[ryandrake]

> What the article describes sounds like what many devs would land on given the browser APIs available.

> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

To put it more extreme: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," The developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.

Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.

[haswell]

I completely agree.

Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.

Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.

I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.

But too many people fail to consider the broader implications of the requested technical implementation.

[sdeframond]

Oh yeah. Must be an anti-fraud/child abuse/money laudering/terrorism/fake news thing. All real problems with no known good solution (to my knowledge, please prove me wrong).

Edit: typos

[turtletontine]

> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects.

One reason your boss is eager to replace everyone with language models, they won’t have any “ethical backbone” :’)

[DrewADesign]

Many developers overestimate their agency without extremely high labor demand. We got a say because replacing us was painful, not because of our ethics and wisdom. Without that leverage, developers are cogs just like every other part of the machine.

[sdeframond]

No-one replaced developers when we got IDEs and CIs and such. We just produced more software faster.

Same with LLMs. This is a race. Competent people are in demand.

[jcgrillo]

You can't actually push back as an IC. Tech companies aren't structured that way. There's no employment protection of any kind, at least in the US. So the most you can do is protest and resign, or protest and be fired. Either way, it'll cost you your job. I've paid that price and it's steep. There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison, and companies need to be served meaningfully damaging fines. That's the only way anything will get done.

[philipallstar]

> There's no viable "grassroots" solution to the problem

Does something like running the duckduckgo extension not help?

[jll29]

I'm hoping the Ladybird project's new Web browser (alpha release expected in August) will solve some issues resulting from big tech controlling most browers.

[philipallstar]

Yes, that might be good. I use Firefox with the dog plugin, and Proton login aliases, and hope for the best.

[worik]

> There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison,

No, yes

Yes, giving these people short (or long, mēh) prison sentences is the only thing that will stop this.

No, the obvious grassroots response is to not use LinkedIn or Chrome. (You mean developers not consumers, I think. The developers in the trenches should obey if they need their jobs, they are not to blame. It is the evil swine getting the big money and writing the big cheque's...)

[jcgrillo]

Yes, what I meant was there's no way ICs will change any of this. Using this or that extension, or choosing not to use some service won't really change anything either. The popular appetite just isn't there. Personally I use a variety of adblockers and haven't had a linkedin or anything for many years, but I fully accept that's an extremist position and most consumers will not behave that way. The only way these companies' behavior will improve is when they are meaningfully, painfully punished for it. There's very little we as consumers or ICs can do until then. Unless of course their risk management fails and they alienate a sufficiently large number of users that it becomes "uncool" to use the product. But all we need to do is look to twitter to see just how bad it'll get before then...

[worik]

> The popular appetite just isn't there.

Cory Doctorow, if he is to believed, states 50% of web users use ad blockers. So maybe?

[jcgrillo]

That's really interesting, I had no idea it was so prevalent.

[mrguyorama]

I integrate these kinds of systems in order to prevent criminals from being able to use our ecommerce platform to utilize stolen credit cards.

That involves integrating with tracking providers to best recognize whether a purchase is being made by a bot or not, whether it matches "Normal" signals for that kind of order, and importantly, whether the credit card is being used by the normal tracking identity that uses it.

Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all. And they work very well.

Is it Ethical?

It is a huge portion of the reason why ecommerce is possible, and significantly reduces credit card fraud, and in our specific case, drastically limits the ability of a criminal to profit off of stolen credit cards.

Are people better off from my work? If you do not visit our platforms, you are not tracked by us specifically, but the providers we work with are tracking you all over the web, and definitely not just on ecommerce.

Should this be allowed?

[benregenspan]

What I'm wondering is if this requires sending the full list of extensions straight to a server (as opposed to a more privacy-protecting approach like generating some type of hash clientside)?

Based on their privacy policy, it looks like Sift (major anti-fraud vendor) collects only "number of plugins" and "plugins hash". No one can accuse them of collecting the plugins for some dual-use purpose beyond fingerprinting, but LinkedIn has opened themselves up to this based on the specific implementation details described.

[mrguyorama]

The SOP of this entire industry is "Include this javascript link in your tag manager of choice", and it will run whatever javascript it can to collect whatever they want to collect. You then integrate in the back end to investigate the signals they sell you. America has no GDPR or similar law, so your "privacy" never enters the picture. They do not even think about it.

This includes things like the motion of your mouse pointer, typing events including dwell times, fingerprints. If our providers are scanning the list of extensions you have installed, they aren't sharing that with us. That seems overkill IMO for what they are selling, but their business is spyware so...

On the backend, we generally get the results and some signals. We do not get the massive pack of data they have collected on you. That is the tracking company's prime asset. They sell you conclusions using that data, though most sell you vague signals and you get to make your own conclusions.

Frankly, most of these providers work extremely well.

Sometimes, one of our tracking vendors gets default blackholed by Firefox's anti-tracking policy. I don't know how they manage to "Fix" that but sometimes they do.

Again, to make that clear, I don't care what you think Firefox's incentives are, they objectively are doing things that reduce how tracked you are, and making it harder for these companies to operate and sell their services. Use Firefox.

In terms of "Is there a way to do this while preserving privacy?", it requires very strict regulation about who is allowed to collect what. Lots of data should be collected and forwarded to the payment network, who would have sole legal right to collect and use such data, and would be strictly regulated in how they can use such data, and the way payment networks handle fraud might change. That's the only way to maintain strong credit card fraud prevention in ecommerce, privacy, status quo of use for customers, and generally easy to use ecommerce. It would have the added benefit of essentially banning Google's tracking. It would ban "Fraud prevention as a service" though, except as sold by payment networks.

Is this good? I don't know.

[fc417fc802]

Mandating that tracking for anti-fraud be vertically integrated with the payment network seems unnecessary. Surely the law could instead mandate the acceptable uses of such data? The issue at present appears to be the lack of regulation, not scofflaws.

I'm not convinced tracking is the only or even a very good way to go about this though. Mandating chip use would largely solve the issue as it currently stands (at least AFAIK). The card provider doing 2FA on their end prior to payment approval seems like it works just as well in practice.

At this point my expectation is that I have to do 2FA when first adding a new card to a platform. I'm not clear why they should need to track me at that point.

[ribosometronome]

No, credit card companies should be made to develop robust solutions to protect themselves from cards being able to be stolen. It's not like secure authentication isn't a relatively solved problem. They've obviously managed to foist the problem on you and make you come up with shitty solutions. But that's bad.

[michaelt]

> Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all.

That data sounds like it would be very valuable.

But I think if I sell widgets and a prospective customer browsers my site, telling my competitors (via a data broker) that customer is in the market for widgets is not a smart move.

How do such tracking networks get the cooperation of retailers, when it’s against the retailers interests to have their customers tracked?

[mrguyorama]

That data is very valuable. It's their entire business.

The tracking network is NOT our competitor, nor is it a competitor to any of our competitors. It is a third party outside of our market. We buy fraud signals from them, not the data.

We do not get to learn anything about any other ecommerce from them. They collect info from all ecommerce that buys from them, and any partnerships they have, and they sell us derived signals that we can use to deny transactions that are most likely fraudulent.

That's why they get the cooperation of retailers. They save retailers lots of money, they enable ecommerce to exist basically at all, there's no downside but their price, and they charge big bucks.

There's very little actual "Data brokering" going on. Almost all tracking is done as a company collecting data as an asset, and selling derivations of that data. Why would a tracking company sell the data itself? That's their core IP.

What's funny is that all the retailers could replace that expensive contract with a very very cheap alliance of all interested retailers where you pay some portion of a collective AWS bill and submit your signals and everyone benefits collectively, but US business loves to buy services rather than solve problems efficiently.

Some people point at your raw data not being openly available for some sort of "It's not that bad" conclusion which is absurd. You can't buy the raw data but a third party will happily sell whatever "Against the current regime bit" the right buyer wants. Think of a way the raw data can be used against you and then add to that situation a layer of indirection that gives everyone involved plausible deniability.

[iamacyborg]

I suspect a lot of retailers simply aren’t aware that that data is being collected and sold off to their competitors (or to ad networks so their competitors can poach their audience)

[kevin_thibedeau]

They get demographic data on their customers and can use that for marketing and setting prices.

[orochimaaru]

One works for money. And money is important. Ethics isn’t going pay mortgage, send kids to university and all that other stuff. I’m not going to do things that are obviously illegal. But if I get a requirement that needs to be met and then the company legal team is responsible for the outcome.

In short, you are not going to solve this problem blaming developer ethics. You need regulation. To get the right regulation we need to get rid of PACs and lobbying.

[IG_Semmelweiss]

You are transfering moral agency from yourself, to the government.

Will you do the same for your kids ? WOuld you let the government decide for you whats right, and what's wrong ?

[ryandrake]

Regulation does not necessarily need to be about deciding what's right and what's wrong. It's about making life better for people. That's supposed to be why we have government. If they are not improving people's lives, why do we even have them? Too many people see the government doing nothing to improve their lives and think there's totally nothing wrong with that.

[IG_Semmelweiss]

I fail to see how some of the octogenarians in DC, who are making a kiling for decades in trading on market moves that they initiate/regulate themselves, are making life better for your family, or mine.

[ryandrake]

Because at least half the country thinks that government can't/shouldn't help them, and reliably votes for people who can't/won't make their lives better. We get the government we vote for, and too many people think the government's job is to grief people.

[worik]

> You are transfering moral agency from yourself, to the government

That is the deal in a state based society. There are alternatives, but are you ready for Council Communism and it's ilk?

> WOuld you let the government decide for you whats right, and what's wrong ?

Yes, in a state based society

In a state based society fight for democracy and civil rights. Freedom must be defended

[jt2190]

> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.

[miohtama]

The difference is between the data you give out voluntarily and what is taken from you without consent

[jt2190]

If you voluntarily visit my website and my web server sends a response to your IP address, have I “taken” your IP address, or did you give it to me “voluntarily”? What if I log your IP address?

[account42]

Under the GDPR you do not have informed consent to use that IP address for whatever you want.