Facebook referred to EU over suspect tracking methods

The UK’s Information Commissioner’s Office has referred an investigation into Facebook to the EU’s lead data protection watchdog over concerns about how the internet giant is tracking users.

The investigation, which was initially launched in May 2017, is primarily focused on the Cambridge Analytica scandal, though this might only be the tip of the iceberg for Facebook. Aside from fining the social media giant, the ICO has referred the case to the Irish Data Protection Commission, as the lead supervisory authority for Facebook under the General Data Protection Regulation (GDPR). As you can see below, Cambridge Analytica might only be the beginning of Facebook’s headache.

“Since we began, the scope of our investigation has extended to 30 organisations, we have formally interviewed 33 individuals and are working through forensic analysis of 700 terabytes of data,” said Information Commissioner Elizabeth Denham. “In layman’s terms, that’s the equivalent of 52 billion pages.

“Now I have published a report to Parliament that brings the various strands of our investigation up to date. It sets out what we have found and what we now know. But it is not the end. Some of the issues uncovered in our investigation are still ongoing or will require further investigation or action.”

Those who practise the dark arts of hyper-targeted advertising rarely explain what information is specifically being held, or how detailed a picture is being built up from primary-sourced data and third-party sources. Few have a genuine understanding of the complexities of these advertising machines, yet this is the foundation of various investigations. Transparency is the key word here, with many wanting the curtain to be pulled aside and the mechanics explained.

The fine is clear evidence the ICO is not happy with the state of affairs, though continuation of the investigation and referral to the EU overlords suggests there are more skeletons to be uncovered in-between Zuckerberg’s V-neck jumpers and starch ironed chinos.

“We have referred our ongoing concerns about Facebook’s targeting functions and techniques that are used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the IDPC,” said Denham.

The initial focus of the investigation might have been political influence, though the more details which emerge, the less comfortable pro-privacy bureaucrats in Brussels are likely to feel. Regulating the slippery Silicon Valley natives has always been a tricky job, but with the Facebook advertising machine becoming increasingly exposed, the rulebook governing the data sharing economy might well be in need of a refresh.

ICO report shows UK is starting to take privacy and data protection seriously

The UK Information Commissioner’s Office has released its annual report for 2017/18 which hints the UK is starting to present the right attitudes to privacy and data protection.

Privacy and data protection are areas of the technology world which everyone seems to deeply care about, but few seem to want to do anything. Consumers are constantly shocked about the lack of protections offered to their personal information by leaky organizations, but the same consumers are always more than willing to hand over data when it means avoiding payment. It has seemed to be a bugbear of convenience for the consumer, but perhaps this report indicates these attitudes are changing.

“This is an important time for privacy rights, with a new legal framework and increased public interest,” said UK Information Commissioner Elizabeth Denham. “Transparency and accountability must be paramount, otherwise it will be impossible to build trust in the way that personal information is obtained, used and shared online.”

Denham and her team do of course have a challenging task. The mission statement of the Information Commissioner’s Office lists some very lofty goals, such as increasing the public’s trust and confidence in how data is used, or improving standards of information rights practice across industry. Winning this battle will rely not only on companies taking their responsibilities more seriously, but also on consumers realising it is their duty to manage their own personal data. Sceptics would argue neither of these ideas is being taken seriously at the moment, though optimists might point towards the statistics.

The report claims 235,672 calls were received by the ICO’s helpline, an increase of 24.1% year-on-year, while 30,469 live chats were requested, up 31.5%. The caseload from 31 March 2018 to the same date in 2018 has increased from 115 to 3526. Over the course of the year, 21,019 calls were focused on data protection, a 15% increase from 2017, with most people concerned about subject access (39%), the disclosure of data (16%), its accuracy (11%) and securing the right to prevent processing (9%). The sceptics might still have a case that privacy and data protection are not being taken seriously, but the fact that enquiries and complaints are heading upwards suggests the general public and businesses are starting to acquire a new appreciation of how the digital economy works, as well as its risks.

On the data breach front, the number of self-reported cases is also on the up. 3,172 incidents were reported to the ICO over the course of 2017/18, a 29.6% increase. The majority of these cases did not result in a fine; there is wiggle room if a company is able to demonstrate that its approach to security could be deemed stringent. Healthcare is proving to be the most porous sector in the UK, accounting for 36% of the incidents.

Security has seemingly never been a top priority for many organizations, except when trying to generate PR points, though the same could be said of the consumer. The last 12-18 months have seen a change in attitude towards personal information: consumers are more sensitive about giving information out freely, though there does seem to be a lack of understanding of how terms and conditions work in the app economy. How many realise that by playing Clash of Clans, the user is effectively handing over ownership of a lot of personal information?

Awareness is only one area of the industry which needs work, as the ICO also points out there are still a few risks on the horizon. There is still uncertainty over the final wording of the upcoming Data Protection Bill and its enactment, while the operational changes necessary to regulate GDPR will cause issues, as will introducing a new funding regime for data protection work.

A lot is changing on the regulatory front, but the worrying question about bureaucrats still remains: are they able to keep up with the pace and sheer breadth of change which is constantly taking place in the technology world?

Brexit data contravention lands Facebook a £500,000 fine

The Information Commissioner’s Office (ICO), the UK’s data protection regulator, intends to fine Facebook half a million pounds for its failure to safeguard user data in the run-up to the country’s referendum to leave the EU in 2016.

After more than a year’s investigation, the ICO’s progress report published today (11 July) determined that Facebook breached the Data Protection Act 1998 by lacking transparency “and security issues relating to the harvesting of data”. Facebook is due to present its case in front of the ICO later this month.

We asked Facebook for a comment and got this from Erin Egan, its Chief Privacy Officer: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”

In addition to penalising Facebook with the highest possible sum in its jurisdiction, the ICO has also taken action against a string of parties suspected of having been involved in irregularities during the campaign:

  • An Enforcement Notice to cooperate with the investigation was sent to SCL Elections, affiliated with Cambridge Analytica, and steps are being taken to bring criminal charges against SCL Elections for its failure to comply with the Enforcement Notice;
  • Warning letters were sent to 11 political parties on their ways of buying and using voter data. Audits are planned for later this year;
  • An Enforcement Notice was sent to the Canadian data analytics firm AggregateIQ (AIQ), in cooperation with the Canadian authorities, demanding that it stop holding UK voters’ data;
  • Investigations into both the Leave and Remain campaigns are ongoing;
  • An audit of Cambridge University’s policy and process will be conducted. A recommendation was issued to Universities UK demanding that educational institutions be more vigilant about the use of personal data gathered for academic research purposes versus academics’ private commercial interests.

In a certain sense, Facebook was fortunate with timing. Had the new GDPR been in place before the referendum, the ICO would have had the authority to hand out a fine of up to €20 million (£17 million).

ICO broadens data privacy investigation to 30 organizations

The ICO has announced it is investigating 30 organizations, including Facebook, to understand how personal data and analytics can impact political campaigning and influence elections.

Following the Facebook/Cambridge Analytica scandal, the ICO was sharp out of the blocks to kick-start an investigation into how personal data has been used in an unethical or potentially illegal manner. While we are usually quite critical about the sluggishness of the public sector, the ICO defied expectations by securing a warrant before Facebook had the chance to conduct its own audit of the Cambridge Analytica data. The warrant was granted on Friday 23 March, and investigators left the Cambridge Analytica offices at about 3am the next morning.

Having dug around the Cambridge Analytica filing cabinets, the ICO is taking the investigation up a step and broadening the number of companies underneath the microscope.

“As part of my investigation into the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors, the ICO is investigating 30 organisations, including Facebook,” said Information Commissioner Elizabeth Denham.

“The ICO is looking at how data was collected from a third party app on Facebook and shared with Cambridge Analytica. We are also conducting a broader investigation into how social media platforms were used in political campaigning.”

As a result of the scandal, Facebook has brought in a host of changes to how much information developers can extract from user profiles and how they do so. While this work has been noted by the ICO, Denham highlighted that only time would tell whether it would be deemed sufficient.

Elsewhere in the world other headaches are starting to appear for the social media giant. Alongside the ICO investigation and a grilling in the US, Australia has opened up its own probe into the saga. Australian Information Commissioner and acting Privacy Commissioner Angelene Falk has opened up an investigation after Facebook confirmed the information of over 300,000 Australian users may have been acquired and used without authorisation.

Back in the UK, details of who the other 29 organizations are remain unknown for the moment, though this should hardly be a surprising move from the ICO. Scandals are opportunities for politically charged public servants to make a mark in the history books, and Denham has seemingly spotted a potentially catastrophic one here. Widening the net and potentially uncovering more nefarious behaviour is a chance for the Commissioner to make a name for herself. Expect this to be a political circus for months.

GDPR is 100 days away and we think the panic button is getting pushed

New research from EfficientIP has claimed 72% of UK businesses are confident about being compliant when GDPR hits the industry in May, but we’re not too sure.

Although security teams have had two years to get ready for the new regulations, in typical fashion, it has only been in the last couple of months activity has been ramping up. We’ve been speaking to various people in the industry recently, and the feedback is a bit panicked.

This is of course human nature. When something is deemed non-critical or still on the horizon, it is pushed to the bottom of the priority list. Maybe some of these businesses assumed government agencies would be toothless in dishing out fines? Unfortunately, few businesses appreciated how time-consuming the process of becoming GDPR-compliant actually is, and they are now smacking the big red panic button with increasing severity.

Having spoken to a few friendlies, the feedback is that businesses do not appreciate the amount of grunt work associated with data audits, updating cookies or understanding what is opt-in and what is opt-out. GDPR work is flooding into consultancies, and any consultant who is free is being reallocated to make sure the influx of demand can be serviced. Businesses are realizing there isn’t a huge amount of time remaining.

We are sceptical about progress and think there will be quite a few cases of non-compliance; this is something people should be seriously worried about.

The fine itself could be up to 3% of annual global revenues or €20 million, whichever is higher. Of course, when it comes to a public sector organization dishing out fines or catching people in the act of wrong-doing, the general feeling is that there is wiggle room. Some businesses would be confident they could avoid detection or a fine of any real detriment. Most watchdogs are generally viewed as a bit toothless, with a bark comparable to a three-month-old Chihuahua.

When we spoke to the Information Commissioner’s Office, the body which will be responsible for enforcing the new rules, we were told May 25 would be a hard deadline and there would not be any grace period for companies to adapt to the new rules. The feedback was GDPR guidance has been around for ages so there is no excuse for non-compliance.

In terms of the fines and what would constitute mitigating circumstances, this is where the grey areas start to appear. The ICO will be ‘proportionate’ when dishing out fines and when assessing each scenario. Whether this means there will be an escape route for non-compliant companies who can prove they really tried their hardest remains to be seen. Or could it mean fines will be inconsequential when compared to the revenues and profits being made by these businesses?

Once again we have a government agency which hasn’t really drawn up concrete rules, and the legal minefield of interpretation is out there again. It is worth noting that the blame for these grey areas should not be placed firmly on the doorstep of the ICO, as the rules are being passed down from the boresome bureaucrats in the European Commission.

We are not confident in the research’s claim that the majority of businesses are confident about being GDPR compliant. Perhaps this is a clever bit of marketing though; if you claim the majority of people are ready for GDPR, it could force those who are not into even more of a frenzy. The threat of being the odd one out would certainly encourage a couple of CSOs to dig deeper into their wallets.

Perhaps the most interesting part of this debacle will be the reaction of regulators; this could be viewed as a test of character for the ICO. The number of mitigating factors which the ICO allows and the severity of the fines for non-compliance will decide whether there is any credibility in the watchdog. Is the team going to punish non-compliance at an appropriate level, or will the Chihuahuas resort to gentle yapping at the ankles of British businesses?

It looks like no-one cares about data protection regulations

Even though they were given more than two years to get ready, with six months to go until the EU GDPR deadline it’s going to be a sprint finish for a worryingly large number of companies.

That’s the view of law firm Blake Morgan, whose survey of the readiness of companies in the UK found a high number at risk of non-compliance. We’ve been talking about companies not being ready for the new regulations for some time now, but perhaps a conversation we should start having is whether they actually care. There are only so many warnings which can be given before you realize no-one is actually listening.

According to the research, only 13% of businesses had updated their privacy policies, one of the significant requirements of GDPR. 23% said they were unaware of the new data protection laws despite the looming deadline of 25 May 2018. 39% had not taken any steps at all to prepare for the new law. 38% were not confident they would be able to comply with GDPR by 25 May. 21% do not currently have a senior person in place responsible for data protection.

These statistics do not make us believe businesses in the UK are that worried about the regulations or the consequences of being non-compliant. Just a reminder, non-compliance means a fine of up to £17m or 4% of worldwide turnover, whichever is greater.

“GDPR Compliance is good corporate housekeeping,” said Simon Stokes, a Partner specialising in data protection law at Blake Morgan.

“Not only will it avoid running the risk of financially and reputationally damaging fines or sanctions – ultimately it will assure the public’s trust in your organisation at a time when data privacy and security are more important than ever before. As the UK’s data protection regulator, the ICO, has recently highlighted, GDPR is essentially about trust.”

Perhaps companies are calling the bluff of regulators. Maybe they don’t think regulators will follow through on the fines? Maybe they don’t think their customers care that much about data protection? Perhaps the concerns of regulators and customers are secondary to commercial concerns?

The latter wouldn’t surprise anyone at Telecoms.com, as data protection doesn’t seem to be more than a PR tool right now. If it was anywhere near the top of the agenda, would we be seeing this many data breaches? Would there be any reason for websites like haveibeenpwned.com?

The sceptic in us just says these organizations do not care that much about data protection. If there is a breach or a leak, just ride the negative press for a couple of weeks and back to business as normal. The optimist in us believes these organizations have underappreciated the complexity of remaining compliant once the rules change.

In both cases, the organization is essentially saying the damage done by EU GDPR non-compliance will not be that bad. Either consciously or sub-consciously, they are prioritizing other areas over the changes which need to happen to data protection policy and processes. Either customers’ decision-making won’t be affected by data protection compliance, or the ICO doesn’t have the veg to follow through on the fines.

May 25 2018 will come very quickly once the new year passes, and then we’ll find out who is in trouble. The ICO might destroy its credibility by not following through on scare tactics, the customer might prove it doesn’t care about data protection and privacy, or some organizations might find themselves on the sharp end of a fine and customer churn.