The French Govt's Hand-Rolled Encrypted Messaging Service (Briefly) Allowed Anyone To Pretend They Were A Government Official

from the inauspicious-debut dept

Early last year, news leaked out the French government was building its own encrypted messaging service. This seemed a bit disingenuous when this same government was routinely calling for backdoors in encryption for everyone else. The potential upside of the government rolling its own is that it would push government officials off third-party services and onto a platform where they might not be compromised along with everyone else if or when these privately-run platforms were hacked/backdoored.

The problem with rolling your own encryption is it's a more daunting task than those asking for it imagine it will be, as Mike Masnick pointed out in last year's post.

However, doing encrypted messaging well is... difficult. It's the kind of thing that lots of people -- even experts -- get wrong. Rolling your own can often get messy, and you have to bet that a government rolling its own encryption for government officials to use is going to be a clear target for nation-state level hackers to try to break in. That's not to say it can't be done, but there are a lot of tradeoffs here, and I'm not sure that the best encryption is going to come from a government employee.

So far, this warning has proven true. The best encryption hasn't come from a government employee. At least, not yet. As Sean Gallagher writes for Ars Technica, the government's handmade messaging service, Tchap, has already been broken by a security researcher.

The name servers set up by the departments and ministries of the French government running Matrix's code were parsing email addresses submitted for new accounts to check against existing email addresses within their directory services. After doing code analysis on the Tchap package posted to Google's Play store, [researcher Baptiste] Robert used the Frida proxy tool to alter a Web request for a new account from the app to pass a crafted email address value that grafted his own address onto a known account on the targeted directory server—presidence@elysee.fr, the official email address of the Élysée, the official residence of France's president. The value sent to the server used an @ symbol to separate the two addresses (anaddress@protonmail.com@presidence@elysee.fr).

Because of the way the directory service validated the email address, it matched the address in the second half of the pair with the known address. But the code that parsed the address for the validation email on the server side, which was built with the Python email.utils module, trimmed off everything after the first valid address. That means Robert got an email back for verification of the account, and the server thought the address was an official government account.

Not only was Robert able to get his faux account validated within two hours of downloading the app, he was also able to obtain plenty of info linked to other government account profiles. On the bright side, the team behind the app reacted quickly to notification of the security flaw and suspended account creation until it could be patched. The French government has also instituted a bug bounty program for Tchap, which will hopefully result in further flaws being addressed before they're exploited by criminals or state-sponsored hackers.

To be fair, Tchap is still in its "beta" stage. But that's not much comfort considering it was rolled out for use in this state, exposing government employees' personal account info and allowing any outsider to take a seat at the Tchap table just by exploiting the system's less-than-robust validation process.

Filed Under: encryption, france

Be Careful What You Wish For: Twitter Temporarily Bans 'Get Out The Vote' Ads To Comply With 'Fake News' Law

from the why-does-no-one-ever-think-these-things-through dept

If there's one consistent theme that we've talked about on Techdirt over the past few decades, it's that attempts to regulate the internet based on a specifically observed "harm" almost always leads to bad outcomes. That's because trying to regulate away a harm frequently fails to take into account context and the specifics of how such laws would be interpreted. For example, over the last few years, there's been plenty of concern about fake news and questionable "political advertising" that is really just, let's say, "propaganda" from parties wishing to mess up the democratic process, rather than actually encourage effective democracy. Because of this we've seen attempts to pass "fake news" laws and "online political ads" laws that clearly come from a place of good intentions (mostly), but the actual impact can be far reaching and lead to unintended consequences.

For example, just last week people suddenly realized that, with the EU Parliamentary elections coming up next month, and France's new anti-fake news political advertisements law, that Twitter would be blocking the French government's own "get out the vote" advertising campaign:

Since December, France requires online political campaigns to declare who paid for them, and how much was spent.

But now Twitter has rejected a government voter registration campaign.

The company could not find a solution to obey the letter of the new law, officials said – and opted to avoid the potential problem altogether.

Of course, rather than realize that maybe the law they wrote was too broad, French government officials immediately... blamed Twitter. Oh, and they did so on Twitter.

That's France's Minister of the Interior saying "Twitter's priority should be to fight content that glorifies terrorism. Not campaigns to register on the electoral lists of a democratic republic." But, of course, that ignores that it was France's own extreme position on the law that lead Twitter to conclude the best way to comply was to block all political advertising, rather than go through the arduous process of keeping track of which political ads are allowed, which are banned, and to provide an open database of information about all of those ads.

Other French officials also complained... also on Twitter. Minister of Culture Franck Reister -- most recently seen eagerly cheering on censorship filters -- also chose to attack Twitter for trying to comply with France's bad law:

That one roughly says:

We must put an end to the irresponsibility of the platforms: @ Twitter pretends not to understand a law allowing simply a better information of the citizens during an electoral period ... whereas @ facebook has decided to apply it, in anticipation, in all the countries !

Note the focus: blaming Twitter for deciding it was too burdensome to host political ads, rather than recognizing it was the French law that made it so. Also, pointing to Facebook as a "good example" of agreeing to go through the arduous process kind of misses the whole point: the bigger companies (Facebook is a hell of a lot bigger than Twitter) can more easily comply with these laws, while smaller platforms find it too expensive. But, no matter. France's Minister of Culture assumes that all companies should have to spend tons of money just so his government can advertise on them.

Then there's Cedric O, the country's digital minister, who apparently thinks that Twitter should be forced to host some kinds of political advertising, because "the vote is sacred."

Right. The vote is sacred. But it was your government that passed a law that made it quite expensive to host any such advertising. Stop blaming the platforms for reacting appropriately to your bad laws.

Either way, after getting so much pressure in France, the company did back down, saying it was "clarifying" its political advertising rules in France to allow "Get Out The Vote" ads. So perhaps this is a happy ending situation, but what's most annoying is how French officials seem to think their own bad lawmaking is never the problem -- and that internet platforms making rational decisions based on the costs of complying with overreaching laws somehow reflects poorly on the platforms, rather than on their legislative abilities.

Filed Under: france, get out the vote, political advertising, regulations
Companies: twitter

After Insisting That EU Copyright Directive Didn't Require Filters, France Immediately Starts Promoting Filters

from the because-of-course dept

For months now we've all heard the refrain: Article 13 (now Article 17) of the EU Copyright Directive would not require filters. We all knew it was untrue. We pointed out many times that it was untrue, and that there was literally no way to comply unless you implemented filters (filters that wouldn't work and would ban legitimate speech), and were yelled at for pointing this out. Here's the MEP in charge of the Directive flat out insisting that it won't require filters last year:

Over and over and over again, this is what they insisted. Of course, we all knew it wasn't true, and the German government quietly admitted that filters were necessary a few weeks ago. That didn't stop the vote from happening, of course, and the Parliament questionably moving forward with this plan. Still, it's rather striking that just a day after the vote, as pointed out to us by Benjamin Henrion, France's Minister for Culture gave a speech in which he admits that it requires filters and hopes that France will implement the law as quickly as possible in order to start locking down the internet. The quotes here are based on Google translate, so they may not be perfect, but you get the idea. Incredibly, in talking about the Directive, Riester starts off by saying that the passing of the Directive was "despite massive campaigns of misinformation" which seems rather ironic, since it's now clear the misinformation came from those who insisted it didn't require filters, because soon after that he says:

I also announce that the Higher Council of Literary and Artistic Property, the HADOPI and the CNC will jointly launch in the coming days a "Mission to promote and supervise content recognition technologies".

In other words, now that the law is passed, it's time for everyone to install filters.

Riester also suggests that France may be the first to transpose the Directive into French law, meaning that it may be implemented long before required under the Directive. As he said: "there is no time to lose on this subject." If you're a site that has any user-generated content in France, good luck. Your government just sold you out. Of course, if you're a company selling filters, I guess send your lobbyists over to Paris quick and cash in.

Filed Under: article 13, copyright, eu copyright directive, filters, france, franck riester, minister of culture

New Report: Germany Caved To France On Copyright In A Deal For Russian Gas

from the horse-trading:-the-public-internet-for-russian-gas dept

In the hours leading up to the vote in the EU Parliament on the EU Copyright Directive, the German publication FAZ (which has been generally supportive of the Directive) has released quite a bombshell (in German), suggesting that the reason Germany caved to France on its terrible demands concerning copyright was in order to get France's approval of the controversial Nord Stream 2 gas pipeline from Russia.

If you don't recall, the German delegation had actually pushed back on the more extreme versions of Article 13 -- and, in particular, had demanded that a final version have a clear carve-out for smaller companies, so as not to have them forced out of business by the onerous demands of the law. However, after some back and forth, Germany caved in to France's demands, with many left scratching their heads as to why. However, some noted the "coincidence" in timing, that right after this, France also withdrew its objections to the pipeline which is very controversial in the EU (and the US, which is threatening sanctions).

FAZ notes that there were whispered rumors about Germany and France basically trading these two proposals, with Germany effectively selling out the open public internet in exchange for easier access to Russian gas. However, it has now seen documents that support this claim. Germany's economic minister, Peter Altmaier apparently promised startups that Germany would not cave on its promise to create a carve-out for all companies with less than 20 million euros in revenue per year -- only to drop that demand the very next day.

According to FAZ, the French delegation directly suggested the idea of France backing away from its opposition to the Nord Stream 2 pipeline if Germany backed away from its concerns about Article 13. And, voila, within days, Germany gave up on its demands regarding Article 13 and, a few days later, France switched sides and agreed to support the pipeline. So, as the German MEPs go to the polls tomorrow, we'll see if they think it was a fair deal to sell out the public internet in exchange for some Russian gas.

Filed Under: article 13, copyright, eu copyright directive, france, germany, internet, nord stream 2, oil, pipelines, russia

Article 13 Is Back On: Germany Caves To France As EU Pushes Forward On Ruining The Internet

from the bad-news-for-memes dept

When last we checked in on the EU Copyright Directive it had been put on hold when the European Council (with representatives from all the member states) didn't have enough votes to move forward on a so-called "compromise" draft. Most of the council rejected it for the right reasons -- though a few (including France) were holding out to make the law worse. Since then there has been an ongoing back channel negotiation between France and Germany over whose vision would win out. Both of them support very problematic versions of the Directive, though France's is worse. Specifically, France doesn't want any exemptions for smaller internet websites in Article 13 (which will effectively make internet filters mandatory), while Germany wanted to include at least some safe harbors for smaller sites. After a bunch of back and forth, it's now being reported that Germany has caved to France and will now support the Directive, with very little in the way of protections for smaller sites. This is on top of all the other awful stuff in the Directive, including mandatory filtering (that they pretend is not mandatory filtering), huge fines, and liability for any site allowing infringement. The draft apparently still includes a weird and mostly useless safe harbor for sites hosting user-generated content -- which is what made the legacy entertainment industry bail out on its support of the Directive.

So, to be clear, there is now a draft that is worse than the draft that couldn't get the Council's approval a few weeks ago, and that will have an even bigger impact on the internet by sweeping up tons of smaller sites as well as the larger ones, which will do serious harm to any sites that host user-generated content. And you can't find anyone -- outside of the company selling internet filters -- who supports this. The internet companies are all still against the bill. The legacy entertainment companies are whining that it doesn't go far enough.

And, yet, this draft is likely to be added back on the schedule for a meeting this Friday.

There is nothing good about this. The EU bureaucrats negotiating this get really, really annoyed by anyone suggesting that this bill will kill off "memes," but that's not an exaggeration. The bill is literally designed to make it impossible for a site that has not purchased licenses from everyone to allow users to post new content. Meme culture was built almost entirely on free and open message boards and social media, without licenses. But hosting such a site in the EU will now be effectively impossible -- or very, very expensive, with massive restrictions, filters and lockdowns. In such a world, it is difficult to see how new memes can take off, outside of a narrowly prescribed set of "officially sanctioned/licensed" memes -- and we all know what kind of quality that will bring.

This whole thing is an exercise in stupidity, brought about by a cynical legacy entertainment industry that made up a fake concept called "the value gap" that they insisted needed to be closed. And the only way to "close" it, according to the very same lobbyists, was to effectively turn off what made the internet great: the fact that it is, and has always been, an open medium for communication and sharing.

This can still be stopped, but it's going to rely on the EU Parliament actually having a backbone and saying that this is not acceptable. And that is going to require people in Europe to contact their MEPs and telling them not to wreck the internet.

Filed Under: article 11, article 13, copyright, eu, eu copyright directive, eu council, filters, france, germany, intermediary liability, mandatory filters, memes, safe harbors, trilogue negotiations

French Defense Secretary Says Country Is Willing To Fire First In Cyber Wars

from the only-good-things-can-come-of-this dept

Over the past few years, politicians and intelligence officials have floated the idea of hacking back. When not pushing the idea of treating cyber wars like declarations of actual war, these officials have seen nothing wrong with hacking back against cyberattackers or allowing private companies to do the same.

It may seem like there's nothing wrong with a "best defense is a good offense" theory of deterrence, but it's not that simple. First of all, attribution is often more difficult than these officials imagine. Hacking back against the wrong party is only going to escalate tensions. At worst, it could result in international incidents where those hacking back have broken laws in other countries. At best, it will just become another forever war countries throw money at -- one that's sure to result in expanded government power at the expense of the taxpayers, both in terms of tax dollars and civil liberties.

France has been scratching its itchy trigger finger for awhile now. Roughly a year ago, the government shot down a proposal giving private companies the right to retaliate against cyberattacks. It felt doing so would only lead to further "instability in cyberspace." That assessment is likely correct. But the French government apparently only felt private hack backs would lead to instability. If the government did it, no such instability should occur… apparently.

As far as offensive actions are concerned, the [Strategic Review of Cyberdefense] may not want companies to unleash hack-backs after an online attack, but it does want to keep that option open for the French authorities.

Not sure how a government-run cyberattack would lead to greater stability, but there you have it. The French government is apparently so confident in its ability to carry out non-destabilizing cyberattacks that it's not even going to wait around to get hacked first. Defense Secretary Florence Parly had this to say at a recent cybersecurity forum:

“The cyber weapon is not only for our enemies,” said France’s defence secretary this afternoon, speaking through a translator. “No. It’s also, in France, a tool to defend ourselves. To respond and attack.”

Her remarks will be seen as moving the debate about offensive cyber capabilities – not just so-called “active defence” but using infosec techniques as another weapon in the arsenal of state-on-state warfare – to a new level. Coming from a prominent NATO member and EU country, it could set the tone for future discussion of nation states' offensive cyber doctrines.

If France is going to start a cyberwar, it's not going to do it alone. Parly also called for "more cooperation and partnerships" from other European governments, suggesting their asses will also be on the line if France kicks off WWIII/CyberWar I with a misdirected cybersortie. While Parly is correct in her assessment that cyber threats are border-less, it seems a little audacious to suggest everyone else is obligated to bail you out if you take the lead in hacking forward.

Filed Under: cyberattacks, first strike, france, hack back

Some EU Nations Still Haven't Implemented The 2013 Marrakesh Treaty For The Blind

from the copyright-trumps-compassion dept

The annals of copyright are littered with acts of extraordinary stupidity and selfishness on the part of the publishers, recording industry and film studios. But few can match the refusal by the publishing industry to make it easier for the blind to gain access to reading material that would otherwise be blocked by copyright laws. Indeed, the fact that it took so long for what came to be known as the Marrakesh Treaty to be adopted is a shameful testimony to the publishing industry's belief that copyright maximalism is more important than the rights of the visually impaired. As James Love, Director of Knowledge Ecology International (KEI), wrote in 2013, when the treaty was finally adopted:

It difficult to comprehend why this treaty generated so much opposition from publishers and patent holders, and why it took five years to achieve this result. As we celebrate and savor this moment, we should thank all of those who resisted the constant calls to lower expectations and accept an outcome far less important than what was achieved today.

Even once the treaty was agreed, the publishing industry continued to fight against making it easier for the visually impaired to enjoy better access to books. In 2016, Techdirt reported that the Association of American Publishers was still lobbying to water down the US ratification package. Fortunately, as an international treaty, the Marrakesh Treaty came into force around the world anyway, despite the US foot-dragging.

Thanks to heavy lobbying by the region's publishers, the EU has been just as bad. It only formally ratified the Marrakesh Treaty in October of this year. As an article on the IPKat blog explains, the EU has the authority to sign and ratify treaties on behalf of the EU Member States, but it then requires the treaty to be implemented in national law:

In this case, the EU asked that national legislators reform their domestic copyright law by transposing the 2017/1564 Directive of 13 September 2017. The Directive requires that all necessary national measures be implemented by 12 October 2018. Not all member states complied by this deadline, whereby the EU Commission introduced infringement procedures against them for non-compliance. The list of the non-compliant countries is as follows:

Belgium, Cyprus, Czech Republic, Germany, Estonia, Greece, Finland, France, Italy, Lithuania, Luxembourg, Latvia, Poland, Portugal, Romania, Slovenia, UK

The IPKat post points out that some of the countries listed there, such as the UK and France, have in fact introduced exceptions to copyright to enable the making of accessible copies to the visually impaired. It's still a bit of mystery why they are on the list:

At the moment, the Commission has not published details regarding the claimed non-compliance by the countries listed. We cannot assume that the non-compliance proceedings were launched because the countries failed to introduce the exceptions in full, because countries can also be sanctioned if the scope of the exception implemented is too broad, so much so that it is disproportionately harmful to the interest of rightsholders. So we will have to wait and see what part of the implementation was deemed not up to scratch by the Commission.

As that indicates, it's possible that some of the countries mentioned are being criticized for non-compliance because they were too generous to the visually impaired. If it turns out that industry lobbyists are behind this, it would be yet another astonishing demonstration of selfishness from publishers whose behavior in connection with the Marrakesh Treaty has been nothing short of disgusting.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: belgium, blind, copyright, eu, finland, france, germany, greece, italy, marrakesh treaty, poland, publishers, uk

Pompous 'International Grand Committee' Signs Useless But Equally Pompous 'Declaration On Principles Of Law Governing The Internet'

from the they're-really-going-all-in-on-this dept

So just a few weeks after a bunch of countries (and companies and organizations) signed onto a weird and mostly empty Paris Call for Trust and Safety in Cyberspace, a group of nine countries -- Argentina, Belgium, Brazil, Canada, France, Ireland, Latvia, Singapore and the UK, have declared themselves the "International Grand Committee on Disinformation and Fake News" and signed onto a Principles of the Law Governing the Internet. If that list of countries sound familiar, that's because it's the same list of countries that put on that grandstanding inquisition of Facebook that produced fake news in its own way, by falsely claiming that Facebook had discovered Russians extracting 3 billion data points via its API back in 2014 (it wasn't Russia, it was Pinterest; it wasn't 3 billion, it was 6 million; it wasn't abuse of the API, but using it correctly).

The Declaration makes some grand pronouncements:

Noting that:— the world in which the traditional institutions of democratic government operate is changing at an unprecedented pace; it is an urgent and critical priority for legislatures and governments to ensure that the fundamental rights and safeguards of their citizens are not violated or undermined by the unchecked march of technology; the democratic world order is suffering a crisis of trust from the growth of disinformation, the proliferation of online aggression and hate speech, concerted attacks on our common democratic values of tolerance and respect for the views of others, and the widespread misuse of data belonging to citizens to enable these attempts to sabotage open and democratic processes, including elections.

Affirming that:— representative democracy is too important and too hard-won to be left undefended from online harms, in particular aggressive campaigns of disinformation launched from one country against citizens in another, and the co-ordinated activity of fake accounts using data-targeting methods to try manipulate the information that people see on social media.

Believing that:— it is incumbent on us to create a system of global internet governance that can serve to protect the fundamental rights and freedoms of generations to come, based on established codes of conduct for agencies working for nation states, and govern the major international tech platforms which have created the systems that serve online content to billions of users around the world.

Okay. So what does it all mean? Well, here are the details of the "declaration":

i. The internet is global and law relating to it must derive from globally agreed principles;
ii. The deliberate spreading of disinformation and division is a credible threat to the continuation and growth of democracy and a civilising global dialogue;
iii. Global technology firms must recognise their great power and demonstrate their readiness to accept their great responsibility as holders of influence;
iv. Social Media companies should be held liable if they fail to comply with a judicial, statutory or regulatory order to remove harmful and misleading content from their platforms, and should be regulated to ensure they comply with this requirement;
v. Technology companies must demonstrate their accountability to users by making themselves fully answerable to national legislatures and other organs of representative democracy.

Of course, in the context of the committee who created this Declaration having now been revealed to have created "fake news" itself, this kind comes off pretty... weak. But also, the whole thing is kind of meaningless. The companies do recognize their "power" and have been trying to deal with this issue. Yes, perhaps they didn't grasp the severity of the issue in the past, but they certainly have more recently. But simple declarations and pronouncements don't really do anything useful in "solving" those issues. That's because much of it is a human nature issue, and expecting tech companies to "take responsibility" for human nature is... well... nonsense.

Filed Under: argentina, belgium, brazil, canada, content moderation, disinformation, fake news, france, internet regulation, ireland, latvia, prais call, singapore, uk
Companies: facebook

New GDPR Ruling In France Could Dramatically Re-shape Online Advertising

from the not-going-with-the-consent-flow dept

The EU's General Data Protection Regulation only came into force in May of this year. Since then, privacy regulators across the EU have been trying to work out what it means in practice. As Techdirt has reported, some of the judgments that have emerged were pretty bad. A new GDPR ruling from France has just appeared that looks likely to have a major impact on how online advertising works in the EU, and therefore probably further afield, given the global nature of the Internet.

The original decision in French is rather dense, although it does include the use of the delightful word "mobinaute", which is apparently the French term for someone accessing the Internet on a mobile device. If you'd like to read something in English, Techcrunch has a long and clear explanation. There's also a good, shorter take from Johnny Ryan of the browser company Brave, which is particularly interesting for reasons I'll explain below.

First, the facts of the case. The small French company Vectaury gathers personal information, including geolocation, about millions of users of thousands of mobile apps on behalf of the companies that created them. It analyzes the data to create user profiles that companies might want to advertise to:

We continuously analyse, classify and enrich hundreds of thousands of profiles in order to offer you big data predictive models and actionable audience segments at any time. Our geo-profiling algorithm relies on a framework of more than 80 million points of interest around the world, grouped into 450 categories.

Vectaury sells access to those profiles using a standard industry technique known as "real-time bidding" (RTB). This really does happen in real-time: advertisers can bid to display their ads on Web pages as they are loading on a user's mobile. The key benefit is that it allows ads to be tightly targeted to audiences that are more likely to respond to them. However, to do this, personal information has to be sent to many potential advertisers so that they can submit their (automated) bids.

That's a problem under the GDPR, since users are supposed to give their consent before personal data is transmitted to companies in this way. To get around that problem, the industry has developed what are known as consent management platforms (CMP). In theory, these allow users to pick and choose exactly what kind of information is sent to which advertisers. But in practice they usually amount to a top-level button marked "I accept", which everyone clicks on because it's too much effort going through the subsidiary pages that lie underneath. The top-level acceptance grants permission to all the bundled advertisers, hidden in lower levels of the CMP, to use personal data as they wish.

When the French data protection authority CNIL carried out an on-site inspection of Vectaury, it found the company was holding the personal data of 67.6 million people. However, it did not accept that Vectaury had been given meaningful permission to use that data through the use of the bundled permission system. In a trail-blazing decision, CNIL said that Vectaury couldn't simply point to contracts that required its partners to ask users for permission to share personal data: Vectaury had to be able to show that it had checked it really did have permission from everyone whose data it had acquired.

That ruling is not just a big problem for Vectaury -- it's hard to see how it could possibly confirm consent for the 67.6 million people whose data it holds. It's also a problem for the online advertising industry in Europe, which uses a framework for GDPR "consent flow" that has been created by industry trade association and standards body, IAB Europe. Vectaury's system is essentially the same as IAB Europe's, so it would seem that the latest ruling by the French data protection authority also calls into question the industry standard technique for obtaining consent that is vital for the RTB process. Without that "consent flow", it is not possible to share personal data so that automated real-time bids can be submitted.

If that interpretation is correct, it would mean that RTB as currently practiced in the EU will no longer be allowed. In fact, the RTB system was already under threat because of a GDPR complaint filed a couple of months ago with the Irish Data Protection Commissioner and the UK Information Commissioner, which notes:

Every time a person visits a website and is shown a "behavioural" ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers' bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as an "bid request" in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.

The three complainants are Jim Killock, Executive Director of the Open Rights Group, Michael Veale of University College London, and Johnny Ryan of Brave, mentioned above. His blog post about the new French GDPR ruling concludes:

This is the latest in a series of decisions published by CNIL against adtech companies. ... What marks this decision apart are the broad implications for RTB, and for the IAB consent framework.

It could also be a problem for Google, which relies on a similar approach for its own real-time ad bidding system. The potential implications of the CNIL ruling across the EU are a further indication of the massive long-term impact the GDPR will have on the Internet, perhaps in multiple and unexpected ways.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: advertising, france, gdpr, online advertising, privacy, real time bidding
Companies: vectuary

French Tax Officials To Start Digging Through Social Media Posts For Expensive Cars It Thinks You Can't Afford

from the faking-it-til-you-make-it-possibly-a-tax-code-violation dept

In a weird announcement threatening the commencement of pointless government monitoring, a French official says tax cheats will now be outed by their own selfies. (via Reason)

France’s tax administrators will start searching through social media accounts in early 2019, a pilot project in the fight against tax avoidance, Budget Minister Gerald Darmanin told weekly business TV show Capital.

[...]

"(The fiscal administration) will be able to see that if you have numerous pictures of yourself with a luxury car while you don’t have the means to own one, then maybe your cousin or your girlfriend has lent it to you... or maybe not," Darmanin said.

I guess French tax collectors will be scrolling through social media profiles with lists of tax dodgers and a keen appraiser's eye. There may be several reasons people have expensive items showcased on social media, and not all of them will have anything to do with ill-gotten net gains. A very common internet pastime is presenting your life as more exciting, dynamic, and filled with material goods than it actually is. Photoshop may be involved. Some of what tax officials come across will be evidence of nothing more than self-esteem issues.

However, this statement may not actually reflect what French tax officials have in mind. This may just be an inelegant (and partially inaccurate) depiction of the program being put in place. It appears this social media monitoring will follow the UK's lead, which doesn't have much to do with scanning social media posts for inexplicable luxury cars. If the French are on the UK Plan, as this article suggests, auditors will bury themselves in mountains of data and hope the algorithm sorts the cheats from the dreamers.

Here's what Her Majesty's Revenue and Customs [HMRC] is doing to track down tax fraudsters:

Tax authorities plan to increase the amount of data Her Majesty Revenue and Customs (HMRC) hold and can analyze. They’ve done this by extending their legal right to gather data from merchant service providers and data aggregators, including those that are based outside of the UK. This is a crucial step, as many Tax Avoidance schemes use businesses and trusts based overseas. They also now have the power to hold an online market place liable if a trader sells goods in the UK without paying tax on it.

Secondly, there will be data gathering and monitoring of certain high-risk groups. These include previous tax evasion and avoidance offenders, who will have data gathered on them for several years after they are convicted. Certain affluent individuals will also be monitored as they have been identified as a high-risk group because those with overseas business assets or connections are at a greater risk of offending.

The monitoring includes social media, but it's only a small part of the data haul.

The UK's HM Revenue & Customs (HMRC) will "observe, monitor, record and retain internet data" which is available to everyone, including blogs and social networking sites where no privacy settings have been applied, it has specifically confirmed in an update to its guidance on criminal investigations for tax offences.

Having a public account means the public -- and the government -- can see everything you post. That includes stuff it may try to use against you -- in this case, expensive items the government feels you can't afford.

And, lest we think we're any better than our European counterparts, the IRS has been doing the same thing in the States for years. And it's possibly been breaking the law the whole time.

The Internal Revenue Service is breaking several laws by mining large data sets and combing through social media posts in its search for people to audit, a Washington State University professor says.

Kimberly Houser, a clinical assistant professor of business law, in WSU’s Carson College of Business, said the IRS is breaking federal privacy law that says citizens should be:

– Informed when the government is collecting data on them.

– Given the chance to review and correct the information.

Such policies are required by the fair information practices incorporated into the Privacy Act of 1974.

The ACLU also argues the IRS's collection of communications violates the Electronic Communications Privacy Act and skirts warrant requirements. The IRS has agreed to stop gathering emails but made no promises about text messages and social media posts.

Of course, the IRS doesn't need a warrant to collect publicly-viewable posts. Text messages, however, definitely aren't public. But it isn't really clear the IRS is collecting these without a warrant. The IRS does have Stingray devices capable of intercepting text messages, but if it has done so, nothing about this use of cell tower spoofers has made it into the public domain. More likely, the IRS has interpreted the ECPA "abandonment" rule -- which allows the government to collect email older than 180 days without a warrant (treating it as abandoned physical mail) -- to cover text messages and social media posts.

Basically, what the French government is threatening to do is something several other governments already do. It's just that none have announced it quite this badly. Trawling social media posts for inexplicable wealth may trap a few tax cheats, but it's far more likely to produce false positives and piles of mostly-useless data for investigators to dig through.

Filed Under: france, social media, taxes, uk