Ask Slashdot: How Is It Even Legal For Websites To Gather And Sell Users' Data?

Long-time Slashdot reader dryriver sees it like this: Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

Would I be breaking the law if John D. has not given me explicit permission to do this? Very likely. If this is the case for "meatspace data gathering", how can websites justify gathering information about visitors, and selling that information to third parties?
How would you answer this question? Attempt your own best explantions in the comments. How is your country balancing the need for online privacy with actual laws governing what can and can't be collected?

How is it even legal for web sites to gather and sell users' data?

Private detective

[alvinrod]

Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

That sounds a bit like a private detective, with the exception that they typically work for a specific client.

Also, if you stop to think about it, going to a website it like going to some person's private establishment. I'm visiting their server, so it's their rules. Stores no doubt track my purchases, and some even have cameras on presence that record my every action. If I have a problem with it, I can take my business elsewhere.

Sure, terms of service could be more explicit, but most people wouldn't bother to read them or would just click through like they did when they signed up for a Facebook account or half of the other shit they use online.

Re:Private detective

[Jane+Q.+Public]

Not really.

Example 1: Facebook and Twitter track you on every web page you ever visit with Facebook or Twitter "share" icons (or "like" in the case of Facebook). They don't tell you that. (In fact they track people who have never been to Facebook or agreed to a damned thing.)

Example 2: It is illegal in the United States to track people who are less than 13 years old, without explicit parental consent. Yet not only to Google, Facebook, and Twitter do this on a massive scale, they don't care about the law and don't even try to abide by it.

The latter is BIG. The fine per violation is significant. If it were actually enforced, those companies would be out of business very quickly.

How would this be illegal?

[jimduchek]

What makes you think any of what you described in 'meatspace' is illegal? It's not, in the US, anyway. PERHAPS could be considered under harassment or stalking laws if it was very blatent, but if you are in public, you are subject to anyone recording/photographing you and what you are doing, pretty much.

Re:How would this be illegal?

[PopeRatzo]

What seems to be missing from most of the analysis here is that you specifically took actions which told them X, Y or Z, so it's a bit much to be complaining later after you've let the horse out that the barn door is open.

You made a logical leap. If I ask google about "treatment for liver cancer", am I "telling" them anything? Or is their algorithm making an assumption about me?

Can you cite the part in the Google user agreement where I waive my right to privacy regarding health issues?

Let's extend the thought experiment: If I google, "how to quit smoking", and then I get a notice that my insurance premiums are going up because I'm a smoker, has my privacy been violated? Did I agree to allow Google to share the assumption that I am a smoker with my insurance company? What if I'm googling that information because I'm trying to convince my neighbor to quit?

We conflate being online with being in public because we've been conditioned to do so by corporate behavior, but it doesn't necessarily have to be that way. We're already seeing laws being passed in parts of the world that are more protective of people's personal information when online.

They are not gathering data,

[Grand+Facade]

They are enhancing the customers experience.

They're not following you to observe what you do.

[aussersterne]

You are going to their house and doing what you do, and they're just making note of what you did in their living room.

Not "following them around without permission"

[SlaveToTheGrind]

The real-world analogy would be more like keeping track of someone's location and activities who entered your retail store, then using/selling that data as they see fit. People may not like that, but I don't think there's any serious theory that it would be illegal. (Let's ignore for a moment the places in that retail store where you'd have a reasonable expectation of privacy like changing rooms, since that's outside the scope of the submitter's doe-eyed question.)

In the same way, you visit someone's website, you play by their rules. This doesn't seem particularly complicated or surprising.

Re:Not "following them around without permission"

[Kjella]

Well... while I can't fault your logic, I think your summary understates just how much previously private information we're now exposing. For example take newspapers, my dad still gets one in the dead tree format. Nobody knows what articles he reads or how long he's read it in total and outside the paperboy nobody knows if he's picked it up at all. With online newspapers they know exactly when and what you've read and with JavaScript probably how long it took, how often you scrolled the page and overall created way more data on whoever read the semi-critical article on the Party. Same goes for video games, TV series and whatnot... it used to happen on your computer, now there's a log in the cloud.

The Traveling Salesperson analogy

[williamyf]

Imagine you phonecall a company and say:
Send me a travelling Salesperson, please. Or a delivery service and say, please deliver a newspaper to my office.

They answer: "sure, but there are some conditions for that convenience, please, for the next 8 minutes listen carefully to them."

You do not listen, instead, put the phone on the table, set your watch to 7 minutes, and go brew a tea.

You return, and when the operator asks: "Do you agree to our terms?" You say "yes"

It turns out that the terms include the salesperson or deliveryperson staying in your office long after the transaction is concluded (you place your order or get your newspaper), taking notes of many of the things you do, correlating those notes with those of other delivery companies/salespeople/third parties and a long and creepy et cetera.

But hey, you neglected to hear the terms of their service, because those terms were boring, and instead you went for tea.

Having corrected the analogy used by dryriver, the correct question to ask slashdot is:

Are the terms of service used by most websites even legal?

Seems to be a blind spot in people

[Solandri]

People seem to think at the individual level, not at the group level. I first ran across this in the 1990s playing Everquest. In response to complaints about griefers harassing regular players, they came up with an anti-harassment policy. You could be banned for targeting a player and harassing them. This had the opposite effect than intended. Griefers didn't target specific players. They tended to hang out in an area and try to ruin the day of anyone who came into the area. On the other hand, people who got fed up with the griefers and tried to drive them out of an area were targeting a specific player. And so the anti-harassment policy ended up protecting griefers, while getting anti-griefers banned.

For some reason people seem to judge the harm of bad behaviors in terms of the average harm done to an individual, rather than to the overall harm done to society. A spammer sends out a hundred million spam emails, and people say "what's the big deal? It only takes you 3 seconds to realize it's spam and delete it." But 3 seconds times 100 million is 9.5 years of cumulative wasted time and productivity. Likewise, people handling private customer data don't take it seriously, since each individual's data is probably only worth a few dollars. Nobody cares if they lose a few dollars, right? But multiply it by several hundred million people and you're doing serious economic damage if you take it without permission or let it get stolen by hackers.

Yes, the submitter's feelings aren't laws. Laws wr

[raymorris]

The submitter seems to have some misunderstanding about how law works. "Very likely illegal"? What law would be violated? The submitter doesn't seem to quite understand that laws are written down, and given numbers for easy reference. For example, web sites must comply with US Code 2257. Unless the submitter can point to USC [number], they have a *feeling*, not a law.

I used to work as a private investigator and I did follow people. I had to be very diligent about documenting what I saw, because a PI is not supposed to tell the client or court what they *think*, only exactly what they *saw*. As a PI, I couldn't say "he's boning his secretary". I had to say "at 6:35 PM the subject entered hotel room #123 with a blonde woman of medium height. Both parties left the hotel room at 7:40". I can't speculate about what they did in the hotel room (could be discussing his campaign for governor of Arkansas), so I have to be specific about what I saw to allow others to decide how to interpret the facts.

Re: That would probably mean you're a private eye

[saloomy]

No, it isn't inadmissible if you overhear something. There is no expectation of privacy in the jail cell where others can hear you.

Just like that cell, you have no expectation of privacy in public. It is very legal to follow someone in public spaces and record what they do, and use that information for financial gain. Want proof?

Hedge funds pay people ( and dispatch) interns to count the number of people outside of an Apple store, and record their gender and approx. age to gauge the excitement the public feels about a new iPhone, in hopes of gathering data on real market demand on launch days. The same rules for mass-targeting like that are also allowed with individuals. When CEOs or activist investors are seen walking into a company headquarters, it can have a positive effect on the stock when it gets reported.

All of this is legal because "there is no expectation of privacy" in public.

Now, a website isn't a public space, but the operator dictates what he does with the information in his private space. If you go to someones house for dinner, and he invites a third party (Mark Zuck), and Mark records the fact that you showed up, that isn't against the law. You agree'd to enter the house and be subject to its operators' terms of use when you navigated there. If you are unhappy with those terms, don't visit the site. Do not however, try and infringe on the operators freedoms because you do not like how he chooses to exercise them.