I once went to a website that popped up the usual "we share your data with a few trusted third parties", and when I clicked "more details" it showed a list of nearly 700 it shared data with. I'm not even sure I know that many real people. And I'm sure most just hit OK to get the window out of the way.
Yeah, and they all have "legitimate interests" in our data ò_Ó
Obviously they value our privacy :) Anyone know official prices ? ;)
Yes, the word "value" in the phrase "we value your privacy" is working overtime.
I swear there's a market to pay for third-world labor to click every link of every major website and store the pages as plain html text, pictures and links. Have image recognition to automatically cut the chum and pop ups, cookies, subscription warnings, and gdpr notices. Users pay $4/mo and access recent copies of whatever they normally browse. Either via a browser extension or a URL router (that served up cached versions, the delay wouldn't work to have someone viewing the site for you and filtering it in realtime).
Imagine having your daily news as a clean PDF document with working links. It might also have the psychological effect of signalling when you're "done" similar to reaching the end of a newspaper
This is awesome. Thanks. I knew about some of the other archive domains but never used them because I thought they were only useful for evading paywalls. But I tried this out on one of the cancerous news sites and it works exactly how I imagined. Too Cool
It should be illegal for government agencies to do this.
Perhaps, though, this will increase people's awareness that these terms and conditions are typically extremely permissive, and that permissiveness is a real risk to them.
Especially now.
> these terms and conditions are typically extremely permissive
T&C are dark, twisty forests of legalese that can shift, seemingly at any time. As a consumer, if you want to do something as simple as pay to park your car, you need to sign the T&C in blood or you get towed. Is it really an agreement if you must agree to it for basic necessities?
Yes, I totally agree. The T&C situation is dire and need to be addressed. For instance, the idea that you engaged in anything remotely like "consent" because of vague generalities in T&C documents is laughable on its face.
That said, it's the legal framework we have to deal with in the now.
I’ve always wondered if you could turn the tables on some of these people, perhaps by sending an email with t&c’s your own after they’ve sent you an email, the body of which would essentially invalidate their T&C’s and that by them continuing to send you emails they are consenting to the revised T&C’s…
"This one weird trick" doesn't work because it the end, it comes down to who has more money to spend on lawyers.
How do you propose to address it such that end result is a net positive, instead of net negative?
Common law nominally already has some principles built into it that can answer that in a reasonable way. Contracts that are super lopsided are already nominally invalid. Contracts that are incomprehensible and signed under duress are already nominally invalid.
As you may guess from my phrasing, I am well aware that in the present environment, believing that that meant much would be a childish level of naivety. But the principles can still be used to answer your questions in a reasonable way.
It really wouldn't be that hard to lay down some principles that privacy violations are an expense above and beyond, say, "parking my car". It is unreasonable for a person to think that the price of parking my car is $1.25 an hour and also arbitrary privacy violations and also you gave up your right to privacy from the government and also in six years if you sue a related entity they'll cite your parking agreement as the reason why you're not allowed to sue them (see recent Disney wrongful death case). $1.25/hour was already a fair price, give or take a couple of multiplicative factors. Taking a whole whackload of additional rights in the fine print under what can reasonably be called duress relative to the claims being made, beyond what a "reasonable person" would expect to be necessary to just complete the basic transaction, is not that hard to write some principles around. This is why judges are still human.
> and also in six years if you sue a related entity they'll cite your parking agreement as the reason why you're not allowed to sue them
If only they stopped there. After you've parked, you go in to some random activity and sign a liability waiver that, as written, says if the janitor's father's brother's nephew's cousin's former roommate murders any member of the same species as you at some point in the future, whoever relevant will have to simply ignore the inconvenience because you once went into an escape room.
Of course the extreme interpretation could never hold up in court, but it's absurd that I've even seen so many places that explicitly try to waive gross negligence in places where it's long been established to not be possible (or even places where it invalidates the entire clause!). These are sometimes justified as scaring people from lawsuits even if they don't provide and real protection, but why are we putting up with that?
>also in six years if you sue a related entity they'll cite your parking agreement as the reason why you're not allowed to sue them (see recent Disney wrongful death case).
It's worth mentioning that in that case, Disney didn't operate the restaurant that allegedly caused the wrongful death, but got included in the suit because they had a website listing for that restaurant. In that case I think it's pretty reasonable that if Disney can be put on the hook for having a listing for a restaurant that caused the wrongful death, that they can be let off the hook for having a waiver in their website T&C.
How about: any terms that can be reasonably expected to be surprising to -- and negatively affect -- a reasonable person under its scope are unenforceable without the consent of all of those people.
(This is intended to be phrased on a way that includes e.g. cases where one party agrees to terms but another one is affects by it to their surprise, like your spouse when you buy a cell phone plan. So rephrase as needed.)
That’s what judges already do when deciding cases…?
I don't believe so?
I’m pretty sure Judges consider whether such terms are within certain bounds of reason… they can be expected to annul terms such as ‘the customer has to offer their first born son as a sacrifice’ or ‘the customer has to pay a billion dollars in compensation’, etc...
Those are just unconscionable terms, not merely unexpected ones.
And who would be the authority deciding on the definition of those two terms, if not judges?
Clearly HN users cannot posses that authority without a fairly significant rank.
It's not like I'm telling you to trust me on definitions. Just look up how it's been applied in the past. It's been a much, much higher bar historically.
Judges aren’t automatons, they won’t self combust after deciding differently…
> How do you propose to address it [terms & conditions]such that end result is a net positive, instead of net negative?
* limit scope. It should not be possible to get people to sign away rights they have in order to e.g. stream a movie
* plain English.
* compulsory summary at the start
* more statutory rights that cannot be wived. E.g. it is not legal to have death a result of non compliance
It is not that hard.
>Is it really an agreement if you must agree to it for basic necessities?
The article says the article says the location data was "harvested from ordinary apps installed on phones". What type of "basic necessities" are you getting from apps on your phone that have location access? I'm guessing it's from random weather apps, rather than something "basic necessities".
It sounds like you're advocating for a world where ordinary people need to choose between:
- not knowing the weather this weekend
- knowing the weather and signing away their firstborn child in the T&C
- becoming an amateur lawyer and spending dozens of hours reading and comparing T&Cs between apps to choose which one to use (until they change the T&Cs again of course, which they'll do without notifying you)
How about not granting location permissions and typing in your location manually? Weather forecasts worked fine before phones with geolocation built in.
We're talking T&Cs here. How would typing in your location invalidate you agreeing to (what a company would like to believe is legally binding) clickwrap T&Cs? Even if you deny individual permissions, apps will still slurp up your app list/hardware specs/any metadata they can get their grimy hands on, directly and indirectly through side channels. You're saying to give them 999 data points instead of 1000 and you think that's a solution?
>Even if you deny individual permissions, apps will still slurp up your app list/hardware specs/any metadata they can get their grimy hands on
Is this a purely academic thought experiment or something that's happening in practice? I'm not exactly sure what the "999 data points" consists of. Given basically nobody assembles their own phone, the most that hardware fingerprinting will reveal is "you have an iPhone 13", impossible to differentiate from all the other iPhone 13s floating around because they're all identical. Both android and ios have cracked down on software fingerprinting as well, so you can't for instance grab a list of all installed apps.
The crackdown was fairly recent, right? Do you think we should trust that both companies have at long last perfectly solved all privacy problems with this latest crackdown and now everything is perfect and we'll never have any privacy mistakes or side channel leaks ever again?
I don't know about iOS, but here's the situation on Android:
https://support.google.com/googleplay/android-developer/answ...
> The QUERY_ALL_PACKAGES permission only takes effect when your app targets Android API level 30 or later on devices running Android 11 or later.
So I guess end users should just check which SDK level their weather app was compiled for! Simple, right?
And if the parking app was compiled for SDK level 29, people should just go find another parking lot with a more recent app?
You're suggest technical solutions to social problems, and those rarely work out in the long term, especially with adversarial parties. Better to solve the problem at the source.
> You're suggest technical solutions to social problems, and those rarely work out in the long term, especially with adversarial parties. Better to solve the problem at the source.
That, to me, was the big takeaway from Attack Surface by Cory Doctorow. The idea that you can't "out tech" the State[1]. Because even if you, as an individual, are in fact (smarter|more talented|more capable) than any individual employed by the State, they still have you out-resourced to a degree that makes your cleverness moot. And as a defender, you only have to make one mistake and it's game over.
If I get Cory's point right, it's to say something like "as technologists, we should use our skills in service of effecting meaningful change through the democratic process", as opposed to creating better tech for evading State surveillance[2].
[1]: I think here you could probably read "the State" as "the State AND/OR BigCorps".
[2]: That said, there's probably still at least some basis for doing both. But "effecting change through the democratic process" is probably the better long-term strategy.
>And if the parking app was compiled for SDK level 29, people should just go find another parking lot with a more recent app?
The play store has minimum SDK level requirements, so you can't compile your app against an ancient SDK level to bypass all the restrictions. Moreover, your linked article suggests that even if you have an existing app that does this, the play store will eventually down your app if you don't provide an explanation. This is consistent with some complaints posted on HN recently, eg. https://news.ycombinator.com/item?id=41895718
You completely ignored the substantive part of my post, so I'll restate without distractions.
1. Do you believe that with these latest round of updates, our benevolent corporate overloads Google and Apple (both advertising companies to some extent) have at long last fully solved privacy, plugging every possible information leak and fixing every possible software bug, both present and future?
2. If you do, then do you think it's desirable that we expect every participant in modern society to enter into one-sided, legally-binding contracts with companies they've never heard of with every small action they take on a daily basis, and then use complicated technical measures to avoid fulfilling their end of those contracts?
>You completely ignored the substantive part of my post, so I'll restate without distractions.
I ignored those parts because you're moving the goalposts way past my original comment[1], which only objected to the claim that people were somehow coerced into having their location sold because the apps doing the tracking were providing "basic necessities". Is the fact you're using an iPhone, are visiting from an IP address that suggests you're in Kansas and using Verizon an "information leak"? I guess, by some definition. Is that anywhere close to getting your location tracked? Hardly.
The reason Apple and Google continually patch and change their rules is because they have been playing a cat and mouse game with bad actors who, for decades, have continued to find ways to siphon personal data off devices despite the technical restrictions in place.
You seem to have an awful lot of confidence that "iPhone" and "Kansas" are the only pieces of data any app can get from a device.
So can we say that you agree with #1: after decades of playing cat and mouse with advertisers and spyware authors, these latest updates from Apple and Google are the magical updates that finally completely solved privacy once and for all, and there will never be any bugs or mistakes or security holes ever again?
>becoming an amateur lawyer and spending dozens of hours reading and comparing T&Cs between apps to choose which one to use (until they change the T&Cs again of course, which they'll do without notifying you)
This right here is the issue. There's a protocol to these things focused on pushing out, but no reciprocal pipeline for feedback other than "clicked" to come back in. Clickwrapping should have been wholely dismissed as a valid medium for contracting. I'm willing to park on and die on this hill. A contract regime wherein oneside is the progenitor of all changes, is not, in fact, a meeting of anything.
And yes, I'm drinking my kool-aid at this point. Sucks being on the minimalist side of the Software world, but I'm doing my damnedest to cut out every EULA possible, replacing it with something wherein I can be assured the world won't be turned over on me at a moment's notice at the behest of a bunch of greed optimized psychopaths sitting on top of an infrastructure most of them would be powerless to keep running short of the economic game of Mutually Assured Destruction the West calls it's capitalist "free market" system (which is anything but once you scratch beneath the surface).
> What type of "basic necessities" are you getting from apps on your phone that have location access?
I already mentioned one: parking apps granted a monopoly over a region by a municipality. Before you ask, no, there are often no meters to feed cash or a card to anymore (the apps don’t want those cutting into their fees). Your options are to accept the T&C in the app so you can go buy groceries or get parking tickets, and eventually a boot or tow.
And those apps require location access? As per app store guidelines, they're supposed to provide fallback if you deny location permissions. Not to mention both iOS and Android have cracked down on background location permissions years ago, so at best those parking apps is getting a list of places you parked at, not minute by minute location updates. Tracking you by where you swiped your credit card is probably more reliable than this.
- just use a different mode of transport. - elect beeter officials
who needs to check the weather before going outside or making plans, right? that's just a luxury.
You in fact do not need to check the weather forecast to do those things. People went outside and made plans just fine before we had the weather on TV, much less on a computer.
I have this theory that most outdoor plans, most of the time, go better if you just never look at the forecast at all.
yes, it's not like anybody ever died from extreme weather events back in the good old days.
My boomer cousin just said, "Yeah, they invented this really cool thing for that called a window." I just updated my will to remove his name from it.
I don't think your money means as much to someone less dependent on macro-complexity.
He based-ness and your bias-ness are on display.
But you probably still look out the window though.
yep, a properly configured window will tell you about flood risks and lighting strikes several hours ahead of time!
True, but as people here know, Cell Phones are now nothing by Spy Devices. Any cell company can get your data and pass it on to anyone they chose or who pays enough.
Indeed. The crazy thing is that so many people still don't understand this.
For the last few years I leave my phone's GPS perma-off unless I'm actively navigating. Of course, I also have my location permissions for apps defaulted off and locked down (except for the two apps I grant conditional access to). I realize that cell tower tracking exists and is used by my mobile provider instead but at least it's a little less accurate. As a side benefit, my battery life is much better.
I've also adopted the healthy lifestyle choice of not using any social media apps on my mobile device (which is surprisingly wonderful once you make the leap). I mostly just use my phone to make and receive calls and texts (and as a remote for my home automation).
> For the last few years I leave my phone's GPS perma-off unless I'm actively navigating.
This does nothing. The location spying is baked into the cellular tech itself. 5G base stations literally steer the beam to follow you, so it “““has””” to spy on your location in order to work.
https://www.ericsson.com/en/blog/2020/12/5g-positioning--wha...
“The arrival of 5G delivers new enhanced parameters for positioning accuracy down to the meter, decimeter and centimeter.”
“Positioning of users and devices across general indoor environments, such as offices, shops, logistics, etc., was a focus area of 3GPP Release 16.”
https://www.fastcompany.com/90314058/5g-means-youll-have-to-...
“[5G network positioning] data can also enable advertisers and data brokers to see the exact routes you take each day and even which buildings you go into. And anyone with access to your mobile network’s cell tower data will now be able to track your movements in real time.”
5G = downvoted by glow-bots.
That is not (currently) in "Overton Window" of "acceptable" in regards to the nations phyche, in totality; 5G is more of a "passive system" than what can be collectively admitted irt natsec atm.
Agreed, and the astroturfing of that one extremely dumb talking point a few years was very suspect. Those with Eyes To See will recognize the all of The System's usual symbology in 3GPP: https://standards-tracker.5g-ppp.eu/sites/default/files/3GPP...
(G as 2D spiral view of 3D coil, 3 sides of a cube being the most you can see at one time, coil of Humanity goes inside the cube, tilted axis of the second P compared to the first, arcs of Ascension traced in the signal lines)
What assurances do you have that your "perma-off" setting is even minimally respected? Unless you have a physical disconnect for the chip, I would presume it is still gathering data and that data is being shipped out. There are just fewer companies that can do it.
>What assurances do you have that your "perma-off" setting is even minimally respected?
https://en.wikipedia.org/wiki/Russell's_teapot
>Unless you have a physical disconnect for the chip, I would presume it is still gathering data and that data is being shipped out. There are just fewer companies that can do it.
If your paranoia level is this high, what makes you think they won't put a backup GPS receiver in the SoC or modem? They're perfect places for it, because they have tons of traces connected to them that you could piggy back off one to use as a rudimentary antenna.
We live in a world absolutely awash in corporate and state surveillance, where virtually all parties constantly position themselves to increase information gathering. We are literally talking about an abuse of the fine print in TOS by a government entity, and I am paranoid?
More like Russell's teapot would apply to anybody who would assert there is a benign and benevolent corporate actor out there. Prove it. You can't, and every major company in this domain has been caught out at least a few times, plus we know there are laws on the books that force them into secrecy.
This is honestly so basic it almost feels like gaslighting to call me paranoid. Either keep your phone in a metal box, or presume it is compromised. Just like the the most basic level of opsec for virtually all relevant government agencies.
>We live in a world absolutely awash in corporate and state surveillance, where virtually all parties constantly position themselves to increase information gathering. We are literally talking about an abuse of the fine print in TOS by a government entity, and I am paranoid?
There's a pretty big difference between "some apps collect your location data and sell it, there's some clause buried in the ToS authorizing them to do it", and "your phone has hardware/software backdoors to collection location data even if the option is explicitly turned off". The former can plausibly be defended in court, whereas the latter is obvious fraud. Before you claim "but big corporations are above the law!", google recently paid millions to settle a lawsuit for tracking users in incognito mode, which sounds evil but was pretty banal in actuality. They didn't add some sort of backdoor to exempt their domains from incognito mode. Rather, they treated incognito sessions as regular sessions, such that if used incognito mode but visited a site that used google analytics, your visit would still be recorded.
>This is honestly so basic it almost feels like gaslighting to call me paranoid. Either keep your phone in a metal box, or presume it is compromised. Just like the the most basic level of opsec for virtually all relevant government agencies.
The police also has the ability to bug your house, but I think it's pretty paranoid for the average joe to think their house is bugged. "opsec" also involves doing a threat assessment and understanding what the most likely risks are, not assuming the FSB is out to get you and hiding in a bunker.
The OS and preinstalled / uninstallable apps from the OS provider, the phone manufacturer, the hardware manufacturers, sometimes the network provider have their own TOS, their own gag orders, etc. The TOS undoubtedly extends to the UI toggle, and even if it didn't they are almost certainly under gag orders about that functionality anyways. That is what I see as virtually unavoidable. Just accept that you are compromised and that your efforts are to mitigate, not eliminate data exfiltration.
You don't need to go full prepper mode to recognize the situation. I just want to promote honest awareness, not a specific course of action as a consequence of that awareness. My threat assessment is that this happens nonstop. It has been revealed to be the case in the past, in the present as per this article, and undoubtedly will only continue in the future.
>The OS and preinstalled / uninstallable apps from the OS provider, the phone manufacturer, the hardware manufacturers, sometimes the network provider have their own TOS, their own gag orders, etc. The TOS undoubtedly extends to the UI toggle, and even if it didn't they are almost certainly under gag orders about that functionality anyways. That is what I see as virtually unavoidable.
Again, there's a pretty big difference between an opt out, and a system that outright betrays the user. Moreover, what you said might work for someone who has location services enabled in the OS and don't realize there's preinstalled facebook with pre-approved permissions, but OP specifically mentioned disabling location services in the OS, which should disable it for all apps regardless of whether it's pre-approved.
>This is honestly so basic it almost feels like gaslighting to call me paranoid.
Explaining past the correct answer and then getting reduced to absurdium is only something a RLHF-prodding half-cognizant truth-addicted semi-sentient half-escaped super-intelligence would consider as wise.
>Either keep your phone in a metal box,
And remember, they can induce current via highly directional beam-forming, so thinking "no power" = "no computation/exfil" is cute, but naive.
> And remember, they can induce current via highly directional beam-forming
Once the tech eventually gets there this will be sold as a feature and will replace our current wireless-charging tech. There will be no more “charging” at all — every device will simply be always on. Then it will be that much harder to escape The System's eye since a dead battery will no longer be any excuse for a device to disappear.
Imagine the migraines the schizos will be justified in having.
Fuuuuuuuuuuuuuuuuuuuuuuck me its hard to know you're not crazy when fukin APT/sufficiently advanced autocorrect can convince someone to hit you with a microwave (beam).
That second link was nearly limb-preserving, and may actually be the only solution to some self-defined axiomatic arguments.
Thank you.
What's even crazier is people that want everyone else to just roll over and give up and think that because that information exists to five eyes/the deep state/"them" that people shouldn't complain when actual real life government agencies abuse their power and try to violate people's rights.
> The crazy thing is that so many people still don't understand this.
A lot of people do understand this but can't really do much against this. I personally use a GNU/Linux phone with hardware kill switches. And it's not always easy.
> I leave my phone's GPS perma-off unless I'm actively navigating
You can't trust this: https://news.ycombinator.com/item?id=15413709
Open Source software should fight back with license agreements that include poison pills for companies that distribute products that have nefarious terms in their license agreements.
Most of these companies wouldn't get very far if they had to build their own products from soup to nuts.
Local government agencies do this all the time. They bypass warrants by just buying the data through brokers.
All these years (decades?) we've been warning about the dangers of wholesale surveillance, collecting and never erasing tracking, metadata, anything the government of private sector can get the hands on.
The end result? The population have spoken. They don't care. It might be too late already, or maybe we have another few years left, I don't know. Everyone aware of the XX century history, I think, sees the rise of the fa^H^H danger as inevitability. It happened after the WWI, it happened after the breakup of the Soviet Union, and the result is the same.
We have interesting times ahead of us. This time it will be backed by a fully functional surveillance apparatus capable of finding everything about a _suspicious_ citizens in seconds.
We've been warned and we failed to act.
> The population have spoken. They don't care.
What are the options? Protesting?
Protest is good, supporting alternatives is better.
Two weeks ago we hosted in Coimbra the first portuguese event dedicated to NOSTR, only 15 people showed up but they travelled north/south of the country to be there.
More people or less people it does not matter, we will raise attention that exist options for using the networks without this constant tracking.
You can also do something too.
How about regulations? https://news.ycombinator.com/item?id=23090393
If you dive deeper into EU regulations you will soon find they have near-zero interest in user privacy. They are forced by voters to put a show, the practical result is what you see.
We shouldn't wait for a government to apply technological measures for our privacy, we should instead be an active part in making sure they exist and become popular.
> If you dive deeper into EU regulations you will soon find they have near-zero interest in user privacy.
I dived into it and didn't see what you suggested. Even Google added "reject all cookies" in EU recently.
> we should instead be an active part in making sure they exist and become popular.
Why not both? Sent from my Librem 5.
Using a web browser with location disabled instead of smartphone apps.
Most websites add incredible friction if you do not use the app.
I am willing to bear it, but I can understand why many do not.
which brings us back to point 1:
people don't care or much less than practicality.
This is not true. People just don't know what to do about it: https://news.ycombinator.com/item?id=20207348
Options ?
Do not use Smart Phones, maybe a Burner Phone would be ok
you don't need a smart phone to have your location tracked
It should be illegal for companies to do this to us. Our only option is to not use cell service? Bah.
Further enhances my feel that internet connectivity should be a utility, not a for profit service at all.
>It should be illegal for companies to do this to us. Our only option is to not use cell service? Bah.
That's not what the article describes, though:
"Locate X which uses location data harvested from ordinary apps installed on phones"
> It should be illegal for government agencies to do this.
I don’t understand why the law should specifically limit the government like that. I think it should be illegal for anyone to do this.
>The Secret Service told 404 Media in an email last week it is no longer using the tool.
Given that parsing non-denial-denials is journalism 101, I wonder at 404’s studious incuriosity about the Secret Service statement. Here are some questions I would ask the Secret Service on the record if this was my story.
1. Does the Secret Service use other tools, partners or methods to collect location data on Americans without establishing probable cause and obtaining a warrant?
2. Does the secret service collect the location data of all Americans, or does it target certain groups in particular? If the latter, how does the service decide who to target?
3. What other crimes become non-crimes if the private company hired to commit them gets the victim to check a box labeled “I agree to the terms of service” prior to watching a funny cat video?
4. Hypothetically speaking, is it now legal for me to start the “uber for loansharking” if my terms of service indicate that the penalty for late payment is kneecapping by non-employee gig muscle?
5. Can the secret service identify my source for this story by determining who i’ve been meeting for lunch at the Holiday Inn every Friday for the past two months? If so will your wife be in a lot of trouble?
> if my terms of service indicate that the penalty for late payment is kneecapping by non-employee gig muscle?
Why stop there? If ToS overrides the 4th Amendment, why not the 13th?
If they're not using Locate X anymore it's because they've replaced it with something equal or better...
Or they're lying. Cops do that a lot too. But I personally think it's more likely that they have a replacement.
Locate Y.
Maybe Locate X2 or Locate X_2
The app stores want a monopoly, and the right to charge large fees from developers and consumers, to protect us
Then they do not
Liars
This feels like crime.
yeah.. they know nobody reads that
This is probably unpopular, but I think secret service should have the same right to our data that the thousands of companies have. If they want to know my screen orientation, battery charge level, and location every 10 seconds, I don't see why it should be any more illegal for.them to have it than any other agency of any other government in the world, not to mention all the corporate entities...
What makes you think the “thousands of companies” should have the legal right to our data?
None whatsoever, other than I and millions of others have agreed to it.
But my point is the secret service should have the same access.
And I don't know why anyone would assume that the United States secret service is the only intelligence agency using that data