An early test of the GDPR: taking on data brokers


Major data brokers Acxiom and Oracle are among seven companies accused of violating GDPR laws on personal information privacy. Advocates hope the complaints will shed light on the opaque ways that personal data is traded through third parties online both in the EU and the US.

The General Data Protection Regulation is a sweeping personal data privacy law that came into force in late May in the EU. For the rest of the world, it’s viewed as a bellwether for whether Big Tech can be held in check when immense data leaks seem to happen with painful regularity.

Formal complaints to European regulators under the GDPR by UK non-profit Privacy International were also filed against ad-tech companies Criteo, Quantcast and Tapad as well as credit agencies Equifax (the subject of a massive breach just last year) and Experian.

“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged,” said Ailidh Callander, legal officer at Privacy International, in an email to Engadget. “These companies’ business models are premised on data exploitation.”

Data brokers aggregate personal information from other sources — for instance, websites you’ve visited or credit card records — to create a complex profile on who they think you are. That profile may include political leanings and income, and subsequently get sold to brands or social networks. Acxiom claims to have data on about 700 million people globally. Consumers often don’t hand data directly to these companies via their own websites — the way one would with, say, Facebook — which allows the data trading to operate in relative obscurity.

This alleged lack of consent is precisely what Privacy International is targeting. The non-profit also claims that these companies lack “legitimate interest” (in legal terms) for processing the personal data, which may infer political, ethnic and religious affiliations. The companies fail to comply, according to Privacy International, with the principles of “transparency, fairness, purpose limitation, data minimisation, accuracy and confidentiality and integrity” — in other words, nearly all of the new privacy law’s core foundations.

“The law has changed and these companies need to as well,” said Callander. “There is a gap between how [the] GDPR conceptualises data privacy and [how] these companies do and the onus is on them (if necessary, pushed by regulators) to close it.”

In public statements, Experian has said: “We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements.” Criteo has stated: “We have complete confidence in our privacy practices.”

Companies are still feeling out just how the law is going to be enforced, which is why test cases like this bear watching. Facebook and Google are among the other companies who have faced complaints so far. A spokesman from the Data Protection Commission in Ireland, where many American tech firms keep European headquarters, said the regulators have already received 2,500 breach notifications and 1,200 complaints related to the GDPR since May.


Opera for Android will get rid of annoying cookie prompts


If you’re frustrated at having to constantly close “we use cookies” dialog boxes on websites in the GDPR era, relief might be in sight. Opera has released an updated Android browser with an option to block cookie dialogs. Flip it on through the ad blocking settings and Opera will close as many of those intrusive prompts as it can. There’s no guarantee it will work (Opera is relying on a mix of CSS and JavaScript detection), but the company said it had tested the feature with 15,000 sites and was accepting feedback on its success rate through the beta version.

This doesn’t stop the cookies from coming through. If you enable dialog blocking, Opera will allow sites to set cookies as a matter of course. That won’t be an issue for many people, but it’s worth noting if you want to block cookies on some sites. It’s not certain how the European Union will react to Opera’s move, but it’s safe to presume that you’re consenting to cookies by enabling the option.

You’ll have more to try in the new Opera release as it is. You now have home screen shortcuts if you’re using Android 7.1 or later, and there’s now a universal text size slider on top of the existing text wrap feature. Whatever you’re looking for, Opera is once again betting that conveniences like this will draw you away from heavyweights like Chrome.


Facebook fined £500k in the UK for Cambridge Analytica scandal


The UK’s Information Commissioner’s Office (ICO) has upheld its £500,000 ($645,000) fine for Facebook for the social network’s involvement in the Cambridge Analytica scandal. ICO’s investigations found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their data “without sufficiently clear and informed consent”. It also found that Facebook failed to make suitable checks on the apps and developers using its platform.

The £500,000 fine, first posited in July, is the maximum allowable fine under the laws that were in place when the incidents occurred — a silver lining for Facebook, as the sum is hardly likely to make a dent in its bank account. Should a similar event have taken place under the EU’s GDPR, which took effect in May this year, Facebook could have faced a much larger fine of £17 million, or four percent of its global turnover. Again, not enough to bankrupt the company, but hefty enough to act as a significant deterrent for future misdemeanors.


Facebook Fined Just $645,000 in UK Over Cambridge Analytica Scandal, Money It Makes in Less Than 10 Minutes


Facebook has been fined £500,000 ($645,000) by the United Kingdom today over the Cambridge Analytica scandal. The minuscule fine was the most allowed under the law, but Facebook can probably find that kind of money in its couch cushions. Based on last year’s revenue, Facebook makes $645,000 in less than 9 minutes of…


Tim Cook calls for GDPR-style privacy laws in the US


Apple CEO and long-time data privacy advocate Tim Cook has made an impassioned speech calling for new digital privacy laws in the US. At a privacy conference in Brussels, Cook said that modern technology has resulted in a “data-industrial complex” where personal information is “weaponized against us with military efficiency,” and in a way that doesn’t just affect individuals but whole sections of society.

“Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies,” said Cook. “Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false. This crisis is real. It is not imagined, or exaggerated, or crazy.”

While Cook didn’t specify the catalysts behind this crisis, it’s clear he was nodding towards recent events such as the Cambridge Analytica Scandal, and ongoing concerns regarding political ad targeting. He didn’t mention any companies by name, but he did, of course, reiterate Apple’s commitment to privacy.

Cook praised Europe’s “successful implementation” of privacy law GDPR, and said that “It is time for the rest of the world … to follow your lead. We at Apple are in full support of a comprehensive federal privacy law in the United States.” He outlined four key areas that he believes should be turned into legislation: the right to have personal data minimized; the right for users to know what data is collected on them; the right to access that data; and the right for that data to be kept securely.

Cook has been outspoken about privacy rights before, and has repeatedly called for tougher regulations in the past — something which has jarred with critics claiming such regulations would be an obstacle for innovation. However, he pre-empted this take during his Brussels speech. “This notion isn’t just wrong, it’s destructive,” he said. “Technology’s potential is and always must be rooted in the faith people have in it.” He then followed up his speech with a tweet that asked, “It all boils down to a fundamental question: What kind of world do we want to live in?”


Apple enables data downloads for US customers


Earlier this year, Apple started allowing its customers in the EU to download copies of the data the company holds on them to comply with General Data Protection Regulation rules that came into effect in May. Now, Apple has updated its privacy website, and it is letting its customers in the US grab their data too.

Apple is perhaps more privacy conscious than some other major tech firms — much of your personal data is stored on your device rather than the company’s servers, so it might not necessarily hold that much data on you anyway. Still, it could take up to a week for Apple to prepare your download. The data may include details about your App Store purchase history, Apple Music activity and AppleCare support tickets.

The refreshed privacy site lays out how Apple handles your data, taking into account some new features in iOS 12 and macOS Mojave such as encrypted FaceTime group calls (though that isn’t actually available yet). It also details how Apple uses anonymized data to determine what the most popular features are, such as the most commonly used emoji or the most effective QuickType suggestions.


European authorities to investigate Twitter over GDPR non-compliance

Dark days for Twitter in Europe.

The GDPR is beginning to bare its teeth.

Irish authorities are investigating Twitter for not complying with a user request covered by the General Data Protection Regulation (GDPR), according to Fortune.

A researcher asked Twitter to provide him with more information about the data it collects when users click an auto-shortened link in a tweet. But the social media company is refusing — which has prompted investigative action from European privacy authorities. 

Under the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, European citizens have the right to know what data companies collect on them, and what they do with that data.

According to Fortune, London privacy researcher Michael Veale sought to know whether Twitter tracks his web activity when he clicks on a shortened “” link. So he requested that Twitter give him all the data it has on him.

But the social media company wasn’t having it. Veale said Twitter denied the request on the grounds of the “disproportionate effort” it would take to gather that info, which the GDPR allows for. But he’s arguing that Twitter should not be able to obscure data transparency by hiding in the skirts of this provision; Fortune said that Veale considers this “misinterpreting the text of the law.”

Mashable reached out to Twitter for a comment, and we’ll update this story once we hear back.

Veale complained to the Irish Data Protection Commission (DPC), which responded in a letter saying that it would investigate Twitter. The European Data Protection Board will handle the investigation. 

The letter reads:

“The DPC has initiated a formal statutory inquiry in respect of your complaint.” 

“The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”

Tech companies talk a big talk when it comes to “transparency.” But actually showing the mechanism of its long reach, possibly via web tracking, might not be something Twitter is keen to divulge.


Twitter faces Irish investigation over user tracking


Twitter is the latest internet giant facing scrutiny over its data transparency in Europe. Ireland’s Data Protection Commission has launched an investigation into the social network after it declined to provide web link tracking data to researcher Michael Veale, potentially violating the EU’s allowance for requests under GDPR. The privacy expert said that Twitter rejected his request citing an exception to GDPR for demands that would involve “disproportionate effort.” Veale, however, believed that Twitter was misinterpreting the law to limit the information it handed over.

He believed that Twitter was recording device info and timestamps when people clicked the shortened links, and that it was technically feasible for the company to gauge someone’s approximate location. This was about exercising a “right to understand” what Twitter is doing with that info, Veale added.

Twitter has declined to comment. However, it’s new to GDPR disputes — Facebook and Google have faced complaints for a while. It could prove costly if the DPC and the EU’s Data Protection Board find that Twitter has violated the GDPR, though. It’s unlikely that Twitter would face a severe punishment, as officials would have to determine that this was a particularly serious violation. It could, however, force Twitter to comply with similar requests in the future.


Senator calls for FTC investigation into Google+ data exposure


Senator Richard Blumenthal (D-CT) said during a Congressional hearing today on consumer data privacy that he’s calling for an investigation into Google’s latest data exposure. During his questioning of those testifying before the committee — which included Andrea Jelinek, chair of the European Data Protection Board, and Alastair Mactaggart, the real estate developer who introduced a consumer privacy ballot measure in California — he called the Google+ data exposure “the elephant in the room” and emphasized the need for greater consumer privacy protections in the US.

“I will be calling later today, in a letter to the FTC, for an investigation of Google in connection with this incident,” Blumenthal said, adding that he hoped his colleagues and European authorities would back investigations as well. Jelinek noted that Ireland and Germany are both looking into the matter, pointing out that because the issue occurred prior to the implementation of GDPR, the company will likely face multiple probes from separate state authorities rather than just one from the EU.

Earlier this week, the Wall Street Journal broke the news of the data exposure, which Google later confirmed. Up to 500,000 Google+ users’ personal information was left accessible to outside developers, with that data including names, email addresses, birth dates and occupations. But though Google discovered the issue in March, it chose not to disclose the matter. While the company pointed to the fact that there was no evidence developers misused that information as part of its reasoning for keeping the exposure under wraps, the Wall Street Journal reported that regulatory scrutiny and public criticism played into that decision as well.

“We can no longer rely on notice and choice, on voluntary standards, on transparency and consent,” said Blumenthal, who quoted the Wall Street Journal report in his statement. “There needs to be privacy by design.” He also called Google’s concealment “intolerable” and noted that consumers in the US “have no meaningful federal protection for consumer data.”

Talk of data privacy legislation picked up a lot of steam after Facebook’s Cambridge Analytica debacle. A handful of bills have been introduced, the Trump administration has joined the conversation and tech companies have started to discuss what they think regulation should look like going forward. “In the wake of Facebook’s Cambridge Analytica scandal and other similar incidents, including a vulnerability in Google+ accounts reported just this past week, it is increasingly clear that industry self-regulation in this area is not sufficient,” said Senator John Thune (R-SD), chair of the Committee on Commerce, Science and Transportation, which hosted the hearing today. “A national standard for privacy rules of the road is needed to protect consumers.”


GDPR has cut ad trackers in Europe but helped Google, study suggests

An analysis of the impact of Europe’s new data protection framework, GDPR, on the adtech industry suggests the regulation has reduced the numbers of ad trackers that websites are hooking into EU visitors.

But it also implies that Google may have slightly increased its marketshare in the region — indicating the adtech giant could be winning at the compliance game at the expense of smaller advertising entities which the study also shows losing reach.

The research was carried out by the joint data privacy team of the anti-tracking browser Cliqz and the tracker blocker tool Ghostery (which merged via acquisition two years ago), using data from a service they jointly run, called — which they say is intended to provide greater transparency on the tracker market. (And therefore to encourage people to make use of their tracker blocker tools.)

A tale of two differently regulated regions

For the GDPR analysis, the team compared the prevalence of trackers one month before and one month after the introduction of the regulation, looking at the top 2,000 domains visited by EU or US residents.

On the tracker numbers front, they found that the average number of trackers per page dropped by almost 4% for EU web users from April to July.

Whereas the opposite was true in the US, with the average number of trackers per page rising by more than 8 percent over the same period.

In Europe, they found that the reduction in trackers was nearly universal across website types, with adult sites showing almost no change and only banking sites actually increasing their use of trackers.

In the US, the reverse was again true — with banking sites the only category to reduce tracker numbers over the analyzed period.

“The effects of the GDPR on the tracker landscape in Europe can be observed across all website categories. The reduction seems more prevalent among categories of sites with a lot of trackers,” they write, discussing the findings in a blog post. “Most trackers per page are still located on news websites: On average, they embed 12.4 trackers. Compared to April, however, this represents a decline of 7.5%.

“On ecommerce sites, the average number of trackers decreased by 6.9% to 9.5 per page. For recreation websites, the decrease is 6.7%, which corresponds to 10.7 trackers per page. A similar trend is observed for almost all other website categories. The only exception are banking sites, on which 7.4% more trackers were active in July than in April. However, the average number of trackers per page is only 2.6.”

Shifting marketshare

In the blog post they also argue that their snapshot comparison of tracker prevalence of April 2018 against July 2018 reveals “a clear picture” of GDPR’s impact on adtech marketshare — with “especially” smaller advertising trackers having “significantly” lost reach (which they are using as a proxy for marketshare).

In their analysis they found smaller tracker players lost between 18% and 31% reach/marketshare when comparing April (pre-GDPR) and July (post-GDPR).

They also found that Facebook suffered a decline of just under 7%.

Whereas adtech market leader Google was able to slightly increase its reach — by almost 1%.

Summing up their findings, Cliqz and Ghostery write: “For users this means that while the number of trackers asking for access to their data is decreasing, a tiny few (including Google) are getting even more of their data.”

The latter finding lends some weight to the argument that regulation can reinforce dominant players at the expense of smaller entities by further concentrating power — because big companies have greater resources to tackle compliance.

Although the data here is just a one-month snapshot. And the additional bump in marketshare being suggested for Google is not a huge one — whereas a nearly 7% drop in marketshare for Facebook is a more substantial impact.

Cliqz shared their findings with TechCrunch ahead of publication and we put several questions to them about the analysis, including whether or not the subsequent months (August, September) indicated this snapshot is a trend, i.e. whether or not Google sustained the additional marketshare.

However the company had not responded to our questions ahead of publication.

In the blog post Cliqz and Ghostery speculate that the larger adtech players might be winning (relatively speaking) the compliance game at the expense of smaller players because website owners are preferring to ‘play it safe’ and drop smaller entities vs big known platforms.

In the case of Google, they also flag up reports that suggest it has used its dominance of the adtech market to “encourage publishers to reduce the number of ad tech vendors and thus the number of trackers on their sites” — via a consent gathering tool that restricts the number of supply chain partners a publisher can share consent with to 12 vendors. 

And we’ve certainly heard complaints of draconian Google GDPR compliance terms before.

They also point to the use of manipulative UX design (aka dark patterns) that are used to “nudge users towards particular choices and actions that may be against their own interests”, suggesting these essentially deliberately confusing consent flows have been successfully tricking users into clicking and accepting “any kind of data collection” just to get rid of cryptic choices they’re being asked to understand. 

Given Google’s dominance of digital ad spending in Europe it stands to gain the most from websites’ use of manipulative consent flows.

However GDPR requires consent to be informed and freely given, not baffling and manipulative. So regulators should (hopefully) be getting a handle on any such transgressions and transgressors soon.

The continued existence of nightmarishly confused and convoluted consent flows is another complaint we’ve also heard before — much and often. (And one we have ourselves, frankly.)

Overall, according to the European Data Protection Board, a total of more than 42,000 complaints have been lodged so far with regulators, just four months into GDPR.

And just last week Europe’s data protection supervisor, Giovanni Buttarelli, told us to expect the first GDPR enforcement actions before the end of the year. So lots of EU consumers will already be warming up the popcorn.

But Cliqz and Ghostery argue that disingenuous attempts to manipulate consent might need additional regulatory tweaks to be beaten back — calling in their blog post for regulations to enforce machine-readable standards to help iron away flakey flows.

“The next opportunity for that would be the ePrivacy regulation,” they suggest, referencing the second big privacy rules update Europe is (still) working on. “It would be desirable, for example, if ePrivacy required that the privacy policies of websites, information on the type and scope of data collection by third parties, details of the Data Protection Officer and reports on data incidents must be machine-readable.

“This would increase transparency and create a market for privacy and compliance where industry players keep each other in check.”

It would also, of course, provide another opportunity for pro-privacy tools to make themselves even more useful to consumers.
