HELLO and welcome to Connected Rights, a weekly newsletter about technology and your rights. My name’s David Meyer, and I’ve been reporting on this subject for over a decade now. This newsletter is in its early days and I’m still playing with the format, so please let me know what you like about it and what you’d like to see improved – your feedback is crucial to me. Also let me know if there’s something you’d like to see noted next week.
FACEBOOK’S HORRIFIC WEEK: The social network had an extraordinarily bad week in Europe, with the worst news coming today – the European Commission fined it a whopping €110 million for “providing incorrect or misleading information” when it bought WhatsApp in 2014. At the time, facing a merger probe, Facebook promised the Commission it wouldn’t be able to match users’ WhatsApp and Facebook accounts. Last year it did just that, without giving WhatsApp users a chance to opt out (though it did let them stop Facebook from using their WhatsApp data for ad-targeting and making friend suggestions, if they were lucky enough to find a less-than-obvious opt-out mechanism). According to the Commission, Facebook knew back in 2014 that it was technically possible to link the two types of accounts: http://bit.ly/2qUd8N0
– Italy hit WhatsApp with a €3 million fine last Friday, for forcing users to agree to letting Facebook suck up their data: http://reut.rs/2qwFJF4
– France’s privacy regulator, CNIL, fined Facebook €150,000 over the terms and privacy policies it introduced in 2014. The fine was for Facebook’s tracking of web users without their consent (the same issue that led to Belgian action in 2015) and its “massive compilation of personal data of internet users in order to display targeted advertising” (which is sort of Facebook’s core business): http://bit.ly/2qsQxWR. When CNIL began its investigation, €150,000 was the maximum fine it could levy; since then, the cap raised to €3 million, and the General Data Protection Regulation (GDPR) will allow fines of up to 4 percent of global turnover when it comes into effect next year.
– The Netherlands got Facebook to agree to stop targeting ads at people based on their sexual orientation: http://bit.ly/2qs76lf. The Dutch regulator has also decided that Facebook breaches national law by not telling users enough about how it uses their personal information.
– It’s not all bad news for Facebook though, as the Thai administration seems to have backed down on a threat to ban it over posts that break the country’s strict lèse majesté (insulting royalty) law, in particular a video that appears to show King Maha Vajiralongkorn wandering around in a yellow crop-top: http://bit.ly/2pWUBKU. Good news for Facebook, but it’s too soon to talk of a thaw in Thailand’s censorship. Human rights lawyer Anon Nampa is facing 150 years in jail for Facebook posts in which he reportedly urged people to push the boundary of the lèse majesté law: http://bit.ly/2rrpDN6
GERMAN HACKING: With elections round the corner, the German government has snuck in a last-minute amendment to its draft criminal code reforms, giving the police the ability to break into people’s smartphones and computers when investigating dozens of crime types. Getting around encryption seems to be the aim here, and the country’s opposition is livid. The government’s timing is exquisite, as last week’s catastrophic WannaCry ransomware epidemic was largely the result of US intelligence agents trying to maintain vulnerabilities in Windows so they could break into computers: http://zd.net/2rihwFx
– On the subject of encryption, US Senate staff can officially now use Signal, one of the most highly recommended encrypted messaging apps out there. The move was revealed to the public in a letter from Ron Wyden, a senator who has been vocal in supporting strong encryption. He also congratulated Senate staff for adding encryption to all member and committee websites. Wyden’s stance contrasts with efforts by other politicians – including his Democratic colleague Dianne Feinstein – to undermine strong encryption by mandating backdoors and other anti-security measures: http://bit.ly/2qrR8Yj. However, as someone asked on Twitter, might the secrecy of Signal use have an impact on subsequent freedom-of-information requests for the communications of staffers? http://bit.ly/2pLkrGK
BRITISH PRIVACY: Ahead of the general election next month, the Conservatives have generously promised to let people tell social media companies to delete the embarrassing stuff they posted when they were young: http://bbc.in/2qRTVLS. This is of course something that people will already be able to do under the GDPR, when it comes into effect next year. It’s good of the Tories to claim an EU policy, which will probably remain British law even after Brexit, as one of their own ideas.
– Speaking of elections, the UK’s privacy watchdog has opened a formal investigation into campaigners and parties’ use of people’s personal data as a way of winning their vote: http://bit.ly/2rqTFR8. The Information Commissioner’s probe will focus on last year’s Brexit referendum, but potentially other campaigns too. Did campaigners play dirty by exploiting people’s data in the referendum, in order to send targeted messages to individuals? The jury’s still out, but the Guardian‘s Carole Cadwalladr has recently been asking some fascinating questions about links between the pro-Brexit campaign and data-wrangling company Cambridge Analytica: http://bit.ly/2pORice
– British border police have charged human rights activist Muhammad Rabbani for refusing to hand over the passwords to his electronic devices: http://zd.net/2qwlr0m
– The use of British people’s health data by the Alphabet-owned DeepMind artificial intelligence company may not have been lawful, according to the UK government’s National Data Guardian: http://tcrn.ch/2qsS5Ak. DeepMind struck a deal with the National Health Service to build an app for detecting kidney problems, using the data of 1.6 million NHS patients. It didn’t tell the patients first, though. The Information Commissioner’s investigations continue.
UKRAINE BLOCKS: Ukraine has banned some of Russia’s biggest web services, including Google competitors Yandex and Mail.ru, and social networks Vkontakte and Odnolassniki. President Petro Poroshenko, who said he was shutting down his profile pages on the social networks, said the move was necessary to counter Russian “hybrid war” tactics. According to the Financial Times, “the move risks a backlash from the estimated 25 million Ukrainians who use the sites, which are the most popular in the country not owned by Google”: http://on.ft.com/2rrnpxm
GOOGLE MOSTLY REMEMBERS: Alphabet’s best-known property has evaluated 720,000 “right to be forgotten” requests in the EU over the last three years, it said Monday. That’s how long it’s been since the bloc’s highest court said search engines had to let people demand the de-listing of out-of-date information about them, as long as it wasn’t against the public interest to do so. As things turned out, Google ended up being the arbiter of what is and isn’t in the public interest, which is less than ideal. Anyhow, the company says it has only removed 43 percent of the two million links people asked to be taken down, which is less than I personally expected: http://bit.ly/2pWYzDz
CHELSEA MANNING, the former soldier who gave Wikileaks military secrets and spent seven years in jail before Barack Obama commuted her sentence, is finally free. “I am looking forward to so much!” she said in a statement shared by the American Civil Liberties Union. The secrets she leaked included video footage of the US military massacring civilians in Iraq: http://bbc.in/2retkbS
HP KEYLOGGER: A number of HP laptops have a feature that records everything their users type, password included. HP claimed that a “supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version”. For what it’s worth, the Swiss security company that found the feature, modzero, reckons HP wasn’t trying to spy on its users. However, HP should not be proud of the fact that the researchers couldn’t get a response out of it, when they tried to notify it of what they had found. A full list of the 28 affected models can be found on modzero’s site: http://bit.ly/2quLk1E
INTERNET HEROES AND VILLAINS: It’s that time of year again. The UK Internet Service Providers Association wants the public to nominate “internet heroes and villains” for an awards ceremony to be held in mid-July. ISP Review, which has the details you’ll need to send in your nominations, reckons Donald Trump might be villain of the year, or perhaps someone associated with the UK’s porn-censoring new Digital Economy Act: http://bit.ly/2qsGpxc