The bill they are talking about[1] was completely worthless and deserved to be vetoed. All it did was require browsers and mobile OSes to have a "setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system".
It didn't refer to any standard about how this signal should be sent so different browsers could send completely different information.
It didn't put any requirements on businesses who receive this signal. They are free to completely ignore it just like Do-Not-Track, and most will.
Even if a company wanted to comply out of good will it doesn't define even vaguely what people are opting out of by toggling this setting which would lead to confusion as different sites would implement different things, and different browsers and OSes would describe it differently.
Which begs the question, why are we constantly trying to off load personal security to others? Where is your personal responsibility to secure your own information? If you want better privacy, why not just not use Google or Apple? There are several phones and mobile OS's which are hyper focused on privacy. They all come with compromises, but even decent OpSec is hard.
We've become such a lazy society, its depressing.
Thanks for pointing out how worthless this bill was.
For the same reason it's not my job to make sure my food doesn't have arsenic or lead in it, or for that matter to avoid buying from corporations that propagate bird flu.
In many ways, privacy violations fit the public health model better than the user features model - my privacy can be infringed upon through no action of my own if a contact of mine fails to secure theirs. Surely I shouldn't be expected to carefully vet and interview all acquaintances, neighbors, third party partners to my grocery store, security cameras I happen to walk past, and friends of friends to make sure they follow best practices?
Right now you can't drive on public freeways without commercial entities capturing your license plate, and they can retain it as long as they want and do whatever they want with it, as long as it has the potential for profit. That's not the world I want to live in.
Terrible take. Our modern world is hopelessly complicated and we don't ask every citizen to personally defend their physical security from outside threats, nor personally manage their water and food security.
How do you even square these adjacent statements?
> even decent OpSec is hard.
> We've become such a lazy society
The plain and obvious response to our situation is that digital privacy and security should be opt-out, not opt-in. It's not as simple as adding a button that does nothing, but it actually is relatively simple for browser vendors et al to reverse their assumptions.
If you don't agree, are you knocking on doors and teaching your neighbors how to manage their security? I hope you've got a lot of patience.
Its hard to maintain because most people have to give something up in order to get the privacy they want. 99% of the users these days don't care about privacy. Privacy is a "boomer" thing.
Its not hard when you have literally generations of technological knowledge at your fingertips and still want something automated to do all of this for you, without any compromises on your own part - which inevitably leads to:
> We've become such a lazy society
THAT is a terrible take? Putting some onus on the user to get out of their lazyboy chair and do some research?
And your conclusion to OP talking about users taking some actual responsibility for their own privacy is this:
> If you don't agree, are you knocking on doors and teaching your neighbors how to manage their security? I hope you've got a lot of patience.
What was implied in my previous comment is that someone who doesn't know anything about digital privacy and security can't be called lazy for not investing in it. And lots of people know very little about it. "Society is lazy" is in fact a lazy excuse to wash one's hands of a problem and pretend they're better than other people.
> Its hard to maintain because most people have to give something up in order to get the privacy they want. 99% of the users these days don't care about privacy. Privacy is a "boomer" thing.
Its not hard when you have literally generations of technological knowledge at your fingertips and still want something automated to do all of this for you, without any compromises on your own part - which inevitably leads to:
Sorry... I have literally no idea what the point you're making here is. Is it hard or easy? Do people want meaningful privacy or do they not?
Unless by "we" you mean "the EU economic zone" then no, "we" really don't. As an American I have been exposed, for the past 15 years, to the blatant failure of any genuine attempt to protect consumer rights or privacy in the nation where both Android and iOS originated. We, the progenitors of the smartphone, have failed to impose any form of substantial regulation that would seriously enable privacy for the end-user.
It's no coincidence. Phone hardware is only worth so much, but the data it generates is priceless. The secondhand market for information enabled by the NSA and industrial contractors like Palantir provides the intelligence backbone of the global economy. The United States' negligence towards Google and Apple is a proven quid-pro-quo agreement.
I don't have to be an expert. I already have a literal super computer in my pocket:
Bing: "How do I protect my privacy online?"
Results: 11,700,000
I don't need to smart enough to build a rocket to go to Mars. I just need to type a basic query into a search engine. Not only do I get 11M results, I now have an AI assistant telling me how I can do that. The results also list ads from companies who can do that for you, written tutorials on how do that, articles on how to do that and a bunch of videos as well.
Is this the insurmountable obstacle you talk about when you say not everybody is an expert in security and privacy??
Because “personal responsibility” only goes so far. It doesn’t account for how people in a society actually interact.
If your friend doesn’t jump through all of this month’s hoops in BigCorp’s shiny new privacy policy (so lazy for not opting out yet again!) then your privacy might become collateral damage.
My personal opinion is that framing problems as personal responsibility rather than collective action is a conspiracy to stunt actual solutions. It is effective because it shifts blame from offending companies to unknowing individuals.
This bill was about Global Privacy Control (GPC) [1], which sites and mobile apps are required to respect under the California Consumer Privacy Act. The law is enforced by the Office of the California Attorney General [2]. There is a draft specification at the W3C [3].
Disclosure: I am one of the co-founders of GPC and a spec editor.
There's a difference between legal and moral, while building cloud.doshare.me we looked towards different analytics platform that respected privacy by default and behold there weren't many. Even mixpanel claimed to be privacy respecting but in reality it's only legally compliant to privacy, they don't even allow self hosting of their solution. This is overall a very big problem in the tech industry and will continue to be so, unless it's ensured by everyone of us, it's more of a people movement than governmental and UN enforceable situation.
A lot of finger pointing but it’s very light on the specifics. Newsome apparently veto’s it but it doesn’t really go into why. There’s got to be a lot more going on here.
Newsom said he vetoed it because he didn't support legislating an implementation detail -- that all OS/browser makers were required to include support for sending a Do Not Track signal. It sounds like he'd have signed a bill that just said companies were required to respect a Do Not Track signal if one was sent.
> But Newsom said he is opposed to the new bill's mandate on operating systems. "I am concerned, however, about placing a mandate on operating system (OS) developers at this time," the governor wrote. "No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill."
I've read the bill, and the Governor was right to veto it. The bill is terribly written.
The parts about browsers is quite reasonable. One way to implement the required signal would be for the browser to add a header to HTTP requests that indicates the desire to opt-out.
The problem is the requirement that operating systems do a similar thing for any communications to businesses. Here's how it is phrased in the bill:
> A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system
What does it mean by "interacts through the mobile operating system"?
Say I install some app. When the user uses that app the app opens a TCP connection to some a server of some business and the user interacts with that server through the app. All that communication between the app and server does go through the operating system, namely via the app making API calls to the operating system's network services.
Does that count as the user interacting "through the mobile operating system"?
If it does, then how is the operating system supposed to send a signal? I suppose that if the app happens to be using HTTP or some other protocol that the OS happens to recognize it could try to inject some signal into that. That likely would be very error prone, but it is theoretically possible.
But what if the app is using end-to-end encryption? Then all the OS sees is encrypted data.
Maybe that part of the bill is meant to apply to situations where the user is interacting using the programs that are part of the operating system? That would be more sensible. If that's what they mean the bill should be re-written to say that.
It's not like going into detail about such things would make the bill unwieldy. The PDF of the bill is 4 pages and 1 of those is a page for signatures of various people acknowledging they received it, 1 is the legislative counsel's digest of the bill, and one is a page for the governor to sign. That leaves 1 page for the bill itself.
Here is the entire text of that page:
>The people of the State of California do enact as follows:
> SECTION 1. Section 1798.136 is added to the Civil Code, to read:
> 1798.136. (a) (1) Unless otherwise prohibited by federal law, a business shall not develop or maintain a browser that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser.
> (2) The setting required by paragraph (1) shall be easy for a reasonable person to locate and configure.
> (b) (1) A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system.
> (2) This subdivision shall become operative six months after the adoption of regulations by the California Privacy Protection Agency that outline the requirements and technical specifications for an opt-out preference signal to be used by a mobile operating system.
> (c) The California Privacy Protection Agency may adopt regulations as necessary to implement and administer this section, including, but not limited to, ensuring that the setting described by subdivision (a) is easy for a reasonable person to locate and configure and updating the definitions of “browser” and “mobile operating system” to address changes in technology, data collection, obstacles to implementation, or privacy concerns.
> (d) As used in this section:
> (1) “Browser” means an interactive software application that is primarily used by consumers to access internet websites.
> (2) “Mobile operating system” means an operating system in use on a smartphone or tablet.
> (3) “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information or to limit the use of the consumer’s sensitive personal information.
> (e) This section shall become operative on January 1, 2026.
> SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
Regulations are needed, but also antitrust laws that are easy and quick to enforce. Right now we waste time in years of lawsuits for a slap on the wrist. These companies are a problem just due to their size - we don’t need to examine their practices to know that their big staffing and capital makes competition impossible in many areas. We need to break them up or at least impose a giant tax for anyone making 100 billion or more in revenue.
This sounds like a variation of “do not track”, a concept invented by ad networks like Google and Facebook to give the pretense of caring about privacy.
DNT was then either ignored, or directly used as a tracking vector.
Even the advertising networks that did “respect it” stopped respecting it the moment it became popular (iirc multiple networks said they would not respect it if it was not off by default, or if users were asked ahead of time rather than it being a functionally hidden setting)
DNT was introduced by Firefox, and Internet Explorer was the first browser from a major tech company that added support for it, so no, it wasn't "invented by Google and Facebook".
The only real problem with DNT is that there's no law requiring it to be respected. A solution to that problem is to pass such laws (which is exactly what this story is about!).
The bill they are talking about[1] was completely worthless and deserved to be vetoed. All it did was require browsers and mobile OSes to have a "setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system".
It didn't refer to any standard about how this signal should be sent so different browsers could send completely different information.
It didn't put any requirements on businesses who receive this signal. They are free to completely ignore it just like Do-Not-Track, and most will.
Even if a company wanted to comply out of good will it doesn't define even vaguely what people are opting out of by toggling this setting which would lead to confusion as different sites would implement different things, and different browsers and OSes would describe it differently.
It was literally mandating a dummy button.
[1] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml...
> They are free to completely ignore it just like Do-Not-Track, and most will.
That is not correct. Please see my comment here: https://news.ycombinator.com/item?id=41711728
"enforced" in one location on the entire globe.... so yes... the original statement is correct.
Thanks, what an awful article. I gave up after eight paragraphs in and it had said absolutely nothing.
Which begs the question, why are we constantly trying to off load personal security to others? Where is your personal responsibility to secure your own information? If you want better privacy, why not just not use Google or Apple? There are several phones and mobile OS's which are hyper focused on privacy. They all come with compromises, but even decent OpSec is hard.
We've become such a lazy society, its depressing.
Thanks for pointing out how worthless this bill was.
For the same reason it's not my job to make sure my food doesn't have arsenic or lead in it, or for that matter to avoid buying from corporations that propagate bird flu.
In many ways, privacy violations fit the public health model better than the user features model - my privacy can be infringed upon through no action of my own if a contact of mine fails to secure theirs. Surely I shouldn't be expected to carefully vet and interview all acquaintances, neighbors, third party partners to my grocery store, security cameras I happen to walk past, and friends of friends to make sure they follow best practices?
Right now you can't drive on public freeways without commercial entities capturing your license plate, and they can retain it as long as they want and do whatever they want with it, as long as it has the potential for profit. That's not the world I want to live in.
Terrible take. Our modern world is hopelessly complicated and we don't ask every citizen to personally defend their physical security from outside threats, nor personally manage their water and food security.
How do you even square these adjacent statements?
> even decent OpSec is hard.
> We've become such a lazy society
The plain and obvious response to our situation is that digital privacy and security should be opt-out, not opt-in. It's not as simple as adding a button that does nothing, but it actually is relatively simple for browser vendors et al to reverse their assumptions.
If you don't agree, are you knocking on doors and teaching your neighbors how to manage their security? I hope you've got a lot of patience.
I think you missed the point.
> even decent OpSec is hard.
Its hard to maintain because most people have to give something up in order to get the privacy they want. 99% of the users these days don't care about privacy. Privacy is a "boomer" thing.
Its not hard when you have literally generations of technological knowledge at your fingertips and still want something automated to do all of this for you, without any compromises on your own part - which inevitably leads to:
> We've become such a lazy society
THAT is a terrible take? Putting some onus on the user to get out of their lazyboy chair and do some research?
And your conclusion to OP talking about users taking some actual responsibility for their own privacy is this:
> If you don't agree, are you knocking on doors and teaching your neighbors how to manage their security? I hope you've got a lot of patience.
Seriously. Thanks for confirming OP's point:
> We've become such a lazy society
> Seriously. Thanks for confirming OP's point
What was implied in my previous comment is that someone who doesn't know anything about digital privacy and security can't be called lazy for not investing in it. And lots of people know very little about it. "Society is lazy" is in fact a lazy excuse to wash one's hands of a problem and pretend they're better than other people.
> Its hard to maintain because most people have to give something up in order to get the privacy they want. 99% of the users these days don't care about privacy. Privacy is a "boomer" thing.
Its not hard when you have literally generations of technological knowledge at your fingertips and still want something automated to do all of this for you, without any compromises on your own part - which inevitably leads to:
Sorry... I have literally no idea what the point you're making here is. Is it hard or easy? Do people want meaningful privacy or do they not?
Because not everyone is an expert in security and privacy and yet benefits from having some. This is why we regulate things.
> This is why we regulate things.
Unless by "we" you mean "the EU economic zone" then no, "we" really don't. As an American I have been exposed, for the past 15 years, to the blatant failure of any genuine attempt to protect consumer rights or privacy in the nation where both Android and iOS originated. We, the progenitors of the smartphone, have failed to impose any form of substantial regulation that would seriously enable privacy for the end-user.
It's no coincidence. Phone hardware is only worth so much, but the data it generates is priceless. The secondhand market for information enabled by the NSA and industrial contractors like Palantir provides the intelligence backbone of the global economy. The United States' negligence towards Google and Apple is a proven quid-pro-quo agreement.
I don't have to be an expert. I already have a literal super computer in my pocket:
Bing: "How do I protect my privacy online?" Results: 11,700,000
I don't need to smart enough to build a rocket to go to Mars. I just need to type a basic query into a search engine. Not only do I get 11M results, I now have an AI assistant telling me how I can do that. The results also list ads from companies who can do that for you, written tutorials on how do that, articles on how to do that and a bunch of videos as well.
Is this the insurmountable obstacle you talk about when you say not everybody is an expert in security and privacy??
C'mon man.
Searching up how to protect your privacy online and then clicking on a targeted ad is, well, basically my point.
Ironically enough your username is from a short story in which some hackers take down someone with supposedly very tight security.
Because “personal responsibility” only goes so far. It doesn’t account for how people in a society actually interact.
If your friend doesn’t jump through all of this month’s hoops in BigCorp’s shiny new privacy policy (so lazy for not opting out yet again!) then your privacy might become collateral damage.
My personal opinion is that framing problems as personal responsibility rather than collective action is a conspiracy to stunt actual solutions. It is effective because it shifts blame from offending companies to unknowing individuals.
This bill was about Global Privacy Control (GPC) [1], which sites and mobile apps are required to respect under the California Consumer Privacy Act. The law is enforced by the Office of the California Attorney General [2]. There is a draft specification at the W3C [3].
Disclosure: I am one of the co-founders of GPC and a spec editor.
[1] https://globalprivacycontrol.org/.
[2] https://oag.ca.gov/news/press-releases/attorney-general-bont....
[3] https://privacycg.github.io/gpc-spec/.
There's a difference between legal and moral, while building cloud.doshare.me we looked towards different analytics platform that respected privacy by default and behold there weren't many. Even mixpanel claimed to be privacy respecting but in reality it's only legally compliant to privacy, they don't even allow self hosting of their solution. This is overall a very big problem in the tech industry and will continue to be so, unless it's ensured by everyone of us, it's more of a people movement than governmental and UN enforceable situation.
A lot of finger pointing but it’s very light on the specifics. Newsome apparently veto’s it but it doesn’t really go into why. There’s got to be a lot more going on here.
Anyone know?
Newsom said he vetoed it because he didn't support legislating an implementation detail -- that all OS/browser makers were required to include support for sending a Do Not Track signal. It sounds like he'd have signed a bill that just said companies were required to respect a Do Not Track signal if one was sent.
> But Newsom said he is opposed to the new bill's mandate on operating systems. "I am concerned, however, about placing a mandate on operating system (OS) developers at this time," the governor wrote. "No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill."
See: https://archive.is/tNlCR
So this is DNT. As he said, browsers already support this. This article made it sound like they don’t? This is why I’m so confused.
https://archive.is/ptp7j
I've read the bill, and the Governor was right to veto it. The bill is terribly written.
The parts about browsers is quite reasonable. One way to implement the required signal would be for the browser to add a header to HTTP requests that indicates the desire to opt-out.
The problem is the requirement that operating systems do a similar thing for any communications to businesses. Here's how it is phrased in the bill:
> A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system
What does it mean by "interacts through the mobile operating system"?
Say I install some app. When the user uses that app the app opens a TCP connection to some a server of some business and the user interacts with that server through the app. All that communication between the app and server does go through the operating system, namely via the app making API calls to the operating system's network services.
Does that count as the user interacting "through the mobile operating system"?
If it does, then how is the operating system supposed to send a signal? I suppose that if the app happens to be using HTTP or some other protocol that the OS happens to recognize it could try to inject some signal into that. That likely would be very error prone, but it is theoretically possible.
But what if the app is using end-to-end encryption? Then all the OS sees is encrypted data.
Maybe that part of the bill is meant to apply to situations where the user is interacting using the programs that are part of the operating system? That would be more sensible. If that's what they mean the bill should be re-written to say that.
It's not like going into detail about such things would make the bill unwieldy. The PDF of the bill is 4 pages and 1 of those is a page for signatures of various people acknowledging they received it, 1 is the legislative counsel's digest of the bill, and one is a page for the governor to sign. That leaves 1 page for the bill itself.
Here is the entire text of that page:
>The people of the State of California do enact as follows:
> SECTION 1. Section 1798.136 is added to the Civil Code, to read:
> 1798.136. (a) (1) Unless otherwise prohibited by federal law, a business shall not develop or maintain a browser that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser.
> (2) The setting required by paragraph (1) shall be easy for a reasonable person to locate and configure.
> (b) (1) A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system.
> (2) This subdivision shall become operative six months after the adoption of regulations by the California Privacy Protection Agency that outline the requirements and technical specifications for an opt-out preference signal to be used by a mobile operating system.
> (c) The California Privacy Protection Agency may adopt regulations as necessary to implement and administer this section, including, but not limited to, ensuring that the setting described by subdivision (a) is easy for a reasonable person to locate and configure and updating the definitions of “browser” and “mobile operating system” to address changes in technology, data collection, obstacles to implementation, or privacy concerns.
> (d) As used in this section:
> (1) “Browser” means an interactive software application that is primarily used by consumers to access internet websites.
> (2) “Mobile operating system” means an operating system in use on a smartphone or tablet.
> (3) “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information or to limit the use of the consumer’s sensitive personal information.
> (e) This section shall become operative on January 1, 2026.
> SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
Regulations are needed, but also antitrust laws that are easy and quick to enforce. Right now we waste time in years of lawsuits for a slap on the wrist. These companies are a problem just due to their size - we don’t need to examine their practices to know that their big staffing and capital makes competition impossible in many areas. We need to break them up or at least impose a giant tax for anyone making 100 billion or more in revenue.
This sounds like a variation of “do not track”, a concept invented by ad networks like Google and Facebook to give the pretense of caring about privacy.
DNT was then either ignored, or directly used as a tracking vector.
Even the advertising networks that did “respect it” stopped respecting it the moment it became popular (iirc multiple networks said they would not respect it if it was not off by default, or if users were asked ahead of time rather than it being a functionally hidden setting)
DNT was introduced by Firefox, and Internet Explorer was the first browser from a major tech company that added support for it, so no, it wasn't "invented by Google and Facebook".
The only real problem with DNT is that there's no law requiring it to be respected. A solution to that problem is to pass such laws (which is exactly what this story is about!).
Global Privacy Control is the new DNT. Unlike DNT, it is legally enforceable, at least in California.
https://globalprivacycontrol.org
[dead]