All posts in “Social”

Facebook’s new authorization process for political ads goes live in the US

Earlier this month — and before Facebook CEO Mark Zuckerberg testified before Congress — the company announced a series of changes to how it would handle political advertisements running on its platform in the future. It had said that people who wanted to buy a political ad — including ads about political “issues” — would have to reveal their identities and location and be verified before the ads could run. Information about the advertiser would also display to Facebook users.

Today, Facebook is announcing the authorization process for U.S. political ads is live.

Facebook had first said in October that political advertisers would have to verify their identity and location for election-related ads. But in April, it expanded that requirement to include any “issue ads” — meaning those on political topics being debated across the country, not just those tied to an election.

Facebook said it would work with third parties to identify the issues. These ads would then be labeled as “Political Ads,” and display the “paid for by” information to end users.

According to today’s announcement, Facebook will now begin to verify the identity and the residential mailing address of advertisers who want to run political ads. Those advertisers will also have to disclose who’s paying for the ads as part of this authorization process.

This verification process is currently only open in the U.S. and will require Page admins and ad account admins to submit their government-issued ID to Facebook, along with their residential mailing address.

The government ID can either be a U.S. passport or U.S. driver’s license, an FAQ explains. Facebook will also ask for the last four digits of admins’ Social Security Number. The photo ID will then be approved or denied in a matter of minutes, though anyone declined based on the quality of the uploaded images won’t be prevented from trying again.

The address, however, will be verified by mailing a letter with a unique access code that only the admin’s Facebook account can use. The letter may take up to 10 days to arrive, Facebook notes.

Along with the verification portion, Page admins will also have to fill in who paid for the ad in the “disclaimer” section. This has to include the organization(s) or person’s name(s) who funded it.

This information will also be reviewed prior to approval, but Facebook isn’t going to fact check this field, it seems.

Instead, the company simply says: “We’ll review each disclaimer to make sure it adheres to our advertising policies. You can edit your disclaimers at any time, but after each edit, your disclaimer will need to be reviewed again, so it won’t be immediately available to use.”

The FAQ later states that disclaimers must comply with “any applicable law,” but again says that Facebook only reviews them against its ad policies.

“It’s your responsibility as the advertiser to independently assess and ensure that your ads are in compliance with all applicable election and advertising laws and regulations,” the documentation reads.

Along with the launch of the new authorization procedures, Facebook has released a Blueprint training course to guide advertisers through the steps required, and has published an FAQ to answer advertisers’ questions.

Of course, these procedures will only net the more scrupulous advertisers willing to play by the rules. That’s why Facebook had said before that it plans to use AI technology to help sniff out those advertisers who should have submitted to verification, but did not. The company is also asking people to report suspicious ads using the “Report Ad” button.

Facebook has been under heavy scrutiny because of how its platform was corrupted by Russian trolls on a mission to sway the 2016 election. The Justice Department charged 13 Russians and three companies with election interference earlier this year, and Facebook has removed hundreds of accounts associated with disinformation campaigns.

While tougher rules around ads may help, they alone won’t solve the problem.

It’s likely that those determined to skirt the rules will find their own workarounds. Plus, ads are only one of many issues in terms of those who want to use Facebook for propaganda and misinformation. On other fronts, Facebook is dealing with fake news — including everything from biased stories to those that are outright lies, intending to influence public opinion. And of course there’s the Cambridge Analytica scandal, which led to intense questioning of Facebook’s data privacy practices in the wake of revelations that millions of Facebook users had their information improperly accessed.

Facebook says the political ads authorization process is gradually rolling out, so it may not be available to all advertisers at this time. Currently, users can only set up and manage authorizations from a desktop computer from the Authorizations tab in a Facebook Page’s Settings.

Facebook face-recognition error looks awkward ahead of GDPR

A Facebook face recognition notification slip-up hints at how risky the company’s approach to compliance with a tough new European data protection standard could turn out to be.

On Friday a Metro journalist in the UK reported receiving a notification about the company’s face-recognition technology — which told him “the setting is on.”

The wording was curious, as the technology has been switched off in Europe since 2012, after regulatory pressure, and — as part of changes related to its GDPR compliance strategy — Facebook has also said it will be asking European users to choose individually whether or not they want to switch it on. (And on Friday it began rolling out its new consent flow in the region, ahead of the regulation applying next month.)

The company has since confirmed to us that the message was sent to the user in error — saying the wording came from an earlier notification which it sent to users who already had its facial recognition tech enabled, starting in December. And that it had intended to send the person a similar notification — containing the opposite notification, i.e. that “the setting is off”.

“We’re asking everyone in the EU whether they want to enable face recognition, and only people who affirmatively give their consent will have these features enabled. We did not intend for anyone in the EU to see this type of message, and we can confirm that this error did not result in face recognition being enabled without the person’s consent,” a Facebook spokesperson told us.

Here are the two notifications in question showing the setting on versus the setting off wordings:

This is interesting because Facebook has repeatedly refused to confirm it will be universally applying GDPR compliance measures across its entire global user-base.

Instead it has restricted its public commitments to saying the same “settings and controls” will be made available for users — which as we’ve previously pointed out avoids committing the company to a universal application of GDPR principles, such as privacy by design.

Given that Facebook’s facial recognition feature has been switched off in Europe since 2012, the “setting is on” message would presumably have only been sent to users in the US or Canada — where Facebook has been able to forge ahead with pushing people to accept the controversial, privacy-hostile technology, embedding it into features such as auto-tagging for photo uploads.

But it hardly bodes well for Facebook’s compliance with the EU’s strict new data protection standard if its systems are getting confused about whether or not a user is an EU person.

Facebook claims no data was processed without consent as a result of the wrong notification being sent — but under GDPR it could face investigations by data protection authorities seeking to verify whether or not an individual’s rights were violated. (Reminder: GDPR fines can scale as high as 4% of a company’s global annual turnover so privacy enforcement is at last getting teeth.)

Facebook’s appetite for continuing to push privacy hostile features on its user-base is clear. This strategic direction also comes from the very top of the company.

Earlier this month CEO and founder Mark Zuckerberg urged US lawmakers not to impede US companies from using people’s data for sensitive use-cases like facial recognition — attempting to gloss that tough sell by claiming pro-privacy rules would risk the US falling behind China.

Meanwhile, last week it also emerged that Zuckerberg’s company will switch the location where most international users’ data is processed from its international HQ, Facebook Ireland, to Facebook USA. From next month only EU users will have their data controller located in the EU — other international users, who would have at least technically fallen under GDPR’s reach otherwise, on account of their data being processed in the region, are being shifted out of the EU jurisdiction — via a unilateral T&Cs change.

This move seems intended to try to shrink some of Facebook’s legal liabilities by reducing the number of international users that would, at least technically, fall under the reach of the EU regulation — which both applies to anyone in the EU whose data is being processed and also extends EU fundamental rights extraterritorially, carrying the aforementioned major penalties for violations.

However Facebook’s decision to reduce how many of its users have their data processed in the EU also looks set to raise the stakes — if, as it appears, the company intends to exploit the lack of a comprehensive privacy framework in the US to apply different standards for North American users (and from next month also for non-EU international users, whose data will be processed there).

The problem is, if Facebook does not perform perfect segregation and management of these two separate pools of users it risks accidentally processing the personal data of Europeans in violation of the strict new EU standard, which applies from May 25.

Yet here it is, on the cusp of the new rules, sending the wrong notification and incorrectly telling an EU user that facial recognition is on.

Given how much risk it’s creating for itself by trying to run double standards for data protection you almost have to wonder whether Facebook is trying to engineer in some compliance wiggle room for itself — i.e. by positioning itself to be able to claim that such and such’s data was processed in error.

Another interesting question is whether the unilateral switching of ~1.5BN non-EU international users to Facebook USA as data controller could be interpreted as a data transfer to a third country — which would trigger other data protection requirements under EU law, and further layer on the legal complexity…

What is clear is that legal challenges to Facebook’s self-serving interpretation of EU law are coming.

SmugMug acquires Flickr

Two photo-sharing services are teaming up, as SmugMug buys Flickr from Verizon’s digital media subsidiary Oath.

USA Today broke the news and interviewed SmugMug CEO Don MacAskill, who said he hopes to revitalize Flickr.

At the same time, he said he’s still figuring out his actual plans: “It sounds silly for the CEO not to totally know what he’s going to do, but we haven’t built SmugMug on a master plan either. We try to listen to our customers and when enough of them ask for something that’s important to them or to the community, we go and build it.”

Flickr was founded in 2004 and sold to Yahoo a year later. Yahoo, in turn, was acquired by Verizon, which brought it together with AOL to create a new subsidiary called Oath.

Over the past couple of months, Oath (which owns TechCrunch) has been selling off some of its AOL and Yahoo properties, including Moviefone (sold to the company behind MoviePass, which Oath now has a stake in) and Polyvore (assets sold to Ssense).

In an FAQ about the deal, SmugMug says it will continue to operate Flickr as a separate site, with no merging of user accounts or photos: “Over time, we’ll be migrating Flickr onto SmugMug’s technology infrastructure, and your Flickr photos will move as a part of this migration — but the photos themselves will remain on Flickr.”

The company also uses the FAQ to describe its vision for the combined services:

“SmugMug and Flickr represent the world’s most influential community of photographers, and there is strength in numbers. We want to provide photographers with both inspiration and the tools they need to tell their stories. We want to bring excitement and energy to inspire more photographers to share their perspective. And we want to be a welcome place for all photographers: hobbyist to archivist to professional.”

The financial terms were not disclosed.

Twitter banned Russian security firm Kaspersky Lab from buying ads

The U.S. government isn’t the only one feeling skittish about Kaspersky Lab. On Friday, the Russian security firm’s founder Eugene Kaspersky confronted Twitter’s apparent ban on advertising from the company, a decision it quietly issued in January.

“In a short letter from an unnamed Twitter employee, we were told that our company ‘operates using a business model that inherently conflicts with acceptable Twitter Ads business practices,’” Kaspersky wrote.

“One thing I can say for sure is this: we haven’t violated any written – or unwritten – rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and services, and they pay us for them.”

He noted that the company has spent around €75,000 ($93,000 USD) to promote its content on Twitter in 2017.

Kaspersky called for Twitter CEO Jack Dorsey to specify the motivation behind the ban after Twitter failed to respond to an official February 6 letter from Kaspersky Lab.

“More than two months have passed since then, and the only reply we received from Twitter was the copy of the same boilerplate text. Accordingly, I’m forced to rely on another (less subtle but nevertheless oft and loudly declared) principle of Twitter’s – speaking truth to power – to share details of the matter with interested users and to publicly ask that you, dear Twitter executives, kindly be specific as to the reasoning behind this ban; fully explain the decision to switch off our advertising capability, and to reveal what other cybersecurity companies need to do in order to avoid similar situations.”

In a statement about the incident, Twitter reiterated that Kaspersky Lab’s business model “inherently conflicts with acceptable Twitter Ads business practices.” In a statement to CyberScoop, Twitter pointed to the late 2017 Department of Homeland Security directive to eliminate Kaspersky software from Executive Branch systems due to the company’s relationship with Russian intelligence.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS asserted in the directive at the time.

Twitter is down again for some [Update: It’s Back]

Rough week to be in Twitter support. Three days after the site experienced downtime across the globe, the site was hit by another outage. Status.io’s service site is currently listing an “active incident,” leaving many users unable to tweet. In other cases, the site isn’t loading at all, instead serving up internal server errors or messages stating that the service is “over capacity.”

Here in the States, at least, the issue doesn’t appear to be quite as widespread as Tuesday’s incident. We’ve reached out to Twitter for comment and will update as soon as we hear more.

Update: Twitter says it’s resolved the momentary outage, telling TechCrunch in a statement, “Earlier today, people were unable to send Tweets for about 30 minutes. We’ve resolved the internal issue and we’re sorry for the disruption.”