Google is putting into action a system that connects your digital identity to your credit and debit card purchases in brick-and-mortar stores. Its partner companies performing the analysis reportedly have access to 70% of U.S. credit and debit card transactions. Google’s objective in this new massive data linkage is to connect its online ads to success in sales, even in offline settings. It uses what it calls “double-blind encryption” to prevent retailers from knowing Google user identities and prevent Google from knowing real-world shopper identities. Privacy rights groups are expressing deep skepticism that personal identities will be secure under this system or stand up against hacking attempts. Google will now be able to link browsing history, search terms, and location to purchase history.
Source: Washington Post
The BROWSER internet privacy bill, sponsored by House Republicans, is being lobbied against by Google and Facebook representatives. The bill would require an opt-in by internet users before location and browsing history are used for advertising. Websites and ISPs would face repercussions from the FTC if they break privacy restrictions. The Internet Association is claiming that the regulations would stifle innovation (same argument used against net neutrality) and “upend the consumer experience.” The current paradigm for targeted ads and tracking is opt-out, although we consumers cannot really opt out of tracking. The Internet Association was founded by members of Google and Facebook, and includes similar big companies such as Amazon, Dropbox, and Netflix.
After taking part in rolling back privacy protections enacted by the FCC, House Republican Marsha Blackburn (Tenn.) introduced a bill containing some of the same restrictions, but this time under FTC jurisdiction. Called “Balancing the Rights of Web Surfers Equally and Responsibly” (BROWSER), the bill requires ISPs and internet companies to obtain consent before using location and browsing history for targeting ads. Compared to the recently struck-down FCC rules, this constraint would apply not just to ISPs, but to companies like Facebook and Google. In addition, BROWSER would forbid any denial of service to users who do not opt in to tracking. Co-sponsors of the bill include Brian Fitzpatrick (R-Pa.) and Bill Flores (R-Tex.).
Source: Investor’s Business Daily
Last Thursday, the FCC voted 2:1 to formally propose to eliminate net neutrality rules. Chairman Ajit Pai applauded the vote for putting “technologists and engineers” at “the center of the online world,” rather than “lawyers and accountants.” [This, despite overwhelming support by technologists and engineers for net neutrality.] [And this, despite the very probable involvement of lawyers and accountants in deciding which websites receive faster or slower access.] The approved proposal rescinds classification of broadband internet as a Title II telecommunications service. Commissioner Clyburn offered a dissenting statement, referring to the proposal as Destroying Internet Freedom and arguing that it contains a “hollow theory of trickle-down internet economics.” She disputes that removing regulations will in any way improve service to consumers. Though the proposal has been approved, it now enters a 3-month comment period before the FCC votes on whether to adopt the rule. This means there is more time to make specific comments on the proposal and defend net neutrality.
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) has fined Facebook €150,000 ($166,400) for violation of data privacy. CNIL finds that the social networking site continues to collect sensitive user data without explicit consent and tracks activity on third-party sites through cookies without informing internet users. This is after CNIL gave Facebook 3 months to stop tracking non-users and transferring data to the USA. Facebook retains user IP addresses for the life of user accounts, which, CNIL says, the company has not demonstrated a need for. Facebook released a statement that it “respectfully disagree[s]” with CNIL’s findings, arguing that it should follow the data protection rules of Ireland, the country where its European headquarters resides. Other European data protection authorities (DPAs) have been investigating Facebook’s data behavior alongside France, and the Dutch DPA concurred on Tuesday that Facebook provides users “insufficient information about the use of their personal data.” In 2018, new European regulations will go into effect that could fine companies up to 4% of their global turnover (Facebook has about $27 billion in revenue in one year).
Source: The Verge
In 2016, London’s Royal Free Hospital (RFH) provided medical records of 1.6 million patients to Google to test a Streams AI app for acute kidney damage. These records, all identifiable patient data, were transferred to Google’s DeepMind and processed as “implied consent for direct care.” The data included full names, HIV diagnoses, drug overdoses, abortions, and other medical events. The purpose of the Streams AI app was to help doctors intervene and quickly administer treatment, but it is not in use. This month, the National Data Guardian for the UK, Dame Fiona Caldicott, sent a letter to RFH stating that sharing medical data with Google under the guise of implied consent was wrong; the use of patient data to develop new technology is not direct care. If the Information Commissioner’s Office concurs with the assessment, Google must delete the data. DeepMind’s chief claims that the patient data has not been shared with other Google products or used for commercial purposes [kind of scary that this has to be claimed].
Allegations from an anonymous whistleblower claim that London’s Metropolitan Police enlisted the services of hackers in India to access email accounts of activists, including campaign organizers and journalists. The whistleblower claims to be a current detective and accuses the Met’s Domestic Extremism unit of unlawfully tracking such email activity for years. As proof, the anonymous tipster provided email passwords of 10 individuals claimed to be targeted, five of which have been independently confirmed as correct. One of the targets, Greenpeace activist Colin Newman, reports feeling violated, as his email account contains not just event planning but intimate details of personal counseling. The Independent Police Complaints Commission is now investigating the unit’s collection of email data and shredding of a large volume of documents in 2014. The interception of emails without evidence of investigating serious crimes constitutes unlawful spying on protest groups.
Source: UK ArsTechnica
A nice little piece on the surveillance economy appeared in the New York Times Magazine this week. Whereas I’ve usually considered data to be the currency in the big data economy, this piece frames privacy as what we’re trading in when we surf the Internet. Writer Amanda Hess cites many of the jarring privacy news items of this month, year, and decade: the revelation of Unroll.Me’s sale of inbox Lyft receipts to Slice Intelligence and Uber, the attribution of porn-related Reddit comments to a man in a red sweater who asked a question during a presidential debate, and remarks from Rep. F. James Sensenbrenner Jr. (R-Wis.) on internet privacy: “Nobody’s got to use the internet.” [Not true.]
Hess remarks on how privacy wasn’t always viewed so positively, and how in ancient Greece, sticking to the private realm, “idion,” meant that citizens were not adequately engaging in public life. Her main argument about privacy as luxury is that celebrities and other high-profile individuals (see Zuckerberg, Trump, Spicer, and Hannity) request and obtain privacy, while it is denied to those who can’t pay for it. This results in an inversion of the history of privacy, which belonged to the humble lower class, or “common” people.
Members of the Guardian newspaper’s Soulmates dating service were victims of a data breach where user IDs and email addresses were exposed online due to “human error.” Soulmates users report being targeted with sexually explicit email referring to information only available on their dating profiles. Once adversaries had access to the email and user ID, they could then obtain information on users’ public profiles, including physical descriptions, relationship categories sought, and photos. The Guardian blamed a third-party contractor for the data breach, which has reportedly now been patched up. Some users who were no longer active and no longer paying for the site were surprised to find that they were included in the targeted spam, indicating that Guardian Soulmates did not actually delete their profiles, and so they were still susceptible to data breaches.