>"But some trade group executives also warned that any attempt to curb the use of consumer data would put the business model of the ad-supported internet at risk."
Yes the "ad-supported internet" may be at risk. So what? Is it unreasonable to think that this model might not actually be sustainable long term?
Why should this business model be any less vulnerable than any other business model? Note to Big Tech - public opinion also has the power to "disrupt."
Furthermore, it is possible to run ads without collecting creepy amounts of data on everybody.
Ads themselves are not so problematic. But the idea that companies have to collect amounts of data that make the Stasi look like a bunch of privacy activists is very much problematic.
Agreed. It's funny you mention the Stasi. When touring the old Stasi headquarters in Berlin its tough not to think about how 25 years later a company has amassed much more data on private citizens than Stasi could ever imagined.
>The United States does not have a consumer privacy law like the General Data Protection Regulation. But after years of pushing for similar legislation, privacy groups said that recent events were giving them new momentum — and they were looking to Europe for inspiration.
>“With the new European law, regulators for the first time have real enforcement tools,” said Jeffrey Chester, the executive director of the Center for Digital Democracy, a nonprofit group in Washington. “We now have a way to hold these companies accountable.”
I'm super excited about the prospect of GDPR in America.
Effectively, you will have it, because it applies to European residents, and it is difficult for companies to know for sure that you aren’t a European resident.
They can if they are willing to, but I doubt many companies are willing to.
"This is a tough one; spend a year rebuilding our backend and terms of services or shut ourselves out from a market of almost 500 million people (not including the UK) probably forever?"
Hopefully it will also change the "move fast & proper security is an afterthought" model of startups.
Years ago(in CS degree before professional work), I used to wonder & be amazed by how fast new companies(mainly U.S.) moved so quickly.
It wasn't because they had some secret sauce or 10x devs, it was because all they did was focus solely on features & take shortcuts. Their customers data security was an afterthought - e.g. production DBs open to anyone in company(even the world in some cases(mongo)), no auditing or logging of data access.
Maybe YC(& other accelerators) will make a security expert available to these people...because young adults with 0 professional experience will probably not consider security & rely on the defaults of whatever stack they're using to be good enough. Even less consideration will be given when they're fed & surrounded by a grow fast at all costs mentality.
Good security in their products needs thought & critical analysis put into it & I'm not sure new devs appreciate it.
> young adults with 0 professional experience will probably not consider security & rely on the defaults of whatever stack they're using to be good enough.
I typed up a response with a few of my experiences, but it's probably wiser to not share those anecdotes at this time.
Suffice to say I've had the exact opposite experience, where the only people who cared about security and stability in any capacity were the youngins, and the veterans dismissed any and all suggestions for improvement regardless of how diplomatically (or not) they were worded.
The one anecdote I do feel comfortable sharing is in regards to stability, not security, but it's fairly similar to what I've encountered security-wise.
Once, I inherited a legacy codebase very tightly coupled to a legacy platform. I managed to shove an abstraction layer in there, which was then used to port the same codebase between three very different platforms.
The biggest problem that I had was in maintaining the very specific, somewhat unintuitive, completely undocumented behavior of the original codebase. Which was of course very tightly coupled to by downstream processes. But after getting the API in there, I was able to run the code on its own and that meant that I could start writing automated tests.
I listed off the biggest pain points whenever changes were made and the most critical behaviors that actually generated revenue, and put them all under test. Everything that commonly went wrong (and there was a lot thanks to some unreliable domain-specific tooling) was now automatically validated whenever changes were made.
When I showed one of my bosses (the owner of the company and someone in a former technical role) he was less than impressed. I was told off for avoiding my job, and instructed to test it manually like a real programmer.
It's not likely to change that until customers start to actually care about security. And by actually care, I mean start making purchasing decisions based on that. Startups have limited resources, and that will never change. The nature of limited resources is to spend those resources on the tasks that will move the needle the most. Until security tasks start moving the needle, they'll get ignored.
One way to make customers start caring about security? Regulation. In a very small startup with a serious shortage of resources, we're currently planning our GDPR compliance. And we're not doing it because we think privacy is important (though we do), we're doing it because customers are telling us that we need it before they can sign up. If customers aren't going to think security is important on their own (and they aren't), passing laws that force them to think it's important is the only way to change the situation.
> how fast new companies(mainly U.S.) moved so quickly.
I've worked in startup/mid size companies outside U.S and from what i've seen its totally inaccurate to say that startups outside U.S move slowly because they take privacy/security more seriously.
The reason I mentioned US specifically was because VC funding to support hyper growth was historically & (still is) way more common there than elsewhere in the world(Western Europe specifically). A condition which seems to almost mandate the grow fast at all costs mentality.
It doesn't preclude anywhere else in the world from being lax about security.
I also have worked for multiple small/mid companies in Western Europe and, anecdotally for me, data & thoughts to security are held in much higher regard.
Not really true. People want to be safe and secure, but they often don't have enough money. For example: Last summer I visited Georgia and Armenia. What I saw in ordinary flats was basically screaming "I will catch fire soon" - but richer places had security taken care of just like your or my own house, even though it's not really a requirement.
If it was a requirement (theoretically it is
, but it's not enforced), most places would have no electricity at all. Same with cars: these people drive really old junk (literally) cars that are visibly (often seriously) crashed and you wouldn't be able to use them in other places, but they don't have an alternative. They'd like a nice and safe car like everyone does (and they buy them if they have enough money), but it's either this or nothing, no regulator can change that.
>>>Hopefully it will also change the "move fast & proper security is an afterthought" model of startups.
In short: starting startups will become more difficult. One of the things most taxing and scary for people in our society, starting your own business, but also one of the things most needed and useful (who else creates jobs and Big Cos later?!) will become harder to do.
Yeah, let's just blow all concerns about privacy in the wind. Think of the jobs! While we're at it we might also want to abolish building codes, to combat high rents. And what about OSHA? Clearly safety rules for workers just make it harder to start hardware companies!
Everything truly important for customers will become an advantage for the provider in the free market and it will improve. Including privacy.
Governmental attempts to short-circuit that process are at best misguided at at worst harmful. They create ossified markets where established players rule and innovation and competition are nonexistent.
Natural consequences - but hard to accept when one just takes the rallying cry du-jour in arms. "Think of the children!"
You assume consumers with perfect information unselfishly optimizing for the long term good of all people and a market with true competition. None of which is true in reality.
I don't assume anything. I just observe the "freer" markets like computers, entertainment and software and marvel at the rich choices, advances and quality present in spite of no regulations requiring for them.
And then I look at any heavily regulated markets and I shudder at the prices, lack of choice, crappy quality and how horrible stuff happens in spite of regulations supposed to prevent it.
So I draw a logical conclusion: Free Markets beat Regulations pretty much every time.
So.. How exactly is "regulation" currently stymieing competitors to Facebook and Google with better privacy protections?
Because I can think of quite a lot of reasons not to start a search engine or social network. Yet "regulation" is nowhere on that list, because I can't think of a single one that warrants any concern compared to the technical and market challenges.
Take DuckDuckGo as one example of a privacy-focused competitor to the behemoths: Are they loudly complaining that they'd long have dethroned google with their better privacy protections if only regulation X wasn't stopping them?
Your list also doesn't make any sense. Computers, entertainment and software seem to be about as regulated as online platforms, in that I can once again not think of any serious regulation in the US that would stop me from making a movie.
Pharmaceuticals are generally accepted to be among the most regulated products. Yet I would rate their progress to be somewhat comparable to that of "entertainment". Which isn't really a comparison that makes any sense, but if you can just wing it so can I.
It's quite obvious that the vast majority of people think it's a bad idea for political parties to have access to the photos they posted on Facebook just because one of their friends took some quiz. Why, then, should we believe in the magic of the market to find a solution to this clear interest, when we can also avail ourselves of the mechanism invented to solve such collective action problems, namely government? What are the possible downsides to banning invasive advertisement and data analytics by political campaigns, except a mild loss in revenue for the platforms, and whatever loss the campaigns suffer from no longer knowing my sexual orientation?
Facebook and Google were not the first social network and search engine, respectively. And still they won the market, dethroning established players.
I know it's not very intuitive, but free markets and competition work. Unless your freeze them with (usually brain-dead) regulations.
Governments have a role, of course, but when you call them to solve everything, to protect us from ourselves and you give them every power imaginable - you are creating a monster.
A monster which will step on every right you thought you had and take anything they want from you "for your own good".
I don't know any. And the fact that no competitor with better privacy came along makes me wonder if the public really values privacy as you or me do.
But that is not how the regulatory burden kills startups. It's not one specific thing: it's the sum of all of them.
Have you started a startup? I have, and I can tell you the toughest part of that was before even deciding! The very though of leaving my cushy job and colleagues kept up at night. Every single fear of some bureaucratic burden I had to obey (on top of technical and marketing challenges) pushed the balance to "no".
Every rumor, every tax, every rule I heard about pushed me think this was a bad idea. Any extra task which in itself seems harmless can break the proverbial camel's back...
The Equifax thing didn't result in regulation and that was an actual scandal with real ramification not a pile-on by a press seeking to vilify an ad financed competitor.
Funny how the Times is using silly metafilter vernacular now:
"the consumer surveillance model" -- it's the same business model that's been supporting news publication for more than a century.
As for the GDPR it's similar to the recent digital tax proposal and numerous other initiatives by the EU intended to attack US businesses, the US government doesn't share that motivation and it must condemn and push against these EU actions.
>It's the same business model that's been supporting publication for more than a century.
I think there's an enormous difference between advertising in print, advertising on the internet, and what is currently the status quo, which is active surveillance of all information consumed and every movement that individuals make across the internet and in the real world by data linked through GPS/ cell phone location, credit card purchases, etc.
I'm aware that this is the new reality, but comparing it to print advertising (or even pop up ads of the early internet) is disingenuous at best.
> comparing it to print advertising is disingenuous at best.
Right. First, print advertising could only target the entire subscriber base. Second, they had a limited amount of data on you based on voluntary surveys and census tracts, not a list of every single thing you read, and where you are every minute of every day. Finally, print publications actually cared about reuse/misuse of their address lists. The list they sold you would include some addresses they controlled, so if you resold or reused it, they would catch you.
There are ways to deliver effective ads with a whole lot less surveillance.
I think western countries are finally realizing that there are national security implications to having all this information about their citizen’s private lives available for the asking.
The kgb would have dreamed about having this much intelligence on the American public and thanks to Facebook, the fsb could get it through a stupid personality quiz.
Guys, seriously. Why is this a surprise for people? Facebook is a corporation that literally lives from analysing and selling data about everyone, even people who have not signed up for Facebook, WhatsUp or Instagram accounts.
Facebook android application asks you for the following permissions when you install it:
This app has access to:
Device & app history
retrieve running apps
Identity
find accounts on the device
add or remove accounts
read your own contact card
Calendar
read calendar events plus confidential information
add or modify calendar events and send email to guests without owners' knowledge
Contacts
find accounts on the device
read your contacts
modify your contacts
Location
approximate location (network-based)
precise location (GPS and network-based)
SMS
read your text messages (SMS or MMS)
Phone
directly call phone numbers
read call log
read phone status and identity
write call log
Photos/Media/Files
read the contents of your USB storage
modify or delete the contents of your USB storage
Storage
read the contents of your USB storage
modify or delete the contents of your USB storage
Camera
take pictures and videos
Microphone
record audio
Wi-Fi connection information
view Wi-Fi connections
Device ID & call information
read phone status and identity
Other
download files without notification
adjust your wallpaper size
receive data from Internet
view network connections
create accounts and set passwords
read battery statistics
send sticky broadcast
change network connectivity
connect and disconnect from Wi-Fi
expand/collapse status bar
full network access
change your audio settings
read sync settings
run at startup
reorder running apps
set wallpaper
draw over other apps
control vibration
prevent device from sleeping
toggle sync on and off
install shortcuts
read Google service configuration
It does literally ask you to grant access to your text messages and call logs. Why would anyone expect Facebook NOT to use that data? You all cant be such native, right?
The problem is not allowing a company access to your data. The problem is how it's used.
Just because you allowed another company to handle your data should not give them carte blanche to do whatever with it they want.
This is exactly why Europe created the GDPR.. to prevent your personal data from being processed by companies in unintended ways, or sharing your information with 3rd parties without your consent, and heavy fines for breaking these rules.
Just allowing a company access to your data and giving up at that point is the attitude that people are trying to change, because that's not the way the world should work.
Maybe we should pause and think what value does Facebook provide to the users? Is that value worth the $400B? Given how much we are connected through all kinds of channels, the answer is a clear no. Sure you can say their advertising business is worth that, but if they don't provide their users that much value it's not going to last.
This is definitely the right attitude, and I’d add the critical step of talking about these issues with people who don’t know about them. It’s frustrating, it can be alienating and it definitely takes time, but it can pay off. Nothing beats building a useful tool (like Signal), but even useful tools require publicity.
Yes the "ad-supported internet" may be at risk. So what? Is it unreasonable to think that this model might not actually be sustainable long term?
Why should this business model be any less vulnerable than any other business model? Note to Big Tech - public opinion also has the power to "disrupt."