An early test of the GDPR: taking on data brokers



Major data brokers Acxiom and Oracle are among seven companies accused of violating GDPR laws on personal information privacy. Advocates hope the complaints will shed light on the opaque ways that personal data is traded through third parties online both in the EU and the US.

The General Data Protection Regulation is a sweeping personal data privacy law that came into force in late May in the EU. For the rest of the world, it’s viewed as a bellwether for whether Big Tech can be held in check when immense data leaks seem to happen with painful regularity.

Formal complaints to European regulators under the GDPR by UK non-profit Privacy International were also filed against ad-tech companies Criteo, Quantcast and Tapad as well as credit agencies Equifax (the subject of a massive breach just last year) and Experian.

“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged,” said Ailidh Callander, legal officer at Privacy International, in an email to Engadget. “These companies’ business models are premised on data exploitation.”

Data brokers aggregate personal information from other sources — for instance, websites you’ve visited or credit card records — to create a complex profile on who they think you are. That profile may include political leanings and income, and subsequently get sold to brands or social networks. Acxiom claims to have data on about 700 million people globally. Consumers often don’t hand data directly to these companies via their own websites — the way one would with, say, Facebook — which allows the data trading to operate in relative obscurity.

This alleged lack of consent is precisely what Privacy International is targeting. The non-profit also claims that these companies lack “legitimate interest” (in legal terms) for processing the personal data, which may infer political, ethnic and religious affiliations. The companies fail to comply, according to Privacy International, with the principles of “transparency, fairness, purpose limitation, data minimisation, accuracy and confidentiality and integrity” — in other words, nearly all of the new privacy law’s core foundations.

“The law has changed and these companies need to as well,” said Callander. “There is a gap between how [the] GDPR conceptualises data privacy and [how] these companies do and the onus is on them (if necessary, pushed by regulators) to close it.”

In public statements, Experian has said: “We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements.” Criteo has stated: “We have complete confidence in our privacy practices.”

Companies are still feeling out just how the law is going to be enforced, which is why test cases like this bear watching. Facebook and Google are among the other companies who have faced complaints so far. A spokesman from the Data Protection Commission in Ireland, where many American tech firms keep European headquarters, said the regulators have already received 2,500 breach notifications and 1,200 complaints related to the GDPR since May.


Facebook Dating expands to Canada and Thailand



Facebook’s quest to help singletons find love continues. After launching its Dating feature in Colombia in September, it’s now rolling the service out to Canada and Thailand. And, presumably based on feedback from its Colombian users, it’s adding a couple of new features.

The newest version will allow users to temporarily pause matches, as well as give them the ability to take a “second look” at potential matches they’d previously said no to — a feature that might prove useful as enthusiastic users wait for others in their area to get on board with the app (although Facebook has said users in Canada and Thailand won’t be able to match with anyone right away, as it waits for enough people to sign up).

The company hasn’t given any details on how many Facebook users in Colombia have used the feature, although product manager Nathan Sharp has said there’s been an “overwhelmingly positive response” so far. Nonetheless, the expansion of Facebook Dating comes at a precarious time for the company, as it continues to face scrutiny for its involvement in the Cambridge Analytica scandal, as well as ongoing investigation into its role in political interference. However, the company wouldn’t roll out the feature further if there was no demand for it, so people are clearly still willing to let Facebook into the most intimate areas of their lives.


A long and winding road to new copyright legislation

Back in May, as part of a settlement, Spotify agreed to pay more than $112 million to clean up some copyright problems. Even for a service with millions of users, that had to leave a mark. No one wants to be dragged into court all the time, not even bold, disruptive technology start-ups.

On October 11th, the President signed the Hatch-Goodlatte Music Modernization Act (the “Act”, or “MMA”). The MMA goes back, legislatively, to at least 2013, when Chairman Goodlatte (R-VA) announced that, as Chairman of the House Judiciary Committee, he planned to conduct a “comprehensive” review of issues in US copyright law. Ranking Member Jerry Nadler (D-NY) was also deeply involved in this process, as were Senators Hatch (R-UT), Leahy (D-VT), and Wyden (D-OR). But this legislation didn’t fall from the sky; far from it.

After many hearings, several “roadshow” panels around the country, and a couple of elections, in early 2018 Goodlatte announced his intent to move forward on addressing several looming issues in music copyright before his planned retirement from Congress at the end of his current term (January 2019). With that deadline in place, the push was on, and through the spring and summer, the House Judiciary Committee and their colleagues in the Senate worked to complete the text of the legislation and move it through the process. By late September, the House and Senate versions had been reconciled and the bill moved to the President’s desk.

What’s all this about streaming?

As enacted, the Act instantiates several changes to music copyright in the US, especially as regards streaming music services. What does “streaming” refer to in this context? Basically, it occurs when a provider makes music available to listeners, over the internet, without creating a downloadable or storable copy: “Streaming differs from downloads in that no copy of the music is saved to your hard drive.”

“It’s all about the Benjamins.”

One part, by far the largest change in terms of money, provides that a new royalty regime be created for digital streaming of musical works, e.g. by services like Spotify and Apple Music. Pre-1972 recordings — and the creators involved in making them (including, for the first time, audio engineers, studio mixers and record producers) — are also brought under this royalty umbrella.

These are significant, generally beneficial results for a piece of legislation. But to make this revenue bounty fully effective, a to-be-created licensing entity will have to be set up with the ability to first collect, and then distribute, the money. Think “ASCAP/BMI for streaming.” This new non-profit will be the first such “collective licensing” copyright organization set up in the US in quite some time.

Collective Licensing: It’s not “Money for Nothing”, right?

What do we mean by “collective licensing” in this context, and how will this new organization be created and organized to engage in it? Collective licensing is primarily an economically efficient mechanism for (A) gathering up monies due for certain uses of works under copyright (in this case, digital streaming of musical recordings), and (B) distributing the royalty checks back to the rights-holding parties (e.g. recording artists, their estates in some cases, and record labels). Generally speaking, in collective licensing:

 “…rights holders collect money that would otherwise be in tiny little bits that they could not afford to collect, and in that way they are able to protect their copyright rights. On the flip side, substantial users of lots of other people’s copyrighted materials are prepared to pay for it, as long as the transaction costs are not extreme.”

—Fred Haber, VP and Corporate Counsel, Copyright Clearance Center

The Act envisions the new organization as setting up and implementing a new, extensive — and publicly accessible — database of musical works and the rights attached to them. Nothing quite like this is currently available, although resources like SONY’s Gracenote suggest a good start along those lines. After it is set up and the initial database has a sufficient number of records, the new collective licensing agency will then get down to the business of offering licenses:

“…a blanket statutory license administered by a nonprofit mechanical licensing collective. This collective will collect and distribute royalties, work to identify songs and their owners for payment, and maintain a comprehensive, publicly accessible database for music ownership information.”

— Regan A. Smith, General Counsel and Associate Register of Copyrights

The Liverpool beat group The Beatles, with John Lennon, Paul McCartney, George Harrison and Ringo Starr, take it easy resting their feet on a table, during a break in rehearsals for the Royal variety show at the Prince of Wales Theater, London, England, November 4, 1963. (AP Photo)

You “Can’t Buy Me Love”, so who is all this going to benefit?

In theory, the listening public should be the primary beneficiary. More music available through digital streaming services means more exposure — and potentially more money — for recording artists. For students of music, the new database of recorded works and licenses will serve to clarify who is (or was) responsible for what. Another public benefit will be fewer actions on digital streaming issues clogging up the courts.

There’s an interesting wrinkle in the Act providing for the otherwise authorized use of “orphaned” musical works such that these can now be played in library or archival (i.e. non-profit) contexts. “Orphan works” are those which may still be protected under copyright, but for which the legitimate rights holders are unknown, and, sometimes, undiscoverable. This is the first implementation of orphan works authorization in US copyright law. Cultural services – like Open Culture – can look forward to being able to stream more musical works without incurring risk or hindrance (provided that the proper forms are filled out) and this implies that some great music is now more likely to find new audiences and thereby be preserved for posterity. Even the Electronic Frontier Foundation (EFF), generally no great fan of new copyright legislation, finds something to like in the Act.

In the land of copyright wonks, and in another line of infringement suits, this resolution of the copyright status of musical recordings released before 1972 seems, in my opinion, fair and workable. In order to accomplish that, the Act also had to address the matter of the duration of these new copyright protections, which is always (post-1998) a touchy subject:

  • For recordings first published before 1923, the additional time period ends on December 31, 2021.
  • For recordings created between 1923-1946, the additional time period is 5 years after the general 95-year term.
  • For recordings created between 1947-1956, the additional time period is 15 years after the general 95-year term.
  • For works first published between 1957-February 15, 1972 the additional time period ends on February 15, 2067.

(Source: US Copyright Office)


Money (That’s What I Want – and lots and lots of listeners, too.)

For the digital music services themselves, this statutory or ‘blanket’ license arrangement should mean fewer infringement actions being brought; this might even help their prospects for investment and encourage new and more innovative services to come into the mix.

“And, in The End…”

This new legislation, now the law of the land, extends the history of American copyright law in new and substantial ways. Its actual implementation is only now beginning. Although five years might seem like a lifetime in popular culture, in politics it amounts to several eons. And let’s not lose sight of the fact that the industry got over its perceived short-term self-interests enough, this time, to agree to support something that Congress could pass. That’s rare enough to take note of and applaud.

This law lacks perfection, as all laws do. The licensing regime it envisions will not satisfy everyone, but every constituent, every stakeholder, got something. From the perspective of right now, chances seem good that, a few years from now, the achievement of the Hatch-Goodlatte Music Modernization Act will be viewed as a net positive for creators of music, for the distributors of music, for scholars, fans of ‘open culture’, and for the listening public. In copyright, you can’t do better than that.


The UK refuses to give up on a Mark Zuckerberg privacy hearing



UK MPs are doubling down on their campaign to get Facebook CEO Mark Zuckerberg to appear before them to answer questions on data privacy. Zuckerberg has previously refused MPs’ requests, instead sending a representative to hearings. This time, though, the Commons Digital Culture is joining forces with its Canadian counterpart for a joint hearing in London on November 27, with chair Damian Collins saying Zuckerberg’s “evidence is now overdue and urgent.”

Collins and Bob Zimmer, the chairman of the Canadian standing committee on access to information, privacy and ethics, have written jointly to Zuckerberg, calling on him to “take up this historic opportunity to tell parliamentarians from both sides of the Atlantic and beyond about the measures Facebook is taking to halt the spread of disinformation on your platform, and to protect user data.”

Zuckerberg is yet to respond to the “invitation”, but having already appeared in front of the US Congress and EU Parliament regarding the matter, it’s likely he’ll once again send a representative — perhaps chief technology officer Mike Schroepfer, who appeared before the UK committee in April. The MPs are persistent, if nothing else, but if Zuckerberg continues to say no they’ll be left red-faced, and certainly unwilling to tolerate any future privacy issues from the platform.


Signal's new 'Sealed Sender' feature makes conversations anonymous



Messaging service Signal is popular with privacy-minded users. It doesn’t store any record of your contacts, social graph, conversation list, location, avatar, profile name or group details. Until recently, though, one important piece of data was still visible: who is messaging whom — kind of like having the sender’s address on a physical piece of mail. The latest beta release, however, includes a feature that blocks that, too: “sealed sender.”

In a blog post, Signal’s Joshua Lund explains that, “While the service always needs to know where a message should be delivered, ideally it shouldn’t need to know who the sender is. It would be better if the service could handle packages where only the destination is written on the outside, with a blank space where the ‘from’ address used to be.”

Traditionally, sending a Signal message involves an authentication process that validates the sender’s identity to help prevent spoofing and to provide the recipient with some assurance about who sent the message. It also uses the sender’s identity to apply rate limiting and abuse protection. To do away with the “from” address, then, Signal has had to come up with some workarounds, which it’s testing with the beta release of sealed sender.

For a start, Signal will only allow sealed sender messages to be sent between accounts that have already established trust, such as being in one another’s contact lists. You’ll also be able to receive sealed sender messages from anyone, if you choose — like open DMs on Twitter. Signal has also made cryptographic changes that will still recognise a blocked contact, so they won’t be able to message you even if they use the sealed sender function. And, as Lund notes, if Signal is compromised, any attackers within the system will only see encrypted messages going to their destinations, and not where they came from.

As the service is rolled out, messages will automatically be delivered using sealed sender whenever possible, and users can enable an optional status icon that will be displayed in the detailed information view for a message to indicate when this happens. But as Lund says, these protocol changes are “an incremental step.” You can try it out now in the Signal public beta, but as Lund notes, beta releases are “not for the faint of heart.” If you need a stable and reliable messaging service, maybe hold off for the time being.


Facebook fined £500k in the UK for Cambridge Analytica scandal



The UK’s Information Commissioner’s Office (ICO) has upheld its £500,000 ($645,000) fine for Facebook for the social network’s involvement in the Cambridge Analytica scandal. ICO’s investigations found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their data “without sufficiently clear and informed consent”. It also found that Facebook failed to make suitable checks on the apps and developers using its platform.

The £500,000 fine, first posited in July, is the maximum allowable fine under the laws that were in place when the incidents occurred — a silver lining for Facebook, as the sum is hardly likely to make a dent in its bank account. Should a similar event have taken place under the EU’s GDPR, which took effect in May this year, Facebook could have faced a much larger fine of £17 million, or four percent of its global turnover. Again, not enough to bankrupt the company, but hefty enough to act as a significant deterrent for future misdemeanors.


Tim Cook calls for GDPR-style privacy laws in the US



Apple CEO and long-time data privacy advocate Tim Cook has made an impassioned speech calling for new digital privacy laws in the US. At a privacy conference in Brussels, Cook said that modern technology has resulted in a “data-industrial complex” where personal information is “weaponized against us with military efficiency,” and in a way that doesn’t just affect individuals but whole sections of society.

“Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies,” said Cook. “Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false. This crisis is real. It is not imagined, or exaggerated, or crazy.”

While Cook didn’t specify the catalysts behind this crisis, it’s clear he was nodding towards recent events such as the Cambridge Analytica scandal, and ongoing concerns regarding political ad targeting. He didn’t mention any companies by name, but he did, of course, reiterate Apple’s commitment to privacy.

Cook praised Europe’s “successful implementation” of privacy law GDPR, and said that “It is time for the rest of the world … to follow your lead. We at Apple are in full support of a comprehensive federal privacy law in the United States.” He outlined four key areas that he believes should be turned into legislation: the right to have personal data minimized; the right for users to know what data is collected on them; the right to access that data; and the right for that data to be kept securely.

Cook has been outspoken about privacy rights before, and has repeatedly called for tougher regulations in the past — something which has jarred with critics claiming such regulations would be an obstacle for innovation. However, he pre-empted this take during his Brussels speech. “This notion isn’t just wrong, it’s destructive,” he said. “Technology’s potential is and always must be rooted in the faith people have in it.” He then followed up his speech with a tweet that asked, “It all boils down to a fundamental question: What kind of world do we want to live in?”


Facebook’s confusion about its Portal camera is concerning

Facebook couldn’t have picked a worse time to introduce Portal, a camera-equipped smart display designed to make video chatting in your home easier. And, if the rumors are true, the company is reportedly also preparing to launch a video chat camera for your TV, based on the same system as Portal. News of this hardware comes at a time when Facebook is under major scrutiny after suffering a massive data breach in September, which exposed private information of 29 million users, including usernames, birth date, gender, location, religion and the devices used to browse the site. But the most concerning part about Portal is that Facebook’s own executives don’t seem to have a basic understanding of what types of data the company will be collecting or what it will be using it for.

As Recode reports, during the announcement of Portal, Facebook execs said no data collected through the hardware, such as call logs or third-party app usage, would be used to serve users targeted ads on Facebook. But, over a week later, Facebook (which has not replied to our request for comment) told the publication that this information was actually wrong.

“Portal voice calling is built on the Messenger infrastructure, so when you make a video call on Portal, we collect the same types of information (i.e. usage data such as length of calls, frequency of calls) that we collect on other Messenger-enabled devices,” a Facebook spokesperson told Recode this week. “We may use this information to inform the ads we show you across our platforms. Other general usage data, such as aggregate usage of apps, etc., may also feed into the information that we use to serve ads.”


Given that nearly 90 percent of Facebook’s revenue comes from ads, the fact that Portal would be collecting data for advertisers to sell you products or services shouldn’t come as a surprise. That’s the company’s business model in a nutshell. But, if Facebook executives don’t even know how their company is going to use their devices to serve its bottom line, especially when it includes collecting people’s information, then what hope do the rest of us have? Sure, Facebook came forward and corrected its mistake, but those facts should have been well known on day one.

Facebook’s Portal product lead, Rafa Camargo, told Recode the company doesn’t have any plans to use data collected from the device for ad-targeting purposes, since the smart display doesn’t run ads. “I think [my colleague] was intending to say that we don’t intend to use it,” he said, before adding, “Potentially, it could be used.”


Still, when you’re already under the microscope for being careless with people’s data, as Facebook is, you simply can’t afford to launch a product with this much confusion — especially when you’re launching a $199 video camera that’s going to be watching people in their home.

Facebook’s latest mishap was being hacked and exposing detailed personal information of 29 million people. But who can forget the scandal caused by the political firm Cambridge Analytica in March, which harvested data of up to 87 million users without their consent or Facebook’s knowledge? It just makes you wonder why Facebook thought anyone would trust a camera from it in their home right now.



“These devices have access to really sensitive data, even more than normal Facebook products. Persistent cameras and microphones in your house carry with them a heightened sense of privacy concern,” Justin Brookman, director of privacy and technology policy at Consumers Union, told Engadget. “The timing of this is really odd from Facebook given Cambridge Analytica and the recent massive breach. [It] promised new tools like ‘Delete History’ several months ago to allay privacy concerns, but instead of delivering on that, [it rolls out] this in-home product with access to lots of personal information.”

Brookman said part of this could be because Facebook feels like it’s getting left behind in the smart home race, by rivals like Google and Amazon. “Operating from that place of desperation and urgency,” he said, can lead to some questionable choices. But, whatever the reason may be, Facebook’s launch of Portal couldn’t be more of a tone-deaf move. And the company doesn’t help itself by creating unnecessary confusion.
