David Meyer

'Deceived by Design:' Google and Facebook Accused of Manipulating Users Into Giving Up Their Data

Facebook and Google introduced new privacy settings in order to comply with Europe’s sweeping new privacy law, the General Data Protection Regulation, but campaigners still aren’t satisfied. Some filed official complaints on the day the new law went into force, and now others have raised further concerns about how the companies manipulate people into exposing their data.

Facebook Just Lost Its Latest Battle in a Crucial Privacy Case Heading to Europe's Top Court

Facebook has failed in a last-ditch attempt to delay a major privacy case’s journey to Europe’s top court. The case in question was brought by Facebook’s arch-nemesis, the Austrian law student Max Schrems, who has already succeeded in sinking the Safe Harbor agreement that gave US firms a simple way to import the data of people from the European Union. As before, he is concerned that US intelligence programs break Europeans’ privacy rights.

US: NSA leaks should be no excuse for local storage mandates, which harm “organic” Internet

The US State Department has warned against countries such as Russia forcing web service providers to store citizens’ data locally, even though such moves are at least in part inspired by Edward Snowden’s revelations of the National Security Agency spying on foreigners’ personal data.

“[People should not] use the Snowden revelations as an excuse for taking what are essentially protectionist measures that will harm the ability of the Internet to work in an organic way,” a State Department official said, ahead of the annual Internet Governance Forum meeting in Istanbul.

Germany mulls ban on after-hours work emails and calls

A ban on office communications in the evening and during vacation time could become law in Germany. German labor minister Andrea Nahles said that the Federal Institute for Occupational Safety and Health was consulting on how such a law could be made -- what thresholds would need to be mandated, and so on.

She said the first results were expected in 2015.

Germany “accidentally” spied on Hillary Clinton phone call, report says

The United States spied on German Chancellor Angela Merkel, and that’s a pretty big deal because she’s a head of state, but this wasn’t purely a one-sided affair.

According to a report in the Süddeutsche Zeitung, German intelligence also listened in on a call involving erstwhile US Secretary of State Hillary Clinton.

Australian government reveals mandatory data retention plans

The Australian government has announced plans to introduce mandatory data retention, forcing telecommunications companies to hang on to certain customer data for up to 2 years.

The plans were leaked ahead of a press conference, in which Prime Minister Tony Abbott said they would help in the fight against terrorism. The Liberal-led coalition government said it would “update Australia’s telecommunication interception law which predates the Internet era and is increasingly ineffective,” as well as introduce “proper oversight” to protect Australians’ privacy rights.

The Internet is a politically and culturally loaded tool, particularly when it comes to censorship

[Commentary] Censorship is always bad, right? Not to many people around our connected globe, and there is sometimes validity to their views. Unfortunately the tension between those views places a profound and perhaps dangerous dilemma at the heart of the Internet.

Google could face criminal proceedings in Italy if it doesn’t clean up its act on privacy

Google could face criminal proceedings, as well as a €1 million ($1.35 million) fine, in Italy if it doesn’t change its data-handling ways.

According to a ruling by the Italian data protection commissioner, who has been coordinating with counterparts across Europe, Google must do the following within 18 months to comply with privacy law:

  • Make it clear to users that their data is mixed and matched across Google services for marketing purposes, both by cookies and by more advanced behavioral “fingerprinting” technologies.
  • Get explicit opt-in permission from users before using their data in this way.
  • Define how long it retains users’ data.
  • Delete users’ data when asked, within 2 months for data stored on “active” systems and within 6 months for backed-up data.

Google and Microsoft should be open about their de-linking processes in Europe

[Commentary] Google and other search engines operating in Europe have to take down links to information about people if those people ask them to do so, provided there’s no public-interest or other good reason for keeping the links up.

The problem for now, however, is that the search engines are already plowing ahead with the takedowns and no-one is sure how exactly they’re doing so. European data protection officials, who are due to meet with Microsoft and hopefully Google, want the search engines’ test for removing data to be more transparent. This could be accomplished with a series of blog posts.

We don’t need to know the details of every case (information overload won’t help anyone, and it would defeat the purpose of the exercise anyway) but there’s no reason we can’t get further insight into what the takedown teams are thinking and how they are operating.

UN human rights report blows apart governments’ pro-surveillance arguments

Mass surveillance by intelligence agencies is almost certainly illegal under international law, even where it involves collecting but not looking at people’s data, the United Nations human rights chief has advised.

In a damning but cautiously phrased report, UN High Commissioner for Human Rights Navi Pillay recommended that governments review their national laws, policies and practices to check that they do comply with international human rights law, then fix them if they don’t.

The report doesn’t name names, but it’s not very hard to see that much of it applies to the activities of the US and its various intelligence partners. “The very existence of a mass surveillance programme creates an interference with privacy,” Pillay said.

Lawyers and web experts attack UK’s fast-tracking of surveillance legislation

The World Wide Web Foundation and the United Kingdom Law Society have both strongly criticized the British government for attempting to fast-track the new Data Retention and Investigatory Powers (DRIP) Act, which is meant to keep existing surveillance powers going but which will actually expand them greatly.

According to the World Wide Web Foundation, which is headed up by web inventor Tim Berners-Lee, the British government’s assertion that the bill needs to be rushed through as emergency legislation “seems at best incompetent, and at worst manipulative,” as the law could easily have been debated over recent months. The Law Society, which represents British lawyers, warned that history shows emergency laws tend to be “used for purposes for which they were not intended.”

NSA targets Tor administrators and people searching for privacy tools, reports claim

An investigation by the German broadcasters ARD and WDR has apparently demonstrated that the National Security Agency targeted a German student called Sebastian Hahn, who runs a node on the anonymization network Tor. It has also shown that anyone searching for “privacy-enhancing software tools” online may be marked for surveillance.

Tor (“The Onion Router”) works by bouncing traffic off a series of servers so that it’s near-impossible to trace who’s browsing what. It’s partly funded by the US Department of State because it’s handy for dissidents in repressive regimes, but Edward Snowden’s leaks already showed in 2013 that the NSA has been targeting Tor because it believes terrorists also use it.

Meanwhile, according to an English-language ARD article, partly written by members of the Tor project, the NSA “tracks all connections to a server that hosts part of an anonymous email service at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in Cambridge, Massachusetts.”

What’s more, the broadcasters reported -- again based on the source code -- that the actual contents of emails sent over the Tor network are extracted for scrutiny, not just the emails’ metadata about senders, recipients and timing.

Russia may force web firms to store Russians’ personal data within its borders

The Russian parliament, the Duma, has passed a bill that would require web service providers to store Russians’ personal data within the country’s borders.

The bill was passed on its first reading.

This is a similar move to that proposed in other countries such as Brazil, following Edward Snowden’s US National Security Agency revelations. However, Brazil dropped its plans for mandating local data storage.

If approved by the Federation Council, the Russian requirement will go into effect in September 2016, meaning companies like Google and Twitter would need to establish data centers in Russia by then if they want to continue trading legally there.

What is more, those that don’t comply may find their services blocked on the order of telecommunications regulator Roskomnadzor, according to Lenta.ru. In other words, this may be a precursor to the shutting-off of major international web services in Russia at some point in the coming years.

Europe’s roaming data cuts are welcome, but not the end of the story

Europeans traveling around the union will pay a lot less for mobile data, voice and SMS. The most drastic cut will be for data, with the retail price cap dropping from 45 euro cents ($0.62) per megabyte to 20 cents ($0.27).

This represents the last stage in the grading-down of data roaming premiums within the European Union (there were no retail caps on roaming data before mid-2012, when a 70 cent cap was introduced). It’s far from being the end of the story, though -- a major package of telecommunications reform that’s almost been signed into law will do away with intra-EU roaming premiums altogether.

There’s a huge political driver behind all of this, in the creation of a true EU single market -- in practical terms, EU politicians are trying to erase the borders between member states, and that’s not possible when crossing a border results in massive bill shock. For European startups, this is essential, particularly if their apps and services are intended to be used on the move.

The complete elimination of roaming fees within the EU will take place at the end of 2015, if member states give final approval to measures already backed by the European Commission and the European Parliament.

Germany dumps Verizon for government work over NSA fears

The German government is ditching Verizon as its network infrastructure provider, and it’s citing Edward Snowden’s revelations about NSA surveillance as a reason.

The aftermath of the Snowden leaks has seen China institute heavy vetting of US equipment and Brazil cancel big orders of US military kit. However, despite the fact that the bugging of Chancellor Angela Merkel provided a major diplomatic upset, until now Germany’s response has been more bark than bite. No longer. The German ministry of the interior said it would let its existing contract with Verizon expire as it tries to provide “an infrastructure with an increased level of security.”

Verizon currently manages Germany’s federal administrative infrastructure, through a contract that will run out in 2015. The statement cited the increasing prevalence of malware and other hacking threats, and it also explicitly called out the links -- exposed by “the NSA affair” -- between foreign intelligence agencies and private firms. It said it wanted one company to manage all its government networks.

US may extend some privacy rights to Europeans

The US Department of Justice has said it may extend certain privacy rights to European citizens to help them enjoy the same sort of data protections abroad as they do at home.

Attorney General Eric Holder said that the US intended to “take legislative action in order to provide for judicial redress for Europeans who do not live in the US,” according to a welcoming statement by EU justice chief Viviane Reding. As Reding said, this could remove a major stumbling block in data protection negotiations between the US and the European Union.

DARPA: Without better security, the Internet of things will be messy

The burgeoning Internet of Things is a great idea but it won’t really take off without some serious breakthroughs in security, said Dan Kaufman, director of the Information Innovation Office at the Defense Advanced Research Projects Agency (DARPA).

Kaufman pointed out that the PC industry was unusual in that customers pay thousands of dollars for products that are broken from the start -- you buy a new machine and the first thing you have to do is patch it -- and this model won’t fly when you’re dealing with smart homes and so on.

“If we don’t have a fundamentally new security model, then I don’t know how we’re going to enjoy the Internet of Things,” Kaufman said. “Patch Tuesday for your car or your insulin pump doesn’t make a whole lot of sense.”

That said, DARPA is working on it. Kaufman noted that the defense research agency is trying to build an unhackable operating system, and it’s starting with the real-time operating systems that power embedded systems, such as those that will underpin the Internet of Things.

Change your passwords, eBay urges customers as it reveals large-scale data breach

eBay users are being advised to change their passwords after hackers compromised some employees’ log-in credentials to break into the eBay corporate network.

The company said in a statement that the hackers broke into a database including “encrypted passwords and other non-financial data” and had not got their hands on any financial or credit card information, but best practice dictates users should change their passwords anyway.

The stolen information may include customer names, phone numbers, dates of birth, email addresses, physical addresses, and encrypted passwords. The breach took place between late February and early March but was not detected until recently. PayPal data is not affected, being stored in a different (and fully encrypted) system.

Reinventing the Internet: Here’s how to make online life more secure and trustworthy

[Commentary] Personal online security benefits everyone; well, almost everyone. Putting these measures in place wouldn’t be easy, and it would be unpopular in some quarters, but I think it would certainly be worth trying:

  • Responsible disclosure: A neutral body such as the International Telecommunication Union should administer the disclosure scheme, monitoring compliance around the initial quiet-tap-on-the-shoulder stage and ensuring the transparency of subsequent public disclosures.
  • Audit everything: This scheme should be funded by all countries and administered by the ITU or perhaps a standards-setting body like the IETF or the W3C. It should not be expensive, particularly when taking into consideration the public costs of dealing with attacks.
  • Encrypt everything: The W3C’s HTTP Working Group is already trying to ensure that open web use will become encrypted by default. The IETF and others are also now focused on improving the usability of online security and on encouraging standards-setters to think about security from the start.
  • Informed consent: The difference between opting in and out is vast. Shifting from an opt-out to an opt-in model would certainly add friction to sign-up and update processes, and it would require a standardized template that people broadly understand, but it’s the only honest way to process people’s data.
  • Privacy-friendly principles and evolutionary rules: The core principles should ideally be enshrined in a global Internet bill of rights, respected by countries and translated into national law as closely as possible. And here’s the overarching principle that should set the tone for the rest: the rights people enjoy offline should apply just as much online.

Here’s a great way to see how the UK’s airwaves are used

The UK telecommunications regulator Ofcom has just released an interactive “map” of the country’s radio spectrum, showing which frequencies are assigned to which use types -- all the way from the 8.3-11.3 kHz band (weather stations) to the 250-275 GHz band (radio astronomy).

For the FTC, privacy is an ecosystem issue

The Federal Trade Commission has its eye on the privacy practices of a wide variety of data-collecting players, the deputy director of the agency’s Bureau of Consumer Protection said.

Daniel Kaufman said the rise of mobile ecosystems and the Internet of things, with the myriad companies and devices they involve, required a broad view. For example, Kaufman said, the FTC targeted HTC over privacy-busting security flaws and Android flashlight app maker Goldenshores over its deceptive privacy policy. The agency even has a “mobile lab” staffed with technologists and attorneys who check out where devices and apps send users’ data, and how that squares with their claimed privacy policies.

“For us we have to look at the entire ecosystem and make sure all the players are doing what they should be doing and what the law allows,” Kaufman said.

Europe’s network neutrality law passes crucial committee vote with poor safeguards

The European Parliament’s industry committee has passed Digital Agenda Commissioner Neelie Kroes’s big telecoms legislation package, including a contentious section covering network neutrality.

The legislation is ostensibly supposed to entrench the principles of net neutrality in European law for the first time, guaranteeing that broadband and mobile providers treat all Internet services equally. However, part of the wording refers to “specialized services” that can be exempted from this principle, and the wording of the package as passed defines these services quite broadly.

Web firms face a strict new set of privacy rules in Europe -- here’s what to expect

The European Parliament has overwhelmingly passed a large package of laws intended to strengthen data protection -- that’s “privacy” in non-legalese -- across the European Union.

The data protection regulation, passed by members of the European Parliament (MEPs) by 621 votes to 10 with 22 abstentions, was proposed by EU Justice Commissioner Viviane Reding just over two years ago as a way of harmonizing data protection law across the 28 member states.

The next Parliament will need to take this over after the May election, and Europe’s governments still need to give their approval through the European Council, but it looks like web firms operating in the EU are about to face a very different regulatory landscape. This would include much higher fines for breaches of data protection law in the EU, the limited right for citizens to demand the erasure of their personal data, and strict limitations on what can be done with EU citizens’ data outside the union. A separate resolution passed could also lead to difficulties for US firms in handling the personal data of Europeans.

“Merkel phone” security firm teams up with Vodafone on new Secure Call app

The company that handles the security of the so-called “Merkel phone” -- the customized BlackBerry that the German chancellor and other members of her administration have recently started using -- is now making a push to offer secure services to normal companies.

At the Cebit tech show in Hanover, Germany, Secusmart announced a deal with mobile carrier Vodafone to offer an app called Secure Call, which supposedly does what it says on the tin. In the words of Vodafone Deutschland CEO Jens Schulte-Bockum, “Secure Call is an effective weapon against phone tapping for people who want to protect their intellectual property.”

Additionally, Secusmart said it would try selling the Merkel phone more widely. The Merkel phone costs €2,000 ($2,800). Secure Call will reportedly cost around €10 per user per month, and it will support more platforms -- Android first, then iOS and Windows Phone. It will initially only be available in Germany. Meanwhile Deutsche Telekom, Vodafone’s biggest rival in Germany, is also expected to unveil an app for secure voice and SMS communications at Cebit. KPN, the Dutch telecommunications company that runs the E-Plus and Base brands in Germany, is also targeting the privacy-conscious by reselling Silent Circle’s secure communications services.

[March 10]