WELCOME to Connected Rights, your shot in the arm of digital rights news and analysis.
A slightly longer newsletter than usual today, but there’s a lot to discuss. Here goes…
THE EQUIFAX DATA LEAK is what can mostly politely be termed as an omnishambles. Hackers made off with the personal information of 143 million Americans, and data on a bunch of non-Americans too.
The credit rating agency had been repeatedly warned it had lousy security: http://bit.ly/2xuFyR7. After it found out about the hack, but before it told the public, top executives sold off shares in the company: http://for.tn/2eSw7PW. And when it gave people tools to check if they had been affected, those tools were also vulnerable: http://zd.net/2ffg0fQ. Oh, and Equifax also tried to get everyone using its safety-checking tools to automatically waive their rights to sue: http://bit.ly/2wYcW14
Equifax’s conduct has been so egregious that it has achieved the impossible: the White House *claims* (yes, I know) that it will now consider data protection laws: http://bit.ly/2xX2BjB. Indeed, as The New York Times‘s Farhad Manjoo spluttered, there is currently no way for the system to adequately punish the company: http://nyti.ms/2xjzNpp. Something’s got to give – or at least, it ought to.
Hang on, what about those non-Americans? In its mea culpa (http://bit.ly/2gLTNq0), Equifax noted that the hackers also got “limited personal information for certain UK and Canadian residents” and would work with regulators in those countries “to determine appropriate next steps”. The number of British people affected in the hack is reportedly a whopping 44 million – not direct Equifax customers, mind you, but customers of Equifax customers such as BT and British Gas: http://bit.ly/2gPUZw3
The company is extremely lucky that the EU General Data Protection Regulation (GDPR) hasn’t come into force yet, because the UK’s still in the EU for now, and the GDPR will hammer companies that are slack with personal data and don’t quickly tell customers when they’ve been affected in a serious way. As in fines of up to 4 percent of global annual turnover.
So, can Brits and Canadians use Equifax’s tools to see if they’ve been affected? Er, nope. You need a US Social Security number for that. Again, the GDPR would tear Equifax to pieces. US legislators, take note.
FACEBOOK’S “FAKE NEWS” PROBLEM isn’t leaving the headlines anytime soon. Last week, the company said it seemed a Russian troll farm had bought $100,000 worth of ads for “inauthentic accounts” between June 2015 and May 2017, with the ads trying to exacerbate social and political divides in the US: http://bit.ly/2gLbtFQ
Expert analysis showed these ads may have reached as many as 70 million people in America: http://thebea.st/2vKjMnO. Now some lawmakers are pushing for new regulations that would ensure transparency in digital political advertising: http://bit.ly/2jkuQqc. The Washington Post‘s Margaret Sullivan reckons Facebook-based disinformation definitely swayed the election: http://wapo.st/2eKqgMN. The New York Times calls it a “worldwide, internet-based assault on democracy”: http://nyti.ms/2gWnrwn
Now, let’s remember that – as with all Facebook advertising – this propaganda will have found its audience based on Facebook’s exploitation of their personal data: not just their location in the US, but also their political leanings and personal tastes, as expressed by their activity on the website and elsewhere. And on that subject…
FACEBOOK GOT A €1.2 MILLION FINE IN SPAIN for violating privacy laws. It’s the same story as usual, with data protection authorities hitting the company for (among other things) collecting sensitive data on people’s ideologies and beliefs without clearly telling them what it would do with this information, i.e. use it for ad-targeting: http://for.tn/2xgSTvt
Facebook’s counter-argument here is super-interesting. The company is trying to claim that it doesn’t target ads based on the sensitive information about sexuality and beliefs that people have consciously listed at the top of their profiles, but rather on the basis of people’s “likes”. In other words, Facebook would have us believe that the information it gleans from likes doesn’t constitute “sensitive personal data”. This is, to use the legal term, balderdash, and the Spanish privacy regulator doesn’t seem to have been convinced.
Good thing the EU has meaningful data protection laws (current and incoming) to punish companies for poorly protecting people’s data and exploiting their data in opaque ways. America! Over to you!
P.S. – TWITTER’S CO-FOUNDER SAYS THE WIDER MEDIA is far more to blame for Trump’s election than Twitter was: http://for.tn/2w85Wjx
Want to support this newsletter? There’s a Patreon page for that. Many thanks to those who are already contributing!
THE SOFTWARE THAT WILL BE USED IN THE GERMAN ELECTION – to tabulate votes, rather than for the voting itself – has been found to be riddled with holes. Here’s my piece for ZDNet: http://zd.net/2wWUggH
THE UK’S INVESTIGATORY POWERS ACT (a.k.a. the Snooper’s Charter) is finally going to be referred to the Court of Justice of the European Union in Luxembourg. The court will need to decide whether the law is legal: http://bit.ly/2h1KeTN
We can confidently predict that the court will find it is not legal, because this has happened before, again and again. The CJEU ruled in 2014 that the EU-wide Data Retention Directive was illegal, because it said countries had to force internet service providers to store all their customers’ web-surfing information. There was no targeting, so this was mass surveillance, so it was illegal.
The CJEU ruled last year that the UK Data Retention and Investigatory Powers Act (the current law’s short-lived predecessor) was illegal, for exactly the same reason. Ditto a similar law in Sweden. And now, seeing as the Investigatory Powers Act still has no targeting for the data retention it forces, it does not take a genius to figure out what the court will say.
However, when ruling that it needs to refer the matter to the CJEU, the UK Investigatory Powers Tribunal did something rather sneaky: it refused to push for a speedy process, so it is quite possible that the CJEU ruling will only come after Brexit. And who knows what sway the court will have over the UK at that point?
BUT LET’S NOT OVERDO THE PRAISE FOR THE EU. Here’s some analysis of where things are at with the EU’s copyright proposals, courtesy of EDRi (http://bit.ly/2gGiqEu) and Tilburg Law School’s Martin Huvosec (http://bit.ly/2jhnS55). Short version: the EU is quite likely to force internet platforms to install surveillance-tastic filters. Some jumping up and down may be in order here.
ANTI-MASS-SURVEILLANCE CRUSADER EDWARD SNOWDEN has given a very good interview to Der Spiegel, which has thankfully published it in English too: http://bit.ly/2xXLApH
There’s one nugget of new information (to me anyway) in there. When the German parliament conducted an extensive inquiry into state surveillance, prompted by Snowden’s leaks, they didn’t bring him in to provide testimony. They claimed this was because he demanded asylum in Germany as a condition. “It’s a lie,” says the man himself.
THE INTERNET GOT REALLY SLOW in Togo when people were demonstrating against the president. Weird, that: http://bbc.in/2eT7FOI
If you’d like me to write articles for you about digital rights issues, speak at your event or provide advice for your business, drop me an email at email@example.com.
TESLA DID SOMETHING NICE FOR CERTAIN CUSTOMERS who were trying to flee hurricane-stricken Florida, by delivering a software update that extended the driving range of their cars: http://bit.ly/2gZb7vm
Basically, when Tesla started selling the affected models, it offered a cheaper version with less driving range, but this didn’t involve installing smaller, cheaper batteries – it was an artificial limitation enforced by software. When Irma loomed, Tesla temporarily lifted the limitation so drivers could get the heck out of Florida.
A reminder, if it was needed, that when you buy internet-connected things – even expensive things like cars – the real control over them lies in the hands of the company that sold it to you, not to you, the “owner”.
AI CORNER: IBM’s Watson “artificial intelligence” is a lot less useful in oncology than the company’s marketing department has been making out: http://bit.ly/2xOq7QK
That study about how AI can tell if you’re gay or not by studying your face is also severely flawed. This breakdown uses the wonderfully damning term “AI phrenology”: http://bit.ly/2xW9qBX
Hackers can use AI to craft convincing phishing messages, and lots of them: http://bit.ly/2xXQqDo
Google is funding software to automatically write local news, thus making more human journalists redundant. Thanks Google! http://bit.ly/2uTSA5a