I personally think telemetry/analytics in terms of how someone's own site/app/service is used is a distinct issue to the kind of ubiquitous monitoring used by ad networks. Of course they both raise privacy concerns up to a point, but if you're using something that is running on a remote system anyway then I don't think it's realistic or particularly helpful to try to stop the operators seeing what their own system is doing.
For me, that's a very different thing to putting web bugs or tracker scripts or fingerprinting hacks all over other sites, and doing so covertly so that users are being tracked by third parties that they have no knowledge they are dealing with at all.
There's also a middle ground where you have something that is installed locally but phoning home covertly and potentially sending data the user thought was private, or an analogous situation with web sites/apps where you've got something like a form that the user might expect to be private until they explicitly submit it but which is actually sending everything ever entered even if it's subsequently edited or deleted before the user intends to continue. In these cases, I think the ethical position (and possibly also the legal one) probably depends on why the data is being sent, exactly how it's used, and what a typical user would reasonably expect to be happening or not happening.
That's funny, my recollection is that we managed pretty well without the spying for at least a decade, and yet during that time the Web grew from an academic/enthusiast medium into a mass communication medium. It turned out that countless people were willing to contribute without trying to exploit others for profit as their only motive.
Indeed, social media today, arguably including sites like this one, is still built almost entirely from contributions given freely by normal people. It's just that today, instead of everyone getting some web space as part of their normal ISP package and making their own home page or blog, we have a relatively small number of large, mostly ad-funded, mostly data-hoarding giants centralising our basic hosting instead. That has some advantages, of course, but also a very high price to pay for anyone who values privacy and security online.
I have nothing against seeking an efficient justice system that is practically accessible to and affordable by those with relatively minor grievances. Here in the UK, we use tribunals that serve a similar purpose in some situations, as well as a small claims court system, though if I've understood you correctly then our mechanisms have more power to make binding decisions themselves than the Finnish authorities you mentioned.
However, these national differences don't make vague law any better, nor excessively broad law, nor regulations that require disproportionate effort and cost for compliance.
The irony is that the EU already has a different mechanism, directives, to use in cases where the differences in national legal systems mean a particular change should be interpreted carefully according to each member state's laws and practices. But the EU tends not to use those when regulations will do, and thus we are where we are on this issue (and previous consumer protection regulations, and the GDPR, and so on).
Like many laws originating in the EU, it probably had some noble intentions behind it. Maybe this time it really was trying to limit the ability of scam web sites operating outside EU jurisdictions to harm people when the operators couldn't be pursued directly under EU law.
Sadly, the EU often exhibits a combination of ignorance, apathy and carelessness when it comes to making the actual laws, and consequently it often causes large amounts of collateral damage. I suspect in many cases those responsible genuinely don't know or understand what they've done, but that doesn't really help if you're hit by the damage.
Interesting... Given that the UK legal systems don't seem to have the fundamental problem that class actions try to solve in the US, would you mind elaborating a little on what is actually happening here and why?
So you think that people who already put in time and work for free to make something useful and give it away for others to enjoy then have some sort of obligation to do the same again, just because someone else broke what they already did once? #entitledmuch
I've never really got the using-tabs-as-bookmarks thing. To me they've naturally filled different roles for as long as we've had them. But then I've used browsers for as long as there have been browsers, way back when bookmarking was a great innovation and browsers didn't provide tabs yet. If you've only ever used tabbed browsing then I can see why you wouldn't make the same distinction as someone like me.
Interesting analogy with the Start Menu. For me, the biggest UI advance in Windows 7 was the introduction of the new style of task bar and jump lists. On Windows machines, I've barely touched the Start menu since. Instead, I invariably have icons for all my main applications pinned to the task bar, and then important files, directories, etc. pinned on the jump lists for many of those. I guess I browse the web in much the same way.
What's the problem with managing over 1,000 bookmarks with the way they've traditionally worked? I probably have at least that many, and they're neatly organised in folders that I've built up over the years. This has the same downsides as any hierarchical filing system, and possibilities to link bookmarks from multiple places in the tree and to search the whole tree would be welcome enhancements, but the basic functionality works fine as far as it goes.
Hopefully now that the mainline has dropped support for legacy extensions this will motivate a few more devs to update, otherwise they are loosing most of their install base.
Unfortunately, it looks like a lot of the extension developers have instead pulled their extensions entirely, updated the description to say something like "Sorry, doesn't work with 57, thanks for the support until now", or more worryingly updated the description to say something like "Sorry, this can't work with 57 because the WebExtensions infrastructure can't do it".
Of course, that's just my own anecdotal experience. I've talked to plenty of people who seem to have no problem with most or all of the extensions they use, so maybe I've just been (very) unlucky in the particular extensions I have found useful until now.
What's wrong with the way bookmarks have worked forever? By far my most used control in every browser I've used since the days of Netscape Navigator has been a bookmark toolbar that is set up like a menu of the sites I actually want to visit.
Maybe I'm weird, but most of the extensions and new controls in modern browsers seem to be useful primarily to turn off other modern developments that I don't want. For me, that last big UI improvements in browsers were introducing tabs and search boxes, and we've had those for so long that the earliest known source code was found in hieroglyphs on a cave wall.
Just give me good bookmarks, tabbed browsing, and a simple address bar and search bar with the basic controls for back/refresh/etc. and I've got a simple, effective browser UI that will do the job nicely, thanks.
It also enables them to delete or redirect the help for older versions of software you paid for, pushing users into upgrades they otherwise didn't want or need. Like almost any phone-home software that isn't doing it as part of a genuine communications feature, it's just one more way to artificially limit the life of something that would otherwise carry on working just fine.
That's just the fine that can be imposed by regulators. It doesn't preclude individuals suing for damages in their own rights (and remember that in somewhere like the UK, there's no direct equivalent to class action suits, and typically the loser is going to pay costs for both sides in a civil suit like this). It also doesn't preclude being charged with any criminal offences that member states may wish to create in addition to the regulatory penalties.
If these corporations were actually people, they would be feed to the dogs.
If they do have another event on a similar scale once the GDPR has come into effect in Europe next year, being fed to the dogs might be the least of their problems. The penalties for a major compliance failure can be up to 4% of annual global turnover. Going by the figures mentioned in TFS, it looks like that would wipe out Equifax's entire net income for between one and two quarters. That's just the financial penalty from the regulators in the EU, and doesn't take into account any additional criminal sanctions that member states might choose to impose.
Agreed. I am increasingly of the opinion that any product sold that includes any form of sensor or communications device that is not both obvious and fundamental to its intended purpose should be required to carry prominent disclosure. The level of disclosure could be related to the risk, for example whether these components were on-by-default, whether they had any clear and robust indication that they were and/or had been in use, whether they could be reliably switched off by the user, and the nature of any information being transmitted or received via any communications elements.
In the worst cases, I wouldn't object to rules of the kind we insist on for cigarette packets and the like in many countries now, with a prescribed and significant amount of the entire packaging given over to warnings that must be shown in specific formats and must include specific wording about the dangers. For completeness, any violations of those transparency rules should probably also not give the benefit of the doubt to the manufacturer when it comes to applying penalties, because no-one accidentally includes a microphone and phone-home SIM card in their new range of TVs.
Then see if customers still want to buy "smart" TVs, "connected" cars, and so on.
That's a common, defeatist, and ultimately self-fulfilling argument.
The GP was right. Stores are selling what they can convince people to buy, because they want the money. If pitching so-called smart TVs as better than normal ones and thus being able to sell them successfully at a higher price works, that's what they'll do.
On the other hand, if enough potential customers ask about products without the junk or start asking tricky questions about the realities of these devices that waste the sales people's time, and particularly if those potential customers are then leaving the store without making a purchase, the stores will go back to demanding simpler units that they can sell. And if customers are giving their money to people who supply good, "dumb" TVs today then the stores and manufacturers offering that option also have a direct incentive to continue.
Voting with your wallet is possibly the most successful form of lobbying for change that humanity has yet conceived.
Because marketing >> technical specs, at least to the vast majority of potential customers who aren't knowledgeable enough about the tech specs to know what they're looking at and understand the implications. To be fair, since people keep buying this junk, it appears that the manufacturers are simply producing what the market wants.
I think the only real solution to this is better education. We need geeks to be telling their less technical friends and family about how fragile and/or dangerous all these "smart" extras are, and why (as just about everyone reading this on Slashdot presumably agrees) it's a much better plan to get a good screen and good audio and good content sources for your needs, but not necessarily all in the same box.
This is the real nightmare scenario for IoT privacy violations.
There are already devices on the market that come with their own independent connections to a wireless data network, and the trend seems to be accelerating. If we're talking about devices that are also connected to anything on your home network and/or that have safety or privacy implications, I'm not sure this is a healthy trend at all. We need much stronger regulation in terms of security, privacy, longevity, and transparency, and meaningful enforcement with substantial penalties, for this to be a sensible direction from the owner's point of view.
That doesn't explain why many companies tried telecommuting, found the results disappointing, and went back to requiring everyone to come to the office.
This seems far more likely to be the real explanation. Remote working has benefits, sometimes for both employer and employee, but it also has costs and it's possible that when companies that do it succeed it is despite the remote work rather than because of it.
The interesting questions IMHO are why some organisations seem to do much better with a lot of remote work than others. Is it about the nature of the organisation's work, so maybe some things are more amenable to being done remotely? Is it about the staff hired and their work ethic? Is it that some stages in a task require a lot of interaction that is more effective with everyone in the same place but other stages can be done just as well or even better from a distance and with fewer interruptions? Is it a case of needing the right processes and communication tools to support remote working, which some organisations have provided where others have not?
It's a tiny shift really. Facebook already reduced the number of organic views that you'd get for posts to professional pages by at least an order of magnitude a long time ago.
If you use Facebook as a channel to reach your customers/fans/whatever, the game has been pay-to-play for a long time, and the only thing that matters is still whether or not you get a good return on your investment, just like any other advertising. Watch your numbers, and if Facebook isn't giving you good enough exposure, pull your funding and spend it somewhere else, whether that's Google ads for your business or posters for your local church fair to up in local stores.
My "little knowledge" comes from about ten years working in relevant areas professionally and knowing how these protocols work down to the bit, but whatever.
The subject of this thread was authentication as a defence against malware injection. Obviously you're welcome to discuss other things, but they're not really on topic in this part of the discussion, and so far you appear to be trying to make some sort of dogmatic point rather than addressing the issue that everyone else is talking about.
In any case, nothing about authentication precludes the use of proxies, only the ability for proxies to silently pretend to be someone they are not. Those transparent proxies you seem so keen on are exactly the kind of threat the rest of us are considering, because a transparent proxy with access to unauthenticated traffic with no integrity controls can modify that traffic covertly to inject anything from ads to drive-by downloads. And as you point out yourself, if you are willing to trust a proxy, you can still set it up to work transparently if you're willing to install a new CA.
As you might have put it, the best of both worlds: choice, but yours and not your ISP's, your WiFi provider's or your local network impersonation artist's.
Slashdot Mirror
They had that option in settings all along. It was the part where you declined the upgrade from Windows 7. :-)
Interesting, thanks. I'd missed that one.
I personally think telemetry/analytics in terms of how someone's own site/app/service is used is a distinct issue to the kind of ubiquitous monitoring used by ad networks. Of course they both raise privacy concerns up to a point, but if you're using something that is running on a remote system anyway then I don't think it's realistic or particularly helpful to try to stop the operators seeing what their own system is doing.
For me, that's a very different thing to putting web bugs or tracker scripts or fingerprinting hacks all over other sites, and doing so covertly so that users are being tracked by third parties that they have no knowledge they are dealing with at all.
There's also a middle ground where you have something that is installed locally but phoning home covertly and potentially sending data the user thought was private, or an analogous situation with web sites/apps where you've got something like a form that the user might expect to be private until they explicitly submit it but which is actually sending everything ever entered even if it's subsequently edited or deleted before the user intends to continue. In these cases, I think the ethical position (and possibly also the legal one) probably depends on why the data is being sent, exactly how it's used, and what a typical user would reasonably expect to be happening or not happening.
That's funny, my recollection is that we managed pretty well without the spying for at least a decade, and yet during that time the Web grew from an academic/enthusiast medium into a mass communication medium. It turned out that countless people were willing to contribute without trying to exploit others for profit as their only motive.
Indeed, social media today, arguably including sites like this one, is still built almost entirely from contributions given freely by normal people. It's just that today, instead of everyone getting some web space as part of their normal ISP package and making their own home page or blog, we have a relatively small number of large, mostly ad-funded, mostly data-hoarding giants centralising our basic hosting instead. That has some advantages, of course, but also a very high price to pay for anyone who values privacy and security online.
I have nothing against seeking an efficient justice system that is practically accessible to and affordable by those with relatively minor grievances. Here in the UK, we use tribunals that serve a similar purpose in some situations, as well as a small claims court system, though if I've understood you correctly then our mechanisms have more power to make binding decisions themselves than the Finnish authorities you mentioned.
However, these national differences don't make vague law any better, nor excessively broad law, nor regulations that require disproportionate effort and cost for compliance.
The irony is that the EU already has a different mechanism, directives, to use in cases where the differences in national legal systems mean a particular change should be interpreted carefully according to each member state's laws and practices. But the EU tends not to use those when regulations will do, and thus we are where we are on this issue (and previous consumer protection regulations, and the GDPR, and so on).
Like many laws originating in the EU, it probably had some noble intentions behind it. Maybe this time it really was trying to limit the ability of scam web sites operating outside EU jurisdictions to harm people when the operators couldn't be pursued directly under EU law.
Sadly, the EU often exhibits a combination of ignorance, apathy and carelessness when it comes to making the actual laws, and consequently it often causes large amounts of collateral damage. I suspect in many cases those responsible genuinely don't know or understand what they've done, but that doesn't really help if you're hit by the damage.
Interesting... Given that the UK legal systems don't seem to have the fundamental problem that class actions try to solve in the US, would you mind elaborating a little on what is actually happening here and why?
So you think that people who already put in time and work for free to make something useful and give it away for others to enjoy then have some sort of obligation to do the same again, just because someone else broke what they already did once? #entitledmuch
I've never really got the using-tabs-as-bookmarks thing. To me they've naturally filled different roles for as long as we've had them. But then I've used browsers for as long as there have been browsers, way back when bookmarking was a great innovation and browsers didn't provide tabs yet. If you've only ever used tabbed browsing then I can see why you wouldn't make the same distinction as someone like me.
Interesting analogy with the Start Menu. For me, the biggest UI advance in Windows 7 was the introduction of the new style of task bar and jump lists. On Windows machines, I've barely touched the Start menu since. Instead, I invariably have icons for all my main applications pinned to the task bar, and then important files, directories, etc. pinned on the jump lists for many of those. I guess I browse the web in much the same way.
What's the problem with managing over 1,000 bookmarks with the way they've traditionally worked? I probably have at least that many, and they're neatly organised in folders that I've built up over the years. This has the same downsides as any hierarchical filing system, and possibilities to link bookmarks from multiple places in the tree and to search the whole tree would be welcome enhancements, but the basic functionality works fine as far as it goes.
Hopefully now that the mainline has dropped support for legacy extensions this will motivate a few more devs to update, otherwise they are loosing most of their install base.
Unfortunately, it looks like a lot of the extension developers have instead pulled their extensions entirely, updated the description to say something like "Sorry, doesn't work with 57, thanks for the support until now", or more worryingly updated the description to say something like "Sorry, this can't work with 57 because the WebExtensions infrastructure can't do it".
Of course, that's just my own anecdotal experience. I've talked to plenty of people who seem to have no problem with most or all of the extensions they use, so maybe I've just been (very) unlucky in the particular extensions I have found useful until now.
What's wrong with the way bookmarks have worked forever? By far my most used control in every browser I've used since the days of Netscape Navigator has been a bookmark toolbar that is set up like a menu of the sites I actually want to visit.
Maybe I'm weird, but most of the extensions and new controls in modern browsers seem to be useful primarily to turn off other modern developments that I don't want. For me, that last big UI improvements in browsers were introducing tabs and search boxes, and we've had those for so long that the earliest known source code was found in hieroglyphs on a cave wall.
Just give me good bookmarks, tabbed browsing, and a simple address bar and search bar with the basic controls for back/refresh/etc. and I've got a simple, effective browser UI that will do the job nicely, thanks.
Finally tally: about 2/3 of my regularly used extensions don't work with 57 and don't currently seem to have a similar replacement available.
Sadly, a performance boost just isn't work losing that much functionality for me. :-(
It also enables them to delete or redirect the help for older versions of software you paid for, pushing users into upgrades they otherwise didn't want or need. Like almost any phone-home software that isn't doing it as part of a genuine communications feature, it's just one more way to artificially limit the life of something that would otherwise carry on working just fine.
That's just the fine that can be imposed by regulators. It doesn't preclude individuals suing for damages in their own rights (and remember that in somewhere like the UK, there's no direct equivalent to class action suits, and typically the loser is going to pay costs for both sides in a civil suit like this). It also doesn't preclude being charged with any criminal offences that member states may wish to create in addition to the regulatory penalties.
If these corporations were actually people, they would be feed to the dogs.
If they do have another event on a similar scale once the GDPR has come into effect in Europe next year, being fed to the dogs might be the least of their problems. The penalties for a major compliance failure can be up to 4% of annual global turnover. Going by the figures mentioned in TFS, it looks like that would wipe out Equifax's entire net income for between one and two quarters. That's just the financial penalty from the regulators in the EU, and doesn't take into account any additional criminal sanctions that member states might choose to impose.
Um... Running with the herd is a very effective way to make money.
You just have to stop running before most of the heard when you get near the cliff. :-)
Agreed. I am increasingly of the opinion that any product sold that includes any form of sensor or communications device that is not both obvious and fundamental to its intended purpose should be required to carry prominent disclosure. The level of disclosure could be related to the risk, for example whether these components were on-by-default, whether they had any clear and robust indication that they were and/or had been in use, whether they could be reliably switched off by the user, and the nature of any information being transmitted or received via any communications elements.
In the worst cases, I wouldn't object to rules of the kind we insist on for cigarette packets and the like in many countries now, with a prescribed and significant amount of the entire packaging given over to warnings that must be shown in specific formats and must include specific wording about the dangers. For completeness, any violations of those transparency rules should probably also not give the benefit of the doubt to the manufacturer when it comes to applying penalties, because no-one accidentally includes a microphone and phone-home SIM card in their new range of TVs.
Then see if customers still want to buy "smart" TVs, "connected" cars, and so on.
They won't be any cheaper.
They might even be more expensive, because the price isn't being partially subsidised by all the junk.
They might still be better value for money, though.
That's a common, defeatist, and ultimately self-fulfilling argument.
The GP was right. Stores are selling what they can convince people to buy, because they want the money. If pitching so-called smart TVs as better than normal ones and thus being able to sell them successfully at a higher price works, that's what they'll do.
On the other hand, if enough potential customers ask about products without the junk or start asking tricky questions about the realities of these devices that waste the sales people's time, and particularly if those potential customers are then leaving the store without making a purchase, the stores will go back to demanding simpler units that they can sell. And if customers are giving their money to people who supply good, "dumb" TVs today then the stores and manufacturers offering that option also have a direct incentive to continue.
Voting with your wallet is possibly the most successful form of lobbying for change that humanity has yet conceived.
I'm not sure why everyone doesn't do this.
Because marketing >> technical specs, at least to the vast majority of potential customers who aren't knowledgeable enough about the tech specs to know what they're looking at and understand the implications. To be fair, since people keep buying this junk, it appears that the manufacturers are simply producing what the market wants.
I think the only real solution to this is better education. We need geeks to be telling their less technical friends and family about how fragile and/or dangerous all these "smart" extras are, and why (as just about everyone reading this on Slashdot presumably agrees) it's a much better plan to get a good screen and good audio and good content sources for your needs, but not necessarily all in the same box.
This is the real nightmare scenario for IoT privacy violations.
There are already devices on the market that come with their own independent connections to a wireless data network, and the trend seems to be accelerating. If we're talking about devices that are also connected to anything on your home network and/or that have safety or privacy implications, I'm not sure this is a healthy trend at all. We need much stronger regulation in terms of security, privacy, longevity, and transparency, and meaningful enforcement with substantial penalties, for this to be a sensible direction from the owner's point of view.
That doesn't explain why many companies tried telecommuting, found the results disappointing, and went back to requiring everyone to come to the office.
This seems far more likely to be the real explanation. Remote working has benefits, sometimes for both employer and employee, but it also has costs and it's possible that when companies that do it succeed it is despite the remote work rather than because of it.
The interesting questions IMHO are why some organisations seem to do much better with a lot of remote work than others. Is it about the nature of the organisation's work, so maybe some things are more amenable to being done remotely? Is it about the staff hired and their work ethic? Is it that some stages in a task require a lot of interaction that is more effective with everyone in the same place but other stages can be done just as well or even better from a distance and with fewer interruptions? Is it a case of needing the right processes and communication tools to support remote working, which some organisations have provided where others have not?
It's a tiny shift really. Facebook already reduced the number of organic views that you'd get for posts to professional pages by at least an order of magnitude a long time ago.
If you use Facebook as a channel to reach your customers/fans/whatever, the game has been pay-to-play for a long time, and the only thing that matters is still whether or not you get a good return on your investment, just like any other advertising. Watch your numbers, and if Facebook isn't giving you good enough exposure, pull your funding and spend it somewhere else, whether that's Google ads for your business or posters for your local church fair to up in local stores.
My "little knowledge" comes from about ten years working in relevant areas professionally and knowing how these protocols work down to the bit, but whatever.
The subject of this thread was authentication as a defence against malware injection. Obviously you're welcome to discuss other things, but they're not really on topic in this part of the discussion, and so far you appear to be trying to make some sort of dogmatic point rather than addressing the issue that everyone else is talking about.
In any case, nothing about authentication precludes the use of proxies, only the ability for proxies to silently pretend to be someone they are not. Those transparent proxies you seem so keen on are exactly the kind of threat the rest of us are considering, because a transparent proxy with access to unauthenticated traffic with no integrity controls can modify that traffic covertly to inject anything from ads to drive-by downloads. And as you point out yourself, if you are willing to trust a proxy, you can still set it up to work transparently if you're willing to install a new CA.
As you might have put it, the best of both worlds: choice, but yours and not your ISP's, your WiFi provider's or your local network impersonation artist's.