Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy

Ask Slashdot: How Is It Even Legal For Websites To Gather And Sell Users' Data? 216

Long-time Slashdot reader dryriver sees it like this: Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

Would I be breaking the law if John D. has not given me explicit permission to do this? Very likely. If this is the case for "meatspace data gathering", how can websites justify gathering information about visitors, and selling that information to third parties?

How would you answer this question? Attempt your own best explantions in the comments. How is your country balancing the need for online privacy with actual laws governing what can and can't be collected?

How is it even legal for web sites to gather and sell users' data?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How Is It Even Legal For Websites To Gather And Sell Users' Data?

Comments Filter:
  • by Anonymous Coward on Saturday March 02, 2019 @09:37PM (#58206278)
    They're completely legal.
    • by raymorris ( 2726007 ) on Sunday March 03, 2019 @08:46AM (#58207768) Journal

      The submitter seems to have some misunderstanding about how law works. "Very likely illegal"? What law would be violated? The submitter doesn't seem to quite understand that laws are written down, and given numbers for easy reference. For example, web sites must comply with US Code 2257. Unless the submitter can point to USC [number], they have a *feeling*, not a law.

      I used to work as a private investigator and I did follow people. I had to be very diligent about documenting what I saw, because a PI is not supposed to tell the client or court what they *think*, only exactly what they *saw*. As a PI, I couldn't say "he's boning his secretary". I had to say "at 6:35 PM the subject entered hotel room #123 with a blonde woman of medium height. Both parties left the hotel room at 7:40". I can't speculate about what they did in the hotel room (could be discussing his campaign for governor of Arkansas), so I have to be specific about what I saw to allow others to decide how to interpret the facts.

  • by misnohmer ( 1636461 ) on Saturday March 02, 2019 @09:37PM (#58206282)

    One can't answer your question unless you specify "legal in jurisdiction X". For example Europe has GDPR, USA or Canada or Mexico or China does not, but they have other laws.

    So I guess I would answer your question with "Legal where?" and a disclaimer "IANAL". ;-)

    • "Legal where?"

      Post says "How is your country balancing the need." So the "where" is "wherever you are."

      If you need something more specific than that, I'll have to wait till Slashdot gives me that location data I paid them for.

    • by AmiMoJo ( 196126 )

      It's definitely not legal in Europe. GDPR requires explicit opt-in permission for tracking and profiling.

    • In America it would be illegal for an individual to do so if the subject legally objected (restraining order). That's because your interest is assumed to be personal.

      A business entity has an assumed interest of revenue. So it is legal as long as there's no law against it, such as the European privacy laws.

      You can't equate individual actions and business actions, because individual actions do not have a business plan, charter, nor governance to claim a particular interest. Not that they have to be truthful,

  • Private detective (Score:5, Insightful)

    by alvinrod ( 889928 ) on Saturday March 02, 2019 @09:41PM (#58206288)

    Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

    That sounds a bit like a private detective, with the exception that they typically work for a specific client.

    Also, if you stop to think about it, going to a website it like going to some person's private establishment. I'm visiting their server, so it's their rules. Stores no doubt track my purchases, and some even have cameras on presence that record my every action. If I have a problem with it, I can take my business elsewhere.

    Sure, terms of service could be more explicit, but most people wouldn't bother to read them or would just click through like they did when they signed up for a Facebook account or half of the other shit they use online.

    • Sure, terms of service could be more explicit, but most people wouldn't bother to read them or would just click through like they did when they signed up for a Facebook account or half of the other shit they use online.

      They tell you that they will record all your data, and you agree to it. That's why it's legal.

      • by Jane Q. Public ( 1010737 ) on Sunday March 03, 2019 @02:39AM (#58207052)
        Not really.

        Example 1: Facebook and Twitter track you on every web page you ever visit with Facebook or Twitter "share" icons (or "like" in the case of Facebook). They don't tell you that. (In fact they track people who have never been to Facebook or agreed to a damned thing.)

        Example 2: It is illegal in the United States to track people who are less than 13 years old, without explicit parental consent. Yet not only to Google, Facebook, and Twitter do this on a massive scale, they don't care about the law and don't even try to abide by it.

        The latter is BIG. The fine per violation is significant. If it were actually enforced, those companies would be out of business very quickly.
        • Example 2: It is illegal in the United States to track people who are less than 13 years old, without explicit parental consent. Yet not only to Google, Facebook, and Twitter do this on a massive scale, they don't care about the law and don't even try to abide by it.

          Well I don't care if they go out of business.

        • by Anonymous Coward

          Not to worry. Facebook and others let you opt out. You just send in proof that it is really you, SSN, DMV, Passport, etc, and then they will let you go to a special page to log in and get a cookie. As long as you keep that cookie, they know it is you and that wherever you go, you asked to not be tracked.

          They may need to send you a new cookie from time to time to make sure you are still you and don't want to be tracked, so you may need to login again. But they won't ever change the rules, without updating th

          • As long as you keep that cookie, they know it is you and that wherever you go, you asked to not be tracked.

            So they track you in order to....not track you?

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Also, if you stop to think about it, going to a website it like going to some person's private establishment. I'm visiting their server, so it's their rules. Stores no doubt track my purchases, and some even have cameras on presence that record my every action. If I have a problem with it, I can take my business elsewhere.

      Ideally, yes. In practice, no. What is going on with all the "tracking" servers is comparable to one company installing cameras in every store in your city, then collating your movements from store to store as you go about your business. While store A may not know that, after perusing their goods, I then went and bought from their competitor store B; the ones who are running the cameras in both stores have access to this information. Worse, neither store A nor store B posts anywhere that my actions are

  • .. the rule of law exists in this world. There are two sets of laws, one for the rich and corporations and another for the rest of us. The reality is the internet and technology has made it cheap and easy to collect data on everyone. Even if you wanted privacy it can't exist due to technological advancement. Our technology is making rule of law irrelevant.

    The last 20 years the internet enabled software companies to steal peoples game and OS software (drm) and remove their privacy by force because we c

  • by jimduchek ( 13246 ) on Saturday March 02, 2019 @09:45PM (#58206304) Homepage

    What makes you think any of what you described in 'meatspace' is illegal? It's not, in the US, anyway. PERHAPS could be considered under harassment or stalking laws if it was very blatent, but if you are in public, you are subject to anyone recording/photographing you and what you are doing, pretty much.

    • but if you are in public, you are subject to anyone recording/photographing you and what you are doing, pretty much.

      There are exceptions, but you are correct. It becomes confusing when you start to take apart what being "in public" means. When I am on a website, I might be sitting in my home. Am I in public? Not all online behaviors and environments are analogous to meat space.

      So I guess the answer is, "it's complicated, but we better have this conversation in a meaningful way and get it sorted."

      • by LynnwoodRooster ( 966895 ) on Saturday March 02, 2019 @10:17PM (#58206404) Journal
        Would the company whose website you are visiting have the right to watch what you're doing? It would be analogous to walking into a grocery store and having the cashier watch you walk up and down the aisles, and note what products you chose - and which you did not.
        • by dryeo ( 100693 )

          As an AC up the page pointed out, a better analogy is some company, or rather a couple, running video cameras in all the stores you visit and tracking what you do in every store and putting it together in a way that a cashier following you around one store could never do.
          Still legal, but much more creepy, especially when it is all done without your knowledge.

    • Re: (Score:3, Interesting)

      by kiviQr ( 3443687 )
      I am using HTTPS/secure connection - how am I in public?
  • by Grand Facade ( 35180 ) on Saturday March 02, 2019 @09:49PM (#58206312)

    They are enhancing the customers experience.

    • They are enhancing the customers experience.

      Sounds like a good tag line for a WiFi connected, smartphone controlled vibrator [amazon.com] -- even has a built-in camera.

  • Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening

    No, a more apt description would be that John D spends all of his free time at the same Target. He buys all of his stuff there using a Target credit card. He talks to the employees constantly. He hangs out with his friends at the attached Starbucks and has loud conversations with them. He eats at the attached Subway every day. He uses the Target pharmacy for all of his prescriptions.

    Then, he finds out that the employees of that Target know all of this stuff about him and is appalled.

  • by Shikaku ( 1129753 ) on Saturday March 02, 2019 @09:54PM (#58206332)

    USA Laws are limited by these 2 main laws that limit it by age (under 13) and healthcare respectively: COPPA https://www.ftc.gov/enforcemen... [ftc.gov] and HIPAA https://www.hhs.gov/hipaa/for-... [hhs.gov]

    And then it's not really limited anymore except by state. Which a summary exists here: https://en.wikipedia.org/wiki/... [wikipedia.org]

  • by aussersterne ( 212916 ) on Saturday March 02, 2019 @09:54PM (#58206334) Homepage

    You are going to their house and doing what you do, and they're just making note of what you did in their living room.

    • No, all of those social media buttons and ad banners and "free" analytics tools and fonts, etc., those are mechanisms to spy on you. That's how they follow you around, well outside of their living rooms.
      • You are going to their house and doing what you do, and they're just making note of what you did in their living room.

        No, all of those social media buttons and ad banners and "free" analytics tools and fonts, etc., those are mechanisms to spy on you. That's how they follow you around, well outside of their living rooms.

        It's more like each major tech company controls a fleet of cameras. These cameras are absolutely everywhere, on the roads, in the shops, in the fitting booths, in your living room, in your bedroom in your car, at the restaurant where you eat, at the cash register where you pay for your groceries, in the sex shop where you buy your dirty magazines ... everywhere. If you sit down on any toilet to take a dump you'll find cameras belonging to Google, Twitter, Facebook, Pinterest, and a whole legion of tech, adv

    • You are going to their house and doing what you do, and they're just making note of what you did in their living room.

      So... when they send their response to me and they include a 3rd party ad that is malicious and it is executed on my computer are they held liable for serving up a 3rd party ad? If they can do whatever they want while I am connected to their server then they need to be held liable for what they push to my computer.

  • by SlaveToTheGrind ( 546262 ) on Saturday March 02, 2019 @09:54PM (#58206336)

    The real-world analogy would be more like keeping track of someone's location and activities who entered your retail store, then using/selling that data as they see fit. People may not like that, but I don't think there's any serious theory that it would be illegal. (Let's ignore for a moment the places in that retail store where you'd have a reasonable expectation of privacy like changing rooms, since that's outside the scope of the submitter's doe-eyed question.)

    In the same way, you visit someone's website, you play by their rules. This doesn't seem particularly complicated or surprising.

    • by Anonymous Coward

      Except your conception of the interaction is backwards. Websites are sending representatives of the company to your house (or more specifically your computing device). Despite the common terminology, it is entirely unlike going to a retail business. The web is a lot more akin to traveling salesmen, and I doubt most people would be comfortable with a salesman that, once invited in, can never be removed from the premises (and in fact will often invite third parties in through other entrances once inside).

      T

    • by Kjella ( 173770 ) on Saturday March 02, 2019 @11:21PM (#58206562) Homepage

      Well... while I can't fault your logic, I think your summary understates just how much previously private information we're now exposing. For example take newspapers, my dad still gets one in the dead tree format. Nobody knows what articles he reads or how long he's read it in total and outside the paperboy nobody knows if he's picked it up at all. With online newspapers they know exactly when and what you've read and with JavaScript probably how long it took, how often you scrolled the page and overall created way more data on whoever read the semi-critical article on the Party. Same goes for video games, TV series and whatnot... it used to happen on your computer, now there's a log in the cloud.

      • For example take newspapers, my dad still gets one in the dead tree format. Nobody knows what articles he reads or how long he's read it in total and outside the paperboy nobody knows if he's picked it up at all.

        Hmm...one of my neighbors gets the dead tree newspapers. I don't have a clue what they read of the paper, but I DO know whether it's been picked up daily, since I walk by their house every morning with the dog. And I've occasionally known when they were on vacation when they forgot to stop paper

    • don't think there's any serious theory that it would be illegal.

      Under current law, or you think there's no way we could make it illegal??

  • by LynnwoodRooster ( 966895 ) on Saturday March 02, 2019 @09:57PM (#58206342) Journal
    No reasonable expectation of privacy. Perfectly legal.
    • If it's a public space you have no right to exclude visitors that do not agree to your terms. You only have the right to enforce terms in your own private space. You can't go into a market square and start kicking people out. And if it's private space, then it's private for the user as well, meaning you cannot record it without consent.

      So which one is it?

  • Especially since you agree to their terms of service when you sign up.

  • The user and their content is the product.
    Use an ad company that offers "free" services and the ads will flow.
  • by spywhere ( 824072 ) on Saturday March 02, 2019 @10:16PM (#58206400)
    I use uBlock Origin, Ghostery and a Hosts file to block as much Web advertising and tracking as possible.
    This makes the leaks obvious: one random item I browsed will follow me around in ads on several sites.

    Of course, Amazon knows exactly what I want, and Google knows I go to (legal) cannabis dispensaries on my vacations, but I can live with that.
  • by Anonymous Coward

    It's not necessarily illegal to follow someone around without there permission to the extent you are not entering private property illegally and trespassing. Basically assuming nobody tells you to say leave a store following someone onto private property of a nature open to the public it is going to be legal. There may be statues against harassment, but those are going to be more specific. There may also be laws against practicing investigations without proper licenses. However following someone around and

  • by coats ( 1068 ) on Saturday March 02, 2019 @10:27PM (#58206432) Homepage
    The copyright-absolutist position is this: My life is *my* performance before God and all mankind. As soon as it is recorded, that recording is a copyright work for which I own the copyright (unless there is a specific written contract to the contrary), according to US Code Title 17. And use of that work without my permission for commercial gain is felony copyright infringement. Felony copyright infringement is exactly the behavior all these data-gatherers are doing. FWIW.
    • by Anonymous Coward

      This is definitely a misapplication of copyright law, in literally every jurisdiction.
      What you do in public is subject to recording. Angry reactions to glassholes aside, people have the right to photograph you in public.

      • by coats ( 1068 )
        not just a photograph, but a full history that does constitute "performance art", protected under both USCTitle 17 and the Berne Copyright Treaty.
    • if you're out in public and somebody takes your picture you don't own the picture.

      If we made every bit of data that involves you copyrightable it wouldn't really help. You don't have the money to litigate dozens of copyright lawsuits. It would just turn into a useful tool for the wealthy to quash criticism against them.
      • by coats ( 1068 )
        ...but copyright violation for commercial gain is not just a civil-suit issue, it is a felony (a crime), and should be prosecuted by the feds.
  • by williamyf ( 227051 ) on Saturday March 02, 2019 @10:47PM (#58206474)

    Imagine you phonecall a company and say:
    Send me a travelling Salesperson, please. Or a delivery service and say, please deliver a newspaper to my office.

    They answer: "sure, but there are some conditions for that convenience, please, for the next 8 minutes listen carefully to them."

    You do not listen, instead, put the phone on the table, set your watch to 7 minutes, and go brew a tea.

    You return, and when the operator asks: "Do you agree to our terms?" You say "yes"

    It turns out that the terms include the salesperson or deliveryperson staying in your office long after the transaction is concluded (you place your order or get your newspaper), taking notes of many of the things you do, correlating those notes with those of other delivery companies/salespeople/third parties and a long and creepy et cetera.

    But hey, you neglected to hear the terms of their service, because those terms were boring, and instead you went for tea.

    Having corrected the analogy used by dryriver, the correct question to ask slashdot is:

    Are the terms of service used by most websites even legal?

    • The only thing that covers is your expectation of continued service.

      Privacy is covered by law and is not something that can just be signed away because a company would like it that way.

      The real problem is simply these companies aren't being challenged in a way that financially hurts. I'd be happy if Facebook couldn't exist due to burden of fines.

  • by rsilvergun ( 571051 ) on Saturday March 02, 2019 @11:00PM (#58206496)
    pro-business and pro-corporate leaders for nearly 50 years now. If the people in charge of regulation don't believe in regulation then we don't get regulation.

    Seriously, it's not complicated.
  • by Anonymous Coward

    My country is still debating if Global Warming is real or not, if Evolution is real or not, if Vaccination creates Autism or not, if the Earth is flat or not etc. Online Privacy is too advanced a topic for us right now. Perhaps in a couple of decades we will get there.

  • by Anonymous Coward

    Simple answer: It's not users' data. It's data *about* the users.

    When you take out a pen and paper and write down the colour of your dog, that data isn't *owned by* your dog. If you kept a record of your customers height and weight on your own hard drive, your customers don't own that data.

    If you make a website, and record data about your site's visitors, your visitors don't own that data. It's data *about* them.

    • by jwymanm ( 627857 )
      I agree, well put. This is data about something the user did using the service provided. In exchange they get to use the service. I have no idea why people are all of a sudden in a uproar about this. It's been happening forever and it's almost required to make things better for the end user without charging them some flat rate and having them fill out questionnaires they usually just click skip anyway.
  • Per the following someone around parallel, I wonder if this comes under stalking laws?

  • you give them permission to do so.

    even this very site is like that.

    see also: https://slashdotmedia.com/priv... [slashdotmedia.com]

  • Follow everyone around and collect data on them.
  • well, you do give the website permission by agreeing to their terms of use.

  • by Solandri ( 704621 ) on Sunday March 03, 2019 @12:01AM (#58206648)
    People seem to think at the individual level, not at the group level. I first ran across this in the 1990s playing Everquest. In response to complaints about griefers harassing regular players, they came up with an anti-harassment policy. You could be banned for targeting a player and harassing them. This had the opposite effect than intended. Griefers didn't target specific players. They tended to hang out in an area and try to ruin the day of anyone who came into the area. On the other hand, people who got fed up with the griefers and tried to drive them out of an area were targeting a specific player. And so the anti-harassment policy ended up protecting griefers, while getting anti-griefers banned.

    For some reason people seem to judge the harm of bad behaviors in terms of the average harm done to an individual, rather than to the overall harm done to society. A spammer sends out a hundred million spam emails, and people say "what's the big deal? It only takes you 3 seconds to realize it's spam and delete it." But 3 seconds times 100 million is 9.5 years of cumulative wasted time and productivity. Likewise, people handling private customer data don't take it seriously, since each individual's data is probably only worth a few dollars. Nobody cares if they lose a few dollars, right? But multiply it by several hundred million people and you're doing serious economic damage if you take it without permission or let it get stolen by hackers.
  • We have so much other crap to worry about right now. Everyone takes our data. Heck it's part of our freedom as a species to monitor other people / animals / objects and record things about them. What the fuck is going on that this is all of a sudden a huge concern? What's driving this? Apple? EU? There's got to be some kind of financial motivation behind wanting companies to STOP taking our data. Or is it socialism trying to stop them? I don't get it. What do we get in the end if say none of us could record
  • by Kamineko ( 851857 ) on Sunday March 03, 2019 @12:46AM (#58206758)

    You've got the wrong metaphor.

    Open up the session monitor in your browser of choice and you'll see it as a series of requests. Now the metaphor is much clearer: you're ringing them up, and asking them things. Your browser, on your behalf, is sending the data that lets the session persist and allows inferences to be drawn.

    *ring ring*
    ACME: This is ACME products, how can I help you?
    John: Hi, I'm John, can you show me products related to 'shoes'?
    ACME: Okay, here are leather shoes, casual shoes, trainers.
    John: This is John again. I want casual shoes.
    ACME: Mens or womens?
    John: This is John again. Mens please. Brown, size 10.
    ACME: Here are some styles of mens shoes in that colour. - writes down that John may be male, adult -
    John: This is John again. Thank you I'd like to buy these ones.
    ACME: Okay John, done. Would you like to see some women's shoes?
    John: This is John again. Yes, women's, adult, formal.
    ACME: Okay John, here are some formal women's shoes - writes down that John may be married to a woman, employed -
    John: This is John again, bye.
    *click*

    I think the idea that this is 'users' data' to be misleading. It's the company's data regarding a request from a user. If I keep track of how many red or green apples I sell and in which months of the year and whether the seller is male or female or tall or short, that's sales data.

  • Every retailer wants to know more about their target markets to get that competitive advantage.

    Before the web, user information was gathered based on TV channels you watched by vans equipped with radio equipment that could detect which channels were active on a TV as they drove through neighborhoods for ratings or licensing purposes: https://www.theguardian.com/no... [theguardian.com]

    Credit card companies, magazine subscriptions, and mail order catalogs requested were also valuable sources of consumer interests

    The searc

  • It's legal for websites to gather and sell our data because there is no legal right to privacy in the Constitution.

    It's called Surveillance Capitalism. More than just our labor, information about us is an object of economic value. In effect, people have been turned into commodities.

    Market research's psychographics classifies us according to our social niche. That information is then used to micro-target specific segments of the market, the segments we occupy. As part of a massive feedback loop, words a

  • by Anonymous Coward

    I would pose this question to Equifax and transunion. They have been doing it for decades before the internet was born.

  • In the case of a web-site, it's not like following a person through public. It's like following a customer of yours around your own store.

    I don't think you'll find any jurisdiction in which it's illegal, or even frowned upon, to record how customers walk through your store, which shelves they look at, which clothes they try on, which products they pick up. And if you want to sell your customer-usage data to someone, it's yours because it's actually your customer data.

    This all comes down to the purple pages

  • I expected this question to be about data collected from my computer, not the data I send to the web site.

    Ad blockers are a security tool, and the main reason I use them is to keep ad companies from trying to break into my computer. I've come across way too many malicious scripts in ads over the years. Given how many legitimate companies have been caught doing that, is anyone taking that seriously?

    I don't own a smartphone at all. I don't even want to know how much questionable yet suspiciously legal data

  • The OP compares one physical activity and one digital activity and suggests one might be illegal whilst the other is perfectly legal.

    It might be worth taking a brief detour here and considering the way that society determines whether or not a particular activity is legal or illegal. This is a significant simplification, but in general terms we could summarize the core principle of illegality as being a range of activities which cause harm or damage to those disadvantaged by it.

    If I steal from you, you
  • ... Oh, wait, you're probably in the US. Errrm ... Nevermind.

    Seriously you guys across the pond should probably just copy the new EU GDPR verbatim and be done with it. That would save you a lot of hassle. It's a great law and although it forces me to do muy job more diligently that actually by and large is a good thing.

    Just sayin'.

    • Article 27 of the GDPR includes a requirement to hire a representative within the customer's country or confederation thereof. Currently, article 27 representative service from VeraSafe [verasafe.com] starts at $2,700 per year even for the smallest businesses, including those with less than $1 million of annual revenue. If counterparts to GDPR adopted by other countries include a counterpart to article 27, then any small business that sells goods or services internationally may end up spending so much on representative se

  • ...until they are made illegal.

  • "Would I be breaking the law if John D. has not given me explicit permission to do this?"

    No, you would not be breaking the law.

    Repeat after me: "There is no expectation of privacy in public, PERIOD."

    Anything that can been observed from a public vantage point can be recorded, noted, drawn, sketched, photographed, etc etc etc.

  • That question has a false premise. In virtually all countries it's legal to occupy public spaces and record all that you see, even if that amounts to trailing a particular person.
  • 1) Your trip to the store uses public roads, so you are already accepting that other people can see you doing so. A random member of the public is allowed to watch you do so and in every jurisdiction I know of, is allowed to write down what cars he or she sees, along with the direction, speed, license plate and so on.

    2) Any store you patronize must know that you were there. That is inherent in making any transaction. Since the store is their private property, just about everywhere allows them to set up sec

  • ... the user grants the permissions needed there: you don't read that?!
  • You know that link on the home page of every site that says "Terms of Service"? Or that long document you clicked "I agree" to when you started using a Web site? You may not have read those documents (and that is what they want), but in those documents, YOU give the Web site explicit permission to track you, and for them to sell your tracking data to whomever they want.

    Sure, you just skipped over that. They didn't. They knew you would agree to whatever terms they put in front of you, because you want to use

You know you've landed gear-up when it takes full power to taxi.

Working...