Red flags in the Threads privacy policy (qz.com)
267 points by LinuxBender on July 7, 2023 | 249 comments



Tbh if you are concerned about the privacy and ethics concerns here the biggest red flag is in the subtitle:

Meta's Twitter rival launched in over 100 countries today—but not in the EU

Anything more is simply detail - if a major launch of this sort of service omits the EU we immediately know exactly why.


100% agree with this and the other post, the biggest red flag is "Meta".

Whoever thought something good and user-first would come out of this wannabe Twitter killer is completely naive.

I expect that federation won't last and there are two things that can happen: either Meta decides it's not worth it, or they will find a way to draw out most of the federated users and then deal a killing blow to the fediverse.

I was skeptical about being against Meta's Twitter being federated, but now I am totally in favor of it being banned by most instances.


For me the biggest red flag is that they have apps in the EU but what they're doing with this one is so dodgy that they're not even risking entering the EU.

Also, interesting to see a big international company actually back up their "we just won't do Europe then".


> interesting to see a big international company actually back up their "we just won't do Europe then"

That's the most interesting thing to me. Whether:

1- Threads is dead in the water

2- They figure it out and make the EU happy

3- EU is irrelevant enough to be ignored

2 still looks like the most likely; 1 would be very embarrassing and 3 would be, indeed, an "interesting" development.


Let me give my 2 cents as an EU citizen.

The way I see it is a mix of all of that, but number 3 is the biggest.

Twitter is not big here. There are people who use it, sure, but there's a reason you don't see that many EU issues trending on Twitter. Here's an example off the top of my head: France is rioting and it barely registered on Twitter.

The biggest European market for Twitter is the UK with 19M users; the second biggest is France with 9.5M [1].

The only time I see EU events surging on Twitter is during continental sporting events like Champions League, or Eurovision.

Twitter is just not that big around here.

Instagram, on the other hand: I don't know anyone without an IG account, so that might muddy the waters on this dynamic.

This however is just my personal experience.

[1] https://www.oberlo.com/statistics/number-of-twitter-users-by...


> France is rioting

Your point is well taken, and if anything that's a significant understatement. This is one of the most significant protests (or nearly civil war) to occur in France since the Revolution.

> and it barely registered on Twitter.

Indeed. I saw videos of what was happening in Wuhan in late 2019, but tbh it was mostly linked by comments on (where else) HN, so I may not have discovered it via Twitter's own tools.


> Your point is well taken, and if anything that's a significant understatement. This is one of the most significant protests (or nearly civil war) to occur in France since the Revolution.

As someone from Europe who isn't French, it's just another France rioting story. It might be big in France, but for the rest of us it just looks like another France rioting story, which they have been doing for the past few months.

It's not just that it's barely registering on Twitter, it's barely registering anywhere, because lots of us are just so used to France rioting that it's not really news. It's like mass shootings in the US. I think there was a new one over the 4th of July holiday period, but I am not 100% sure because we're so numb to mass shootings out of the US. They need to do something super wtf, like have the police stand outside a classroom while a school shooter is shooting children, for us to register it.


Yeah, but that may not be accurate. These aren't quite "just more French riots" - they have been unusually serious, violent and destructive. At least, the French seem to think so. (Though this might partly be because it's non-white kids from the banlieue rather than white gilets jaunes from the countryside, I don't know.)


It's very much racism.

Essentially it's like how the average protest with minorities is treated vs. Jan 6...

In the former, the cops toss tear gas, kettle them and beat them with batons and "rubber" bullets, while in the latter there's cops literally moving the barricades aside and escorting the rioters around...


Pretty much all videos I've seen of the current riots in France (mostly filmed via phones by bystanders) show a very different picture than racism.

Even that unfortunate incident when they killed the teen was very much reactionary, as people have been throwing Molotov cocktails etc at them for weeks now.

Honestly, I do understand the perspective of the rioters. Not having a chance to improve your life would make me violent too, I think... But framing the police as racists acting out is misguided considering that most of the issues are social in nature and not caused by the police.

And this might be too nitpicky for such an emotional topic, but the term racism gets thrown around way too much. I think it's more akin to classism, as it seems like you're still gonna get discriminated against if you originate from the poor areas, no matter what the color of your skin is.


As a person who has been to many protests I must point out that it's not that the police act exclusively because of racism, but rather that their decisions and choice of tactics are heavily influenced thereby.

Because of their racism and prejudices they are too quick to use force, tear gas and other "compliance methods" against those they deem undesirable, while they consistently avoid the use of such methods at all when they self-identify with the protesting group.

That's what's being referred to.

It's not overt KKK or Nazi shit, it's the subtle underlying racism that makes them shoot tear gas on the first day into a group of entirely peaceful people, which then results in the escalation to this extreme violence we now see.

It's a well established fact that the police are the source of escalation in many cases, choosing to attack the whole instead of seeking to address the problematic few.

The cops even send in fake protesters to engage in violence so they can then attack the protest. It was caught in Quebec on video, so I highly doubt it doesn't also happen in France where tensions and racism are far more significant. (See agent provocateur)


You aren't wrong, but Twitter's importance comes from who is using it, not the raw numbers.


By contrast, when I was on Twitter (up until rumours of the Musk purchase), 75% of what I saw was European-centric.


What is the EU missing out on if Threads never enters it though?

I don't believe Facebook, Instagram, Tik Tok or Twitter were net gains for people. I don't see how Threads might be.

I do honestly believe that if all these services disappeared overnight we would live in a better world. I legit just don't want Threads to enter the EU, ever.


While I wholeheartedly agree that Facebook, Instagram, et al. are net negatives for society, I think that it could still be worrying for the EU if major companies and services simply decide not to do business in the EU. It will be interesting to see if this becomes a trend, if it's a one-off situation, or if it's only a temporary limitation.


EU is not an arbiter of which particular business it likes or doesn't like. It's not Russia.


EU can very well decide not to allow any product they please.

There are products that can't be sold in the EU because of health concerns. Threads is no different.


EU doesn't decide what product to allow or not. It has regulation, and any decisions are according to those rules, the same for all companies. Which is my point. They have no vendetta against Meta, as evidenced by Facebook and Instagram working fine in EU.


It can make particular businesses not profitable or even possible. Which is basically the issue for Threads at the moment.


That's why it bans businesses it doesn't like, right?


Can you name one business that was banned by name, rather than by practice? (I think Huawei might qualify, but I'm not sure what else).


Huawei having problems security-wise is generally a national issue and not an EU issue. Their products are being sold in the EU with no problems.


It seems pretty obvious that it's no more dodgy than any other app they have. Despite people crying loudly about how untrue it is and how unfair it is when sites block people in the EU, the EU's regulations require a lot of work to comply with (even in the case where you are already complying with the intent of the regulations). Clearly here Meta's number one priority was getting this app out quickly. There are a ton of pretty basic features missing. If supporting a release in the EU required just weeks of work, I'd expect that they'd have chosen not to delay the release for that. Given the extra scrutiny that Meta is under, I'd put the amount of work required at more like months.


It's reusing Instagram. Instagram is GDPR compliant, yet Threads isn't. That tells me they added extra stuff that Instagram doesn't have by default. More dodgy than other apps. And considering how long it takes for anything to happen, they could have released and fixed minor unknown issues. The fact they haven't suggests they think what they've added is dodgy enough for major fines.


Threads will follow the usual tech trends. It will be enjoyable for users, and Meta will run it at a loss to try to defeat Twitter. If they succeed, they will eventually make it worse for users to woo advertisers, and then when the advertisers and users are both captured, they will make it awful for both groups in order to maximize their own profit. It will become "enshittified."


I figured Meta released Threads now because of the 2024 US elections: Twitter has reached dead wood status for corporate/political/MSM media, Facebook hasn't learned its lesson in the eyes of lobbyists (no touch), forget TikTok because of 'China misinformation incoming', streaming had its run, Fox lost its main character (and a lawsuit) and nobody watches cable anymore. So where's that sweet $15B in campaign ad funds going?? Threads is being pitched as fresh and an alternative to Twitter as well as "separate to FB"... so it's logical to release now, as the $15B floodgates open around Sep/Oct. I can already see those marketing agencies pivoting with a sigh on not spending it on Twitter in a few months. But we'll see if this plays out by then.


I for one keep thinking: "Ah good, that shit is not here yet." The longer it takes, the better. If they do not enter the EU at all, that would be perfect. But I am probably kidding myself if I think that they will never enter the EU. They will wriggle their way around the law somehow, and if not, they will calculate and break the law, like they did many times before, in the name of profit.


> if a major launch of this sort of service omits the EU we immediately know exactly why.

Yeah, because implementing compliance features takes time and they likely opted to launch early instead.


Oh how nice, we Europeans get the non-beta version without those pesky privacy bugs :)


Anybody who has worked on rolling out large scale software systems should understand this.

Personally, I think the US should also have much stronger laws that safeguard the data of their people.


why are you going so far though?

it's right there: "Meta"


Ha, yeah I had that thought after I posted.


I also thought you were just going to say "Meta" after the first sentence.


Yeah the EU is rapidly becoming a barometer of what’s radioactive and what’s not.

Not that they're perfect - plenty of insane rulings coming out of there too, like France's microphone one.


A more charitable interpretation could be that they just haven't implemented a bunch of stuff that's required by the GDPR -- like being able to export data and deleting your account.

I'm pretty sure they'll launch in the EU eventually.


"They trust me. Dumb fucks."


Any of us could've written something like that when young.


1) That's not true

2) Even if it were true, we are not the CEO of a multi-billion corporation.


You think Zuck changed his mind on this?


On the contrary - this quote has stood the test of time. If you are trusting Zuck in 2023 then you really are a DF.


I would bet over 95% of companies don't comply with GDPR. I know some startups don't serve the EU because of this. Facebook is under the microscope of the EU; they probably aren't risking getting fined until they can scale the product and implement the things they need to lower the fine they would get and make being fined worth it. They are going to get fined most likely, but again, 95% of the companies in the world could be fined as well if they were under the spotlight like Facebook is. GDPR compliance is NOT easy at all; ask anyone who works in compliance, they know this.


It’s exceptionally easy: one just has to not do shitty things with personal information. Complying if you are doing shitty things with personal information is, by design, impossible - and that is good.


Of course it’s not easy, unless you are saying the European Parliament is doing shitty things with personal information:

https://www.europarl.europa.eu/portal/en


Ok, what if you do a database backup daily and someone requests you to delete their information. You're telling me you go through all those backups and delete that person's information? If you don't, you aren't complying with GDPR.


This is an exceptionally charitable interpretation of how easy it is to comply with the GDPR, even if your intentions are good.


You don't even have to bet, you can just sample random websites and see how many make it more difficult to deny cookies than to accept. This is already a GDPR violation.

At some point it was definitely more than 95% of websites being shady with their cookie coercion banners.


I would say that no company or person is immune to arbitrary legal attacks. Complying 100% with the law is difficult if not impossible for companies or people with few resources. Laws could be contradictory and/or inconsistent if you dig deeper.

That is why it is important to have sandboxes and/or laws that are based on size, number of consumers, etc. One thing is to ask for full GDPR compliance from a bank; it is much different for small companies.


What's interesting about the GDPR is that it's ambiguous and vague and it seems like "we're ok with that", whereas in the U.S. ambiguity works against the legislators because a court is supposed to rule on the side of the defense if a law is too vague.

In the EU, it's basically expected that the courts will apply the law on a case-by-case basis, which opens the door to inconsistent application of the law and ultimately to selective prosecution.

In the case of Meta, it definitely seems inconsistently applied (even though I hate Meta and would never trust them again). They simply choose the seemingly worst offender (Meta) and try to kick it out of the EU, while leaving alone the actual worst offender (ByteDance). Prosecution becomes a case of politics rather than justice.


What I don't understand is why products like Facebook and Google Analytics (up to 3?) ship PII to the US. The owners have data centers in the EU and should be able to process the data enough for it to be OK to send to the US.


It is not that difficult for most startups to be mostly GDPR compliant. At least not in comparison with trying to fix it later. In some business areas local law and GDPR clash though, which can be a pain.


I mean, given that this site itself almost certainly doesn't comply with GDPR, yeah, I think you're right.


IMO it's about using Instagram data for Threads (following the same people). GDPR is not the case, since GDPR is also in the UK and Threads works there.


> GDPR is not the case, since GDPR is also in the UK and Threads works there

Not threads.net

I guess the app works? But why not the website too? (Or does the website also do nothing in the US?)


You can view profiles and posts, but you can't do anything more on the website. They are working to build a working website, but their focus is on the app.


That's strange, because the website works in Romania (EU) (to view others' tweets), so I guess it's maybe some error at the MVP stage.


I haven't tried a direct link to a tweet (thread?), just threads.net, which is a placeholder.


The UK is working on a separate data protection law, and the attitude towards privacy is very different from the EU (hence the rewrite).


They're essentially the same, the ICO just doesn't enforce it.


Bingo.

And post Brexit they'll ignore all the CJEU case law about how blatantly companies have been building GDPR since the start.


The UK has a separate data protection law (UK GDPR[1]) which is more or less the same as the EU's. The current government held a consultation on possible changes[2], but I would doubt they could actually carry through on making a significant change given their current weak and divided state and the likelihood they will lose in the next general election.

[1] https://uk.practicallaw.thomsonreuters.com/w-026-8528?contex...

[2] https://www.gov.uk/government/consultations/data-a-new-direc...


> The UK is working on a separate data protection law and the attitude towards privacy is very different from the EU (hence the rewrite)

This is very speculative. My guess is that changes will be made, but they'll be incremental and some effort will be made to ensure broad alignment with EU GDPR so we don't have another SCC-style mess (where some major EU to USA data transfers were determined to be illegal).


"is working" - well, this means that at least now the GDPR in the UK isn't much different from the EU's. In the future? Maybe, but for now it's the same.


They could be gambling on us not enforcing it (having shown signs that we think it's excessive). But others have said this is more about the Digital Markets Act.


> They could be gambling on us not enforcing it (having shown signs that we think it's excessive). But others have said this is more about the Digital Markets Act.

I get a GDPR-looking privacy popup on Threads in the UK, so I'm inclined to agree.


Don't jump to conclusions.

They're likely not launching in the EU because the EU requires user data to be stored in the EU, and their current launch stack is hosted elsewhere. Look at this datacenter map of Meta:

https://datacenters.atmeta.com/

They're mostly in the US, and mostly outside the EU. Given the record timeline from concept to launch for this app, it's normal that they can't whip up a datacenter from nothing overnight.


Maybe it's because I grew up on IRC and ICQ, but I just cannot imagine an asynchronous text-based social network requiring a full datacenter of the same scale as their video and ad-tracking platforms.

I kinda assume that Meta could do this if they wanted. Their Instagram and Facebook comments are legal and available in the EU no problem.


Well, let's be fair to the task at hand:

- Yes Instagram and Facebook are legal and available in EU (as I noted), but there's one data center in Ireland and one in Denmark as far as I see, and given the massive influx of users to Threads, they probably have no extra capacity on these two datacenters to cover all of EU with a new app, not right now at least. Compare with SEVENTEEN datacenters in the US.

- "Full datacenter" doesn't mean much. When we say "a datacenter" it doesn't mean a building of specific size and capacity. They likely colocate some servers in other people's data centers (in fact many of those are like that).

- IRC and ICQ still require a network of servers. IRC is a protocol that barely changes, so you don't need as much centralization as with a product of rapid iteration and innovation like modern social networks. But you must still be quite familiar with IRC splits and lag, which come with such an architecture. If a social network broke as often as IRC did, people would simply not use it; modern audiences have higher expectations. Resilience requires redundancy and more resource-intensive architectures.

- Modern social networks have way more people on them than IRC ever did. At the peak of IRC use, around 2004-2005, all networks, all servers, total, had about 10 million users. Today they're just about 350k. Compare with Threads, which gained 30 million+ users in ONE DAY. More users mean you need more servers and beefier servers, and a more serious architecture (as things don't scale linearly by magic beyond a threshold).

- IRC has no content to host at all. How'd you publish a photo to the world on IRC? You can't. Or even text? I guess everyone has to be in the channel, or know where to find some logs? ICQ is also mostly peer to peer. If you lose your copy of the chat logs, that's it. At least that's how it was in the 90s when it was popular and I used it (I hear it's still popular in Russia or something? Dunno). So you can't compare social media with a peer-to-peer ephemeral messaging protocol. The peer-to-peer messaging protocol is a tiny part of what Twitter and Threads do.

- I haven't even mentioned algorithmic timelines and the like, which make the task even more complicated, nothing like IRC.

And then to pay for all these costs of hosting and algorithmic distribution, backup and so on, you need to collect said user data, profile ads, run the ad network UI and so on. That also adds to the cost and resource use of running this service.

We can probably discuss "is all this needed, can't we go back to something like IRC"? And I think about this a lot. The modern social media design is not the best way to do it, it's not the final way. But Meta wanted to clone Twitter, not IRC, and this comes with the cost & system requirements of running something like Twitter.


I find it odd that I'm downvoted. Is the information I stated incorrect? Or simply doesn't align with the narrative in this thread of bashing Meta? I'm simply trying to stay objective. Facebook is as intrusive as it can be, even more than Threads can be I'd say. And it's running fine in EU. So, let's not ignore facts.


GDPR requires equivalent protections, not that data be stored in the EU.


The US is not in the list of countries with equivalent protections; in fact most of the world isn't in that list. Which means in effect it should be in the EU. Another nearby location that's permitted is the UK, but they have no data center there at all.

https://gdpr-info.eu/issues/third-countries/


Not sure I buy this. Some of the EU stuff is good, but I think a lot of it goes too far and it's a terrible nightmare to navigate now, never mind in a decade when we're all using software that doesn't exist yet.


Can you say specifically what goes too far? I don't find it onerous or unreasonable at all, but my business model doesn't improve by violating it either.


How do you know you aren’t violating it?

Even with the best of intentions, these laws can be labyrinthine and ambiguous, and therefore expensive to (try to) observe. And there is still always the risk that you are found guilty of something. For a small or medium business, you are likely to be far enough off the radar to avoid issues. But as a large company you may easily end up in legal crosshairs, costing millions or billions of euros, even if you ultimately prevail. And if you lose...


These laws being byzantine is the result of almost two decades of legal battles. Meta and Google have batteries of competent lawyers and lobbyists, constantly testing for legal loopholes, interpretations and contesting complaints in European courts.

Privacy laws aren't new, they existed before the GDPR. But they were fractured and not up-to-par with the new digital reality of large scale collection of personal data. These laws are geared exactly against the very business model of Google and Meta: offer free services, be first to market and become a gatekeeper, collect user data as broadly as possible, sell business intelligence and marketing services to actual paying customers.

When Meta states that it can't release Threads due to "unknown legal liabilities" that's a round-about way of admitting that their business model doesn't entirely square with European laws, such as they are.

Finally, as far as size in terms of user base, revenue and expenses go, the likes of Meta, Google and Twitter are very much a league of their own. Given their business model and its profitability, it's inevitable that their goals and motives are at odds with the interests and legal rights of citizens.


People keep saying this and yet it’s never happened despite the GDPR being in place for 5 years now.

As a tech manager for an EU company, I can honestly say that it isn’t that hard to be GDPR compliant.

Even when I worked for a company that did need to collect customer information, we pretty well understood what we could and couldn’t do under GDPR.

This whole "GDPR is dangerous" meme needs to die, because businesses aren't being dragged into court over trivial things because of it. The only people moaning are those who were abusing people's data to begin with. And those are exactly the types of companies this law is protecting people from.


> As a tech manager for an EU company, I can honestly say that it isn’t that hard to be GDPR compliant

It's pretty easy for a business to be GDPR compliant unless their business model or processes in some way involve collecting and processing or selling personal data of their users. Before GDPR a lot of businesses used this as a nice little second income stream, or just grew used to being able to freely analyze every aspect of their users' private data that they could get hold of. Suddenly they can't do this anymore, and what's actually difficult is not being compliant with GDPR, it's reconciling their business to a new way of working where they have to be considerate of their users' right to privacy.

For example, you have a deeply entrenched analytics system that you base a lot of your decisions on. Suddenly you have to basically gut it, or even throw it out entirely. No matter that there are plenty of GDPR compliant systems to replace it, they don't feel as effective, and it's easy to see why a business would make these changes begrudgingly and with a lot of complaining about how unfair it all is.


That looks to me as though the system is working exactly as intended. When I do business with company 'A' I do not expect or consent to them passing that data on to company 'B'.


That's the point I'm making though. The law isn't a problem. It's companies who abused user data that are the problem.

It's also worth noting that you can still use customer data for analytics under GDPR. GDPR doesn't prevent legitimate analytics from happening. It just gives consumers the power to be excluded from analytics and to force companies to be transparent about their usage of personal data.


> Suddenly you have to basically gut it, or even throw it out entirely.

Good.


> As a tech manager for an EU company, I can honestly say that it isn’t that hard to be GDPR compliant.

> This whole “GDPR is dangerous” meme needs to die because businesses aren’t being dragged in court over trivial things because of it.

Ah, yes, the one weird trick of GDPR "compliance" by being a smaller, less appealing target to the enforcers.

The "GDPR is dangerous" meme needs to stay alive because it's massively ambiguous and different countries' interpretations vary wildly. The types of companies the law is "protecting people from" are non-European ones. It's just economic protectionism in the guise of privacy.


Even if that were true (it isn't, but for the sake of the discussion I'll humour you), America is far more open and aggressive with its protectionism policies. As is China. So I don't understand the complaint. You're either in favour of laws that promote the growth of local economies or you're not.

But to be clear, the GDPR is not about protectionism. If it feels that way then perhaps you need to have a hard look at whether the bigger problem is the companies that you feel are being persecuted by GDPR and whether the countries they originate should have done more to regulate them to begin with.


I'm neutral on protectionism: I'm in favor of laws that are precise and unambiguous, and not up to the interpretation of whatever courts and enforcement agencies wish to impose.

For example, which of the following statements are true according to the ECJ's interpretation?

American companies cannot run datacenters in Europe, because the CLOUD act might compel them to give up data to American authorities.

Canadian companies cannot run datacenters in Europe, because Canada might pass legislation that compels companies to give up data to Canadian authorities.

American citizens cannot work at datacenters in Europe, because they're subject to U.S. law, and the U.S. might pass legislation to compel them to steal data.

Germany cannot host datacenters, because they lack an independent nuclear triad, meaning that they're subject to U.S. invasion to seize the datacenters.


> I'm in favor of laws that are precise and unambiguous, and not up to the interpretation of whatever courts and enforcement agencies wish to impose.

So am I but unfortunately the topic itself is highly nuanced. If it were that easy to say this type of usage is ok but this type isn’t then we would have been able to put better technological measures in place to keep our data safe.

And let’s be honest, GDPR is hardly an outlier. Most laws end up being nuanced when it comes to cutting edge technology. Whether it is intellectual property laws, computer misuse laws, etc. The only difference here is that innocent people aren’t being harmed by GDPR.

So if you’re going to complain about vague laws harming people, then GDPR is the literal last one you should be concerned about at this point in time.

The only reason people moan about GDPR is because entities like Facebook have brainwashed you into believing it's bad. They say it's "anti-business", "harms innocent companies", etc., but it's all BS. And I say this as someone who has had to work inside the GDPR every day since its inception.

Now if you want to moan about innocent people being arrested in America for "hacking" because they send bug bounties, or even just click "view source" in Chrome... then I'm all ears. Or complain about how IP laws are being abused to hoard monopolies on obvious ideas. Or about how companies are sucking up other people's copyrighted content for free to train proprietary GANs. Or about the abuses of DMCA.

The thing is, companies don't moan about those things because those abuses empower them. Whereas GDPR levels the playing field. So despite the fact that GDPR has never once been abused and the others frequently are, GDPR is the law that everyone gets pissy about.


This is absolutely not my experience while working in an ad agency in the EU. There are companies like Iubenda which basically handle all the normative side of things, and if required by third parties they also do the compliance checks.

We've had no more than two disputes since the GDPR was passed and they both ended up with a simple "Please remove their data and make sure that X services are deactivated too when the user fills their consent form".

No scary lawyers or multimillion suits. I guess that part is reserved for those that consciously decide to ignore the rules.


Whilst this is all true, I'm not sure what's specific to EU privacy law here.

Any modern western jurisdiction has practically indecipherable layers of legal complexity affecting nearly every facet of life.


Don’t collect information and you know you’re not violating it. ¯\_(ツ)_/¯

Seriously though, GDPR compliance isn’t that hard. You just have to get out of the habit of collecting everything.


> Seriously though, GDPR compliance isn’t that hard

Unless compiling data on your users and selling it is your entire business plan.

One of the issues I see is that many companies have been lured into this impression that they need to track everything, in great detail, but it doesn't actually provide that much value. I blame the snake oil sales people in the advertising/remarketing/up-selling/cross-selling business.


This is correct. So many websites don’t actually need to collect any user data. It’s just a distraction, slows down and bloats their site and worsens UX.

I recommend to simply get rid of any tracking. If you want user feedback, ask them or do tests. It’s cheaper and more effective.


> So many websites don’t actually need to collect any user data.

Any commercial organisation is going to have customers and therefore customer details and payments data.

Any commercial site needs to record enough logs to investigate events like outages or security threats.

Any site that isn't purely informational and read-only probably works with user-provided data in some way.

People keep writing about GDPR and similar laws as if they only apply to data-harvesting analytics plugins on ad-ridden content farms but the same laws apply to everyone else as well. For many it will be reasonable and indeed necessary to process personal data in order to do whatever the site or app does.


> Any commercial organisation is going to have customers and therefore customer details and payments data.

Necessary for the performance of a contract or to comply with legal obligations.

> Any commercial site needs to record enough logs to investigate events like outages or security threats.

Legitimate interest, and possibly legal compliance if the nature of your site means you have a legal duty to collect those logs or that they could help in the course of an investigation.

> Any site that isn't purely informational and read-only probably works with user-provided data in some way.

If it's a UGC-based website, then collecting some data is necessary as part of the provision of a service or legitimate interest for fraud/spam prevention.

Every single point you mentioned would explicitly be allowed under the GDPR with either compliance with legal obligations, necessity for the performance of a contract or legitimate interest, no consent required even.


There should be no debate that the items I mentioned are allowed under the GDPR because one or more of the lawful bases for processing applies. My point is that on many sites you're still going to be collecting and processing personal data for many legitimate reasons and therefore you still need to have all the policies and provisions in place for that data to be compliant with the data protection regulations. "Just don't collect the data in the first place" is mostly not a very useful argument for how easy it is to comply with the GDPR.

On numerous occasions in GDPR-related discussions I have seen people seriously questioning whether you can keep a basic server log with IP addresses in it of the kind that every web server has generated by default for decades. Often there are suggestions that such logs must be automatically deleted after a short period or the IP addresses masked in order to be compliant. And yet having records of which addresses were doing what on your site can be useful information for security and fraud prevention purposes months or even years after the records were originally created. So who is right? GDPR doesn't actually say and as far as I'm aware neither have any of the relevant data protection authorities yet so if you're running a site with these security concerns but also making an honest attempt to be compliant then you literally have no way to know how far you're allowed to go without crossing a line and upsetting a regulator.

That's just one everyday example that would probably apply to millions of different websites and that has been discussed many times but still with no clear answer. There are many more areas of ambiguity that even a well-intentioned organisation can easily run into. Backups and archives. Soft deletes when a user asks to delete something but you know for a fact that many users subsequently contact your support staff saying they've made a mistake and asking to restore the data. It's a long list with few clear answers.
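The server-log question raised above (keep IP addresses for security investigations, but for how long, and masked how?) can be turned into a concrete, auditable policy in code. The following is an added example, not code from anyone in this thread: it keeps recent entries verbatim for incident response, replaces the client address in older entries with either a coarsened prefix or a keyed HMAC pseudonym (so repeat abusers remain correlatable without the raw address being stored), and drops entries past a hard retention limit. The log format, both window lengths and the key are assumptions chosen for illustration, not values the GDPR or any regulator prescribes.

```python
"""Tiered retention for web access logs (added example, not from the thread).

Tier 1: entries younger than RAW_DAYS are kept verbatim.
Tier 2: entries up to KEEP_DAYS keep only a pseudonym of the client IP.
Tier 3: anything older is dropped.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix as written by Apache/nginx by default (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

RAW_DAYS = 30    # assumed: long enough to investigate an incident with full detail
KEEP_DAYS = 365  # assumed: hard retention limit for pseudonymised entries

# Keep this secret out of the log store; rotating it unlinks pseudonyms across periods.
PSEUDONYM_KEY = b"example-key-rotate-me"  # constructed for the example


def truncate_ip(ip_str: str) -> str:
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) prefix."""
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise_ip(ip_str: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: the same address always maps to the same token, so a
    returning attacker can still be matched, but the address itself cannot be
    recovered without the key."""
    addr = ipaddress.ip_address(ip_str)
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip:" + digest[:16]


def process_line(line: str, now: datetime, strategy: str = "hmac"):
    """Return the line as it should be retained, or None if it must be dropped."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable: safer to drop than to retain unknown personal data
    age = now - datetime.strptime(m.group("ts"), TS_FMT)
    if age > timedelta(days=KEEP_DAYS):
        return None
    if age <= timedelta(days=RAW_DAYS):
        return line
    ip = m.group("ip")
    replacement = truncate_ip(ip) if strategy == "truncate" else pseudonymise_ip(ip)
    return line.replace(ip, replacement, 1)


def retain_logs(lines, now: datetime, strategy: str = "hmac"):
    """Apply the policy to a batch of lines; the result is what stays on disk."""
    kept = [process_line(l, now, strategy) for l in lines]
    return [l for l in kept if l is not None]


# Constructed sample entries (documentation address ranges, fictional requests).
SAMPLE_LOG = [
    '203.0.113.42 - - [01/Jul/2023:10:00:00 +0000] "GET /login HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::7 - - [01/Apr/2023:10:00:00 +0000] "POST /login HTTP/1.1" 401 0',
    '198.51.100.9 - - [01/Jan/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 128',
]
NOW = datetime(2023, 7, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for kept in retain_logs(SAMPLE_LOG, NOW):
        print(kept)
```

Run against the sample, the July entry survives untouched, the April entry keeps only the HMAC token in place of the IPv6 address, and the 2022 entry is gone. Whether thirty days of raw addresses is proportionate is exactly the judgement call the comment above says the regulation leaves open; what the code gives you is a written-down answer you can defend, rather than logs that grow forever by default.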


>Even with the best of intentions, these laws can be labyrinthian and ambiguous, and therefore expensive to (try to) observe.

Are you referring to gdpr? If so, that is such a clear set of documents (especially article 15) i would ask you to take a re-read.


Right to be forgotten has some really nasty edge cases.


If your app doesn't easily support redaction of personal data, you have a design flaw to fix.


How are you going to "fix" that "design flaw" when the personal data in question is the result of legally required customer age checks? Evidence needed to support your tax filings? Used to identify and block people who are repeatedly trying to defraud you or breach your security? Subject to a legal hold because it might provide relevant evidence in some legal action between other parties or it's been requested as evidence by some government committee?

Data protection laws like the GDPR might take the position that you should minimise the collection and use of personal data. Many of us might even agree with that position in principle. It can still be complicated to work out what "minimal" actually means if you did have good reasons to collect the personal data in the first place and you might still need to keep the data or some part of it for those purposes or to comply with other laws or regulations.


> How are you going to "fix" that "design flaw" when the personal data in question is the result of legally required customer age checks? Evidence needed to support your tax filings?

This kind of wilfully ignorant argument is extremely tedious and indicative of the fact that you do not understand the actual construction of the GDPR, or choose to misrepresent it.

Let’s put this nonsense to bed once and for all by quoting the Irish summary [1] of articles 17 and 19:

> You have the right to have your data erased, without undue delay, by the data controller, if one of the following grounds applies:

> - Where your personal data are no longer necessary in relation to the purpose for which it was collected or processed.

> - Where you withdraw your consent to the processing and there is no other lawful basis for processing the data.

Information pertinent to tax records is not collected on the basis of consent, and nor is anything else legally required.

Now please, just stop.

[1]: https://www.dataprotection.ie/en/individuals/know-your-right...


> This kind of wilfully ignorant argument

This is HN. Please don't post comments with that sort of hostile tone here. Assuming ignorance and/or bad faith does not further constructive or interesting discussion.


I absolutely agree though, this argument is extremely weak, like a developer being asked to step outside their comfort zone locking up and declaring something to be of unknowable levels of complexity so they don't even have to try.

The GDPR is extremely easy to understand. It's not always trivial to comply with, because we all know that enterprises are held together with instant glue, a networking VM in a basement nobody has logged in to for 10 years, at least 3 layers of management between a DPO and feature teams and one all-knowing employee everyone hopes will never leave or take too much vacation because things will slowly crumble in their absence. It's pretty hard to be absolutely compliant in that environment. But if you're a startup, or even solo? You can absolutely design your app to not have these issues in the first place.


> The GDPR is extremely easy to understand.

I respectfully disagree. And I write that not only as a very experienced developer but also as a director who has been legally responsible for GDPR compliance in more than one relatively small organisation.

The GDPR in its official format in English is 88 printed pages. It contains 173 introductory paragraphs followed by 99 specific Articles some of which span multiple pages by themselves. As is customary for legislation made at EU level a lot of the provisions are written more as statements of intent with considerable ambiguity about concrete implementation that is left to regulators or courts to clarify.

The specific legal basis of "legitimate interests" and the overarching obligations to collect and process data only where it is reasonably necessary are good examples of this openness to interpretation. And yet much of the data processing that most of us would probably agree is reasonable relies on the legitimate interests basis for its lawfulness. Several enforcement actions by regulators have already been brought against data controllers who apparently believed they were acting in compliance but were still found to be infringing the general principles around necessity and proportionality.

I contend that any legal document running to nearly 100 printed pages of densely printed text cannot credibly be described as "easy to understand". Indeed I must have read hundreds more pages of analysis and discussion by legal scholars, professional data protection officers and other experts and there have been plenty of disagreements over interpretation or sometimes outright contradictions between those papers.

Of course the only things that actually matter are the actions of the regulators or other official bodies that interpret the regulations and potentially sanction those who infringe them in specific cases. That means we also have to consider the stated opinions and actions to date of all the different national regulatory authorities and the outcomes of the cases that have been formally considered and resolved so far. And once again it is clear that even among the national regulators who are responsible for the interpretation and implementation of the rules there can be considerable disagreements about how the rules should be interpreted and sometimes which cases should be brought at all.

Now I don't necessarily disagree with some of those outcomes but I do think that if a data controller honestly believed their prohibited actions were in compliance and was subsequently penalised and required to make changes then evidently there is a problem with how accessible/understandable the rules are and those rules demonstrably failed to prevent the unwanted behaviours in those cases until the regulators did take action.


I will take your point, but I'd say you also need to account for how the GDPR has been enforced to this point. I regularly submit complaints to supervisory authorities and I've been employed by a few companies that regularly have meetings with their local SAs for guidance regarding potential pitfalls.

Most enforcement is directed towards total disregard of the GDPR. Data that hasn't been properly deleted after requests, requests that go unanswered, and entities like Meta who think their legitimate interest towers over protected categories of information (i.e. allowing microtargeting based on health). Companies also get away with a lot of easy to see violations (i.e. I've complained about Microsoft doing dark patterns to obscure whether agreeing to data collection is a requirement for a service to work).

Usually you'll be fine if you understand the basic framework and intent.

And I'm not sure how you get to 88 pages. It comes out to 68 pages with very generous margins and a line-height of 22pt on A4 for me.[1] (also, all EU law, including translated judgements, is canonical in all member state languages, FYI)

[1]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...


> I will take your point, but I'd say you also need to account for how the GDPR has been enforced to this point. ... Most enforcement is directed towards total disregard of the GDPR.

I agree this is true. And at least here in the UK the regulators appear to be acting in good faith and according to the spirit of the law. However I don't like the principle that not enforcing a bad rule somehow makes it better.

If something doesn't need to be enforced then it doesn't need to be a rule at all. Then it can't be selectively and possibly punitively enforced against someone the authorities take a dislike to or simply because of a bureaucratic mistake caused by incompetence rather than malice.

Moreover having rules that are rarely enforced effectively penalises those who do make a good faith effort to comply but probably would not have suffered any ill effects if they had not done so. They're being penalised by paying extra compliance costs for trying to do "the right thing" and that doesn't seem like a good idea to me. In a business context it is literally giving a direct financial advantage to competitors who bend or outright ignore the rules and get away with it.

> And I'm not sure how you get to 88 pages.

Official PDF:

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...


The actual text starts on page 32.

Also, legal texts are always longer than a conceptual tl;dr of them, covering for all eventualities. It's not a flaw of the legislation itself that some boilerplate is required. Also, a lot of it is contextually relevant (e.g. there's entire sections for regulating specific industries).

Your average contract contains the same boilerplate by percentage.


I don't know where your actual problem is. The GDPR allows holding data for most of these purposes. You intermingled legal obligations with data legal departments would like to hold in the end there. Only one of those is required.

Also, some of these are purely theoretical in the EU. You're not even allowed to photocopy an ID in Germany; age verification is a checkmark someone sets upon verifying the ID is valid and then (metaphorically) handing it back, not a copy of a legal document that you probably don't want deduplicated to random S3 buckets held by all the companies you do business with. They're not exactly resistant to replay attacks, after all.


> I don't know where your actual problem is.

My point is that knowing which personal data you need to redact and under which circumstances is not always easy. Before you can build a system that does something, you first need to identify exactly what that something is.


Such as?


- Payments, particularly from P2P transactions. If I send you money, and then you request the deletion of your profile, there's plenty of complexity there.

- Enforcement records from illegal content / violating content

- Local data cache for offline mode in mobile apps

I'm not saying all of these apply to "Threads". But there are tons of edge cases to consider that need code changes to behave as expected.


> Payments

There's really no complexity there. The right to be forgotten doesn't supersede other laws, and it is required by law in most countries that transaction data be stored for 5 years plus the running year, so in case you request to be forgotten, that can only happen once the mandatory data retention has expired. This can easily be handled by a "transaction date": simply run a batch job that matches each user to their transactions (and desire to be forgotten), and once the transactions have expired and the user has requested to be forgotten, you simply delete.

> Local data cache for offline mode in mobile apps

The right to be forgotten has a "grace period", so set your cache expiration to less than that amount of time and you're pretty much home safe, or better yet, don't cache GDPR sensitive data and you can pretty much cache for as long as you like.
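The payments edge case listed a few comments up, and the batch-job answer to it just above, both reduce to one mechanism: erase what has no remaining lawful basis immediately, and put what is under a statutory retention obligation on a timer. The code below is an added illustration of that mechanism, not code from any company or poster in this thread. The data model, the "5 years plus the running year" rule, and the idea that the profile row can go at once while invoice rows wait are all constructed assumptions; the applicable retention period is whatever your own jurisdiction's bookkeeping law says.

```python
"""Erasure requests with legal retention holds (added example, not from the thread).

Profile data (email, name) has no remaining basis once the user asks for erasure
and is overwritten at once. Transaction records are kept until a bookkeeping
retention window has elapsed, then removed by a batch job; the user row itself
disappears when nothing referencing it is left.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RETENTION_YEARS = 5  # assumed statutory period ("5 years plus the running year")


@dataclass
class Transaction:
    tx_id: str
    user_id: str
    tx_date: date
    amount_cents: int
    shipping_address: str  # personal data, but needed to defend a chargeback


@dataclass
class User:
    user_id: str
    email: str
    name: str
    erasure_requested: Optional[date] = None


class Store:
    """Stand-in for the database tables (constructed for the example)."""
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.txs: Dict[str, Transaction] = {}


def retention_expiry(tx_date: date) -> date:
    """First day on which a record may be deleted: RETENTION_YEARS full calendar
    years after the year in which the transaction took place."""
    return date(tx_date.year + RETENTION_YEARS + 1, 1, 1)


def purge_expired(store: Store, today: date) -> List[str]:
    """Batch job: delete transactions of users who asked to be forgotten once the
    retention window has passed, then drop user rows that nothing references."""
    deleted = []
    for tx in list(store.txs.values()):
        user = store.users.get(tx.user_id)
        if user and user.erasure_requested and retention_expiry(tx.tx_date) <= today:
            del store.txs[tx.tx_id]
            deleted.append(tx.tx_id)
    for uid, user in list(store.users.items()):
        if user.erasure_requested and not any(t.user_id == uid for t in store.txs.values()):
            del store.users[uid]
    return sorted(deleted)


def request_erasure(store: Store, user_id: str, today: date) -> dict:
    """Honour an erasure request now for everything not under a legal hold and
    report when the held records will be eligible for deletion."""
    user = store.users[user_id]
    user.email = f"erased-{user_id}@invalid"  # keep a non-identifying key, lose the PII
    user.name = "[erased]"
    user.erasure_requested = today
    held = {
        t.tx_id: retention_expiry(t.tx_date).isoformat()
        for t in store.txs.values()
        if t.user_id == user_id and retention_expiry(t.tx_date) > today
    }
    purged_now = purge_expired(store, today)  # anything already past its window goes at once
    return {"held_until": held, "purged_now": purged_now}


def build_sample_store() -> Store:
    """Constructed sample data: one user who will ask for erasure, one who won't."""
    s = Store()
    s.users["u1"] = User("u1", "alice@example.org", "Alice Example")
    s.users["u2"] = User("u2", "bob@example.org", "Bob Example")
    s.txs["tx-2017"] = Transaction("tx-2017", "u1", date(2017, 3, 1), 4999, "1 Example St")
    s.txs["tx-2021"] = Transaction("tx-2021", "u1", date(2021, 5, 5), 1299, "1 Example St")
    s.txs["tx-2016"] = Transaction("tx-2016", "u2", date(2016, 8, 8), 250, "2 Example Ave")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(request_erasure(store, "u1", date(2023, 7, 7)))
    print(purge_expired(store, date(2027, 1, 1)))
```

Note what the batch job deliberately does not do: it leaves the other user's 2016 record alone even though that record is also past its window, because the example models only the erasure-request path the comment describes. A storage-limitation sweep that expires old records regardless of any request would be a separate, broader job.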


There's a lot more to payments than raw transaction data. Payments are usually related to the exchange of goods or services. The delivery data of those could be essential for winning a chargeback dispute or a liability for a customer that asked to be forgotten.


You aren’t holding raw transaction data on the basis of consent, so it doesn’t matter.


such as the ability to easily support redaction of personal data?

Errg: sorry folks. I misread the thread and thought the "such as" was responding to the comment next to it about the design flaw of not being able to delete personal data.


That's not an edge case in the law, that's a limitation in your system.


That doesn’t sound like an edge case.


And this is nasty because?


Can you elaborate a full argument here? Or link somewhere that does?


politicians and other shady individuals know how to use this to their advantage


> Can you say specifically what goes too far?

Twenty-eight independent data regulators on a complain-investigate model. I’ve seen folks bury early-stage competitors with regulatory inundation as an effective, if unethical, strategy. Zero chance Musk wouldn’t have armadas of randos' complaints raining in on Threads.


For EU-based business: The DPA of your country is responsible for you.

For non-EU-based business: Appoint a representative in the EU. The DPA of that representative's country is responsible for you.

So where do the other 20+ DPAs come in? They might be responsible for your customers - in which case, they'll contact your DPA and sort it out among themselves. You still won't have to become an expert in the nuances of Bulgarian, Swedish and Portuguese privacy law.


> they'll contact your DPA and sort it out among themselves

No, they won’t. They’ll help you coördinate. You won’t have to become an expert in other bodies of law, but you will need to be responsive to them, which is time consuming, distracting and—if you’re running a real business—expensive.

I’ve seen this deployed to remarkable efficacy, with asymmetry in defence:deployment cost in excess of 10:1.


> Zero chance Musk wouldn’t have armadas of randos complaining raining in on Threads.

Note that Musk has zero need to tell anyone to do this. Some fans will do so on their own initiative and that will suffice.


If anything, the GDPR's wording of "legitimate interest" makes it too weak, where corporations can justify every use of data that makes them money as legitimate until a court stops them, as happened to Facebook very recently over ad microtargeting.


I think GDPR is pretty clear there.

That companies like Facebook push fancy theories of what is and isn't legitimate interest is not the fault of the law. People will always try to push the limits to see what they can get away with, esp. when there is money to be made. That doesn't mean it will fly - like Facebook has just discovered (and others before them).

Law cannot enumerate every single possible existing and future use case. It outlines the intent - and if there is a grey area somewhere, it will be ultimately tested and decided in court.

That's how it has always worked.


There are ways to make this problem less bad though. You have your permissive case and then write a number of examples into the law that show what you do not consider allowed and invite future courts to consider them. Pre-emptive case law (which is a lot cheaper than actual case law), if you will.


Which is exactly what has happened. GDPR (or any other piece of legislation, really) explicitly enumerates some of the situations.

E.g. Recital 47 on Overriding legitimate interest:

"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

I.e. Facebook is entitled to use your data for their own direct marketing (e.g. sending you leaflets, sale offers or telemarketing) to you according to this. We can guess how this provision got there (likely the lobbying has been fierce).

Or Article 22 on automated processing/profiling:

"The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

Full text of the directive is here: https://gdpr.eu/article-1-subject-matter-and-objectives-over...

A lot of people make all sorts of comments on GDPR (and other regulation) but it is unfortunate that very few have actually *read* what they are commenting on.


It is interesting which special cases are explicitly noted in the GDPR (credit scoring for instance) and which classes of data are specially protected (political alignment, medical data) - and where the lobbying shines through by omission.


I would give the legislators some credit there. While it is certain that the lobbying has been fierce (as with any legislation) and that no law is going to be perfect and make everyone happy, it is a bit of a tall order to expect the lawmakers to anticipate all sorts of crazy business models and legal theories someone could come up with in response to the legislation and prevent them.

That's just not realistic, esp. not when technology is involved which evolves at light speed compared to the comparably glacial tempo of regulatory and legal world.

E.g. GDPR was proposed in 2012, adopted in 2016 and fully in force since 2018. I.e. the entire process took over 6 years!

Where was e.g. Facebook or Amazon in 2012 and where is it today? What about siphoning of (also personal) data by various AI training systems - is that covered by GDPR too or not as they are not really "stored" in the resulting models? Not something one could ask the legislators in 2012 to anticipate, really.


The goal is ambiguity, so that lawyers and judges can argue about and decide each case individually based on their feelings and public sentiment of the parties involved.


The idea that GDPR is a nightmare to navigate is entirely fud. It's pretty clear and the case law has in the main been established. Most of the time when people are saying that it is a nightmare to navigate what they actually mean is they don't like the privacy protections that it gives to EU data subjects and the implications for the data harvesting they want to do as part of their business.


Scale is the enemy of nuance. This is true for both sides but choosing between US company data brokers free for all and EU, well


This level of scrutiny is really excellent. Now we need to apply it to other companies working in the same space.

There is a serious lesson for startups though: if you actively start collecting data, you will, if you survive long enough, have to declare what data you have when you "grow up". For example, if you do anything with photos, you will have to ask for permissions to process location data. Even if you throw it away, it still counts as processing. Taken in the wrong light, or explained badly, this will tarnish your brand.

Rant time

Twitter can infer (if they hadn't sacked all their data scientist people) your sexual preferences, location, and employer.

Google already knows your employer, especially if your work uses any Google service. They also know everything you look at, type and interact with on the web. If you have an Android phone, then your every move is logged, and not only that but shared with your phone manufacturer as well.

Apple hoovers up everything you do. I know they say it's all for a "magical" experience. But they will and do monetise it. Anyone who says differently is in denial.

Let us not talk too deeply about TikTok.

Is Threads actually setting out to hoover that data? I doubt it. Have some people filled in their Facebook profile with gender, preference, employer, house location and significant spouse(s)? You betcha.


Worst. Rant. Ever.

> Scary people hoovering up data - they will and do monetise it

> Is threads (Facebook) actually setting out to hoover that data? I doubt it

So Facebook is the noble player; Twitter, Google, Apple, TikTok the bad guys ... Mark Zuckerberg isn't going to buy you a horse for your efforts.

"they trust me, dumb fucks"


Taps the sign:

> This level of scrutiny is really excellent. Now we need to apply it to other companies working in the same space.

Facebook is and should be held in the same esteem as those lot. I was talking about threads specifically.

Sure, Facebook the app is all up in your junk. But the Apple label about "it stealing your health data" is nonsense[1]. Why isn't there a permissions dialogue asking me to share my health data, like fitness apps? Does Apple specifically allow Facebook apps to get at my health data unannounced? What about Apple Pay, is that leaking to Facebook as well?

None of the FAANG companies are reliable narrators. Regardless of how good their PR is.

Sure, Facebook will rat you out to the police. They don't spend anywhere near enough time or money doing actual proper moderation. They also totally suck at making new products (Threads is the first new product with any success since Messenger, and that sucks donkeycocks). Are they "noble heroes"? Fuck no. They are just trendy whipping sticks.

[1] https://www.mirror.co.uk/tech/threads-twitter-rival-warning-...


> Is threads actually setting out to hoover that data? I doubt it

Check out the App Privacy section yourself: https://apps.apple.com/us/app/threads-an-instagram-app/id644...


see my sister comment:

> Sure, Facebook the app is all up in your junk. But the Apple label about "it stealing your health data" is nonsense[1]. Why isn't there a permissions dialogue asking me to share my health data, like fitness apps? Does Apple specifically allow Facebook apps to get at my health data unannounced? What about Apple Pay, is that leaking to Facebook as well?

[1] https://apps.apple.com/us/app/threads-an-instagram-app/id644...

As I said earlier, tech companies are not reliable narrators.

But, to underscore the point, if Apple really is letting Facebook harvest this data, surely this undermines their "privacy is our magic sauce" shtick? Why are they letting them harvest that data? Why, as a platform, are they letting them get away with it?

Ideally the US would adopt GDPR-like laws at a federal level, however that's not going to happen because there are too many tech billionaires.


If your problem is with the ownership of Twitter, I don’t understand why you would run from the arms of one wannabe cage-fighter into another’s.

If your problem is with ethics, FB isn’t a beacon of good behavior.

If your problem is getting rate-limited or losing your blue checkmark, I guess go wild, but you probably already loved Twitter too much to leave.


No my problem with Twitter is that the quality of the discourse is poor and getting worse every day.

Which is a direct result of Musk deciding to prioritise blue check comments over others. If you're having to pay to have people listen to you then that means you typically don't have something worth saying.

And we see this manifest in many ways e.g. pages of laughing emojis in response to a tweet.


> If you're having to pay to have people listen to you then that means you typically don't have something worth saying.

This basically invalidates all of advertising in one stroke.


That's correct. I think this is how most people see advertising.


For me it depends on the advertising. A brand that sells say bags? It’s fine, I love a cool bag.

And then there is the “Play this one stupid game that has everyone hooked!!!” With an unrelated picture. Or “This guy became a millionaire in ONE day!1!” type of advertising.


Advertising works extremely well precisely because most people are aware that many brands with something of value are also willing to pay for ads. Look at Apple.


I would bet a small majority of people believe advertising "doesn't work" on them.


People literally pay in order to escape advertising.

Of course advertising is not worth it for the target. It's harmful more often than not.


Jimmy James on Advertising (from the 90's sitcom NewsRadio) https://www.youtube.com/watch?v=YhrnMbhMgmw


As it should. Why, did you think ads were valuable information?


For me, Twitter’s utility is that of a notification hub of people and orgs that interest me. Plus some gossip here or there.

The problem is that there’s so much noise that it fails at that. So I end up not using it when I don’t already know something is going on.


Facebook changed their algorithm several years ago (2014?) to prioritize paid content over organic comments. This resulted in many companies being forced to change how they communicated, as people who followed them were not guaranteed to receive critical information if posted on Facebook.

I guess the biggest difference is that Facebook has had almost 10 years to adjust the algorithm towards paid content, and have users becoming accustomed to the system.


> Facebook changed their algorithm several years ago (2014?) to prioritize paid content over organic comments.

That's a lie.

Instead, "Facebook realized that users were growing wary of misleading teaser headlines, and the company recalibrated its algorithm in 2014 and 2015 to downgrade clickbait and focus on new metrics, such as the amount of time a user spent reading a story or watching a video, and incorporating surveys on what content users found most valuable"

For companies that were depending on the organic reach of their clickbaity or low quality posts for their advertising, this had the effect of forcing them to pay to get that same reach. But it wasn't in any way that facebook was prioritizing paid over organic content.


The average rate of organic content on Facebook is 5%, and has steadily increased the amount of paid content that users get on their feeds compared to organic content.

Feel free to provide a source that show a decrease in advertisements on Facebook.


It's not about any of those things, it's about just being a well-run internet service. Facebook is very good at running a big internet service that billions use, Twitter not so much under new management.

A well-run internet service tries not to keep causing self-inflicted PR disasters. A well-run service is stable, consistently available, doesn't have a large amount of feature churn, and generally has stable leadership making sane decisions about maximising value. None of those things describe Twitter under Musk, but Facebook is a generally well-run company with sound policies and competent leadership.

Just because people here disagree with many of Facebook's decisions doesn't make them any less good. I may think that the focus on VR is a strategic mistake, or that Facebook has a PR problem, but generally they're good stewards of the platform they've created and run it fairly well.


[flagged]


But we don’t need Twitter for that do we?

We have 4chan, parts of the fediverse and so on for unfiltered. Threads is for mainstream.

I don’t see that as bad. As someone who was a moderator, sometimes you want that sandwich and not Joe Schmoe stupid verbal trash he thought less than 3 seconds about.


I want to be able to read (former UN weapons inspector) Scott Ritter on Twitter. A man with a huge amount of experience and someone who is able to give very informed commentary. On pre-Musk Twitter I couldn't read him, now I can. And I could give quite a number of similar examples.


Hey thanks for your comment and other perspective!

How couldn’t you read him before the takeover? What’s the difference?

Could this inspector join Threads and would you follow him there?


They probably couldn't read him on pre-musk twitter because he was briefly banned. From the Wikipedia page, this is why:

"Ritter rejected the Western media's coverage of the 2022 Russian invasion of Ukraine and has voiced his perspective on multiple podcasts, including Andrew Napolitano's.[42][43] In April 2022, he posted a tweet claiming that the National Police of Ukraine is responsible for the Bucha massacre and calling U.S. President Joe Biden a "war criminal" for "seeking to shift blame for the Bucha murders" to Russia.[44][45] Ritter was suspended from Twitter for violating its rule on "harassment and abuse" after this, but his account was reinstated the next day.[45][46][47]

The U.S. Department of State and Polygraph.info described Ritter as a frequent contributor to Sputnik and RT during the war.[48][49] Polygraph reported that he compared Ukraine to “a rabid dog” that needed to be shot.[49] He has also compared Ukraine's treatment of Russians to Nazi Germany's treatment of Jews.[50]

In July 2022, the Ukrainian Center for Countering Disinformation included Ritter on a list of what it called Russian propagandists.[51][44]"

He's a Russian shill, imperialism apologist.


> He's a Russian shill, imperialism apologist.

He's also a serial sex predator targeting minors.


Good point


Well that sounds like a great fit for Musk’s Twitter. Explains a lot, thank you!


I responded to the claim that Facebook is "run well" and Twitter is "not run well since Musk". You've extended this simplistic division by implying anything that isn't basic sandwich content must be verbal trash.

Political discussion and controversial topics need to be covered in order for society to progress, to solve problems, to canvas the range of solutions and perspectives. Heated exchanges, passionate disagreements, and ideas we don't like come with the territory. No need to be afraid.

If we fall into the trap of "nothing to see here" via enforcing certain people as truth-tellers and everyone else as "stupid sex-predator anti-vaxxer shills", then we have a problem.

It's much better to trust the average educated person can think for themselves rather than need Corporate sponsored Big Gov to push creepy "anti-misinformation" tactics, censoring, back-dooring and manipulation. That's my point done... what exactly was your point?


can you define "well run"? As in "being a cause of a literal genocide because you couldn't bother to hire a single person to manage the country you're publishing your product in and take any actions to prevent the whole thing" or do we mean "making money" here?


I think we spend too much time and mental energy questioning other people's reasons for how they spend their free time.


You do realize the irony in that statement, correct?


This isn't ironic, they aren't questioning or otherwise probing motives


Well, they are questioning the motivation to question the motivation of others. Assuming that this invalidates their point would, however, be a logical fallacy. https://en.m.wikipedia.org/wiki/Tu_quoque


Except that they are not questioning that motivation at all - blanket assertion that the activity is done too much but nothing supposed about anyone's reasons or whyfores.

I think that statement is being incorrectly reduced/interpreted to 'mind your own business' which would be ironic.


Honestly, touche.

In my defense, I said "we" and not "you" for a reason. Also the point I was attempting to make was less "stop doing that" and more "that way madness lies"


So does Threads solve the problem of viewing things logged out?

FB always had this tendency of rate limiting (showing an annoying sign-up modal and then eventually silently failing due to HTTP 429 ajax requests, seemingly IP rate limiting). It also seems to not allow viewing of otherwise public info based on user agent (mobile vs desktop).


Zuck seems rather less likely to dig up one of my posts just to say "did your brain fall out" directing the attention of his 100m followers to then also dump on my post.


Sadly they copied the Quote Tweet function for Threads, when Mastodon mercifully didn't.


My problems don't really matter here, where most of my community moves does. And lots of them seem to think the fediverse is too complicated; some that sign up just put the local part of their username into places.


I expect that Meta will filter out a lot more antivax, nazi, MAGA, and racist drivel that I don't want to see which is readily available just about anytime I read the comment on just about any news story.


I don't use Twitter or Facebook or IG so I also won't be using Zuck's new thing. That said, I did a quick straw poll of some non-tech relatives who have not expressed to me any previous opinion either way about Elon Musk and the takeover and got told "Twitter is really weird now and full of ads" and "I can't find anything any more". Anecdotal, but it seems to me twitter would be vulnerable if enough users felt that way. All of the people I spoke with in this very non-scientific and non-representative sample already have instagram accounts so it would be pretty easy for them to move over.

A lot of the prominent accounts seem to be moving. It may be because they want a general public square rather than Elon's personal website. It may be because they are worried that the rate limiting etc. is going to affect what they do to monitor their reach, understand their audience etc.

Either way I don't think their problems fall into any of the categories you've given exactly, but if the people someone likes to follow on twitter move to threads, the likelihood is that person will move to threads, especially if they are somewhat dissatisfied because the app is becoming weird and stuffed with ads.


I just went onto Threads and I saw quite a bit of the sentiment of "I can read stuff again without being limited." and people asking if so and so had switched.


is twitter going to embrace activitypub or not


In my opinion, all the people complaining about privacy policies are barking up the wrong tree. As the saying goes in business, if you have to read the contract, you're already screwed.

The reality is that the privacy policy will almost never be a determining factor in whether somebody will use a service. The Facebook haters on HN were never gonna use a Facebook product anyways, regardless of what the policy said, and the same goes for the people that are happily using threads now. Does the privacy absolutist who refuses to do anything outside of a VM behind Tor exist? Of course, but not in any meaningful amount for it to matter.

The people closely reading terms of service and opting out of arbitration provisions or whatever are wasting their time with busywork. It's doing work that feels meaningful and feels like giving it to the man without actually accomplishing much of anything.


Why should a social media app have access to the health data stored inside your phone? Why should we not be demanding laws to make this illegal?


The simple answer is that they don't -- all the health metrics like heart rate, exercise, etc. collected by iOS and Android are both locked behind pretty stringent privacy walls. To get access you'll see (on iOS, not sure about Android) a popup asking for the app to connect to your health info, which I haven't seen happening.


Which social media app has access to your phone's storage of health data? Certainly not the one that's the subject of this post.

Strava, a social media app for exercise, has selective access to "health" data about exercise stored on the phone, but that's the closest I can think of.


The App Store page for Threads lists “Health & Fitness” under the Analytics and App Functionality sections of App Privacy.

I am completely unfamiliar with what that implies or what access would actually be allowed, but I can see how that would raise concern.


I sort of wonder about that, too -- it's not well reflected in their privacy policy.[0]

An altruistic guess -- maybe another way for them to achieve geolocation if other methods are hindered?

[0]: https://terms.threads.com/privacy-policy


That's a huge dose of benefit of the doubt you're giving to the Zuck. Do you for a second believe that granting the Zuck access to your Health & Fitness data that he will stop at just getting the information to geolocate you or would it be more like "let's just suck in all of the data we are given access to and then maybe at a later date we can use it beyond what we originally needed"?


I have an iPhone, I can see which apps access Health & Fitness data, and must in fact explicitly give apps access to that data. Threads does not have access to that data and I can not even find some way to get it to ask me to access that data.

So what are we really talking about here?


> So what are we really talking about here?

The very first thing in the listing for the app in the AppStore. Why are you so obtuse to this?

https://apps.apple.com/us/app/threads-an-instagram-app/id644...

DATA LINKED TO YOU

The following data may be collected and linked to your identity:

Health & Fitness, Purchases, Financial Info, Location, Contact Info, Contacts, User Content, Search History, Browsing History, Identifiers, Usage Data, Sensitive Info, Diagnostics, Other Data


When you read "data linked to you" don't think about the store of health data that's *on your phone*.

Think instead of all the data that the huge number of advertising networks, like the one paying qz.com's bills, have massive hoards of about you, without your consent, that gets bought and sold every single day.

This is not a trivial distinction! The health data on an iPhone is secure, and Threads is not getting access to it. What this is talking about is Threads linking up with all the data that all the other advertisers are already doing!

I deleted my Facebook account circa 2012 when I heard what some of their ML engineers were up to at a casual meet up, like geolocating all photos and doing facial recognition to place which bars everyone had been in over the weekend. Back then, before the deep learning revolution, this was a mind-blowing capability. These days, I have no idea what ad networks are up to but rest assured, by getting all of HN to load the ads that are served from qz.com the advertisers have now gained far more than they did when I installed Threads (because I already have an Instagram account and that does all these same things. Five years after deleting my Facebook account I was ready to give in because the rest of the networks had the data anyway).


> Five years after deleting my Facebook account I was ready to give in

Because you became weak and caved does not mean the rest of us have to give in as well. I have never created an IG account, nor will I be using Threads. I abhor Meta, and will never allow their apps to be installed on my devices. Your cavalier attitude about your data is your business, and my attitude is polar opposite. You coming in and trying to white knight the Threads listing as "nothing to see here, move along" is just this side of being a Meta shill. Some of us still have principles.


Your attacks against me are misplaced.

If you care about privacy, then you should care about the specifics of how it is being abused so that you can defend against it. So you should care that the health data is not coming from your phone, it's coming from the massive databases of information that Facebook/Meta and toooooooons of other companies have on you and sell, trade and swap.

If you care only about maligning Threads, then continue to obscure the threat to privacy and how the massive network of advertisers is monetizing your health data against your will. Because bringing up laws about banning apps from taking your health data from your mobile phone, which is what spawned this thread, will only detract from efforts to improve privacy, because it would do nothing to improve privacy here.

So instead of insulting me and throwing around fake "white knight" allegations, at least try to keep up with the conversation.


Perhaps a feature that has not yet been turned on in the app itself yet.


lol no


Stating that this somehow means it has access to your health information is just straight up misinformation.

I don't even see an option to give it access to health information, which is tightly controlled on iOS.


I agree. It’s technically impossible for them to get this data without OS-brokered consent. Apple’s app store privacy card is extremely misleading here, it is based on a self-assessment not what APIs the app accesses. It looks to me like Meta simply checked every box in the self assessment form.


Apple should really communicate more clearly what they mean in these privacy reports, because I don’t think it’s insane to interpret “The following data may be collected and linked to you: … Health & Fitness” in this way.

An incorrect interpretation, sure, but not one you have to be dumb to make.


Until someone provides explanation for exactly what that does mean, how is anyone to know that it is an "incorrect" interpretation?


Here's exactly what it means: Someone at Facebook, when creating the listing for the Threads app on the appstore, told Apple that the app might possibly collect Health data (etc). These labels are entirely based on self reporting by the person doing the upload. That's it, that's the entirety of what these privacy label things mean: the company making the app has made these claims about what it collects.

In this case Facebook appear to have simply ticked every possible box for data collection regardless of whether the app actually does it or not. Note you can't just get health data on iOS without asking, so people would notice if they tried. My guess is that actually figuring out what they do/don't collect was too hard, so they just said yes to everything.


Why is Apple at fault for what an ad-ridden article claims without evidence?

Seriously I could barely even find the claim you speak of, when every other sentence is punctuated by a half-screen advertisement.

Why accept the claims of such obvious click-bait without evidence? There's no reason to believe anything said in the article, particularly when it's claims can easily be checked and shown to be false.


It’s not from the article. It’s clearly stated on the app store page for Threads: https://imgur.com/a/Lk8Olb6


And yet again, this is not data that is coming from your phone's store of health data.

This is data that is linked to you, and the spamminess of the ads on qz.com is likely doing far more invasion of people's privacy than Threads could even dream of.

This comment thread was about Threads taking health data "from your phone," which it does not do, and which that screenshot does not say it does.

This sort of data linking is absolutely pervasive in the web advertising industry, and it is bad. But let's not falsely say it's coming from the store of data on your phone, it's coming from advertising networks like those that pay for qz.com's hosting bills and profits.


I think the ambiguous display of these things on the store, when few other apps show this, is cause for questions and concern. Everything you just said is equally speculative.


> Apple should really communicate more clearly what they mean in these privacy reports

This information is provided by the app developer; in this case Meta are telling Apple they use your health data and Apple is merely showing that information in the App Store.


Yes; my point is that 1% of the people who see this while browsing the App Store understand enough about the HealthKit data access requirements to interpret the language that Apple chooses correctly. And Apple does choose the language here, it’s selected by Meta from a list of Apple-created options.


> my point is that 1% of the people who see this while browsing the App Store understand enough about the HealthKit data access requirements to interpret the language that Apple chooses correctly.

How so? There is no hidden meaning here; Facebook are simply telling Apple that they will access your health information, and Apple is passing that information along. There’s no misinterpretation. The fact that the app doesn’t currently request this information is immaterial – Facebook are saying they will. The straightforward interpretation of the privacy card is the correct one.


Instagram is the same and probably has been that way since inception.


I wish iOS would give us the capability to selectively toggle these app privacy permissions on an individual/granular level.

If I want to disable all the toggles and have a non-functioning app, I’d be ok with that. At least I could selectively enable the bare minimum and then have a more deliberate decision regarding how much of my privacy I want to give away, rather than what an app developer might be hungry for (and not actually need).


> a determining factor in whether somebody will use a service

Threads is currently not available in Europe because its privacy policy isn't compliant with EU law; that's literally what the article is about. We're not talking about individual choice here, or absolutists behind Tor. I don't understand what your post has to do with the topic. Clearly, with privacy legislation, we have at least accomplished that Meta must follow the rules or not operate here.

You're right that individual users agreeing with TOS's is meaningless, but we've been beyond that for years.


That doesn’t sound right. It surely can’t be any worse than Instagram which works fine in the EU. I believe it hasn’t launched there yet because the lawyers haven’t cleared it.


The main difference is Threads is a new product, unlike Instagram, which was released before GDPR was a thing. Sadly, it's way simpler for a business to just avoid the stringently regulated market at launch if you don't want to comply with regulations, than to actually comply.

I don't think the severity of tracking is important when comparing insta vs threads, just the inertia of an old vs new product.


Does that mean we should not analyze whether programs are user friendly or hostile? Should we not check what hostile activities company X is doing? I read such articles and they give me an idea of what goes on in the minds of CEOs. This is the reason I have left Facebook. Such stories and comments have real world impact.


I still appreciate these pieces because they help educate people. If it dissuades even a few people from signing up for these apps, or forces another app to adopt a more private approach, all the power to them.


This is true now, but over the long arc a paper trail of complaints lays groundwork for legal and political challenges. Historically that has been the meaningfulness of such busywork: no one cares today, but what if someone does in the future?

Now if you are saying there is no willpower to follow through over the long arc aka this fight is over and lost, then I disagree but could be wrong.


I'm wondering something here, and I humbly ask for feedback: to anyone hyped about Threads, why?

Has Meta ever displayed any particular quality regarding content moderation, freedom of speech, privacy, information control, transparency, or mental health? Not implying Twitter is any better, Musk Tweeted, "It is infinitely preferable to be attacked by strangers on Twitter, than to indulge in the false happiness of hide-the-pain Instagram"

What a sad state of affairs when a form of abuse somehow becomes "infinitely preferable" to another; maybe I'm being overly sensitive, or has the social media bubble fallen into pure insanity?


There is a third option: Don't participate.

Your quality of life will be better without any of it. Humans were not meant to communicate at that scale.


I'm someone who hasn't had a Facebook account for years, and because I still have the same phone number I had back when I deleted my account I can't even create a new one. But I still want to check it out when it comes out in the EU.

Just to see what it is like. I will probably not use it, because the lack of proper chronological feed irks me, but as an iOS developer I want to check out new apps all the time to see if they do anything different.


As soon as you do, you will accept (and can not change your mind later) the new terms of service (and privacy policy, that is: what this post is about) which also are designed to prohibit you from developing an alternative app.

Just look at screenshots or videos of how it works to satisfy your curiosity.


Are you suggesting that the Terms of Service you sign when you create an account bars you from ever creating a competitor app?

That sounds like it would not hold up in court. It would be as if Threads could be shut down if a single person on the team had once made a Twitter account.


Twitter doesn't have that provision. Most of the upstart competitors do.

Whether it will hold up in court doesn't really matter if you're dealing with a company that recently had a valuation of greater than $1 trillion who really just wants to make its smaller competitor go away.


Why so much FOMO about a shitty company doing the same thing they do every other day?


it's pretty crap. it's just new for people.


Threads collects sensitive personal information about you

The data collected by the Threads app could include your sexual orientation, race and ethnicity, biometric data, trade union membership, pregnancy status, politics, and religious beliefs. This data may potentially be sent to “service providers” and “analytics partners,” which is often code for third-party advertising and marketing firms.

Threads collects data about your employment

Information about your company, your role on your team, your job history, and your performance evaluations may be collected and sent to third parties.

Threads collects data about your body

Details about your health, fitness, and exercise may be hoovered up to be sent to third parties.

Threads collects data about your web activity

Threads may scour your browsing history, web page interactions (including with ads), and the referring web page or source through which you accessed Threads links. This information may be sent to third parties as well.

Threads collects data about your location

Photos, videos, or other recordings of a user’s environment, as well as “IP-address-based location information,” may be collected and sent to third parties.

----

1. How does it access biometric data?

2. How does it access your performance evaluations?

3. How does it access your browsing history?

4. How does it access "photos, videos, or other recordings of a user’s environment"?

If the answer to this is that it extracts information from the things you post, mining the data of your threads over years and extracting a profile, then that isn't that big of a privacy invasion -- especially if you post publicly.

If the answer is that they activate the camera without you knowing, that they bypass security features to access browser history and biometric data, and that they... I don't even know how they'd access performance evaluations, then that's a different question and less of a privacy issue and more of a computer misuse issue.

Does anyone know the answer to this?

Perhaps it's time for phone cameras & microphones to have hardware lights next to them like Macs do.


Isn't the biggest red flag of any privacy policy the ubiquitous "We can change this any way and any time we like, and you have no useful recourse."?


Of course you have a recourse. You can choose not to use the service.

Unfortunately most people aren't willing to pay for websites and so the only successful model ends up being advertising driven.


you're skipping over the fact that any data that you shared under the previous agreement are now subject to the new agreement whether you agree to them or not. if they provided a way to nuke everything you've ever posted because you no longer agree to the new terms, that might be something to discuss.



Man I hate these alarmist hit pieces.

- "You can't delete Threads without deleting Instagram altogether": but you can deactivate it. What's the difference, and why do I care? Without including that info, you're useless.

- "Threads collects sensitive personal information about you": How? Inferred from the things I post? Well I'll just not post those things.

- "Threads collects data about your employment": Same.

- "Threads collects data about your body": Same. Alternatively, this could come from the Health API, which I have to provide explicit permission for. Such permission was not even asked for.

- "Threads collects data about your web activity": How? It reads referrer headers. So an issue with my User Agent, if it were configured to do that. Which it isn't.

- "Threads collects data about your location". It may reverse-geocode my IP. Okay. And? Literally any analytics service with a map does the same.


This reply is a good example of someone whose perspective is utterly locked in to their own perceived personal threat model (which may or may not accurately understand their own actual threats). This technology, they think, is perfectly acceptable according to their own sense of threats, so why isn't it good enough for literally everyone?

Other people's threat models are so unimaginable, so inconceivable that the commenter "hates" the "hit pieces" that attempt to inform people of risks, people who may face different threats than the hater.

I hope most folks can step out of their own context occasionally and view our current zeitgeist from the perspective of a sex worker, or a journalist, or basically anybody who may have perfectly good reasons for electing to maintain their privacy.

I don't think that's too much to ask.


What makes you think these rhetorical sex workers have learned anything at all from this piece? A belief you know more than them about what's best for them?


Is it too much to ask how, exactly, other apps safeguard this info? Allegedly, according to the App Store privacy declaration, mastodon collects no user content. Now how does that work? How does one post on a network that doesn't collect user content?


Mastodon doesn’t actively poll the operating system for data about you. You can input data (via posts) and that may be scanned by some system but you actively control all data that you choose to or not to share.

Threads polls just about every bit of data the operating system stores. E.g., on iOS threads reports that they collect data from the health app (“health and fitness”). If you are using the health app to store information about your health and body, Threads wants to get it straight from that app.

It’s not that it’s collecting data, it’s that it is asking for permission to passively collect data from other apps in the background (without you explicitly allowing it each time).


There's a thread above stating that this is not correct. I'm not saying they are right, wish someone would chime in with the authoritative details.


For iOS the authoritative source is apple itself; you can read their post on this topic here: https://support.apple.com/en-us/HT211970

The actual list of privacy descriptors and what they actually mean can be found here: https://apps.apple.com/story/id1539235847

For example, the description of “Health and fitness” is:

> Health and fitness

> Health

> Health and medical data, including but not limited to information from the Clinical Health Records API, HealthKit API, and Movement Disorder API, or from health-related human subject research or any other health or medical data that you provide.

> Fitness

> Fitness and exercise data.

Which indicates that the app can use HealthKit etc to gather information about your health and medical data and exercise data.


> "Threads collects data about your body"

This could come from any number of sources. Running AI to determine race, height, weight, and age from a profile picture for example.

> "Threads collects data about your web activity": How? It reads referrer headers.

Or it fingerprints you and your local network so it can associate browsing outside the app with your threads’ profile to better target ads?

Honestly you seem 20 years behind the times with how invasive tracking and analysis can be.


I think you are underestimating Meta's modeling capabilities, and their reach outside the app.

You do not need to explicitly talk about employment info, personal information, or permit health api access on Threads for Meta to infer these things "well enough" for advertising.


Interesting to see the media side of the battle of the billionaires.

Honestly, I find it far more interesting than the physical fight that Musk and Zuckerberg were talking about.


> - "Threads collects data about your employment": Same.

There are passive ways of doing this. If you take your phone someplace Monday-Friday, from 8:30 to 5pm, and you have geo-location turned on, it's a pretty good guess they know where you work, and your working hours, minimum.
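The passive inference described in the comment above, written out as an added illustration (not code from the thread or from Meta): given only timestamped, coarse location pings, pick the place the phone sits on the most distinct weekdays during business hours and estimate arrival and departure times. The pings, the grid size and the working-hours window are all constructed assumptions; the point for a defender is that none of this requires the user to post anything, so the only control that matters is the location permission itself.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of coarse location pings: (ISO timestamp, latitude, longitude).
# Weekday daytime pings cluster around one spot (the "office"); evenings and the
# weekend cluster around another (the "home"). One Thursday ping is a lunch spot.
# No real place is referenced.
SAMPLE_PINGS = [
    ("2023-07-03T08:35:00", 52.52010, 13.40490),  # Mon, office
    ("2023-07-03T12:10:00", 52.52020, 13.40510),
    ("2023-07-03T16:55:00", 52.52005, 13.40495),
    ("2023-07-03T20:00:00", 52.48010, 13.43500),  # Mon evening, home
    ("2023-07-04T08:40:00", 52.52015, 13.40500),  # Tue, office
    ("2023-07-04T13:00:00", 52.52030, 13.40480),
    ("2023-07-04T17:05:00", 52.52000, 13.40505),
    ("2023-07-05T08:30:00", 52.52012, 13.40498),  # Wed, office
    ("2023-07-05T15:20:00", 52.52018, 13.40502),
    ("2023-07-06T09:00:00", 52.52008, 13.40491),  # Thu, office
    ("2023-07-06T12:45:00", 52.51000, 13.39000),  # Thu, lunch elsewhere
    ("2023-07-07T08:45:00", 52.52022, 13.40493),  # Fri, office
    ("2023-07-07T16:40:00", 52.52011, 13.40507),
    ("2023-07-08T11:00:00", 52.48020, 13.43480),  # Sat, home
    ("2023-07-09T14:00:00", 52.48005, 13.43510),  # Sun, home
]


def grid_cell(lat, lon, decimals=3):
    """Snap a coordinate to a ~100 m grid cell so nearby pings count together."""
    return (round(lat, decimals), round(lon, decimals))


def _hhmm(minutes):
    """Format minutes-since-midnight as HH:MM."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def infer_workplace(pings, start_hour=8, end_hour=18, min_weekdays=3):
    """
    Guess where the phone's owner works from nothing but when and where the phone is.

    Keeps pings on Mon-Fri within [start_hour, end_hour), snaps them to a grid,
    and picks the cell seen on the most distinct weekdays (so a one-off lunch spot
    does not win). Returns None when fewer than min_weekdays support the guess.
    """
    days_per_cell = defaultdict(set)   # cell -> set of dates the phone was there
    pings_per_cell = Counter()
    kept = []
    for ts, lat, lon in pings:
        t = datetime.fromisoformat(ts)
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            continue
        cell = grid_cell(lat, lon)
        kept.append((t, cell))
        days_per_cell[cell].add(t.date())
        pings_per_cell[cell] += 1
    if not kept:
        return None

    cell = max(days_per_cell, key=lambda c: (len(days_per_cell[c]), pings_per_cell[c]))
    if len(days_per_cell[cell]) < min_weekdays:
        return None

    # First and last sighting at the winning cell on each day, then the median
    # across days, which tolerates sparse days (e.g. a single morning ping).
    first_seen, last_seen = {}, {}
    for t, c in kept:
        if c != cell:
            continue
        m = t.hour * 60 + t.minute
        first_seen[t.date()] = min(m, first_seen.get(t.date(), m))
        last_seen[t.date()] = max(m, last_seen.get(t.date(), m))

    return {
        "cell": cell,
        "weekdays_seen": len(days_per_cell[cell]),
        "share_of_workhour_pings": pings_per_cell[cell] / len(kept),
        "typical_arrival": _hhmm(int(median(first_seen.values()))),
        "typical_departure": _hhmm(int(median(last_seen.values()))),
    }


if __name__ == "__main__":
    print(infer_workplace(SAMPLE_PINGS))
```

The same weekday/weekend split, run on night-time pings, gives a home location; the mitigation on the user side is denying or coarsening the location permission, not self-censoring posts.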


" but you can deactivate it"

You actually can't deactivate your Instagram account. The deactivation feature doesn't do anything; they automatically reactivate your account immediately when you try to use it. It's fake.

This has been the case for several years and I can confirm this was still the case as of last week:

https://www.reddit.com/r/Instagram/comments/k0vxzk/my_instag...


I'm sorry to be callous but you just don't understand how any of this works.

You can't just "not post those things". If we are on good terms I can literally just post "Saw you working the bakery this morning, did you skip your morning jog?" and the system already knows where you work and that you are physically active, no input from you required at all.

Facebook already did this with shadow profiles. Facebook has information about me and I have never posted there, I don't even have an account there.


There are so many more sophisticated, more accurate, and scarier ways to collect data about web activity, location and your body that you don't seem to be aware of.


If this is all true, then how does Facebook make so much money?

The first stock market bubble in 2000 partly burst because investors realized that large user numbers by themselves were worthless.

Then other monetization schemes were discovered ...


Threads will also automatically, silently, and without your consent doxx and/or deadname you[1] by digging up your legal name from its massive social network and access to personal information and changing your display name to your legal name. This is horrible for everyone, but it also makes it incredibly dangerous for marginalized people who are often targeted for harassment, doxxing, as well as IRL harassment and stalking by people like GaysAgainstGroomers and LibsOfTikTok, which are, incidentally, being allowed free rein on the platform.

[1]: https://xantronix.social/@megaspel/110666980545804656


The rapid growth of Threads app while avoiding compliance conflict in the EU is a pivotal moment in data privacy. This blog post describes key lessons on why and how Meta balanced innovation with compliance. https://www.linkedin.com/feed/update/urn:li:activity:7085094...


The adtech business model is predicated on the maximum invasion of privacy that is permitted by law (and the law has been quite accommodating of "innovation" in this space).

It is a necessary but thankless job to document how they get away with it. My pessimistic take is it's not going to move the needle. There is a huge captive audience (the most likely users of Threads are existing users of Facebook and Instagram) that has been socially engineered not to worry about privacy.

Internal cannibalism between surveillance capitalists aside, the true change will only come when authoritative bodies (public sector and other institutions) walk the talk, vocally refuse to use these platforms and throw their weight behind the fediverse.


Terrible article. They linked to another product named Threads’ privacy policy.


What were they reading off of?

In the App Store they set the privacy policy to Instagram's;

https://apps.apple.com/us/app/threads-an-instagram-app/id644...

https://privacycenter.instagram.com/policy


Meta released a new product that harvests user data without your permission and/or full understanding. Shocker.


I must be missing something obvious here. Allegedly Threads has launched to the public by now, which is how all these revelations are being uncovered. But threads.net still points to a generic landing page with a QR code, no obvious way to create an account, sign in, etc. How am I even supposed to access this?


It's app-only for now, no web version


The web version works as read only e.g. https://www.threads.net/@crumbler


Works in Chrome, but in Firefox, I just get a bunch of CORS errors...


When is Threads dropping in the UK?

https://www.youtube.com/watch?v=MrHoMSRZOS4


I have never met a single normal person in my life who uses twitter


Ironically this reads like a tweet.


Maybe you should meet more people then


You have a point in that it is somewhat tech-specific. If, e.g., you are in an open source project with 100 people and 20 are on Twitter, 18 of the 20 are raging, manipulative, self-promoting politicians, all with the correct "Twitter Bio" and the correct set of flags.

They use Twitter to intimidate others and promote their clique.

I find that the only people worth reading are the independently minded ones who don't care what others think. In the current climate, they are either journalists or independently wealthy.


So basically tame compared to ShitTok?

