May 2, 2022
Headwinds | The Cat Herder, Volume 5, Issue 16
May 2 · Issue #178
A lot of Facebook. Is Captain Samuel Ramsel real? 😼
These ads are wild. Full page in today’s IT. I don’t actually want to know how to spot being surreptitiously recorded. I just want to, you know, not be surreptitiously recorded. https://t.co/eO2jrpcc7C
The companies that have complied with the bogus requests include Meta Platforms Inc., Apple Inc., Alphabet Inc.’s Google, Snap Inc., Twitter Inc and Discord Inc., according to three of the people. All of the people requested anonymity to speak frankly about the devious new brand of online crime that involves underage victims. The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse, according to the six people. The tactic is considered by law enforcement and other investigators to be the newest criminal tool to obtain personally identifiable information that can be used not only for financial gain but to extort and harass innocent victims.
Data From Fake Legal Requests Used to Sexually Extort Minors (FB, GOOG, TWTR) - Bloomberg
Major technology companies have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators.
Even Facebook doesn’t know how Facebook works, which is such a common feature of large, complex systems that I’ve long suspected this is the case. Which is going to cause problems for Facebook since the way Facebook appears to work seems to be very much in breach of data protection law.
Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document
“We do not have an adequate level of control and explainability over how our systems use data,” Facebook engineers say in leaked document.
According to legal experts interviewed by Motherboard, GDPR specifically prohibits that kind of repurposing, and the leaked document shows Facebook may not even have the ability to limit how it handles users’ data. The document raises the question of whether Facebook is able to broadly comply with privacy regulations because of the sheer amount of data it collects and where it flows within the company.
While the above is accurate, it’s worth pointing out that the principle of purpose limitation in European data protection law is not something that came into effect with the GDPR in 2018. Purpose limitation has been a principle of data protection since long before Facebook existed, as noted by Natasha Lomas in a comment piece for TechCrunch.
The European Union also didn’t suddenly invent privacy regulation in 2018, when the GDPR came into force. Before that law there was the Data Protection Directive, which included many of the same principles. So — in Europe at least — if a company like Facebook had actually been paying attention to legal requirements around privacy by design — and if EU regulators had been muscularly enforcing these long-standing rules — Meta might not now be warning investors about the ‘regulatory headwinds’ coming for their shareholder value. Nor facing what sounds to be a monumentally expensive and resource intensive re-engineering challenge — not so much akin to landing on the moon as more like needing to reconstruct the whole of the planet from pulverized moondust in a way that ensures every tiny piece of rock and dust is put back in exactly the place it originated for. Oh, and — guess what! — the deadline for doing all that already passed. Call it the ‘Zuckerberg’s moonshot.’
Leaked Facebook ads document raises fresh questions over GDPR enforcement – TechCrunch
Motherboard/Vice had an explosive report on Facebook’s business yesterday that’s sure to raise fresh questions over the lack of enforcement of European privacy laws against the adtech giant. The report is based on a leaked internal document written last year by privacy engineers on its Ad and Business product team. The document, which is entitled […]
So now that Facebook is *known*, with *evidence* to be in massive (deliberate) violation of the GDPR, all businesses using the Facebook pixel or cookies have an obligation to stop using them, or be in breach of Article 24 themselves.
From the very beginning, when a visitor entered their email address on the sign-in page, that address was being sent to Facebook, The Markup found. As families filled out more of the form, the tracking continued—not just on pages requesting parents’ information but also on pages specifically meant to receive students’ personal information. A page for demographic information on the student applying for aid, for example, was sending names, email addresses, and zip codes to Facebook. Similar data was tracked on pages for student financials and even on pages asking for information on the student’s high school. Facebook generally “hashes” the data, a process that scrambles sensitive data. While it is moderately more secure than sending the data via plaintext, hashing isn’t a guarantee of security.
Applied for Student Aid Online? Facebook Saw You – The Markup
The FAFSA form included code that sent personal information back to Facebook
For users in China, the platform will display the province or municipality where they are posting from, it said. For those using Weibo overseas, the country of users’ IP addresses will be displayed. The settings are designed to “reduce bad behaviour such as impersonating parties involved in hot topic issues, malicious disinformation and traffic scraping, and to ensure the authenticity and transparency of the content disseminated,” it said in a notice. “Weibo has always been committed to maintaining a healthy and orderly atmosphere of discussion and protecting the rights and interests of users to quickly obtain real and effective information,” the notice read.
China's Weibo shows user locations to combat 'bad behaviour' | Reuters
Weibo, China’s equivalent of Twitter, told users on Thursday it would start to publish their IP locations on their account pages and when they post comments, in a bid to combat “bad behaviour” online.
The EDPB announced during the week that its members had “agreed to further enhance cooperation on strategic cases and to diversify the range of cooperation methods used.”
- “The researchers say that Echo interaction data is collected both by Amazon and third-parties and that Amazon shares user data with as many as 41 ad partners. They say that ad targeting enabled by the data leads to ad bids as much as 30x higher, and that Amazon’s inference of ad interests from voice data is a clear violation of the company’s privacy policy and public statements. In addition, over 70 percent of Skills fail to mention Alexa or Amazon, and a mere 2.2 percent make their data collection practices clear in their privacy policies, the researchers contend.” From ‘Study: How Amazon uses Echo interactions to target ads’ by Thomas Claburn for The Register.
- “I can’t believe the one to finally break that silence publicly is ‘Toontown Rewritten,’” Nixon said, noting that most of the technology companies that have been duped “treated this as a shameful matter to be kept top secret.” “They did what no big tech company could do and wrote a public advisory full of actionable information with the entire fake emergency data request,” she said. The request appears to have come from a hacker who compromised the email system of the Dhaka Metropolitan Police, which operates in Bangladesh’s capital and most populous city, according to Toontown Rewritten and a cybersecurity expert. The email contained an obvious clue: Dhaka was spelled incorrectly.” From ‘Toontown Kids’ Game Operator Rebuffed Fake Police Data Request’ by William Turton for Bloomberg.
- “The DSA applies to numerous Internet intermediary services. It provides both immunities and obligations. Many of its specific rules apply only to services in specific categories (access, caching, hosting, and marketplace providers, for example). A last minute compromise brought search engines into scope, but largely left it to future courts to ascertain when search engines fit under one of the DSA’s enumerated categories, and thus what rules apply. Much like the GDPR, the DSA asserts significant jurisdiction over companies based outside the EU. It reaches services “directed” to EU Member States. (Art 2) It allows enforcers to assess extremely steep fines, in principle reaching up to 6% of annual revenue. (In practice, I wouldn’t expect fines of that magnitude absent serious platform intransigence.) It also sets up major new regulatory powers within the European Commission, many details of which will be hashed out later.” From ‘What does the DSA say?’ by Daphne Keller for the Center for Internet and Society at Stanford Law School.
If you know someone who might enjoy this newsletter do please forward it on to them.
|
Privacy Kit, Made with 💚 in Dublin, Ireland
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.