
Maybe it's my unenlightened American perspective coming out here, but why is this a big deal?

You chose to use the Facebook service, you chose to provide this information to them, and you chose to agree to their terms of service.

Facebook isn't a government agency, it's a private organization that has persuaded people to give it armloads of data about themselves, and uses that for whatever completely legal purposes it so desires. It's not like they are taking out credit card applications or anything on behalf of these users.

What is it about this completely voluntary relationship that is so inherently evil? I really don't get the harsh kickbacks and complaints against things like "Facebook keeps records of pokes even if the user 'removes' them". So what? How is that something that is litigation or 'outcry' worthy?

How much of this data is just persistent in the system because they operate at a scale where data deletion or removal just cannot feasibly be accomplished[1]? Much like Google - 'we don't delete anything'. Why should they legally or otherwise be required to verify something is actually deleted, instead of simply ensuring it's inaccessible in their system? Why is nobody complaining about NTFS or ext3/4 not actually zeroing out the file space when you delete something, and instead just 'marking it deleted' or 'removing the pointer in the inode'? How is that fundamentally any different at all?

Please, educate me, because I really don't get it.




You have to look beyond the law to what its purpose is - to prevent companies from exploiting your personal information, and to force them to tell you what data they hold. Facebook are exploiting your browser history, without telling you. And are refusing to even own up to it.

I don't believe that 99% of Facebook users would tick a box that said 'Please record every webpage I visit and store it for your own future use. I do not want access to, nor the right to remove, this data.' Voluntary or not, there's a right to at least see the data that anyone holds on you. Note that you don't have the right to remove data.

This is EXACTLY why data protection laws are there. At the time they were enacted it was largely credit reference agencies, public bodies and direct marketing businesses which were in the spotlight. Had they been written today they would be aimed firmly at Facebook, Google and Apple.


But if you, as a customer of those websites, agree to them knowing you are there, and they chose to share that with others, what right does the government have to prevent that?

Why is this not a 'just don't use the service if you don't like it' deal?

Credit bureaus are significantly different - you have literally no choice in that manner; Facebook isn't providing data to be used in that type of decision though. If some secret, 'I can't see it but they show my boss' data existed, and that was used when applying for a job or something, I could understand that perspective.

This, however, is no more than a guy standing outside a row of stores, taking notes during the day of what people go in what stores, and how big their bags are when they come out. Is that illegal in Europe as well?

Edit because I can't seem to reply to comments below: That's fascinating. If even that sort of behavior is illegal in Europe, it makes the outcry against what Facebook is doing make more sense.


>But if you, as a customer of those websites, agree to them knowing you are there, and they chose to share that with others, what right does the government have to prevent that?

>Why is this not a 'just don't use the service if you don't like it' deal?

This philosophy goes both ways.

Facebook decided to do business in other countries and to do so they are bound to respect the laws of those countries. If they don't like those laws they are perfectly free to stop operating there and let other companies take their share of the market.


You can't really contract out of these rights, they're yours to keep (if you're living in the EU, that is).

http://en.wikipedia.org/wiki/Data_Protection_Directive

Some countries go further than these pan-European rules and for instance require you to delete the data on request.

Facebook having a Dublin subsidiary is going to hurt big time.

The reason why you can't respond to some comments is because of HN's anti flame-war measures, a cool-off period is active before a reply link appears. There are some tricks to get around that, I'm sure you'll be able to figure it out.


They gather data on non-customers, too. People who have never agreed to anything at all. That's complaint #2 as listed on the website.

http://europe-v-facebook.org/Compalint_02_Shadow_Profiles.pd...


> Is that illegal in Europe as well?

Yes. Usually, you cannot build a database (digital or paper) about people without their permission, and without allowing people to get access to their records, and allowing them to get their records deleted.

Then there are exceptions (e.g. you have implicit permission to build a database of the members of an association, or you have a contract with the person and what you record is "adequate"), or cases where you need to get an extra authorization from the data protection authority for example if what you record is sensitive (political affiliations, religious beliefs, sexual orientation, etc.).


> Yes. Usually, you cannot build a database (digital or paper) about people without their permission, and without allowing people to get access to their records, and allowing them to get their records deleted.

In Finland you also have to have a public "registry declaration" available that tells what data you gather and what you do with it. Though quite a lot of websites violate that law due to laziness.


> Why is this not a 'just don't use the service if you don't like it' deal?

Because people are ignorant/lazy/desperate and need to be protected against themselves. That's one of the things we want our governments to do: to protect us when we overlook something in the complex reality of our daily lives, without caring for why we overlooked it.

You can't sell yourself into slavery, you can't sell an organ and you can't sell the right to your private information without retaining the right to have that information disclosed to you. If you want to do business in the EU, be prepared to disclose any piece of data you have on a user, if he requests you to do so.


busy/uninformed/confused


Yeah, that's more like it. Not everyone has time to comb through links on HN.


That's one of the things we want our governments to do: to protect us when we overlook something in the complex reality of our daily lives, without caring for why we overlooked it.

Maybe you want, I don't.

Facebook's complexity pales in comparison to the complexities of the government.


To respond to the last sentence: Yes, things like that can be illegal. As an example, in France it is forbidden to count the number of people who get in & out of a subway at a given station.

I guess it's really a strong difference of culture between Europe and America: laws are made in Europe to make sure that people should not have to make the effort of guessing if a company will mess with their data or not. The company has to make that effort.


> As an example, in France it is forbidden to count the number of people who get in & out of a subway at a given station.

That seems lame. That number is highly anonymous. How does a statement like "between 8am and 9am 250 people boarded the subway, and 130 people exited the subway" affect a person's privacy?


In July 2009, civil society groups opposed the implementation of intelligent advertising LCD screens in a Parisian subway station.[163] These screens not only broadcast messages but can also count the number of people passing by and measure the time spent looking at the screen thanks to a face scanning sensor. Since these actions, the French data protection Authority, the CNIL, has issued a report considering that this technology must take into consideration the data protection rights of individuals as provided under the Data Protection Law: individuals must receive proper notice and the devices must be notified to the CNIL.

https://www.privacyinternational.org/article/france-privacy-...

European law tends to work on the assumption that it's up to the owner of a technology to show how it will safeguard against the abuse of it. Failure to do so in the past has had disastrous consequences in some parts of Europe.


And that was before large scale face recognition software that could be employed to determine not only how many people are walking by the device but also who. Now doing this in real time with a large crowd is still not technically feasible but at some point we will probably cross that line.

Good to know there is at least one country where you'll be safe from that.


Good to know there is at least one country where you'll be safe from that.

Well, until it gets so cheap that there's no way to know whose glasses or contacts are recording and compiling information about you as part of their lifelog. This sort of thing is like the tide coming in: legislation against it can only ultimately be effective by severe restrictions on allowed technologies for the people of the country.


Well, until it gets so cheap there's no way to know whose glasses or jacket contains a gun capable of shooting you dead on the street. This sort of thing is like the tide coming in: legislation against it can only ultimately be effective by severe restriction on allowed technologies for the people of the country.

Substitute whatever anti-social mechanism you prefer.

The drone wars are coming: pilotless aircraft, possibly autonomous, from the size of a small car to the size of a gnat, with intel or lethal payloads.

Bioweapons or nukes. We've had suitcase nukes for a few decades, fortunately they haven't been used. Suitcase-sized conventional explosives are rather frequently deployed in some parts. Weaponized chemicals or biological agents are another option.

It's trivially possible to adulterate drugs or drinks. Some of the oldest laws on the books deal with food and alcohol purity.

Having the technical capability to do something doesn't mean it must needs be accepted. Legal sanctions may be swimming upstream at times, but other norms (social, cultural, religious, technological) generally help keep us from tearing one another to pieces, most of the time.


I certainly suspect that most people make a distinction between shooting someone, and videotaping someone. This leads me to believe that surreptitious surveillance would be a far more widespread problem than random shootings.


Surreptitious surveillance to what ends?

If the *use* of any of that data -- for profiling, legal process, advertising, contact, etc. -- is prohibited, and the action of performing the surveillance exposes the entity to plausible legal consequences and/or obligations (notification, deletion requests, etc.), then its practice will be limited. Undisclosed phone recording in some states, for example (not admissible in legal processes, a violation of law of itself, etc.).

Much crime is economically motivated (not all, but much). Part of criminal theory revolves around making crime more expensive (to greater or lesser success, depending). There's an economic study of criminal activity as well.

Businesses tend not to undertake activities for which there isn't a net economic benefit. Shareholder obligations and all that. So yes, with an appropriate legal framework in place, it's quite likely that incentives for engaging in certain behaviors will be limited.


Undisclosed phone recording in some states, for example (not admissible in legal processes, a violation of law of itself, etc.).

Laws like this are a legacy of a time before it was easier to just record everything that happens to a person or in an area than to make decisions about what to record. We're still in the tail end of that era, but only just.

Much crime is economically motivated (not all, but much).

It's estimated that the average American commits three felonies a day (but if you start thinking about this topic and the people around you, it will escalate sharply, since failure to report a felony you know about is itself a felony...). Given this, I think we can safely say that the vast majority of crime in the US is completely incidental and unknowingly committed. Even if laws about recording other people (like police and audio callers) remain on the books, the ubiquity and silence of continuous recording will mean that it falls into the list of things that people do all the time that the state technically bans.


Hm. This comment reads like something straight out of an SF novel and yet I can't shake the feeling that it is just around the corner. Interesting times indeed. Thank you for opening my eyes a bit further. Gargoyles seemed like a fun thing when Neal Stephenson wrote about it and Steve Mann (http://en.wikipedia.org/wiki/Steve_Mann) was experimenting in that direction.

I never expected it to possibly hit the mainstream this quickly though, and especially not with some of the possibilities that you are hinting at.


Sure, lots of easy things are illegal. But people and corporations have incentives to keep legal even when it would be very easy to commit the crime anyways. Enforcement has the job of catching people that are committing easy crimes, and discouraging them from doing so in the first place.


In NYC, the MTA has opened up an API to their turnstile data:

http://www.mta.info/developers/turnstile.html

They even put ads for their data API in the subway.


If it's lame, then someone who wants to count must instead throw up his hands in exasperation as they obey the law and don't count.

Until a few years ago it was illegal to sell liquor on Sunday in Colorado. That was lame, but I never saw a liquor store open on Sunday. If any did, they'd probably get fairly good public support and letters to the editor in favor, but they would still lose their liquor license.


I was criticizing the law (or at least an example of how a law is being applied) that you used as an example, because it seems to be that it goes far beyond just protecting personal privacy.

You seem to be stating in response that the law must be followed while it is in place. I'm unsure what your driving point is as I wasn't even advocating civil disobedience of said law.


I'm referring back to Facebook, who would probably like to not follow the privacy laws if they aren't convenient.


"Why is this not a 'just don't use the service if you don't like it' deal?"

Because that's the law in Europe (according to the complainer). It doesn't matter that you're free to not use the service, the law says that if you do use it you have certain rights.

You're free to not use any service anywhere in the world. But if you do use a service in some jurisdiction, that service is subject to the law in that jurisdiction.

Facebook, being Big Boys (TM), must follow the law of the land. If they do business in Europe, that law (it seems) will be more favorable to consumers than they're used to here. Tough.

Personally, I think they'll get away with it. Corporations are becoming their own law. Facebook may have made that calculation too.


> It doesn't matter that you're free to not use the service, the law says that if you do use it you have certain rights.

Actually, the law says that you have certain rights whether you use the service or not.


That's a law I can [Like].


Get away with it? I doubt it.  The EU digital agenda states, among others:

"The right to privacy and to the protection of personal data are fundamental rights in the EU which must be – also online - effectively enforced using the widest range of means: from the wide application of the principle of "Privacy by Design" in the relevant ICT technologies, to dissuasive sanctions wherever necessary."

Neelie Kroes is commissioner for that digital agenda (http://en.wikipedia.org/wiki/Neelie_Kroes#Commissioner_for_D...). Her track record facing large companies should be a cause of concern to Facebook.


No, such anonymous data is not restricted by the laws Max Schrems is invoking. The scope of the European Data Protection Directive is limited to personal data, and it explicitly says "the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable."

(Section 26) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...


You don't get it, right? You already ARE a customer even BEFORE you agree to something which they don't abide. They use YOU even if you don't like it ..


No, you're not the customer.

You're the product.

What's particularly entertaining is how many people get annoyed at being reminded of this fact.

Soylent green is people.


What is more entertaining to me is that people would understand if the company was Microsoft ..



You are not a customer to Facebook. You are their cattle! Advertisers are their customers. Never forget that - you don't pay them anything.


No, if they don't abide by the laws, their purposes are not completely legal. Just like you cannot completely voluntarily sell yourself into slavery under US law, there are certain inalienable rights that cannot be given up under european law, and control over your personal data is one of them. That is the point of it.


Semantics here - if they aren't abiding, you are right, it is illegal. But I'm asking more along the lines of 'why' is that illegal.

Is that data privacy an inalienable, non-contract-surrenderable right? That seems ridiculously draconian.


Go read some WWII history.

Particularly those parts in which certain large information business organizations were subject to hostile takeovers, rendering prior understandings of data acquisition and use obsolete.

I'm thinking in particular of, say, the German Bundesrepublic and Vichy France. Though you might argue that the former was sanctioned by democratic processes, I suspect even you would be hard pressed to say the same of the latter.

If nothing else, it'll keep you off HN for a few hours, which would be a net benefit for the rest of us. With a low p-value, you might actually accumulate a few drams of wisdom.


It seems strange to call a liberal definition of rights "draconian". There must be a better adjective.


I think taking the discussion to rights is just a bad idea in the first place. Stick with what's in the law, and argue morality without appealing to rights.


The rights are in European law. They're called 'fundamental rights' and are quite explicit. EU citizens have a lot of individual constitutional rights that Americans do not. They're fundamental because they can't be signed or bargained away, and the reason for that is to reduce the incentive of firms or governments to employ trickery to that end.


I really wonder how much of that is because the EU is made up of many countries and these countries want to protect their own. It's kind of similar to how the breach disclosure rules are significantly different from state to state.

The other thing that I wonder is how much of the US not having the strict laws is due to Corporate Personhood. I honestly don't know, I'm just throwing it out there.


On corporate personhood - not a big factor as far as I know. It exists in a lot of European countries much as it does here. A lot of the EU rights are rooted in the social contract ideas of Rousseau and the like, tempered by experience of war, the iron curtain and so on.


The crux of the issue as far as I see it is that Facebook aren't exactly being open and transparent about the data that they're holding on you, or how it's being used. If you don't know that, there's no tradeoff being made. And in a lot of cases, there's data being gathered about people who haven't opted in.

Seriously, read through the list of complaints:

Shadow Profiles: Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.

Messages: Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.

Data Security: In its terms, Facebook says that it does not guarantee any level of data security.

Applications: Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards.

I mean, really? None of these give you any pause for thought whatsoever?


Messages: This is the implementation issue and one of rights anyway. If I send a message to a friend, what right do I have to delete it from their in-box or sent items if they save a copy of it? The deletion is a view deletion, not a physical deletion. A large number of deletes work this way (at least initially they go to an archive and then are either time removed or can be manually removed).

Data Security: Anyone who says your data is secure is bluffing. Your data is never secure, and people need to stop thinking it is. It's out there. Backups, in transit, in DB, on file system. There is going to be a hole. Think about it. Encrypted backups - they are never updated and eventually that encryption is going to be easy to crack. FB could be taking the answer to the extreme, but it is actually a smart answer.

Applications: FB doesn't develop them. It would be similar to MS guaranteeing apps written by third parties. It can't do it. Apple can't even do it. Linux doesn't do it.

FB has its issues. Its constant update of privacy and not letting the user choose to expose what data they want. But this is no different than any other system thrown out there.

FB isn't the only one creating shadow profiles (how many tracking websites are out there that companies use to determine site usage). Do you think they are really being transparent? Don't you think the shadow companies could build a shadow profile if they wanted to?

My issue with FB is that when they release new features or alter settings ability they make it the least secure possible.

If they are violating the laws, then they need to be reprimanded for it. But this just has the feel of the MS monopoly issue. Where people are only going after them because they are so big when others are out there doing it as well.


Those "completely legal purposes" are only "completely legal" in the US. In the US, the owners of the computer own the data about yourself [1]. In Europe, the data protection acts go the opposite: you own the data about yourself. Furthermore, in Europe, data collection about people has to fall under certain legally sanctioned reasons [2].

Notes:

[1] This can cause surprises when companies go bankrupt and the bankruptcy courts allow the sale of the data (about you) to proceed without your knowledge or consent. It is very rare for you to be notified (such as in the current Borders bankruptcy), or the privacy policies of the dearly departed company to be honored by the courts.

[2] Just because you are willing to give the data to me does not necessarily make it legal.


Because EU citizens have a legal right to privacy; in the EU, your personal data belongs to you, and this ownership cannot simply be waived contractually.

From the EU charter of fundamental rights, which has constitutional force:

Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

http://www.europarl.europa.eu/charter/pdf/text_en.pdf

I wouldn't bet on Facebook in this case. You will see more of this, since most people in the EU speak English and are avid consumers of broadband, but are not especially sympathetic to the American philosophy of contract law.


This might be a great way to brush up your CV after university (for law students).


I am a law student, as it happens. How do you mean?


As far as I can see, there is not much risk involved in asking Facebook/Google/Dropbox/Yahoo/Microsoft/Whatever to give you "your" data, as per European law. Then look at it and see what is wrong with it. Then file a complaint.

What can they do? It's the law.

Then make the thing public, disclose all your communication with your target, post the story to Hacker News and Reddit, maybe even get picked up by some important blogger or newspaper. Would look good on your resume to fight Google, wouldn't it?


It would look good to be hired for that purpose, and win. Litigious lawyers can easily end up looking petulant, though; if the complaint is trivial or frivolous, the lawyer in question risks being regarded as a bottom feeder. It's better to bring something new to the table, like a winning argument that hasn't been employed before. Of course, I may not be so idealistic in a few years' time :-)


"You chose to use the Facebook service, you chose to provide this information to them, and you chose to agree to their terms of service."

Likewise, Facebook chose to operate under the laws of the various lands in which it operates.


I'm honestly unclear about this: Does Facebook actually have any operations in the EU, or does it merely not ban Europeans from accessing its servers in America?


Users signing up in Europe will form a contract with Facebook Ireland Limited, who are registered and operate under EU law. It's not just a legal entity either, there's a pretty sizable engineering and support presence.


It has a headquarters in Ireland. Apparently Ireland is a popular tax haven. Ireland is also part of the EU... Oops!


Ireland isn't the tax haven, although it has a very low corporate tax rate of 12.5%. They are in Ireland to channel cash to tax havens, such as Bermuda and the Cayman Islands, using the 'double Irish' and 'Dutch sandwich' tax avoidance techniques.

Google's Tax Tricks: 'Double Irish' And 'Dutch Sandwich' http://www.npr.org/blogs/money/2010/10/21/130727655/google-s...


Ireland also has a lot of high tech companies. If you watch the video you'll see they have several floors of staff, not just a brass plate. It's possible Facebook et al. are in Ireland for more than the tax breaks.


http://www.facebook.com/press/info.php?factsheet

Dublin, Hamburg, London, Madrid, Milan, Paris, Stockholm.

Even if they didn't actually have physical offices in Europe, there are any number of situations in which Facebook may end up subjecting itself to some European laws. Consider:

* Taking advertising from European companies.

* Partnering with European developers on its platform.

* Using the services of European companies (datacenters, bandwidth, marketing...).

* Employing European employees, whether as ordinary employees or contractors.

* Attempting to enforce trademarks or copyrights in Europe.

In addition, if they wish European corporations to use Facebook to communicate with their customers, they need to not do anything that would expose those corporations to potential liability under European law.

There are a half-billion people in EU territory. They are on average relatively well-educated and wealthy consumers. That'd be one hell of a market to cut yourself off from financially.


>I really don't get the harsh kickbacks and complaints against things like "Facebook keeps records of pokes even if the user 'removes' them". So what? How is that something that is litigation or 'outcry' worthy?

Under US contract law, misrepresentation is sufficient cause to rescind an otherwise binding contract. The contract users enter into with Facebook is to accept their terms of service in exchange for being provided with a certain service. If the user can make a case that the service was misadvertised, e.g. by promising a "delete poke" functionality that was not, in fact, provided as expected, then this can be construed as a breach of contract on Facebook's part.


Misrepresentation is similar to neglect in that it's typically necessary for lawyers to argue and juries to decide. In this actual case, to repeat count's analogy, why aren't filesystem users complaining that their deleted data isn't "really deleted" (ignoring that such FS software is probably a no-warranty thing)? I've had to recover rm'd data a number of times myself. I don't think "deletion" has ever meant an expectation of "completely wipe out any traces of" in the digital world. I wouldn't put it past a lawyer to be able to convince a jury otherwise though, but it'd set a dangerous precedent.


In a filesystem, the data isn't scrubbed but it's marked as space that can be overwritten. While the complete removal doesn't happen at once, it's slated for complete removal at some undetermined time in the future. In the case of Facebook, they are making a conscious decision that they do not want this data to ever disappear. I doubt very much that there are policies to remove data marked as 'deleted' after a set time period, or plans to implement something like that in the future. They keep the data around because it is still useful to them, even though it is no longer useful to the user.


And besides that, it is not the manufacturer of the filesystem that is in control, but the person that installed it, likely the same person that is deleting the files.

For web based services the rules change dramatically, because you are no longer in control of the data. Because the past has shown that companies seem to have a hard time to play nice with the data they store on behalf of their unsuspecting users there now is in some parts of the world a government entity tasked with precisely that: making sure that users' rights with respect to their data are respected.

If you don't like the way your filesystem deletes the data you can always cut up the platters.


Above and beyond that, any non-trivial web architecture is going to involve multiple tiers of data and caching.

A given text object will exist in the primary database, in its replicas or clusters, and in backups. If the outfit is at all legitimate, multiple backups representing frequent points in time, stored in multiple locations.

A binary object (say an image, video, or audio file) may exist in its originally uploaded format, several variants of different size, resolution, sampling rate, etc., and is often served through some sort of a content distribution network (CDN), which will have its own content management interface. Some of these are surprisingly primitive -- web-based forms in which a few score objects might be entered at a time, if you're lucky. Even script-driven purge methods are frequently limited as to the number of objects which can be included in a single request, and the number of outstanding requests which may be pending.

Given the large numbers of individual objects, scaling variations, redundancy, etc., deletion overhead can easily scale to tens to hundreds of millions of objects in a relatively short period of time (days to weeks). Dealing with all of this is fairly non-trivial. Especially if the site architecture didn't take these needs into consideration.


> Dealing with all of this is fairly non-trivial.

To Facebook's benefit, of course. I'm sure that Facebook would never think of using any user data flagged as 'deleted' in any sort of data mining...

Facebook also has no incentive to spend the time to figure how to do deletions because the data is valuable to them. Why would they spend time and effort to make it possible to lose this valuable data?


But if you delete something from the primary database, then I would assume it will eventually get deleted from others too. While it might never be intentionally deleted from backups, the backups will be overwritten with newer ones eventually.

(I'm talking about facebook here, not about the web in general)


That depends on how the databases are architected and tiered.

If they're proper slaves / replications of one another, then yes.

If, as is commonly the case especially for marketing data, periodic cuts or dumps of the data are made at various points in time, and there's no mechanism for propagating deletions throughout the chain, then no, you're not assured of deletion. This isn't likely to be the case for a site's primary database, but could very well be the case for derived datasets. I can think of instances with, say, credit bureau reports in which erroneous data must be repeatedly deleted because it keeps getting re-injected into the system.

Facebook's September, 2010 outage in which cached data were being re-injected into the system exhibited a similar problem of cache coherence. http://www.facebook.com/note.php?note_id=431441338919
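
The re-injection problem described in the comment above, as an added example that is not part of the original thread: a periodic dump merged back into a primary store resurrects a deleted record unless deletions are tracked as tombstones and checked against the time the dump was taken. The `Primary` class, the record ids and the logical clock are constructed for illustration and do not describe any real site's architecture.

```python
from dataclasses import dataclass, field


@dataclass
class Primary:
    """Constructed stand-in for a primary database with a logical clock."""
    rows: dict = field(default_factory=dict)        # record id -> value
    tombstones: dict = field(default_factory=dict)  # record id -> time of deletion
    clock: int = 0

    def put(self, rid, value):
        self.clock += 1
        self.rows[rid] = value
        self.tombstones.pop(rid, None)  # an explicit re-create clears the tombstone

    def delete(self, rid):
        self.clock += 1
        self.rows.pop(rid, None)
        self.tombstones[rid] = self.clock  # remember that, and when, it was deleted

    def dump(self):
        """Periodic cut: a copy of the live rows stamped with the time it was taken."""
        return {"taken_at": self.clock, "rows": dict(self.rows)}


def naive_reimport(primary, dump):
    """Merge a derived dump back in with no knowledge of deletions."""
    restored = []
    for rid, value in dump["rows"].items():
        if rid not in primary.rows:
            primary.rows[rid] = value  # a deleted record comes back here
            restored.append(rid)
    return sorted(restored), []


def tombstone_aware_reimport(primary, dump):
    """Same merge, but skip records that were deleted after the dump was taken."""
    restored, suppressed = [], []
    for rid, value in dump["rows"].items():
        if rid in primary.rows:
            continue
        deleted_at = primary.tombstones.get(rid)
        if deleted_at is not None and deleted_at > dump["taken_at"]:
            suppressed.append(rid)     # the deletion is newer than the dump: honour it
            continue
        primary.rows[rid] = value      # genuinely missing row: safe to restore
        restored.append(rid)
    return sorted(restored), sorted(suppressed)


def scenario(reimport):
    p = Primary()
    p.put("user:1/photo:7", "beach.jpg")  # constructed sample records
    p.put("user:2/photo:9", "cat.jpg")
    cut = p.dump()                         # derived dataset, taken at time 2
    p.delete("user:1/photo:7")             # the user deletes after the cut (time 3)
    p.rows.pop("user:2/photo:9")           # simulated data loss: row gone, no tombstone
    restored, suppressed = reimport(p, cut)
    return restored, suppressed, sorted(p.rows)


if __name__ == "__main__":
    for fn in (naive_reimport, tombstone_aware_reimport):
        print(fn.__name__, scenario(fn))
```

The check only holds while tombstones are retained at least as long as the oldest dump that can still be re-imported; compacting them earlier reopens the same gap.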


And at a minimum it should no longer be trivially accessible to the company via their 'normal' procedures.


To what extent is this just a property of Paxos that lacking delete synchronicity can cause data unavailability or differing levels of data availability? Moreover, how would it affect the Paxos read/write synchronicity? Would you have to disable read caching on the geographic layer?

I'm sorry but this seems like a huge ignorance on the part of you on how DSes are designed. These issues are important.


So there is a way to synchronize data creation and data updates, but not data deletion? Really?


Data creation is possible and easy, especially in append only filesystems. Data updates can be done immutably by doing creates and rewriting the pointer structure, which obviously destroys cache fetch for highwater mark objects but doesn't affect cache marks for global id'd objects.

Have you actually read the Paxos papers and the rest of the literature on this?


It's not the same thing, I believe. When an OS deletes a file, it's actually deleted as far as the OS is concerned (thus they do make a best effort). When FB "deletes" something, they only make it unavailable to you, but they retain the option of using it themselves.


That's a good point, actually. Do we know for a fact if FB keeps the data available for use in their own algorithms/processes, even if they don't allow its display?


What matters is that they have the option of using it. They may not do so today, but tomorrow is a brand new day.


Bullshit, it is not "completely voluntary". When everyone is using a communication service and there is no alternative. They claim to have a billion users.

In short, it is a monopoly, they have a lot of power and when you start to abuse it, like forcing users to accept your unfair terms of service, the government comes into play.

I never heard that Google doesn't remove stuff when you remove them inside your service. They advertise the huge space on Gmail by "never have to delete anything", that is completely different.

> Why is nobody complaining about NTFS or ext3/4 not actually zeroing out the file space?

I normally don't reply to such a stupid argument, but I have a related video: http://www.youtube.com/watch?v=1SCZzgfdTBo#t=3m20s


It is 100% completely voluntary. Nobody is forcing you to use Facebook. It is not even remotely close to the only communication service. I don't personally use Facebook and have no problem leading an active social and business life. Sure, a large portion of my friends use Facebook, but they also make phone calls, send text messages, email (through multiple different services), LinkedIn, Flickr, etc etc etc.

So how does Facebook have no alternatives?

If you don't like the product, or you don't like the way it's run, or you don't like the way it handles your data, or you don't like the color of the log in button, then it's simple. Don't use it.

As the original poster said, it is a private organization, and therefore you have a choice. This isn't social security, this isn't taxes. I can (and don't) use Facebook, but much to my dismay, I still pay my outrageous taxes.

This week's Monopoly is last week's MySpace when users choose to go elsewhere.


Perhaps true in the US but not so in Europe. My 16-year-old cousin in Denmark (the world's most FB connected country in the world, 3M users out of 5M population) told me that it's basically impossible to have a social life without being on Facebook (at her age).

Facebook also caters very much to US culture. E.g. In middle school and high school you move between different classrooms so you make lots of different friends that way. In Denmark you sit with the same 20-30 kids every day for 10 years. It's a very different type of social conditioning.

So - if you're the outlier in the class who isn't connected and the party invites go out on FB, guess what? You have volunteered to get ostracized.


I see where your cousin is coming from by thinking that if she isn't on Facebook, she's ostracized, however people tell me the same thing when trying to get me to sign up.

Thankfully, since I never actively used any social networks as a kid, they never became a crutch for me, and any time there's a party worth going to, I'll know about it either through text, a call, or (what most kids seem to avoid these days) face to face social interactions with my friends.


You realize that in no way does this make Facebook registration non-voluntary.


Of course, signing up for Facebook is completely voluntary in a legal sense. No-one can strong-arm you into creating an account.

My point is that social pressure can often make people do things that they don't really want to do. And sadly, many people do not have the courage to stand up to their peers and tell them no.

It's more common in US culture to do that, and largely encouraged by US societal norms, but that isn't always the case in other cultures. This is based on my experience growing up outside of the US (and also spending time in high school and college in the US).


You are not using it? This is maybe the reason why you don't understand this.

For most people like me it is a tool to communicate to over 150 people and they expect me to have it. With most of them I can't communicate with mail any more.

Facebook itself says its Messaging is replacing Mail for young people, now they have to act responsibly about it.

It is like a telephone number you give to all your friends and someone says "Hey when you don't like something about it, just don't use it". You are invested in these things, it is not that easy.


>You are invested in these things, it is not that easy.

By analogy with predatory lending, I'd name it predatory social network lock-in. Hook 'em while they're young, while they don't know any better and while they are not able to analyze consequences, i.e. while they are not able to make an informed decision.


> You are not using it? This is maybe the reason why you don't understand this.

Is this not word for word what a drug addict says to somebody who's clean?

I've used social networks and found all they did was replace real life social interaction with fake, scrubbed online interactions. I was never one of those "DELETE YOUR FACEBOOK PROFILE AND RUN" fad followers, I just found that I was able to get by and communicate just fine without it.


>Nobody is forcing you to use Facebook.

True, but that doesn't help the people who don't use Facebook but who still have data about them collected.


I remember a while back when there was some commotion about Google not necessarily deleting your emails even when you delete them off Gmail. What they did was they kept your email for an amount of time for ad purposes.

Just did some research while writing this post and it seems that Google changed their ToC for Gmail from deleting emails within 60 days of being deleted by the user to "make reasonable efforts to remove deleted information from our systems as quickly as is practical".


Read James Fallows "Hacked" article in The Atlantic: http://www.theatlantic.com/magazine/archive/2011/11/hacked/8...

Though the hacker who attacked his wife's account deleted all mail, Google were able to restore the messages -- first the current year's mails, and eventually the full history of the account.

This implies that, though deleted, the data persisted on Google's systems. This is actually a really good system design (most data destruction is accidental deletion by a user, not hacking, and a robust recovery system is a feature). It does raise certain troubling questions, and it would behoove Google (and any other SAAS service provider) to establish a clear policy as to what the grace period during which deleted data may be recovered is.

I've had my own experience where, shall we say, legal obligations made it expedient to remove certain content from our systems. Use of a CDN and extensive caching means that there's no longer a single point of existence for any given piece of data, and explicitly flushing large volumes of content from our systems was, if not horrendously complex, at least non-trivial.


Completely off topic, but did you just link me to halfway through a YouTube video? That's fantastic, ya learn somethin' new every day.


EULAs are not intended to be properly read. Every $BIGNAME has a lengthy EULA, to the point where it's just a click-through. No reasonable person can be expected to read every tech EULA, let alone understand all its provisions.

Even then, whenever EULAs get updated, rare is the company that highlights the change - most expect you to reread and figure out the difference for yourself. You also have no choice but to agree or lose your existing body of work - it's a unilateral license change, not a mutual change of contract terms.

The whole "but you voluntarily agreed to their terms!" concept is a canard which disguises how obfuscatory and misdirectional the EULA process is. It's the difference between "consent" and "informed consent", which is significant.


example: my favourite EULA to date was one in a Windows OS installer, which weighed in at 3000 words... which you could only read in a box four lines high.

Still, it doesn't beat the 'voluntary' license where you can't read the license until you unseal the box, but unsealing the box indicates you agree with the license.


As far as I know, those unwrapping-consent EULAs are not legal (at least in Europe).

And I seem to remember that some court in some county decided that EULAs in general are not legally binding (to consumers at least) any more since no one can be reasonably expected to read them.

What a strange world we live in.


Through Like button and widgets FB also tracks people who are not their users and never consented to that in any form. Does this sound OK too from your "unenlightened American perspective"?

Arguably this lies outside of the complaint domain, but it does relate directly to the "not a big deal" stance. I find it *shocking* that people accept it as a perfect norm what would never fly in a physical world.

How many business owners wouldn't mind a post office retaining a copy of their every mail? And furthermore using it to better the type of junk mail being sent to the company.

Or how many regular folks would be OK with their alumni club installing surveillance cameras in public and private places to track their movement? Still not a big deal, eh?

Why do then things change when the very same businesses and people go online?
/rant


a) Facebook is creating shadow profiles of people who don't use it and definitely in no way agreed to that.

b) Same thing with EULAs that go "too far" and other things. Countries make laws to decide what is reasonable. Same with the work force. Thankfully there are things like minimum wage laws that prevent people from getting work for next to no money etc. Sometimes things need regulation.

c) Especially with regards to the part about holding onto "deleted data" it means once something is on facebook you can never get rid of it. It has a chance of getting leaked or hacked/stolen or requested by the government etc. Also there are laws about what data can be used about you, opt ins and opt outs for people's safety, which facebook may be violating.


"What is it about this completely voluntary relationship that is so inherently evil?"

I'm not going to argue it's inherently evil but,

You are right that the service is completely voluntary. However, the opportunity cost associated with not having a Facebook account has been rising by virtue of the network effect and 3rd party services requiring a Facebook account to access functionality.

The fear is: as (if) Facebook becomes more and more a part of society, the cost of not having a Facebook account becomes high enough to make it practically compulsory to have a Facebook account. And if at this point Facebook acts as it does now, well then it's time to start worrying.

Picking up a hoe and tilling a field is completely voluntary, so why did slaves choose to do so? Because not doing so was too costly.


Duress is not voluntary. If it's impossible to get by without a Facebook account, then that's just a less violent form of duress. Lots of ostensibly voluntary transactions between free agents are actually quite duressed.


>You chose to use the Facebook service, you chose to provide this information to them, and you chose to agree to their terms of service. Please, educate me, because I really don't get it.

This isn't right for two reasons:

1. Under EU law there are certain rights that you can not sign away in a contract. They are yours and you keep them no matter what any bit of paper or click-through license says. This might seem disingenuous, signing to say you'll give them something but not doing so, but the law is actually the other way around: they should not be asking you to sign that right away in the first place.

2. It would seem that facebook are not only tracking people who sign-up. See http://yro.slashdot.org/story/11/10/18/1429223/facebook-is-b... (or search for "facebook shadow profiles"). This is most definitely against the data protection act in the UK, and they haven't even asked those people to sign away the right to not have that data stored unnecessarily.


Although I agree with the basic principle that if you don't like what Facebook does, the best course of action is to not use Facebook, the argument that, in essence, a private company is free to do whatever it wants is absurd.

What Facebook is doing is illegal in the EU (or at least, its legality is in dispute).

Whether or not you agree with those regulations or think they are absurd is another matter entirely, and quite irrelevant, since you don't make the laws and can't even vote for the people who make them (because you're from a different part of the world).


Part of the complaint is that even those who don't use Facebook or opt in to its terms (like me) are still publicly tagged in photos (without my consent) and tracked across the internet (through "like" buttons).

So while I agree, simply avoiding Facebook doesn't solve the problem.


Primary example: the Like button. Even when I'm not logged into Facebook the button tracks where I go. I never checked a box to have the like button shown to me.

Also, agreeing to use a website does NOT give the website the ability to break the law. Otherwise, we could have drug-trafficking sites completely in the open with a box saying "By checking this box, you understand that we sell extremely illegal drugs, and that you will not take any action against this site."


Don't visit sites that use the Like button, block the Facebook domain. It's not that difficult.


> Don't visit sites that use the Like button

That's nice in theory, but of course you can't know which pages have the 'like' button on it until you hit them.


Sure. That's why he suggested blocking the Facebook domain. I have a Facebook account that I use regularly, so I block the Like buttons with Ghostery.


Your advice is appreciated, but in my opinion, people shouldn't have to install software to avoid being tracked.


I agree. But Facebook isn't the only offender here; 3rd parties are also tracking your movements. The problem won't go away when Facebook relents; users are always going to have to defend themselves.


I shouldn't have to block the domain to stop them from tracking me. They just shouldn't track me.


Spying on people is still evil if it is a government institution or a private one.

Zuck: They "trust me"

Zuck: Dumb fucks

People don't choose to be tracked on other websites by facebook. People don't even read the terms of service. Most people just want to read what their friends write, and look at pictures of cats.


facebook-is-building-shadow-profiles-of-non-users

http://yro.slashdot.org/story/11/10/18/1429223/facebook-is-b...


And that should be illegal. There's a reason I don't have a Facebook account.


It's very easy. All countries (except Somalia) regulate their markets. For example in the US if there are more than 500 investors in your company you are required to disclose certain information (I read about that regarding Facebook: http://dealbook.nytimes.com/2011/01/03/facebook-and-the-500-...)

In the EU companies are required to disclose data about individuals to those individuals.

In both cases what happened was that policymakers tried to work against a (potential) market failure they (fore)saw.


>All countries (except Somalia) regulate their markets.

If you know anybody who's worked in Somalia, you'd know about regulations there. It is just a little bit faster and less traditional when cease-and-desist is delivered using AK-47, and regulations change frequently as one "General" is replaced by another.


True. I totally forgot about that.


>Why is nobody complaining about NTFS or ext3/4 not actually zeroing out the file space when you delete something, and instead just 'marking it deleted' or 'removing the pointer in the inode'?

You have obviously never dealt with DoD or anybody close to it or even just with a serious enterprise/bank.


Actually, I have. Shredding, NIST, the whole nine. Facebook isn't protecting classified nuclear secrets, or the keys to the financial kingdom, it's protecting pictures of cats and drunk college parties. And outside of a few special places, such as the DoD, NOBODY CARES about the file system issues.


> drunk college parties

The kind that can prevent you from getting that job you want 15 years afterwards? Facebook may be a private company, but would you want them (or anyone) disgorging all their data on you that they've ever had in response to a government subpoena - for a background check or a security clearance, for example?


>...it's protecting pictures of cats and drunk college parties

While that summary is not incorrect, I think it's worth noting those pictures you mentioned are valued somewhere above $80,000,000,000 (http://venturebeat.com/2011/09/27/facebook-valuation-sharesp...) Maybe there's more to it than that.


What is all this information gathered for? One of the main known goals is "personalized shopping experience" in marketing speak. For some people to be presented while shopping with prices 50% higher than they would be otherwise just because analysis of the information gathered about them would show that they would buy at this price would be equivalent to losing the keys to their personal financial kingdom.


For one thing you are wrong to assume they are completely legal. Big companies with big legal departments regularly make mistakes... it's human nature, but I think with big businesses the problem is exaggerated by the implicit assumption that they must be legal if they are big.

Now the fact that they collect this data and people voluntarily agree to it is precisely the evil part. People agree without realising what they are agreeing to. There is a more general problem here which isn't Facebook though - it's that EULAs and fine print are given legal weight when nobody reads them and this is common knowledge.

Now... to tie this all together I never realised Facebook would store my deleted messages that might have been in the agreement I "made" with them when I ticked that check box and pressed okay years ago. Now, flagging for deletion is fine, in their case though it costs them expensive storage space - maybe it's cheaper than the processor time to delete things - either way it's irrelevant because they shouldn't do this because the Data Protection Act says that information should be kept for no longer than is necessary.

I don't know if they have any need to comply with UK/EU law to allow accounts for people who live here - I don't think they do, but I would hope US law has something similar...


Facebook break the law, there's no opt out. Just like they can't opt out of sending you the complete collection of personal information they hold (for a nominal fee). Poor Facebook '-(


Maybe it's my unenlightened European perspective coming out here, but why is this a big deal?

Facebook chose to do business in Europe, Facebook chose to be governed by European law.


Watch Moxie's "New threats to privacy" from BlackHat 2010 http://www.youtube.com/watch?v=5qzldtKV1PY

Essentially, the problem is that these voluntary relationships become not-so-voluntary as the privacy-compromising tools become more necessary to participate in society.


Yes, I pretty much agree with this. I am sure many IT companies could technically be in trouble with the Data Protection Act in the UK alone for very similar breaches as Facebook and I am sure many companies would not even be able to provide a CD containing a nice break down of all data about a user (even though they are legally obliged to do so).

However, I find it interesting why people get paranoid about the mindless jibber-jabber on facebook compared to the immense and more precise data google stores about individuals... and I imagine getting a CD out of google would be far harder than from facebook (by the looks of things).

Google are clever by being 'open' and allowing people to download 'some' of the data they hold about people, but I am sure they would be as reluctant as facebook to make everything accessible.



Where do you draw the line? ISPs aren't government agencies, either; should we stop going on the internet altogether? Neither are telephone companies. Should we abandon the telephone?

And were they government agencies, would the privacy concerns just have dissipated?

I think what it boils down to is: what is a right and what is a privilege? Is it that Facebook is a privilege, but my privacy remains my right?

Is there anything to 'right' and 'privilege' beyond legal context?


Your first problem is "completely legal" -- you seem to assume that American law is controlling. Unfortunately, legal is place sensitive.

In order to do business in the EU you generally have to comply with their laws. One of the privileges the EU generally grants their citizens is that companies must, on demand, produce all data they store about that person. Why should this be true? Because EU citizens living in democracies want it to be so.

If fb doesn't like it they are free to not do business there. Otherwise, they have to comply.


[deleted]


And part of that education is determining exactly what the privacy implications actually are.



