Ban the sale of precise geolocation

4/17/2026 at 2:58:37 PM

A lot of geolocation data on the market is anonymized, following medium-lived unique IDs that aren't able to be mapped to other identifiers. The problem with that is that if you have precise locations, or enough samples that you can apply statistics to find precise locations, in many cases you can de-anonymize the IDs. You can purchase address and resident listings from a number of different data vendors, and by checking where the device returns to at night you can figure its home address. Then if you find information on the residents (work locations, schools, etc.), you see if said device goes where each resident of the home address is likely to go, and you now have a pretty good idea of exactly who the device belongs to.

by Johnbot

4/17/2026 at 3:31:28 PM

There is no such thing as anonymized location data when you have the location of something where and when they sleep and work.

It's a rhetorical fiction the ad industry tells itself.

by rockskon

4/17/2026 at 5:14:59 PM

Right, there's probably no other phone in the world that typically stops for hours within 1000 feet of my bed and typically stops on Monday-Friday within 1000 feet of my work-desk.

by Terr_

4/17/2026 at 6:36:03 PM

Now think what Lavrenti Beria and an LLM could have done with that.

by mapt

4/17/2026 at 7:13:19 PM

Somebody once said that if Stalin had access to television, he would never have to kill 20+ million ppl. What would he do with all that data? No idea.

by wafflemaker

4/18/2026 at 2:03:54 PM

If all you've got is full political power and control over propaganda networks, your won't get the USSR. You'll get Hungary between 2010 and 2026. It works well, but in the critical moments when things start going wrong you need to kill people to maintain power, or else your nascent autocracy collapses as quick as Orban's.

by kspacewalk2

4/18/2026 at 6:50:22 AM

I'm no fun of Stalin, but this meme about 20+ million victims needs to be purged.

"The scholarly consensus affirms that archival materials declassified in 1991 contain irrefutable data far superior to sources used prior to 1991, such as statements from emigres and other informants.

Before the dissolution of the Soviet Union and the archival revelations, some historians estimated that the numbers killed by Stalin's regime were 20 million or higher. After the Soviet Union dissolved, evidence from the Soviet archives was declassified and researchers were allowed to study it. This contained official records of 799,455 executions (1921–1953), around 1.5 to 1.7 million deaths in the Gulag, some 390,000[ deaths during the dekulakization forced resettlement, and up to 400,000 deaths of persons deported during the 1940s, with a total of about 3.3 million officially recorded victims in these categories. According to historian Stephen Wheatcroft, approximately 1 million of these deaths were "purposive" while the rest happened through neglect and irresponsibility. The deaths of at least 5.5 to 6.5 million persons in the Soviet famine of 1932–1933 are sometimes included with the victims of the Stalin era." [0]

https://en.wikipedia.org/wiki/Excess_mortality_under_Joseph_...

by drysine

4/19/2026 at 10:29:12 AM

lol naturally the criminals were obsessed with honestly keeping comprehensive official records of their misdeeds

by nacozarina

4/19/2026 at 1:01:02 PM

> I'm no fun of Stalin

I would argue for the generality of this characterization

by maximinus_thrax

4/18/2026 at 12:44:53 AM

Only thing better to rule with is a network connected telescreen that monitors and issues orders to the proles.

by kevin_thibedeau

4/18/2026 at 7:51:11 AM

So Instagram and TikTok?

by nlitened

4/18/2026 at 10:07:48 PM

The party needs a modern alternative to FauxNews to manipulate the youth. They've already sunk their claws into TikTok.

by kevin_thibedeau

4/18/2026 at 10:29:02 AM

Please kill me first

by cwmoore

4/17/2026 at 10:50:28 PM

Pretty sure it would be hard to enslave these people through television

by breppp

4/17/2026 at 11:12:48 PM

Would it be? I'd argue the current US administration is entirely propped up by television. Hell, the president seems to "rule" based on what Fox News said last night.

by hightrix

4/18/2026 at 12:26:11 AM

A slightly different and no more charitable perspective is that the people pulling the president's strings are the same people pulling Fox News's strings.

by lithocarpus

4/18/2026 at 7:14:12 AM

Never saw the current US administration shipping people to labor camps with a single winter life expectancy

by breppp

4/18/2026 at 10:20:23 AM

What is the life expectancy in CECOT?

by tdeck

4/18/2026 at 5:12:08 PM

Let's see, during Stalin's Rule 18 million people went through forced labor camps and roughly 10% died, around 1.8 million

Let's add around 5 million for man made famine, and probably a 2 million for arbitrary executions and deportations, while many estimate the full death count as between 15-20 million

As far I can understand the top range of estimates for CECOT, which is a non American facility, are that 500 died, of around imprisoned 20,000 inmates. So the scale is a bit... different

I think the issue here is that contrary to popular belief, not every wrong thing is the same

by breppp

4/18/2026 at 9:51:48 PM

Death rates are particularly hard to compare because part of the idea of El Salvador's system is that people are expected to die there - there is no release policy - yet most of them are young healthy men recently detained.

If we just look at incarceration rates:

CECOT is one facility, but around 2% of El Salvador's population has been imprisoned by Bukele's operation.

In 1950 the USSR had a population of around 180 million, and the gulag system was at its height with a population of 2.5 million, very similar.

The US prison system has been around 1% from the peak of the War On Drugs until recent fads in liberalized sentencing, currently holding at 0.7%, one of the highest in the world if you exclude ethnic purges like Xinjiang or Gaza.

by mapt

4/19/2026 at 5:46:17 PM

Imagine how lost your morale compass needs to be to defend Stalin because you don't like Trump.

Apart for the fact that people were released from El Salvador system, the population percentage is wrong for El Salvador, USSR and US, the difference between slavery camps and a penal system, Gaza not being a prison.

But what are you really saying, that the 200-500 dead in El Salvador, most non associated with Trump, makes Trump equivalent with Stalin's 15 million dead? Does that make sense?

by breppp

4/18/2026 at 7:55:06 AM

Ever seen entire countries of people locked up in their homes within a week — for months?

by nlitened

4/18/2026 at 3:12:42 PM

I’m pretty sure most phones have a higher location accuracy than 1000 feet.

by xigoi

4/17/2026 at 3:58:32 PM

And with LLM’s now it’s easier than ever to piece the parts together. Companies were doing it before we even knew what LLM’s were capable of.

Edit: It's a rhetorical fiction the ad industry tells us.

by Forgeties79

4/17/2026 at 10:27:25 PM

I think this begs the question of what anonymous data means. Sure my visit to HN is "anonymous" in that it doesn't say "abustamam visited this site" but piece together all the other visits that have my "anonymous ID" then eventually it paints a pretty nice picture of who I am.

by abustamam

4/18/2026 at 12:29:41 AM

Does it map to a single, identifiable person or something close enough that the distinction is meaningless?

Then it's not anonymous.

Simple as that.

by rockskon

4/18/2026 at 4:42:50 AM

My point is that even completely anonymous data that conforms to what you just said can easily become de-anonymized when contextualized to other "anonymous" data.

by abustamam

4/18/2026 at 5:31:55 AM

A marketer's definition of anonymized is worthless. It's a fantasy they want everyone else to believe in.

If it can be "de-anonymized" then it was never anonymous to begin with.

"De-anonymized" is quite literally an oxymoron.

by rockskon

4/18/2026 at 6:08:16 PM

> A marketer's definition of anonymized is worthless. It's a fantasy they want everyone else to believe in.

I'm using your definition.

> Does it map to a single, identifiable person or something close enough that the distinction is meaningless?

Also

> If it can be "de-anonymized" then it was never anonymous to begin with.

Well sure, that's the point I was trying to make in my rhetorical question above. Individual pieces of data may be "anonymous" but put together with other anonymous data that can be traced to a single source and suddenly you can figure out quite easily who this person is. The data itself is still technically anonymous but it can be pieced together.

by abustamam

4/18/2026 at 2:50:57 PM

Does that mean that no non-post-quantum encryption was ever actually encryption because in 20 years someone will be able to decrypt things?

by thfuran

4/17/2026 at 4:17:54 PM

We should have learned this lesson 20 years ago when researchers were able to deanonymize a lot of the Netflix Prize dataset, which contained nothing except movie ratings and their associated dates.

https://arxiv.org/abs/cs/0610105

If movie ratings are vulnerable to pattern-matching from noisy external sources, then it should be obvious that location data is enormously more vulnerable.

by teraflop

4/18/2026 at 3:00:35 AM

> In contrast to previous attacks on micro-data privacy [22], our de-anonymization algorithm does not assume that the attributes are divided a priori into quasi-identifiers and sensitive attributes. Examples include anonymized transaction records (if the adversary knows a few of the individual's purchases, can he learn all of her purchases?), recommendation and rating services (if the adversary knows a few movies that the individual watched, can he learn all movies she watched?), Web browsing and search histories (12], and so on. In such datasets, it is impossible to tell in advance which attributes might be available to the adversary;

Is Location data highly dimensional though?

by totetsu

4/17/2026 at 3:37:15 PM

exactly. calling it 'anonymized' is pure security theater once you have enough data points to map out someones daily routine.

waiting for legislation or eulas to fix this is a lost cause since adtech always finds a loophole. the fix has to be architectural. moving toward stateless proxies that strip device identifiers at the edge before they even hit upstream servers. if the payload never touches a persistent db there is literally nothing to de-anonymize. stateless infra is the only sane way forward

by vovanidze

4/17/2026 at 3:52:13 PM

To be honest, I feel like this is where iOS and Android are failing us. Why is every app allowed to embed a bunch of trackers? Only blocking cross-app tracking on user request as iOS does is not enough (and data of different apps/websites can be correlated externally).

by microtonal

4/17/2026 at 4:14:50 PM

Because we don’t enforce antitrust law in this country and the people that make those decisions profit from the ads.

by CPLX

4/17/2026 at 6:09:28 PM

> To be honest, I feel like this is where iOS and Android are failing us. Why is every app allowed to embed a bunch of trackers? Only blocking cross-app tracking on user request as iOS does is not enough (and data of different apps/websites can be correlated externally).

Even if Google and Apple both want to commit to fighting this, it becomes a game of whack-a-mole, because there are all sorts of different ways to track users that the platforms can't control.

As an easy example: every time you share an Instagram post/video/reel, they generate a unique link that is tracked back to you so they can track your social graph by seeing which users end up viewing that link. (TikTok does the same thing, although they at least make it more obvious by showing that in the UI with "____ shared this video with you").

by chimeracoder

4/17/2026 at 4:27:09 PM

im not sure about allowed. perhaps required may be closer.

why would someone include tech that makes people think twice about using the app, unless it is required if you want to "sell" in a particular venue.

if your developing geolocation based apps, location tracking is a core function.

a calender, absolutely does not require location tracking beyond what side of the prime meridian are you on.

by rolph

4/17/2026 at 5:01:01 PM

> if your developing geolocation based apps, location tracking is a core function.

But the subsequent sale of that data is not—is the discussion here.

by nickburns

4/17/2026 at 6:08:55 PM

and the reason why that data is available for sale, starts with forced collection of data, if you want to participate in an app store as a developer.

you cant sell what you dont have unless you lie lower than a rug.

fix the data collection problem and a second order effect of no data for sale emerges.

by rolph

4/17/2026 at 6:59:39 PM

Are you suggesting Android/iOS app developers are forced into data collection somehow? If so, how? I'm genuinely curious.

by nickburns

4/17/2026 at 8:00:25 PM

> why would someone include tech that makes people think twice about using the app, unless it is required if you want to "sell" in a particular venue.

Because the overwhelming majority of people don't think twice about this tech.

I do, and that's why I use a lot of web tools or old-fashioned phone calls, but most people think metadata=unimportant and assume that the purpose of the app is what it does for them rather than to gather their personal information for sale.

by LeifCarrotson

4/17/2026 at 6:06:32 PM

How is this legal under the GPDR? There is clear examples in the citizenlab document of a user been tracked inside of the EU from outside.

Is there not also a requirement for clean consent? Ie a weather app can’t track your precise location?

by uxhacker

4/17/2026 at 3:29:37 PM

Companies exist that de-anonymize other data brokers data. Lets the other data brokers claim they have anonymized data while end end users get everything.

by sroussey

4/17/2026 at 3:47:56 PM

you could probably run a anonymization company at the same time you run a de-anonymization company

by ImPostingOnHN

4/17/2026 at 5:37:37 PM

Best of both worlds - legal and profitable \s

by gessha

4/17/2026 at 7:15:09 PM

> enough samples that you can apply statistics to find precise locations, in many cases you can de-anonymize the IDs

I think a lot of people don't realize the power of a big enough sample size. With enough samples even something pretty innocent looking like your daily step counter could make you identifiable.

As far as I know we don't have large enough databases to make this happen in practice, but I don't think this is impossible in the future.

by nzach

4/17/2026 at 7:34:22 PM

How large are you estimating is "large enough"?

by jandrewrogers

4/17/2026 at 3:57:40 PM

Location and identity are inextricably linked. You can't destroy identity without also destroying location and location is critical for myriad purposes.

The analytic reconstruction of identity from location is far more sophisticated than the scenarios people imagine. You don't need to know where they live to figure out who they are. Every human leaves a fingerprint in space-time.

by jandrewrogers

4/17/2026 at 4:03:28 PM

> and location is critical for myriad purposes.

It's not though.

Critical for myriad elective purposes? Sure.

by nickburns

4/17/2026 at 4:15:58 PM

Only if you consider the entire concept of logistics in civilization as "elective".

by jandrewrogers

4/17/2026 at 4:53:08 PM

Seems hyperbolic we had logistics that functioned extremely well before we had customer location data for sale on 3rd party sites.

by xphos

4/17/2026 at 6:04:11 PM

If you re-read the comment they didn't say that selling it was intrinsic.

by philipallstar

4/18/2026 at 12:30:35 AM

The article is about privacy tracking spyware cookies. I think making statements in that context about how modern logistics don't work with out location data implies you mean location data from those sources. I mean i suppose it doesn't have to but than it just feels off topic no?

by xphos

4/17/2026 at 4:19:09 PM

I don't follow what you mean by 'logistics in civilization' as that's pretty vague and amorphous.

Could you be more specific with maybe a single example of where my physical geographic location is electronically critical for a purpose that isn't elective/optional/avoidable?

(And I'm not just trying to be obtuse. I think you're touching on at least part of the 'heart' of both this conversation and that of digital ID verification.)

by nickburns

4/17/2026 at 4:49:15 PM

How does tracking the movements of individual humans aid shipping and logistics, other than providing traffic data to freight companies? How did we manage to have global supply chains prior to GPS being invented?

Edit: I assume I am missing a crucial part of logistics that you’re familiar with, genuinely curious.

by quickthrowman

4/17/2026 at 4:10:21 PM

In what sense can the latitude and longitude of my house be called anonymous data?

by ninalanyon

4/17/2026 at 4:19:34 PM

Ultimately, a map is anonymous data containing lat/lon of everyone's house

Alone, these points are not deanonymizing, it's when there's other data associated.

by kube-system

4/17/2026 at 7:07:07 PM

From what I've seen none of this is that complex, one could simply 'draw a circle around your house' and get all the "anonymized" device pings and just trace those.

by ramoz

4/17/2026 at 3:21:13 PM

Yep. With side channel/one order of thinking above the laws, its trivial to get around said laws. Need better laws.

by 1121redblackgo

4/17/2026 at 3:48:04 PM

> A lot of geolocation data on the market is anonymized

A lot isn't good enough.

by malfist

4/17/2026 at 2:49:06 PM

IMO we should ban gathering this data without a warrant or specific contractual agreement between the device owner and entity aggregating the data. As much as congress loves to claim the interstate commerce theory of everything, this seems like a slam dunk.

by ch4s3

4/17/2026 at 2:57:07 PM

Contractual agreement? Nobody reads things like EULAs or terms of service. It's probably in there already.

by Dwedit

4/17/2026 at 3:05:57 PM

I should have been a bit more clear. We should ban retention for any purposes where it is not explicitly required for the intended function and clearly agreed to by all parties. Think somethig like strava or asset tracking. You know it stores gps data, and why.

by ch4s3

4/17/2026 at 3:14:08 PM

There is no such things as "clearly agreed to by all parties" when it comes to end users. Companies provide a one-sided, "take it or leave it" EULA, and if you don't agree to everything in it, you don't use the product. There is no meeting of the minds, there is no negotiation, and there is no actual agreement. It's a rule book dictated by one side.

by ryandrake

4/17/2026 at 3:16:37 PM

Then it's not a valid contract and therefore does not absolve them of criminal liability for stalking you.

by pocksuppet

4/17/2026 at 4:26:46 PM

Contracts of adhesion can be valid contracts. The ability to negotiate or equal bargaining power is not a required element of a contract.

Furthermore, you cannot contract away criminal liability if any exists.

by kube-system

4/17/2026 at 4:34:22 PM

Even attempting to use a contract of adhesion to justify selling GPS location data to a third party should be a criminal act.

by lukeschlather

4/17/2026 at 4:37:40 PM

Yes, the US is in desperate need of better privacy laws.

by kube-system

4/17/2026 at 4:41:16 PM

You click on “accept terms and conditions” which means you agree to the contact.

by celeritascelery

4/17/2026 at 3:23:10 PM

You can't just bury literally anything in an EULA. There's a fair amount of case law establishing that EULAs clauses that are surprising or illegal aren't enforceable.

by ch4s3

4/17/2026 at 3:34:15 PM

That fact does not change the point of the individual to which you replied. Regardless of whether the clauses in the EULA are 100% legal, some mixture or 100% illegal, the entire EULA is a "one sided rule-book dictated completely by one side". You, the person held to the EULA's rules, do not get to negotiate on the individual points. You simply have a "take it or go away" set of options.

by pwg

4/17/2026 at 4:47:57 PM

You're talking about contracts of adhesion and they are overwhelmingly common for B2C agreements. Most red-lining of contracts only happens in high-value B2B transactions where the sums of money involved are enough that it makes sense to bring lawyers into the loop.

by kube-system

4/17/2026 at 4:07:12 PM

https://en.wikipedia.org/wiki/Shrinkwrap_(contract_law)

by nickburns

4/17/2026 at 7:05:31 PM

If the product has any serious audience / traction, it becomes profitable to scan its EULA for illegal clauses, and sue the company for damages (and maybe extra punishment for breaking the law).

The fact that 100% of its users, except the litigant, skimmed through the EULA and did not notice anything does not relieve the company from the responsibility.

by nine_k

4/17/2026 at 4:32:15 PM

when you already pay for the device and a contract, then surprise now that you have skin and flesh in the game, you HAVE TO agree to this EULA or your property is a brick and we keep your money.

that is defined as extortion, but labled as onboarding.

by rolph

4/17/2026 at 4:49:06 PM

Courts do look poorly upon this -- to have a valid contract of adhesion there is some degree of advanced notice required and ability to reject it.

by kube-system

4/17/2026 at 3:41:31 PM

There is the GDPR.

by stavros

4/17/2026 at 3:03:41 PM

if it were up to me i’d require a hand signed contract that explicitly, up front and in plain english gives permission and is not transferable to any “partners”.

by toofy

4/17/2026 at 3:01:25 PM

Right, privacy terms are written to be vague and permissive. Even if you read them you can’t usually understand how the data will be used or opt out.

by rubyfan

4/17/2026 at 5:12:01 PM

Instead of “I accept”, you’re given a quiz

by teeray

4/17/2026 at 3:00:10 PM

I think we should make this type of tracking opt-out by default. We should also ban the sale of its use to third parties and its use for purposes other than the specific functionality which required it to be enabled in the first place.

by rubyfan

4/17/2026 at 3:06:57 PM

>I think we should make this type of tracking opt-out by default

That's opt-in, not opt-out.

https://en.wiktionary.org/wiki/opt-out

by gruez

4/17/2026 at 4:09:44 PM

GP states correctly that they believe the default 'choice' of a user should be 'opting-out' of location tracking.

by nickburns

4/17/2026 at 8:35:47 PM

This is utterly confusing the use of the terms. Opting is making a choice. The default isn't a choice. Opting by default makes no sense.

by rcxdude

4/18/2026 at 1:25:04 AM

Yeah it is. What I mean is the default is you have not opted in. You must choose to opt in for this type of tracking. It should be a choice that doesn’t preclude you from using a service if you don’t allow tracking.

by rubyfan

4/18/2026 at 4:54:23 AM

You are describing opt-in policies — you’re out by default and you have to opt-in to be tracked.

by quantum_magpie

4/17/2026 at 6:08:50 PM

Every EULA already covers this basically. The real problems are: people agree to it, and the government can do an end-run around the constitution by simply purchasing data or hiring contractors.

by wakawaka28

4/18/2026 at 12:34:32 AM

companies don't buy anymore, they just take it. think about Claude, every time you use it, you are literally give away your code, your data, and even your personal information.

by philipnee

4/17/2026 at 3:04:07 PM

> IMO we should ban gathering this data without

GDPR tried. And the narrative around GDPR was deliberately completely derailed by adtech.

Lack of enforcement didn't help either

by troupo

4/17/2026 at 3:07:27 PM

GDPR like all EU regulation is needlessly complicated and aimed at a compliance model that seems designed for SAP.

by ch4s3

4/17/2026 at 3:13:32 PM

You can literally read the entire "complicated" regulation in one sitting in an afternoon. There's literally nothing complex or complicated about it.

Congrats on gullibly believing the ad tech narrative.

by troupo

4/17/2026 at 3:18:21 PM

The "GDPR is complicated" meme has been circulating among software developers since probably before it was even written. It's so wild that HN dunks on it so much: Here we have a societal problem in computing we've been complaining about for decades, someone offers an incremental but imperfect regulation to start taking steps to correct it, and everyone hates it!

by ryandrake

4/17/2026 at 6:51:59 PM

> It's so wild that HN dunks on it so much: Here we have a societal problem in computing we've been complaining about for decades, someone offers an incremental but imperfect regulation to start taking steps to correct it, and everyone hates it!

YOUR collection of user's data is an overreach and breach of privacy. MY collection of data is absolutely necessary to grow my scrappy small business and provide value. I am a good person with good intentions, so its OK. You are a bad person doing bad things, so its not OK.

by kentm

4/17/2026 at 6:23:04 PM

The GDPR is vague and unworkable as written. It fundamentally restricts all data processing with a few, vague exceptions.

What is data processing essential for the services being provided? Many publishers assumed that getting paid was an essential part of providing a service, and it was not until 3 months before the implementation deadline that the committee clarified that getting paid is not included when you are being paid by a third party.

How are you to know whether or not the user is an EU citizen (and thus subject to the GDPR)? Is making that determination a service essential for providing your service? The answers apparently were "You don't" and "No", which would effectively make companies assume that the GDPR applies to everyone on the planet.

The GDPR also is fundamentally opposed to how things currently work in the internet, making almost all advertising on the web illegal overnight. It was too big of a change to happen at once, so it effectively only loosely enforced in practice.

I like the idea of the GDPR, but the implementation sucks.

by IX-103

4/17/2026 at 9:06:30 PM

> The GDPR is vague and unworkable as written. It fundamentally restricts all data processing with a few, vague exceptions.

What utter utter FUD

You are free to collect as much personal data as you want, PROVIDING you have my explicit opt-in informed consent to do so.

What about this is difficult to understand?

> How are you to know whether or not the user is an EU citizen (and thus subject to the GDPR)?

The GDPR provides _basic_ data safety and consumer protection. If you aren't protecting users private data regardless of where they live in line with GDPR principles (such as collecting it fairly, and not selling it to randoms) then you are playing fast and loose with your users private, sensitive data. In which case you need to _seriously_ consider if what you are doing is ethical.

> The GDPR also is fundamentally opposed to how things currently work in the internet, making almost all advertising on the web illegal overnight.

Utter Bullshit!

You are free to advertise as much as you like! But if you want to track me with your advertising (hello scummy adtech industry) then you need my explicit informed consent to do so. And so you should!

Again, what about this is difficult to understand?

by GJim

4/17/2026 at 9:23:04 PM

> If you aren't protecting users private data regardless of where they live in line with GDPR principles (such as collecting it fairly, and not selling it to randoms) then you are playing fast and loose with your users private, sensitive data.

It's interesting and revealing when someone responds to a law that says "You're not allowed to abuse users in countries X, Y, and Z" with "How can I figure out who's in the other countries, so I can abuse them?" instead of "I'll just stop abusing everyone, and then I don't even need to worry about where anyone is."

Whenever you find yourself asking "how do I toe as close to the 'illegal' line as I can without technically going over it?" I think it's time to ask yourself some pretty hard questions.

by ryandrake

4/17/2026 at 11:10:37 PM

Your entire reply is both a non sequitur, and doesn't even attempt to understand what people tell you

by troupo

4/17/2026 at 3:19:13 PM

Same with the California age input box.

by pocksuppet

4/17/2026 at 4:42:31 PM

The problem with the age input box is that we don't have the GDPR. We're mandating that people give accurate age information to advertisers, and it's legal for advertisers to sell detailed dossiers on people including their age and target advertising using the age. This is why Meta wrote the age input box legislation, they want to make everyone legally required to provide Meta with their age.

by lukeschlather

4/18/2026 at 11:52:19 AM

No actually it's not mandated to be accurate

by pocksuppet

4/17/2026 at 3:28:12 PM

Being able to read something in one sitting doesn't make it simple or obvious. The law establishes a board that gets to set new requirements.

by ch4s3

4/17/2026 at 7:40:57 PM

What new requirements can be set by the board? As far as I understand EDPB can only issue guidelines, recommendations and best practices. All of these are just guidelines on how to interpret GDPR. Courts are the ones who ultimately decide if are complying with GDPR. Local DPA likely won't harshly punish you if you follow EDPB's recommendations if they end up getting overturned by court.

DPA won't punish you for not following EDPB's recommendations, they will punish you for breaking GDPR. You are free to ignore EDPB if you think your legal position is strong, but you carry the risk if you are wrong.

by buzer

4/17/2026 at 3:44:53 PM

As someone who has to implement it, it's really not bad at all: Ask the user for consent to use their data, and don't be misleading about it. That's it.

The rest of the "It'S So LaRgE AnD UndErSpEciFieD" is just FUD. The regulators don't just slap fines, they work with you to get you to comply, and they just want to see that you're putting in the effort instead of messing them about.

I have literally never been surprised by the GDPR. Whenever I thought "surely this is allowed" it was, whenever I thought "this can't be allowed", it wasn't. For everything in the middle, nobody will punish you for an honest mistake.

by stavros

4/17/2026 at 6:38:42 PM

Also, "Be able to track a user's data and delete it on a request."

This is not too hard if you do proper engineering work ahead of time and are purposeful about how you move and manage data (step 1 is just not collecting it unless its vital). But the industry encourages us to be very bad about that because we gotta "move fast and break things or you're not gonna make it."

by kentm

4/17/2026 at 4:00:44 PM

Anti GDPR people: "it's so complicated not being able to walk into someone's house and take their things! Which things can I not take? How about this? And now I need a lawyer if I take someone's things? Ridiculous!"

Just don't spy on people.

by redwall_hp

4/17/2026 at 4:04:31 PM

Yeah that's pretty much what it feels like, or sometimes it's "what if someone's stuff is lying on the street? Can I take it then?" and the regulator is kind of like "look around and ask if it belongs to anyone, and if not, sure".

by stavros

4/17/2026 at 5:54:50 PM

> for everything in the middle, nobody will punish you for an honest mistake.

How do you know that? Again the law establishes a rules making body that can at any time change or add rules, and as far as I can tell there's no public review process.

by ch4s3

4/17/2026 at 11:15:07 PM

> Again the law establishes a rules making body that can at any time change or add rules

Please quote the exact text of the law that you claim does that. And since the law has been in force for 10 years, perhaps you can point at the website of said body.

If you say "DPAs", then...erm... perhaps learn something about the world around you? Who do you think monitors compliance, say, for food, or for construction? It just appears out of nowhere? Same here

by troupo

4/17/2026 at 6:11:31 PM

Which body is this? The EDPB?

by stavros

4/17/2026 at 3:59:55 PM

The compliance model is very simple. Do not collect data. Problem solved. If you need to collect data (e.g. because you are a webshop), only collect the minimum necessary.

The problem is not the GDPR, the problem is the surveillance industry that wants to grab as much data as possible and try to do as much malicious compliance as possible.

by microtonal

4/17/2026 at 4:14:04 PM

Designing around GDPR compliance shows up all over the place in industrial data collection. It doesn't only affect surveillance webslop.

The costs are often worse on industrial side because the data is so much larger and faster than web or mobile data.

by jandrewrogers

4/17/2026 at 5:06:37 PM

What do you mean by "industrial" in this case?

by gwerbin

4/17/2026 at 5:34:42 PM

Telemetry from machines and data from environmental sensors that is collected for operational purposes (safety, efficiency, reliability) in industrial applications. Old school engineering systems that in modern times have expansive network-connected sensors that may even have onboard classifiers to reduce the quantity of data.

The trouble started when lawyers correctly noticed that these are incidentally capable surveillance systems even though that isn't how we use them or what they were designed for.

by jandrewrogers

4/17/2026 at 11:20:33 PM

> The trouble started when lawyers correctly noticed that these are incidentally capable surveillance systems even though that isn't how we use them or what they were designed for.

Many systems were not explicitly designed for surveillance, and are. Because many systems collect too much data to begin with.

Hence the problem: people who collect too much data claim that GDPR is complicated, complex, convoluted, impossible to comply with... instead of changing what data they collect, and how.

Additionally, people confuse the complexity of human endeavours with the complexity of the law. GDPR itself is neither complex nor complicated. It doesn't try to carve out exceptions, rules, and regulations for every possible activity humans may attempt. Then it would become impossible to understand or comply with.

As is, it has enough carveouts for industries which require more data than strictly necessary, called "legitimate interest" (which still doesn't allow you to just use this data willy-nilly). E.g. banks collect significantly more data about customers than strictly necessary (because KYC, fraud, security etc.), and store that data for significantly longer amount of time than allowed by privacy-related laws (because they are governed by bank laws of respective countries). It doesn'tmean they can sell that data or spy on users.

Same here. It's not on the law to tell you exactly how to operate your "industrial-scale operation". It's on you to fix your shit, stop collecting more data than necessary, have data protection in place, delete data after a reasonable time, anonymize data etc.

by troupo

4/17/2026 at 7:53:36 PM

Interesting. What are your obligations under GDPR in that case? It's not like a packing machine can request data deletion.

by gwerbin

4/17/2026 at 9:38:13 PM

No one has been able to provide a satisfactory answer to this question. I've seen the lawyers try to figure this out at a few companies.

GDPR frames everything in the context of a person's data. There is no "person_id" or similar field in these data models. That isn't the purpose of the data, it would be expensive to extract it, and then it would create obvious liability under GDPR. This makes the idea of finding a person's data expensive -- brute-force search on huge data volumes.

Compounding this, these data systems are often operational and some of the data may be in situ at the edge because it is too large to move all of it. The power and compute budget may not exist to find a person using brute force.

AFAICT, current best practice is to maintain a polite fiction that people aren't being tracked because that is not the intent. No one thinks that would stand up to serious legal scrutiny though. If the regulators come after you then plead best effort based on the technical infeasibility of doing anything else.

by jandrewrogers

4/17/2026 at 11:26:22 PM

https://gdpr-info.eu/art-25-gdpr/

--- start quote ---

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. 3In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

--- end quote ---

IANAL, but this basically covers all your bases, together with https://gdpr-info.eu/art-32-gdpr/

Unless, of course, your industrial-scale data collection actually collects significantly more data than you let on, and extraction of personal data is not as hard as you make it sound

by troupo

4/18/2026 at 12:35:16 AM

Let's say I'm an industrial monitoring SaaS company with a bunch of analytics products and a new AI intelligence product.

Forget tracking workers' movements and stuff like that because that's even more complicated (the data is tied to a person, but only in their capacity as an employee and not as a private individual).

Focus on a case like a cluster of sensors attached to various equipment powered by electric motors, or using RFID to detect when a pallet enters the warehouse. Let's say that all goes to a cloud platform and I store it, I build a bunch of derived analytics stuff from it, and I send it up to Anthropic (with no-train-on-me-pls contract clause) for my cool new AI insights engine.

Does GDPR apply at all to that? I would have assumed it doesn't have any relevance whatsoever, but you're implying that it does. Or are you specifically talking about the case when individual employees are the data collection subjects, like a fleet management platform with a telematics component?

by gwerbin

4/17/2026 at 8:51:36 PM

Eh?

The GDPR is there to protect your personal/sensitive data, or data that can personally identify you. If has nothing whatsoever to do with data capture from industrial machinary.

I remain astounded how ignorant some people are of basic GDPR principle: protecting your _personal_ data.

by GJim

4/17/2026 at 9:59:44 PM

Industrial data capture can produce detailed traces of your travel no different than tracking your mobile phone. Some can capture personal details that adtech often can't because the sensor suites are more diverse and operate in different environments. We just don't use it for that.

How is this not your personal data?

Exploitation of these types of data sources has been demonstrated for 15+ years at this point. Abuse is often impractical for technical reasons but GDPR doesn't give you free pass on collecting personal data just because you aren't using it like personal data.

by jandrewrogers

4/18/2026 at 1:14:58 AM

> compliance model is very simple. Do not collect data. Problem solved

In a perfect world, yes. In the real world, there is an entire industry of lawyers who will smother your competitors with bogus requests because GDPR requires you spend time and resources to investigate and respond to each and every complaint regardless of merit.

by JumpCrisscross

4/17/2026 at 3:17:46 PM

Have you read it? It's not that bad, unless you're thinking like an adtech programmer trying to find the exact edge case for the maximal amount of tracking you're allowed to do, because such a bright line does not exist and that fact infuriates adtech professionals. It is vague because reality is vague and complex; each specific case of alleged violation has to be interpreted by multiple humans; there is no algorithm.

by pocksuppet

4/17/2026 at 3:27:33 PM

The law mandates a data protection officer with specific duties. It also establishes a board that "issue guidelines, recommendations, and best practices" which is where administrative complication and nonsense always creeps in.

by ch4s3

4/18/2026 at 11:53:03 AM

It's not a separate position. It's a role that one of your upper management plays. It's saying someone at the company must respond to data protection requests, and that person is the data protection officer. Every law that mandates companies do things implies that someone at the company has to do those things.

by pocksuppet

4/17/2026 at 3:47:47 PM

It is regulation that imagines companies are a government bureaucracy.

I have read GDPR and don't work in adtech. It is vague and it is pretty easy to find pathological scenarios that don't make much sense or impose an unusually high burden for no benefit. Every European law firm seems to agree with this assessment despite what proponents assert. Consequently, it forces a lot of expensive defensive activity in practice.

To some extent, it was just a failure of imagination on the part of GDPR's authors. Many things are not nearly as simple as it seems to assume and it bleeds into data models that have nothing to do with people.

It is what it is but no one should pretend it is not a burden for companies that have nothing to do with adtech or even data about people.

by jandrewrogers

4/18/2026 at 4:12:17 PM

> I have read GDPR and don't work in adtech. It is vague

As laws go, it's crystal clear

> is pretty easy to find pathological scenarios

Laws in general don't try to tell you how to implement every single facet of every single human endeavor. Otherwise no laws would be written, and those that would get written would be incomprehensible monstrosities.

To not repeat myself, I have more here: https://news.ycombinator.com/item?id=47811648

For 99.999% of businesses GDPR is trivial. For 99.999% of the remaining businesses it's either covered by other laws (banking) or is only difficult to implement because they were ised to collecting user data en masse (any social netowrk or streaming service).

There are very, very, very few instances were GDPR cannot be applied using basic common sense.

by troupo

4/17/2026 at 8:16:18 PM

The problem the USA has is that it has no concept of "private data" outside of some part of HIPAA.

Until that changes you're going to be stuck.

Something as simple as the data protections act 1998 (https://en.wikipedia.org/wiki/Data_Protection_Act_1998) would kneecap a lot of the shady shit that goes on in the USA.

by KaiserPro

4/17/2026 at 3:40:43 PM

The problem with all these discussions about banning stuff is that privacy is always on the back foot. It's by design. People who want to surveil and manipulate us are actively investigating new ways of doing it, they get paid for it and they risk nothing in the long run. All of these discussions about specifics are just reactions. They aren't even reactions to the surveillance itself, but rather to a discovery by someone that a new surveillance machine has been constructed and launched.

So the current feedback process involves: construction → exploitation → reporting → public awareness → legislation. This is too slow. Moreover, operating in this environment is exhausting.

We need a different feedback loop altogether. I'm not sure which one would work best, but something different needs to be considered.

by romaniv

4/17/2026 at 5:24:23 PM

Yeah, abuse of privacy should be the crime, the same way theft is. How exactly the crime is committed shouldn't matter. Companies can have every right to make a compelling argument that what they did was not an abuse of privacy when they are defending themselves in court.

And critically, it is not someone becoming aware of private information that is the abuse of privacy, it is exploiting that private information which is the abuse. There may be countless legitimate technical reasons you need to collect data, but there can not possibly be a technical justification for selling it.

by jjk166

4/18/2026 at 5:01:14 AM

A culture that values privacy, out of respect, necessity and/or fear, has potential to sabotage each step of the process even if it were not to change.

There was a point, at least in my bubble, where there was a general sense that government surveillance is bad (expect against those people). I think coming out of the Cold War, then 9/11, and followed by propaganda obfuscating the increase, purpose and prevalence of private surveillance took us from "no, we aren't Stalinist Russia" to "I don't care, I have nothing to hide" to just "I don't care" when it comes to the topic of surveillance at all.

Unfortunately, it will take great shocks to instill it so the next generation can learn from the suffering of the previous, and then forget it when privacy is taken for granted again.

by heavyset_go

4/17/2026 at 6:55:58 PM

Once wealthy and powerful people realize how this can be used to track them they will start cracking down. One of many examples for how underrated access to location data is for unauthorized people, it is a primary way that the military locates and kills targets in foreign countries. It is surprising all of the data is so freely available with data brokers. Or in some cases from the app companies themselves, if you're willing to make it worth the trouble for them.

by treebeard901

4/18/2026 at 5:29:41 PM

They realize it. But they can exercise enough power to target removal of information that they don't want public.

by Schiendelman

4/17/2026 at 7:52:31 PM

Seems there’s an opening for an ElonJet-like tracker that operates on this data.

by crummy

4/17/2026 at 6:11:27 PM

Most people don't realize how bad geolocated data is for a free society. I can buy data from a broker, geo-fence your house address, and then I'm able to see all the places where you went, who you associate with, and identify all you associate with by tracking them to addresses. All of this happens with anonymized device identifiers. It is the wet dream of a company such as Palantir and all governments who desire absolute control over their populations.

by groos

4/17/2026 at 3:43:16 PM

Let’s just stretch copyright to cover movement/location as a protected creative expression. It’s somewhat ridiculous but we’ve already established case law and technology for handling/mishandling protected assets.

by linkjuice4all

4/18/2026 at 12:00:42 AM

Cory Doctorow argued against using copyright law as a substitute for privacy law or labor law [1], and I argue the same for location privacy. Copyright law already gets abused enough in contexts that indisputably involve copying of creative work. I do not want to stretch copyright law into location/movement privacy, where nonconsensual recording of location/movement does not necessarily copy something created by the person whose location was tracked. At least in the US, copyright comes into existence when creative expression is recorded in a tangible medium (such as your device's RAM, because outside of my beloved meme world you cannot download more RAM), and the copyright belongs to whoever did the recording. If an app on your phone records your location, was it you who recorded it? Was it the phone maker who recorded it? Was it the app maker who recorded it? Keep in mind, maybe you didn't install the app, or maybe you weren't aware that the app would track your location when you first installed it.

[1] https://pluralistic.net/2023/10/21/the-internets-original-si...

by hn_acker

4/17/2026 at 4:56:59 PM

Then they add a clause to the ToS with "you grant us and our affiliates a worldwide, non-exclusive, royalty-free, sublicensable and transferable license to your location..."

by gruez

4/18/2026 at 12:45:45 AM

It's frustrating how much of the system already is a hassle for everyone who already does the things right.

I make some apps that use precise location. We don't sell the data, we share it with the interested party who the app user is working for only. The user is fully aware when the data is collected and when not, they can even turn it off at will. Nobody even cares who has the device, just that they're delivering a package or something to that effect. It's all good.

Then I hit the app-stores and it's like pulling teeth with paperwork and rejections (depends on the reviewer, sometimes you fly through, sometimes very much not).

I have to attest that we don't do shit with an email that may or may not appear in a field, that we don't do porn (I have no idea where that reviewer got that idea). Some reviewer misread something and now I have to explain that no we don't use contacts, we never do... wtf. More delays.

I'm privacy minded so I don't so much mind the IDEA that I have to attest to all these things, but all the hoops I have to run through is because the bad guys who steal all this info and sell it do their thing, but they're still doing their bad thing just fine ...

Meanwhile my app is stuck in review.

It feels like being pulled over randomly by the cops because "well there's a lot of speeders out there" when I'm not one of them. It's all hassle for everyone doing it right, and for the bad guys or the apps that clearly don't have to follow the rules that everyone else does it has no impact on them.

The whole system is borked.

by duxup

4/17/2026 at 2:50:27 PM

More details are available here, including screenshots of the tool.

https://citizenlab.ca/research/analysis-of-penlinks-ad-based...

by uxhacker

4/18/2026 at 12:02:39 AM

Corresponding HN thread: https://news.ycombinator.com/item?id=47758309

by mtlynch

4/17/2026 at 4:05:01 PM

These people really have no idea at the level of data collection from Google's rootkit on Android known as "Google Play Services".

by titzer

4/17/2026 at 7:15:16 PM

When I had the opportunity to peer into public records, I found some extremely intriguing stuff.

There was one person with a feminine name who showed up with a “home address” that would correspond to being my “neighbor” at home, at my clinic, at church, when I went to college, etc. All the years corresponded correctly, and the addresses were some residential place about a block or less away from the places where I went.

For all I know, this person was either fictional or an innocent bystander. She did appear to have a Facebook account or two. I was never able to directly contact her. But I found it very strange and I wondered what would be gained by doxxxing me in this manner?

Of course this has nothing directly to do with GPS coordinates, but imagine if the GPS began to be part of your public record as well, or on your credit report. Imagine if it was entered into the public record what coffee house you visited every morning, or if there were errors in this record.

by ButlerianJihad

4/17/2026 at 9:32:03 PM

> GPS coordinates

* coordinates

There are many ways of establishing ones latitude and longitude without recourse to one particular GNSS system.

by GJim

4/17/2026 at 10:16:33 PM

Excuse my colloquialism. All I meant was “universally recognized coördinate format”, okay?

by ButlerianJihad

4/17/2026 at 4:26:08 PM

There needs to be a believeable legal framework behind this.

Imagine a option on your iPhone that says “Enable this to allow geo-location tracking for organisations registered under the NOADSJUSTPUBLICGOOD Act” - then any wifi endpoint could locate you as long based on signal strength etc and that data could only be made available to people registered under the act.

Would we see new understanding of how people move around in cities, would we see better traffic information, Inthink so - as long as people believe that there are real teeth to the laws and they enforced loudly and publically.

We should embrace the benefits of a society wide epidemiology experiment - the benefits for public health are incredible. (Add to that supply chain logistics on open ledgers and many of the new things that just were not possible before and the future of open transparent but well regulated democracies is bright.

Let me know if you spot one.

by lifeisstillgood

4/17/2026 at 7:24:15 PM

"Get consent first" hasn't worked because the average consumer can't give informed consent to the kind of stuff going on behind the scenes.

What about: "If something bad happens because of the data your company shared or lost, it is criminally and financially liable?"

by Terr_

4/17/2026 at 7:58:33 PM

Both make sense. Depends on who you want to protect.

by atmosx

4/17/2026 at 6:01:29 PM

I'm of the opinion now that posting videos online without the explicit permission of EVERYONE in the video should be illegal. It's one thing to take a video and keep it on your phone but if you share it outside of your family and only your family, then it needs to have the expressed consent of everyone whose face is on it otherwise it should be a crime.

The previous views on privacy didn't take into account the fact that everyone now has video cameras and people are incentivized to violate privacy to make money as influencers. I think people's privacies need to be protected and I think that means making laws around it much, much stricter. This includes things like location data, it shouldn't be sold or exposed at all.

by reenorap

4/17/2026 at 6:06:41 PM

So, no videos of festivals or politicians speaking? How about legally recorded conversations or anything else exposing corruption? Body cam footage? Harassment is already a crime. Take care not to come up with oppressive laws to deal with a nuisance.

by wakawaka28

4/17/2026 at 6:12:22 PM

The examples show Android devices. How does Webloc track iOS devices given Apple doesn't allow unique IDs and allows the user to disable the ad ID? I wish these articles would go into a bit more detail for the technical reader.

by pnw

4/17/2026 at 3:16:43 PM

Does anyone know of any groups that are organizing and lobbying to get things like this into law? I know about the EFF but they seem to be more focused on documenting and reporting instead of lobbying and getting things passed.

by Eextra953

4/17/2026 at 5:05:45 PM

Restore the fourth, Brennan Center, EPIC, Freedom of the press foundation.

by Cider9986

4/17/2026 at 3:56:30 PM

Senator Wyden has been pretty focused on it. I think it's going to take some changes in Congress before it happens though.

by dminor

4/17/2026 at 5:03:40 PM

Massie and McGovern in the house as well.

by Cider9986

4/17/2026 at 6:06:13 PM

I had a theory that the way to solve this was a location intelligence data union which sold safely anonymised aggregates and shared the profits, while also litigating on behalf of members under available legislation to stop other people using their data.

Alas, I was stymied by not having any cash to work on it, and the unit economics were not very VC friendly (at least I assume that’s one of the reasons why I didn’t get any traction from VCs).

by kidnoodle

4/17/2026 at 3:25:32 PM

How about we just ban the collection of precise geolocation? Wouldn't that be a better solution?

by glitchc

4/17/2026 at 3:48:45 PM

You can have legitimate use cases where it's a core functionality of the application to store it, so the user obviously knows it's being collected and agrees by using it.

by davebren

4/18/2026 at 1:33:03 AM

Storage accessible only to the user is usually not what we mean when we say data collection.

by foresto

4/18/2026 at 4:29:27 PM

If data is collected and stored on a server, that is what we mean when we say data collection.

by davebren

4/17/2026 at 6:03:18 PM

So you want to ban all mapping apps and all fitness apps?

by warkdarrior

4/17/2026 at 8:10:24 PM

Nothing external needs my precise location to navigate with a map. An approximate location is sufficient to deliver to my device a map of an area I'm in, and of the overall route, and all of the details that are useful for navigation.

Fitness apps can be local. We have pocket supercomputers; certainly, we don't need help from the clown to keep track of how far (or how energetically) we biked or walked today, or where that took place.

by ssl-3

4/17/2026 at 3:26:46 PM

I would expect such a law to be lobbied to death.

by Mithriil

4/17/2026 at 2:46:05 PM

Don't you want random companies to store your precise location for 12 years? https://x.com/dmitriid/status/1817122117093056541

by troupo

4/17/2026 at 2:50:04 PM

Screenshot in that tweet says 13 months FYI

by Swizec

4/17/2026 at 2:55:46 PM

  > Lifespan: 13 Months
  > ...
  > Standard retention (4320 Days)

It looks like a cookie prompt, so I assume "Lifespan" refers to cookie expiration and "retention" to how long the data (including geolocation) is retained on the spyware company's servers.

by mzajc

4/17/2026 at 2:58:55 PM

[Cookie] Lifespan: 13 Months

Data Retention: Standard Retention (4320 days)

by troupo

4/17/2026 at 3:01:19 PM

Smartphones, mobile apps, mobile networks, and WiFi stopped being your friends around 2015-2016. Now it's just a matter of how much data can be harvested from device sensors in real time until reaching a pain point which doesn't exist.

by lifestyleguru

4/17/2026 at 5:09:09 PM

WiFi isn't that bad, we have mac address randomization[1] and VPNs. Cellular is obscenely bad, though.

[1] https://grapheneos.org/usage#wifi-privacy

by Cider9986

4/17/2026 at 4:53:50 PM

If anyone's interested in this the book "The Age of Surveillance Capitalism" is rather revealing of the sheer scale of this.

by reorder9695

4/17/2026 at 4:14:27 PM

Yep.

And the FLOSS/Linux phone hardware attempts have frankly sucked.

I was hoping that my PinePhone Pro would actually be usable. But no, its a PineDoorstop.

Proper Linux would be a great 3rd choice. But yeah. We've got a duopoly and not much we can do about it.

by mystraline

4/17/2026 at 5:57:52 PM

GrapheneOS is a proper Linux. The hardware isn't open, but otherwise it's quite nice and clearly designed for the end-user's benefit, in stark contrast to the more widely-adopted alternative mobile OSes.

by 9991

4/17/2026 at 9:32:18 PM

You cannot regulate anything anymore, everything is geotracked, be real

by victor22

4/17/2026 at 7:37:05 PM

I want geolocation to not be sold. Yet, I do not believe we have been successful in banning the sale of cocaine and elephant tusks. What makes us think this will be an easier problem to solve?

by eptcyka

4/20/2026 at 3:38:08 AM

What a facile point. By your logic, literally nothing should be banned. Murder, rape, etc.

by stult

4/17/2026 at 7:38:09 PM

People get arrested for running large cocaine operations, that's the difference.

by lionkor

4/17/2026 at 5:11:33 PM

Soon Geolocation will be tied to Age! Then you can meet locals and congratulate them on their birthday. The movie Minority Report was way too timid in its prediction here. Age up everything! \o/

by shevy-java

4/17/2026 at 7:12:34 PM

I think it's fair for law enforcement to compensate the people collecting this data instead of forcing them to give it away for free.

by charcircuit

4/17/2026 at 5:00:01 PM

Haven't read the article yet but having more NTRIP public endpoint could help a lot to this precise location

by kristianpaul

4/17/2026 at 11:19:20 PM

instead buy it and show the horror things ! may be focus on politicians who can be swayed with this data !

by sciencesama

4/18/2026 at 10:24:56 PM

Perhaps you saw the news about GM reaching an FTC settlement because they were tracking the locations cars they made at all times and selling the information to LexisNexis. You might have left the articles with a belief that GM agreed to stop.

Their settlement allows them to sell precise locations -- but with 'anonymous ids' instead of names, and also allows them to sell data with name/personal information but only zipcode resolution location information.

by nullc

4/17/2026 at 5:49:35 PM

Alternatively, opt out of services that sell it

by erelong

4/17/2026 at 2:55:20 PM

Just ban the sale of any kind of adtracking. That way we can get rid of the cookiewalls too.

Missed opportunity by the EU when they wrote GDPR.

by wolvoleo

4/17/2026 at 3:08:07 PM

GDPR literally prohibits the sale of user data and tracking without user consent (because yes, you want to give people the possibility to opt in for a variety of reasons).

GDPR has literally nothing to do with cookie popups. That was, and is, adtech

by troupo

4/17/2026 at 3:25:24 PM

prohibits [...] without user consent

that's what causes the popups.

it should prohibit it outright, consent or not.

by em-bee

4/17/2026 at 3:59:57 PM

But the only reason the popups are needed is the adtech tracking cookies. You don't need a popup for cookies that are related to essential site functionality.

by SoftTalker

4/17/2026 at 4:07:42 PM

yes, so if ad tracking is forbidden outright then asking for permission to do it is invalid too.

by em-bee

4/17/2026 at 5:19:52 PM

We certainly do need another law to ban the adtech industry..... Though no doubt that would prompt a _shitstorm_ from Google, Elon and chums.

by GJim

4/17/2026 at 6:34:56 PM

I see only positives there.

by wolvoleo

4/17/2026 at 6:21:17 PM

I can live with the tears of Google and Elon, frankly.

The adtech industry has, time and again, proven they cannot self-regulate to any decent capacity. At this point, the only reasonable course of action is to shackle them down with such heavy legislative burdens they're rendered de facto extinct.

I will not mourn their loss.

by nathanlied

4/17/2026 at 11:29:28 PM

There are absolutely valid reasons for users to opt-in to tracking/data collection.

EU is first and foremost a capitalist economy which nevertheless tries to protect people from abuse. Who are they to forbid someone to collect data, and to someone to provide this data? Even things like quality surveys are collecting personal data.

However, adtech and tracking (also capitalists, (un)ironically) ruined everything for it for everyone.

by troupo

4/17/2026 at 3:18:55 PM

I think they are saying GDPR did not ban websites from noisily asking for consent and trying to trick you into giving consent.

by pocksuppet

4/17/2026 at 6:37:53 PM

Well they did but that is not policed.

For example, giving consent should be the same difficulty as denying it. So one click consent means there must be also one click non-consent. But this is policed very poorly.

I think they should just ban adtech altogether, at least any form of targeted advertising, individual pricing (which is already illegal in many EU countries) and ideally also deep market research.

by wolvoleo

4/17/2026 at 3:21:31 PM

My job was building cookie walls in response to GDPR. It might not have been the “intent” but it certainly was the consequence of that law.

by lotu

4/18/2026 at 7:02:57 PM

> My job was building cookie walls in response to GDPR.

If you're building cookie walls, you are not building them in response to GDPR. You are literally building dark patterns intended to circumvent GDPR and trick users into accepting any and all data collection. You wouldn't need to build cookie walls if people you work for didn't, say, store precise geolocation of everyone for 12 years: https://x.com/dmitriid/status/1817122117093056541

by troupo

4/17/2026 at 5:16:34 PM

> Missed opportunity by the EU when they wrote GDPR.

Not really.

There are legitimate reasons why I might wish to be tracked or give my personal data to a company. As long as I'm asked to give clear, opt-in informed consent, this is perfectly fine. This is the very essence of the GDPR!

Instead, direct your ire to the scummy adtech industry who are constantly asking to invade my privacy and smell my knickers trying to work out what I ate for lunch. Another law to ban the adtech industry would be welcome from me, though would meet fierce resistance from the likes of Google.

The GDPR is well written.

by GJim

4/17/2026 at 6:13:37 PM

> There are legitimate reasons why I might wish to be tracked or give my personal data to a company. As long as I'm asked to give clear, opt-in informed consent, this is perfectly fine. This is the very essence of the GDPR!

In these cases they don't even need to ask for your permission.

> Instead, direct your ire to the scummy adtech industry who are constantly asking to invade my privacy and smell my knickers trying to work out what I ate for lunch. Another law to ban the adtech industry would be welcome from me, though would meet fierce resistance from the likes of Google.

No, the EU should have done more to prevent this. They didn't want to kill a billions-of-euros industry. But they should have.

by wolvoleo