WELCOME to Connected Rights, your paddle up the creek of digital rights news and analysis.
THE WORLD OF FACEBOOK AND PRIVACY provides rich pickings this week. First up, we have the German federal cartel office signalling that it thinks the company has been breaking antitrust law with its privacy practices. The authority’s investigation is almost complete, and it’s set to make a formal decision later this year.
Antitrust and privacy? Yup. Facebook has a clearly dominant position in the social networking market and, according to the Bundeskartellamt, it abuses its monopoly by forcing people to accept terms and conditions that are difficult to understand and that allow Facebook to hoover up too much of their personal data: http://bit.ly/2todFp6
It looks like Facebook can be tackled in multiple ways for the same misbehaviour: through privacy law, obviously, but also through competition law and consumer rights law. Consumer watchdogs in Germany and Norway have recently been getting very active in suing tech firms over lengthy, impenetrable terms and conditions that make people sign away their privacy without being super-clear about what will happen to their data.
Staying in Germany, the government has rushed through a law that threatens Facebook and other social networks with fines of up to €50 million if they don’t remove posts containing illegal hate speech and “fake news” within 24 hours. As has been repeatedly noted, this will encourage Facebook & Friends to err towards removing content when they’re not quite sure if it should or shouldn’t be taken down: http://zd.net/2sLGtpg
On the positive side, this law no longer contains an element that it once did when in draft form: a mandate for social networks to install automated systems for spotting illegal speech so it can be automatically removed or even blocked from posting in the first place. That would put us firmly on the road to widespread speech suppression on Facebook, particularly as other countries would demand the mechanism be used to block what’s illegal in their jurisdictions too. Such a mandate would also be illegal under European law.
However, given that this sort of automation will probably end up the cheapest way for Facebook to comply with the law on removing illegal posts, for how long will it resist setting up such mechanisms?
Meanwhile in the US, Facebook has slipped off the hook for exactly the same behaviour that got it in trouble in several European countries in recent years: using its cookies to track people as they surf the web, even if they don’t want to be tracked. A Northern California district judge decided that plaintiffs suing Facebook didn’t prove that the tracking had harmed them or caused them loss, nor that they even had a reasonable expectation of privacy when surfing the web.
As The Register pointed out, Facebook is at the same time trying to overturn a government gag order that stops it telling users if their data has been demanded under warrant: http://bit.ly/2sovqmU. That’s a noble cause of course, but the overall picture does rather suggest that Facebook is only all about protecting your privacy when it’s someone else that’s doing the snooping.
THAT’S NOT A WARRANT, THIS IS A WARRANT: A single wiretap order in the US allowed authorities there to intercept and record more than three million phone conversations over two months. It was a drug case and the wiretap reportedly led to a dozen arrests but didn’t provide any incriminating evidence. It’s not clear how many people were caught up in the taps, but the case shows just how broad a warrant can be, and how much privacy can be compromised as a result: http://zd.net/2sahgpk
GOOGLE’S HEALTH DATA DEALS with National Health Service hospitals in the UK have come in for a lot of scrutiny. The big one was a deal with the Royal Free NHS Foundation Trust in London, which shared 1.6 million people’s health records with Google’s DeepMind artificial intelligence division in order to help develop an app for detecting kidney failure. It didn’t ask the patients for their permission first.
The UK’s privacy regulator delivered its long-awaited report on the arrangement this week, finding that Royal Free broke data protection law by not adequately telling patients what was happening with their data: http://bit.ly/2siRYp4. The trust will now have to “establish a proper legal basis” for the data sharing and work on being more transparent with patients.
However, an independent review commissioned by DeepMind found that DeepMind itself didn’t break the law. Although it wasn’t sufficiently transparent about the arrangement, the company didn’t break data protection law because it was only acting as the “processor” of the data, and the “controller of the data” – Royal Free – was the one that has more responsibility for doing right by the patients: http://bzfd.it/2tfDvgi
OVER IN AUSTRALIA, there are concerns about whether people will continue to trust the country’s national digital health record system, My Health Record, after it turned out that some of the data was showing up for sale on the “dark web”: http://ab.co/2snJSvj
A fifth of the country is already in this database, and those that haven’t yet signed up will automatically do so next year unless they opt out. Digital health records are certainly a good thing in theory, removing the need for duplication across hospitals and generally helping people get the proper treatment, but people need to trust these systems if they’re going to use them. Right now, it’s not clear whether this was anything more than a minor breach – a mere “traditional crime” rather than a “cyber incident”, according to the Australian human services minister, Alan Tudge. Let’s hope he’s right.
THE GOVERNMENTS OF THE “FIVE EYES” COUNTRIES – Australia, New Zealand, the UK, Canada and the US – should all defend strong encryption and stop trying to insert backdoors in private communications apps, according to a host of digital rights groups.
“Five Eyes” refers to a longstanding, secretive agreement between the countries to share intelligence between their agencies. They’re also countries that are considering messing with end-to-end encryption, in order to aid the fight against terrorism. I and others have gone into the arguments against this folly many times, but if you’d like to read the experts’ fresh pleas to our governments, here they are: http://bit.ly/2sLjJpw
IF YOU CAN’T PROTECT IT, DELETE IT. That seems to be the message from British pub chain Wetherspoons, which has taken the highly unusual step of deleting its database of over 650,000 customers’ email addresses: http://bit.ly/2tfWLKz
The company’s official line is that many people find promotional emails “intrusive” – Wetherspoons will now announce promotions on its website instead – but this is a company that suffered a major breach of its customer database back in 2015. With the EU’s incoming general data protection regulation threatening heavy fines for not keeping customers’ data secure, experts reckon the company has just decided its trove is more trouble than it’s worth.