California and New Jersey have laws that go above and beyond the protections outlined in CAN-SPAM. I used to work for a company that sent spam (I swear, I didn't know until after I'd already accepted the job), and we avoided sending to those states. If more states would adopt laws like this, we could dramatically curtail spam.
As for what constitutes solicitation, I wish it was that simple. In some instances, companies will buy your email address from another company, and they believe that constitutes consent. In other words, you did business with Company Foo, and I did business with Company Foo, so you consented to do business with me. It's insane.
Having been inside one of these businesses, I have three pieces of advice.
First: Mark spam emails as spam when you see them. You only have to get a few of your messages marked as spam to get your IP address blacklisted. You have far more power over spammers than you think. Not only that, but spammers fear this so much that they keep databases of complainers, and they'll leave you alone in the future. Sometimes they'll even share lists of complainers with other companies so they won't risk your wrath.
Spam companies love non-complainers. Even if you don't open the spam, not complaining helps their numbers with the email provider. By not complaining, you're sending a signal to your email provider that this is a good email, and other users would like to receive it. Not only that, they'll remember you as a person who can be relied upon to not complain, so you'll get more spam than other people.
Second: Read EULAs. We did business with some super-shady companies who sold us tons of really invasive user info. One company even sold us the contents of people's email. Not just metadata, we could actually read the content. They don't mention any of this on their site, but it's subtly stated in the EULA. Read them and check for references to sharing your data with business partners.
I've steered clear of some browsers and email clients as a result of vague EULAs that leave the potential for harvesting my data and selling it.
Third: This one is going to be unpopular on Hackernews, but the best way to avoid being fingerprinted by advertisers is to block JavaScript by default. There are bajillions of ways to uniquely identify your computer, right down to having your browser report which fonts you have installed. Almost every single technique relies on Flash, Java, or JavaScript. Ad-blockers help, but they don't catch everything.
I use NoScript to turn off JavaScript by default, and I only enable a site if it seems legitimate and the site is broken without it.
Here's a terrifying list of the things advertisers can do to uniquely identify you without consent and without a cookie. As the article says, disabling JavaScript by default is by far the most effective method for protecting yourself from fingerprinting: https://wiki.mozilla.org/Fingerprinting
It's a little inconvenient, but good security always is. The locks on your front door are inconvenient (what if you lose your key?), but hopefully they're even more inconvenient for would-be intruders.
> As a side effect disabling javascript also makes pages load faster
Ironically on our rather elderly laptops NoScript actually increases page loading times by a factor of two and that's with the out-of-the-box configuration. I haven't looked to see what pattern-matching algorithms it uses but they're very slow.
Because it is a browser extension, which by itself is quite a complicated application. I use the built-in JS blocking options in Chromium and didn't notice any slowdown.
CAN-SPAM preempts more restrictive state laws with narrow exceptions, so generally the California and New Jersey laws are unenforceable. Those laws, and free m voting them, were a major reason that CAN-SPAM was lobbied for by industry, and that anti-spam activists labelled it a setback that told the industry that they can spam people's inboxes.
Is a company in New York bound by the laws of New Jersey or California? Do consumer protections for an individual in California extend to every company in the US?
> the best way to avoid being fingerprinted by advertisers is to block JavaScript by default.
Leaving aside the sheer amount of stuff this will break, you're serving to identify yourself in another way, but perhaps not to an advertiser.
Given the average website, the number of people using a real web browser (i.e. not bots, curl, wget, etc.) who don't run JS is going to be absolutely minuscule.
It's kind of like turning on Do Not Track - most people have it off, so you're highlighting yourself by turning it on.
This topic comes up a lot on HN and my response is always the same. Try NoScript again. Give it a day or two and whitelist the sites you use a lot and trust. You will have a stunningly faster browsing experience and the number of sites that don't work will be surprisingly small.
We have passed a tipping point where all the annoying bullshit that depends on JavaScript to function far outnumbers the random websites that NoScript breaks. LONG time user of it and I just don't have much trouble browsing. It makes the web insanely fast and eliminates most annoyances.
I've been using uMatrix for some time (I'm a control freak, I guess) and I support this - you end up whitelisting a few sites here and there (or even just some aspects of those sites, in case of uMatrix), and the Internet becomes overall a much better (and faster) place. The amount of useless JS bloat on-line is staggering, and it hurts me that developers are actually defending this practice. Engineers should know better.
Can't say much about DNT, but I think turning off javascript absolutely makes sense.
If you turn it off, they can put you into the "disabled javascript" pool of users. So what?
But if you keep it on, they can query half a dozen APIs and get a much more detailed configuration of your browser. Which lets them put you into a much smaller pool and identify you more confidently.
And what's more, the more of us that turn off the script, the more anonymizing the "disabled javascript" bucket becomes, as well as increasing the pressure on web developers to stop the JS bloat. Win-win, I say.
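An added illustration, not part of any comment in this thread: the anonymity-set argument made in the comments above, worked through on a constructed visitor population. The attribute values, population sizes and the assumption that a tracker sees only the user-agent header when scripts are blocked are all hypothetical simplifications.

```python
import math
from collections import Counter
from itertools import product

# Constructed attribute values; real browsers expose far more than this.
SCREENS = ["1366x768", "1920x1080", "2560x1440", "1280x800"]
FONTS = ["fontset-a", "fontset-b", "fontset-c", "fontset-d"]
ZONES = ["UTC-8", "UTC+1"]
AGENTS = ["UA-1", "UA-2"]  # sent in a request header, visible without scripts
COMBOS = list(product(SCREENS, FONTS, ZONES, AGENTS))  # 64 distinct setups

def build_population(n_js_off):
    """One script-enabled visitor per setup, plus n_js_off script-blocking ones."""
    keys = ("screen", "fonts", "zone", "agent")
    on = [dict(zip(keys, c), js=True) for c in COMBOS]
    off = [dict(zip(keys, COMBOS[i % len(COMBOS)]), js=False)
           for i in range(n_js_off)]
    return on + off

def observable(v):
    """What this model lets a tracker read; script-only attributes need JS."""
    if v["js"]:
        return ("js", v["agent"], v["screen"], v["fonts"], v["zone"])
    return ("no-js", v["agent"])

def anonymity(visitor, population):
    """Return (anonymity set size, identifying bits) for one visitor."""
    sets = Counter(observable(v) for v in population)
    k = sets[observable(visitor)]
    return k, round(math.log2(len(population) / k), 2)

def compare(n_js_off):
    """Compare one script-enabled and one script-blocking visitor."""
    pop = build_population(n_js_off)
    js_on = next(v for v in pop if v["js"])
    js_off = next(v for v in pop if not v["js"])
    return {"js_on": anonymity(js_on, pop), "js_off": anonymity(js_off, pop)}

if __name__ == "__main__":
    for n in (2, 64):  # a tiny no-JS pool versus a large one
        print(n, compare(n))
```

With only two script-blocking visitors, each of them is as unique in this model as a fully fingerprinted browser; once the pool grows to 64, a script-blocking visitor hides among 32 others while every script-enabled visitor stays unique.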
I've been surfing forever with NoScript, only whitelisting those domains I need.
Exploding cookies (the add-on, not the terrorist device), and an ad blocker, and the internet is quite usable.
State-specific spam laws wouldn't matter unless the company has a physical nexus within that state. You'd have offshore subsidiaries doing the sending even if all 50 states passed such laws.
> § 17529.2. Notwithstanding any other provision of law, a person or entity may not do any of the following:
> (a) Initiate or advertise in an unsolicited commercial e-mail advertisement from California or advertise in an unsolicited commercial e-mail advertisement sent from California.
> (b) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.
> (c) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application.
tl;dr You may not send unsolicited commercial email to California residents. You are also barred from sending unsolicited commercial email from within the state of California, but this is independent of the first part.