Rendered at 18:39:23 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
Johnbot 4 hours ago [-]
A lot of geolocation data on the market is anonymized, following medium-lived unique IDs that aren't able to be mapped to other identifiers. The problem with that is that if you have precise locations, or enough samples that you can apply statistics to find precise locations, in many cases you can de-anonymize the IDs. You can purchase address and resident listings from a number of different data vendors, and by checking where the device returns to at night you can figure its home address. Then if you find information on the residents (work locations, schools, etc.), you see if said device goes where each resident of the home address is likely to go, and you now have a pretty good idea of exactly who the device belongs to.
rockskon 3 hours ago [-]
There is no such thing as anonymized location data when you have the location of something where and when they sleep and work.
It's a rhetorical fiction the ad industry tells itself.
Terr_ 1 hours ago [-]
Right, there's probably no other phone in the world that typically stops for hours within 1000 feet of my bed and typically stops on Monday-Friday within 1000 feet of my work-desk.
mapt 3 minutes ago [-]
Now think what Lavrenti Beria and an LLM could have done with that.
1 hours ago [-]
Forgeties79 3 hours ago [-]
And with LLM’s now it’s easier than ever to piece the parts together. Companies were doing it before we even knew what LLM’s were capable of.
Edit: It's a rhetorical fiction the ad industry tells us.
3 hours ago [-]
3 hours ago [-]
teraflop 2 hours ago [-]
We should have learned this lesson 20 years ago when researchers were able to deanonymize a lot of the Netflix Prize dataset, which contained nothing except movie ratings and their associated dates.
If movie ratings are vulnerable to pattern-matching from noisy external sources, then it should be obvious that location data is enormously more vulnerable.
vovanidze 3 hours ago [-]
exactly. calling it 'anonymized' is pure security theater once you have enough data points to map out someones daily routine.
waiting for legislation or eulas to fix this is a lost cause since adtech always finds a loophole. the fix has to be architectural. moving toward stateless proxies that strip device identifiers at the edge before they even hit upstream servers. if the payload never touches a persistent db there is literally nothing to de-anonymize. stateless infra is the only sane way forward
microtonal 3 hours ago [-]
To be honest, I feel like this is where iOS and Android are failing us. Why is every app allowed to embed a bunch of trackers? Only blocking cross-app tracking on user request as iOS does is not enough (and data of different apps/websites can be correlated externally).
rolph 2 hours ago [-]
im not sure about allowed. perhaps required may be closer.
why would someone include tech that makes people think twice about using the app, unless it is required if you want to "sell" in a particular venue.
if your developing geolocation based apps, location tracking is a core function.
a calender, absolutely does not require location tracking beyond what side of the prime meridian are you on.
nickburns 2 hours ago [-]
> if your developing geolocation based apps, location tracking is a core function.
But the subsequent sale of that data is not—is the discussion here.
rolph 30 minutes ago [-]
and the reason why that data is available for sale, starts with forced collection of data, if you want to participate in an app store as a developer.
you cant sell what you dont have unless you lie lower than a rug.
fix the data collection problem and a second order effect of no data for sale emerges.
chimeracoder 30 minutes ago [-]
> To be honest, I feel like this is where iOS and Android are failing us. Why is every app allowed to embed a bunch of trackers? Only blocking cross-app tracking on user request as iOS does is not enough (and data of different apps/websites can be correlated externally).
Even if Google and Apple both want to commit to fighting this, it becomes a game of whack-a-mole, because there are all sorts of different ways to track users that the platforms can't control.
As an easy example: every time you share an Instagram post/video/reel, they generate a unique link that is tracked back to you so they can track your social graph by seeing which users end up viewing that link. (TikTok does the same thing, although they at least make it more obvious by showing that in the UI with "____ shared this video with you").
CPLX 2 hours ago [-]
Because we don’t enforce antitrust law in this country and the people that make those decisions profit from the ads.
uxhacker 33 minutes ago [-]
How is this legal under the GPDR? There is clear examples in the citizenlab document of a user been tracked inside of the EU from outside.
Is there not also a requirement for clean consent? Ie a weather app can’t track your precise location?
sroussey 3 hours ago [-]
Companies exist that de-anonymize other data brokers data. Lets the other data brokers claim they have anonymized data while end end users get everything.
ImPostingOnHN 3 hours ago [-]
you could probably run a anonymization company at the same time you run a de-anonymization company
gessha 1 hours ago [-]
Best of both worlds - legal and profitable \s
jandrewrogers 3 hours ago [-]
Location and identity are inextricably linked. You can't destroy identity without also destroying location and location is critical for myriad purposes.
The analytic reconstruction of identity from location is far more sophisticated than the scenarios people imagine. You don't need to know where they live to figure out who they are. Every human leaves a fingerprint in space-time.
nickburns 3 hours ago [-]
> and location is critical for myriad purposes.
It's not though.
Critical for myriad elective purposes? Sure.
jandrewrogers 2 hours ago [-]
Only if you consider the entire concept of logistics in civilization as "elective".
xphos 2 hours ago [-]
Seems hyperbolic we had logistics that functioned extremely well before we had customer location data for sale on 3rd party sites.
philipallstar 35 minutes ago [-]
If you re-read the comment they didn't say that selling it was intrinsic.
nickburns 2 hours ago [-]
I don't follow what you mean by 'logistics in civilization' as that's pretty vague and amorphous.
Could you be more specific with maybe a single example of where my physical geographic location is electronically critical for a purpose that isn't elective/optional/avoidable?
(And I'm not just trying to be obtuse. I think you're touching on at least part of the 'heart' of both this conversation and that of digital ID verification.)
quickthrowman 2 hours ago [-]
How does tracking the movements of individual humans aid shipping and logistics, other than providing traffic data to freight companies? How did we manage to have global supply chains prior to GPS being invented?
Edit: I assume I am missing a crucial part of logistics that you’re familiar with, genuinely curious.
3 hours ago [-]
ninalanyon 2 hours ago [-]
In what sense can the latitude and longitude of my house be called anonymous data?
kube-system 2 hours ago [-]
Ultimately, a map is anonymous data containing lat/lon of everyone's house
Alone, these points are not deanonymizing, it's when there's other data associated.
1121redblackgo 3 hours ago [-]
Yep. With side channel/one order of thinking above the laws, its trivial to get around said laws. Need better laws.
malfist 3 hours ago [-]
> A lot of geolocation data on the market is anonymized
A lot isn't good enough.
groos 28 minutes ago [-]
Most people don't realize how bad geolocated data is for a free society. I can buy data from a broker, geo-fence your house address, and then I'm able to see all the places where you went, who you associate with, and identify all you associate with by tracking them to addresses. All of this happens with anonymized device identifiers. It is the wet dream of a company such as Palantir and all governments who desire absolute control over their populations.
ch4s3 4 hours ago [-]
IMO we should ban gathering this data without a warrant or specific contractual agreement between the device owner and entity aggregating the data. As much as congress loves to claim the interstate commerce theory of everything, this seems like a slam dunk.
Dwedit 4 hours ago [-]
Contractual agreement? Nobody reads things like EULAs or terms of service. It's probably in there already.
ch4s3 4 hours ago [-]
I should have been a bit more clear. We should ban retention for any purposes where it is not explicitly required for the intended function and clearly agreed to by all parties. Think somethig like strava or asset tracking. You know it stores gps data, and why.
ryandrake 3 hours ago [-]
There is no such things as "clearly agreed to by all parties" when it comes to end users. Companies provide a one-sided, "take it or leave it" EULA, and if you don't agree to everything in it, you don't use the product. There is no meeting of the minds, there is no negotiation, and there is no actual agreement. It's a rule book dictated by one side.
pocksuppet 3 hours ago [-]
Then it's not a valid contract and therefore does not absolve them of criminal liability for stalking you.
kube-system 2 hours ago [-]
Contracts of adhesion can be valid contracts. The ability to negotiate or equal bargaining power is not a required element of a contract.
Furthermore, you cannot contract away criminal liability if any exists.
lukeschlather 2 hours ago [-]
Even attempting to use a contract of adhesion to justify selling GPS location data to a third party should be a criminal act.
kube-system 2 hours ago [-]
Yes, the US is in desperate need of better privacy laws.
celeritascelery 2 hours ago [-]
You click on “accept terms and conditions” which means you agree to the contact.
ch4s3 3 hours ago [-]
You can't just bury literally anything in an EULA. There's a fair amount of case law establishing that EULAs clauses that are surprising or illegal aren't enforceable.
pwg 3 hours ago [-]
That fact does not change the point of the individual to which you replied. Regardless of whether the clauses in the EULA are 100% legal, some mixture or 100% illegal, the entire EULA is a "one sided rule-book dictated completely by one side". You, the person held to the EULA's rules, do not get to negotiate on the individual points. You simply have a "take it or go away" set of options.
kube-system 2 hours ago [-]
You're talking about contracts of adhesion and they are overwhelmingly common for B2C agreements. Most red-lining of contracts only happens in high-value B2B transactions where the sums of money involved are enough that it makes sense to bring lawyers into the loop.
when you already pay for the device and a contract, then surprise now that you have skin and flesh in the game, you HAVE TO agree to this EULA or your property is a brick and we keep your money.
that is defined as extortion, but labled as onboarding.
kube-system 2 hours ago [-]
Courts do look poorly upon this -- to have a valid contract of adhesion there is some degree of advanced notice required and ability to reject it.
stavros 3 hours ago [-]
There is the GDPR.
toofy 4 hours ago [-]
if it were up to me i’d require a hand signed contract that explicitly, up front and in plain english gives permission and is not transferable to any “partners”.
teeray 1 hours ago [-]
Instead of “I accept”, you’re given a quiz
rubyfan 4 hours ago [-]
Right, privacy terms are written to be vague and permissive. Even if you read them you can’t usually understand how the data will be used or opt out.
rubyfan 4 hours ago [-]
I think we should make this type of tracking opt-out by default. We should also ban the sale of its use to third parties and its use for purposes other than the specific functionality which required it to be enabled in the first place.
gruez 4 hours ago [-]
>I think we should make this type of tracking opt-out by default
GP states correctly that they believe the default 'choice' of a user should be 'opting-out' of location tracking.
3 hours ago [-]
wakawaka28 31 minutes ago [-]
Every EULA already covers this basically. The real problems are: people agree to it, and the government can do an end-run around the constitution by simply purchasing data or hiring contractors.
troupo 4 hours ago [-]
> IMO we should ban gathering this data without
GDPR tried. And the narrative around GDPR was deliberately completely derailed by adtech.
Lack of enforcement didn't help either
ch4s3 4 hours ago [-]
GDPR like all EU regulation is needlessly complicated and aimed at a compliance model that seems designed for SAP.
microtonal 3 hours ago [-]
The compliance model is very simple. Do not collect data. Problem solved. If you need to collect data (e.g. because you are a webshop), only collect the minimum necessary.
The problem is not the GDPR, the problem is the surveillance industry that wants to grab as much data as possible and try to do as much malicious compliance as possible.
jandrewrogers 2 hours ago [-]
Designing around GDPR compliance shows up all over the place in industrial data collection. It doesn't only affect surveillance webslop.
The costs are often worse on industrial side because the data is so much larger and faster than web or mobile data.
gwerbin 2 hours ago [-]
What do you mean by "industrial" in this case?
jandrewrogers 1 hours ago [-]
Telemetry from machines and data from environmental sensors that is collected for operational purposes (safety, efficiency, reliability) in industrial applications. Old school engineering systems that in modern times have expansive network-connected sensors that may even have onboard classifiers to reduce the quantity of data.
The trouble started when lawyers correctly noticed that these are incidentally capable surveillance systems even though that isn't how we use them or what they were designed for.
pocksuppet 3 hours ago [-]
Have you read it? It's not that bad, unless you're thinking like an adtech programmer trying to find the exact edge case for the maximal amount of tracking you're allowed to do, because such a bright line does not exist and that fact infuriates adtech professionals. It is vague because reality is vague and complex; each specific case of alleged violation has to be interpreted by multiple humans; there is no algorithm.
ch4s3 3 hours ago [-]
The law mandates a data protection officer with specific duties. It also establishes a board that "issue guidelines, recommendations, and best practices" which is where administrative complication and nonsense always creeps in.
jandrewrogers 3 hours ago [-]
It is regulation that imagines companies are a government bureaucracy.
I have read GDPR and don't work in adtech. It is vague and it is pretty easy to find pathological scenarios that don't make much sense or impose an unusually high burden for no benefit. Every European law firm seems to agree with this assessment despite what proponents assert. Consequently, it forces a lot of expensive defensive activity in practice.
To some extent, it was just a failure of imagination on the part of GDPR's authors. Many things are not nearly as simple as it seems to assume and it bleeds into data models that have nothing to do with people.
It is what it is but no one should pretend it is not a burden for companies that have nothing to do with adtech or even data about people.
troupo 3 hours ago [-]
You can literally read the entire "complicated" regulation in one sitting in an afternoon. There's literally nothing complex or complicated about it.
Congrats on gullibly believing the ad tech narrative.
ryandrake 3 hours ago [-]
The "GDPR is complicated" meme has been circulating among software developers since probably before it was even written. It's so wild that HN dunks on it so much: Here we have a societal problem in computing we've been complaining about for decades, someone offers an incremental but imperfect regulation to start taking steps to correct it, and everyone hates it!
IX-103 16 minutes ago [-]
The GDPR is vague and unworkable as written. It fundamentally restricts all data processing with a few, vague exceptions.
What is data processing essential for the services being provided? Many publishers assumed that getting paid was an essential part of providing a service, and it was not until 3 months before the implementation deadline that the committee clarified that getting paid is not included when you are being paid by a third party.
How are you to know whether or not the user is an EU citizen (and thus subject to the GDPR)? Is making that determination a service essential for providing your service? The answers apparently were "You don't" and "No", which would effectively make companies assume that the GDPR applies to everyone on the planet.
The GDPR also is fundamentally opposed to how things currently work in the internet, making almost all advertising on the web illegal overnight. It was too big of a change to happen at once, so it effectively only loosely enforced in practice.
I like the idea of the GDPR, but the implementation sucks.
pocksuppet 3 hours ago [-]
Same with the California age input box.
lukeschlather 2 hours ago [-]
The problem with the age input box is that we don't have the GDPR. We're mandating that people give accurate age information to advertisers, and it's legal for advertisers to sell detailed dossiers on people including their age and target advertising using the age. This is why Meta wrote the age input box legislation, they want to make everyone legally required to provide Meta with their age.
ch4s3 3 hours ago [-]
Being able to read something in one sitting doesn't make it simple or obvious. The law establishes a board that gets to set new requirements.
stavros 3 hours ago [-]
As someone who has to implement it, it's really not bad at all: Ask the user for consent to use their data, and don't be misleading about it. That's it.
The rest of the "It'S So LaRgE AnD UndErSpEciFieD" is just FUD. The regulators don't just slap fines, they work with you to get you to comply, and they just want to see that you're putting in the effort instead of messing them about.
I have literally never been surprised by the GDPR. Whenever I thought "surely this is allowed" it was, whenever I thought "this can't be allowed", it wasn't. For everything in the middle, nobody will punish you for an honest mistake.
kentm 43 seconds ago [-]
Also, "Be able to track a user's data and delete it on a request."
This is not too hard if you do proper engineering work ahead of time and are purposeful about how you move and manage data (step 1 is just not collecting it unless its vital). But the industry encourages us to be very bad about that because we gotta "move fast and break things or you're not gonna make it."
ch4s3 45 minutes ago [-]
> for everything in the middle, nobody will punish you for an honest mistake.
How do you know that? Again the law establishes a rules making body that can at any time change or add rules, and as far as I can tell there's no public review process.
stavros 28 minutes ago [-]
Which body is this? The EDPB?
redwall_hp 3 hours ago [-]
Anti GDPR people: "it's so complicated not being able to walk into someone's house and take their things! Which things can I not take? How about this? And now I need a lawyer if I take someone's things? Ridiculous!"
Just don't spy on people.
stavros 3 hours ago [-]
Yeah that's pretty much what it feels like, or sometimes it's "what if someone's stuff is lying on the street? Can I take it then?" and the regulator is kind of like "look around and ask if it belongs to anyone, and if not, sure".
romaniv 3 hours ago [-]
The problem with all these discussions about banning stuff is that privacy is always on the back foot. It's by design. People who want to surveil and manipulate us are actively investigating new ways of doing it, they get paid for it and they risk nothing in the long run. All of these discussions about specifics are just reactions. They aren't even reactions to the surveillance itself, but rather to a discovery by someone that a new surveillance machine has been constructed and launched.
So the current feedback process involves: construction → exploitation → reporting → public awareness → legislation. This is too slow. Moreover, operating in this environment is exhausting.
We need a different feedback loop altogether. I'm not sure which one would work best, but something different needs to be considered.
jjk166 1 hours ago [-]
Yeah, abuse of privacy should be the crime, the same way theft is. How exactly the crime is committed shouldn't matter. Companies can have every right to make a compelling argument that what they did was not an abuse of privacy when they are defending themselves in court.
And critically, it is not someone becoming aware of private information that is the abuse of privacy, it is exploiting that private information which is the abuse. There may be countless legitimate technical reasons you need to collect data, but there can not possibly be a technical justification for selling it.
reenorap 38 minutes ago [-]
I'm of the opinion now that posting videos online without the explicit permission of EVERYONE in the video should be illegal. It's one thing to take a video and keep it on your phone but if you share it outside of your family and only your family, then it needs to have the expressed consent of everyone whose face is on it otherwise it should be a crime.
The previous views on privacy didn't take into account the fact that everyone now has video cameras and people are incentivized to violate privacy to make money as influencers. I think people's privacies need to be protected and I think that means making laws around it much, much stricter. This includes things like location data, it shouldn't be sold or exposed at all.
wakawaka28 33 minutes ago [-]
So, no videos of festivals or politicians speaking? How about legally recorded conversations or anything else exposing corruption? Body cam footage? Harassment is already a crime. Take care not to come up with oppressive laws to deal with a nuisance.
linkjuice4all 3 hours ago [-]
Let’s just stretch copyright to cover movement/location as a protected creative expression. It’s somewhat ridiculous but we’ve already established case law and technology for handling/mishandling protected assets.
gruez 2 hours ago [-]
Then they add a clause to the ToS with "you grant us and our affiliates a worldwide, non-exclusive, royalty-free, sublicensable and transferable license to your location..."
kidnoodle 33 minutes ago [-]
I had a theory that the way to solve this was a location intelligence data union which sold safely anonymised aggregates and shared the profits, while also litigating on behalf of members under available legislation to stop other people using their data.
Alas, I was stymied by not having any cash to work on it, and the unit economics were not very VC friendly (at least I assume that’s one of the reasons why I didn’t get any traction from VCs).
pnw 27 minutes ago [-]
The examples show Android devices. How does Webloc track iOS devices given Apple doesn't allow unique IDs and allows the user to disable the ad ID? I wish these articles would go into a bit more detail for the technical reader.
uxhacker 4 hours ago [-]
More details are available here, including screenshots of the tool.
There needs to be a believeable legal framework behind this.
Imagine a option on your iPhone that says “Enable this to allow geo-location tracking for organisations registered under the NOADSJUSTPUBLICGOOD Act” - then any wifi endpoint could locate you as long based on signal strength etc and that data could only be made available to people registered under the act.
Would we see new understanding of how people move around in cities, would we see better traffic information, Inthink so - as long as people believe that there are real teeth to the laws and they enforced loudly and publically.
We should embrace the benefits of a society wide epidemiology experiment - the benefits for public health are incredible. (Add to that supply chain logistics on open ledgers and many of the new things that just were not possible before and the future of open transparent but well regulated democracies is bright.
Let me know if you spot one.
titzer 3 hours ago [-]
These people really have no idea at the level of data collection from Google's rootkit on Android known as "Google Play Services".
kristianpaul 2 hours ago [-]
Haven't read the article yet but having more NTRIP public endpoint could help a lot to this precise location
Eextra953 3 hours ago [-]
Does anyone know of any groups that are organizing and lobbying to get things like this into law? I know about the EFF but they seem to be more focused on documenting and reporting instead of lobbying and getting things passed.
Cider9986 2 hours ago [-]
Restore the fourth, Brennan Center, EPIC, Freedom of the press foundation.
dminor 3 hours ago [-]
Senator Wyden has been pretty focused on it. I think it's going to take some changes in Congress before it happens though.
Cider9986 2 hours ago [-]
Massie and McGovern in the house as well.
glitchc 3 hours ago [-]
How about we just ban the collection of precise geolocation? Wouldn't that be a better solution?
davebren 3 hours ago [-]
You can have legitimate use cases where it's a core functionality of the application to store it, so the user obviously knows it's being collected and agrees by using it.
warkdarrior 36 minutes ago [-]
So you want to ban all mapping apps and all fitness apps?
Mithriil 3 hours ago [-]
I would expect such a law to be lobbied to death.
erelong 50 minutes ago [-]
Alternatively, opt out of services that sell it
shevy-java 1 hours ago [-]
Soon Geolocation will be tied to Age! Then you can meet locals and congratulate them on their birthday. The movie Minority Report was way too timid in its prediction here. Age up everything! \o/
wolvoleo 4 hours ago [-]
Just ban the sale of any kind of adtracking. That way we can get rid of the cookiewalls too.
Missed opportunity by the EU when they wrote GDPR.
GJim 1 hours ago [-]
> Missed opportunity by the EU when they wrote GDPR.
Not really.
There are legitimate reasons why I might wish to be tracked or give my personal data to a company. As long as I'm asked to give clear, opt-in informed consent, this is perfectly fine. This is the very essence of the GDPR!
Instead, direct your ire to the scummy adtech industry who are constantly asking to invade my privacy and smell my knickers trying to work out what I ate for lunch. Another law to ban the adtech industry would be welcome from me, though would meet fierce resistance from the likes of Google.
The GDPR is well written.
wolvoleo 26 minutes ago [-]
> There are legitimate reasons why I might wish to be tracked or give my personal data to a company. As long as I'm asked to give clear, opt-in informed consent, this is perfectly fine. This is the very essence of the GDPR!
In thise cases they don't even need to ask for your permission.
> Instead, direct your ire to the scummy adtech industry who are constantly asking to invade my privacy and smell my knickers trying to work out what I ate for lunch. Another law to ban the adtech industry would be welcome from me, though would meet fierce resistance from the likes of Google.
No, the EU should have done more to prevent this. They didn't want to kill a billions-of-euros industry. But they should have.
troupo 4 hours ago [-]
GDPR literally prohibits the sale of user data and tracking without user consent (because yes, you want to give people the possibility to opt in for a variety of reasons).
GDPR has literally nothing to do with cookie popups. That was, and is, adtech
em-bee 3 hours ago [-]
prohibits [...] without user consent
that's what causes the popups.
it should prohibit it outright, consent or not.
SoftTalker 3 hours ago [-]
But the only reason the popups are needed is the adtech tracking cookies. You don't need a popup for cookies that are related to essential site functionality.
em-bee 3 hours ago [-]
yes, so if ad tracking is forbidden outright then asking for permission to do it is invalid too.
GJim 1 hours ago [-]
We certainly do need another law to ban the adtech industry..... Though no doubt that would prompt a _shitstorm_ from Google, Elon and chums.
wolvoleo 4 minutes ago [-]
I see only positives there.
nathanlied 18 minutes ago [-]
I can live with the tears of Google and Elon, frankly.
The adtech industry has, time and again, proven they cannot self-regulate to any decent capacity. At this point, the only reasonable course of action is to shackle them down with such heavy legislative burdens they're rendered de facto extinct.
I will not mourn their loss.
pocksuppet 3 hours ago [-]
I think they are saying GDPR did not ban websites from noisily asking for consent and trying to trick you into giving consent.
wolvoleo 2 minutes ago [-]
Well they did but that is not policed.
For example, giving consent should be the same difficulty as denying it. So one click consent means there must be also one click non-consent. But this is policed very poorly.
I think they should just ban adtech altogether, at least any form of targeted advertising, individual pricing (which is already illegal in many EU countries) and ideally also deep market research.
lotu 3 hours ago [-]
My job was building cookie walls in response to GDPR. It might not have been the “intent” but it certainly was the consequence of that law.
lifestyleguru 4 hours ago [-]
Smartphones, mobile apps, mobile networks, and WiFi stopped being your friends around 2015-2016. Now it's just a matter of how much data can be harvested from device sensors in real time until reaching a pain point which doesn't exist.
Cider9986 2 hours ago [-]
WiFi isn't that bad, we have mac address randomization[1] and VPNs. Cellular is obscenely bad, though.
If anyone's interested in this the book "The Age of Surveillance Capitalism" is rather revealing of the sheer scale of this.
mystraline 2 hours ago [-]
Yep.
And the FLOSS/Linux phone hardware attempts have frankly sucked.
I was hoping that my PinePhone Pro would actually be usable. But no, its a PineDoorstop.
Proper Linux would be a great 3rd choice. But yeah. We've got a duopoly and not much we can do about it.
9991 42 minutes ago [-]
GrapheneOS is a proper Linux. The hardware isn't open, but otherwise it's quite nice and clearly designed for the end-user's benefit, in stark contrast to the more widely-adopted alternative mobile OSes.
It looks like a cookie prompt, so I assume "Lifespan" refers to cookie expiration and "retention" to how long the data (including geolocation) is retained on the spyware company's servers.
It's a rhetorical fiction the ad industry tells itself.
Edit: It's a rhetorical fiction the ad industry tells us.
https://arxiv.org/abs/cs/0610105
If movie ratings are vulnerable to pattern-matching from noisy external sources, then it should be obvious that location data is enormously more vulnerable.
waiting for legislation or eulas to fix this is a lost cause since adtech always finds a loophole. the fix has to be architectural. moving toward stateless proxies that strip device identifiers at the edge before they even hit upstream servers. if the payload never touches a persistent db there is literally nothing to de-anonymize. stateless infra is the only sane way forward
why would someone include tech that makes people think twice about using the app, unless it is required if you want to "sell" in a particular venue.
if your developing geolocation based apps, location tracking is a core function.
a calender, absolutely does not require location tracking beyond what side of the prime meridian are you on.
But the subsequent sale of that data is not—is the discussion here.
you cant sell what you dont have unless you lie lower than a rug.
fix the data collection problem and a second order effect of no data for sale emerges.
Even if Google and Apple both want to commit to fighting this, it becomes a game of whack-a-mole, because there are all sorts of different ways to track users that the platforms can't control.
As an easy example: every time you share an Instagram post/video/reel, they generate a unique link that is tracked back to you so they can track your social graph by seeing which users end up viewing that link. (TikTok does the same thing, although they at least make it more obvious by showing that in the UI with "____ shared this video with you").
Is there not also a requirement for clean consent? Ie a weather app can’t track your precise location?
The analytic reconstruction of identity from location is far more sophisticated than the scenarios people imagine. You don't need to know where they live to figure out who they are. Every human leaves a fingerprint in space-time.
It's not though.
Critical for myriad elective purposes? Sure.
Could you be more specific with maybe a single example of where my physical geographic location is electronically critical for a purpose that isn't elective/optional/avoidable?
(And I'm not just trying to be obtuse. I think you're touching on at least part of the 'heart' of both this conversation and that of digital ID verification.)
Edit: I assume I am missing a crucial part of logistics that you’re familiar with, genuinely curious.
Alone, these points are not deanonymizing, it's when there's other data associated.
A lot isn't good enough.
Furthermore, you cannot contract away criminal liability if any exists.
that is defined as extortion, but labled as onboarding.
That's opt-in, not opt-out.
https://en.wiktionary.org/wiki/opt-out
GDPR tried. And the narrative around GDPR was deliberately completely derailed by adtech.
Lack of enforcement didn't help either
The problem is not the GDPR, the problem is the surveillance industry that wants to grab as much data as possible and try to do as much malicious compliance as possible.
The costs are often worse on industrial side because the data is so much larger and faster than web or mobile data.
The trouble started when lawyers correctly noticed that these are incidentally capable surveillance systems even though that isn't how we use them or what they were designed for.
I have read GDPR and don't work in adtech. It is vague and it is pretty easy to find pathological scenarios that don't make much sense or impose an unusually high burden for no benefit. Every European law firm seems to agree with this assessment despite what proponents assert. Consequently, it forces a lot of expensive defensive activity in practice.
To some extent, it was just a failure of imagination on the part of GDPR's authors. Many things are not nearly as simple as it seems to assume and it bleeds into data models that have nothing to do with people.
It is what it is but no one should pretend it is not a burden for companies that have nothing to do with adtech or even data about people.
Congrats on gullibly believing the ad tech narrative.
What is data processing essential for the services being provided? Many publishers assumed that getting paid was an essential part of providing a service, and it was not until 3 months before the implementation deadline that the committee clarified that getting paid is not included when you are being paid by a third party.
How are you to know whether or not the user is an EU citizen (and thus subject to the GDPR)? Is making that determination a service essential for providing your service? The answers apparently were "You don't" and "No", which would effectively make companies assume that the GDPR applies to everyone on the planet.
The GDPR also is fundamentally opposed to how things currently work in the internet, making almost all advertising on the web illegal overnight. It was too big of a change to happen at once, so it effectively only loosely enforced in practice.
I like the idea of the GDPR, but the implementation sucks.
The rest of the "It'S So LaRgE AnD UndErSpEciFieD" is just FUD. The regulators don't just slap fines, they work with you to get you to comply, and they just want to see that you're putting in the effort instead of messing them about.
I have literally never been surprised by the GDPR. Whenever I thought "surely this is allowed" it was, whenever I thought "this can't be allowed", it wasn't. For everything in the middle, nobody will punish you for an honest mistake.
This is not too hard if you do proper engineering work ahead of time and are purposeful about how you move and manage data (step 1 is just not collecting it unless its vital). But the industry encourages us to be very bad about that because we gotta "move fast and break things or you're not gonna make it."
How do you know that? Again the law establishes a rules making body that can at any time change or add rules, and as far as I can tell there's no public review process.
Just don't spy on people.
So the current feedback process involves: construction → exploitation → reporting → public awareness → legislation. This is too slow. Moreover, operating in this environment is exhausting.
We need a different feedback loop altogether. I'm not sure which one would work best, but something different needs to be considered.
And critically, it is not someone becoming aware of private information that is the abuse of privacy, it is exploiting that private information which is the abuse. There may be countless legitimate technical reasons you need to collect data, but there can not possibly be a technical justification for selling it.
The previous views on privacy didn't take into account the fact that everyone now has video cameras and people are incentivized to violate privacy to make money as influencers. I think people's privacies need to be protected and I think that means making laws around it much, much stricter. This includes things like location data, it shouldn't be sold or exposed at all.
Alas, I was stymied by not having any cash to work on it, and the unit economics were not very VC friendly (at least I assume that’s one of the reasons why I didn’t get any traction from VCs).
https://citizenlab.ca/research/analysis-of-penlinks-ad-based...
Imagine a option on your iPhone that says “Enable this to allow geo-location tracking for organisations registered under the NOADSJUSTPUBLICGOOD Act” - then any wifi endpoint could locate you as long based on signal strength etc and that data could only be made available to people registered under the act.
Would we see new understanding of how people move around in cities, would we see better traffic information, Inthink so - as long as people believe that there are real teeth to the laws and they enforced loudly and publically.
We should embrace the benefits of a society wide epidemiology experiment - the benefits for public health are incredible. (Add to that supply chain logistics on open ledgers and many of the new things that just were not possible before and the future of open transparent but well regulated democracies is bright.
Let me know if you spot one.
Missed opportunity by the EU when they wrote GDPR.
Not really.
There are legitimate reasons why I might wish to be tracked or give my personal data to a company. As long as I'm asked to give clear, opt-in informed consent, this is perfectly fine. This is the very essence of the GDPR!
Instead, direct your ire to the scummy adtech industry who are constantly asking to invade my privacy and smell my knickers trying to work out what I ate for lunch. Another law to ban the adtech industry would be welcome from me, though would meet fierce resistance from the likes of Google.
The GDPR is well written.
In thise cases they don't even need to ask for your permission.
> Instead, direct your ire to the scummy adtech industry who are constantly asking to invade my privacy and smell my knickers trying to work out what I ate for lunch. Another law to ban the adtech industry would be welcome from me, though would meet fierce resistance from the likes of Google.
No, the EU should have done more to prevent this. They didn't want to kill a billions-of-euros industry. But they should have.
GDPR has literally nothing to do with cookie popups. That was, and is, adtech
that's what causes the popups.
it should prohibit it outright, consent or not.
The adtech industry has, time and again, proven they cannot self-regulate to any decent capacity. At this point, the only reasonable course of action is to shackle them down with such heavy legislative burdens they're rendered de facto extinct.
I will not mourn their loss.
For example, giving consent should be the same difficulty as denying it. So one click consent means there must be also one click non-consent. But this is policed very poorly.
I think they should just ban adtech altogether, at least any form of targeted advertising, individual pricing (which is already illegal in many EU countries) and ideally also deep market research.
[1] https://grapheneos.org/usage#wifi-privacy
And the FLOSS/Linux phone hardware attempts have frankly sucked.
I was hoping that my PinePhone Pro would actually be usable. But no, its a PineDoorstop.
Proper Linux would be a great 3rd choice. But yeah. We've got a duopoly and not much we can do about it.
Data Retention: Standard Retention (4320 days)