WELCOME to Connected Rights, your jam in the jar of digital rights news and analysis.
REMEMBER WHEN MARK ZUCKERBERG TOLD CONGRESS that “all of your information is included in ‘download your information'”, while trying to dodge questions over whether Facebook also collects browsing and other data from third parties, that aren’t included in such downloads?
Funny story: now Facebook is developing a tool called Clear History that, according to a company blog post, “will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward”. This refers to data from sites with embedded Like buttons and Facebook analytics tools. Browsing data, basically.
Apart from the fact that this contradicts Zuckerberg’s testimony, it also sounds like an opt-out where Facebook should really be offering an opt-in, at least if it wants to comply with the EU’s General Data Protection Regulation (GDPR). This looks like a court case in the making – unless Facebook changes its mind following the roundtables it’s holding on the tool’s development.
UK PARLIAMENTARIANS ARE LESS THAN GRUNTLED that Mark Zuckerberg sent a flunky to testify to them about Cambridge Analytica et al, especially as said flunky (CTO Mike Schroepfer) left dozens of questions unanswered. So now they’re threatening to issue the CEO with a formal summons the next time he steps onto British soil. Just testify already, Zuck.
Bonus fact: There are now more than three dozen class action lawsuits against Facebook in the U.S. over the Cambridge Analytica SNAFU.
THE GERMAN COURTS ARE GIVING FACEBOOK MORE HEADACHES, and this time the rest of the world should sit up and take notice too, as our old friend Jurisdictional Overreach may be coming to dinner again.
Quick recap: Germany forces Facebook and other big platforms to take down hate speech very quickly. The far right is fighting back, largely aided by lawyer Joachim Steinhöfel, who has already secured an injunction forcing Facebook to stop deleting an anti-immigrant comment that arguably stops just short of being outright hate speech.
Enter Alice Weidel, the co-leader of the far-right AfD party, whom someone insulted in a Facebook comment by calling her “Nazi filthy swine”. Represented by Steinhöfel, she has managed to get an injunction forcing Facebook not only to block the comment for users with German IP addresses (which Facebook has already done), but to also stop people in Germany from being able to view the comment at all, even if they’re using VPNs to see it via a foreign server.
The court did not spell out the technical aspects of fulfilling its injunction, but Facebook is worried that the only way to do so is to scrub the comment for users across the world. Remember the French privacy regulator CNIL telling Google it has to remove results globally in order to absolutely implement a French person’s right to be forgotten? The same principle may come into play here, and it’s hard to imagine Facebook won’t appeal as far as possible.
The Google/CNIL case has already gone all the way to the European Court of Justice. Speaking of which…
FACEBOOK TRIED AND FAILED TO DELAY THE IRISH HIGH COURT’S referral of Max Schrems’s (new) landmark case against it to the European Court of Justice. The case could scupper the EU-U.S. Privacy Shield data-sharing agreement, as well as the “standard contractual clauses” that Facebook and many other companies rely upon to send personal data across the Atlantic.
Facebook wanted the High Court to stay the referral so it could appeal the case up to Ireland’s Supreme Court. Its lawyers tried to argue that there’s an open question over whether the GDPR would render the case moot. The court was not impressed, and this morning it said the referral to the ECJ would go ahead as planned, as the risk to Europeans’ rights would be too great if there was a delay.
THE UK GOVERNMENT HAS BOTH WON AND LOST a High Court ruling over the data retention bits in the Snooper’s Charter, aka the Investigatory Powers Act. Campaigners at Liberty defeated the government on the issue of oversight and who gets to access people’s communications data – this part of the law will now need to be rewritten by November. However, the court decided that the data retention regime was not “general and indiscriminate”.
BRITISH PRIVACY ADVOCATES HAVE OFFICIALLY COMPLAINED about the cops being able to download the contents of people’s phones without a warrant – “people” here being not only criminal suspects, but also witnesses and even victims of crimes.
Privacy International says the practice is illegal. The Metropolitan Police, however, claim a 1984 law (the year, not the book, though actually…) allows them to “seize and examine this information”.
MORE CONFIRMATION THAT THE E-PRIVACY REGULATION is quite a way off – the German government says the EU Council presidency is planning a political debate on it in early June, and trilogue discussions between the EU institutions will only take place in the second half of this year.
The what now and who cares? I haven’t been writing a lot about the ePR, but it is important – a companion law to the GDPR that deals specifically with the privacy of electronic communications, which these days take in a lot more than previously. Think Internet of Things and so on.
The big question revolves around how much emphasis will be put on user consent. While the GDPR provides several potential legal bases for processing personal data, the ePR thus far only accepts consent, which a) doesn’t align very well with the GDPR, although the ePR will take precedence anytime there’s a clash, and b) is difficult to imagine in a world full of environmental sensors.
A lot of businesses are having to prepare for GDPR compliance in, ooh, three and a bit weeks, while not knowing whether their newly redesigned systems will also comply with the ePR or not. And they won’t know for a while yet. Reminder: the two laws were supposed to come into effect together. For a reason.
EUROPEAN PUBLISHERS ARE DEEPLY UNHAPPY WITH GOOGLE (surprise!) over the company’s way of complying with the GDPR. Google wants the publishers to get users’ consent for collecting their personal data when they visit the publishers’ sites – data that then informs Google’s advertising systems, so they can choose what ads to throw onto those webpages.
The publishers don’t like that Google wants affirmative consent in all cases, even though the GDPR could allow data collection for “legitimate interests” without requiring consent (a grey area, sure to be tested). They also claim Google’s tactics leave them, rather than Google, liable if things go wrong.
ICANN, THE BODY THAT RUNS THE INTERNET’S NAMESPACES, thought it could get a moratorium on compliance with the GDPR. It can’t, but why on earth did it think it could? The Register has more…
If you’d like me to write articles for you about digital rights issues, speak at your event or provide privacy advice for your business, drop me an email at email@example.com.
THE CHINESE AUTHORITIES CAN RECONSTRUCT deleted WeChat messages without permission from courts or the users involved, according to a post from an anti-corruption body (the post was, naturally, deleted after going viral).
This apparently happened in case back in March. Tencent, WeChat’s owner, denied placing a backdoor into the extremely popular messaging app, saying the authorities used tools designed to help users recover their own lost conversations. Signal it ain’t.
WHATSAPP CHIEF JAN KOUM IS LEAVING FACEBOOK, and there may be a troubling backstory to his decision. According to The Washington Post, Koum clashed with the Facebook top brass over the company’s inability to scour conversations on the app for tidbits that could help target advertising at users.
Another WhatsApp co-founder, Brian Acton, has already run away screaming, and is now funding Signal (whose end-to-end encryption protocol, also used in WhatsApp, is the issue here). Koum says he will continue cheering on WhatsApp from the sidelines, but for how long? And should users be worried about Facebook weakening WhatsApp’s security? On the latter point, it’s hard to imagine any big changes could be snuck in without people noticing, so keep ’em peeled…
US INVESTIGATORS TURNED TO A GENEALOGY WEBSITE to catch a serial murderer and rapist. They had the Golden State Killer’s DNA from a decades-old crime scene, and they compared it with the genetic information sent to a site by its customers – consumer DNA testing is popular these days. They found a partial match with the DNA of a customer: not the killer, but a relative. Once the match was ascertained, it was just a matter of scouring the customer’s family tree for people who potentially fit the bill, based on other clues.
Good that they got him, of course, but it’s a salutary reminder of the fact that, when sending a site your genetic information, you’re sending the genetic information of your relatives, too.