A few days ago, I posted "Unicorns aren't ad-supported" on HN.[1] There, I pointed out that, of a list of the top 50 "unicorns", non-public startups with > $1bn valuations, only three (Snapchat, Pintrest, and Vice) are ad-supported. This dot-com boom isn't driven by ads. It's driven by companies that provide a product or service for which their customers pay them. The companies that make their money from ads are from the previous dot-com boom.
Ad-blocking and tracker-blocking thus won't hurt the growth companies in Silicon Valley. YC could get behind ad-blocking without reducing the value of their portfolio. The concept that "the user is the product, not the customer" is now outdated. There are still companies which rely on it. They are vulnerable. Google still hasn't come up with a major revenue-generating product other than ads.
I agree that selling an actual product or service[1] the proper way to build a respectable and sustainable business.
As for making the user the product[2], advertising is merely the most obvious and publicly visible way stolen user data can be exploited for profit. For example, I doubt Experian is using the search information they get from webmd[3] for targeted advertising.
[1] an actual service; abusing copyright to bypass first sale and other forms of rent-seeking doesn't count
So,,, at what point does this become accepted (as opposed to tolerated) business practice? Or, more optimistic, no longer tolerated. At one point it was ok to say, "This is all new and still being worked out." But, it is no longer new. It is very worked out. Entire sectors of the economy (and legal system) are devoted to knowing more about consumers then they sometimes know about themselves. The entire industry is being built on bait-and-switch and obfuscation practices. And, the tech industry, the supposed knight in shining armor come to save humanity from itself, is leading the way. Someone, at some point, needs to call a spade a spade. We need to own this, if this is our new society. Or stop closing our eyes, if it isn't.
"If a business model wouldn’t work if users had to opt in, it deserves to fail." (last line of the article)
Since the invisible hand of the free internet appears to be arthritic, a more visible hand (fist?) is necessary. And we have it in the way of request blockers such as uBlock Origin, wich can compleltely block Facebook's and Google's tracking in their tracks. As more and more people turn to subversive solutions such as privacy oriented request blockers and ad blockers, we may finally turn things around.
My hope is on an open source browser that is entirely privacy oriented, easy to use and adopt by non-technical users.
The last line from the article you quote is spot on.
Why are alleged "services" provided for "free"?
One group will tell you it's because advertisers are picking up the costs for "content". Another group will tell you that it's because no user (cf. advertiser) would pay if a "fee" were charged to use the www.
Of course, no "free" business model will dare test the theory of the later group, so I guess we'll never know how the user values these "services". Instead the investors and advertisers set the value. Grossly inflated.
In the early days of the internet as I remember it the real (non-hardware) costs for the internet were tolls on telephone calls (dial-up). Organizations picked up the tab for employees who used the internetwork. Tuition-paying students also got access.
Then came UUnet and "ISP's". And then people had their own personal computer, at home, with a network card.
As far as I'm concerned, the internet connection fee is still the only real cost.
I think the browser you allude to is possible. But I think some changes in thinking in how information is structured and presented on the www is needed. If we let the www be shaped solely by web developers with a lust for layers of abstraction and increased complexity and being given carte blanche to run code on others' computers, then it forces the "browser" to be something that is far too complex and too much trouble for any open source volunteer programmer to deal with.
Make the www easier to parse and then the www "browser" becomes easier to replicate. This is only my opinion. Others would certainly disagree.
I believe we need a multi-pronged approach to retaking the internet from the forces that dominate it now. One prong is a resistance movement, such as I suggest above. Another is to innovate on better ways to finance content and services on the web, be it micropayments or something else. And another is to find a way to counter or eliminate the perverse incentives that drive clickbait, garbage content and viral shallowness. It is not accidental that I allude to Adam Smith's invisible hand above. He and others knew the key was to understanding the feedback loops. The internet's feedback loop is broken. Clicks and quantity drive revenue, not quality.
And yes, my username is a reference to Star Trek, a show which is probably too socialist for the heavily anarcho-capitalist-leaning libertarian crowd here on HN (See the link in my reply to username223).
I'm working on setting up a website where we can raise awareness, change hearts and minds, and support efforts that help us retake the internet. I cannot do it alone, even with my evil goatee. Email me if you'd like to help.
Indeed. I find data collection good - just not for the things we're collecting it now. Ad industry works against civilization. But the same information could be used to improve our lives on a global scale.
I do have a Facebook account, primarily because I am studying abroad and I need to keep in touch with my family and close friends and Facebook is, thus far, the best way to share what is going on in my life. It kind of allow me to "broadcast" my life events.
Now, I really dislike what I just read.
I wonder if tech companies have a moral obligation to disclose to the user what are the terms of the contracts.
While ToS and Privacy Policy are public documents, I don't think they are close to anything readable for the layman. They are mostly pile of legal garbage and it is virtually impossible to go through them everytime you sign-up for a service.
That is why I would like to put the emphasis on clarity here. What if?
What if technology companies were forced to disclose clearly what signing-up for their product entails with respect to user privacy. I am thinking of something alongside this:
"""
Hello r0naa,
Welcome on Facebook, we hope that you will have a great experience here.
Facebook will allow you to:
- easily communicate with your friends
- share photos, videos and play games with your friends
- keep in touch with distant relatives
On the other hand, we will:
- keep a record of the messages you send to your friends
- keep a permanent record of the photos you have shared on Facebook
- keep a log of all the websites you have visited that contain a "like" button.
Moreover, you should be aware that we will disclose all your personal data to the US government if we are issued a NS letter.
Hope you have a great day,
"""
To be clear, I am not saying that this is the right solution. Only, I believe it is pretty obvious that there is a problem and that a lot of people who are not technically literate are not able to make a informed choice about whether or not they want to give up their privacy, even partially.
I hope it will spawn an interesting discussion, feel free to share your ideas and suggestions.
Nothing in that disclosure would dissuade (or even give pause to) any of the people I know who use Facebook.
"keep a permanent record of the messages you send to your friends"
"keep a permanent record of the photos you have shared on Facebook"
That's great! A free backup.
"keep a log of all the websites you have visited that contain a "like" button."
That's great! So I'll get feeds that better reflect my interests.
I haven't used Facebook since the EFF experimental app that showed all the actual, real information (real names in the graph) FB leaked to any game you clicked 'OK' to. But noone else cares, FB is still growing, and that's OK.
I'm OK with the way Google handles my personal information (doing the match making with advertisers and keeping my details private), and enjoy the benefits this enables.
It's not just that privacy policies / ToS are using complex legal language. The real problem is that they are so broad.
For example, just about every privacy policy states that information collected can be used to improve the company's products & services, or to help develop new ones. That effectively gives the company free reign to do whatever they like with your data. Who knows that products they may decide to offer?
A company could release a new product tomorrow that sells your individual browsing data to the highest bidder, and that would be covered by this clause. Also remember that almost all policies state that they can be updated without notice too. Do No Evil today, Evil tomorrow...
Before I click the "go away" button, I interpret the wall of text as "we'll do whatever we want, and if you disagree, you can try to sue us, but the PR campaign will be what matters, not the legal stuff."
I thought the fact that messages and photos are kept was a feature. As in, I can scroll back a decade in my photo albums and look at pictures from my high school graduation.
It's unfortunate we have to be tracked so much to use the services, but I guess if it's not free then we're the product; This site does a pretty good job of providing the tl;dr of TOS https://tosdr.org/
Sometimes I feel like ignorance is bliss though, especially with how much information these popular services actually collect from us
The only rule is: What a company can do and what they can't do. If it's possible, assume it's being done and protect yourself accordingly (i.e proxies, blockers, host files, etc.)
I dunno. I automatically assume that everything that passes any third-party site unencrypted can be intercepted, retained and subsequently disclosed to advertisers, government, or whatever else. This especially applies to for-profit companies for which I'm not a paying client but the commodity being sold. I mean, I don't need to read TOS to assume this, it's just common sense to me.
Oh that's the case for pretty much anyone on HN I am sure. I was explicitly referring to the rest of the population that is largely illiterate when it comes to technology (they just consume).
There are similar warnings on products like food, drugs etc...
Glad to see Chromebooks mentioned. I for one consider Chrome to be Google's last attempt to extract those last pieces of information from the desktop which it can't get from having tracking on 99% of the pages found on the internet.
That and subvert internet standards by giving Google the ability to push their own HTML on server and client in real-time, forcing other browser to follow their lead or be declared "legacy" or "outdated" in front of users on Google-websites.
I consider Chrome to probably be the worst thing which has happened to the modern web. It's much worse than IE ever was.
On a real laptop you have the freedom to chose a privacy-respecting browser, but Chromebooks are even worse in the sense that there's only one browser, you can't chose any other, and the browser there is spying on you real-time.
That these devices are not illegal to use in a education-context is really astounding to me.
Edit: My initial comment was incorrect, corrected version below.
Chrome Sync encrypts sync data on the client. By default the encryption passphrase is your Google Account password. This allows Google to read the data, as described here: https://support.google.com/chrome/answer/1181035?hl=en
However, you can set a separate Chrome Sync encryption passphrase in settings. This second passphrase is never sent to Google at all and allows you to use Chrome Sync without Google reading the data. It should be obvious why this is not the default, as requiring a second passphrase is a very significant decrease in usability, but it's there if you want it.
My initial comment was incorrect and has been updated. However, have you actually tried the scenario you describe? In the past, when I have changed my Google account password and logged into a new computer, I have had to enter my previous account password on the new computer to decrypt the data before Sync would work. Indeed, if you look in Chrome Sync's settings, you will see text that looks like this: "All data was encrypted with your Google password as of Jan 17, 2015", letting you know which version of your password to use.
I’ve last used Chrome around 2012, and at that time it would work after resetting the account password. In fact, I still don’t know which account password I had used.
So at least at some point in time Google did store all this data.
It seems to have been quite leaky in the past, and that doesn’t make Google any more trustworthy.
Solution: Use Firefox. Also, Firefox at least allows Cookies on localhost or other local domains.
Anyway, Google may not store any bit of my browser history in the US anyway, so I should probably go to court against them.
I run benchmark regularly concerning privacy exposure, and I ran one this summer to find out all 3rd parties for a sample of high traffic web sites.
I collected and sorted the results by [3rd party, 1st party] pairs: this allows to see at a glance the most ubiquitous 3rd parties out there, i.e. those which have the ability to build a profile of your browsing habits.[1]
Facebook (through `facebook.net`) was definitely at the top in the benchmark, when using EasyList, EasyPrivacy, Peter Lowe's.[2]
I personally doubt a majority of users care that there is a Facebook like widget on any page, except maybe for a handful of sites for those with a Facebook account. So disabling Facebook globally with exceptions where needed is a top advice to reduce privacy exposure.[3]
Sounds like a situation that could be polluted with something like what Moxie Marlinspike did with googlesharing, in an effort to bury the signal in the noise.
Stalkers gonna stalk, makers gonna make, founders gonna found. We nerds always knew that the Facebook, Google, etc. images were tracking beacons, and their business model was, to paraphrase Eric Schmidt, to get as close as possible to the creepy line. Fortunately, it is/was easy to opt out by DNS-blocking a few hosts. If this behavior becomes common, back-end data sharing and syncing will become the norm, and something like ToR will become necessary, then local encryption, then...
But who ever said fighting crime was easy?
EDIT: "And I have no doubt that the vast majority of engineers, designers, and policy makers working in Silicon Valley want to do the right thing."
How can I even pretend to believe that the author believes that? They mostly don't know what the "right thing" is, don't think of their behavior in moral terms, and wouldn't dent their salaries to act morally.
Blog posts are just too boring most of the time. We need more direct quotes from the people toeing the creepy line.
That is the behavior that should be tracked. What do you think these "engineers, designers and policy makers" get up to each day? Maybe lots of "pretending to believe" they are doing something meaningful?
The problem is that most of the victims are accomplices to the crime, but even more so the makers and founders who make out on ad revenue.
Advertising is our C8: https://news.ycombinator.com/item?id=10047706. That comment net 48 votes so I am cautiously hopeful. I say "net" because everytime I call out the moral failing of the ad "business model", I get downvotes. The salaries of too many people here are underwriten by ads.
I'm not aware of the technical details of how the user is tracked. Is it possible to be tracked even if the user has logged out of the social network website (based on the browser or machine being used)?
When you are "logged in" to Facebook, your browser stores a unique token in a cookie that can identify you. That unique token is sent with every request the browser sends to FB, even requests you don't initiate directly.
These hidden requests happen all the time, like when a web developer embeds a FB like button on a page. The like button is actually generated and served by FB's servers (check your browser's dev console), and the request to show the button itself gets that cookie sent along with it regardless of whether you press it.
The tricky bit is that "logging out" might not actually be enough. I don't use FB so can't say for sure, but it is certainly possible to implement "log out" such that you can't see restricted resources or pages, but still have an identifying cookie on your machine. In this case the cookie itself would store a flag marking you as "logged in" or "logged out", but the cookie would still identify you all the same.
I like to always use incognito browsing sessions when logging into Facebook. At some point I cleared all my cookies too.
I remember a while back an article was posted about how to uniquely identify users without cookies though. I don't recall the exact method though, or if in this scenario it would require javascript and not just a link to a like button.
I'm not sure incognito browsing actually helps much.
User tracking isn't a 100% accurate science, and your browser name, browser version, operating system, OS version, IP address, screen resolution, etc. are still getting sent along and they don't change by going incognito. It's no big deal for Facebook to just assume it's still you if the only thing that's changed is that you're no longer sending the same session cookie.
Protecting against 2nd and 3rd party tracking was never the goal. "Incognito"/"Private Browsing" mode on browsers was a feature to protect against leaving local browsing records.
It's often nicknamed "pr0n mode" for that reasons, by people that didn't want pr0n websites showing up in their browser history.
Basically you're using the specs the browser sends about the computer - OS, screen size, add-ons installed.. this gets pretty unique. I've been able to identify friends on a local site just by knowing them and their computers.
Was able to find it. Actually it's using etags. They work even if you disable cookies. Perfect identification, similar to cookies. Sites were using it before it came to light:
You don't even need ETags - if the server sends out a unique (or mostly unique) "Last-Modified" header, the browser will return the cookie in "If-Modified-Since".
Is it also possible that the user be tracked or is being tracked based on the machine used to access the internet (maybe over time for one to one mapping of user to machine)? Just curious.
Good explanation. I don't know if it'd be worthwhile to track logged-out users though.
Lumping it in with the same data that came from the last logged-in user would make the data less valuable, because there's far less of a guarantee of which user the data was collected from (imagine people using Facebook on a library computer, then logging out and 20 more people using the computer before someone else logs in).
I'm sure there'd be some use for the data though, so I'm sure Facebook will gather it if they don't already have plans to. They could just earmark it with the probability that it applies to the given user.
Or just lump it all together as anonymous data, I'm sure there's value in that too.
Is this a problem? Who stays logged into Facebook?
My browser does an auto fill for my user name and password, I login for 10 minutes to see postings from my brother, grandson, neices, etc. and then logoff.
Never occurred to me to stay logged into FB. In the same way, I like to use a separate web browser for just using Google and twitter. Small easy steps for maintaining a modicum of privacy.
That isn't relevant. There are login cookies and there are tracking cookies. Unless one arranges for the tracking cookies to be deleted regularly, one will be tracked even if not logged in.
It's a huge UI problem, but browsers should probably default to the behavior that you are leaning over to one side and hopping on one foot to get. Then you need a UI for selectively turning on sharing of information between sites.
The advanced mode in uBlock is a big step forward for users that want to bother with it, but I'm not sure it is even solvable for users that don't want to bother.
Not really, because those are good old links that don't contact a 3rd party server before being clicked. The standard Like buttons connect on page load, instead of on click.
Another point to think about is that if facebook (or any of these other sites tracking you through social media buttons) receives a subpoena, it likely has nearly your entire browsing history on file since so many sites have those button.
Ad-blocking and tracker-blocking thus won't hurt the growth companies in Silicon Valley. YC could get behind ad-blocking without reducing the value of their portfolio. The concept that "the user is the product, not the customer" is now outdated. There are still companies which rely on it. They are vulnerable. Google still hasn't come up with a major revenue-generating product other than ads.
[1] https://news.ycombinator.com/item?id=10372789