Assuming every Internet user was as literate as the author of these TOS and knew full well how much data was being collected and how their data is going to be used, no one would sign the agree button.
The big tech companies know this too well. It is the bane of their existence. They will do any thing in their power to keep their users ignorant and unaware of these terms.
Well basic web analytics can come from the http logs. Should we tell people we're logging their HTTP request before we allow them to use our system?
Web Analytics and privacy seem to be the buzzword theme for people to blog about. I get it, there is lots of interest in this area since some companies have been clearly taking the mick on this front. However, it seems to me, lots of people are just going on their high horse for nothing. This blog post has a postscript about paying users for the info, on this subject someone tried to sue Google for using captcha for machine learning training. The judge said it was ridicous idea to expect to get paid for 2 seconds worth of work and we wouldn't expect it in person.
At this point in the internet, with the amount of public scandals about data and data collection there has to be some level of awareness of what happens when you go onto a website. The whole informed consent is craziness which we wouldn't apply to any other industry. We don't have informed consent for tracking that happens by supermarkets. We don't have informed consent for the public CCTV systems. Why? Because the reality is, no one cares expect those few that inform themselves.
This informed consent nonsense created the cookie banner hassle, seriously I hate that law as a user but not as the person implementing. Implementing it is super easy and done once. As a user, I need to click yes on so many sites it's unreal. And the cookie banner law is basically unenforcable. So people like this author are literally just making the internet worse and not better.
Informed consent is the talk of someone who wants to sound right but not make a difference. The real difference is in the processing of data and that is where GDPR really comes into play, it makes dealing with data something you're now careful about. GDPR as a consumer I love it (except the extra banners), as someone who has to implement it, I hate it. And that is how a data law should be. Easy for the consumer hard for the companies.
Rather than throw the whole thing out because the premise was once applied poorly, the legislation could restrict the actions taken with said logs. PII and the selling and collating of said information from multiple sources stand out to me.
"This website requests permission to connect your information collected from web page views with your user account"
"This website requests permission to sell information gleaned from your web page views to third parties."
Implemented at the browser level, with the ability to set preferences like with location and do-not-track cookies, doesn't seem so far-fetched.
With log analysis for security purposes being generally permitted. Presumably popular servers would quickly default to a level of logging that complies with a more reasonable middle ground than "log and analyze absolutely everything you can think of."
Imperfect, but sounds like a good place to start to me. Frankly, people like you who want to just minimize the concern and pretend privacy is a fringe interest are exactly the problem with our industry. I think most people a) don't have any clue what's going on and/or b) assume, perhaps rightly, that the battle is long since lost. But it doesn't need to be.
> Rather than throw the whole thing out because the premise was once applied poorly, the legislation could restrict the actions taken with said logs. PII and the selling and collating of said information from multiple sources stand out to me.
I would say the premise of informed consent on this scale is flawed. Informed consent means they need to be informed, to inform someone you need to teach them. There are very few people who are actually interested in learning all the stuff that is required for informed consent. And there are people who literally would never be able to give informed consent because they are not smart enough to become informed. Are these people to be deined internet access? Are we only going to allow people of a certain level of intelligence on the internet so they can be informed?
Honestly, if you asked people if they would rather be shown ads they're interested in and ads they're not interested in. With it only being a choice of one or the other and neither is not a choice, people would rather have the ads their interested in. Seems like a lot of people are trying to solve a problem for the masses that isn't a problem for the masses.
Most people don't care if a website knows they used the website, they care if their data is used to overthrow the goverment. So really, we just need to deal with the stopping it from being possible to use to overthrow the goverment.
Please God, no. The cookie pop-ups are bad enough. We don't need every site that uses analytics (almost all of them) to add a pop-up for informed consent to count my visit.
Nothing will change in USA. Even TelaDoc & Livongo send sensitive analytics from their apps to multiple 3rd parties violating HIPAA and CMIA and they just don't care. OCR don't take action. California DOJ don't take action. Maximum HIPAA fine is $1.5M. Although HIPAA violations can lead to jail time it is so rare that it is a negligible risk.
Why this focus on web analytics? Facebook, Google and ads (as used on websites) are far worse from a privacy perspective and can't be blocked/avoided as easily. And the page publisher isn't at fault if all the evil tracking and data retention happens on the side of the analytics provider without consent or influence of the publisher.
If web browser development hadn't been hijacked by the most guilty of tracking and privacy invasion corporations, blocking analytics, ads and cookie banners could be a simple matter of easy per-site browser settings.
Very few websites are truly owned by the creators, and webmasters have forever added countless bells and whistles onto their website without a care in the world, until now. Now people are more privacy conscious (which is a good thing). Personally I like to get my analytics from AWStats[0] which offers a really raw look at your visitors and even allows you to see each visitor along with attached metadata like useragent, timestamp etc. I like the fact AWStats is not a traditional analytics application, but specifically a log-file-analyzer and it even captures those users who have JS disabled who are trying to avoid analytics scripts.
As for the privacy of AWStats: people are going to leave behind logs, no matter what you do to avoid that. It's a fact of life of the web. What is more invasive of privacy would be recording the mouse or keystrokes using some JS; that's where I draw the line.
While people have become more privacy conscious, as far as I can tell it hasn’t actually had any effect on an appreciable amount of user’s habits (well, at least we’ve gone from 15% to 25% of users using an ad blocker in the last 5 years). Either people say the care but in actuality have it lower on their priority list than things like the web working smoothly and getting things for free, or consumers feel hopeless to actually have any control over the situation and are hoping for government intervention. (I personally lean towards the issue being that it’s hard to beat free. While theoretically people might pay 6 bucks a year for a facebook style service if it existed, network effects make getting such a service started close to impossible. Such maps out to all the free stuff supported by advertising.)
I agree with the general consensus of this thread that gathering stats for website specific use isn’t an issue, and that the issue is the big aggregators like google and facebook that are plugged into websites everywhere. The big thing I don’t have the numbers for is how refusing to use a google style service impacts ad revenue. About 15 minutes of searching hasn’t gotten me any closer to figuring it out either.
The problem with "consent" is that the pop-ups are really annoying for the UX and 99% of the users would rather just automatically accept anything data-processing related than having to deal with the pop-up.
I personally think the solution is to not allow 3rd party sharing of information, but 1st party should be allowed without explicit consent. For example, I visit local-small-shop.com and I can reasonably understand if they track visitor analytics such as number of visitors, referrer and earnings stats IF they keep all this data to themselves and use it to improve their website, not if they sell/trade the data to other third-parties, especially not if this data can be linked to me or me device specifically.
In other words, I don't care that Reddit knows what subreddits I browse on their site, but I do care if they share this data with other platforms or entities.
I think that the core of web privacy is neither anonymity nor the limitation of recorded data but the handling and protection of such data. In a perfect world it shouldn't matter what website X knows something about John Doe, if this data is completely private, safe and enclosed within the legitimate uses/scope of that website.
No, it should just be illegal to share analytics with a third party. Done.
I run a website. First party analytics are useful because they let me know what people are clicking on, which lets me know what features people find useful. But no one else needs to see my analytics. I don't want some third party to figure out that people are clicking on X or Y and build up some kind of profile of my users. More to the point, even if I could get paid for selling that kind of data, it should be illegal for me to do so, because it harms my users without their knowing.
This. The problem with Analytics right now is that everyone is focusing on so called privacy, where it would be better described as invisible / anonymous tracking.
That is like customers walking into my shop in Real Life and I am not allowed to look at them because of "privacy". I cant even know if he is a returning customer since I cant look at him. I mean if you come here for coffee everyday I would at least know you whether like Latte or Espresso.
So in typical Tech Fashion we went from one extreme of collecting too much and sharing too much to another extreme of not collecting anything to the point we know nothing.
There should be a privacy policy listed I guess, but I don’t see why you would need affirmative consent, and if 3rd party sharing is illegal, the privacy policy will be short and boring: we monitor you to improve our services.
Yes, but in practice that’s only for a small number of sites that do things like facilitate anonymous messaging. Basically everyone else needs to be able to do things like “notice DOS attacks” and other logging of suspicious behavior. It is actually kind of hard to not monitor at least a little so only specialized sites try.
I think that Drew's point is actually quite radical. Any tracking where the reader hasn't agreed - even simple IP addresses - is wrong.
I'm not sure that I agree, but I'm intrigued: Would the world be better or worse off if we went back to Neilsen ratings (i.e., paying people to figure out what they liked to look at) as our way of assessing interest? Maybe it would?
25 comments
[ 2.9 ms ] story [ 31.3 ms ] threadThe big tech companies know this too well. It is the bane of their existence. They will do any thing in their power to keep their users ignorant and unaware of these terms.
Web Analytics and privacy seem to be the buzzword theme for people to blog about. I get it, there is lots of interest in this area since some companies have been clearly taking the mick on this front. However, it seems to me, lots of people are just going on their high horse for nothing. This blog post has a postscript about paying users for the info, on this subject someone tried to sue Google for using captcha for machine learning training. The judge said it was ridicous idea to expect to get paid for 2 seconds worth of work and we wouldn't expect it in person.
At this point in the internet, with the amount of public scandals about data and data collection there has to be some level of awareness of what happens when you go onto a website. The whole informed consent is craziness which we wouldn't apply to any other industry. We don't have informed consent for tracking that happens by supermarkets. We don't have informed consent for the public CCTV systems. Why? Because the reality is, no one cares expect those few that inform themselves.
This informed consent nonsense created the cookie banner hassle, seriously I hate that law as a user but not as the person implementing. Implementing it is super easy and done once. As a user, I need to click yes on so many sites it's unreal. And the cookie banner law is basically unenforcable. So people like this author are literally just making the internet worse and not better.
Informed consent is the talk of someone who wants to sound right but not make a difference. The real difference is in the processing of data and that is where GDPR really comes into play, it makes dealing with data something you're now careful about. GDPR as a consumer I love it (except the extra banners), as someone who has to implement it, I hate it. And that is how a data law should be. Easy for the consumer hard for the companies.
"This website requests permission to connect your information collected from web page views with your user account"
"This website requests permission to sell information gleaned from your web page views to third parties."
Implemented at the browser level, with the ability to set preferences like with location and do-not-track cookies, doesn't seem so far-fetched.
With log analysis for security purposes being generally permitted. Presumably popular servers would quickly default to a level of logging that complies with a more reasonable middle ground than "log and analyze absolutely everything you can think of."
Imperfect, but sounds like a good place to start to me. Frankly, people like you who want to just minimize the concern and pretend privacy is a fringe interest are exactly the problem with our industry. I think most people a) don't have any clue what's going on and/or b) assume, perhaps rightly, that the battle is long since lost. But it doesn't need to be.
I would say the premise of informed consent on this scale is flawed. Informed consent means they need to be informed, to inform someone you need to teach them. There are very few people who are actually interested in learning all the stuff that is required for informed consent. And there are people who literally would never be able to give informed consent because they are not smart enough to become informed. Are these people to be deined internet access? Are we only going to allow people of a certain level of intelligence on the internet so they can be informed?
Honestly, if you asked people if they would rather be shown ads they're interested in and ads they're not interested in. With it only being a choice of one or the other and neither is not a choice, people would rather have the ads their interested in. Seems like a lot of people are trying to solve a problem for the masses that isn't a problem for the masses.
Most people don't care if a website knows they used the website, they care if their data is used to overthrow the goverment. So really, we just need to deal with the stopping it from being possible to use to overthrow the goverment.
"By entering this yard you consent to 24/7 monitoring even after you leave our property, and you may be searched at any time..."
I wrote a bit about this at https://zirfrs.medium.com/health-tech-scumbags-episode-1-675....
If web browser development hadn't been hijacked by the most guilty of tracking and privacy invasion corporations, blocking analytics, ads and cookie banners could be a simple matter of easy per-site browser settings.
As for the privacy of AWStats: people are going to leave behind logs, no matter what you do to avoid that. It's a fact of life of the web. What is more invasive of privacy would be recording the mouse or keystrokes using some JS; that's where I draw the line.
[0] https://www.awstats.org/
I agree with the general consensus of this thread that gathering stats for website specific use isn’t an issue, and that the issue is the big aggregators like google and facebook that are plugged into websites everywhere. The big thing I don’t have the numbers for is how refusing to use a google style service impacts ad revenue. About 15 minutes of searching hasn’t gotten me any closer to figuring it out either.
I personally think the solution is to not allow 3rd party sharing of information, but 1st party should be allowed without explicit consent. For example, I visit local-small-shop.com and I can reasonably understand if they track visitor analytics such as number of visitors, referrer and earnings stats IF they keep all this data to themselves and use it to improve their website, not if they sell/trade the data to other third-parties, especially not if this data can be linked to me or me device specifically.
In other words, I don't care that Reddit knows what subreddits I browse on their site, but I do care if they share this data with other platforms or entities.
I think that the core of web privacy is neither anonymity nor the limitation of recorded data but the handling and protection of such data. In a perfect world it shouldn't matter what website X knows something about John Doe, if this data is completely private, safe and enclosed within the legitimate uses/scope of that website.
I run a website. First party analytics are useful because they let me know what people are clicking on, which lets me know what features people find useful. But no one else needs to see my analytics. I don't want some third party to figure out that people are clicking on X or Y and build up some kind of profile of my users. More to the point, even if I could get paid for selling that kind of data, it should be illegal for me to do so, because it harms my users without their knowing.
That is like customers walking into my shop in Real Life and I am not allowed to look at them because of "privacy". I cant even know if he is a returning customer since I cant look at him. I mean if you come here for coffee everyday I would at least know you whether like Latte or Espresso.
So in typical Tech Fashion we went from one extreme of collecting too much and sharing too much to another extreme of not collecting anything to the point we know nothing.
I'm not sure that I agree, but I'm intrigued: Would the world be better or worse off if we went back to Neilsen ratings (i.e., paying people to figure out what they liked to look at) as our way of assessing interest? Maybe it would?
Banks sell your credit card data, which is very easily de-anonymisable.
Insurers price policies for you based on their previous clients data, and will use yours for the future clients too.
Any loyalty program with a customer ID mines the hell out of your data.
You probably agree to all of these; somewhere on page 23 of the contract.
I’m not saying it’s good, only that I get don’t follow academic guidelines either, with impunity.