Norway Fining Meta $98,500 per Day for User Privacy Breach (twipla.com)
111 points by VisitorAnalyt on Sept 15, 2023 | hide | past | favorite | 91 comments


Discussed multiple times in the last couple of months. There seems to be nothing new in this submission, it's just somebody churning away at the content marketing mill.

https://news.ycombinator.com/item?id=37403583

https://news.ycombinator.com/item?id=37173344

https://news.ycombinator.com/item?id=37045185

https://news.ycombinator.com/item?id=36756101

https://news.ycombinator.com/item?id=37403633


Big tech - and Meta's approach to user data security - has long felt too powerful for Europe's data protection authorities to control. Given this, Norway's success is showing other European countries the way, and this points to a significant improvement in EU citizen personal data protection in the coming years.


> EU citizen personal data protection

Sadly, there is no personal data protection. The EU has recently agreed to allow data transfer to the US [1]

[1] https://arstechnica.com/tech-policy/2023/07/big-tech-can-tra...


That's now the EU's third attempt to allow data transfer to the US. Fundamentally not much has changed, so hopefully we'll see Schrems III.


Could someone provide insights into the implications of a hypothetical Schrems III for EU-based SaaS companies that host their servers in the US, particularly those containing Personally Identifiable Information (PII) like email addresses? Essentially, would Schrems III mean that we'd need to immediately move our servers to EU soil, or risk fines?


Whether your servers are in the US or not, if you do business in the EU, EU rules apply. It might be that you will legally not be able to offer your services in the EU, if you have servers in the US, because those can the accessed by US authorities at any time, without you even learning about it. It is probably safer to have servers in the EU, if you want to do business in the EU. Servers in the EU not provided by any US hoster, since that hoster is vulnerable to being ordered in the US to transfer data from EU to the US.


Worth noting that Norway is not in the EU yet, though the statement remains true.


They are half-way in the EU, though ;) Most EU regulations apply IIRC.


In fact Norway has typically been faster to apply EU regulations as part of its EEA membership than most actual EU countries....


What has less value than pocket change? Because that's what this fine is to Meta or Big Tech in general. And how exactly is Norway pointing the way when other EU states such as Italy, Ireland, France etc have imposed similar fines to Alphabet and/or Meta in the past?


Is it actually changing anything though, or are Meta just paying the fine and continuing their merry way?


I want to ask here: Is there any study/experiment about what we say offline in proximity of our Android mobile devices leading to ads in Google?

My colleague made an experiment with his wife. Put their phones down, talk about different kinds of CRMs and DID NOT SEARCH for that stuff. Lo and behold, ads about different kinds of CRMs start popping up.

I'm skeptical of these things and initially didn't believe. Then people I ask confirm - hey, yeah, I was only talking about it, now I get those ads! He said he was talking non-English, however CRM software names are English.

Coincidence?

I would love to hear some experiment results in this direction.


"A widespread myth regarding online advertising is that Google and Facebook are listening to us speak and showing ads on this basis. This is not true, even if it often seems to be. There is a good explanation for this misconception. All of us have probably been part of a discussion on a specific topic—only to see online ads on the same topic immediately afterward. This is not a case of Google recording your speech and using it to target advertising. The most common reason is that people take keener note of matters that they have just discussed. If your phone is showing you ads for holidays in Maui, you probably ignore them. However, if you have just spent time with your cousin in a café, discussing places to visit in Maui during your holiday, the same ad will grab you in a different way. Another explanation is that your friend has been browsing for Internet content relevant to your discussion, even if you haven't. So, if you discussed haggis with your colleagues during your coffee break and you see a Facebook ad for delicious haggis in the afternoon, there is no conspiracy. Inspired by your discussion, your colleague has gone online for a genuine haggis recipe, from the same address space as your workstation. Sometimes, the most peculiar things have perfectly logical explanations."

"If It's Smart, It's Vulnerable", Mikko Hyppönen


I daresay that's a very Finnish style of explanation.


I am so tired of these memes. The network traffic out of common social media mobile apps is fully studied and understood. You can even inspect it yourself if you like, using an access point, an http reverse proxy, a self-generated CA (manually installed on device), and some netfilter rules. AFAIK the social media apps aren't doing cert pinning, but even if they are you can find the pins in the apk and patch your own in over top.

It would be obvious if they were exfiltrating audio data. They are not.
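One concrete form of "it would be obvious": continuous audio has a bitrate floor, so per-flow uplink byte counts from the access-point capture or proxy log (no need to break TLS for this first pass) either account for it or they don't. The following is an added example, not code posted by the commenter or by any of the apps discussed; it goes a step beyond the comment by also distinguishing a one-off burst (a photo upload) from a sustained stream. All hostnames, the flow records and the 750 B/s floor are constructed assumptions for illustration.

```python
"""Added example (not from the thread): could an app's upstream traffic be
carrying live microphone audio?  Works on per-flow byte counts, which a
transparent proxy or an access-point capture gives you even without
breaking TLS.  All hostnames and flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t_start: float   # seconds since capture start
    t_end: float
    dst: str         # server name (from SNI or the proxy log)
    bytes_up: int    # client -> server payload bytes


# Assumption: even narrow-band speech codecs need on the order of 6 kbit/s
# (~750 B/s) sustained while the mic is open; well below that cannot be audio.
MIN_AUDIO_BYTES_PER_SEC = 750
BIN_S = 60  # bin width for the sustained-rate check


def upstream_rate_by_host(flows, window_s):
    """Average client->server bytes/s per host over the whole capture window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.bytes_up
    return {host: b / window_s for host, b in totals.items()}


def audio_capable_hosts(flows, window_s, floor=MIN_AUDIO_BYTES_PER_SEC):
    """Naive check: hosts whose *average* uplink rate could hold speech audio.
    A single large photo upload also trips this, which is why it is not enough."""
    rates = upstream_rate_by_host(flows, window_s)
    return sorted(h for h, r in rates.items() if r >= floor)


def per_bin_rates(flows, window_s, bin_s=BIN_S):
    """bytes/s per host per time bin, spreading each flow's bytes evenly
    over its lifetime (the proxy log only gives us flow totals)."""
    nbins = window_s // bin_s
    rates = defaultdict(lambda: [0.0] * nbins)
    for f in flows:
        bps = f.bytes_up / max(f.t_end - f.t_start, 1e-9)
        for i in range(nbins):
            lo, hi = i * bin_s, (i + 1) * bin_s
            overlap = max(0.0, min(hi, f.t_end) - max(lo, f.t_start))
            rates[f.dst][i] += bps * overlap / bin_s
    return rates


def sustained_hosts(flows, window_s, floor=MIN_AUDIO_BYTES_PER_SEC, min_fraction=0.8):
    """Hosts that stay above the audio floor in at least min_fraction of bins:
    continuous streaming, not a one-off burst."""
    hits = []
    for host, bins in per_bin_rates(flows, window_s).items():
        hot = sum(1 for r in bins if r >= floor)
        if hot / len(bins) >= min_fraction:
            hits.append(host)
    return sorted(hits)


# Constructed 10-minute capture of one app with the mic permission granted.
WINDOW_S = 600
SAMPLE_FLOWS = [
    Flow(0.0, 600.0, "api.app.example", 180_000),       # API/telemetry chatter, 300 B/s
    Flow(5.0, 15.0, "cdn.app.example", 3_000_000),      # one 3 MB photo upload, 10 s burst
    Flow(0.0, 600.0, "stream.app.example", 1_200_000),  # steady 2 kB/s uplink for 10 min
]

if __name__ == "__main__":
    print("above floor on average:", audio_capable_hosts(SAMPLE_FLOWS, WINDOW_S))
    print("sustained, audio-sized uplink:", sustained_hosts(SAMPLE_FLOWS, WINDOW_S))
```

On the constructed capture the average-rate check flags both the photo upload host and the streaming host, while the per-bin check keeps only the host that stays above the floor for the whole window. The caveat raised in the reply below still stands: on-device keyword extraction would ship a few bytes and sails under any volume check, so ruling that out means intercepting TLS (the self-signed CA plus pin patching route) and reading the actual request bodies.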


While I agree with you I think it's pretty easy to do the processing on device, encrypt the relevant topics and communicate them in innocent looking calls?


And it's pretty simple to see when an app is doing audio recording (there's even an indicator in the corner of the screen on newer androids), what is being processed, what is encrypted and with what keys, and then decrypted, and what is being sent and received.

It's a computer program, it's not magic, you can take it apart down to individual system calls, and with popular apps, people actually do that.


Do you have a link to any of these studies? It sounds interesting, but I couldn't find anything with my searches


No, they're usually not published. I encourage you to do it yourself.

Looks like Instagram at least does do TLS cert pinning, but it looks like there are patched binaries that disable it.

https://github.com/Eltion/Instagram-SSL-Pinning-Bypass


I think no hard evidence has ever come from theories like this. And like the sibling comment said, considering how much scrutiny major social media apps (and the Android OS) are under from security researchers - surely someone would have noticed by now.

But. I also think this shows how spookily good the surveillance ad tech really is, and to what extent the major players (Alphabet, Meta etc) keep track of people. Non-techy people attribute it to microphones and dictation, while in reality it is just enormous amount of old school digital behaviour tracking.

(And a dash or two of frequency illusion bias of course, people tend to ignore the "hot single moms in your area" or super general ads with less impressive targeting)


Plus some psychology.

An average user with an adblock gets hundreds, maybe even thousands of ads every day, for new cars, clutch replacements, diapers, washing detergent, shadow raid vpn, local political party, mcdowells, kentucky fried pizza, sex toys, 1:9 baluns, cisco console cables... and they don't even notice most of them.

And then something happens, your washing machine fails, you talk about it, open google, get ads for tampax, ignore them, find service, fix it and forget about everything. Then you watch stranger things, google the reviews, get an ad for yard fences, ignore that and forget about that too. Then you talk with your wife how you're out of detergent, turn on youtube and get a detergent ad... "wait, we were just talking about that? how did they know?! microphones, spying, conspiracy!".


This could be some variation of Baader-Meinhof phenomenon: https://en.m.wikipedia.org/wiki/Frequency_illusion


It doesn't. Maybe try with something more obscure. It is a phenomenon called frequency bias (it has different names)


I often hear different variations of this story, but I have never seen it well documented. I have not seen an online ad in over three years since I switched to Graphene OS without any adware on my devices.


Facebook is an $815 billion company. This is merely a slap on the wrist. Honest question, why not 100x? They can and will pay, and other governments can follow and end this lizard way of doing business


Revenue is not the same as net income. And market cap is utterly meaningless


Revenue is 120b/year, or $330m a day. This is 1/3,300th of their global revenue.

It's the equivalent of being less than one parking ticket per year - and that's for someone on an SV income.


Just make it an even 1% of revenue per day going up 1% every other day.


They should double it every month.


It's when these matters start moving from civil to criminal, and directors fear criminal proceedings, that enforcement is taken seriously by organisations that apply every decision through the lens of "is the fine the cost of doing business?"


This isn't a user privacy breach. Recommending posts is a core functionality of social media. People understand that the site learns your interest. It's not a privacy breach if TikTok learns you like watching piano videos. Nor is it a privacy breach if X learns you like to see posts from artists.


The issue at hand isn't their recommender system for content, it's that they use the same recommender system for ads, which is apparently illegal in Norway.

As I understand it, it's legal to offer recommender systems for personalized content suggestions, but you cannot do the same for personalized ads.


> which is apparently illegal in Norway.

In EU and areas that conform with the EU laws: EEA (which Norway is part of), Switzerland etc.


And for now presumably the UK, which still has GDPR in law.


Just because it's been imposed as a "standard" for so long before anyone objected doesn't make it a core functionality of social media. Sites don't need to learn my interest by profiling me like the Stasi.


Just because you don’t like it doesn’t mean it’s not the core functionality. If you don’t want a personalized feed why are you using Facebook in the first place? They don’t really do anything else.


maybe this could be the next way to pad their sovereign wealth fund, when the oil is gone.


When reporting fines for large companies in media, these should also be expressed as percentage of daily/yearly profits or revenues, to highlight the fact that most of the time they won't have any effect.


$30 million per annum wouldn't even represent a bump against their revenue. Until the fines are revenue based, it's not going to matter.


Of course they care about $30 million per year. That's enough to fund a good-sized full-time team just to work on this one single problem.

You can't go idly throwing away $30 million a year, even if you're Facebook. Yes, they can get away with it once or twice, but if that is your approach to unnecessary $30 million costs, you're not going to last very long.


It depends - what is the _benefit_ of not doing anything? Probably more than +30 mil, otherwise they would be doing something.


The benefit is that you still profit from actions that break the law.

If it's possible to stop breaking the law in a way that the revenue drop is smaller than $30M a year, they'll possibly do it at some point. However, it's possible that the drop would be bigger, in which case the $30M/y fine is just cost of doing business.


Quite amazing how legal and accounting teams do this kind of math, really.


If you find a $100 bill on the street, do you pick it up, or do you just assume it can't be real because surely someone else would have picked it up already if it was real?

There's a staggering amount of inefficiencies in large corporations. Just because a corpo is doing something a certain way right now, doesn't mean it's necessarily the result of a highly optimized process or rational risk/benefit analysis.


I mean eventually the consequences could escalate if they are found to not be effective.


And that’s probably the point they’ll do something, but not before


Norway is only 5 million people - if every country in the world did it the fine would be more like $30 billion per annum, which is about a quarter of Facebook's revenue.

Still, agreed would be better if it was a more punitive fine!


Meta's profit for 2022 was 23 billion. Assuming 3 billion users that's like $8 per user per year of profit. That's actually quite insane how much value they extract out of each of us.


I'd also guess that profitability is not spread evenly across all users, and certainly not across all countries.

I'd guess a good chunk of us are worth £0 (or even negative) and then there is a long tail of increasing valuable users who interact with adverts and services.

Amazing how valuable some of the users must be!


Absolutely. The fact that a single ad click for personal injury lawyers could fetch Google hundreds if not thousands of dollars is testament to this.


I actually think they care about $30M, especially as this just might start a slew of copycats, or similar suits in Norway.

It is better for them to do something big enough to hurt, but not big enough to get all of Meta's guns blazing. This will be accepted, and we can start from there with the next step (applying this same ruling to a hundred other users, or in a hundred other courts)

A million here, a million there, and before you know it you are talking about real money - Everett Dirksen


Small steps. Norway population (5.5 million) is equivalent to 0.07% of the total world population. Meta's revenue would be proportional, and so would be the fine. To avoid inconveniencing foreigners, Norwegian advertisers would have to pony up $98,500 every day.

To frame it differently: if all GDPR countries were to fine similarly it'd scale up to $3-4 billion annually and that would start to hurt a little.


META is trying to fight this in the courts (with no success). At some point other countries will see that it is watertight and they'll follow Norway's line. In my opinion META can do what Norway tells them to do or end up not being in the EU, either forced out or leaving themselves. I can't see any other outcome.


No, but when multiple bigger European countries and the EU starts fining them things start to add up.


GDPR fines can be straight global revenue (up to 4%) based, so such fines are no joke


I hear this argument every single time there's some fine against bigcorp.

Someone should sum all those fines, maybe then it will have a dent?

Moreover revenue is useless in this context, we should compare with profit anyway. And maybe profit against Norway particularly, or any other country in question.


If you make it clear to the court that you’re just willing to treat the fine as a tax and pay it indefinitely without having any intention of altering your behavior, I’m sure they’ll start imposing other penalties after some time


If we boldly link market cap and individual net worth, then this is like someone with a net worth of $1m being fined 12 cents per day. From Meta's point of view, what makes this more than just an additional tax?


Well we shouldn't do that because that's a deeply naive way to think about market values, people don't really think about wealth taxes, and you're confusing taxes with fines.

What you should compare it to is the net income derived from Norway.


Indeed. How many centuries would Meta need to pay this fine before it starts to begin to hurt/be noticed I wonder.


The fine should double every day of continued violation, if you want to get their attention.


Generally regulators increase fines like this over time if the violation is not resolved. GDPR allows a maximum fine of 4% of global turnover.


I am curious. How does this work?

Do big-tech companies actually pay these fines? In cash? By daily bank transfer? Direct debit?

And to whom? Margrethe, the Queen of Denmark? Or to some bank? Or are bank notes scattered to wind in Copenhagen square so the people can stuff them into their pockets?

Or do the governments of countries whose laws are broken have a nod-and-wink tacit agreement that "fines" are just numbers for the press to print and assuage our sense of outrage. Aren't we just starting to use numbers like this as abstract tokens of justice?

I'd like to see Zuck made to personally lug an enormous pirate's chest of treasure up to the gates of Copenhagen, or face blood-eagling at dawn.


You might care to learn the difference between Norway and Denmark.


Tangential, but it's a hilarious stereotype of Americans how they just bunch together the whole of Northern Europe. I'm a Finn, and in 9/10 cases when an American learns this, they tell me about their travels in Sweden or Norway.

Can't help but think the correct protocol here is to respond to them "Oh you're American? Nice, I've been to Mexico!"


Wait until you mention you're from an African country... :)

"Oh, yeah! I've been to Africa!"


Americans tend to identify by a state or city. The proper retort here is to bundle together different states.


"I live in Ireland" "Oh I LOVE the UK!"

got that (and variations of it) more than once..


I think there are a lot of Americans who don’t know that New Mexico is in the US, so…


In fairness if you're an American from Uruguay you wouldn't have a lot of interest in the internal political boundaries of that area like an Estadounidense would.

(though I suppose you could be an Estadounidense from the Estados Unidos Mexicanos - it's really not the best continent for disambiguation!!)


The OP's site address is .uk, very unlikely to be US based.


I made no such assumption; merely pointed out that the original post is about Norway, but the commenter appeared to have confused it with Denmark. Could happen to anybody, really... ;)


I would not mind if they pay Norwegian fines to Denmark


Almost the same currency name anyways.


at least by name


That's easy, Norway has mountains and Fjords and Denmark is flat.


If you're talking about the Kingdom of Denmark (and not the Country of Denmark) then there is Gunnbjørn, Greenland, 3700 m. ;)


Silly me. Of course, they don't do blood-eagle in Norway for non-payment of fines. Lucky escape for Zuck. :)


What do you mean? Big tech companies pay fines much the same way regular companies pay fines. Going to court and other foreplay notwithstanding, it's generally just a bank transfer to the relevant authority. If you messed up on taxes you usually pay to the tax authority of that country, for many other matters it's often whatever the equivalent of the ministry of finance is. Of course this differs from country to country, but this is a pretty straightforward matter in general. I'm not sure where the confusion comes from?


You say that, but with respect, "the relevant authorities" doesn't add what I'm looking for.

> I'm not sure where the confusion comes from?

There is no confusion, there's a lack of concrete factual knowledge. That's different.

Who exactly takes that money? When and how? And how does that translate into a win for the victims?


https://cms.law/en/int/publication/gdpr-enforcement-tracker-... : "Fines are transferred to the state treasury". Which makes sense, this is usually what happens with fines.

(is this a situation of coming from a US background and being confused about how a unitary state works?)


Given that this is Norway, they probably use Vipps.


The fines are paid to the Data Protection Authority in Norway. You can read their own press here: https://www.datatilsynet.no/en/news/ The kind of tit-for-tat you're insinuating rarely happens, if ever. I would expect the fines to enter the state's finances the same way a fine for speeding does.

Echoing other comments about how Norway and Denmark are separate countries.


Thank you.

The next question is - if we're hoping to seriously talk about the effectiveness of fines against hostile and uncooperative foreign companies, how does the Norwegian DPA use that money to further remedy the harms inflicted on the people?

That's not a lot of money in the scheme of things. but handing it out amongst everyone doesn't seem useful.

The obvious danger is that the DPA becomes a self-fulfilling entity, in perpetual growth of power and reach, and quite happy if Meta continue to transgress.

Shouldn't Europe use this money to invest in its own social networking infrastructure, thus providing a double-whammy against Meta's misdeeds?


That's a really interesting list of cases and fines. They seem really active and mostly to operate internally in De^H^H Norway.

What to do with that money?

Some of the listed companies clearly got fined because their software engineering is rubbish and they made genuine mistakes. Maybe use the money to pay for (and force) those companies to have their programmers trained in better privacy related SE skills?


One company was fined for changing the password of and then accessing an ex-employee's email account when they left.

Have to think that's pretty widespread behaviour.

https://www.datatilsynet.no/en/news/2021/fined-for-accessing...


They operate a number of programs to help companies and government organizations to do the right thing wrt privacy. Both awareness building, providing open resources, but also having advisors that one can call and get case by case guidance (free of charge for small things). Of course GDPR has been a priority for a long time, but recent focused efforts also exist around AI. Example (should translate OK to English): https://www.datatilsynet.no/regelverk-og-verktoy/sandkasse-f...


Bank transfer would be normal. In some countries a particularly awkward Naughty Company could probably do it in coins if they wanted to (depends on legal tender rules).


i wonder where the money goes

a big viking party would be cool


META's privacy breaches are nothing when you have an app like TEMU ---> https://grizzlyreports.com/we-believe-pdd-is-a-dying-fraudul...


What's up with the whataboutism, both can be bad.



