
I still can't figure out why my browsing data being sold is objectively a bad thing. I don't see how it makes my day-to-day worse in any way. There are plenty of smart people who feel that it's bad, so maybe I'm just missing something, and I'm open to sound logic that convinces me that it's going to make my life worse.

Also, the example they make at the bottom asking the reader to imagine hundreds of people following them around and watching their every move is a bit disingenuous. It's more like a handful of people following millions. At that point in time, you're not much more than a data point.




I think the problem is that it's creating an infrastructure that can then be used for nefarious purposes.

And then there's no way for you to know when the line is crossed between what you consider tolerable and what you feel infringes on your privacy.


Some people object to the way the data is used for behavioral ad targeting, because it's "creepy" -- it causes companies to reveal that they know things about you, without making it clear who gave them that information or how they gathered it. This can be surprising, and possibly unsettling.

Personally I'm not terribly bothered by the targeted ads themselves, but I see them as one symptom of a deeper problem. The data being used and sold is not data that I volunteered; much of it is data that is leaked unintentionally as a side effect of technical design of the web and other information systems. (This includes data like "the person who is visiting site A today also visited site B several times last week.") These leaks make it hard to know or control how much we reveal about ourselves (and to whom) when we use these systems.

Even if you aren't concerned with any specific information you may accidentally disclose today, you should still be interested in ways that our software and networks could be designed to give users better knowledge and control over these disclosures, because (a) other people are legitimately concerned about this, and (b) you may have reason to be concerned in the future.


It's about control and regaining control of your browsing habits, namely giving users the capability of opting out of global surveillance networks.

Many advertisers screamed (and are still screaming) bloody murder over Do Not Track settings being on by default, and this is a message to send to them: your screams are irrelevant and you have no right to track me.


I have control of my browsing habits. That's my point - I'm not terribly worried about if companies see what I do, so it doesn't change my behavior. Thus, I don't see how this point shows that tracking makes my life worse.


Are you saying that it is ok to globally disregard privacy, profile users, sell their data/profile without them knowing or getting a part of this profit because it doesn't make your life worse?


I don't think I said anything about global disregard. I asked why I should personally care. It seems like there are a lot of people trying to tell me I should care, but I did not once say that others should not care.


Well the reasoning is quite simple actually, if you care for freedom then you should care for privacy. Without privacy there's no freedom possible.

Maybe read some of the many posts around about privacy and freedom and rebuttal of the "I don't do anything wrong so I don't have to hide" argument: you could start with Schneier's blog: https://www.schneier.com/blog/archives/2006/05/the_value_of_...

But let me try to make a point of why you should personally care even though you don't know or understand why. This is a case of closing the barn door after the horse is gone, if you later learn the hard way you should have cared and go the extra step of protecting your data, you couldn't go back and get your data back. And the sad reality is that if you have to learn this way, it means that history has indeed repeated itself again and you're enjoying living under a tyranny.


> Well the reasoning is quite simple actually, if you care for freedom then you should care for privacy.

Sorry, but this sounds like the cr*p touted around by politicians and overzealous "patriots", along the lines of "if you don't support the war then you are not a patriot and therefore must support the terrorists".

Despite what most on HN would like to believe, outside of the tech community most people don't care about their privacy being invaded, and the OP is entitled to his opinion of not caring just as you (and I) are too overly caring. I believe that is the true definition of freedom, to be able to make one's own choice?


I've saved that article for reading later and I plan to respond when I've finished. Thanks for the link.


>I'm not terribly worried about if companies see what I do, so it doesn't change my behavior.

It sounds like you are saying: "I'm not doing anything wrong, so why do I need any privacy".


And if I am? Everyone has varying degrees of privacy preference. Who's to say that any end of the spectrum is wrong or right? Mine just happens to fall on the more liberal end.


You're right, there is a spectrum of preference. But just because some are ok with it, doesn't mean all of us. Why encapsulate everyone under the same policy of track everything?

On the Do Not Track, I think turning it on by default is a bad idea. It gives companies no incentive to follow it and abide by it. (Yes, they have no reason to abide by it right now either). There is no law that says they have to abide by it, but it seems to me they might be more willing to abide by DNT if those that are tracking conscious were to turn it on, rather than it to be turned on by itself. They wouldn't lose as many people to track if it was opt in instead of opt out.


As I mentioned to another commenter, I don't think we should encapsulate everyone under the same policies nor do I think everyone should feel the same. I believe it's OK for people to want a lot of privacy. However, through this whole NSA discussion, I've seen a large amount of discussion on HN basically saying that anyone who doesn't desire a high level of privacy is wrong or ignorant. That's certainly what Zuider's comment about the possibility of me saying "I'm not doing anything wrong..." asserts. I think it's more ignorant to believe that everyone needs to have the same values and beliefs as you regarding privacy.


> There are plenty of smart people who feel that it's bad

Please do not forget that intelligence isn't all-pervasive in a person. Privacy tends to be a trigger issue for many intelligent people on a forum like Hacker News.


1) Your data has value and it belongs to you. If it is taken without permission, that is stealing. Bad thing.

2) Taking one cent from your bank account every day won't make your day to day life worse. Day to day being worse is not a standard that is useful.


1) I don't agree with this. If I walk into (or around) a Best Buy and they capture my movement on a security camera, are they stealing from me? Technically, they are recording data of my movement. Also, stealing generally infers that the victim is left without the stolen item. That's why we don't call piracy stealing. So, if anything, trackers are 'pirating' my browsing information and possibly reselling it. Truthfully, I wasn't doing anything with that information before, so my life hasn't changed for better or worse because of this. No proof of bad thing here.

2) It is a useful standard. I avoid being nit-picky about the little things, and so I like to make a distinction between things that are worth worrying about. If ~$273 is taken from my bank account over my entire lifetime (based on average lifetime), I'm really not going to worry about it. If data tracking is on the same side of the distinction as taking 1 cent from my bank account, I'm fine with that.


1) We'll take another example, let's say you have your own religious views and those get collected in a database, seemingly no harm done here. Then comes a newly elected government with different religious views who decides people holding the same religious views as yours should wear a distinctive sign to warn the public, then to gather those people in camps, then starts mass killing those people on an industrial scale. This happened before, if it were to happen again in the future you would have no way of hiding facts about you as everything has been collected about you for years.


Wow....you just took web analytics and tracking and somehow morphed it into the holocaust. That's probably the biggest slippery slope argument I've ever seen in my life.


This is obviously an extreme example, but it's valid nonetheless. Nazi Germany had to build the database (thanks IBM) they needed, a future Nazi, fascist or the like government wouldn't have to, those databases already exist in much more detail than Nazi Germany would have dreamed of (Facebook seems to know you're gay before you do or your family does [1]).

But this Nazi example is one everybody can relate to because we're all familiar with it. But if this is too strong we could go a bit further in history and talk about Richelieu "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." and the current state of US law [2].

[1]: http://americablog.com/2013/03/facebook-might-know-youre-gay...

[2]: http://www.harveysilverglate.com/Books/ThreeFeloniesaDay.asp...


That's probably because you don't grasp what can be done with this data, and for how long this data will be around. The bottom line is in the relation between privacy and freedom.

There are a few points to raise here: How do you object to or prevent the sale of your data? How much of the money from the sale of your data went to your pockets? What control do you have on your sold data over time?

Then it's not only about you and your life, ever heard of First they came [1]?

[1] https://en.wikipedia.org/wiki/First_they_came


I'll ignore your belittling comment and ask you to clarify what exactly you suppose will be done with the data about my browsing habits. I'll return the sentiment, however, and suggest that maybe you don't grasp that there are people who do understand and are not quite as scared as you. I generally don't live my life in fear, regardless of what dangers loom around the corner, known or unknown. This is the second time you've correlated internet browsing tracking to Nazi Germany and the Holocaust. It amazes me that you even use the internet with such enormously exaggerated fears.

I'll go further to suggest that you are unaware that knowledge, intellect, understanding, and the capability to grasp these concepts is in no way correlated with susceptibility to fear and worry.


Because it potentially encourages using the data in a technically wrong way. What I mean by "wrong" has nothing to do with morality. I mean "wrong" as in people who think they can predict behavior will over-interpret the data in a technically incorrect way and try to apply that model causing real harm. That might mean giving insurance companies an excuse to over-interpret health data to increase rates or law makers legislating discriminatory laws based on bad data analysis. It gives scam artists extra ammunition to peddle their crap.


While I agree that many are blowing this out of proportion, there are data analysis tools that can transform a few isolated data points into a complete profile quite quickly.


Because I didn't consent to it.


There are hundreds of companies that track you actually and they sell that data to many, many others. In an average hour of browsing, about 40 will try to track you. What you browse & search is very personal and very revealing - it's dangerous that anyone have that data and use it to determine what prices to charge you for goods, for insurance or whether you should even be offered a policy, or more e.g. searching for "pressure cooker" and "backpacks" led to a visit from six FBI agents to a writer. https://medium.com/something-like-falling/2e7d13e54724 ...there are tons more examples I could provide!


The police were tipped off about the backpack/pressure cooker searcher by their previous employers, not some anonymous internet company: http://www.outsidethebeltway.com/an-update-on-the-pressure-c...

They were detectives, not FBI agents.


That's ironic since counterterrorism[1] is the supposed primary mission of the NSA surveillance enabled by FISC / PATRIOT Act.

[1] Provided that you think a simple Googling of "backpack" and "pressure cooker" in the days following the Boston Marathon Attack implies a probable link to terrorism.


Thanks for the update to the pressure cooker/backpack article - nevertheless there was a police visit based on his googling which is a bit scary. There are many dangers you could imagine if what you search could be used against you (assuming it's not private).


Yeah, because when I search for ingrown hairs on Google, Amazon emails me about products that remove ingrown hairs.


Because it gives companies an advantage over you.

For example banks and insurance companies want to know everything possible about you. So do potential employers. Profiling people and putting them into categories and calculating their risk profiles makes their position weaker.

For example: Google "lump in the testicles" and browse medical sites. Then wait one week and try to get a mortgage or insurance.


Except companies like Mozilla and Google (even Microsoft) don't give that data to those companies, and have no incentive to do so. Indeed, to a company like Google that would be corporate suicide as it would undermine their main source of revenue. Google's money comes from being a middle man, they want to keep their competitive advantage (your data to target ads) secret more than you do.

So your scenario doesn't exist.


Google gives it to the government. Over 33k user accounts last year alone.

http://www.google.com/transparencyreport/userdatarequests/


s/gives/court ordered to produce/

And how is that relevant anyway? Do you think the government then turns around and hands it to other companies for shits and giggles?


1) "Google [...] doesn't give that data to those companies". What about selling that data? That's in line with what you call "being a middle man" I think.

2) "[they] have no incentive to do so". They have no incentive in trumpeting that they are doing it. But without having read their ToS, I'm sure they got that covered.

Of course this is pure speculation and I have exactly zero proof that this is the case. I would actually never have believed those claims 6 months ago, but today, I wouldn't be surprised.


So you admit not even having read the ToS, but now you're ready to believe that it happens, despite the fact that (for example) Google has a fairly straightforward privacy policy that enumerates what they use data for: http://www.google.com/policies/privacy/

As the person who originally replied to you mentioned: it'd be political suicide for Google to provide the information they use for their own ad targeting to others, even for a fee, beyond users' explicit consent. It'd also be business suicide, given that it would allow people to cut Google out of the loop, rather than using Google as the advertising platform.


> 1) "Google [...] doesn't give that data to those companies". What about selling that data? That's in line with what you call "being a middle man" I think.

1) Nobody really actually wants to buy that data in the first place. Companies that buy ads just want to sell you shit, they really, really don't care about you in the slightest. Sorry, but your personal information by itself isn't actually worth a damn thing. Hell, if companies were willing to pay for my browsing history I'd sell it to them myself.

2) Why on earth would Google sell one of its advantages? If Google sold data Facebook or Microsoft would buy all of it in a snap and Google would be screwed.


Lots of toolbar companies and plugin companies sell your search data to websites like magnetic.com for search retargeting. So even if they don't sell directly there are still many ways they can get their dirty hands on your data.


What hannibal5 says: Trackers are there after you're off of Google's site (they know whether you've been bad or good, so be good for goodness' sake), and Firefox doesn't need to phone home to Mozilla for your browser to enable others to track you.

In other words, neither Google nor Mozilla has to be involved to track you.

Let me lay out a specific scenario.

It's easy enough for insurance companies (or a 3rd party who's willing to sell that data to an insurance company) to run genuinely informative health sites that have good rankings on Google's SERP, and thus get high clickthrough. Such a site can on clickthrough set a cookie on your client for you, and/or fingerprint your browser (cf. EFF's Panopticlick), and/or use an ETag as a 'cookieless cookie'/browser identifier.

Once they've got a way to identify past behavior for a browser (i.e., look up health concerns for an identifier), they have something to sell to insurers.

Okay, well, clicking on an organic result is a weak signal of health risk / pre-existing condition, all you know is they ended up on a page.

Suppose you, as an insurer, want a stronger signal of whether the person using that browser has a health risk/pre-existing condition. Just put out some AdWords. Here's where Google really helps a website build valuable, saleworthy data.

    Search for something:
    https://www.google.nl/#q=breast+check

    Click adwords ad for breastcancer.org

    Opens a page to: http://www.breastcancer.org/symptoms/testing/types/self_exam/bse_steps?gclid=CMC0rI74uLkCFQSS3godSSAA_Q

    With this value in the HTTP request's Referer header:

    http://www.google.nl/aclk?sa=l&ai=CA_XBGe0qUqOhD4e--QbWkoHoBqzGitEBlN6ongr-x6YMCAAQAVCVu9RFYJGEk4X8F6AB7qeO_wPIAQGqBCBP0MOny_HlmSNBJ-QDgpzV0OqbNNjg7FAjv3nX9hy9u4AH-tdx&sig=AOD64_1DSbXWQm-KpW0fMRFiY3lcjn3kQg&rct=j&q=breast+check&ved=0CCwQ0Qw&adurl=http://www.breastcancer.org/symptoms/testing/types/self_exam/bse_steps.jsp

    I was logged into my Google account while I did this.

    Google empties the Referer for organic results always (if I've read & remembered correctly, for a few years they scrubbed Referer only for logged-in users, as a privacy boon). But they still leave it for their paying advertisers!

So, if you run breastcancer.org and put out some ads and are selling your data to insurers, you now can link search terms to impressions to clickthroughs to a browser identifier. Then you just need to offer a low-latency service that serves the insurer a list of health conditions for which a particular browser seems to be at-risk for.

Note that all of this works end-to-end, so SSL/TLS doesn't prevent the host serving a clickthrough from sharing data.

The part where your browser is identifiable (uses etags, sends cookies, presents a consistent fingerprint) is the weakest link.

Disclaimer: I have no reason to believe breastcancer.org is anything but altruistic, I just needed to find a medical condition for which there was a clickable AdWords ad and which is expensive to treat.
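
The Referer exposure described in the comment above, as an added example that is not part of the original post: a simplified model of the browser's Referrer-Policy rules (a mechanism the thread does not mention), showing under which policies a landing page receives the search term. The function names, the list of query-parameter names and the abbreviated sample URL are assumptions made for illustration.

```javascript
// Added example (not from the thread): simplified model of how a browser
// picks the Referer for a click under each Referrer-Policy value, and which
// search terms the landing page can then read from it.
// Simplification: a "downgrade" is modelled as https -> non-https only.

// Constructed sample, abbreviated from the ad-click URL quoted in the comment.
const SAMPLE_FROM = "http://www.google.nl/aclk?sa=l&q=breast+check&ved=0CCwQ0Qw";
const SAMPLE_TO =
  "http://www.breastcancer.org/symptoms/testing/types/self_exam/bse_steps";

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Returns the Referer value sent to toUrl, or null when none is sent.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  from.hash = "";      // fragments and credentials are never sent
  from.username = "";
  from.password = "";
  const full = from.href;
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Hypothetical helper: parameter names assumed to carry search terms.
function leakedQuery(referrer, keys = ["q", "query", "p"]) {
  if (referrer === null) return {};
  const params = new URL(referrer).searchParams;
  const out = {};
  for (const k of keys) if (params.has(k)) out[k] = params.get(k);
  return out;
}

// One row per policy: what is sent and what search terms it exposes.
function audit(fromUrl, toUrl) {
  return POLICIES.map((policy) => {
    const referrer = referrerFor(policy, fromUrl, toUrl);
    return { policy, referrer, leaked: leakedQuery(referrer) };
  });
}

for (const row of audit(SAMPLE_FROM, SAMPLE_TO)) {
  console.log(row.policy.padEnd(32), row.referrer, JSON.stringify(row.leaked));
}
```

The policy that applies is the referring page's, so this models what the search site chooses to expose on a click; cookies, ETags and fingerprinting on the landing site are unaffected by it.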


But when you visit sites that Google searches take you to, they are full of trackers.


Is there any evidence that your example could impact somebody today? Sure, it's just a matter of the right (wrong) people connecting the dots... but is anyone currently doing that?


Isn't the fact that such a vulnerability exists reason enough to not allow it to happen? I mean, at that point, you're basically trusting the Bad Guys to not do bad things. Look at internet security circa late 1990's to get an idea of how that works.


Nitroglycerin can be used to make things blow up. It can also be used to help prevent heart attacks. Should we completely ban nitroglycerin simply because it can be used to blow things up? I mean, we're basically trusting people to not use it to blow things up.


False equivalence. Explosive quantities of nitroglycerin are regulated.

Actually, wait a sec. So is government snooping of communications, the problem is they're not following the existing regulations.


Does that really occur? If so, then I'd agree that would be a good reason to be against tracking, but I haven't seen hard evidence to show this happens.


>For example: Google "lump in the testicles" and browse medical sites. Then wait one week and try to get mortgage or insurance.

I'm calling bullshit on this one unless you can provide a concrete example.


Courtesy of http://donttrack.us:

"Life insurers are testing an intensely personal new use for the vast dossiers of data being amassed about Americans: predicting people's longevity."

http://online.wsj.com/article/SB1000142405274870464860457562...

It was just a pilot test, but that was three years ago, so who knows where it is now.



This link has nothing to do with your original scenario of googling for "testicular cancer" and subsequently getting denied for insurance or a mortgage. It's about social media. Social media != anonymized search data.

There is a huge difference between publicly stating for the whole world to see that you have cancer by posting it to Facebook and searching google and browsing webmd and an insurer somehow surfacing that search and browsing intent and then acting on it. You backed up nothing.


Google tracking != anonymized search data


It was meant to be taken as a literal case. Just as an example of how it will be used.



