One thing that strikes me reading this is that the only thing that's changed is that Google won't disallow it. But I think it would make more sense if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google for not enforcing things for them.
There is a subtle but important difference here.
If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake. You'll just be shut out of your bank/advertising/electricity for doing something "wrong".
If instead the UK ICO would bring a legal case against an individual or company applying fingerprinting (and I'm no advocate of fingerprinting, but that's beside the point), then they can defend themselves in court.
> if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google for not enforcing things for them
Google isn't just a hapless bystander here, they are enabling and profiting from the practice. Big tech companies all build these billion people villages and heavily tax every person inside but when "outside law" is broken then "outside authorities" should fix it for free.
The rules could be simple: you have a problem in your village, either you enforce the laws there, or national authorities will do it and charge you (the company) for the service.
When Amazon allows any of the millions of ephemeral clone-storefronts to sell shady or illegal stuff, would you rather have the authorities spend years chasing ghosts or have Amazon change their rules to make sure such illegality and abuse aren't possible in their marketplace?
> When Amazon allows any of the millions of ephemeral clone-storefronts to sell shady or illegal stuff, would you rather have the authorities spend years chasing ghosts or have Amazon change their rules to make sure such illegality and abuse aren't possible in their marketplace?
I'm fine with a law saying Amazon is liable for fake storefronts etc. Sounds reasonable. I'd also favor requiring e.g. Uber or Airbnb to provide authorities with data to prevent tax fraud from operators in such marketplaces.
But to me, saying Google's advertising product should enforce how the individual websites work [fingerprinting] is more in the direction of "an electricity provider should enforce how people live their lives in any home supplied by such electricity…"
Google literally added all of the random APIs into Chrome that fingerprinting depends on.
If you trust Google then they are a bystander. If you don't then they orchestrated this entire situation over the last decade or so in order to cement the dominance of their advertising business.
What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting? They literally say in this guidance that they consider it against the regulations for companies to do this even though Google now allows it. Having dealt with regulators a fair bit, that’s pretty much as clear-cut a warning as you can get that they will go after people who do this. Now, will they be fast? No. Will they go after the worst offenders? Maybe, maybe not. Will they only do it if someone makes a complaint? Perhaps. But this note is literally them saying to companies “don’t think you can do this just because Google now says it’s ok”.
> What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting?
The vast majority of consent flows ("cookie banners") out there are not compliant and they do absolutely nothing about it. It's very unlikely this would be any different.
I really don't understand this comment. They're not expecting google to enforce anything, and they are talking about going after individual companies.
> If governments enforce policy by bullying HSBC/Google/E.ON to enforce policies for them, there is no legal opportunity for companies and individuals to argue for their sake
Companies are in no way stopped from fingerprinting just because of Google.
> When the new policy comes into force on 16 February 2025, organisations using Google’s advertising technology will be able to deploy fingerprinting without being in breach of Google’s own policies. Given Google’s position and scale in the online advertising ecosystem, this is significant.
But when I read this it seems like they are unhappy with Google no longer enforcing their view of fingerprinting:
> We think this change is irresponsible. [...] We are continuing to engage with Google on this U-turn in its position and the departure it represents from our expectation of a privacy-friendly internet.
Two separate issues. There needs to be regulation to stop Google from doing or allowing fingerprinting, and there also needs to be regulation to help people against one-sided decisions like that.
You don't get to be that big and make your own rules.
That's the problem with allowing a company that reach and letting it keep a dominant market position. You need to involve them in regulation enforcement. In a fair market Google could rightfully say that's none of our business.
> it would make more sense if the ICO actually just went after the companies doing fingerprinting directly, instead of being angry at Google
I think it’s quite the opposite - Google enabling illegal use of their services should make their offering unfit for market. Being a monopolist in the space, it’s Google’s responsibility to ensure users are safe when exposed to their services.
This just doesn't make sense. Google won't disallow fingerprinting on companies using ITS advertising technology. I think accountability gets exhausted pretty quickly on this just by thinking about the implications. If the UK gov (or any other) enforces a blanket ban on Google ads to prevent this problem, where exactly does the issue lie? This is not like someone selling syringes being accountable for someone putting toxins into the syringe; this is someone who already has a line into a main blood vessel saying they won't prevent someone from putting toxins in. Big, big difference: they have the privilege of access and won't prevent other people abusing it. This is on Google, pure and simple.
There are a gazillion companies outside UK legislation; if they only went after companies doing fingerprinting, only those subject to their legislation would refrain from doing it.
That argument works better against having Google be the enforcer than in favour: Google's rules are (as I understand it in this case) global, so why should the UK's rules be made to apply to, say, a Japanese-language-only app sold only in Japan?
(For all I know Japan has similar rules, the point isn't the specific country, but that this would be the UK projecting power internationally that it shouldn't be).
I suppose this is why we need to break up Google, so even the most unaware person in the world can realize that they are the biggest advertising network on the planet. THEIR PRODUCT IS ADVERTISING. TARGETED ADVERTISING. This is what they do. That is where their money is made.
I have no opinion about this particular case at hand, but decades of observing how governments, esp. in Europe, "regulate" IT by targeting a few big players, with Google always first in line despite that company having been _historically_ the most careful with users' data, have convinced me that this has little to do with protection of citizens' privacy and much more to do with forcing those all-encompassing corporations to cooperate with governments' own surveillance agendas.
Firstly, regulators go after the big players because they have finite resources and that’s the easiest way for them to have a lot of leverage, versus trying to play whack-a-mole with thousands of tiny companies who can easily shut down and change name in the event of a regulatory action.
Secondly, the idea that Google is particularly singled out flies in the face of the significant actions by European data regulators against Meta and all the other big tech companies.
Thirdly, the idea that Google is particularly careful with users' data is pretty laughable.
"The Information Commissioner's Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. ICO is an executive non-departmental public body, sponsored by the Department for Science, Innovation and Technology."
https://www.gov.uk/government/organisations/information-comm...
Enforcement action by the ICO is as rare as hen’s teeth, and when they do enforce, it’s a mild slap on the wrist for large businesses, and “put you out of business” for small businesses. Lose 2,000,000 sets of customer information because you accidentally left it public? Reprimand. Don’t do it again. 1000 spam calls? £100k fine. Go to prison.
If you have a U.K. Ltd company, you must pay them their annual fee.
Quite the gig they have. Do next to nothing, collect a tax on every business in the country.
>If you have a U.K. Ltd company, you must pay them their annual fee.
Businesses that only use data for routine purposes like staff administration, accounts and advertising are exempt. The data protection fee only applies to businesses engaged in higher-risk data processing. The fee for a non-exempt business with turnover of <£632,000 is £40 per year.
The primary purpose of ICO enforcement is to ensure compliance. The general principle is that the sanction administered should be of the lowest level necessary to ensure compliance.
In your examples, the Electoral Commission suffered a breach due to a chain of vulnerabilities exploited by a sophisticated actor. In response to the ICO investigation, the Electoral Commission implemented a major overhaul of their security procedures including a formal process to manage and monitor patching and MFA. The ICO were satisfied that the EC had come into compliance and would remain compliant, so no fine was applied.
Sounds just and deserved to me; fine spammers into nonexistence.
> Quite the gig they have. Do next to nothing
Maybe you are right that there are serious problems with them (the Electoral Commission failure should have been punished), but demolishing small-scale spammers is already a useful service. I would fund it if I were able to take the decision.
I would be happy to pay £1000 if that means the last person who spammed me goes bankrupt and to prison (for, say, 50 days).
> a mild slap on the wrist for large businesses, and “put you out of business” for small businesses
The first one should be fixed if it is a problem, so large spammers are also fined into nonexistence.
And yes, I support putting their CEO into prison for 50 days if any part of their company does spam.
I was absolutely fuming when I got my letter from them demanding I pay them money. I knew I was closing my company down in the coming years and ignored them in the end. It's crazy this is allowed, to be honest.
Personally I do wish they would intervene more, but if you consider how broad GDPR/DPA18 is, I honestly don't think they can enforce it in the way a normal person would expect. Either it's a legislative issue (i.e., legislate better) or we accept these attempts at "balance". It's usually not the institution's weakness; it's the legislation or the framework in which they exist.
Consider one example: you "process" (collecting, using, storing, viewing, literally anything) personal data in an electronic system without the latest security patch. Are you breaking GDPR/DPA18? Easily done, especially for sensitive data. "...taking into account the state of the art, the costs of implementation, ... the risk of varying likelihood and severity for the rights ... of natural persons ... the processor shall implement appropriate technical ... measures to ensure a level of security appropriate to the risk" (DPA18 Art 32).
I imagine a large number of companies flout the above without realising. Especially when processing any information regarding health, criminal offense data, race, religion, philosophical beliefs etc, which is "special category data" and requires strong protections.
I don’t have a problem with the fines for the spam texters, if anything it should be higher, but not punishing the electoral commission for that is utterly insane.
I absolutely agree that the enforcement is significantly lacking and this "regulator" is useless, but I'm wondering why you are angry that someone got a fine for SMS spam? Some enforcement is still better than no enforcement at all as long as the underlying basis is just, and there should be zero sympathy for spammers out there.
And so the dance takes on a new rhythm. These well-meaning advertising execs, working diligently to support their struggling stakeholders, now have a new string to their bow. And the rest of us, the targets of their magnanimous demand-creation algorithms, will have 'new and improved' ways to learn about and connect with our favourite brands, outrageous headlines and memetic schemes.
And then there are the sneakier ones; those who dwell in digital shadow, hiding from the luminous glare of corporate glory. What will these funny fellows do, when the fingerprinters tap on their windows and ask for their papers? What of their intent, and the glasses they wear to shield their eyes from the money-grubbing rays?
This came up on Reddit a few years ago and maybe here. There was a case that effectively determined that CDNs were not GDPR compliant.
And then everyone ignored this outcome because of the implications. Ofc there is the "legitimate interests" line. Vague enough for a judge to apply as they see fit, but one judge messed up at least one time.
Cloudflare captcha? Does such a thing exist? They have Turnstile, which I never had problems with on my computers (only Firefox installed). I did have problems on a niche phone running an outdated mobile Firefox, but I believe they might have been solved.
Edit: Yes, seems to work now. After I complained on HN earlier their CTO asked me to send a trace. I did so and a couple of months later the problem was gone. Whether that was causal or incidental I have no idea.
Quick note: the article header should say “ICO” and not ISO.
I didn’t know about this change in policy from Google but, in summary, it doesn’t change the legal positioning on fingerprinting as something that can fall under PII collection under UK data protection legislation. I do worry that the change from Google will make practical enforcement more difficult, however.
There was a historical moment (2012ish, you can search HN and find it) where they changed the motto. They changed it from "don't do evil" to "googlers shouldn't do evil" changing the emphasis away from the organisation to the employee.
They moved a core principle to an employee guideline!
I had to do a separate search for what "ICO" means/is because it's not within 4 clicks of landing on the site. "Information Commissioner's Office", in case anyone is wondering.
Not enough staff in the ICO to bring these cases. All the capable people earn much more in the private sector (banking/finance) in London.
The ICO is all bark and no bite.
This seems like a very reasonable statement, no?
Having Google forbid it makes a lot of sense
What business do you think Google is in?!
The majority of online advertisers are small-medium ecommerce brands.
There is no chance ICO would go that route.
Electoral Commission: 40,000,000 U.K. voter records leaked. No fine. https://ico.org.uk/action-weve-taken/enforcement/the-elector...
Random company, 60,000 spam SMS, £120k fine. https://ico.org.uk/action-weve-taken/enforcement/quick-tax-c...
Make it make sense.
https://ico.org.uk/for-organisations/data-protection-fee/dat...
DPA18 Article 32 "Security of processing" - https://www.legislation.gov.uk/eur/2016/679/article/32
That would be a first. The most useless regulator on earth.
It does say it right at the top of the “About the ICO” page on mobile though.
- at the bottom of the logo
- when you click "About the ICO" (breadcrumb or footer link)