Facebook gets away with it

Facebook fined for data breaches in Cambridge Analytica scandal
Facebook is to be fined £500,000, the maximum amount possible, for its part in the Cambridge Analytica scandal, the information commissioner has announced.

But talk about good timing.

In the first quarter of 2018, Facebook took £500,000 in revenue every five and a half minutes. Because of the timing of the breaches, the ICO said it was unable to levy the penalties introduced by the European General Data Protection (GDPR), which caps fines at the higher level of €20m (£17m) or 4% of global turnover – in Facebook’s case, $1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.

Elizabeth Denham, the information commissioner, explains her real goal with this fine is to “effect change and restore trust and confidence in our democratic system.”

“Most of us have some understanding of the behavioural targeting that commercial entities have used for quite some time,” Denham said, “to sell us holidays, to sell us trainers, to be able to target us and follow us around the web.”

“But very few people have an awareness of how they can be micro-targeted, persuaded or nudged in a democratic campaign, in an election or a referendum.

“This is a time when people are sitting up and saying ‘we need a pause here, and we need to be sure we are comfortable with the way personal data is used in our democratic process’.”

I think we’re still some way off that; people just seem not to be bothered.

Facebook’s rise in profits, users shows resilience after scandals
Facebook Inc (FB.O) shares rose on Wednesday after the social network reported a surprisingly strong 63 percent rise in profit and an increase in users, with no sign that business was hurt by a scandal over the mishandling of personal data.

But maybe I shouldn’t be so pessimistic.

The digital privacy wins keep coming
Progress can be difficult to measure; it often comes in drips and drops, or not at all for long stretches of time. But in recent weeks, privacy advocates have seen torrential gains, at a rate perhaps not matched since Edward Snowden revealed how the National Security Agency spied on millions of US citizens in 2013. A confluence of factors—generational, judicial, societal—have created momentum where previously there was none. The trick now is to sustain it.

Let’s hope.

All as bad as each other?

Rhett Jones from Gizmodo strikes a cautionary note about Apple’s positioning following Facebook’s recent data sharing controversies.

Apple isn’t your friend
In its own deliberate fashion, Apple appears to see a market opportunity in the privacy debate that goes beyond polishing its own image. As headlines blared about Facebook’s latest data-sharing turmoil, the Wall Street Journal reported that Apple has been quietly planning to launch a new advertising network for the past year. It’s said to be a re-imagining of its failed iAd network that was shuttered in 2016.

[…]

Generally, more competition is welcome. If Apple is giving Facebook and Google headaches, we say that’s great. But it’s a thorny issue when we’re talking about a few billion-dollar companies exchanging places on the ladder as they strive to be trillion-dollar companies. It’s just not enough for the least bad megacorp to keep the evil ones in check.

Another day, another GDPR e-mail

GDPR finally comes into force on Friday, and there seems to be no let up in the privacy notice update e-mails we’re all getting. This raised a smile though.

Most GDPR emails unnecessary and some illegal, say experts
What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

I wonder if we’ll still receive these e-mails after 25 May. If we do, are the companies that send them admitting they weren’t compliant initially? I’m sure the ICO won’t be too concerned, but it’ll be interesting to see what happens.

Last-minute frenzy of GDPR emails unleashes ‘torrent’ of spam – and memes
The whole process has inspired the internet to rope in everyone from Julian Assange to Donald Trump to Prince William in an attempt to illustrate their frustration at the electronic onslaught.

GDPR Day’s getting nearer

The EU’s Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was signed off on 27 April 2016, two years ago. It becomes enforceable from 25 May 2018. Have we been using these last two years to get ready?

This, from a year ago, sums it up, I think.

Concern that schools are not preparing for new rules on personal data
The General Data Protection Regulations are the ‘biggest change in 25 years’ to how organisations must manage personal data, but only a fifth of schools are aware of the May 2018 deadline.

Employers and schools are all certainly busy now, in these last few weeks, reviewing data asset registers and updating privacy notices. The news that the fines for noncompliance could be as high as  £17 million is certainly a motivator, although here’s Elizabeth Denham, the Information Commissioner, suggesting they won’t be levying such large fines lightly.

What is GDPR? Data protection law is changing in 2018. Here’s what you need to know
But Denham says speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick”.

[…]

“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.” She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.

As well as some of us acting as data controllers or data processors, we’re all data subjects too. These are new rules designed to protect our data. I’m sure we’ve all been getting e-mails from companies like Twitter, Instagram and Fitbit and so on, about their revised data and privacy policies.

Here’s a great summary from Danny O’Brien of the Electronic Frontier Foundation, on what to look out for.

Why am I getting all these terms of service update emails?
The EU regulators are certainly paying attention to these email updates. A strongly-worded blog post this week by EU’s head enforcer, European Data Protection Supervisor (EDPS) Giovanni Buttarelli, warned the public and his fellow regulators to be “vigilant about attempts to game the system”, adding that some of these new terms of service emails could be “travest[ies] of the spirit of the new regulation”.

[…]

As Buttarelli says, such “legal cover” might well be against the spirit of the GDPR, but it’s going to take a while for companies, regulators, and privacy groups to establish what the law’s sometimes ambiguous statements really mean. One particularly knotty problem is whether the language that many of these emails use (“by using our service, you agree to these terms”) will be acceptable under the GDPR. The regulation is explicit that in many areas, you need to give informed, unambiguous consent by “a statement or clear affirmative action.” Even more significantly, if the data being collected by a company isn’t necessary for the service it is offering, under the GDPR the company should give covered users the option to decline that data collection, but still allow them to use the service.

GDPR and a Digital Protection Agency?

Ok, I know I said that I’ll stop reading articles about personal data abuses, but they just keep coming.

Silicon Valley has failed to protect our data. Here’s how to fix it
What’s been unfolding for a while now is a rolling catastrophe so obvious we forget it’s happening. Private data are spilling out of banks, credit-rating providers, email providers, and social networks and ending up everywhere.

[…]

Given that the federal government is currently one angry man with nuclear weapons and a Twitter account, and that it’s futile to expect reform or self-regulation from internet giants, I’d like to propose something that will seem impossible but I would argue isn’t: Let’s make a digital Environmental Protection Agency. Call it the Digital Protection Agency. Its job would be to clean up toxic data spills, educate the public, and calibrate and levy fines.

That sounds like a very sensible, pragmatic and effective approach, so it’s obviously going to be ignored. It was interesting reading that after hearing about another data breach yesterday, this time with a fitness app. It seems the company dealt with it appropriately though. This time.

The MyFitnessPal hack may affect 150 million people. It could’ve been even worse.
Under Armour and MyFitnessPal seem to have some good data practices in place: Payment information was kept separate from general user information, which was stored separately from user-uploaded app data. Under Armour also appears to have reacted swiftly once it learned of the breach and notified users and the public a few days later—a stark comparison to other companies, such as Uber, which hid its 2016 data breach by paying off the hackers. Still, it’s an important reminder that being hacked isn’t a matter of if—it’s when.

What will these companies make of the GDPR, I wonder.

WTF is GDPR?
Last year the company [Facebook] told us it had assembled “the largest cross functional team” in the history of its family of companies to support GDPR compliance — specifying this included “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”.

“Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. It also said it was in the process of hiring a “top quality data protection officer” — a position the company appears to still be taking applications for.

And this.

How Europe’s new privacy rule is reshaping the internet
Much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in two crucial ways. First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. By default, any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person. Users also need a way to revoke that consent, and they can request all the data a company has from them as a way to verify that consent. It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online.

They know everything about us, and that’s ok?

I really need to stop reading articles about how our personal data is being used and abused by seemingly everyone on the internet. Nothing good can come from going over the same bad news. These from The Guardian are the last ones, I promise.

Why have we given up our privacy to Facebook and other sites so willingly?
If you think you’re a passive user of Facebook, minimising the data you provide to the site or refraining from oversharing details of your life, you have probably underestimated the scope of its reach. Facebook doesn’t just learn from the pictures you post, and the comments you leave: the site learns from which posts you read and which you don’t; it learns from when you stop scrolling down your feed and how long it takes you to restart; it learns from your browsing on other websites that have nothing to do with Facebook itself; and it even learns from the messages you type out then delete before sending (the company published an academic paper on this “self-censorship” back in 2013).

[…]

Lukasz Olejnik, an independent security and privacy researcher, agrees: “Years ago, people and organisations used to shift the blame on the users, even in public. This blaming is unfortunate, because expecting users to be subject-matter experts and versed in the obscure technical aspects is misguided.

“Blaming users is an oversimplification, as most do not understand the true implications when data are shared – they cannot. You can’t expect people to fully appreciate the amount of information extracted from aggregated datasets. That said, you can’t expect users to know what is really happening with their data if it’s not clearly communicated in an informed consent prompt, which should in some cases include also the consequences of hitting ‘I agree’.”

So what kind of data are we talking about? What are we sharing? Everything from where we’ve been, what we’ve ever watched or searched for, to even what we’ve deleted.

Are you ready? This is all the data Facebook and Google have on you
This information has millions of nefarious uses. You say you’re not a terrorist. Then how come you were googling Isis? Work at Google and you’re suspicious of your wife? Perfect, just look up her location and search history for the last 10 years. Manage to gain access to someone’s Google account? Perfect, you have a chronological diary of everything that person has done for the last 10 years.

This is one of the craziest things about the modern age. We would never let the government or a corporation put cameras/microphones in our homes or location trackers on us. But we just went ahead and did it ourselves because – to hell with it! – I want to watch cute dog videos.

And texts and calls too.

Facebook logs SMS texts and calls, users find as they delete accounts
Facebook makes it hard for users to delete their accounts, instead pushing them towards “deactivation”, which leaves all personal data on the company’s servers. When users ask to permanently delete their accounts, the company suggests: “You may want to download a copy of your info from Facebook.” It is this data dump that reveals the extent of Facebook’s data harvesting – surprising even for a company known to gather huge quantities of personal information.

So what can be done?

Beware the smart toaster: 18 tips for surviving the surveillance age
Just over a week ago, the Observer broke a story about how Facebook had failed to protect the personal information of tens of millions of its users. The revelations sparked a #DeleteFacebook movement and some people downloaded their Facebook data before removing themselves from the social network. During this process, many of these users were shocked to see just how much intel about them the internet behemoth had accumulated. If you use Facebook apps on Android, for example – and, even inadvertently, gave it permission – it seems the company has been collecting your call and text data for years.

It’s not me, it’s you! So Facebook protested, in the wake of widespread anger about its data-collection practices. You acquiesced to our opaque privacy policies. You agreed to let us mine and monetise the minutiae of your existence. Why are you so upset?

Most of the tips the article lists fail to really address the issues above, as they are more about how to secure your accounts from hackers, rather than dealing with Facebook and Google intrusions and opaque consent agreements. But a couple are worth highlighting.

12. Sometimes it’s worth just wiping everything and starting over
Your phone, your tweets, your Facebook account: all of these things are temporary. They will pass. Free yourself from an obsession with digital hoarding. If you wipe your phone every year, you learn which apps you need and which are just sitting in the background hoovering up data. If you wipe your Facebook account every year, you learn which friends you actually like and which are just hanging on to your social life like a barnacle.

[…]

18. Finally, remember your privacy is worth protecting
You might not have anything to hide (except your embarrassing Netflix history) but that doesn’t mean you should be blase about your privacy. Increasingly, our inner lives are being reduced to a series of data points; every little thing we do is for sale. As we’re starting to see, this nonstop surveillance changes us. It influences the things we buy and the ideas we buy into. Being more mindful of our online behaviour, then, isn’t just important when it comes to protecting our information, it’s essential to protecting our individuality.

Protecting library privacy

You are not what you read: librarians purge user data to protect privacy
“I was approached years ago at a different library about users who’d checked out certain astrological books,” said Thistlethwaite. The NYPD officer told her he was looking for the Zodiac killer. “Most police investigations are a little smarter than that, but sometimes they’re just not.”

Seems pretty clear to me: ​one of the principles in the Data Protection Act is that data should not be kept longer than is necessary. Admittedly this is a news article from the US, where there’s no direct equivalent of the DPA, but still.

On owning your own data

On owning your own data
The problem, of course, is this wretched business model that has your landlord snooping on you and keeping all that information in the first place. If they didn’t have that information — or if that information was encrypted in a manner that only you could access it — they couldn’t share your information even if they wanted to.

Why Groklaw shut down

Groklaw, Pamela Jones’s website reporting on legal issues around the Free and Open Source Software community, closed down and she herself wants to “get off of the Internet to the degree it’s possible.” Loss of privacy, forced exposure, the dehumanising nature of total surveillance: issues I’ve been vaguely aware of recently, but never really thought about seriously. Her post explaining why she’s shut down her blog is the first thing I’ve read that I’ve understood, I think, with all this.

“Anyway, one resource was excerpts from a book by Janna Malamud Smith, ‘Private Matters: In Defense of the Personal Life’, and I encourage you to read it. I encourage the President and the NSA to read it too. I know. They aren’t listening to me. Not that way, anyhow. But it’s important, because the point of the book is that privacy is vital to being human, which is why one of the worst punishments there is is total surveillance.”

http://www.groklaw.net/article.php?story=20130818120421175

Do people really care about personal data?

Do people really care about personal data?
Privacy is difficult to understand as long as it’s presented as an abstract concept. But to those teenagers, the desire to talk to their friends without their parents or teachers knowing everything that’s said is not at all abstract. Similarly, all consumers care very much about the practical effects of today’s centralised data warehouses, such as wasting time dealing with bureaucracy that makes it hard to change the phone number on an account. They care about bad credit histories, misdirected post, and the failure to get what they want. They care when they discover that the photograph they thought they deleted was only hidden from view but has remained in the site’s database, where it has been automatically recognised, reused, and added to profiles that have been sold to advertisers or become the subject of a government applied court order. They care about being erroneously placed on no-fly lists because an online “friend” once watched a terrorist video and feeling that their personal relationships are a commodity.