by lcnPylGDnU4H9OF 666 days ago
> Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.

FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

It's often said that the only solution to this is regulation and there seems to be a good case for that perspective.

4 comments

> FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

Wrong. The status of permissions should not be visible to the page in most cases. Instead, fake data should be returned from them. That would be practical.

It's always better to give no data (aside from leaving them with "we couldn't collect that data") than it is to give fake data because that fake data will be used against you just as often as real data would. Don't hand companies extra ammo to use against you, or think that you're safe just because they've written an incorrect assumption about you on the bullet. You're still going to be taking the hit.

This gives me the idea to add features to target specific types of advertisements and pages for clicks and visits. Actively try to use the data in your favor to convince whatever algorithm that you’re a healthy eater with an active lifestyle.

To your point, unfocused fake data can be harmful to the faker but it seems focused fake data can work against the collectors.

It really might in some ways, but it's risky. Nobody is using the data they collect on us to help us. They use it against us to help themselves. You could limit the harm caused by one system, but expose yourself to new harms by another. It's also a safe bet that faced with conflicting data, companies and their algorithms will favor whatever information they think would make them the most money. It's still worth considering though, especially if you can get privileged information on how a specific system is using people's data.

I've heard that fake data, like from AdNauseam, just becomes noise as the advertisers know the patterns to filter them out.

Assuming that's true, it seems to waste everyone's time and bits to fake it instead of just not answering or a minimal denial.

> I've heard that fake data, like from AdNauseam, just becomes noise as the advertisers know the patterns to filter them out.

It's actually much worse. That fake data is dangerous because data brokers don't really care how accurate their data is. Even the fake data AdNauseam stuffs into your dossier will be used against you eventually, just like the real data will be. If you get turned down for a job, or your health insurance rates go up, or you have to pay more for something than you would have otherwise, you won't even be told that it was because of data someone collected/sold/bought. You sure won't be told if it was fake or real data and you won't be given any opportunity to correct it.

> If you get turned down for a job, or your health insurance rates go up, or you have to pay more for something than you would have otherwise

It must suck to live in a capitalist dystopia. Dunno why Americans put up with it.

We don’t. Individualized health insurance rates like that are illegal.

We do.

> Insurers contend that they use the information to spot health issues in their clients — and flag them so they get services they need. And companies like LexisNexis say the data shouldn't be used to set prices. But as a research scientist from one company told me: "I can't say it hasn't happened." source: https://www.propublica.org/article/health-insurers-are-vacuu...

See also:

> Is it legal? As explained by William McGeveran, University of Minnesota professor of law, and Craig Konnoth, University of Colorado associate professor of law, it is — largely because federal law hasn’t kept pace with the modern, technological world in which we live. source: https://www.chicagotribune.com/2018/08/29/help-squad-health-...

Another important takeaway from that second article is that none of your "protected" HIPAA data is prevented from being sold as long as it's "anonymized" which is a total joke since it's often trivial to re-identify anonymized data. It's about as secure as requiring companies to ROT13 your data before they sell it. It will be used to identify and target you individually.

> Dunno why Americans put up with it.

Have you seen the guns that enforce it?

Where do you live, that sucks less?

Australia seems significantly better in most quality of life metrics. Many EU countries as well.

The UK doesn't seem so good any more from recent reports though. :(

It's the democracy. The big capital one.

/s

> That fake data is dangerous because data brokers don't really care how accurate their data is.

This makes me think that people could make bank by doing nothing at all but generating 100% fabricated data to sell to brokers then. Why bother even collecting it, just have some GPT clone hallucinate some gigabytes of formatted BS. xD

> API necessarily provides at least the data point of, "Did they select an option in the permission notification?"

If a bird app (or, heck, pancake recipe site) asked for WebRTC or GPU access I would be rightfully suspicious. It's a shame these things don't happen.

They do ask for location data, and it tends to mostly work - sites like openstreetmap will ask for it when you press the right button for example, which makes sense.

There is a risk that it ends up like cookie banners, and the adtech industry manages to brainwash the world into thinking that the government is the bad guy and they just want some harmless data to share with their 1,345 best friends and they are “forced” to show these. Despite there being no requirement at all to track data, and they break the law with it anyway so why bother.

This is a poorly explored avenue. I think a lot of these more advanced APIs ought to be permitted to "installed" PWAs. Maybe it could even look like the permissions menu for apps in phone OSes.

I was a bit dismayed when Mozillians in the bugtracker dismissed the idea of requiring consent to initialize WebRTC. F'k it, scan the local network.

> FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

If 99% of users will have permission disabled then it has little value, and only those who enabled it can be tracked. I don't give permissions to sites so this will not apply to me.

Also, the status of the permission (1 bit) provides less information than the API it protects (for example, list of installed fonts or GPU name) so it is a win.
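
The trade-off argued in the comment above and at the top of the thread (the permission state is itself a data point, but a smaller one than the API it gates), worked through in bits as an added example that is not part of any poster's comment. The 10,000-visitor population, the 1% grant rate, the `gpuA`..`gpuG` labels and the independence assumption are all constructed for illustration.

```javascript
// Added example. Every count below is constructed; none is a measurement.

// Information (bits) revealed by observing a value shared by fraction p of users.
function surprisalBits(p) {
  return -Math.log2(p);
}

// Shannon entropy: the average surprisal of a signal over the whole population.
function entropyBits(counts) {
  const values = Object.values(counts).filter((n) => n > 0);
  const total = values.reduce((a, b) => a + b, 0);
  return values.reduce((h, n) => h + (n / total) * surprisalBits(n / total), 0);
}

// Bits a single visitor leaks when the API sits behind a permission prompt.
// Assumption: granting is statistically independent of the protected value.
function gatedLeakBits(permission, api, granted, apiValue) {
  const permTotal = permission.granted + permission.notGranted;
  if (!granted) return surprisalBits(permission.notGranted / permTotal);
  const apiTotal = Object.values(api).reduce((a, b) => a + b, 0);
  return surprisalBits(permission.granted / permTotal) +
         surprisalBits(api[apiValue] / apiTotal);
}

// Constructed population of 10,000 visitors: 1% grant the permission.
const permission = { notGranted: 9900, granted: 100 };
// Constructed distribution of the protected value (stand-in for a GPU name).
const gpu = { gpuA: 2500, gpuB: 2500, gpuC: 1250, gpuD: 1250,
              gpuE: 1250, gpuF: 625, gpuG: 625 };

function summary() {
  return {
    permissionEntropy: entropyBits(permission),                // ~0.081 bits on average
    ungatedEntropy: entropyBits(gpu),                          // 2.625 bits on average
    denierLeak: gatedLeakBits(permission, gpu, false),         // ~0.0145 bits
    granterLeak: gatedLeakBits(permission, gpu, true, "gpuF"), // ~10.64 bits
  };
}

console.log(summary());
```

With these constructed numbers the average leak falls from 2.625 bits to about 0.08 bits once the API is gated, while a visitor in the 1% who grant is singled out by the grant itself (about 6.6 bits) before the protected value adds anything.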

One solution to this is to have the option to feed the application fake but plausible data. Android (or maybe some Android fork I was using) used to have this option for dealing with apps that insist on asking for location permission for no reason.