Re: [projectvrm] Facebook and GDPR

[Guy Higgins < >]

I’ve had bits and pieces of this discussion before.  “Building a community” is a hard thing because it entails developing trust and relationships.  Users of a product are someone’s “customer.”  Customers have two kinds of needs (and neither of them is trust — not at the top level):

1. Customer-identified needs
2. Identified customer needs

Henry Ford famously observed that if he had asked people what they needed for transportation, they would have told him they needed a faster horse.  He identified a customer need — the affordable automobile.  Similarly, no one needed an iPod — they already had MP3 players and they could access any number of legitimate or pirate websites to download music which, with a little bit of hacking they could play or their bright yellow MP3 player with its gray buttons (that required you to memorize arcane sequences to do anything more complicated than on/off) and it’s clever little LCD display which showed the track number and maybe time remaining on the track.  Steve Jobs identified the really cool iPod with a series of commercials that included no spoken words and was mostly just the shadow of someone grooving to their iPod.  He re-created the entire industry and the community, if any, subsequently self organized.

Customers need to know the answer to the “What’s In It For Me” (WIIFM) question.  Cambridge Analytica and Mr Zuckerberg’s outrageously ambiguous testimony have opened a window to help people get that answer.  VRM provides the capability to protect your personal data/information — that’s the answer to the WIIFM question.  I do not now, nor have I ever believed in, “If you build it, they will come.”  The Hudson automobile was built but nobody came even though it was an incredibly advanced automobile.  They built Betamax, but not enough people came because it was too expensive for the delta performance it offered.  The VRM community needs something like Steve Jobs cool iPod commercial.  Will creating that be easy — not a chance, and I certainly don’t know how to do it, but I’ll bet someone out there does.  A friend of mine once talked about knowledge mobilization — that’s the notion that someone knows the answer to almost every question or problem.  The trick is finding that person.

Just my thoughts,

Guy

From: John Philpin < "> >
Date: Thursday, April 19, 2018 at 19:57
To: ProjectVRM list < "> >, Guy Higgins < "> >
Cc: Tim Walters < "> >, Iain Henderson < "> >
Subject: Re: [projectvrm] Facebook and GDPR

RE : "those competitors should include VRM-friendly players.”

such as the indie web ?

and people like micro blog ?

…. an open blogging system that currently supports text, photos and podcasts that can be syndicated into third party spaces like twitter and facebook -   with a social layer on top - where you can build social connection, develop conversations - but never lose you content - where your data isn’t sold - because you are running it yourself

etc etc 

yeah - it exists - we are just trying to build the community. Come on over.

On Apr 19, 2018, at 9:11 AM, Guy Higgins < " class=""> > wrote:

On Tuesday, we had a serious wind storm locally and one of my neighbors had a fir tree blown over in his front yard.  While I was helping him and his wife attempt to save the tree, we fell into a discussion of monopolies and success.  I’ve held for a long time that success is a self-correcting condition.  Successful companies, like FaceBook and Amazon and Google (and US Steel and Standard Oil and AT&T), become successful, then they begin to suffer from the pathologies of large organizations.  These pathologies include, but are certainly not limited to, large, rule-bound bureaucracies, slowing growth, fiscal laxity and hubris (my personal favorite).  These pathologies create risks for the organization — risks that are extremely difficult to effectively address because addressing them would require the leadership to take actions that do not reward said leadership (short-term bloodletting for long term health).  That opens the door for competitors.  Is any of this inevitable — of course not, it’s merely the way the Second Law of Thermodynamics (paraphrased as, “Left to itself, everything goes to s#*&.”) weights the evolving ecosystem.  Look at the Dow Jones Industrial Index.  The average time that a company is on the index has been monotonically declining for a century.

I suspect that the contortions that the illustrious Mr. Zuckerberg is going through will ultimately open the door for competitors — and I think that the most effective thing government could do is to nature the economy/economies to enable those competitors — and those competitors should include VRM-friendly players.

Guy

From: Tim Walters < " class="" style="font-family: Calibri; font-size: 11pt;"> >
Date: Thursday, April 19, 2018 at 6:44 
To: Iain Henderson < " class="" style="font-family: Calibri; font-size: 11pt;"> >
Cc: ProjectVRM list < " class="" style="font-family: Calibri; font-size: 11pt;"> >
Subject: Re: [projectvrm] Facebook and GDPR

And as expected/feared. I suspect this will be worth a court battle. It's not clear to me what it means to "switch the data controller entity." If FB Ireland continues doing all of the processing, I doubt that FB can simply *designate* FB US as the controller. 

https://techcrunch.com/2018/04/18/data-experts-on-facebooks-gdpr-changes-expect-lawsuits/

<Screen Shot 2018-04-19 at 14.40.52.png>
​

On Thu, Apr 19, 2018 at 9:27 AM, Iain Henderson < " target="_blank" class=""> > wrote:

Hi Tim, on your first point i’d have thought that just boils down to which Facebook entity is the data controller for which which set of users; as you say if ‘served from Ireland’ equals Facebook IE is the data controller then yes all 1.9bn should have those rights.

If true then that won’t have been by design related to GDPR; just historical, and I don’t see how they could move users from one controller to another at this point.

Sounds like facial recognition activity was planned pre Cambridge Analytica blow up as it does not sound like a good thing to be doing in that context.

Cheers

Iain

On 18 Apr 2018, at 18:05, Tim Walters < " target="_blank" class="" style="font-family: Calibri, sans-serif; font-size: 14px;"> > wrote:

Two quick news items to promote and solicit viewpoints. 

First, I was surprised by this statement a couple of days ago. "The 89 percent of users served from Facebook Ireland—even those who don’t live in EU countries—will already benefit from the GDPR’s legal protection, regardless of public promises, and can seek redress through European regulators and courts." 

If it is true that these global users -- all except the US and Canada -- are served from Ireland, then according to Article 3(1), all 1.9 billion of them should be due full GDPR protections and rights as of 25 May. It seems to me that that, combined with the Article 5 requirements for purpose specification and limitation plus the heightened awareness around data abuse, could equal a significant revenue impact for Facebook. 

Make sense? 

Of course, if the impact is significant enough, it could motivate FB to restrict Ireland to serving EU residents and deal with the rest of the globe from elsewhere. 

Second, that highlights the question of how successful FB will be in getting users to consent to purposes that go beyond those necessary to facilitate social exchanges. And this article says that FB has started rolling out the requests. FB provided a sample of a consent request for facial recognition. (I'll try to embed it here, but it didn't work last time.) I can't see how any data protection authority is going to find this acceptable. (But then, the lead DPA for FB will be Ireland's Helen Dixon, who has until now shown no backbone in standing up to FB re Max Schrem's complaints.) 

The left screen asks for consent for facial recognition. But instead of the "affirmative action" choices being Accept/Refuse or Allow/Disable, they are "Accept and Continue" or "Manage Data Setting." 

Problem #1: The request is not "clear" and "transparent" as required by the GDPR. A request to accept or decline a given type of data collection should offer accept or decline actions. Instead, users can accept, or they can . . . ugg, yuck, "manage my data settings"? Sounds hard. I'll just accept. 

If you do select Manage Data Setting -- that is, if you want to say NO -- you're presented (I presume) with the screen on the right. This does nothing but ask AGAIN if Facebook can use facial recognition. Even I (a trained sceptic) initially thought this was a different question. The choices after this question -- allow/don't allow -- are the ones that ought to have been presented on the left screen. 

Finally, note that according to one quote in this article, FB itself evidently thinks that GDPR protections apply only in the EU, not for the 1.9 billion served from Ireland. Namely: "The company says that “people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR.”

Cheers, 

tw

<Screen Shot 2018-04-19 at 14.40.52.png>