Skip to content

GDPR

The Week in Tech: Facebook and Google Reshape the Narrative on Privacy

And from the bs department

QUOTE

…Stop me if you’ve heard this before: The chief executive of a huge tech company with vast stores of user data, and a business built on using it to target ads, now says his priority is privacy.

This time it was Google’s Sundar Pichai, at the company’s annual conference for developers. “We think privacy is for everyone,” he explained on Tuesday. “We want to do more to stay ahead of constantly evolving user expectations.” He reiterated the point in a New York Times Op-Ed, and highlighted the need for federal privacy rules.

The previous week, Mark Zuckerberg delivered similar messages at Facebook’s developer conference. “The future is private,” he said, and Facebook will focus on more intimate communications. He shared the idea in a Washington Post op-ed just weeks before, also highlighting the need for federal privacy rules.

Google went further than Facebook’s rough sketch of what this future looks, and unveiled tangible features: It will let users browse YouTube and Google Maps in “incognito mode,” will allow auto-deletion of Google history after a specified time and will make it easier to find out what the company knows about you, among other new privacy features.

Fatemeh Khatibloo, a vice president and principal analyst at Forrester, told The Times: “These are meaningful changes when it comes to the user’s expectations of privacy, but I don’t think this affects their business at all.” Google has to show that privacy is important, but it will still collect data.

What Google and Facebook are trying to do, though, is reshape the privacy narrative. You may think privacy means keeping hold of your data; they want privacy to mean they don’t hand data to others. (“Google will never sell any personal information to third parties,” Mr. Pichai wrote in his Op-Ed.)

Werner Goertz, a research director at Gartner, said Google had to respond with its own narrative. “It is trying to turn the conversation around and drive public discourse in a way that not only pacifies but also tries to get buy-in from consumers, to align them with its privacy strategy,” he said.
Politics of privacy law

Right – pacify the masses with BS.

Politics of privacy law

Facebook and Google may share a voice on privacy. Lawmakers don’t.

Members of the Federal Trade Commission renewed calls at a congressional hearing on Wednesday to regulate big tech companies’ stewardship of user data, my colleague Cecilia Kang reported. That was before a House Energy and Commerce subcommittee, on which “lawmakers of both parties agreed” that such a law was required, The Wall Street Journal reported.

Sounds promising.

But while the F.T.C. was united in asking for more power to police violations and greater authority to impose penalties, there were large internal tensions about how far it should be able to go in punishing companies. And the lawmakers in Congress “appeared divided over key points that legislation might address,” according to The Journal. Democrats favor harsh penalties and want to give the F.T.C. greater power; Republicans worry that strict regulation could stifle innovation and hurt smaller companies.

Finding compromise will be difficult, and conflicting views risk becoming noise through which a clear voice from Facebook and Google can cut. The longer disagreement rages, the more likely it is that Silicon Valley defines a mainstream view that could shape rules.

Yeah — more lobbyists and political donation subverting the democracy. The US should enact an EU equivalent GDPR now. And another thing, Zuckerberg’s cynical attempt to change the narrative by implementing end to end encryption is simply a bad idea. It gets them off the hook to moderate content (read: more profits), still allows them to sell ads and makes it nearly impossible for law enforcement to do their job. Hey Zuck, why not hand hang a sign out: criminals, pedophiles, gangs, repressive regimes, etc. – “all welcome here.”

Unearthed emails could be smoking gun in epic GDPR battle against Google, adtech giants

If online ads were simply outlawed, the problem would be fixed. That will not happen soon, so use the best ad-blocker you can, set your browser to dump cookies and other data upon exit (not available in Google Chrome –hhmmm now I wonder why..), and when done on one site, close browser and restart before going to new site.

Quote

Privacy warriors have filed fresh evidence in their ongoing battle against real-time web ad exchange systems, which campaigners claim trample over Europe’s data protection laws.

The new filings – submitted today to regulators in the UK, Ireland, and Poland – allege that Google and industry body the Interactive Advertising Bureau (IAB) are well aware that their advertising networks’ business models flout the EU’s privacy-safeguarding GDPR, and yet are doing nothing about it. The IAB, Google – which is an IAB member – and others in the ad-slinging world insist they aren’t doing anything wrong.

The fresh submissions come soon after the UK Information Commissioner’s Office (ICO) revealed plans to probe programmatic ads. These are adverts that are selected and served on-the-fly as you visit a webpage, using whatever personal information has been scraped together about you to pick an ad most relevant to your interests.

Typically, advertisers bid for space on a webpage in real-time given the type of visitor: the page is fetched from a website, it brings in ad network code, which triggers an auction between advertisers that completes in a fraction of a second, and the winning ad is served and displayed (assuming the advert isn’t blocked.) This transaction, dubbed real-time bidding or RTB, happens automatically and immediately when an ad is required, and it can be fairly convoluted: ad slots may be passed through a tangle of publishers and exchanges before they arrive in a browser.

Netizens known to be wealthy and with a lot of disposable income, or IT buyers with big spending budgets, for example, will command higher ad rates than those unlikely to buy anything through an ad. This is why ad networks and exchanges, like Google, love to know everything about you, all that lovely private data, so they can tout you to advertising buyers and target ads at you for stuff you’re previously shown an interest in.

The ICO’s investigation will focus on how well informed people are about how their personal information is used for this kind of online advertising, which laws ad-technology firms rely on for processing said private data, and whether users’ data is secure as it is shared on these platforms.

Meanwhile, these latest filings follow on from gripes lodged by the same online rights campaigners late last month and in 2018.

The privacy warriors allege the aforementioned auction systems fall foul of Europe’s General Data Protection Regulation (GDPR) because netizens do not have much or any real control over the massive amounts of ad-related data lobbed between sites and services. Moreover, this information can be highly personal – sometimes including location coordinates along with pseudonymous identifiers, personal interests, and the site they are browsing.

The complaints, which point the finger of blame at the IAB’s openRTB and Google’s Authorized Buyers systems, were filed to watchdogs in the UK by Open Rights Group executive director Jim Killock and privacy research Michael Veale; in Ireland by Johnny Ryan of browser biz Brave; and in Poland by the Panoptykon Foundation.

The IAB has consistently stressed that the complaints should not be directed at RTB technology makers, such as itself – and that doing so is like holding road builders accountable for people who break the speed limit. In other words, the tech can be abused, but apparently not by its developers. And the industry body claimed the complainants have only proven it is possible to break the law, not that it has been broken.

As such, the privacy warriors hope to add more weight to their arguments, and today submitted a fresh set of documents to regulators in the aforementioned trio of nations. This cache includes examples of the data passed through RTB systems, and the number of daily bid requests ad exchanges make, which reach 131 billion for AppNexus and 90 billion for Oath/AOL.
Programmatic trading, or is that problematic trading?

The complainants have also filed documents they claim prove the IAB has long been aware that there is a potential problem with RTB systems and their compliance with GDPR.

Among the latest cache is an email from 2017 – obtained under a Freedom-of-Information request – sent from the CEO of IAB Europe, Townsend Feehan, to senior staff in the European Commission Directorate General for Communications Networks, Content, and Technology.

The email reveals Feehan lobbying commission staffers against proposals for a new ePrivacy Regulation – which was meant to come into force with GDPR but has been stuck in negotiations – saying it could “mean the end of the online advertising model.”

Programmatic trading would seem, at least prima facie, to be incompatible with consent under GDPR

The exec attached an 18-page document to the email detailing IAB Europe’s reasoning, which discussed the impact of proposals to tighten rules on the use of people’s private data to the same level as that of GDPR, particularly the requirement of someone’s consent to share their information. Crucially, consent under GDPR requires that people are told clearly what’s going on with their sensitive info, which means website visitors must be told the identity of the data controller(s) processing their data and the purposes of processing. Given the instantaneous and convoluted nature of ad bidding, it is seemingly impossible to alert netizens prior to the real-time auctions, it is claimed.

This, essentially, is the rub between GDPR and today’s on-the-fly web advertising, it would seem.

“As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR,” the IAB said.

Brave’s Johnny Ryan said this acknowledges the issue at the core of the campaigners’ complaint – and suggests the IAB doesn’t think adtech’s operating model can work with GDPR.

The IAB has since launched a “Consent and Transparency Framework” to help companies involved in RTB systems meet their legal requirements – but opponents argue that this doesn’t change the facts at the heart of the matter.

Similarly, a document from May 2018 produced by the IAB Tech Lab – a group that produces standards, software, and services for digital publishers, marketers, media, and adtech firms – acknowledged concerns about GDPR compliance. In it, the lab said publishers were concerned “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad but need a way to clearly signal the restriction for permitted uses in an auditable way.”

It also said that “surfacing thousands of vendors with broad rights to use data w/out tailoring those rights may be too many vendors/permissions.” And elsewhere in the 2017 document, the IAB said that, since third parties in adtech have “no link to the end-user [they] will be unable to collect consent.”
All your basis are belong to…?

It is question-marks like these, from the industry itself, that the privacy campaigners hope will bolster their case. These concerns were also highlighted by the ICO’s tech policy lead Simon McDougall in a blog post earlier this month outlining the body’s plan to look into adtech.

“The lawful basis for processing personal data that different organisations operating in the adtech ecosystem currently rely upon are apparently inconsistent,” he said. “There seem to be several schools of thought around the suitability of various basis for processing personal data – we would like to understand why the differences exist.”

He added that the ICO was interested in how and what people are told about how their personal data is used for online advertising, and how accurate these disclosures are.

A third prong of the ICO probe will consider the security of the data that is widely and rapidly shared during the auctions. “We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure,” said McDougall.

The ICO stressed that it was in the fact-finding stages of its work, and that it wanted to listen to all the “diverging views” on adtech.

And, for their part, the complainants in the case against IAB Europe and Google have said that they aren’t, necessarily, seeking an end to online advertising. Rather, they want to see adtech firms operate without sharing the highly personal information they do at the moment. For instance, Ryan said that the IAB RTB system allows 595 different kinds of data to be included in a bid request. Scrapping the use of just four per cent would be an “easy, long overdue, fix

Asleep at the Switch

Quote

Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites

Last spring, soon after Facebook acknowledged that the data of tens of millions of its users had improperly been obtained by the political consulting firm Cambridge Analytica, a top enforcement official at the Federal Trade Commission drafted a memo about the prospect of disciplining the social network.

Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against Facebook, arguing that it had violated an earlier F.T.C. consent decree barring it from misleading users about how their information was shared.

But the enforcement official, James A. Kohm, took a different view. In a previously undisclosed memo in March, Mr. Kohm — echoing Facebook’s own argument — cautioned that Facebook was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and most likely had not broken its promises to the F.T.C.

“They have been asleep at the switch,” said Senator Richard Blumenthal, the Connecticut Democrat and ranking member of the subcommittee charged with overseeing the agency.

The Cambridge Analytica data leak set off a reckoning for Facebook and a far-reaching debate about the tech industry, which has collected more information about more people than almost any other in history. At the same time, the F.T.C., which is investigating Facebook, is under growing attack for what critics say is a systemic failure to police Silicon Valley’s giants and their enormous appetite for personal data.

Almost alone among industrialized nations, the United States has no basic consumer privacy law. The F.T.C. serves as the country’s de facto privacy regulator, relying on more limited rules against deceptive trade practices to investigate Google, Twitter and other tech firms accused of misleading people about how their information is used.

But many in Washington view the agency as a watchdog that too rarely bites. In more than 40 interviews, former and current F.T.C. officials, lawmakers, Capitol Hill staff members, and consumer advocates said that as evidence of abuses has piled up against tech companies, the F.T.C. has been too cautious. Now, as the Trump administration and Congress debate whether to expand the agency and its authority over privacy violations, the Facebook inquiry looms as a referendum on the F.T.C.’s future.

“They have been asleep at the switch,” said Senator Richard Blumenthal, the Connecticut Democrat and ranking member of the subcommittee charged with overseeing the agency. “It’s a lack of will even more than paucity of resources.”

Long Overdue: It is time for the US to develop strong data privacy along the lines of the EU GDPR ( General Data Protection Regulation). It is also time for US “Netizens” to demand strong data privacy protect laws with extremely stiff penalties for non compliance.