WELCOME to Connected Rights, your journey through the looking-glass of digital rights news and analysis.

APPLE HAS ANNOUNCED THAT THE NEXT VERSION OF SAFARI will tell users when third parties are trying to track them through things like “like” and “share” buttons, and give them a simple way to block the tracking. And which tracker did Apple software chief Craig Federighi highlight in order to demonstrate the effectiveness of this mechanism at the WWDC developer conference? Facebook’s.

Apple is also further limiting the information advertisers can scoop up about the type of device that’s being used, in order to stymie “fingerprinting” techniques that help build up user profiles for marketing purposes.

This will be yet another pain in the posteriors of those who try to track us across the web (Safari has a 13.8 percent share of the browser market, worldwide). The other big one, of course, is the GDPR.

I’ve been hugely enjoying the time since the EU’s privacy revamp came into effect. Of course, not everyone is being good, but I keep visiting websites that give me straightforward information about the kinds of cookies and trackers that are in action there, and offer simple ways to turn off the unnecessary stuff. Compare that with some publishers’ decision (described in last week’s Connected Rights) to simply cut off all EU users, rather than give their readers the basic tools to make decisions about their own privacy.

This essentially comes down to respect. It’s increasingly easy for even non-data-protection-literate people to see who has that on offer, and who does not.

FACEBOOK’S DATA-SHARING PRACTICES ARE YET AGAIN under the spotlight after a New York Times report exposed partnerships with device manufacturers that had never previously been explicitly laid out.

A lot of mobile devices have interfaces that allow the use of Facebook functionality – seeing notifications, posting updates and so on – without needing to actually have the Facebook app. This made sense once upon a time, when phones were too underpowered to run that app, but Facebook’s deals with the manufacturers essentially mean these third-party companies’ software can plug into Facebook’s systems.

When Facebook cut off third-party developers’ access to the personal data of users’ friends in 2015 (after the Cambridge Analytica mass-siphoning incident took place), it did not cut off these industry partners – even though they were able to absorb data on people who weren’t aware their data was being shared. That’s all out in the open now, and it may show that Facebook is in breach of its 2011 settlement with the US Federal Trade Commission, where it promised to respect people’s privacy wishes.

This latest scandal also took on a new dimension yesterday when, pressed by a concerned senator, Facebook admitted that Huawei – a company perceived by many as a security risk – was one of the companies with whom it struck a private data-access deal. Facebook insists that Huawei phones were only able to store Facebook data locally, rather than sending it off to Chinese servers. But this certainly isn’t a great political look for Facebook at a time when Congress is antsy about its workings.

UK INFORMATION COMMISSIONER ELIZABETH DENHAM MADE a good point about the GDPR at Monday evening’s European Parliament hearings on Cambridge Analytica and tech’s threat to democracy. “I think orders to stop processing are going to be as powerful if not more powerful than administrative fines,” she said.

Quite so. The Facebooks of this world can absorb the GDPR’s humungous fines, but being ordered to stop using certain algorithms would be even more problematic for them.

THE ADMINS OF FACEBOOK FAN PAGES ARE JOINT CONTROLLERS of the personal data being processed through those pages, the Court of Justice of the European Union has ruled.

This has huge implications for companies such as Facebook and Google that help people in their online marketing efforts. The trend is for those companies to make their customers agree to be the controllers in this relationship, while the platform providers (Facebook, Google Analytics etc) are processors.

However, the CJEU’s ruling – in a case where a fan page operator tried to claim it wasn’t a controller at all – blows a hole in everyone’s arguments. It probably means Facebook and its peers will need to rewrite their controller-processor contracts to turn them into controller-controller contracts, just after they rewrote them to comply with the GDPR. It also means those operating fan pages need to consider whether they’re happy with Facebook’s GDPR compliance, as they might also be on the hook to some degree.

Fun times for all concerned!

To support my work, why not become a patron of Connected Rights or buy my book, Control Shift?


The operators of De-Cix sued the BND intelligence agency in September 2016 over its indiscriminate monitoring of, well, pretty much everything (with its findings being shared with the NSA, per Snowden). Last week, the Leipzig federal administrative court threw out the suit, saying De-Cix did not have legal standing to invoke the German law on telecommunications secrecy because it’s an intermediary, rather than someone who’s affected by surveillance.

The same court previously rejected a suit against the BND by the German branch of Reporters Without Borders, on the basis that the NGO couldn’t prove all of this surveillance took in the communications of journalists.

So now De-Cix will appeal to the German constitutional court, where an appeal from Reporters Without Borders is also languishing. Incidentally, the journalistic non-profit did have some success in its war against the spies – last year it won a court ruling to have the BND delete journalists’ telephony metadata from its special telephony metadata database, and so many people have now called for the same privilege that the BND has scrapped the database altogether.

ICANN, WHICH RUNS THE INTERNET’S NAMING SYSTEM, TOOK a German domain registrar called EPAG to court because the outfit refused to collect certain information on customers who were buying domains – specifically, the personal data of administrative and technical contacts for those domains.

EPAG’s argument was that the GDPR may forbid it from collecting this data and sharing it with ICANN for its Whois domain-ownership-information system, because the processing is not necessary. And the German court quickly sided with EPAG, to a point, saying it’s sufficient to collect domain name registrant data only. However, the court did not address the question of whether collecting and sharing tech and admin contact data contravened the GDPR.

ALMOST TWO-FIFTHS OF COURT-ORDERED DOMAIN BLOCKAGES IN THE UK are erroneous, according to the Open Rights Group. The digital rights group looked at more than 1,000 domain-blocking orders and found 37% were “blocked in error or without any legal basis”.

What does blocked in error mean? “The majority of the domains blocked are parked domains, or no longer used by infringing services.” The full list of blocked domains is secret, though ORG reckons it runs to around 2,500 domains.

“We expect ISPs and rights holders to examine our results and remove the errors we have found as swiftly as possible,” said ORG executive director Jim Killock. “We want ISPs to immediately release lists of previously blocked domains, so we can check blocks are being removed by everyone. Rights holders must make public exactly what is being blocked, so we can ascertain how else these extremely wide legal powers are being applied.”

WHAT DOES MICROSOFT’S PURCHASE OF GITHUB PRESAGE for digital rights? As a Wired article explains, there could be an impact on certain controversial code that’s stored on the service, and that may pose commercial or legal challenges for Microsoft. People are also worried that Microsoft may help the Chinese censor the content stored on GitHub, which China can’t outright block because it’s too useful for Chinese developers.

If you’d like me to write articles for you about digital rights issues, speak at your event or provide privacy advice for your business, drop me an email at david@dmeyer.eu.

DUTCH CONSUMER PROTECTION ADVOCATES HAVE FAILED in their legal quest to force Samsung to keep sending out security patches for the phones they sell. The Hague’s administrative court ruled last week that Consumentenbond was trying to influence Samsung’s future behaviour, so its case was inadmissible.

Court: “The specific (technical) circumstances are still unknown. Therefore, nothing can be decided regarding the nature and severity of any future security risks and Samsung’s future actions.”

Consumentenbond’s lawyer: “Google classifies the severity of each leak they discover and the possible consequences [when they give manufacturers patches to distribute]. The Consumentenbond does not have to also do that.”

SOMEONE’S BEEN OPERATING IMSI CATCHERS TO SPY ON PEOPLE’S PHONES in Washington, DC. The Department of Homeland Security spotted the activity last year, but it doesn’t seem clear who the culprits are.

MYHERITAGE HAD A HUGE DATA BREACH affecting more than 92 million users. A security researcher found MyHeritage’s database of email addresses and hashed passwords, and reported it to the company. Users should change their passwords, obviously.

A MEDITATION APP CALLED CALM IS OFFERING USERS a soothing reading of the GDPR, in order to help them fall asleep. No, really.