The Massive Fine The EU Hit Meta With… Is Really About The NSA, Not Meta

Privacy

from the privacy-or-privacy dept

You may have heard the news that the EU hit Meta with a $1.3 billion fine for violating EU “data privacy rules” and assumed that this was just Meta being Meta and being bad about your privacy. But that’s not really an accurate portrayal of what happened, and it hides how this fine is actually pretty problematic for a lot of reasons that have nothing to do with Meta whatsoever, and a lot to do with the NSA.

Also, it may actually be a total disaster for privacy.

And on top of that, it makes US politicians trying to ban TikTok over fears of China spying on users appear to be total hypocrites.

The Backstory:

Some background is in order. First, almost exactly a decade ago, Ed Snowden first revealed the existence of PRISM, which unfortunately was widely misreported in the original articles about it. The original reports suggested that it was a story of tech companies giving full access to their backend data for the intel community to search. The reality, which came out a few days later, was that it was more of a system for the intel community to request data via a (HIGHLY QUESTIONABLE) legal process, and for the companies to deliver that info. It was still extremely problematic, but not in the ways it was originally reported.

Still, the revelation of the program raised many reasonable concerns, including how it was that these very same companies who had been handling “data transfers” of EU user data to US data centers under what was called the data protection “safe harbor” agreement were doing so. Part of the safe harbor agreement between the US and the EU was that the US companies would protect the data of EU users, and this didn’t seem to be happening.

Privacy activist Max Schrems sued over this, and a few years later, the EU Court of Justice tossed out the “safe harbor” agreement between the US and the EU, saying that because of the PRISM revelations and NSA’s snooping, that the agreement did not comport with EU data protection laws. Sometime after this, the EU and the US came to a new agreement, which became known as the “privacy shield” to again allow data transfers from the EU to the US. But, as we noted, the problem wasn’t the agreement, the problem was the NSA’s surveillance. And if that didn’t change, we didn’t see how the “privacy shield” was any better than the privacy “safe harbor” agreement.

Once again, Schrems sued. And once again, the court said that the agreement was invalid. Last year, the US and the EU announced yet another deal on transatlantic data flows. And, as we noted at the time (once again!) the lack of any changes to NSA surveillance meant it seemed unlikely to survive yet again.

In the midst of all this, Schrems also went after Meta directly, claiming that because these US/EU data transfer agreements were bogus, that Meta had violated data protection laws in transferring EU user data to US servers.

And that’s what this fine is about. The European Data Protection Board fined Meta all this money based on the fact that it transferred some EU user data to US servers. And, because, in theory, the NSA could then access the data. That’s basically it. The real culprit here is the US being unwilling to curb the NSA’s ability to demand data from US companies.

So, this isn’t about Meta doing anything particularly egregious on its own (I mean, it likely has, but that’s not the crux of this ruling).

The Damage to Privacy

Of course, the end result of all this could actually be hugely problematic for privacy around the globe. That might sound counterintuitive, seeing as here is Meta being dinged for a data protection failure. But, when you realize what the ruling is actually saying, it’s a de facto data localization mandate.

And data localization is the tool most frequently used by authoritarian regimes to force foreign internet companies (i.e., US internet companies) to host user data within their own borders where the authoritarian government can snoop through it freely. Over the years, we’ve seen lots of countries do this, from Russia to Turkey to India to Vietnam.

And, now, because of this ruling, they (and others) can continue to justify the demands for privacy-destroying data localization by pointing to the EU decision.

There are different privacy interests at play here. And while some will cheer this on simply because it dings Meta/Facebook, the reality is that for much of the world, getting their user data out of their local country and onto Meta’s US servers actually is much more protective of their privacy.

Of course, there’s a simple way to solve much of this: the US could cut back on NSA surveillance. What a concept.

The Hypocrisy Issue

It’s kind of amazing that all this is playing out against the backdrop of bipartisan efforts all around the US to “ban TikTok,” claiming that there’s a (still unproven) direct link enabling the Chinese government to access TikTok data. Nevermind that the US has already pressured TikTok into localizing US user data in the US under “Project Texas” (which, as we’ve already described, might also undermine US national security).

So, just as we’re forcing TikTok to locate US user data in the US and freaking out that the Chinese government might access TikTok US user data… the EU is slapping Meta with a large fine and effectively forcing it to locate EU data in the EU and freaking out that the US government might access Meta EU user data.

Basically, we’re doing exactly what we’re freaking out and claiming China is doing. Maybe we should stop?

And, of course, there are some simple ways to fix this: seriously cut back the NSA’s access to data from US companies without a valid reason. The fishing expeditions need to stop. They were an affront to the 4th Amendment all along and now they’re having a large, negative impact on US internet companies.

And then, pass a real federal privacy law that is focused on actual privacy violations, not some nonsense that simply empowers the biggest companies (i.e., Meta) to gain more control over the market, and ends up with something silly and useless like more cookie popups.

But, instead, the US will go on freaking out about TikTok, pushing garbage, broken, fake “privacy” fixes (often on a state by state business where those laws will conflict with one another), and refusing to admit that maybe the powers we gave the NSA are the problem?

Filed Under: data localization, data protection, data transfers, eu, fines, hypocrisy, localization, nsa, prism, privacy, privacy shield, surveillance, us
Companies: meta

Telecoms Detail Their Dumb Plan To Force Tech Giants To Pay Them Billions For No Reason

Broadband

from the give-me-huge-piles-of-money-for-absolutely-no-reason dept

The EU is currently proposing a plan to tax Big Tech companies, and throw that money at Big Telecom companies. For no coherent reason.

The proposal is part of the EU’s efforts to craft digital policies for the next few decades. While this is purportedly for “broadband expansion,” it’s not… really. Both EU and U.S. telecoms have a long, proud history of taking billions in subsidies and then pocketing most of the proceeds, leaving everyone in the chain with substandard service.

In reality, the effort is a lobbying gambit by telecom giants once again looking to offload their network deployment and maintenance costs onto somebody else. It’s net neutrality wars 2.0: a dumb telecom gambit to extract money these companies don’t deserve and can’t be trusted with. All pushed by EU Internal Market Commissioner Thierry Breton, himself the former CEO of France Telecom.

Much like the net neutrality fracas of old, the effort generally involves first (falsely) claiming that tech giants eat up an unfair portion of available internet bandwidth, and should therefore pony up a significant chunk of cash to telecoms. Last week, telecom trade groups tried to pitch the EU on a plan that would let them directly tax tech companies that that account for over 5 percent of a telco’s average peak traffic.

Telecom trade groups want to skip any pesky government middleman, and have the money deposited directly from tech giants into their bank accounts:

The GSMA and ETNO seem to want direct payments from tech companies, rather than having tech firms pay into a government-operated fund that would distribute money to ISPs. “A contribution mechanism should be based on commercial negotiations enshrined in a framework that obliges the parties to negotiate, in good faith and based on common EU principles, a fair and reasonable contribution for traffic delivery,” the proposal said.

The problem, of course, is that the entire proposal is bullshit. Tech giants aren’t, of course, getting a “free ride” on the internet. They spend untold billions on their own cloud storage, transit routes, undersea cables, and even (in Google’s case) residential broadband access.

This traffic is also being demanded by consumers, who routinely pay more than their fair share for access thanks to regional telecom monopolization. When it comes to regional telecom monopolies, everybody — from tech giants to the consumer — pay far more than their fair share for access thanks to consolidated telecom power, limited competition, market failure, and incompetent regulators.

Stanford net neutrality expert Barbara van Schewick dropped a statement in my inbox pointing to a broader blog post on the proposal, noting that this was, once again, telecoms attempting to get paid twice for the same service:

“This dangerous proposal undoes 30 years of internet economics by requiring streaming companies like Twitch and YouTube, as well as service providers like Amazon Web Services to negotiate with and pay every broadband provider in Europe.

These network fees are unnecessary and violate the EU’s net neutrality law. Europeans already pay to get online, but now the ISPs want to get paid twice.”

As we saw in the older net neutrality wars, policymakers and the press have been fooled into treating this entire project as a serious, adult policy proposal instead of the transparent cash grab it actually is. Telecoms have always been envious of “Big Tech’s” fat ad revenues, and have always believed they’re inherently somehow owed a massive cut of their revenues. Even if that makes no sense.

Telecom lobbyists, and the captured regulators who love them, want everybody bogged down in policy minutiae that treats this stuff like a serious proposal. They’ve already convinced captured EU regulators that imposing errant fees on tech giants has nothing to do with net neutrality and therefore doesn’t violate existing net neutrality rules, which is absurd.

Telecoms have also successfully implemented a regulatory system in South Korea where ISPs feel emboldened to sue Netflix for extra money simply because some streaming TV shows are popular. If the EU proposal is successful, you can absolutely expect a similar renewed push here in the States (some captured U.S. regulators have been laying the groundwork for several years).

The end result: bigger revenues for telecoms, and higher broadband and internet service costs for everybody else. All because some giant telecom monopolies wanted to be paid even more money for what’s already routinely substandard service.

Filed Under: big tech, big telecom, eu, fair share, net neutrality
Companies: etno, google, gsma, meta

EU’s New AI Law Targets Big Tech Companies But Is Probably Only Going To Harm The Smallest Ones

Policy

from the ask-gpt-to-write-better-laws dept

The EU Parliament is looking to regulate AI. That, in itself, isn’t necessarily a bad idea. But the EU’s proposal — the AI Act — is pretty much bad all over, given that it’s vague, broad, and would allow pretty much any citizen of any EU nation to wield the government’s power to shut down services they personally don’t care for.

But let’s start with the positive aspects of the proposal. The EU does want to take steps to protect citizens from the sort of AI law enforcement tends to wield indiscriminately. The proposal would actually result in privacy protections in public spaces. This isn’t because the EU is creating new rights. It’s just placing enough limits on surveillance of public areas that privacy expectations will sort of naturally arise.

James Vincent’s report for The Verge highlights the better aspects of the AI Act, which is going to make a bunch of European cops upset if it passes intact:

The main changes to the act approved today are a series of bans on what the European Parliament describes as “intrusive and discriminatory uses of AI systems.” As per the Parliament, the prohibitions — expanded from an original list of four — affect the following use cases:

• “Real-time” remote biometric identification systems in publicly accessible spaces;
• “Post” remote biometric identification systems, with the only exception of law enforcement for the prosecution of serious crimes and only after judicial authorization;
• Biometric categorisation systems using sensitive characteristics (e.g. gender, race, ethnicity, citizenship status, religion, political orientation);
• Predictive policing systems (based on profiling, location or past criminal behaviour);
• Emotion recognition systems in law enforcement, border management, workplace, and educational institutions; and
• Indiscriminate scraping of biometric data from social media or CCTV footage to create facial recognition databases (violating human rights and right to privacy).

That’s the good stuff: a near-complete ban on facial recognition tech in public areas. Even better, the sidelining of predictive policing programs which, as the EU Parliament already knows, is little more than garbage “predictions” generated by bias-tainted garbage data supplied by law enforcement.

Here’s what’s terrible about the AI Act, which covers far more than the government’s own use of AI tech. This analysis by Technomancers roots out what’s incredibly wrong about the proposal. And there’s a lot to complain about, starting with the Act’s ability to solidly entrench tech incumbents.

In a bold stroke, the EU’s amended AI Act would ban American companies such as OpenAI, Amazon, Google, and IBM from providing API access to generative AI models.  The amended act, voted out of committee on Thursday, would sanction American open-source developers and software distributors, such as GitHub, if unlicensed generative models became available in Europe.  While the act includes open source exceptions for traditional machine learning models, it expressly forbids safe-harbor provisions for open source generative systems.

Any model made available in the EU, without first passing extensive, and expensive, licensing, would subject companies to massive fines of the greater of €20,000,000 or 4% of worldwide revenue.  Opensource developers, and hosting services such as GitHub – as importers – would be liable for making unlicensed models available. The EU is, essentially, ordering large American tech companies to put American small businesses out of business – and threatening to sanction important parts of the American tech ecosystem.

When you make the fines big enough and the mandates restrictive enough, only the most well-funded companies will feel comfortable doing business in areas covered by the AI Act.

In addition to making things miserable for AI developers in Europe, the Act is extraterritorial, potentially subjecting any developer located anywhere in the world to the same restrictions and fines as those actually located in the EU.

And good luck figuring out how to comply with the law. The acts (or non-acts) capable of triggering fines and bans are equally vague. AI providers must engage in extensive risk-testing to ensure they comply with the law. But the list of “risks” they must foresee and prevent are little more than a stack of government buzzwords that can easily be converted into actionable claims against tech companies.

The list of risks includes risks to such things as the environment, democracy, and the rule of law. What’s a risk to democracy?  Could this act itself be a risk to democracy?

In addition, the restrictions on API use by third parties would put US companies in direct conflict with US laws if they attempt to comply with the EU’s proposed restrictions.

The top problem is the API restrictions.  Currently, many American cloud providers do not restrict access to API models, outside of waiting lists which providers are rushing to fill.  A programmer at home, or an inventor in their garage, can access the latest technology at a reasonable price.  Under the AI Act restrictions, API access becomes complicated enough that it would be restricted to enterprise-level customers.

What the EU wants runs contrary to what the FTC is demanding.  For an American company to actually impose such restrictions in the US would bring up a host of anti-trust problems.

While some US companies will welcome the opportunity to derail their smaller competitors and lock in large contracts with their wealthiest customers, one of the biggest tech companies in the world is signaling it wants no part of the EU Parliament’s AI proposal. The proposal may not be law yet, but as Morgan Meaker and Matt Burgess report for Wired, Google is already engaging in some very selective distribution of its AI products.

[G]oogle has made its generative AI services available in a small number of territories of European countries, including the Norwegian dependency of Bouvet Island, an uninhabited island in the South Atlantic Ocean that’s home to 50,000 penguins. Bard is also available in the Åland Islands, an autonomous region of Finland, as well as the Norwegian territories of Jan Mayen and Svalbard.

This looks like Google is sending a bit of a subtle hint to EU lawmakers, letting them know that if they want more than European penguins to have access to Google’s AI products, they’re going to have to do a bit of a rewrite before passing the AI Act.

The EU Parliament is right to be concerned about the misuse of AI tech. But this isn’t the solution, at least not in this form. The proposal needs to be far less broad, way less vague, and more aware of the collateral damage this grab bag of good intentions might cause.

Filed Under: ai, antitrust, apis, competition, eu, facial recognition, regulations

EU Approves Microsoft, Activision Acquisition With Some Minor Stipulations

Legal Issues

from the promises-promises dept

One hurdle defeated, two more to go. For months now, we have been discussing Microsoft’s proposed acquisition of Activision for $69 billion. What would be the largest video game studio acquisition in history has faced several hurdles along the way, primarily from the EU, the UK, and the United States. While the UK’s CMA has already formally nixxed the purchase (appeal by Microsoft pending) and the FTC decision is looming, leaks had already suggested months ago that the EU was set to approve the deal.

And now those leaks have been proven prescient. The European Commission has formally approved of the purchase. To get there, the EC relied on three points: it believes Microsoft’s promises to keep its titles available to other cloud-gaming providers, it thumbs its nose at the popularity of Call of Duty in the EU, and, my favorite, it claims that Microsoft wouldn’t make popular titles Xbox exclusives because Microsoft has so badly lost the console wars to Sony. Yes, seriously.

As to those promises:

Because of those concerns, the EC’s decision is conditional on certain assurances Microsoft has made to preserve competition. Those include a free license for any cloud streaming service to allow its users access to “any Activision Blizzard PC and console games” for at least 10 years. Anyone who has purchased any current or upcoming Activision-Blizzard games (or accessed them through a subscription) will “have the right to stream those games with any cloud game streaming service of their choice and play them on any device using any operating system” throughout Europe.

With this commitment in place, the EC says it’s satisfied that the merger will “represent a significant improvement for cloud game streaming compared to the current situation.” The Commission notes that “cloud game streaming service providers gave positive feedback and showed interest in the licenses” and points to existing Microsoft agreements with cloud providers such as Boosteroid.

Which… fine, whatever. Cloud gaming isn’t completely without adoption, but it also is a fraction of the total gaming market. If, when it comes to cloud-gaming specifically, the EC wants to buy into Microsoft’s totally coincidental 10 year deals it made after the purchase, so be it. I, and the industry generally, have been more focused on the non-cloud console market. What happens if Microsoft decides to make Call of Duty an Xbox/PC exclusive? Well, to start, no big deal, according to the EC, because the series isn’t as popular in the EU as it is in America.

Even if Microsoft did make the Call of Duty franchise an Xbox exclusive, the decision would “not significantly harm competition in the consoles market” because the series “is less popular in [Europe] than in other regions of the world, and is less popular in [Europe] within its genre compared to other markets,” European regulators wrote.

And that’s true. It’s hard to break this down to the EU specifically, or by game specifically, but sources I’m looking at suggest that Call of Duty titles quite recently have been the number one seller in the EU, even if those sales are outpaced by the Americas in total numbers. I don’t think the numbers warrant the hand-waving routine the EC is undergoing here, but that also wasn’t their only comment on the matter. The EC didn’t think Microsoft would ever consider pulling CoD off of the PlayStation due to Microsoft being outpaced by its rival in sales so badly.

In the end, European regulators said they were not concerned about the merger’s effects on the market for non-cloud console gaming. Despite Sony’s concerns, Microsoft “would have no incentive to refuse to distribute Activision’s games to Sony” after a merger, the EC said, partly because “there are four Sony PlayStation consoles for every Microsoft Xbox console bought by gamers” across Europe.

And there you have it: the EC has approved the acquisition.

As I stated earlier, this isn’t the end of the story. Microsoft still has its appeal of the CMA to contend with, nevermind the far more important potential battle with the FTC in America. Were the latter to refuse to allow this to move forward, that would probably be the end of this deal. In the meantime, I suppose Microsoft should be focusing on ensuring it can keep its promises to the EC while also committing to not accidentally gaining console market share on Sony.

Filed Under: antitrust, call of duty, cloud streaming, competition, eu, european commission, exclusives, video games
Companies: activision blizzard, microsoft

EU Commissioner Heading Push For Client-Side Scanning Continues To Say Dumb Stuff In Defense Of Her Terrible Proposal

Privacy

from the doubling-down dept

There may be an entire commission behind the push to mandate client-side scanning in the European Union, but there’s one truly propulsive force behind it: Commissioner Ylva Johansson, the person in charge of the Home Affairs office.

Johansson is the one who penned a largely incoherent defense of the proposal back in August 2022, long before criticism of the proposal hit critical mass. Her defense basically relied on this being “for the children,” which she apparently considered to be enough of an impetus to shout down any objections. That this might make children less safe wasn’t considered. That this would expose EU citizens to persistent surveillance, as well as increase the risk of their personal data being obtained by criminals, was shoved to the side to buttress the narrative Commissioner Johansson wanted to push.

Despite being soundly advised of the risks, Johansson pushed forward, claiming whatever happened to anyone wasn’t really a problem. She also dodged the encryption-breaking elements of the proposal by pretending this had nothing to do with basically outlawing end-to-end encryption. But facts are facts: you can’t perform client-side scanning without breaking end-to-end encryption. If content has to be scanned, one end of the encryption needs to be broken.

The proposal is so bad even the EU government’s lawyers won’t condone it. It’s so bad even certain EU constituent countries won’t condone it. The German government has already stated it’s not interested in compelling client-side scanning even if it the EU Commission says that’s the way things are going to be in the European Union.

None of this appears to be having any effect on the Commissioner, who has chosen to disregard any valid criticism of this proposal and double down on everything she and “her” proposal are wrong about. Perhaps its fitting that one of the burrs under Johansson’s saddle is the German government, as Morgan Meaker reports in this recent article for Wired.

On April 23, the German politician Patrick Breyer uploaded a meme to his Mastodon account. “Big Sister is Watching You”, it warned in big white letters, written behind a smiling photograph of Ylva Johansson, the EU commissioner in charge of home affairs. Within the bureaucratic confines of Brussels, it’s rare for a politician to evoke enough anger to feature on a meme—let alone be labeled as the modern incarnation of author George Orwell’s Big Brother by her colleagues.

Germany’s in no hurry to accept the intrusion of a EU-mandated Big Brother. It spent years doing its own Big Brother work, both under Hitler and as a USSR farm team. This direct rejection of Johansson and her proposal is, as the Wired article notes, a rarity.

But criticism in general of Johansson and this proposal is far from rare. Lots of opposition has been raised, almost all of it pointing out how this would be either (1) unworkable, (2) dangerous, or (3) both of the above.

If anything, this constant stream of criticism appears to have given Johansson the impression she must be right, if only because so many people think she’s wrong. Couching her arguments in loaded “for the children” language, she suggests her opponents are either incorrect or simply don’t care if kids get sexually abused.

In many ways, the responses given to Wired are the inversion of this assessment of Johansson from one of the many services her proposal would harm.

“Either she’s stupid or she’s evil,” says Jan Jonsson, CEO of Swedish VPN service Mullvad.

Maybe it’s both. Or maybe it’s neither. Maybe it’s just someone deciding this will be their legacy and now, having been told by thousands of people their baby is ugly, they’re fiercely determined to prove everyone else wrong.

This is how Johansson can (virtually) attend the Big Brother Awards to accept a facetious award for her contribution to the surveillance state without a solitary trace of irony or shame. And maybe that’s why she can continue to pretend this isn’t about encryption, when it has everything to do with encrypted communication services that ensure users’ security by refusing to break their end of the encryption.

The wording of Johansson’s proposal is “technology neutral,” meaning it doesn’t even mention encrypted spaces. But, crucially, it doesn’t rule out encrypted services either.

That’s implausible deniability. That’s willfully ignoring the technical details in favor of presenting broader claims about saving children and insinuating anyone objecting to this massive expanse of EU government surveillance power just doesn’t care enough about sexually exploited children.

Johansson stresses that this bill is not about privacy, but about protecting children. We should be thinking about the 11-year-old girl who has been coerced into sending someone explicit pictures and is now seeing them circulate around the internet, she says. “What about her privacy?”

That’s the mentality we’re dealing with. Of course the victim of CSAM has had their privacy violated. But it’s been violated by the person performing the criminal act, not by the services utilized to communicate with the victim. And hosts of user-generated content already block and report CSAM when it’s detected on the open web. Demanding service providers scan all users’ content proactively means millions of privacy violations will occur every day, with only a very small percentage of them involving the distribution of illegal content.

That seems to be fine with Johansson, who is apparently willing to sacrifice the privacy and security of millions for the hypothetical 11-year-olds she presents as a counterargument.

No one is arguing CSAM needs to be actively combated, deterred, and subjected to the full force of the law. What they’re arguing against is the wholesale dismantling of privacy and security protections their users trust them to provide in exchange for incremental law enforcement gains that will always fail to satisfy politicians like Johansson, who seem to believe everyone should be punished because a small minority of internet users utilize communication services to break the law.

She’s clearly unwilling to listen to reason. And as this proposal inches forward against increasing resistance, the arguments made in support of it will become less rational and more emotional. But emotions aren’t legal justifications for the always-on surveillance this proposal would create.

Filed Under: client side scanning, csam, eu, germany, surveillance, ylva johansson

EU Commission Asks EU Council Lawyers If Compelled Client-Side Scanning Is Legal, Gets Told It Isn’t

(Mis)Uses of Technology

from the Welcome-to-Lawsuit-Town,-commissioners dept

Lots of ideas have been floated by legislators and others in hopes of limiting the distribution of child sexual abuse material (CSAM). Very few of these ideas have been good. Most have assumed that the problem is so horrendous any efforts are justified. The problem here is that governments need to actually justify mandated mass privacy invasions, which is something that they almost always can’t do.

It’s even a fraught issue in the private sector. Apple briefly proposed engaging in client-side scanning of users’ devices to detect CSAM and prevent its distribution. This effort was put on hold when pretty much everyone objected to Apple’s proposal, stating the obvious problems it would create — a list that included undermining the security and privacy protections Apple has long used as evidence of its superiority over competing products and their manufacturers.

Not that legislators appear to care. The EU Commission continues to move forward with “for the children” client-side scanning mandate, despite the multitude of problems this mandate would create. Last year, the proposal was ripped to shreds by the EU Data Protection Board and its supervisor in a report that explained the mandate would result in plenty of privacy invasion and data privacy law violations that simply could not be excused by the Commission’s desire to limit the spread of CSAM.

In defense of the decimated proposal, EU Commussioner for Home Affairs, Yiva Johansson, penned an absurd, incomprehensible defense of the Commission’s client-side scanning proposal that basically stated this proposal was justified by the ends, while glossing over the potentially disastrous means.

So, the proposal continues to move forward, ignoring pretty much every rational person’s objections and the German government’s flat-out refusal to enforce this mandate should it actually become law.

The Commission has ignored pretty much everyone while pushing this massive privacy/security threat past the legislative goal line. But it may not be able to ignore the latest objections to its proposal, given that they’re being raised by the EU government’s own lawyers.

A legal opinion on a controversial European Union legislative plan set out last May, when the Commission proposed countering child sexual abuse online by applying obligations on platforms to scan for abuse and grooming, suggests the planned approach is incompatible with existing EU laws that prohibit general and indiscriminate monitoring of people’s communications.

The advice by the Council’s legal service on the proposed Child Sexual Abuse Regulation (also sometimes referred to as “Chat control”), which leaked online this week — and was covered by The Guardian yesterday — finds the regulation as drafted to be on a collision course with fundamental European rights like privacy and data protection; freedom of expression; and the right to respect for a private family life, as critics have warned from the get-go.

Security consultant and cryptographer Alec Muffett posted a link to the leaked legal opinion to Twitter while highlighting the Council’s numerous statements that the proposal has zero chance of being found legal under EU law, much less a proportionate response to the stated problem that might be considered serious enough to allow a massive number of rights violations by the EU government.

The legal opinion [PDF] makes it clear there’s very little that’s actually legal about compelled client-side scanning. The entire thing is damning, but here’s just one of several issues the legal Council says the EU Commission is wrong about:

The screening of interpersonal communications as a result of the issuance of a detection order undeniably affects the fundamental right to respect for private life, guaranteed in Article 7 of the Charter, because it provides access to and affects the confidentiality of interpersonal communications (text messages, e-mails, audio conversations, pictures or any other kind of exchanged personal information). It is also likely to have a deterrent effect on the exercise of freedom of expression, which is enshrined in Article 11 of the Charter. It does not matter in this respect whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference.

Furthermore, such screening constitutes the processing of personal data within the meaning of Article 8 of the Charter and affects the right to protection of personal data provided by that provision.

It must be noted, in this respect, that under settled case law the fact that the automated analysis based on predefined indicators would not, as such, allow all the users whose data is being analysed to be identified, does not prevent such data from being considered personal data, in so far as the automated analysis would allow the person or persons concerned by the data to be identified at a later stage. According to the definition of personal data in Article 4(1) of the General Data Protection Regulation (GDPR), information relating, inter alia, to an identifiable person constitutes personal data. Therefore, screening of all communications in a given service, with the assistance of an automated operation, presupposes systematic access to and processing of all information and constitutes an interference with the right to data protection, regardless of how that data is used subsequently. In particular, the question whether that information is subsequently accessed by the competent authorities is irrelevant.

A shotgun approach to CSAM detection is civil rights disaster waiting to happen, especially in cases where the government decides all users of a service are guilty just because some users are using the service to distribute illegal content.

The proposed legislation requires the general screening of the data processed by a specific service provider without any further distinction in terms of persons using that specific service. The fact that the detection orders would be directed at specific services where there is evidence of a significant risk of the service being used for the purpose of online child sexual abuse would be based on a connection between that service and the crimes of child sexual abuse, and not, even indirectly, on the connection between serious criminal acts and the persons whose data are scanned. The data of all the persons using that specific service would be scanned without those persons being, even indirectly, in a situation liable to give rise to criminal prosecutions, the use of that specific service being the only relevant factor in this respect.

And this would set off a chain of events that could easily result in permanent surveillance of millions of people’s communications across multiple internet-based services. Not so much mission creep as mission sprint.

Furthermore, since issuing a detection order with regard to a specific provider of interpersonal communication services would entail the risk of encouraging the use of other services for child sexual abuse purposes, there is a clear risk that, in order to be effective, detection orders would have to be extended to other providers and lead de facto to a permanent surveillance of all interpersonal communications.

The opinion also notes that weakening encryption to achieve this goal would result in more interference with citizens’ rights by making it that much more difficult to ensure their own data privacy and preventing providers from taking the steps needed to ensure the security of data collected from users. Collection of written communications (that contain no images) in order to detect those trying to lure children into CSAM creation creates another long list of data privacy law violations by introducing even more surveillance in hopes of ascertaining the ages of those engaged in these communications.

And, while CSAM is definitely a problem, it’s not on par with the security of EU nations, which is what justifies most exceptions to EU privacy laws. But these two issues are not comparable, no matter how EU Commissioners portray CSAM when advocating for mass privacy violations. The Council notes that exceptions that have been made in the interest of national security are unlikely to apply to CSAM detection, especially when the latter is asking for something even intelligence agencies haven’t been able to legally obtain. (Emphasis in the original.)

[I]f the screening of communications metadata was judged by the Court proportionate only for the purpose of safeguarding national security, it is rather unlikely that similar screening of content of communications for the purpose of combating crime of child sexual abuse would be found proportionate, let alone with regard to the conduct not constituting criminal offences.

The Council sums up its report by saying that if this proposal hopes to survive even the most cursory of legal challenges, it needs to vastly decrease its scope and greatly increase the specificity of its targeting. Otherwise, it’s just a bunch of illegal surveillance masquerading as a child protection program. The Commission may be able to ignore security professionals and the occasional member state, but it seems unlikely it can just blow off its own lawyers.

Filed Under: client side scanning, csam, eu, eu commission, privacy, protect the children

EU Website Links Keep Getting Delisted Over Piracy Advertisements

Copyright

from the nice-website-you-have-there... dept

Policing copyright infringement is hard. Hard for those operating websites that allow for the public to input content and hard for the rightsholders that far too often use automated systems that suck out loud at determining what is actually infringing and what isn’t. This is a lesson currently being learned by the European Union, as its website is being bombarded with DMCA notices that are getting parts of the site’s search results delisted.

The European Union recognizes that online piracy poses a serious threat to copyright holders and the public at large. In recent years, Europe has updated legislation to deal with modern piracy threats. This includes a requirement for large platforms to deter repeat copyright infringers.

Copyright holders have sent hundreds of DMCA notices flagging alleged copyright infringements on Europa.eu, the official website of the European Commission. The EU seems unable to deal with a recurring piracy spam problem on its own portal, up to the point that Google has begun removing Europa.eu search results.

I actually reversed the order of those paragraphs from the TorrentFreak post I’m quoting. Why? Because it highlights a problem that not nearly enough people recognize: regulations putting the burden of policing copyright infringement on otherwise innocent websites is a recipe for absolute disaster, as the EU is now learning with respect to its own website.

So what’s actually happening here? Is the EU website actually serving as a repository for infringing material? Nope!

Over the past few months, we have documented how scammers are exploiting weaknesses in various Europa.eu portals including, most recently, the European School Education Platform. These scams exploit public upload tools to share .pdf files, which in turn advertise pirated versions of the latest blockbusters. People who fall for these scams are in for a huge disappointment. Instead of gaining access to pirated movies, they are redirected to shady sites that often promise ‘free’ content in exchange for the visitor’s credit card details.

Meaning that in these cases the EU site isn’t hosting any actual infringing material, but is instead getting inundated with documents advertising links to other, supposedly/likely infringing websites. The webmaster for the site has said they’re aware of the problem and are trying to solve it, but the only real solution is almost certainly to shut down the kind of document submissions that is allowing for this to occur in the first place.

The lack of actually infringing material isn’t keeping the DMCA notices at bay however.

In several instances, the European Commission isn’t able to spot the problematic uploads. For example, a .pdf advertising a pirated copy of the film “The Last Manhunt” remains online today, more than two weeks after it first appeared. Following a DMCA notice, Google decided to remove the link from its search results.

In other cases, the Commission spots the scammy ads and removes them. When that happens, Google typically takes no action. According to Google’s records, the company has removed roughly two dozen Europa.eu URLs from its search results thus far.

Turns out this is all very hard to police. Something the EU should keep in mind when crafting its new piracy policies requiring more of the websites within its jurisdiction.

Filed Under: copyright, dmca, dmca abuse, eu, european commission, links, piracy

Meta Correctly Calls The EU Plan To Impose A Broadband Tax On ‘Big Tech’ Arbitrary Nonsense

Broadband

from the please-pay-us-billions-of-additional-dollars-for-no-coherent-reason dept

In case you’d missed it, the EU is currently proposing a telecom-industry backed plan to effectively tax Big Tech companies, and throw that money at Big Telecom companies for broadband expansion.

On the surface, the proposal is part of the EU’s efforts to craft digital policies for the next few decades, with an eye on shoring up lagging broadband access.

In reality, the effort is a lobbying gambit by telecom giants looking to offload their network deployment and maintenance costs onto somebody else. All being pushed by EU Internal Market Commissioner Thierry Breton, himself a former CEO of France Telecom.

It’s effectively an extension of the net neutrality wars, in which telecom monopolies insisted they should be paid even more money if you want to access their networks — for no coherent reason.

We’ve repeatedly noted there are several problems with the proposal. One, the whole effort is based on the lie that Big Tech companies “don’t pay their fair share” for broadband (in reality they pay countless billions for bandwidth, cloud storage, CDNs, transit, and even undersea cables). Two, it’s being driven by telecom monopolies with long, rich histories of bullshit on this subject (not to mention subsidy fraud).

It’s effectively yet another effort by the telecom lobby to “double dip,” dressed up as a serious, adult policy proposal. But throwing billions of dollars at telecom monopolies (without reforming existing broadband subsidy programs) in the hopes that this just magically fixes the digital divide this time is a fool’s errand. Yet here we are, having learned nothing from decades of policy experience.

Both Google and Netflix have come out swinging against the EU’s Big Tech tax, pointing out how the claim they “don’t pay their fair share” and should be directly responsible for paying to bridge the digital divide is telecom industry nonsense.

And now Meta’s Kevin Salvadori, VP of Network, and Bruno Cendon Martin, Senior Director of Wireless Technologies, have issued a blog post also pointing out that Facebook has spent more than $100 billion of capital expenditures and operational expenditures on global digital infrastructure:

proposals by some European telecom operators to impose network fees on Content Application Providers (CAPs) such as Meta are not the solution. Network fee proposals are built on a false premise because they do not recognise the value that CAPs create for the digital ecosystem, nor the investments we make in the infrastructure that underpins it.

Facebook/Meta has no shortage of dumb problems (including clumsy and sometimes predatory missteps on efforts to shore up global broadband access), but they’re correct here.

While broadband subsidy programs in the U.S. and EU do need shoring up, that shouldn’t necessarily be the job of Big Tech companies. Especially given that, in both the EU and U.S., telecom monopolies have routinely driven up the cost of essential broadband access for everyone through regulatory capture and relentless attacks on disruptive competition.

When it comes to telecom monopolies, nobody gets a “free ride.”

Some groups have warned that the EU’s telecom industry’s plan to tax Big Tech giants would simply drive up online costs for consumers, given Big Tech companies would just pass these added costs on to users already paying an arm and a leg for bandwidth. Some groups have warned the internet could also become less stable as online companies try to reroute their traffic around such fees.

And in South Korea, where telecoms convinced regulators to implement a similar tax on Big Tech companies, ISPs have taken to suing Netflix simply because Squid Game was popular with consumers and that resulted in a bandwidth consumption spike.

Content companies and consumers already pay an arm and a leg for bandwidth due to corruption, regulatory capture, and monopolization. It’s the telecoms’ responsibility to use that money — in addition to the billions in taxpayer subsidies they already get — to ensure their networks are ready for customer bandwidth demands. Suggesting it’s Netflix’s fault because you weren’t prepared is preposterous.

Again, if policymakers were serious about bridging the digital divide, they’d embrace policies that take aim at concentrated telecom monopoly power. They’d reform telecom subsidy programs that, for decades, have thrown billions of unaccountable dollars at these monopolies in exchange for networks that are always only half completed. And they’d more seriously police fraud by major telecoms.

Forcing tech giants to pay telecom giants billions of dollars for no coherent reason isn’t actually a solution for the digital divide, but telecom lobbyists have convinced many captured regulators otherwise. And if the push in the EU is successful, you can be absolutely assured it will see a renewed push in the U.S. by the likes of AT&T and Comcast, with captured regulators like the FCC’s Brendan Carr at the fore.

Filed Under: big tech, digital divide, eu, high speed internet, lobbying, net neutrality, regulatory capture, sender pays, telecom, thierry breton

Microsoft Inks 2 More CoD Multiplatform Deals With Game Streaming Services

Deals

from the obvious-strategy-is-obvious dept

Microsoft continues to make moves to get its purchase of Activision Blizzard past the various regulatory bodies that have voiced their concerns. While there are plenty of signs that the EU regulators are getting ready to approve the deal, there is still the UK’s Competition and Markets Authority (CMA) and the Federal Trade Commission (FTC) in the States to get past. Microsoft’s strategy for getting over those hurdles has been very clear: ink as many decade-long deals to put the Call of Duty franchise on as many platforms as possible to show regulators that they aren’t planning on bringing games to exclusivity. Microsoft already has a deal in place for this with Nintendo and a proposed deal for it with Sony, which has been the main private objector to this purchase to begin with.

And now Microsoft is piling them on, inking two additional CoD deals with two game-streaming platforms.

Microsoft announced Tuesday that it has signed a 10-year deal to bring its Xbox PC games to little-known Ukraine-based streaming platform Boosteroid. The move is being positioned in part to “mak[e] even more clear to regulators that our acquisition of Activision Blizzard will make Call of Duty available on far more devices than before,” as Microsoft Vice Chair and President Brad Smith said in a statement.

The new deal comes a month after Microsoft signed a similar 10-year commitment with Nvidia to bring Xbox PC games to that company’s GeForce Now streaming service.

As I said, the reason for these deals is plainly obvious. Microsoft isn’t even bothering to pretend otherwise, having told the Wall Street Journal directly that these new deals are going to make it hard for Sony to make arguments in court or in front of regulators that center on exclusivity of the CoD franchise.

Just as notable, if not more so, is what is going on at the FTC. Over there, the FTC, having heard Sony’s arguments that Microsoft’s exclusivity pursuits on Bethesda titles should result in assuming it will do likewise with Activision Blizzard titles, is apparently considering opening the door to Microsoft getting Sony’s exclusivity deals, in detail, as part of the discovery process.

Microsoft argues that the Complaint in this case makes a number of allegations regarding high-performance video game console developers’ exclusivity arrangements with video game publishers. Microsoft states that it is aware that SIE requires many third-party publishers to agree to exclusivity provisions, including preventing the publishers from putting their games on Xbox’s multi-game subscription service, and that understanding the full extent of SIE’s exclusivity arrangements and their effect on industry competitiveness will assist in its defense.

Judge Chappell says this is because “the nature and extent of [Sony’s] content-licensing agreements are relevant to the Complaint’s allegations of exclusivity arrangements between video game console developers and video game developers and publishers.”

What does this mean? Well, it means that from 2019 on, Microsoft is going to get a look at the costs, terms, and conditions for all kinds of Sony exclusivity deals for the past several years. And you can bet Sony doesn’t want that released, especially if it has engaged in the exact kind of anti-competitive nonsense that it is warning Microsoft might engage in.

As to whether that information will make its way into the public, one can only hope.

Filed Under: antitrust, call of duty, competition, eu, ftc, uk
Companies: activision, activision blizzard, microsoft

German Parliament Rejects EU Commission Call For Client-Side Scanning

Policy

from the not-happening-here-if-we-can-help-it dept

Everybody agrees child sexual abuse material is a serious problem. Unfortunately, far too many supposedly serious people are coming up with very unserious “solutions” to the problem.

Pressure applied by lawmakers and law enforcement led to Apple deciding to get out ahead of the seemingly-impending mandates to “do something” about the problem. In August 2021, it declared its intent to engage in client-side scanning of users’ content which would search for illegal material on users’ devices as well as their cloud storage accounts. After receiving a ton of backlash, Apple backpedaled, putting its scanning plans on ice for the foreseeable future.

Apple recognized the problem, albeit after the fact. Legislators pushing for client-side scanning don’t appear to be getting any smarter about the issue, despite having a real-world example to learn from. A bunch of security researchers wrote a report detailing all the security and privacy issues client-side scanning introduces, noting that any tradeoffs in effectiveness of shutting down CSAM were extremely limited.

This too has been ignored. Government officials all over the world still think the best thing for the children is something that would reduce the security and privacy of children who own smartphones and are almost always connected to the internet. Two GCHQ employees wrote a paper suggesting the smart thing to do was mandate client-side scanning wherever it was needed. Bundled with that proposal was the implicit suggesting that end-to-end encryption was no longer an option — not when there are children to protect.

Less than a month after this paper was published, an EU commissioner composed an incomprehensible defense of client-side scanning, one presumably provoked by the EU Data Protect Board’s rejection of the entire premise, which pointed out the numerous violations of enshrined personal privacy rights client-side scanning would result in.

Somehow, despite all of this, the EU Commission is trying to move forward with mandated client-side scanning. Here’s what at least some members of the Commission want, as described by Hanna Bozakov in a blog post at Tutanota:

The EU proposal covers three types of sexualized abuse, such as depictions of abuse, previously unknown material, but also so-called grooming, i.e. targeted contact with minors with the intention of abuse.

The draft law is currently in the European process of becoming a law. If passed in its current form, it would force online service providers to scan all chat messages, emails, file upload, chats during games, video conferences etc. for child sexual abuse material. This would undermine everybody’s right to privacy and weaken the level of security online for all EU citizens.

Broad. Sweeping. Dangerous. These are all suitable terms for this proposal. And let’s not forget the children it’s supposed to help, who will be just as victimized by the law as the people who wrote it.

Fortunately, there’s already some strong opposition to this proposal. The German Parliament has soundly rejected this push for client-side scanning, saying there’s no way it’s willing to inflict this privacy invasion on its constituents.

While the German Parliament itself is not directly involved with the EU Commission’s proposal to make client-side scanning of encrypted communication mandatory for online services, the hearing was still a great success for digital rights groups and privacy activists.

The draft law itself is being negotiated between the EU Commission, the European Parliament and the member states in the Council of Ministers. In this context, the German government can have a deciding influence in the Council of Ministers.

And, to the very least, the German government wants the removal of client-side scanning, i.e. the examination of communications content on end devices, from the proposal.

So, if the EU Commission ratifies this proposal, the German government likely won’t enforce it. In fact, it will probably challenge the law in the EU human rights court, which will almost certainly find it a violation of rights guaranteed by other EU laws. This is a losing proposal for several reasons, but especially in a continent where this same commission has created sweeping privacy protections for European residents. It can’t just undo those because it wants to solve a problem it didn’t consider during its erection of other privacy protections.

Now that an entire country has rejected client-side scanning, the EU Commission needs to go back to the drawing board. Yes, CSAM is a problem that needs to be addressed. But it simply can’t be solved by turning everyone accessing the internet into a suspect.

Filed Under: client side scanning, csam, eu, gchq, germany, privacy, security, surveillance