[HN Gopher] Grindr EUR6.5M fined for not collecting users' valid...
___________________________________________________________________
Grindr EUR6.5M fined for not collecting users' valid consent for
sharing data
Author : j_san
Score : 212 points
Date : 2021-12-23 10:57 UTC (12 hours ago)
(HTM) web link (gdprhub.eu)
(TXT) w3m dump (gdprhub.eu)
| crazy1van wrote:
| Unfortunately, data collection and data sales (either of the data
| directly or via targeted ads) is how many modern internet
| companies generate revenue. It's easy to claim that they should
| just charge money directly for their product but their would-be
| customers seem to rather pay with their data than a monthly fee.
|
| In fact, anecdotally, it's often the vocal critics of data-funded
| tech companies who post an archive.is version of every paywalled
| article.
| xemoka wrote:
| Oh man, that's such a false equivalency. Because someone thinks
| journalism should be done in the open, particularly when the
| topic of commentary, doesn't mean they want their private
| information (location, sex partners, whatever) sold to the
| highest bidder without their informed consent.
| cblconfederate wrote:
| that is attacking a strawman that the comment did not make.
| It IS a paradox that people want information to be free but
| not if other people use it for advertising.
| tmarice wrote:
| Grindr is incorporated in the US, I'm not sure how they plan to
| enforce this fine.
| kristopolous wrote:
| IANAL but the lawyers I've worked with have said unpaid
| violations lead to cutting off business relations until fines
| are satisfied.
|
| I'm sure it's more complicated but the general idea is economic
| coercion.
|
| Now given that, the class of proximity based apps are all
| regional (such as dating, dog walking, delivery, etc).
|
| I have no idea if Grindr has a market penetration in Europe to
| make it worthwhile. Companies have been known to completely
| vacate markets instead of honor fines or fees.
| fulafel wrote:
| Maybe someone from Norway can pitch in about how this works.
|
| Even though Norway is not an EU country, it's part of the EEA
| and various other treaties with the EU and hence they ended up
| implementing GDPR, it seems possible that they end up
| having authority to enact EU/EEA wide enforcement actions.
| simion314 wrote:
| >Grindr is incorporated in the US, I'm not sure how they plan
| to enforce this fine.
|
| You put the company on a black list, then banks or other
| companies in EU or that have business in EU can't send them
| money or work with them, I am assuming they offer some
| subscriptions and other paid features so the banks not working
| with them will hurt.
| ryanlol wrote:
| As if grindr doesn't collect any payments in Europe or have
| executives who enjoy their ability to travel.
| leodriesch wrote:
| The EU operations of Grindr have to follow European laws and
| will therefore have to pay the fee or leave the European
| market.
|
| If they won't leave or pay, the EU could possibly force app
| stores to remove the app from their region or something
| similar.
| keewee7 wrote:
| Maybe it's time that frameworks like Django and Rails make it
| easier to be GDPR compliant from day 1. ASP.NET Core has APIs and
| templates for this:
|
| https://docs.microsoft.com/en-us/aspnet/core/security/gdpr?v...
| nlitened wrote:
| Maybe it's time companies stop hoarding and reselling users'
| personal data.
|
| These built-in templates for cookie popups are a joke, IMO.
| donarb wrote:
| > Maybe it's time that frameworks like Django and Rails make it
| easier to be GDPR compliant from day 1
|
| The first step in being GDPR compliant is not installing a
| tracking library in your project. Web frameworks have no
| control over that.
| vorticalbox wrote:
| 6,500,000 NOK is $734,246 or £546,715
|
| Edit: top of the article had an incorrect amount.
| arendtio wrote:
| Last sentence under 1.2.4.3
|
| > As such, it considered that a fine of EUR6,500,000 (NOK
| 65,000,000) was appropriate and dissuasive.
| dustymcp wrote:
| It was euro ?
| pluies wrote:
| At the time of writing, TFA mentioned a fine of 6,500,000NOK
| in the first paragraph rather than 65,000,000NOK - probably
| where the confusion comes from.
|
| The HN headline is also "wrong" (or at least imprecise) - the
| fine amount is in NOK, so the euro figure is ~6.418 million
| depending on exchange rates.
| detaro wrote:
| you missed a zero.
| bonyt wrote:
| 65,000,000 NOK is 6,492,207 EUR
| Izmaki wrote:
| The article brief had a 0 too few at first, but it has since
| been corrected.
| [deleted]
| Agamus wrote:
| "Seeing as data is indeed a commodity, we'd like some money
| also."
| jacquesm wrote:
| That's a complete misrepresentation of the way this fine has
| been structured.
| vmception wrote:
| Brings a more coherent meaning to Value Added Tax
| gr4yb34rd wrote:
| The thing that always bothered me most about Grindr is the fact
| they do not allow any connectivity from VPNs, even if you have an
| upgraded account. This doesn't seem to jive well with the need
| for privacy or anonymity in places where it's dangerous to be
| gay.
| switch007 wrote:
| Works with Mullvad (most of the time)
| mistrial9 wrote:
| From a systems point of view, the "boiling over" of agitated
| Grindr's data is no surprise as the source of obvious data abuse,
| similar to the way that the data on compulsive gamblers is used
| and abused, I suspect. Yet this is only a tip of an iceberg.
|
| In My Own Opinion - this "surveillance capitalism" is a huge,
| stinking cancer on free society and is only getting started..
| history will show this is absolutely true. "I have nothing to
| hide" people can get a free Grindr subscription for all I care..
| this is a rotten situation.
| Hamuko wrote:
| The most surprising thing about this to me is that Norway, which
| is not in the European Union, is also enforcing GDPR.
| lutoma wrote:
| As far as the average person is concerned, EEA members like
| Norway are practically in the EU. You've got free movement,
| open borders due to the Schengen area, and so on. Meanwhile all
| the exemptions from EU law mostly concern comparatively niche
| areas like fishing.
| polote wrote:
| "Although not a member of the EU, Norway is a member of the
| European Economic Area (EEA). The GDPR was incorporated into
| the EEA agreement and became applicable in Norway on 20 July
| 2018. Norway is thus bound by the GDPR in the same manner as EU
| Member States."
|
| https://www.lexology.com/library/detail.aspx?g=34dfb199-c9ab...
| Vespasian wrote:
| Norway is a member of the EEA and often closely aligned with EU
| policies
| breakfastduck wrote:
| I'd say GDPR is generally one of the best things to come out of
| the EU. I would love to see more countries at least align with
| it.
| dade_ wrote:
| Good. Grindr is probably the best example of extremely high brand
| & network value vs shockingly poor security & application
| quality. The company demonstrates zero integrity and needs to be
| shut down or fined to death. It would send a proper warning to
| the industry, though long overdue.
| deepstack wrote:
| Why people use apps website for personal stuff like that is
| beyond me. Just because some hip looking company is making an
| app/website doesn't mean it is secure or good data custodian.
| scrollaway wrote:
| What's your alternative?
|
| Clearly people use the app because the app answers a user
| need. So what's your answer to the user need?
| e0a74c wrote:
| We also got laid before the invention of the smartphone,
| you know...
| officeplant wrote:
| We're also deep in a pandemic where olden times means of
| socialization are pretty restricted. I'm not gonna walk
| into a bar in 2021 to be assaulted by smoke, sound, and
| covid. Just the smoke and sound has been enough to keep
| me out of them for over a decade now.
| e0a74c wrote:
| Each to their own, I guess. I liked our dirty old ways
| and the fact that no Silicon Valley creep could spy on
| our intimate relations.
| denton-scratch wrote:
| Smoking in bars is also forbidden here. Many pubs don't
| play music; and in these COVID times, I often find
| there's just one other person in there, reading a paper.
| officeplant wrote:
| >I often find there's just one other person in there,
| reading a paper.
|
| That sounds pleasant. Smoking restrictions here vary
| greatly on a city by city basis. Unfortunately the bar
| scene in my city likes to pretend we aren't in a pandemic
| and only a few have decided to brave a smaller customer
| base and ban smoking.
| scrollaway wrote:
| And we also lived fulfilling lives before the invention
| of the smartphone, tv, printing press, sewer system or
| agriculture. What exactly is your point?
|
| There's a user need. In this case it addresses the needs
| of a minority that's been, until recently, highly
| oppressed. You don't get to just say "things were fine
| before this existed".
|
| When something imperfect solves a real problem you don't
| get to just say "oh just don't use it", especially when
| it's not a problem YOU have. Talk about privilege!
| e0a74c wrote:
| > You don't get to just say (...)
|
| I get to say whatever I want to say within the confines
| of the law and so do you.
|
| > What exactly is your point?
|
| That it's still possible to get laid without a shady
| middleman/app
| breakfastduck wrote:
| You're suggesting that just 'not using it' is simply not an
| option or?
| dade_ wrote:
| There are alternatives, but due to their bad business
| practices ( such as illegally collecting and selling their
| massive database of user data, and probably things I'd
| never think of) impossible to overtake. Consider existing
| brand awareness, and ongoing massive marketing spend.
| hn_throwaway_99 wrote:
| I highly doubt any of the primary other gay dating apps
| have significantly better data collection practices.
| 999900000999 wrote:
| I think what's particularly scary about Grindr is just how
| much trouble even being on an app like that can get someone
| in. For example, a colleague of mine is from a country where
| being LGBT is not really tolerated, in the United States he
| uses Grindr.
|
| I can imagine an oppressive government buying dating app data
| to blackmail their users. I noticed in the Tinder TOS thread
| people complaining about how impossible it is to meet folks
| in real life.
|
| You can still have friends, friends have friends you can go
| out with. I'd say from a mental health POV you should be
| doing social things anyway.
| morbia wrote:
| With respect, that is easy to say when ~50% of the
| population is a potential partner and is easily
| determinable. When you are gay and the majority of guys are
| straight, finding partners organically is near impossible
| (unless you're in a gay bar or something).
|
| I'm not condoning Grindr's actions or that people shouldn't
| use it with care, but it really has become a key part of
| LGBT networking in the modern era.
| 999900000999 wrote:
| I think it depends on where you are, the city I live in
| has a very large gay scene. So I've had guys just try to
| chat me up while I'm at a restaurant or something, I
| don't mind.
|
| The only time it was a bit weird is when a co-worker told
| me I look like his husband, not okay to say at work.
| morbia wrote:
| Arguing that guys shouldn't use grindr because it puts
| them in danger and then saying they should chat people up
| in real life seems bizarre to me. Even in my fairly
| liberal western country assuming a random guy in a normal
| bar is gay could put me at risk. Why take that chance
| when apps full of gay guys exist?
| cblconfederate wrote:
| As you just said, it is not easy for people to meet
| people in a culture where looks and small talk with
| romantic intent is frowned upon, puts people's jobs in
| danger and is generally already going extinct. Plus
| grindr is used for hookups, and it makes it a lot easier,
| something that does not have a safe equivalent in real
| life.
| satyrnein wrote:
| _a co-worker told me I look like his husband_
|
| A female coworker told me that once, didn't seem that
| weird.
| 3np wrote:
| > not okay to say at work
|
| I wasn't there so I wouldn't know the tone and context,
| which can make a difference but... In general, how's that
| problematic?
|
| Also, strangers talking to you does not mean they're
| sexually or romantically interested in you. Some people
| are just platonically social. Moreso in some places than
| others.
| dade_ wrote:
| To get laid, now. It's impressive in that regard.
| hungryforcodes wrote:
| How else are you supposed to get laid? I don't get this
| comment.
| e0a74c wrote:
| By gauging the situation and, where appropriate, behaving
| in a slightly playful, attentive and flirtatious manner
| towards anyone that catches your fancy (not limited to bar
| patrons btw.)
| secondcoming wrote:
| Grindr is/was considered a poor quality brand from an
| advertising perspective. Nobody wants their ads to appear next
| to graphic images
| hn_throwaway_99 wrote:
| Not true, depending on the product. I'm sure the PrEP ads I
| see on Grindr have no problem advertising on a gay hookup
| app.
|
| But more to the point, Grindr got in trouble specifically for
| selling data to advertising networks presumably so they could
| also be targeted _outside_ Grindr. Knowing someone's sex,
| sexual orientation, location, age and hobbies is great
| targeting data.
| secondcoming wrote:
| Fair enough, but Grindr was on every agency blacklist I
| came across when I worked in adtech.
| bonyt wrote:
| For those confused about the fine amount, here is the quote from
| the original source:
|
| > In light of all the relevant criteria of Article 83 described
| above in sections 6.3-6.4, we consider that the imposition of a
| fine of NOK 65 000 000 is effective, proportionate and dissuasive
| in the present case.
|
| https://www.datatilsynet.no/contentassets/8ad827efefcb489ab1...
|
| This is approximately 6.49M EUR.
| Hamuko wrote:
| Originally they were going for a 100,000,000 NOK fine, but
| lowered it down to 65,000,000.
|
| > _The NO DPA reviewed the fine announced in its draft decision
| (10,000,000 EUR) on the basis that the revenue of Grindr (seems
| to-this part is redacted) seems different and that Grindr has
| made with the aim to remedy the deficiencies in their previous
| CMP._
|
| Draft decision:
| https://gdprhub.eu/index.php?title=Datatilsynet_-_DT-20/0213...
| tgsovlerkhgsel wrote:
| One thing I'm wondering with these fines is whether they are
| actually "dissuasive".
|
| In particular, the revenue limit seems problematic. For a
| "normal" company whose profit margin is a relatively small
| fraction of revenue, 4% of revenue is huge. But for highly
| profitable large tech companies that make money primarily from
| ads, it may not be possible to issue a dissuasive fine if it is
| capped to 4% of revenue. Maybe "4% of revenue, or 200% of profit,
| whichever is higher" would be a better limit.
| jacquesm wrote:
| The first fine, usually not. But that fine indicates that
| regulators have reached a level of pretty serious frustration
| at a company not doing enough. Second fines are at the level
| that you'll be talking about them in the board room on how you
| managed to mess this up so colossally. I haven't seen any third
| fines yet, but I'm pretty sure we'll see one in 2022 or 2023.
| And likely the company that is in luck will go right out of
| business.
|
| And after that I expect compliance will be a much easier
| subject. So far the whole roll-out has been exactly as I
| expected it to be.
| [deleted]
| lobocinza wrote:
| Somewhat related. Not long after creating a Tinder account using
| a unique mail address I received a phishing mail on that
| address.
| denton-scratch wrote:
| > I received a phishing mail
|
| I was on Tinder for about a week. I was receiving dating spam
| for a year - not "a phishing email". Hopefully Tinder will be
| the next up against the wall. They're shameless.
| jacquesm wrote:
| The sooner companies start to realize that personal data is a
| liability rather than an asset the better. Happy to see this
| fine, but as far as I'm concerned given the kind of data we're
| talking about here it should have been higher.
| ryandrake wrote:
| I remember someone here putting it this way: treat user data
| like uranium, not oil. Both are valuable, but you don't want to
| just collect and store an unlimited amount of uranium. Collect
| the bare minimum user data you need to operate your business
| and then dispose of it when it's no longer needed.
| zitterbewegung wrote:
| Great minds think alike.
|
| I've thought of this way in a broader sense.
|
| If you have any data from user data to internal data from
| various LOB it should be: Data is the new uranium.
| cik2e wrote:
| But, to use your analogy, why would companies treat user data
| like uranium when risk/reward is like that of oil?
|
| Grindr surely made much more from data sales than the
| 6.something million Euros it was fined. The paltry fines under
| GDPR do nothing to dissuade this behavior. That's been a
| recurring theme in previous HN discussions on this topic.
|
| Right now, I would posit that these low penalties are for
| show. Governments don't want to lose the economic benefit of
| having these companies operate in the EU and the general
| public can be satisfied that their governments are on top of
| the issue.
| MauranKilom wrote:
| > Grindr surely made much more from data sales than the
| 6.something million Euros it was fined.
|
| ...sure, but they also had business expenses. Fining them
| for all the revenue would more or less instantly kill the
| company, which is hardly the goal.
| cik2e wrote:
| I've got an estimate here that says Grindr is doing 31
| million dollars net on over 100 mil revenue per year. I
| am by no means in favor of running these companies into
| the ground. The fines are definitely a balancing act. But
| it seems at the present moment the expected value of
| breaking the rules is substantially higher than 0.
|
| https://www.reuters.com/article/us-health-coronavirus-ppp-gr...
| jacquesm wrote:
| Wait until they try this again. It may not be the
| Norwegian DPA that acts the next time around, it could be
| the UK DPO, the Dutch AP or any one of a whole raft of
| others, and they'll all take into account that they were
| already fined once before. This fine is level '2',
| apparently you ignored the first warning so now you get a
| major but not crippling fine. The next one will not be at
| that level, there is a pretty clear progression for
| repeat fines.
|
| One case, a hospital first got a warning, then a small
| fine and then a mid six figure fine for a case involving
| a single patient. You can rely on them having learned
| their lesson and that there will not be a third fine.
| jacquesm wrote:
| That's a _very_ good analogy, I like it.
| dfxm12 wrote:
| What does it mean for data to be no longer needed when one of
| your income streams is to sell user data?
| jacquesm wrote:
| If you keep it around to sell then you are likely violating
| the 'legal basis for processing' part of the GDPR. Data can
| only be used for the purpose for which it was originally
| collected, selling the data to others to use without that
| exact same goal can not be such a purpose, and even then
| you will have to be quite careful that you maintain
| control. Various EU data brokers (Schober, for instance)
| have found ways to do this in a controlled manner usually
| by anonymizing the data or by selling it only in aggregate
| form.
|
| But selling it raw with the personal identifying
| information of the data subject is almost always a complete
| no-go.
| adrianN wrote:
| GDPR only requires informed consent to allow selling of
| data as far as I know. Am I wrong about that?
| jacquesm wrote:
| Yes, you are wrong about that.
| yulaow wrote:
| GDPR requires informed consent for ANY type of storing or
| managing any kind of personal data or data which can be
| linked to personal data (eg email which can contain name
| and surname of the person behind an account), and you
| must be explicit on what you do and you cannot give the
| data to another entity without re-requiring consent for
| that specific purpose and declaring who will be exactly
| the new controller of that data.
| SCHiM wrote:
| It means that democratic societies have decided that that
| type of business practice is undesirable, and should go
| away.
| numpad0 wrote:
| I guess the implication is you should market like you would
| for electricity, that is, metered subscriptions only.
| Terry_Roll wrote:
| You can collect as much data as you like, it's what you do
| with it that counts.
| _jal wrote:
| I mean, you can say that about residentially-stored
| explosives, too.
|
| This isn't about what one _can_ do, it is about what is
| prudent. Grindr just learned a lesson about the difference.
| hwers wrote:
| Unless you get a leak and people find out and your
| reputation is ruined.
| phoe-krk wrote:
| I don't think your statement holds true in practice.
| Collecting data that you then don't do _anything_ with, in
| theory or even in practice, is also something that GDPR
| penalizes, since there's no need for you to collect it if
| you claim you don't do anything with it.
| Terry_Roll wrote:
| Not doing something with the data is also a function,
| just like Nulls are a value, so yes you are right that
| collecting the data and not doing anything with it could
| be viewed negatively when up before data commissioners.
| It's interesting watching how the IT industry views GDPR
| and the advice given out by various law firms. You see
| unlike maths which is pure, language is vague and open to
| interpretation, the trick is convincing the decision
| maker ie data commissioner or judge that your
| interpretation is the correct one and not just an
| incorrect herd mentality sweeping the IT industry, which
| you see in the comments posted here and elsewhere.
| [deleted]
| mrweasel wrote:
| Right. It's the storing and sharing part that's a liability.
| leodriesch wrote:
| I think the less data you collect the less impact a leak or
| rogue employee can have.
|
| Imagine if Hacker News would leak its user database. I
| assume there is not much in there, so the impact would
| pretty much be non existent.
| jacquesm wrote:
| That depends. If that user database included IP addresses
| I can see plenty of ways in which it could have major
| impact.
| ftyers wrote:
| I read it on Idlewords:
| https://idlewords.com/talks/haunted_by_data.htm. Pretty much
| all the talks there are fantastic!
| kryogen1c wrote:
| neat, this analogy travels pretty far - user data is
| radioactive.
|
| there's a background amount of radiation. it's everywhere, even
| in higher amounts than you'd expect like bananas and
| airplanes. no amount is safe, but the risks are negligibly
| small when exposure is minimized. concentrated amounts can be
| safe when exposure is controlled and managed with oversight
| programs in place. disasters can be managed with disaster
| programs, but it's still possible that unforeseen problems can
| cause big issues. unregulated handling can poison local
| populations. corporate influence on government can be a
| problem.
|
| what a comparison! there should be an award for this.
| [deleted]
| rvnx wrote:
| Isn't the typical storage and handling for Uranium quite
| safe and even safer than oil ?
|
| Triuranium octoxide (Yellowcake):
|
| Yellowcake is as radiologically harmless as natural
| potassium-carrying minerals or thorium-oxide mantles used
| in paraffin fuel lanterns.
| pessimizer wrote:
| It can't be safer than oil, because nobody who wants to
| make a dirty bomb is trying to steal your oil.
| Kye wrote:
| In this growing analogy, developers collecting data
| mindlessly are descendants of Early Anthropocene humans
| discovering entombed nuclear fuel and not understanding
| or ignoring the dire warnings outside.
| imwillofficial wrote:
| Think nuclear reactors, not yellowcake.
| TheSpiceIsLife wrote:
| Ah, the _linear no threshold_ theory of radiation.
|
| If background radiation is _everywhere_, how can there be
| _no safe dose_.
|
| It's a fun analogy, but reinforces an incorrect assumption.
| kryogen1c wrote:
| > Ah, the linear no threshold theory of radiation.
|
| i wasn't aware this was contested. it's what i was taught
| in the us nuclear navy.
|
| > If background radiation is everywhere, how can there be
| no safe dose.
|
| this is not a self-evident refutation and is a bad
| argument. cancer is the 2nd leading cause of death in the
| US, meaning there is an even higher nonlethal occurrence
| of cancer. this is not all radiation's doing, but it's
| hardly obvious that bathing in radiation your whole life
| is a "safe dose"
| formerly_proven wrote:
| LNT is controversial because there is not enough data to
| support it. The data that we do have doesn't support any
| low-dose model conclusively as far as I know. The upside
| of this is the effects have to be very small, so it
| basically doesn't matter, because the risk of low-doses
| is _effectively zero_ regardless the theory. The problem
| with LNT in terms of science communication is it's easy
| to make it sound as-if the risk isn't effectively zero.
| kryogen1c wrote:
| > it basically doesn't matter, because the risk of low-
| doses is effectively zero regardless
|
| this is exactly what i said in my original comment.
|
| I looked up competing LNT models. TIL about radiation
| hormesis. theoretically, near-zero but >0 levels of
| radiation activate dormant repair mechanisms that not
| only repair radiation damage, but also non-radiation
| damage; this results in a healthier host. interesting.
|
| having thought about this for all of 30 seconds, i wonder
| if both models aren't simultaneously correct. if most
| radiation damage is repairable, activating dormant repair
| mechanisms with tiny amounts of radiation would be a net
| benefit. however, if there exists any possible
| irreparable damage in any cell anywhere on your body
| regardless of otherwise functioning repair processes -
| which i don't know to be true but seems likely - then LNT
| could also be true concurrently with radiation hormesis.
| joshklein wrote:
| The reason there is no safe dose is because even
| background levels of radiation will cause eventual health
| consequences, just not before another cause of death.
| xwolfi wrote:
| Well, depends what safe means. Maybe we'd spend less energy
| in copy redundancy at the cellular level if we weren't
| bombarded non stop?
| dspillett wrote:
| _> If background radiation is everywhere, how can there
| be no safe dose._
|
| Easy: there is no _absolutely_ safe dose.
|
| At normal background levels the chance of it causing you
| significant trouble before something else has long since
| killed you off in some other way is _practically_ zero so
| there is effectively a "safe enough" dose. But if you are
| very very unlucky background levels _could_ cause you an
| embuggerance that becomes life changing or life ending.
|
| It is more complicated than safe doses of most (but
| obviously not all) drugs/poisons/etc, because for most of
| the latter they are purged from your system in fairly
| short order assuming you survive the initial hit, so the
| next hit if there is one of equal strength is likely to
| have much the same effect. Radiation tends to hang around
| a lot longer so repeated exposure to higher levels builds
| up so the safe dose has to be stated "over time" rather
| than being simplified to a fixed dose perhaps related to
| your mass.
|
| There was a village (unfortunately I can't find the
| reference in a quick search ATM) where there was/is an
| unusually high incidence of thyroid cancer which was
| thought to be a genetic pre-disposition as the population
| started from a fairly small gene pool, but is now thought
| to be because the background radiation in the area is a
| bit higher than elsewhere due to the makeup of the local
| ground rocks. The difference is nothing to worry about if
| passing through or visiting regularly, in fact the
| difference is small enough not to be a _major_ concern to
| the locals, but a lifetime of the extra exposure is
| enough to at least be visible in certain health stats.
| rileymat2 wrote:
| Can't it be like playing Russian roulette with a gun that
| has billions of chambers? The gun is always unsafe, but
| you will probably be fine?
|
| The higher the level, the more full chambers?
| aidenn0 wrote:
| That's also the linear no threshold model.
|
| The risk of dying increases linearly with the number of
| bullets you load.
|
| A different model suggests that very low levels are
| either benign or even helpful.
| ziddoap wrote:
| > _A different model suggests that very low levels are
| either benign or even helpful._
|
| Ah, the classic shoot yourself with small caliber bullets
| to build up an immunity against the larger caliber ones!
| api wrote:
| The radiation hormesis idea is controversial but that is
| a bad argument against it. Molecular scale events
| interacting with molecular scale DNA repair machinery is
| a different physical context than bullets.
|
| The body is hit by natural radiation all the time and so
| it has mechanisms for this. Not so much for macroscopic
| projectiles.
|
| The question is how these mechanisms behave and whether a
| small amount of radiation stimulates them... and then how
| much, for how long, etc. It's a complex model with
| multiple systems and feedback loops.
| ziddoap wrote:
| > _The radiation hormesis idea is controversial but that
| is a bad argument against it_
|
| Jokes don't translate well in ASCII, sorry. It's a (I
| thought) well known meme.
| dspillett wrote:
| _> A different model suggests that very low levels are
| either benign_
|
| Nothing in what others have said suggests low levels are
| deadly or even likely to be damaging, at least not over
| the time frame of a human life as defined by the many
| things that can take us out.
|
| _> or even helpful._
|
| A larger amount of something being damaging does not rule
| out a small amount being helpful, there just comes a
| point when the potential danger starts to outweigh the
| potential benefits. Water is very beneficial, necessary
| in fact, but too much of it over a short time will kill
| you.
| emn13 wrote:
| I can't find any solid supporting sources that provide
| any evidence that there exists a positively safe dosage,
| but even the linear-no-threshold models suggest the
| effects of low dosages are small enough to be hard to
| measure; i.e. which model is correct is practically
| irrelevant for low enough (e.g. 1-10 mSv?) dosages.
| datavirtue wrote:
| The data is power and can equate to money quite easily. This
| means that people are not going to handle data responsibly
| unless forced to do so.
|
| Most companies have zero data controls and it ends up getting
| passed around everywhere and saved off by employees for their
| own personal use.
|
| It's like waving money in front of people when you have no
| way to determine if it gets stolen or by whom.
|
| I was raised in a family bookkeeping business that handled all
| of the vital business data for hundreds of clients. Data
| protection and privacy (respect for clients) were always job
| #1.
|
| This came to be my philosophy for all user data in any
| context. A philosophy that very few people share--and the
| rise of the web seems to have reversed any possibility of
| such a philosophy taking hold as user data became a form of
| currency.
| spaetzleesser wrote:
| As usual this fine is not enough as deterrent.
| stackbutterflow wrote:
| What if half of the fine was given to the user(s)?
|
| That way users would have an incentive to sue companies (i.e.
| get rich quick). That way personal data would really have to be
| considered a liability if companies don't want to start giving
| millions to their users left and right.
| GordonS wrote:
| Grindr has around 4 million daily users, and up to 30 million
| registered users in total. Even a fine of this size would be
| meaningless once divided between the users.
| stackbutterflow wrote:
| I meant giving a million dollars per user. People would try
| to sue them en masse. They would have no choice but to be
| very strict about what they do with our data.
| GordonS wrote:
| Give millions of users a million dollars each? That
| seems... not very practical!
| klyrs wrote:
| As much as I want to punish this, the actual outcome of
| heavy-handed fines would probably result in the company
| selling off all its assets... whoops there goes the
| database into the hands of an even less scrupulous actor.
| jacquesm wrote:
| You can't do that without the buyer being subject to the
| same restrictions as the original company.
| charcircuit wrote:
| Or you could see it as operating in the EU is a liability. If
| you don't handle data in just the way they like they will come
| after you.
| darkwater wrote:
| We can live without data hoarding companies, thanks.
| Vespasian wrote:
| Sure, like any law in any place.
|
| EU member states and representatives decided that not having
| certain business models is preferable. Them leaving the
| single market is a welcome result.
| jacquesm wrote:
| The EU is merely leading the way here, you can expect all of
| the developed world to have similar data protection laws on
| the books sooner or later. And if you think that treating
| data in the proper way is hard then you probably shouldn't be
| in business at all. Operating in the EU is not a liability if
| you treat your users' data in a respectful and responsible
| way. Common sense alone would answer your questions on what
| is and what isn't allowed in the vast majority of the cases.
|
| That this doesn't align with the free-for-all that was the
| WWW for the first two and a half decades doesn't change that,
| morality isn't all that hard and each and every company that
| crosses those lines is very much aware of it. These are not
| accidental misinterpretations of the law by any stretch of
| the imagination, they are wilful abuse.
| Mirioron wrote:
| How are websites and apps going to make money though? Like
| it or not, the reason the internet became this popular is
| because of all the free stuff on it. If everything was
| behind subscription fees it possibly would never have taken
| off. I don't think I would've ever used Google if they had
| charged a fee for the service.
|
| This would effectively make political interests entrenched
| even more on the internet, because they'll see it as
| worthwhile to make free services. They get to feed you
| politically slanted ideas - just like free political
| newspapers.
|
| > _Operating in the EU is not a liability if you treat your
| users' data in a respectful and responsible way. Common
| sense alone would answer your questions on what is and what
| isn't allowed in the vast majority of the cases._
|
| Relying on common sense is playing with fire. Common sense
| says that with this many people using the services of these
| companies that people are okay with what these companies
| are doing. That's not what GDPR says and that's not
| something I had any vote on or anything like that.
|
| You might prefer the cable TV model, but I prefer YouTube.
| I like that I don't have to pay anything to go look at a
| large variety of topics. Far more than any paid service
| would ever provide.
| jacquesm wrote:
| Advertising worked fine before tracking. Selling your
| users' data, especially this kind of data is a thing that
| more than negates the value your users derived from your
| service, in some places it might get you killed.
|
| There are many ways for websites and apps to make money,
| and if you can't then maybe you simply shouldn't.
| Mirioron wrote:
| Advertising without tracking doesn't work. Only a small
| set of businesses can really advertise online without
| tracking. Any business that is in a specific area or
| doesn't use English will find it a bad deal, because most
| of their ads will be shown to people who don't understand
| the language or aren't in the area.
|
| Even _with_ tracking ads get the language component wrong
| frequently. Unskippable ads in a language you can't
| understand is even worse than normal.
| jacquesm wrote:
| Many billions of dollars are spent annually on
| advertising without tracking: every ad in print and the
| vast bulk of all radio and TV advertising are not tracked
| at all. The web was the first medium where advertising
| tracking could be done and it is simply an arms race, if
| everybody stopped doing it then it would work just as
| well as it does today (and it would be a damn sight less
| annoying).
| dmitriid wrote:
| > Advertising without tracking doesn't work.
|
| It does.
|
| Moreover, the benefits of tracking _for advertising_ are
| yet to be proven. Can't find it on mobile, but there
| have already been businesses giving up on tracked
| advertising because it had all the efficacy of shouting
| in a sandstorm.
| s1artibartfast wrote:
| >Selling your users' data, especially this kind of data is
| a thing that more than negates the value your users
| derived from your service, in some places it might get
| you killed. There are many ways for websites and apps to
| make money, and if you can't then maybe you simply
| shouldn't.
|
| This is too general of a statement. The majority of
| people in the US don't care about digital privacy and do
| get positive value.
| dmitriid wrote:
| > How are websites and apps going to make money though?
|
| Ah yes. The unsolved issue of businesses making money
| without wholesale collection and sale of user data.
|
| No business ever made money until collecting and selling
| user data became possible.
| Mirioron wrote:
| Except that these are businesses giving away a free
| product which has been _immensely_ useful. Starting out I
| wouldn't have paid for almost any of the services that I
| use on a daily basis.
| dmitriid wrote:
| > Except that these are businesses giving away a free
| product which has been immensely useful
|
| And that somehow makes it okay to collect personal data
| wholesale without consent and sell it to the highest
| bidder?
| charcircuit wrote:
| >And if you think that treating data in the proper way is
| hard then you probably shouldn't be in business at all.
|
| The EU's definition of the proper way isn't a universal
| definition and it conflicts with the way I view that data
| should be treated.
| jacquesm wrote:
| How you view it is irrelevant: it's the law.
| KronisLV wrote:
| > The EU is merely leading the way here, you can expect all
| of the developed world to have similar data protection laws
| on the books sooner or later.
|
| While I do believe in being privacy conscious, I don't
| believe that this will be the case anytime soon (or at
| least until a generational shift happens). No business is
| interested in having to suddenly comply with such
| regulations and essentially no longer being able to utilize
| the data of individuals however they please.
|
| Ergo, corporate interests will probably lead to lots of
| lobbying in this regard, just look at what happened with
| net neutrality and the advertising around it.
|
| > Operating in the EU is not a liability if you treat your
| users' data in a respectful and responsible way.
|
| I think that all of this boils down to profit margins and
| viewing people as just numbers on a sheet somewhere, to
| extract wealth from. Just look at how scummy many of the
| cookie banner implementations are, designers being paid to
| implement as many dark patterns as possible, at least up
| until lawsuits started.
| dmitriid wrote:
| > No business is interested in having to suddenly comply
| with such regulations
|
| jesus christ. enough with this bullshit.
|
| Data protection laws had been a thing in European
| countries for a decade before GDPR.
|
| GDPR itself gave everyone two years to comply.
|
| GDPR was published in 2016, _five years ago_.
|
| There's no effing "suddenly". If this is "suddenly" for
| your business, and your business still hasn't figured out
| how to not collect (and probably sell) user data
| wholesale, your business deserves to be sued out of
| existence.
|
| > Just look at how scummy many of the cookie banner
| implementations are
|
| Yes. And all of those cookie banners are _illegal_ under
| GDPR.
| jacquesm wrote:
| I get you're pissed off but it is probably more
| productive to keep a lid on it and stay constructive.
| jacquesm wrote:
| Think of it as the law catching up with technology.
|
| > No business is interested in having to suddenly comply
| with such regulations and essentially no longer being
| able to utilize the data of individuals however they
| please.
|
| Indeed, hence the need for regulation.
|
| > Ergo, corporate interests will probably lead to lots of
| lobbying in this regard, just look at what happened with
| net neutrality and the advertising around it.
|
| Sure. But since EU citizens will be enjoying those
| protections and US citizens will not eventually this will
| translate into an advantage for companies doing business
| from the EU and into the US. For that reason alone there
| will be a big incentive for the US to make a law that is
| symmetrical to remove this advantage.
|
| > I think that all of this boils down to profit margins
| and viewing people as just numbers on a sheet somewhere,
| to extract wealth from.
|
| This is a big factor, but not the only factor: data that
| is in isolation worthless can become very valuable or
| even dangerous when combined with other worthless or
| innocent data. There are plenty of examples of this. The
| balance clearly lies in protecting consumers from the
| fall-out of these and the more purposeful abuses. This is
| a matter of raising consciousness about what rights you
| already have, not necessarily of giving you new ones.
|
| > Just look at how scummy many of the cookie banner
| implementations are, designers being paid to implement as
| many dark patterns as possible, at least up until
| lawsuits started.
|
| Agreed. The EU did the right thing with the GDPR, it laid
| bare how many companies were outright scandalous in how
| they were dealing with the data that they were entrusted
| with, they were bad stewards and it is good to see this
| level of enforcement because that means that companies
| will wise up to it and find better - and cleaner - ways
| of monetizing their products and services. Once they have
| those they will realize that regulatory capture can be
| theirs if they lobby for these rights to be extended to
| everybody.
|
| The EU is too large a market to miss out on.
| Mirioron wrote:
| > _Sure. But since EU citizens will be enjoying those
| protections and US citizens will not eventually this will
| translate into an advantage for companies doing business
| from the EU and into the US. For that reason alone there
| will be a big incentive for the US to make a law that is
| symmetrical to remove this advantage._
|
| Except it's literally the other way around. EU companies
| will be at a disadvantage because they cannot use the
| data to either improve their service or to monetize it
| in some way.
|
| > _The EU is too large a market to miss out on._
|
| Is it? Then what does that make China and the US? Or the
| rest of Asia? They don't seem to make nearly as many
| rules that require a service to change the entirety of
| their monetization system. If companies have to agree to
| EU terms then why wouldn't they do the same to China?
| After all, it's too big a market to ignore.
|
| The EU keeps making more rules for all kinds of things.
| Eventually this is going to catch up with us - if it
| hasn't already done so. The EU isn't exactly the tech
| center of the world nor does it seem to have a great
| trajectory or bright future. When it comes to tech all we
| seem to have is cars. Everything else is foreign
| developed, designed, and manufactured.
| mmarq wrote:
| > Except it's literally the other way around. EU
| companies will be at a disadvantage because they cannot
| use the data to either improve their service or to
| monetize it in some way.
|
| As if ROHS weren't printed on each single piece of
| hardware produced on the planet.
| Nextgrid wrote:
| > since EU citizens will be enjoying those protections
| and US citizens will not eventually this will translate
| into an advantage for companies doing business from the
| EU and into the US. For that reason alone there will be a
| big incentive for the US to make a law that is
| symmetrical to remove this advantage.
|
| Given the lack of similar regulation in the US despite
| the situation being so bad that unsolicited spam
| subsidises the postal service and that even government
| agencies sell user data I'm not sure there is a desire
| for this from the general population.
|
| It doesn't help that politicians rely on a lot of what
| would breach the GDPR to help their reelection such as
| targeted advertising and unsolicited (and often
| misleading - pretending to be written by the official
| itself) email and phone campaigns.
| dmitriid wrote:
| > Given the lack of similar regulation in the US
|
| CCPA
| bcrosby95 wrote:
| Um, CCPA is a thing. It's not as stringent as GDPR, but I
| would call it "similar" regulation. This stuff tends to
| happen at the state level in the USA.
| jacquesm wrote:
| Politicians are data subjects too. They are in this boat
| right along with everybody else.
| datavirtue wrote:
| I noticed that some companies, increasingly common, are
| throwing up banners that will not go away, and have no
| deny button.
|
| The banner is stuck on the screen and usually has a
| button captioned: Learn more, instead of the cancel or
| deny button.
|
| I just want the damn banner out of my face. How long
| before browsers automatically hide (default deny cookies)
| the banner and give the user a way to expose it if they
| wish?
|
| I feel abused and manipulated as a user when they use
| these dark patterns--which the law, to my knowledge,
| expressly prohibits.
| darrenf wrote:
| > _No business is interested in having to suddenly comply
| with such regulations_
|
| Just to pick up on this clause - it really needn't have
| been sudden. The regulation was adopted just over 2 years
| before enforcement kicked in[0], and of course it was
| written and debated for a while prior to that. In the UK
| the ICO researched the implications (for what were then
| just proposals) back in 2013[1]
|
| [0] https://en.wikipedia.org/wiki/General_Data_Protection
| _Regula...
|
| [1] https://ico.org.uk/media/1042341/implications-
| european-commi... (PDF)
| jacquesm wrote:
| And before that we had the DPD, which companies routinely
| ignored because they would never get fined. That's the
| only part of the GDPR that made companies take notice:
| the fact that the GDPR has some pretty impressive teeth.
| I'm actually quite surprised at the restraint on display
| so far by regulators, but I'm also quite sure that it is
| a matter of time before a repeat offender will be shown
| just how powerful this law is.
| mmarq wrote:
| Regulators are contacting businesses which they suspect
| are in breach of GDPR to give them the chance to become
| compliant (I was in companies that received such
| communications). If the company is in good faith, they'll
| fix whatever the regulator found or explain why they haven't
| breached the law. These cases don't get discussed in the
| media probably because they aren't published anywhere.
|
| Before a company gets a fine, at least for now, it must
| do some really crazy stuff and/or refuse to cooperate
| with the regulators.
| breakfastduck wrote:
| What aspect of GDPR is troublesome to you?
|
| Because 'dont abuse your ownership of personal data' is
| pretty much what it boils down to.
| cblconfederate wrote:
| The idea that some data is owned, and that people can
| obtain ownership of data that belongs to other entities is
| as moronic as claiming that the CO2 I breathed is owned by
| me. Data is data, it's not PII or whatever stupid
| contraption lawyers came up with to keep themselves busy
|
| If EU wanted to ban tracked ads, it should make a law that bans
| tracked ads, that simple. Not only would it instantly
| achieve the desired effect (which GDPR did NOT), it would
| level the playing field for more ethical companies to
| thrive within the EU.
| breakfastduck wrote:
| You are totally misinterpreting _what_ GDPR is _for_, so
| it makes sense you'd be unable to recognize the benefits.
|
| Data IS owned, by the person the data pertains to. And
| companies should _not_ be able to capture that data, sell
| it and share it without explicit consent. Which GDPR
| _does_ achieve.
| cblconfederate wrote:
| > Data IS owned, by the person the data pertains to
|
| This is an almost undefined concept. Data is not
| copyright, they are observations. Plus for many kinds of
| data ownership is hard to define, e.g. genetic data which
| is largely shared by all of us.
| jacquesm wrote:
| You can try as hard as you can to wriggle out from
| understanding what this is all about but it is actually
| pretty clear: data supplied by an individual is the
| property of that individual, they have the right to
| informed consent on what it is used for, they can ask you
| to delete it, they can ask you to update it or review it.
| In some cases other laws (for instance: tax law) can make
| it mandatory for you to keep certain records, for which
| there are exceptions.
|
| That's basically it. So it's not an 'undefined concept',
| it is extremely clear and the text of the law is actually
| quite legible so there is no real reason not to be
| informed about this if it affects you in any way (which
| it likely does).
| lmkg wrote:
| I have certifications in data privacy.
|
| The idea that data is "property" or that it is "owned" by
| anyone is not codified in law. And as an analogy for how
| GDPR works, I think it's more harmful than helpful. I see
| GDPR as _rejecting_ the idea that data has an owner, more
| than anything.
|
| GDPR says that the data subject has rights to data about
| them. If you want to put a label on it, I would say that
| legally they are a _stakeholder_ in their own data. One
| stakeholder of several. Not necessarily the most
| prominent one. GDPR gives you a seat at the table, but it
| doesn't actually put you in charge, the way that
| "ownership" implies.
|
| The company that collects & processes the data is still
| the one making decisions like: What data is being
| collected? What is it used for? What is the Legal Basis
| for data collection? What Processors will the data be
| sent to? What countries will the data be processed in?
| They have a lot of leeway in how they answer these
| questions and still be compliant with GDPR.
|
| So for that reason, my view is that GDPR says there are
| multiple stakeholders with different rights to how the
| data is handled. Which if anything is a rejection of the
| idea that the data has an owner. Certainly you have
| rights to the data, but some of those rights have limits,
| and the Controller still has rights as well.
| breakfastduck wrote:
| Yes but that's a necessity to support lawful contracts
| between a person and an organization e.g. a loan
| provider.
|
| The data subject, as I think, is the _owner_. They have
| rights over how and when their data is used & e.g. have
| a right to be forgotten.
|
| They do not, however, always have the power to exercise
| their 'full' rights in cases where they've entered a
| binding contract. Such as trying to exercise the 'right
| to be forgotten' with a company who provided a loan
| they've defaulted on. They do however have the right
| through law to instruct the controller to use the data in
| the _bare minimum_ ways they need to reasonably execute
| the contract.
|
| A reasonable data protection legislation _needs_ to side
| with the controller in some situations else it would be
| otherwise incompatible with modern society / law.
|
| It certainly does help more than harm imo, especially
| when it comes to marketing / advertising.
| jacquesm wrote:
| Fair enough, but from a practical point of view treating
| the data as owned by the supplier of the data (when it is
| about them) gets you 95% of the way, the remainder can be
| explained by the concept of 'control of the data'.
| cblconfederate wrote:
| most of the data relevant to gdpr legal cases are not
| supplied by the user, they are collected indirectly.
| breakfastduck wrote:
| I mean this is just false.
| jacquesm wrote:
| This is contrary to what I have seen in my day to day
| practice over the last couple of years. Now, of course it
| is possible that my sample size is too small (about 120
| companies over that period) but I highly doubt that.
|
| Data collected indirectly would for instance be data
| used to 'enrich' a profile, for instance by buying it
| from a third party. That data would still show up in a
| DSAR, but it would likely not be private data because no
| company is stupid enough in the current climate to sell
| that without a very good legal review. Data collected
| surreptitiously (for instance, GPS location information,
| device IDs and such) count as user supplied for the
| purpose of the GDPR, and collecting that without consent
| and disclosing that you are collecting it _and_ supplying
| a legal basis for processing is illegal.
| breakfastduck wrote:
| It's not undefined in places where we have strict data
| protection laws, even pre GDPR.
|
| I think you're trying as hard as possible to
| misunderstand it.
| charcircuit wrote:
| >What aspect of GDPR is troublesome to you?
|
| It tries to restrict data. Information wants to be free. It
| has no owner.
| MauranKilom wrote:
| Then would you mind posting a dump of your email archive
| here? Or does that data have an owner?
| charcircuit wrote:
| You can't upload files here and why should I do the work
| to dump it and give this potentially valuable information
| to you for free?
| jacquesm wrote:
| That's called a cop-out.
| breakfastduck wrote:
| Fantastic way of putting it.
| denton-scratch wrote:
| > It has no owner.
|
| It's not about ownership. It's about my right to keep
| private information private. It's a right granted by law:
| the GDPR.
|
| > Information wants to be free
|
| That slogan originates in a sentence that contrasts
| "information wants to be expensive" (because it's so
| valuable) with "information wants to be free" (because
| it's so cheap to distribute). It's not like saying
| "televisions want to be free, so I think I'll steal one".
|
| I suspect that many of the GDPR-haters here aren't people
| who depend on selling PII for their living; I suspect
| they're just jealous.
| jen20 wrote:
| > many of the GDPR-haters here aren't people who depend
| on selling PII for their living
|
| And if they are, they should be ashamed of themselves
| (though likely not capable of that) and shunned by all
| members of the industry with any ethical compass.
| denton-scratch wrote:
| Agreed.
|
| But to clarify: I meant to include people who aren't
| directly PII sellers, just workers whose employer happens
| to sell PII, and even website operators with an ad-
| network on their site. They're just trying to earn a
| living, and I'm sure most of them are capable of shame.
|
| A website operator who runs Google ads and scripts on
| their website isn't evil. They're just "awaiting
| instruction".
| Mordisquitos wrote:
| Should we therefore decriminalise unauthorised computer
| access and publication of data "owned" by any business or
| organisation?
| breakfastduck wrote:
| Data _should_ be restricted, when it pertains to an
| individual who wants it to be restricted - basically
| everyone in the EU.
| jacquesm wrote:
| What is this, Slashdot ca 1996?
|
| Private information in fact does have an owner: the user
| that it reflects on.
| charcircuit wrote:
| Once you share information it is no longer private unless
| you put that person under an NDA or something similar.
|
| If you meant personal information then that doesn't make
| sense either. No one owns the fact that George Washington
| was male. It is just a statement that could be true or
| false. George Washington has no control over me spreading
| this information. Especially since he is dead.
| jacquesm wrote:
| You have a completely unique idea about the meaning of
| 'privacy', you may want to adjust your definition to the
| one that the rest of the world works so that we can have
| meaningful conversations.
|
| George Washington's gender is of no consideration
| whatsoever in this discussion, so bringing it up is a
| variation on the theme of the strawman.
| charcircuit wrote:
| >You have a completely unique idea about the meaning of
| 'privacy'
|
| I used the word private, but not privacy. I'm not 100%
| sure what you are getting at.
|
| >so bringing it up is a variation on the theme of the
| strawman.
|
| It was an example of data pertaining to someone. I
| brought it up since I didn't think the word private made
| sense.
| jacquesm wrote:
| The GDPR, which is what you are commenting on is all
| about privacy and private data shared with companies for
| the goal of processing with a specific purpose in mind.
|
| Privacy and private are very well defined terms in that
| context, and you are adding a unique spin on it that
| makes fruitful discussion impossible.
|
| 'information wants to be free' is a dumb line that got
| passed around a lot in the 90's by people who thought
| that they were being clever, but it turns out that there
| is lots of information that doesn't want to be free at
| all, and some of that information is about you and you
| also don't want it to be free.
|
| Your example is nonsensical, and does not further the
| discussion either.
| denton-scratch wrote:
| GDPR enforcement is pretty gentle. For the first offence you
| will just get a warning. Grindr's fine is a warning that you
| should heed such warnings.
|
| Yes, operating in the EU is a liability; operating anywhere
| that has laws is a liability. And the risks of operating
| somewhere that doesn't have laws is an even greater
| liability.
| michaelbuckbee wrote:
| I feel that "just the way they like" is honestly a pretty low
| bar to clear and in general are common sense and respectful
| things that you should be doing with user data in the first
| place.
|
| - Tell people up front what you will do with their data
|
| - Let them opt out
|
| - Track what services your own service uses (Ex: your website
| -> google analytics)
|
| - If people want to know what data you have about them tell
| them
|
| - If people want you to delete their data (and there is no
| legal obligation to keep it) delete their data
|
| - Take reasonable steps to keep user data safe
|
| In this case Grindr was passing (per the article):
| advertising ID, IP address, GPS, location, gender, age,
| device information and app name to a bunch of Ad Services
| with "no control".
|
| So beyond just "handling data" Grindr was getting paid (ads)
| for sharing your data to companies that could then also turn
| around and do whatever they wanted with that data.
| charcircuit wrote:
| >common sense and respectful things that you should be
| doing with user data in the first place
|
| It's disrespectful to be nosey into what people are doing
| or to give them orders on what they can or can't do.
|
| >So beyond just "handling data" Grindr was getting paid
| (ads) for sharing your data to companies that could then
| also turn around and do whatever they wanted with that
| data.
|
| Good on them. They figured out a way to make money using
| information that they collected.
| netizen-936824 wrote:
| >It's disrespectful to be nosey into what people are
| doing
|
| >Good on them. They figured out a way to make money using
| information that they collected.
|
| These two statements don't jive. It's disrespectful to be
| nosey, but it's fine if people buy data and be nosey into
| other people's lives? That's quite absurd
| charcircuit wrote:
| >These two statements don't jive.
|
| The first statement is about a user being nosey into what
| a company does with the data. There is an expectation for
| dating services to collect data like age, gender, etc
| about a user. I wouldn't really call them nosey. Since
| it's kind of expected for them to get that information
| from you. Is a dentist being nosey if they ask for your
| dental history?
| Mordisquitos wrote:
| > It's disrespectful to be nosey into what people are
| doing or to give them orders on what they can or can't
| do.
|
| Not just disrespectful, I would even say it's _immoral_
| given the unbalance of power involved. That's why we
| need GDPR: to protect people from businesses being nosey
| into what they are doing against their consent, and also
| to protect people from businesses telling them what they
| can and cannot decide about their own data.
| Toby1VC wrote:
| I've been of the thinking that there's no smart need to be a
| try-hard regarding hoarding private information, or mostly in
| general really but that can be debated. When you reform your
| endeavour to get profit in the short term because for some
| reason that's what you need, it likely will be left not
| properly guided and it will crash or make others crash. (I
| prefer) [Durable] Quality over meaningless get-by's that will
| be irrelevant decades from now, but that maybe bought you some
| time so hey ok.
| michaelbuckbee wrote:
| The phrase that I've found works best in communicating with
| non-technical folks is "toxic asset".
| olalonde wrote:
| I'd rather let people freely decide what they want to do with
| their data. But this is no longer possible in Europe
| unfortunately.
| jacquesm wrote:
| It's the opposite, actually. I have no idea how you came to
| this conclusion.
| olalonde wrote:
| You can't give your data to a company which is not
| compliant with GDPR (for all practical purposes).
| dmitriid wrote:
| nlitened wrote:
| I wonder if jail time for developers knowingly implementing lax
| systems for exchanging personal data could help?
|
| This way most developers would refuse to write systems that
| could potentially get them in trouble, until their employer
| transparently ensures that no laws are broken. Some kind of
| engineering ethics.
| jacquesm wrote:
| Yes, but then you'd have to prove when this stuff was written
| because otherwise there are going to be a lot of engineers
| retro-actively in the field of fire.
| nlitened wrote:
| Git blame their signed commits. If no records available,
| chief engineer gets the blame. I mean, that should be
| trivially enforceable -- same as getting to know who
| performed a botched surgery.
| jacquesm wrote:
| I can see a lot of chief engineers moving to Somalia in
| that case :)
| headmelted wrote:
| It's a slap on the wrist.
|
| 100x this fine would have been appropriate. Anything less just
| encourages other companies to treat privacy and data security
| as a joke.
| jacquesm wrote:
| Look at repeat offenses and how fast they go up. Level 1:
| don't do this, or we'll fine you. Level 2: here is your first
| fine, don't do this again or we'll fine you for real. Level
| 3: Ok, you clearly need something that will move the needle,
| here is a fine you can't ignore. Level 4: you ignored it again,
| here is a fine that will put you out of business. So far
| we've only seen level 2 and one or two level 3 fines. Nobody
| has thought it wise to test the next levels up, it's a bit
| like the GPL in that respect.
| bcrosby95 wrote:
| That would be more than the full value of the company. Seems
| a little steep for the first fine.
| headmelted wrote:
| EUR650 million does not seem steep at all for the offence,
| given the consequences for those involved.
|
| It's not _supposed_ to be a tax, it's supposed to be a
| disincentive.
| halostatue wrote:
| I work with retail tech and provide both "connector" middleware
| and product solutions.
|
| When we have products that we produce that are required to keep
| customer data, we figure out what the _minimum_ amount of data
| required is to deliver the value required _to the end customer_
| and do our best not to expose any more data than that.
|
| For everything else, the goal is for our systems to hold _zero_
| end customer data and _minimal_ employee data. We don't want
| the liability. We do a lot of security engineering around what
| we do, but we want to make sure that we aren't the source of a
| data breach on behalf of our customers because we aren't
| holding the data in the first place.
| yoaviram wrote:
| There's another way to make the collection of personal
| information less economical, which we can all contribute to.
| Send GDPR and CCPA data requests. Each request incurs some
| small but not insignificant cost for the company to handle it.
| This is because the process is hard to automate. Don't spam
| companies just for the sake of sending requests, but do get in
| the habit of using them to reduce your exposure.
|
| Disclosure: I'm one of the founders of YourDigitalRights.org, a
| free service that makes it easy to send these sort of requests.
| jacquesm wrote:
| I'm all for that but only if you suspect that a company is
| abusing your data. Otherwise it amounts to a DDOS attack and
| that should be reserved for those that deserve it, not to
| place a burden on otherwise compliant companies.
|
| But if you suspect that a company is abusing your data,
| selling it, enriching it with data that they shouldn't have:
| fire away.
| lettergram wrote:
| A fine of this size indicates to me they should harvest and
| sell more data to increase profits. Tens of millions would
| still probably be worth it to Grindr.
|
| Imagine you're a government who doesn't like homosexuals. Pay a
| fee - $5-$10m and you'll get a list of users globally. Probably
| with travel patterns. Next time they enter the country, arrest
| or block visas before they enter.
|
| Nah, this fine (which I don't even know if they'll pay) is the
| cost of doing business.
| jacquesm wrote:
| These fines tend to go up with repeat performances. Sooner or
| later some company will be fined right out of business and
| then we'll see whether the remainder will catch on that
| playing games with regulators is a losing one.
| madeofpalk wrote:
| playing games with _functional_ regulators is a losing one.
| rvnx wrote:
| Wait a second, it's not Grindr gathering and selling a list
| of homosexuals interested in sex.
|
| It's the users themselves who actively register on Grindr to
| announce their services and picture on the platform.
|
| If this activity is illegal in the country of the user, the
| best Grindr can do, is to prevent users from these countries
| from registering on the platform based on their national ID,
| but that's basically it.
| netizen-936824 wrote:
| And what if the country wants info on people outside the
| country. They may want to be sure that they can catch the
| homosexuals when they come to visit or prevent them from
| visiting (friends family etc) altogether. Whether or not
| the person signed up in the first place, nobody should be
| able to buy the data
| retrac wrote:
| You don't have to be living in a country where
| homosexuality is illegal to not want your presence on a
| dating app - straight or gay - to be public knowledge.
|
| Speaking from unfortunate experience about half the men on
| Grindr do not put up identifying pictures. Many are in
| relationships with men and are cheating. And many present
| publicly as heterosexual or are married to women.
|
| It's a blackmailer's jackpot.
| jacquesm wrote:
| Right along with
| https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
| celeduc wrote:
| Firstly, yes, Grindr is _mostly_ men looking for sex, but
| they're not all homosexuals and they're not all looking
| for sex; many are just there to flirt, others to troll. But
| Grindr is definitely gathering and selling lists: it's what
| they do.
|
| Secondly, with the word "services" you're implying that the
| users are _whores_.
|
| Thirdly, there are an infinite number of ways that Grindr
| _could_ protect its users through the design of their app:
| from purely technical measures such as end-to-end
| encryption, or through careful informed consent about
| shared data and protection of people who are legally or
| functionally incapable of such consent.
|
| But from your statements you just want to blame the users
| because you disapprove of them. I'm sure you can do better
| than that.
| TheSpiceIsLife wrote:
| The users aren't gathering aggregated data of millions of
| other users and selling it.
| dspillett wrote:
| Or just more lazily selling it en masse for the buyers to
| aggregate and otherwise process, along with anything
| they've picked up elsewhere.
| j_san wrote:
| The Norwegian Data Protection Authority imposed a fine of
| EUR6,500,000 on Grindr for not collecting users' valid consent
| for sharing data with third parties for profiling and advertising
| purposes from the Grindr App.
|
| Particularly interesting is that it is not allowed under GDPR to
| have a free version of an app with the condition that it shares
| personal data (in this case for targeting and profiling for ads)
| as the consent of the user is not freely given in this case - in
| a "Take it or leave it" situation, consent cannot be seen as
| freely given.
|
| Link to the section "Consent as a condition to access the
| service":
| https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_2...
| [deleted]
| KarlKemp wrote:
| I was about to mention how well-written Norwegian legal texts
| are until I noticed the "edit" links. So, instead, I'll say
| this is a well-written wiki article.
| oytis wrote:
| Interesting indeed, it is what several German online newspapers
| do - they let you choose between a free version with tracking
| and a paid one without one. I find this argument a bit weird
| though:
|
| > Sharing Grindr's users personal data with advertising
| partners for online behavioural advertising purposes was not
| necessary for the performance of the Grindr's services.
|
| Charging money for your services is also not necessary for the
| performance of the said services. Still businesses are luckily
| still allowed to charge money. Why can't data be considered as
| a means of payment in this case?
| cjfd wrote:
| The 'data is payment' thing sounds terrible. What if it
| really goes south and this data is involved in some identity
| theft? Then the criminal justice system needs to get involved
| at enormous cost to taxpayers. Therefore, there actually is
| an interest of the state that all this data should not be
| roaming around freely.
| sdoering wrote:
| Interesting, because said practice from German news sites
| seems to have the blessing of the data privacy authorities.
| Sadly I can't find the source. It must have been one of the
| data privacy newsletters I receive.
|
| So the Norge argument here would go further and I would like
| to see this challenged to the European Court as this would
| provide a final verdict.
|
| Currently I feel that different countries see these things
| quite a bit differently.
|
| On the other hand it would only mean that you can't have a
| free version refinanced through advertising, but would need
| to find other ways of converting users into paying customers
| while still providing a stripped down free app for generating
| reach.
| belorn wrote:
| > Why can't data be considered as a means of payment in this
| case?
|
| One of the biggest reasons would be that using data as payment
| has been demonstrated to push out companies that don't want to
| collect data. Data as a means of payment is less clear to the
| consumer about the costs, and there is no real good way to
| inform the public outside of a massive investment into the
| general education that focuses on privacy, data laws, how data
| is gathered, why it is gathered, how it gets traded and used,
| and what the outcomes are. The value added through data is
| also not taxed which creates an unfair advantage compared to
| other payment methods.
| nickpp wrote:
| It's quite amazing that something most people see as quite
| worthless ("my data") is suddenly seen by the society as
| priceless (since I can't buy it with money).
| tgsovlerkhgsel wrote:
| Why can't organs be considered as a means of payment?
|
| Not sarcasm - I think that while it's obviously a different
| scale, the reasons are similar and boil down to "we don't
| want that as a society" and "the environment this creates is
| not conducive to a free and informed rational decision".
| Many people don't understand the value of their data and the
| risk it poses, there is an information imbalance, there is a
| power imbalance (the company sets the terms, and you only get
| to take it or leave it).
|
| The pre-GDPR situation also showed that the market doesn't
| really work, because everyone was collecting your data,
| people have limited energy and incentive to care because it
| doesn't cause immediately visible pain. It's similar to
| workplace safety - we don't allow employers to create easily
| avoidable dangerous situations in exchange for extra pay
| either, for similar reasons.
|
| Most importantly, data grabbing is not necessary for
| advertising, it's just slightly more profitable and thus
| everyone does it, eventually pushing the "good" (privacy-
| friendly) players out of the market. If we want to change
| that, we need a de-facto ban (which a properly implemented
| GDPR would be, because so many people will click "No" if
| given a truly free choice that showing the popup won't be
| worth it).
| nickpp wrote:
| Are you implying that my online data is as important to me
| as an actual organ?! Because it certainly doesn't feel that
| way.
| jsjsbdkj wrote:
| If it's data about your sexual orientation, HIV status,
| and who you've been talking to it may be extremely
| important.
| Vespasian wrote:
| Because society decided that it shouldn't be.
|
| It's a political decision that charging money (or displaying
| not personalized ads) is preferable.
| nickpp wrote:
| This hurts most people with less money to pay, as they
| can't access the service otherwise.
| sippeangelo wrote:
| It exploits most people with less money to pay, as
| they're not privileged enough to access the service
| otherwise.
| Vespasian wrote:
| It communicates that European societies (through their elected
| representatives) disapprove of the "paid for with your data"
| business model.
|
| Yes this is limiting the free market but it's a conscious
| decision.
|
| It's still allowed to process data for your own analytics (e.g.
| to improve your offer) and make use of third party services.
| What the GDPR aims to prevent is your data being shared with
| the whole world way beyond the entity with which you originally
| interacted.
|
| If that means services cannot finance themselves through
| advertising anymore then so be it.
| NelsonMinar wrote:
| Grindr is a repeat offender, globally.
|
| In 2018 researchers found that Grindr was sharing users' HIV
| status and location with marketing companies:
| https://www.buzzfeednews.com/article/azeenghorayshi/grindr-h...
|
| Just this year there was a scandal where an anti-gay church fired
| one of its officials because a homophobic publication somehow got
| access to his Grindr account and his location data. The details
| on how the data got out are not clear.
| https://www.vice.com/en/article/pkbxp8/grindr-location-data-...
| temptemptemp111 wrote:
___________________________________________________________________
(page generated 2021-12-23 23:02 UTC)