now, everyone is doing it and, most importantly, making enough profit by doing so to make it a good idea from their perspective. Also new is the ever increasing sophistication of the analysis being done.
#Foot note: As far as I know, every card of every kind includes text in its contracts to the effect that merely using the card is legally equivalent to signing the contract.
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
Well, here's hoping you're right.
How would a company do if they set up face recognition in their store, had AI analyze everything you looked at and bought as you walked around, and shared all that info back into facebook or google or amazon's database on you?
Well, there was a little disclaimer in the lower right of their sliding door, I suppose.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
... the user grants the permissions needed there: you don't read that?!
You know that link on the home page of every site that says "Terms of Service"? Or that long document you clicked "I agree" to when you started using a Web site? You may not have read those documents (and that is what they want), but in those documents, YOU give the Web site explicit permission to track you, and for them to sell your tracking data to whomever they want.
Sure, you just skipped over that. They didn't. They knew you would agree to whatever terms they put in front of you, because you want to use their site for free.
There are a few alternative sites that promise not to share your data, and in exchange, you agree to pay a subscription. How popular are those sites? Nobody goes there, that's why you haven't heard of them.
People, including you, are all too willing to give up your right to control your data, in exchange for free stuff.