Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How Is It Even Legal For Websites To Gather And Sell Users' Data?

Posted by EditorDavid on from the we-need-to-stalk dept.

Long-time Slashdot reader dryriver sees it like this: Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

Would I be breaking the law if John D. has not given me explicit permission to do this? Very likely. If this is the case for "meatspace data gathering", how can websites justify gathering information about visitors, and selling that information to third parties?
How would you answer this question? Attempt your own best explantions in the comments. How is your country balancing the need for online privacy with actual laws governing what can and can't be collected?

How is it even legal for web sites to gather and sell users' data?

34 of 216 comments (clear)

  1. That would probably mean you're a private eye by Anonymous Coward · · Score: 3, Insightful

    They're completely legal.

    1. Re: That would probably mean you're a private eye by JustAnotherOldGuy · · Score: 2

      Pretty sure if a company hired private detectives to follow millions of consumers around, documenting their daily habits, there would be a legal challenge.

      They could challenge it all they want and they'd lose in court. As someone else pointed out, exactly what law is being broken by observing and recording public interactions?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re: That would probably mean you're a private eye by saloomy · · Score: 4, Interesting

      No, it isn't inadmissible if you overhear something. There is no expectation of privacy in the jail cell where others can hear you.

      Just like that cell, you have no expectation of privacy in public. It is very legal to follow someone in public spaces and record what they do, and use that information for financial gain. Want proof?

      Hedge funds pay people ( and dispatch) interns to count the number of people outside of an Apple store, and record their gender and approx. age to gauge the excitement the public feels about a new iPhone, in hopes of gathering data on real market demand on launch days. The same rules for mass-targeting like that are also allowed with individuals. When CEOs or activist investors are seen walking into a company headquarters, it can have a positive effect on the stock when it gets reported.

      All of this is legal because "there is no expectation of privacy" in public.

      Now, a website isn't a public space, but the operator dictates what he does with the information in his private space. If you go to someones house for dinner, and he invites a third party (Mark Zuck), and Mark records the fact that you showed up, that isn't against the law. You agree'd to enter the house and be subject to its operators' terms of use when you navigated there. If you are unhappy with those terms, don't visit the site. Do not however, try and infringe on the operators freedoms because you do not like how he chooses to exercise them.

  2. Legal is relative to jurisdiction by misnohmer · · Score: 3, Insightful

    One can't answer your question unless you specify "legal in jurisdiction X". For example Europe has GDPR, USA or Canada or Mexico or China does not, but they have other laws.

    So I guess I would answer your question with "Legal where?" and a disclaimer "IANAL". ;-)

    1. Re:Legal is relative to jurisdiction by Tom+Veil · · Score: 2

      "Legal where?"

      Post says "How is your country balancing the need." So the "where" is "wherever you are."

      If you need something more specific than that, I'll have to wait till Slashdot gives me that location data I paid them for.

      --

      There's nothing you have that they can't take away: Absolute zero, Gentle Jack, bottom line.

  3. Private detective by alvinrod · · Score: 5, Insightful

    Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

    That sounds a bit like a private detective, with the exception that they typically work for a specific client.

    Also, if you stop to think about it, going to a website it like going to some person's private establishment. I'm visiting their server, so it's their rules. Stores no doubt track my purchases, and some even have cameras on presence that record my every action. If I have a problem with it, I can take my business elsewhere.

    Sure, terms of service could be more explicit, but most people wouldn't bother to read them or would just click through like they did when they signed up for a Facebook account or half of the other shit they use online.

    1. Re:Private detective by Jane+Q.+Public · · Score: 4, Insightful

      Not really.

      Example 1: Facebook and Twitter track you on every web page you ever visit with Facebook or Twitter "share" icons (or "like" in the case of Facebook). They don't tell you that. (In fact they track people who have never been to Facebook or agreed to a damned thing.)

      Example 2: It is illegal in the United States to track people who are less than 13 years old, without explicit parental consent. Yet not only to Google, Facebook, and Twitter do this on a massive scale, they don't care about the law and don't even try to abide by it.

      The latter is BIG. The fine per violation is significant. If it were actually enforced, those companies would be out of business very quickly.

    2. Re:Private detective by phantomfive · · Score: 2

      Example 2: It is illegal in the United States to track people who are less than 13 years old, without explicit parental consent. Yet not only to Google, Facebook, and Twitter do this on a massive scale, they don't care about the law and don't even try to abide by it.

      Well I don't care if they go out of business.

      --
      "First they came for the slanderers and i said nothing."
  4. How would this be illegal? by jimduchek · · Score: 5, Insightful

    What makes you think any of what you described in 'meatspace' is illegal? It's not, in the US, anyway. PERHAPS could be considered under harassment or stalking laws if it was very blatent, but if you are in public, you are subject to anyone recording/photographing you and what you are doing, pretty much.

    --
    If I'm not back again this time tomorrow...
    1. Re:How would this be illegal? by PopeRatzo · · Score: 2

      but if you are in public, you are subject to anyone recording/photographing you and what you are doing, pretty much.

      There are exceptions, but you are correct. It becomes confusing when you start to take apart what being "in public" means. When I am on a website, I might be sitting in my home. Am I in public? Not all online behaviors and environments are analogous to meat space.

      So I guess the answer is, "it's complicated, but we better have this conversation in a meaningful way and get it sorted."

      --
      You are welcome on my lawn.
    2. Re:How would this be illegal? by LynnwoodRooster · · Score: 3, Insightful

      Would the company whose website you are visiting have the right to watch what you're doing? It would be analogous to walking into a grocery store and having the cashier watch you walk up and down the aisles, and note what products you chose - and which you did not.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    3. Re:How would this be illegal? by kiviQr · · Score: 2, Interesting

      I am using HTTPS/secure connection - how am I in public?

    4. Re:How would this be illegal? by PopeRatzo · · Score: 4, Interesting

      What seems to be missing from most of the analysis here is that you specifically took actions which told them X, Y or Z, so it's a bit much to be complaining later after you've let the horse out that the barn door is open.

      You made a logical leap. If I ask google about "treatment for liver cancer", am I "telling" them anything? Or is their algorithm making an assumption about me?

      Can you cite the part in the Google user agreement where I waive my right to privacy regarding health issues?

      Let's extend the thought experiment: If I google, "how to quit smoking", and then I get a notice that my insurance premiums are going up because I'm a smoker, has my privacy been violated? Did I agree to allow Google to share the assumption that I am a smoker with my insurance company? What if I'm googling that information because I'm trying to convince my neighbor to quit?

      We conflate being online with being in public because we've been conditioned to do so by corporate behavior, but it doesn't necessarily have to be that way. We're already seeing laws being passed in parts of the world that are more protective of people's personal information when online.

      --
      You are welcome on my lawn.
  5. They are not gathering data, by Grand+Facade · · Score: 4, Funny

    They are enhancing the customers experience.

    --
    Rick B.
  6. USA Laws by Shikaku · · Score: 2

    USA Laws are limited by these 2 main laws that limit it by age (under 13) and healthcare respectively: COPPA https://www.ftc.gov/enforcemen... and HIPAA https://www.hhs.gov/hipaa/for-...

    And then it's not really limited anymore except by state. Which a summary exists here: https://en.wikipedia.org/wiki/...

  7. They're not following you to observe what you do. by aussersterne · · Score: 4, Insightful

    You are going to their house and doing what you do, and they're just making note of what you did in their living room.

    --
    STOP . AMERICA . NOW
  8. Not "following them around without permission" by SlaveToTheGrind · · Score: 4, Insightful

    The real-world analogy would be more like keeping track of someone's location and activities who entered your retail store, then using/selling that data as they see fit. People may not like that, but I don't think there's any serious theory that it would be illegal. (Let's ignore for a moment the places in that retail store where you'd have a reasonable expectation of privacy like changing rooms, since that's outside the scope of the submitter's doe-eyed question.)

    In the same way, you visit someone's website, you play by their rules. This doesn't seem particularly complicated or surprising.

    1. Re:Not "following them around without permission" by Kjella · · Score: 4, Insightful

      Well... while I can't fault your logic, I think your summary understates just how much previously private information we're now exposing. For example take newspapers, my dad still gets one in the dead tree format. Nobody knows what articles he reads or how long he's read it in total and outside the paperboy nobody knows if he's picked it up at all. With online newspapers they know exactly when and what you've read and with JavaScript probably how long it took, how often you scrolled the page and overall created way more data on whoever read the semi-critical article on the Party. Same goes for video games, TV series and whatnot... it used to happen on your computer, now there's a log in the cloud.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Not "following them around without permission" by CrimsonAvenger · · Score: 2

      For example take newspapers, my dad still gets one in the dead tree format. Nobody knows what articles he reads or how long he's read it in total and outside the paperboy nobody knows if he's picked it up at all.

      Hmm...one of my neighbors gets the dead tree newspapers. I don't have a clue what they read of the paper, but I DO know whether it's been picked up daily, since I walk by their house every morning with the dog. And I've occasionally known when they were on vacation when they forgot to stop paper delivery while they were out of town (five or six papers in the front yard is usually a good clue).

      And while I don't know what they read, I do know what they could have read - it's not like every newspaper in the world has every story in the world....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
  9. Public space? by LynnwoodRooster · · Score: 2

    No reasonable expectation of privacy. Perfectly legal.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    1. Re:Public space? by TimothyHollins · · Score: 2

      If it's a public space you have no right to exclude visitors that do not agree to your terms. You only have the right to enforce terms in your own private space. You can't go into a market square and start kicking people out. And if it's private space, then it's private for the user as well, meaning you cannot record it without consent.

      So which one is it?

  10. Block it as best you can & live with what's le by spywhere · · Score: 2

    I use uBlock Origin, Ghostery and a Hosts file to block as much Web advertising and tracking as possible.
    This makes the leaks obvious: one random item I browsed will follow me around in ads on several sites.

    Of course, Amazon knows exactly what I want, and Google knows I go to (legal) cannabis dispensaries on my vacations, but I can live with that.

  11. You are confusing the impractical with illegal by Anonymous Coward · · Score: 2, Insightful

    It's not necessarily illegal to follow someone around without there permission to the extent you are not entering private property illegally and trespassing. Basically assuming nobody tells you to say leave a store following someone onto private property of a nature open to the public it is going to be legal. There may be statues against harassment, but those are going to be more specific. There may also be laws against practicing investigations without proper licenses. However following someone around and making notes about them is not in and of itself necessarily either of these things. It's merely impractical to make such a business model work and so nobody has done it until more recently and really only to the extent it is automated via technology via cameras, cell phones, etc.

  12. ...and then there's the copyright issue by coats · · Score: 2, Interesting

    The copyright-absolutist position is this: My life is *my* performance before God and all mankind. As soon as it is recorded, that recording is a copyright work for which I own the copyright (unless there is a specific written contract to the contrary), according to US Code Title 17. And use of that work without my permission for commercial gain is felony copyright infringement. Felony copyright infringement is exactly the behavior all these data-gatherers are doing. FWIW.

    --
    "My opinions are my own, and I've got *lots* of them!"
  13. The Traveling Salesperson analogy by williamyf · · Score: 5, Interesting

    Imagine you phonecall a company and say:
    Send me a travelling Salesperson, please. Or a delivery service and say, please deliver a newspaper to my office.

    They answer: "sure, but there are some conditions for that convenience, please, for the next 8 minutes listen carefully to them."

    You do not listen, instead, put the phone on the table, set your watch to 7 minutes, and go brew a tea.

    You return, and when the operator asks: "Do you agree to our terms?" You say "yes"

    It turns out that the terms include the salesperson or deliveryperson staying in your office long after the transaction is concluded (you place your order or get your newspaper), taking notes of many of the things you do, correlating those notes with those of other delivery companies/salespeople/third parties and a long and creepy et cetera.

    But hey, you neglected to hear the terms of their service, because those terms were boring, and instead you went for tea.

    Having corrected the analogy used by dryriver, the correct question to ask slashdot is:

    Are the terms of service used by most websites even legal?

    --
    *** Suerte a todos y Feliz dia!
  14. Well, we've been electing anti-regulation by rsilvergun · · Score: 3, Insightful

    pro-business and pro-corporate leaders for nearly 50 years now. If the people in charge of regulation don't believe in regulation then we don't get regulation.

    Seriously, it's not complicated.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  15. Re:Most authorize it, but there's a bigger issue.. by _Sharp'r_ · · Score: 2

    In a free country, everything is legal which is not explicitly illegal. So nothing has to be "made legal" unless it was previously made illegal.

    In this specific case, the information you choose to send to a website from your computer is completely under your control. You don't even have to hook your computer up to someone else's network if you really don't want anyone to know anything about what you do with it. They aren't pointing TEMPEST gear at your windows, you're voluntarily sending them information from your computer to their server.

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  16. Seems to be a blind spot in people by Solandri · · Score: 4, Insightful

    People seem to think at the individual level, not at the group level. I first ran across this in the 1990s playing Everquest. In response to complaints about griefers harassing regular players, they came up with an anti-harassment policy. You could be banned for targeting a player and harassing them. This had the opposite effect than intended. Griefers didn't target specific players. They tended to hang out in an area and try to ruin the day of anyone who came into the area. On the other hand, people who got fed up with the griefers and tried to drive them out of an area were targeting a specific player. And so the anti-harassment policy ended up protecting griefers, while getting anti-griefers banned.

    For some reason people seem to judge the harm of bad behaviors in terms of the average harm done to an individual, rather than to the overall harm done to society. A spammer sends out a hundred million spam emails, and people say "what's the big deal? It only takes you 3 seconds to realize it's spam and delete it." But 3 seconds times 100 million is 9.5 years of cumulative wasted time and productivity. Likewise, people handling private customer data don't take it seriously, since each individual's data is probably only worth a few dollars. Nobody cares if they lose a few dollars, right? But multiply it by several hundred million people and you're doing serious economic damage if you take it without permission or let it get stolen by hackers.

  17. The wrong metaphor by Kamineko · · Score: 2

    You've got the wrong metaphor.

    Open up the session monitor in your browser of choice and you'll see it as a series of requests. Now the metaphor is much clearer: you're ringing them up, and asking them things. Your browser, on your behalf, is sending the data that lets the session persist and allows inferences to be drawn.

    *ring ring*
    ACME: This is ACME products, how can I help you?
    John: Hi, I'm John, can you show me products related to 'shoes'?
    ACME: Okay, here are leather shoes, casual shoes, trainers.
    John: This is John again. I want casual shoes.
    ACME: Mens or womens?
    John: This is John again. Mens please. Brown, size 10.
    ACME: Here are some styles of mens shoes in that colour. - writes down that John may be male, adult -
    John: This is John again. Thank you I'd like to buy these ones.
    ACME: Okay John, done. Would you like to see some women's shoes?
    John: This is John again. Yes, women's, adult, formal.
    ACME: Okay John, here are some formal women's shoes - writes down that John may be married to a woman, employed -
    John: This is John again, bye.
    *click*

    I think the idea that this is 'users' data' to be misleading. It's the company's data regarding a request from a user. If I keep track of how many red or green apples I sell and in which months of the year and whether the seller is male or female or tall or short, that's sales data.

  18. On your computing device? by BankRobberMBA · · Score: 2

    Serious question.

    If all online services did not leave tracking cookies/spyware/etc on your computer, would you be ok with all of the other data accumulation and trading that happened?

  19. Signed away by BankRobberMBA · · Score: 2

    Jurisdiction and liability can't be signed away, but privacy absolutely can. In fact you can give it away for free, just make your your private information public, and bang! You're there.

    1. Re:Signed away by jouassou · · Score: 2

      Depends on your country. In many European countries, legal rights cannot be signed away, because that would be quite prone to abuse. Instead, if you signed a contract where you gave away any legal rights, then that part of the contract is simply considered illegal and void.

  20. Re:They're not following you to observe what you d by Can'tNot · · Score: 2

    No, all of those social media buttons and ad banners and "free" analytics tools and fonts, etc., those are mechanisms to spy on you. That's how they follow you around, well outside of their living rooms.

  21. Yes, the submitter's feelings aren't laws. Laws wr by raymorris · · Score: 5, Informative

    The submitter seems to have some misunderstanding about how law works. "Very likely illegal"? What law would be violated? The submitter doesn't seem to quite understand that laws are written down, and given numbers for easy reference. For example, web sites must comply with US Code 2257. Unless the submitter can point to USC [number], they have a *feeling*, not a law.

    I used to work as a private investigator and I did follow people. I had to be very diligent about documenting what I saw, because a PI is not supposed to tell the client or court what they *think*, only exactly what they *saw*. As a PI, I couldn't say "he's boning his secretary". I had to say "at 6:35 PM the subject entered hotel room #123 with a blonde woman of medium height. Both parties left the hotel room at 7:40". I can't speculate about what they did in the hotel room (could be discussing his campaign for governor of Arkansas), so I have to be specific about what I saw to allow others to decide how to interpret the facts.