Hacker News | sandstrom's comments

One thing that strikes me reading this, is that the only thing that's changed is that Google won't disallow it. But I think it would make more sense if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google for not enforcing things for them.

There is a subtle but important difference here.

If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake. You'll just be shut out of your bank/advertising/electricity for doing something "wrong".

If instead UK ICO would bring a legal case against an individual or company applying fingerprinting (and I'm no advocate of fingerprinting, but that's besides the point) then they can defend themselves in court.


> if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google for not enforcing things for them

Google isn't just a hapless bystander here, they are enabling and profiting from the practice. Big tech companies all build these billion people villages and heavily tax every person inside but when "outside law" is broken then "outside authorities" should fix it for free.

The rules could be simple: you have a problem in your village, either you enforce the laws there, or national authorities will do it and charge you (the company) for the service.

When Amazon allows any of the millions of ephemeral clone-storefronts to sell shady or illegal stuff, would you rather have the authorities spend years chasing ghosts or have Amazon change their rules to make sure such illegality and abuse aren't possible in their marketplace?


> When Amazon allows any of the millions of ephemeral clone-storefronts to sell shady or illegal stuff, would you rather have the authorities spend years chasing ghosts or have Amazon change their rules to make sure such illegality and abuse aren't possible in their marketplace?

I'm fine with a law saying Amazon is liable for fake storefronts etc. Sounds reasonable. I'd also favor requiring e.g. Uber or Airbnb to provide authorities with data to prevent tax fraud from operators in such marketplaces.

But to me saying Google's advertising product should enforce how the individual websites work [fingerprinting], is to me more in the direction of "an electricity provider should enforce how people live their lives in any home provided by such electricity…"


> Google's advertising product should enforce how the individual websites work

"Google's advertising product" should do no such thing, the websites can go right ahead implementing whatever they dream of. Google "the company that develops the OS for my phone and the web browser" on the other hand is responsible for what tools and features it gives to those websites or apps to use on my device and without my explicit permission.

For example Google doesn't allow them to have root on your device, or covertly activate your microphone or camera. Why aren't you asking "who's Google to police what websites can do with my device, camera, and mic"?

> is to me more in the direction of "an electricity provider should enforce how people live their lives in any home provided by such electricity…"

Quite the opposite, Google or the electricity provider should enforce nothing on you or me. The analogy is more like the electricity provider allowing anyone to access information about what you do using that electricity. Why would the electricity provider have access to that information in the first place, and why would they be allowed to create interfaces that share that info with their partners?

If you're fine with Google allowing sites to collect this information from you, would you also be fine if your electricity provider allowed sites to collect info about how you use the electricity?


> But to me saying Google's advertising product should enforce how the individual websites work [fingerprinting], is to me more in the direction of "an electricity provider should enforce how people live their lives in any home provided by such electricity…"

That's a wild analogy.

You're talking there about what I do in my home without impacting anyone else.

With google here we're talking about companies tracking users in a way likely to be illegal.

> But to me saying Google's advertising product should enforce how the individual websites work [fingerprinting],

This is about the advertisers.


I completely disagree, and I'm someone whose interests would be best served by agreeing with you (my marketing agency spends a lot on advertising, and if the ad platforms don't have to enforce this sort of bad behaviour from other advertisers then prices could potentially fall as their expenses would)

Google's ad network isn't just dumb pipes for information like an ISP or an electricity provider, they're actively charging companies money in order to send whatever information to be displayed and code to be executed those companies want them to onto the screens of people that they're actively targeting. It should absolutely be Google's (or whatever ad network's) responsibility to not allow bad actors to use their services to spread viruses/malware, nor to allow even worse privacy evasion that they're already doing themselves such as allowing fingerprinting.


Isn't Google's relevancy here a result of their connection to the Chrome browser? The analogy vis-à-vis electricity is more like a vacuum cleaner manufacturer than power provider, although even that's weak because this is fundamentally about personal information being miscategorized as a commodity.


This lacks nuance.

In many jurisdictions, you can be charged for not reporting someone else's crimes.

Even if Google should not be responsible for other sites doing [fingerprinting], the fact that they are enabling it should make them liable.

I don't think this is needed via ICO or via laws, to be clear. This can be a simple lawsuit. That's the right way to do things.


> In many jurisdictions, you can be charged for not reporting someone else's crimes.

Source? At least in the US, "duty to report" is limited to stuff like suspected child abuse.


> Google isn't just a hapless bystander here

Google literally added all of the random APIs into Chrome that fingerprinting depends on.

If you trust Google then they are a bystander. If you don't then they orchestrated this entire situation over the last decade or so in order to cement the dominance of their advertising business.


Most of those "random APIs" have good reasons for being there that have nothing to do with fingerprinting. For instance:

Your browser needs to be able to render text in different fonts, which means that without paranoid design (and maybe with it) code running there can tell what fonts you have installed.

A web app may want to tell you when something happened in your time zone even though it happened somewhere else. So there's value in having code running in your browser be able to tell what time zone you're in.

Different browsers, and different versions of the same browser, have different bugs. So there's value in letting code running in your browser know what version of what browser you're running. (Note that this information has been exposed by browsers, though not always very honestly, since before Google even existed.)

Browser/device fingerprinting has been possible since before Google ever shipped a browser.

I wouldn't be surprised to learn that Google has made design decisions in Chrome motivated by not making fingerprinting too difficult. I also wouldn't be surprised to find that they've done the exact reverse. Maybe they've done both. But the possibility of browser fingerprinting isn't the result of some galaxy-brained conspiracy by Google; that was there all along because when browsers first gained the ability to run code the people building the browsers never thought of the danger, and by the time someone did it was already too late.


What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting? They literally say in this guidance that they consider it against the regulations for companies to do this even though google now allows it. Having dealt with regulators a fair bit that’s pretty much as clear cut a warning as you can get that they will go after people who do this. Now, will they be fast? No. Will they go after the worst offenders? Maybe, maybe not. Will they only do it if someone makes a complaint? Perhaps. But this note is literally them saying to companies “don’t think you can do this just because google now says it’s ok”.


> What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting?

Not enough staff in ICO to bring these cases. All the capable people earn much more in private sector (banking/finance) in London.


> What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting?

The vast majority of consent flows ("cookie banners") out there are not compliant and they do absolutely nothing about it. It's very unlikely this would be any different.

The ICO is all bark and no bite.


I really don't understand this comment. They're not expecting google to enforce anything, and they are talking about going after individual companies.

> If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake

Companies are in no way stopped from fingerprinting just because of google.

> When the new policy comes into force on 16 February 2025, organisations using Google’s advertising technology will be able to deploy fingerprinting without being in breach of Google’s own policies. Given Google’s position and scale in the online advertising ecosystem, this is significant.

This seems like a very reasonable statement, no?


I guess it depends on what you read into it.

But when I read this it seems like they are unhappy with Google no longer enforcing their view of fingerprinting:

    We think this change is irresponsible. [...] We are continuing to 
    engage with Google on this U-turn in its position and the departure it
    represents from our expectation of a privacy-friendly internet.


Yes, they call it out as a bad change and are making a statement that it will be hard for companies who use this to justify it.


They (ICO) are saying two things: they're saying that regardless of Google's policy they will go after companies they find to be using fingerprinting to bypass a user's right to privacy (this is the part you've focussed on), and they're also saying that Google should cancel this change and return to having it banned as their policy, with the implication that Google actively polices their own policy and would therefore prevent people from doing fingerprinting without ICO having to get involved (which is what the person you originally replied to was focussing on).

Their comment that you said you didn't understand made complete sense in the context of that aspect of the ICO's post, but you seemed to not see a link between the ICO wanting Google to reinstate the ban and seeing that as Google policing that subject on their network.


> and would therefore prevent people from doing fingerprinting without ICO having to get involved (which is what the person you originally replied to was focussing on).

But that simply isn't true in the broad sense. It would stop some or even a large number of people from doing it in one area, but it doesn't stop it happening.

> but you seemed to not see a link between the ICO wanting Google to reinstate the ban and seeing that as Google policing that subject on their network.

I obviously see the link there.

The comment said several things, which really doesn't line up with the post. It accused the ICO of going after google rather than businesses and said that stopped businesses being able to test it in the courts.

However businesses can implement fingerprinting, the ICO can act and this can be tested.

The comment likened this to bullying companies into enforcing policies, and said it left them with no legal recourse. But there are no threats, no action from the ICO against google (except "will engage with google"), businesses can still implement these things and it can go to court.

Let's go through it and why I don't understand their point.

> One thing that strikes me reading this, is that the only thing that's changed is that Google won't disallow it.

Yep, this is right, google are changing a policy which will give a lot of businesses the ability to do something that the ICO thinks is extremely unlikely to be lawful.

> But I think it would make more sense if the ICO actually just went after the companies doing fingerprinting directly,

This is what they're saying they'll do.

> instead of being angry at Google for not enforcing things for them.

Angry seems like an odd statement here. They call it irresponsible, and I think they justify that. I think they could go further, since this will likely result in google profiting.

> There is a subtle but important difference here.

> If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake. You'll just be shut out of your bank/advertising/electricity for doing something "wrong".

> If instead UK ICO would bring a legal case against an individual or company applying fingerprinting (and I'm no advocate of fingerprinting, but that's besides the point) then they can defend themselves in court.

And as I say there's nothing stopping this getting tested in court.

This is a pretty bland post. It's the ICO saying there's a change coming and a warning to businesses that this doesn't mean it's actually allowed, just that google will stop banning it on their network. They're saying they'll come after businesses breaking the rules.

What should they have done? Posted nothing? Not mentioned google?


Two separate issues. There needs to be regulation to stop Google from doing or allowing fingerprinting, and there also needs to be regulation to help people against one-sided decisions like that.

You don't get to be that big and make your own rules.


That's the problem with allowing a company to reach and keep a dominating market position. You need to involve them in regulation enforcement. In a fair market Google could rightfully say that's none of our business.


> it would make more sense if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google

I think it’s quite the opposite - Google enabling illegal use of their services should make their offering unfit for market. Being a monopolist in the space, it’s Google’s responsibility to ensure users are safe when exposed to their services.


This just doesn't make sense. Google won't disallow fingerprinting on companies using ITS advertising technology. I think accountability gets exhausted pretty quickly on this just by thinking about the implications. If UK gov (or any other) enforces a blanket ban on google ads to prevent this problem, where exactly does the issue lie? This is not like someone selling syringes being accountable for someone putting toxins into the syringe, this is someone who already has a line into a main blood vessel saying they won't prevent someone from putting toxins in. Big, Big difference: they have the privilege of access and won't prevent other people abusing it. This is on google, pure and simple.


There's a gazillion companies outside UK legislation; if they only went against companies doing fingerprinting, only those subject to their legislation would refrain from doing it.

Having Google forbid it makes a lot of sense.


That argument works better against having Google be the enforcer than in favour: Google's rules are (as I understand it in this case) global, so why should the UK's rules be made to apply to, say, a Japanese-language-only app sold only in Japan?

(For all I know Japan has similar rules, the point isn't the specific country, but that this would be the UK projecting power internationally that it shouldn't be).


Google can choose to only have it against the rules for adverts served to UK (or UK and EU and any other country with strong privacy laws), and still have better ability to target the bad actors (as they can choose to either fully ban, or just ban from advertising to those countries, any company that breaks the rule regardless of whether they're in or outside ICO's jurisdiction).


About 160 countries in the world have EU-style privacy law. USA is an outlier.


I suppose this is why we need to break up Google, so even the most unaware person on the world can realize that they are the biggest advertising network on the planet. THEIR PRODUCT IS ADVERTISING. TARGETED ADVERTISING. This is what they do. That is where their money is made.

What business do you think Google is in?!


> But I think it would make more sense if the ICO actually just went after the companies

The majority of online advertisers are small-medium ecommerce brands.

There is no chance ICO would go that route.


I have no opinion about this particular case at hand, but decades of observations of how governments, esp. in Europe, "regulate" IT by targeting a few big players, with Google always first in line despite that company having been _historically_ the most careful with users' data, have convinced me that this has little to do with protection of citizens' privacy and much more to do with forcing those all-encompassing corporations to cooperate with governments' own surveillance agendas.


Firstly, regulators go after the big players because they have finite resources and that’s the easiest way for them to have a lot of leverage, versus trying to play whack-a-mole with thousands of tiny companies who can easily shut down and change name in the event of a regulatory action.

Secondly the idea that google are particularly singled out flies in the face of the significant actions by european data regulators against meta and all the other big tech companies.

Thirdly the idea that google are particularly careful with users data is pretty laughable.


> the idea that google are particularly careful with users data is pretty laughable

Either you don't know what you are talking about, or we attach very different meanings to some of these words. Let me rephrase: of all companies, institutions or associations that I've been able to glance at from the inside in my already quite long career, Google was by far the one where user data was the most secured, from illegitimate access from the outside world and from the employees alike.

Also, of all the big internet corporations, I've read many stories about facebook or microsoft (amongst others) cooperating with the most repressive regimes. On the rare occasions where I could read about some big corp preferring to lose a market rather than user trust, each time it was either Apple or Google. Granted, it was many years ago; but already back then Google was regularly presented by EU "opinion makers" as the most evil of corporations.

Witnessing this and the ensuing downward trajectory of morale in big IT corporations, I half-jokingly developed the theory that maybe corporations are like little children: they behave just as well as they are expected to. If you constantly tell them that they are immoral and stupid, then they become just that.


Another interesting Rust-based Javascript bundler is Oxid / OXC.

- https://github.com/oxc-project/oxc

- https://oxc.rs

It's also what Rolldown (https://rolldown.rs/about) is basing their in-development bundler on.


I've started using Mise for some stuff at work. Haven't dug in a lot yet, but it looks really promising.

https://mise.jdx.dev/

It handles task running (wipe local test db, run linting scripts, etc), environment variables and 'virtual environments', as well as replacing stuff like asdf, nvm, pyenv and rbenv.

Still somewhat early days; tasks are experimental. But it looks very promising and the stuff I've tried so far (tasks) works really well.


I second mise, it's been a nice replacement for direnv, asdf and makefiles for my use case. Much faster, still compatible with the old configuration files when needed and all in one tool for the new projects. Awesome.


Yes, also definitely a big vote for Mise.

I’ve switched recently from asdf for managing language & tool versions and the ergonomics are much nicer (eg one command vs having to manually install plugins, etc., more logical commands). It’s also noticeably faster.

Regarding the env vars features, a couple of relevant Mise issues around people trying to integrate env var secrets using SOPS, 1Password, etc.

- https://github.com/jdx/mise/issues/1617

- https://github.com/jdx/mise/issues/1359


Seconded. I changed from pyenv to mise because pyenv was slowing down my shell startup (probably the shims, which mise doesn't use by default), and I'm slowly using mise for more stuff. Right now, I'm using it to auto-turn on virtual environments and add project scripts to the PATH, and it works very well.

I haven't felt the need to use it as a task runner yet, but that's probably because I'm used to having a bunch of shell and Python scripts in a `scripts` folder.


Add another vote for mise. For me it replaced asdf, pyenv, poetry, and direnv. Biggest thing for me is it _just works_:tm:.


I use asdf at work and mise at home. I only use it for runtime version management and it’s great!


Not sure if this works with artifacts pushed to GHCR (Github Container Registry), for example Docker containers. I think not.

But it's still a good step towards more integrity in the software supply chain.

    We’re thrilled to announce the general availability of GitHub Artifact Attestations! Artifact Attestations allow you to guarantee the integrity of artifacts built inside GitHub Actions by creating and verifying signed attestations.


It does! As long as it was _built_ inside Actions (source: am one of the authors).


I see it in the readme now, interesting!

A question out of curiosity:

Would you say that this is still a good fit for company-internal docker images?

I.e. a packaged rails app that's deployed in production using docker (to basically verify that we only deploy images built in CI [Github Actions])

Or would something more lightweight, like the Notary project[1], be a better fit for internal use?

(I know signing and provenance are different things, though for internal purposes, we can kind of infer provenance from just seeing a signed container, assuming we've locked down the build environment properly)

[1] https://notaryproject.dev/docs/quickstart-guides/quickstart-...


Some thoughts:

- Make the scrubbed headers configurable (if it isn't already). For example, our token header is called `X-Session-Token` and is passed on every request. Would your current regex scrub this?

- Maybe clarify that the seat (pricing) is for recorders, not for people viewing them (which I think is a reasonable choice).

- Would be nice to configure auto-deletion of Jams after X days. We'd probably go with 180 days.

- Would be neat if the Sentry integration had configurable fields (at the team level set which ones are visible, and set fixed values for some of them). For example, I don't want anyone to set the project (that's the triage step in Linear), and I want only some teams to be selectable, I'd like to skip the 'effort' altogether, etc.

- Make it possible to configure the text body of the Linear issue, with placeholders for content. For example, we'd like to skip the full-screen (non-cropped), maybe show window size or add other metadata that is often relevant to us.

One question:

- For integration with Linear, you are asking for write access to the workspace. Maybe explain why that's needed, and what it means? Same for read (though this seems more reasonable, an explanation would still be useful)


[I work at Jam]

- Yep, your header would be scrubbed by our default definition. And also: yes definitely, configurable scrubbing is on our radar/an inevitability. Sensible defaults have been our goal, but we're definitely aware that any given keyword may be sensitive to one company but not to another! (e.g., an address in the context of a healthcare org's patients may be sensitive, but likely wouldn't be considered sensitive for an MLS search product)

- Re: Sentry — Makes sense! There's likely a lot of team-level configuration we can add for integrations over time

- Re: Linear — that's a good question. We used to have much deeper integration with some third parties, so I think we may be able to tighten up some of those scopes. I created a ticket for us to follow up on this, thank you!


Quick follow up on the integration with Linear: just confirmed that we do not need write scopes on the workspace. The fix will be in production by next week :)


Great, thanks!

I made a mistake in my comments above:

I meant to write "Would be neat if the *Linear* integration had configurable fields (at the team level set which ones are visible, and set fixed values for some of them). For example, I don't want anyone to set the project (that's the triage step in Linear), and I want only some teams to be selectable, I'd like to skip the 'effort' altogether, etc."


Key features mentioned in the release notes are:

    - Bloom filters for queries ('needle in haystack' problem)
    - Native OpenTelemetry support
    - Updated helm charts
    - Lambda/Promtail support dropping labels
    - Docs improvements

Personally, I'm thrilled that the problem with high-cardinality labels will [hopefully] get addressed after 6 years (that's the top item, with bloom filters).

The architecture Loki has chosen is great for keeping costs down and using simple blob storage (S3) for data. However, it makes it hard to quickly query unique keys such as trace IDs or user IDs. But bloom filters will hopefully do the job.

I raised the needle in haystack problem back in 2018, so it's great to see this landing:

https://github.com/grafana/loki/issues/91

For anyone that's curious, Bloom filters are a clever technique:

https://en.wikipedia.org/wiki/Bloom_filter
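To make the "needle in haystack" point above concrete, here is an added illustration (not Loki's own code, and not from the commenter): a toy per-chunk Bloom filter index over trace IDs, so a query for one ID reads only the chunks whose filter answers "maybe". The chunk names and log lines are constructed sample data; the sizing formulas and double-hashing scheme are the textbook ones.

```python
import hashlib
import math
import re


class BloomFilter:
    """Bit array probed at k hashed positions: 'absent' is certain, 'present' means 'maybe'."""

    def __init__(self, expected_items: int, fp_rate: float = 0.01) -> None:
        # Textbook sizing: m = -n*ln(p)/(ln 2)^2 bits and k = (m/n)*ln 2 hash functions.
        n = max(1, expected_items)
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: k indices derived from one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so every bit is reachable
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


TRACE_RE = re.compile(r"\btraceID=([0-9a-f]+)\b")

# Constructed sample: four stored log chunks (the haystack). traceID is high-cardinality,
# so it is deliberately not a stream label; it only appears inside the line text.
CHUNKS = {
    "chunk-0001": ['level=info traceID=a1b2c3 msg="GET /login 200"',
                   'level=info traceID=d4e5f6 msg="GET /health 200"'],
    "chunk-0002": ['level=warn traceID=0badf00d msg="POST /api/orders 429"',
                   'level=info traceID=77aa88bb msg="GET /static/app.js 304"'],
    "chunk-0003": ['level=error traceID=c0ffee11 msg="POST /api/pay 500"',
                   'level=info traceID=c0ffee11 msg="retry scheduled"'],
    "chunk-0004": ['level=info traceID=deadbeef msg="GET / 200"'],
}


def build_index(chunks):
    """One small Bloom filter per chunk, fed with the trace IDs found in that chunk."""
    index = {}
    for chunk_id, lines in chunks.items():
        ids = {m.group(1) for m in map(TRACE_RE.search, lines) if m}
        bf = BloomFilter(expected_items=len(ids))
        for tid in ids:
            bf.add(tid)
        index[chunk_id] = bf
    return index


def query(chunks, index, trace_id):
    """Return (matching_lines, chunks_scanned): only chunks whose filter says 'maybe' are read."""
    needle = re.compile(r"\btraceID=" + re.escape(trace_id) + r"\b")
    matches, scanned = [], 0
    for chunk_id, lines in chunks.items():
        if not index[chunk_id].might_contain(trace_id):
            continue  # no false negatives, so this chunk can be skipped without reading it
        scanned += 1  # a false positive costs one wasted scan, never a missed line
        matches.extend(line for line in lines if needle.search(line))
    return matches, scanned


def no_false_negatives(n: int = 50) -> bool:
    """Property check: every inserted item must still be reported as 'maybe present'."""
    bf = BloomFilter(expected_items=n)
    for i in range(n):
        bf.add(f"id-{i}")
    return all(bf.might_contain(f"id-{i}") for i in range(n))


if __name__ == "__main__":
    idx = build_index(CHUNKS)
    for tid in ("c0ffee11", "ffffffff"):
        lines, scanned = query(CHUNKS, idx, tid)
        print(f"{tid}: {len(lines)} line(s), scanned {scanned} of {len(CHUNKS)} chunks")
```

The filter can only skip chunks, never hide lines: a false positive means one extra chunk is read, which is why the index is cheap to keep alongside blob storage.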


Yeah, but gaining trust with benign patchset would be the first step.


    The goal is to use a standardized test framework to ease writing of tests in XZ.
    Much of the functionality remains untested, so it will be helpful for long term project stability to have more tests

    -- Jia, 2022-06-17

This was a long time in the making.


I think the liberal immigration policy might play a role here. Sweden has taken in a huge number in the past 15 years; twenty percent of the population are immigrants.

Obviously, most of them are not criminals. But on a group level, they are more likely to commit crimes. About 2x compared to Swedes, after adjusting for income, age and education (it's higher before adjusting, obviously).

Digging deeper, there are large differences between groups.

For example, men (compared to women) are much more likely to commit crimes. Another factor that stands out is geography. People from East Asia have similar crime rates as Swedes, while people from Africa are 5-10x as likely to commit crimes (compared to Swedes).

This holds for most categories, including violent crimes, sexual crimes and a bunch of other groups.

Here is the landing page from the Swedish National Council for Crime Prevention, a governmental agency:

https://bra.se/publikationer/arkiv/publikationer/2021-08-25-...

Here is the report with the data mentioned above:

https://bra.se/download/18.1f8c9903175f8b2aa70f6df/163110731...


Yeah. It is important to point these things out, despite quite a few people wanting to suppress this information.


JPEG XL is awesome!

One thing I think would help with its adoption, is if they would work with e.g. the libvips team to better implement it.

For example, streaming encoder and streaming decoder would be the preferred integration method in libvips.

