Facebook, Google face first GDPR complaints over “forced consent”

After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and longtime Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent.

The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.

Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting.)

“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” Schrems writes in a statement.

“Facebook has even blocked accounts of users who have not given consent,” he adds. “In the end users only had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process.”

We’ve reached out to all the companies involved for comment and will update this story with any response.

The European privacy campaigner most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb (aka ‘none of your business’).

As we pointed out in our GDPR explainer, the provision in the regulation allowing for collective enforcement of individuals’ data rights is an important one, with the potential to strengthen the implementation of the law by enabling non-profit organizations such as noyb to file complaints on behalf of individuals — thereby helping to redress the imbalance between corporate giants and consumer rights.

That said, the GDPR’s collective redress provision is a component that Member States can choose to derogate from, which helps explain why the first four complaints have been filed with data protection agencies in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record defending privacy rights.

Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection agency will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation for defending data protection rights.

But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint concerns and where a service crosses borders — so noyb’s action looks intended to test this element of the new framework too.

Under the penalty structure of GDPR, major violations of the law can attract fines as large as 4% of a company’s global revenue which, in the case of Facebook or Google, implies they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue.

That said, given how freshly fixed in place the rules are, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.

However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud.

“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” writes Schrems.

Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new consent flow.

“We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads,” said Zuckerberg.

He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new consent flow Facebook revealed ahead of GDPR only offers the ‘choice’ of quitting Facebook entirely if a person does not want to accept targeted advertising. Which, well, isn’t much of a choice given how powerful the network is. (Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data.)

Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change — “because giving people control of how their data is used has been a core principle of Facebook since the beginning”.

“The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past,” he claimed. “I mean I don’t want to downplay it — there are strong new rules that we’ve needed to put a bunch of work into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things.

“In order to be able to give people the tools to connect in all the ways they want and build committee a lot of philosophy that is encoded in a regulation like GDPR is really how we’ve thought about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and implement but I also don’t want to make it seem like this is a massive departure in how we’ve thought about this stuff.”

Zuckerberg faced a range of tough questions on these points from the EU parliament earlier this week. But he avoided answering them in any meaningful detail.

So EU regulators are essentially facing a first test of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image.

Privacy laws are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.

Schrems also makes the point that small startups and local companies are less likely to be able to use the kind of strong-arm ‘take it or leave it’ tactics on users that big tech is able to use to extract consent on account of the reach and power of their platforms — arguing there’s a competition concern that GDPR should also help to redress.

“The fight against forced consent ensures that the corporations cannot force users to consent,” he writes. “This is especially important so that monopolies have no advantage over small businesses.”

Image credit: noyb.eu

Family claims their Echo sent a private conversation to a random contact

A Portland family tells KIRO news that their Echo recorded and then sent a private conversation to someone on its list of contacts without telling them. Amazon called it an “extremely rare occurrence.”

Portlander Danielle said that she got a call from one of her husband’s employees one day telling her to “unplug your Alexa devices right now,” and suggesting she’d been hacked. He said that he had received recordings of the couple talking about hardwood floors, which Danielle confirmed.

Amazon, when she eventually got hold of the company, had an engineer check the logs, and he apparently discovered what they said was true. In a statement, Amazon said “We investigated what happened and determined this was an extremely rare occurrence. We are taking steps to avoid this from happening in the future.”

What could have happened? It seems likely that the Echo’s voice recognition service misheard something, interpreting it as instructions to record the conversation like a note or message. And then it apparently also misheard them say to send the recording to this particular person. And it did all this without saying anything back.

The house reportedly had multiple Alexa devices, so it’s also possible that the system decided to ask for confirmation on the wrong device — saying “All right, I’ve sent that to Steve” on the living room Echo because the users’ voices carried from the kitchen. Or something.

Naturally no one expects to have their conversations sent out to an acquaintance, but it must also be admitted that the Echo is, fundamentally, a device that listens to every conversation you have and constantly sends that data to places on the internet. It also remembers more stuff now. If something does go wrong, “sending your conversation somewhere it isn’t supposed to go” seems a pretty reasonable way for it to happen.

I’ve asked Amazon for more details on what happened, but as the family hasn’t received one, I don’t expect much.

PornHub has its own VPN now

PornHub is diversifying. The most popular site that no one you know will admit to frequenting is launching its very own VPN service today, called, get this: VPNHub. The app, which is available on Android, iOS, MacOS and Windows, is primarily designed to offer “free and unlimited bandwidth,” according to its creators.

It’s an attempt to circumvent ISP throttling, a potential boon for those who frequently visit sites with a lot of video. Sites like, well, PornHub. “With 90 million visitors a day, the vast majority of whom are using devices on the go, it’s especially important that we continue to ensure the privacy of our users,” VP Corey Price said in a statement.

The app is free on the aforementioned mobile platforms, but there’s a premium for desktop users. Another higher tier will drop ads, offer faster connection speeds and provide logins in additional countries, according to the company. That one runs either $13 a month or $90 for a full year subscription.

Of course, there are some privacy concerns to contend with, including some security issues that have arisen in recent months. This WTF is a VPN primer should give you a good overview of what you’re contending with a bit more broadly.

“Assume that all the free VPN apps that you see in the App Store and Google Play are free for a reason,” Romain wrote in the piece. “They’ll analyze your browsing habits, sell them to advertisers, inject their own ads on non-secure pages or steal your identity. You should avoid free VPNs at all costs.”

So, keep that in mind.

If you want to take the leap, however, the service is available now. There’s also a free seven-day trial for the premium version.

Facebook is asking users worldwide to review their privacy settings

Starting this week, Facebook will begin asking users worldwide to review their privacy settings with a prompt that appears within the Facebook app. The experience will ask you to review how Facebook uses your personal data across a range of products, from ad targeting to facial recognition. This request to review Facebook’s updated terms and your settings follows a similar experience rolled out to users in the European Union as a result of the new user data privacy regulation, GDPR.

However, EU users have to agree to the new terms of service in order to continue using Facebook, Recode points out, after asking Facebook how the worldwide experience differs from the one being shown in Europe.

Elsewhere in the world, users who dismiss the prompt twice will be automatically opted in.

But before you close that window too quickly, you may want to take a look at what Facebook is asking.

In the new prompt, which appears when you visit News Feed, Facebook will allow you to review details about advertising, facial recognition, and the information you’ve chosen to share on your profile.

For example, you may no longer feel comfortable having your religion, political views or relationship information exposed, and the new experience will allow you to change those settings.

As you continue reviewing your information, each screen will walk you through what data is collected and how it’s used, allowing you to make better decisions about Facebook’s use of your data.

Specifically, Facebook says the feature will include the following information:

  • How it uses data from partners to show more relevant advertising
  • Political, religious, and relationship information you’ve chosen to include on your profile
  • How it uses face recognition, including for features that help protect your privacy
  • Updates to its terms of service and data policy (that were announced in April)

If you’ve already disabled some of these settings, you won’t be shown that information or encouraged to turn the features back on.

After you adjust your settings, the changes go into effect immediately and you can adjust them again at any time from Settings or Privacy Shortcuts, the company says.

Though the GDPR is aimed at protecting user data in the EU, Facebook has come under fire for its breach of trust with its user base due to the Cambridge Analytica scandal – where data was hijacked from 87 million users without their consent. The company is now revisiting a lot of its user data privacy practices and making changes as a result of both that and GDPR’s requirements.

The experience will start popping up on Facebook this week.

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned, read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR, which will start being applied from tomorrow.

Instapaper’s notification does not say how long the self-imposed outage will last.

The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover.

So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information).

That said, EU regulators are clearly going to tread softly on the enforcement front in the short term. And any major fines are only going to hit the most serious violations and violators — and only down the line when data protection authorities have received complaints and conducted thorough investigations.

So it’s not clear exactly why Instapaper believes it needs to pause its service to European users. It’s also had plenty of time to prepare to be compliant — given the new framework was agreed at the back end of 2015. We’ve reached out to Pinterest with questions and will update this story with any response.

In an exchange on Twitter, Pinterest product engineering manager Brian Donohue — who, prior to acquisition was Instapaper’s CEO — flagged that the product’s privacy policy “hasn’t been changed in several years”. But he declined to specify exactly what it feels its compliance issue is — saying only: “We’re actively working to resolve the issue.”

In a customer support email that we reviewed, the company also told one European user: “We’ve been advised to undergo an assessment of the Instapaper service to determine what, if any, changes may be appropriate but to restrict access to IP addresses in the EU as the best course of action.”

“We’re really sorry for any inconvenience, and we are actively working on bringing the service back online for residents in Europe,” it added.

The product’s privacy policy is one of the clearer T&Cs we’ve seen. It also states that users can already access “all your personally identifiable information that we collect online and maintain”, as well as saying people can “correct factual errors in your personally identifiable information by changing or deleting the erroneous information” — which, assuming those statements are true, looks pretty good for complying with portions of GDPR that are intended to give consumers more control over their personal data.

Instapaper also already lets users delete their accounts. And if they do that it specifies that “all account information and saved page data is deleted from the Instapaper service immediately” (though it also cautions that “deleted data may persist in backups and logs until they are deleted”).

In terms of what Instapaper does with users’ data, its privacy policy claims it does not share the information “with outside parties except to the extent necessary to accomplish Instapaper’s functionality”.

But it’s also not explicitly clear from the policy whether or not it’s passing information to its parent company Pinterest, for example, so perhaps it feels it needs to add more detail there.

Another possibility is Instapaper is working on compliance with GDPR’s data portability requirement. Though the service has offered export options for years. But perhaps it feels these need to be more comprehensive.

As is inevitable ahead of a major regulatory change there’s a good deal of confusion about what exactly must be done to comply with the new rules. And that’s perhaps the best explanation for what’s going on with Instapaper’s pause.

Though, again, there’s plenty of official and detailed guidance from data protection agencies to help.

Unfortunately it’s also true that there’s a lot of unofficial and dubious quality advice from a cottage industry of self-styled ‘GDPR consultants’ that have sprung up with the intention of profiting off of the uncertainty. So — as ever — do your due diligence when it comes to the ‘experts’ you choose.

50 tech CEOs come to Paris to talk about tech for good

Ahead of VivaTech, 50 tech CEOs came to Paris to have lunch with French President Emmanuel Macron. Then, they all worked together on “tech for good”. The event was all about leveraging tech around three topics — education, labor and diversity.

At the end of the day, French Prime Minister Édouard Philippe invited everyone for a speech in Matignon. It wasn’t a groundbreaking speech as Macron is also speaking at VivaTech tomorrow morning. “We’re trying to pivot France,” Philippe said.

Maurice Lévy, the former CEO of Publicis, one of the two companies behind VivaTech with Les Échos, first introduced the event, as well as Eric Hazan from McKinsey. McKinsey worked on the data that was used to start those discussions. So let’s see what they talked about.

“As McKinsey showed, there’s no question that technology overall is a net creator of jobs and GDP. It’s a positive force,” Uber CEO Dara Khosrowshahi said. “At the same time, AI and automation, while driving the economy and productivity, […] will lead to large groups being disadvantaged.”

He then listed a few important points to make sure that nobody is going to be left behind, such as coaching and mentorship programs.

“This is not just the government’s job but it is also the job of private companies,” Khosrowshahi added.

He wanted to remain hopeful and it felt a bit like a lobbying effort. “It’s easy to see the loss of jobs because of automation. But it’s much more difficult to dream about the possibilities of the future,” he said. In other words, don’t worry about the on-demand economy, don’t worry about self-driving cars.

IBM CEO Ginni Rometty was in charge of the discussions around education. “We also had a lot of engineers and pragmatic people there. And we ended up with five recommendations,” she said.

It sounds like these recommendations would be really favorable for IBM and other tech companies. So here are these recommendations:

  • Focus and segment this problem. Focus on the quarter of the population the most at risk.
  • Align the skills that businesses need with the education system (hard skills and soft skills).
  • There should be an open partnership with governments to reposition vocational education, learn by doing, foster internships, apprenticeships, simulations and redirect tax to incentivize.
  • Work with teachers to pilot, get hard evidence and then scale.
  • Retraining employees is the responsibility of all employers.

Finally, SAP CEO Bill McDermott talked about diversity. “As we looked at the facts, there are 33 percent more revenue, more profit for companies that got the memo on companies more inclusive and more diverse,” he said.

Culture, gender and geography were the main themes. But they also talked about differently abled people. SAP will make an announcement around autism in France.

“Dara, Ginni and Bill, thank you for your introduction, that was brilliant, in English and concise,” French Prime Minister Édouard Philippe said.

He then listed three ideas that sum up his thinking about the tech industry.

“I truly believe in freedom, in that fundamental ability that you need to be able to take good decisions and bad decisions,” he said. The second idea is the consequence of that first one.

“With great power comes great responsibility. I think a modern philosopher called Peter Parker said that for the first time. And I really think it’s true.”

“While you don’t have to regulate on everything, when something isn’t regulated, it’s possible that it gets out of your control. And when it comes to the digital revolution and the data revolution, that freedom needs some boundaries. You know that Europe worked on some regulation — GDPR. What looked like regulation against innovation now appears as desirable and useful,” he said.

He then indirectly called out Facebook for its half-baked GDPR changes. “Some of you, and I believe it’s the case of Microsoft, decided to enforce GDPR everywhere. And I encourage everyone to do the same.”

The fact that 50 CEOs came to Paris is interesting by itself. It’s a sign that tech companies want to have an open discussion with governments. They want to make sure that regulation is favorable. On the other hand, governments want to make sure that tech innovations aren’t going to divide society.

But it’s just starting.

Some companies announced a few things in Paris. Uber expanded its accident insurance to contractors across Europe, when they’re working and also when they’re not on the road. IBM plans to hire 1,800 people in France. Deliveroo is going to invest $117 million (€100 million) over the next few years.

Let’s see if Macron has more to say tomorrow.


Here’s the full list of tech CEOs in Paris for the Tech for Good Summit:

  • Kevin Sneader, CEO, McKinsey
  • Audrey Azoulay, Director, UNESCO
  • Mark Zuckerberg, Founder and CEO, Facebook
  • John Kerry, Senior Fellow, Carnegie Foundation
  • Satya Nadella, CEO, Microsoft
  • Pierre Louette, CEO, Les Echos
  • Tony Elumelu, President, United Bank for Africa
  • Maurice Lévy, Co-Founder, Viva Technology
  • Charlotte Hogg, CEO, Europe Visa
  • Jean-Paul Agon, CEO, L’Oréal
  • Tristan Harris, Executive Director, Center for Humane Technology
  • Alexandre Dayon, CEO, Salesforce
  • Brian Krzanich, CEO, Intel
  • Mitchell Baker, President, Mozilla Foundation
  • Yves Meignié, CEO, Vinci Energies
  • Gilles Pelisson, CEO, TF1
  • Bill McDermott, CEO, SAP
  • Young Sohn, CEO, Samsung
  • Gillian Tans, CEO, Booking.com
  • Niklas Zennstrom, Founder and CEO, Atomico
  • Will Shu, CEO, Deliveroo
  • Sunil Bharti Mittal, President, Bharti Enterprises
  • Joe Schoendorf, Partner, Accel
  • Nick Bostrom, Director, Future of Humanity Institute
  • Julie Ranty, Director, VivaTech
  • Eric Leandri, CEO, Qwant
  • Olivier Brandicourt, CEO, Sanofi
  • Mo Ibrahim, President, Mo Ibrahim Foundation
  • Yossi Vardi, Entrepreneur
  • Philippe Wahl, CEO, Groupe La Poste
  • Pierre Nanterme, CEO, Accenture
  • Tom Enders, CEO, Airbus
  • Tim Hwang, Director, Harvard-MIT Ethics & Governance of AI Initiative
  • Octave Klaba, Founder and CEO, OVH
  • Ginni Rometty, CEO, IBM
  • Pierre Dubuc, CEO, OpenClassrooms
  • Isabelle Kocher, CEO, Engie
  • Sy Lau, CEO, Tencent
  • Xavier Niel, Founder, Iliad/Free
  • Jimmy Wales, Founder, Wikimedia Foundation
  • Jean-Laurent Bonnafé, CEO, BNP Paribas
  • Angela Ahrendts, Vice President Retail, Apple
  • Frédéric Mazzella, Co-Founder and President, BlaBlaCar
  • Stewart Butterfield, CEO, Slack
  • Alex Karp, CEO, Palantir
  • Guillaume Pepy, CEO, SNCF
  • Jacquelline Fuller, President, Google.org
  • Stéphane Richard, CEO, Orange
  • Clare Akamanzi, CEO, Rwanda Development Board
  • Paul Hermelin, CEO, CapGemini
  • Eric Hazan, Senior Partner, McKinsey
  • Ludovic Le Moan, Co-Founder and CEO, Sigfox
  • Dara Khosrowshahi, CEO, Uber
  • Catherine Guillouard, CEO, RATP
  • Tim Collins, CEO, Ripplewood
  • Bernard Liautaud, Partner, Balderton
  • Alain Roumilhac, CEO, Manpower Group France
  • Hiroshi Mikitani, CEO, Rakuten
  • John Collison, Co-Founder and CEO, Stripe
  • Maxime Baffert, Director, VivaTech
  • Thomas Buberl, CEO, Axa