1957 points apokryptein | 11 comments
inahga ◴[] No.42910118[source]
There are quite a few interesting tracking flows out there.

My rent is paid through a company called Bilt.

I discovered that when I shop at Walgreens now, Bilt sends me an email containing the full receipt of what I bought like so:

    > Hey [inahga],
    >
    > You shopped at Walgreens on 12/1/24 and earned Bilt Points with your
    > Neighborhood Pharmacy benefit.
    >
    > Items eligible for rewards
    > TOSTITOS HINT OF LIME RSTC 11OZ
    > $3.50
    > 
    > +3 pts
    > TOSTITOS RSTC 12OZ
    > $3.50
    >
    > +3 pts
    > Other items*
    > EXCLUDED ITEMS
    > $0.07
    >
    > *May include rewards-ineligible items and/or prescriptions.

Ostensibly (hopefully) it would exclude sensitive items, Plan B, condoms, etc...

I'm curious how this data flows from Walgreens to my rent company, but maybe I'd rather not know and just use cash/certified check from now on.

replies(19): >>42910141 #>>42910150 #>>42910255 #>>42910258 #>>42910275 #>>42910307 #>>42910604 #>>42911346 #>>42911365 #>>42911455 #>>42911597 #>>42911711 #>>42911897 #>>42911933 #>>42913328 #>>42914952 #>>42915737 #>>42922787 #>>42928562 #
1. nicbou ◴[] No.42910275[source]
Things like that are on my mind when HN rants about GDPR. Something like this would be wildly illegal where I live.
replies(3): >>42910875 #>>42911086 #>>42911755 #
2. DoubleGlazing ◴[] No.42910875[source]
Unfortunately the GDPR is largely toothless if a company without an EU presence chooses to ignore it.

I live in Ireland and my data is in the databases of several US data brokers. Those companies can't be forced to comply with the GDPR because they simply do not have an EU presence. You don't have to search far to find stories from people who made complaints to their local Data Protection office about such issues only to be told there's nothing that can be done.

replies(1): >>42912262 #
3. kortilla ◴[] No.42911086[source]
HN rants about it because it’s not a good solution. It identified a problem but caused an idiotic fallout (cookie banners) and failed to actually put in a framework to enforce that companies aren’t just lying.
replies(3): >>42911249 #>>42911376 #>>42919113 #
4. throw_away32 ◴[] No.42911249[source]
> failed to actually put in a framework to enforce that companies aren’t just lying.

That's not true. I work in a European company and we were contacted by the agency to give a complete list of partners that we use, reasons for why it is justified, which routines we have for deleting old data etc.

I guess in theory we could have lied and made up data, but only an idiot would risk lying to the government. Everyone at my company took it seriously and tried to provide as accurate data as possible. There were also several follow-up questions that had to be answered.

The mindset of lying to the government to "protect" your employer seems so far-fetched. Why should an employee lie to the government? If it turns out that the company was in violation of GDPR the worst case scenario for the company is a fine. If the government finds out you are lying, the employee faces jail time. The trade-off is simply not worth it.

Maybe it's easier to lie to the government in some countries, but not in my country. The government agencies actually check and verify your claims.

replies(1): >>42912329 #
5. hsuduebc2 ◴[] No.42911376[source]
I agree, but a small stick to beat them is better than none.

I guess the best solution would be usage of some proxy which intercepts these calls or provides fake data to them, as the OP in the article did.

6. inahga ◴[] No.42911755[source]
FWIW in Illinois, where I’ve experienced this, there is a bill https://www.ilga.gov/ftp/legislation/102/billstatus/HTML/102... that appears to be GDPR-esque or CCPA-esque. Seems to have little interest though.
7. nicbou ◴[] No.42912262[source]
A common discussion these days is the threat of a foreign app (TikTok) being used by a hostile government to track and influence Americans.

From my non-American perspective, the same thing is happening here. I distrust non-EU software by default.

8. kortilla ◴[] No.42912329{3}[source]
The lie doesn’t have to be intentional. All it takes is a really simple accidental debug logging flag to collect what amounts to a GDPR violation.

The point is that no effort was made to implement a technical solution to protect privacy. So it’s upsettingly trivial to violate the GDPR unknowingly and any company that is even a little unscrupulous (of which there are hundreds) can easily ignore the law.

replies(1): >>42915996 #
9. troupo ◴[] No.42915996{4}[source]
> The point is that no effort was made to implement a technical solution to protect privacy.

And you want the government to do that?

Why haven't the companies who at every turn shout how privacy-conscious they are done that?

It's now been 8 years of GDPR. Why hasn't the world's largest advertising company incidentally owning the world's most popular browser implemented a technical solution for tracking and cookie banners in the browser? Oh wait...

replies(1): >>42947572 #
10. triceratops ◴[] No.42919113[source]
I've been seeing cookie banners on European websites long before GDPR was a twinkle in some Brussels bureaucrat's eye.
11. kortilla ◴[] No.42947572{5}[source]
> And you want the government to do that?

Yes, it’s their job. Building codes have technical specifications and don’t allow people to opt out. Airspace is very tightly regulated with technical specifications.

> Why hasn't the world's largest advertising company incidentally owning the world's most popular browser implemented a technical solution for tracking and cookie banners in the browser? Oh wait...

Because the government is the thing that is supposed to produce useful regulations, not an advertising company.

GDPR is like trying to solve smog by passing a law that says people can opt out of smog by staying out of the city. No regulations to actually reduce smog.