Netherlands named as Europe’s meanest GDPR henchman

The Netherlands has seen the most GDPR breach notifications reported to the regulator, but the spread of activity, or inactivity in some nations, is quite remarkable.

In the eight months since GDPR came into effect, law firm DLA Piper says regulators have been notified of breaches more than 59,000 times. The Netherlands, Germany and the UK have seen the biggest numbers of notifications, with 15,400, 12,600 and 10,600 respectively, though the new privacy status quo has not been embraced with such enthusiasm everywhere.

“GDPR has driven the issue of data breach well and truly into the open,” said Ross McKean, a partner at DLA Piper, “The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.”

The scale and depth of these breaches vary considerably, a mis-sent email there and a cybersecurity hack here, but the number does represent a significant shift in the tides; data breaches are now being taken seriously, or at least in some nations.

The table below covers the ten largest economies in the bloc, and the variance between them is striking.

Nation         Breaches in total   Breaches per 100,000 people
Germany                   12,600                          15.6
UK                        10,600                          16.3
France                     1,300                           1.9
Italy                        610                           0.9
Spain                        670                           1.3
Netherlands               15,400                          89.8
Sweden                     2,500                          24.9
Poland                     2,200                           5.7
Belgium                      420                           3.6
Austria                      580                           6.6

There are several possible reasons for the higher number of notifications in certain countries, one being the mix of industries present. For example, Ireland has the 4th largest number of notifications to the data watchdog (c.3,800) but only the 20th largest population of the 28 member states. It is also a country whose economy is dominated by the technology sector, and because many US technology firms have their European headquarters there, the Irish regulator is the lead supervisory authority for their cross-border breaches under GDPR's one-stop-shop mechanism.

This explains some of the variance, but not all of it. Take Italy, for example. It is the 4th largest economy in the bloc, but in the eight months since GDPR applied on May 25 the regulator was notified of only 610 data breaches. There are two possible explanations for such a low figure:

  • Italian businesses have some of the most advanced data protection policies and mechanisms worldwide
  • The culture of owning mistakes and reporting data protection and privacy inadequacies is almost non-existent in the country

We have made the Italians the centre of this point, but there are quite a few who would fall into this category of (a) squeaky clean or (b) don’t care about GDPR. Spain has 670 breach notifications to the regulator, Belgium 420, Greece 70, Cyprus 35 and Liechtenstein 15.

Although GDPR has certainly made promising steps forward in forcing a more privacy-oriented society and economy, the issues will persist unless the same stringent attitude is adopted across the board. Given the fluid, borderless nature of the digital economy, a weak link in the chain can cause disruption everywhere. All economies are interlinked, make no mistake about that.

Interestingly enough, momentum will gather as the digital economy becomes more complex. Security and data protection are still not high enough priorities on the corporate agenda, although trends are heading the right direction. Breaches will still continue to occur, and fines will start to get very large.

GDPR violations carry a maximum penalty of €20 million or 4% of global annual turnover, whichever is higher. Regulators can reduce a fine where the breach is reported in a timely manner (the regulation requires notification within 72 hours of the organisation becoming aware of it, where feasible) and the company cooperates. However, fines to date have not reached this magnitude, largely because the incidents occurred before GDPR applied. Any breach which occurred after May 25 will be met with a much sharper stick than previously.

For example, Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Around 147 million people were affected by the Equifax data breach of 2017, yet the maximum fine the UK's Information Commissioner's Office (ICO) could impose under the Data Protection Act 1998 was £500,000, which is what it levied. Under GDPR the ceiling would have been the greater of €20 million or 4% of global annual turnover.

GDPR took Europe into the 21st century when it comes to data protection and privacy. It forced companies and regulators to take a more stringent approach to the security of personal and corporate information. Despite the pain everyone had to endure to be GDPR-compliant, it should only be viewed as a good thing.

Data breaches are almost certainly going to continue, but one thing you can guarantee is the numbers are going to be getting a lot bigger.

US Government and Big tech on collision course over backdoor entry

Attorney General William Barr has suggested Apple has not offered ‘material’ assistance as authorities investigate the deadly shooting which took place at a Pensacola naval base last month.

Although Apple disputes Barr's claim, the conflict between the firm and the Attorney General's office sets the technology industry on a collision course with the Government. Barr appears to be calling for backdoors to be built into digital products and services, a move which has been robustly opposed by the technology industry.

“We have asked Apple for their help in unlocking the shooter’s iPhones,” Barr said during a press conference. “So far Apple has not given us any substantive assistance.

“This situation perfectly illustrates why it is critical that investigators be able to get access to digital evidence once they have obtained a court order based on probable cause. We call on Apple and other technology companies to help us find a solution so that we can better protect the lives of Americans and prevent future attacks.”

Apple rejects the statement and has claimed it has assisted in the investigation.

“We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation,” Apple said in a statement.

“Our responses to their many requests since the attack have been timely, thorough and are ongoing. We responded to each request promptly, often within hours, sharing information with FBI offices in Jacksonville, Pensacola and New York. The queries resulted in many gigabytes of information that we turned over to investigators. In every instance, we responded with all of the information that we had.”

Apple has not unlocked the devices, but some information can be obtained without doing so. Data synced to iCloud, including standard device backups, is (at the time of writing) encrypted with keys that Apple holds, so Apple can produce it in response to legal process, as it has done in other cases; this is distinct from data that exists only on the locked device itself.

Over the first six months of 2019, Apple received numerous requests from the US Government for customer information and data. The table below outlines the requests.

Request type           Requests received   Percentage where data was provided
Device                             4,796                                  84%
Financial Identifier                 918                                  81%
Account Identifier                 3,619                                  90%
Emergency                            206                                  90%

For device requests, the Government supplies device identifiers such as a serial number or IMEI. Examples of financial identifiers are credit card or gift card details. An account identifier could be the customer's Apple ID or email address. 'Emergency' describes requests from a government agency seeking customer data in an emergency situation.

The Apple statement also reiterated its position on privacy:

“We have always maintained there is no such thing as a backdoor just for the good guys. Backdoors can also be exploited by those who threaten our national security and the data security of our customers.”

This is an argument which has reared its head numerous times, and it does appear the pieces are falling into place for it to do so once again.

Apple has regularly criticised governments for demanding that police and intelligence agencies be given access to phones. In 2016, Apple refused to comply with a court order to assist the FBI in unlocking an iPhone belonging to one of the two attackers who killed 14 people in San Bernardino in December 2015; the order would have required Apple to build a modified version of iOS that disabled the passcode-attempt limits, and the FBI eventually accessed the device with third-party help and had the order vacated. The firm has consistently argued on privacy grounds, apparently not wanting to set a precedent for future cases.

And while these two cases have focused on the security measures embedded on devices, the services industry has also found itself in conflict in a very similar fashion.

Over the course of 2017, the then-Home Secretary Amber Rudd launched a sustained attack on the technology industry in an attempt to force the creation of backdoors into messaging services such as WhatsApp. The prevention of terrorism and child abuse was used as justification for breaking the protection offered by end-to-end encryption, but the industry refused demands to create backdoors to circumvent those security features.

Rudd even went as far as to state users do not care about security, but use these messaging applications for simplicity and convenience.

Barr is not taking the same simple-minded and short-sighted approach as Rudd, but this could be viewed as a challenge. What we could see over the coming months is the US Government heading into conflict with the technology industry once again over access to data on secured products and in encrypted services.

What is worth noting is that there are very valid arguments on both sides of the fence. Governments and regulators should be entitled to enlist the assistance of the technology industry in combatting crime, whereas the technology industry should also be able to draw a line through ideas which would create collateral damage.

The creation of backdoors and designed weaknesses in security features is not something which should be considered. Technology companies, whether software or hardware, have designed security features to be robust enough that not even the manufacturer or developer can circumvent them: an iPhone's passcode-derived encryption keys are handled by the Secure Enclave, which enforces the escalating delays between attempts that a brute-force attack would need to defeat. This ensures security but also prevents abuse.

If backdoors are inserted, that is vulnerability by design. It is effectively waving a red flag in front of the hacker community, inviting them to find the weakness. Access to an individual's phone or WhatsApp account is a valuable prize, and whether by accident or design, the weakness will eventually be found and exploited.

This is not a viable solution for the sustained health of the digital economy, but this fact directs Big Tech and the US Government on another collision course over access. This is a battle which has been fought before and won by no-one, but it is once again on th

Privacy International leads revolt over Android ‘bloatware’

Privacy International is leading a coalition of more than 50 organisations demanding that Google, which controls Android, offer users the ability to delete any and every app from their device.

Almost every device ships with several apps that are largely redundant. These pre-installed applications are known as 'bloatware', and often there is no way for the user to remove them. The open letter spearheaded by Privacy International calls on Google to end the practice and give users complete control over which applications remain on the device.

“We, the undersigned, agree with you [Google CEO Sundar Pichai]: privacy cannot be a luxury offered only to those people who can afford it,” the letter states.

“And yet, Android Partners – who use the Android trademark and branding – are manufacturing devices that contain pre-installed apps that cannot be deleted (often known as ‘bloatware’), which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent.”

‘Bloatware’ applications are largely harmless on the surface. Generally, they sit there not doing much, but the issue being raised by Privacy International and its followers is what is going on in the background.

Quoting a paper written by several academics, the coalition claims these applications collect data in the background, largely without the user's knowledge, and hold 'privileged custom' permissions that would not usually be granted by the Android security framework. These include access to the device's microphone and camera.

Interestingly, the paper also claims that while the devices carry the 'Google Play Protect' badge, 91% of these pre-installed applications do not appear in the Google Play Store. That bypasses the review Google applies to store apps and therefore undermines the integrity of the 'Google Play Protect' credentials.

The letter is calling for several changes to the dynamic, most notably:

  • Users should be able to permanently delete any application
  • Pre-installed apps should face the same scrutiny as other apps
  • Pre-installed apps should have some sort of update mechanism
  • Google should refuse to certify devices unless manufacturers make changes to reinforce privacy credentials and protections
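A practical check that a device owner or auditor can run against the concerns above, as an added example that is not Privacy International's code nor code from the paper the letter cites: it parses the output of the real `adb shell dumpsys package` command (the excerpt embedded below is constructed for offline use and only mimics the shape of that output; the package names are invented), flags pre-installed packages that hold camera, microphone or location permissions, records whether each came through Google Play (and so receives store updates), and emits the `pm uninstall -k --user 0` commands that hide the flagged packages for the primary user.

```python
"""Triage pre-installed ("bloatware") Android packages from a `dumpsys package` dump.

Added example, not code from Privacy International or the cited paper.
Obtain real input with `adb shell dumpsys package > dump.txt`. SAMPLE_DUMP is a
CONSTRUCTED excerpt that mimics the shape of the real output (codePath=,
installerPackageName=, "<permission>: granted=true"); the exact layout varies
between Android versions, so the regexes may need adjusting on a given device.
"""
import re

# Permissions the open letter singles out (camera, microphone) plus location.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Partitions a package is pre-installed from, as opposed to user-installed (/data/app).
SYSTEM_PATHS = ("/system/", "/vendor/", "/product/", "/oem/", "/system_ext/")

# Constructed sample, not a real device dump: three packages with differing
# origins and permission grants.
SAMPLE_DUMP = """\
Packages:
  Package [com.android.chrome] (a1b2c3):
    codePath=/system/app/Chrome
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=false
  Package [com.vendor.weatherwidget] (d4e5f6):
    codePath=/system/priv-app/WeatherWidget
    installerPackageName=null
    install permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.RECORD_AUDIO: granted=true
      com.vendor.permission.TELEMETRY: granted=true
  Package [com.example.todo] (0a0b0c):
    codePath=/data/app/com.example.todo-1
    installerPackageName=com.android.vending
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
"""

PKG_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]", re.MULTILINE)
GRANTED = re.compile(r"([\w.]+): granted=true")


def parse_packages(dump):
    """Split the dump at each 'Package [name]' header and extract the fields we need."""
    headers = list(PKG_HEADER.finditer(dump))
    records = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(dump)
        body = dump[m.end():end]
        code = re.search(r"codePath=(\S+)", body)
        installer = re.search(r"installerPackageName=(\S+)", body)
        records.append({
            "package": m.group(1),
            "code_path": code.group(1) if code else "",
            # "null" means nothing installed the package: it shipped in the image.
            "installer": None if not installer or installer.group(1) == "null" else installer.group(1),
            "granted": set(GRANTED.findall(body)),
        })
    return records


def flag_bloatware(dump, sensitive=SENSITIVE):
    """Return pre-installed packages that hold any of the sensitive permissions.

    updatable_via_store is False when no installer is recorded: the package did not
    come through Google Play, so it gets no store updates and skipped store review.
    """
    findings = []
    for rec in parse_packages(dump):
        preinstalled = rec["code_path"].startswith(SYSTEM_PATHS)
        risky = rec["granted"] & sensitive
        if preinstalled and risky:
            findings.append({
                "package": rec["package"],
                "code_path": rec["code_path"],
                "permissions": sorted(risky),
                "updatable_via_store": rec["installer"] is not None,
            })
    return findings


def disable_commands(findings):
    """adb commands that remove each flagged package for the primary user only.

    `pm uninstall -k --user 0` cannot modify the read-only system image: the app is
    hidden for user 0 and returns after a factory reset, which is exactly the
    'cannot be permanently deleted' complaint in the letter.
    """
    return [f"adb shell pm uninstall -k --user 0 {f['package']}" for f in findings]


if __name__ == "__main__":
    found = flag_bloatware(SAMPLE_DUMP)
    for f in found:
        print(f"{f['package']:32} store-updatable={f['updatable_via_store']}  "
              + ", ".join(f["permissions"]))
    print("\n".join(disable_commands(found)))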

What is worth noting is that Privacy International and similar organisations are lobby groups which often paint an apocalyptic view of the digital economy. Google can never do anything right in the eyes of this community.

That said, Google is often in hot water over privacy concerns.

Numerous executives have penned blog posts and opinion articles to push the importance of privacy both as a concept and an internal company value of Google. However, the odd scandal often emerges to undermine these PR efforts.

In November, Amnesty International argued that Google's surveillance-based business model abuses individuals' privacy rights. Its virtual assistant came under investigation after it emerged that human contractors were reviewing transcripts of conversations recorded by its smart speaker without the user's consent. In July, International Computer Science Institute (ICSI) researchers showed that numerous apps could circumvent Android's permission-based privacy protections. The Alphabet smart city initiative, Sidewalk Labs, has also come under intense privacy criticism.

What is clear is that Google's actions and the relationships it has in place are always of benefit to it as an organisation. The presence of 'bloatware' is by design, not an oversight, so Google will only back-pedal on the current arrangement begrudgingly. It may well be forced to under the weight of public criticism, but there will be plenty of rolls of the dice before it does.

Facebook gets a thumbs-up from privacy officials

The Advocate General to the Court of Justice of the European Union (CJEU) has said Facebook is not in violation of privacy rules in transferring data to US servers.

In a rare sign of approval from privacy officials, Facebook has won the backing of Advocate General Saugmandsgaard Øe, whose opinion is that the standard contractual clauses under which Facebook Ireland sends data to servers in the US are valid. The opinion was delivered in a case brought by Austrian privacy advocate Max Schrems.

Stripped of the legal jargon, Øe's opinion is that adequate protections exist to maintain the rights of European citizens when data is transferred from Facebook's Irish servers for processing in the US. Facebook Ireland and its US parent have signed agreements incorporating the EU's standard contractual clauses, which bind the importer to uphold the privacy rights of European citizens; the opinion also stresses that the exporter and the supervisory authority must suspend transfers where those clauses cannot be honoured in the destination country.

Although this is the opinion of the Advocate General and not binding on the CJEU, it is a very positive (and perhaps surprising) note for a company which so often flirts with privacy controversy.

For Schrems, this is not the most encouraging of signs. The CJEU is not bound to Øe’s opinion, but the courts rarely hold a different view to such high-ranking officials.

The case was initially filed in 2015 by Schrems, the man largely responsible for the downfall of the Safe Harbour mechanism governing trans-Atlantic data transfers. Schrems argued that, in light of the surveillance programmes revealed by Edward Snowden, the Irish data protection authority was falling short of its own responsibilities. As it had been shown that US intelligence agencies had access to data held by US companies, Schrems argued the privacy rights of European citizens could not be maintained if their data was transferred to the US.

With the downfall of Safe Harbour, the mechanism that had deemed US protections adequate, big questions were being asked. Schrems suggested that even with contractual clauses in place protections could not be maintained, and that there was little justification for transferring data to US servers in the first place.

Øe's opinion disagrees with these assertions. Firstly, the 'exporter' is responsible for putting appropriate protections in place, and secondly, the opinion accepts that the US Government may process some data under the banner of national security.

Schrems has been fighting Facebook and other internet platforms for years in an attempt to stop the flow of information across the Atlantic. He and other privacy advocates suggest this information is being used to aid US intelligence agencies in snooping on European citizens. While his actions were certainly successful in bringing down Safe Harbour, he has been less successful in arguing the invalidity of its replacement, Privacy Shield.

Data protection is, and will continue to be, a significant talking point in the increasingly digital world, though this is a case which will add some confidence in the internet platforms so many people blindly trust. The new digital world needs people like Schrems to hold Big Tech accountable, though it does appear this is a case where the internet giants are on the right side of the line.

MyData signs on first Finnish operator as battle for consumer data rights rages

MyData is not a company which many would have heard of, but it is one everyone should start to take notice of.

The concept of MyData is quite simple. It is a non-profit organisation which acts as the middle-man to collect and manage consumers' personal information and data: a single point of contact where a consumer can manage the flow, depth and breadth of personal data moving across the digital world.

Companies betting big on the data-driven world of tomorrow will not like organisations like MyData. It aims to take control of the data-driven digital world and hand it to the consumer.

This might sound like blue-sky thinking, but in signing up Finland's first operator, Vastuu Group, the idea is starting to spread.

“In today’s data-driven world it is important that the use of personal information is fluent and human-centric,” said Vastuu Group’s Deputy CEO Mika Huhtamäki. “Vastuu Group is a founding member of the MyData Global network. We want to build co-operation between different MyData operators and enhance sustainable data-based business.”

For the consumer, this is a very interesting and beneficial idea.

As it stands, the world is not educated on the dangers of the internet. There are still a vast number of unknowns, both in terms of how users could endanger themselves and what the consequence of lost/stolen/copied personal data actually is. Because of these unknowns, few people are appropriately guarded when engaging with the digital economy.

For example, your correspondent has recently downloaded an app called ‘WalkIn’, which allows the user to digitally stand in the queue at restaurants which do not allow bookings. It is a very good idea, though only when researching this article did your correspondent dig into the terms and conditions to understand where the collected personal information was heading and what it was being used for.

In this example, there was little consequence. WalkIn Limited is a company run out of Manchester, and while it collects far more information than the app needs to perform effectively, it does not appear to be engaging in any nefarious data sharing practices (although this is very difficult to judge from the outside).

This illustrates a point. How many applications have been downloaded by an individual without checking who the developer is, what information is being collected and where it eventually ends up? We suspect 99.99% of downloads (if not more) fall into this category.

Firstly, the user is not aware of the breadth, depth and type of personal information being handed over. Secondly, as few people could remember every single app they have ever downloaded, tracing this information to understand the consequences will be incredibly difficult.

With companies like Vastuu acting as guardians of personal information for the consumer, it is a logical step towards improving the safety of the internet and the digital economy. Under a new business model, “Authorisation as a Service”, companies like Vastuu would be a central point for the consumer, allowing data to be tracked and the companies that want to make use of it to be held accountable.

Theoretically, this is an attractive proposition for the health of the digital consumer, but for it to work, the developer community will also need to be engaged. This might be a bit trickier.

Data-driven technology companies are difficult beasts to pin down, especially those in the app economy. Few people would recognise the names of developer organisations, yet these companies control the personal information of unknown numbers of people. Regulation of the digital economy is at such an embryonic stage that auditing and reporting on the personal information held is almost non-existent. These companies are supposed to show they are safeguarding it properly, but few people peer inside the walled gardens.

This dynamic is largely by design. Facebook builds incredibly detailed profiles of its users to serve advertisers, and it is not alone. Sky in the UK has a platform called AdSmart which allows you to target adult women with two children, living in a semi-detached home in south-east London on a second mortgage, with a two-year-old BMW in the drive. Other developers sell information on to parties whose ambitions are rather more nefarious than promoting the latest lipstick shade.

In any case, sceptics and critics of the current digital economy will suggest these companies want to muddy the waters, since some consumers might refuse to engage once the curtain is drawn back on the data wizard. There is probably an element of truth to this, which perhaps explains why data intermediaries like MyData are not commonplace today.

MyData is an organisation which has the power to do immense good in the digital economy, but it will not be a simple path to success.

Europe needs better, not more regulation – A1 Telecom CEO

It certainly isn’t unusual for telcos to have a swipe at regulators, and they never miss the opportunity to do so.

The FT-ETNO Conference in Brussels is the perfect environment for passive-aggressive duelling between telcos and regulators. ETNO is of course an industry lobby group, so you have to take statements with a pinch of salt, but occasionally there are some valid points made.

“At the moment, I see quite an imbalance,” said Thomas Arnoldner, CEO of the A1 Telecom Austria Group. “I have full empathy with the complexity of the process, I do not envy you [European Commission] at all. The process is a very complex one.”

This is the conundrum being faced by regulators in certain regions. Technology is moving at a pace which is almost impossible for authorities to track. It is very easy to say regulations should be implemented more rapidly, but the democratic process is a stumbling block.

As Roberto Viola, Director General of DG Connect at the European Commission pointed out, European states operate as democracies. In dictatorships, regulation and legislation can be passed on a whim, but in more reasonable societies, rules need to be evidence-based. Once the building blocks of the rules have been established, the next step is the democratic process, taking the rules through the relevant parliamentary mechanism.

This creates a difficult equation to balance. Creating world-leading regulation takes time, GDPR took six years for example, but today’s society demands speed and to be proactive from the early stages of development.

“We don’t need less or more regulation, but we need better regulation which adapts to the society,” said A1's Arnoldner.

This is a consistent gripe for the telcos. Most regulation which dictates today’s state-of-play for this industry was written decades ago. It is restrictive in its nature and designed for an analogue era. Arnoldner believes some of the current clauses in the ePrivacy regulation, set to be introduced over the coming months, are equally restrictive. They are not designed as open rules, allowing regulation to adapt to the evolution of technology.

Not only does this create the same awkward regulatory landscape we live in today, where rules date from a bygone era, it might also inhibit innovation. Flexibility is key if Europe is to compete with the likes of the US, Korea and China in the global digital economy.

“We have to be there from the start to set the standards which have to be followed,” said Petra De Sutter, a member of the European Parliament and Chair of its Internal Market and Consumer Protection (IMCO) Committee. “We cannot set standards and regulation if the technology is already there.”

This is another perfectly valid point, and perhaps demonstrates the issue with regulation. The vast majority of regulations are designed for technologies which are already climbing the hype-curve. The foundations of these breakthroughs have been developed and innovators are focusing on fine-tuning; this is too late to have any material impact on the fundamentals of the technology.

These points raise an interesting question: if this dynamic continues, will regulation ever be fit for purpose?

European Parliament reprimanded by Data Protection Supervisor

The European Data Protection Supervisor (EDPS) has launched a data protection probe into the European Parliament for continued work with a US firm.

The firm in question, NationBuilder, processes data collected through websites run by the European Parliament for citizen engagement, but it has fallen short of European standards on data protection and privacy. This is the second reprimand handed to the European Parliament concerning NationBuilder.

The website placed under current scrutiny, thistimeimvoting.eu, collected personal data from more than 329,000 people who had an interest in European Parliament elections.

“Strong data protection rules are essential for democracy, especially in the digital age,” said Assistant EDPS Wojciech Wiewiórowski.

“They help to foster trust in our institutions and the democratic process, through promoting the responsible use of personal data and respect for individual rights. With this in mind, starting in February 2019, the EDPS acted proactively and decisively in the interest of all individuals in the EU to ensure that the European Parliament upholds the highest of standards when collecting and using personal data.”

Although the details are relatively thin for the moment, the EDPS's issue concerns the selection and approval of the sub-processors used by NationBuilder. The sub-processors have not been named, though the EDPS has stated that Article 29 of Regulation (EU) 2018/1725 is the rule in question; that article governs processors and requires them to obtain the controller's prior authorisation before engaging another processor.

Considering Europe’s position atop the data protection and privacy high-horse, this should be seen as quite an embarrassing incident. The European Parliament has taken a very condemning approach to those who flirt with data protection and privacy regulations, most notably Facebook and Cambridge Analytica. With this announcement from the EDPS, it does not appear the bureaucrats are listening to their own condemning words.

The collection and use of personal information around elections is of course a very relevant topic today, not only because of numerous scandals and accusations but also because of some very high-profile events on the horizon. The UK's General Election takes place in a matter of weeks, a second Brexit referendum remains a possibility, and campaigning for the US Presidential Election will hit full steam over the next couple of months.

Posturing and rhetoric regarding the importance of data privacy and the application of data analytics in a responsible manner are more prominent than ever, but it seems to be nothing more than statements of intent. Data protection and privacy scandals will perhaps never be a thing of the past.

Australia sues Google for misleading users over location data

The Australian Competition and Consumer Commission has taken Google to court over allegations that it misled consumers over the collection of their location data.

The ACCC alleges that, from at least 2017, Google broke the law by making on-screen representations to Android users that misled them about the location data Google collected or used when certain Google Account settings were enabled or disabled. In short, the ACCC claims Google gave users insufficient information to ensure their location data was not collected if they did not want it to be.

“We are taking court action against Google because we allege that as a result of these on-screen representations, Google has collected, kept and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice,” said ACCC Chair Rod Sims.

The problem is that Android has multiple settings that need to be adjusted if you do not want your location data collected, and the ACCC alleges Google did not flag all of them: its screens presented 'Location History' as the control, while a second Google Account setting, 'Web & App Activity', also allowed location data to be collected and stored. Some consumers will therefore have believed their location data was not being collected when it still was. At the very least, Google has been insufficiently clear with Android users about this.

Underlying a lot of the current wave of litigation towards internet giants is the desire by regulators and governments to retrospectively address the personal data land grab that characterised the first decade or so of the modern mobile device. Free services such as Android and Facebook have always sought payment in kind through the collection of personal data but have usually been very opaque in the ways they have gone about it. Regulators are now trying to shut the stable door after the horse has bolted.

Microsoft might be toying with European data protection compliance

The European Data Protection Supervisor has raised ‘serious concerns’ over whether Microsoft is compliant with data protection regulations.

The contracts in question are between the software giant and various European Union institutions which are making use of said products. The central issue is whether contractual terms are compliant with data protection laws intended to protect individual rights across the region from foreign bodies which do not hold data protection to the same standards.

“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” a statement reads.

“Similar risk assessments carried out by the Dutch Ministry of Justice and Security confirmed that public authorities in the Member States face similar issues.”

The preliminary findings from the European Data Protection Supervisor follow on from investigations taking place in the Netherlands and also changes to the Microsoft privacy policies for its VoIP product Skype and AI assistant Cortana. The changes were seemingly a knee-jerk reaction to reports contractors were listening to audio clips to improve translations and the accuracy of inferences.

What is worth noting is that Microsoft is not the only company which has been bending the definition of privacy with regard to contractors and audio clips. Amazon and Google have also been dragged into the hazy definition of privacy and consent.

The issue which seems to be at the heart of this investigation is one of arm’s length. While government authorities and agencies might hand over responsibility for data protection and privacy compliance to the cloud companies, the European Data Protection Supervisor is suggesting more scrutiny and oversight should be applied by said government parties.

Once again, the definition and extent of privacy principles are causing problems. Europe takes a much more stringent stance on the depth of privacy, as well as the rights which are afforded to individuals, than other regions around the world. Ensuring the rights of European citizens are extended elsewhere was one of the primary objectives of the GDPR, though it seems there are still teething problems.

“When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data,” the statement continues.

“Nevertheless, they remain accountable for any processing activities carried out on their behalf. They must assess the risks and have appropriate contractual and technical safeguards in place to mitigate those risks. The same applies to all controllers operating within the EEA.”

One development which could result in additional scrutiny is The Hague Forum, an initiative to create standardised contracts for European member states which meet the baseline data protection and privacy conditions set out. The European Data Protection Supervisor has encouraged all European institutions to join the Forum.

Although GDPR was seen as a headache for many companies around the world, such statements from the European Data Protection Supervisor prove this is not an area which can simply be addressed once and then forgotten. GDPR was supposed to set a baseline, and there will be more regulation to build further protections. Perhaps the fact that Microsoft is seemingly non-compliant with current regulations justifies the introduction of more rules and red tape.

Facebook starts taking data guardian role seriously

Facebook needs to get back in the good books of both regulators and the general public sharpish, and it seems it is taking a machete to the developer ecosystem to do so.

As part of the agreement with the Federal Trade Commission, Facebook has promised to create a more comprehensive oversight model for the development and implementation of apps on its platform, and it does seem to be taking its responsibility seriously this time around. Whether this prevents a repeat of the Cambridge Analytica scandal which kicked off the privacy debate remains to be seen, though it is making the right noises.

“Our App Developer Investigation is by no means finished,” said Ime Archibong, VP of Product Partnerships.

“But there is meaningful progress to report so far. To date, this investigation has addressed millions of apps. Of those, tens of thousands have been suspended for a variety of reasons while we continue to investigate.”

Although it is very difficult to figure out how many app developers and applications there are actually on the Facebook platform at any single point, Archibong has stated that 400 developers have been deemed to be breaking the rules. These 400 are responsible for the ‘tens of thousands’ of apps which have been suspended.

While this is a promising start from the social media giant, it will have to do a lot more. We struggle to believe the number of suspect app developers is as low as 400. There might be 400 in London, but worldwide it is going to be a number which is monstrously larger.

This is where Facebook will struggle to be the perfect guardian of our digital lives. With the number of developers and apps unthinkable, it will never be able to protect us from every bad actor. Whether best effort is good enough for the critics remains to be seen.

Dating back to March 2018, this is a saga which Facebook cannot shake off. The general public, politicians and regulators were all enraged by what can only be described as gross negligence from the social media giant. Rules were in place, though they were not nearly comprehensive enough, and rarely were bad actors put to the sword and held accountable.

This is what Facebook has to prove to its critics: it is a company which is responsible and can act as an effective guardian of the user’s personal information. It is currently being judged in the court of public opinion, a very difficult place to make any progress when the masses are baying for blood.

Although the Cambridge Analytica scandal is only part of the problem, it was the incident which turned the tides against the technology industry. Along with other privacy scandals and debatable business practices, Silicon Valley is being placed under the microscope and it is not working out well. Best case scenario for the likes of Facebook and Google is stricter regulation, though the worst outcome could see acquisitions reversed in the pursuit of increased competition and diluted influence at these companies.

This Facebook investigation is looking to identify the developers who are most likely to break the rules, though there are stricter guidelines being put in place. Archibong is suggesting many of the quiz apps which plague the platform will be banned moving forward, as many will be judged to collect too much information when measured against the value which they offer. Moving forward, these developers shouldn’t be able to get away with it.

This in itself is the problem; Facebook was asleep at the wheel. It created a valuable product and then started to count the cash. It didn’t evolve the rules as the platform grew into an entirely different proposition and it didn’t keep an eye on whether app developers were breaking the basic rules which it had in place anyway.

If Facebook’s quest continues on its current trajectory, the developer ecosystem might have to work a bit harder to access personal information. Apps with very limited functionality and value will not be granted access to the same treasure troves, while the team will also have to prove collecting personal information will improve experience for the user.

Another interesting point which was raised in the commitment is an annual review. Archibong is suggesting every app will be assessed on a yearly basis, and those who do not respond effectively to the audits will be temporarily suspended or banned.

It remains to be seen whether Facebook is doing enough to keep critics happy, though there is no such thing as being heavy-handed here. Facebook will have to take the strictest approach, overcompensating even, to ensure it regains the trust and credibility it threw away through inaction.