And other entries from the same guy can be posted without any problems. FB is saying that their "security systems" detected the link "to be unsafe", but comparing source of that particular post with other posts, I don't see any significant difference (except for the text, of course). Sounds like the text itself contains information which is unsafe (for FB).
I also cannot share this on FB. Amazing. The fact that FB is censoring this content deserves its own HN exposure. It is an article about international law with nothing offensive, but FB blocks it.... this is going further than I'd have thought FB would ever do. The future doesn't look so bright for social media.
This was a mistake due to this specific blog post sharing some design elements as some spammy blogspot posts and it was fixed. If we really wanted to censor this story wouldn't we block all criticism of Facebook and not a pretty straightforward and well-reasoned analysis of Safe Harbor? Wouldn't we block the "I declare that I am a wizard and Facebook can't use my content blah blah" memes?
But someone downthread said the .co.uk version was not blocked (before you unblocked the .com). Are you implying the .co.uk version did not have the same "design elements"?
As to your proposed argument, I think selectively blocking well-reasoned analysis by law professors and letting memes go unblocked makes the most sense for your company.
Probably because this post was getting lots of links for a domain that is otherwise rarely seen on FB? You can read about the challenges of spam-fighting at scale (and people actually getting paid to write Haskell) here: http://www.wired.com/2015/09/facebooks-new-anti-spam-system-...
> Are you implying the .co.uk version did not have the same "design elements"?
Classifiers do weird things, and features you don't expect to be significant can suddenly have a much larger than intended effect. The domain name, as a feature, must've thrown it over the edge.
It's like that Google+ post where a picture of a couple of black people got tagged as "gorillas" by their auto-tagging ML system. No, Google isn't racist, their classifier just hates their PR department.
Interesting... other blog posts by the same author on the same blog were not blocked, just this one particular post. I find it not a coincidence that the post mentioned Facebook quite a bit, and thus it was blocked. I am doubtful this was due to "design elements" without more details.
Thanks for fixing this. I personally did not assume this was necessarily censorship, but don't be surprised by the reaction of users, though. I think you'll see more of these reactions for a while, after the Safe Harbor ruling.
You are surprised Facebook is censoring content on a massive scale? Wake up sheeple! Move to a decentralized, open-source platform like diaspora* if that type of thing bothers you; do away with Facebook like we dropped MySpace.
I can understand some degree of censorship like pornography, very explicit violence, etc. But this is just an article about a very public issue. FB has no problems with other divisive issues getting shared, so I'm quite surprised to see this level of blatant censorship on this particular article.
The corporation is owned by the same entities that own the mainstream media outlets; if something goes against their agenda, Facebook will outright censor it or prevent others from seeing it.
It will give the contents of the blog, but not sure how modern browsers will render it as is. However if you save to a file with an .html extension then open in browser it should look fine.
Using .co.uk extension on the blogspot URL instead of .com may also work, as another commenter has suggested.
It's quite telling that FB would block links that talk about FB in a negative way. The one true test of the long term viability of any medium is whether or not that medium is managed hands-off to the point that discussing the medium itself critically does not lead to the discussion being squelched. FB it appears does not pass that test.
It would be interesting to see what other links that discuss FB cannot be shared there and even more interesting at what level of FB the directive initiating this blockage originated.
Hmm, does it still block it if you paste in a link that 301 redirects to the target? What about a page which at submission time returns a 200 and is changed to redirect to the article later on?
In general, this is a very good thing. The main outcome will be that more engineers will be needed to do more work to ensure that data is handled more carefully. The cost will be slightly reduced profits at companies that handle large volumes of data globally. What's bad about that?
Perhaps US politicians should then consider being a Safe Harbour for data themselves. I'm sure that if the US would not have, for example, used their anti-terror apparatus to spy on foreign oil companies [0] and have some more respect for other countries [1] (most NSA criticism focuses on US citizens), things might have been different. I'm very glad the EU is standing up for itself, it should do the same when it comes to TTIP.
This isn't just an impediment to businesses that deal in selling "sensitive private data". It's an impediment to any business that has any data about its customers (e.g. delivery addresses).
Then treat personal data as radioactive. Don't store it. Don't collect it if you don't need it. If you have it, try to get rid of it, and delete it ASAP.
EDIT:
Also, "Why does this shopping website require me to re-input the shipping address every time I want to buy something? Why can't it remember it like every website used to?"
Actually it's fine if you make the user explicitly give you permission to store it for them. If they 'opt in' then it's all good, and if they don't, well, they will have to re-enter it every time they order, but they will be ok with that.
It would be interesting to put some teeth in the "no sharing" rules about collected private information.
In general one is allowed to store data for a limited time for specific purposes. A delivery address, for instance, is vital to deliver a package to.
You could probably even keep a names and addresses database so long as it was something you needed to keep in order to conduct business with the customer.
Routine data mining, asking for irrelevant info, selling it on to third parties, not so much.
Maybe it's just me, but these rules are contradictory. The sentences seem explicitly designed to make that so.
For instance, your email address and birthday, for, say, amazon.com, could easily be argued to "need to be kept in order to conduct business". After all, your email ... amazon spams it ... that's certainly part of the business they conduct (and frankly, they'd be more expensive if they didn't do that, so there's easy arguments that it'd be harder to do business if they didn't). Your birthday ... same. They spam you harder on your birthday ... also part of their business.
Laws like this won't protect anything. The simple fact is you can't have easy to use sites like google, facebook, amazon and the many millions of easy webshops and have protection of private data, it just wouldn't work as well. Since people prove time and time again that they want the webshops and "private" chats far more than they want privacy, there is no way to win this fight. Everything is decided already (and already today kids don't have anywhere near the expectation of privacy that adults have, this will get worse), there's just a few decades of denial remaining.
Take the single account (real name policy) on Facebook. We all know that's the reason Facebook comments don't work like YouTube comments do. That's why not every second post on Facebook is about Hitler. That's why it's easy to find people on Facebook. And so on. You can't drop it and expect the same functionality, and people have proven with their feet (/mouse) that they want the functionality more than they want multi-name policy.
>> that's certainly part of the business they conduct (and frankly, they'd be more expensive if they didn't do that, so there's easy arguments that it'd be harder to do business if they didn't). Your birthday ... same. They spam you harder on your birthday ... also part of their business.
Perhaps then I should have said to conduct transactions.
There is a substantive difference between holding information enough to allow people to buy stuff from you, and holding it to advertise, which usually requires extra permissions.
>> Laws like this won't protect anything.
This is too early to say. They may well protect lots of things, and they certainly can (for instance) be used as a place to start attacking ubiquitous tracking and tracing from.
>> The simple fact is you can't have easy to use sites like google, facebook, amazon and the many millions of easy webshops and have protection of private data, it just wouldn't work as well.
Then perhaps that's OK, because some things are actually more important than commerce. This stuff might have to be hard to get right.
Except that the law doesn't say "Whatever the company claims is needed for their business". There are courts and judges who decide if a particular bit of information is actually necessary.
> EDIT: Also, "Why does this shopping website require me to re-input the shipping address every time I want to buy something? Why can't it remember it like every website used to?"
The option to not have my mailing address stored is a feature not a bug to me (and I guess other people that move regularly).
EDIT: Indeed, many smaller shopping websites in the UK don't even attempt to store this sort of data -- presumably because they don't think that they can definitely comply with data protection laws.
Yes this type of data is in the EU area considered as belonging to the customer not to business. The US and the various European countries have totally incompatible legal views on data protection so it should hardly be a surprise that eventually the EU is going to say that US companies have to follow the local laws.
Nope, more useless EU bureaucracy (stupid cookie popup) just to pretend that the NSA won't get (be given) the data by EU governments. Everyone thinks the cookie law is dumb, but there it is, constantly reminding everyone of their folly.
In terms of state level spying. I understand that currently GCHQ hands everything over to the NSA. However, I can vote and lobby in my country to have proper safeguards on how our domestic spy agencies work. I can't vote or lobby in the US to add safeguards to the NSA there. Therefore I want as a first step that my data stays in the UK.
And besides this the rules for how private companies can handle my data are totally different in the UK to the US. In the UK private data comes with fairly strict obligations under the data protection acts and leaking (even accidentally or due to insufficient safeguards preventing malicious actions) can be punished robustly. As I understand it in the US the laws are rather different.
Artificially creating additional work by imposing additional requirements does not necessarily improve the situation just because it employs people to do that work, whether you personally like those requirements or not.
The parable of the broken window weighs what is seen (the payment to the glazier) with what is not seen (the missed payments to other things that could've been purchased had the window not been broken).
In the case of safe harbour, the window was already broken. Data being passed from Europe to the US was not being handled correctly, despite the promises inherent in Safe Harbor.
If protections had already been in place (i.e. if data service providers were actually adhering to the promises of safe harbour) then service providers have already fixed the window. Those that were safeguarding data correctly have no further engineering work to do (although there might be further regulatory/compliance effort to prove it depending on how individual nations implement the stopgap safeguard laws to replace Safe Harbor).
The only engineering work required to "fix the window" is work that should already have been done according to the safe harbour agreements, and threads like this prove how broken Safe Harbor was to begin with.
In contrast to the parable you are citing, the only thing broken in this case is the privacy of European citizens.
The ruling to declare "Safe" Harbor invalid is not breaking anything but is a step to fix a system that is systematically violating constitutional rights.
In the light of US companies not effectively safeguarding European data against access by US authorities, judgements are needed to rectify the situation.
This is a good thing, IMO. It's like having a shoddy builder who builds a poorly insulated house and then screams - hey, your house will be more expensive if I build it properly. But the builder has plenty of profits with which to take the hit. Consumers are already trading off their data for services (like Facebook). If the costs were so high that Facebook or Google needed to pass on real costs to consumers, there might be an issue. But the costs won't be that high. It's just a bit more work to build it right.
...which in many cases doesn't exist yet. In particular, Europe lags significantly in "on-line" services.
Obviously it would solve some problems if this were not the case. However, given that for now it is the case, the price of enforcing a total ban on exporting personal data outside Europe would be closing down vast numbers of on-line European small businesses that aren't intentionally doing anything unreasonable or customer-hostile. Clearly this isn't going to be accepted readily by anyone involved.
A more realistic result when the dust has settled might be yet another disclosure that businesses are required to make prominently when someone buys or signs up for something, in order to be deemed to have explicit consent from the data subject to export the data. This appears at first sight to be a reasonable way to handle the ruling, and in principle I think it's hard to argue with requiring a business to disclose fairly what they're really doing with personal data. Indeed, I've noticed that in recent years organisations like my insurers have started adding terms that explicitly say they're going to export personal data and foreign governments might get access to it, and that if you want to deal with them at all then you have to accept that. (I'm not sure how I feel about such conditions when having the insurance is mandatory by law, as for example with motor insurance for drivers, and based on my experience so far it looks like literally everyone offering such insurance is now imposing similar conditions.)
Then again, for on-line businesses at least, isn't that what privacy policies have evolved to deal with? Separate to this case, under the new consumer protection rules, it seems likely that such policies would now be considered to fall under the same general rules about fairness and transparency as the main terms of a consumer contract. Assuming that is true, I'm not sure there is a huge advantage in cluttering up on-line order/sign-up forms with explicit wording about routine things, while there is certainly a disadvantage in making such forms any more complicated than they need to be. The question then becomes one of reasonable expectations about what a normal customer would consider routine.
I suppose that brings us back to approximately where we came in, other than the fact that it's now a matter of public record that the US government itself was violating those reasonable expectations and opened Pandora's box. Somehow I suspect that if some sort of basic disclosure/consent on sign-up doesn't deal with this issue, it will be addressed by adjusting the relevant European-level legislation so that disclosure to allied governments in the interests of national security is a blanket exemption, and enough people won't know or care about the implications that this will pass even though privacy advocates would surely oppose it.
There is suddenly a good business case for them to exist, and hence probably more funding available now.
> it will be addressed by adjusting the relevant European-level legislation
The judgment was based on the Charter of Fundamental Rights of the European Union, which is basically the EU's Bill of Rights. Legislation isn't so flexible here.
> that disclosure to allied governments
Is the USA allied to many EU governments or the EU? It has tapped the phones right at the top of the German government.
There is one key issue that is routinely ignored. The US and other countries have two sets of data protection rules that govern police and security services. One set of rules for residents of that country (e.g. US persons) or domestic data and another much less stringent set of rules for everyone else.
So even if data protection rules were perfectly adequate in every single country on this planet, there would still be justified concern about transferring data across borders.
That's a situation that must change, and it can change without taking away the bowl of sweets from security agencies altogether (which will never happen).
> The US and other countries have two sets of data protection rules that govern police and security services. One set of rules for residents of that country (e.g. US persons) or domestic data and another much less stringent set of rules for everyone else.
This is going to be generally true of most countries. If it weren't the case, most forms of espionage would be subject to prosecution in the spy's home state.
I think there's a bit of a rush to panic about data balkanisation here; remember, this is not a ruling that applies directly to Facebook, but to the information commissioner of Ireland.
There's no new policy and no court orders to do particular things. What's likely to happen is an extensive legal limbo. We may even end up with a special Snowden version of the cookie warning: "Data stored on this system is subject to mass surveillance and may be accessed by the security services without a warrant or due process".
IANAL, but I don't think it's that unclear; the ruling essentially said the Safe Harbour is void, and so the US is now just like any other non-EU country regarding the Directive, for which there probably already exists jurisprudence.
I don't believe such a ruling will be allowed to stand for long, if it really is effectively a blanket ban that can't be overridden by reasonable consent. Enforcing something like that really would have the potential to block international trade on an economy-damaging scale.
Icebraining has it right - it's actually struck down Safe Harbour, which means that the US is considered an unsafe destination for personal data until such time as national rulings to the contrary are made, and those rulings could well be subject to challenge at the EU level themselves.
> Since the Court refers frequently to the primary law rules in the Charter, there’s no real chance to escape what it says by signing new treaties (even the planned TTIP or TiSA)
Oh good, I was worried a little about that one.
> Undoubtedly (as the CJEU accepted) national security interests are legitimate, but in the context of defining adequacy, they do not justify mass surveillance or insufficient safeguards.
Another good thing. I wasn't sure if this ruling affects spy agencies, too, or just companies.
Question: If Facebook manages data within Europe, what are the safeguards in place to ensure that there won't be mass surveillance, e.g. face recognition, shadow profiles, friend graph browsing?
That's use of the data to which you've "consented" by their EULA. "Mass surveillance" specifically refers to warrantless bulk access to that data by security agencies.
(Shadow profiles are plainly a violation of data protection law; do they exist for EU users?)