WELCOME to Connected Rights, your hand in the glove of digital rights news and analysis.

Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website and download a copy of my book, Control Shift: How Technology Affects You and Your Rights. Tempokani!

INDIA’S MASSIVE AADHAAR BIOMETRIC DATABASE IS LEGAL, the country’s supreme court ruled today, overall prioritising the system’s benefits over its privacy and security risks. Indian digital rights campaigners are not happy.

However, the court also set out limits for the use of Aadhaar data: the information must not be compulsory for enrolling kids in school, opening bank accounts and registering SIM cards – the privacy risk there is too great, the court said, and telecoms companies will have to delete the Aadhaar data they’ve already gathered.

Private companies such as Amazon may no longer demand Aadhaar data for customer verification, and investigators can’t access it without a warrant. Aadhaar data may, however, be required for tax filings.

BRITISH DOMESTIC INTELLIGENCE SPIED ON PRIVACY INTERNATIONAL, agencies have admitted. MI5 said it had both gathered and examined the human rights group’s private data under its mass surveillance programs. GCHQ and MI6 also admitted unlawfully gathering information about the NGO and its staff.

The information came to light as Privacy International is challenging MI5’s bulk communications data (BCD) and bulk personal datasets (BPD) schemes. The group had demanded action by Home Secretary Sajid Javid.

PI general counsel Caroline Wilson Palow: “Today’s revelations are troubling for a whole host of reasons. The UK intelligence agencies’ bulk collection of communications data and personal data has been shown to be as vast we have always imagined – it sweeps in almost everyone, including human rights organisations like Privacy International. Not only was Privacy International caught up in the surveillance dragnet, its data was actually examined by agents from the UK’s domestic-facing intelligence agency – MI5.

“We do not know why MI5 reviewed Privacy International’s data, but the fact that it happened at all should raise serious questions for all of us. Should a domestic intelligence agency charged with protecting national security be spying on a human rights organisation based in London?”

THE BRITISH GOVERNMENT IS CONSIDERING SETTING UP AN INTERNET REGULATOR that would, according to BuzzFeed News, “make tech firms liable for content published on their platforms and have the power to sanction companies that fail to take down illegal material and hate speech within hours”. In other words, a British version of Germany’s contentious NetzDG law.

This isn’t official policy yet, but rather part of a set of under-development proposals that also include “age verification for users of Facebook, Twitter and Instagram” and the enforcement of “new regulations on non-illegal content and behaviour online,” which sounds pretty darn ominous if you ask me.

To support my work, why not become a patron of Connected Rights? If you would prefer to make a one-off donation, I also have a PayPal.me page.

PRIVACY PLAYED A RELATIVELY SMALL BUT NONETHELESS SIGNIFICANT role in the decision by the European Parliament to launch Article 7 proceedings against Hungary – a road that could theoretically lead to Hungary losing its voting rights in the Council of the EU, unlikely though that is.

I dived into this angle in an article for the IAPP, in which I interviewed one of the litigants in the Szabó and Vissy v. Hungary mass surveillance case – Máté Szabó doesn’t think it will come to sanctions, but he is hopeful that the Article 7 proceedings will lead to a “structured dialogue” between member states and EU institutions over surveillance issues.

I ALSO WROTE AN IAPP PIECE ON ARTICLE 13 of the new EU Copyright Directive, specifically addressing the question of how much Axel Voss’s recent amendments fix concerns over an embedding of surveillance and censorship mechanisms across the interwebs. Short answer: they do and they don’t.

THE FRENCH PRIVACY REGULATOR, CNIL, has published guidance on the interplay between the GDPR and blockchain technology. Here’s the document, and here’s a Twitter thread from Michèle Finck that teases out CNIL’s main points: deleting private keys may suffice as “erasure” on an immutable blockchain; best to store personal data off-chain where possible; people engaging with the shared ledger may be controllers if they’re doing so professionally; miners aren’t controllers; nodes may or may not be controllers; and the developers of smart contracts can be data processors.

GOOGLE DOESN’T JUST LET THIRD-PARTY SERVICES READ PEOPLE’S GMAIL emails, as reported earlier this year – it also allows those third parties to share what they find with… fourth parties? Anyhow, it’s all apparently fine because the privacy policies make it clear where the data goes, says Google, enraging people like Electronic Privacy Information Center’s Marc Rotenberg, who told the WSJ that “there is simply no way that Gmail users could imagine that their personal data would be transferred to third parties”.

THERE’S BEEN A BIT OF A FLAP about Google adding a feature to Chrome that shows you when you’re signed into a Google website. Cryptography expert Matthew Green says Google is betraying people’s trust by automatically signing the browser into people’s Google accounts. Chrome developer Adrienne Porter Felt says it doesn’t automatically sync browser data to those accounts, as this requires a further step on the user’s part. Motherboard’s Lorenzo Franceschi-Bicchierai thinks the outcry is very silly.

If you’d like me to speak about digital rights at your event or provide advice for your business, drop me an email at david@dmeyer.eu.

AMAZON HAS LAUNCHED A BUNCH OF NEW ALEXA-EQUIPPED things (including a “smart” microwave that requires you to access Amazon’s cloud for the settings). Recode’s Jason Del Rey notes that Amazon didn’t talk about the privacy implications of all those be-microphoned gadgets, opining quite plausibly that it simply didn’t see much demonstrable consumer demand for “internet of things” privacy. “If Amazon customers don’t push Amazon, we live in a world where you can’t expect the company to discuss the potential downsides itself,” he writes.

AMAZON IS BEING TENTATIVELY PROBED by the team of EU Competition Commissioner Margrethe Vestager. DG COMP wants to know if Amazon, which “competes” with third-party merchants on its ecommerce platform, uses the data it has on their transactions to unfairly benefit its own operations. This is all very early-stage stuff; nothing formal yet.

Vestager: “The question here is about the data. Do you then also use this data to do your own calculations, as to what is the new big thing, what is it that people want, what kind of offers do they like to receive, what makes them buy things?”