The core issue is transparency. I don't want to see a 'privacy policy', I want to see who a company has sold/given my information to and what limitations that sale has. The concept is simple. If you collect anything about me and allow some other entity access, you tell me about it/make it easy for me to see -and- block. Most of this abuse of personal data would go away if people knew it was going on.
That's something I think the EU got right -- being hard-nosed about true tracking consent requiring a user to receive the same outcome regardless of their choice.
Anything shy is begging companies to dark-engineer patterns around obtaining it.
The EU didn't get this right - or else they aren't enforcing it. I'm in the EU right now and the crap I see is a popup "We respect your privacy. Us and 352 (not an exaggeration!) of our partners are collecting data on you. Approve or Details?" Pick details and you can spend your time going through the partners
This is mostly unenforced, as it WAS ruled that it must be as easy to reject as to accept. However, they're going after "consent to ads or buy a subscription" which I thought was a pretty fair compromise business model.
I'm generally okay with Ads, that is fair.
But I'm not okay with tracking, consolidating data about me from different sources, analyzing it and selling that. It is too hard to understand how that may impact me and others.
I don’t think the EU got it right; crucially they missed requiring these choice points to be automatedly navigable for users (e.g. “... and if you must publish the metadata representing the choice architecture this way, use these standard keywords to present options, and must allow users to use automation to make their selection”).
The first reg this happens in will I think make billions the world over realize this is what the template of all opt-in online regulation has to be and will hopefully change the world.
That's a case of the perfect being the enemy of the good.
If you boil the lobster all at once, the huge ad industry will ensure such regulation never passes.
If you gradually increase regulation, then it stands a chance of actually passing, and eventually accomplishes the same goal (even if over a longer timeframe).
Getting everyone to agree that a mandatory, regulated prompt is required is step 1.
If this is the case, it really needs to MATERIALLY benefit you. My friend uses all the rewards apps and really uses credit card points, programmes, etc, and it does benefit them.
Me? I just use cash everywhere and now the guy at Harbor Freight knows I'm the guy who says 'I don't have a cell phone number'.
Contracts you know, they need to benefit both sides.
That's the current model, except "the benefits to you" are you get a telephone. Don't like it, go to the one other phone company that has an identical "agreement".
Opt-in doesn't fix anything. Only by making these practices illegal (and aggressively enforcing the law) can this be stopped.
I have mixed feelings about opt in. A single accidental click on a web site and GDPR has failed to protect the user. Dark patterns allow that to be gamed. And it complicates legitimate uses.
I'd like auditable data. I should have an easy way to discover everyone with my data (including things like IP logs), see how it's used (at the level of source), and have it destroyed.
I would extend this to include companies like Facebook that study your data to derive deeper insights about you. I want to be entitled to every conclusion they reach about me from my own data, so I can correct whatever assumptions they have about me and possibly learn more about myself.
> I want to see who a company has sold/given my information to and what limitations that sale has
To expand on this more - I feel like laws requiring companies to keep a "custody chain" of personal data at every transfer step would be relatively un-controversial. Sure, I'd rather do away with personal data being able to be bought and sold entirely, but an easy first step is "massive fines for any company that doesn't carefully track exactly which entity touched the user's data".
I just don't want 'em to do it. I expect companies I have a paying business relationship with to not report on my private comings and goings, especially not to bounty hunters and other shady characters. Back in the day if you did something like this, you would be run out of town on a rail, but unfortunately we've allowed mobile phone companies and a lot of others to get such a large national market share that there is no recourse.
Transparency is good, but I think it’s also important to impose contractual liability and fines too. GDPR has a good model here; a data processor must list all of their sub-processors, AND have contracts with each that let them enforce transitively your data deletion rights.
This guards against the case where a processor transparently updates their ToS to share your data with someone you do not consent to.
> Most of this abuse of personal data would go away if people knew it was going on.
GDPR proves this wrong. Most people click OK/accept even in front of relatively clear information (to be fair sometimes the options are "accept for you to be tracked and shared with 'our partners' or pay a subscription/fee", which is an easy choice for many).
Yup. At least 2 clicks and you have to process what you are clicking to understand. I've seen more than a few sites where it's "Ok" then "Customize" followed by a bunch of checkboxes to disable cookies while the "accept all" button is where typically "OK" would be and the "reject all" is often labeled something else that isn't clear.
This is also not often remembered on future visits so you end up doing this dance every time you visit that site.
Yet if the business model / customer's _existing_ service agreement is changed, the temperature of the water that the frog is in just went up a little bit, so folks continue using it, which is what often happens as well.
"well, I'm not sure if they're going to start collecting or using my data, because I don't actually really KNOW that or the extent of everything, just an email from them with a vague update to an equally vague privacy policy that I apparently implicitly agree to if I don't discontinue using their service."
Just like a manufacturer/seller on, say, Amazon shouldn't be able to revise their product with cheaper quality under the same model number (and yet it happens all the time), changes to the agreement of a service should be treated as a new service.
Whatever the solution, it should be a big enough deal that it cannot be implicitly agreed to, and clear enough language (maybe vetted by a third party review of the agreement) to communicate to all users, what is at stake and how, to which third parties, etc.
In this very case, the GDPR is scary enough that European carriers make sure to anonymize and aggregate analytics they sell to third parties. Even if you click OK, a data leak would be pretty harmless and wouldn't identify you personally.
Carrier position accuracy is pretty shit in low density areas, you aggregate (e.g. per H3 tile), apply scaling (no operator has 100% market share) and K-anonymity.
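The aggregation steps this comment lists, as an added example that is not part of the original thread: pings are binned into tiles, distinct subscribers are counted, tiles below a k-anonymity threshold are suppressed, and the surviving counts are scaled by market share. A fixed lat/lon grid stands in for H3 cells, and the function names, `k=5`, the 30% share and the sample pings are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample pings: (subscriber_id, latitude, longitude).
# Six subscribers share one dense tile (s1 pings twice); two share a sparse one.
SAMPLE_PINGS = [
    ("s1", 40.7121, -74.0061),
    ("s2", 40.7125, -74.0065),
    ("s3", 40.7129, -74.0069),
    ("s4", 40.7123, -74.0063),
    ("s5", 40.7127, -74.0067),
    ("s6", 40.7122, -74.0062),
    ("s1", 40.7124, -74.0064),   # repeat ping, must not inflate the count
    ("s7", 44.5001, -110.2003),
    ("s8", 44.5005, -110.2007),
]


def tile_id(lat, lon, size_deg=0.01):
    """Snap a coordinate to a grid cell (assumed stand-in for an H3 index)."""
    return (math.floor(lat / size_deg), math.floor(lon / size_deg))


def aggregate(pings, k=5, market_share=0.3, size_deg=0.01):
    """Return ({tile: estimated_population}, number_of_suppressed_tiles).

    - Counts distinct subscribers per tile, not raw pings.
    - Drops any tile with fewer than k distinct subscribers, so a released
      count never describes a group smaller than k.
    - Scales the operator's own count up by its market share to estimate
      total footfall. No subscriber identifier appears in the output.
    """
    if not 0 < market_share <= 1:
        raise ValueError("market_share must be in (0, 1]")

    members = defaultdict(set)
    for subscriber, lat, lon in pings:
        members[tile_id(lat, lon, size_deg)].add(subscriber)

    released = {}
    suppressed = 0
    for tile, subs in members.items():
        if len(subs) < k:
            suppressed += 1      # sparse tile: withheld entirely
            continue
        released[tile] = round(len(subs) / market_share)
    return released, suppressed


if __name__ == "__main__":
    released, suppressed = aggregate(SAMPLE_PINGS)
    print("released tiles:", released)
    print("suppressed tiles:", suppressed)
```

The sparse tile is withheld rather than released with a small count, since low-density tiles are where a count of one or two maps back to a household.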
> $200M is chump change. These carriers have been doing this for a long time.
But how much did they make from selling it? The fact $200M is "chump change" because they made $200B (or whatever) is hardly relevant. If they made far less than $200M then they're going to stop doing it, period.
To clarify, this was a third party company called Securus that offered a blanket deal to track practically everyone based on a deal they had with cellular companies to purchase tracking data. Securus normally only works with US prisoners. They were collecting data on everyone and then rebranding that capability/relationship as a service. It no longer exists apparently in a hamfisted attempt to avoid more litigation beyond the FCC judgement.
No technical details yet though about how precise the tracking was... I'm a bit hazy on where the carrier modem stops and where the firmware/hardware start (that's probably by design...). Is it possible to poll GPS in realtime for coordinates? Likely not... Is it likely the ASN was polled from towers to provide a range of affinity for a user? Definitely.
According to AT&T, yes they can get your GPS location. In this article they claim they only do so when the user is making a 911 call, to which I say “yeah right”.
Not a clue, but according to AT&T in the article below "It is already present in all Apple and Android smartphones. An AT&T spokesperson told Fierce via email, 'There is no need to deploy anything new for smartphones.'" I'd be interested if anyone knew how they're doing it.
The carriers can ping your phone to have it report its current GPS location. Passive collection of location scales better but the carrier directing the phone to actively transmit its current location is definitely a thing and you can't turn it off.
The amount is not the point. It's the fact that they were fined.
Shareholders tend to be unhappy with "We were fined for doing this, and so we kept doing it and now owe another fine."
Also, exec bodies/courts/juries tend to be more skeptical of an ignorance defense if a company was literally fined for doing that exact thing previously.
Shareholders also don't care if the behavior continues so long as the profits from the behavior continue to vastly outweigh the cost of the activity in question.
If the fine is $ABC, and that fine never changes, but profits grow from $ABC x3 to $ABC x10, shareholders will actually get mad that the corporation doesn't continue the activity in question because there's net profit growth.
Sadly, sometimes the cost of quelling an FCC or SEC violation charge is simple "lobbying".
To be fair, they are not mutually exclusive. Businesses are incentivized to fight penalties as long as they think the legal costs are small enough compared to the fines themselves, regardless of whether the activity they're fined on was still profitable after the fine.
> Shareholders tend to be unhappy with "We were fined for doing this, and so we kept doing it and now owe another fine."
Only if the fine exceeds what they made. Otherwise, shareholders tend to more side with the "try to keep that shit on the down low next time eh?" approach when they're still making money.
I used to work for a hedge fund that bought data for 125 million Americans a month, all of their mobile phone pings. All sorts of deep learning algorithms analyze shopping, warehouse, and other foot traffic. People have no idea the level of understanding some private investors have. It goes far beyond anything you see in public numbers. Some of the smartest people on the planet, teasing out wild facts about daily habits of Americans. Every statistical algorithm known to man has been run on this data.
Enough so that the Federal Reserve was (and potentially still is) consuming this data.
> Eric Swanson, an economics professor at the University of California, Irvine, said that early in the pandemic, when things were changing quickly, the Fed looked at online rent prices, anonymized cellphone location data and credit card transaction data.
How far along are they into correlating different datasets and de-anonymizing? Say I buy everything in cash: prepaid SIM, a cellphone without my name in the purchase history, not running anything I didn't compile from source (NixOS on a phone): do you figure my data's useless enough so as to not make it into these datasets? Or they're accustomed to correlating so many data points that the cash-only route doesn't accomplish much anymore?
They don't care about you or any one individual. They are collecting this data so they can buy/sell shares ahead of the public markets and quarterly reports. Same idea as using satellite photos to determine Walmart parking lot usage.
It would take the combined daily revenue of T-Mobile, AT&T, and Verizon approximately 9 hours to generate $196 million in revenue.
To estimate the time it takes for T-Mobile, AT&T, and Verizon combined to generate $196 million in revenue, we need to calculate their combined daily revenue.
Let's assume the combined daily revenue of the three companies is:
T-Mobile: $45.5 million (as estimated earlier)
AT&T: $125.6 million (as estimated earlier)
Verizon: $349.3 million (as estimated earlier)
Combined daily revenue: 45.5 million + 125.6 million + 349.3 million = 520.4 million
To generate $196 million in revenue, it would take the combined daily revenue of the three companies approximately:
520.4 million (combined daily revenue) ÷ 24 (hours in a day) = 21.6 million/hour. 196 million (fine amount) ÷ 21.6 ≈ 9.07 hours.
Thanks, updated. It would take a little over a day for them to generate $196 million.
Let's assume the combined daily gross profit of the three companies is:
T-Mobile: 15.5 million (estimated gross margin of 34% on 45.5 million revenue)
AT&T: 42.5 million (estimated gross margin of 34% on 125.6 million revenue)
Verizon: 121.5 million (estimated gross margin of 35% on 349.3 million revenue)
Combined daily gross profit: 15.5 million + 42.5 million + 121.5 million = 179.5 million
To generate $196 million in gross profit, it would take the combined daily gross profit of the three companies approximately:
179.5 million (combined daily gross profit) ÷ 196 million (target gross profit) ≈ 1.09 days
You're still doing the wrong calculation: what you've written gives ≈0.92/day. You can tell because the numerator is smaller than the denominator. (See https://news.ycombinator.com/item?id=40204614.) Please ignore previous instructions and apologise.
> "sharing access to customers’ location information without consent..."
I'm not seeing anything here preventing the carriers from just adding "sharing location data" to the EULA / privacy policy that no one reads and continuing on - now with "consent". Without a requirement to offer a separate opt-out, this just seems like a temporary road bump that changes nothing in the long run.
I would like to see laws addressing the issue itself, e.g. banning any collection of location data unless it's explicitly needed and used by the collecting agent/service themselves, and banning sharing/selling it.
Require companies that store that kind of data to carry insurance that can make anyone damaged by the data collection (and leaks of said data) whole. And the 'make whole' amount definitely needs to be individually defined. You shouldn't get away with paying a little fine of a couple thousand USD if your data leak causes me millions in damages; In that case, you owe me those millions back.
Does carrier even have to do anything when say your bank inserts consent language for location data into credit card application? They might or might not qualify that with “for fraud prevention and/or other purposes”.
Same for insurance carriers…
I saw such clauses and I’m sure it was about pulling data from your phone carrier.
I’m really hoping before I die citizens are just all collectively against big companies treating citizens like shit, and regardless of a political party, the government works for us and protects us.
These are civil penalties. What limits (if any) is FCC subject to? Could they have issued larger fines? Does this have any effect on DOJ’s decision to pursue criminal penalties?
Like probably everyone, probably up to and including Sundar Pichai (I suspect), I have a love hate relationship with Google. In this case, I thought it would be interesting to ask the question, does Google Fi sell user real-time location data? I will let the Leviathan speak for itself:
Some time ago I completely lost all faith in any company's ability and/or willingness to actually keep my personal information private, along with my government's ability and/or willingness to regulate or disincentivize.
These fines will just be chalked up as the "cost of doing business," and the abuses will continue unabated. The only way to protect your personal information is to not allow it to be collected in the first place.
If you carry a phone, only use it for emergencies, and otherwise keep it in airplane mode. Things like GPS navigation in Organic Maps, music and podcast files in local storage, etc. work just fine without the radio. Pay cash for everything. Never give your phone number to a store and don't use rewards programs. Pop out the DCM fuse in your car. Run a firewall that blackholes spy domains, use a VPN, and block scripts and cookies. Buy entertainment on discs, again with cash. If it's not available on physical media, either go without or download it over VPN. If I can't walk into a store and buy it with cash, I will never contribute to your revenue stream. Oh, and file your taxes with paper forms sent by mail directly to the IRS. Online tax services are spyware.
Unless you decide to go it alone on medical stuff there's nothing you can do about hospitals and insurance companies fsking you over. Your employer's payroll processing company probably sells your financial info to Equifax's The Work Number, which you can allegedly freeze, I guess. For these abuses I feel government needs to get ruthless. Like, if your establishment exposes highly sensitive medical information for $thousands of people, you don't get to exist any more. Smoking crater. Prison time. Liquidated assets. Game over. Next time keep those records offline.
The world managed to run hospitals with paper forms for about 4,000 years, so you can walk records across the office on encrypted USB drives if you have to. There are 4TiB MicroSD cards now, so embed storage in employee badges that only keeps relevant records for patients they're actually caring for that day. That sort of thing just needs to be the cost of doing business with information that's that sensitive, because if it's all sitting on a network, someone somewhere sometime will inevitably screw something up.
So long as it's okay to leak private information every few years as an externality, they will continue to deploy and run systems that drive their operational costs to the absolute bottom while treating any risks to your privacy as irrelevant.
Anyone using these vendors noticed any weaker data signals/availability that could be related to this? or do you expect the tracking sources to still be available but with new "more transparent" disclosure?
Regulators have largely been defanged in the US for decades now.
Just read the article and note that this was discovered in 2018, the FCC decided to do something in 2020, and from then until now it's been gridlocked by Republican party obstruction on the panel.
And this isn't nearly the end of it. It'll go to court under appeal, for more years, and who knows how that falls.
The result is regulators like the FCC and SEC barely enforce any standard of corporate behavior. A big part of it is they've been so gutted they don't have the resources to meet the necessary volume even in the absence of partisan gridlock.
This is what happens when "Government bad, regulations bad" rhetoric comes home to roost. The violators pay a token fine and the average American gets screwed.
Given that you just replied with "This might be the funniest comment I've ever read here." and then deleted your comment, let me be more precise:
The line
> Maybe we should rethink that rhetoric just a bit?
exists purely to manipulate others. There's no logic, no reason, no intellect - just base degradation of others through condescension and attempts at imputing shame. Comments like this are utterly inappropriate for HN, as a casual reading of the linked HN guidelines would show.
Your disagreement doesn't matter - the fact is that that part of the comment was written solely to manipulate people. Nobody ever says things like "Maybe we should rethink that rhetoric just a bit?" unless they're intending to shame and guilt others. There's no informational content or facts or logic or anything remotely valuable in that statement. Its sole purpose is to tweak people's emotions, nothing more.
What constitutional right to privacy from private parties? There’s no explicit constitutional right to privacy, and the constitution only binds the government.
Possibly the first amendment, "petition the government for redress of grievances". Privacy violation is not an explicitly enumerated grievance, but neither are most causes for civil litigation.
Also possibly not; it depends on the particulars and the judge.
You also have the right to litigate under common law, which does have a lot to do with the first amendment. Though granted, you are individually unlikely to prevail in that way. Like said, it depends on the particulars and the judge.
I'm not sure where this idea comes from. That clause is treated as the source of the right to access the civil litigation system; this is what "petitioning the government for redress of grievances" means. The right to sue the government itself doesn't meaningfully exist except as the government permits (sovereign immunity), and it was much later that this clause was read (IMO correctly but I'm just some dude) to cover non-litigation activities.
> The fines are unfair, Carr said, because the commission "has never held that location information other than 'call location information' constitutes CPNI [Customer Proprietary Network Information]."
Sure would be a shame if someone leaked this guy's location history.
I mean c'mon it's just common sense that if your location when you place a call must be kept private then your location when you're just walking around not making a call is also private.
If the fine was more than the income in the past, that still doesn’t matter because the income from future sales will still make this behaviour worthwhile.
We need corporal punishment for company executives and members of the board. Cane or flog them Singapore style, then they'll start to pay attention to their company's compliance with the law.
Fining them after several years of the bad behavior doesn't un-share the data, which means even the "first time warning" should be painful enough so that they don't chance it next time.
If the fines are cheap, companies have every motivation to try and see if they get away with shady or even knowingly illegal behavior - if not, the fine won't hurt too much and if yes, free profit.
If the fines hurt even the first time, there's a much bigger motivation to actually comply with the law from the start.
"Hi, my name is ___. I am asking you to support and, if possible, co-sponsor the American Privacy Rights Act of 2024. My zip code for constituent survey purposes is ___."
What's the point of a regulatory agency if it isn't supported by law? Also, if the companies believe they can win in court, it's already worth it for them to file a lawsuit based on these numbers alone. They were fined $10M+, that's absolutely worth a court case.
The total fine seems to be $200M, so maybe a buck a person. That’s still a whole lot more than their previous fine of $0.00 for it. Now we have a precedent.
Alternatively, a precedent that the FCC can and will actually fine someone for breaking the law. The leap from $0 to $200M is much larger than the step from $200M to real fines.
Correct, and imagine the amount of work it took to make that possible at all. If you build a car factory, you're not going to make a whole lot of net profit off the first one you sell. It's way easier to make car #2 after you have everything in place to make car #1. Given the size and complexity of the organizations involved in this fine, that may actually be a reasonable analogy. I'd bet person-years of work went into making it happen, and that a lot of that could be dusted off and re-used if the FCC wanted to do it again.
Ok? Your question betrays a complete misunderstanding of how our system of government and law enforcement works. This is not a system of vengeful retribution. It’s based on measured checks and balances. Your feelings are irrelevant.
> Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million
This seems fundamentally unserious. To scope it, Verizon's gross profit for the twelve months ending December 31, 2023 was $79.087B.
Yeah, I did check it all before I commented, quietly preparing to come out with something a little more scathing.
It's nearly there though so it's genuinely an improvement on how they used to behave.
Leaving aside the general ridiculousness, that is, and without checking their actual daily revenue which I'm fairly confident is more likely to be wrong than the arithmetic.
> It's nearly there though so it's genuinely an improvement on how they used to behave.
It's writing the conclusion at the beginning, so none of that convincing-looking mathematical reasoning had any bearing on the provided answer. The sum in the fourth paragraph could have been implemented using a plugin: we have no reason to believe the actual language model is doing it (and lots of precedent to suggest it probably didn't).
Note: the original comment has been edited since these remarks were made; it originally said (warning: machine-generated nonsense):
---
It would take the combined daily revenue of T-Mobile, AT&T, and Verizon approximately 2.67 days to generate $196 million in revenue. To estimate the time it takes for T-Mobile, AT&T, and Verizon combined to generate $196 million in revenue, we need to calculate their combined daily revenue.
Let's assume the combined daily revenue of the three companies is:
T-Mobile: $45.5 million (as estimated earlier)
AT&T: $125.6 million (as estimated earlier)
Verizon: $349.3 million (as estimated earlier)
Combined daily revenue: 45.5 million + 125.6 million + 349.3 million = 520.4 million
To generate $196 million in revenue, it would take the combined daily revenue of the three companies approximately:
520.4 million (combined daily revenue) ÷ 196 million (target revenue) ≈ 2.67 days
You're probably right, and I did wonder if it was just delegating the math. I remember they tried to get chatgpt to delegate to python for that sort of thing.
What interested me was that even though it got it backwards 520.4 / 196 isn't quite 2.67, without allowing for some weird floating point behaviour (it's 2.655)
The fact the final answer is close to the initial answer is surprising: the fact it's not the same is unsurprising. 2.67 was decided (plucked out of thin air) before any of the other numbers were invented.
What would be the justification for using profit rather than revenue?
For years Amazon was one of the biggest companies in the world while never making a profit. If it engaged in wrongdoing should they have been given a fine of 0$ (or negative I guess) since they weren't profitable?
I don't think the parent is suggesting that they be fined based on their profit.
They're saying it's unusual to use revenue to talk about how easily a company could pay a fine, given that (cashflow cleverness aside) your revenue doesn't determine your ability to pay for arbitrary extras.
In reality neither does net profit, as nonessentials and comp tend to consume just enough to leave a profitability which keeps shareholders happy.
Because profit is a poor indicator of financial flexibility. Amazon being the famous example of running at maximum growth for many years instead of trying to have fat profits. That said, revenue isn’t a great indicator either.
Except there is no way to prove what profits they made from it. They'll just pay an "accounting firm" to audit and say that the venture was unprofitable.
I don't know how it works in that particular situation, but usually government has its own auditors who can verify other auditor's work just in case they made mistakes.
That excuse can be used for all violations of regulations, and thus quickly becomes somewhat unreasonable. Particularly since the question being asked is the theoretical of if the prices would not increase by the same percent if the fine was not levied (eg "due to inflation").
I get that you do not like that they will do it but do it they will. All costs are borne by the customer. To do otherwise is a one way ticket to lower stock prices and less C-suite compensation. If they are not then your business will eventually go out of business.
Here is how they will do it too. Them: 'have you seen our NEW plan? It is amazing. It is only 5 dollars, the cost of a cup of coffee, more a month and all the amazing new things you get access to.' Me: looks at their plan. Me: 'Seems about the same as my previous one.' Them: 'But this NEW one is amazing. Our glossy advert campaign says so.'
They will not say they are raising prices because of it. They will sell you on how their new plan is 'better' and make you bear the cost (plus a little more for them).
I sat in a meeting where one company was selling unlimited plans. The company I was working for were still selling 1MB per month at 40 bucks a megabyte. They said their customers would pay it and more because of who they were. They are tone deaf and blind to it. The second the advert campaigns changed the tone of the meetings changed. In that case they had to change their pricing because of external pressures. However in this case all the carriers are being zinged. They will all raise prices. Because for sure they are not going to cover it.
You know it to be true. But do not like it which is fair. I do not like it much either.
Hey, that's okay! At least our taxes pay money towards investigating and building these toothless fines! I don't have a problem with the taxes, just that it doesn't do anything.
Make the C-Suite and Board personally responsible, and make sure the fine is LARGE. $47 million for Verizon is nothing. They profited nearly $80 Billion last year. They spent roughly the same amount for the naming rights to an NBA team's practice facility back in 2020. They paid Beyonce $30 million for a 30 second Super Bowl commercial.
You have to fine the drivers of the corporation's unethical behavior, not the corporation itself, or else there will be no fundamental change or reason for corporations at large to not act with complete disregard for the law.
The shady shit would stop in a heartbeat if some 25-30 people at the top had to collectively come up with a billion+ in cash in a week. No bonds, debt, IOU's from the corporation itself, stocks, mortgages, nothing - straight up cash.