WELCOME to Connected Rights, your toad in the hole of digital rights news and analysis.
Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website. Dayón!
Hey, this is the 50th edition of Connected Rights! I hope you’re enjoying it.
ONE PROBLEM WITH ONLINE PRIVACY is that there are no official standards for privacy-respecting services. That now looks set to change, as the International Standards Organisation has decided to develop a new standard for “consumer protection: privacy by design for consumer goods and services.”
As former Canadian privacy regulator Ann Cavoukian (the creator of the “privacy by design” concept) put it: “Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy. Prevention is needed.”
So at some point, consumers will be able to look at a product or service and demand to see that it conforms with this standard. The question now, of course, is what the standard will end up looking like.
According to ISO’s website, the technical committee working on the new standard includes as participating members the UK, South Africa, Austria, Canada, China, Colombia, Italy, South Korea and Switzerland. Interestingly, the US is only listed as an observing member.
GOOGLE AND ORACLE’S EPIC/TEDIOUS RIVALRY has officially spilled over into the world of privacy. Late last year Oracle was alleged to be behind a story that accused Google of surreptitiously tracking the location of Android users, even if they have location services turned off and no SIM card in the phone. Now Oracle has gone public with its claims.
What’s more, Oracle’s claims have fed into a Google investigation by Australia’s competition and privacy regulators. Oracle set out its allegations in a report to the competition watchdog, in the context of a wider probe into Google and Facebook’s impact on the advertising market.
Google’s response? To point out that Oracle is hardly a saint on the privacy front. “Like many of Oracle’s corporate tactics, this presentation is sleight of hand, not facts, and given that Oracle markets itself as the world’s biggest data broker, they know it,” it said in a statement. Oracle declined to respond to that one.
“GDPR MAY WORK FOR EUROPE, but that doesn’t mean it should become a global standard.” That’s IBM’s regulatory affairs chief Christopher Padilla there. The company has embarked on a major lobbying effort to ensure the U.S. doesn’t adopt GDPR-style data protection rules, sending 100 (!) executives to bend the ears of members of Congress.
So what does IBM want? That’s not entirely clear, even after reading Padilla’s blog post on the matter. He wants the U.S. to take an approach similar to the one the Obama administration took with cybersecurity, working out a voluntary framework with industry, but even then IBM still isn’t giving any indication of what it would like a good privacy framework to look like. It’s easy to argue against something, but what is the company arguing for?
KLOUT, THE INFLUENCE-RATING SERVICE, is shutting down on May 25th, for some reason. Could it be sunsetting on GDPR implementation day because, as privacy expert Wolfie Christl notes, it was combining hundreds of millions of social profiles with other marketing data in order to “identify and score consumers across email and social”? Most of those people probably just thought they were getting to know how “influential” they were on social media.
EUROPEAN NEWS SITES ARE BIG OFFENDERS when it comes to tracking visitors. According to a survey by the Reuters Institute, sites in the UK, Spain, France, Poland, Finland, Italy and Germany averaged 40 third-party domains per page and 81 third-party cookies per page.
What are those third-party domains? As Nieman Lab puts it: “Google services are on most of the pages the researchers analysed (followed distantly by Facebook).”
BRITISH PARLIAMENTARIANS ARE TERRIBLY CONFUSED about what the GDPR means for them, with some reporting that they were advised to delete all constituency casework information from before the last election.
“You may say that the very people who have been examining the data protection legislation should be better informed. But they are among many small businesses still struggling to make their way through the fog of confusing advice,” writes the BBC’s Rory Cellan-Jones.
MARK ZUCKERBERG IS STILL STICKING UP HIS MIDDLE FINGER to UK MPs over their desire to have him testify over the Cambridge Analytica scandal. Seriously, what is his problem?
FACEBOOK HAS SUSPENDED AROUND 200 APPS from its platform after it did a post-Cambridge-Analytica-scandal audit of all the data it was freely handing out prior to a policy change in 2014. It will now properly investigate what those apps did with all the information they hoovered up. Before that change, Facebook used to allow third-party apps to take the personal data not only of people who used them, but of all those people’s contacts too.
Meanwhile, it turns out millions of people gave their personal information to the popular Facebook quiz app myPersonality – run, again, by Cambridge academics – and the app’s team left the data exposed for four years. Facebook has suspended the app now, but… oops?
FACEBOOK IS ALSO FACING A FURORE over the fact that it allows advertisers to target users based on sensitive information such as sexuality and religion – stuff that requires very explicit consent on the part of the user.
Facebook’s excuse? “Like other internet companies, Facebook shows ads based on topics we think people might be interested in, but without using sensitive personal data. This means that someone could have an ad interest listed as gay pride because they have liked a Pride-associated page or clicked a Pride ad, but it does not reflect any personal characteristics such as gender or sexuality.”
I’d be very interested to see what the regulators say about that one.
MEGAHACK VICTIM EQUIFAX INSISTED that the hackers didn’t get people’s passport numbers, but of course they did.
KASPERSKY LAB IS DESPERATE to show its customers that it can be trusted – a big issue when its security systems necessarily exfiltrate data from customers’ PCs in order to check for threats, given that Russia’s authorities can then demand access to that data. So it’s moving those systems from Moscow to Zurich. Not a minute too soon, either, with the Dutch government having just decided to follow the Americans in dropping Kaspersky products over security concerns.
“We chose this location for two reasons,” the company said. “First, Switzerland has maintained its policy of neutrality for two centuries. Second, the country has strong data protection legislation. We believe these two qualities make Switzerland the perfect place to move part of our sensitive infrastructure.”