Google 在歐盟的服務將提供 Reject All Cookies 的按鈕

看到「Google gives Europe a ‘reject all’ button for tracking cookies after fines from watchdogs」這篇,在講 Google 在歐盟的服務開始提供 Reject All Cookie 的按鈕,其中 Google 官方的公告可以在「New cookie choices in Europe」這邊看到。

Reject All Cookies 的按鈕是像這樣的設計:

照報導說的,今年初的時候法國罰了 Google 一億五千萬歐元,因為 Accept All Cookies 只要一個按鍵,但 Reject All Cookies 需要按很多選單才能達成,而法國認為這樣非對稱式的設計是違法的:

Earlier this year, France’s data protection agency CNIL fined Google €150 million ($170 million) for deploying confusing language in cookie banners. Previously, Google allowed users to accept all tracking cookies with a single click, but forced people to click through various menus to reject them all. This asymmetry was unlawful, said CNIL, steering users into accepting cookies to the ultimate benefit of Google’s advertising business.

Google 的說明裡面也有提到法國的事情,但當然沒有提到罰款:

Based on these conversations and specific direction from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), we have now completed a full redesign of our approach, including changes to the infrastructure we use to handle cookies.

另外就是這個功能目前只在法國啟用,後續會放到整個歐盟區:

We’ve kicked off the launch in France and will be extending this experience across the rest of the European Economic Area, the U.K. and Switzerland.

公平會對創業家兄弟與松果公司的 SEO 誘導轉向開罰

好像很少提到國內的新聞,但這則應該是這兩天蠻熱門的一個新聞,創業家兄弟與松果公司 (也是創業家兄弟公司) 被公平會開罰:「操作SEO搜尋關鍵字誤導消費者 創業家兄弟、松果公司挨罰」,相關的備份先留起來:Internet Archivearchive.today

公平會官方的新聞稿則可以在「利用程式設計引誘消費者「逛錯街」,公平會開罰」這邊看到,對應的網頁備份:Internet Archivearchive.today

用的是公平交易法第 25 條:

公平會於4月12日第1594次委員會議通過,創業家兄弟股份有限公司及松果購物股份有限公司利用「搜尋引擎優化 (Search Engine Optimization,簡稱SEO)」技術,並在搜尋引擎的顯示結果上不當顯示特定品牌名稱,使消費者誤認該賣場有販售特定品牌產品,藉以增進自身網站到訪率,違反公平交易法第25條規定,處創業家兄弟公司200萬元、松果公司80萬元罰鍰。

這條的條文可以從「公平交易法§25-全國法規資料庫」這邊看到:

除本法另有規定者外,事業亦不得為其他足以影響交易秩序之欺罔或顯失公平之行為。

主要的原因是點進去後卻沒有該項商品:

公平會發現,消費者在Google搜尋引擎打上特定品牌名稱,例如「悅夢床墊」時,搜尋結果會出現「悅夢床墊的熱銷搜尋結果│生活市集」、「人氣熱銷悅夢床墊口碑推薦品牌整理─松果購物」等搜尋結果,消費者被前述搜尋結果吸引點選進入「生活市集」、「松果購物」網站後,卻發現該賣場並無「悅夢床墊」之產品,此係生活市集及松果購物之經營者創業家兄弟公司及松果公司分別利用SEO技術所產生的現象。

而且會透過使用者在往站上搜尋的關鍵字產生對應的頁面:

公平會進一步調查後發現,創業家兄弟公司及松果公司對其所經營之「生活市集」及「松果購物」網頁進行設計,只要網路使用者在該2網站搜尋過「悅夢床墊」,縱然該2網站賣場並沒有賣「悅夢床墊」,其網站程式也會主動生成行銷文案網頁,以供搜尋引擎攫取。若有消費者之後在Google搜尋引擎查詢「悅夢床墊」時,搜尋結果便會帶出「悅夢床墊的熱銷搜尋結果│生活市集」、「人氣熱銷悅夢床墊口碑推薦品牌整理─松果購物」等搜尋結果項目,經消費者點選後即會導向「生活市集」、「松果購物」之網站。

然後判罰的部份:

公平會過往即曾就事業使用競爭對手事業名稱作為關鍵字廣告,並在關鍵字廣告併列競爭對手事業名稱之行為,認定違反公平交易法第25條規定。本案雖非創業家兄弟公司及松果公司直接使用「悅夢床墊」等他人商品品牌作為關鍵字廣告,但最終呈現之結果,本質上都是「誘導/轉向」(bait-and-switch)的欺罔行為,除了打斷消費者正常的商品搜尋與購買過程,也對其他販售該等品牌商品之經營者形成不公平競爭的效果。若任由發生而不予規範,未來將可能導致其他競爭者之競相仿效,消費者將更難以分辨搜尋結果呈現資訊之真偽,進而威脅電商市場之競爭秩序及消費者利益。故公平會認為違反公平交易法第25條「足以影響交易秩序之欺罔及顯失公平行為」,並分別處創業家兄弟公司200萬元、松果公司80萬元罰鍰。

所以這算是對 Dark pattern SEO 的部份開罰...

EULA 不能禁止使用者 decompile 修 bug

Hacker News Daily 上翻到的,歐洲法院認為 EULA 不能禁止使用者 decompile 修 bug:「EU court rules no EULA can forbid decompilation, if you want to fix a bug (europa.eu)」,官方的英文版文件在這邊可以翻到,不過原始判決是法文:

* Language of the case: French.

這是 Top System SA 與比利時政府打的訴訟,法院認為修 bug 而需要 decompile 這件事情是合法的,即使考慮到 Article 6 的規範:

In the light of the foregoing considerations, the answer to the first question referred is that Article 5(1) of Directive 91/250 must be interpreted as meaning that the lawful purchaser of a computer program is entitled to decompile all or part of that program in order to correct errors affecting its operation, including where the correction consists in disabling a function that is affecting the proper operation of the application of which that program forms a part.

In the light of the foregoing considerations, the answer to the second question referred is that Article 5(1) of Directive 91/250 must be interpreted as meaning that the lawful purchaser of a computer program who wishes to decompile that program in order to correct errors affecting the operation thereof is not required to satisfy the requirements laid down in Article 6 of that directive. However, that purchaser is entitled to carry out such a decompilation only to the extent necessary to effect that correction and in compliance, where appropriate, with the conditions laid down in the contract with the holder of the copyright in that program.

案子看起來應該還有得打?看起來好像不是最終判決...

REQUEST for a preliminary ruling under Article 267 TFEU from the Cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium), made by decision of 20 December 2019, received at the Court on 14 January 2020[.]

但不管怎樣,算是有些東西出來了... 然後 Hacker News 上面的討論就看到一些很歡樂的例子:

This becomes incredibly interesting in terms of e.g. Denuvo. This anti-piracy middleware has been shown to make games unplayable, and this EU law seems to support removing it.

哭啊怎麼提到該死的 Denuvo XDDD

Atlassian 在 ToS 內禁止使用者討論 Cloud 產品的效能

Hacker News Daily 上看到的:「Atlassian Cloud ToS section 3.3(I) prohibits discussing performance issues (atlassian.com)」,引用的頁面是「Atlassian Cloud Terms of Service」這邊。

翻了下 Internet Archive,看起來在 2018/11/01 生效的版本就有這條了:「20181102013014」。

出自這條:

3.3. Restrictions. Except as otherwise expressly permitted in these Terms, you will not: [...]; (i) publicly disseminate information regarding the performance of the Cloud Products; [...]

這個條文已經生效兩年多了,不過我猜就是被大家批一批還是依舊...

這類條款類似於 OracleMicrosoft 在資料庫系統上面的條款 (可以參考「Is it against license to publish Oracle and SQL Server performance test?」這邊的回答),看起來除非從法律層級禁止,不然應該只會有愈來愈多公司納入這類條款...

GitHub 拿掉所有非必要的 Cookie 了

GitHub 家的老大宣佈拿掉 cookie banner 了,因為他們直接把所有非必要的 cookie 都拿掉了:「No cookie for you」。

會有 cookie banner 主要是因為歐盟的規定:

Well, EU law requires you to use cookie banners if your website contains cookies that are not required for it to work. Common examples of such cookies are those used by third-party analytics, tracking, and advertising services. These services collect information about people’s behavior across the web, store it in their databases, and can use it to serve personalized ads.

然後他們的解法是拔掉:

At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really. ?

是個「解決製造問題的人」的解法 XDDD (但是是褒意)

美國汽車的兒童安全座椅法律,影響生育的意願

Hacker News Daily 上看到的,原文標題比較漂亮:「Car Seats as Contraception」,在 Hacker News 上也有討論:「Car seats as contraception (ssrn.com)」,重點是作者之一 (David H. Solomon) 也有跑上去回應。

Abstract 的部份把重點都講出來了,1977 年美國通過汽車的兒童安全座椅法律,但大多數的汽車無法放下第三張座椅,這反而使得生第三胎的成本大幅提高 (需要買空間更大的車),然後另外拉出資料分析因為法律而制止的車禍數量:

Since 1977, U.S. states have passed laws steadily raising the age for which a child must ride in a car safety seat. These laws significantly raise the cost of having a third child, as many regular-sized cars cannot fit three child seats in the back. Using census data and state-year variation in laws, we estimate that when women have two children of ages requiring mandated car seats, they have a lower annual probability of giving birth by 0.73 percentage points. Consistent with a causal channel, this effect is limited to third child births, is concentrated in households with access to a car, and is larger when a male is present (when both front seats are likely to be occupied). We estimate that these laws prevented only 57 car crash fatalities of children nationwide in 2017. Simultaneously, they led to a permanent reduction of approximately 8,000 births in the same year, and 145,000 fewer births since 1980, with 90% of this decline being since 2000.

濃濃的政治不正確感 XD

Brave 出手檢舉 Google 沒有遵守 GDPR

Brave (從 Chromium 分支出來的瀏覽器) 檢舉 Google 沒有遵守 GDPR 的規定:「Formal GDPR complaint against Google’s internal data free-for-all」。

主要是「purpose limitation」這個部份,出自「REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016」:

1. Personal data shall be:

(b)

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

比較重要的是 specified 與 explicit 這兩個詞,GDPR 規定必須明確指明用途,而可以從整理出來的文件「Inside the black box」裡的「Purported processing purpose」看到大量的極為廣泛的說明。

Google 應該會就這塊反擊認為這樣的描述就夠用,就看歐盟決定要怎麼做了...

紐約時報的 The Privacy Project 分析了這二十年來 Google 的隱私條款

紐約時報The Privacy Project 分析了 Google 在這二十年來的 Privacy Policy (英文版),可以看出網路廣告產業的變化,以及為什麼變得極力蒐集個資與使用者行為:「Google’s 4,000-Word Privacy Policy Is a Secret History of the Internet」。整篇看起來有點長,可以先看裡面的小標題,然後看一下列出來的條文差異,把不同時間的重點都列出來了。

最早期的轉變是「針對性」:

1999-2004
No longer talks about users ‘in aggregate’

1999 年的版本強調了整體性,後來因為針對性廣告而被拿掉:

1999
Google may share information about users with advertisers, business partners, sponsors, and other third parties. However, we only talk about our users in aggregate, not as individuals. For example, we may disclose how frequently the average Google user visits Google, or which other query words are most often used with the query word "Microsoft."

接下來的是蒐集的項目大幅增加,讓分析更準確:

2005-2011
Google shares more data for better targeting

然後是更多產品線互相使用使用者行為資訊:

2012-2017
Its complicated business requires a more complicated policy

接下來是因為法規而配合修改條文 (最有名的就是 GDPR):

2018-PRESENT
Policy adjusts to meet stricter regulation

Amazon 需要對賣出去的產品造成的傷害負責

前幾天還蠻引人注目的案件,Amazon 被判決要對平台商家透過 Amazon 平台賣出去的產品負責:「Federal appeals court says Amazon is liable for third-party sellers' products」。

這個案例裡面是消費者透過 Amazon 的平台,向上架的商家購買 hoverboard (懸浮滑板?),結果把消費者家給搞爆了:

Last year, a judge in Tennessee ruled the company was not liable for damages caused by a defective hoverboard that exploded, burning down a family's house.

目前最新的判決中指出,Amazon 在合約裡面簽訂消費者必須透過 Amazon 的平台跟賣家溝通,使得賣家與消費者之間沒有直接的管道可以處理爭議,所以 Amazon 不能免責:

"Amazon fails to account for the fact that under the Agreement, third-party vendors can communicate with the customers only through Amazon," the ruling states. "This enables third-party vendors to conceal themselves from the customer, leaving customers injured by defective products with no direct recourse to the third-party vendor."

這個判決看起來會影響蠻大的,因為這些條款就是希望維持平台業者可以從中獲利,現在反過來殺傷自身... 看起來上訴是跑不掉的?等幾個月後再回來看...

Square 在使用條款裡禁止 AGPLv3+ 的軟體

雖然 AGPL 系列的確不是什麼好貨色,也的確有不少人批評過,但 Square 直接透過自家的平台服務攻擊 AGPLv3+ 就很稀奇了?

在「Square’s terms of service forbid use of AGPL-licensed software in online stores (squareup.com)」這邊看到的,公告的條款 (尚未生效) 是「Additional Point of Sale Terms of Service」這個站台,出自於這段:

B. Content Restrictions. In addition to the restrictions set forth in these Additional Product Terms, the General Terms and Payment Terms, you will not:

[...]

15. use, under any circumstance, any open source software subject to the GNU Affero General Public License v.3, or greater;

是直接指名而不是誤殺,不知道是發生什麼事情...

現在 Hacker News 上有些人猜測是律師團認為 AGPL 會反過來影響 Square 自己的程式碼也被感染?反正現在變成 PR 事件了,加上資訊也不足,先蹲著看...