Anyone know?
> But Newsom said he is opposed to the new bill's mandate on operating systems. "I am concerned, however, about placing a mandate on operating system (OS) developers at this time," the governor wrote. "No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill."
It didn't refer to any standard about how this signal should be sent so different browsers could send completely different information.
It didn't put any requirements on businesses who receive this signal. They are free to completely ignore it just like Do-Not-Track, and most will.
Even if a company wanted to comply out of good will it doesn't define even vaguely what people are opting out of by toggling this setting which would lead to confusion as different sites would implement different things, and different browsers and OSes would describe it differently.
It was literally mandating a dummy button.
[1] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml...
We've become such a lazy society, its depressing.
Thanks for pointing out how worthless this bill was.
Unless by "we" you mean "the EU economic zone" then no, "we" really don't. As an American I have been exposed, for the past 15 years, to the blatant failure of any genuine attempt to protect consumer rights or privacy in the nation where both Android and iOS originated. We, the progenitors of the smartphone, have failed to impose any form of substantial regulation that would seriously enable privacy for the end-user.
It's no coincidence. Phone hardware is only worth so much, but the data it generates is priceless. The secondhand market for information enabled by the NSA and industrial contractors like Palantir provides the intelligence backbone of the global economy. The United States' negligence towards Google and Apple is a proven quid-pro-quo agreement.
Bing: "How do I protect my privacy online?" Results: 11,700,000
I don't need to smart enough to build a rocket to go to Mars. I just need to type a basic query into a search engine. Not only do I get 11M results, I now have an AI assistant telling me how I can do that. The results also list ads from companies who can do that for you, written tutorials on how do that, articles on how to do that and a bunch of videos as well.
Is this the insurmountable obstacle you talk about when you say not everybody is an expert in security and privacy??
C'mon man.
How do you even square these adjacent statements?
> even decent OpSec is hard.
> We've become such a lazy society
The plain and obvious response to our situation is that digital privacy and security should be opt-out, not opt-in. It's not as simple as adding a button that does nothing, but it actually is relatively simple for browser vendors et al to reverse their assumptions.
If you don't agree, are you knocking on doors and teaching your neighbors how to manage their security? I hope you've got a lot of patience.
> even decent OpSec is hard.
Its hard to maintain because most people have to give something up in order to get the privacy they want. 99% of the users these days don't care about privacy. Privacy is a "boomer" thing.
Its not hard when you have literally generations of technological knowledge at your fingertips and still want something automated to do all of this for you, without any compromises on your own part - which inevitably leads to:
> We've become such a lazy society
THAT is a terrible take? Putting some onus on the user to get out of their lazyboy chair and do some research?
And your conclusion to OP talking about users taking some actual responsibility for their own privacy is this:
> If you don't agree, are you knocking on doors and teaching your neighbors how to manage their security? I hope you've got a lot of patience.
Seriously. Thanks for confirming OP's point:
> We've become such a lazy society
What was implied in my previous comment is that someone who doesn't know anything about digital privacy and security can't be called lazy for not investing in it. And lots of people know very little about it. "Society is lazy" is in fact a lazy excuse to wash one's hands of a problem and pretend they're better than other people.
> Its hard to maintain because most people have to give something up in order to get the privacy they want. 99% of the users these days don't care about privacy. Privacy is a "boomer" thing.
Its not hard when you have literally generations of technological knowledge at your fingertips and still want something automated to do all of this for you, without any compromises on your own part - which inevitably leads to:
Sorry... I have literally no idea what the point you're making here is. Is it hard or easy? Do people want meaningful privacy or do they not?
If your friend doesn’t jump through all of this month’s hoops in BigCorp’s shiny new privacy policy (so lazy for not opting out yet again!) then your privacy might become collateral damage.
My personal opinion is that framing problems as personal responsibility rather than collective action is a conspiracy to stunt actual solutions. It is effective because it shifts blame from offending companies to unknowing individuals.
In many ways, privacy violations fit the public health model better than the user features model - my privacy can be infringed upon through no action of my own if a contact of mine fails to secure theirs. Surely I shouldn't be expected to carefully vet and interview all acquaintances, neighbors, third party partners to my grocery store, security cameras I happen to walk past, and friends of friends to make sure they follow best practices?
Right now you can't drive on public freeways without commercial entities capturing your license plate, and they can retain it as long as they want and do whatever they want with it, as long as it has the potential for profit. That's not the world I want to live in.
That is not correct. Please see my comment here: https://news.ycombinator.com/item?id=41711728
DNT was then either ignored, or directly used as a tracking vector.
Even the advertising networks that did “respect it” stopped respecting it the moment it became popular (iirc multiple networks said they would not respect it if it was not off by default, or if users were asked ahead of time rather than it being a functionally hidden setting)
The only real problem with DNT is that there's no law requiring it to be respected. A solution to that problem is to pass such laws (which is exactly what this story is about!).
The parts about browsers is quite reasonable. One way to implement the required signal would be for the browser to add a header to HTTP requests that indicates the desire to opt-out.
The problem is the requirement that operating systems do a similar thing for any communications to businesses. Here's how it is phrased in the bill:
> A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system
What does it mean by "interacts through the mobile operating system"?
Say I install some app. When the user uses that app the app opens a TCP connection to some a server of some business and the user interacts with that server through the app. All that communication between the app and server does go through the operating system, namely via the app making API calls to the operating system's network services.
Does that count as the user interacting "through the mobile operating system"?
If it does, then how is the operating system supposed to send a signal? I suppose that if the app happens to be using HTTP or some other protocol that the OS happens to recognize it could try to inject some signal into that. That likely would be very error prone, but it is theoretically possible.
But what if the app is using end-to-end encryption? Then all the OS sees is encrypted data.
Maybe that part of the bill is meant to apply to situations where the user is interacting using the programs that are part of the operating system? That would be more sensible. If that's what they mean the bill should be re-written to say that.
It's not like going into detail about such things would make the bill unwieldy. The PDF of the bill is 4 pages and 1 of those is a page for signatures of various people acknowledging they received it, 1 is the legislative counsel's digest of the bill, and one is a page for the governor to sign. That leaves 1 page for the bill itself.
Here is the entire text of that page:
>The people of the State of California do enact as follows:
> SECTION 1. Section 1798.136 is added to the Civil Code, to read:
> 1798.136. (a) (1) Unless otherwise prohibited by federal law, a business shall not develop or maintain a browser that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser.
> (2) The setting required by paragraph (1) shall be easy for a reasonable person to locate and configure.
> (b) (1) A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system.
> (2) This subdivision shall become operative six months after the adoption of regulations by the California Privacy Protection Agency that outline the requirements and technical specifications for an opt-out preference signal to be used by a mobile operating system.
> (c) The California Privacy Protection Agency may adopt regulations as necessary to implement and administer this section, including, but not limited to, ensuring that the setting described by subdivision (a) is easy for a reasonable person to locate and configure and updating the definitions of “browser” and “mobile operating system” to address changes in technology, data collection, obstacles to implementation, or privacy concerns.
> (d) As used in this section:
> (1) “Browser” means an interactive software application that is primarily used by consumers to access internet websites.
> (2) “Mobile operating system” means an operating system in use on a smartphone or tablet.
> (3) “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information or to limit the use of the consumer’s sensitive personal information.
> (e) This section shall become operative on January 1, 2026.
> SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
Disclosure: I am one of the co-founders of GPC and a spec editor.
[1] https://globalprivacycontrol.org/.
[2] https://oag.ca.gov/news/press-releases/attorney-general-bont....