"Ironically, nudging and "dark patterns" of design were once enthusiastically endorsed by governments, legitimising the techniques of manipulation."
The government imprisons people as well, but this isn't legitimizing the idea of kidnapping.
Seven European consumer organisations have filed a blockbuster complaint arguing that Google's location tracking in Android lacks a valid legal basis in the European Union. At the heart of the complaint is that the user control of location tracking falls far short of what's required by the union's General Data Protection …
"And that's not even considering that every citizen has a voice in choosing its government in a democracy."
They actually don't. Since you're bringing up US politics, in virtually every election, the largest constituent has been those who have abstained as they thought none of the politicians were fit for office. Their voices are however routinely ignored by NPCs.
"At the heart of the complaint is that the user control of location tracking falls far short of what's required by the union's General Data Protection Regulation (GDPR)"
Who'd have thought that providing a control that claims to stop location tracking without actually stopping location tracking would have been objectionable?
If you are some paranoid nutter that cares about this sort of thing, then don't turn it on. If you do. You can permently pause it, and if you want to delete all the previously collected data, you can also do so. If only Apple did ANY of this. With iPhone location tracking, it's mandatory with no option to turn it off, it's part of using the iPhone agreement and used to improve apple maps, and the data may be shared with partners. Go read the apple privacy policy.
The Google settings are pretty reasonable, if you don't like them, don't use them. I find it handy for time billing. Knowing where I was when
You are preaching to the wrong crowd brother. Seriously, if you are so utterly and personally inept at life stuff that you need Google to help you with this "I find it handy for time billing. Knowing where I was when" then you really do get what you deserve.
The rest of us... I think we'd be just as happy without all of the subliminal tracking and data slurping thanks.
"
If you are some paranoid nutter that cares about this sort of thing, then don't turn it on
"
Paranoid? I may well want to use it for some things, but if you leave it on all the time it means that potentially anyone could get hold of your location history since you started carrying a Google device around with you. Maybe you think that's harmless - but what happens when your insurance goes up because they see that you regularly drive on statistically more dangerous roads, or visit places that are deemed a "lifestyle risk"? Or your employer can look to see where you went on that day you said you were sick (but really went to a job interview), or your nutty ex uses it to follow you around, or a burglar uses it to ensure that all household members a far away?
The correct way would be to leave it off unless I start using an application where I specifically want it to know my location.
"The correct way would be to leave it off unless I start using an application where I specifically want it to know my location."
When you buy a phone you should be able to use its location features without sharing your location to advertiser's and without being tricked into doing so by deceptive wording.
If you accept Google being tricky you hand too much power to them in return for to little to consumers. The more power Google have, the more money they take from you via the advertising costs that form part of the price of what you buy.
If Google give you a location tool in return for location data and you are fairly informed about the cost benefit this is deemed ok by GDPR. This is not the case because you are not faily informed. Neither the cost nor what you get in return. s. I don't think consumers are aware of the hidden cost of Google's tracking to product prices so I support the EU govt fighting on our behalf.
All Google have to do to comply is be honest.
If they are incapable of honest trading they should be fined.
To be fair paused=off in that sense. if it renamed it to off it would still do the same thing just have a different name. It doesn't automatically re-enable itself after a set period of time for instance.
You pause the location history on the dashboard, but that doesn't mean Google can't track you.
By naming it 'pause' instead of 'off', it's probably the one thing Google are (slightly) honest about.
No, location history cannot be turned off on the device.
It is a setting of the user's account under Web and only available through the online account management through the web browser. And you can only pause it, you cannot turn it off.
If you turn off tracking on the phone, it does not affect location history.
The Anonymous Coward is talking utter horsecrap.
There are two location histories, you can only turn one of them off, and that makes no difference whatsoever to Google's ability to track your location history.
Sorry to say it BUT, all you are doing is just pausing the software, NOT stopping it. With Google you have no say with their software, it is in their terms and conditions. Basically there are no free lunches while Google is around.
Possibly worth pointing out that there is a little message at the bottom of this page that says:
We use cookies to improve performance, for analytics and for advertising. You can manage your preferences at any time by visiting our cookie policy.
If you vist the cookie policy page, you'll find 7 separate places where you are told you may opt out, 3 of them belong to Google and some of the others seem merely lead to lengthy expositions of privacy policy with hard-to-find allusions to opting-out. And those opt-outs almost inevitably will involve other cookies being stored. So, kettle, pot, etc.
The real problem is that there still isn't any real alternative to advertising to fund Internet services and it's not clear people would want to use one that involved actual money. Perhaps leaning on Google over privacy might encourage them to find a way.
The basic fault with all these "GDPR updated" cookie policies is that they are all still opt-out in best case and more often just some advise on how you can dive down into your browser's cookie mgmt to clean up after each visit. So it's a looong way to opt-in based on the GDPR grouping cookies. And we still have the old "By continuing [whatever actions] you consent to our cookie policy".
Some "4%" fines are really needed.
"The real problem is that there still isn't any real alternative to advertising to fund Internet services"
The real problem is the insistence of the ad companies to engage in ubiquitous surveillance as part of their business model. You can absolutely do advertising without spying on everybody, it's just less lucrative.
That said, if the ad companies cannot do advertising without spying, then I say let them all die. The internet got along fine before advertising, and it will get along fine (in very many ways, a whole lot better) without it now.
Also, the notion that it's "advertising or nothing" is a false choice. There is a whole spectrum of other means of raising revenue.
"Perhaps leaning on Google over privacy might encourage them to find a way."
That will not happen. Google's entire reason for being is to gather as much data as possible and use it to serve up ads. Saying that they might find another way is no different than saying that they might find a way to go out of business. Google is an advertising company, after all.
That said, if the ad companies cannot do advertising without spying
Well - there's just been a case in France where the regulator found that how the ad industry collects and tracks information (and obtains consent to do so) is illegal under the GDPR because they bundle many services together under on banner so "informed consent" isn't obtained for each usage.
Which means that ad brokers and exchanges are, in fact, illegal[1] as currently constituted in Europe.
Which is a Good Thing(TM).
[1] Well - the data collection and retention is illegal. And without the data, the current methods of ad real-time-bidding doesn't work - so essentially, all the ad exchanges involved would go out of business. Which is a Very Very Good Thing(TM)
"The real problem is the insistence of the ad companies to engage in ubiquitous surveillance as part of their business model. You can absolutely do advertising without spying on everybody, it's just less lucrative."
I'm not even sure about that. In the old days of dead-tree publications, there was no ad tracking, everyone saw the same ads. That was actually a lot more lucrative. People actually bought local newspapers etc to look at the ads, and if you had an advert in a newspaper, that meant you were a big trustworthy company. Now it seems to mean you are a bottom-feeding, clickbaity scammer.
"You can absolutely do advertising without spying on everybody, it's just less lucrative."
Need a citation for that - on a specialist site like "the register" then surely knowing its content and therefore its intended audience is enough to know what ads to run. You don't need to track/personalise/etc me to show me an ad.
They can still make their megabucks advertising. It's only the "personalised" advertising that would be curtailed. They get premium rates for such ads, but I'm sure they can figure out how to charge enough to keep the electrons flowing for ads based on currently deprecated data like the actual search phrase entered into google or maps.
But it doesn't have to be targeted. To be honest, I've disabled all tracking on my devices - to the extent that I have around 45,000 tracking domains set to 0.0.0.0 (unroutable) in my hosts file and the quality of the ads hasn't suffered, in fact it has improved, I get random ads instead of ads for products I've already bought.
The problem with hosts files is they don't allow wildcards. So when they point to you a dynamically made up server name, ie a43c56.adhack.com, it won't match. There are two better ways to do it. You can do wildcard matching in a proxy.pac file. You can create your own internal dns server, and create fake zone files that point *.doubleclick.net to 0.0.0.0. I like the second one because it automatically applies to all of my devices, tablets, phones, etc on the local network.
Yes, I did the same thing when I read this story. First of all I couldn't find their privacy policy anywhere - no links to it until i realised it was hidden under the "cookie policy banner". Then it incorrectly uses the stupidly titled exemption of "legitimate business interests" which absolutely does not mean "as long as we want to do it we can".
Then there is no free consent given and no single place to easily opt out (opting out is subcontracted to the providers)
The privacy policy says "As you interact with our Website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies"
"The Register may collect, process and use your personal data (including your name, postal address, email address, telephone number, mobile number and technical data including your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Website"
"We may transfer your personal data outside the European Economic Area (EEA)."
I'd say that the bigger issue on Android is spyware apps and libraries that are hidden, can not be disabled by normal means, and can not be prevented from running in the background. These usually operate under the excuse of offering weather services, lockscreen themes, app usage feedback, local news, marketing feedback, cloud sync, and various feed updates. Their primary goal is to periodically make a query that reveals GPS, IP address, phone ID, and phone status. Even if GPS is off, the IP address can be correlated with other phone requests where GPS was on.
Check your cellular data usage. Notice how there are 10+ apps on Android using background data for no good reason. Apps that don't even use the Internet, like games and launchers, are using cell data in the background "for marketing feedback."
"Check your cellular data usage. Notice how there are 10+ apps on Android using background data for no good reason."
There aren't any such apps on my phone! But then, I use a firewall (as everyone should) to ensure that no apps (or the OS itself) can communicate without my permission, I'm VERY cautious about what apps I will install, and I keep the fewest number of apps installed that I can.
"But then, I use a firewall (as everyone should) to ensure that no apps (or the OS itself) can communicate without my permission"
You do realize that even apps fully firewalled from any network access are completely free to load a webpage in a browser window for you (and it will be the browser doing the net access, not them)...? And that in that process they are able to send whatever data they feel like to the server they load? And that you won't necessarily _see_ said page at all...?
You've obviously not used this kind of firewall.
What's being talked about here is an outgoing firewall where the user is typically asked to permit or block each individual network connection as it is requested (by the operating system, or an app, or JavaScript inside a web page). So loading a page in a browser could result in several prompts requesting connections to different domains - ad servers, tracking servers etc. and you can choose which succeed and which are blocked.
Now that's a bit chatty so you can usually set up permanent rules to allow or block. Really effective for removing adverts and usurping tracking attempts.
"You do realize that even apps fully firewalled from any network access are completely free to load a webpage in a browser window for you (and it will be the browser doing the net access, not them)...?"
Of course! But web access is firewalled off too, so that doesn't matter.
I've recently bought a bluetooth widget (NIX colorimeter) and for the app to talk to the device you have to give it permission to access location. WTF ? Why does it need location permission to talk to a bluetooth device ?
"Why does it need location permission to talk to a bluetooth device ?"
This is because Bluetooth can be used to determine location. From the Android developer's guide:
A location permission is required because Bluetooth scans can be used to gather information about the location of the user. This information may come from the user's own devices, as well as Bluetooth beacons in use at locations such as shops and transit facilities.
This highlights a pretty serious problem with the Android permission scheme -- it's too coarse and some of the permissions are required for unexpected reasons. I've been wishing that they'd fix this whole mess from the first time that I was exposed to it.
Requiring location permission to use Bluetooth is understandable from one point of view, but it makes little sense in the larger scheme of things -- if the permission is required for the reason they cite, then the permission would logically be required for a whole host of other things as well, none of which are more than tangentially related to location. Requiring this permission for such a wide array of things renders the permission a bit pointless, as users will rapidly learn they have to just accept it in order to do most of what they want to do.
Requiring this permission for such a wide array of things renders the permission a bit pointless, as users will rapidly learn they have to just accept it in order to do most of what they want to do.
Exactly the point of it methinks.
They are training you to press the 'accept' button on location tracking, so that you will just automatically accept it when a popup that matters prompts for it.
"They are training you to press the 'accept' button on location tracking, "
Oh boy, this is tinfoil hat time. It serves as a warning from Google that this app is using something that may be able to track you and you have to agree to that. Web Beacons can be used for tracking very easily and in some areas are quite prevalent.
Therefore Google can either make you think you aren't being tracked because you only have Bluetooth on due to an app needing access to it and then they get headlines saying "apps are utilising a loophole in bluetooth to allow tracking" or they know that by allowing bluetooth access on an app they can track using that so you must also give permission for that as well. You don't need to allow that app to have access to GPS to use bluetooth!
" It serves as a warning from Google that this app is using something that may be able to track you and you have to agree to that."
Yes, that's the intention. But because the Android permissions system is so utterly awful, that's not the effect. The actual effect is that users are encouraged to ignore the permissions request and just allow everything.
The problem with the Bluetooth-related locations permission is that it's too coarse, as using the permission in that way means that the permission will be asked for with the majority of apps, whether they engage in location tracking or not. That's training people to just click "accept" without thinking.
A better way to do it is to make the location permission required for apps that actually use location services (which is what users assume it means, even though it doesn't), and have a different mechanism to warn users about possible loopholes. For using Bluetooth, for example, rather than asking for location permission (which is a misleading thing to do), it would be better to just put up a warning that apps that can access Bluetooth could leverage that access to determine your location.
"A better way to do it is to make the location permission required for apps that actually use location services (which is what users assume it means, even though it doesn't), and have a different mechanism to warn users about possible loopholes"
But it is not really possible to tell whether an app is using Bluetooth for location tracking or for just connecting to a peripheral. So by giving a 'warning' what you are actually suggesting in your comment is that is so people can safely ignore it as it isn't relevant. So the app that does do tracking via Bluetooth, or worse pretends it is a peripheral connector but is actually gathering tracking data and reselling it gets let off the hook because they know most people will ignore the warning. That's why you have to explicitly allow location tracking as it makes you think about those risks and agree to them.
" So by giving a 'warning' what you are actually suggesting in your comment is that is so people can safely ignore it as it isn't relevant."
This is true, but what is the alternative? Google's approach has the exact same problem, except that it is encouraging people to ignore a permission that, in other circumstances, has a more urgent meaning.
The point of my suggestion is to both eliminate the confusion that the current permission causes, and to try to avoid encouraging people to simply accept all permissions because they're always asked for no matter what anyway.
"Garmin Connect" is a prime example of software requiring more information than is necessary for it's function.
If you ask Garmin support on the phone about the use of it's adult smart watches by children, they say yes, they're fine for children. If you then buy one, you discover that the only way to use a lot of the devices functionality (like keeping accurate time) is to either lie about the child's age, or create your an account with your own details, and couple the device to that.
I'm not about to teach my child to lie, so Garmin have some exercise stats which will indicate that I have mid morning playtime and weekly PE lessons. Isn't irony something you do to your shirties?
For some reason the kids versions of the smart watches are partially crippled.
As Bluetooth beacons, wifi, GPS and cellular data are all used to track someone position, all of them now work together, and are dangerous from a privacy perspective.
Obviously there could be legitimate uses - i.e. those applications that use GPS to map last Bluetooth communications to help you find your car could be OK - as long as the data stays on the phone and is not transmitted and stored to the mothership.
"and are dangerous from a privacy perspective."
Yes. This is a major part of why I generally don't allow apps to communicate to the outside world -- apps can gather all sorts of sensitive information without your knowledge, and the Android permissions system is essentially worthless in terms of helping to mitigate that.
So my second-to-final defense is to firewall all apps off, so that even if they're collecting information, they can't send it anywhere. (My final defense is that all communications to/from my phone goes through a VPN to my home server, where my router and firewall rules can be a bit more comprehensive.)
@Snowy, on your android device perhaps, but not on any of the (probably hundreds) I've seen used or supported over the years.
the only thing i've seen that comes close to that is some of the fitbit style things want BT and location on to do their "sync" thing and then they're perfectly happy without location.
This is only needed if you let the fitbit battery die for example. It will ask for location and bluetooth to sync but that's the fitbit app, not android, doing the asking.
Genuine question, as i'm wholly unknowledgable ( and too lazy to google ) on matters regarding GDPR.
Are the 4% fines levied on both Google AND the advertisers (agencies and brands) in such breaches?
If not they ought to be. Legitimate businesses would soon change their ways if they were also fined for unwelcome adverts finding there way to me and others.
GDPR is about data "controllers" and "processors":
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en
Both can be fined if they don't abide to the rules - but an advertiser may be none of them, as they can never gather, store or process personal data. For example, if Google lets you chose a target (say "single white male nerd between 30 and 40, living in a city > 100,000, income above X, good credit score, Star Wars fan, buys online"), and Google does the targeting, the advertiser never see the actual personal data. so it isn't nor the controller nor the processor - Google is both.
If, as in the CA scandal, data are actually transferred, both can be fined.
However, GDPR is not a law against the advertising industry - it's to protect personal data.
Evidently, the slant the ads industry took in the past years toward targeted behavioral advertisement (plus using "influencers" to hide the ad origin...) is built on data hoarding, and won't work well without it.
"Google does the targeting, the advertiser never see the actual personal data. so it isn't nor the controller nor the processor - Google is both."
Technically, Google is just the controller in the example you give, there is no processor.
The controller is responsible for compliance with the principles of processing of personal data under it's control. If an processor were acting on Google's behalf, it would act only on Google's instruction, so the big G carries the can (unless the processor acts outside of those instructions).
It would be more likely if there were sharing of identifiable information with an advertiser, that both are controllers (rather than controller-processor) and so both are equally responsible for their own processing activities.
I agree, the business models that ad industry and consumer web services like Google have put in place are heavily dependent on data slurping. When regulation under GDPR and other DP laws start to have an effect, they may use that to move to a more freemium type of model for some services, or charge more for products e.g. Android devices, if that source of revenue is to be undercut.
That depends on the structure of Google - i.e. if the collecting and processing entities are legal entities on their own or not - i.e. what separation may still exists between Google and DoubleClick.
IMHO Google & C. are very careful about not leaking PII to advertiser, because the "value" is exactly in fully controlling them and just sell services built on them.
I believe Facebook was more furious CA could "steal" its data than it used them for nefarious activities.
About the business model, I prefer to pay for a product than let them hoard my data, especially since one day the can be used against me. I already pay for my mail server, web site, and storage, exactly to keep my data away from Google & C.
Yes, Google might still be able to track me via cellular network but since I'm not using Internet on my phone, they have no way to push the advertising on me. At least for the moment!
Also, on my computer, I use Gmail exclusively in a different standalone browser so all that's left for them to push ads on me is search (where I can ignore them) and YouTube where they are so annoying that I swear to never buy whatever they're advertising. In the end, since I'm not purchasing anything over the Internet the data they collect is pretty useless so I guess those companies putting the ads are being robbed of their money since they can't really reach me.
I know there are ad-blockers I could use but I'm honest and if a site is ticking me off with aggressive ads, I quit right away and never go back.
No. Waze is not the answer. Nor is any other non-google mapping app if you want to use things like Android Auto, or associated Auto apps. They *all* link to Google Maps.
Sure, you can install and use Waze standalone (and if that's the choice, I'd have HERE, since it has a proper useful driving-mode, unlike the POS google Maps "driving mode" which seems elusive on all versions of Android I've ended up with). But then you've broken the google grip on your device, and things using maps don't/can't integrate.
But, in a move to piss off google - and handset manufacturers general - I've discovered that devoting an old MOTOG as my sat nav solution works perfectly. So my phone stays in my pocket ...
Android Auto?
Happily our household runs an approx 10 year old car so it lacks such bells & whistles & I just use a dedicated SatNav and temporarily stick it to windscreen corner if going somewhere new where I don't know the way.
This has bonus of locating satnav in a useful position - unlike car "inbuilt" satnavs which always need you to look away from the road more.
I have seen such stuff when being chauffeur for infirm relatives using their car.
My solution is to keep phone charged from USB charger plugged into lighter socket so bypassing the USB ports the car provides that tries to pull in android auto etc.
The answer is to use an app on your device which uses offline map data. I've successfully used an app which uses offline openstreetmap data in Italy, Spain, France, Norway, the US and the UK.
I use Mapfactor Navigator, but there are other apps to choose from.
fuse
/fjuːz/
noun
noun: fuse; plural noun: fuses; noun: fuze; plural noun: fuzes
1.
a length of material along which a small flame moves to explode a bomb or firework, meanwhile allowing time for those who light it to move to a safe distance.
"a bomb on a short fuse"
a device in a bomb that controls the timing of the explosion.
I wonder if EU citizens in the UK after Brexit are still covered under GDPR for products purchased in UK. If so then whats to stop UK citizens from claiming European data protection profiles.
As to the old "you get the governement you deserve" in light of the sudden changes to UK voting (new ID requirements) then one wonders if the brexit vote might have been discovered to have included "extra" votes, thus making the government something other than that chosen by those with an "offical" franchise.
Signing up with Polar to get the full functionality of one of their fitness devices is exactly the same - you must agree to everything before you can do anything, nothing is optional. If you want to use their fitness trackers in total isolation then you're good. But you can't connect to anything without first installing a mobile or desktop app. And agreeing to:
- Handing over all your personal details (lots of mandatory data collected)
- Your data being exported outside the EU for processing
- Your data being used to verify your identity, investigate fraud and 'misuse'
- Your data being used for activities not directly related to fitness tracking
- Your data being made available to subcontractors
Some of this you can subsequently revoke but only by contacting customer services...