by winternett 1411 days ago
These problems should be addressed at the OS and device level first. Policing app makers is not enough, and there are far too many app makers involved in a revolving door of deniability at the individual application level.

Device and OS makers should transparently and clearly define what features can be accessed by apps, and allow them to easily be administered and disabled easily by device users... Period. Then penalties for abuse and misuse can be addressed for app makers with severe fines.

Any device a consumer buys should never be used to undermine them financially nor ever in terms of their personal privacy beyond basic analytics. That's a well known principle that should never be redefined.

With all of the other advancements in technology to monitor and track individuals that are out there, we should not be personally paying for devices that monitor us and report on us to private companies or anyone else for that matter.

6 comments

> Device and OS makers should ...

It sounds like you expect them to do this without intervention.

Device and OS makers are not doing this now, and have had plenty of opportunity to do so. If anything the device/OS situation is getting worse - just look at Windows requiring accounts, recommending apps and sending telemetry or ChromeOS embedding Google into your device.

So we do need an external force like the FTC to make change happen.

It's meant as a target for what the focus and outcome of the FTC's work should reflect.

We've already been through several attempts of analysis of policy for app makers, a lot of time has been wasted. Companies already have huge volumes of data on consumers even if gathering was to be shut down now.

Regulation should also address deletion of personally identifiable information that they've already gathered with a well defined policy for moving forward. This issue is far beyond the point where regulatory action should have been taken.

> Companies already have huge volumes of data on consumers even if gathering was to be shut down now.

This is a thing that I keep telling people that no one seems to realize. If by some miracle all of the surveillance stopped now, the data already collected would still be effective for some future bad actor to use 10-20 years from now. I don't think that most companies would keep the data for that long, or many for even very long after some theoretical regulation, but they would certainly sell it to someone who would, and the NSA will be interested in copies of what it doesn't have.

If, 20 years from now, in a new town with new friends and a new job, living under a new government, it becomes important that people don't know you are gay, you're out of luck.

FYI: your common sense idea conflicts directly with other HN members' comparably sensible idea that devices are the property of their owners and shouldn't have any vendor or regulatory constraints on how they're used and what runs on them. And of course the middle ground people will say that users can just have the option to unlock their devices, and contrarians will respond to say that any unlock feature becomes a vulnerability to plain-as-day social engineering and therefore defeats the purpose. etc etc

You never know which comments get attention, but you might just see your upvote count bounce all over the place today!

A rooted OS can still be on your side, and it's still the burden of the OS to structure how it protects and informs you about what the programs installed on it are doing. This still requires regulation, because the people who produce hardware don't share with the public (and with the people with the skills and interest to create non-user-hostile software) the information necessary to run that hardware, artificially restricting the market to their business partners.

The problem is that the government doesn't want you to have control over your phone either.

> because the people who produce hardware don't share with the public (and with the people with the skills and interest to create non-user-hostile software) the information necessary to run that hardware, artificially restricting the market to their business partners.

That's a claim that needs some supporting evidence.

To my knowledge the vast majority of hardware documentation is publicly available.

I'd like a copy of the following:

  - Broadcom processors/GPUs' documentation/specifications
  - John Deere's ECM/BCM datasheets/specs
  - Nvidia's firmware documentation
  - Full, unredacted documentation of 'all' opcodes in x86_64 from Intel

I assure you. Your knowledge is dead wrong.

Do you think that people aren't porting Linux to phones the second they come out because they don't have the time, skills or desire? It's because they have to reverse engineer everything.

Understandable. Allowing phones to be rooted is an essential freedom that should be protected as well, to protect the art of individual innovation and to drive constructive (positive) market competition.

I'm okay with imaginary online point fluctuations, it's a small price to pay. Thank goodness it's not a reflection of anything real like my personal savings... hah.

> Device and OS makers should transparently and clearly define what features can be accessed by apps, and allow them to easily be administered and disabled easily by device users... Period. Then penalties for abuse and misuse can be addressed for app makers with severe fines.

The problem is that the device and OS makers are also app makers, and often can circumvent the protections forced down the chain with private APIs and hidden features. Yes, app makers can do evil things, but so too can those vendors below them in the stack.

Also, trying to blame and fine will eventually eliminate open source and free solutions because it will force members of open source projects to accept liability.

Regulation can be defined to exempt certain aspects of app making. It's not just an on/off switch.

That being said, even an open source developer can potentially conduct info gathering and/or do serious damage to any consumer that installs their app, so in many cases, there would be no offense cited if there isn't malintent or negligence involved.

We're far past the point where regulation should have been in place. A serious example should be set to create a proper message about this type of activity by private companies and individuals. It is really not necessary for private companies to gather this personal info on individuals for any app. It should be in everyone's best interest to end this espionage-for-profit activity, even if it devastates the opportunistic industry that activity created.

> These problems should be addressed at the OS and device level first. Policing app makers is not enough,

I read the FTC press release and it talks about companies in general and data in general and doesn't even mention apps, devices, websites or advertisers.

Not sure why you think they are only going to be policing app makers?

> Any device a consumer buys should never be used to undermine them financially nor ever in terms of their personal privacy beyond basic analytics. That's a well known principle that should never be redefined.

What does it mean to "undermine them financially"? Offering just enough of a discount that they'll purchase a product that they probably shouldn't?

What are "basic analytics"? What other kind of analytics are they contrasted against, and what would make them no longer basic?

Narrow scope scenarios don't properly serve the discussion.

If Dunkin Donuts (a coffee shop) runs an app and gathers data about your purchases linked to your name and ID, they can any time later sell that data to life and health insurance companies, which in turn can use that data to justify charging you higher rates when you sign up to a life insurance or health care plan. That may not be happening now, but it could easily be rampant in the future in thousands of ways, and it's just a minor example of how people can be undermined financially by personal data overreach within private companies.

Social media companies have a lot more data than that if they consistently track users by location (under the false guise of targeted marketing), and there's no real public awareness nor understanding of these issues to this day.

What kinds of things do you expect to be gated behind permissions? How do you plan to educate users on how to grant these in an informed way?

It's not just about gating things behind permissions, it's also about exposing them in a reasonable way.

Looking through the list of apps that want to "Control my computer using Accessibility Features", the attack surface is just too damn high: https://imgur.com/a/1CBpSWQ

Well now... That's a whole term paper that someone would normally be paid to write...

Methods like encrypting files, creating proper storage segmentation/isolation for each individual app, ending the process of adding "bloatware" to devices, allowing for concrete disabling of cameras and microphone feature access to all apps (and also ensuring that app makers don't break app functionality when those features are disabled), eliminating in-app purchasing, ensuring that app stores clearly define app pricing and app maker credibility.

Those things are just some of the first steps that need to be taken. Educating users is not involved in those steps. The way apps are installed and operated these days is far more confusing than making changes in order to protect their privacy as a default setting.

TikTok and Facebook don't need access to cameras and phones when the apps aren't actively triggered by a user to record something... Somehow the apps require the permissions to be enabled entirely while the app is being used.

Every company should be required to comprehensively report on what data they track and be bound to responsibility to uphold that to a government watchdog with extreme punishment for misuse.

We also have to understand that when we speak about devices, we're not just talking about phones, we're increasingly talking about cars, thermostats, home security systems, TVs and many other consumer-bought devices that give companies an infinite measure of methods on which they can wiretap consumers, and then sell that data, or even later use towards more harmful purposes like corporate espionage and extortion.

Microphones and cameras were found recently to be hidden in televisions when consumers had no idea they were, as an example of how far info overreach has gone.

I'd recommend looking deeply into the integration and use of LIDAR on phones... Most people don't even know that/if it is a feature on their phone and on certain cars... It can be leveraged in many deeply invasive ways on individual device users if it is accessed by social media companies, or even worse if a data breach occurs.

First, they (the FTC) should hire proper consultants to properly present the issues involved (both cynics and optimists), and not just lean on basic understanding; there are a wide range of devices and features, combined with tons of different apps and use cases for them. Resolution is not a simple issue that can be summarized within a few posts online.