back to article Facebook, Google, Microsoft scolded for tricking people into spilling their private info

Five consumer privacy groups have asked the European Data Protection Board to investigate how Facebook, Google, and Microsoft design their software to see whether it complies with the General Data Protection Regulation (GDPR). Essentially, the tech giants are accused of crafting their user interfaces so that netizens are …

  1. Voland's right hand Silver badge

    None of them does

    They all require a consent to marketing and selling data to provide a service. There is no opt-in.

    Out of all Internet outfits I have seen so far the only compliant is Kaspersky - separate consent for marketing, separate consent for data and everything works even if you decline to grant it.

    1. Voyna i Mor Silver badge

      Re: None of them does

      Tut-tut. Didn't you know Kaspersky is evil?

      The US government, that would never countenance malware or surveillance, and a right wing Polish MEP told me so, who am I to doubt them?

      (I'm one of the weirdos who uses paid-for BlackBerry services on my phone. They don't seem to want to sell my data either. Perhaps there's a business model here.)

      1. GIRZiM

        Re: BlackBerry [...] don't seem to want to sell my data either.

        That's because Blackberry is a front for GCHQ

        Okay, I'm exaggerating there but, not only is the CEO on record as having stated that the company is ready to break encryption and hand over user data any time governments request it but it has prior form - that the decrypted content of BBM messages had been handed to governments (including the UK) was not only announced years ago but it was admitted that it had been happening for years already as well.

        And once its in government hands, it's as good as left on an unencrypted USB key on the table in a pub/on a train/somewhere else mindbogglingly "wtf were they doing there!?" - before you know it, you have a week to pay the ransom or else your privates will be exposed to public scrutiny (or your partner will be informed of precisely what you've been getting up to on the photocopier in the stock room at lunchtime for the last six months).

        1. DropBear Silver badge
          Facepalm

          Re: BlackBerry [...] don't seem to want to sell my data either.

          Unfortunately most sites really do work like "you may or may not want to fiddle with some settings, but ultimately everything we decide to call 'necessary' will be forced on you and all you can do is click 'I agree' or go away".

          Google is currently harassing me with a "click ok to acknowledge we will continue to do whatever we want to do to you - just to be clear, it's an acknowledgement of taking notice, we are not asking you for permission to do it" note-wall "obstacle" (which I continue to DOM-delete each time) on multiple of its own services while Search / Mail / YouTube sees me as logged in and leaves me alone - go figure...

          Disqus is currently insisting it has the God-given right to record my IP and hell knows what else as "necessary" and I must consent or else fuck off. Seeing as how the half of the internet that isn't using Facebook for comments is using Disqus, that used to be a bit of an issue until I got fed up and taught my blocker to bypass it.

          Frankly, I'd really like to see most of these mammoths hit with max penalty several times and taken down several dozen notches in attitude - the smaller sites actually tend to turn out to be the more civilized ones in my experience. Ultimately though, if you're not a fan of cookies in general and wipe pretty much all of them each session you end up clicking through a forest each time you go to any website, again and again...

        2. Primus Secundus Tertius Silver badge

          Re: BlackBerry [...] don't seem to want to sell my data either.

          @GIRZiM

          Once the info is in government hands it is subject to Freedom of Information requests; unlike data in private hands especially US megacorp hands.

          1. GIRZiM

            Re: Once the info is in government hands it is subject to Freedom of Information requests

            That may well be the case, yes, but subject to a request does not mean that request be required to be honoured: there are all sorts of get-out clauses government has recourse to, not least being the age old "Oh, the cat's eaten it!" or whatever pitiful fabrication they come up with to explain why, no, you may not have that information; and, if not, they can always simply lie about what they have, if they even feel the need to go to the effort (they can legitimately send you some whilst declaring that it is incomplete for <some reason you can't dispute because 'national security'>).

            By and large I imagine that most people making requests see everything held about them because, by and large, most of us are uninteresting and the data held simply dully bureaucratic - name, D.o.B., address, inside-leg measurement, which political party we vote for, that sort of thing.

            But the idea that any government that wants to withhold information will nevertheless feel bound to honour any and every F.o.I. request because it would be very very naughty of it not to is, frankly, the stuff of fairytales - if they tell you they have nothing on you (now piss off and stop bothering them) then that is the news as far as you are concerned and it's unlikely you'll ever prove otherwise; even should you do so and 'investigations rigorously pursued' and 'lessons learned', no-one will ever be held to account unless it be some lowly junior whose future is sacrificed for the greater good of the responsible parties (no, I'm not cynical, I'm experienced and realistic).

            Be all that as it may, however, yes, you're absolutely right, it's six of one, half a dozen of the other and I don't much like the look of the megacorps; added to which, I don't trust them to look after the data properly any more than I do some civil servant taking their work home for the weekend not to forget it in the station bar.

            But, my original point was really about Blackberry not being a company I would trust with my data because they made all their claims about being on the side of the customer/user and protecting their data with the most sophisticatedly secure solution in the world, only for it to transpire that they had secretly been sharing it with governments, so, they can't be trusted - the 'front for GCHQ' thing was just a bit of playful hyperbole to get your attention ;-)

    2. Jamesit

      Re: None of them does

      "They all require a consent to marketing and selling data to provide a service. There is no opt-in."

      You opt-in by using the service. To opt-out, don't use the service

      Easier said than done though.

      Privacy needs to be easier to protect

      1. Pseu Donyme

        Re: None of them does

        >You opt-in by using the service.

        Under the GDPR it doesn't work like that: making the provision of a service conditional on consent to process personal data invalidates the consent (Article 7(4), recitals 42-43 : https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679 )

      2. Voland's right hand Silver badge

        Re: None of them does

        You opt-in by using the service. To opt-out, don't use the service

        Not GDPR compliant. A requirement to process data and god forbid requirement to use data for marketing purposes invalidate GDPR concent. That is 4% global turnover per customer/visitor/user.

  2. Mephistro Silver badge
    Flame

    As all the sites listed are opt-out...

    ... none of them is GDPR compliant, and all those company statements are just dilatory tactics, to stretch the private data smorgasbord for a few years more. I hope the courts throw the book at them.

  3. Anonymous Coward
    Anonymous Coward

    They missed the real bad-guys

    I actually do opt out now, and if you use one of the trustE one's which seem quite common, MOST of them you can only opt out on their site, and their opt out box doesn't actually work (redirects you to itself over and over, often the page says "click here to opt out" then the same page with "you're opted out" and then "click here to opt out".

    MySQL's one let me opt out then gave me a LINK to complete the opt out process, but indicated it'd completed (citing some only allow it over http)

    Check out Tumblr's (not sure why I found out, it was either curated porn or to laugh at sub-human people)

    TUMBLR: https://i.imgur.com/m4nXr0K.png YES REALLY absolutely fucking seriously, that is what you must uncheck to opt out - and to the autistic fuck who wants to show off some javascript prowess and not realise it fails to show either prowess, or something you'd even want to brag about (like "people who sleep with me turn gay" - not good!): yeah right click and open the console then use jquery to mass-uncheck them <--- because you know this if you want to opt out automatically.

    MySQL: https://i.imgur.com/VtgPrNG.png

    AC because those I called "sub-human" for short, are like career landmines, ( https://i.imgur.com/VncXCYe.png <-- REAL - and that's the tip of the iceberg of that world)

    1. Martin Gregorie Silver badge

      Re: They missed another too...

      Amazon!

      I notice that avoiding the Prime tax seems to be getting harder and harder.

      The last time I bought anything from them I read the page carefully, was certain I'd selected normal free delivery, not Prime, but Noooo...

      The next checkout page showed Prime trial selected. Then it wouldn't let me go back to the previous page. Again, I'm sure that used to be possible (change of mind on delivery date, etc).

      I ended up completing the transaction and using my account page to cancel the Prime trial.

      At least that worked.

      This time.

      I wonder how long it takes to close that loophole.

    2. Anonymous Coward
      Anonymous Coward

      Re: They missed the real bad-guys

      > TUMBLR

      Seems weird that the Tumbler list is in alphabetical order, with one exception. "Oath (EMEA) Limited" which seems to have been manually moved to the bottom of the list.

      Seems like they really don't want to you opt out of Oath for some reason.

      Guessing Oath pays them the most money>

      1. Zippy's Sausage Factory

        Re: They missed the real bad-guys

        @Anonymous Coward

        Oath owns Tumblr these days, I thought? So trying to hide their own opt outs would be an obvious trick...

      2. Loyal Commenter Silver badge

        Re: They missed the real bad-guys

        Seems like they really don't want to you opt out of Oath for some reason.

        Funny that, IIRC Oath have acquired Yahoo!, who puleld exactly the same trick a few days before GDPR came into force.

    3. Rafael #872397
      Mushroom

      Re: They missed the real bad-guys

      The real bad guys are those who design complex forms with the buttons "Submit" and "Cancel" very close to each other. Click "Cancel" by mistake and then you have to enter everything again.

      Won't somebody think about the children and the fat-fingered users such as myself?

    4. Anonymous Coward
      Anonymous Coward

      Re: They missed the real bad-guys

      Good idea Tumblr!

      I might add a form like that to our website.

      Though, I like to mix the confirm and cancel buttons up by making cancel in a big green button and to the right, and confirm to the left in a small red button.

      1. Loyal Commenter Silver badge

        Re: They missed the real bad-guys

        Though, I like to mix the confirm and cancel buttons up by making cancel in a big green button and to the right, and confirm to the left in a small red button.

        If you're doing it properly, you make the confirm button a small grey non-underlined hyperlink at the bottom of the page, in the middle of a paragraph of text.

    5. Anonymous Coward
      Anonymous Coward

      Re: They missed the real bad-guys

      Would the downvoter please state their "gender"?

  4. Blockchain commentard Silver badge

    You can't opt out of Windows 10 user data grab unless you install something else and in the real world, the muggles know no better.

  5. Anonymous Coward
    Anonymous Coward

    No no no no, NOT Microsoft. They've got ethics:

    https://www.bloomberg.com/news/articles/2018-04-30/if-microsoft-finds-another-linkedin-deal-chairman-is-all-in

    https://www.bloomberg.com/news/articles/2017-09-28/microsoft-ceo-urges-tech-to-focus-on-self-policing-not-regulation-fears

    https://www.theinquirer.net/inquirer/news/3028147/updategate-microsoft-is-forcing-windows-10-build-1709-to-users-who-opted-out

    https://www.computerworld.com/article/2917799/microsoft-windows/microsoft-fleshes-out-windows-as-a-service-revenue-strategy.html

    1. GIRZiM

      Re: No no no no, NOT Microsoft. They've got ethics:

      Yeah, but they got them along with the acquisition of a disruptively ethical startup - and we all knows what happens to the products/services of companies MS acquire.

  6. Anonymous Coward
    Anonymous Coward

    Well that Recent over-the-wire Update to non-365 versions of Microsoft Office 2016

    ... appears to have added a new Service "Microsoft Office Click to Run" which wasn't there previously.

    It starts on Windows boot and is constantly connected and phoning home to multiple Microsoft Stasi Servers. And now Microsoft Excel, Word etc won't start if you disable this "Cick to Run" Service.

    I certainly didn't give my consent for Microsoft to Slurp/exfiltrate my data in way.

    I wonder what their response would be if I demanded under GDPR that they to Cease and Desist ?

    1. alain williams Silver badge

      Re: Well that Recent over-the-wire Update to non-365 versions of Microsoft Office 2016

      I wonder what their response would be if I demanded under GDPR that they to Cease and Desist ?

      Please do try this. Then let us know how you get on.

    2. Anonymous Coward
      Anonymous Coward

      Re: Well that Recent over-the-wire Update to non-365 versions of Microsoft Office 2016

      Wow, you're going to love this then:

      https://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/

      > Now, investigators have access to a stockpile of granular activity data going back six months—even if audit logging was not enabled.

      Wonder if that's GDPR compliant?

      /s

      1. Anonymous Coward
        Anonymous Coward

        Re: Well that Recent over-the-wire Update to non-365 versions of Microsoft Office 2016

        Actually, there's IMHO so much wrong with the whole EEC/EU version of Microsoft Office 365 services that I don't quite know where to start.

        If you have data to protect you ought to really avoid the use of Microsoft products altogether, not just from a privacy perspective but also from the view of operational costs. It can be secured, but there are solutions out there that are more cost effective and safer by default, even if you take into account that their Enterprise management approach isn't quite as sophisticated.

        IMHO, of course, but this is from practical experience.

  7. Winkypop Silver badge
    Big Brother

    It appears that "use" = acceptance with these guys

    Ya pays ya money*, ya takes ya chances.

    * In this case your ID

  8. Pseu Donyme

    The default should be no slurp whatsoever. Moreover, no active measures on the part of the would-be slurper to induce the end-user to change that i.e. a facility to opt-in may exist, but the end-user must find and use it on their own.

    1. bombastic bob Silver badge
      Unhappy

      The default should be no slurp whatsoever

      ack, but the evil genie is out of the bottle now.

      1. Orv Silver badge
        Coat

        Re: The default should be no slurp whatsoever

        We (collectively) chose this anti-pattern when, back in the 1990s, we decided it was unethical for sites to erect paywalls and they should be shamed out of it or subverted whenever possible. (Information wants to be free, man! You can't OWN it!) Now everyone is conditioned not to pay for anything on the Internet, which has led directly to this kind of data slurping as a way to make revenue.

        1. JohnFen Silver badge

          Re: The default should be no slurp whatsoever

          That this argument is nonsense is indicated by all the websites that continue to use paywalls.

          Also, you're presenting a false dichotomy. Ignoring the fact that there are ways of generating revenue that don't require data slurping or paywalls, there's nothing to stop sites from offering users a choice -- pay and don't be subject to spying, or use it for free and be spied on.

          I'm not aware of any sites that actually offer this choice, though.

          1. Orv Silver badge

            Re: The default should be no slurp whatsoever

            I've had several sites (Wired is one, I think) that popped up a page asking me to either disable my ad blocker or pay. Funny thing was, I wasn't using an ad blocker, just Privacy Badger.

  9. Anonymous Coward
    Anonymous Coward

    not only "the giants"

    I've noticed FUD on numerous site that have to, now, give up this juicy "revenue stream". Wherever it was simple to click "no, I don't want to be spied on", I did. Where it took more than a couple of clicks to confirm my choice, I just leave the site. But, of course, those "couple of clicks" is all it takes for the majority to not bother - and click the highlighted: "yeah, fuck me any way you like". Nothing new here.

  10. Anonymous Coward
    Anonymous Coward

    Can anyone, someone tell me one example where Facebook have used face ID to stop or detect a fake profile? Codswallop.

  11. Pascal Monett Silver badge

    "we are committed to GDPR compliance across our cloud services"

    Well of course you are, to the letter of the law.

    And the law doesn't say that you have to be objective and present all the arguments for/against, now does it ?

    So they are committed to being compliant, but they will continue to cajole and harass you to get your consent in any legal way they can.

    1. SImon Hobson Silver badge

      Re: "we are committed to GDPR compliance across our cloud services"

      And the law doesn't say that you have to be objective and present all the arguments for/against, now does it ?

      But if they present a very biased appearance - ie presenting all the reasons you should allow it but ignoring all the negatives - then that is not informed consent. That's the reason the regulations specify that consent must be informed - ie it's not OK to hide the real purpose behind a gazzillion pages of dense legalese while presenting a misleading summary that prompts the user to accept without knowing what they are accepting.

    2. Teiwaz Silver badge

      Re: "we are committed to GDPR compliance across our cloud services"

      Well, of course. Stock corporate reply,

      the lawyers are confident there's nothing that can lead to successful prosecution, or confident they can muddy the waters for decades

      Much like 'fully committed to assist the Police Investigation' - the contents of three buildings have been shredded and staff flung to offices on the four corners of the earth.

  12. DrXym Silver badge

    They've been doing this for years

    These social media platforms default to the settings they *want* rather than what a new person might want and then bury the settings away in corners of the design where they are hard to find.

    They certainly never help somebody lock it all down with a few clicks. No, all the settings are nested and individually applied. And usually the settings come with warnings that functionality or bad things will be crippled if you don't enable them.

    I am quite certain that the likes of Facebook even run A+B testing where users are split into groups receiving a page designed one way vs another and the winner is the one which puts off the most people from changing their privacy settings.

  13. BebopWeBop Silver badge

    "Feedback from both the research community and our users, along with extensive UI testing, helps us subvert users’ privacy preferences

    TFTFY

  14. Anonymous Coward
    Anonymous Coward

    Bloomberg is bad too...

    Their optout popup is white text on a black background. And a black and white slider between options labelled 'Out' and 'In'. No explanation of what 'Out' vs 'In' means. And impossible to tell whether the white or black end of the slider means selected. GDPR-compliant my a***!

  15. JohnFen Silver badge

    Yup, and they're not alone

    If you want to know how prevalent manipulative and deceptive techniques are, just spend some time reading articles in the leading UX developer sites. They're absolutely chilling and infuriating.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019