Enough of this waiting for virtuous entities to address legitimate concerns of the public.
The "ad industry" is a cancer and we need legal protection against this "industry". The solution is political not technical and definitely can not be left to "the market".
Yep.
One of the things which the FSF did right was the GPL. They didn’t tried like programmers hack against bad things which never works in long term.
The bad people will change the API, lock the bootloader, implement a problematic standard (ACPI, SecureBoot) or add more DRM.
We cannot solve political issues (law) with technical solutions (programming). If we don’t like locked iPhones, the solution is a law. If we don’t like tracking, the solution is a law. But the EU Cookie-Directive of failed? Because malicious compliance, they made a business case out of it instead of ending it (cookies for logins are fine). And if we want public APIs, local computing and open-source the solutions are laws.
> One of the things which the FSF did right was the GPL
And the GPL is dying. Every year fewer projects are maintained under the GPL standard. Violations abound anyway. The MIT License and other permissive licenses; or commercially restrictive licenses like the SSPL, are the new go-to; because the GPL didn’t think about SaaS or “Tivoization” until it was too late.
AGPL is a lawyer’s nightmare. Not just because of the restrictions - but because it’s very, very sloppily put together.
Does connecting a AGPL-licensed database to your website make your whole website AGPL? What is the line between an innocent connection, or a viral integration?
What happens if you add a proprietary protocol to the database specifically for your app? Do you need to open source it, if that database is/isn’t publicly accessible? Why wouldn’t it be considered? Your project dependencies certainly aren’t directly publicly available, yet you agree the AGPL applies there.
Some have quoted the FSF about how “internal data structures” should be the distinction. But even that is something a lawyer could seriously bend - is JSON from your database, that only your app understands, such a structure?
The license is ridiculously vague in this regard. Not that it matters anyway - almost all of the big AGPL projects offer alternative proprietary licenses to paying customers, so it’s really more of a source available license.
Let's look at this paragraph, which is the only real difference between the GPL & AGPL, because I think the English is perfectly clear and understandable:
> Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
> Does connecting a AGPL-licensed database to your website make your whole website AGPL?
The user doesn't interact with the database, so no. Since the app server is not linking to the database, it also isn't subject to the AGPL from that direction.
> What is the line between an innocent connection, or a viral integration?
Exactly the same as the GPL, since that section has not changed.
> What happens if you add a proprietary protocol to the database specifically for your app? Do you need to open source it, if that database is/isn’t publicly accessible?
If the user can access the database, you must provide them with the combined source code under the AGPL. If the user cannot access the database, you do not need to do anything.
> Why wouldn’t it be considered? Your project dependencies certainly aren’t directly publicly available, yet you agree the AGPL applies there.
You are linking against those dependencies. Therefore the whole work is under the AGPL, through the same mechanism as the GPL. Now that the entire work is under the AGPL, you must provide users who access it over the network the source code.
> Some have quoted the FSF about how “internal data structures” should be the distinction.
See this is a real source of ambiguity. But it is an ambiguity that applies to every *GPL license, not just the AGPL. But it's really not as big of a deal as you make it out to be, using the documented public network APIs obviously is not linking.
> I think the English is perfectly clear and understandable.
Because you are not a lawyer. The points I’ve made have been cited by actual lawyers. Your opinion as a technologist blinds you to the degree of legal ambiguity.
Also, the very fact that these opinions exist shows this license is not safe. There’s never a correct interpretation that will perfectly win the day eventually, only rulings. As the AGPL has never been in court before, things could quickly go sideways.
As my second link, written by an actual lawyer, puts it: “Inebriated aliens might as well have beamed it down from space as a kind of practical joke.”
If you have some background knowledge of Google's architecture, this explains exactly why the AGPL is banned there: all code is built from one monorepo where everything is linked together.
At least on my Debian I retain full control using the shim and my own enrolled keys. So seems less an issue with the technology but perhaps with how some vendors (that are already locking you in anyway) use secureboot?
>> Shim then becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used for as a trust root for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust - the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.
In theory the benefits of secureboot around attestation and hashing/measuring of boot components do not require a secure/verifiable chain of custody. You could self verify using PCRs. The boot loader signing aspects were always for control and restricting devices, IMO.
> The boot loader signing aspects were always for control and restricting devices
Not surprising, given the huge role Microsoft had in developing this.
You can't enroll your MOK without booting up, and you can't boot up if Microsoft hasn't signed your bootloader/kernel... It used to be an no-brainer and now its difficult.
only using self verifying of PCRs is not an effective protecting against most attacks. (Against which a secure boot chain is supposed to help.)
Sure it depends a bit on what you want from secure boot. But in general if you need PCRs you also need to make sure only verified code can run. If you don't, you likely don't need PCRs either, and some simple flawed secure module key storage would work as good.
In a certain way having a trust verification of the boot loader is the most important part. Everything after that depends on how the boot loader is implemented, through having PCRs is still helpful.
Through this is where secure boot failed (very hard), as long as you don't enroll your own keys you are not really getting a secure boot chain. Something which IMHO is fundamental requirement for any company laptops and similar. (Or, instead of using custom PKs, you are MS and disable all 3rd party keys and disable any BIOS option to add/enroll 3rd party keys, like they did on some older ARM devices).
I.e. IMHO a secure boot chain and protocols related to it are a must have, but the current implementation is garbage, especially for most Windows users.
If you want to know in which direction things could be done you could look a ARM Mac Books more specifically the documentation Asahi Linux created for it. Through just the direction not the exact design.
Basically for PCs (even in huge companies with MDA) you don't need global trust chains, just local per-system trust automatically setup on first boot after "reset" and making sure a "reset" is roughly like a wipe (by using full disk encryption) is all you need (and want). The devil is in the details, but it isn't really that hard to make it work.
Personally I don't get any benefits from secure boot and it is already used to verify the alleged integrity of systems. Not sure how using your own keys would work for remote attestation, it probably wouldn't. Healthy experience with the industry and the market tells me the future if such systems are widely adapted. And that would be a net negative for software freedom that is beyond the security gains, which can be reached through other means as well.
"ad industry" is a cancer and we need legal protection..."
Absolutely true, but how do you expect that to happen or come about?
Rampant advertising is similar to the copyright law problem. The majority of users may not like what's happening but their opposition and or dislike is but mild so when it comes to political action it collectively amounts to little more than nought.
On the other hand, advertisers, like copyright holders, have strong vested interests thus are highly motivated to ensure politicians act in their favor (one only has to look at the lopsidedness of lobbying interests to see that).
The real enemy is indifference, as a whole the citizenry is not motivated enough for things to change. Simply, we have ourselves to blame.
> Absolutely true, but how do you expect that to happen or come about?
In the same manner through which legal protection for various other matters have come about. By raising awareness, sharing thoughts and solutions, and organizing.
When it comes to the internet... I'd prefer it to stay like the wild west. Least amount of regulation beyond something like net neutrality. People forget that the reason we have all of these "free" services is because of ads and that's coming from someone who hates ads. Every streaming subscription I have, I pay for the ad-free service. Let the people who don't know how to install a browser extension or change a few settings pay for these things for the rest of us.
I observed a friend of mine click on a malicious ad link recently in front of me when driving a presentation for a community meeting. It was shown as an overlay for a seemingly harmless site I found. In my home with a pihole I didn't see any of the ads.
I felt terrible that I was partially responsible for her clicking it. This knowledge and habit of ad-blocking and secure computer usage takes factors of time, effort, and money to learn, and not everyone is going to, or is capable of, devoting what's needed.
I agree; it seems worth it. My wife, who resisted dropping cable for the longest time, now prefers adless streaming and asks if wifi is down, because ads popped on her phone. If it has a downside, it is that my kid now is fascinated by ads, when we are in the wild. She normally does not see them and thus has no internal firewall built up.
It's an understandable reaction against a loud and aggressive (political) minority we've been seeing for the past four years. Thanks for the link, this finally pushed me to support the developer.
"The market" needs to be checked in so many ways. You'd think that by now we could learn to take what works and modify the rest but apparently everything has to be black and white and even a concept like "the market" ends up bound by dogma.
Yes, yes! Excellent! Then that system can also be improved, so that important websites get more money from a visit because they need the support more. For example the Arch Linux wiki. And also the system should have a blocklist so that dangerous and undemocratic websites do not get any money from the visitors.
Also, individuals who are richer should have more of their salary deducted, since they can afford it, and people who have low income or belong to groups who need special protection should not have to pay, instead they should be paid a monthly internet allowance by the government, which can increase if they visit websites who are beneficial to them and to society. For example the Arch Linux wiki.
Nah, there should be a max upper limit. So if you have a cooking site and you run it as one person you couldn't get more than, let's say 3k eur monthly. Arch linux wiki needs love, I agree.
There are nuances that need to be ironed out with this approach, but at least we can guarantee that if someone works for the common good, that individual also gets something back, can keep a straight backbone and not beg for money.
How would that legal "protection" work in practice? What would it protect against? Who would it protect?
What you say sounds reasonable. And I'm not trying to say "well, it's impossible because of some current status quo", because we could change that.
What I'm trying to say is that we need this "industry" to work out the practicalities. Otherwise we are "protected" in a same way the GDPR protects us against 3rd part trackers (you don't need a cookie banner if you don't allow 3rd parties to track your users. Yet here we are...)
Full liability for secondary harms caused by the leak of data that wasn’t directly required to provide a service to those same end users. Selling of data to third parties doesn’t transfer this liability but expands it to include any leaks or misuse coming from the entities the data is sold to. No statute of limitations.
So if company X sells data to company Y and then Y sells to company Z then company X has full liability for leaks or misuse from all entities in the chain.
No more free credit monitoring. Banks, credit card companies, and end users get to directly sue these companies. May not completely solve it but you can try to make it so expensive to mine data you don’t truly need that it ends the whole industry.
I am sure there are holes in this but we can at least try to kill the data brokers and bad actors.
We don't need more laws to solve this if your concern is a more harsh punishment for data leaks, we need to remove existing laws that limit the damages a company can be liable for and we need consumers that care enough to sue when they are harmed.
That is what I am saying above. Full liability for the data stored and shared with others. Transitive liability would need to be a new law though as I don’t believe that currently exists.
EDIT: forgot to mention consumers don’t need to care much for this to be effective. If there are damages to be had law firms are incentivized to file class action lawsuits and recruit affected customers. So, there is an incentivized actor within this framework to do the leg work to get a big payday.
> Transitive liability would need to be a new law though as I don’t believe that currently exists.
That likely would end up just being case law rather than legislation. Meaning, a lawsuit can be filed for it today and its up to the courts to decide if that liability is reasonable.
We don't necessarily need the ad industry to work out the practicalities if we simply do away with the whole ad industry. We could quite easily outlaw receiving payments from a third party in exchange for displaying information to your users.
There is a (lazy) line of argument related to GDPR, cookie banners, etc. that goes something like this: "That legislation failed, thus any legislation will fail." It was a while since I did proof by induction, but I do believe there is some step missing here.
Personally, I am open to an argument that any legislation is folly. But we need to raise the discourse rather than just bash legislative failures (or merely partial successes) of the past.
I wasn't trying to make the argument that since some parts of the GDPR didn't work out as intentended/hoped, other legislation will fail too.
My point was specifically that the GDPR put a law in place that when you send private data from users to third parties, you must ask the user for permission and allow that user to decline this and then not send that users' private data to these third parties.
The idea and intention and hope is clear: that site/app/platform owners don't send/sell data to other parties. Or, if they still do so, are punished by having to nag users with popups/banners etc.
The ad industry then spun this around, ensured that virtually every site nags users (mitigating that punishment), continue harvesting data exactly like before, and -above all- pursuade the general public that "the EU is forcing you to click cookie banners all day" or similar double-speak.
With which I was trying to put forward that any legislation must be a lot better than what the GDPR did here. So as to avoid being circumvented by the industry and also hated by the public.
Ok, sure, but that's exactly what I said: simply outlawing advertising leaves a lot less wiggle room than allowing it but with some minor semblance of consent.
My perfect world would have a law against advertising in general. If someone's paying you to say something, it's a conflict of interest and illegal.
Hopefully, the vacuum of people needing to know things would result in better independent Product reviews.
And the vacuum of not spending 30% of your company budget on advertising would hopefully lead to sinking prices and people being more willing to spend on things that were previously funded by advertising.
> If someone's paying you to say something, it's a conflict of interest and illegal.
That already misses a huge problem though, I don't pay Mozilla for Firefox and I don't pay most online sites and services that gobble up my data and sell it off.
Sure, but I don't think that really changes anything here. The idea of a law that bans advertising when the customer pays you would miss a huge portion of advertising and data collection including Firefox.
Is the concern you want fixed only that paid products still collect and sell data?
I may have misunderstood you, but my read on the third paragraph was mainly that Firefox, in this case, could still have a free browser that collects and sells data. That rule would just add one more fsctor for them to consider if they ever want a paid browser, they both need a viable market and be willing to give up the option to sell data.
Please don't engage in this blatant political activism and flamebait here. This is anti-intellectual and not what I want to see on HN.
I agree that something needs to be done about the ad industry and rampant data collection, but your emotionally manipulative comments are not it, and actively make it harder to discuss solutions to the problem.
Anyone bothered enough by advertising can stop using whatever product has been ruined by ads, or find ways to remove the advertising.
More laws and larger governments doesn't have to be the answer to all problems. If consumers care enough they'll change their usage, if they don't change their usage they likely don't care enough.
I don't particularly have an issue with advertising itself. If adverts get on my nerves on a product or page I just leave, as you suggest: problem solved.
The actual issue is the stalky tracking of me throughout my life that is currently inseparable from the advertising. I can't just walk away from that: it happens behind my back, it has happened before I get the chance to walk away.
> can stop using whatever product has been ruined by ads
Which will not stop the stalky behaviour of the ad industry. They'll still track me if I happen to click the wrong thing, or track me through my connections to other people. I suppose I could walk away from life and become a hermit, but that would be just a little extreme.
> or find ways to remove the advertising.
Which is, while I do take part, an ultimately fruitless task. Every block we make for the stalky behaviour, be it technical or legislative (other than outright banning the tracking of personal data except with explicit opt-in without exceptions, and properly enforcing punishments for breaking the ban), they'll find a way around. Removing it is not a long term solution, it is a war or attrition where we have to have our guard up all the time and they only have to get lucky, or just be particularly sneaky, every now and again.
> More laws and larger governments doesn't have to be the answer to all problems.
This has often been said by companies and their shills. Oddly, they are all in favour of extra laws and government reach when it is, for example, to protect what they consider to be their intellectual property.
> Which will not stop the stalky behaviour of the ad industry. They'll still track me if I happen to click the wrong thing, or track me through my connections to other people. I suppose I could walk away from life and become a hermit, but that would be just a little extreme.
You could make some real progress without being a hermit though, it doesn't have to be all or nothing. Don't use a smartphone, limit as much of your time online as you can, and pay in cash when you can. Those wouldn't make you a hermit but would seriously limit the data you make available to be gobbled up in the first place.
> This has often been said by companies and their shills. Oddly, they are all in favour of extra laws and government reach when it is, for example, to protect what they consider to be their intellectual property.
Well that's actually what I see as a better approach, remove protections for those companies and industries rather than trying to create new laws to limit them. Its a strange balancing act to attempt to both protect and limit an industry with different laws, we would be better off not doing either.
If I walk outside I'm bombarded by ads. Almost all websites have been tailored to include ads and hide information. You're tracked on all devices you touch.
Vaguely referencing more laws or larger government doesn't mean anything. We're not talking about all problems but a specific one. There is an obvious imbalance between the power and information an individual consumer can use to shield themselves from activities by companies that are detrimental to them. We are also not expected to test our own food for toxins.
More platitudes and soundbites doesn't have to be the answer to all problems.
Seeing ads outside likely doesn't harm you though, you can ignore them. If your city is plastered with ads to a point at where you can't stand it you can always move, that's just another part of a city that someone may decide they don't like and want something different.
> Almost all websites have been tailored to include ads and hide information. You're tracked on all devices you touch.
That's really the crux of it though. The problem isn't just that companies are gobbling up all this data, it's also that we make the data available in the first place.
Stop using a smartphone and taking it everywhere with you, limit what you do online in general, and pay cash when you can. A few simple changes would really reduce the data you make available, I'm sure there are other simple changes I'm missing here but the point is that we don't have to protect data that doesn't exist.
> Seeing ads outside likely doesn't harm you though, you can ignore them.
Just for a different perspective, I can't ignore them. I read more-or-less all text that comes into my field of vision, and cannot help but look at bright flashing lights. To my knowledge this isn't recognized anywhere as a disability (though it is associated with a standard diagnosis).
For me, and presumably others like me, flashing road signs that tell me I'm driving the right speed thanks are a serious dustraction even though I've seen the same one hundreds of times. I stopped watching association football when animated sideline ads became common because I could mot focus on the game.
If it makes sense to put in wheelchair ramps at the stadium couldn't it make sense to accommodate me, even if most people can redirect their attention just as easily as walking up the stairs?
When it comes to driving, that's seems like a totally reasonable concern. I also find roadside signs, digital boards, etc really distracting when driving. That one falls into a safety concern for everyone on the road too, where as ads in general may just be distracting, that distrsction could literally kill someone on the road.
In general, it is a really tough line to draw what is considered a protected disability. I don't know where I would draw the line, and it just gets harder as we create more diagnoses. I don't mean that to demonize the diagnoses at all, but it does make drawing a line for what to legally protect that much harder.
<< Seeing ads outside likely doesn't harm you though, you can ignore them.
I honestly do not think it is possible to ignore ads unless you do not see/smell/hear/experience them. Even if you dismiss them, you have received an impression of that ad. Your mind has been affected. It just happens that we normalized it as a normal function of society ( not completely unlike how we normalized cameras everywhere including on doorbell ). I have no interest in dating farmers, but I still remember being exposed to farmers only ad.
edit:
<< Stop using a smartphone and taking it everywhere with you.
It seems less and less of an option. Amtrak gatekeeps its best prices behind an app. Parking lot wants me to use an app. My workplace now effectively forced me to have phone on me ( even if I come into office.. I can understand the need for it while remote ).
The current societal construct practically requires a smartphone. You could technically go on without it the same way you COULD technically not have a car. It is possible, but very, very limiting. And I would argue that not having a car now is way more forgiving than not having a cell and that is saying something.
> I honestly do not think it is possible to ignore ads unless you do not see/smell/hear/experience them
While we can't avoid seeing ads in a public place, we can manage how we respond to them. That's really not much different than not liking what someone else says. We can try to regulate everything such that people can be comfortable and never have to build a thick skin, or we can trust that people can and should be able to manage their emotions well enough to ignore things they don't like.
> It seems less and less of an option. Amtrak gatekeeps its best prices behind an app. Parking lot wants me to use an app. My workplace now effectively forced me to have phone on me ( even if I come into office.. I can understand the need for it while remote
I can't stand when companies do this stuff, assuming that everyone has a smartphone and is willing to give them access to it. I choose not to patronize companies that do it, but yeah that's harder when your office building requires a smartphone to enter. When push comes to shove, I wonder what the employer would say if someone raised that it isn't an option for them and they need a different way to enter.
Broadly, we have a real issue today with society allowing conveniences to become necessities. We do it to ourselves, but just because smartphones and cars are convenient doesn't mean we should build a world where everyone has to have them. It locks us into certain paths, and when concerns like climate change come up for example we're hamstrung because we can't imagine giving up things like personal vehicles, air travel, smartphones, etc.
So because we want to keep government small and ad companies can get so big they basically invade every part of your life you have to leave your phone, close your eyes, stay offline, just move bro. This doesn't seem like a very serious or productive line of reasoning.
Sure. A phone is a product, it isn't a right or necessity. I get that they are very convenient, and addictive, but they're a very new novelty on the scale of a legal system. There are good arguments for wanting to limit advertising and data privacy, but protecting our right to use a certain piece of technology really just isn't very compelling IMO.
> close your eyes
Advertising is nothing new though. If your concern is even just seeing ads at all, that's a problem that has existed much longer than digital data brokers.
> stay offline
Similar to smartphones, being online isn't a right and is a very new concept. We don't have to be online to live our lives, and we shouldn't expect that everyone is online.
> just move bro
Moving isn't easy, and may not be cheap depending on how you do it, but is there really something wrong with moving when you don't like the area you live in? To me that seems like a totally reasonable response for anyone that's able, and for those that aren't willing to move they can try to change the place they live. Moving is just easier than somehow convincing a locality to limit or remove advertising.
> More laws and larger governments doesn't have to be the answer to all problems
More laws and larger governments are generally undesirable (for obvious reasons) but saying that we shouldn't make any laws at all is throwing the baby out of the bathwater.
If you're thoughtful and deliberate about how you write your legislation, you can have a disproportionately positive impact with a very small amount of additional weight.
For instance, instead of trying to enumerate every single way that data could be leaked and forbid that (see: HIPAA), you should just make the end state (PII in the hands of someone the user didn't explicitly authorize it to be in) illegal and mandate a fine per unit of information (e.g. 1% of the median US salary for SSN) to every entity in the leak chain (because a chain of custody for personal information is just about mandatory at this point).
Details will vary, but this general approach is vastly better than the crazy laws we have in other areas that attempt to "enumerate badness" in the intermediate rather than the end state.
I wasn't arguing for no laws though, only that we don't need to resch for them as quickly as we often do or want to do. I thought the topic here was about banning advertising as a whole, if we want to zoom into privacy concerns relates to the retention of PII data that is more doable and we already have a framework to start with based on the EU.
> If you're thoughtful and deliberate about how you write your legislation, you can have a disproportionately positive impact with a very small amount of additional weight.
Unfortunately that really is a non-starter in the US today. I have very little faith that Congress is interested in carefully considering and clarifying. I have even less faith that any bill with thousands of pages of text, which is how they appear to do business these days, could ever be clearly defined and scoped to avoid obvious unintended consequences or misplaced boundaries.
We can, but, as OP noted, the change is only temporary, while political change is harder, but also tends to last longer. I still remember when pihole worked on most things. These days it is just a part of adblocking approach for me.
tldr: Some of us are tired of fiddling with things where were we shouldn't have to.
<< More laws and larger governments doesn't have to be the answer to all problems.
If market participants can't behave ( and they clearly can't help themselves ), it is the only real answer.
<< If consumers care enough they'll change their usage, if they don't change their usage they likely don't care enough.
Or.. options for consumers are limited, which affects what they do. In all seriousness, streaming execs seemed to admit the ads simply bring more money for them so they don't care if non-ad version is profitable. It is not enough.
My household dropped Netflix and Prime over their silliness. We currently still have Disney until they get too greedy. And that is just streaming. Regular net is soooo much worse without a way to scrub the ads away.
> My household dropped Netflix and Prime over their silliness. We currently still have Disney until they get too greedy. And that is just streaming. Regular net is soooo much worse without a way to scrub the ads away.
Isn't that a good example of consumers exercising their right to not patronize companies they don't agree with? You didn't need a law stopping you from using Prime, and you don't have a right to use it, you just decided you didn't like their product anymore.
The blindspot missing in a ban of advertising is what that does to the viability and price of a product. Prime and Netflix as it is today is built based partly on the advertising revenue. Presumably if that money disappears the product would get worse, disappear, or become more expensive.
>Regular net is soooo much worse without a way to scrub the ads away.
Hmm, there are ways: I browse with NoScript and unlock Origin installed and see almost no ads. If a website doesn't work and I really need to visit it for some reason, I selectively enable part of the JS they want me to load. Other sites simply don't get my attention.
It works for now and note that there already were some attempts to have solutions like origin stop working[1]. Unsuccessful, for now, but the intent is there and I am starting to get tired of the whack a mole.
The "ad industry" is a cancer and we need legal protection against this "industry". The solution is political not technical and definitely can not be left to "the market".
Haven't you had enough?