Glyn Moody’s Techdirt Profile

About Glyn Moody: Techdirt Insider
Posted on Techdirt - 12 January 2018 @ 1:22pm

Chinese Internet Users Start To Rebel Against Lack Of Online Privacy

from the just-a-blip-or-the-start-of-something-bigger? dept

We recently reported how China continues to turn the online world into the ultimate surveillance system, which hardly comes as a surprise, since China has been relentlessly moving in this direction for years. What is rather more surprising is that Chinese citizens are beginning to push back, at least in certain areas. For example, The New York Times reports on an "outcry" provoked by a division of the Alibaba behemoth when it assumed that its users wouldn't worry too much if they were enrolled automatically in one of China's commercially-run tracking systems:

Ant Financial, an affiliate of the e-commerce giant Alibaba Group, apologized to users on Thursday after prompting an outcry by automatically enrolling in its social credit program those who wanted to see the breakdown [of their spending made via Ant Financial's online payment system]. The program, called Sesame Credit, tracks personal relationships and behavior patterns to help determine lending decisions.

When one of China's business leaders complained publicly about the lack of privacy in China, and how Tencent's hugely-popular WeChat program spied on users, the company's denials were met with another outcry:

Tencent said that the company did not store the chat history of users and that it would never use chat history for big data analytics. The comments were met with widespread disbelief: WeChat users have been arrested over what they've said on the app, conversations have turned up as evidence in court proceedings, and activists have reported being followed based on WeChat conversations.

Meanwhile, the third of China's Big Three Internet companies -- Baidu -- has been hit with legal action over privacy concerns, reported here by Caixin:

Baidu Inc., China’s largest search-engine operator, is being sued by a consumer-protection organization that claims it collected users' information without consent, in the latest privacy dispute involving the country's tech giants.

Two mobile apps operated by New York-listed Baidu, a search engine and a web browser, could access a user's calls, location data, messages and contacts without notifying the user, the Jiangsu Consumer Council, a government-backed consumer rights association, claimed in a statement on its website.

The Chinese government may not worry too much about these calls for more privacy provided they remain directed at companies, since they offer a useful way for citizens to express their concerns about surveillance without challenging the state. It looks happy to encourage users to demand more control over how online services use their personal data -- so long as the authorities can still access everything themselves.

As well as government acquiescence in these moves, there's another reason why Chinese companies may well start to take online privacy more seriously. An article in the South China Morning Post points out that if Chinese online giants want to move beyond their fast-saturating home market, and start operating in the US and EU, they will need to pay much more attention to privacy to satisfy local laws. As Techdirt reported, an important partnership between AT&T and Huawei, China's biggest hardware company, has just been blocked because of unproven accusations that data handled by Huawei's products might make its way back to the Chinese government.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Posted on Techdirt - 11 January 2018 @ 7:35pm

Shareholder Groups Say Apple Should Do More To Address Gadget 'Addiction' Among Young People: Should It?

from the won't-somebody-think-of-the-children-even-more? dept

In an open letter to Apple, two of its major shareholders, Jana Partners and the California State Teachers' Retirement System, have raised concerns about research that suggests young people are becoming "addicted" to high-tech devices like the iPhone and iPad, and the software that runs on them. The letter asks the company to take a number of measures to tackle the problem, such as carrying out more research in the area, and providing more tools and education for parents to help them deal with the issue. It quotes studies by Professor Jean M. Twenge, a psychologist at San Diego State University, who is also working with the shareholders in an effort to persuade Apple to do more:

Professor Twenge's research shows that U.S. teenagers who spend 3 hours a day or more on electronic devices are 35% more likely, and those who spend 5 hours or more are 71% more likely, to have a risk factor for suicide than those who spend less than 1 hour.

Other quoted research found:

The average American teenager who uses a smart phone receives her first phone at age 10 and spends over 4.5 hours a day on it (excluding texting and talking). 78% of teens check their phones at least hourly and 50% report feeling "addicted" to their phones.

According to the letter, at least part of the solution needs to come from Apple:

we note that Apple's current limited set of parental controls in fact dictate a more binary, all or nothing approach, with parental options limited largely to shutting down or allowing full access to various tools and functions. While there are apps that offer more options, there are a dizzying array of them (which often leads people to make no choice at all), it is not clear what research has gone into developing them, few if any offer the full array of options that the research would suggest, and they are clearly no substitute for Apple putting these choices front and center for parents.

The Apple shareholders behind the letter admit that it is not entirely altruistic:

we believe that addressing this issue now will enhance long-term value for all shareholders, by creating more choices and options for your customers today and helping to protect the next generation of leaders, innovators, and customers tomorrow.

Building on this, they also shrewdly point out that Apple has little to fear from moves to give parents more control over their children's use of Apple products:

Doing so poses no threat to Apple, given that this is a software (not hardware) issue and that, unlike many other technology companies, Apple's business model is not predicated on excessive use of your products. In fact, we believe addressing this issue now by offering parents more tools and choices could enhance Apple's business and increase demand for its products.

That's in contrast to Facebook or Google, for example, both of which want people to use their respective products as much as possible so as to maximize the opportunities for advertising. Apple has already responded with a fairly generic reply, published on the iMore site:

we are constantly looking for ways to make our experiences better. We have new features and enhancements planned for the future, to add functionality and make these tools even more robust.

Unless that functionality goes well beyond the perfunctory, it is unlikely to satisfy the shareholder groups, who presumably want the "full array of options" they mention. The danger for Apple is that a limited response might lead to it being swept up in the growing backlash against Silicon Valley and its products, evident in a number of recent articles. One thing Apple could do is to make it easier for third parties to write apps that address the problem in a thoroughgoing way -- something its tightly-controlled ecosystem may make harder than for Android.

A broader issue is how serious the problem of gadget "addiction" in children really is -- and how it should be tackled. Clearly, the parents play a key role here, but what about the hardware and software companies who profit from it? To what extent should they provide fine-grained parental controls -- should social media, for example, offer parents the capability to limit the number and timing of daily posts made by their children, and would that even help?


Posted on Techdirt - 8 January 2018 @ 7:39pm

The Stasi's Tiny Torn-Up Analog Files Defeat Modern Digital Technology's Attempts To Re-Assemble East Germany's Surveillance Records

from the too-hard-for-today's-hardware dept

It is nearly 30 years since the wall separating East and West Berlin came down, and yet work is still going on to deal with the toxic political legacy of East Germany. As Techdirt readers are well aware, one of the defining characteristics of the regime in East Germany was the unprecedented -- for the time, at least -- level of surveillance inflicted on citizens by the Stasi (short for Staatssicherheitsdienst, or State Security Service). This led to the creation of huge archives holding dossiers about millions of people.

As it became clear that East Germany's government would fall, and that its long-suffering citizens would demand to know who had been spying on them over the years, Stasi officers began to destroy the most incriminating documents. But there were so many files -- a 2008 Wired article about them says they occupied 100 miles of shelving -- that the shredding machines they used started to burn out. Eventually, Stasi agents were reduced to tearing pages by hand -- some 45 million of them, ripping them into around 600 million scraps of paper.

After thousands of bags holding the torn sheets were recovered, a team working for the Stasi records agency, the body responsible for handling the mountain of paper left behind by the secret police, began assembling the pages manually. It was hoped that the re-assembled documents would shed further light on the Stasi and its deeper secrets. But it was calculated that it would take 700 years to deal with all the scraps of paper by hand. A computerized approach was devised by the Fraunhofer Institute, best-known for devising the MP3 format, and implemented following a pilot project. After some initial successes, the program has run into problems, as the Guardian reports:

A so-called ePuzzler, working with an algorithm developed by the Fraunhofer Institute and costing about €8m of [German] federal funds, has managed to digitally reassemble about 91,000 pages since 2013. However, it has recently run into trouble.

For the last two years, the Stasi records agency has been waiting for engineers to develop more advanced hardware that can scan in smaller snippets, some of which are only the size of a fingernail.

The ePuzzler works by matching up types of paper stock, typewriter fonts, or the outline of the torn-up page. It has struggled with hand-written files that were folded before being torn, leaving several snippets with near-identical outlines.

While the hardware engineers try to come up with a suitable scanner that can handle these tiny fragments, a small team continues to match up the more crudely ripped pages manually. Inevitably, some people will be thinking: "If only the Stasi had used blockchain, all these problems could have been avoided..."


Posted on Techdirt - 8 January 2018 @ 12:03pm

Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8

from the Aadhaar-admin-accounts-also-available-on-request dept

We've been writing about the world's largest biometric database, India's Aadhaar, since July 2015. Over 1.1 billion people have now been enrolled, and assigned an Aadhaar number and card, which represents 99.9% of India's adult population. There are currently around 40 million authentications every day, a number that will rise as Aadhaar becomes inescapable for every aspect of daily life in India, assuming it survives legal challenges. That scale necessarily entails a huge infrastructure to handle enrollment and authentication. So it will come as no surprise to Techdirt readers that it turns out you can obtain unauthorized access to the Aadhaar system very easily, and for very little cost. As the Indian newspaper The Tribune revealed:

It took just Rs 500 [about $8], paid through Paytm [an Indian online payment system], and 10 minutes in which an "agent" of the group running the racket created a "gateway" for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300 [$4.75], for which the agent provided "software" that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news, and led to some breathless damage limitation by the Indian authorities on Twitter. The UIDAI explained that: "Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details"; and: "There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometric". Although it may be true that this is not a biometric data breach, it nonetheless reveals a serious vulnerability in the system's design, and on a vast scale. According to the original article in The Tribune, more than 100,000 "village-level enterprise operators", hired to help with Aadhaar enrollment, have been offering this kind of unauthorized access to the database. In fact, the problem seems to be even more serious than simply providing login credentials to thousands of people. Here's what another Indian site discovered:

Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that's not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters -- the Aadhaar database won't ask.

Even if biometric data is not involved, it's hard to see how UIDAI could claim that these aren't breaches of the database, or deny that the entire Aadhaar system is seriously compromised. It's almost inevitable that the security of an important database system will be defeated eventually in some way, since the rewards are by definition so high. The fundamental problem with Aadhaar is its underlying intent -- to create a single, giant database with key personal information about a billion people that can be accessed very frequently and very widely. That's never going to be safe, as the inevitable future breaches will confirm.


Posted on Techdirt - 4 January 2018 @ 10:45am

China Plans To Turn Country's Most Popular App, WeChat, Into An Official ID System

from the won't-that-be-convenient? dept

In one respect at least, China's embrace of digital technology is far deeper and arguably more advanced than that of the West. Mobile phones are not only ubiquitous, but they are routinely used for just about every kind of daily transaction, especially for those involving digital payments. At the heart of that ecosystem sits Tencent's WeChat program, which has around a billion users in China. It has evolved from a simple chat application to a complete platform running hugely popular apps that are now an essential part of everyday life for most Chinese citizens. The centrality of WeChat makes the following move, reported here by the South China Morning Post, entirely logical:

The government of Guangzhou, capital of the southern coastal province of Guangdong, started on Monday a pilot programme that creates a virtual ID card, which serves the same purpose as the traditional state-issued ID cards, through the WeChat accounts of registered users in the city's Nansha district, according to a report by state news agency Xinhua.

It said that the trial will soon cover the entire province and further expand across the country from January next year.

The Wall Street Journal has some details of how people register:

Under the pilot program, funded by the National Development and Reform Commission, people create a basic identity card by scanning an image of their face into a WeChat mini program, reading aloud four numbers that pop up on the screen and entering their identification number as well as other information.

It obviously makes a lot of sense to use the WeChat platform to provide a virtual identity card. It's convenient for users who already turn to WeChat apps to handle most aspects of their lives. It means they don't need to carry around a physical ID card, but can let the software handle the necessary authentication when needed. That's also good news for businesses that want to confirm a person's identity.

But it's also an extremely powerful way for the Chinese government to implement its real-name policy for online activities, something that it has so far failed to push through. It will mean that the daily posts and transactions carried out using a mobile will not only be available to the Chinese authorities, but will be unambiguously linked to an individual once such digital IDs become obligatory for WeChat users, as they surely will. That, in its turn, will be very handy for implementing the proposed "citizen score" framework. Once this has been rolled out nationwide, it will form one of the most effective means of control available to the Chinese government, especially if combined with a similarly comprehensive plan to collect everyone's DNA.


Posted on Free Speech - 3 January 2018 @ 7:50pm

Revealed: Vietnam's 10,000-Strong Internet Monitoring Force, Tasked With Stamping Out 'Wrongful Views'

from the whatever-happened-to-occupying-the-moral-high-ground? dept

Over the years, Techdirt has published quite a few stories about Vietnam's moves to stifle dissent online. On Christmas Day, Colonel General Nguyen Trong Nghia, deputy chairman of the General Political Department of the People's Army of Vietnam, revealed that the country had secretly created a massive Internet monitoring unit called "Force 47":

Nghia said the special force tasked with combating wrongful information and anti-state propaganda is called the Force 47, named after Directive No. 47 that governs its foundation.

The team currently has more than 10,000 members, who are "the core fighters" in cyberspace.

The three-star general underlined that members of this team are "red and competent," implying that they have both technology expertise and good political ideals in addition to personality.

As Tuoi Tre News reports, Force 47 is tasked with fighting "wrongful views". Bloomberg points out some recent moves by the Vietnamese authorities to police the online world:

Facebook this year removed 159 accounts at Vietnam's behest, while YouTube took down 4,500 videos, or 90 percent of what the government requested, according to VietnamNet news, which cited Minister of Information and Communications Truong Minh Tuan last week. The National Assembly is debating a cybersecurity bill that would require technology companies to store certain data on servers in the country.

The Wall Street Journal notes that heavy sentences have been imposed on people for using the Internet to spread some of those "wrongful views":

In recent months, the country has increased the penalties for anyone using Facebook as a platform to attack the government. In November, a young blogger was given a seven-year prison sentence for "spreading propaganda against the state," while a well-known environmentalist, Nguyen Ngoc Nhu Quynh, was handed a 10-year sentence on the same charges in June.

Vietnam is hardly alone in wanting to censor online content on a massive scale. As well as the obvious example of China, Germany, too, now requires Internet companies to delete "hate speech". In addition, the UK is threatening to impose tax penalties on companies that don't take down "extremist" material. In order to meet these global demands for rapid and even pre-emptive removal of material, the leading online companies are taking on thousands of people as in-house censors. Both Google and Facebook have promised to increase their "safety" teams to 20,000 people. Against that background, it's hard for the West to condemn Vietnam's latest moves without appearing hypocritical.


Posted on Techdirt - 26 December 2017 @ 7:34pm

Germany Accuses Chinese Intelligence Services Of Using Fake LinkedIn Profiles To Recruit Informants And Extract Sensitive Information

from the well,-of-course-it's-not-just-Russia dept

Over the last year, the scale of Russia's disinformation activities has become clearer. Its Internet Research Agency has deployed an astonishing range of sophisticated techniques, including accounts on Twitter and Facebook, and hiring activists within the US without the latter being aware they were working for the Russian government. We also now know that the same organization has been buying Facebook ads on a large scale that were seen by over a hundred million US citizens. But it would be naïve to think that Russia is the only foreign power engaged in this kind of activity. In fact, it would be surprising if any intelligence agency worth its salt were not carrying out similar activities around the globe. The first detailed information about China's use of fake social media accounts to recruit informants and extract sensitive information has just been published by the Bundesamt für Verfassungsschutz (BfV), Germany's domestic intelligence service. As Reuters reports:

Nine months of research had found that more than 10,000 German citizens had been contacted on the LinkedIn professional networking site by fake profiles disguised as headhunters, consultants, think-tankers or scholars, the BfV said.

Quartz quotes the BfV's president, Hans-Georg Maaßen, as saying:

"We are dealing with a broad attempt to infiltrate parliaments, ministries and administrations," said Maaßen. "Chinese intelligence services are using new strategies of attack in the digital space."

An interim report on the analysis that appeared on the BfV site in July (original in German) explains how the Chinese operated. The supposed headhunters, scholars and Chinese officials claimed that they were interested in the specialism of the person being approached. They inquired about a possible exchange of professional views on the topic, and spoke of an "important customer" in China:

the Chinese contact persons ask those involved for a curriculum vitae and offer to pay for a trial project. If this is completed satisfactorily, an invitation is made to go to China to meet with the "important customer", with the costs of the stay being covered by the Chinese side. In fact, however, the "important customer" never appears and is not explicitly named. In due course, the persons involved are usually asked regularly to write reports in return for appropriate remuneration, or to pass on internal, sensitive information from the respective work area.

As part of its report, the BfV published a selection of the fake profiles. Reuters explains:

Many of the profile pictures show stylish and visually appealing young men and women. The picture of "Laeticia Chen", a manager at the "China Center of International Politics and Economy" was nicked from an online fashion catalogue, an official said.

The Chinese Foreign Ministry spokesman Lu Kang was, of course, shocked by the accusations, which he called "baseless":

"We hope the relevant German organizations, particularly government departments, can speak and act more responsibly, and not do things that are not beneficial to the development of bilateral relations," Lu said.

The implicit threat there chimes with two other stories about China that Techdirt published last month. In one of them, the Chinese authorities put pressure on the academic publisher Springer Nature to censor thousands of papers that dealt with topics that showed China in a less than flattering light. Similarly, Allen & Unwin was "persuaded" by the Chinese authorities not to publish a book about China's growing but covert influence in Australia. The row between Australia and China has since escalated further. The latter denounced remarks by Australian politicians as being "full of prejudices against China", and lodged a formal protest. Taken with the latest news of China's attempts to recruit informants using social media, these recent events are evidence of a newly aggressive China on the world scene -- and of what The Economist calls China's "sharp power".


Posted on Techdirt - 26 December 2017 @ 3:16am

British Military Chief Warns Russia Could Cut NATO's Internet Connections, As Traffic For World's Top Sites Is Mysteriously Routed Via...Russia

from the probably-just-a-coincidence dept

We recently wrote about an interesting comment from Vladimir Putin's Press Secretary that Russia had no intention of cutting itself off from the rest of the Internet. But there's another side to the disconnection story, as this Guardian news item reveals:

Russia could pose a major threat to the UK and other Nato nations by cutting underwater cables essential for international commerce and the internet, the chief of the British defence staff, Sir Stuart Peach, has warned.

Russian ships have been regularly spotted close to the Atlantic cables that carry communications between the US and Europe and elsewhere around the world.

In other words, although Russia says it won't cut itself off from the Internet, it could probably cut off many NATO countries. A new report, entitled "Undersea Cables: Indispensable, insecure", emphasizes the importance and vulnerability of the underwater cables that provide much of the Internet's global wiring:

97% of global communications and $10 trillion in daily financial transactions are transmitted not by satellites in the skies, but by cables lying deep beneath the ocean. Undersea cables are the indispensable infrastructure of our time, essential to our modern life and digital economy, yet they are inadequately protected and highly vulnerable to attack at sea and on land, from both hostile states and terrorists.

US intelligence officials have spoken of Russian submarines "aggressively operating" near Atlantic cables as part of its broader interest in unconventional methods of warfare. When Russia annexed Crimea, one of its first moves was to sever the main cable connection to the outside world.

And if there were any doubts that Russia is very interested in the world's Internet connectivity, this recent event may help to clarify things:

Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said was suspicious and intentional.

As another story in Ars Technica reported, this is not the first time important traffic has been mysteriously routed through Russia:

large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

These events are a reminder that the online world depends on technologies where trust is an important element. That approach is now looking increasingly shaky as nation states wage attacks not just by means of the Internet, but even against it. This may explain why Russia says it wants alternative DNS servers for the BRICS nations: they could come in quite handy if -- by any chance -- the rest of the Internet goes down.


Posted on Techdirt - 21 December 2017 @ 3:30pm

Top EU Court Says Uber Is A Transport Service That Can Be Regulated Like Traditional Taxis

from the if-it-looks-like-a-duck,-swims-like-a-duck,-and-quacks-like-a-duck,-then-it-prob dept

Uber is a company that provokes strong emotions, as numerous stories on Techdirt indicate. Uber has been involved in some pretty bad situations, including inappropriate behavior, special apps to hide from regulators, and massive leaks of customer information. Despite this, it is undeniable that millions of people around the world love the convenience and competitive pricing of its service.

Equally, traditional taxi services dislike it for the way Uber flouts transport regulations that they obey, which is fair enough, and hate it for the way Uber challenges their often lazy monopolies, which is not. This has led to some appalling violence in some countries, as well as numerous legal actions. One of those, instituted by a professional taxi drivers' association in Spain, has resulted in a case before the EU's highest court (pdf), the Court of Justice of the European Union (CJEU), which has just ruled as follows:

the Court declares that an intermediation service such as that at issue in the main proceedings, the purpose of which is to connect, by means of a smartphone application and for remuneration, non-professional drivers using their own vehicle with persons who wish to make urban journeys, must be regarded as being inherently linked to a transport service and, accordingly, must be classified as 'a service in the field of transport' within the meaning of EU law.

The CJEU's reasoning was that Uber is more than a simple intermediation service. Its smartphone app is "indispensable" for the process of agreeing to deals between the driver and the customer, and Uber exercises "decisive influence over the conditions under which the drivers provide their service." As a result, the CJEU ruled that Uber is not "an information society service", but a "service in the field of transport", and may therefore be regulated just like traditional taxi services.

In practice, this means that Uber will be able to operate in the EU, but will be unable to continue with its swashbuckling approach that has seen it ignore many traditional requirements for taxi services. That result will be important for its knock-on effect on other services offered as part of the so-called "sharing economy". In fact, these are better described as new kinds of rental services, and like Uber they have often skirted around existing laws that cover their field of operation. The CJEU ruling, which can't be appealed, is likely to mean that other companies using online technology to provide such services will also need to obey relevant EU laws.


Posted on Techdirt - 21 December 2017 @ 3:23am

Facebook's Collection And Use Of Data From Third-Party Sources Is 'Abusive', Says Germany's Competition Authority

from the informational-self-determination dept

As Techdirt has reported previously, Facebook is having various problems in the European Union because of the region's privacy laws. It turns out that data protection is not the only area where it is coming under scrutiny. Germany's competition authority, the Bundeskartellamt, has just made a preliminary assessment that Facebook's data collection is "abusive":

the authority assumes that Facebook is dominant on the German market for social networks. The authority holds the view that Facebook is abusing this dominant position by making the use of its social network conditional on its being allowed to limitlessly amass every kind of data generated by using third-party websites and merge it with the user's Facebook account. These third-party sites include firstly services owned by Facebook such as WhatsApp or Instagram, and secondly websites and apps of other operators with embedded Facebook APIs.

This is not about privacy, then, but about Facebook's alleged abuse of its dominant position in the German market. The German competition authority is not worried about Facebook's use of personal data gathered directly on its own sites -- not yet, at least -- but about the way in which data is transmitted back to Facebook from third-party sites, as a detailed background document (pdf) explains:

The current proceeding examines the terms and conditions Facebook is enforcing with regard to data from third party sources. These are on the one hand data generated by the use of services owned by Facebook, such as WhatsApp or Instagram, and on the other data generated by the use of third party websites and apps. If a third-party website has embedded Facebook products such as the 'like' button or a 'Facebook login' option or analytical services such as 'Facebook Analytics', data will be transmitted to Facebook via APIs the moment the user calls up that third party's website for the first time. These data can be merged with data from the user's Facebook account, even if the user has blocked web tracking in his browser or device settings. In the authority's preliminary assessment, Facebook's terms and conditions in this regard are neither justified under data protection principles nor are they appropriate under competition law standards.

The detailed analysis from the German competition authority makes an interesting point about the nature of Facebook's business model, and the fact that its users have no choice about accepting its terms and conditions:

Facebook offers its service for free. Its users therefore do not suffer a direct financial loss from the fact that Facebook uses exploitative business terms. The damage for the users lies in a loss of control: they are no longer able to control how their personal data are used. Facebook's users are oblivious as to which data from which sources are being merged to develop a detailed profile of them and their online activities. On account of the merging of the data, individual data gain a significance the user cannot foresee. Because of Facebook's market power users have no option to avoid the merging of their data, either. Facebook's merging of the data thus also constitutes a violation of the users' constitutionally protected right to informational self-determination.

The competition authority's finding is preliminary: Facebook now has the opportunity "to comment on the allegations and provide justification for its conduct or offer possible solutions." The company has already responded with a blog post by Yvonne Cunnane, Head of Data Protection, Facebook Ireland, in which she writes:

Although Facebook is popular in Germany, we are not dominant. We're just one part of how people interact, and we must constantly innovate to ensure we're meeting people’s expectations -- from designing new features to improving reliability to giving people better controls over their experience on Facebook. If we fail, people will go elsewhere -- as history has shown with other technology services over the years.

This is a crucially important battle for Facebook. If the German competition authority issues a final ruling next year that Facebook is abusing its dominant position through its use of data from third parties, it could order the US company to cease aggregating data in this way. That would be a major blow to Facebook's current business model, in Europe at least, since it is likely that other competition authorities there would take the same line. Facebook derives much of its power as an advertising medium from the vast quantities of data gathered from all around the Web that it collects and uses for profiling.

As if Facebook did not have enough problems in the EU, France's data protection agency has just ordered WhatsApp to stop sharing user data with its parent company, or face fines. Although these would be small under current legislation, once the EU's new General Data Protection Regulation comes into force next year, they could be up to 4% of Facebook's global turnover.


Posted on Techdirt - 19 December 2017 @ 3:23am

Russia Threatens To Ban YouTube And Twitter, But Probably Won't Try

from the VPN-crackdown?-what-VPN-crackdown? dept

Last year, the Russian authorities ordered LinkedIn to be blocked in the country, supposedly for failing to store personal data locally. Since other US companies like Google and Facebook had also ignored this data localization requirement, it was curious that only LinkedIn was affected. Now the German news site Deutsche Welle is reporting that Twitter and YouTube risk being locked out of Russia, but for quite different reasons. These involve Mikhail Khodorkovsky, once the wealthiest person in Russia, and a long-time vocal opponent of President Putin. Khodorkovsky spent a number of years in prison, allegedly for fraud and embezzlement. He now lives outside Russia, and has set up the NGO Open Russia, which promotes democracy and human rights in Russia.

Open Russia was put on the official list of "undesirable organizations" in April of this year. The Russian government has shut down Open Russia's web site, and now it is demanding that the NGO's presence on social media be deleted as well. Roskomnadzor, the country's media regulatory agency, gave YouTube and Twitter a deadline to delete Open Russia's accounts on their services, or be blocked entirely. The deadline has now passed, but the accounts are still accessible within Russia. The question is: what happens now?

If Twitter and Google continue to refuse to delete the accounts, the Russian authorities could try to block them individually. That wouldn't be easy, so the government might simply order the whole of Twitter and YouTube to be blocked. After all, that is what it did with LinkedIn. However, the local experts interviewed by Deutsche Welle point out that LinkedIn was never very popular in Russia, so its loss passed largely unnoticed. Shutting down Twitter and YouTube would be a different matter, and would probably cause widespread online protests -- something the authorities would be keen to avoid.

In any case, users could use proxies, VPNs, and Tor to circumvent such blocks. It's true that Russia has brought in a law that gives the authorities the power to order those kinds of services to block access to particular sites, or be shut down. But the Deutsche Welle post contains the following information about what is actually happening on the ground:

The Russian government has already limited the use of such [circumvention] tools. But [Russian reporter and blogger Alexandr] Plushev pointed out that is just a formality. "They have declared about seven VPNs illegal but there are tens of thousands of them to be found online," he said. "Both the Tor and Opera browsers allow you to get around such blocks."

That's an indication that the latest threats to block Twitter and YouTube may not amount to much in practice, and are designed more as a warning of what the Russian authorities could do at some point, rather than what they will do immediately. The fact that Russia will be holding a presidential election next March, in which Vladimir Putin is standing, and presumably expects to win, may be a factor here.


Posted on Techdirt - 18 December 2017 @ 3:23am

China Is Building The Ultimate Surveillance Tool: A DNA Database Of Every Adult Resident In Troubled Xinjiang Region

from the purely-for-scientific-decision-making,-of-course dept

It's no secret that the two regions most affected by China's strict controls are Tibet and Xinjiang, the vast and troubled Western region where the Turkic-speaking Uyghurs form the largest ethnic group. Earlier this year, we wrote about one fairly extreme surveillance technique in Xinjiang: a requirement for every vehicle there to be fitted with a tracking device. Now Human Rights Watch reports that an even more intrusive surveillance measure is being implemented for the region's 24 million inhabitants:

Chinese authorities in Xinjiang are collecting DNA samples, fingerprints, iris scans, and blood types of all residents in the region between the age of 12 and 65, Human Rights Watch said today. This campaign significantly expands authorities' collection of biodata beyond previous government efforts in the region, which only required all passport applicants in Xinjiang to supply biometrics.

For so-called "focus personnel" -- those individuals that the authorities consider a threat to political stability -- the biometrics will be taken from everyone in their family, regardless of age. Here's what all that highly-personal information from the "Population Registration Program" will be used for, according to the Chinese government:

Authorities state that the Population Registration Program is meant for "scientific decision-making" that promotes poverty alleviation, better management, and "social stability." Authorities have offered the annual Physicals for All program since 2016, characterizing it as a benefit for the relatively economically poor region. The program's stated goals are to improve the service delivery of health authorities, to screen and detect for major diseases, and to establish digital health records for all residents. Press reports about Physicals for All include testimonies from participants describing how they received treatments for previously undiagnosed illnesses, and in some cases saving their lives.

Who could possibly object to such a well-intentioned health initiative? But as Human Rights Watch emphasizes:

Coercing people to give blood samples, or taking blood samples without informed consent or justification can violate an individual's privacy, dignity, and right to bodily integrity; it can also in some circumstances constitute degrading treatment. Compelled DNA sampling of an entire region or population for purposes of security maintenance is a serious human rights violation in that it cannot be justified as necessary or proportionate.

It would be naïve to think that the authorities won't use this massive DNA database to increase their surveillance of the Uyghur population. DNA is the ultimate identity number. It is present in nearly every cell in the body; it is difficult to change in a non-random way unless you have lots of money and top-flight CRISPR scientists at your disposal -- unlikely in the case of Xinjiang residents; and we leave it everywhere we go, and on everything we touch. DNA also has the virtue -- for the authorities -- that it provides information about related individuals, since they all have some of their genetic code in common. That means it would be possible to determine everyone in the close family of someone under investigation by finding related DNA sequences. It's the kind of information that could be abused by the police in multiple ways.

As well as concerns about the human rights of Uyghurs being harmed, another issue is that Xinjiang's Population Registration Program may be used as a trial before rolling out DNA collection to the entire Chinese adult population, just as is happening with a national facial recognition database. Although such a large-scale genetic database would have been infeasible a few years ago, advances in sequencing and dramatic falls in data storage and processing costs mean that it could probably be built now. And if China goes down this route, the fear has to be that other countries will follow, just as they are doing in the realm of online surveillance.


Posted on Free Speech - 14 December 2017 @ 3:33am

Australian Government Wants To Punish Whistleblowers And Journalists Who Leak Classified Documents With Up To 20 Years In Prison

from the maybe-they-haven't-heard-about-this-internet-thing dept

Whistleblowing stories have become something of a commonplace, as a stream of Techdirt posts attests. Some leaks offer massive revelations, like the documents released by Chelsea Manning, or Edward Snowden. Others are smaller scale, but expose unsuspected activities that powerful people were trying to keep in the shadows. Here, for example, is a recent leak published in the Guardian about big companies spying on law-abiding organizations that dare to disagree with them:

They shine a rare light on a habitually secretive industry in which large firms hire covert operatives to monitor and infiltrate political groups that object to their commercial activities. At a premium is advance information, tipping off the firms about protests that are being organised against them.

As the Snowden files proved, leaks about government activities can have particularly important knock-on consequences in terms of improving the balance of power between citizens and their supposed representatives. Perhaps because of that effect, the Australian government plans to bring in new laws that could see whistleblowers jailed for 20 years:

Australian government and intelligence whistleblowers -- and potentially even journalists -- may face up to 20 years in jail for disclosing classified information, under the most sweeping changes to the country's secrecy laws since they were introduced.

BuzzFeed reports the legislation will be extremely broad:

The new laws will apply to anyone, not just government officials. They could easily apply to journalists and organisations like WikiLeaks that "communicate" or "deal" with information, instead of just government officials. They will also close a longstanding gap around contractors working on behalf of government agencies, who will also be subject to the new offences.

The good news is:

Journalists will have a defence available to them if publication of information is considered to be in the public interest and is "in the person’s capacity as a journalist engaged in fair and accurate reporting".

But the bad news is the onus will be on journalists to show that they satisfy those conditions -- likely to be expensive and maybe even impossible. Despite that issue, it seems doubtful that the new law will have much impact on leaking. After all, most whistleblowers know and accept that they are taking a risk when they release sensitive material, but have already decided it is worth it. Manning and Snowden were not deterred by the threat of extremely serious penalties, and there will always be people brave enough to follow in their footsteps, whatever the consequences.

As far as news organizations are concerned, while it is true that Australian titles may think twice before publishing leaked government documents, there are plenty of other outlets around the world that won't. Even if other newspapers are reluctant to risk the wrath of the Australian government -- perhaps because they have offices and journalists in the country that would be vulnerable to retaliation -- it is easy to set up a dedicated site for the leaks, and then use social media to spread the word. That's essentially what WikiLeaks does, and it is unlikely to take any notice of the new law either.

If the Australian government -- or indeed any government -- wants to reduce leaks it should place as much information as possible in the public domain, and seek to protect only the extremely sensitive stuff. Trying to enforce excessive and unnecessary secrecy with manifestly vindictive punishments simply undermines people's respect for the whole system, and probably provokes even more whistleblowers to leak.


Posted on Techdirt - 13 December 2017 @ 7:55pm

If You Are Going To Worry About Bitcoin's Energy Consumption, Worry About Server Farms Too -- For More Than One Reason

from the terawatts-up? dept

Bitcoin has been much in the public eye recently. Most of the attention has been focused on the extraordinary rise in its price as measured against traditional currencies. But another aspect that has been exercising people is its energy usage, as a post on the Digiconomist site explains:

The continuous block mining cycle incentivizes people all over the world to mine Bitcoin. As mining can provide a solid stream of revenue, people are very willing to run power-hungry machines to get a piece of it. Over the years this has caused the total energy consumption of the Bitcoin network to grow to epic proportions, as the price of the currency reached new highs. The entire Bitcoin network now consumes more energy than a number of countries, based on a report published by the International Energy Agency.

Currently, the country closest to Bitcoin in terms of electricity consumption, expected to be around 32 terawatt-hours this year, is Denmark. Some are predicting that by 2020, the Bitcoin system will use as much electricity as the entire world does today. Others aren't so sure. Here's Ars Technica:

When Bitcoin launched in 2009, each block came with a 50-bitcoin reward for the miner who created it. This figure is scheduled to fall by half every four years. It fell to 25 bitcoins in 2012 and 12.5 bitcoins in 2016. The reward will fall again to 6.25 bitcoins in 2020. When the mining industry's revenue falls by half, its energy consumption should fall by the same proportion, since, if it didn't fall, mining would become an unprofitable activity.

In any case, a new article in the Guardian reminds us that Bitcoin is just one part of a much larger energy consumption problem that the digital world needs to address:

The communications industry could use 20% of all the world's electricity by 2025, hampering attempts to meet climate change targets and straining grids as demand by power-hungry server farms storing digital data from billions of smartphones, tablets and internet-connected devices grows exponentially.

It doesn't really matter which of Bitcoin and the server farms will consume the most power in years to come -- clearly both will be large, and both will require efforts to increase the availability of low-cost renewable energy so as to minimize their environmental damage. But there's a fundamental way in which the two sectors differ.

Bitcoin is burning up the terawatts to carry out meaningless calculations in order to win the prize of the next cryptocurrency block. Server farms need power in order to store detailed records of everything we do online, or with our connected devices, alongside masses of Internet of Things data streams. Whatever it is doing, Bitcoin is certainly not threatening our privacy, and arguably is enhancing it. But loss of privacy is exactly the risk arising from the use of massive server farms around the world.

The main reason why they are being built is to hold unprecedented quantities of personal data that can be analyzed and the results sold in some way -- whether for advertising, or for other purposes. We constantly see stories about sensitive information being leaked on a massive scale, or legally acquired and then used in troubling ways. Alongside worthy concerns about the way that Bitcoin mining can degrade our physical world, we should worry more about how data mining can degrade our more personal space.


Posted on Techdirt - 11 December 2017 @ 7:40pm

Why Does China Love The 'Sharing Economy'? Not Because Of Communism...

from the if-you-rent-a-cheap-bike,-you-may-be-the-product dept

Something strange has been happening in China. People have been going nuts about bicycles. Specifically, investors have gone crazy over startups that allow people to rent bikes for a fraction of a dollar per hour, and then leave them anywhere, rather than only at special bike stations -- what is known as "dockless" bike-sharing. And now that sector is in trouble, as Bloomberg reports:

In the space of 18 months, dockless bike-sharing has become one of the hottest investment trends in China, with the two biggest players each having raised over $1 billion in venture funds, respectively. That money has funded a revolution on the traffic-choked streets of Chinese cities, giving urbanites a low-cost, carbon-free means to get around quickly. What it hasn't produced is a viable business model. A little over a year into China's bike-sharing boom, the industry's future looks precarious.

Given the extremely low margins, that's no surprise. What is more surprising is that billions of dollars have been invested in these startups, and in similar ones based on renting out everyday objects for short periods of time, letting people pay by using smartphones to scan in QR codes. Other examples include companies offering umbrellas, basketballs, refrigerators, luxury handbags, phone chargers, and even sex dolls (that one didn't last long). An illuminating article in the New York Times has a plausible explanation for China's fascination with the so-called "sharing economy", even though it has nothing to do with real sharing:

None of China's bike-sharing companies are turning a profit yet. But even as they fight for market share, the data is the destination. "Collecting data is the first goal of the sharing economy," says William Chou, the head of Deloitte's telecoms, media and technology practice in China. Every time consumers scan the QR code on a bicycle -- or basketball, handbag, umbrella -- they provide information about habits, locations, behaviors and payment histories. That's invaluable not just to [Chinese Internet giants] Tencent and Alibaba but also to city planners seeking precise information about where to build roads, bridges and subways.

In other words, these "sharing" services are conceptually similar to Facebook or Google: they are provided (nearly) free of charge, but you pay with detailed information about what you do. In the case of Facebook and Google, it's data about your online activities; for the "sharing economy", it's about what you do in the physical world. That's highly prized by companies that want to sell something to people. In China, it's also of great interest to someone else -- the government:

what happens as this data filters into China's new social-credit system, which promises to rate every individual by her financial, social and political worth? In fact, Beijing has authorized Tencent and Alibaba to conduct social-credit pilot testing, and their bikes serve as the perfect vehicles. There are no walls of privacy. The government has the ability to access company data, good or bad, faster than you can scan a QR code.

The ability of "sharing" companies to capture, and governments to access, highly-personal data is an important issue for potential customers in the West, which currently lags behind China in the uptake of these kinds of services. However convenient some of them seem, it's worth considering whether you may be paying more than just the attractively-low fees when you use them.


Posted on Techdirt - 8 December 2017 @ 7:39pm

Top EU Data Protection Body Asks US To Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court

from the please-don't-make-us-do-this dept

The Privacy Shield framework is key to allowing personal data to flow legally across the Atlantic from the EU to the US. As we've noted several times this year, there are a number of reasons to think that the EU's highest court, the Court of Justice of the European Union (CJEU), could reject Privacy Shield just as it threw out its predecessor, the Safe Harbor agreement. An obscure but influential advisory group of EU data protection officials has just issued its first annual review of Privacy Shield (pdf). Despite its polite, bureaucratic language, it's clear that the privacy experts are not happy with the lack of progress in dealing with problems pointed out by them previously. As the "Article 29 Data Protection Working Party" -- the WP29 for short -- explains:

Based on the concerns elaborated in its previous opinions ... the WP29 focused on the assessment of both the commercial aspects of the Privacy Shield and on the government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security, including the legal remedies available to EU citizens. The WP29 assessed whether these concerns have been solved and also whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.

As far as the commercial aspects of Privacy Shield are concerned, the WP29 is unhappy about a number of important "unresolved" issues such as "the lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers [of personal data] and on the rights and available recourse and remedies for data subjects." The issue of US government access to the personal data of EU citizens is even thornier. Although the WP29 welcomed efforts by the US government to become more "transparent on their use of their surveillance powers", the collection of and access to personal data for national security purposes under both section 702 of FISA and Executive Order 12333 were still a problem. On the former, WP29 suggests:

Instead of authorizing surveillance programs, section 702 should provide for precise targeting, along with the use of the criteria such as that of "reasonable suspicion", to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

As regards the Executive Order 12333, WP29 wants the Privacy and Civil Liberties Oversight Board (PCLOB) "to finish and issue its awaited report on EO 12333 to provide information on the concrete operation of this Executive Order and on its necessity and proportionality with regard to interferences brought to data protection in this context." That's likely to be a bit tricky, because the PCLOB is understaffed due to unfilled vacancies, and possibly moribund. In conclusion, the WP29 "acknowledges the progress of the Privacy Shield in comparison with the invalidated Safe Harbor Decision", but underlines that the EU group has "identified a number of significant concerns that need to be addressed by both the [European] Commission and the U.S. authorities." It spells out what will happen if they aren't sorted out:

In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.

That is, it will ask the EU's highest court to rule on the so-called "adequacy decision" of the European Commission, where it decided that Privacy Shield offered enough protection for EU personal data moving to the US. There's a clear implication that WP29 doubts the CJEU's ruling will be favorable unless all the changes it has requested are made soon. And without the Privacy Shield framework, it will be much harder to transfer personal data legally across the Atlantic. Moreover, the EU's data protection laws are about to become even more stringent next year, when the new General Data Protection Regulation (GDPR) is enforced. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover, which means even the biggest Internet companies will have a strong incentive to comply.


Posted on Techdirt - 8 December 2017 @ 1:23pm

Did A Non-Existent Eatery In A Shed Become TripAdvisor's Top-Rated Restaurant In London?

from the can-you-trust-anything-you-read-online-these-days? dept

A key feature of e-commerce sites is the reviews from people who have used them previously. Such recommendations or warnings are even more important online than in the physical world, because it is much easier to set up a virtual shop than a real one, which makes scams a far greater risk online. However, the enhanced importance of site reviews also increases the incentive to create false ones. A cautionary tale about just how misleading reviews can be is provided by an entertaining post on Vice. In it, the journalist Oobah Butler describes how he turned a non-existent eatery into TripAdvisor's top-rated London restaurant. Or at least that's what he claimed. We should admit, up front, that since this story is about faking stuff on the internet, we should at least be open to the idea that the story of this faked restaurant review might also be... fake.

Butler had the idea after earning money writing fake positive TripAdvisor reviews for restaurants he'd never been to. He started to wonder how many of the other positive reviews on TripAdvisor were similarly bogus. He idly considered whether it was possible for an entire restaurant to be fake -- that is, non-existent despite all the positive reviews. And then:

one day, sitting in the shed I live in, I had a revelation: within the current climate of misinformation, and society's willingness to believe absolute bullshit, maybe a fake restaurant is possible? Maybe it's exactly the kind of place that could be a hit?

In that moment, it became my mission. With the help of fake reviews, mystique and nonsense, I was going to do it: turn my shed into London's top-rated restaurant on TripAdvisor.

There was nothing particularly sophisticated about Butler's methodology: he simply used lots of fake positive reviews, posted by real people on different computers so as to fool TripAdvisor's anti-scammer tools, to drive up the venue's ranking. He bolstered the plausibility of "The Shed at Dulwich" by creating a Web site -- theshedatdulwich.com -- and a suitably pretentious menu:

Instead of meals, our menu is comprised of moods. You choose which fits your day, and our Chef interprets that. We can also tailor dishes for special occasions and at extra cost.

For example:

Contemplation

A deconstructed Aberdeen stew; all elements of the dish are served to the table as they would be in the process of cooking. Served with warm beef tea.

Butler included a few photos of dishes, still visible on the home page of the Web site. They look appetizing enough, but in his Vice post describing the project, he reveals that they are made out of things like bleach tablets, and plastic sponges covered in paint. One image shows a poached egg resting on a slice of bacon -- except that the bacon is actually Butler's naked foot.

The Shed started out in April this year with a TripAdvisor ranking of 18,149, the worst restaurant in London, according to the site. So Butler piled on the reviews, and watched his ranking rise. The phone began to ring: people wanted to reserve tables at this non-existent restaurant. Butler told them it was booked up for weeks. Emails begging for bookings arrived, as did job applications to work at the business, and free samples from companies in the food industry. After just a few months, The Shed at Dulwich became London's top-rated restaurant on TripAdvisor, with 89,000 search result views in a single day. As Butler writes in his Vice post:

A restaurant that doesn't exist is currently the highest ranked in one of the world’s biggest cities, on perhaps the internet's most trusted reviews site.

He then did two things. First, he told TripAdvisor that he had managed to game its ranking system completely. Here's TripAdvisor's reply:

"Generally, the only people who create fake restaurant listings are journalists in misguided attempts to test us," replies a representative via email. "As there is no incentive for anyone in the real world to create a fake restaurant it is not a problem we experience with our regular community -- therefore this 'test' is not a real world example."

Well, maybe it isn't a "real world example", but it still shows how unreliable an online review system can be. In the case of The Shed, it wasn't that a few of the opinions for the restaurant were bogus, but that every single one was, and that nonetheless the venue ended up as the top-rated eatery in London according to TripAdvisor. Not surprisingly, the restaurant's page has been removed from the service, but there's an archived version to give you an idea of what it looked like at the height of its fake glory.

The other action taken by Butler was that he opened The Shed for real. You can find out on Butler's Vice post what happened when customers were served microwaved ready meals, surrounded by actors at other tables loudly praising the food, and a DJ playing restaurant sounds in the background to create the right ambience. It's a great story, and a warning that we shouldn't take at face value what we find online -- or what we eat in the physical world. Assuming it's all true, of course....

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Posted on Techdirt - 8 December 2017 @ 3:22am

Russia Says Disconnecting From The Rest Of The Net 'Out Of The Question', But Wants Alternative DNS Servers For BRICS Nations

from the think-global,-act-local dept

At the start of the year, we wrote about a call for Russia to make its Internet infrastructure resistant to external attempts to shut it down, and able to work in isolation if need be. It looks like the authorities are moving ahead with the idea:

The Russian Security Council has asked the country's government to develop an independent internet infrastructure for BRICS nations, which would continue to work in the event of global internet malfunctions.

The RT news story has some details on how the BRICS subnet will work:

They decided that the problem should be addressed by creating a separate backup system of Domain Name Servers (DNS), which would not be subject to control by international organizations. This system would be used by countries of the BRICS bloc -- Brazil, Russia, India, China and South Africa.

The plan has evidently developed from a purely Russian intranet system to one that includes the other BRICS nations. Creating additional DNS servers will be easy, so there's no reason why it shouldn't happen -- not least because Putin has "personally set a deadline of August 1, 2018 for the completion of the task". Perhaps the most interesting aspect of the story is the following comment by Putin's Press Secretary, Dmitry Peskov:

"Russia’s disconnection from the global internet is of course out of the question," Peskov told the Interfax news agency. However, the official also emphasized that "recently, a fair share of unpredictability is present in the actions of our partners both in the US and the EU, and we [Russia] must be prepared for any turn of events."

That offers a pragmatic recognition that disconnection from the global Internet is no longer an option for a modern state, even if Iran begs to differ. It's true that local DNS servers provide resilience, but they also make it much easier for a government to limit access to foreign sites by ordering their IP addresses to be blocked -- surely another reason for the move.

This latest proposal is part of a long-running campaign by Russia to wrest control of key aspects of the Internet -- such as the DNS system -- from international bodies, for example during the ITU's World Conference on International Communications (WCIT) in 2012. Russia already had the support of other BRICS governments back then, which suggests they will back the new approach.


Posted on Techdirt - 7 December 2017 @ 7:48pm

UK Court Says Company Is Innocent In Massive Data Breach Caused By Vindictive Employee, But Must Nonetheless Pay Compensation

from the who-said-life-is-fair? dept

It's well known that the EU has laws offering relatively strong protection for personal data -- some companies say too strong. Possible support for that viewpoint comes from a new data protection case in the UK, which follows EU law, where the judge has come to a rather surprising conclusion. Details of the case can be found in a short post on the Panopticon blog, or in the court's 59-page judgment (pdf), but the basic facts are as follows.

In 2014, a file containing personal details of 99,998 employees of the UK supermarket chain Morrisons was posted on a file-sharing Web site. The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. Public links to the file were placed elsewhere, and copies of the data sent on a CD to three local newspapers, supposedly by someone who had found it on the Internet. In fact, all the copies originated from Andrew Skelton, a Senior IT Auditor in Morrisons, as later investigations discovered. According to the court, Skelton had a grudge against the company because of a disciplinary process that took place in 2013. As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison.

The current case was brought by some 5,500 employees named in the leaks, who sought compensation from Morrisons. There were two parts to the claim. One was that Morrisons was directly to blame, and the other that it had "vicarious liability" -- that is, liability for the actions or omissions of others. The UK judge found that Morrisons was not directly liable, since it had done everything it could to avoid personal data being leaked. However, as the Panopticon blog explains:

having concluded that Morrisons was entirely legally innocent in respect of Skelton's misuse of the data, the Judge held that it was nonetheless vicariously liable for Skelton's misdeeds

That is a legal bombshell as far as UK privacy law is concerned, since it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable for the actions of an employee, even a malicious one. That clearly offers an extremely easy -- if potentially self-damaging -- route for disgruntled employees who want to harm their employers. All they need to do is intentionally leak personal data, and the company they work for will have vicarious responsibility for the privacy breach. In fact, even the judge was worried by the implications of his own decision:

The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.

As a result, the judge granted leave for Morrisons to appeal against his judgment that it was vicariously liable. Hundreds of thousands of companies around the UK will now be hoping that a higher court, either nationally or even at the EU level, overturns the ruling, and sets a limit on those super-strong data protection laws.


Posted on Techdirt - 4 December 2017 @ 7:35pm

Top EU Privacy Campaigner Says He Wants Lots Of Money For 'None Of Your Business'

from the noyb-is-no-newb dept

We've just written about the Austrian privacy activist Max Schrems, and his continuing battle with Facebook. But it seems Schrems now wants to take things up a notch. He's hoping to found a new privacy organization called the "European Center for Digital Rights", with the domain name of noyb.eu - "none of your business":

The focus of noyb will be on commercial data processing by corporations. Corporate practices are rarely transparent. Internet users are commonly confronted with unlawful practices, agreements and terms and conditions. Their data is linked and sold behind the back of these consumers. Phenomena like big data, profiling and selective targeting are common practice today and will only grow in the future.

Noyb's weapon of choice will be a new EU privacy law:

In May 2018, the new EU General Data Protection Regulation (GDPR) comes into force. It includes massive improvements in the area of privacy enforcement for users. NGOs like noyb will be able to directly take actions for consumers with the relevant authorities and in court, e.g. through class action suits or strategic group action.

It's not all legal actions. Noyb also plans to publish guidelines and best practices to give advice to businesses on how to follow the new GDPR rules to avoid being sued. It also plans to create new digital tools for privacy complaints and privacy inquiries, as well as whistleblowing tools. In the short term, these are some possible goals (pdf):

TECHNICAL: Testing Environment for Apps. As an initial technical research project the organization could review the actual data use by the most popular smartphone apps and thereby develop a testing environment for consistent testing of apps. Existing research has, e.g., shown that some apps access GPS locations or contacts beyond what is strictly necessary for the function used [an important aspect of the GDPR]. The generated evidence could lead to rankings, complaints or legal procedures.

LEGAL: Smartphone Operating Systems. Apple and Google dominate the smartphone market. Their policies are based on a "take it or leave it" basis and allow these companies significant access to the most personal device of most consumers. Enforcement actions in this area could have a substantial impact in the daily life of almost every citizen.

By the end of 2018 noyb hopes to have achieved the following:

Cooperation with at least five major privacy NGOs, five consumer rights organizations, five universities or research institutions and five hacker institutions/spaces.

Basic network of lawyers at least in Austria, Germany, Ireland, Luxembourg and the US.

Support of 10 small external enforcement actions through the enforcement fund.

In the long-term, it has even more ambitious plans. For example, widening the scope of the noyb organization from privacy to other digital rights such as net neutrality, or related consumer rights, and to set up national NGOs in countries that currently lack local initiatives. Of course, this all requires money. Noyb estimates that it needs a minimum of €250,000 in the start-up period of 2018, while the regular operating costs will be around €500,000 per year. It is hoping a combination of sponsorship and crowdfunding will provide those amounts.

Raising money will probably be the organization's biggest challenge. After all, Schrems has shown more than once that he can take on the biggest Internet companies and win. As with those victories, it's important to note that the legal framework that noyb intends to use may be purely European, but the global nature of the Internet and the companies that serve it means the impacts of any successful legal actions are likely to be felt worldwide.
