Google to face $5bn privacy lawsuit as consumer craving for secrecy increases

Law firm Boies Schiller Flexner has filed a $5 billion class action lawsuit against Google in the Northern District of California for continuing to collect data while privacy mode is activated.

Alleging Google violated the Federal Wiretap Act, the California Invasion of Privacy Act and the Fourth Amendment, the law firm is suing on behalf of millions of users. Although $5 billion is a significant financial penalty, Google should perhaps be more worried about precedent: losing this case could open the door to further lawsuits in states with their own privacy laws.

The ruling will boil down to one question: did Google illegally mislead users by overstating the privacy protection afforded when they activated ‘Incognito’, a mode which supposedly acts as an opt-out from data collection and analysis?

“Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy,” the lawsuit states.

“Indeed, even when Google users launch a web browser with ‘private browsing mode’ activated (as Google recommends to users wishing to browse the web privately), Google nevertheless tracks the users’ browsing data and other identifying information.”

Should the lawsuit succeed, the plaintiffs’ team is seeking $5,000 in damages for every user who has used Google’s ‘Incognito’ mode since June 1, 2016.


‘Incognito’ mode was first introduced with the Google Chrome browser in 2008 and is designed to allow users to browse the internet without Chrome remembering the activity on that device. Although it sounds promising, what should be noted is that Google has always stated it is not absolute protection from online tracking.

The following statement is taken from the Google ‘Incognito’ section of the website:

Chrome won’t save your browsing history, cookies and site data, or information entered in forms. Files you download and bookmarks you create will be kept. Your activity isn’t hidden from websites you visit, your employer or school, or your internet service provider.

The contentious issue is how far ‘Incognito’ mode was oversold to the user, with the Boies Schiller Flexner legal team believing Google misled users. Incognito only stops Chrome from persisting history, cookies and form data on the local device; it does nothing to stop the websites visited, or the Google scripts embedded in them, from logging each request on Google’s servers. Through services such as Google Ad Manager and Google Sign-In, the claim is that browsing information was still collected by the search giant despite assurances to the user that it wouldn’t be.

Of course, what is worth noting is that there is a serious incentive for the collection of personal information. According to estimates (albeit old ones) from Tim Morey of digital strategy firm Frog, the value of different data segments varies quite significantly:

  • $240 – Social security number
  • $150 – Credit card information
  • $57 – Internet browsing history
  • $38 – Health history
  • $5.7 – Online purchasing history
  • $4.2 – Contact information

The question which is being asked today is whether all of these data collection and analysis strategies are being done legally.


One trend which is becoming increasingly obvious is the desire for more privacy.

Earlier this week, Brave, the privacy-orientated browser, said that monthly active users (MAUs) passed 15 million for the first time in May, a 125% increase year-on-year. Its users also tend to be more engaged, with ad click-through rates as high as 9%.

Perhaps it is the dangers of the digital economy hitting home, finally, but users are becoming much more aware of their privacy rights. This is not good for business for the likes of Google and other internet giants where business models are moulded around information, but it does raise a few questions about the suitability of existing privacy laws:

Telecoms.com Poll – Should privacy rules be re-evaluated in light of a new type of society?
30% Yes, the digital economy requires a different stance on privacy
41% The user should be given more choice to create their own privacy rights
29% No, technology has changed but privacy principles are the same

One question which has not been properly addressed is whether the privacy rules being enforced today are suitable for the digital era.

The EU’s General Data Protection Regulation (GDPR) came into force in 2018, ensuring the rules in Europe were fit for purpose, but many countries are still governed by privacy rules and regulations written in a bygone era.

In this lawsuit against Google, the three laws mentioned could certainly be considered out of date:

  • The Federal Wiretap Act was written in 1968 (as Title III of the Omnibus Crime Control and Safe Streets Act) and was amended and extended to electronic communications by the Electronic Communications Privacy Act of 1986
  • California’s Invasion of Privacy Act was first legislated in 1967; California has since added separate privacy statutes, including the California Consumer Privacy Act of 2018
  • The Fourth Amendment was written in 1789 to protect citizens against unreasonable searches and seizures, including warrantless searches of their homes

Although all of these laws are theoretically in the same ballpark, they were designed for analogue societies. Legal documents are full of nuances and loopholes, and taking an example slightly out of context can create all sorts of problems. Today’s digital society is fundamentally different from the analogue era, making it difficult to apply existing laws perfectly.

A donkey might have four legs, a tail and eat hay, but that does not mean it will be at home in the starting gate at a racecourse.


There are plenty of ways the lawsuit against Google can fall apart, most notably as the lawyers on the offensive will have to demonstrate an extensive knowledge of the intricate operations within the search engine business to prove their points. This is an issue.

What you can also guarantee is that Google will throw plenty of legal resources at the case. These are seasoned professionals who have become very well accustomed to defending the internet giant.

Google will of course not want to pay the $5 billion being sought by the lawyers championing this class action, but a bigger consequence is precedent. If lawyers are successful in suing Google for breaking California laws, who is to say another firm would not raise the alarm in any one of the other 49 states?

The USA is a highly litigious country and precedent is a very powerful force in this community.

Arizona Attorney General sues Google for misleading data collection practices

Arizona Attorney General Mark Brnovich has filed a lawsuit against Google for what he describes as ‘deceptive and unfair’ methods to secure valuable personal data.

While it is hardly unusual for Google to find itself on the wrong side of right when it comes to data collection and privacy practices, registering the attention of a single Attorney General could be a worrying start. These lawyers have a tendency to swarm around an adversary, collecting support from counterparts in other states. Simply look at how easily New York Attorney General Letitia James rallied disciples in failed opposition to the T-Mobile US and Sprint mega-merger, as well as a previous antitrust case against Google.

“While Google users are led to believe they can opt-out of location tracking, the company exploits other avenues to invade personal privacy,” said Brnovich. “It’s nearly impossible to stop Google from tracking your movements without your knowledge or consent. This is contrary to the Arizona Consumer Fraud Act and even the most innovative companies must operate within the law.”

The basis of this lawsuit is whether Google is acting in accordance with the rules set forth in Arizona consumer law. Brnovich notes that the majority of Google’s revenues are derived from the collection of valuable personal information, and claims it is often collected without the user’s consent or knowledge.

In 2018, the Associated Press ran an article which reported that Google continued to record users’ locations even after they had explicitly turned off ‘Location History’, because a separate ‘Web & App Activity’ setting still stored them. This practice seemingly carried on until mid-2018 and forms the basis of the Arizona case. However, this is only the tip of the iceberg.

Following a two-year investigation, the Arizona Attorney General’s office has filed a 50-page complaint against Google in the Maricopa County Superior Court. It features internal documents, under-oath testimony from Google employees, and external opinions from academics condemning the activities.

A significant proportion of the information has been redacted and will be examined in private, thanks to confidentiality claims from Google, but the State lawyers will be pushing for more to be made public. Over the course of the next few weeks this could be a very interesting case to keep an eye on as details of the internal workings of Google are potentially exposed. Few people genuinely understand how Google works, so this could be very illuminating.

This will be an interesting case, though Brnovich will have to rally some support very quickly. The privacy advocacy organisations are remaining quiet for the moment, as are other politicians and Attorneys General. That might change by this afternoon as our transatlantic cousins wake up, but fighting the powerful Google legal department solo is unlikely to end well for Arizona’s Attorney General.

Trump needs fodder for the campaign trail, maybe Huawei fits the bill

A thriving economy and low levels of unemployment might have been the focal point of President Donald Trump’s re-election campaign, pre-pandemic, but fighting the ‘red under the bed’ might have to do now.

In 2016, Donald Trump won the Presidential election for numerous reasons, but one very important element was his ability to mobilise the vote of elements of society who wouldn’t have had any interest in politics otherwise. One reason was because of who Trump was and is, a celebrity more than a statesman, but perhaps a more critical element was the message.

Trump ignored political correctness, seemingly appealing to racism and xenophobia as the Make America Great Again slogan was born. He proposed the deportation of all illegal immigrants, the construction of a wall on the US-Mexico border and a temporary ban on foreign Muslims entering the US. The forgotten men and women of the US were the focal point of this campaign.

This campaign, built on a single message, that foreigners are bad for patriotic US citizens, worked. If Trump is to repeat the success of his 2016 Presidential Election in November, there will have to be another message at the core of the campaign to rouse the masses and build a slogan on.

There has been a suspicion that the success of the economy and low levels of unemployment would have been this focal point. Prior to the COVID-19 pandemic, the economy was on the rise. From 6 January 2017, two weeks before Trump entered the Oval Office, to the final days before lockdown in February 2020, the Dow Jones grew from 19,963 to 29,398, a 47% surge. Unemployment fell steadily over the three-year period to 3.5%.

The message could have been ‘look what four years of Trump has gotten you, wouldn’t you like four more?’. But then coronavirus hit, and the economy went down the toilet.

The Dow Jones will recover, as will unemployment, but the Trump campaign would be playing with fire by making this the central point of the campaign. Many believe Trump was too slow to act against the coronavirus after spending months claiming it was little more than the common flu. At its worst point, the Dow Jones fell to 18,591 while unemployment is currently as high as 14%, and likely to go higher.

Using the economy as a reason for re-election would be offering ammunition to the Democratic candidate: the opening round of a slugging match in which Trump can be undermined and embarrassed.

Without this weapon in his arsenal, Trump will have to find a new focal point to build a campaign around; China and Huawei could fit the bill.

Trump needs to redirect attention away from his failings as a leader during the early weeks of the coronavirus outbreak. People generally need an enemy when times are hard, and the invisible enemy of today will not do; you can’t get people angry about a virus, not in the way that the Trump campaign will want. If Trump can further vilify the Chinese, he can position himself as the hero, the man to champion US values, whatever they might be.

Huawei has been made the proxy of the Chinese Government in the eyes of the US. If the US is scared about the ‘red under the bed’, the idea of communism creeping into democratic societies secretly, the successful telecoms vendor can be made public enemy number one.

This is clearly not a new campaign of hate from the President, but it is one which had quietened off over the last few months. It is an on-going conflict point between the US and Chinese Governments, and fuel was thrown onto the embers last week.

In a new assault from the US Department of Commerce, further efforts were made to inhibit Huawei’s ability to source semiconductor components for smartphones and base stations, by extending US export controls to chips made abroad with US software or equipment. The US is perhaps hoping the globalised nature of the technology industry, which has allowed Huawei to thrive, can be weaponised against it, as few (if any) companies could operate without a single trace of the US in their supply chains.

“We have survived and forged ahead despite all the odds,” Huawei Rotating Chairman Guo Ping said at a virtual conference this week. “The US insists on persistently attacking Huawei, but what will that achieve for the world?”

Conflict with the Chinese might not sound good for economic reasons, but for political ones it is fantastic. Trump needs an enemy so he can be the champion of the forgotten men and women of the US.

While it is clear there are a lot of US politicians buying into the anti-China campaign of hate, we asked Telecoms.com readers how they feel about the on-going aggression towards Huawei:

Telecoms.com Poll: Do you feel the US Government is justified in its action against Huawei?
Yes, it is effectively a pawn for the Chinese Government 43%
Yes, but Government links are not there 1%
Maybe, but show us the evidence of foul play first 12%
No, Trump shouldn’t punish a company just because it is Chinese 22%
No, international competition should be left to sort itself out 22%

Huawei might have enjoyed a brief breather over the last few months, but the signs are there to suggest there might be greater conflict on the horizon. Speaking at the Munich Security Conference in February, Secretary of State Mike Pompeo and Secretary of Defense Mark Esper both drew battle lines.

“Let’s talk for a second about the other realm, cybersecurity,” Pompeo said during his speech. “Huawei and other state-backed tech companies are trojan horses for Chinese intelligence.”

“Under President Xi’s rule, the Chinese Communist Party is heading even faster and further in the wrong direction,” said Esper. “More internal repression, more predatory economic practices, more heavy handedness, and most concerning for me, a more aggressive military posture.”

Further sanctions and more aggressive policies against Huawei specifically, as well as other Chinese companies in the international markets, could be on the horizon. Huawei executives have certainly expressed concern, but there are numerous other companies who should also be sitting uncomfortably.

The US Senate recently passed the Holding Foreign Companies Accountable Act (S.945) which could result in numerous companies who do not pass strict criteria being delisted from US stock exchanges. China is of course a target with this legislation.

“The SEC works hard to protect American investors from being swindled by American companies,” said Senator John Kennedy, one of the politicians to introduce the original bill.

“It’s asinine that we’re giving Chinese companies the opportunity to exploit hardworking Americans – people who put their retirement and college savings in our exchanges – because we don’t insist on examining their books. There are plenty of markets all over the world open to cheaters, but America can’t afford to be one of them.”

This legislation would not impact Huawei, which is privately held and not listed on any US exchange, but it is further evidence of increasing aggression towards China and of rising tensions.

And while Huawei might be attracting the most attention from US Senators right now, there are certainly more which could fall into the crosshairs. ByteDance owns TikTok, which has already come under criticism; Alibaba is hoping to expand its cloud computing venture into international markets; and the likes of OPPO and Xiaomi are proving to be quite successful in gaining interest as challenger smartphone brands. These are all companies which could fall foul of US opinion.

The first Trump campaign rallies will give more of an indication of what will be the focus of his scorn and hatred over the coming months, and where the pent-up frustrations of US citizens could be directed. We suspect Huawei could be in for a rough few months as Trump further vilifies the Chinese Government and looks for an opponent to bureaucratically challenge during the campaign.

Taking down Huawei could be the feather the Trump campaign is looking for in its quest for re-election to the White House.



US Senate blurs democratic principles with OK for warrantless searches

In a move which is more suited to an authoritarian state, the US Senate has voted to extend the powers of intelligence authorities to search browser history without a court warrant.

Although the amended text still has to be agreed by the House of Representatives before heading to the Oval Office to be approved by President Donald Trump, this is a blow for US citizens who should correctly crave the right to privacy.

Only 59 votes were cast in support of an amendment which would have removed the ability of intelligence and law-enforcement agencies to obtain citizens’ browsing and search history without petitioning a court for a warrant; 60 were needed. Such powers were introduced under the Patriot Act, following the 9/11 attacks on the US, to fight terrorism, but it seems these politicians have forgotten the very principles they are supposed to be protecting.

Ironically, at the same time as it is supposedly fighting dictatorships around the world, the US’s attitude is remarkably similar to that of the Chinese Government.

The snooping powers were granted under Section 215 of the US Patriot Act, which amended the Foreign Intelligence Surveillance Act (FISA); those provisions expired in March. They had been slated for renewal in the USA Freedom Reauthorization Act, an effort to renew numerous elements, including the ability of intelligence agencies to collect records on the authority of the secret FISA court rather than a conventional warrant.

Despite the PR campaign in play to validate the legislation (such as ludicrous Bill names and acronyms), and efforts to increase national security, privacy rights should still be respected. Fear should not be used as a weapon to erode democratic rights.

In most democratic nations, authorities have to seek permission from the courts to work around privacy rules, but this is not the case here. Such rules contradict the claim that Governments are working for the people and can be held accountable by the people; the process of checks and balances has been compromised.

Senator Ron Wyden of Oregon has been championing the fight against government overreach, but his amendment fell one vote short: had 60 votes been cast in its favour, the privacy of US citizens would have been protected. It is not fair to blame the failure of this pro-democracy effort on a single person, but it is interesting to see who didn’t turn up to vote.

There were four senators who did not vote:

Absentee votes for Amendment Number 1583
Senator          State        Party
Lamar Alexander  Tennessee    Republican
Ben Sasse        Nebraska     Republican
Patty Murray     Washington   Democrat
Bernie Sanders   Vermont      Independent

The Republican senators were expected to vote against the amendment (though many defied party orders), so the absence of Alexander and Sasse is not a material loss. Murray, the Democratic senator for Washington, was not in the capital during the vote, and neither was the anti-establishment figure of Bernie Sanders.

It does appear both Murray and Sanders have been distracted in recent weeks, enough so that inaction has sent US legislation down a worrying path.



ETSI gets to work on new contact tracing app standard

With countries across Europe all trying to reinvent the wheel with their own contact tracing apps, standardization is long overdue.

The responsibility for this has been taken by the European Telecommunications Standards Institute, which has created a special group dedicated to developing a ‘standardization framework for secure smartphone-based proximity tracing systems’. It’s called the Industry Specification Group “Europe for Privacy-Preserving Pandemic Protection,” which is mercifully abbreviated to ISG E4P.

“By their nature smartphones are highly personal devices, carrying large amounts of data about individuals,” said ETSI Director-General Luis Jorge Romero. “In ETSI we are committed to support an international development community with a robust standardization framework that allows rapid, accurate and reliable solutions while winning the trust of the population at large.”

Point well made about trust, Luis. The UK, for example, currently seems determined to give its National Health Service access to the data created by the national contact tracing app. Not only would this alienate Google and Apple, thus making the app a lot less effective, but it would almost certainly lead to far fewer people using it.

“A primary challenge is collecting, processing and acting on information about citizens’ proximity at scale, potentially representing tens or hundreds of millions of people,” says the ETSI announcement. “This must also be achieved without compromising users’ anonymity and privacy, and while safeguarding them against exposure to potential cyber-attacks.”

Again, Google and Apple seem to have this more or less covered, but there’s no way a mega public bureaucracy like the EU would ever concede the private sector might have the answer to a public problem. So ETSI will probably take weeks to come up with something very similar, at which time the EC will order all its members to use it regardless of any progress they’ve made independently.

After 107 million downloads in April, TikTok faces a European privacy probe

Questions over the privacy of popular video-sharing application TikTok have been raised by Dutch authorities, but scepticism can’t slow the rapid expansion.

Although other investigations around the world are far more damning, suggesting some very nefarious activities, let’s not forget giants can be taken down by unsuspecting means. After all, Goliath was conquered by a pebble and Al Capone was felled by tax evasion charges.

“A huge number of Dutch children clearly love using TikTok,” said Monique Verdier, Deputy Chairman of the Dutch DPA.

“We will investigate whether the app has a privacy-friendly design. We’ll also check whether the information TikTok provides when children install and use the app is easy to understand and adequately explains how their personal data is collected, processed and used. Lastly, we’ll look at whether parental consent is required for TikTok to collect, store and use children’s personal data.”

The investigation will focus on whether TikTok effectively protects the privacy of Dutch children, and whether any changes would need to be enforced on the company through regulation. As with every other investigation, this probe from the Dutch could shed light on certain aspects of operations which could have a domino effect.

While TikTok was thrust on the world to much consumer enthusiasm last year, the momentum has certainly continued through 2020 and has perhaps been compounded by lockdown protocols currently in place around the world.

Most downloaded apps (non-gaming) during April 2020 – Global

Rank  Overall     App Store        Google Play
1.    Zoom        Zoom             Zoom
2.    TikTok      TikTok           TikTok
3.    Facebook    Google Meet      Facebook
4.    WhatsApp    Microsoft Teams  WhatsApp
5.    Instagram   Netflix          Aarogya Setu

Source: Sensor Tower

With more entertainment needed by those taking part in enforced lockdown, there has been a surge in interest in numerous categories, but social media and content streaming applications are close to the top of the list. TikTok has benefitted from these tendencies, but also endorsements from numerous celebrities around the world.

Over the weekend, Anthony Hopkins challenged Sylvester Stallone and Arnold Schwarzenegger to a dance-off on the platform with Drake’s Toosie Slide.

@anthonyhopkins: “#Drake I’m late to the party… but better late than never. @oficialstallone @arnoldschnitzel #toosieslidechallenge”

With more and more celebrities embracing the platform, everyday consumers will be encouraged, especially during a period of boredom. This might be seen as a worrying trend to US politicians who are attempting to dilute the influence China and its companies have on global societies and economies.

Last October, Republican Senator Tom Cotton and Senate Minority Leader Chuck Schumer wrote to the Acting Director of National Intelligence, Joseph Maguire, to formally request an investigation into TikTok, questioning whether it is a threat to national security as the application’s developer, ByteDance, could be coerced into collaborating with the Chinese Government.

Shortly afterwards, Senator Josh Hawley also introduced a new bill, known as the National Security and Personal Data Protection Act (S.2889), which would force foreign technology companies to store data locally.

This would provide some protections to US consumers but would also open up the political class to a barrage of complications as the US has been attempting to punish countries who enforce data localisation rules on US companies. India is one of these nations at loggerheads with the US, and while many would attempt to avoid such complications, hypocrisy and irony seem to be completely lost on the current political administration.

TikTok has escaped much scrutiny over the last few months, though this is perhaps due to other areas demanding more attention. The application might be enjoying success for the moment, but we suspect it is not clear of privacy investigations just yet.

Half of Americans approve of using smartphones to track infected individuals

Pew Research Center asked thousands of US adults what they thought about how personal data should be used to help tackle the COVID-19 pandemic.

A surprisingly large proportion of the land of the free are in favour of allowing the government to use smartphones to track individuals suspected of having the bug. 52% were fine with those who have tested positive being tracked, while 45% thought that was fine even for people who had been in contact with an infected person. Most remarkably a third of them thought it was acceptable for the government to track everyone’s location, to make sure they were obeying lockdown rules.

Perversely, 60% of the nearly 5,000 punters surveyed said they didn’t think location tracking would really achieve anything. Since some of those must have been in favour of at least one of the tracking suggestions above, you have to wonder how they could reconcile those two positions.

Other key findings revealed general confusion on the part of many Americans about how their data is collected and what it’s used for. Furthermore they seem to see more negatives than positives from having their data collected and commoditised, which once more makes it surprising that so many of them are fine with digital snooping in the name of safety.

UK’s COVID-19 contact tracing app – will it work?

The UK has officially launched its NHS contact tracing app, but there remain many questions about how effective it can be.

The app is called ‘NHS COVID-19’ and is currently being trialled on the Isle of Wight, presumably to limit its spread, should it turn out to be rubbish. You can read the details of it as explained by the National Cyber Security Centre here. In short, it’s designed to do pretty much the same as all other contact tracing apps: to notify anyone who has been in close physical contact with anyone who is suspected of having COVID-19.

Also in common with other such initiatives around the world, the key point of contention around NHS COVID-19 is whether it uses a centralised or decentralised approach to collecting data. The decentralised method is favoured by Google and Apple, who own the platforms on which nearly all smartphones run and thus have ultimate control over what apps on them can or can’t do.

Under the decentralised system, no record of who you have met ever leaves the individual’s phone. Each phone broadcasts frequently changing random identifiers over Bluetooth LE in the background and stores the identifiers it overhears from nearby phones. When someone tells their app they think they might have the ‘rona, their phone publishes only the keys needed to regenerate its own recent identifiers; every other phone downloads those keys and checks locally whether it has seen any of them. No identity or location data is involved, and the server never learns who met whom.

NHS COVID-19, however, uses the centralised model. In this case, when someone notifies the app of their possible blight, it passes that bulletin on to an NHS server, which then performs the function of notifying other at-risk punters. The advantage of this approach is that it will also enable a bunch of other clinical and epidemiological activities such as inviting the person to be tested and mapping disease hot-spots.
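To make the privacy difference between the two models concrete, here is an added, simplified simulation written for this article. It is not the Google/Apple Exposure Notification API nor the NHS COVID-19 code: the 16-byte keys, the assumed 15-minute rolling interval, the HMAC-based identifier derivation and the behaviour of the assumed central server are all simplifications chosen for illustration. In the decentralised path the positive user publishes only their own daily keys and every phone matches locally; in the centralised path the phone uploads the identifiers it overheard and the server, which can map identifiers back to devices, ends up holding a record of who met whom.

```python
"""Simplified simulation of decentralised vs centralised exposure matching.

Illustration written for this article; NOT the Google/Apple Exposure
Notification API and NOT NHS COVID-19. Key sizes, the rolling interval,
identifier derivation and the server model are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVALS_PER_DAY = 96  # assumed: one rolling identifier every 15 minutes


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier a phone broadcasts over Bluetooth LE during one interval.

    An HMAC of the interval counter under a random per-day key: a passive
    listener cannot link successive identifiers to one device, and only a
    holder of the daily key can regenerate them."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)  # day -> key; stays on the phone until the user reports
    observed: set = field(default_factory=set)      # (day, identifier) pairs overheard nearby

    def key_for_day(self, day: int) -> bytes:
        return self.daily_keys.setdefault(day, os.urandom(16))

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_identifier(self.key_for_day(day), interval)

    def observe(self, day: int, identifier: bytes) -> None:
        self.observed.add((day, identifier))

    # --- decentralised model (Google/Apple style) -------------------------
    def diagnosis_keys(self) -> list:
        """A positive user publishes only their own daily keys, never who they met."""
        return list(self.daily_keys.items())

    def exposed_to(self, published_keys: list) -> bool:
        """Matching happens on the phone: regenerate every identifier the
        published keys could have produced and compare with what we heard."""
        return any((day, rolling_identifier(key, i)) in self.observed
                   for day, key in published_keys
                   for i in range(INTERVALS_PER_DAY))

    # --- centralised model (NHS COVID-19 style, assumed) ------------------
    def contact_report(self) -> set:
        """A positive user uploads the identifiers they overheard; the server
        does the matching and therefore learns the user's contacts."""
        return set(self.observed)


class CentralServer:
    """Assumed centralised server: it learns each phone's daily keys at
    registration so it can map an overheard identifier back to a device."""

    def __init__(self) -> None:
        self.registry = {}  # (day, identifier) -> phone name

    def register(self, phone: Phone, day: int) -> None:
        key = phone.key_for_day(day)
        for i in range(INTERVALS_PER_DAY):
            self.registry[(day, rolling_identifier(key, i))] = phone.name

    def handle_report(self, report: set) -> set:
        """Names of phones to notify. The server now also holds a record of
        who the reporting user was near, which the decentralised path avoids."""
        return {self.registry[obs] for obs in report if obs in self.registry}


def simulate() -> dict:
    """Constructed scenario: alice meets bob on day 3; carol only meets bob."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day, interval = 3, 40
    server = CentralServer()
    for phone in (alice, bob, carol):
        server.register(phone, day)
    bob.observe(day, alice.broadcast(day, interval))
    alice.observe(day, bob.broadcast(day, interval))
    carol.observe(day, bob.broadcast(day, interval + 1))

    # Alice tests positive and reports through each model.
    bulletin = alice.diagnosis_keys()  # decentralised: her keys only
    return {
        "decentralised_bob": bob.exposed_to(bulletin),
        "decentralised_carol": carol.exposed_to(bulletin),
        "centralised_notify": server.handle_report(alice.contact_report()),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows bob flagged and carol not flagged under both models; the difference is what the server is left holding. In the decentralised path it has a list of keys belonging to positive users and nothing else, while in the centralised path it has alice’s contact list resolved to named devices, which is exactly the data Gould’s “retained for research in the public interest” remark refers to.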

The centralised model obviously comes with a lot more data privacy and even civil liberty concerns, which is why the UK government has gone to considerable lengths to demonstrate security, transparency and accountability. Ian Levy, the Technical Director at the NCSC has blogged extensively on the matter and you can even read the technical paper. The Information Commissioner’s Office has also blogged and published a formal opinion.

As you would expect, Parliament is having a good look at this app too. Matthew Gould, CEO of NHSX, which is the digital transformation bit of the NHS, got a socially-distanced grilling from the Joint Committee on Human Rights yesterday, and the matter of data protection was very much at the forefront.

“The app doesn’t at this stage know who you are, it doesn’t know who the people are you’ve been near, it doesn’t know where you’ve been,” said Gould, with the ‘at this stage’ bit somewhat undermining his attempt to reassure. “We’ve said we will open-source the code, we will publish the privacy assessment and security models.”

That was around 15:05 of the recording of the briefing. At 15:19 Gould is asked about the longer-term use of data shared with the NHS. “If data has been shared by choice with the NHS then it can be retained for research in the public interest,” he said. It remains to be seen how compliant with GDPR and general data best-practice that will be. Furthermore his answer serves as a great illustration of why people may be reluctant to allow their data to leave the confines of their phone.

Which brings us to a major flaw in the decision to go for the centralised approach: trust. The majority of the population will need to download and use the app for it to be effective, so anything that makes them think twice about doing so is surely a major setback. It seems clear the NHS is doing everything by the book and subjecting itself to maximum public scrutiny, but by going down this path it has built an unnecessary element of doubt into the whole project.

The biggest problem of all, however, is likely to stem from the fact that Google and Apple don’t support NHS COVID-19. That doesn’t mean they’re going to block it from their app stores, but it does mean it presumably won’t have access to the Google/Apple Exposure Notification API. The single biggest challenge that presents is how to keep the Bluetooth LE functionality active when the app isn’t open or in the foreground of the phone.

Coincidentally the two tech giants released more details of their API today, with Tech Crunch doing a good job of summarising the rules determining its use. By adopting the strategy it has, it seems the NHS has ensured we won’t get a COVID-19 contact tracing app that uses the Google/Apple API, which is a shame.

NHSX and the government are keen to stress that NHS COVID-19 is not, by itself, a silver bullet, and will form part of a broader set of measures designed to keep a lid on the pandemic once we’re allowed out of the house again. While we should stress that we’re not in any way advising against people doing their bit by downloading and using this app – we certainly will – its usefulness seems very likely to be seriously diminished by the decision to adopt the centralised approach.

Europe’s GDPR blasted for underinvestment and enforcement

Open source web browser Brave has directed weighty criticism towards European Governments for failing to equip data protection agencies and enforce GDPR rules.

With the release of a white paper and the filing of a complaint to the European Commission, Brave has directed weighty criticism to all Governments and agencies involved in upholding the privacy and data protection rights afforded through the implementation of GDPR. In short, the Governments are not directing enough money towards the data protection authorities to enforce GDPR.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Johnny Ryan, Chief Policy & Industry Relations Officer at Brave.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

Brave does of course benefit from disruption to the status quo of the internet economy, though there are some valid points being made. Aside from a few examples, the rhetoric from posturing politicians and boresome bureaucrats on the importance of data protection does not seem to have translated into action.

For all the good work which has been done in creating a regulatory framework to elevate data protection and privacy in today’s society, if the relevant authorities are not enforcing the rules it means nothing.

As Brave points out in the complaint, Article 52(4) of the GDPR (Regulation 2016/679/EU) and Article 41(1) of the Law Enforcement Directive (Directive 2016/680/EU) require that national governments give data protection authorities the human and financial resources necessary to perform their tasks.

Looking at the research presented by Brave, it would appear Governments are failing to adhere to these rules.

How well funded are the data protection agencies?

Nation         Budget (2019/20)
UK             €61 million
Italy          €30.1 million
Germany        €26.8 million
Ireland        €16.9 million
Poland         €9.4 million
Netherlands    €18.6 million
Spain          €16.5 million
Estonia        €0.8 million
Sweden         €10.3 million
Greece         €3.1 million
Austria        €2.3 million
Romania        €1.3 million

This is just a snapshot of budgets across the continent. Some countries might look suitably funded, but this is perhaps only in comparison to the other end of the scale. However, it does appear some of these agencies are somewhat of a profit centre for Governments.

In the UK, for example, the data watchdog the Information Commissioner’s Office (ICO) is funded by data protection fees, a fee which is applicable to every organisation or sole trader who processes personal information in the UK. For 2019/20, the ICO budget from these fees totalled £46,560,000. The authority is also the recipient of £4,626,000 of Government funding.

What is worth noting, however, is that any fine which is given by the ICO for data protection or privacy violations is directly paid to Her Majesty’s Treasury. None of these funds are used to further enhance the powers of the ICO or employ additional experts. The ICO currently employs 22 technology specialists of a total staff of more than 600.

So far, the ICO has issued some substantial fines:

Company                    Fine        Reason
Cathay Pacific             £500,000    Data breach
DSG Retail                 £500,000    Lack of security during cyber-attack
Life at Parliament View    £80,000     Inadequate cybersecurity
Bounty                     £400,000    Sharing personal information illegally

These are the relevant fines from the last 12 months, though it should also be noted that they were all cases where the incident occurred before the introduction of GDPR, when the maximum fine was £500,000. In the Cathay Pacific incident, had the breach occurred after the introduction of GDPR it could have been fined up to 4% of annual revenues, some £460 million.

Currently, the ICO has 56 cases under investigation, one of the busier data protection authorities, but by no means the busiest. That crown is offered to Ireland, where the annual budget of the data protection authority, the DPC, is €16.9 million.

The DPC in Ireland currently has 21 staff who are specialist tech investigators to evaluate the 127 cases which are running. The DPC is the lead data protection authority for complaints against the likes of Facebook, Google, Apple, Intel, IBM and numerous other tech giants owing to their corporate HQ being in Dublin.

€16.9 million should not be seen as an adequate budget to oversee that many GDPR cases or hold the internet giants accountable. These companies could lodge numerous appeals or filings to prolong the legal proceedings, bleeding the DPC dry and severely inhibiting its ability to maintain GDPR principles in Ireland, as well as to ensure the internet giants are held accountable.

In this example, it is very difficult to levy all of the criticism towards Ireland. As the DPC is being asked to be the champion for all of Europe, fighting against some of the companies who are presumably the worst data protection and privacy offenders, contributions should be enforced from other member states to build this authority. €16.9 million is quite frankly pathetic when the DPC is effectively being asked to take on Silicon Valley.

Across Europe, the Brave research suggests there are only 305 technology specialists working for the data protection authorities. Only six authorities have more than 10 specialist tech investigation staff, seven have two specialists or fewer, and half of all authorities have annual budgets of less than €5 million.

EU GDPR was a regulatory evolution which was very much needed in 2018. It created rules which were fit-for-purpose in the current digital society, but this means nothing if Governments are not doing what they should to create the agencies to enforce the rules.

Brave might be looking to throw a cat amongst the bureaucratic pigeons for its own gain, but it is not wrong. Governments are failing.

Europe releases guidelines for building COVID-19 apps

The European Commission has unveiled guidelines for member states creating COVID-19 apps, with perhaps an attempt to prevent mission creep from private industry.

The document, which is available here, suggests the national health authorities take the leadership position in developing the applications, while another recommendation is to store data on devices wherever possible. Minimising data analysis, external storage and the role of private organisations are ways and means to maintain privacy principles but also reduce the risk of data breaches.

“This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic,” said Vice-President for Values and Transparency, Věra Jourová.

“Trust of Europeans will be key to success of the tracing mobile apps. Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional.”

Although the guidelines are relatively simple, such a tick-box exercise is critical to ensure the largest possible adoption rates. The apps will assist individuals regardless of how many people install them, however for the contact tracing features to be most effective in slowing the spread of COVID-19, downloads would have to reach critical mass. Oxford University researchers suggest this would be at least 60% of the population.

If any of the apps being discussed are to reach 60% penetration, privacy and security fears would have to be addressed, while legislation would have to be introduced to ensure such tracking activities do not become the new normality and data is not retained after the crisis.

In brief, the guidelines are as follows:

  • Downloading the app should be voluntary not compulsory
  • National health services should own the project and be responsible as the Data Controller
  • Data minimisation principles should be applied
  • GDPR principles of right to deletion should be adhered to
  • Data should be stored on user devices wherever possible
  • Consent should be applied to each element of the application not a catch-all opt-in at the beginning
  • Rules should be introduced for the deletion of collected raw data and the subsequent insight

There are of course multiple other nuances and elements included in the 14-page document, though should the above guidelines be adhered to and the role of private industry limited, trust could be instilled in the apps. Regardless of how elegant and sophisticated the apps are, the most important aspect is user adoption.

This is not the first time the world has faced a pandemic to this degree, but technology and insight are tools which we have never had at our disposal before. The contact tracing apps, to warn individuals of potential infection and educate on how to further prevent the spread, should be adopted by every nation. However, privacy and security concerns should not be ignored.

The technology and telecoms industry has a pretty poor record when it comes to privacy and security. Executives might point to policies and features to improve resilience, however these are almost always reactive additions rather than proactive ones. Considering the sensitive nature of the data being discussed in relation to these apps, this is the time to be overly cautious in applying privacy and security principles.