Privacy International points GDPR finger at Facebook

An investigation from privacy advocacy group Privacy International on the flow of personal information has questioned whether Facebook and its advertisers are violating Europe’s GDPR.

To date there have not been any major challenges brought under the data privacy regulation. There have of course been numerous violations of user privacy, but as those incidents occurred prior to the implementation of GDPR, the old version of the rules and punishments was used. This investigation from Privacy International could prove to be a landmark.

The investigation itself questions whether Facebook and the app developers which use its platform for data collection and user identification are acting responsibly and legally. Apps built with the Facebook Software Development Kit (SDK) automatically send data back to the social media giant, regardless of whether consent has been collected, or even whether the user has a Facebook account.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” Privacy International states on its website.

“App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analysed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

After testing dozens of different apps, Privacy International claims 61% automatically transfer data to Facebook the moment a user opens the app, while others routinely send Facebook data that is incredibly detailed. Some of these users may be logged out of the platform or might not even have a Facebook account in the first place. Apps tested include travel comparison service Kayak, job search company Indeed and crowd-sourced review service Yelp.
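The report's method, an intercepting HTTPS proxy in front of the handset, produces a list of outbound requests; the work is then deciding which of them are third-party beacons, whether they fire before any consent dialogue could have been shown, and which identifiers ride along. The script below is an added example of that triage step and is not code from Privacy International's report or from the Facebook SDK. The captured requests are constructed: the first-party hostname, the paths, the app ID and the payload layout are assumptions, and only the field names `advertiser_id` and `anon_id` and the event name `fb_mobile_activate_app` are modelled on what the report describes. Feed it real captures (mitmproxy's `flow.request` objects, or a HAR export) by mapping each request onto `CapturedRequest`.

```python
"""Triage of app traffic captured through an intercepting proxy (added example).

Every request that leaves the app for a host other than the app's own backend is
recorded with: when it fired relative to launch, which stable identifiers the
payload carries, and which event names it reports. A third-party request inside
the launch window that already carries an identifier is the pattern the report
describes: data shared before the user could have been asked.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class CapturedRequest:
    ts: float          # seconds after the app was launched
    method: str
    url: str
    body: str = ""     # raw request body as text (JSON or form-encoded)


# Hosts the app is expected to talk to; anything else counts as third party.
# Hypothetical name, adjust to the app under test.
FIRST_PARTY_SUFFIXES = ("example-travel-app.com",)

# Payload keys that carry a stable identifier. The first two follow the field
# names quoted in the report; the rest are generic assumptions.
IDENTIFIER_KEYS = {"advertiser_id", "anon_id", "device_id", "android_id", "email"}


def parse_body(body: str) -> dict:
    """Decode a JSON or application/x-www-form-urlencoded body into a dict.

    Returns {} for an empty or unrecognised body so the request is still
    recorded as a third-party contact, just without payload detail."""
    if not body:
        return {}
    try:
        data = json.loads(body)
        return data if isinstance(data, dict) else {"_value": data}
    except ValueError:
        pass
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] if len(v) == 1 else v for k, v in parsed.items()}


def event_names(payload: dict) -> list:
    """Collect event names from a payload, tolerating a list under 'events'
    (possibly JSON nested inside a form field) or a single 'event' string."""
    names = []
    events = payload.get("events", [])
    if isinstance(events, str):
        try:
            events = json.loads(events)
        except ValueError:
            events = []
    for ev in events if isinstance(events, list) else []:
        if isinstance(ev, dict) and isinstance(ev.get("name"), str):
            names.append(ev["name"])
    if isinstance(payload.get("event"), str):
        names.append(payload["event"])
    return names


def triage(requests, launch_window_s=2.0):
    """Return one finding per request that leaves the app for a third party."""
    findings = []
    for r in requests:
        host = (urlparse(r.url).hostname or "").lower()
        if host.endswith(FIRST_PARTY_SUFFIXES):
            continue
        payload = parse_body(r.body)
        findings.append({
            "ts": r.ts,
            "host": host,
            "on_launch": r.ts <= launch_window_s,
            "identifiers": sorted(k for k in payload if k in IDENTIFIER_KEYS),
            "events": event_names(payload),
        })
    return findings


def launch_beacon_hosts(findings) -> list:
    """Hosts contacted inside the launch window with at least one identifier."""
    return sorted({f["host"] for f in findings if f["on_launch"] and f["identifiers"]})


# Constructed capture: one app launch followed by a flight search.
_GAID = "12345678-aaaa-bbbb-cccc-0123456789ab"   # made-up advertising ID
SAMPLE_CAPTURE = [
    CapturedRequest(0.4, "GET", "https://api.example-travel-app.com/v1/config"),
    CapturedRequest(0.9, "POST", "https://graph.facebook.com/v3.2/000000000000/activities",
                    json.dumps({"advertiser_id": _GAID, "anon_id": "XZ0000000000",
                                "events": [{"name": "fb_mobile_activate_app"}]})),
    CapturedRequest(14.2, "POST", "https://graph.facebook.com/v3.2/000000000000/activities",
                    urlencode({"advertiser_id": _GAID,
                               "events": json.dumps([{"name": "search",
                                                      "origin": "LGW", "destination": "NRT"}])})),
    CapturedRequest(15.0, "POST", "https://analytics.example-travel-app.com/collect",
                    json.dumps({"event": "search", "session": "abc"})),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CAPTURE):
        print(finding)
    print("identifiers sent at launch to:", launch_beacon_hosts(triage(SAMPLE_CAPTURE)))
```

The launch window is deliberately short: a request that leaves within a couple of seconds of the process starting cannot have been gated on a consent screen. Anything flagged there is worth replaying after opting out in the app's own settings, which is how the report separated "can be disabled" from "is disabled by default".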

Looking at the Kayak example, information was transferred back to Facebook not only when the app was opened and closed, but also during each stage of the search process. In the example Privacy International gives, the user selected a flight from London Gatwick to Tokyo between December 2 and 5, Narita Airport was then selected, before another search was conducted for hotels for two adults in the city. All of this information was sent to Facebook without any prompt, despite Kayak telling users at sign-in, 'don't worry, we'll never share anything without your permission'.

Alone this information is useful, but not incredibly so. However, when you consider the huge number of apps which will be sending information back to Facebook, an incredibly detailed picture of the user can be built. Using the other apps tested in this investigation, Facebook could also learn or make assumptions about the user’s religion (Muslim Pro), music interests (Shazam), salary and disposable income (Indeed Job Search) and interest in physical activities (MyFitnessPal). All of this information could be used to feed incredibly personalised advertisements to the user.

The big question which remains is whether this could be perceived as a violation of GDPR. Facebook has stated it released an update to the SDK which allows developers to switch off the automatic data transfers, though this is only available in version 4.34 and later. With the automatic logging (including the Google advertising ID) switched on by default and left for the developer to opt out of, some might suggest the user is being led as opposed to asked.

Another factor which could work against Facebook is the collection of data on people who do not have Facebook accounts; this is much more suspect. Under GDPR, a company must have a specific and lawful reason to collect personal information. Facebook appears to be collecting information on these users without any stated purpose or valid reason for doing so.

With fines for violating GDPR running up to 4% of global annual turnover, the stakes are very high. This could prove to be one of the first tests of the rules, designed to protect the privacy of the general public, and few will be surprised Facebook is a central character in the story. With the social media giant seemingly antagonising many governments around the world, we suspect there will be a queue forming to have a swing with the sharp GDPR stick.

The biggest stories of 2018 all in one place

2018 has been an incredibly busy year for all of us, and it might be easy to forget a couple of the shifts, curves, U-turns and dead-ends.

From crossing the 5G finish line, finger pointing from the intelligence community, the biggest data privacy scandal to date and a former giant finally turning its business around, we’ve summarised some of the biggest stories of 2018.

If you feel we’ve missed anything out, let us know in the comments section below.

Sanction, condemnation and extinction (almost)

ZTE. Three letters which rocked the world. A partly state-owned Chinese telecommunications vendor which can't help but antagonise the US government.

It might seem like decades ago now, but cast your mind back to April. A single signature from the US Department of Commerce's Bureau of Industry and Security (BIS) almost sent ZTE, a company of 75,000 employees and revenues of $17 billion, to keep the dodo company.

This might have been another move in the prolonged technology trade war between the US and China, but ZTE was not innocent. The firm was caught red-handed trading with Iran, a country which sits very prominently on the US sanctions list. Trading with Iran was not in itself the issue; it was the incorporation of US components and IP in the goods which were sent to the country. ZTE's business essentially meant the US was indirectly helping a country it was attempting to punish.

The result was a ban, no US components or IP to feature in any ZTE products. A couple of weeks later manufacturing facilities lay motionless and the company faced the prospect of permanent closure, such was its reliance on the US. With a single move, the US brought one of China’s most prominent businesses to its knees.

Although this episode has been smoothed over, and ZTE is of course back in action, the US demonstrated what its economic dirty bombs were capable of. This was just a single chapter in the wider story; the US/China trade war is in full flow.

Tinker, tailor, Dim-sum, Spy

This conflict has been bubbling away for years, but the last few months are where the argument erupted.

Back in 2012, a report was tabled by the House Intelligence Committee under Congressman Mike Rogers which investigated the threat posed by Chinese technology firms in general, and Huawei specifically. The report did not produce any concrete evidence, though it suggested what many people were thinking: that China is a threat to Western governments and that its government is using internationally successful companies to extend the eyes of its intelligence community.

This report has been used several times over the last 12 months to justify increasingly aggressive moves against China and its technology vendors. During the same period, President Trump also blocked Broadcom’s attempts to acquire Qualcomm on the grounds of national security, tariffs were imposed, ZTE was banned from using US technologies in its supply chain and Huawei’s CFO was arrested in Canada on the grounds of fraud. With each passing month of 2018, the trade war was being cranked up to a new level.

Part of the strategy now seems to be undermining China’s credibility around the world, promoting a campaign of suggestion. There is yet to be any evidence produced confirming the Chinese espionage accusations but that hasn’t stopped several nations snubbing Chinese vendors. The US was of course the first to block Huawei and ZTE from the 5G bonanza, but Australia and Japan followed. New Zealand seems to be heading the same way, while South Korean telcos decided against including the Chinese vendors on preferred supplier lists.

The bigger picture is the US’ efforts to hold onto its dominance in the technology arena. This has proved to be incredibly fruitful for the US economy, though China is threatening the vice-like grip Silicon Valley has on the world. The US has been trying to convince the world not to use Chinese vendors on the grounds of national security, but don’t be fooled by this rhetoric; this is just one component of a greater battle against China.

Breakaway pack cross the 5G finish line

We made it!

Aside from 5G, we’ve been talking about very little over the last few years. There might have been a few side conversations which dominate the headlines for a couple of weeks, but we’ve never been far away from another 5G ‘breakthrough’ or ‘first’. And the last few weeks of 2018 saw a few of the leading telcos cross the 5G finish line.

Verizon was first with a fixed wireless access proposition; AT&T soon followed in the US with a portable 5G hotspot. Telia has been making some promising moves in both Sweden and Estonia, with limited launches aiming to create innovation and research labs, while San Marino was the first state to have complete coverage, albeit a very small one.

These are of course very minor launches, with geographical coverage incredibly limited, but that should not take the shine off the achievement. This is a moment the telco and technology industry has been building towards for years, and it has now been achieved.

Now we can move onto the why. Everyone knows 5G will be incredibly important for relieving the pressure on the telco pipes and the creation of new services, but no-one knows what these new services will be. We can all make educated guesses, but the innovators and blue-sky thinkers will come up with some new ideas which will revolutionise society and the economy.

Only a few people could have conceived Uber as an idea before the 4G economy was in full flow, and we can’t wait to see what smarter-than-us people come up with once they have the right tools and environment.

Zuckerberg proves he’s not a good friend after all

This is the news story which rocked the world. Data privacy violations, international actors influencing US elections, cover ups, fines, special committees, empty chairs, silly questions, knowledge of wrong-doing and this is only what we know so far… the scandal probably goes deeper.

It all started with the Cambridge Analytica scandal, and a Russian-American researcher called Aleksandr Kogan from the University of Cambridge. Kogan created a quiz on the Facebook platform which exploited a loophole in the platform's policies, allowing him to scrape data not only from those who took the quiz, but also from their Facebook friends. The result was a database containing information on 87 million people. This data was used by political consulting firm Cambridge Analytica during elections around the world, creating hyper-targeted adverts.

What followed was a circus. Facebook executives were hauled in front of political special committees to answer questions. As weeks turned into months, more suspect practices emerged as politicians, journalists and busybodies probed deeper into the Facebook business model. Memos and internal emails have emerged suggesting executives knew they were potentially acting irresponsibly and unethically, but it didn't seem to matter.

As it stands, Facebook is looking like a company which violated the trust of the consumer, has a much wider reaching influence than it would like to admit, and this is only the beginning. The only people who genuinely understand the expanding reach of Facebook are those who work for the company, but the curtain is slowly being pulled back on the data machine. And it is scaring people.

Big Blue back in the black

This might not have been a massive story for everyone in the industry, but with the severe fall from grace and rise back into the realms of relevance, we feel IBM deserves a mention.

Those who feature in the older generations will remember the dominance of IBM. It might seem unusual to say nowadays, but Big Blue was as dominant in the 70s as Microsoft was in the 90s and Google is today. This was a company which led the technology revolution and defined innovation. But it was not to be forever.

IBM missed a trick: personal computing. IBM built the PC that defined the category, but it bought in the operating system and the processor rather than owning them, and the value of every home having a PC flowed to Microsoft and Intel instead. This tidal wave of cash which democratised computing for the masses went elsewhere, and IBM, which had carved its dominant position through enterprise IT, was left with its legacy business unit.

This was not a bad thing for years, as the cash cow continued to grow, but a lack of ambition in seeking new revenues soon took its toll. In 2012, IBM posted a decline in quarterly revenues and the trend continued for 22 consecutive quarters. During this period cash was directed into a new division, the 'strategic imperatives' unit, which was intended to capitalise on a newly founded segment: cloud, analytics and intelligent computing.

In January this year, IBM proudly posted its first quarterly revenue growth in more than five years. Big Blue might not be the towering force it was decades ago, but it is heading in the right direction, with cloud computing and artificial intelligence as the key cogs.

Convergence, convergence, convergence

Convergence is one of those buzzwords which has been on the lips of every telco for a long time, but few have been able to realise the benefits.

There are a few glimmers of promise: Vodafone seems to be making promising moves in the UK broadband market, while Now TV offers an excellent converged proposition. On the other side of the Atlantic, AT&T's effort to move into the content world with the Time Warner acquisition is a puzzling one, while Verizon's purchase of Yahoo's content assets has proved to be nothing but a disaster.

Orange is a company which is taking convergence to the next level. We're not just talking about connectivity either; how about IoT, cyber-security, banking or energy services. This is a company which is living the convergence dream: tie as many services into the same organisation as possible, making the bill payer so dependent on one company that it becomes a nightmare to leave.

It’s the convergence dream as a reality.

Europe’s Great Tax Raid

This is one of the more recent events on the list, and while it might not be massive news now, we feel it justifies inclusion. This developing conversation could prove to be one of the biggest stories of 2019 not only because governments are tackling the nefarious accounting activities of Silicon Valley, but there could also be political consequences if the White House feels it is being victimised.

Tax havens are nothing new, but the extent to which Silicon Valley is making use of them is unprecedented. Europe has had enough of the internet giants making a mockery of the bloc and not paying their fair share back to the state, and moves are being made by individual states to make sure these monstrously profitable companies are held accountable.

The initial idea was a European-wide digital tax which would be led by the European Commission. It would impose a levy on all revenues realised in the individual states, rather than on profits. As ideas go, this is a good one: the internet giants will find it much more difficult to hide users' IP addresses than to shift profits around. Unfortunately, the power of the European Union is also its downfall; for any meaningful tax changes to be implemented all 28 (soon to be 27) states would have to agree. And they don't.

Certain states, Ireland, Sweden and Luxembourg among them, have a lot more to lose than other nations have to gain. These are economies which are built on the idea of buddying up to the internet economy. The internet giants might not pay much tax in these countries, but the presence of massive offices ensures society benefits through other means. Taxing Silicon Valley puts these beneficial relationships with the internet players in jeopardy.

But that isn't good enough for the likes of the UK and France. In the absence of any pan-European regulation, these states are planning to move ahead with their own national tax regimes; France's 3% tax on digital revenues achieved in the country is due to kick in on January 1, with the UK not far behind.

What makes this story much more interesting will be the influence of the White House. The US government might feel this is an attack on the prosperous US economy. There might be counter measures taken against the European Union. And when we say might, we suspect this is almost a certainty, such is the ego of President Donald Trump.

This is a story which will only grow over the next couple of months, and it could certainly cause friction on both sides of the Atlantic.

Cue the moans… GDPR

GDPR. The General Data Protection Regulation. It was a pain for almost everyone involved and simply has to be discussed because of this distress.

Introduced in May, it seemingly came as a surprise. This is of course after companies were given two years to prepare for its implementation, but few seemed to appreciate the complexity of becoming, and remaining, compliant. As a piece of regulation, it was much needed for the digital era. It heightened protections for the consumer and ensured companies operating in the digital economy acted more responsibly.

Perhaps one of the most important components of the regulation was the stick handed to regulators. With technology companies growing so rapidly over the last couple of years, the fines being handed out by watchdogs were no longer suitable. Instead of defining fixed amounts, the new rules allow punishments to be dished out as a percentage of global annual turnover (up to 4%, or €20 million if that is higher). This allows regulators to hold the internet giants accountable, hitting them with a suitably large stick.

Change is always difficult, but it is necessary to ensure regulations are built for the era. Evolving the current rulebook simply wouldn’t work, such is the staggering advancement of technology in recent years. Despite the headaches which were experienced throughout the process, it was necessary, and we’ll be better off in the long-run.

Next on the regulatory agenda, the ePrivacy Regulation.

Jio piles the misery on competitors

Jio is not a new business anymore, neither did it really come to being in 2018, but this was the period where the telco really justified the hype and competitors felt the pinch.

After hitting the market properly in late 2016, the firm made an impression. But like every challenger brand, the wins were small in context. Collecting hundreds of thousands of customers every month is very impressive, but don't forget India has a population of 1.3 billion and some very firmly positioned incumbents.

2017 was another year where the firm rose to prominence, forcing several other telcos out of the market and two of the largest players into a merger to combat the threat. Jio changed the market in 2017; it democratised connectivity in a country which had promised a lot but delivered little.

This year, however, was one of sweeping dominance. It might not be the number one telco in the market share rankings, but it will be before too long. Looking at the most recent subscription figures released by the Telecom Regulatory Authority of India (TRAI), Jio grew its subscriber base by 13.02 million and, more importantly, it was the only telco in positive territory. This has started to make an impact on financial reports across the industry, Bharti Airtel is particularly under threat, and there might be worse to come.

For a long-time Jio has been hinting it wants to tackle the under-performing fixed broadband market. There have been a couple of acquisitions in recent months, Den Networks and Hathway Cable, which give it an entry point, and numerous other digital services initiatives to diversify the revenue streams.

The new business units are not making much money at the moment, though Jio is in the strongest position to test the convergence waters in India. Relying on a single revenue stream will ensure the financials hit a glass ceiling in the near future, but new products and aggressive infrastructure investment plans promise much more here.

We’re not too sure whether the Indian market is ready for mass market fixed broadband penetration, there are numerous other market factors involved, but many said the initial Jio battle plan would fail as well.

Convergent business models are certainly an interesting trend in the industry, and Jio is looking like it could force the Indian market into line.

Redundancies, redundancies, redundancies

Redundancy is a difficult topic to address, but it is one we cannot ignore. Despite what everyone promises, there will be more redundancies.

Looking at the typical telco business model, this is where the majority have been seen and will continue to be seen. To survive in the digitally orientated world, telcos need to adapt. Sometimes this means re-training staff to capitalise on the new bounties, but unfortunately this doesn't always work. Some can't be retrained, some won't want to be; the only result here will be redundancies.

BT has been cutting jobs, including a 13,000-strong cull announced earlier this year, Deutsche Telekom is trimming its IT services business by 25%, the merger between T-Mobile and Sprint will certainly create overlaps and resulting redundancies, while Optus has been blaming automation for its own cuts.

Alongside the evolving landscape, automation is another area which will result in a headcount reduction. The telcos will tell you AI is only there to supplement human capabilities and allow staff to focus on higher value tasks, but don't be fooled. There will be value-add gains, but there will also be accountants looking to save money on the spreadsheets. If you can buy software to do a simple job, why would you hire a couple of people to do it? Staff are the most expensive line item for almost any business.

Unfortunately, we have to be honest with ourselves. For the telco to compete in the digital era, new skills and new business models are needed. This means new people, new approaches to software and new internal processes. Adaptation and evolution are never easy and often cruel to those who are not qualified. This trend has been witnessed in previous industrial revolutions, but the pace of change today means it will be felt more acutely.

Redundancy is not a nice topic, but it is not always avoidable.

Uber feels sharp(ish) end of Dutch and British stick

Following a data breach which exposed personal information of roughly three million European customers, Uber has been fined over £900,000 by Dutch and British authorities.

£900,000 does sound like a lot of cash, but let's just put it into perspective for a moment. In the Netherlands, details of 174,000 customers and drivers were taken, resulting in a €600,000 (roughly £532,000) fine, while the punishment for leaking details of 2.7 million customers and drivers in the UK was £385,000. In the US, where the exposure was admittedly significantly higher (the breach covered some 57 million riders and drivers worldwide), Uber had to fork out $148 million. The numbers aren't exactly consistent.

Uber should certainly consider itself lucky the incident occurred prior to the implementation of GDPR, though the fines simply demonstrate how important the new rules are in enforcing data protection requirements. Under today's rules, Uber could potentially have been fined up to 4% of global annual turnover, and we suspect the fact it tried to cover up the incident would have seen it held fully accountable.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said Information Commissioner’s Office Director of Investigations, Steve Eckersley. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

While many found the implementation of GDPR a nightmare, this is an incident which demonstrates why new data protection rules were completely necessary. In our opinion, Uber got off lightly considering the severity of the breach and subsequent efforts to cover up the hack with ‘hush-money’.

Once the breach was discovered, Uber tried to sweep the incident under the rug. Instead of reporting it to authorities, customers and drivers, it paid the hacker $100,000 in return for a promise that the data, which had been downloaded from a cloud-based storage system operated by Uber's US parent company, would be deleted and that the hacker would keep quiet. As with all of these incidents, the truth eventually emerged; here, it took a full year.

Both the Dutch data protection authority's and the ICO's investigations found the breach could have been avoided if basic and appropriate security controls had been in place. Under GDPR, Uber would be obliged to notify the relevant data protection authority within 72 hours of becoming aware of a breach, and prompt notification and cooperation are among the factors regulators weigh when setting a fine. If a company co-operates and is able to demonstrate it had acceptable protections in place, authorities will not punish in the strictest of terms.

This is an aspect of GDPR which we like. Rule makers have accepted there is no such thing as 100% secure, and have created a framework with in-built sympathy for those cases which cannot be avoided. As long as a company is proactive and honest, authorities are willing to work alongside industry to make customers and employees more secure.

This is not an example of this perfect scenario however. Uber acted completely irresponsibly and is incredibly fortunate the incident occurred during a time when data protection rules and punishments were woefully outdated. The whole incident does leave two questions remaining however…

Firstly, how many more incidents have there been which have been swept under the carpet, as we can almost guarantee there will be a few, and secondly, will the EU hold the guilty parties fully accountable to GDPR punishments? We need to know whether authorities are prepared to swing the very sharp stick GDPR hands them.

Google faces GDPR complaints over user location tracking

Seven privacy advocacy groups will be reporting Google to their relevant data protection authority, claiming the firm is violating GDPR through location tracking of users.

Forbrukerrådet (Norway), Consumentenbond (The Netherlands), Ekpizo (Greece), dTest (Czech Republic), Zveza Potrošnikov Slovenije (Slovenia), Federacja Konsumentów (Poland) and Sveriges Konsumenter (Sweden) will all file complaints, while vzbv in Germany is considering action for an injunction and the Transatlantic Consumer Dialogue will bring it to the attention of the Federal Trade Commission. This is of course not the first time Google has faced complaints in the EU over privacy, but the volume here might cause a headache.

The complaint is a simple one. Even if Google has anonymised a dataset, detailed information on a user's location can render that anonymisation irrelevant, while in-depth and personal insights can be learned, violating the user's right to privacy. For example, if a smartphone is stationary for eight hours at the same place every night, it is a fair assumption this is the person's home address, while the bars they visit could give away the individual's sexual orientation.
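The inference described above is mechanical enough to show in code, and doing so makes the point about "anonymised" location data concrete: no name or account is needed, only recurrence. The script below is an added example, not code from the complaint or from Google. The trace is constructed (three days of hourly points around central London with a made-up home, workplace and evening venue), and the grid size, window hours and thresholds are assumptions chosen for the sample; real traces are irregular, which is why dwell time is computed from the gaps between points and long gaps are discarded rather than credited to either end.

```python
"""Re-identification from a pseudonymous location trace (added example).

Home is inferred as the grid cell that dominates the overnight window on
enough separate nights; the same routine with an evening window finds a
recurring venue. Nothing here uses an identity, which is the point: the
trace is 'anonymous' only until someone looks at where it sleeps.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def cell(lat, lon, decimals=3):
    """Snap a coordinate to a grid of roughly 100 m (3 decimals, assumption)."""
    return (round(lat, decimals), round(lon, decimals))


def period_key(t, start_h, end_h):
    """Label the daily window [start_h, end_h) containing t by its date.

    A window that wraps midnight (e.g. 22 to 6) is labelled by the evening
    it started on, so 02:00 on the 2nd belongs to the night of the 1st.
    Returns None when t is outside the window."""
    if start_h > end_h:
        if t.hour >= start_h:
            return t.date()
        if t.hour < end_h:
            return (t - timedelta(days=1)).date()
        return None
    return t.date() if start_h <= t.hour < end_h else None


def dwell_by_period(trace, start_h, end_h, max_gap_h=3.0):
    """hours spent per cell per period, from consecutive point pairs.

    The interval between two points is credited to the first point's cell.
    Gaps longer than max_gap_h are dropped: the device may have moved and
    come back, so crediting the gap would invent a dwell."""
    dwell = defaultdict(lambda: defaultdict(float))
    for (t0, lat, lon), (t1, _, _) in zip(trace, trace[1:]):
        hours = (t1 - t0).total_seconds() / 3600.0
        if hours <= 0 or hours > max_gap_h:
            continue
        key = period_key(t0, start_h, end_h)
        if key is not None:
            dwell[key][cell(lat, lon)] += hours
    return dwell


def recurring_cell(trace, start_h, end_h, min_hours, min_days):
    """Return (cell, days) for the cell that dominates the window on the most
    days, or None if no cell reaches min_hours on at least min_days days."""
    days_at = defaultdict(int)
    for _, cells in dwell_by_period(trace, start_h, end_h).items():
        top, hours = max(cells.items(), key=lambda kv: kv[1])
        if hours >= min_hours:
            days_at[top] += 1
    if not days_at:
        return None
    best, days = max(days_at.items(), key=lambda kv: kv[1])
    return (best, days) if days >= min_days else None


def infer_home(trace):
    # Overnight window 22:00 to 06:00; thresholds are assumptions.
    return recurring_cell(trace, 22, 6, min_hours=6.0, min_days=2)


def infer_evening_haunt(trace):
    # Early-evening window 19:00 to 21:00.
    return recurring_cell(trace, 19, 21, min_hours=1.5, min_days=2)


# Constructed trace: hourly points over three days, no identifier attached.
HOME, WORK, BAR, TRANSIT = (51.5000, -0.1200), (51.5150, -0.0900), (51.5100, -0.1300), (51.5080, -0.1000)


def make_trace():
    start = datetime(2018, 12, 1, 0, 0)
    points = []
    for hour in range(72):
        t = start + timedelta(hours=hour)
        if t.hour >= 22 or t.hour < 7:
            lat, lon = HOME
        elif 9 <= t.hour < 18:
            lat, lon = WORK
        elif 19 <= t.hour < 21:
            lat, lon = BAR
        else:
            lat, lon = TRANSIT
        points.append((t, lat, lon))
    return points


if __name__ == "__main__":
    trace = make_trace()
    print("home:", infer_home(trace))
    print("evening haunt:", infer_evening_haunt(trace))
```

Two thresholds do the real work. `min_days` is what turns a single long stay (a hotel) into nothing and a repeated one into a home; `max_gap_h` keeps a sparse trace from being over-credited. Lowering the grid resolution to two decimals (about a kilometre) still identifies a neighbourhood, which is usually enough to join against a voter roll or a property register, so coarsening coordinates is not on its own an anonymisation technique.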

Not only are these insights which can be used for personalised advertising, but the data can be sold on to other companies to dictate what services are offered to that individual and at what price. An insurance company could raise premiums for someone who never visits the gym, yet this is not personal information the individual has given permission to release. Some would argue it is an invasion of privacy, others would suggest it is statistical science and fair game.

One of the complaints being made against Google is the lack of transparency. Yes, Google has made the consumer aware it collects information unless the 'Location History' setting is switched off, but it has not made the user aware that this opt-out can be irrelevant: by using other apps and services, Google collects the location data in any case (the separate 'Web & App Activity' setting, which is on by default, keeps recording it). Once it is said out loud it should seem obvious, as you cannot use the Maps app without sending Google your location even if you have opted out, but the contradiction has the capacity to confuse users. This is not what many would consider complete transparency.

“Google’s practices leave consumers very little choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising,” European privacy group BEUC said in a statement. “BEUC and its members argue that these practices contradict basic principles of the GDPR, such as the lawfulness, transparency and fairness of processing, and infringe on data subject’s rights such as the right to information. In our assessment Google notably lacks a lawful legal ground for processing the location data in question.”

There will of course be investigations over the course of the next couple of months, and we suspect there will be more complaints filed in the near future, though this will be a test of GDPR. As a reminder, the largest fine a regulator can impose under the rules is 4% of global annual turnover, or €20 million if that is higher. Google might have been able to swallow previous fines from the EU, but this one will be a bit more difficult to justify.

Privacy International lines up US firms for GDPR breaches

UK data protection and privacy advocacy group Privacy International has submitted complaints to European watchdogs suggesting GDPR violations at several US firms including Oracle, Equifax and Experian.

The complaints have been submitted to regulators in the UK, Ireland and France, bringing into question the data broker activities of Oracle and Acxiom, as well as ad-tech companies Criteo, Quantcast and Tapad, and credit reference agencies Equifax and Experian. The complaints are specifically focused on the depth of personal data processing, which Privacy International believes violates Articles 5 and 6 of the General Data Protection Regulation (GDPR).

“It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect,” a Privacy International statement read. “Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.

“Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, they are on the whole non-consumer facing and therefore rarely have their practices challenged.”

The GDPR Articles in question relate to the collection and processing of information. Article 5 sets out the principles: a company has to be transparent in how it collects and processes information and why, collect only what is needed for that purpose (data minimisation), and take reasonable steps to erase the data once the purpose has been fulfilled (storage limitation). Article 6 requires a lawful basis for every instance of processing, of which consent from the individual for an explicit purpose is one; broad-brush collection, storage and continued exploitation of data is what is being tackled here.

In both articles, the objective is to ensure companies are specific about why they collect personal information, use it only for that purpose, and delete it once it has served that purpose. These are two of the articles which will hit the data-sharing economy the hardest, and it will be interesting to see how stringently GDPR is enforced if there is evidence of wrong-doing.

This is where Privacy International is finding issue with the firms. The advocacy group is challenging the business practices on the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy, and integrity and confidentiality. It is also requesting further investigations into Articles 13 and 14 (the right to be informed), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection by design and by default) and Article 35 (data protection impact assessments).

While GDPR sounds very scary, the reality is that no-one has been punished to the full extent of the regulation yet. This might be because every company has taken the guidance on board and is operating entirely within the legal parameters, though we doubt this is the case. It is probably a case of no-one having been caught yet.

The threat of a €20 million fine, or one of up to 4% of a business’ total worldwide annual turnover, whichever is higher, is nothing more than a piece of paper at the moment. If there is no evidence or fear that authorities will punish to the full extent of the law, GDPR doesn’t act as much of a protection mechanism or a deterrent. When a genuine violation of GDPR is uncovered, Europe needs to bare its teeth and demonstrate there will be no breathing room.

This has been the problem for years in the technology industry; fines have been dished out, though there has been no material impact on the business. The staggering growth of revenues in the industry has far exceeded the ability of regulators to act as judge and executioner. Take the recent fines for Apple and Samsung over planned obsolescence in Italy. The $10 million and $5 million fines for Apple and Samsung would have taken 20 and 16 minutes respectively to pay off. This is not good enough.

Regulators now have the authority to hold the suspect characters in the industry accountable for nefarious actions concerning data protection and privacy, but they have to prove themselves capable of wielding the axe. Until Europe shows it has a menacing side, nothing will change for the better.

Facebook referred to EU over suspect tracking methods

The UK’s Information Commissioner’s Office (ICO) has referred an investigation into Facebook to the EU’s lead data protection watchdog over concerns about how the internet giant is tracking users.

The investigation, which was initially launched in May 2017, is primarily focused on the Cambridge Analytica scandal, though this might only be the tip of the iceberg for Facebook. Aside from fining the social media giant, the ICO has referred the case to the Irish Data Protection Commission, as the lead supervisory authority for Facebook under the General Data Protection Regulation (GDPR). As you can see below, Cambridge Analytica might only be the beginning of Facebook’s headache.

“Since we began, the scope of our investigation has extended to 30 organisations, we have formally interviewed 33 individuals and are working through forensic analysis of 700 terabytes of data,” said Information Commissioner Elizabeth Denham. “In layman’s terms, that’s the equivalent of 52 billion pages.

“Now I have published a report to Parliament that brings the various strands of our investigation up to date. It sets out what we have found and what we now know. But it is not the end. Some of the issues uncovered in our investigation are still ongoing or will require further investigation or action.”

Those who practise the dark arts of hyper-targeted advertising rarely explain what information is specifically held, or how detailed a picture is being built up from first-party data and third-party sources. Few have a genuine understanding of the complexities of these advertising machines, though this is the foundation of various investigations. Transparency is the key word here, with many wanting the curtain to be pulled aside and the mechanics explained.

The fine is clear evidence the ICO is not happy with the state of affairs, though continuation of the investigation and referral to the EU overlords suggests there are more skeletons to be uncovered in-between Zuckerberg’s V-neck jumpers and starch ironed chinos.

“We have referred our ongoing concerns about Facebook’s targeting functions and techniques that are used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the IDPC,” said Denham.

The initial focus of the investigation might have been political influence, though the more details which emerge, the less comfortable pro-privacy bureaucrats in Brussels are likely to feel. Regulating the slippery Silicon Valley natives has always been a tricky job, but with the Facebook advertising machine becoming increasingly exposed, the rulebook governing the data sharing economy might well be in need of a refresh.

50 million accounts breached at Facebook, but Europe needs to find the bad guy

Details of 50 million accounts have been lost to unknown nefarious individuals, but Facebook might get away with just a heavy hand-slapping from European watchdogs until the full consequences have been identified.

Last week, data from 50 million Facebook accounts was exposed through a vulnerability in the ‘View As’ feature, though as the incident was reported within the 72-hour notification window set out in GDPR (Article 33), the social media giant might avoid serious penalties. The maximum fine would be $1.63 billion.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” said Guy Rosen, VP of Product Management. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”

Attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature which allows users to view their own profile from the perspective of another user. This vulnerability allowed the attackers to steal ‘access tokens’, and with them to hijack user accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password each time they use the platform; anyone holding a valid token can act as that user without knowing the password.

While this might seem like a significant oversight from Facebook’s security team, the company might just avoid a significant fine. The incident was reported to the relevant authorities after two days, well within the required window, and the consequences of the incident are also unknown for the moment. Under GDPR, companies that report an incident within the required window and cooperate with investigators are not expected to receive the heaviest fines. The objective is to remove the stigma of self-reporting, essentially rewarding those who come clean rather than trying to hide the incident.

The consequence of the breach is also an important factor. Until misuse of the data can be identified, political persuasion for example, watchdogs are unlikely to be heavy handed. Using both the consequences and cooperation with investigators as reasons to reduce a fine is important in ensuring the industry works with regulators. The less time these watchdogs spend policing the industry and searching for potential incidents, the more time can be spent proactively making security features and processes more resilient. If watchdogs appear rational in their approach to punishments, industry will be much more of an ally.

“The time between detection and public notification on this one may be one for the record books, likely driven as much by risk to reputation and a wary eye on some of the large fines levied lately, as much as by GDPR and other compliance requirements,” said Dan Pitman, Principal Security Architect at Alert Logic. “New features increase the risk that vulnerabilities like this can become part of the live application, and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.

“This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge.”

The very path to ensuring a more engaging platform might well be what is causing Facebook problems, but in the pursuit of relevance, the Facebook business model might be undermined. Just as with the Cambridge Analytica scandal, users might be discouraged from putting additional information onto the platform, or even encouraged to remove some. At first, this will not have a significant impact on Facebook, but straws piling up on the camel’s back will eventually cause some damage.

While exiting users might be incrementally impacting the Facebook business, the advertisers might start looking at the platform as well. This is not to say people will stop advertising on Facebook, but the more incidents impacting the brand and the more stories of people becoming disengaged might have an influence. Facebook might have led the way when it comes to hyper-targeted advertising but others are catching up. Google is arguably the only platform which can compete toe-to-toe with Facebook, but it doesn’t have the suspect clouds lurking overhead. Twitter has upped its game, Microsoft’s Xbox platform is one worth keeping an eye on, as is AT&T’s advertising business Xandr. Even when you look at companies like Sky, the AdSmart platform offers an incredibly targeted offering. These security breaches might start to weigh heavy considering there are other options out there.

Another very important factor to consider with this incident is GDPR. Since the regulation came into force in May, this is the first major incident to test the resilience and credibility of the rules. How European investigators, currently led by the Irish data protection watchdog, react will set a precedent and also shape the way other companies view the rules. The next few weeks are very important for Europe in terms of validation.

The issues which the regulators are facing at the moment are consequence and bad guys. To make an appropriate ruling, demonstrate the importance of security and dish out the appropriate fine, there needs to be someone or something to point the naughty finger at.

“Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles,” said Greg Foss, Senior Manager of Threat Research at LogRhythm. “It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account.

“If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”

When a bad guy has been found, the threat becomes real and there are tangible consequences. This is when the appropriate punishment can be justifiably dished out, while also maintaining a positive relationship with industry, and the dangers of the digital economy can be effectively communicated to the general public. This will scare Facebook more than anything else.

Fines are okay, they are a one-off hit, but negative PR and public outcry will mean fewer people engage with the Facebook community. This will have an impact on the bottom line. Managing this negative impact will be significantly more important than any fine handed out by European regulators.

US contemplates its own version of GDPR

The U.S. National Telecommunications and Information Administration has started a 30-day public comment process to gather views on its policy options for consumer privacy protection.

Shortly after Europe’s General Data Protection Regulation (GDPR) came into force in late May, “a global tidal wave of new and updated privacy regulations”, as it was called at the recent Digital Futures conference, followed hot on its heels. Regulations and laws passed in jurisdictions from India to California, with other markets in between, have largely been modelled after the European legislation.

In the latest move, on Tuesday September 25, the US federal government, through the National Telecommunications and Information Administration (NTIA), kick-started a month-long process to hear from the public on the approach towards privacy protection.

“The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected, and integrated into our daily lives,” said David Redl, NTIA Administrator and Assistant Secretary of Commerce for Communications and Information. “The Trump Administration is beginning this conversation to solicit ideas on a path for adapting privacy to today’s data-driven world.”

The feedback requested is two-fold. The first part is on the outcome of any future privacy legislation. This includes:

  • Organizations should be transparent about how they collect, use, share, and store users’ personal information.
  • Users should be able to exercise control over the personal information they provide to organizations.
  • The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
  • Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
  • Users should be able to reasonably access and correct personal data they have provided.
  • Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
  • Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems.

All of these are rather similar to what GDPR and the upcoming ePrivacy regulation are designed to achieve.

Meanwhile the NTIA is also requesting comments on the overall “High-Level Goals for Federal Action”, the key points including:

  • “Harmonize the regulatory landscape” between existing and future legislation;
  • “Legal clarity while maintaining the flexibility to innovate” to enable new business models and technologies while privacy is protected;
  • “Comprehensive application” to “all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws”;
  • “Incentivize privacy research” in technologies and services that improve privacy protections;
  • The FTC should be the enforcement agency.

However a few other points stand out that deserve a closer look. One probably deserves a full quote:

Employ a risk and outcome-based approach.  Instead of creating a compliance model that creates cumbersome red tape—without necessarily achieving measurable privacy protections—the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes.  Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices.  Outcome-based approaches also enable innovation in the methods used to achieve privacy goals.  Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers, while also ensuring clarity in legal compliance.

NTIA’s focus is clearly on avoiding heavy-handed measures that dictate what can be done, and instead giving businesses the flexibility to make their own judgement on what measures to take. This is in the same spirit as the first part of the consultation, which “focuses on the desired outcomes of organizational practices, rather than dictating what those practices should be.”

Another point that draws our attention relates to “Scalability”, which stresses that small companies operating in good faith, and third parties processing data on behalf of other organisations, should be treated differently from big companies that own and control personal data.

The two points above combined make a balanced message for the internet giants, which are not necessarily the biggest fans of privacy regulations. While they are afforded more flexibility, they are also going to be treated more strictly if they contravene. However as we wrote earlier, because of their size, the Googles and Facebooks of the world are much quicker in ticking the compliance boxes.

One more point worth highlighting, probably more for entertainment purposes than anything else, relates to “Interoperability” with other major global legislation. Here, for whatever reason, it pointedly does not refer to GDPR but uses the example of the “APEC Cross-Border Privacy Rules System.”

In general, the NTIA’s approach is balanced and measured, which is largely in line with our attitude towards privacy protection. On one hand we deplore the blatant abuse of privacy by companies like Facebook and Cambridge Analytica. On the other hand, we also sympathise with the small and medium-sized businesses operating in Europe, most of which had to scramble together some policies at the eleventh hour, but may still fall foul of consumers. France’s data protection agency CNIL (Commission nationale de l’informatique et des libertés) registered a 64% increase in consumer complaints in the four months after GDPR came into force, compared with the same four months last year.

As Mary Meeker highlighted, draconian laws could limit the exploratory nature of tech innovators. That many countries model their privacy legislation after GDPR confirms that Europe’s policymakers are “world-class in setting standards”, as a recent article in The Economist put it. But in the same article the newspaper also highlighted the gap between Europe and the AI leaders, China and the US, neither of which is a role model in guarding individual privacy, though for entirely different reasons.

In a recent Telecoms.com online poll, a third of respondents agreed with the statement that there should be “flexible rules to allow users to trade privacy for benefits”. An optimal regulatory environment should give this minority the freedom to do so while providing the other two-thirds of consumers with strict privacy protection.

The security of Polar users’ data could be compromised, in a big way

The Finnish fitness device and software maker Polar has found itself at the centre of a data leak scandal, which it is feared could jeopardise the security of personnel on sensitive missions.

For a country where personal space and privacy are highly respected, Finland can be rather transparent too. Every year at the beginning of November, the tax office grants public access to data on the income and capital gains made by everyone in the previous year, as well as how much tax has been paid.

The country also produced Polar, the company that invented the wearable heart rate monitor. More recently its professional heart rate monitoring system was credited with being largely behind the scientific training at Leicester City Football Club, which went on to win the Premier League in 2016.

But it is safe to say Polar has taken transparency too far. After months of investigation, the Dutch independent media outlet De Correspondent, in conjunction with the British “citizen journalism” website Bellingcat and the Finnish investigative journalist Hanna Nikkanen on Long Play (in Finnish), published findings on how anyone with a Polar account was able to see all the details of anyone else who publicly shared their workout sessions on Polar’s Flow app.

Data extracted included names, as well as time-stamped GPS data for all workouts uploaded since 2014. When zoomed out, the aggregated data generates a clustered view of the user’s activity pattern on the map. Because most exercises start and end at the same place, this gives a rather accurate estimate of the user’s home base, including places in sensitive locations, e.g. military bases in Iraq or Afghanistan. With some additional cross-searching on social networks, the user’s professional affiliation, including those of the military and secret services, could be established.
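The home-base inference described above is simple enough to show in code. The following is an added example, not code from the article, from the journalists or from Polar: it bins the start and end points of shared workouts into coarse grid cells, reports the densest cell as the likely base, and then shows the obvious countermeasure, a privacy zone that strips points near a user-chosen centre before anything is shared (an assumed mitigation, not one the article attributes to Polar). All coordinates are constructed sample data, not real users.

```python
"""Added example (not from the article, De Correspondent/Bellingcat or Polar):
how clustered workout start/end points give away a home base, and the
privacy-zone filter that stops the cluster forming before data is shared.
Every coordinate below is constructed sample data, not a real Polar user.
"""
import math
from collections import Counter

# Constructed sample workouts as (start_lat, start_lon, end_lat, end_lon).
# Five sessions start and end within ~50 m of one spot in Helsinki; two are
# one-off sessions elsewhere. A naive mean of all points would be pulled
# hundreds of km north, which is why the attack bins points instead.
SAMPLE_WORKOUTS = [
    (60.1710, 24.9410, 60.1712, 24.9408),
    (60.1709, 24.9412, 60.1711, 24.9415),
    (60.1713, 24.9409, 60.1708, 24.9411),
    (60.1711, 24.9411, 60.1710, 24.9413),
    (60.1710, 24.9414, 60.1712, 24.9410),
    (61.4978, 23.7610, 61.4981, 23.7605),  # away session
    (65.0121, 25.4651, 65.0119, 25.4655),  # away session
]


def endpoints(workouts):
    """Flatten workouts into their (lat, lon) start and end points only;
    the route in between is irrelevant for locating a base."""
    points = []
    for s_lat, s_lon, e_lat, e_lon in workouts:
        points.append((s_lat, s_lon))
        points.append((e_lat, e_lon))
    return points


def grid_cell(point, cell_deg):
    """Bucket a (lat, lon) point into a square cell cell_deg degrees wide."""
    lat, lon = point
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def estimate_home_base(points, cell_deg=0.002, min_share=0.5):
    """Return ((lat, lon), share) for the densest cell, or None when no
    cell holds at least min_share of the points. cell_deg=0.002 is about
    220 m of latitude, i.e. 'the same block', coarse enough to absorb GPS
    jitter while keeping distinct locations apart."""
    if not points:
        return None
    cells = Counter(grid_cell(p, cell_deg) for p in points)
    best_cell, count = cells.most_common(1)[0]
    share = count / len(points)
    if share < min_share:
        return None
    members = [p for p in points if grid_cell(p, cell_deg) == best_cell]
    lat = sum(p[0] for p in members) / len(members)
    lon = sum(p[1] for p in members) / len(members)
    return (lat, lon), share


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    earth_radius_m = 6371000.0
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_m * math.asin(math.sqrt(a))


def apply_privacy_zone(points, centre, radius_m=500.0):
    """Assumed mitigation (not something the article attributes to Polar):
    drop every point within radius_m of a user-chosen centre before the
    session is shared, so the densest cell can never be the home itself."""
    return [p for p in points if haversine_m(p, centre) >= radius_m]


if __name__ == "__main__":
    shared = endpoints(SAMPLE_WORKOUTS)
    base = estimate_home_base(shared)
    print("home base inferred from shared data:", base)
    # Same data with a 500 m privacy zone around that base applied before
    # sharing: only scattered away sessions remain, so no base is found.
    redacted = apply_privacy_zone(shared, base[0])
    print("after privacy zone:", estimate_home_base(redacted))
```

The threshold matters: with `min_share` the inference refuses to name a base when the densest cell holds only a minority of points, which is exactly the state a privacy zone leaves the data in. Note that a zone only hides the endpoints; the first and last visible points of a route still point roughly towards the zone's centre, which is why the radius needs to be generous rather than a few hundred metres for anyone at a sensitive site.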

By the time they published their reports, the journalists had managed to gather personal and professional details of more than 6,000 Polar users, including those working for the NSA of the US, Britain’s GCHQ and MI6, Russia’s GRU and SVR RF, France’s DGSE, the Finnish military, as well as the Dutch MIVD.

The journalists notified the Dutch and Finnish authorities, as well as reaching out to Polar, before they published the findings. The app was disabled remotely on official phones issued to employees by the Dutch and Finnish Defence Ministries, and warnings were sent out to users of private devices. However, Polar did not formally take down the feature until yesterday (9 July), more than two weeks after being contacted by the journalists, and after a forlorn attempt to defend itself by claiming that the company had not leaked the users’ data.

Finland’s Data Protection Ombudsman is looking into the matter. Because its failure to safeguard user data has affected users in other EU countries, the possibility that the case could be brought under the new GDPR cannot be ruled out.

Polar was not the first fitness app to score own goals. As a matter of fact, it was the high-profile case of Strava leaking training data in military bases, which made headlines at the beginning of the year, that prompted the independent journalists to look into the vulnerability of other apps, including Polar. What makes the Polar case stand out is the ease with which users’ private data could be extracted, and the slow reaction from the company.

The ramifications of the case could be profound. The journalists found that similar data could also be extracted from other fitness apps such as Endomondo, Runkeeper and Garmin, albeit with a bit more skill. This could result in authorities banning all similar apps from use by employees in sensitive functions, just to be on the safe side. The Finnish military had already banned the sharing of location data on social networks even before the Strava case, but rank-and-file servicemen and reservists largely ignored the order, according to Long Play.

In her testimony to Congress, the newly appointed Director of the CIA, Gina Haspel, declared that she has no social network accounts. This could move from a voluntary decision to a mandatory order for employees on sensitive missions. Profiles on social networks like LinkedIn and Facebook made it straightforward for the journalists to join the dots and put together the Polar users’ personal and family details, job functions and locations.

In our latest annual survey, published at the end of last year, nearly 95% of network operators described security as either critical (69%) or important (25%) to their company’s overall technology and business. Clearly other service providers, including device makers and app developers, should also raise their awareness and subject their products to more rigorous security testing.