Norway Fining Meta $98,500 per Day for User Privacy Breach

twipla.com

111 points by VisitorAnalyt 2 years ago · 97 comments


jsnell 2 years ago

Discussed multiple times in the last couple of months. There seems to be nothing new in this submission, it's just somebody churning away at the content marketing mill.

https://news.ycombinator.com/item?id=37403583

https://news.ycombinator.com/item?id=37173344

https://news.ycombinator.com/item?id=37045185

https://news.ycombinator.com/item?id=36756101

https://news.ycombinator.com/item?id=37403633

VisitorAnalytOP 2 years ago

Big tech - and Meta's approach to user data security - has long felt too powerful for Europe's data protection authorities to control. Given this, Norway's success is showing other European countries the way, and this points to a significant improvement in EU citizen personal data protection in the coming years.

  • bettercallsalad 2 years ago

    > EU citizen personal data protection

    Sadly, there is no personal data protection. EU has recently agreed to allow data transfer to US [1]

    [1] https://arstechnica.com/tech-policy/2023/07/big-tech-can-tra...

    • MaKey 2 years ago

      That's now the EU's third attempt to allow data transfer to the US. Fundamentally not much has changed, so hopefully we'll see Schrems III.

      • davidpolberger 2 years ago

        Could someone provide insights into the implications of a hypothetical Schrems III for EU-based SaaS companies that host their servers in the US, particularly those containing Personally Identifiable Information (PII) like email addresses? Essentially, would Schrems III mean that we'd need to immediately move our servers to EU soil, or risk fines?

        • zelphirkalt 2 years ago

          Whether your servers are in the US or not, if you do business in the EU, EU rules apply. It might be that you will legally not be able to offer your services in the EU, if you have servers in the US, because those can be accessed by US authorities at any time, without you even learning about it. It is probably safer to have servers in the EU, if you want to do business in the EU. Servers in the EU not provided by any US hoster, since that hoster is vulnerable to being ordered in the US to transfer data from EU to the US.

  • Y_Y 2 years ago

    Worth noting that Norway is not in the EU yet, though the statement remains true.

    • Semaphor 2 years ago

      They are half-way in the EU, though ;) Most EU regulations apply IIRC.

      • vidarh 2 years ago

        In fact Norway has typically been faster to apply EU regulations as part of its EEA membership than most actual EU countries....

  • drooopy 2 years ago

    What has less value than pocket change? Because that's what this fine is to Meta or Big Tech in general. And how exactly is Norway pointing the way when other EU states such as Italy, Ireland, France etc have imposed similar fines to Alphabet and/or Meta in the past?

  • jonplackett 2 years ago

    Is it actually changing anything though, or are Meta just paying the fine and continuing their merry way?

jve 2 years ago

I want to ask here: Is there any study/experiment about whether what we say offline in proximity of our Android mobile devices leads to ads in Google?

My colleague made an experiment with his wife. Put their phones down, talk about different kinds of CRMs and DID NOT SEARCH for that stuff. Lo and behold, ads about different kinds of CRMs start popping up.

I'm skeptical to these things and initially didn't believe. Then people I ask confirm - hey, yeah, I was only talking about it, now I get those ads! He said he was talking non-English, however CRM software names are English.

Coincidence?

I would love to hear some experiment results in this direction.

  • Kollided 2 years ago

    "A widespread myth regarding online advertising is that Google and Facebook are listening to us speak and showing ads on this basis. This is not true, even if it often seems to be. There is a good explanation for this misconception. All of us have probably been part of a discussion on a specific topic—only to see online ads on the same topic immediately afterward. This is not a case of Google recording your speech and using it to target advertising. The most common reason is that people take keener note of matters that they have just discussed. If your phone is showing you ads for holidays in Maui, you probably ignore them. However, if you have just spent time with your cousin in a café, discussing places to visit in Maui during your holiday, the same ad will grab you in a different way. Another explanation is that your friend has been browsing for Internet content relevant to your discussion, even if you haven't. So, if you discussed haggis with your colleagues during your coffee break and you see a Facebook ad for delicious haggis in the afternoon, there is no conspiracy. Inspired by your discussion, your colleague has gone online for a genuine haggis recipe, from the same address space as your workstation. Sometimes, the most peculiar things have perfectly logical explanations."

    "If It's Smart, It's Vulnerable", Mikko Hyppönen

  • sneak 2 years ago

    I am so tired of these memes. The network traffic out of common social media mobile apps is fully studied and understood. You can even inspect it yourself if you like, using an access point, an http reverse proxy, a self-generated CA (manually installed on device), and some netfilter rules. AFAIK the social media apps aren't doing cert pinning, but even if they are you can find the pins in the apk and patch your own in over top.

    It would be obvious if they were exfiltrating audio data. They are not.

    • spiderfarmer 2 years ago

      While I agree with you I think it's pretty easy to do the processing on device, encrypt the relevant topics and communicate them in innocent looking calls?

      • ajsnigrutin 2 years ago

        And it's pretty simple to see when an app is doing audio recording (there's even an indicator in the corner of the screen on newer androids), what is being processed, what is encrypted and with what keys, and then decrypted, and what is being sent and received.

        It's a computer program, it's not magic, you can take it apart down to individual system calls, and with popular apps, people actually do that.

    • mu53 2 years ago

      Do you have a link to any of these studies? It sounds interesting, but I couldn't find anything with my searches

  • filleokus 2 years ago

    I think no hard evidence has ever come from theories like this. And like the sibling comment said, considering how much scrutiny major social media apps (and the Android OS) are under from security researchers - surely someone would have noticed by now.

    But. I also think this shows how spookily good the surveillance ad tech really is, and to what extent the major players (Alphabet, Meta etc) keep track of people. Non-techy people attribute it to microphones and dictation, while in reality it is just enormous amount of old school digital behaviour tracking.

    (And a dash or two of frequency illusion bias of course, people tend to ignore the "hot single moms in your area" or super general ads with less impressive targeting)

    • ajsnigrutin 2 years ago

      Plus some psychology.

      An average user with an adblock gets hundreds, maybe even thousands of ads every day, for new cars, clutch replacements, diapers, washing detergent, shadow raid vpn, local political party, mcdowells, kentucky fried pizza, sex toys, 1:9 baluns, cisco console cables... and they don't even notice most of them.

      And then something happens, your washing machine fails, you talk about it, open google, get ads for tampax, ignore them, find service, fix it and forget about everything. Then you watch stranger things, google the reviews, get an ad for yard fences, ignore that and forget about that too. Then you talk with your wife how you're out of detergent, turn on youtube and get a detergent ad... "wait, we were just talking about that? how did they know?! microphones, spying, conspiracy!".

  • InfamousRece 2 years ago

    This could be some variation of Baader-Meinhof phenomenon: https://en.m.wikipedia.org/wiki/Frequency_illusion

  • mda 2 years ago

    It doesn't. Maybe try with something more obscure. It is a phenomenon called frequency bias (it has different names)

  • kornhole 2 years ago

    I often hear different variations of this story, but I have never seen it well documented. I have not seen an online ad in over three years since I switched to Graphene OS without any adware on my devices.

yard2010 2 years ago

Facebook is a $815 Billion company. This is merely a slap on the wrist. Honest question, why not 100x? They can and will pay, and other governments can follow and end this lizard way of doing business

  • ekianjo 2 years ago

    Revenue is not the same as net income. And market cap is utterly meaningless

    • ta1243 2 years ago

      Revenue is 120b/year, or $330m a day. This is 1/3,300th of their global revenue.

      It's the equivalent of being less than one parking ticket per year - and that's for someone on an SV income.

Zetobal 2 years ago

Just make it an even 1% of revenue per day going up 1% every other day.

guidedlight 2 years ago

They should double it every month.

ed_blackburn 2 years ago

It's when these matters start moving from civil to criminal and directors fear criminal proceedings that enforcement is taken seriously by organisations that apply every decision through the lens of is the fine the cost of doing business?

charcircuit 2 years ago

This isn't a user privacy breach. Recommending posts is a core functionality of social media. People understand that the site learns your interest. It's not a privacy breach if TikTok learns you like watching piano videos. Nor is it a privacy breach if X learns you like to see posts from artists.

  • awesomeMilou 2 years ago

    The issue at hand isn't their recommender system for content, it's that they use the same recommender system for ads, which is apparently illegal in Norway.

    As I understand it, it's legal to offer recommender systems for personalized content suggestions, but you cannot do the same for personalized ads.

    • troupo 2 years ago

      > which is apparently illegal in Norway.

      In EU and areas that conform with the EU laws: EEA (which Norway is part of), Switzerland etc.

  • gremlinunderway 2 years ago

    Just because it's been imposed as a "standard" for so long before anyone objected doesn't make it a core functionality of social media. Sites don't need to learn my interest by profiling me like the Stasi.

    • s17n 2 years ago

      Just because you don’t like it doesn’t mean it’s not the core functionality. If you don’t want a personalized feed why are you using Facebook in the first place? They don’t really do anything else.

madsbuch 2 years ago

maybe this could be the next way to pad their sovereign wealth fund, when the oil is gone.

imjonse 2 years ago

When reporting fines for large companies in media, these should also be expressed as percentage of daily/yearly profits or revenues, to highlight the fact that most of the time they won't have any effect.

zgs 2 years ago

$30 million per annum wouldn't even represent a bump against their revenue. Until the fines are revenue based, it's not going to matter.

  • jstanley 2 years ago

    Of course they care about $30 million per year. That's enough to fund a good-sized full-time team just to work on this one single problem.

    You can't go idly throwing away $30 million a year, even if you're Facebook. Yes, they can get away with it once or twice, but if that is your approach to unnecessary $30 million costs, you're not going to last very long.

    • jonplackett 2 years ago

      It depends - what is the _benefit_ of not doing anything? Probably more than +30 mil, otherwise they would be doing something.

      • arnvald 2 years ago

        The benefit is that you still profit from actions that break the law.

        If it's possible to stop breaking the law in a way that the revenue drop is smaller than $30M a year, they'll possibly do it at some point. However, it's possible that the drop would be bigger, in which case the $30M/y fine is just cost of doing business.

        • joshxyz 2 years ago

          Quite amazing how legal and accounting teams do this kind of math, really.

      • baobabKoodaa 2 years ago

        If you find a $100 bill on the street, do you pick it up, or do you just assume it can't be real because surely someone else would have picked it up already if it was real?

        There's a staggering amount of inefficiencies in large corporations. Just because a corpo is doing something a certain way right now, doesn't mean it's necessarily the result of a highly optimized process or rational risk/benefit analysis.

      • mnky9800n 2 years ago

        I mean eventually the consequences could escalate if they are found to not be effective.

  • frabcus 2 years ago

    Norway is only 5 million people - if every country in the world did it the fine would be more like $30 billion per annum, which is about a quarter of Facebook's revenue.

    Still, agreed would be better if it was a more punitive fine!

    • ramraj07 2 years ago

      Meta's profit for 2022 was 23 billion. Assuming 3 billion users that’s like $8 per user per year of profit. That's actually quite insane how much value they extract out of each of us.

      • ljf 2 years ago

        I'd also guess that profitability is not spread evenly across all users, and certainly not across all countries.

        I'd guess a good chunk of us are worth £0 (or even negative) and then there is a long tail of increasingly valuable users who interact with adverts and services.

        Amazing how valuable some of the users must be!

        • ramraj07 2 years ago

          Absolutely. The fact that a single ad click for personal injury lawyers could fetch Google hundreds if not thousands of dollars is testament to this.

  • sam_goody 2 years ago

    I actually think they care about $30M, especially as this just might start a slew of copycats, or similar suits in Norway.

    It is better for them to do something big enough to hurt, but not big enough to get all of Meta's guns blazing. This will be accepted, and we can start from there with the next step (applying this same ruling to a hundred other users, or in a hundred other courts)

    A million here, a million there, and before you know it you are talking about real money - Everett Dirksen

  • pipo234 2 years ago

    Small steps. Norway population (5.5 million) is equivalent to 0.07% of the total world population. Meta's revenue would be proportional, and so would be the fine. To avoid inconveniencing foreigners, Norwegian advertisers would have to pony up $98,500 every day.

    To frame it differently: if all GDPR countries were to fine similarly it'd scale up to $3-4 billion annually and that would start to hurt a little.

  • Dah00n 2 years ago

    META is trying to fight this in the courts (with no success). At some point other countries will see that it is watertight and they'll follow Norway's line. In my opinion META can do what Norway tells them to do or end up not being in the EU, either forced out or leaving themselves. I can't see any other outcome.

  • 0xDEF 2 years ago

    No, but when multiple bigger European countries and the EU start fining them, things start to add up.

    • xxs 2 years ago

      GDPR fines can be straight global revenue (up to 4%) based, so such fines are no joke

  • jve 2 years ago

    I hear this argument every-single-time some fine against bigcorp.

    Someone should sum all those fines, maybe then it will have a dent?

    Moreover revenue is useless in this context, we should compare with profit anyways. And maybe profit against Norway particularly or any other country in question.

  • ffhhttt 2 years ago

    If you make it clear to the court that you’re just willing to treat the fine as a tax and pay it indefinitely without having any intention of altering your behavior, I’m sure they’ll start imposing other penalties after some time

gnfargbl 2 years ago

If we boldly link market cap and individual net worth, then this is like someone with a net worth of $1m being fined 12 cents per day. From Meta's point of view, what makes this more than just an additional tax?

  • jncfhnb 2 years ago

    Well we shouldn’t do that because that's a deeply naive way to think about market values, people don’t really think about wealth taxes, and you’re confusing taxes with fines.

    What you should compare it to is the net income derived from Norway.

  • MontgomeryPi2 2 years ago

    Indeed. How many centuries would Meta need to pay this fine before it starts to begin to hurt/be noticed I wonder.

  • imglorp 2 years ago

    The fine should double every day of continued violation, if you want to get their attention.

  • Denvercoder9 2 years ago

    Generally regulators increase fines like this over time if the violation is not resolved. GDPR allows a maximum fine of 4% of global turnover.

nonrandomstring 2 years ago

I am curious. How does this work?

Do big-tech companies actually pay these fines? In cash? By daily bank transfer? Direct debit?

And to whom? Margrethe, the Queen of Denmark? Or to some bank? Or are bank notes scattered to the wind in Copenhagen square so the people can stuff them into their pockets?

Or do the governments of countries whose laws are broken have a nod-and-wink tacit agreement that "fines" are just numbers for the press to print and assuage our sense of outrage. Aren't we just starting to use numbers like this as abstract tokens of justice?

I'd like to see Zuck made to personally lug an enormous pirate's chest of treasure up to the gates of Copenhagen, or face blood-eagling at dawn.

  • mikro2nd 2 years ago

    You might care to learn the difference between Norway and Denmark.

    • waihtis 2 years ago

      Tangential, but it's a hilarious stereotype of Americans how they just bunch together the whole of Northern Europe. I'm a Finn, and in 9/10 cases when an American learns this, they tell me about their travels in Sweden or Norway.

      Can't help but think the correct protocol here is to respond to them "Oh you're American? Nice, I've been to Mexico!"

      • mikro2nd 2 years ago

        Wait until you mention you're from an African country... :)

        "Oh, yeah! I've been to Africa!"

      • jncfhnb 2 years ago

        Americans tend to identify by a state or city. The proper retort here is to bundle together different states.

      • CalRobert 2 years ago

        "I live in Ireland" "Oh I LOVE the UK!"

        got that (and variations of it) more than once..

      • ahoka 2 years ago

        I think there are a lot of Americans who don’t know that New Mexico is in the US, so…

        • CalRobert 2 years ago

          In fairness if you're an American from Uruguay you wouldn't have a lot of interest in the internal political boundaries of that area like an Estadounidense would.

          (though I suppose you could be an Estadounidense from the Estados Unidos Mexicanos - it's really not the best continent for disambiguation!!)

      • xxs 2 years ago

        The OP's site address is .uk, very unlikely to be US based.

        • mikro2nd 2 years ago

          I made no such assumption; merely pointed out that the original post is about Norway, but the commenter appeared to have confused it with Denmark. Could happen to anybody, really... ;)

    • madsbuch 2 years ago

      I would not mind if they pay Norwegian fines to Denmark

    • hutzlibu 2 years ago

      That's easy, Norway has mountains and Fjords and Denmark is flat.

      • kawsper 2 years ago

        If you're talking about the Kingdom of Denmark (and not the Country of Denmark) then there is Gunnbjørn, Greenland, 3700 m. ;)

    • nonrandomstring 2 years ago

      Silly me. Of course, they don't do blood-eagle in Norway for non-payment of fines. Lucky escape for Zuck. :)

  • Etheryte 2 years ago

    What do you mean? Big tech companies pay fines much the same way regular companies pay fines. Going to court and other foreplay notwithstanding, it's generally just a bank transfer to the relevant authority. If you messed up on taxes you usually pay to the tax authority of that country, for many other matters it's often whatever the equivalent of the ministry of finance is. Of course this differs from country to country, but this is a pretty straightforward matter in general. I'm not sure where the confusion comes from?

    • nonrandomstring 2 years ago

      You say that, but with respect, "the relevant authorities" doesn't add what I'm looking for.

      > I'm not sure where the confusion comes from?

      There is no confusion, there's a lack of concrete factual knowledge. That's different.

      Who exactly takes that money? When and how? And how does that translate into a win for the victims?

  • pjc50 2 years ago

    Given that this is Norway, they probably use Vipps.

  • vages 2 years ago

    The fines are paid to the Data Protection Authority in Norway. You can read their own press here: https://www.datatilsynet.no/en/news/ The kind of tit-for-tat you’re insinuating rarely happens, if ever. I would expect the fines to enter the state’s finances the same way a fine for speeding does.

    Echoing other comments about how Norway and Denmark are separate countries.

    • nonrandomstring 2 years ago

      Thank you.

      The next question is - if we're hoping to seriously talk about the effectiveness of fines against hostile and uncooperative foreign companies, how does the Norwegian DPA use that money to further remedy the harms inflicted on the people?

      That's not a lot of money in the scheme of things, but handing it out amongst everyone doesn't seem useful.

      The obvious danger is that the DPA becomes a self-fulfilling entity, in perpetual growth of power and reach, and quite happy if Meta continue to transgress.

      Shouldn't Europe use this money to invest in its own social networking infrastructure, thus providing a double-whammy against Meta's misdeeds?

    • nonrandomstring 2 years ago

      That's a really interesting list of cases and fines. They seem really active and mostly to operate internally in De^H^H Norway.

      What to do with that money?

      Some of the listed companies clearly got fined because their software engineering is rubbish and they made genuine mistakes. Maybe use the money to pay for (and force) those companies to have their programmers trained in better privacy related SE skills?

  • rsynnott 2 years ago

    Bank transfer would be normal. In some countries a particularly awkward Naughty Company could probably do it in coins if they wanted to (depends on legal tender rules).

  • stOneskull 2 years ago

    i wonder where the money goes

    a big viking party would be cool

fbn79 2 years ago

META privacy breaches are nothing when you have apps like TEMU ---> https://grizzlyreports.com/we-believe-pdd-is-a-dying-fraudul...
