The real problem is that the states aren’t very interested in allowing the people to have their privacy rights. Each respective state could put a complete stop to privacy invasions overnight if they wanted to.
1.) Pass a law that prohibits the collection and storage of any location or other private information (other than your own). Make the violation of those laws be felonies and punishable by immediate arrest and incarceration.
2.) In one day, arrest Bill Gates, the CEO of Google, the CEO of Apple, and any other CEO who continues collecting private information after the law is passed. Show these guys all doing the perp walk as they are loaded in to police cars, on the evening news.
3.) Keep all of these CEOs in Jail without bail until their respective companies have pushed out software changes to stop all of the spying. Bill Gates can call Microsoft and say “look, I want out of here ASAP. How soon can you complete the pushouts and purge all of the databases of private information?”.
4.) After these executives get out of jail, continue with their prosecutions. Make sure that both the company and its CEO pay heavy fines and for the CEO, felony convictions. Make the deterrents be big and public.
5.) Make the trading in people’ s private information a felony crime also. Go after the CEO of any company that buys or sells private information.
Most of the spying and tracking of people would go away within a few days after taking the steps above. So we could stop the spying and tracking almost overnight, if we wanted. Our politicians choose not to put a stop to it. Allowing these privacy invasions is not a problem. It’s a choice.
a company that you have chosen to do business with may have a legitimate reason to collect information that would otherwise be private (for example they may legitimately need to contact you!)
a company may be required by law to collect information that you would otherwise choose to keep private (there are things that you can’t do anonymously but blame the government for that, not the company)
and, in the case of the first bullet point, a company may choose to outsource some or all of its operations such that it needs to share some of the collected information with its suppliers. (I hate outsourcing because it means that you are contacted by and affected by companies that you have never even heard of but do we really want to go as far as making outsourcing illegal, at least to the extent that it would necessitate sharing of your private information?)
That’s a bit harsh, isn’t it? since he stepped down as CEO 24 years ago and hasn’t had any involvement with Microsoft in the last 4 years.
There is a difference. If you track me and use the data by your own to train your own AI or just to know everything about me, it’s also tracking, but not sharing or selling. Sharing is an action when you give my data to other parties with known or unknown or even no restrictions. Selling is sharing that costs money (money restriction).
How would I define tracking:
Collecting personal data with information attached to a profile. A profile begins when data can be attached together via any identifier. That can be a name, an ID, an account or similar.
It has to be an action that is not done by users. Creating an account, writing posts and so on is creating data attached to a profile, but no tracking, because it’s done by hand of the user.
Collecting data like a generic counter (how often people open a specific page) is no user tracking (the counter tracks the web page).
Tracking is always about personal data (unlike data collecting in general).
To make an example - counting how often people open a specific page:
A +1 data is not tracking (but data collecting). An array of IPs is tracking where the array length shows the page count. A page count in account profile is also tracking, because the account is created by users, the counter is not and is connected to the profile.
An edge case is on discourse forum software. There is a discussion counter. This is also available on private messages where just two people communicate together. This counter is not personal, because it’s a +1 counter and not account bound. But since only 2 people are communicating, one person can track how often the other person opens that page. It can be even used to look at what time the other person is active (at the time when the counter goes one up - requires activity of the first person). So it’s a kind of tracking, but not as invasive as the problematic form of surveillance capitalism.
We have HIPPA laws to protect our medical records. And yet our medical records are complete enough that those who really do need the information in your medical records (like your own insurance company) can get to the information. But they can’t sell that information nor use it in exploitive ways. The exact same kinds of laws could be passed to cover all other information about you. The banks (for example) should not be allowed to share your financial information with their business partners (people who want to sell things to you if you have enough money based on your bank account balances). The law protects their legal right to do that.
The point is that the lack of will from our political leaders is the only cause that these other privacy violations in our society are allowed to exist. If the law punishes those who trade in your private information, then there will not be a market for your private information.
Google and Apple should be broken up by the courts as AT&T once was. In the break up, the court should order that at least one new company should offer terms of service that completely honor your privacy. All of the other new companies should be ordered to make all advertising on your phone be a strictky opt-in fearure with no clever means to trick you in to opting-in allowed. So then, the so-called free services would dry up and likely disappear. But then, people would start paying for previously free services that they miss having. Some people would then opt-in to the advertising to avoid having to pay for those services. Then people like myself could choose not to opt-in to any advertising or tracking, and pay for any services that I value and want to keep. If all information about you was protected as well as your medical records are protected. That gives us back some rights that have recently been stolen from us.
Yeah, but personal medical information has been leaked because of FB pixels placed on medical web sites. Also medical provider networks have been cracked and personal medical information stolen.
That’s true but “do not track”, in any form, is hardly going to solve that.
The best defence against a data breach is “do not collect” but there are legitimate scenarios where data is collected, medical or otherwise. In that case, the best defence is “do not make accessible from the internet”.
A bill recently passed that impacts on this topic.
(You will note that, in the intervening months, Firefox has actually dropped support for DNT.)
Firefox seems to comply already. Setting is present. Setting works (signal is present).
Brave is confusing. The signal is present but I can’t find the setting that controls it!
Edit: For Brave, the answer is that it is on by default but you can disable it by visiting brave://flags/#brave-global-privacy-control-enabled
which I personally think is not in the spirit of compliance (per the bill’s text that it should be “easy for a reasonable person to locate”).
Epiphany does not appear to comply. The signal is not present and I can’t find a setting for it.
It is acknowledged that I may not be running the latest version of any browser.
What I was really looking for was a specific setting that exclusively controls the Sec-GPC request header i.e. to make it on par with the other two browsers that I tested. My reading of the description of ITP is that it is silent on GPC. That doesn’t absolutely mean that it doesn’t affect GPC but if the documentation and the GUI both don’t mention GPC then that would not comply with “easy to locate”.
ITP seems to be enabled by default (I have it enabled) and yet the Sec-GPC signal is not sent. So I think that ITP just isn’t the right setting.
There is a potential loophole here. Imagine that the privacy signal is bundled with dozens or even more than a hundred other pro-privacy or other settings but in order to make a web site work, due to problems with up to N-1 other settings, you have to turn off the whole bundle. Hence you are being forced to turn off the privacy signal just to get the web site to work even though the privacy signal is not per se a problem for the web site. (NB: Per the documentation, ITP, as the name implies, does control an absolute mass of techniques and browser behaviours.)
So an ideal implementation gives you via the Settings GUI a specific setting that just says “Do not sell or share my data” (per the legislation) and that setting exclusively controls the presence or absence of the Sec-GPC header in every HTTP request. That is … send a clear signal. Make it a clear connection between user intent and what is received by the web server.
The ITP documentation does mention that they removed DNT, as Firefox did.
However none of the above really addresses the question of whether ITP (or Epiphany as a whole) “complies” because the bill does not go into any detail as to what specifically a browser must do in order to send the signal. This is only going to work fully if all browsers send the same signal.