WELCOME to Connected Rights, your dummy in the mouth of digital rights news and analysis.

Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website and download a copy of my book, Control Shift: How Technology Affects You and Your Rights. Buiti achüluruni!

NB: This will be the last Connected Rights newsletter of the year – I’m going to take a break during December. I’ll pause Patreon payments for next month, naturally.

YESTERDAY’S FACEBOOK-PRIVACY HEARING in London was extraordinary for multiple reasons. It was the first time that lawmakers from many countries had participated in a joint hearing like this. Mark Zuckerberg refused to come. That in itself is not so extraordinary, as he has persistently refused such invitations, though it’s notable that the MPs left an empty chair to protest his absence.

The big surprise was the unexpected appearance of former Federal Trade Commission chief technologist Ashkan Soltani, who wanted to provide the lawmakers with some informed technical expertise to aid their analysis of the Cambridge Analytica fiasco.

Earlier in the day, Facebook’s EMEA policy chief, Richard Allan, had shown up in Zuck’s stead to answer questions, and he claimed that, several years ago, Facebook had moved third-party developers onto a new version of its platform that gave them access to far more limited user information than the first version had. “This is false,” Soltani then testified, noting that as late as this year whitelisted apps were still able to access the private information of users’ friends, even where users’ settings were supposed to block that.

He also strongly disputed Allan’s assertion that the first version of the platform did not give developers full access to people’s information.

Soltani: “When companies make technically nuanced and perhaps… deceitful statements, it kind of gets under my skin.” Good man.

FACEBOOK’S FLASHY “WAR ROOM”, which it showed off to journalists a couple months back in a PR blitz intended to show how serious the company is about fighting disinformation during election campaigns – and which was supposed to be used during future elections – has already been disbanded. Facebook says it is being replaced with a “more permanent” strategic response team.

IN WHAT APPEARS TO BE GERMANY’S FIRST GDPR FINE, a local chat app called Knuddels has to pay €20,000 after a hacker stole the information of hundreds of thousands of users. Knuddels was storing user passwords and emails in plaintext – the hacker published them all on Pastebin and Mega.

Why was the Baden-Württemberg data protection authority so lenient with its fine? Because, despite the company’s failure at the time to follow the most basic rule of credential storage (passwords are hashed with a slow, salted function, never kept in the clear), it quickly “implemented extensive measures to improve its IT security architecture,” once the horse had bolted.
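For readers who want to see what the Knuddels failure looks like at the code level, here is an added Python illustration (it is not from the newsletter, and it is not Knuddels’ code): a plaintext row beside a hardened record that uses a random per-user salt, a deliberately slow key-derivation function and a constant-time comparison, plus the attacker’s view of a dumped row. The record format, the KDF parameters and the sample rows are assumptions made for the example.

```python
import hashlib
import hmac
import os

# KDF parameters (assumptions for this example, following the OWASP cheat sheet
# for PBKDF2-HMAC-SHA256; prefer scrypt or Argon2id where your platform offers them).
KDF = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: kdf$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, and the embedded iteration count lets the cost be
    raised later without invalidating existing rows.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN
    )
    return f"{KDF}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters; compare in constant time."""
    kdf, iterations, salt_hex, digest_hex = record.split("$")
    if kdf != KDF:
        raise ValueError(f"unsupported KDF {kdf!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
        dklen=DKLEN,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_record(record: str, wordlist):
    """Attacker's view of a dumped hashed row: every guess costs a full KDF run.

    Returns the password if it is in the wordlist, else None. Against a
    plaintext store there is nothing to crack; the row itself is the credential.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample rows (not real Knuddels data): one plaintext, one hashed.
    plaintext_row = "hunter2"
    hashed_row = hash_password("correct horse battery staple")
    print("plaintext row leaks:", plaintext_row)
    print("hashed row leaks:", hashed_row)
    print("verify ok:", verify_password("correct horse battery staple", hashed_row))
    print("wrong password:", verify_password("hunter2", hashed_row))
    print("cracked:", crack_record(hashed_row, ["123456", "password", "hunter2"]))
```

The point of `crack_record` is the cost asymmetry: a dumped plaintext table is instantly usable, while a dumped table of salted, slow-KDF records forces the attacker to pay for every guess against every user, which is exactly the protection that was missing here.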

POLITICO HAS A PIECE ON THE GDPR’S IMPACT, SIX months in. A couple points in there – that the big U.S. tech firms are still dominant in their fields, and there haven’t been any huge fines yet – are less than informative given the timescale involved. All things in time. But there are some valuable insights in there, too.

For one thing, there seem to have been over 57,000 GDPR complaints already, and 27,000 timely data breach notifications – both figures point to everything working as it should (though blimey that’s a lot of breaches). Also, there is some indication that the GDPR may be having an impact on funding for European startups. Again, though, I think more time is needed before any informed conclusions can be drawn on that front.

WANT TO KNOW MORE ABOUT SPAIN’S GDPR-COMPLIANT new data protection law? DLA Piper has you covered.

SOUTH KOREA IS CURRENTLY TRYING TO GET an “adequacy decision” from the European Commission that would allow frictionless personal data transfers from the bloc. However, as I’ve written about for IAPP’s Privacy Advisor, that will rely on legislative changes that are currently under consideration.

The issue is that the Korean data protection authority currently doesn’t have any enforcement powers, while the body that does – the Ministry of the Interior and Safety – lacks the necessary independence because, well, it’s a government ministry. The changes should fix that, by giving the regulator the teeth it should always have had.

I ALSO WROTE ABOUT THE DEBATE OVER “ethics certification” for autonomous and intelligent systems – or AI, as it were. The IEEE Standards Association is presiding over the creation of such certification processes, but what does ethics certification actually mean in this context? Find out here.

A BUNCH OF GOOGLERS have written an open letter about why the company should abandon its “Project Dragonfly” plans to re-enter the Chinese search market. As recounted here several times, Google seems to be considering the move despite the fact that returning to China would mean playing ball with the country’s censors – one of the main reasons it left in the first place – and enabling surveillance.

The Googlers wrote: “Our opposition to Dragonfly is not about China: we object to technologies that aid the powerful in oppressing the vulnerable, wherever they may be. The Chinese government certainly isn’t alone in its readiness to stifle freedom of expression, and to use surveillance to repress dissent. Dragonfly in China would establish a dangerous precedent at a volatile political moment, one that would make it harder for Google to deny other countries similar concessions…

“Providing the Chinese government with ready access to user data, as required by Chinese law, would make Google complicit in oppression and human rights abuses. Dragonfly would also enable censorship and government-directed disinformation, and destabilize the ground truth on which popular deliberation and dissent rely.”

SPEAKING OF GOOGLE, CONSUMER ORGANISATIONS in multiple European countries have banded together to lob a series of GDPR complaints at the company over its location-tracking practices, which they say involve tricking people into sharing more than they might want to.

AND PRIVACY REGULATORS IN THE UK AND THE NETHERLANDS have fined Uber over its 2016 data mega-breach and the subsequent cover-up attempt. The fines total a mere $1.17 million, but bear in mind we’re talking about an offence that took place before the GDPR came in.

CPAP MACHINES, WHICH ARE USED TO COMBAT SLEEP APNOEA, can come with wireless modems these days. One purpose is to allow technicians to troubleshoot problems remotely, but that’s not all, as ProPublica explains in a piece brilliantly entitled “You Snooze, You Lose”.

From the article: “Last March, Tony Schmidt discovered something unsettling about the machine that helps him breathe at night. Without his knowledge, it was spying on him. From his bedside, the device was tracking when he was using it and sending the information not just to his doctor, but to the maker of the machine, to the medical supply company that provided it and to his health insurer… Privacy experts worry that data collected by insurers could be used to discriminate against patients or raise their costs…

“Without his CPAP, Eric Umansky, a deputy managing editor at ProPublica, wakes up repeatedly through the night and snores so insufferably that he is banished to the living room couch. ‘My marriage depends on it.’ In September, his doctor prescribed a new mask and airflow setting for his machine. Advanced Oxy-Med Services, the medical supply company approved by his insurer, sent him a modem that he plugged into his machine, giving the company the ability to change the settings remotely if needed. But when the mask hadn’t arrived a few days later, Umansky called Advanced Oxy-Med. That’s when he got a surprise: His insurance company might not pay for the mask, a customer service representative told him, because he hadn’t been using his machine enough. ‘On Tuesday night, you only used the mask for three-and-a-half hours,’ the representative said. ‘And on Monday night, you only used it for three hours.’”