myprotegeai 3 days ago

A company recently demoed to me that they have the ability to see the work history, credit report, and bank balance of a visitor that visits a site with some tracking code, in under 500ms. They use this information for a product that qualifies leads for sales teams, so the sales team knows who is a waste of time to go after and who isn't.

Creeps me the fuck out, and the owners seem to have no ethical qualms about buying, selling, and using this data.

  • next_xibalba 3 days ago

    None of it is accurate and almost all of it is modeled from sparse, low quality training sets. Banks are not selling PII’ed account balance data to shady aggregators.

    To me, the more interesting and outrageous story is how many aggregators are able to sell garbage data so successfully.

    • bbarnett 2 days ago

      Banks are not selling PII’ed a

      You know how some banks have a service which tells you how you spend your money? With graphs, 20% on power, 15% on food, etc?

      That service is provided by a third party, who is given the data anonymized. A unique id number assigned. Yet it's trivial to deanonymize, and that's what happens.

      All that is required is one buy with a points card, an airmiles card, and you are forever relinked to your data. It's how points cards make cash on the side, how air miles do. Exact time, date, amount, location of purchase is a great sync method.

      If you pay for your phone with any form of traceable payment, they know who you are, your address, etc. From this immense data is gleaned, such as lot value, neighborhood, and so on. Companies can even get current location and geofence you, being alerted if you move in/out of a certain location.

      Mobile phone companies sell this data/service via an easy api. Companies relink a phone from the app level via IMEI and number, which is sold to aggregators along with phone data (contacts, etc). The telco api links to real identity.

      Once linked, forever linked.

      Most people love free apps, and give up messages/sms, contacts, and more to save a dollar on an app. From this immense relationship data is gleaned, including likely employer and social circle.

      Even if you are careful with your app permissions, certainly many acquaintances of yours aren't, so you get linked to their social circle, often with contact name/address.

      This is just the simple stuff.

      Source: I've dealt with these companies.

    • hammock 3 days ago

      >Banks are not selling PII’ed account balance data to shady aggregators.

      But is Plaid?

      And banks do sell account balance data, they also sell credit and debit transaction history

      • Seattle3503 3 days ago

        > But is Plaid?

        Or any of those budgeting apps that integrate with your bank account.

        • prasadjoglekar 2 days ago

          That's probably the signal. But as one of the parent posters said, the # of folks who use such budgeting apps is quite small. For advertising, small samples are useless, so this data has to be modeled to the full US population.

          For that, this very biased training set. And almost always the independent variables used for modeling are 7-10 standard demographics.

      • dml2135 3 days ago

        Seems like Plaid would be f’d six ways til Sunday if it got out that they were selling consumer data to 3rd parties, no? A huge part of their business model is based on trust and doing that would completely burn it.

        • hammock 3 days ago
          • dml2135 3 days ago

            Sorry, maybe “third party” isn’t the correct term. Let me try to lay out my point a bit more clearly:

            Plaid’s business model is — Company A needs a consumer’s data from Bank B. Plaid takes the consumer’s banking credentials, gets the data, and sells it to Company A.

            At no point in this process does Plaid go and sell this data to another unrelated Company C. The lawsuit cited was about Plaid not sufficiently explaining its position between Company A and Bank B to the consumer. It was not about Plaid going and selling the data to the highest bidder.

            • mike22 a day ago

              The value prop of Plaid, Yodlee, et al is that they can do this with one(-ish) API surface for tens of thousands of financial institutions. In their efforts to ensure Bob down the street won’t be sold any data, they do treat each customer (of the API, not the end users they pull data on behalf of) as an isolated tenant.

            • salawat 2 days ago

              How do you think they made money? It certainly wasn't from licensing their SDK that intentionally spoofed 3rd party banks in a way that deliberately misled users into assuming they were logging in with the bank directly instead of handing Plaid an access token that allows them to exfiltrate arbitrary transaction histories.

              Any time you hear yourself utter the words "Wouldn't x be f'd if word got out that y"... You need to stop and consider that there is an entire industry around reputation management, and PR crisis management that is leverageable by the deep pocketed in order to keep their name out of news items, and that the favorite acquisition of the absurdly deep pocketed is the media outlet/platform.

              Think. The world is full of scummy people looking to make a buck, and a much more pauce number who worry about doing so honestly. Until you meet one of the rare ones who falls on their sword for their ideals, never assume the guy on the other side of the table is one until proven through deed.

              • dml2135 2 days ago

                They make money through the fees they charge companies that pay for their service, so that they can get banking data from their consumers. Those fees are not cheap, so I do imagine they are doing most of the work to sustain the business right now.

                I’m not saying “you should trust Plaid with your data” — absolutely, 100% not that. I imagine that’s how I’m being interpreted, hence all the downvotes.

                What I’m saying is that at the present time, it does not seem to me that Plaid would be incentivized to do something that they explicitly say they are not doing. Plaid’s business model is, trust us to get your customers data and deliver it to you, and only you, safely. Selling it to Bob down the street on top of that would threaten their primary business model. And today, that primary business model is doing very well! So why threaten it?

                Now, someday in the future, maybe that business model has stagnated, and line still needs to go up, so someone may get greedy and that may change. In fact, this is even likely to happen! But there will be signals that it is coming.

                Even re: the issue of misleading users that they are not their bank — after they got slapped down on that one, their strategy changed. There is a new set of regulations around disclosure around these things, and Plaid is pushing them pretty hard. My guess is they had some hand in drafting these regs and are hoping to use a higher regulatory burden to build a moat against competitors.

                But honestly, I’m kind of surprised at the lack of nuance in understanding how Plaid works, especially here on HN.

        • mystified5016 3 days ago

          Pretty much no corporation in the last 40 years has suffered the consequences of their actions. Boeing has killed how many people and it's taking an act of Congress to even start talking about some consequences later, maybe.

        • hedvig23 3 days ago

          That logic suffices as truth to you?

    • ethbr1 3 days ago

      > None of it is accurate and almost all of it is modeled from sparse, low quality training sets. Banks are not selling PII’ed account balance data to shady aggregators.

      Part of the problem though is that much of this data is persistent, across order-of-human-lifetime.

      How often does your employer salary history have to be obtained to be useful? Maybe once every 10 years?

      I have zero faith that in jurisdictions without national laws prohibiting it (and laws that prevent usage of extra-national data) that's not happening.

    • myprotegeai 3 days ago

      Maybe they are using garbage data, but at least for the credit checks, he was running them on-demand at $0.75 a pop. He also mentioned browser fingerprint databases that he has purchased. Half of his job seemed to be processing and importing different databases that he had purchased.

    • pkphilip 2 days ago

      I use an app called PayTM for online payments. It shows me notifications that I have rent pending on a flat which i rent when I have NEVER used it to pay rent ever. It also shows me that I have pending electricity bills. It also picks up and shows me data on how much credit card payment is due when I have never used it to pay credit card bills.

      All of this information can come only through cooperation between banks, credit reporting companies, utilities etc.

    • Grimblewald 2 days ago

      Any ideas on how I can make my metrics tank predictions so I stop being marketed to so aggressively?

      • MavisBacon 2 days ago

        Second. Had to get a spam blocker because I was getting like 5-10 calls/day from “debt consolidation” companies which is a significant distraction

        The spam blocker is pretty powerful though, you aren’t getting past it unless you are in my contacts or have a # flagged as affiliated with a reputable business

    • inkyoto 2 days ago

      > Banks are not selling PII’ed account balance data to shady aggregators.

      Banks might not be directly selling the transaction history, but they report the customer transaction history to Equifax and similar credit scoring agencies. Equifax certainly does onsell that to shady credit companies, which has happened to me twice with letters in both cases stating in the footprint in a very small font size and in a very pale hue of grey «provided by Equifax».

  • ruined 2 days ago

    free startup idea: trolley-solver-as-a-service.

    integrate something like this with license plate data, property records, person recognition, and realtime location. when a self-driving automobile detects that it's out of control and unable to avoid imminent liability, it can make a cost-benefit analysis of each prospective casualty by querying an API that provides an avoidance score for each consumer and property in the vicinity. based on this score the client automobile will be able to identify a route of least liability. consumers may be encouraged to integrate with these services by assigning unidentified things a score of zero.

    • Grimblewald 2 days ago

      Don't give them ideas. Given the things we've been seeing, you just know some nepo-CEO somewhere will read this and think it is A) their idea, and B) brilliant.

      • ruined 2 days ago

        hire me a patent lawyer

  • vundercind 3 days ago

    The first time I saw a session replay of all the mouse movements and input of a user on their own fucking computer that some marketing website-spyware had recorded was the moment I decided the Internet was a mistake.

    • mason55 3 days ago

      Pretty much every analytics product does this now. Amplitude, Statsig, Posthog, etc.

      Not saying it’s a good thing but assume that most websites are recording your session at this point.

      • datavirtue a day ago

        Another way for my mouse jiggler to add value.

    • jerlam 3 days ago

      An intern at my company built a proof-of-concept of this within a month, under a mistaken direction to build "analytics tools". When the intern presented this to the team, everyone was horrified and we never brought it up again after the intern left.

    • rexarex 3 days ago

      You mean the free product Microsoft Clarity that everyone uses?

      • vundercind 3 days ago

        Nah, it was some smallish company’s SAAS thingy. This was maybe 2015.

        • a13n 3 days ago

          fullstory

          • vundercind 3 days ago

            It was already common then, I gather—the ex-developer-product-owner guy who showed it to me (in the course of doing something else) didn’t seem to think it was remarkable, just an assumed capability. I don’t recall the name of the product, but it’d record all the input and page content for an entire session, you could watch it play back like a video. Exactly like standing over someone’s shoulder while they used their computer. Creepy as fuck, but some genius renamed “spyware” to “telemetry” and that was enough to get every developer on board because we’re super insecure and will jump at the chance to pretend we’re building Mars rovers or something else real while we make yet another “app” the world doesn’t need (I suppose that’s why that label was so successful at changing attitudes, anyway)

            • jonhohle 3 days ago

              Isn’t this how heatmaps were generated as far back as the late 2000s?

              • vundercind 3 days ago

                Click-mapping came earlier, and there may have been a few places mouse-movement and cross-page-load session tracking some sessions, but I don’t think it was a “just turn it on and leave it on” thing for even most large sites. And a lot of early heat maps came from user studies, which is the right way to do that.

                [edit] also, that just happened to be the first time I’d seen a single session represented that way, rather than aggregates. Again, it wasn’t some brand-new thing then, it’d been around long enough to have multiple companies offering it as a service, not just an internal tool at a couple giants.

    • XCSme 2 days ago

      Are surveillance cameras in shops any different?

      • barryrandall 2 days ago

        You can usually see the cameras, and many places require that you notify people they're being recorded.

    • Grimblewald 2 days ago

      time to make plugins that send fake mouse data, and have that draw nothing but hyper-realistic phalli.

      • datavirtue a day ago

        Put this in your AI and smoke it.

    • sensanaty 2 days ago

      We had one of these, Hotjar I think. To their (smallest possible) credit, there's 0 legible text in the replays, you basically only see the rough UI outlines and everything else is redacted. Wouldn't be surprised if it featured a keylogger though.

      I asked our data team what the fuck they need this level of tracking for, and they said "wasn't us, it was marketing that requested it".

      So I ask many of the marketing people, and they just say "oh we thought it could be useful!" Without actually clarifying the "how" or "why".

      I removed that shit with a quickness after that, and no one's complained so far (duh)

      I love the GDPR if nothing else because it scares the - excuse the vulgarity and ableism - retarded decision makers into not doing idiotic shit like this. For any kind of bullshit like this I just bring up GDPR as a shield these days and none of it goes through

      • ipdashc 2 days ago

        > So I ask many of the marketing people, and they just say "oh we thought it could be useful!" Without actually clarifying the "how" or "why".

        This stuff bugs me so much; it all feels so cargo-culty. Even ignoring privacy, I wonder how much money and computing power is burned on buying and collecting data that nobody needs and that doesn't actually serve any significant business purpose.

  • m463 3 days ago

    What if it was your daughter?

    22 years old, height proportional to weight, poor decision making skills.

    What about your son?

    I've seen this offered to young kids paying rent:

    "Flex lets you pay rent on a schedule that works better for your monthly budget and frees up your cash flow."

    "Help you pay rent on time. Improve your cash flow. Build your credit history."

  • zoltrix303 2 days ago

    I had a similar experience once where a vendor demoed their tracking tech for advertising. This was in France (before GDPR) and they had partnered with many apps (Weather apps and such) to access user locations. I don't remember the size of their target but it was a big chunk of the French population. They showed a map of Paris showing the day of a particular user from leaving their home, which route they took, how long they stood in front of which store and how long they spent inside others etc. My boss at the time found the whole thing very exciting...

    • Mountain_Skies 2 days ago

      While out hiking one day, I started thinking about buying a small ladder for the kitchen. When I got home that evening, I started seeing ads for ladders even though I had not searched for ladders, spoke to anyone about ladders, or even texted anyone about them. It was just a thought I had while hiking. Was it a coincidence or something else?

      Finally figured it out a day later when reviewing my hike on the Fitbit app. At the end of my hike I forgot to shut off route tracking. On my way home, I had stopped by Walmart to grab a few things and while there, looked at their ladders. I could see on the app the path I took through the store, including when I stopped for a few minutes in front of the ladders. That was enough data to trigger ads for ladders for the next couple of days.

      We leak data about ourselves constantly without realizing how much we're doing it or where it ends up going. Lots of it is also circumstantial and makes me wonder what erroneous ideas some of these databases might have accumulated over the years and who gets to see that "information". What happens if you walk through a part of town where there's an activist rally for "We Love Kitten Torture" going on? Do you forever get tagged in a bunch of databases as an animal torturer?

      • squigz 2 days ago

        We don't leak data about ourselves. Companies specifically collect data about us, and then do whatever they want with it.

  • luckylion 3 days ago

    "A visitor" as in "any visitor"? Or rather "a visitor", i.e. a specific one, about whom they already possess all this data and it's just a look up?

    The latter I absolutely believe. The former I'd file under sci-fi marketing tales that anyone with some amount of knowledge about web technologies wouldn't fall for.

  • Justsignedup 2 days ago

    Overheard a convo from our sales team "I reached out to a few people, just waiting for them to do more than 5 seconds of Google searching of us before we reach back out"

  • A4ET8a8uTh0 3 days ago

    Wait.. physical site like a store or a web site? Not that either would make it that much better than the other, but you got me really curious.

  • riahi 2 days ago

    This sounds like they are somehow identifying the user and querying theworknumber.

    You can get a ton from a worknumber query.

  • anjel 3 days ago

    Soon to be combined with palantir face recognition tech. No need to chip your citizenry!

  • raxxorraxor 2 days ago

    They do get info on those that willingly share, but not the other ones.

    Problem is that people share so much that those that do not start to stand out and might get penalized as well.

  • tonetegeatinst 3 days ago

    What data broker would even sell this data?

  • nipponese 3 days ago

    Name the company please.

  • ranger_danger 3 days ago

    Nothing like this exists for data on the general public and it would be illegal anyways. Either one of you is not aware of what that product actually isn't, or are being intentionally deceitful and spreading FUD.

  • whycombinater 3 days ago

    Just beat them to death.

    Jury nullification.

    Or vote, or whatever the site rules permit, good luck with that.

  • bofadeez 3 days ago

    Sounds like vaporware. Might be possible for a negligibly small % of visitors. And even then cold outreach is not very effective.

    • drdaeman 3 days ago

      It's basically same as classic approach of correlating salaries with ZIP codes, just with more parameters. Which sort of works statistically, because there are correlations - but is nothing more than a hallucination at individual visitor scale.

      • bofadeez 2 days ago

        That seems more realistic. But even if a marketer theoretically had access to atomic level detail on every single prospect, there's not much they can do to manufacture demand.

        Humans are kind of smart and resistant to manipulation. Especially the ones with money.

        • drdaeman 2 days ago

          > Humans are kind of smart and resistant to manipulation. Especially the ones with money.

          I'm not sure. I think gaming/gambling industry having a concept of "whales" kind of disproves this.

agentultra 3 days ago

Finally. We all “know” that corporations will always choose profits over literally anything else. Glad to see the comeback of the FTC. It seems we only get meaningful progress when there’s strong regulation.

Other notable examples: the EPA. There was a time when people had to wear gas masks out doors in some cities because the pollution was so bad before regulations and enforcement came into place. Similar stories with CFC emissions.

The development of the Internet has been accelerated under mostly conservative leadership which has been walking back regulations. And while much innovation has happened in that time I think a great deal more could have been achieved if it weren’t focused on this kind of profit-at-all-costs environment it’s been simmering in.

  • musicale 2 days ago

    > Other notable examples: the EPA

    I wish the EPA hadn't dropped the ball on noise pollution.

    • tenacious_tuna 2 days ago

      I live in a high rise in a major US metro (not NYC). A building across the way installed a new HVAC handler that whines at a relatively high pitch (think industrial shop vac) 24/7. One of my favorite parts of fall is being able to have the windows open and have lovely fresh air, but I can hardly hear myself think. And we're a good 100m away from the thing!

      This is to say nothing of the traffic noise or garbage trucks or whatnot--but a building appliance? I thought surely that must be regulated, or at least controllable. It's unreal the lack of attention people pay to it.

      • MathMonkeyMan 2 days ago

        Maybe there is a law on the books that the building owner is violating. I'm not sure where you'd look or what you could do about it, but the NYC equivalent would be calling 311 to file a noise complaint.

  • baranul 2 days ago

    While it is true, better regulations are needed to get control of some of these companies, those same companies are going to attempt to buy off politicians and whoever possible. It's not going to be any kind of easy battle or quick fix, and the public is going to have to get more involved, to make sure the needed laws and regulation get passed.

  • chung8123 2 days ago

    People also pick money over privacy. People do not turn down working at these companies. They make a ton of money to implement these systems.

    • foo42 a day ago

      fwiw I refuse to work on such things, as I'm sure many others in HN do. It probably doesn't make a difference, but I can sleep better at night at least

  • mgraczyk 3 days ago

    Needing to wear gas masks outside sounds like a pretty bad, tangible harm caused by a lack of pollution regulation.

    Do you have any examples of similar tangible harm caused by lack of regulation on data collection?

    • aierou 3 days ago

      Many people fear that a corrupt or authoritarian regime might misuse data to cause harm. However, the reality is that such regimes tend to carry out harmful actions regardless of the data they collect. Data can make their efforts more efficient, but the real danger lies in the regime's intent, not necessarily the data itself.

      • mgraczyk 3 days ago

        Exactly, historical authoritarian states got by just fine by reading the mail and listening to conversations. You don't need to know which fragrance I bought last week to oppress me, and it wouldn't help anyway

        • monkaiju 3 days ago

          But they broadly didn't actually get along just fine... Almost without exception they have fallen, commonly due to internal resistance. Making that internal resistance harder via enhanced surveillance is the issue that could make future scenarios even worse.

          • mgraczyk 3 days ago

            [flagged]

            • Tanoc 2 days ago

              The most defined example would probably be Apartheid South Africa. Despite being in a weak position, having few resources, and dealing with constant losses, the ANC were so successful in harassing the National Party over three decades that the National Party finally ceded power in 1993. This was enabled by radio broadcasts, fast printing, and starting in the late 1970s digital espionage. Information and the spread of information was tightly controlled by the National Party, which is one of the three major reasons why it took so long and why slow erosion was the only viability rather than full immediate revolution.

            • singleshot_ 2 days ago

              the British North American colonies

    • hotspot_one 3 days ago

      People in Texas facing murder charges for traveling to other states to get an abortion.

      People facing criminal charges for helping people in Texas learn about what options for managing their own reproductive health and bodies.

      • mgraczyk 3 days ago

        Do you have a link for the first one? I don't think that has happened (although it could under Texas law as I understand it)

        Is there an actual case where data described in the article was used for anything like what you're suggesting? The actual cases involve people reporting each other (a man reporting a woman he is dating for example).

        Sounds to me like blaming the acid rain on the acid detectors

        • shiroiushi 2 days ago

          >a man reporting a woman he is dating for example

          That sounds like a good reason for any women in Texas to avoid dating any men in Texas.

    • gaganyaan 3 days ago

      Targeted advertising dragging people down rabbit holes into extremism

      • mgraczyk 3 days ago

        Ads don't do that. Maybe you're thinking of organic posts, which are not ads? Or do you have examples of "extremist" ads?

        Having worked on this stuff, I can tell you that the data relevant to extremist rabbit holes is not what the FTC is talking about. Facebook learns enough from which posts you click on to know which extremist content to suggest (and then they intentionally do not suggest it)

        • llamaimperative 2 days ago

          The necessity to engage people for the advertising business model to work does do this. People are naturally engaged by outrage, the algorithms “figure this out,” and systematically produce outrage. No ads, no existential need to arbitrarily increase engagement.

      • t0bia_s 3 days ago

        Consumerism makes society less conflict. This idea was implemented by propaganda in 30's by Edward Bernays. Propaganda was later changed to term public relations after connection with Nazism during WW2.

    • vaindil 3 days ago

      I'm sick of needing to spend weeks researching which couch or mattress to buy because corporations will happily sell me a terrible couch for $3,000 that only cost them $50 to make. It'll fall apart in a year or two, conveniently after the warranty expires, but hey, their profits are going up so who cares about the buyer?

      I'm sick of events like the Boar's Head listeria outbreak killing 10 people happening with regularity now. Last year it was eye drops causing blindness. The companies don't care beyond the lawsuits they'll face, who cares if people die as long as their profits go up?

      I'm sick of oil companies lying about the environmental harms they cause. Their profits are going up, so why should they care about climate change or the tainted groundwater their fracking causes?

      I'm sick of seeing ads and billboards for corporations everywhere I go. I'm sick of being tracked because corporations can make x% more money with my data than they can without it. Installing uBlock Origin is easy, but we now have facial recognition systems with physical cameras in the real world. Can't do anything about those unless I just never leave my home.

      I'm sick of people defending this behavior by asking "what tangible harm have you experienced?". The tangible harm is that I'm fucking tired. I'm tired of living in a society that requires expending so much mental energy just to exist.

      I should be able to just trust (within reason, of course) that a $1,000 mattress will work for X years without needing to research whether the company is decent or known to be awful. I should be able to buy chocolate from the grocery store without needing to research whether the corporation (or any of its 24 parents and subsidiaries) used slave labor to produce it. I shouldn't need to worry about bottled water being stolen from aquifers by corporations that will simply move on after destroying the communities that depend on that water.

      I vote, because it's all I can do, but that accomplishes nothing because we're stuck in a two-party system that won't let me vote for a candidate far enough left to actually fix things. Instead we continue to maintain the status quo, because corporations have more money and political power than civilians.

      I'm well aware that this reads like an overdramatic manifesto. I'm just sick of everything feeling like it's getting worse all the time, and it seems pretty causally linked to the rise of corporations. Is it too much to ask that I be able to live without them invading _every single aspect of my life_? I don't think it is, but I think we're too far gone at this point for it to ever change.

      • throwaway35imi 2 days ago

        > I'm well aware that this reads like an overdramatic manifesto.

        No, it reads like you are reading my mind. Well said, especially the point that this is _every single aspect_ not just an infraction here and there.

      • candiddevmike 2 days ago

        You sound like you're mad as hell, and you aren't going to take it anymore

      • rrdharan 2 days ago

        Try not worrying about as much stuff?

        100 years ago well before the invention of so-called surveillance capitalism, people were making soft drinks out of radium, and inhaling asbestos.

        Many things are better since then. Some new things are probably worse, but every reasonable measure of human welfare suggests we are better off than we were previously.

        Something some subset of us are worried about right now, whether it’s WiFi or 5G or Covid vaccines, will turn out to have had horrible consequences and you can’t really fault the rest of us that we didn’t listen to the crazies.

        Just embrace panglossian optimism because the alternative is to just be angry and exhausted and indignant all the time and then you’re no fun at parties.

        • Tanoc 2 days ago

          When you go across a long enough timeline variations occur. Nothing over time in human history is a constant linear improvement. We may be better off than we were in 1924 in terms of health and safety, but we're definitely not better off than we were in 1994. Legislation hasn't kept up with chemical science and social engineering, and enforcement has been tentative as fights between executive power and judiciary power create years long arguments that get in the way of preventing harm. For example Red 40 is a dye that's well known to cause cancer with a high degree of certainty (not probability, certainty), while the artificial sweetener sucralose is genotoxic. You go drink a can of Faygo Cherry and it's got both. The FDA hasn't been able to regulate either because they haven't been legislated the power to do so, are now even more crippled thanks to the overturning of Chevron, and companies keep funding "alternative studies" that they can present to lobbyists.

          It's hard not to be angry and exhausted when you have to be a chemical engineer just to know what's even safe to eat.

        • DonnyV 2 days ago

          People like you are part of the problem.

      • DonnyV 2 days ago

        I agree with all of this 110%!!!

        So tired of people making excuses so that some billionaire can buy another yacht. Can we finally actually start investing in people and putting people first instead of corporations?

    • Const-me 2 days ago

      > similar tangible harm caused by lack of regulation on data collection?

      There’s a spike in teenager suicides, girls in particular. The phenomenon is well researched, it correlates with popularity of social media among teenagers. I believe that’s causation not just correlation, because social media didn’t become popular everywhere at once, they did gradually for different countries/languages, the teenager suicides spike follows.

      Restricting data collection will fix that by dismantling the business model. Will be harder for tech companies to convert screen time into profits. Will even flip the motivation developing addictive apps: the more time users will spend there the more bandwidth they consume i.e. profits will turn into costs. Which is good for most people, except employees and stock owners of social media companies.

      P.S. Personally, I prefer more radical approach: total ban of advertisements on the internets. Many cities did it for billboards, I don’t see why we shouldn’t do the same online.

      • mgraczyk 2 days ago

        Banning online advertisements would essentially cripple small businesses in the US. Even local businesses today rely on online ads for foot traffic. Banning ads would send us back to the economy of the 1950s, where most profit accrues to a number of powerful corporations, and small manufacturers and creators have no market power.

        I used data and ran experiments to measure and mitigate teen well being and harm at Instagram. I was not on the team responsible for this, but I worked on organic ranking and was responsible for understanding and measuring the impact of these things. I can say with certainty nobody cares more about teen well being than Meta. It's their future, and the success of Instagram over Snapchat is essentially completely due to better positive interventions for well being. We measured this carefully with RCTs and had more data than anyone on the planet.

        Overall Instagram is net good for the majority of teens across a wide variety of well being metrics, and net negative for a small percentage. Meta spends hundreds of millions trying to fix those latter, rarer cases.

        • Const-me 2 days ago

          > where most profit accrues to a number of powerful corporations, and small manufacturers and creators have no market power

          You’re describing the status quo with online ads still legal. Amazon has 37.6% share of e-commerce; small manufacturers can’t compete. Google hosts 79% of videos viewed over the internets, and it abuses small creators really bad, with no ways to appeal or contact humans.

          One of the reasons how these corporations became that powerful was unrestricted and legal digital surveillance. Another reason, anti-monopoly regulators asleep at their job allowing big tech companies to easily acquire competitors (e.g. Google was competing with YouTube for a year or so with “Google Video” product, failed, then acquired the competitor).

          > net good for the majority of teens across a wide variety of well being metrics, and net negative for a small percentage

          Many researchers who don’t work for FB were warning for years. Couple years ago some of that internal research was leaked, here’s a copy-paste “Thirty-two percent of teen girls said that when they felt bad about their bodies, Instagram made them feel worse” https://archive.is/qBpaq#selection-915.1-915.113 I would not call 32% “a small percentage”.

          Another thing, “negative for just a small percentage” is a poor defense. Even if it’s indeed tiny, it still doesn’t mean the business model should be legal. Imagine a lottery where 0.1% people win $1M, 1% people win $10k, 10% people win $1k, 89.9% don’t win or lose anything, and 0.01% lose their life – don’t you think a business model like that should be illegal?

    • bitnasty 3 days ago

      Identity theft

      • mgraczyk 3 days ago

        Do you have any examples where the data was obtained from sources that collected it for ads? As I understand it, the sort of data that is collected for behavioral advertising isn't useful for identity theft and has not been used in that way.

        For identity theft you need things like names, addresses, SSN, W2 income, etc

  • toofy 2 days ago

    before regulation, we had multiple actual rivers that caught on fire from all the stuff they would dump in it. multiple different times. it’s wild to me how people argue with sincerity that we don’t need to stop them sometimes.

glitcher 3 days ago
  • techjamie 3 days ago

    > Based on the data collected, the staff report said many companies assert that there are no children on their platforms because their services were not directed to children or did not allow children to create accounts.

    Funny how they have advertising cohorts drilled into every niche interest or happening, but they just can't perfect the technology to determine if someone is a child. Very elusive tech they've definitely been working day and night to implement for years.

    Almost like they benefit from acting blissfully ignorant.

    • willis936 a day ago

      >they just can't perfect the technology to determine if someone is a child

      Oh they do. It's a very valuable demo and doubtlessly they worked day and night for years to perfect it. They want to shape the malleable minds of lifetime consumers. They have, with great success, for nearly a century.

mrbluecoat 3 days ago

A four year investigation to tell us what we already know. The real question is: What is the federal government (or anyone else) going to do about it?

  • janalsncm 3 days ago

    A lot of people wonder why we study and document things that are already “common knowledge”. This is true of scientific studies as well. What a waste of money, right?

    The answer is, until you actually do the work you don’t actually know. Scientists and government officials can’t cite common knowledge. And even if you were right about the conclusion, the details matter. The amount matters. The mechanisms matter.

    • SoftTalker 3 days ago

      > government officials can’t cite common knowledge

      Government officials can cite whatever they want, including stuff they pulled out of their ass, as long as they have the votes.

    • iterance 3 days ago

      High-quality studies also lay out a methodology for evaluating, assessing, and ultimately characterizing the issue, so that the impact of policy changes can be properly assessed. Even showing that well-known investigatory methods function adequately for a given problem is of value.

      Put another way, "you can't control what you can't measure" (or in this case, characterize more generally).

  • fallingknife 3 days ago

    Nothing because the government wants to do this surveillance itself but can't by law. The availability of corporate surveillance means the government can use it too, so it benefits them.

  • barryrandall 2 days ago

    What do I want them to do? Pass a constitutional amendment that bans government invasions of privacy, legislation that extends those rights to individuals' interactions with private parties, legislation that funds the enforcement of those protections, legislation that creates civil penalties for violating those rights, and funds courts that hear those cases.

    What do I expect them to do? Limit super-invasive spying to domestically-controlled companies.

  • sixothree 3 days ago

    This report gives us a framework for legislation. In no way does it "tell us what we already know".

  • llamaimperative 3 days ago

    There are plenty of people who "know" things that are actually wrong. This investigation is an important first step for the government to feel confident they know what's going on before exercising state power, which is, you know, a good thing. Vibes- or rumor-based exercise of state power is ill advised.

    The Biden FTC has been quite aggressive against all sorts of anti-consumer practices throughout the economy which tend to follow these types of reports. I suspect action is coming relatively soon.

fromMars 3 days ago

The information Credit Bureaus and Banks store is much scarier. They know your salary every place you've worked and lived. And with all the recent links anyone can find this information on the dark web.

motohagiography 3 days ago

that horse left the barn over a decade ago. my attitude has changed to where I used to do security and privacy work to mitigate risk from a coming corporate cyberpunk dystopia, but now I think the idea of governments getting a monopoly on surveillance is the worst possible outcome.

a real solution would be to legally privilege and disqualify classes of personal information from civil and non-violent criminal legal proceedings based on how they were collected, and PII collection sources material to commercial decisions must be disclosed in offers and contracts.

insurers and creditors would actually have to take risk again instead of being rentiers, police are servants and not governors, and the provenance of PII as evidence would have to be proven as from a legal and prescribed source that included explicit consent. there is no stopping the flow of data collection, but we can improve laws to manage it.

  • raxxorraxor 2 days ago

    It is not an either/or. You can just disallow to collect personal information and it would be valid for state and advertisers.

    Information is power and if insurances and producers know everything about you, you will be squeezed like a poor victim.

    On bad days I believe people that overshare information deserve that fate, but there isn't really an argument against just regulating collecting information or make them seriously accountable for this information being leaked with severe financial penalties.

    It wouldn't even be hard to regulate. Enforcement wouldn't be easy, but I guess the risk for many companies would just be too high to even try.

kristjank 3 days ago

I have become more and more inclined to deem the advertising industry considerably worse than the military industrial complex, and I hope that some higher force smites the executives involved with great vengeance and furious anger someday.

t0bia_s 3 days ago

For me it's hypocrisy to regulate surveillance of private companies by state. You have option to not use their data collecting technologies. You cannot opt out to surveillance by state!

Let's not play a game to make states the good guys and companies the bad boys.

  • JumpCrisscross 3 days ago

    > it's hypocrisy to regulate surveillance of private companies by state

    Now do arms.

  • kristjank 3 days ago

    I really hate to defend state surveillance here, but at least that provides me with some (arguably false) sense of security and uninterested crimefighting. The private sector private eyes provide me only with never-ending ad slurry that's been wearing me down by the day.

  • squigz 2 days ago

    Thinking you can simply opt-out of the massive and pervasive data collection that companies engage in is extremely naive.

    Let's not play games to make companies the innocent bystanders and states the evil antagonist.

  • raxxorraxor 2 days ago

    I think hypocrisy is entirely the wrong term here if you do not want corporations to have the same rights as a state.

    It is true that the state should not collect this information either for that matter.

tsunamifury 3 days ago

This will make optimal global pricing an insane world where everything will cost the maximum you can pay but the overall system will collapse as people will consume way less and be more miserable within it.

29athrowaway 3 days ago

And what was the FTC doing all these years?

  • Scipio_Afri 3 days ago

    Under a different administration in the previous 4 years.

    Any large institution takes some time to change, senate confirmations for the leads of major agencies don’t occur immediately upon swearing in of a new President - it’s often months later. Then, after that occurs, change from the top down occurs.

    Additionally for any sufficiently large group of people it takes a long time to get people to take any sort of collective action, let alone an organization with processes, years long funding and contracts already in place. Then there are sometimes/often legal challenges to the awarding of contracts, the issuing of regulations.

    How long do you think this study would’ve taken to execute by itself? Okay now how long do you think it would’ve taken to plan the methodology for what they should do to execute. Before that they have to have a proposal of what they would like to study and then get the money approved / allocated to do the previous work I just mentioned, such as a detailed methodology.

    Again, this administration has been in charge of the FTC for only 3 ish years and had to probably rebuild it towards focusing on holding businesses to account.

    Not quite sure what else you’re expecting, it takes companies as well many months and even years to change focus, or to deliver a robust product. And that’s generally with an agreed upon a singular focus.

  • A4ET8a8uTh0 3 days ago

    Election year. The assumption is it is simultaneously posturing for current administration, validating its existence and funding to potential new one, and PR for the public.

    Before that? I don't remember that much from the past few years, but I think a good chunk of federal agencies were kinda in a weird stalemate (which is kinda what the US system is built for anyway).

    • kibwen 3 days ago

      > Election year.

      This FTC has been extremely active and assertive since 2021, for which I'm thankful. People only pay attention in election years.

      • dartos 2 days ago

        Recently they’ve been starting to do shit, but they’ve been dropping the ball for the last 16 years.

OneLeggedCat 3 days ago

> "While not every investigated company committed the same privacy violations, the conclusion is clear: companies prioritized profits over privacy. "

Why wouldn't they? A capitalist shareholder system requires that they do exactly this, to whatever extent it does not impact sales.

It's on citizens to demand regulation, and yet in the US, a probable majority of voting citizens don't like regulation, and think that government is too large or too untrustworthy. Combine that with the control that corporations have over our politicians, and further combine that with low public understanding of the issue, and there is nothing realistic that can be done.

So I consider surveillance capitalism to be permanent in the US. Regardless of the fact that most people don't like being spied on and manipulated constantly. Perhaps some really large, really bad event could galvanize the public, but I doubt it.

oglop 2 days ago

You are not kept in the dark. This is not 2016. If you use these companies you know good and god damn well what they are doing. Grow up and take responsibility for using them, or delete your data and get off. Zero sympathy in 2024 for people shocked by this.

Also, you don’t own your data. That idea is itself an absurdity that is already meaningless. Once that is accepted life becomes much simpler. You want stock growth and tech jobs, that’s part of the deal. I didn’t make it and I’m not responsible for it but that’s how it is.

lyu07282 2 days ago

The microsecond Kamala is in office Lina Khan is axed, that's my election prediction.

exfildotcloud 3 days ago

Agreed. Out in public yet encrypted is something I've been playing with as https://exfilcloud.com has no protection against access other than encryption.

  • meonkeys 3 days ago

    This looks kinda sus. Why would or should anyone use this, @exfildotcloud?

    • exfildotcloud 3 days ago

      Good question. All encryption happens in the browser. I may release the code but it's really just Go Age WASM with a KV backend.

      What's suspicious?

      • meonkeys 2 days ago

        Closed source, and the HN account just for this purpose/service.

        • dartos 2 days ago

          Second the closed source nature. Believing that something closed source is actually encrypting messages is the same as believing in “trust me bro”

          Tho, you can be open source without being FOSS if you want to give customers the ability to verify what you’re doing without giving away your IP.

          • exfildotcloud 2 days ago

            Thank you.

            Age encryption is open source. I suppose I could open source it as I am not looking to make sell anything with this service. I am mostly looking for feedback.

            What would give you the peace of mind to use this with confidence? Considering that Signal, WhatsApp, etc are all closed source tied with phone numbers requiring extra identifying info I put this together as an experiment.

            I will start on releasing the code and build.

            • meonkeys 16 hours ago

              > I will start on releasing the code and build

              Good! This is a great way to get more feedback and potentially more users. I'd encourage you to make it easy for folks to self-host.

              You can still maintain control and the ability to make it a paid service, even if you choose an AGPL license.

              > Signal, WhatsApp, etc are all closed source

              False. Signal is open source. See https://news.ycombinator.com/item?id=38585458

              Except a server-side anti-spam component, apparently? See https://en.wikipedia.org/wiki/Signal_(software)#Licensing

              > tied with phone numbers

              This is a valid concern about Signal and it comes up often. I believe any privacy risk around your phone number leaking or being tied to your activity on Signal is sufficiently mitigated by the folks who run the Signal servers (the Signal Foundation) since plaintext phone numbers are only used for initial SMS verification. They are then discarded, apparently. Contact discovery/matching is done on the device only with SHA256 hashes of phone numbers.

              And now you can discover/connect with others via usernames that can be changed at any time and hide phone numbers altogether.

              Hmm, but https://support.signal.org/hc/en-us/articles/360007061452-Do... disagrees with https://en.wikipedia.org/wiki/Signal_(software)#Contact_disc... ... that's not good.

            • dartos 2 days ago

              I don’t personally use Signal or WhatsApp, but I also don’t seek out extra secure messaging apps.

              Right now, if I was to go extra secure, my go to would be something built on the matrix protocol. I would probably spin up my own synapse node for total control. But I am a programmer, technophile, and FOSS nerd, so I may not be your target audience.

              That being said, I think I’d have confidence if I could see the code and a signed build with some way to verify that the code I see published by you is in fact the code on my device.

OutOfHere 3 days ago

As true as that is, I think the people should still worry 100x more about government surveillance than about commercial surveillance. Commercial surveillance is only trying to sell you something you don't need. In contrast, government surveillance, with or without cooperation from commercial entities, is trying to lock you up for victimless crimes or on flimsy evidence because they have run out of real terrorists to fight. The government's data collection is vastly larger than of anyone else, all paid for by you with your taxes. Encryption, cybersecurity, and minimizing data retention are the primary ways to fight it.

  • politelemon 3 days ago

    > Commercial surveillance is only trying to sell you something you don't need.

    This simply isn't true. Commercial surveillance is a means and method of inserting itself further into your workflows or lives. Just think of all the health and identity related 'features' being rolled out (and celebrated), and how governments are readily capitulating to them. It isn't far fetched or tinfoil to consider that these commercial entities, at some point in the future, can become the arbiters of decisions that affect you.

    This isn't even about commercial vs government surveillance, they are equally dangerous, and of both you should be equally wary; governments are far more careful with actions, even with malicious intent, whereas commercial entities with deep pockets are often abstracted away sufficiently to escape blame or consequences. However, governments that delegate to commercial for decision making means that there is little to no difference in the 'type' of surveillance.

    Minimizing your own ecosystem lockin is extremely important.

    • SoftTalker 3 days ago

      > health and identity related 'features'

      But it's easy enough to just opt out of all that. I don't use fitness or health wearables. I don't have my DNA or ancestry analyzed. I don't use online/telehealth services. Hell I don't even visit the doctor very often. I don't trust healthcare at all because it's very easy for them to use "scare" marketing to get people to pay for all kinds of stuff that (a) they don't need and (b) has very little real benefit and (c) that in most cases is for conditions that common sense and a little self-discipline can avoid.

      You're free to think that doctors and health organizations operate on some higher plane of morality but the truth is they are businesses and need to compete for customers just like any other business does.

  • janalsncm 3 days ago

    When the government is allowed to buy information which would otherwise require a warrant, private surveillance becomes government surveillance.

    • pixl97 3 days ago

      Exactly, there is no difference. In fact in some ways it is worse because the government can say with a straight face they aren't collecting your data and monitoring you... they just pay someone else for that service.

      • A4ET8a8uTh0 3 days ago

        Yep, and I keep harping on that one simple point. If that data is collected at all, it will be used. Even with laws protecting it. Look how HIPAA has become something of a joke now between regular breaches and app everything, which skirt as much as they can.

      • fallingknife 3 days ago

        They lean on social media companies to violate your 1st amendment rights and then buy from them to violate your 4th.

  • throwawayqqq11 3 days ago

    > Commercial surveillance is only trying to sell you something you don't need.

    Besides the maximization of revenue, the profit motive also dictates the reduction of risk. Consider any application for insurance, membership, coverage...

    >government surveillance, is trying to lock you up because they have run out of real terrorists to fight

    "Government is surveilling/fighting you because who else" is easily applicable to $EvilCorp monopolies, because it's tautological.

  • red_admiral 3 days ago

    I assume that all data the commercial providers have on you, the government can access too if they would like to. Probably the government is even happy they can "outsource" a lot of data collection.

    • OutOfHere 2 days ago

      Actually, much of the commercially collected evidence is not strong in court if it is admissible in court at all. One can simply reject it claiming that it is a mis-association, but only if there isn't further objective data that conclusively ties one to the collection. In practice, usually the government finds evidence that is more directly incriminating, and the commercial evidence is then secondary to the case.

    • dartos 2 days ago

      This exactly.

      I’m glad I’m not the only one who thinks like this.

  • Grimblewald 2 days ago

    If it were as simple as "selling things" then it would be fine, the problem is it doesn't stop there, it is not about offering things for sale, it is about manipulating you into buying by any means necessary. You are not immune to propaganda.

  • sensanaty 2 days ago

    No, I'd actually much rather the government be the one doing the tracking than private companies beholden only to greedy shareholders and their whims.

    I mean, I'd rather nobody track anyone but that's no longer a reality, so if we're picking sides here I'm definitely pro-gov't.

  • salawat 2 days ago

    Commercial is just Government by another name. walks like a duck, quacks like a duck. Is granted duckhood by the Ur-Duck.