All posts in “Privacy”

Facebook, Google face first GDPR complaints over “forced consent”

After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long time Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent.

The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.

Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting.)

“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” Schrems writes in a statement.

“Facebook has even blocked accounts of users who have not given consent,” he adds. “In the end users only had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process.”

We’ve reached out to all the companies involved for comment and will update this story with any response. Update: Facebook has now sent the following statement, attributed to its chief privacy officer, Erin Egan: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on May 25th. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”

Schrems most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb (aka ‘none of your business’).

As we pointed out in our GDPR explainer, the provision in the regulation allowing for collective enforcement of individuals’ data rights in an important one, with the potential to strengthen the implementation of the law by enabling non-profit organizations such as noyb to file complaints on behalf of individuals — thereby helping to redress the imbalance between corporate giants and consumer rights.

That said, the GDPR’s collective redress provision is a component that Member States can choose to derogate from, which helps explain why the first four complaints have been filed with data protection agencies in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record defending privacy rights.

Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection agency will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation for defending data protection rights.

But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint concerns and where a service crosses borders — so noyb’s action looks intended to test this element of the new framework too.

Under the penalty structure of GDPR, major violations of the law can attract fines as large as 4% of a company’s global revenue which, in the case of Facebook or Google, implies they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue.

That said, given how freshly fixed in place the rules are, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.

However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud.

“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” writes Schrems.

Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new consent flow.

“We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads,” said Zuckerberg.

He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new consent flow Facebook revealed ahead of GDPR only offers the ‘choice’ of quitting Facebook entirely if a person does not want to accept targeting advertising. Which, well, isn’t much of a choice given how powerful the network is. (Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data.)

Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change — “because giving people control of how their data is used has been a core principle of Facebook since the beginning”.

“The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past,” he claimed. “I mean I don’t want to downplay it — there are strong new rules that we’ve needed to put a bunch of work into into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things.

“In order to be able to give people the tools to connect in all the ways they want and build committee a lot of philosophy that is encoded in a regulation like GDPR is really how we’ve thought about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and implement but I also don’t want to make it seem like this is a massive departure in how we’ve thought about this stuff.”

Zuckerberg faced a range of tough questions on these points from the EU parliament earlier this week. But he avoided answering them in any meaningful detail.

So EU regulators are essentially facing a first test of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image.

Privacy laws are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.

Schrems also makes the point that small startups and local companies are less likely to be able to use the kind of strong-arm ‘take it or leave it’ tactics on users that big tech is able to use to extract consent on account of the reach and power of their platforms — arguing there’s a competition concern that GDPR should also help to redress.

“The fight against forced consent ensures that the corporations cannot force users to consent,” he writes. “This is especially important so that monopolies have no advantage over small businesses.”

Image credit: noyb.eu

Family claims their Echo sent a private conversation to a random contact

A Portland family tells KIRO news that their Echo recorded and then sent a private conversation to someone on its list of contacts without telling them. Amazon called it an “extremely rare occurrence.”

Portlander Danielle said that she got a call from one of her husband’s employees one day telling her to “unplug your Alexa devices right now,” and suggesting she’d been hacked. He said that he had received recordings of the couple talking about hardwood floors, which Danielle confirmed.

Amazon, when she eventually got hold of the company, had an engineer check the logs, and he apparently discovered what they said was true. In a statement, Amazon said “We investigated what happened and determined this was an extremely rare occurrence. We are taking steps to avoid this from happening in the future.”

What could have happened? It seems likely that the Echo’s voice recognition service misheard something, interpreting it as instructions to record the conversation like a note or message. And then it apparently also misheard them say to send the recording to this particular person. And it did all this without saying anything back.

The house reportedly had multiple Alexa devices, so it’s also possible that the system decided to ask for confirmation on the wrong device — saying “All right, I’ve sent that to Steve” on the living room Echo because the users’ voices carried from the kitchen. Or something.

Naturally no one expects to have their conversations sent out to an acquaintance, but it must also admitted that the Echo is, fundamentally, a device that listens to every conversation you have and constantly sends that data to places on the internet. It also remembers more stuff now. If something does go wrong, “sending your conversation somewhere it isn’t supposed to go” seems a pretty reasonable way for it to happen.

I’ve asked Amazon for more details on what happened, but as the family hasn’t received one, I don’t expect much.

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned, read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR, which will start being applied from tomorrow.

Instapaper’s notification does not say how long the self-imposed outage will last.

The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover.

So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information).

That said, EU regulators are clearly going to tread softly on the enforcement front in the short term. And any major fines are only going to hit the most serious violations and violators — and only down the line when data protection authorities have received complaints and conducted thorough investigations.

So it’s not clear exactly why Instapaper believes it needs to pause its service to European users. It’s also had plenty of time to prepare to be compliant — given the new framework was agreed at the back end of 2015. We’ve reached out to Pinterest with questions and will update this story with any response.

In an exchange on Twitter, Pinterest product engineering manager Brian Donohue — who, prior to acquisition was Instapaper’s CEO — flagged that the product’s privacy policy “hasn’t been changed in several years”. But he declined to specify exactly what it feels its compliance issue is — saying only: “We’re actively working to resolve the issue.”

In a customer support email that we reviewed, the company also told one European user: “We’ve been advised to undergo an assessment of the Instapaper service to determine what, if any, changes may be appropriate but to restrict access to IP addresses in the EU as the best course of action.”

“We’re really sorry for any inconvenience, and we are actively working on bringing the service back online for residents in Europe,” it added.

The product’s privacy policy is one of the clearer T&Cs we’ve seen. It also states that users can already access “all your personally identifiable information that we collect online and maintain”, as well as saying people can “correct factual errors in your personally identifiable information by changing or deleting the erroneous information” — which, assuming those statements are true, looks pretty good for complying with portions of GDPR that are intended to give consumers more control over their personal data.

Instapaper also already lets users delete their accounts. And if they do that it specifies that “all account information and saved page data is deleted from the Instapaper service immediately” (though it also cautions that “deleted data may persist in backups and logs until they are deleted”).

In terms of what Instapaper does with users’ data, its privacy policy claims it does not share the information “with outside parties except to the extent necessary to accomplish Instapaper’s functionality”.

But it’s also not explicitly clear from the policy whether or not it’s passing information to its parent company Pinterest, for example, so perhaps it feels it needs to add more detail there.

Another possibility is Instapaper is working on compliance with GDPR’s data portability requirement. Though the service has offered exports options for years. But perhaps it feels these need to be more comprehensive.

As is inevitable ahead of a major regulatory change there’s a good deal of confusion about what exactly must be done to comply with the new rules. And that’s perhaps the best explanation for what’s going on with Instapaper’s pause.

Though, again, there’s plenty of official and detailed guidance from data protection agencies to help.

Unfortunately it’s also true that there’s a lot of unofficial and dubious quality advice from a cottage industry of self-styled ‘GDPR consultants’ that have sprung up with the intention of profiting off of the uncertainty. So — as ever — do your due diligence when it comes to the ‘experts’ you choose.

FBI reportedly overestimated inaccessible encrypted phones by thousands

The FBI seems to have been caught fibbing again on the topic of encrypted phones. FBI director Christopher Wray estimated in December that it had almost 7,800 phones from 2017 alone that investigators were unable to access. The real number is likely less than a quarter of that, The Washington Post reports.

Internal records cited by sources put the actual number of encrypted phones at perhaps 1,200 but perhaps as many as 2,000, and the FBI told the paper in a statement that “initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.” Supposedly having three databases tracking the phones led to devices being counted multiple times.

Such a mistake would be so elementary that it’s hard to conceive of how it would be possible. These aren’t court notes, memos or unimportant random pieces of evidence, they’re physical devices with serial numbers and names attached. The idea that no one thought to check for duplicates before giving a number to the director for testimony in Congress suggests either conspiracy or gross incompetence.

The latter seems more likely after a report by the Office of the Inspector General that found the FBI had failed to utilize its own resources to access locked phones, instead suing Apple and then hastily withdrawing the case when its basis (a locked phone from a terror attack) was removed. It seems to have chosen to downplay or ignore its own capabilities in order to pursue the narrative that widespread encryption is dangerous without a backdoor for law enforcement.

An audit is underway at the Bureau to figure out just how many phones it actually has that it can’t access, and hopefully how this all happened.

It is unmistakably among the FBI’s goals to emphasize the problem of devices being fully encrypted and inaccessible to authorities, a trend known as “going dark.” That much it has said publicly, and it is a serious problem for law enforcement. But it seems equally unmistakable that the Bureau is happy to be sloppy, deceptive or both in its advancement of a tailored narrative.

Zuckerberg didn’t make any friends in Europe today

Speaking in front of EU lawmakers today Facebook’s founder Mark Zuckerberg namechecked the GDPR’s core principles of “control, transparency and accountability” — claiming his company will deliver on all that, come Friday, when a new European Union data protection framework, GDPR, starts being applied, finally with penalties worth the enforcement.

However there was little transparency or accountability on show during the session, given the upfront questions format which saw Zuckerberg cherry-picking a few comfy themes to riff on after silently absorbing an hour of MEPs’ highly specific questions with barely a facial twitch in response.

The questions MEPs asked of Zuckerberg were wide ranging and often drilled deep into key pressure points around the ethics of Facebook’s business — ranging from how deep the app data misuse privacy scandal rabbithole goes; to whether the company is a monopoly that needs breaking up; to how users should be compensated for misuse of their data.

Is Facebook genuinely complying with GDPR, he was asked several times (unsurprisingly, given the scepticism of data protection experts on that front). Why did it choose to shift ~1.5BN users out of reach of the GDPR? Will it offer a version of its platform that lets people completely opt out of targeted advertising, as it has studiously avoided doing so so far.

Why did it refuse a public meeting with the EU parliament? Why has it spent “millions” lobbying against EU privacy rules? Will the company commit to paying taxes in the markets where it operates? What’s it doing to prevent fake accounts? What’s it doing to prevent bullying? Does it regulate content or is it a neutral platform?

Zuckerberg made like a sponge and absorbed all this fine-grained flak. But when the time came for responses the data flow was not reciprocal; Self-serving talking points on self-selected “themes” was all he had come prepared to serve up.

Yet — and here the irony is very rich indeed — people’s personal data flows liberally into Facebook, via all sorts of tracking technologies and techniques.

And as the Cambridge Analytica data misuse scandal has now made amply clear, people’s personal information has also very liberally leaked out of Facebook — oftentimes without their knowledge or consent.

But when it comes to Facebook’s own operations, the company maintains a highly filtered, extremely partial ‘newsfeed’ on its business empire — keeping a tight grip on the details of what data it collects and why.

Only last month Zuckerberg sat in Congress avoiding giving straight answers to basic operational questions. So if any EU parliamentarians had been hoping for actual transparency and genuine accountability from today’s session they would have been sorely disappointed.

Yes, you can download the data you’ve willingly uploaded to Facebook. Just don’t expect Facebook to give you a download of all the information it’s gathered and inferred about you.

The EU parliament’s political group leaders seemed well tuned to the myriad concerns now flocking around Facebook’s business. And were quick to seize on Zuckerberg’s dumbshow as further evidence that Facebook needs to be ruled.

Thing is, in Europe regulation is not a dirty word. And GDPR’s extraterritorial reach and weighty public profile looks to be further whetting political appetites.

So if Facebook was hoping the mere appearance of its CEO sitting in a chair in Brussels, going through the motions of listening before reading from his usual talking points, that looks to be a major miscalculation.

“It was a disappointing appearance by Zuckerberg. By not answering the very detailed questions by the MEPs he didn’t use the chance to restore trust of European consumers but in contrary showed to the political leaders in the European Parliament that stronger regulation and oversight is needed,” Green MEP and GDPR rapporteur Jan Philipp Albrecht told us after the meeting.

Albrecht had pressed Zuckerberg about how Facebook shares data between Facebook and WhatsApp — an issue that has raised the ire of regional data protection agencies. And while DPAs forced the company to turn off some of these data flows, Facebook continues to share other data.

The MEP had also asked Zuckerberg to commit to no exchange of data between the two apps. Zuckerberg determinedly made no such commitment.

Claude Moraes, chair of the EU parliament’s civil liberties, justice and home affairs (Libe) committee, issued a slightly more diplomatic reaction statement after the meeting — yet also with a steely undertone.

“Trust in Facebook has suffered as a result of the data breach and it is clear that Mr. Zuckerberg and Facebook will have to make serious efforts to reverse the situation and to convince individuals that Facebook fully complies with European Data Protection law. General statements like ‘We take privacy of our customers very seriously’ are not sufficient, Facebook has to comply and demonstrate it, and for the time being this is far from being the case,” he said.

“The Cambridge Analytica scandal was already in breach of the current Data Protection Directive, and would also be contrary to the GDPR, which is soon to be implemented. I expect the EU Data Protection Authorities to take appropriate action to enforce the law.”

Damian Collins, chair of the UK parliament’s DCMS committee, which has thrice tried and failed to get Zuckerberg to appear before it, did not mince his words at all. Albeit he has little reason to, having been so thoroughly rejected by the Facebook founder — and having accused the company of a pattern of evasive behavior to its CTO’s face — there’s clearly not much to hold out for now.

“What a missed opportunity for proper scrutiny on many crucial questions raised by the MEPs. Questions were blatantly dodged on shadow profiles, sharing data between WhatsApp and Facebook, the ability to opt out of political advertising and the true scale of data abuse on the platform,” said Collins in another reaction statement after the meeting. “Unfortunately the format of questioning allowed Mr Zuckerberg to cherry-pick his responses and not respond to each individual point.

“I echo the clear frustration of colleagues in the room who felt the discussion was shut down,” he added, ending with a fourth (doubtless equally forlorn) request for Zuckerberg to appear in front of the DCMS Committee to “provide Facebook users the answers they deserve”.

In the latter stages of today’s EU parliament session several MEPs — clearly very exasperated by the straightjacked format — resorted to heckling Zuckerberg to press for answers he had not given them.

[embedded content]

“Shadow profiles,” interjected one, seizing on a moment’s hesitation as Zuckerberg sifted his notes for the next talking point. “Compensation,” shouted another, earning a snort of laughter from the CEO and some more theatrical note flipping to buy himself time.

Then, appearing slightly flustered, Zuckerberg looked up at one of the hecklers and said he would engage with his question — about shadow profiles (though Zuckerberg dare not speak that name, of course, given he claims not to recognize it) — arguing Facebook needs to hold onto such data for security purposes.

Zuckerberg did not specify, as MEPs had asked him to, whether Facebook uses data about non-users for any purposes other than the security scenario he chose to flesh out (aka “keeping bad content out”, as he put it).

He also ignored a second follow-up pressing him on how non-users can “stop that data being transferred”.

“On the security side we think it’s important to keep it to protect people in our community,” Zuckerberg said curtly, before turning to his lawyer for a talking point prompt (couched as an ask if there are “any other themes we wanted to get through”).

His lawyer hissed to steer the conversation back to Cambridge Analytica — to Facebook’s well-trodden PR about how they’re “locking down the platform” to stop any future data heists — and the Zuckbot was immediately back in action regurgitating his now well-practiced crisis PR around the scandal.

What was very clearly demonstrated during today’s session was the Facebook founder’s preference for control — that’s to say control which he is exercising.

Hence the fixed format of the meeting, which had been negotiated prior to Facebook agreeing to meet with EU politicians, and which clearly favored the company by allowing no formal opportunity for follow ups from MEPs.

Zuckerberg also tried several times to wrap up the meeting — by insinuating and then announcing time was up. MEPs ignored these attempts, and Zuckerberg seemed most uncomfortable at not having his orders instantly carried out.

Instead he had to sit and watch a micro negotiation between the EU parliament’s president and the political groups over whether they would accept written answers to all their specific questions from Facebook — before he was publicly put on the spot by president Antonio Tajani to agree to provide the answers in writing.

Although, as Collins has already warned MEPs, Facebook has had plenty of practice at generating wordy but empty responses to politicians’ questions about its business processes — responses which evade the spirit and specifics of what’s being asked.

The self-control on show from Zuckerberg today is certainly not the kind of guardrails that European politicians increasingly believe social media needs. Self-regulation, observed several MEPs to Zuckerberg’s face, hasn’t worked out so well has it?

The first MEP to lay out his questions warned Zuckerberg that apologizing is not enough. Another pointed out he’s been on a contrition tour for about 15 years now.

Facebook needs to make a “legal and moral commitment” to the EU’s fundamental values, he was told by Moraes. “Remember that you’re here in the European Union where we created GDPR so we ask you to make a legal and moral commitment, if you can, to uphold EU data protection law, to think about ePrivacy, to protect the privacy of European users and the many millions of European citizens and non-Facebook users as well,” said the Libe committee chair.

But self-regulation — or, the next best thing in Zuckerberg’s eyes: ‘Facebook-shaped regulation’ — was what he had come to advocate for, picking up on the MEPs’ regulation “theme” to respond with the same line he fed to Congress: “I don’t think the question here is whether or not there should be regulation. I think the question is what is the right regulation.”

“The Internet is becoming increasingly important in people’s lives. Some sort of regulation is important and inevitable. And the important thing is to get this right,” he continued. “To make sure that we have regulatory frameworks that help protect people, that are flexible so that they allow for innovation, that don’t inadvertently prevent new technologies like AI from being able to develop.”

He even brought up startups — claiming ‘bad regulation’ (I paraphrase) could present a barrier to the rise of future dormroom Zuckerbergs.

Of course he failed to mention how his own dominant platform is the attention-sapping, app gobbling elephant in the room crowding out the next generation of would-be entrepreneurs. But MEPs’ concerns about competition were clear.

Instead of making friends and influencing people in Brussels, Zuckerberg looks to have delivered less than if he’d stayed away — angering and alienating the very people whose job it will be to amend the EU legislation that’s coming down the pipe for his platform.

Ironically one of the few specific questions Zuckerberg chose to answer was a false claim by MEP Nigel Farage — who had wondered whether Facebook is still a “neutral political platform”, griping about drops in engagement for rightwing entities ever since Facebook’s algorithmic changes in January, before claiming, erroneously, that Facebook does not disclose the names of the third party fact checkers it uses to help it police fake news.

So — significantly, and as was also evident in the US Senate and Congress — Facebook was taking flak from both left and right of political spectrum, implying broad, cross-party support for regulating these algorithmic platforms.

Actually Facebook does disclose those fact checking partnerships. But it’s pretty telling that Zuckerberg chose to expend some of his oh-so-slender speaking time to debunk something that really didn’t merit the breath.

Farage had also claimed, during his three minutes, that without “Facebook and other forms of social media there is no way that Brexit or Trump or the Italian elections could ever possibly have happened”. 

Funnily enough Zuckerberg didn’t make time to comment on that.