50 comments

[ 3.0 ms ] story [ 103 ms ] thread
A rough translation of the screenshot:

“Your Options:

If you do not agree, you cannot continue using Facebook. You can delete your account and you have the option of downloading your information“

What do you have to consent to?
Their new privacy policy, which includes consent to all of Facebook’s standard data processing, ad targeting, etc. You either accept or leave the platform.
So all the previous rhetoric about users always having known what they were signing up to and things being easily opt-out, what was that?

It's amazing (though not really) that all these companies were quite sure they gave users informed and accurate choices, until real penalties are attached if that isn't quite true...

As much as I appreciate the sheer balls of this, it's clearly not in compliance with the law according to the recitals; consent gained in this fashion is not "freely given." Now personally, I think this approach should be acceptable -- if you don't like it, don't use it. But under the GDPR, that's not the deal.

Be right back, making popcorn.

No balls involved here. They know the number of users that will blindly click accept to whatever policy change popup appears.

So it's standard mo to show users shit, get the clicks, then use the numbers to justify how much people love the platform. The rest of the herd then stands back and says hmmm maybe this is what people "really" want.

Yeah...

No.

There may not be 'balls' here, but this is definitely the most hilariously bad way for Facebook to handle this.

What this is REALLY saying is this:

A) We here at Facebook aren't really about connecting people. We are about marketing, and ad delivery in order to generate revenue.

B) The goal of keeping you connected and communicating with your social graph is so unimportant to us, that we are either technically incapable, or otherwise unwilling to provide service to customer bases that we cannot monetize.

C) We will hold onto, and continue selling any data we have already collected about you, that we really never got informed consent from you on, because we told you it was about us connecting you, and you didn't read the fine print.

So either accept, or here is a copy of your data. Excuse us while we sell what we already have. Ciao!

This will NOT earn Facebook any "Good Faith" points in the court of public opinion, and is adding further fuel to the international fire of "how far will contract law be allowed to usurp fundamental rights?"

Popcorn time indeed!

Do you expect anything else from Facebook?

"People just submitted it. I don't know why. They 'trust me'. Dumb f__ks." -Mark Zuckerberg

(comment deleted)
Consent not freely given is not consent w.r.t. GDPR, so legally I'm not sure what the point is other than baiting the data protection agencies.

So just because you agree doesn't mean it's binding, especially if it's unlawful. E.g. in Germany, contracts presented after purchase are void (EULAs), and you can't sign away your "Urheberrecht", or author's rights - which has interesting implications for copyright licenses. However, the regulators will take a very dim view on such behaviour. I don't know what they're trying to accomplish.

(comment deleted)
It is interesting that Facebook has chosen such an obviously non-compliant approach. Maybe they think thyy will just get away with ignoring the regulation. Or they want just want to see what EU move and user feedback will be as soon as possible, so they can start to prepare/work it.
> As much as I appreciate the sheer balls of this, it's clearly not in compliance with the law according to the recitals; consent gained in this fashion is not "freely given."

I think it's debatable. Yes, if they were denying service unrelated to the consent, that would not be freely given, but everything Facebook does with your account is covered by GDPR, and there doesn't seem to be a clear and explicit rule on the required degree of granularity of consent when multiple functions all require consent.

I actually think this approach might be the safest thing FB can do regarding GDPR other than unilaterally and without recourse dumping every account of a person protected by the GDPR, perhaps while developing a completely new system with a different fundamental design and business model for the EU.

They're doing this with WhatsApp, too.

WhatsApp is a dead-end at this point anyway, as they plan on removing end-to-end encryption. That's why both of WhatsApp's founders and many other employees have started leaving the company.

Any source on that “they plan on removing end-to-end encryption” other than uneducated speculation?
It is speculation, but only to some extent; upon the acquisition they've pledged to preserve the privacy and security of WhatsApp users.

To some extent the announcement of him leaving, following changes to terms of service last year, make if for a very good canary in the coal mine kind of warning, that even if bound by confidentiality or other agreements preventing disclosure, he's leaving $4B behind for "some reason". I'm sure if it was to launch a new venture that'd be fine to disclose...

It means something fishy might be happening, but they don't have to break e2e encryption in order to achieve fishy things.
They're not planning on removing encryption. It was under facebook's ownership that encryption was added to the platform
Citation needed.

I haven't seen this on WhatsApp.

I believe this is the first real test as to how much teeth GDPR will actually have.
Since everything Facebook does requires consent under Article 6 (or, in some cases, Article 9) of the GDPR, what, exactly, should they do otherwise that would not violate clear proscriptions in the GDPR?

This isn't a case where there is non-GDPR functionality that can be severed and provided in the absence of GDPR consent.

(comment deleted)
(comment deleted)
GDPR is quite unclear about..well...almost everything. But, for example, this guy wants to read his own messages, which is a rather popular use of Facebook. If they wanted to comply with GDPR, they could easily present him a dialog asking solely for permission to process the data necessary to show him his messages. Instead, they are asking for his consent to their entire new privacy policy. That policy includes permissions for functions that are not absolutely necessary to do what this user wants to do, such as ad targeting.

This kind of thing is exactly what I have been saying would happen with GDPR. Large companies will say “take all of it or leave it” - and for the most part they’ll get away with it. They have the power to do this, and very little will change for them. The difference is that they are now able to run without fear of startup competitors ever closing in on them, because no startup can get away with this same thing.

The natural effect of GDPR will be to consolidate power and data in the hands of the few companies that can both afford to comply and wield enough power in users’ lives to strong-arm them into giving consent to anything the company wants to do.

As if that isn’t the effect in an unregulated system already.
> wield enough power in users’ lives to strong-arm them into giving consent to anything the company wants to do.

No one is forcing them to use Facebook, if a user feels they have too much invested in Facebook, that's no one else's fault. You're not the customer, you're the product.

No, it won't be - because that sort of strong arming is precisely not compliance. You may argue that they won't be punished for it (I don't think that is likely, but you are right to think it's an option), but you are wrong to say it is a natural consequence of compliance.
A natural effect of a regulation isn't always a natural effect of compliance; non-compliance is a natural effect of some regulations.

High illegal immigration from Mexico is, given geography and existing population demographics, a natural effect of the US’s per-country caps on family-based immigration categories.

To be the advocate of the devil: Facebook might claim that presenting targeted ads to users is their core business - if they stop doing that they will have no source of income.

From what I understand GDPR it allows data processing if this is needed to do the business, as it is in case of Facebook, so if someone refuses to agree for that, such person cannot use FB.

If they renamed themselves to Adbook and explicitly claimed their service is to offer targeted ads instead of being a social network, they might have a case, unfortunately their service is to offer a social network and they don't need to track me or offer ads in order to provide it. They need to do that in order to make money, which is a completely separate issue.
Unfortunately for my gym, their service is to offer exercise equipment and they don't need to charge me a subscription in order to provide it. They need to do that in order to make money, which is a completely separate issue.
You do know there is an enormous difference between paying for a subscription and letting your gym MITM you/pick your pockets for info, etc, right?

For example your gym might have video surveillance, which is fine, but it has to have a sign and they can't use the footage for anything else than for security reasons without asking you first and they have to delete it after a certain amount of time. They don't have to video tape you and then sell the footage to the health store next door in order to advertise to you in order to let you use the gym.

> But, for example, this guy wants to read his own messages, which is a rather popular use of Facebook. If they wanted to comply with GDPR, they could easily present him a dialog asking solely for permission to process the data necessary to show him his messages.

The normal operation of Facebook processes a lot of your information between login attempts, and not in direct response to yoour action; if they haven't gotten consent that satisfies the GDPR for that before May 25, they need to stop processing your information, which means they need to essentially completely disable and isolate your account, not just from you logging in, but from all visibility and interaction initiated by other parties.

While, in the abstract, a service they processes your information only in direct and immediate response to your UI interactions could adopt a granular permission model and seek consent for just what was necessary to handle each control interaction when you interacted with the relevant control (crappy UX, but it's possible), that's not the way Facebook works, nor is it something it seems Facebook could, with reasonable effort, be reengineered into. I'm not even sure pausing aall processing of your data until consent is received without deleting your account is something Facebook could reasonably be reengineered to do.

“Consent or delete your account” doesn't seem all that far from the choices Facebook practically has under the GDPR.

What Facebook did is quite a bit like police coercion to make you confess to perpetrating a crime.
If facebook is making >4% of its revenue from EU, then it's worth risking the fine.
As far as I know they can be fined multiple times until they comply with the law.
Not only that, the fines will get exponentially more severe for repeated non compliance.
The maximum fine is 4% of revenue.
isn't it per infraction, so potentially 4% each time they violate a user?
Interesting that this coincides with his appearance to the EU parliament [0]?

What's most interesting to me, is that whilst many say this is flat out illegal under the GDPR. If after this appearance, i.e some form of lobbying to the EU. Whether it sets a new precedent?

If bigger companies can get away with this sort of action due to lobbying. Then smaller companies/startups will surely lose out as they are unable to match lobbying efforts and will result in not being able to be as competitive.

I'm very interested to see how things progress in the coming weeks. Whether there is an amendment (due to a backdown by Facebook) or this becomes the norm and other larger companies follow.

[0]: https://www.theguardian.com/technology/2018/may/22/european-...

A ‘clever’ strategy would be if they required consent now, before the new rules kick in, and then later made it optional. Most users won’t go back and change the permissions anyway.
The rules have been active for over two years, it's just that they have not been enforceable. So that's not a clever strategy at all.
I don't think it works like this. If your argument for GDPR compliance is that you have your user's consent, it is required that the consent was freely given, when it was collected is orthogonal to that.
GDPR seems like it runs contrary to information theory and will become a crutch for censorship.
Do note that Facebook, like any large company complying with new regulations , have been in contact with EU representatives on their implementation, so the idea that this is a “bold” move on their part or they are doing something obviously illegal just isn’t true.
Saw this yesterday. Deleted my account. Problem solved. Recommended.