It's not time to grant people agency over their data

[Maxmars]

I won't belabor the political celebrity to whom this 'decision' is attributed, nor the fact that it concerns California state law.

But It kind of disappoints me (in an idealistic sense) that the justification offered for the veto isn't being truly challenged by our media... at all.

From ArsTechnica: Calif. Governor vetoes bill requiring opt-out signals for sale of user data
Subtitled: Gavin Newsom said he opposes mandate on mobile operating system developers.

This is a tale of the California legislature producing a new mandate for those designing websites and mobile operating systems.  The mandate would not incur any direct "cost" to those affected... but it would make their "name-selling" revenue shrink - probably by a lot.

The bill approved by the State Legislature last month would have required an opt-out signal "that communicates the consumer's choice to opt out of the sale and sharing of the consumer's personal information or to limit the use of the consumer's sensitive personal information." It would have made it illegal for a business to offer a web browser or mobile operating system without a setting that lets consumers "send an opt-out preference signal to businesses with which the consumer interacts."

I'm hearing "No 'opting out' for us users... their names should be for sale..."

But why?  Why can't users exercise their own agency over the disposition of data they provide?  Why is any users identity a "commodity of trade" despite it being "their" identity?

But Newsom said he is opposed to the new bill's mandate on operating systems. "I am concerned, however, about placing a mandate on operating system (OS) developers at this time," the governor wrote. "No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill."

Vetoes can be overridden with a two-thirds vote in each chamber. The bill was approved 59–12 in the Assembly and 31–7 in the Senate. But the State Legislature hasn't overridden a veto in decades.

Since no major mobile OS has incorporated that option... it would be "wrong?"

It's such a non-answer that it begs the question... exactly which lobbyists got to him, or his party leadership?  Shall we guess?

"It's troubling the power that companies such as Google appear to have over the governor's office," said Justin Kloczko, tech and privacy advocate for Consumer Watchdog, a nonprofit group in California. "What the governor didn't mention is that Google Chrome, Apple Safari and Microsoft Edge don't offer a global opt-out and they make up for nearly 90 percent of the browser market share. That's what matters. And people don't want to install plug-ins. Safari, which is the default browsers on iPhones, doesn't even accept a plug-in."

Consumer Reports Policy Analyst Matt Schwartz said that "industry worked overtime to squash this bill, as it empowered Californians to better protect their privacy, undermining the commercial surveillance business model of these tech companies. We strongly disagree with the idea expressed in the governor's veto statement that it should be left to operating systems to provide privacy choices for consumers. They've shown time and again they won't meaningfully do so until forced."

Consumer Reports is one of the groups behind Global Privacy Control (GPC), an opt-out signal that creators hope will become legally binding under the CCPA or other privacy laws. Makers of Global Privacy Control say it is superior to the older Do Not Track (DNT) signal because the California attorney general "determined that the AG could not require businesses to comply with DNT requests because the requests do not clearly convey users' intent to opt out of the sale of their data."

Thanks for reading...  Privacy was never dead... it was only buried under political grime.

[ArMaP]

In Europe we have the GDPR that controls what kind of information any organisation can get from the users, and in some cases even an IP address is considered "personal" and "identifiable" data, subject to the GDPR.

Besides that, in Portugal we have the right to know what information any organisation/person has about us if they are in digital format.

But, obviously, that doesn't mean some organisations/people can do whatever they want, as we would need to know they were doing it.

[Maxmars]

This is never given as much attention as I would like.

The idea that we as 'users' of internet 'services' are somehow automatically 'fair game' insofar as monetizing our identities seems to me an abuse.
Somehow the mentality that supports the selling of user information makes a barter where no offer of trade was actually agreed to by the user.

Nowadays the multipage litany of user 'agreements' we are legally leveraged into accepting actually codifies the abuse and indemnifies the abusers.

It encourages me that Europe's approach to personal sovereignty in these matters is more sensitive to the fact that commerce isn't a 'ruling force,' whereas here in the States, commerce seems to be treated as a god.

[ArMaP]

Nowadays the multipage litany of user 'agreements' we are legally leveraged into accepting actually codifies the abuse and indemnifies the abusers.

Even when using a private browser mode or whatever they are called by each browser maker I always take the time to chose not to accept any unnecessary cookies for the sites' "partners".
For example, CNN does not give an option to chose which cookies we accept, but CNN Portugal does, and it shows:
- 140 suppliers that want to store cookies on my device;
- 87 that want to use cookies for advertising;
- 107 for creating personalised advertising profiles;
- 104 for selecting personalised advertising profiles;
- 35 for creating personalised content distributing profiles;
- 29 for selecting personalised content profiles;
- 93 for measuring the advertising performance;
- 93 for measuring the content performance;
- 73 for understanding the audiences by combining information from different sources;
- 79 for developing the services provided;
- 19 for using limited data to select content;

All of the above are not from CNN Portugal itself, they are third party cookies.
They also have a list of those third parties and what their cookies are used for.

Most cookies store geolocation, probabilistic identifiers (identifiers based on browser, operating system, screen size, etc.), privacy options, device language settings and time zone and a cookie with an unique identifier that can be use to recognise the device on other sites.

One is Roq.ad GmbH, that presents itself as "an identity solutions provider for a post third-party cookie world". Their cookies last one year.

Another one is RTB House S.A. that "creates truly personalized marketing campaigns powered by Deep Learning technology that cut through the online noise". Their cookies last 565 days.

The amount of companies wanting our data is huge, because it is a huge business.

[Maxmars]

Yes... I too have noted the world of "cookie" and "tracking" data directly imprinted onto my computer... with only my 'general understanding' of how and why they are used.

Also, if you are diligent and 'exclude' certain cookies, java scripts, etc. you can't actually access website features, face disrupted functionality, or your downright blocked.  As if the third-parties were more important than the user... sad that.  I think it might telegraph the possibility that much of the internets' infrastructure has been seized by a relative few.  Which shouldn't be a problem - except they hide and refuse to be up-front about what they do.  Weak sauce.

I know it's a huge business... but I still never see anyone exposing "why" and "how much" when it comes to our information and its trade value... as if it were a "secret" currency.

[ArMaP]

Also, if you are diligent and 'exclude' certain cookies, java scripts, etc. you can't actually access website features, face disrupted functionality, or your downright blocked.

I've seen some US sites presenting the screen for the choice of cookies and, if we choose to deny them, present a new page saying we cannot access the site.

[UltraBudgie]

It's all rather harrowing, if you retain a 20th century concept of 'privacy'. And the public debate seems to be framed at a very superficial level, reinforcing public ignorance of the true extent to which they are tracked, monitored, and analyzed.







This FTC staff report, released this month, is well worth reading, if you have the stomach for it.
A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services [PDF]

...and of course this isn't even getting into data collection at the transport or device levels.

[ArMaP]

Although against their rules, I have 5 Facebook accounts, with different names.
For accounts I chose to ignore some adverts, for other accounts I ignore other adverts.
The result is that I get different "targeted" adverts, and in one of the accounts I even started getting adverts as if I was a gay man from Eastern Europe (they only got the "man" part right).

[Maxmars]

Although against their rules, I have 5 Facebook accounts, with different names.
For accounts I chose to ignore some adverts, for other accounts I ignore other adverts.
The result is that I get different "targeted" adverts, and in one of the accounts I even started getting adverts as if I was a gay man from Eastern Europe (they only got the "man" part right).

Yes... I have come to the opinion that Facebook is far from what they claim it is.

They seem to be focused on (and experimenting with) 'analyzing' human contact, rather than a simple platform for the exchange of ideas and conversations.

I resisted ever "getting into it."