La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates

from the goooooooal dept

Roughly one year ago, we wrote about La Liga, the Spanish soccer league, pushing out an app to soccer fans that allowed the software to repurpose a mobile device's microphone and GPS to try to catch unauthorized broadcasts of La Liga matches. The league publicized this information, which had previously been buried in obscure language in its TOS, as mandated by the GDPR. At the same time, the league attempted to brush the whole thing off as above board, claiming that what was in the TOS informed users of the app enough that their own mobile devices were being compromised and turned into copyright snoop networks.

If this all sounds like The Dark Knight Rises for European soccer... you aren't wrong.

La Liga apparently was wrong, however, in its claims that all of this was okey-dokey.

While controversial, La Liga felt that it was on solid ground in respect of the feature and its declaration to app users. AEPD, Spain’s data protection agency (Agencia Española de Protección de Datos), fundamentally disagrees.

As a result, AEPD has hit La Liga with a significant 250,000 euro fine for not properly informing its users in respect of the ‘microphone’ feature, including not displaying a mic icon when recording.

The data protection agency said that La Liga’s actions breached several aspects of the EU’s GDPR, including a failure to gain consent every time the microphones in users’ devices were activated.

Now, the GDPR is an absolutely useless monstrosity in nearly every instance, but it's actions -- such as those taken against La Liga -- fool everyone into thinking such laughably broad regulation is necessary in the first place. For any business to somehow think that it would be a good idea to compromise the mobile devices of its customers in order to catch pubs and bars, something like fining the business via the GDPR sure makes it seem like the GDPR is doing something. This is what poisons the well, in other words.

The pro-GDPR argument stemming from this example is undercut, however, by the fact that La Liga is arguing that it modeled its actions to very specifically follow the spelled out way the GDPR enables these kinds of privacy intrusions. This too is an argument we've made about the GDPR.

In a statement, La Liga says it “disagrees deeply” with the AEPD’s decision and believes the agency has “not made the effort to understand how the technology works.” Announcing it will go to court to challenge the ruling, La Liga says it has always complied with the GDPR and other relevant data protection regulations. Noting that users of the app must “expressly, proactively and on two occasions give their consent” for the microphone to be used, La Liga further insists that the app does not “record, store or listen” to people’s conversations.

“[T]he technology used is designed to generate only a specific sound footprint (acoustic fingerprint). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations. This footprint is transformed into an alphanumeric code (hash) that is not reversible to the original sound,” La Liga says.

As if another test case was needed, the outcome of the appeal will certainly be one for the usefulness of the GDPR. Because if the outcome is that La Liga actually did comply with it, all while snooping on 3rd parties using the mobile hardware of customers that didn't really know what was happening, that should be revealing.

Filed Under: apps, copyright, gdpr, piracy, pirates, recording, surveillance
Companies: la liga

One Year Into The GDPR: Can We Declare It A Total Failure Yet?

from the click-here-to-pretend-we-respect-your-privacy dept

Tomorrow will represent a full year since the GDPR went into effect. In the run-up to the GDPR, we called out many of the problems with the regulation which, while well-intended, did not seem to deal well with the nature of the internet, speech, or what privacy actually means. In the year since, we've posted numerous stories highlighting the negative consequences of this poorly considered law.

Whenever we do that, however, many of the law's defenders insist that these unintended consequences are a small price to pay for either protecting our privacy or reining in the internet giants. So, it does seem worth investigating whether or not the GDPR has done either of those things. And, so far, the evidence is sorely lacking. Indeed, on the question of dominance, we pointed out late last year that the early returns suggested that the GDPR had only made Google more dominant, which hardly seems like a way to punish the company.

And now that we have more results, it seems more and more people are realizing that the GDPR has been an utter failure. As CNBC notes in its evaluation of the law, it's hard to see how the GDPR has resulted in any benefits to the public. Instead, it's just created a big mess:

...one year later, GDPR hasn’t lived up to its potential.

Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations, and with those, tension and confusion. And it’s unclear if the EU data authority that oversees the law is adequately staffed to handle its demands.

In short, from the user side especially, all the GDPR has done is made people constantly need to click on annoying privacy and cookie notices that they don't read and don't find useful at all. This shouldn't have been a surprise. We've pointed out for many years that the entire concept of a privacy policy is backwards. It creates a situation where no one actually reads it, and it doesn't do much to protect anyone's privacy. I head someone recently note that they should really be called "data exploitation policies," and that, at least, would be a bit more accurate. But still wouldn't get anyone to read them or better protect anyone's privacy.

And, as Politico has pointed out, it appears that not only has the GDPR made the big tech companies more dominant, it's now laid out the rules of the road by which they can introduce even more privacy-destroying offerings:

New forms of data collection, including Facebook’s reintroduction of its facial recognition technology in Europe and Google’s efforts to harvest information on third-party websites, have been given new leases on life under Europe’s General Data Protection Regulation, or GDPR.

Smaller firms — whose fortunes were of special concern to the framers of the region’s privacy revamp — also have suffered from the relatively high compliance costs and the perception, at least among some investors, that they can’t compete with Silicon Valley’s biggest names.

“Big companies like Facebook are 10 steps ahead of everyone else, and 100 steps ahead of regulators,” declared Paul-Olivier Dehaye, a privacy expert who helped uncover Facebook’s Cambridge Analytica scandal. “There are very big questions about what they’re doing.”

This entire approach is backwards and silly. If we want to have better control over our privacy we're not going to do it through demanding better privacy policies, or confusing data protection laws. We need to create the incentives to put the actual control of the data back into the hands of the users. And that doesn't just mean a right to download your info. It means that you have full control over your data and get to control what apps and services can access it and for what reasons. That's not the world we have today, and nothing in the GDPR gets us any closer to it.

And the answer is not "more enforcement." That just locks in the big companies even more and continues to present the roadmap to "follow" the rules, or to work the refs. Instead, if we moved to a system of protocols instead of platforms we could decouple the data from the service, putting real control of the data back in the hands of end users. Then things like privacy policies and GDPR enforces wouldn't matter so much, because we'd have direct control over our data.

Instead, all we have is a massive law that has harmed startups, entrentched big companies, failed to protect privacy and just served to annoy most users.

The reality is that many people, in order to save time, simply click “OK” on the never-ending stream of pop-ups and most everyone I spoke to confess that they just move on when unable to access the desired website. Or, as one Twitter user told expressed, “I read a lot fewer articles in US papers/magazines.”

And, sure, there have been a few fines of internet companies, but as recent GDPR complaints show, there does not appear to be any way to actually fully comply with the GDPR, which makes it a particularly useless law. If you can't actually comply, if it's not actually protecting privacy, and it's just annoying users and creating more bureaucracy, what good is it?

Meanwhile, Alec Stapp has collected a ton of stories and examples of the GDPR's negative impact. It notes much of the stuff above, but also highlights just how damaging it's been to innovation on the whole:

Startups: One study estimated that venture capital invested in EU startups fell by as much as 50 percent due to GDPR implementation. (NBER)

Mergers and acquisitions: “55% of respondents said they had worked on deals that fell apart because of concerns about a target company’s data protection policies and compliance with GDPR” (WSJ)

Scientific research: “[B]iomedical researchers fear that the EU’s new General Data Protection Regulation (GDPR) will make it harder to share information across borders or outside their original research context.” (POLITICO)

So now that we've had a year, can we admit that the GDPR has been a total failure by almost every possible measure? Supporters of the law will say to give it more time, or to say we need to "improve" the rules, but it should be obvious by now that the entire approach is the problem, not the implementation.

Filed Under: censorship, competition, compliance, data protection, dominance, eu, free speech, gdpr, privacy, tech

Prince Harry Uses GDPR To Obtain Payout From Photographer Who Shot Photos Of His Rental Home

from the something-about-pictures-of-a-house-on-a-beach... dept

The repeated answer to the question, "How does the GDPR work?" is: "Not well." The privacy law enacted by the European Union is a regulatory omnishambles that was first greeted by non-European websites telling Europeans their business was no longer welcome.

From there, the convoluted law the EU Commission itself can't even comply with properly has been used to vanish everything from documents on US court dockets to trash cans inside an Ireland post office. When it's not providing new attack vectors to cybercriminals, it's being co-opted by the powerful to control what the public gets to see and hear about them.

The latest repurposing of the GDPR into an offensive weapon occurred in the pre-Brexit UK, which may give the royal family a reason for remaining united with the rest of Europe. Britain's literal ruling class has never shied away from dragging publications and paparazzi into court, but this latest case -- involving photos of house being rented by Prince Harry -- has a new GDPR twist.

Prince Harry this week notched another victory in the royal family's long-running battle with paparazzi photographers, securing a "substantial payout" from an agency which used a helicopter to take pictures inside a house he was renting.

Potentially even more interesting than that is the way in which he won his battle — basing a legal case partly on a sweeping new European data law that is less than a year old.

According to a statement delivered to London's High Court on Thursday, in which the paparazzi agency Splash News apologized to Harry, also known as the Duke of Sussex (emphasis ours):

"This matter concerns a claim for misuse of private information, breaches of The Duke's right to privacy under Article 8 ECHR and breaches of the General Data Protection Regulation ("GDPR") and Data Protection Act 2018 ("DPA")."

This settlement has the potential to deter journalists from taking pictures of anyone or anything. While this case involved photos of the inside of Prince Harry's rental property, it wouldn't take much to stretch the definition of unlawful data-handling to cover any photos taken without the subject's permission.

Although the details of the settlement still remain mostly under wraps, there's speculation that the privacy violation wasn't just the photos of the interior of the house -- an interior only visible by air. (The photos were taken by a paparazzo in a helicopter.) It may also have something to with information not revealed publicly by Prince Harry: namely, the address of the photographed residence.

Given that the law allows subjects to revoke consent at any time following publication, this makes reporting on the lives of public figures that much more risky. It appears the GDPR can be abused much more easily than the UK's routinely-abused defamation laws. The GDPR has an exemption for journalists, but it's not clear-cut and requires a case-by-case examination by an EU comptroller who will make the final determination on the issue of public interest.

There's no presumed exemption to the law that protects reporting. The EU Commission comptroller decides whether or not the published info was in the public interest when it's challenged, which puts even less-sensational efforts on shaky ground. Given its retroactive reach, the GDPR can act as yet another "right to be forgotten," allowing subjects of reporting to revoke consent (implied or otherwise) months or years after publication to force removal of content from the web. This case may deal with the unsavory actions of paparazzi but the side effects will be felt by journalism as a whole. Any public figure who wants to keep their private dealings out of the news -- for whatever reason -- will have the GDPR available to do their dirty work.

Filed Under: censorship, eu, gdpr, media, paparazzi, prince harry

GDPR Concerns Temporarily Result In The Removal Of Trash Cans From Ireland Post Office

from the that's-some-fine-regulation-you-got-there,-EU dept

The regulatory nightmare known as GDPR continues to wreak havoc. The data privacy law enacted by the European Union has possibly helped protect the data of Europeans, but the thick cloud of smoke rising from the collateral damage makes it impossible to say for sure.

Regulating the internet isn't as simple as the EU Parliament thought it would be. The first reaction many US sites had to the new law was to block every user appearing to originate from a covered country. The EU Parliament couldn't even comply with GDPR properly. Its own website didn't anonymize incoming users correctly, allowing the Parliament's site to hoover up IP addresses to send through to Google Analytics. The EU Commission responded to this gaffe by exempting itself from the law.

Meanwhile, European citizens were experiencing the downsides of mandated data export. The law requires all user data collected by tech companies to be available on demand to European internet users. In theory, a wonderful idea. In practice, it means if someone hacks one of your accounts, they can start requesting your data as well. Even without being hacked, your personal data can be sent to someone else because tech companies are just as prone to clerical errors as anyone else.

This latest incident is more of the same. Another debacle powered by GDPR. This time, the problem created wasn't composed of 1s and 0s. This time the side effects could be felt physically.

All public bins have been removed from the GPO [General Post Office] due to potential privacy breaches under the General Data Protection Regulation (GDPR).

Customers and visitors to the historic building will no longer be able to dispose their litter within the premises.

An Post says under the new privacy laws, even rubbish containing personal details is considered their responsibility.

For this reason, a decision was taken to remove every bin from the post office’s main hall.

The problem? Post office customers were tossing out unwanted mail and receipts -- all of which contained confidential personal data now regulated by GDPR. The post office's solution was to remove its inadvertent data collection facilities, which apparently led to people leaving their regulated data lying on the office's counters and floors.

Fortunately, this new normal for post office users was swiftly reverted back to the old normal. The Commissioner of the Office of Data Protection issued a clarifying statement on post offices, rubbish bins, and protecting the privacy of post office customers.

When contacted this evening, a spokesperson for the Office of the Data Protection Commissioner told independent.ie that "under no circumstances" could public litter be in breach of GDPR.

Great. Glad that's cleared up. Business as usual then?

“An Post have confirmed a number of outstanding issues around the handling of waste material from public litter bins in the GPO,” a spokesperson said.

“The bins had been removed from the public office of the GPO on a trial basis and have now been re-instated,” he said.

THE BINS HAVE BEEN REINSTATED.

This is the stupid world the EU Parliament has gifted us. A breathtakingly broad law that regulates every entity that might possess the personal information of others has, however briefly, resulted in the removal of trash cans to ensure compliance. This may be the dumbest collateral damage yet, but it certainly won't be the last.

Filed Under: data protection, gdpr, ireland, irish post office, trash cans

GDPR Penalties Prove Why Compliance Isn't Enough—And Why Companies Need Clarity

from the when-trying-to-comply-is-evidence-of-failing-to-comply dept

The legal uncertainty created by the General Data Protection Regulation (GDPR) is becoming so common, it’s starting to go unnoticed. In yet another recent example, Poland’s data protection authority (DPA), UODO (“Urząd Ochrony Danych Osobowych” in Polish), fined a European company over €220,000 for failing to comply with a GDPR requirement that companies provide individuals with privacy notices. While it hasn’t drawn considerable attention, this case could have considerable implications for many other European companies. The sanction cuts through expectations that data protection authorities (DPAs) will play a constructive role of both regulators and advisors under the GDPR, and it illustrates that the need to clarify the European privacy law is ever more urgent.

Bisnode, a European digital marketing company that specializes in data analytics, had collected and processed personal data from publicly available registers on six million individuals to provide creditworthiness scores to banks. The company used its access to the email addresses of about 679,000 users to inform them of the processing of their personal data—to which, out of a sample of 90,000 users, only 10 percent objected. But the operational costs of sending letters to the remaining 5.7 million users whose emails were unavailable would amount to €8 million of postal charges, an estimate which did not even include the related administrative costs. As a result, the company decided to publish a general statement on its website to alert the remaining data subjects. However, the Polish DPA decided that Bisnode did not go far enough in upholding its obligations under the GDPR.

The decision to sanction this company is misguided and sets a worrying precedent for two reasons. First, this penalty is a direct consequence of the privacy law’s vague provisions and misleading language, which EU policymakers must urgently clarify. Under Article 14 of the GDPR, organizations collecting and processing personal data must provide privacy notices directly to data subjects. But this obligation does not apply in case providing this information is “impossible, or would involve a disproportionate effort.” The Polish company thought it had fulfilled its obligations under the GDPR, as the exorbitant cost of reaching out to the remaining users could trigger this exception. But while accepting the company’s calculations, UODO regulators did not assess that €8 million would constitute a sufficiently “disproportionate effort.” What is more, because the GDPR is not prescriptive about how companies must provide users with information, UODO claimed that the law does not oblige them to inform users specifically via registered post. Hence UODO considered that a public statement was insufficient because the company could have used other solutions such as sending SMS messages, even though Bisnode did not have telephone numbers for everyone and the costs of doing so would have been high.

Second, this decision calls for a clarification of the role of DPAs under the GDPR. The company had taken a number of proactive steps to comply with the GDPR, yet UODO saw it as nothing more than proof that it was aware of its obligations and thus had intentionally violated them. DPAs should not impose penalties when there is ambiguity in the rules and companies are making an honest effort to comply. Instead, DPAs should play the role of educators so as to facilitate companies’ complex journey towards compliance. Before imposing penalties, they should take into account whether companies acted in good faith when establishing compliance strategies, the extent to which they have implemented compliance procedures internally, and the degree of interpretability of the provisions in question.

Many EU companies have yet to comply with the privacy law and do not expect that they ever will. EU policymakers should realize that the privacy law’s strict and complex requirements may be the main reason why. But the Polish decision shows that compliance may not even be enough. Companies cannot interpret unclear regulations, so they will continue to face unpredictable decisions. Even if a company appeals a decision, it will take time before the final outcome establishes jurisprudence.

EU policymakers and data protection authorities should focus on clarifying the legislation, specifying the technical requirements to provide information, and take into account the costs and difficulties compliance may impose on companies in some cases. Otherwise European businesses will continue to face difficulties interpreting and complying with the GDPR.

Eline Chivot is a senior policy analyst at the Center for Data Innovation, based in Brussels. Daniel Castro is the director of the Center for Data Innovation and vice president of the Information Technology and Innovation Foundation.

Filed Under: data protection, eu, gdpr, penalties, privacy
Companies: bisnode

Mark Zuckerberg To Congress: Okay, Fine, Please Regulate Me And Lock In My Dominant Market Position

from the hey-wait-a-second dept

Let's get a few things out of the way: Facebook deserves much of the crap it's gotten over the past few years. Indifference to serious problems, bad management, and worse practices have put it at the receiving end of a ton of bad press.

At the same time, however, the company's near total inability to do the right things means that when it actually does try to do the right things (like increasing accountability, transparency, and due process in its content moderation practices), people freak out and attack the company. Sometimes people will automatically suspect the worst possible motives. Other times, they'll completely twist what is being proposed into something else. And sometimes their expectations just aren't reasonable. (Of course, sometimes people will be correct that Facebook is just fucking things up again.)

It makes sense that the company may be frustrated by the impossible position it finds itself in, where any solution it trots out gets the company attacked, even when it might actually be a good idea. But that does not mean it should just throw in the towel. Yet it's difficult not to read Mark Zuckerburg's new op-ed in the Washington Post (possible paywall) as an exasperated throwing up of his hands, as if to say, "fine, fuck it, no one likes what we're doing, so here, government, you take over."

Technology is a major part of our lives, and companies such as Facebook have immense responsibilities. Every day, we make decisions about what speech is harmful, what constitutes political advertising, and how to prevent sophisticated cyberattacks. These are important for keeping our community safe. But if we were starting from scratch, we wouldn’t ask companies to make these judgments alone.

I believe we need a more active role for governments and regulators. By updating the rules for the Internet, we can preserve what’s best about it — the freedom for people to express themselves and for entrepreneurs to build new things — while also protecting society from broader harms.

It might be one thing if by tossing out ideas like this, Zuckerberg is basically calling the government's bluff, and saying "if you guys think it's so easy, tell us what to do."

Lawmakers often tell me we have too much power over speech, and frankly I agree. I’ve come to believe that we shouldn’t make so many important decisions about speech on our own.

After all, it's an impossible request that the government will fail at just as Facebook does. And maybe if it did, people would understand just how unreasonable it is to expect Facebook to do any better.But rather than being an effort to help the public and regulators see the futility of so many of the pressures they keep foisting on Facebook, most of the op-ed instead seems like a serious invitation for government regulation.

From what I’ve learned, I believe we need new regulation in four areas: harmful content, election integrity, privacy and data portability.

That said, much of what else Zuckerberg lays out is... disingenuous. Back when Facebook did a huge about face and started supporting FOSTA, a number of startups told me that they fully believed that Zuckerberg and Sheryl Sandberg had decided that (1) it would be costly to comply with FOSTA but (2) that they could handle the expense. Unfortunately the same could not be said for most smaller companies.

Yet here we are again, with Facebook tempting regulation that it thinks it can cope with, regardless of its impact on others.

One idea is for third-party bodies to set standards governing the distribution of harmful content and to measure companies against those standards. Regulation could set baselines for what’s prohibited and require companies to build systems for keeping harmful content to a bare minimum.

Facebook can afford to do this. Startups? Not so much.

People around the world have called for comprehensive privacy regulation in line with the European Union’s General Data Protection Regulation, and I agree. I believe it would be good for the Internet if more countries adopted regulation such as GDPR as a common framework.

New privacy regulation in the United States and around the world should build on the protections GDPR provides. It should protect your right to choose how your information is used — while enabling companies to use information for safety purposes and to provide services. It shouldn’t require data to be stored locally, which would make it more vulnerable to unwarranted access. And it should establish a way to hold companies such as Facebook accountable by imposing sanctions when we make mistakes.

Again, GDPR has already been incredibly costly to startups -- and has had a much bigger impact on them than the giants like Facebook. Yes, it was costly for Facebook to (try to) comply with the GDPR, but it has the money to deal with such things while smaller companies do not.

Zuckerberg knows what's going on. He knows the narrative in the press and in DC has turned very much against the company. He also knows that regulation is very much coming. Furthermore, he knows that part of the narrative is that "Silicon Valley" doesn't want to be regulated. And so he's effectively... er... leaning in on the opportunity to call for regulation. Regulations that he knows Facebook can deal with (and which would somewhat call the bluff of angry Congress critters).

At the time when Facebook made its FOSTA flip-flop, some suspected it was a cynical move designed to give Facebook the dual benefit of positive press coverage for having supported it, while also purposefully ensuring that they'd made life more difficult for all of their potentially disruptive competitors. This op-ed does nothing to quell these suspicions. But even if Facebook is more foolish than disingenuous in calling for more regulation that will inevitably [hurt it too], the reality is the same: it will hurt everyone else even more, and thus essentially lock in Facebook's dominance, since no one else will be able to deal with what regulation Facebook is now calling for, at best indifferent to its effect.

Last year, after Facebook sold out the community by throwing its weight behind the odious FOSTA, we talked about how Facebook lost recess for the rest of Silicon Valley. All had to suffer because of its bad decisions. Now it's even worse, as the class terror purposefully is trying to dictate the terms of his own punishment in a way that is certain to punish everyone else too.

Filed Under: fosta, gdpr, mark zuckerberg, regulation, social media
Companies: facebook

Clash Of EU's Poorly Thought Out Laws: German Data Protection Commissioner Warns That Article 13 Might Violate GDPR

from the fight-fight-fight dept

As we've been noting recently, the EU really seems to be bending over backwards to pass poorly thought out laws about the internet (sometimes, though not always, with the best of intentions). For example, the GDPR certainly seems to have good intentions behind it, but in practice it has been a disaster in many specific cases, where it seems obvious that those who crafted the law simply ignored warnings about how it would intersect with real world situations -- especially those regarding free speech. Then, of course, there's the EU Copyright Directive and Article 13, where as far as I can tell, the EU is rushing forward with this effort, knowing that it's awful, because the entire point of the law is to be so awful that internet companies are pressured into grovelling before Hollywood not to sue them for violating a law with which it is literally impossible to be in compliance with.

Of course, in a bit of irony, at least one German official is recognizing that the intersection of these two laws may, in fact, cause some significant concerns. Despite what supporters have said about Article 13, it will require that most online platforms use upload filters. While supporters insist the law does not say that, when pressed on this issue, they only note that filters are one way to try to comply, and basically say that tech companies might need to "nerd harder" to come up with alternatives. However, in all practicality, this law is a giant government handout to filter companies. Indeed, as we noted, some of the strongest lobbying in favor of Article 13 came from Audible Magic, which is the recognized leading independent upload filtering company (many, many other companies use its technology, with the one major exception being Google, which built its own filtering tech).

TorrentFreak points us to a letter to the EU Parliament from Germany's Data Protection Commissioner (basically, the person in charge of enforcing the GDPR), warning that since there are so few filter companies, and Article 13 will more or less mandate their usage, it will raise significant concerns about all the data those companies (really: Audible Magic) will collect on people and their internet habits. The letter was first translated into English by Florian Mueller, who received an official "approval" from the German Federal Commissioner that his translation was accurate.

The letter starts off by brushing away the silly claim that Article 13 won't require filters:

The Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, therefore warns against the potential consequences of the reform in question: "Even though upload filters are not explicitly mandated by the bill, they will be employed as a practical effect. Especially smaller platform operators and service providers will not be in a position to conclude license agreements with all [copy]right holders. Nor will they be able to make the software develoment effort to create upload filters of their own. Instead, they will utilize offerings by large IT companies just the way it is already happening, for one example, in the field of analytics tools, where the relevant components created by Facebook, Amazon and Google are used by many apps, websites, and services."

From there, Kelber notes that with so few filter vendors on the market, significant data protection concerns are raised about the government mandating these companies basically sift through the entire internet:

"At the end of the day, this would result in an oligopoly consisting of a few vendors of filtering technologies, which would then be instrumental to more or less the entire Internet data traffic of relevant platforms and services. The wealth of information those vendors would receive about all users in the process is evidenced by, among other examples, current media coverage of data transfers by eHealth apps to Facebook."

Therefore, the Federal Commissioner for Data Protection and Freedom of Information sees a clear and present danger of a further concentration of data in the hands of an oligopoly of vendors as an adverse effect of the present EU proposal. Against the background of the decision the Federal Cartel Office [Germany's national antitrust authority] handed down against Facebook a few weeks ago, the objective should actually be to achieve the opposite [of such concentration of data].

Ulrich Kelber calls for further steps to be taken to avert the previously-outlined scenario: "If the EU believes platform operators can meet their new obligations [under the proposed copyright directive] without upload filters, it must make a clear showing. That is why I am awaiting with great interest the [European] Commission's forthcoming recommendations. In the other event, data privacy considerations require a thorough overhaul of the bill. Notwithstanding the need to update the protection of author's rights in our times, such a measure must not harm or compromise the protection of Internet users' data."

In other words, it looks like Article 13 in the EU Copyright Directive might run headlong into the GDPR's restriction on the collection and use of data. This kinda feels like something that should have been thought out way earlier, but seems consistent with the slapdash manner in which the EU is regulating the internet these days: with little to no understanding of how the internet actually works, demands to do the impossible, and threats of massive fines for any company that then fails to do the impossible. This is no way to actually regulate, but apparently it's par for the course in the EU right now.

Filed Under: article 13, copyright, data protection, eu, eu copyright directive, gdpr, germany, monopoly, upload filters
Companies: audible magic

Stupid Patent Of The Month: Veripath Patents Following Privacy Laws

from the your-privacy-is-infringing dept

What if we allowed some people to patent the law and then demand money from the rest of us just for following it?

As anyone with a basic understanding of democratic principles can see, that is a terrible idea. In a democracy, elected representatives write laws that apply to everyone, ideally, based on the public interest. We shouldn't let private parties "own" legal principles or use technical jargon to re-cast those principles as "inventions." 

But that's exactly what the U.S. Patent Office has allowed two inventors, Nicholas Hall and Steven Eakin, to do. Last September, the government proclaimed that Hall and Eakin are the inventors of "Methods and Systems for User Opt-In to Data Privacy Agreements," U.S. Patent No. 10,075,451. 

The owner of this patent, a company called "Veripath," is already filing lawsuits against companies that make privacy compliance software. With Congress and many states actively engaged in debates over consumer privacy laws, Veripath might soon be using this patent to extract licensing cash from U.S. companies as well.

Privacy-For-Functionality isn't an "Invention," it's a Policy Debate

Claim 1 of the '451 patent describes a basic data privacy agreement. An API provides personal information from a software application; then the user is asked for a "required permission" for the use of that information. There's one add-on to the privacy deal: in exchange for the permission, the user gets access to "at least one enhanced function."

The next several claims go on to describe minor variations on this theme. Claim 2 specifies that the "enhanced function" won't be available to other users. Claim 3 describes the enhanced function as being fewer advertisements; Claim 4 describes offering the enhanced function in exchange for a monetary payment.

To say this "method" is well-known is a major understatement. The idea of exchanging privacy for enhanced functionality or better service is so widespread that it has been codified in law. For example, last year's California Consumer Privacy Act (CCPA) specifically allows a business to offer "incentives" to a user to collect and sell their data. That includes "financial incentives," or "a different price, rate, level, or quality of goods or services." The fact that state legislators were familiar enough with these concepts to write them into law is a sign of just how ubiquitous and uninventive they are. This is not technology this is policy.

(An important aside: EFF strongly opposes pay-for-privacy, and is working to remove it from the CCPA. Pay-for-privacy undermines the law's non-discrimination provisions, and more broadly, creates a world of privacy "haves" and "have-nots." We've long sought this change to the CCPA.) 

Follow the Law, Infringe this Patent

Veripath has already sued two companies that help website owners comply with Europe's General Data Protection Regulation, or GDPR, saying they infringe its patent. Netherlands-based Faktor was sued [PDF] on Feb. 15, and France-based Didomi was sued [PDF] on Feb. 22

Some background: Venpath, Inc., a company with a New York address that appears to be a virtual office, assigned the rights in the '451 patent to VeriPath just days before the patent issued in September last year. As it happens, the FTC began enforcement proceedings against VenPath last September. The FTC's complaint [PDF] alleged that VenPath's website represented that "VenPath participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework." The FTC alleged a count of "privacy misrepresentation." It claimed that VenPath "did not complete the steps necessary to renew its participation in the EU-U.S. Privacy Shield framework after that certification expired in October 2017." The FTC issued a Decision and Order [PDF] requiring VenPath to remove the misrepresentations. 

An exhibit [PDF] attached to the complaint shows that one of the named inventors on the patent, Nick Hall, contacted Faktor to ask what its prices were. Hall identified himself as the CEO of VenPath. Once Faktor responded, Veripath sued Faktor in federal court in New York.

In its lawsuits, Veripath claims that basic warnings about cookies on websites, a now-common method of complying with the GDPR, violate its patent. The lawsuit against Faktor notes that Faktor's own website "might not work properly" unless a user consents to having her browser accept cookies.

Veripath and its legal team argue that this simple deal—accepting cookie use, in order to visit websites—is enough to infringe the patent. They also claim that Faktor's Privacy Manager software infringes at least Claim 1 of the patent, and facilitates infringement by others. 

The '451 patent should never have been granted. In our view, its claims are clearly ineligible for patent protection under Alice v. CLS Bank. In Alice, the Supreme Court held that an abstract idea (like privacy-for-functionality) doesn't become eligible for a patent simply because it is implemented using generic technology. Courts have struck down similar claims, like a patent on the idea of conditioning access to content on viewing ads. 

Even when a patent is invalid, defendants face pressure to settle. Patent litigation is expensive and it can cost tens or hundreds of thousands of dollars just to get through the early stages. To really protect innovation we have to ensure that patents like the '451 patent are never issued in the first place. The fact that this patent was granted shows the Patent Office is failing to apply the law.

We are currently urging the public to tell the Patent Office to stop issuing abstract software patents. You can use our Action Center to submit comments.

Republished from the EFF's Stupid Patent of the Month series.

Filed Under: compliance, gdpr, patents, privacy, stupid patent of the month, stupid patents
Companies: venpath, veripath

Be Careful What You Wish For: Demanding Platforms Delete Disinformation May Make It Harder To Understand What Happened

from the watch-out dept

Here's another one in the "be careful what you wish for" category. Over the last few years, under tons of pressure from politicians and many users, various internet platforms have gotten more and more aggressive in removing content and accounts that were credibly accused of spreading disinformation and propaganda. Most people cheered over this, and you can completely understand why. But, that doesn't mean it doesn't create some consequences that might not all be good. J.A. Guerrero-Saade points out that all of this content removal can make things harder for researchers and investigators.

I'm reminded, somewhat, of all the demands in the past (and present) that these platforms need to take down "terrorist" content as quickly as possible. That ignores the fact that "terrorist" content can actually also be evidence of war crimes and atrocities that it might be useful for certain people to see. It also makes it that much more difficult for investigators -- whether government actors or open source investigative reporters -- to track down the perpetrators.

In response to this thread, Facebook's former Chief Security Officer, Alex Stamos, warned that he didn't think the research Facebook conducted over the past few years to find Russian disinfo spreaders would even be allowable under the GDPR:

This, as always, is the kind of thing we've been concerned about from the very beginning with the GDPR. There may be the best of intentions behind it, and "protecting privacy" always sounds good. But there are significant consequences to this, and demanding that private data be locked up, or that "bad" content be deleted as fast as possible, can have significant real world consequences that we might not like very much over the long haul.

Filed Under: alex stamos, deleting information, disinformation, gdpr, historical record, privacy, propaganda