Looks interesting and is definitely a required tool to show what websites are doing that average users don’t realize.
Sadly the really bad players detect that this is not a normal user and redirect to a error page.
You will have to try harder to fool them into thinking your headless browser is a real user. Probably your test device is in a server center and they detect the IP isn’t a end user IP.
That's really well done. I tried several ecommerce, airline, travel, etc, sites. I was surprised with the extent of fingerprinting and 3rd party sites.
For example, American Airlines, aa.com: 17 ad trackers, 32
third party cookies, canvas fingerprinting, session keyboard and mouse tracking, data to facebook, linked in, amazon, and more. Ouch.
I'm using uBlock and uMatrix so I'm not surprised. However I've been blocking such with whatever was at hand since javascript started out... In the start it was easy, just don't load javascript. Now it's even easier, just install uBlock and uMatrix and watch the whole modern web break together... :-)
Be sure to load the "This website loads trackers on your computer that are designed to evade third-party cookie blockers." section's details and see the fingerprinting images that are used. Crazy stuff.
I'm surprised that they're not bad with tracking given how bad news sites tend to be. I thought maybe it could be explained by them being a paid site, but the WSJ is too and their analysis was abysmal with 32 trackers, 53 third-party cookies, fingerprinting, and session recording.
> "12 trackers and 6 third-party cookies ... they're not bad ..."
that's still bad, and nytimes uses a bunch of first-party tracking as well. it's just not as bad as the worst ones, but in no way should you excuse them for their own bad behavior.
Looks good, but unfortunate name clash - I assume this is unrelated to the established Blacklight discovery platform used (ironically, considering The Markup's domain) in the Panama Papers exposure?
This does not work with GDPR compliant sites (the few that exist). I wonder if it would make sense to use something similar to [0] to auto-accept, note in the results that there is a consent gate and then list the trackers in the accepted state?
I'm not aware of any court case where downloading and watching movies without the rights owner's permission was considered OK. Instead, the downloader always had to pay a fine.
Theft is legally distinct. It is also morally distinct - the 'owner' of the 'intellectual property' is not deprived of their ownership if someone violates the transactional model by looking without permission.
Copyright infringement is not theft. It is interference with a business model. Please stop saying obviously incorrect things.
Respectfully, fxtentacle’s point didn’t hinge on the technical definition of theft. I think they’re trying to point out that illicit data transfers are punished harshly when an individual does it but are considered standard practice and even (by some) praised when corporations do it.
While I agree with you, public opinion probably does not agree with you. And the rhetoric by rights owners has always been downloading==theft. I've added a link to one such propaganda video to my original comment.
While I agree with you in spirit, I believe penalties for downloading usually have to do with redistribution via BitTorrent. People sometimes forget (or never know in the first place) that when you download via BitTorrent you’re also distributing.
However, I totally agree with the sentiment, and I’ve long felt this way about petty crimes like shoplifting, which are harshly punished and shamed, while on the flip-side you have crimes like wage theft which goes effectively unpunished and is even defended as legitimate by some.
In many jurisdictions, "theft" specifically implies the taking of goods. When you copy a file, the original file still exists. No items get taken, therefore no theft took place. I am not familiar with American law, but I don't expect it to have a definition where watching illegal movies is considered actual theft.
IP companies such as media companies and patent holders often try to spin unlicensed access to media or information as theft because it sounds worse, but in practice the actual crime is "illegal access to intellectual property" or something similar to that.
In Sweden everyone pays a tax on all media like empty DVD's, harddrives, phones and so on. This tax covers the private copying of media like movies and music. It is not illegal in Sweden to borrow a DVD from your friend and copy it. We actually pay a fine to be allowed to do this. The money gets distributed to the content owners by some organisation owned by the record companies.
However it is illegal to mass distribute movies on the net, like bittorrent-style to people you do not know personally. Yes it's a bit hard to define friends but if you find yourself burning copies of CD's in bulk, it's most likely not ok.
Usually the act of copying is not the problem, distribution is.
That's actually legal in my homeland. There are specific conditions (e.g. personal use without economic goals) but it's generally OK. Note however that this applies to downloading from a server where the transfer goes one way. Torrenting would constitute copyright infringement as it is a two way transfer and counts as sharing copyrighted works.
> Instead, the downloader always had to pay a fine.
No. In many places simple copyright violation is not a crime, and so there are no fines. The rights holders can sue for losses. But this isn't a criminal case between the state and an alleged criminal, it's a case between two citizens (although one of them may be a corporate person).
There are things that tip copyright violation into a criminal offence: doing it as part of business (selling the DVDs that you've downloaded), doing it so much it materially affects the rights holders.
> I'm not aware of any court case where downloading and watching movies without the rights owner's permission was considered OK. Instead, the downloader always had to pay a fine.
In Poland downloading music, movies and images is legal. (software is treated specially and just downloading may be illegal)
And I suspect that "always" is untrue also after limiting to USA.
No one has ever been sued for DOWNLOADING a movie.
They get sued for UPLOADING a movie.
Important distinction. Mere possession is not a crime - everything is copyrighted, and it isn't the responsibility of someone holding a copy to know if the person that gave them that copy was authorized to to so.
At least Ars will allow you to disable almost all of that if you subscribe. I mean, they've got to pay their staff somehow, and if it's not subscriptions or ads then how?
Maybe it's naive to think that even when showing Ads or collecting usage data, there has to come a point of questionable returns. I struggle with accepting that showing Ads and collecting usage data involves nearly 40 different collectors/trackers.
I do get the allure of cross-channel tracking and personalized Ads but maybe good enough could be reached differently.
I don't categorically reject Ads and data collection but the current data hunger is insatiable with little visible benefit to me.
We can certainly make new one (or potentially modify consumer protection law) to protect privacy. There's no part of copyright law that makes sense to change that would do the thing GP is asking for. It is an entirely different concept.
I understand that bare facts cannot be copyrighted but IMO, a better test in this case is to ask whether the information has any monetary value? Because once it is under the posession of the data brokers, it's aggregated and traded like chattel.
If you were to add to title 17: "facts are subject to copyright protection if they have monetary value" -- you still have not solved the problem. Again, copyright doesn't apply to the subject of a work, it applies to the one who created it.
Also, your proposed change has made most of Wikipedia illegal.
There are all sorts of “likeness rights” though, which are often lumped with copyrights and trademarks.
A model has rights for her likeness not to be used to promote something without her or him getting paid. It could be put under the same umbrella that no one has rights for my data.
Yes, I agree, this is a more appropriate angle. Someone who invokes their right of publicity is generally making a claim that someone has violated trademark law. This is NOT a modification to copyright law, though -- both rights exist concurrently. A photographer who takes a photo of a trademark retains the copyright to the photo, and the owner of the mark concurrently owns the trade rights to the mark.
To my point -- this idea is entirely a separate concept from copyright law. It is not a modification to copyright law.
Not exactly sure what your argument is, but if you want to know what qualifies as a "creative work", the law conveniently defines it in 17 U.S. Code § 102(a).
When I surf the information superhighway I create a unique data trail which is a unique expression created by me. I therefore claim copyright over the content of that data trail.
Copyright is only applicable at the moment at which facts are compiled into a creative work.
If you actually humanly typed out the sentence: "My time zone is UTC, my IP address is 127.0.0.1, and my default language is set to English" that sentence would be subject to copyright.
However, since the facts themselves are still not subject to copyright, someone can still legally (as far as copyright is concerned) take your sentence and run:
If I take a photograph of any part of reality, I have copyright on the image. I'd say most images contain not much more than a reproduction of reality.
If I type my name into a computer, isn't that a reproduction of reality just live a photograph of me would be?
And I agree with you that pure facts are not copyrightable, but how about Facebook making a guess that I like cats based on my previous click behavior? Isn't that an artistic interpretation of reality which should be copyrightable?
Your name alone is a fact, and wouldn't be subject to copyright. For example, I can say "Donald Trump" in this comment without infringing on any copyright laws.
> how about Facebook making a guess that I like cats based on my previous click behavior? Isn't that an artistic interpretation of reality which should be copyrightable?
Once they record it somewhere, it is!
I'll give you an example:
Take for instance this string value: "fxtentacle is likes cats and I know it because he posted it on HN"
I have generated this string, and under US (and many other countries) copyright laws, I automatically own copyright to it, because it is my artistic interpretation of what I have observed.
You have no copyright to it, because it was my artistic interpretation, despite the fact that you are the subject of the art.
ghostery plugin much more effective if you use chrome it tells you as you visit a site and gives you the option to block it, I don't know why this is ranked 1 on HN
Why would you unify two unrelated things? I think privacy is a right and copyright is so overstretched it literally works against its original intention.
As an aside, the only part of "Intellectual Property" as an idea that I agree with is the right for an author to claim that they authored something. It shoudln't give them a right to control how its distributed or what people do with it. Why would you compare the rights of people to the "rights" of companies? Why would you defend enormous corporations? Disney doesn't have "knowledge". It's not a person.
With privacy, you are generally looking to prevent the redistribution of facts, but only in specific circumstances.
Copyright does a very different thing, where it only prevents the redistribution of more creative expressions, but does so in broad circumstances.
If you take the typical data elements that you want to keep private and apply copyright law to them, I think you'll end up with more problems than solutions. Facts -- like your name -- are something that people need to reproduce just to do basic things, like have a conversation with you. I don't think we need to start all conversations with:
"By starting a conversation with me, you hereby grant and will grant me and affiliated discussion participants a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to reproduce, mention, perform, vocalize, remember and otherwise use your name for purposes of this conversation"
It sounds silly, but copyright is this broad in scope. It applies to everyone. For the purposes of privacy, you really need a much more narrow paradigm -- something that applies to strangers but not people who you expect to know things about you, like friends, family, or people you are voluntarily sharing with. This is probably why every privacy law on the planet is not an extension of copyright. They are two very different things.
How is collecting, aggregating, redistributing PII prevented today?
I like that you distinguish voluntary sharing, eg with friends and family.
I'll ponder your point about names (identifiers). There are currently semi-legitimate uses, like political campaigns in the USA have voter files for GOTV (ballot chasing). Which is a ridiculous practice. (I've worked on many campaigns.) So instead of accommodating pathological use cases, I'd rather resolve the paradox by eliminating the practice. In the case of GOTV, compulsory voting would greatly improve voter privacy.
I've been waiting for anyone to criticize my thesis by pointing out the government already knows all. My provisional response remains: If someone's making a buck off my data, I want my cut.
In cases like the CA State's DMV reselling PII, my thesis is that treating my data as an asset, and therefore a liability, would deter that behavior. So relying on disincentives vs prohibition.
> How is collecting, aggregating, redistributing PII prevented today?
The handful of privacy laws today (HIPAA, CCPA, GDPR) take a pretty direct approach; they define:
* the types of organizations that are restricted from sharing PII
* the types of collection, retention, and sharing that is allowed and/or prohibited
* the definition of PII -- which specific attributes about a person are protected
> In cases like the CA State's DMV reselling PII, my thesis is that treating my data as an asset, and therefore a liability, would deter that behavior. So relying on disincentives vs prohibition.
It seems to me the CCPA could have prevented that -- if it applied to governments as well as "businesses".
I've been keen to see how the GDPR and CCPA play out. Hopefully better than HIPAA, FERPA, etc.
Providence Hospital in Portland OR (details?) had a big (for the time) data leak about the time I started doing medical records. They settled out of court. I contacted both sides and tried to reach the admins, to ask what fix they settled on.
"Try harder next time."
Terrific.
We geeks creating the infrastructure for electronic medical record interchanges resigned ourselves to the inevitable massive data leak. I spent a lot of effort trying to figure out how to protect patient privacy.
I eventually determined there's only one technical solution, based on strategies from Translucent Databases book. (TLDR: field level encryption for all data at rest, just like proper password storage.)
But there's no social, legal, or cultural protection. And the small legal change (globally unique person identifiers) we'd have to do for the sole workable technical solution is strenuously opposed across the political spectrum.
So. My plan now is to rethink the entire stack. Extend property rights to PII. Let accounting fix what algorithms couldn't.
If someone divines a better plan, I'm totally on board. As in "shut up and take my money". But I'm not holding my breath.
FWIW, one of my besties wrote a book on privacy. My proposal makes his head explode. Apoplectic. So I get the push back. But 15 years later, no one, including him, have a better idea. Better as in feasible, actionable.
That's an interesting idea -- property rights for PII.
Of the four main IP types we have today, PII is probably most similar to trade secrets. Maybe since companies have rights to their secret information -- we could recognize a 5th type of IP for PII, similar to trade secrets, but for individuals?
TLDR: The immortal cells central to cancer research are hers. Unacknowledged. The debt we owe this woman is immeasurable. Yet she and her family have no claim.
How many more Lacks are there?
There's a wide band between a record of my shopping habits and this woman's genetic code. But the principle is the same. If someone's making a buck off my data, I want my cut.
Does anyone know of a way to quantify the cost of ad-trackers in terms of cpu/memory/bandwidth/battery?
How much more responsive would websites be without all the trackers?
How much longer would we keep our phones if they didn't struggle under the weight of all this tracking?
How much less data center capacity would be required?
How much more bandwidth would be available?
You can quantify the impact of ad trackers on system resources by measuring the difference in a site's resource utilization with and without an ad blocker.
Just counting Google Analytics, it added between 200-500ms total load time on my own website. I dropped it for Fathom, which dropped that to about 70ms. A log-based system would drop the overhead to 0, but Fathom is more convenient for me.
There's some good stuff in here, but they're also using a very expansive definition of "tracker" that in some cases I think is just unfair.
For example Adobe TypeKit serves fonts. It's not ad tech at all. The only thing it tracks is how many times a font was served. Adobe does also have ad tracking technology but TypeKit isn't part of it.
Likewise the tool's author seems to misunderstand AWS CloudFront, which is a CDN and does not itself do any tracking nor is it connected to any Amazon ad tech.
TypeKit does indeed send tracking data back to Adobe through the domain p.typekit.net. This is also likely reflected in
Adobe's privacy policy.
Luckily, it is possible to use Content-Security-Policy or client-side scripts to block this domain while allowing use.typekit.net, which simply hosts the font files.
Like I said, they keep track of font usage. The billing is based on usage. That domain sets no cookies and the privacy policy doesn't permit the data to be used for ads: https://www.adobe.com/privacy/policies/adobe-fonts.html It's not ad tech.
I think this is the problem with the "high score" approach to measuring the privacy impact of a site. Number of third-party cookies or "trackers" is not a great proxy for how well a site actually protects your data in ways you care about.
I would also add New Relic as an example of a site that really shouldn't be in a list of "ad tech."
"Tracking" is almost a weasel word these days. What matters is what is tracks. Tracking some things is just fine, IMO.
The problem now is a lack of trust, not the least of which because there's often not that much transparency and very little accountability in the way of law, as well as various actors that constantly try to skirt the line (i.e. Facebook, Google, etc.)
I've observed requests to p.typekit.com that appear to have high-entropy identifiers in GET parameters, so I would still consider it potential user tracking.
> Like I said, they keep track of font usage. The billing is based on usage.
Adobe should be measuring usage based on referrers to their CDN.
> the privacy policy doesn't permit [...]
I'd prefer no tracking at all instead of trusting the goodwill of a company to follow through with its privacy policy.
What is "private data"? Is your hair colour private data? Is the browser you use private data? Why? Or why not? Does it matter if I only record hair colour and the browser you use, or if I combine it with other data?
These kind of things may sound okay superficially, but once you start defining things clearly in a way that can be incorporated in a workable law things get very hard very fast.
Sure, no reason why privacy can't be too. Here's a simple framework to think about Privacy online: Provide an opt-out for tracking, selling / sharing data etc etc.
Actuall, I feel most strongly about those cases where data about me is being saved and I don't even know about it. Because those data collectors who don't even dare to ask for permission are probably the worst ones.
What is "tracking"? Is recording a server log tracking? What if it only records the pathname? What about the "visitor counter" GIFs from the 90s?
So that superhuman app tracks if someone read the message; WhatApp, Telegram, and Signal do that too with their read receipts. Is that tracking? Why? Or why not? And I don't see anything about selling this data in that article btw.
People keep using all these words like "privacy" and "tracking" and "personal data", but my point was you need to clearly define what you mean with that, in a way that's workable. And "every single last bit of data that could possibly be recorded" is not really a workable definition IMO.
These kind of things are what you might call "opposition politics"; it's all very easy to make vague proposals when you're in the opposition, but once you're in government and need to actually start enacting workable realistic laws that take all the various legitimate interests in account (and I think there is some legitimate interest in collecting some data) things get much harder.
> * What is "tracking"? Is recording a server log tracking? What if it only records the pathname? What about the "visitor counter" GIFs from the 90s?*
I'd settle for personally / uniquely identifiable information as tracking.
> WhatsApp, Telegram, and Signal do that too with their read receipts. Is that tracking? Why? Or why not?
1. There's an opt-out.
2. It is clear as a day that the other side can see when you've read the message.
3. Again, services consumed with consent.
> ...my point was you need to clearly define what you mean with that.
Agreed. I think PII (personally identifiable information) is a good start.
> ... it's all very easy to make vague proposals when you're in the opposition
Some organizations have been working long and hard over privacy issues online. There have been very well-defined, valid, and solid proposals from them. We'll see eventually what comes of those.
> ...need to actually start enacting workable realistic laws that take all the various legitimate interests in account things get much harder.
104 comments
[ 4.0 ms ] story [ 173 ms ] threadSadly the really bad players detect that this is not a normal user and redirect to a error page.
You will have to try harder to fool them into thinking your headless browser is a real user. Probably your test device is in a server center and they detect the IP isn’t a end user IP.
Hope you get it working
For example, American Airlines, aa.com: 17 ad trackers, 32 third party cookies, canvas fingerprinting, session keyboard and mouse tracking, data to facebook, linked in, amazon, and more. Ouch.
Astonishing.
Fox News [1] and Breitbart [2] got scarily high scores
[1] https://themarkup.org/blacklight/?url=foxnews.com
[2] https://themarkup.org/blacklight/?url=breitbart.com
40 trackers, 65 third-party cookies
https://themarkup.org/blacklight/?url=aljazeera.com
54 trackers, 148 third-party cookies
https://themarkup.org/blacklight/?url=theonion.com
1 tracker, 0 third-party cookies
24 seconds to load, 585 individual http requests. Crazy. You would think someone there would raise this as an issue.
12 trackers and 6 third-party cookies
I'm surprised that they're not bad with tracking given how bad news sites tend to be. I thought maybe it could be explained by them being a paid site, but the WSJ is too and their analysis was abysmal with 32 trackers, 53 third-party cookies, fingerprinting, and session recording.
that's still bad, and nytimes uses a bunch of first-party tracking as well. it's just not as bad as the worst ones, but in no way should you excuse them for their own bad behavior.
0 Third-party cookies not found.
This is less than half the average of three that we found on popular sites.
https://projectblacklight.org/
https://source.opennews.org/articles/people-and-tech-behind-...
[0]: https://www.i-dont-care-about-cookies.eu/
No.
Copyright infringement is not theft.
Theft is legally distinct. It is also morally distinct - the 'owner' of the 'intellectual property' is not deprived of their ownership if someone violates the transactional model by looking without permission.
Copyright infringement is not theft. It is interference with a business model. Please stop saying obviously incorrect things.
> And the rhetoric by rights owners has always been downloading==theft.
Do you echo every pressure group's rhetoric?
And FWIW, it’s very often an uploader who has to pay a fine for distributing copyrighted work (not theft). Fines for downloading are pretty rare.
However, I totally agree with the sentiment, and I’ve long felt this way about petty crimes like shoplifting, which are harshly punished and shamed, while on the flip-side you have crimes like wage theft which goes effectively unpunished and is even defended as legitimate by some.
IP companies such as media companies and patent holders often try to spin unlicensed access to media or information as theft because it sounds worse, but in practice the actual crime is "illegal access to intellectual property" or something similar to that.
However it is illegal to mass distribute movies on the net, like bittorrent-style to people you do not know personally. Yes it's a bit hard to define friends but if you find yourself burning copies of CD's in bulk, it's most likely not ok.
Usually the act of copying is not the problem, distribution is.
No. In many places simple copyright violation is not a crime, and so there are no fines. The rights holders can sue for losses. But this isn't a criminal case between the state and an alleged criminal, it's a case between two citizens (although one of them may be a corporate person).
There are things that tip copyright violation into a criminal offence: doing it as part of business (selling the DVDs that you've downloaded), doing it so much it materially affects the rights holders.
In Poland downloading music, movies and images is legal. (software is treated specially and just downloading may be illegal)
And I suspect that "always" is untrue also after limiting to USA.
No one has ever been sued for DOWNLOADING a movie. They get sued for UPLOADING a movie.
Important distinction. Mere possession is not a crime - everything is copyrighted, and it isn't the responsibility of someone holding a copy to know if the person that gave them that copy was authorized to to so.
33 Trackers | 60 Third-Party Cookies https://themarkup.org/blacklight/?url=edition.cnn.com
32 Trackers | 53 Third-Party Cookies https://themarkup.org/blacklight/?url=wsj.com
The newspaper business is digging it's own grave.
"This website could be monitoring your keystrokes and mouse clicks."
Absolutely insane.
I do get the allure of cross-channel tracking and personalized Ads but maybe good enough could be reached differently.
I don't categorically reject Ads and data collection but the current data hunger is insatiable with little visible benefit to me.
What value would that be? Fun? If it is a bad movie and I have no fun what value did I extract from it then?
> everyone agrees that this is theft
Oh, how I wish I could download a car
The fact that "John Smith's IP address is 127.0.0.1" is neither creative, nor something John Smith created.
Also, your proposed change has made most of Wikipedia illegal.
A model has rights for her likeness not to be used to promote something without her or him getting paid. It could be put under the same umbrella that no one has rights for my data.
To my point -- this idea is entirely a separate concept from copyright law. It is not a modification to copyright law.
Not exactly sure what your argument is, but if you want to know what qualifies as a "creative work", the law conveniently defines it in 17 U.S. Code § 102(a).
https://www.law.cornell.edu/uscode/text/17/102
If you actually humanly typed out the sentence: "My time zone is UTC, my IP address is 127.0.0.1, and my default language is set to English" that sentence would be subject to copyright.
However, since the facts themselves are still not subject to copyright, someone can still legally (as far as copyright is concerned) take your sentence and run:
Also, there is no need to "claim" copyright to anything. It is automatic.If I type my name into a computer, isn't that a reproduction of reality just live a photograph of me would be?
And I agree with you that pure facts are not copyrightable, but how about Facebook making a guess that I like cats based on my previous click behavior? Isn't that an artistic interpretation of reality which should be copyrightable?
> how about Facebook making a guess that I like cats based on my previous click behavior? Isn't that an artistic interpretation of reality which should be copyrightable?
Once they record it somewhere, it is!
I'll give you an example:
Take for instance this string value: "fxtentacle is likes cats and I know it because he posted it on HN"
I have generated this string, and under US (and many other countries) copyright laws, I automatically own copyright to it, because it is my artistic interpretation of what I have observed.
You have no copyright to it, because it was my artistic interpretation, despite the fact that you are the subject of the art.
As an aside, the only part of "Intellectual Property" as an idea that I agree with is the right for an author to claim that they authored something. It shoudln't give them a right to control how its distributed or what people do with it. Why would you compare the rights of people to the "rights" of companies? Why would you defend enormous corporations? Disney doesn't have "knowledge". It's not a person.
With privacy, you are generally looking to prevent the redistribution of facts, but only in specific circumstances.
Copyright does a very different thing, where it only prevents the redistribution of more creative expressions, but does so in broad circumstances.
If you take the typical data elements that you want to keep private and apply copyright law to them, I think you'll end up with more problems than solutions. Facts -- like your name -- are something that people need to reproduce just to do basic things, like have a conversation with you. I don't think we need to start all conversations with:
"By starting a conversation with me, you hereby grant and will grant me and affiliated discussion participants a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to reproduce, mention, perform, vocalize, remember and otherwise use your name for purposes of this conversation"
It sounds silly, but copyright is this broad in scope. It applies to everyone. For the purposes of privacy, you really need a much more narrow paradigm -- something that applies to strangers but not people who you expect to know things about you, like friends, family, or people you are voluntarily sharing with. This is probably why every privacy law on the planet is not an extension of copyright. They are two very different things.
How is collecting, aggregating, redistributing PII prevented today?
I like that you distinguish voluntary sharing, eg with friends and family.
I'll ponder your point about names (identifiers). There are currently semi-legitimate uses, like political campaigns in the USA have voter files for GOTV (ballot chasing). Which is a ridiculous practice. (I've worked on many campaigns.) So instead of accommodating pathological use cases, I'd rather resolve the paradox by eliminating the practice. In the case of GOTV, compulsory voting would greatly improve voter privacy.
I've been waiting for anyone to criticize my thesis by pointing out the government already knows all. My provisional response remains: If someone's making a buck off my data, I want my cut.
In cases like the CA State's DMV reselling PII, my thesis is that treating my data as an asset, and therefore a liability, would deter that behavior. So relying on disincentives vs prohibition.
The handful of privacy laws today (HIPAA, CCPA, GDPR) take a pretty direct approach; they define:
* the types of organizations that are restricted from sharing PII
* the types of collection, retention, and sharing that is allowed and/or prohibited
* the definition of PII -- which specific attributes about a person are protected
> In cases like the CA State's DMV reselling PII, my thesis is that treating my data as an asset, and therefore a liability, would deter that behavior. So relying on disincentives vs prohibition.
It seems to me the CCPA could have prevented that -- if it applied to governments as well as "businesses".
Providence Hospital in Portland OR (details?) had a big (for the time) data leak about the time I started doing medical records. They settled out of court. I contacted both sides and tried to reach the admins, to ask what fix they settled on.
"Try harder next time."
Terrific.
We geeks creating the infrastructure for electronic medical record interchanges resigned ourselves to the inevitable massive data leak. I spent a lot of effort trying to figure out how to protect patient privacy.
I eventually determined there's only one technical solution, based on strategies from Translucent Databases book. (TLDR: field level encryption for all data at rest, just like proper password storage.)
But there's no social, legal, or cultural protection. And the small legal change (globally unique person identifiers) we'd have to do for the sole workable technical solution is strenuously opposed across the political spectrum.
So. My plan now is to rethink the entire stack. Extend property rights to PII. Let accounting fix what algorithms couldn't.
If someone divines a better plan, I'm totally on board. As in "shut up and take my money". But I'm not holding my breath.
FWIW, one of my besties wrote a book on privacy. My proposal makes his head explode. Apoplectic. So I get the push back. But 15 years later, no one, including him, have a better idea. Better as in feasible, actionable.
If you've got something, please share.
Of the four main IP types we have today, PII is probably most similar to trade secrets. Maybe since companies have rights to their secret information -- we could recognize a 5th type of IP for PII, similar to trade secrets, but for individuals?
I just can't get over the case of Henrietta Lacks.
https://en.wikipedia.org/wiki/Henrietta_Lacks
TLDR: The immortal cells central to cancer research are hers. Unacknowledged. The debt we owe this woman is immeasurable. Yet she and her family have no claim.
How many more Lacks are there?
There's a wide band between a record of my shopping habits and this woman's genetic code. But the principle is the same. If someone's making a buck off my data, I want my cut.
[1] - https://bugs.chromium.org/p/chromium/issues/detail?id=109042...
I wasn’t surprised that TechCrunch has so many trackers but surprised that a porn site has only one.
https://i.imgur.com/mNrupcC.png
https://themarkup.org/blacklight/?url=thoughtcatalog.com
https://themarkup.org/blacklight/?url=factinate.com
https://themarkup.org/blacklight/?url=sacbee.com
https://themarkup.org/blacklight/?url=mediabiasfactcheck.com
https://themarkup.org/blacklight/?url=www.thestar.com
https://themarkup.org/blacklight/?url=space.com
https://themarkup.org/blacklight/?url=laptopmag.com
https://themarkup.org/blacklight/?url=hollywoodlife.com
https://themarkup.org/blacklight/?url=nfl.com
https://themarkup.org/blacklight/?url=kyma.com
The worst so far: https://themarkup.org/blacklight/?url=thehindu.com
https://themarkup.org/blacklight/?url=m.economictimes.com
For example Adobe TypeKit serves fonts. It's not ad tech at all. The only thing it tracks is how many times a font was served. Adobe does also have ad tracking technology but TypeKit isn't part of it.
Likewise the tool's author seems to misunderstand AWS CloudFront, which is a CDN and does not itself do any tracking nor is it connected to any Amazon ad tech.
https://themarkup.org/blacklight/?url=www.utilitydive.com
Luckily, it is possible to use Content-Security-Policy or client-side scripts to block this domain while allowing use.typekit.net, which simply hosts the font files.
I think this is the problem with the "high score" approach to measuring the privacy impact of a site. Number of third-party cookies or "trackers" is not a great proxy for how well a site actually protects your data in ways you care about.
I would also add New Relic as an example of a site that really shouldn't be in a list of "ad tech."
The problem now is a lack of trust, not the least of which because there's often not that much transparency and very little accountability in the way of law, as well as various actors that constantly try to skirt the line (i.e. Facebook, Google, etc.)
> Like I said, they keep track of font usage. The billing is based on usage.
Adobe should be measuring usage based on referrers to their CDN.
> the privacy policy doesn't permit [...]
I'd prefer no tracking at all instead of trusting the goodwill of a company to follow through with its privacy policy.
These kind of things may sound okay superficially, but once you start defining things clearly in a way that can be incorporated in a workable law things get very hard very fast.
Copyright, on the other hand, is much easier.
Control over my public persona.
Property rights is real simple:
Pay me. If you're making a buck off my data, I want my cut.
1. You consent to being tracked in exchange for services consumed (Google Maps Navigation, for example).
2. You don't consent to it but you're still being tracked. Not only that, the data is then sold to any and every buyer. For example: https://mikeindustries.com/blog/archive/2019/07/superhuman-i...
OP has problems with #2.
> Copyright, on the other hand, is much easier.
Sure, no reason why privacy can't be too. Here's a simple framework to think about Privacy online: Provide an opt-out for tracking, selling / sharing data etc etc.
So that superhuman app tracks if someone read the message; WhatApp, Telegram, and Signal do that too with their read receipts. Is that tracking? Why? Or why not? And I don't see anything about selling this data in that article btw.
People keep using all these words like "privacy" and "tracking" and "personal data", but my point was you need to clearly define what you mean with that, in a way that's workable. And "every single last bit of data that could possibly be recorded" is not really a workable definition IMO.
These kind of things are what you might call "opposition politics"; it's all very easy to make vague proposals when you're in the opposition, but once you're in government and need to actually start enacting workable realistic laws that take all the various legitimate interests in account (and I think there is some legitimate interest in collecting some data) things get much harder.
I'd settle for personally / uniquely identifiable information as tracking.
> WhatsApp, Telegram, and Signal do that too with their read receipts. Is that tracking? Why? Or why not?
1. There's an opt-out.
2. It is clear as a day that the other side can see when you've read the message.
3. Again, services consumed with consent.
> ...my point was you need to clearly define what you mean with that.
Agreed. I think PII (personally identifiable information) is a good start.
> ... it's all very easy to make vague proposals when you're in the opposition
Some organizations have been working long and hard over privacy issues online. There have been very well-defined, valid, and solid proposals from them. We'll see eventually what comes of those.
> ...need to actually start enacting workable realistic laws that take all the various legitimate interests in account things get much harder.
Agreed. You'd love this talk by B Schneier: https://www.youtube.com/watch?v=m3NJ-Ow2Lvg?t=39m39s