Nokia-branded phones sent personal data from Norway to China

Norwegian media is reporting that private data of Nokia 7 Plus users may have been sent to a server in China for months. Finland’s data protection ombudsman will investigate and may escalate the case to the EU.

Henrik Austad, a Nokia 7 Plus user in Norway, alerted the Norwegian public media group NRK in February when he noticed every time he powered on his phone it would ping a server in China and batches of data would be sent. The data included the phone’s IMEI numbers, SIM card numbers, the cell ID of the base station the phone is connected to, and its network address (the MAC address), and they have been sent unencrypted. Investigation by NRK discovered that the recipient of the data is a domain (“http://zzhc.vnet.cn”) belonging to China Telecom.

Nokia 7 Plus pinging China server

Because HMD Global, the company behind the Nokia-branded phones that was set up by former Nokia executives and has licensed the Nokia brand, is a Finland-registered company, the news was quickly brought to the attention of Reijo Aarnio, Finland’s data protection ombudsman . “We started the investigation after receiving the news from the Norwegian Broadcasting Company (NRK) and I also consulted our IT experts. The findings showed this looks rather bad,” Aarnio said.

When talking to the Finnish state broadcaster YLE and the country’s biggest broadsheet newspaper Helsingin Sanomat (HS), the ombudsman also raised a couple of serious concerns he said he would seek clarifications from HMD Global early next week:

  • Are the users aware that their personal data are being transferred to China?
  • On what legal ground, if any, are personal data transferred outside of the EU?
  • Have corrective actions been taken to prevent similar cases from happening again?

Earlier when writing to NRK, Aarnio said his first thought was this could be a breach of GDPR, and, if true, the case would be brought in front of the European Union. (Although Norway is not a EU member state, Iceland, Liechtenstein, and Norway, the three EEA countries which are not part of the EU, agreed to accept GDPR two months after it came into effect in the EU.)

Replying to Telecoms.com’s enquiry, HMD Global, through its PR agency, sent this statement:

We can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed and no person could have been identified based on this data. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it.

Collecting one-time device activation data when the phone is taken first time into use is an industry practice and allows manufacturers to activate phone warranty. HMD Global takes the security and privacy of its consumers seriously.

Jarkko Saarimäki, Director Finland’s National Cyber Security Centre (Kyberturvallisuuskeskus), which offered to support the ombudsman if needed, raised another point while talking to YLE, “In cases of this kind, the company should report the case to the Office of the Data Protection Ombudsman (tietosuojavaltuutetun toimisto) and inform the customers of the data security risk.” It looks what HMD Global has done is exactly the opposite: it quietly fixed the issue with a software update.

What exactly happened remains unclear, but the investigation from NRK may shed some light. Further research into the data transfer took NRK investigators to GitHub, where they discovered a set of code that would generate data transmission similar to that on the Nokia 7 Plus in question, and to the same destination. This code resides in a subfolder called “China Telecom”. On the same level there are also subfolders for China Mobile, China Unicom as well as other folders for different purposes. Henrik Lied, the NRK journalist who first reported the case, shared with Telecoms.com this subfolder structure that he captured on GitHub:

GitHub snapshot

Closer analyses of the code in question on GitHub by Telecoms.com seem to have given us a bit more insight. This is what we assume has happened: HMD Global or its ODM partner sourced the code from a developer by the GitHub username of “bcyj” to transfer user data when a phone on China Telecom network is started. But, by mistake, HMD Global has loaded this set of code on a number of Nokia 7 Plus meant for Norway (“our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus”). When it realised the mistake by whatever means HMD Global released a software update to overwrite this code.

Incidentally it looks the code was originally written for a Chinese OEM LeEco (which is largely defunct now) whose product, e.g. the Le Max 2, was running on the Snapdragon 820 platform with the MSM8996 modem. The modem was later incorporated in the mid-tier platform Snapdragon 660 which powers the Nokia 7 Plus.

There are still quite a few questions HMD Global’s statement does not answer.

  • How many users have been affected? And in what countries? The award-winning Nokia 7 Plus is one of the more popular models from HMD Global, and it is highly unlikely a batch of products were specifically made for the Norwegian market with its limited size. Could the same products have been shipped to other Northern European markets too?
  • Is China Telecom the only operator in China that requires phones on its network to be equipped with a software that regularly sends personal data? We do not find similar programmes under the China Mobile or China Unicom subfolders on the same GitHub location.
  • Is HMD Global the only culprit? Or other OEMs’ products on China Telecom network and on the same Qualcomm modem are also running the same script every time the phone is powered on, but they have not made the same mistake by mixing up regional variants as HMD Global did?
  • On what ground could HMD Global claim that the recipients of the data or any other parties who have access to the data (as they are sent unencrypted), will not be able to identify the individuals (“no person could have been identified based on this data”)? To defend itself, in its statement to NRK, HMD Global referred to the Patrick Breyer vs Bundesrepublik Deutschland case when the Court of Justice of the European Union (CJEU) ruled that whether a certain type of data would qualify as “personal data” should generally need to be assessed based on a “subjective / relative approach”. In the present case HMD Global seems to be arguing that the recipients of the data sent from the phones are not able to establish the identities of the users. It may have its point as China Telecom (or other identities in China that receive the data) does not have the identity information of the users. However, this is a weak defence. The CJEU sided with the German Federal Court of Justice because the point of dispute was dynamic IP only, and the court deemed “that dynamic IP addresses collected by an online media service provider only constitute personal data if the possibility to combine the address with data necessary to identify the user of a website held by a third party (i.e. user’s internet service provider) constitutes a mean “likely reasonably to be used to identify” the individual”, as was summarised by the legal experts Fabian Niemann and Lennart Schüßler. In the HMD Global case, however, a full set of private data were transmitted, not to mention transmitted unencrypted.
  • On what evidence did HMD Global claim that the data transmitted has not been processed or shared with third parties?

To be fair to HMD Global, this is not the first, and by no means the biggest data leaking incident by communication products. For example the IT and communication system at the African Union headquarters, supplied and installed by Huawei, was sending data every night from Addis Ababa to Shanghai for over four years before it was uncovered by accident. Huawei’s founder later claimed that the data leaking “had nothing to do with Huawei”, though it was not clear whether he was denying that Huawei was aware of it or claiming Huawei was not playing an active role in it.

EE takes step towards content aggregator model

Content is a tricky topic to discuss around EE and BT, such is the scale of the disaster over the last few years, but a tie up with Amazon Prime and MTV Play is a step in the right direction.

The new content offer will see EE customers receive six-month memberships to both Amazon’s Prime Video service and MTV Play. The news starts to make a more comprehensive content platform for the MNO, with customers already able to access Apple Music and BT Sport, all of which is covered under the EE Video Data Pass, a zero-rating initiative available to all customers.

“It’s our ambition to offer our customers unrivalled choice, with the best content, smartest devices, and the latest technology through working with the world’s best content providers,” said Marc Allera, CEO of BT’s Consumer division.

“In offering all EE pay monthly mobile customers Prime Video and MTV Play access, in addition to BT Sport and Apple Music – we’re providing them with a wealth of great entertainment they can experience in more places thanks to our superfast 4G network, and soon to be launched 5G service. So, if they want music on a Monday, telly on a Tuesday, films on a Friday or sport on a Saturday, we’ve got something for them.”

While the content play over the last couple of years have been pretty dismal this is an approach to content and diversification which we like. It allows the telco to leverage the scale of their customer bases, while also adding value to the existing relationship with said customers.

Content fragmentation is an irk for many customers, not only because of the various apps which need to be installed, but also the number of different bills. EE doesn’t seem to be addressing the first issue but consolidating bills to a single provider might well be of interest to some customers. It also has the advantage of making EE a ‘stickier’ provider, perhaps having a positive impact on churn.

“Content is a key differentiator for telcos,” said Paolo Pescatore of PP Foresight. “However, consumers are now spoilt for choice resulting in too much fragmentation. Telcos are very well placed to aggregate content, integrate billing and provide universal search. Whoever achieves this first will have a significant advantage over their rivals.”

Sky is one of the companies which has had a good crack at addressing the fragmentation challenge, Sky and Netflix content is available on the same platform and through the same universal search function, though EE’s push on the mobile side would certainly attract attention. Consumers no-longer consider entertainment as simply for the living room, new trends show more preference for on-the-go content.

While this is a step in the right direction for EE, this is only one step. The content options need to offer more depth to meet the demands of the user, while streamlining all the content into a single app would be a strong step forward. It would certainly be difficult to convince partners to hand over customer experience to a third-party, Netflix has shown much resistance to this idea making the Sky tie-up all the more impressive, though whoever nails this aspect of the aggregator model would certainly leap to the front.

Nick Clegg defends Facebook’s business model from EU’s privacy regulation

Facebook’s head of PR reportedly had a series of meetings with EU and UK officials aiming to safeguard the social network’s business model heavily relying on targeted advertising.

Sir Nick Clegg, the former UK Deputy Prime Minister, now Facebook’s VP for Global Affairs and Communications, met three EU commissioners during the World Economic Forum in Davos and shortly after the event in Brussels, according to a report by the Telegraph. These commissioners’ portfolios include Digital Single Market (Andrus Ansip), Justice, Consumers and Gender Equality (Věra Jourová), and Research, Science and Innovation (Carlos Moedas). Clegg’s mission, according to the Telegraph report, was to present Facebook’s case to defend its ads-based business model in the face of new EU legislation related to consumer privacy.

According to a meeting minutes from the Ansip meeting, seen by the Telegraph, “Nick Clegg stated as main Facebook’s concern the fact that the said rules are considered to call into question the Facebook business model, which should not be ‘outlawed’ (e.g. Facebook would like to measure the effectiveness of its ads, which requires data processing). He stated that the General Data Protection Regulation is more flexible (by providing more grounds for processing).”

In response, Ansip defended the proposed ePrivacy Regulation as a complement to GDPR and it is primarily about protecting the confidentiality of consumers’ communications. In addition, the ePrivacy Regulation will be more up to date and will provide more clarity and certainty, compared with the current ePrivacy Directive, which originated in 2002 and last updated in 2009. Member states could interprete and implement the current Directive more restrictively, Ansip warned.

Facebook’s current security setup makes it possible to access users’ communication and able to target them with advertisements based on the communications. Under the proposed Regulation, platforms like Facebook need to get explicit consent from account holders to access the content of their communications, for either advertisement serving, or effectiveness measuring.

There are two issues with Facebook’s case. The first one is, as Ansip put it, companies like Facebook would still be able to monetise data after obtaining the consent of users. They just need to do it in a way more respectful of users’ privacy, which 92% of EU consumers think important, according to the findings of Eurobarometer, a bi-annual EU wide survey.

Another is Facebook’s own strategy announced by Zuckerberg recently. The new plan will make it impossible for Facebook to read users’ private communications with its end-to-end WhatsApp-like encryption. This means, even if consumers are asked and do grant consent, Facebook in the future will not be able to access the content for targeted advertising. Zuckerberg repeatedly talked about trade-offs in his message. This would be one of them.

On the other hand, last November the EU member states’ telecom ministers agreed to delay the vote on ePrivacy Regulations, which means it will be highly unlikely that the bill will be passed and come into effect before the next European Parliament election in May.

The office of Jeremy Wright, the UK’s Secretary of State for Digital, Culture, Media and Sport, did not release much detail related to the meeting with Clegg, other than claiming “We are at a crucial stage in the formulation of our internet safety strategy and as a result we are engaging with many stakeholders to discuss issues pertinent to the policy. This includes discussions with social media companies such as Facebook. It is in these crucial times that ministers, officials and external parties need space in which to develop their thinking and explore different options in a free and frank manner.”

The Telegraph believed Clegg’s objective was to minimise Facebook’s exposure to risks from the impending government proposals that could “place social media firms under a statutory duty of care, which could see them fined or prosecuted” if they fail to protect users, especially children, from online harms.

It is also highly conceivable that the meeting with the UK officials was related to influence post-Brexit regulatory setup in the country, when it will not longer be governed by EU laws. Facebook may want to have its voice heard before the UK starts to make its own privacy and online regulations.

Data survey suggests UK consumers should be more price savvy

Cable.co.uk has released data which suggests the UK is 136th in the world for affordability when it comes to mobile data plans.

Data is increasingly running our lives and while many might feel they have struck the right balance between quantity and affordability this survey suggests otherwise. After comparing 6,313 mobile data plans in 230 countries, the UK ranks at 136 worldwide, and in the bottom half of the table for Europe.

“When looking at the UK compared to our European and EU counterparts, it’s disappointing to see the UK among the most expensive countries for mobile data,” said Dan Howdle of Cable.co.uk.

“Despite a healthy UK marketplace, our study has uncovered that EU nations such as Finland, Poland, Denmark, Italy, Austria and France pay a fraction of what we pay in the UK for similar data usage. It will be interesting to see how our position is affected post-Brexit.”

On average, UK consumers are currently paying £4.97 per GB a month ($6.42), with the lowest being £0.7 and the most expensive as high as £32 per GB a month. What is worth taking into account is the survey only measured SIM-only plans, excluding the complicated task of factoring in the price of a subsidized device. But how does this compare to other countries?

India was the cheapest worldwide, with a GB costing only $0.26 per month, though all of the telcos are struggling to remain profitable. Asian countries take up 50% of the top 20 in fact. Finland was the cheapest in Europe, $1.16 per GB a month, while across the pond, US consumers are paying $12.37 per GB a month and the Canadians came out at $12.02. The global average was $8.53.

As there haven’t been riots on the streets, it does seem most consumers are relatively content with the price they are paying. Admittedly in some cases it is extortionately expensive, something which should be addressed, but many of the markets are pricing plans in-line with the relative wealth of the nation.

That said, there is a wide chasm between the most and least expensive plans more often than not. This suggests consumers are not being savvy enough when purchasing mobile contracts in the first place, are not aware of other deals which are available or do not believe there is value in changing provider. It may be easy to blame the telcos for the high-price of data, but this can be a lazy route to take.

Cable.co.uk and other consumer groups might use this data to punish telcos, we suspect the increased price in the UK is more to do with consumers not being savvy enough. After years as a Vodafone customer, your correspondent switched to Giffgaff and a data plan which was much more generous. Admittedly a subsidized phone is not included in the deal, but in paying £1.33 per GB ($1.75), the monthly bill is substantially lower than what Vodafone was offering, or what Cable.co.uk have identified as the monthly average in the UK.

We believe the consumer is not blameless. For example, a now-available Vodafone 24-month contract with a Huawei Mate 20 Pro would cost £38 per month. Adding in the upfront cost of £179, the total would be £3.03 per GB a month. This is still below the average quoted by Cable.co.uk and would still be lower if the cost of the handset was factored into the equation.

Cable.co.uk has only taken into account tariffs which are currently available to consumers, therefore removing data points from legacy and on-going tariffs which might have thrown the averages, but the availability of cheaper contracts suggests some of the blame has to be taken by the consumer.

The price of tariffs are generally relative to the market which they are in. In the UK, we are relatively lucky due to competition keeping the price of data down (in comparison to the geographically vast markets such as the US) but squeeze too tight and the telcos don’t have enough to invest in networks in a commercially viable fashion, or they prioritise markets which are more profitable. Both would impact experience and the latter would create a digital divide.

While your correspondent cannot comment on other markets, being based in the UK, the outcome of this survey seems to be relatively clear. If you’re not happy with the price of your tariff, move, as there are cheaper options on the market.

California data dividend sounds nice but shows digital economy ignorance

The State of California might be making friends in Silicon Valley with its defence of net neutrality rules, but in proposing a ‘data dividend’ on the digital economy, these kinships might turn sour very quickly.

In his ‘State of the State’ speech this week, California Governor Gavin Newsom proposed a new ‘data dividend’ which would see internet players who monetise user’s personal information have to pay those users for the privilege, according to CNBC. This might sound like a lovely idea to share the wealth, but you can guarantee Silicon Valley is going to throw a temper tantrum about this.

“California’s consumers should also be able to share in the wealth that is created from their data,” said Newsom.

Aside from the revolt from the likes of Google and Facebook which is bound to be on the horizon, Newsom has joined the long list of politicians who are demonstrating they don’t understand how the digital economy functions. Social media platforms or video hosting websites are offered for free to the consumer because data is taken as payment. The value exchange is a free service for the permission to monetise personal data.

While this might sound like an excellent way for Newsom to score political points with the voters of California, you have to wonder how the internet players are going to react. There will of course be intense lobbying, but should the proposal make it into the rulebook, will services continue to be offered for free? Perhaps the internet players will replace lost revenues created by the digital dividend with a paywall?

Some politicians appear to be very anti-profit when it comes to the internet players, seemingly believing platforms like Facebook and Twitter are a public service not private corporations with shareholders to keep happy. These are companies which should of course be held accountable when it comes to data privacy and protection standards, but the value exchange in the digital economy has been accepted as a business model which benefits both sides of the equation.

This is not the first time such an idea has been aired, though rarely has it floated out of such senior political offices. The profits which flow into Silicon Valley are being attacked from numerous sides currently, but you also have to ask what others impacts there will be on the development of the digital economy.

One of the reasons the technology industry has been advancing so quickly in recent years is the aggressive investments which have been made in R&D by Silicon Valley. The likes of Amazon and Google are certainly not shy about searching for the next big idea, fully embracing the concept of fail-fast, but the confidence in these investments exists partly because of the commercial successes of the core business models. Sustained erosion of these revenue channels might well result in smaller R&D operations.

Not only will this slow down improvements to customer experience, it could also place speed bumps in-front of momentum. The US technology industry is advancing very quickly, with some truly wonderful and ludicrous ideas being explored (See Google’s Loon), but this progress could stutter when you attack the ways these companies make money.

The battle between Silicon Valley and rule makers is raging for several reasons. The internet companies have been caught with their pants down in the data protection and privacy realms, though their resistance to collaboration is antagonising politicians. Silicon Valley is desperately trying to side-road and resist any new rules to govern the digital economy, as any major corporation would, but these rules are of course critical for positive societal development. The more Silicon Valley resists, the more aggressive proposals will be put forward.

We strongly agree with the calls to increase regulation on the digital economy, but you have to pick your battles. What would be the benefit to the user with these rules? A couple of dollars a year, nothing which will turn heads, but what will be the consequences?

Hold the internet players to more stringent data protection rules. Enforce more consent regulations. Ensure these companies pay fair and reasonable tax. But destroying a generally accepted way to make money will probably not end well. We suspect this might be a net loss in the long-run.

Give control back to your users, scholars tell Facebook

In a new position paper, scholars from Oxford and Stanford recommended nine measures Facebook should take to make itself a better forum for free speech and democracy.

The report, titled “GLASNOST! Nine ways Facebook can make itself a better forum for free speech and democracy”, was jointly published by the Reuters Institute for the Study of Journalism and the Oxford University. The scholars, headlined by the historian Timothy Garton Ash, recommended Facebook take concrete steps related to three key aspects of the social network’s operation: content policy and moderation practices, news feed, and governance.

The starting premise of the report is that, with over 2.2 billion active users and being in the centre of past and present controversies and conversations, Facebook has gone beyond the stage where it could choose “between self-regulation and no regulation”. Decisions made inside Facebook could have strong political, social, and cultural impact on the world outside of it. “A single small change to the News Feed algorithm, or to content policy, can have an impact that is both faster and wider than that of any single piece of national (or even EU-wide) legislation,” the report says.

Instead, the authors argued, Facebook needs to make itself more transparent with both its policies and the interpretation and implementation mechanisms of these policies to the outside world including both its users, its customers, and other institutions, and engage more with regulators and the civil society, academia, and NGOs.

The authors recognised that Facebook has made efforts in all the three aspects over the past few years, especially after the Cambridge Analytica case was uncovered. They argued however that more should be done. Specifically the authors suggested the following:

Regarding “content policy and the moderation of political speech”, Facebook should

  • Tighten community standards wording on hate speech
  • Hire more and contextually expert content reviewers
  • Increase ‘decisional transparency’
  • Expand and improve the appeals process

Targeting at “News Feed”, the authors suggested that in order to move “towards more diverse, trustworthy political information”, Facebook should

  • Provide meaningful News Feed controls for users
  • Expand context and fact-checking facilities

When it comes to the company’s “governance”, the report recognises that Facebook has adopted “cautious glasnost” recently but in order to grow “from Transparency to Accountability” the company should

  • Establish regular auditing mechanisms
  • Create an external content policy advisory group
  • Establish an external appeals body

Admittedly, Facebook is far from being the only culprit. The authors also agreed that “many of the problems identified here are also found on other platforms, such as YouTube and Twitter.” Additionally, Facebook does have policies related to content and its moderation, though their interpretation or implementation could be called into question. Platforms like Twitter on the other hand, barely have a policy or standard practice in place.

Despite the authors’ claim that the “goal of this report is to focus on areas that Facebook itself can feasibly improve now”, it would require radical changes on Facebook’s side to put any of these recommendations into practice, both how the company is run, and how it is judged. The authors argued that “ideally, the user interface and experience on Facebook should be designed to promote active, informed citizenship, and not merely clickbait addiction for the commercial benefit of Facebook, the corporation.” However, commercial benefit is the most important index how a business is evaluated. In addition to stressing the company’s responsibilities beyond business returns, the authors could also remind it of the commercial damage from not acting in a responsible way. For example, advertisers would run away from the platform if a Cambridge Analytica type of scandal were to happen again.

The changes needed, as the authors also agreed, are easier said than done. Some suggestions are reasonable. For example, the report suggested Facebook, and other social platforms, consider industry wide self-regulating mechanisms following the model of the Financial Industry Regulatory Authority (FINRA), which oversees brokerage firms and the securities industry in the US. But it also agrees that it is hard to define the “industry” for the social networks. Other suggestions are much harder for Facebook and others to take. For example the report requests Facebook to open its data and, more importantly, its algorithms, which are the most guarded secrets in all internet companies.

The choice of the report’s title is also interesting. “Glasnost” is Russian for “openness, transparency”. Together with “perestroika”, Russian for “reform”, the concepts were popularised by the last Soviet leader Mikhail Gorbachev. The report suggested that, to achieve real change instead of merely glorified PR, “beyond glasnost, we need perestroika” from Facebook, a line almost surely from Professor Garton Ash, a leading scholar in Central and Eastern European history. If the young executives at Menlo Park are unaware of the historical connotation of these concepts, they may want to know that by embracing Glasnost and Perestroika, Gorbachev brought the Soviet empire to its demise.

Privacy champion Max Schrems is back with another lawsuit

The man who is largely credited with the downfall of Safe Harbour has re-emerged from the shadows to take eight of the internet giants to court over GDPR violations.

As user privacy increasingly seems to be an alien concept to Silicon Valley and the other internet players, Austrian data privacy champion Max Schrems has jumped into the limelight once again. This time he is challenged eight internet companies and their data privacy practices, suggesting they are violating Europe’s General Data Protection Regulation (GDPR).

Through a filing with the Austrian Data Protection Authority, by Schrem’s non-profit NOYB, the complaints focus on the ‘right to access’ enshrined in Article 15 GDPR and Article 8(2) of the Chart of Fundamental Rights. Amazon, Apple, DAZN, Filmmit, Netflix, Sound Cloud, Spotify and YouTube are on the receiving end of the lawsuit, with the potential penalties ranging from €20 million through to €8 billion.

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

GDPR is supposed to hand control of personal data back to said individual. Its aim is to hold the digital society accountable to their actions and provide a certain level of justification for holding onto, and potentially monetizing, an individual’s personal information. Several clauses are also aimed at transparency to ensure the user is fully informed, or at least offering the user the opportunity to be, about how these software and services providers commercialise data.

In addition to what raw data is being stored, individuals do now also have the right to know where this data was sourced, the recipients and also the purpose. This is where a few of the complaints are focusing specifically, as this is the information which was absent from some of the responses.

If privacy is an alien concept, then transparency is a dirty, inconceivable word to the internet players. It seems former habits have been hard to shake.

NOYB Snip

As you can see from the table above, Schrems has tested out how some of the internet players have reacted to the introduction of GDPR. Progress has been made, except in the case of Sound Cloud and DAZN, but that is irrelevant. The introduction of GDPR on May 25 2018 was not the starting line to gradually move yourself through to compliance, day one was a hard introduction of the rules. There are some circumstances where companies can avoid penalties, but these are scenarios where non-compliance would be seen as out of the control of the company, or best efforts have been made.

This is where these firms might find themselves in a bit of hot water. An automated response which offers up some information but not all which is required through the new regulation should not be considered good enough. The pair ignoring the requests completely should be very worried about the repercussions. And finally, the Austrian regulator will also have to decide whether four weeks is an appropriate response time or too long. None of these firms are in a safe place right now.

Another interesting aspect will be the readability of the data. In the complaint, Schrems notes the raw data was provided in what would be considered cryptic form for the general public. Users would not be able to read the data therefore it is not being made accessible by the company. Whether this is taken as a violation of GDPR remains to be seen, though Austria could set precedent.

Many of the internet giants have resisted the calls from data privacy advocates and governments around the world, but GDPR is supposed to be a stick to keep the segment in line. These are companies which will want to avoid giving too many details away as the power and depth of the data sharing economy has the potential to spook large swathes of the general public. Too much light shed on data processing and exchanging practices would also offer more ammunition to the blood-thirsty politicians, many of whom are on a PR crusade to make heads roll.

Ultimately this will give us a good indication as to how sharp European regulators’ teeth actually are. In passing GDPR, the European Commission has offered a stick to the pro-privacy regulators, but how hard they swing it remains to be seen. The dreaded ‘up to’ phrase is present when looking at potential fines, so let’s see whether these regulations have the stones to dish out appropriate punishments.

The connected car takes pole position at CES

With the glitz and glamour of Las Vegas, it perhaps shouldn’t come as much of a surprise the connected car is stealing the headlines at the 2019 Consumer Electronics Show (CES).

Starting with Audi, pairing up with Disney the team has unveiled an in-car VR entertainment system which adapts the content to the movements of the car. The game itself is called ‘Marvel’s Avengers: Rocket’s Rescue Run’ and is based on the journey itself. If the car turns right or accelerates the spaceship in the experience does the same.

While Audi is the parent company, the open platform has been brought to the market through subsidy Holoride. Audi will license the technology to the start-up, which will be made available to all carmakers and content developers in the future.

“Creative minds will use our platform to come up with fascinating worlds that turn the journey from A to B into a real adventure,” said Nils Wollny, Head of Digital Business at Audi, and future the CEO of Holoride. “We can only develop this new entertainment segment by adopting a cooperative, open approach for vehicle, device and content producers.”

Moving across to the mapping side of the connected vehicle, Intel’s Mobileye announced a new agreement with UK mapping agency Ordnance Survey. Although this might not be the most exciting aspect of the connected car space, it is perhaps the most crucial; without the relevant location data, the OS is pretty much useless.

While this data will certainly supplement the Intel offering for the connected car space, Mobileye and Ordnance Survey will use the data to create new customized solutions derived from the location intelligence, to help companies realise the riches promised through the city segment.

“One key, and common, learning is that detailed and accurate geospatial data is a must for the success of these projects,” said Neil Ackroyd, Ordnance Survey CEO. “We envisage this new rich data to be key to how vehicles, infrastructure, people and more will communicate in the digital age. Our partnership with Mobileye further enhances our commitment to supporting Britain as a world-leading center for digital and tech excellence.”

For chipmaker Qualcomm there’s been no rest to check out the shows. While Audi, Ducati and Ford have all been using its tech to run various demos across the show, the team has also teamed up with Amazon’s Alexa to demonstrate in-car artificial intelligence.

“The vision behind Qualcomm Technologies’ automotive solutions is to continuously improve and expand the realm of possibilities for in-car experiences while delivering unparalleled safety-conscious solutions,” said Nakul Duggal, SVP of Product Management, Qualcomm.

“Leveraging Amazon’s natural language processing technology, along with services like Amazon Music, Prime Video, Fire TV and Audible, allows us to offer an exclusive, interactive in-car experience for both the drivers and passengers to leverage the latest innovations in a natural, intuitive way.”

The demonstration makes use of Qualcomm’s Smart Audio Platform to include immersive natural language instructions involving in-vehicle navigation, points of interest outside the car and multimedia services which users will use every day at home with Alexa.

“Our vision is for Alexa to be available anywhere customers want to interact with her, whether they’re at home, in the office or on the go,” said Ned Curic, VP of Alexa Auto at Amazon.

This is of course not the only bit of news featuring Amazon this week, as the team announced a partnership with navigation firm Here yesterday. The tie in gives the Here platform a smarter, voice UI and gives Alexa a useful little foray into the connected car segment, an area Google’s virtual assistant has got a little bit of a head-start in.

Finally, AT&T and Toyota Motor North America announced they will enable 4G LTE connectivity for various Toyota and Lexus cars and trucks across the US, starting at the end of the year. As part of the deal, owners of the relevant vehicles will also receive unlimited data plans from AT&T, while the vehicle will also become a wifi hotspot.

“Cars are the ultimate mobile device. Working with Toyota and KDDI we will bring the benefits of connectivity to millions of consumers,” said Chris Penrose, President of IoT Solutions at AT&T.

“This new technology deepens our relationship with Toyota. And we couldn’t be happier to continue working with them. We’re both founding members of the American Center for Mobility testing facility for connected and automated vehicles, where we will help deliver the future of connectivity.”

Europe is losing in the race to secure digital riches – DT CEO

Despite politicians around the world declaring the importance of technology and insisting their nation is one of the world leaders in digital, Deutsche Telekom CEO Tim Hottges does not believe Europe is competing with the US and Asia.

This might seem like somewhat of a bold statement, but it is entirely true. The US, led by the internet players of Silicon Valley, have dominated the consumer technology world, while the China and Japan’s heavyweight industries have conquered the industrialised segments. Europe might have a few shining lights but is largely left to collect the scraps when the bigger boys are done feasting on the bonanza.

“Europe lost the first half of the digitalisation battle,” said Hottges, speaking at Orange’s Show Hello. “The second half of the battle is about data, the cloud and the AI-based services.”

In all fairness to the continent, there has been the odd glimmer of hope. Spotify emerged from Sweden, Google’s Deepmind was spun-out of Oxford University, while Nokia and Ericsson are reconfirming their place in the world. There is occasionally the odd suggestion Europe has the potential to offer something to the global technology conversation.

What has been achieved so far cannot be undone. The US and Asia are dominant in the technology world and Europe will have to accept its place in the pecking order. That said, lessons must be learnt to ensure the next wave of opportunity does not pass the continent by. A new world order is being written as we speak, and it is being written in binary.

If Europe is to generate momentum through the AI-orientated economy, it will have to bolster the workforce, create the right regulatory landscape (a common moan from the DT boss), but also make sure the raw materials are available. If data is cash, Europeans are paupers.

As it stands, less than 4% of the world’s data is stored in the European market, according to Hottges. This is the raw material required to create and train complex, AI-driven algorithms and business models. If European data is constantly being exported to other continents, other companies and economies will feel the benefits. More of an effort needs to be made to ensure the right conditions are in place to succeed.

Conveniently, the data collected through Orange’s and DT’s new smart speaker ecosystem will be retained within the borders of the European Union. There need to be more examples like this, forcing partners to comply with data residency requirements, as opposed to taking the easy route and whisking information off to far away corners of the world.

Another interesting statistic to consider is the number of qualified developers in Europe. Recent research from Atomico claims there are currently 5.7 million developers across the continent, up 200,000 over the last 12 months, compared to 4.4 million in the US. Everyone talks about the skills gap, though it seems Europe is in a better position than the US if you look at the number of professional developers alone.

Europe has lost the first skirmishes of the digital economy, and to be fair, the fight wasn’t even close. However, the cloud-oriented, intelligent world of tomorrow offers plenty more opportunities.

Google faces GDPR complaints over user location tracking

Seven privacy advocacy groups will be reporting Google to their relevant data protection authority, claiming the firm is violating GDPR through location tracking of users.

Forbrukerrådet (Norway), Consumentenbond (The Netherlands), Ekpizo (Greece), dTest (Czech Republic), Zveza Potrošnikov Slovenije (Slovenia), Federacja Konsumentów (Poland) and Sveriges Konsumenter (Sweden) will all file complaints, while vzbv in Germany is considering action for an injunction and the  Transatlantic Consumer Dialogue will bring it to the attention of the Federal Trade Commission. This is of course not the first time Google has faced complaints in the EU over privacy, but the volume here might cause a headache.

The complaint is a simple one. Even if a dataset has been anonymised by Google, detailed information on that users location can make this irrelevant, while in-depth and personal insights can be learned, violating user rights to privacy. For example, if a smartphone is stationary for eight hour consistently, at the same time every night, it would be a fair assumption this is the home address of the person, while learning about what bars they visit could give away the sexual persuasion of the individual.

Not only are these insights which can be used for personalised advertising, but the data can be sold onto other companies to dictate was services are sold to that individual at what price. An insurance company could up premiums for someone who never visits the gym, but this is not personal information which the individual has given permission to be released. Some would argue it is an invasion of privacy, others would suggest it is statistical science and fair game.

One of the complaints being made against Google is the lack of transparency. Yes, Google has made the consumer aware it collects information when the opt-outs are not altered in ‘location history’ settings tabs, though it has not made the user aware this opt-out could be irrelevant. By using other apps and services, Google is collecting the data in any case. Once it is said out loud it should seem obvious, even if you have opted out when you want to use the Maps app, you will have to send Google your location data, but the slight contradiction has the capacity to confuse users. This is not what many would consider complete transparency.

“Google’s practices leave consumers very little choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising,” European privacy group BEUC said in a statement. “BEUC and its members argue that these practices contradict basic principles of the GDPR, such as the lawfulness, transparency and fairness of processing, and infringe on data subject’s rights such as the right to information. In our assessment Google notably lacks a lawful legal ground for processing the location data in question.”

There will of course be investigations over the course of the next couple of months, as we suspect there will be more complaints filed in the near future, though this will be a test of GDPR. As a reminder, the largest fine which the EU can impose is 3% of annual turnover. Google might have been able to swallow previous fines from the EU, but this one will be a bit more difficult to justify.