187 comments

[ 4.7 ms ] story [ 245 ms ] thread
This article is pretty vague. What does it even mean to ban Facebook "from using data from WhatsApp users"?

Facebook "uses data from WhatsApp users" to support basic features like authentication, is that banned now? What about sending a WhatsApp message to a contact, doesn't that "use data from WhatsApp users"? Facebook has to look up some internal user ID (user data), then route the message to their devices, probably by device ID (also user data). How do you do that if using data banned?

I suspect there's more to it but this particular article isn't telling the story in a particularly clear or helpful manner. Hopefully the actual injunction is not as vague.

From Spiegel:

"Am Dienstag gab Caspars Behörde bekannt, dass sie eine Anordnung erlassen hat, die es Facebook – also der Mutterfirma von WhatsApp – verbietet, personenbezogene Daten von WhatsApp zu »eigenen Zwecken« zu verarbeiten.

Gemeint ist damit, dass Facebook jene Daten zum Beispiel nicht für sein Anzeigengeschäft nutzen darf. "

Roughly translated as: Whatsapp is not allowed to share personal user data with Facebook for Facebooks own use, for example Facebook cannot collect data for the purpose of advertisement (and my guess is any other form of monetization). Facebook says further down in the article they currently don't share data between the services for those purposes.

I also think you're confused about the scope. It's no problem that WhatsApp uses its own userdata, the problem is WhatsApp sharing data with Facebook, which is a distinct service.

https://www.spiegel.de/netzwelt/apps/whatsapp-hamburger-date...

Ah, that makes sense. Thanks for the details!
Still super vague. What exactly will be mandated? By what metric are they supposed to identify "German" users? And what if those German users talk to "non-German users"? Will those chats and the corresponding meta-data also be protected?

Our private data leaks all over the place, EU regulation in that regard is like a game of whac-a-mole. In a globalized online world this will only work if there's international legislation.

Another Source - https://www.bloomberg.com/news/articles/2021-05-11/facebook-...

> Johannes Caspar, who heads Hamburg’s privacy authority, issued a three-month emergency ban, prohibiting Facebook from continuing with the data collection. He also asked a panel of European Union data regulators to take action and issue a ruling across the 27-nation bloc. The new WhatsApp terms enabling the data scoop are invalid because they are intransparent, inconsistent and overly broad, he said.

> Facebook’s WhatsApp unit called Caspar’s claims “wrong” and said the order won’t stop the roll-out of the new terms.

I don't understand how Facebook says this order will not stop the roll-out. Are they implying that the authority has no power to implement/enforce the ban?

They incorrectly assumed (like much of the media) that this update was about sharing data of personal messages with Facebook, when it is in fact not.
It is, but not yet in the EU.

It literally says : we will share everything with Facebook as soon as the EU allows. Right now we do not. But we might.

I mean it’s written there.

Where does it literally say that?
I quote from their website

———

Today, WhatsApp does not share your personal information with Facebook to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook. This is a result of discussions with the Irish Data Protection Commission and other Data Protection Authorities in Europe. We're always working on new ways to improve how you experience WhatsApp and the other Facebook Company Products you use. Should we choose to share such data with the Facebook Companies for this purpose in the future, we will only do so when we reach an understanding with the Irish Data Protection Commission on a future mechanism to enable such use. We'll keep you updated on new experiences we offer and our information practices.

——————

This is legalese for pretty much what I posted. In particular, the keep you update here does not necessarily mean you get to agree to a new privacy policy, as the current policy does not include a commitment not to share data (for ads etc) with facebook in the first place. This statement is deviously placed outside the privacy policy!

Also further up they say that they associate the whatsapp profile with any facebook profile in the household/net/vicinity. To be clear, they do this now. Not in the future.

Oh just on case you are unsure what will happen with all this, it’s the following:

In the near future, they will start sharing all that juicy data with facebook based on some made up precedent, new technical justification, some claim to pseudonymity, or discussion with some Irish politician or whatnot.

After being found out, they will then eventually apologize, do better next time and pay the fine, which pales in comparison to the profit gained from that data.

Just as they are now replying to an order from a data protection official with: ‘Lol nope‘

Just don't use Facebook or Facebook Companies products? Like probably most people don't?
Just not be such a contemptible company? Like probably most other companies aren't?
Yeah, sure, but why use them if they choose to be such.
They've managed to become essential communication infrastructure. Exposure of these services to you, but also exposure of your data to these companies is unavoidable.

The neighbourhood watch uses WhatsApp as its primary communication channel, friends are posting group activity photo's and are reminiscing about past activities on Instagram, all the internet your elderly uncle knows is Facebook, all the local used goods sales go through Facebook, some of the best consumer grade VR sets are owned and sold by Facebook, many modern websites are built on Facebook's React, any new novel app that is released gets copied within months by Facebook.

There is no choice `preparetobeassimilated.mp3`

This is 100% on the regulatory bodies who just let this happen, and still are. They just don't seem to understand the gravity of the situation.

Totally agree.

I was happily using WhatsApp (and had even paid beforehand when they were only charging what they needed to operate).

I invested a lot of effort to onboard family members.

Everything was fine, until Facebook purchased WhatsApp by paying about 40 USD per user.

Now I have to invest a similar amount of effort in getting people to move to Signal.

> Should we choose to share such data with the Facebook Companies for this purpose in the future, we will only do so when we reach an understanding with the Irish Data Protection Commission on a future mechanism to enable such use

Where's the documentation that this happened? Surely there would be some declaration from the Irish Data Protection Commission if this was happening.

IIRC this was exactly the policy the EU required for allowing the acquisition in the first place.
Right? And then they went ahead and did it anyway
Facebook even said it wasn't possible IIRC.
Whatsapp already had a separate privacy policy for the European region (https://www.whatsapp.com/legal/updates/privacy-policy-eea?la...)

Apparently that was too permissive. I guess they had to try?

The privacy policy mildly states that they do not share personal data with facebook for ads right now.

But it also says they might do so at any time, at the latest when the EU okays it.

So yeah, at the very least it is too vague to be a proper privacy policy allowing informed consent

Fantastic news and really ideally the whole purchase should be reversed (and obviously more ideally never allowed to happen in the first place)
To take this further, we also need to reverse other purchases like Instagram, YouTube, Twitch, Zenimax, Doubleclick, PA Semi, and so on. We also need a new vocabulary and new concepts. We shouldn't rely on traditional notions of monopoly market share or "consumer harm" to decide when an acquisition/merger/stake should be allowed. We need a new definition to prevent gigantic conglomerates with immense market power, and then we need to enforce that law aggressively, in splitting up existing companies and scrutinizing future deals.
Reasonably anticipated future consumer harm sounds like a good model to me, IMO.

For instance, if we can reasonably assume an acquisition will lead to the potential for future harm through accumulation of power, influence, data, etc, that should be sufficient to block it.

Mergers are in and of themselves simply recognizing an efficiency of scale. It should be possible for a business to achieve success without that shortcut, broadly speaking. Once they're big enough already, that is.

This seems to tie in nicely to the recent narrative that efficiency is the opposite of resiliency, and that maybe not all efficiencies are good.

We need the old vocabulary back.

Much smaller companies used to get split up, but with globalization our understanding of what a large company or what a monopoly is changed.

When it comes to these things countries nowadays are more hands-off than they ever were. Further, advocates of these 'hands-off' approaches like to pretend we'd be returning to some ideal of old that brought prosperity and countries 'meddling' in the 'free market' is some modern fallacy, which is just revisionist history.

Edit: While the above is more personal observation than based on any hard data, there appears to be research supporting my position. This is looking like a good overview: https://som.yale.edu/faculty-research-centers/centers-initia...

Yes, some mere 10 years later politicians in the EU realize that FB should never have been allowed to take over WA/Instragram. The problem is, the politicians in charge at the time did probably not even use a smartphone and had no idea about the tech sphere.

In my opinion, FAMG (FAANG minus Apple and Netflix plus Microsoft) must be broken up. They all do use their market power to prevent competition, and they continue to use their money to buy competitors and/or startups that could compete one day.

Interesting you could utter "use their market power to.." and somehow leave Apple out. While Apple literally is the greatest walled garden which ever existed.
Apple is also a candidate, however I wouldn't know into what departments to split it. At least with the others, this answer becomes pretty easy.
The aspect I find most interesting and internationally relevant is that as these local rulings proliferate, they kinda make it visible to what degree companies finance their operations by selling user data. The more the business model relies on this, the more likely companies are to get hit with a ruling like this — and it's not just the ruling that's interesting, but also what Facebook's reaction will be. If they stop offering or reduce WhatsApp services in Germany (or India), that's a great indicator that the service isn't profitable without the sale (or other commercial exploitation, Facebook is an ad company after all) of large amounts of user data.
Reducing service can also be a strong-armed way to force customers to advocate for them.

"Want to keep talking to grandma? Better tell your government to leave us alone"

I am actually using this argument in the inverse: “hey grandma, do you still wanna see baby pictures, please install <other-messenger>”
If only grandma could use Signal, etc. The problem is that Telegram has by far the best UI and UX IMO, and yet we cannot trust it. Then there are applications which we could trust more (like Signal) but they are ridiculously hard to use and lack many features. Actually, I would say FB Messenger also sucks a lot and apparently FB does not care.
not accurate.

I was able to get grandma on Signal precisely because it was the little secret between us. She knew that a signal coming in was from me, and only me. I was using it to talk to her. And she thought it was cool that we talked via signal to her before any other family member caught on the signal craze.

I was able to get my SO to use signal on the same principle. Pick the people in your life that care about you - and care back. You are available via signal, while you ingnore whatsapp et al. You answer right away on signal whereas on other stuff, you wait.

Its funny how far along you can take a feature-lacking app provided its simple for others to use, and there is an emotional attachment in its use.

You could also customize the notification sound for incoming messages in whatsapp and mute (or just use a short plop sound for) anyone else for grandma. Now grandma can focus on learning to use only one app for all her grand children and will find all the pictures from all her relatives in one place and will more likely be able to even forward pictures to other people on her whatsapp. Assuming Grandmas in their 80s.
But then grandma is using WhatsApp, which is what we're trying to avoid. The point is not that it's possible to make her use WhatsApp. The point is that it's possible to make her use a better alternative.
But how is it better for Grandma? Does she really care on her own or did you talk to her until she accepted that she cannot receive messages from you unless she uses Signal?
She likely wouldn't know to care. But she most likely trusts the judgment of her grandson (mine does) in what's best.
I didnt have to spell out instructions.

I just told her to dowload the app.

At its core, signal is still a messenger app. Its not hard to use. I dont think you realize how powerful are simple things like "good morning" and "i love you" to your family and loved ones. Give a little of it, and see the results.

Signal is an E2EE messenger app with as little shared metadata as possible. Unless Grandma uses the "Status" feature, or wants to know at what time a message was received or read, it provides the same features as Whatsapp with an increase in privacy. It's fair to say that it's a better alternative in her case.
In the global and indirect sense, it's for better for grandma in the same sense as it is better for the whole of society and the entire world. Privacy is something well worth preserving instead of selling to a large corporation and/or overreaching governments.

In the local and direct sense, it is no worse for grandma, and that is the point everyone is arguing. It will work for her use case while also being better in the global sense.

If you need to keep conversations across 2 messengers, that's at least less convenient. But noone seems to see that and everyone else around here is living in their idealistic bubble.

I'm also a privacy advocate, but there are downsides that you need to acknowledge.

Sure, I acknowledge this as a (small) downside, but it is at least no larger a downside than not having control over your conversations or being part of a dragnet to be spied upon by corporations and governments alike.

I would however have trouble with the implication that having this stance is the consequence of being in an idealistic bubble, though perhaps you did not mean that.

I appreciate that. "Idealistic bubble" was a bit harsh.
I don't know, my grand parents (80+ years) get along well with Signal. We have been using it actively over the past years and they can text, call, videocall and share pictures without issues. I am sure the UI can be improved, but it's not unusable at all.
That whole UX issue really needs more explanation. For low-tech usage: you open signal, you select who you want to talk to, you see/type a message. The interface is almost the same as WhatsApp which people of all ages use every day. What's "ridiculously hard to use" here?
I trust Telegram, with its open API and third-party clients, more than a company that bans alternative clients. Why do they want me to use their client? Does it have some alterations from the source code?
Is Grandma happy that none of the pictures are saved to her camera roll? This seems to be a gaping lack of a feature amongst people I know.
> Is Grandma happy that none of the pictures are saved to her camera roll?

Why would they be? If I mail you a bunch of pictures in an envelope, they don't magically convert to negatives and transfer themselves to the roll of film inside your analog camera.

<rant>

Snark aside, "camera roll" must be one of the most confusing attempts at "user-friendly" abstractions I've seen in widely-deployed software, especially with so many apps shipping their own implementations (in addition to the OS/camera gallery), some of which mix together some combination of pictures downloaded to (but not taken by) the phone, pictures existing only in the cloud, pictures existing only in a different app's cloud...

There's skeuomorphism, and there's building a bad abstraction on top of a limitation of ancient tech, seemingly forgetting the ~10+ year period between analog cameras and smartphones with good imaging sensors, where everyone got used to digital cameras shooting photos to a "memory card". My non-tech-savvy relatives are definitely more confused about "camera rolls" in their phones than they were about managing JPGs on SD cards using standard desktop OS filesystem tools.

Hell, number one support request I get from family these days is, "How do I copy ${these photos from a "camera roll" of some app} to ${OS gallery app} and to ${this USB stick}? We want to show all photos of ${grandchild} to ${neighbor} without Internet. And we want to have them in ${a folder on a PC} so it's safe, and we can view it on a large screen." The process isn't that involved, just confusing, and somewhat different for every other app. It's like vendors really don't want people to store their photos as files anymore :).

</rant>

> Why would they be?

Because they were saved to the central photo place with WhatsApp, and she likes seeing all of her photos there.

> It's like vendors really don't want people to store their photos as files anymore

In case you haven't noticed, there seems to be an active effort to do away with the notion of files. Because making things more abstract is supposed to reduce confusion somehow.

Dude, files are hard.
Files are OPEN.

You can do whatever you want with a bunch of bits and a spec that tells you what they mean. Even utilize different software/hardware to consume and manipulate them, which is the last thing your software/hardware vendor wants you to do.

Did anyone really think doing away with files ever had anything to do with simplicity? Another magical thing you can do with a bunch of bits is build abstractions over them to simplify their manipulations as much as you want. It's vendor lock-in and it's not only awful but evil too.

You don't understand. Ordinary people don't understand what a file is, what it can do for them etc.

Result is they can't find them, lose them, don't have backups etc. I have interacted with users who hadn't grasped before they could make folders themselves.

Ask your mother or your sister.

Some people are unable to refill the windshield wiper fluid of their car. Some people cannot reattach a button. I think we shouldn't continue to tolerate such incompetence from the general population, or at least charge them an arm and a leg as punishment.

But unfortunately, vendors have caught up and noticed that "an arm and a leg" is lots of money, so if they could just make it a tiny bit harder...

The plan in motion is, in the name of "making reattaching a button simpler", prevent anyone able to reattach a button on their own from doing it, so the shirt manufacturer makes more bank.

Me being able to freely manipulate my own data according to my capacity has NOTHING to do with providing uninterested/incapable people with tools that hide complexity.

> Ask your mother or your sister.

Mine can work with files just fine. They teach this stuff in schools over here.

That’s an anti-feature, unless you’re only getting family photos. What people really need is cloud sync plus a good interface to browse and search photos.
My local equivalent to grandma doesn't know what a camera roll is. When she wants to see family pictures, she goes in the family conversation and scrolls through messages until she finds them.

It might not be the "best" way but I'm not sure there is one. Instead of browsing content by type ("all photos") and scrolling until she finds what she wants, she browses by context ("all stuff involving family") and scrolls until she finds photos. She is not totally comfortable with the idea that a photo is a bunch of bytes that can be read from multiple places. She prefers going back to the place the content comes from, because that's just easier.

Of course one way is better in some situations, and the other is better in others. But not putting photos in the camera roll has one advantage: it doesn't store them in a storage that's probably unencrypted and readable offline by someone with physical access

That is only going to work if you are prepared to be seen as unhelpful. The likelihood is that she'll just as someone else to show her the photos and complain about you while doing so. Personally I'd be fine with that, but it depends upon your family dynamic.

I took a similar tack over malware & backups some years ago. I was spending far too much time being family tech support in "oh shit" moments, trying to remove crap from people's laptops and other, then (when I gave up doing it that way) hunting down all their files and backing them up before hosing and reinstalling the OS, hunting out the correct drivers, and each time giving advice on keeping backups, avoiding malware, telling them that they must keep any driver discs (or generate them from the machine) when they get a new device so they can be identified & reinstalled later, etc, each time being completely ignored because once things were restored they completely forgot the issue. Once I stopped rolling over and being infinitely and immediately helpful, instead saying "without the backups and such I asked you to keep it might take a few hours to sort this out, I can do it for you but I probably can't fit it in for a couple of weeks" most stopped asking me to help - not because they see my time as having value or because they've started to get less dim about letting malware in, but because I'm seen as grumpy and unhelpful.

That's exactly what they are doing right now...https://www.welivesecurity.com/2021/05/11/whatsapp-limit-fea...
That happened before though and it didn't work out. I don't know why it should be different that time.

Also, telegram is used a lot in Germany (compared to other countries) and together with Signal & others it got used much more recently. I don't think Whatsapp has much leverage here.

Not sure if Telegram is better for the users though.

Telegram is not end to end encrypted, and thus is not really "secure" in the sense that we mean when we say "secure messenger".
This probably won't fly in Germany as Germans are very privacy cautious. Germany is a hole in the Google Street View Europe coverage because of this.

They can limit some functionality and the Germans might be O.K. with it, however the margin in functionality would be someone else's opportunity.

Germans are NOT privacy conscious or cautious - see SCHUFA, Rundfunkbeitrag debt collection, countless Inkasso, Payback, applying for apartment rental, invasive copyright predators. They simply hate anything which smells internet. Germans hate the internet.
You are both kind of right. I would say that we Germans like our privacy perhaps more than some others, but that we do have many blind spots and are generally not well educated about the issues with Facebook and similar. There is also a difference between the uninformed young user (useds) and the people, who have been around long enough and have an attention span long enough to recognize the patterns.
When I was traveling across Europe, I had hard time taking photos of regular houses that I liked. People will get out and ask why I was photographing.

Maybe it is the way it is because Germans like it that way, not everyone needs to have photo of their house. Not necessarily hating the internet.

Also, I hated the fact that Germany did not have Street View, used it extensively at other places to pick neighbourhoods to go or not to go.

When I asked people I met how comes you don’t have Street View here, they all said that they liked their privacy and it has to do with the times when the government was watching everyone, so they are more cautious about it.

That's just what they tend to think. From a closer outside view Germans are not too picky with their data. As someone mentioned above, to many private companies who are allowed to access, process and use your data.
Germans say they like their privacy. Germans also use WhatsApp, Facebook, Google Chrome and Windows.

Germans may be more likely than Americans to think of "privacy" as something they want to be protected, but that doesn't at all translate to a cultural understanding of data protection. We don't want to be "spied on" but that only translates into an expectation of legislature, not into much real activism.

There was a short-lived popular support of the Pirate Party around free culture, privacy and transparency but as someone involved at the time I have to confess for most people this was mostly fueled by fears of losing the ability to listen to music and watch videos prior to the rise of Netflix and music streaming services.

There's an old cultural cliché of Germany being personified by a tired man with a nightcap as a joke about Germans being politically unmotivated but regardless of why that continues to be the case, it still very much describes how it feels if you try to motivate Germans about any issue beyond a few performative protests.

I'd say that Germans are repeatedly goated into hating or fearing one thing or another because media randomly pick up talking points from activists and then try to outdo each other by running that story to death while stirring up a public outcry. Google Street View was just unlucky enough to fall victim to one of these public bashing cycles.
Google Street View would've been illegal anyway. It's legal to take pictures of public spaces, but only if taken from the height of the average human.

Street View had cameras that were quite a bit taller and could see over fences and hedges.

Google Street View is actually legal in Germany. The European Court of Human Rights has finally ruled that taking pictures of houses does not violate any personal rights. Faces and car license plates are blurred, so these don't pose any issues either.
The court ruling only applies if the pictures are taken at eye level, which is why older street view images can't be accessed (the first time they rolled it out, they used cameras at a height of over 3m).

This was an expected judgement all the time.

The height restriction is as people have a reasonable expectation of privacy behind their hedges or fences in their own backyard.

> This probably won't fly in Germany as Germans are very privacy cautious.

After having lived in Germany for ~7 years this statement always makes me laugh.

Some examples:

* Names on doorbells (yes, visible from the street).

* People using "loyalty cards" left and right, letting the merchants track their behaviour even if they pay with cash.

* Giving a stack of papers (including ID copy, salary statements etc) to a real estate owner to apply for a rental.

> * Names on doorbells (yes, visible from the street).

You need these because somehow the concept of apartment numbers does not exist. As a result, mail and food delivery in large apartment buildings is interesting as well.

It seems pretty bizarre compared to all other countries I've ever sent mail to.

> * People using "loyalty cards" left and right, letting the merchants track their behaviour even if they pay with cash.

I'd argue that there is a pretty bimodal distribution of the population when it comes to privacy: Some people don't care at all and will use these cards, while others will fight every single bit of data stored about them tooth and nail.

> * Giving a stack of papers (including ID copy, salary statements etc) to a real estate owner to apply for a rental.

What's the problem here? Paper is inherently safe, unlike digital data. /s

Well, at least faxes have been officially declared equally safe (or unsafe) as email, which hopefully will finally kill them off as the communications technology of choice of the administration.

Truth is, once registered at an address in Germany one is fully transparent to and trackable by all domestic actors - public, malicious, predatory. Any privacy hysteria in Germany boils down to one of: "Americans will watch us" or "Slavs will steal our possesions". Then there is the cherry on the top "Slavs will use American system to steal our possesions".
Well, the Little Father Of The Russians -- pretty much an Über-Slav, no? -- already used American and British systems to steal a British referendum and an American election, so the cherry-on-top Germans seem to be the ones who got it right.
The same happened at a smaller scale when Chinese regulators ruled loot boxes must disclose their loot tables. Even though they aren’t guaranteed to be identical in other countries, a great deal was learned about how such games operate.
The real problem is that its never enough for these companies. Charge me some monthly fee for whatsapp and I'll pay, but no, that's not enough for them.
I mean that was literally their business model until Facebook purchased them. It was a successful stand-alone company!

And now look at it. The bad drives out the good.

What does “successful” mean to you? Are you claiming they were profitable? Of so, what’s the source?
That is one of the regulations that should be applied to adtech companies: Adtech companies should be required to offer a paid version of all their products with a price that covers the costs of producing the service (including a decent profit margin but not including tracking/adtech components of the free version) but with strong guarantees that customers [1] opting to pay are not tracked, not shown ads and their data is in no other way monetized or sold to third parties.

[1] as opposed to products...

You say that. But back when WhatsApp actually was a paid app nobody bothered paying.
"Germany's leading data protection regulator for Facebook has banned the social network from using data from WhatsApp users."

Not to be pedantic, but the parent comment is making a common mistake by using the term "selling" to refer to the way that "tech" companies like Facebook/WhatsApp sell users out.

Facebook/WhatsApp does not need to "sell" data. They can honestly say they do not sell data, and that is exactly what they say in their public communications, hoping to fool readers who believe "selling user data" is the problem. (Maybe they give data away instead. Researchers, API users, and others have had signifcant access in the past. Regulating only commercial exploitation might not prohibit those transfers.)

What they do sell is access to users.

Thus what we want to regulate is not "selling" but "using".^1 (Ideally we want to regulate collection as well, but this does not account for data already collected.)

Read the press release from the HmbDfPI. There is nothing about selling, only about collecting and using.

https://datenschutz-hamburg.de/assets/pdf/2021-05-11-press-r...

1. One instance where we might want to prohibit sale (or transfer) of data is in mergers and acquisitions. If, e.g, the user entrusts company A with data, then if company A goes bankrupt, company B should not be able to acquire the data without the user's express permission.

It's a little more complicated with the WhatsApp business tools, this isn't normal adtech stuff. Search the web for "whatsapp crm integration".
That's why I put the "(or other commercial exploitation, Facebook is an ad company after all)" there. And the difference, as you already note yourself, is splitting hairs. It's the kind of thing you find in a novel, making a deal with the devil who then goes to trick you on a technicality.

They're selling the fact that they have the data. They're selling limited access to the data. It's just exploiting the resource to the maximum gain; if they sold the user data itself they'd be selling the crown jewels and obsolete themselves.

(comment deleted)
It's very far from a technicality, the meaning is totally different. Nobody would claim a TV station is selling it's viewer's data and yet they are willing to make this deceptive claim about tech companies, even though the "argument" is exactly the same.
This is not splitting hairs!

Ask your grand parents, non tech savvy friends, ... if they are okay with Facebook selling their data to anyone. They will object heavily!

Then ask them if they are okay with Facebook using their data to show them more relevant ads. Many will be okay with that.

Then again, ask them if they feel okay being "tracked" - guess what, nobody likes that.

What I'm trying to say is that I think theres a middle ground in targeted advertising, where there's still enough money to be made and still most people feel like they're getting a fair deal (in paying with their data).

> I think theres a middle ground

What you've highlighted is a lack of education about what different abuses mean. There is no difference between tracking and targeted advertising as it exists today. There is no difference between selling your data and "using it to show more relevant ads" as it is today. The fact that some people mistakenly believe there are differences is tragic and the fact that a company can lie to everyone in this way is a travesty.

Data doesn't mean just transactional records, any aggregation derived is absolutely data too.

If my chat messages help Facebook understand my consumption preferences and if they are using that in the chat platform or somewhere else to show me an advert customized using that information gleaned about me using my private messages or browsing behavior, then absolutely they are selling data about me.

It does not matter customer is getting my data along with 500 other people and cannot identify me personally.

It does not matter if they are also selling the ad space as well. An advertising firm benefits from this kind of targeting for which they will pay premium price over competing ad spaces. The base value derived is from any eyeballs on the copy( any traditional advert) and the premium is for my eyeballs on the copy at the right time.

The difference is that the customer doesn't get any data on this case, not even anonymised.

Generally "sell" implies that the thing being sold is transferred in some way, but that's not happening here. The data remains with Facebook.

It's like going to a restaurant and buying a meal. They didn't sell you the oven, they just used it to make your food.

> If they stop offering or reduce WhatsApp services in Germany (or India), that's a great indicator that the service isn't profitable without the sale (or other commercial exploitation, Facebook is an ad company after all) of large amounts of user data.

Don't we already know that about WhatsApp though? What other revenue source does it have?

Well, there's no other visible revenue source currently, but (a) we don't know what the ad/user data revenue looks like down to the finer details¹, and (b) theoretically they could have planned to turn it into a subscription service (pretty unlikely, but who knows…)

¹ some information could be gleaned from public filings, but the more interesting question is the relationship between amount of data extracted and revenue gained; any public filings only show the status quo.

> theoretically they could have planned to turn it into a subscription service (pretty unlikely, but who knows…)

WhatsApp originally was a subscription service; when I first signed up, it cost $1 per year.

They dropped the fee in 2016[1], and now Facebook is trying[2] to go back to the subscription model for business.

1. https://www.independent.co.uk/life-style/gadgets-and-tech/ne...

2. https://www.cnbc.com/2020/10/22/facebook-to-charge-for-whats...

Oh, interesting, thanks, I didn't actually know that.
Well it used to cost like $1 per year and that covered operating expenses many times over, yet..
I wonder what is the true server cost of one user to the system. Of course, the initial costs and human costs are quite high, but in a running system, what could be the cost?

They are E2E, so it is unlikely that the servers need to do any heavy processing. I see that I unused about 3GB of data for about a year, and with 3GB costing $0.30 even at AWS extortion prices, $1 seems like a good estimate.

which they waived very often. I had whatsapp when there was officially a $1 per year cost of subscription, but the first year was free - and then the next, and the next, the "fees" kept getting waived. Then facebook acquired them, and removed the mention of fees altogether.
In that case they could easily adjust pricing to match each country and put a positive spin on it. Let people in Europe pay €5 a year, but tell them that they are finasing 5 users in Africa.
Erm yea they still wouldn't pay for this as long as other free alternatives are available. Messengers are a commodity product in terms of functionality.

If the captive audience walks elsewhere the messengers dies (see Yahoo Messenger, MSN, AOL, the 250 different ones Google had at some point or other...)

People paid for WhatsApp before Facebook bought it and it was successfull. That is a fact spyware peddlers and their fanboys can't argue away.

> Messengers are a commodity product in terms of functionality.

They also where when whats app was a paid service. Yet the complaint against signal, etc. is that they are unusable because they are not nearly as full featured, hard to use and that people would rather continue to use WhatsApp for the network effect alone.

It wasn't really paid. They claimed it was but everyone I know always got the charge waived, which makes sense when you learn it was only ever meant to be a scaling break (see my other comment).
I paid that Euro a couple of times.
Huh, TIL! It'd be interesting to see what percentage of users got waivers vs charges over time.
I found one charge of 0.89 Eur in April 2013. Probably the first year was free and then I paid once. Maybe they charged me just a single time after all. Quite a bargain to be honest (before the Facebook acquisition at least).
Yeah, I guess you're right.

It just seems silly that people won't pay something as low as $5 - $10 per year for a service they use daily, while paying for multiple streaming services, cable TV or cell phone plans where they mostly use the data.

Sure $10 doesn't represent the same value across the world, but I don't see an issue in letting the western world pay more. US users is already worth more to Facebook than someone in Africa.

No it didn't. The only reason they charged, or claimed they would charge, was to slow down growth when they were falling behind with their server scaling efforts. The founders of WhatsApp discuss this in an interview somewhere. It was an anti growth hack, not a business model.
Never thought to think about it this way - back in the day I just assumed they are most likely just trying to get more visibility with the news of the app going behind a paywall making conversation - and then later playing the "ok you win -card" and reversing the decision (with the customers are more important than money feels). Though back then there was no Signal or any other real mainstream usable alternative, and also Zuck hadn't bought them out yet I believe.

But you might be right, if the snowball was about to go out of control this would have been a smart way to throttle growth, a little uncertainty would do the trick and is also conveniently quickly forgotten without significant PR loss. Good angle!

I don’t think you can “talk to” or warn companies like Facebook. You just shut them down bring them to their knees. You’ve to do to them what Apple App Store is doing to them.

I think all these warnings and then those rare pocket change fines are nothing but slaps on the wrists that Facebooks of the world might be allocating in their annual expenses predictably.

But convenience comes in the way and Facebook knows it.

As for India, Facebook will be fine as long as it shares data with the Govt. Hell, it might even become official communication app in India endorsed by no less than the glorious PM while hugging tightly his “dear friend Mark” on stage.

That's the thing that really gets me. GDPR fines can be anywhere from 2-4% of annual revenue (not profit, revenue), yet none have even come close. I guarantee you if you took 4% of Facebook's gross revenue right off the top, they'd notice.

For 2020, their gross revenue was just shy of $86B, so, 2-4% of that would be about $1.7-3.4B. Considering that 2020 EBITDA was $39.5B, that would represent 4-8% of their profits.

Tell me that's not going to affect the stock price. Because that's what you need to do to actually get these companies to do something is materially affect their stock price and piss off the shareholders.

Almost no organisation / judge / regulator / ... will hit someone with the full fine immediately. This is an incentive to comply not an attempt at killing the company. It seems to work since I haven't heard of gdpr ruling being repeated for the same offence so far. I expect the fine would just go up.
Taking away a few percent of a company's profit, while still leaving a quite substantial profit margin is not "killing the company." There needs to be some teeth behind these fines to make companies respect them. You may not have heard of repeat fines for the same offense, but all that shows is that they fix things after they're pointed out. Wouldn't it be better if they thought about how they're handling peoples' data before they got caught doing it wrong?

Somebody needs to be made an example of, and a company like Facebook that not only can absorb the hit but is not well known for respecting peoples' privacy is a great target, IMO.

If the fine was $1.7-3.4B, you can expect facebook to spend $1.6999-3.3999B on undoing that (or have already spent preventing that, e.g. front pages on newspapers for Apple's ATT feature in iOS 14.5). Looking at a forces perspective, facebook has more weight/ incentive behind it because they stand to lose a lot of money, Zuckerberg will be managing the situation. Governments works with none of these pressures or systems. Yesterday, I got back a complaint I submitted to the ICO (information commissioners office) in February 2021, asking for more information/ data. Responding to my complaint in that quality should've only taken less than 5 minutes.
Some weeks ago, I saw a comment on HN[0] that made me think. It presented an argument for current level of fines for all kinds of white-collar mischief being sufficient. The reasoning as I remember it was along the lines of:

- The fines are usually attached to an order to stop the activity in question. This leads to the misbehavior being corrected, because a company continuing their practice against the order will be committing much serious offense.

- Such "slap in the wrist" fine clearly establishes a particular practice to be illegal, which influences decision making process in other companies. When considering whether to walk a legal tightrope, there's a world of difference between theoretical liability and a clear example of someone else landing in hot water for doing that same thing.

Put like that, it sounds reasonable to me if fines start at a low level (regardless of the public's opinion of the offender).

I'm posting it here not because I agree[1], but in hopes that someone can point to evidence for or against this approach working. Do companies continue to do the things they were fined for in the jurisdictions they were fined for? Are other companies opting to engage in a behavior after someone else in the same jurisdiction was fined for it?

--

[0] - Can't find it now :(.

[1] - I have no opinion just yet. I thought about it a little, and I realized that from game theory point of view, you'd expect a company threatened with the 2-4% annual revenue level fine to put up an expensive fight, not to protect the behavior in question, but to contest the fine itself. This adds another point in favor of this view.

> Such "slap in the wrist" fine clearly establishes a particular practice to be illegal, which influences decision making process in other companies.

> Put like that, it sounds reasonable to me if fines start at a low level

This is fine if you want a low level of compliance from businesses. I.e. if you want them to ask for forgiveness later and preferably not get caught. Because slap-on-the-wrist fines are not something that will ever appear in a risk calculation in any meaningful amount, illegal behaviour will be tolerated within the company, and only corrected upon getting caught once. Because only the subsequent fine might hurt. Meaning that you entice all your companies in covert illegal behaviour.

If, on the other hand, the first fine really hurts, you get deterrence. Meaning that catching a fine is seen as a business risk, and the company will try to avoid getting fined in proportion to the amount. Behaviour will be more legal-by-default and seeking permission.

Which one is desired is a matter of public policy, and it isn't binary in the amount and may be different for different laws and behaviours. I am personally preferring the latter.

Consider the use of fines in changing private people's behavior. Get a $5 fine for parking in a fire lane? You're probably not going to think twice about it. Get a $500 fine? Or they take a % of your income? You will think hard before parking where you're not supposed to.
I think parent's point was: a $5 fine for the first time anyone ever parks in a fire lane would be reasonable (not the first ever parking ticket, but the first of that particular type). It may have been obvious already that it's wrong, but now it's been tested in the courts the precendent is much stronger. So long as fines for things violating obvious legal precendent are closer to that $500 mark then that would be enough to stop further offenses (by original party and others).

Like the parent comment, I'm not saying I agree or that this represents the actual situation here.

Sounds a lot like the saying that it's easy to keep honest people honest. But that's about keeping people to rules that, for all practical concerns, have been there forever. Regulation is often dealing with quite the opposite. When you decide one day that it's not ok anymore for a chemicals plant to just dump spent reagents in the river it's about changing behavior, not about preventing bad habits to form. That makes it much harder.

Another question is how closely the behavior in question is related to the income streams: the chemical plant won't sell less if they avoid unprocessed dumping. Chances are they can even convert part of their waste into sellable side-products. And if a hotel chain had a little side income from selling Wifi communication metadata to ad networks they could stop doing so any time without changing the tiniest thing in their core business besides some minor numbers in the balance sheet. But Facebook doesn't have any business outside of ad targeting and telling them to stop some forms of data collection almost seems like an attempt at winning over Henry Morgan to peaceful cargo transport.

> Put like that, it sounds reasonable to me if fines start at a low level (regardless of the public's opinion of the offender).

The real reason fines are never crippling is because they would not be paid, there would be endless back and forth in courts for what could be decades, with the authorities always being less prepared and less funded for such a battle. So they take what they can get away with. Then there's the aspect of giving a large fine and hitting vital interests of a major company from another country... You're inviting some form of nation level retaliation sooner or later.

All the calculated proceeds resulting from an illegal activity should be clawed back if this is to ever solve anything. Keep in mind that we're not talking about actions that are suddenly declared illegal, we're talking about actions that were illegal all along and the company was officially found guilty of that. Not guaranteeing an overall loss for the company if they're caught means the worst that can happen is they lose some of the profit. This is literally just "the cost of doing business" and proliferates.

> The real reason fines are never crippling is because they would not be paid

And then Facebook, Whatsapp and Instagram cease to be a thing in Germany.

At least, that would be nice, but the politicians that would impose that are probably too attached to their instagram dog photos.

A crippling kind of fine would have to be applied by the EU, not by one country. The EU is a big enough market that withdrawing would do even more damage since the company still has to pay the fine but without a good chink of their market, which they now handed off to rivals or newcomers. Look at VW who hasn't withdrawn from the US market despite the absolutely massive fines.

The difference is the US never shies away from leveraging their top position in a way the EU is simply not able to. So while the EU will leave VW out to dry when they're caught with their hand in the cookie jar, the US is all but guaranteed to apply as much pressure as it takes to protect their interests. I have seen the process repeatedly and nobody will ever be allowed to hit any US interest without massive retaliation. The proof is in front of you, there's no single instance of a major fine payed by a US company in the EU. The largest fine was the one applied to Apple (~$15bn), it's still being contested, and Apple pretty much just agreed to pay a part of the taxes they owed instead (not all, and not the fine).

The fine FB got for the way they lied about the WhatsApp deal was... $122m.

Are you sure you can apply it like that? My understanding is that there is no Facebook Global that you can fine citing these revenues but some local braanch Facebook CountryName will get the fine with only local revenue. Therefore expecting fines of 1.7-3.4B is somewhat unrealistic I beleive.
I'm sure they report their revenue like that, so, yeah, probably?
The courts are not going to push up towards the upper limit of that unless someone does something extremely shockingly bad, because otherwise they have no room for a graduated response if something worse comes along.

It'll take time - if politicians see the fines that get applied are too modest, hopefully there will be steps taken to firm up the criteria or increase the amounts.

> You’ve to do to them what Apple App Store is doing to them.

What them? The Apple/Google duopoly is fucking everybody. There was a recent post on HN about Panic shutting down its iOS text editor because of AppStore restrictions.

The ad move by Apple is the ultimate example; They shut down third-party tracking, while their own tracking machine continues uninterrupted. Do you think if China requested your data from Apple, they wouldn’t give in silently? Dream on.

I mean I would actually expect if any government where Apple does significant business demanded my user data they would give it silently. Like we're talking about entities whose authority is ultimately backed by violence. Nobody should be obligated to put themselves in harms way for anyone else. It is of course very noble if they do but not something that can be expected.
They might decide ridiculing the incompetent government is worth the PR, e.g., their shows with the US gov. Of course, you're correct that as soon as those govs show some teeth, Apple would change course very fast.

Ultimately, if the biggest monopolies of violence can get your data by just requesting it, you won't gain much from having "privacy." It's better to focus on economics, and use custom hardware and software if you want privacy.

> They might decide ridiculing the incompetent government is worth the PR, e.g., their shows with the US gov.

I hope you are not referring to judicial checks on executive power as "incompetence".

> You’ve to do to them what Apple App Store is doing to them.

What a weird use of “you’ve”. Is this common in certain areas?

How does Facebook "sell user data"?

When I buy ads on Facebook I cannot access any user's data.

Do they have another product offering where I can buy user data? I dont see anything like that.

> How does Facebook "sell user data"? @jp555

https://www.androidauthority.com/signal-ads-banned-facebook-...

That article showcases what Signal was trying to show Facebook's users.

The data accumulated cannot be purchased, but the power of that harvested data certainly can be.

I might gave this wrong, but only the users saw their own data in the ads they were served. Signal can choose lots of parameters for who should see their ads, but they dont get to see who those people are.
In this case, they plan to transfer user data into another division of their company. They have bought WhatsApp LLC, with cash and shares in hand, and got (among other things) user data in return. This is a pretty clear case of selling user data of such a company, isn't it? (Note that GP never claimed that Facebook itself sold any data just that they exploit data commercially - they have given third parties extensive access to user data in the past though)

Anyway, these discussions on the technicality of the term "selling data" vs "selling access to users using data" is just means to deflect from the real problem. It doesn't get away by rephrasing.

You don't call up Facebook and ask for a few TB of data. You use ad targeting services which are essentially an abstraction on top of a personal data aggregation and analysis system.
Right, Facebook’s ability to make money comes from how well it keeps user data secret, so it can sell abstracted access to advertisers.
It's selling data with extra steps, still selling data.
That's just obtuse. It’s clearly not selling user data at all. When I buy FB ads I cannot not get any user data. I can pick they type of user I want to see my advert, but I cannot know who they are.

If you have a FB account you can try this and see for yourself right now for a few bucks.

But maybe I'm wrong. Can tell me how they do sell user data?

You're correct. If they sold the data, then they would sell themselves out of their own market.
Look for Cambridge Analytica.

If you think the behavior ended with the scandal, I've got the Golden Gate Bridge and the Eiffel Tower to sell you, two for one :)

Unless we have German police personally looking over shoulders wherever WhatsApps data is handled, i don't see how this exchange of information can be prevented.
I think it's more that they can be fined heavily should it ever be found out.
So is this is the start of finally bypassing Ireland?
Wondering what the UK will do..
What can Facebook argue against here? They are going back on what they guaranteed to allow the acquisition.
The same bullshit they usually do to make them look like the poor victims
This works in WA's favor in some contexts. I have a fresh wave of friends who tell me I should reinstall WA, because they "don't do data sharing in Germany".

I note that their terms still say that they do share data; they just have a PR line outside the terms that says they'll do it as soon as they "reach an agreement" with regulators.

I further note that their entire business model for WA depends on sharing data for advertising. Trusting them on their PR agent's word not to share data is the fox guarding the hen house.

Why do people insist so much about using Facebook's apps? This reads just like an addict giving bad excuses for their relapse...
The problem is Whatsapp has strong network effects unlike Facebook itself. Most people would be able to quit Facebook and it wouldn't make much of a difference to their lives, whereas cutting off Whatsapp would mean a daily inconvenience when you want to talk to the people closest to you.
> would mean a daily inconvenience when you want to talk to the people closest to you

I did exactly that and it wasn't hard at all. I still have a phone number which they can call or text. I let them know the alternatives I was reachable on, and they installed them. My family group chat is now on Telegram, my wife who still uses whatsapp says the WA family chat is basically dead.

Even when I was in contact with a recruiter for the job I'm currently in it wasn't that hard. She said I'll 'App you' which means to send a message via WA. I quickly said something like ah sorry I'm not on WA but you can Telegram or just text me instead. And you know what she said? Ok. And then we texted.

If it's really that big of an inconvenience for those closest to you, you have to wonder how close they really are.

> My family group chat is now on Telegram

Good for you, and your family, but that's simply not possible in lots of situations. My father and I tried to convert our family chat to Signal. Didn't work. I have no way to convince my coworkers to switch away from Whatsapp: they simply don't see privacy issues in the same light as I do.

It's unfortunate, but at least for the time being it's simply not happening.

> My father and I tried to convert our family chat to Signal. Didn't work.

Oh damn, did they just continue the whatsapp chat without you two in it?

> convince my coworkers to switch away from Whatsapp

You don't have to convince them to switch away from WA. You personally just need to switch away from WA. The reason it worked in my case is because I just simply stated I wasn't going to use it anymore and that they could reach me in different ways. The value is in the network effect, at the start they used Telegram just for me. But since they already had Telegram open for the group chat, they might as well use it for PM's to each other.

> at least for the time being it's simply not happening

There's really nothing that will change though. WA will keep working, WA will keep becoming more shit, and 99% of people will still not care as long as it works. The only difference is the people that you can reach through the medium.

> If it's really that big of an inconvenience for those closest to you, you have to wonder how close they really are.

You are in an incredibly fortunate position if you only ever have to communicate with people or groups of people who find you so significant they will change things to ensure they can reach you.

I am involved in a couple of volunteer groups with about 50 members. Everything is planned and discussed in WhatsApp groups. I am a junior member with no special value to the group and if I declined to participate via WA I would just be ignored. I.E. If I stopped using WhatsApp I would no longer have any hobbies. Great result.

Likewise where I live there is a massive housing shortage, 100 applicants for a flat is not unusual. If the agent wanted to use WhatsApp and I refused, he would just ignore me.

That's the question that has been bugging me forever and the only answer is network effect.

Facebook apps _suck_.

Prime example I like to use is Facebook groups - the most popular forums in the world right now and in terms of UX it could be outdone by a forum from 2004: there's no sorting, no indexing, search is non-functional, no proper formatting, no proper moderation tools, no sorting of filterting or categories - it's just insane!

Nothing facebook touches is designed with UX in mind and that's by design. That goes for majority of free user services that are powered by selling user data unfortunately.

Oh my god yes, Facebook groups do suck. I've seen so much tension in groups related to my hobby because beginners tend to ask the same questions over and over again which is fine, but since all the posts are put together in the same feed instead of having categories, the more experienced hobbysts are getting sick of seeing these kind of posts and lash it out on the beginners.

There's constant drama about this, the blame is always put on other people and never on the fact that they use a shitty platform.

Facebook doesn't really want you searching or sorting. Facebook wants you asking again, creating new pages all the time, etc.

Their incentives are misaligned.

IDK if you are just talking about Facebook apps themselves, but I would say that WhatsApp and Instagram are very well written apps in terms of UX. Some of the best apps on my iPhone I would argue.
I don't use Facebook itself but WhatsApp is required software for everyone in my country. Everybody uses it and there's just no way to communicate efficiently with anyone without it. People buy phones just to use WhatsApp.
EU should completely ban Facebook and WhatsApp entirely. EU should say fuck that rotten person called Zuckerberg. From tomorrow all ISPs will block all Facebook products.
Personally, I'm already blocking Facebook through nextdns.
> From tomorrow all ISPs will block all Facebook products.

That actually happened in my country. Lasted a few days, nothing of substance happened in response. Few people installed alternatives.

> From tomorrow all ISPs will block all Facebook products.

This is not how EU does things.

The way EU does things is getting tiresome. I'd love if we could blackhole their ASes.

> “As the Hamburg DPA’s claims are wrong, the order will not impact the continued roll-out of the update.“

... blocking the assets of criminals does not impact civil liberties

> A spokesperson for WhatsApp said: “As the Hamburg DPA’s claims are wrong, the order will not impact the continued roll-out of the update.

The amount of Facebook’s arrogance at play here is just staggering.

Quite. Who are mere German public officials to question the rectitude of an organisation as august as Facebook?
To be fair, it seems like the German public office have not done their work and have some thing incorrect. As such, it doesn't apply.
That German authority interprets the law in some way, Facebook interprets it in some other way. i assume the courts will decide. Seems reasonable to me.
When it comes to my data, I’d rather not have them use it until forbidden. I want it to be not Used until explicitly allowed
What kind of wannabe authoritarian regime bans a company from using data it owns?
A "regime" that values the privacy of its citizens over the profits of a multinational?
Ah yes, just like the vaccine passports they will be implementing because they value "privacy". Sure.
The legal situation is that Facebook doesn’t own any of this data. It has collected it, but the data is owned and controlled by individual users, and they have the right to say what Facebook should be allowed to do with it.
A legitimate democratically elected national government in a continental union that conditioned its anti-trust approval of the acquisition of WhatsApp by Facebook precisely on personal data not being used in that way.

That "kind of wannabe authoritarian regime". HTH!

Just because you were legitimately elected doesn't make you not authoritarian. Plenty of authoritarian regimes came into power legitimately, and then abused that power with popular support because the people thought it sounded like a good idea at the time.

Anti-Trust is generally smoke and mirrors anyway - I can't think of any antitrust that actually did anything useful. AT&T was broken up, and then 5 of the companies merged back into it over time. Standard Oil was broken up and now we have Exxon (yay...). Microsoft was hit because they bundled IE with Windows but now they have IE, and Edge still bundled with Windows 10.

Isn't that like a huge news? By reading the article it seems like it's not such a big deal...

On the other hand, facebook seems like it's deader than dead, it's just the agglomeration of whatsapp, instagram and occulus now.

I'm curious if the Trump election problem is one the reason why facebook is dying.

This cat and mouse game will continue forever as I don't expect governments that give Facebook a clean chit in exchange of data sharing to do much policing. The only real power lies in our hands. Many of us change/mute the channel when the ads come on, do the same effectively online by blocking ads and if that is not possible, by _never_ clicking on ads. The whole point is to sell and if we ensure that we don't pass any signal back in terms of how we are deciding, the point of ad spends themselves will be in question. The only effective wakeup call for such scum companies is their revenue taking a hit.
If German users would switch. WhatsApp is the main Messanger in Germany, and a lot of the people who live here are not that interested in privacy (although there is still a relatively large piece who is). It‘s too abstract for some people how their data is used. The Government needs to explain more and not just create rules which people find annoying to follow.