58% of UK business can’t detect IoT security breach – study

Digital security vendor Gemalto claims the IoT euphoria might be hitting the UK before it's ready, as research shows 58% of businesses are not able to detect a breach.

First and foremost, we need to put a disclaimer on this report. Gemalto is a security company and is thus incentivised to do its best scaremongering to drive revenues. The more scared companies are about potential data breaches, and the punishments which follow such incidents, the more likely they are to buy security software. Making the world a big, bad, horrible place is an effective marketing strategy for security vendors.

That said, considering the lax approach most of the industry takes towards security and data protection, we suspect many of the statistics being discussed are pretty accurate.

“The push for digital transformation by organisations has a lot to answer for when it comes to security and bad practices,” said Jason Hart, CTO of Data Protection at Gemalto. “At times it feels organisations are trying to run before they can walk, implementing technology without really understanding what impact it could have on their security.”

The most shocking figure from the report is that only 42% of UK companies are capable of detecting an IoT breach, with only France worse off at 36%. Considering the role IoT has been touted to play over the next few years as 5G hits the streets, this is an incredibly worrying statistic.

While spending on IoT security has increased from 11% of the overall IoT budget to 13%, you have to wonder what direction this money is heading in. Perhaps even more concerning for the companies involved is that 90% of them accept security will be a major buying motivator for customers. At least they are now aware that security can have a direct impact on revenues, a concept which has taken years to hammer home.

“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” said Hart. “With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”

IoT is set to be one of the biggest winners of the 5G bonanza, and the segment is also predicted to be the major catalyst for 6G. If the predictions are anywhere near accurate, 5G networks will soon be unable to cope with the strain of IoT, with the sheer number of 'things' connected to the network driving the case for 6G.

Looking at the predictions, IDC believes the IoT market will grow to be worth more than $1.2 trillion by 2022, with consumer devices expected to account for the largest share at 19%. Ericsson has forecasted the number of cellular IoT connections to reach 3.5 billion in 2023, increasing at a CAGR of 30%.

Security remains a major challenge for the industry, though the buzz around blockchain could provide a means of meeting consumer expectations. In the absence of regulation, Gemalto notes that adoption of blockchain technologies has doubled from 9% to 19% in the last 12 months, with 23% of respondents to the survey believing the technology would be an ideal solution for securing IoT devices. Of those not yet using blockchain, 91% are considering it for the future.

“Businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store,” said Hart.

“But while it’s positive they are attempting to address that by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to get this, businesses need to be putting more pressure on the government to act, as it is them that will be hit if they suffer a breach.”

While research like this does indicate security is becoming a more serious topic in the world of telecoms and technology, it also confirms there is a very wide gap to close. Security has long been the ugly duckling of the industry, with many seemingly choosing to ignore the challenges because they are too difficult to solve, though new regulations such as GDPR have perhaps forced the issue up the agenda.

Interestingly enough, should the telcos get serious about security there would certainly be a revenue generating opportunity to capitalise on. With cyber security incidents and data breaches becoming more prominent in the news, consumers are gradually becoming more aware of the risks of the internet and the emerging digital society. While the industry has played down the risk in recent years, the incidents speak for themselves.

An excellent example of turning this scenario into a business opportunity lies with Orange, the master of the convergence strategy. The team there has invested heavily in cyber security capabilities and now offers security services to customers as a bolt-on to its connectivity packages. The move has proven a success: while it is generally accepted that 100% secure is impossible nowadays, more people are willing to do something about their exposure.

Security is a topic which has always been in and around the news, but few want to do anything proactive about it. Unfortunately, with the perimeter expanding so rapidly as IoT penetration grows, these statistics are incredibly worrying. Perhaps regulators will get the chance to swing the GDPR stick before too long after all.

EU Advisor tells France to forget about global ‘right to be forgotten’

The Advocate General of the European Court of Justice has given his opinion on the 'right to be forgotten' conflict between France and Google, and it's good news for the 'do no evilers'.

Advocate General, Maciej Szpunar, has been pondering the implications of the ‘right to be forgotten’ saga for some months now, and the opinion is relatively simple; France does not have the right to impose its own considerations on a company which operates outside its jurisdiction.

The French regulator can force Google to de-list search results on the grounds of privacy in France, and generally across the EU, though it does not have the authority to impose itself on the company's worldwide footprint. As the Advocate General notes, the repercussions of such a ruling would have too much potential to cause damage in various other scenarios.

The case is somewhat of a tricky one, as it does have implications in the contentious world of privacy/free speech/accountability. And while the European Court of Justice does not have to follow the opinion of the Advocate General, it generally does.

“This is a really important case pitting fundamental rights to privacy against freedom of expression,” said Richard Cumbley, Partner and Global Head of Technology at law firm Linklaters. “The case highlights the continuing conflict between national laws and the Internet which does not respect national boundaries.

“The opinion contains a clear recommendation that the right to remove search results from Google should not have global effect. There are a number of good reasons for this, including the risk other states would also try and suppress search results on a global basis. This would seriously affect people’s right to access information.”

The case dates back to the early months of 2018, with the CNIL, France’s data protection watchdog, suggesting the search giant should have to enforce any ‘right to be forgotten’ rulings to all of its domains instead of just that of the home nation of the challenging regulator. Google, and various other free speech advocacy groups, have been suggesting France and the European Union are attempting to impose their own data privacy position on the rest of the world.

Looking at the ramifications, those of us who have more long-term considerations would certainly be thankful for Szpunar’s opinion. As Cumbley points out above, this case could be used as evidence by other nations to suppress free speech or opinions which are not in line with the political climate. Precedent is everything in the legal community, and while it hopefully does not intend to, France may be aiding more authoritarian governments by trying to impose its privacy demands on Google worldwide.

What is worth noting is that this opinion is not an official ruling from the European Court of Justice, though it does generally head in the same direction as the Advocate General.

Washington DC takes Zuckerberg to court

The Attorney General for the District of Columbia has filed a lawsuit against Facebook on the grounds of failing to protect users’ privacy and enabling one of the biggest digital scandals to date.

It was only going to be a matter of time before one of the Attorneys General took the opportunity to take Mark Zuckerberg and his cronies to court; the big question which remains is how many of them will do so. The Cambridge Analytica scandal might be old news in the eyes of the consumer nowadays, but the lawyers aren’t forgetting about it. Blood has been smelt and Washington DC is going to have the first bite.

“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” said Attorney General Karl Racine.

“Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”

The lawsuit itself relates back to the Cambridge Analytica scandal, focusing on Facebook’s failure to meet expectations and commitments when it comes to data protection and privacy, but also the firm’s role in allowing the 2016 Presidential Election to be manipulated. It’s the permission to use data, or lack thereof, which is the big issue here. The data was harvested through a third-party app and passed on to Cambridge Analytica, a political consulting firm, none of which users had consented to.

This is perhaps one of the biggest grey areas of the digital economy: while technology firms have streamed ahead in how data can be commercialised, rule makers have struggled to keep pace. Firms like Facebook have taken advantage of this regulatory void, but cases like this will aim to hold them accountable retrospectively.

This is one of the most difficult things about innovation. Because these firms are playing with new ideas for the first time there is no precedent to where the line between right and wrong should be. In most cases, this would be an effective defence, as while most governments will of course want to protect citizens, they will also want to encourage innovation and exploration. In this case however, Facebook might not be able to lean on this idea.

Recent documents released by the UK government demonstrate not only that Facebook was aware there might be unethical and illegal aspects to these practices, but that this knowledge went from the bottom to the top of the organization. The internal emails, which were secured by Six4Three during its own lawsuit against Facebook, paint a very deceptive and nefarious picture of the firm, with no regard for the opinion or privacy of the user.

Facebook is in a hole right now, which seems to be getting deeper and deeper. While it cannot shake off the Cambridge Analytica scandal, new controversies are being thrown at the platform, including the most recent claim. Rumbling through the world as we speak are claims Facebook granted certain technology companies, such as Netflix and Spotify, access to users’ private messages.

Facebook will of course end up in court, and considering it has admitted wrongdoing on several occasions, there will be heavy punishments laid out. One of the big questions which remain is how many of the Attorneys General across the US will bring their own lawsuits forward.

Facebook back on the ropes with more privacy punches

Facebook faces fresh questions surrounding data privacy, with reports emerging it granted partner companies access to users’ private messages with friends and family.

This is a company which is not helping itself but is looking increasingly suspect. The data and sharing economy does of course require users to make an exchange in order to receive free services, but the personalised advertising machine created by Facebook is starting to look scary. The detail which is known on users, and the apparent nonchalant approach the firm has to abuse of the platform, is starting to become very worrying.

Now we have one of the most worrying accusations. According to the New York Times, new documents have emerged suggesting Facebook granted permissions to advertisers which seemingly go far beyond the consent granted by users.

Among the accusations, sourced from internal documents, Netflix and Spotify were given the ability to read users’ private messages, while Bing was able to access all information about a user’s connections without specific consent. Amazon was given permission to obtain contact information through indirect connections, and Yahoo was allowed to view streams of friends’ posts. The Yahoo partnership can be traced back to this summer, long after Facebook had declared such practices had been ended.

Aside from the NYT investigation, one user has also taken the time to pen her frustrations after realising location controls on the platform made no difference to personalised advertising. Aleksandra Korolova turned off all available location services on Facebook, WhatsApp and Instagram, cleared location details off her profile, removed geo-tagging on photos, but was still receiving personalised ads based on recent movements.

“Reading Facebook’s explanations to advertisers provides insight into how this is done,” said Korolova in a Medium post. “Specifically, Facebook tells advertisers that it learns user locations from the IP address, WiFi and Bluetooth data.”

The illusion of control has been created, though Facebook is finding ways around user consent and loopholes to any commitments it has previously made.

The inability for Facebook to be transparent, clearly telling the user what is going on, is incredible. There are so many examples of this company misleading the general public, governments and regulators, they are becoming difficult to count. This is a toxic company which should not be trusted. We are struggling to believe any statement which the company is now making.

In response, Konstantinos Papamiltiadis, Director of Developer Platforms and Programs, has fallen back on Facebook’s standard response.

“…we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs,” said Papamiltiadis. “We’re already in the process of reviewing all our APIs and the partners who can access them.”

This seems to be Facebook’s new response to accusations which question whether it has acted ethically or legally; partially accepting responsibility and saying they will do better in the future. This is not a good enough answer anymore. It might have worked the first couple of times, but the repetition from Facebook executives just shows how little the company thinks about the general public. We are just assets to be traded in the pursuit of greater advertising revenues.

Privacy is a small hurdle; the grey expanses of technology regulation are too wide for this to be a problem. Facebook is making a mockery of the general public and the data privacy landscape.

Aussies determined to undermine security with anti-encryption law

Ten of the world’s largest tech brands have banded together to denounce a recent law passed by the Australian government which could be viewed as the first step towards a Big Brother government.

With the world turning against China and Chinese companies due to the threat of espionage, you have to question whether the Australians have a leg to stand on anymore, as personal privacy takes a heavy blow with this legislation.

The signs have certainly been worrying over the last 18 months. Australia might well be one of the first to pass such controversial legislation, but it is certainly not alone. France, Germany, the UK and the US have all made it clear they have ambitions to make our world less secure and less private with their own attempts. The privacy dam was set to burst, and the Aussies caved. Privacy has taken a step backwards down under.

The statement below, signed by Apple, Evernote, Dropbox, Facebook, Google, LinkedIn, Microsoft, Oath, Snap and Twitter, signals the opposition from the technology industry.

“One of the core principles of the Reform Government Surveillance coalition (RGS) is that strong encryption of devices and services protects the privacy and data security of our users, while also promoting free expression and the free flow of information around the world,” a joint statement declares.

“RGS has consistently opposed any government action that would undermine the cybersecurity, human rights, or the right to privacy of our users – unfortunately, the Assistance and Access Bill that was just passed through the Australian Parliament will do just that. The new Australian law is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities. RGS urges the Australian Parliament to promptly address these flaws when it reconvenes.”

The law itself will allow the Australian police to issue technical notices, compelling technology companies to assist the government to hack, implant malware, undermine encryption and even insert backdoors into security software. Those who resist would face financial penalties. The justified concerns with the legislation are two-fold.

Firstly, the idea of a backdoor, or of writing algorithms which allow encryption software to be undermined, completely defeats the purpose. The presence of such a feature should be seen as nothing more than a weakness in the software, a weak link in the chain. Whenever there is a vulnerability, nefarious individuals eventually find and exploit it. It is just a matter of time before cyber criminals identify these vulnerabilities, and it doesn’t matter how well they are hidden. It might happen after months of searching, or it might happen by accident.

Secondly, the law is flawed in that it is full of loop-holes and contradictions which leave it open to abuse and mission creep.

The initial remit of the technical notices will be for serious crimes, such as sex offences, terrorism, homicide and drug offences, though critics have pointed towards weak and vague language which opens the door for mission creep. And when there is an opportunity to push the boundaries of the acceptable, there are people who will do so.

Another example of the problematic rules is the difference between Technical Capability Notices (TCNs) and Technical Assistance Notices (TANs). Both are used to compel technology companies into assistance for pretty much the same exercises and violations of privacy, though TCNs require approval by the Attorney-General and a consultation period, and can only be used by the agency which submitted the request. TANs require none of this, yet can wield almost exactly the same power.

“As Government and Labor MPs work today to craft amendments to the Assistance and Access Bill, it appears that one of the biggest flaws in the proposed legislation will not be addressed,” said Communications Alliance CEO, John Stanton on the differences between TCNs and TANs.

These are only a couple of examples of the criticism which the bill has faced over the last couple of weeks, though even after public consultation (which attracted 15,000 comments) few amendments were made to the original draft before being passed into law.

“The Australian government has ignored the expertise of researchers, developers, major tech companies, and civil liberties organizations by charging forward with a disastrous proposal to undermine trust and security for technology users around the world,” the Electronic Frontier Foundation said in a statement.

“The issue isn’t whether the Australian government read the 15,000 comments and ignored them or refused to read them altogether. The issue is that the Australian government couldn’t have read the 15,000 comments in such a short time period. Indeed, the bill’s few revisions reflect this—no security recommendations are included.”

In the pursuit of making life easier for the Australian police force, the government has betrayed the consumer and made the digital landscape a haven for hackers. Well-implemented encryption is rarely defeated by attacking the cryptography itself, but the Australian government has just made life a lot easier for nefarious actors by mandating the deliberate introduction of weaknesses around it.

And this is without addressing the opportunity for abuse and violation of individuals’ human right to privacy.

There have been countless examples from around the world of individuals, either in private organizations or government agencies, failing to respect privacy rights when given the opportunity. Uber employees used the location tracking features of the app to stalk exes and celebrities, while Edward Snowden exposed how the NSA illegally undermined the privacy of its own citizens.

The Australian government has not done anywhere near enough to ensure the rights of citizens will be maintained, or that actions will be entirely justified. This is a very worrying sign for the world, especially with the likes of the US and UK watching very carefully.

Australia is part of the Five Eyes intelligence fraternity, which traces its origins back to the 50s. This intelligence alliance, comprising Australia, Canada, New Zealand, the UK and the US, generally works hand-in-hand when it comes to intelligence and security, and its members tend to implement very similar legislation. With Australia setting the pace in making the world a less safe place, it would not be a surprise to see the other nations follow suit.

International politics is generally like a set of dominoes. All ‘Western’ governments have similar laws, and when one breaks rank, usually it either back-tracks or the rest get in line. In this case, with governments around the world all showing Big Brother ambitions, we suspect it might not be too long before more of these bills are being discussed elsewhere.

Zuckerberg absent again; Facebook doesn’t seem to want to help itself

Facebook is a company which is consistently under fire for a rap sheet which seems to grow longer with each passing day, but you have to wonder why it keeps compounding the problem by irritating lawmakers.

A picture speaks a thousand words, and the tweet below is giving a very simple message to the world; Facebook is bigger and more important than your feeble politicians.

Of course, the company will contest this interpretation, insisting it is doing everything possible to help politicians understand how they can build a bigger and brighter digital world, but with CEO Mark Zuckerberg continuing to ignore calls to attend examinations, there is a bit of a contradiction appearing. All he is doing is agitating politicians and offering up ammunition for haters to attack the platform and its executives.

Some might suggest, as Lord Richard Allan, Facebook’s Director for Policy in Europe, has done, that Zucks cannot commit to every request. He has attended a couple, though the Digital, Culture, Media and Sport (DCMS) Committee has played a blinder here. It has ensured the representatives of nine nations, representing almost 500 million people, are all in the same place at the same time. Surely Zucks could squeeze this one into his schedule, as it is much more efficient? No, apparently not.

What we are seeing at the moment is a game of chess, and Facebook is losing. The rules are going to change in the future, governing how companies like Facebook can make money, and the longer Zuckerberg continues to irritate legislators and regulators with his absence, the less influence Facebook will have in crafting these rules. This short exchange between Lord Allan and Chairman of the DCMS Committee Damian Collins demonstrates this point very well:

Collins: I put it to you that you have lost the trust of the international community to self-police and that we have to start looking at a method of holding you and your company to account, because Mr Zuckerberg, who is not here, does not appear willing to do the job himself.

Lord Allan: Again, I am going to agree with you. One of the areas that I am working on right now is precisely to understand the kind of regulatory framework that is in everyone’s interest. We have accepted, and Mr Zuckerberg has said himself that we accept, that this requires a regulatory framework and action by responsible companies like ours. It is the two in tandem, and as we go on to discuss false news and elections, I think the regulatory piece is going to be a really important part of that.

Collins: I don’t think it is up to Facebook to determine what regulatory structure it should be under. It should be up to Parliaments to determine that and that is why we are here.

This short exchange demonstrates the position Facebook is walking itself into. In years gone by, when people liked and trusted Facebook, the team might have been able to influence the regulation which dictated how the business could be run. But scandals and a persistent insistence on irritating politicians have changed this. Facebook is being pushed outside the tent, the politicians are building the case against the company, and it doesn’t seem to want to repair the broken bonds.

Every single time Zuckerberg refuses to attend one of these sessions he is giving the impression that such tasks are below him. Send one of the minions instead, with prompt cards emblazoned with “I’ll get back to you on that one”. That is a phrase which has been consistently repeated, though as several of the politicians in this affair pointed out, Facebook is going to have to get back to them eventually. They won’t simply forget and move on to the next scandal.

Ian Lucas, another MP on the committee, pointed out Zuckerberg had promised the US Senate Committee a list of companies Facebook had banned due to violations of the platform’s rules. This promise was made months ago and the list is yet to emerge. The “I’ll get back to you on that one” answer has run its course, and will just become another irritation to the politicians. Soon enough Facebook will have to deliver on its promises.

This scandal is growing day-by-day and the Facebook public relations team is looking woefully underqualified. The absence of Mark Zuckerberg has been well documented here, but all it is doing is compounding the political and PR sh*t-storm which is swirling around the company. Politicians are building the public hatred and mistrust towards the brand, and Zuckerberg is burying his head in the sand.

Uber feels sharp(ish) end of Dutch and British stick

Following a data breach which exposed personal information of roughly three million European customers, Uber has been fined over £900,000 by Dutch and British authorities.

£900,000 does sound like a lot of cash, but let’s just put it into perspective for the moment. In the Netherlands, details of 174,000 customers and drivers were hacked, resulting in a €600,000 (roughly £532,000) fine, while the punishment for leaking details of 2.7 million customers and drivers in the UK was £385,000. In the US, where the exposure was admittedly significantly higher, Uber had to fork out $148 million. The numbers aren’t exactly consistent.

Uber should certainly consider itself lucky the incident occurred prior to the implementation of GDPR, though the fines simply demonstrate how important the new rules are in enforcing data protection requirements. Under today’s rules, Uber could potentially have been fined up to 4% of global annual turnover, and we suspect the fact it tried to cover up the incident would have meant it was held fully accountable.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said Information Commissioner’s Office Director of Investigations, Steve Eckersley. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

While many found the implementation of GDPR a nightmare, this is an incident which demonstrates why new data protection rules were completely necessary. In our opinion, Uber got off lightly considering the severity of the breach and subsequent efforts to cover up the hack with ‘hush-money’.

Once the breach was discovered, Uber tried to sweep the incident under the rug. Instead of reporting the breach to authorities, customers and drivers, it paid the hacker $100,000 in exchange for a promise that the data, which had been downloaded from a cloud-based storage system operated by Uber’s US parent company, would be deleted and that the hacker would keep quiet. As with all of these incidents, the truth eventually emerged. Here, it took a full year.

Both the Dutch data protection authority’s and the ICO’s investigations found the breach could have been avoided if basic and appropriate data protection practices had been followed. Under GDPR, a company is obliged to notify the relevant data protection authority within 72 hours of becoming aware of a breach, and doing so can mean the harshest fines are avoided. If a company co-operates and is able to demonstrate it has put acceptable protections in place, authorities will not punish it in the strictest of terms.

This is an aspect of GDPR which we like. Rule makers have accepted there is no such thing as 100% secure, and have created a framework with in-built sympathy for those cases which cannot be avoided. As long as a company is proactive and honest, authorities are willing to work alongside industry to make customers and employees more secure.

This is not an example of this perfect scenario however. Uber acted completely irresponsibly and is incredibly fortunate the incident occurred during a time when data protection rules and punishments were woefully outdated. The whole incident does leave two questions remaining however…

Firstly, how many more incidents have there been which have been swept under the carpet, as we can almost guarantee there will be a few, and secondly, will the EU hold the guilty parties fully accountable to GDPR punishments? We need to know whether authorities are prepared to swing the very sharp stick GDPR hands them.

Google faces GDPR complaints over user location tracking

Seven privacy advocacy groups will be reporting Google to their relevant data protection authority, claiming the firm is violating GDPR through location tracking of users.

Forbrukerrådet (Norway), Consumentenbond (The Netherlands), Ekpizo (Greece), dTest (Czech Republic), Zveza Potrošnikov Slovenije (Slovenia), Federacja Konsumentów (Poland) and Sveriges Konsumenter (Sweden) will all file complaints, while vzbv in Germany is considering action for an injunction and the Transatlantic Consumer Dialogue will bring it to the attention of the Federal Trade Commission. This is of course not the first time Google has faced complaints in the EU over privacy, but the volume here might cause a headache.

The complaint is a simple one. Even if a dataset has been anonymised by Google, detailed information on a user’s location can make the anonymisation irrelevant, while in-depth and personal insights can be learned, violating the user’s right to privacy. For example, if a smartphone is stationary for eight hours at the same place every night, it would be a fair assumption that this is the home address of the person, while learning which bars they visit could give away the sexual orientation of the individual.

Not only can these insights be used for personalised advertising, but the data can be sold on to other companies to dictate what services are sold to that individual and at what price. An insurance company could raise premiums for someone who never visits the gym, but this is not personal information which the individual has given permission to be released. Some would argue it is an invasion of privacy; others would suggest it is statistical science and fair game.

One of the complaints being made against Google is the lack of transparency. Yes, Google has made the consumer aware that it collects information when the opt-outs in the ‘location history’ settings tab are left unaltered, though it has not made the user aware that this opt-out could be irrelevant. By using other apps and services, the user sends Google location data in any case. Once it is said out loud it should seem obvious: even if you have opted out, when you want to use the Maps app you will have to send Google your location. But the slight contradiction has the capacity to confuse users, and this is not what many would consider complete transparency.

“Google’s practices leave consumers very little choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising,” European privacy group BEUC said in a statement. “BEUC and its members argue that these practices contradict basic principles of the GDPR, such as the lawfulness, transparency and fairness of processing, and infringe on data subject’s rights such as the right to information. In our assessment Google notably lacks a lawful legal ground for processing the location data in question.”

There will of course be investigations over the next couple of months, and we suspect more complaints will be filed in the near future, but this will be a test of GDPR. As a reminder, the largest fine which the EU can impose is 3% of annual turnover. Google might have been able to swallow previous fines from the EU, but this one will be a bit more difficult to justify.

Privacy International lines up US firms for GDPR breaches

UK data protection and privacy advocacy group Privacy International has submitted complaints to European watchdogs suggesting GDPR violations at several US firms including Oracle, Equifax and Experian.

The complaints have been submitted to regulators in the UK, Ireland and France, bringing the data broker activities of Oracle and Acxiom into question, as well as ad-tech companies Criteo, Quantcast and Tapad, and credit referencing agencies Equifax and Experian. The complaints are specifically focused on the depth of personal data processing, which Privacy International believes violates Articles five and six of the General Data Protection Regulation (GDPR).

“It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect,” a Privacy International statement read. “Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.

“Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, they are on the whole non-consumer facing and therefore rarely have their practices challenged.”

The GDPR Articles in question relate to the collection and processing of information. Article Five dictates that a company has to be completely transparent in how it collects and processes information, and also in the reasons for doing so. Reasonable steps must be taken to ensure data is erased once the purpose has been fulfilled; this is known as data minimisation. Article Six states that a company must seek consent from the individual to collect and process information for an explicit purpose; broad-brush collection, storage and continued exploitation of data is being tackled here.

In both articles, the objective is to ensure companies are specific in their collection of personal information, and that it is used in a timely manner and then deleted once it has served its purpose. These are two of the articles which will hit the data-sharing economy the hardest, and it will be interesting to see how stringently GDPR will be enforced if there is any evidence of wrongdoing.

This is where Privacy International is finding issue with the firms. The advocacy group is challenging the business practices on the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy, and integrity and confidentiality. It is also requesting further investigations under Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection by design and default) and Article 35 (data protection impact assessments).

While GDPR sounds very scary, the reality is that no-one has been punished to the full extent of the regulation yet. This might be because every company has taken the guidance on board and is operating entirely within the legal parameters, though we doubt this is the case. It is more probably a case of no-one having been caught yet.

The threat of a €20 million fine, or one of up to 3% of a business’ total revenues, is nothing more than a piece of paper at the moment. If there is no evidence, or fear, that authorities will punish to the full extent of the law, GDPR doesn’t act as much of a protection mechanism or a deterrent. When a genuine violation of GDPR is uncovered, Europe needs to bare its teeth and demonstrate there will be no breathing room.

This has been the problem for years in the technology industry: fines have been dished out, but there has been no material impact on the business. The staggering growth of revenues in the industry has far exceeded the ability of regulators to act as judge and executioner. Take the recent fines for Apple and Samsung over planned obsolescence in Italy. The $10 million and $5 million fines for Apple and Samsung would have taken 20 and 16 minutes of revenue respectively to pay off. This is not good enough.

Regulators now have the authority to hold the suspect characters in the industry accountable for nefarious actions concerning data protection and privacy, but they have to prove themselves capable of wielding the axe. Until Europe shows it has a menacing side, nothing will change for the better.

Facebook referred to EU over suspect tracking methods

The UK’s Information Commissioner’s Office (ICO) has referred an investigation into Facebook to the EU’s lead data protection watchdog over concerns about how the internet giant is tracking users.

The investigation, which was initially launched in May 2017, is primarily focused on the Cambridge Analytica scandal, though this might only be the tip of the iceberg for Facebook. Aside from fining the social media giant, the ICO has referred the case to the Irish Data Protection Commission, as the lead supervisory authority for Facebook under the General Data Protection Regulation (GDPR). As you can see below, Cambridge Analytica might only be the beginning of Facebook’s headache.

“Since we began, the scope of our investigation has extended to 30 organisations, we have formally interviewed 33 individuals and are working through forensic analysis of 700 terabytes of data,” said Information Commissioner Elizabeth Denham. “In layman’s terms, that’s the equivalent of 52 billion pages.

“Now I have published a report to Parliament that brings the various strands of our investigation up to date. It sets out what we have found and what we now know. But it is not the end. Some of the issues uncovered in our investigation are still ongoing or will require further investigation or action.”

Those who practise the dark arts of hyper-targeted advertising rarely explain what information is specifically held, or how detailed a picture is being built up from primary-sourced data and third-party sources. Few have a genuine understanding of the complexities of these advertising machines, though this is the foundation of various investigations. Transparency is the key word here, with many wanting the curtain to be pulled aside and the mechanics explained.

The fine is clear evidence the ICO is not happy with the state of affairs, though the continuation of the investigation and the referral to the EU overlords suggests there are more skeletons to be uncovered in between Zuckerberg’s V-neck jumpers and starch-ironed chinos.

“We have referred our ongoing concerns about Facebook’s targeting functions and techniques that are used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the IDPC,” said Denham.

The initial focus of the investigation might have been political influence, but the more details emerge, the less comfortable pro-privacy bureaucrats in Brussels are likely to feel. Regulating the slippery Silicon Valley natives has always been a tricky job, but with the Facebook advertising machine becoming increasingly exposed, the rulebook governing the data-sharing economy might well be in need of a refresh.