This is one of the reasons I didn't put Hacker Monthly up for sale when I decided to shut it down.
Our subscribers (a little over 10k) trusted us enough to provide us their contact information (and mailing address for print delivery). Turning them over to a 3rd party (even after due diligence) just didn't seem right.
It hardly even matters if the company is put up for sale.
Assume a kitten-loving company that will rather die than let your data be abused. They take VC funding, hit a bad turn, take more VC funding. Now the board is controlled by VCs. You're now trusting the VCs with your data and not the company itself.
Assume a second kitten-loving company that will rather die than let your data be abused, and is run by only two co-founders. You give them all your data. The two co-founders end up in a plane crash. Their company is transferred to... who knows really? Your data is now sold off in liquidation to.. who knows really?
> Assume a second kitten-loving company that will rather die than let your data be abused, and is run by only two co-founders. You give them all your data. The two co-founders end up in a plane crash. Their company is transferred to... who knows really? Your data is now sold off in liquidation to.. who knows really?
At least in theory, that's possible to avoid. If you accepted the data only under a specific set of terms, and ensured either that the original terms under which data was obtained are those that apply, or that specific privacy and usage terms were required to survive into any successor agreement, then in doing so you'd bind any future owner of the company by the same terms. You can't sell (or liquidate) something you don't have the rights to yourself.
Assume the only surviving beneficiary of the company is a Chinese nationalist. All of the company and servers are transferred over to him. He quickly moves all the data over to mainland China and uses it for.. who knows?
Even if you had laws, I'm not sure they would help in this case.
Besides, even if you have perfectly written self-binding contracts, there's nothing stopping the next owner from being a scumbag and finding clever or illegal ways around the deal. E.g., he could 'find' a million dollars on the pavement in the surprising position where he happened to 'lose' a hard drive with all the data. Exaggeration obviously, but if the data is in someone's possession there are a lot of things that can be done with it without overtly breaching any agreement. E.g., he could start a new company himself that 'leverages' the data to provide all previous customers with 'incredible deals and benefits'.
You're now assuming the new owners are willing to commit illegal acts, or at the very least breach a contract. (And the newly started company would be breaching the contract as well, if it was written to exclude that.) That's at least a significantly higher bar than "the highest bidder can do whatever they want with the data", which is the current state of things.
But yes, even better protection would be never collecting data you don't need in the first place.
Since the concept was established in 1983 by the constitutional court, there's probably a body of knowledge around that, just in the 'wrong' language and hence less known in the Anglo-Saxon culture.
Britain has similar laws, of a similar age. We don't have a word for it, but I think there's an attitude that companies shouldn't be given more data than needed, and a suspicion when they ask.
"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed." [2]
Which the guidance[1] explains as "So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”."
And how much data is Google allowed to store about us?
And why isn't the user allowed to specify the amount of bits that Google stores about us?
There are 7 billion people on this planet. If I allow Google to store at most 32 bits about me, then at least that data cannot uniquely identify me (roughly speaking).
The EU Data Protection Directive also pushes for that: "Member States shall provide that personal data must be (...) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes [and must be] adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed".
It's a pretty anti-science stance. Data is very rarely 'unnecessary'. The scientific method requires that you investigate and control as many variables as possible, because often things that you don't realize have far-reaching effects. Throwing that data away early is bad for your business, bad for your customers, and bad for society.
No, I don't think companies should be aggregating all data without regard for consequences of breach, but nor do I believe that cutting data is the answer. Consumers, nay, people, need to learn that 'their' data is not so special snowflake, and that aggregate data is a fantastic tool for making their lives better.
Actually, the scientific method involves coming up with a hypothesis first and then collecting data for it. What you are suggesting is called data fishing and is a major flaw in many so-called "scientific" studies...
It'll stop anyone unwilling to commit a breach of contract, which is a higher bar than "highest bidder can do whatever they like". Right now, most terms of service can be unilaterally changed by the company, which means the new owner can arbitrarily change them and then use the data however they like, without any contractual obligations binding them.
Right, and that's not going to be changing in a hurry. Stop giving people data that you don't want others to have.
If anybody who understands this issue says anything other than "Stop giving people data that you don't want others to have" then I have to question their judgement. If you do decide that something is incredibly valuable then hand over the data; but make sure you consider the data 'sold'.
The most important point here is that the company that originally collected the data isn't that relevant. If other laws don't support privacy protection, you must assume your data may end up just about anywhere & everywhere.
We do have laws that support privacy protection around here, and I still assume it may end up just about anywhere. Data is just too easy to copy around. What these laws give me is the power to tell those companies to delete it, and to get our National Commission for Data Protection to fine them if I ever get evidence that they didn't.
But I would never assume the data is actually protected.
I was talking about this with a friend of mine no earlier than yesterday. We were discussing how Facebook Messenger doesn't need an account anymore, but only your phone number. For years I tried to not give my phone number to Facebook (for various reasons, but I knew I'd someday "need" to give them my number). Well, turns out they've had my phone number associated with my name ever since they bought Whatsapp. Along with all the conversations I've had on this service probably. This article definitely points out something that should be kept in mind when uploading personal info online, although this isn't anything too new.
Well the case of phone number information is even more devilish - it is in the phonebooks of your (not so privacy-savvy) friends so you have almost no control over it.
This is the worst part about your contact details, just think about the number of times you get those spam emails when one of their accounts gets hacked, not to mention address books mobile APIs.
Now think about how they often contain your home address, birthday, spouses, photos etc...
I was about to join Whatsapp but heard rumors that FB is about to buy it, back then. I am still on FB and never gave FB my number, and never joined Whatsapp. Though FB has my number (hidden from me on), as many of my friends uploaded or synced their address book (FB app and Whatsapp). [FB is just an example]
Yes. Which is why you should never trust a company with info you wouldn't trust their competitor (or any other company for that matter), regardless of how kitten-loving and un-evil they are today.
If a company buys yours, does anyone expect them to buy everything except for the information on their customers?
That gets nasty if a company is selling only the data, but the legalese that allows companies to sell data to whomever may be buying the company shouldn't come as a surprise.
It's not about it being a surprise that this happens as long as it is allowed. It's a surprise that there are no laws in place to protect consumers.
Especially in times when most "tech savvy" people advise the use of cloud services for backups, syncing, sharing and communication, a sale of a company becomes a privacy nightmare for those who listened and tried out these services. There should be more people that spell out that it is not safe to upload your data to someone else's computer.
Would you upload a backup of your data to my computer? Of course not. Would you do it if I made an over-designed one page website and offered an iOS/Android app? There are a lot who do that every day. Once the deed is done, I shouldn't be allowed to do whatever the hell I want with your data. Selling or sharing data with third parties should be strictly opt-in, no matter the circumstances.
Imagine your Dropbox, Password manager or backups being sold to the highest bidder. A company which you previously trusted becomes greedy and sells you out. There's nothing you can do about it because "you should have read the small print 10 years ago, when you started using the service." It's not surprising that there are people who'd sell you out. What is surprising is that it is allowed.
According to studies cited in the last week on HN, yes. People underestimate the sociopathy of the corporate world. Or perhaps expect more European norms to apply.
> If a company buys yours, does anyone expect them to buy everything except for the information on their customers?
Pretty much everyone in the western world that isn't the United States expects that because it's enforced by law. Although US companies are trying to get their proxies in the US government to have that stripped away as a "trade barrier".
If I want to buy ebooks, games, music, movies etc. online, it's extremely difficult to find a company that actually respects my privacy (as opposed to just saying they respect my privacy - plenty of those). I wonder, if I bought myself one of those Visa giftcards, and just made up a fake name and address, would that be any problem? Would I be breaking any laws or anything?
If you submit personal information to any business you're putting yourself at risk.
Social media companies have a lot of data, yes, but most of it is pretty benign. The world should be far more concerned about the PII that gets transmitted around less tech-savvy smaller businesses and non-profits. Particularly for-profit education companies.
Education companies have gobs of very sensitive info like social security numbers, previous addresses, family relationships with full contact info, medical history etc and many of them are clueless when it comes to privacy and data security. Not only are they at high risk for data breaches but their lists can also get acquired and traded when the business changes hands.
The bigger issue is bankruptcy. Creditors will look to sell any assets that can be monetized, and given the nature of the proceeding, the court will have a lot of discretion in allowing them to do so, much more so than a private purchaser.
I'm guessing everyone who works at a big company and used Secret was hoping that said big company didn't acquire Secret's assets when they folded.
It does always make me think twice before committing to using a startup's product, you never know who is going to fail and sell assets to the highest bidder, or who is going to get acquired by a big company whose ideals you don't like.
The problem is that oftentimes, the data is one of a company's most valuable assets, so you can't just make it off-limits since that would erase a lot of the value. I just wish there was a better legal framework to handle these kinds of situations.
Considering so many companies' whole business model is based on personal data, this is not a surprise. Seriously, how could Uber be valued so high without every customer's personal info being sold off to the highest bidder?
Some time ago I participated in a startup accelerator.
I was part of a startup with a really fast-growing user base, but a small amount of sales. What some investors really suggested we do with our database was to sell it!
So companies can sell personal data (and they do it) not only when put up for sale, but at any time.