ICO (...) pause our investigation because of COVID-19
yeah, covid19 ate my homework, cause this only became apparent to ICO, in March/April 2020. They are f... useless.
Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is "personal data" as defined by the EU's GDPR and that this data is illegally processed. Based in Vienna, Austria, Noyb is a nonprofit founded by Max Schrems, a …
It's also about generalising an issue to avoid holding specific companies to account. If Google has a unique tracking ID that users do not give consent to, then Google should be held accountable for *their* abuse of GDPR. Let's not bury this in an investigation of real-time bidding and the adtech industry.
This article is a pretty neat example how a simple "don't track me" sentence can be muddied with "but we don't know who you are" and "you can change it at any time" and probably "you gave your informed consent on page 153 of the T&C's"
You're missing the point.
The article also says that ID changing is only effective long term if it's done regularly and often. The problem is that other information can be used to eventually associate multiple advertising IDs with a single identity, so long as the ID isn't changed too often. The problem is that on Android you have to have an advertising ID and Google make sure that it is always unique, which is what makes such an association possible. Consequently, Google doesn't control whether other parties process for that association, and in fact is constructively assisting them in doing so by giving them access to a guaranteed-unique advertising ID. Doing such processing is probably illegal, and Google is choosing to be complicit with it.
Apple's system (if reported accurately here) means that you can have an ID that is not unique (all zeros), and therefore other processing cannot associate them together into a single identity.
In all honesty, governments need to decide if targeted advertising is legal or not
All of this grey area crap is just vacilliating around the real question. Should you be able to gather data for people for the purposes of monetising them.
If the answer is yes, then accept that it means companies hold data on all individuals if they use devices or services offered by those companies, if not, then we've got to be prepared to pay monthly for phones, email, websites etc.
"In all honesty, governments need to decide if targeted advertising is legal or not"
In all honesty, governments can have access to the data, if they decide they need it, so governments have a source of tracking info that costs them nothing and is managed for them by somebody else who likely does a better job of it than most governments will.
Don't expect laws against it any time soon by a government near you.
In all honesty, everything you said is wrong.
"governments need to decide if targeted advertising is legal or not [...] All of this grey area crap is just vacilliating around the real question. Should you be able to gather data for people for the purposes of monetising them."
There is a grey area, and it's important. Gathering information about what someone does on your platform so you can make recommendations to them on that platform usually doesn't draw much ire. For example, I don't care if Amazon records a history of things I buy and uses it to suggest products while I'm logged into the same account. The problems occur when that data is released or when collection isn't obvious. I'm not happy for Amazon to start selling that information to others, nor am I happy for Amazon to collect information about my browsing elsewhere or when I'm not logged into an account with them. It's a control thing. If Amazon only collects things I do on their platform and connects it to the logged-in account, then I can stop them doing that by not using their platform or anonymize it by using multiple accounts. If they do other things, I have no certainty about what is happening and certainly no control over any of it.
"If the answer is yes, then accept that it means companies hold data on all individuals if they use devices or services offered by those companies"
So if the answer to a very generalized question is yes, we basically give up on all controls? Because a lot of the question isn't about something that clean cut. A lot of the concern is about what the companies do with the data, how they collect it, and how much information and control the consumer has. These are the important questions, but you fail to mention them at all.
"if not, then we've got to be prepared to pay monthly for phones, email, websites etc."
Wrong. We pay for phones. It's called the purchase price and it's quite high. The software comes on those phones, just like there's firmware on your microwave. You don't decide you have to pay a subscription for your microwave, nor would you accept it monetizing you. The same applies to phones. While removal of some of the profitable ways to monetize users might mean more sites have to switch to a subscription model, it isn't guaranteed. Advertising wouldn't be made illegal--advertising tailored to the content or of a general nature is fine. Collecting information in an open and transparent way about what is collected, how, and what is done with it likewise would work. What you're serving us is a false dichotomy, and a very popular one among people who violate our privacy. You're telling us that having our data strip-mined is necessary to an internet of free services. Well, that's not true for all free services, it may prove false for many others about which we have no information, and for those that are left, we might be willing to pay that price.
I would rather no one knew what i was browsing or buying and i definitely do NOT want targed ads. Infact i do not want ANY Adds.
If I google for something then i expect to see a list of items linked to my search (not what i have searched for or bought before).
As you said, if you are already paying a LOT of money for a phone then why do you have to pay (suffer the pain) of advertising (targetted or not) from Google etc.
You're using software. Software costs money to create, and then it costs orders of magnitude more money to maintain.
If you're not willing to pay for that yourself, then you don't really get to complain when those who are paying for it decide to insert their own agenda.
The cost of the software should (and almost certainly is) included in the price of the phone. It's part of the R&D costs inherent in almost everything you buy (even a milk carton needed to be designed by someone who was paid to do so). It costs money to develop the software for your car, washing machine & microwave - but you do not pay separately for that, nor is it leased to you for a monthly fee. If you want to upgrade, it's up to you whether to pay whatever the cost of an upgrade is - although if the upgrade is necessary in order to fix a significant bug, then SOGA will dictate whether the supplier must do it free of charge.
"I would rather no one knew what i was browsing or buying and i definitely do NOT want targed ads. Infact i do not want ANY Adds."
I don't like ads either. You and I are perfectly within our rights to try to avoid ads. However, it's quite a hard argument to make that advertising itself violates our rights. If we get everybody to agree, we can try, but I am not going to put much effort into an anti-advertising push. I will put that energy into anti-tracking policy, though, because that causes a lot more harm to everybody and is already legally dubious. The result may be that there are still ads, but they are tailored only to the current environment or to small amounts of data you've knowingly decided to let the advertisers use. Should we get that, I would view it as a profound victory.
I can agree wholeheartedly with what DoubleLayer said, but go further: unless I explicitly decide to open an account with an online provider (e.g. Amazon, for the sake or argument) then any relationship with me ends when the purchase is delivered: all data save perhaps a legal minimum recording the purchase for guarantee purposes should be deleted. The example might be a bricks and mortar store where I walk out having handed over cash and with the goods and a receipt in my hand. No further contact.
If I do choose to have an account, then the provider may record that which I purchased, and other of its products that I may have viewed but not purchased. It should not use that information for advertising beyond on-page in-site suggestions, and most definitely sell it to other sellers.
In either case, where I came from and what I looked at there is none of their bloody business.
I agree, but think they are in part two problems/solutions.
Shopping for most is fine for them to let the retailer know they are shopping, a repeat customer, and what they are shopping for.
Shopping for some may wish to stay entirely anonymous.
So the option to be, is nice. It's rather hard if using a credit card, but even options exist for anonymising those (single use cards etc).
Having both options, does not mean the other "camp" is wrong. It also does not mean either camp want 100% tracking! :)
I agree, and I think my previous restrictions implement that. Namely, the retailer can record the shopping history of people and associate it with the account, but they cannot release that information and they cannot further track. It would be nice for them to offer accountless purchases, but even if they choose not to, a person can get anonymous shopping by setting up multiple accounts. Well, they can get untracked shopping; buying online is almost intrinsically attached to some identifiers because you have to pay and cash doesn't work and you have to get delivery of anything physical.
There is a grey area, and it's important. Gathering information about what someone does on your platform so you can make recommendations to them on that platform usually doesn't draw much ire. For example, I don't care if Amazon records a history of things I buy and uses it to suggest products while I'm logged into the same account.
Yes, and this is a well established, acceptable thing for a seller to do. Back in the old days when we had local grocers and butchers who'd deliver, their account book would be a record of who had bought what, and when, and for how much. Amazon does deviate from that to some extent, being also a market place and payment broker.
Wrong. We pay for phones. It's called the purchase price and it's quite high.
I'm afraid that's not quite right any more, at least not always so. For example, Facebook pay money to phone manufacturers to have the Facebook app pre-installed, subsidising the cost of the phone. Apple, who are making more money out of services these days and less from selling hardware, will price their hardware according to the revenue they can expect to get from the services they build into the hardware.
Ever wondered why an Alexa is so cheap?
Basically, manufacturers now are busily looking at excuses to internet connect everything, because then they might be able to monetise the "thing" that's been sold beyond the original purchase. An IoT security system for a house is a dream for the manufacturer. It tells the manufacturer when the house is occupied or not. Such data, aggregated, is valuable information for TV advertisers, energy companies, etc.
Basically, anything that can have an excuse to be Internet connected and is somehow desirable to the householder in its own right for being connected, is primed to be laden down with all manner of sensors to determine whose in the house and when. Give it a WiFi and Bluetooth sniffer, IR motion detect, audio sensing, the lot, regardless of whether those help it do its overt function. Put weight sensors under the shelves of fridges, so that you can tell when the weekly shop has been done...
I'm well aware that phones do a lot of tracking. My point was that they don't need to, and we don't need the alternative to be a subscription price for the use of the phone. Most companies make plenty of profit on the phone purchases, and then they are willing to make extra profit off the user data. If one is made illegal, they'll be fine. Even those few who sell their phones at a loss will just have to increase their prices to deal with the fact that a predatory practice of theirs isn't allowed anymore. I am fine with that.
Market and advertising data analysis is something that has always been done, even pre-Internet, though it was far less targeted, and couldn't be done down to the level of an individual. For example, a lot of effort went (and still does) go into working out whose watching what adverts on TV. So, people were still "monetised", but it was more of a herd thing, not an individual thing.
The difference now is that the device that delivers content is reporting back to the content provider in a very detailed way. Previously, pre-Internet, such information would be gathered using surveys, looking at magazine subscriber lists, asking the newspaper boy which houses took the Times, etc.
There is an adjacent legal issue associated with your point though. Many of the Internet's woes are attributed to the high probability of there being no real consequences for online bullies, paedophiles, fraudsters, etc. Governments are getting increasingly annoyed by this, and a possible ultimate outcome could be that it become illegal to offer Internet services (where they can upload content) to users without recording (but not displaying) their proven legal ID first.
The thinking is that if someone posts some child porn to a private group on Facebook, once the content is identified the company can easily give the police the poster's name, address, etc. and they're arrested and prosecuted in very short order. The court case can then proceed with a high degree of certainty that their identity as the originator of the content is correct.
Obviously there's a lot of hows and wherefores about bringing in such a thing. But I think something like that is ultimately where the Internet is headed.
I said this was adjacent to what you were pondering. If a service provider were obliged to know exactly who you were whilst you were using that service, that blows the whole "advertising ID" thing out of the water. I think it highly unlikely that people would be willing to use a service like Facebook if it meant that they were being monetised in a very personal, this-is-who-you-are-and-where-you-live way.
On the other hand, using a web service like Google Maps would still be possible anonymously (i.e. no need to record the user's legal ID). Such a service isn't a conduit for objectionable or illegal content, it's simply a maps service.
So I suspect that, long term, we'll see a move away from ad-funded web services like Facebook, Twitter, and whatnot, towards equivalents where you have to pay to use them. The payment solves the where-does-the-money-come-from problem, means that the service provider doesn't need advertising or analytics to fund itself (thus keeping users happy), and is also a pretty good solution to the legal ID issue (your credit card number is a pretty good starting point for a legal ID). That move for such web services might also mean that other services like Maps and Search also become subscription funded too.
And we've been there before. Pre-Internet services like Compuserve weren't free. We had to pay for them.
Do such legal requirements, if they were ever to be brought in, move us closer to the objectionable level of control that, for example, the Chinese government has over its citizen's lives? Probably yes. But perhaps that's why people should pay more attention to the workings of their democratic governments, the laws that are being drafted and the oversight that actually happens. There's a good chance that this is where law will go anyway, so it's best to be paying attention to make sure that law remains acceptable if and when it does change.
> Market and advertising data analysis is something that has always been done, even pre-Internet, though it was far less targeted, and couldn't be done down to the level of an individual.
You forget shop customer cards.
It was a lot more crude and done at tiny scale in comparison, but it was done. Also, credit card companies which, for a while went around flogging your data to anyone who wanted to pay for it.
It was wrong then and it is wrong now for the same reason: doing systematic and centralised profiling for an entire population makes that society highly vulnerable to various forms of abuse and attack, totalitarianism being the example we are most familiar with.
Yes I didn't mention shop customer / loyalty cards.
Here in the UK one of the primary motivations for shops to introduce them was that, AFAIK (corrections welcome) it's illegal to record someone's credit card number for the purposes of market research. They're allowed to process credit card details solely for the purposes of payment, and nothing else.
I don't know if a similar legal restriction extends to the credit card companies themselves here in the UK; I was kind of assuming that it did.
It was wrong then and it is wrong now for the same reason: doing systematic and centralised profiling for an entire population makes that society highly vulnerable to various forms of abuse and attack, totalitarianism being the example we are most familiar with.
Systematic and centralised profiling of an entire population and its activities doesn't result in totalitarianism, rather the opposite in fact.
We've had the census every decade and extensive regional and centralised record keeping by all branches of government for all sorts of purposes for centuries here in the UK, and we've still not experienced totalitarianism. For centuries, record keeping and analysis leading to important information has led to necessary decision making by government. I'm not saying it's been perfect, or pretty or even fair - there was the Civil War, various revolts, oppression of some parts of society for some of the time, etc. - but on the whole our system of government, which latterly has become fully democratic (only as of 1928, not even 100 years ago) hasn't been as bad as some of the alternatives and hasn't been terminally caught out for want of information.
In contrast, how many other European states have been overturned in revolutions, basically because the higher ups were ignorant of the true goings on in the streets, in the economy, etc? France had its revolution, mostly because the French government / sovereign had no idea just how desperate things really were getting for ordinary people, leading to a properly nasty spell of totalitarianism. Russia had something similar in 1917 for similar reasons and, arguably, is still under the cosh of totalitarianism today. What let totalitarianism into 1930's Germany was a little different, but ultimately the poor economic conditions that let the Nazis come to power were not measured or taken into account by the other powers that had imposed the ruinous terms of the Versailles treaty at the end of World War 1.
What lets totalitarianism into a otherwise democratic society is weak and failing government. Governments fail, or take catastrophic decisions or delay decisions, usually economic in nature, when they don't have the information telling them "this really, really, matters, do something now or we're finished".
Information is also what keeps totalitarianism in power, except they're rather less polite or open about acquiring information. Totalitarianism didn't rise in Russia, Germany, China or North Korea because the revolutionaries had detailed records of each member of the population.
Another aspect of systematic and detailed profiling of the entire population is that it helps you stamp out corruption. If there is no real way of hiding from the information gathering process, it's pretty hard to be corrupt without that being evident in the records somewhere or other. Whether or not there's then the political will to have the police use that information to suppress corruption is a separate matter. But it's undeniably the case that you can't suppress or eradicate corruption without complete information gathering covering the whole population.
The UK used this to good effect in colonial Hong Kong. There, corruption was significantly suppressed by passing a law that made individuals responsible for proving that their lifestyle was compatible with their declared, official income. If you couldn't do that sufficiently well (e.g. earned HK$2.50, but lived in a mansion) you went to jail. We now have something like that here in the UK today, and there's such a thing as an Unexplained Wealth order.
These things only work at all (to any acceptable degree of judicial correctness) if there is a clear informational basis for defining the cost of a certain standard of living. Without that information, gleaned from extensive data gathering, an UWO would be a very arbitrary thing indeed.
So data gathering helps stamp out corruption, and stamping out corruption removes one of the key factors that, historically, has led to revolution which, quite often than not, has led to totalitarianism.
No, my name isn't Sir Humphrey Appleby.
But he might have spouted something like that in one episode or other...
@"Creating software cost money", not true. before OSS there were plenty of enthusiasts who created software and gave it away for nothing and without including code to spy and monitorise their users.
Where you used to pay was for bespoke business software and for the software to make developement easier. yes there were developers who sold their products but the costs was limited by the audience. Now everyone is using pretty much the same hardware the price is going up rather than down along with the quality.
There used to be many web search services that were free to use and without compulsary advertising or giving up your anonymity but over time they disppeared and/or were bought up/litigated out of existance.
All the truely free software, without stings attached, has disappeared. I would suggest since the enthusiasts were unable to fight the litigation power of the companies that stole the subject.
If you think about it then what exactly did Microsoft, Google etc create beyond their monopoly on home computing. Apple used to be innovators but that hasn't been the case for decades. None of the big names actually created anything beyond more ways to fleece their customers for little return.
IMHO home computing was stolen from the enthusiasts, now development is just another job with the majority of the profits going to the people who create nothing but still insist upon grabbing more profit at any cost to their users.
If we take Google as an example they started with webseach and where there used to be many it became just one, then with the advertisers they perverted the innocense of the web to make it what it is today, a mine field of corruption and profiteering that users have to attempt to get through inorder be able to still to use what used to be free.
The trump election and Brexit were won not by truth but corruption and lies spread via the unregulated internet social networks, where previously public manipulation of that level had to done via the press it could now be done via the internet for much less tracable money and without the same level of regulation.
After years of what would be punishable abuse if the content had been published in the press rather than on the internet the regulators are coming for Google and abusers spout the same rubbish that they did with press regulation, it is all lies you finally got caught and now you finally have to pay the price for your years of abuse.
Corruption is a good consideration, but you don't fix corruption at high government levels with detailed data collection on the average citizen. In fact, that gives you extra methods to maintain corruption, because people might only get privacy if they have sufficient connections, and they now have a massive database which can be sold to lots of people with cash to spend.
You attribute totalitarianism to revolution, and you're often correct. However, it doesn't always work that way. There have been many countries where someone came to power in an election that was somewhat democratic (sometimes with a lot of voter intimidation, but not always), but then turned the country into a totalitarian nightmare. The European example that is most well-known is Italy. Examples can be found elsewhere though, from early 1900s Japan to modern-day Venezuela. The dictators who eventually became beyond democratic removal were able to do that by leveraging powers of previous governments. That's one reason we want lots of limits on governments, but it's not enough to relocate those powers to a business or military area, because then you've just moved the problem around. Tracking citizens would be very useful to a dictatorship, as you've pointed out and as countries like China prove every day.
In my opinion, what leads to totalitarianism is access to power. If a revolution creates a power vacuum, then it is now easier to take over, so people will try. If you destroy a country, there will be a lot of displeasure, meaning that power is easier to get with popular support, so people will try. And if you make the government or anything else all-powerful, then you have increased the potential rewards of controlling that thing, so people will try.
"in the case of non-account holders, Google does not have the means to verify the identity of data subjects from an Advertising ID" - so they do have the means for 99.9999999% of Android users.
"you may immediately cease the processing of personal data related to your Advertising ID by resetting your Advertising ID." - and then immediately start the processing of personal data with the new advertising ID generated immediately afterwards.
'"in the case of non-account holders, Google does not have the means to verify the identity of data subjects from an Advertising ID" - so they do have the means for 99.9999999% of Android users.'
I agree that Google probably can identify people, but that's not what they said.
Legal statements are risky. No matter what you say, someone will try to use it against you; the less you say, the better. Google gave a very narrow answer, no doubt choosing their least-unfavorable case and hoping to limit the conversation. If their answer were less narrow, maybe they would have to admit something, but it wasn't.
It does not need to verify any identity whatsoever. It has the AdvertisingID, and a request to stop. It stops, and that's it.
This "verify identity" bullshit is just to protect its revenue stream. It is not required for the user, it does not bring any essential service to the user, and the right thing to do would be to say : "Okay, we have stopped collecting data on that ID. If you wish to resume, you may reset your AdvertisingID".
But that would cut into its bottom line, so fuck the user, we keep collecting.
Once again Max Schrems is putting his finger on the point that hurts. I sincerely hope he wins this case.
I run this on startup:
# When the Google ad is changed, the following files are changed:
# The following 2 fields in finsky.xml are changed:
# <string name="adid-cached-value">xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>
# <long name="adid-cached-timestamp-ms" value="SSSSSSSSSSsss" />
# x - Represents the new ad id
# S - Represents the epoch timestamp date in seconds when the ad-id was changed.
# s - Represents the epoch timestamp date milliseconds when the ad-id was changed.
rm -fv /data/data/com.google.android.gms/shared_prefs/adid_settings.xml
presumably they will be presented in Evidence and Mr Ryan will be called as an Expert Witness?
Thank-you! I'm sure some will consider that I wrote your post!
It happens around here - major cockups, or stupid opinions fine, but to download other posts without saying why is, indeed, annoying...
I want to know what I got wrong, so I can learn!
Maybe it was my formatting? (not my fault, El Reg does that!)
Maybe it was considered showing off? (I was just pasting from my "stop snoopers" startup file. There are loads of other enties.. available on request")
Maybe someone doesn't like seeing unix commands?
Maybe an ad-flinger-slurper?
Maybe it was one of my ex's?
Oh, another El Reg tradition... Never talk about voting. It will guarantee both of us downvotes! Have an upvote anyway! :-)
As I've said before, it's the Phantom Down-voter of Olde London Town.
It looks like a bot, but it's not, you can follow so many threads on el reg and there'll be posts with 101 up votes and just a single down vote. On some threads it's a single down vote on every post. It's quite sad if you think about it, that someone's only joy in life is down voting people for no reason whatsoever.
Sending hugs and kisses to you PDoOLT, and a pint, cheer up lad/lass!
If you're not the PDoOLT don't you dare down vote this post!
Under their Ads Id API, the call to bool for Tracking is separate and the call to getID() will get the ID directly. It really was not designed to have an opt out option.
Adding that it'll take a lot of Ads Id numbers to get their tracking work, the App Dev might be better off skipping the ads Id right from the start.
Doesn't really work for the rest of the population though, does it? My mother, aunt, grandfather, etc. should never need to either have a sys admin nor become one. We are the 1% in this case, and tbh I'm fucking tired of it, I should be able to buy a phone that doesn't track me, not go through all the shit of finding a phone that's supported by some alternate rom, and adding & updating the hosts file, etc, etc, etc. there's drinking to be done, I haven't time for this crap!
Hence the down vote.
From TFA sub-head: "Google says it cannot identify a user from the ID"
It's an ID, isn't it? It IDENTIFIES (reduces count of possible identities to 1) a user. Just because Google can't match it to the user's legal name, SSN|NI number, post|zip code (it says...) does not mean that the user is any less identified with the advertising ID. If what they mean is they cannot de-anonymize the advertising ID, then (a) that's different and (b) I'm not sure I believe it.
Post-rant musing: I wonder what happens if I change my legal name to the same string as my Google Ad ID...?