european union

UK report blasts Huawei for network security incompetence

Posted by | 5g, 5G network security, Asia, China, Ciaran Martin, computer security, cyberattack, cybercrime, ernst & young, Europe, european union, huawei, Mobile, National Cyber Security Centre, national security, Security, telecommunications, UK government, United Kingdom | No Comments

The latest report by a UK oversight body set up to evaluation Chinese networking giant Huawei’s approach to security has dialled up pressure on the company, giving a damning assessment of what it describes as “serious and systematic defects” in its software engineering and cyber security competence.

Although the report falls short of calling for an outright ban on Huawei equipment in domestic networks — an option U.S. president Trump continues dangling across the pond.

The report, prepared for the National Security Advisor of the UK by the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, also identifies new “significant technical issues” which it says lead to new risks for UK telecommunications networks using Huawei kit.

The HCSEC was set up by Huawei in 2010, under what the oversight board couches as “a set of arrangements with the UK government”, to provide information to state agencies on its products and strategies in order that security risks could be evaluated.

And last year, under pressure from UK security agencies concerned about technical deficiencies in its products, Huawei pledged to spend $2BN to try to address long-running concerns about its products in the country.

But the report throws doubt on its ability to address UK concerns — with the board writing that it has “not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects”.

So it sounds like $2BN isn’t going to be nearly enough to fix Huawei’s security problem in just one European country.

The board also writes that it will require “sustained evidence” of better software engineering and cyber security “quality”, verified by HCSEC and the UK’s National Cyber Security Centre (NCSC), if there’s to be any possibility of it reaching a different assessment of the company’s ability to reboot its security credentials.

While another damning assessment contained in the report is that Huawei has made “no material progress” on issues raised by last year’s report.

All the issues identified by the security evaluation process relate to “basic engineering competence and cyber security hygiene”, which the board notes gives rise to vulnerabilities capable of being exploited by “a range of actors”.

It adds that the NCSC does not believe the defects found are a result of Chinese state interference.

This year’s report is the fifth the oversight board has produced since it was established in 2014, and it comes at a time of acute scrutiny for Huawei, as 5G network rollouts are ramping up globally — pushing governments to address head on suspicions attached to the Chinese giant and consider whether to trust it with critical next-gen infrastructure.

“The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated,” the report warns in one of several key conclusions that make very uncomfortable reading for Huawei.

“Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term,” it adds in summary.

Reached for its response to the report, a Huawei UK spokesperson sent us a statement in which it describes the $2BN earmarked for security improvements related to UK products as an “initial budget”.

It writes:

The 2019 OB [oversight board] report details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei’s Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2BN.

A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.

Seeking to find something positive to salvage from the report’s savaging, Huawei suggests it demonstrates the continued effectiveness of the HCSEC as a structure to evaluate and mitigate security risk — flagging a description where the board writes that it’s “arguably the toughest and most rigorous in the world”, and which Huawei claims shows at least there hasn’t been any increase in vulnerability of UK networks since the last report.

Though the report does identify new issues that open up fresh problems — albeit the underlying issues were presumably there last year too, just laying undiscovered.

The board’s withering assessment certainly amps up the pressure on Huawei which has been aggressively battling U.S.-led suspicion of its kit — claiming in a telecoms conference speech last month that “the U.S. security accusation of our 5G has no evidence”, for instance.

At the same time it has been appealing for the industry to work together to come up with collective processes for evaluating the security and trustworthiness of network kit.

And earlier this month it opened another cyber security transparency center — this time at the heart of Europe in Brussels, where the company has been lobbying policymakers to help establish security standards to foster collective trust. Though there’s little doubt that’s a long game.

Meanwhile, critics of Huawei can now point to impatience rising in the U.K., despite comments by the head of the NCSC, Ciaran Martin, last month — who said then that security agencies believe the risk of using Huawei kit can be managed, suggesting the government won’t push for an outright ban.

The report does not literally overturn that view but it does blast out a very loud and alarming warning about the difficulty for UK operators to “appropriately” risk-manage what’s branded defective and vulnerable Huawei kit. Including flagging the risk of future products — which the board suggests will be increasingly complex to manage. All of which could well just push operators to seek alternatives.

On the mitigation front, the board writes that — “in extremis” — the NCSC could order Huawei to carry out specific fixes for equipment currently installed in the UK. Though it also warns that such a step would be difficult, and could for example require hardware replacement which may not mesh with operators “natural” asset management and upgrades cycles, emphasizing it does not offer a sustainable solution to the underlying technical issues.

“Given both the shortfalls in good software engineering and cyber security practice and the currently unknown trajectory of Huawei’s R&D processes through their announced transformation plan, it is highly likely that security risk management of products that are new to the UK or new major releases of software for products currently in the UK will be more difficult,” the board writes in a concluding section discussing the UK national security risk.

“On the basis of the work already carried out by HCSEC, the NCSC considers it highly likely that there would be new software engineering and cyber security issues in products HCSEC has not yet examined.”

It also describes the number and severity of vulnerabilities plus architectural and build issues discovered by a relatively small team in the HCSEC as “a particular concern”.

“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly,” it warns. “Other impacts could include being able to access user traffic or reconfiguration of the network elements.”

In another section on mitigating risks of using Huawei kit, the board notes that “architectural controls” in place in most UK operators can limit the ability of attackers to exploit any vulnerable network elements not explicitly exposed to the public Internet — adding that such controls, combined with good opsec generally, will “remain critically important in the coming years to manage the residual risks caused by the engineering defects identified”.

In other highlights from the report the board does have some positive things to say, writing that an NCSC technical review of its capabilities showed improvements in 2018, while another independent audit of HCSEC’s ability to operate independently of Huawei HQ once again found “no high or medium priority findings”.

“The audit report identified one low-rated finding, relating to delivery of information and equipment within agreed Service Level Agreements. Ernst & Young concluded that there were no major concerns and the Oversight Board is satisfied that HCSEC is operating in line with the 2010 arrangements between HMG and the company,” it further notes.

Last month the European Commissioner said it was preparing to step in to ensure a “common approach” across the European Union where 5G network security is concerned — warning of the risk of fragmentation across the single market. Though it has so far steered clear of any bans.

Earlier this week it issued a set of recommendations for Member States, combining legislative and policy measures to assess 5G network security risks and help strengthen preventive measures.

Among the operational measures it suggests Member States take is to complete a national risk assessment of 5G network infrastructures by the end of June 2019, and follow that by updating existing security requirements for network providers — including conditions for ensuring the security of public networks.

“These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks,” it recommends. “The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behaviour of suppliers or operators, including those from third countries. National risk assessments will be a central element towards building a coordinated EU risk assessment.”  

At an EU level the Commission said Member States should share information on network security, saying this “coordinated work should support Member States’ actions at national level and provide guidance to the Commission for possible further steps at EU level” — leaving the door open for further action.

While the EU’s executive body has not pushed for a pan-EU ban on any 5G vendors it did restate Member States’ right to exclude companies from their markets for national security reasons if they fail to comply with their own standards and legal framework.

Powered by WPeMatico

Law enforcement needs to protect citizens and their data

Posted by | Android, Australia, Column, computer security, crypto wars, cryptography, encryption, european union, Facebook, Federal Bureau of Investigation, General Data Protection Regulation, human rights, law, law enforcement, national security, privacy, Security, United Kingdom | No Comments
Robert Anderson
Contributor

Robert Anderson served for 21 years in the FBI, retiring as executive assistant director of the Criminal, Cyber, Response and Services Branch. He is currently an advisor at The Chertoff Group and the chief executive of Cyber Defense Labs.

Over the past several years, the law enforcement community has grown increasingly concerned about the conduct of digital investigations as technology providers enhance the security protections of their offerings—what some of my former colleagues refer to as “going dark.”

Data once readily accessible to law enforcement is now encrypted, protecting consumers’ data from hackers and criminals. However, these efforts have also had what Android’s security chief called the “unintended side effect” of also making this data inaccessible to law enforcement. Consequently, many in the law enforcement community want the ability to compel providers to allow them to bypass these protections, often citing physical and national security concerns.

I know first-hand the challenges facing law enforcement, but these concerns must be addressed in a broader security context, one that takes into consideration the privacy and security needs of industry and our citizens in addition to those raised by law enforcement.

Perhaps the best example of the law enforcement community’s preferred solution is Australia’s recently passed Assistance and Access Bill, an overly-broad law that allows Australian authorities to compel service providers, such as Google and Facebook, to re-engineer their products and bypass encryption protections to allow law enforcement to access customer data.

While the bill includes limited restrictions on law enforcement requests, the vague definitions and concentrated authorities give the Australian government sweeping powers that ultimately undermine the security and privacy of the very citizens they aim to protect. Major tech companies, such as Apple and Facebook, agree and have been working to resist the Australian legislation and a similar bill in the UK.

Image: Bryce Durbin/TechCrunch

Newly created encryption backdoors and work-arounds will become the target of criminals, hackers, and hostile nation states, offering new opportunities for data compromise and attack through the newly created tools and the flawed code that inevitably accompanies some of them. These vulnerabilities undermine providers’ efforts to secure their customers’ data, creating new and powerful vulnerabilities even as companies struggle to address existing ones.

And these vulnerabilities would not only impact private citizens, but governments as well, including services and devices used by the law enforcement and national security communities. This comes amidst government efforts to significantly increase corporate responsibility for the security of customer data through laws such as the EU’s General Data Protection Regulation. Who will consumers, or the government, blame when a government-mandated backdoor is used by hackers to compromise user data? Who will be responsible for the damage?

Companies have a fiduciary responsibility to protect their customers’ data, which not only includes personally identifiable information (PII), but their intellectual property, financial data, and national security secrets.

Worse, the vulnerabilities created under laws such as the Assistance and Access Bill would be subject almost exclusively to the decisions of law enforcement authorities, leaving companies unable to make their own decisions about the security of their products. How can we expect a company to protect customer data when their most fundamental security decisions are out of their hands?

phone encryption

Image: Bryce Durbin/TechCrunch

Thus far law enforcement has chosen to downplay, if not ignore, these concerns—focusing singularly on getting the information they need. This is understandable—a law enforcement officer should use every power available to them to solve a case, just as I did when I served as a State Trooper and as a FBI Special Agent, including when I served as Executive Assistant Director (EAD) overseeing the San Bernardino terror attack case during my final months in 2015.

Decisions regarding these types of sweeping powers should not and cannot be left solely to law enforcement. It is up to the private sector, and our government, to weigh competing security and privacy interests. Our government cannot sacrifice the ability of companies and citizens to properly secure their data and systems’ security in the name of often vague physical and national security concerns, especially when there are other ways to remedy the concerns of law enforcement.

That said, these security responsibilities cut both ways. Recent data breaches demonstrate that many companies have a long way to go to adequately protect their customers’ data. Companies cannot reasonably cry foul over the negative security impacts of proposed law enforcement data access while continuing to neglect and undermine the security of their own users’ data.

Providers and the law enforcement community should be held to robust security standards that ensure the security of our citizens and their data—we need legal restrictions on how government accesses private data and on how private companies collect and use the same data.

There may not be an easy answer to the “going dark” issue, but it is time for all of us, in government and the private sector, to understand that enhanced data security through properly implemented encryption and data use policies is in everyone’s best interest.

The “extra ordinary” access sought by law enforcement cannot exist in a vacuum—it will have far reaching and significant impacts well beyond the narrow confines of a single investigation. It is time for a serious conversation between law enforcement and the private sector to recognize that their security interests are two sides of the same coin.

Powered by WPeMatico

Ahead of third antitrust ruling, Google announces fresh tweaks to Android in Europe

Posted by | Android, antitrust, Apple, Apps, chrome os, competition commission, DuckDuckGo, Europe, european commission, european union, France, G Suite, Google, Image search, joaquin almunia, Jolla, Kent Walker, Margrethe Vestager, Mobile, operating systems, play store, Policy, Qwant, search app, search engine, search engines, smartphone, Spotify, travel search | No Comments

Google is widely expected to be handed a third antitrust fine in Europe this week, with reports suggesting the European Commission’s decision in its long-running investigation of AdSense could land later today.

Right on cue the search giant has PRed another Android product tweak — which it bills as “supporting choice and competition in Europe”.

In the coming months Google says it will start prompting users of existing and new Android devices in Europe to ask which browser and search apps they would like to use.

This follows licensing changes for Android in Europe which Google announced last fall, following the Commission’s $5BN antitrust fine for anti-competitive behavior related to how it operates the dominant smartphone OS.

tl;dr competition regulation can shift policy and product.

Albeit, the devil will be in the detail of Google’s self-imposed ‘remedy’ for Android browser and search apps.

Which means how exactly the user is prompted will be key — given tech giants are well-versed in the manipulative arts of dark pattern design, enabling them to create ‘consent’ flows that deliver their desired outcome.

A ‘choice’ designed in such a way — based on wording, button/text size and color, timing of prompt and so on — to promote Google’s preferred browser and search app choice by subtly encouraging Android users to stick with its default apps may not actually end up being much of a ‘choice’.

According to Reuters the prompt will surface to Android users via the Play Store. (Though the version of Google’s blog post we read did not include that detail.)

Using the Play Store for the prompt would require an Android device to have Google’s app store pre-loaded — and licensing tweaks made to the OS in Europe last year were supposedly intended to enable OEMs to choose to unbundle Google apps from Android forks. Ergo making only the Play Store the route for enabling choice would be rather contradictory. (As well as spotlighting Google’s continued grip on Android.)

Add to that Google has the advantage of massive brand dominance here, thanks to its kingpin position in search, browsers and smartphone platforms.

So again the consumer decision is weighted in its favor. Or, to put it another way: ‘This is Google; it can afford to offer a ‘choice’.’

In its blog post getting out ahead of the Commission’s looming AdSense ruling, Google’s SVP of global affairs, Kent Walker, writes that the company has been “listening carefully to the feedback we’re getting” vis-a-vis competition.

Though the search giant is actually appealing both antitrust decisions. (The other being a $2.7BN fine it got slapped with two years ago for promoting its own shopping comparison service and demoting rivals’.)

“After the Commission’s July 2018 decision, we changed the licensing model for the Google apps we build for use on Android phones, creating new, separate licenses for Google Play, the Google Chrome browser, and for Google Search,” Walker continues. “In doing so, we maintained the freedom for phone makers to install any alternative app alongside a Google app.”

Other opinions are available on those changes too.

Such as French pro-privacy Google search rival Qwant, which last year told us how those licensing changes still make it essentially impossible for smartphone makers to profit off of devices that don’t bake in Google apps by default. (More recently Qwant’s founder condensed the situation to “it’s a joke“.)

Qwant and another European startup Jolla, which leads development of an Android alternative smartphone platform called Sailfish — and is also a competition complainant against Google in Europe — want regulators to step in and do more.

The Commission has said it is closely monitoring changes made by Google to determine whether or not the company has complied with its orders to stop anti-competitive behavior.

So the jury is still out on whether any of its tweaks sum to compliance. (Google says so but that’s as you’d expect — and certainly doesn’t mean the Commission will agree.)

In its Android decision last summer the Commission judged that Google’s practices harmed competition and “further innovation” in the wider mobile space, i.e. beyond Internet search — because it prevented other mobile browsers from competing effectively with its pre-installed Chrome browser.

So browser choice is a key component here. And ‘effective competition’ is the bar Google’s homebrew ‘remedies’ will have to meet.

Still, the company will be hoping its latest Android tweaks steer off further Commission antitrust action. Or at least generate more fuzz and fuel for its long-game legal appeal.

Current EU competition commissioner, Margrethe Vestager, has flagged for years that the division is also fielding complaints about other Google products, including travel search, image search and maps. Which suggests Google could face fresh antitrust investigations in future, even as the last of the first batch is about to wrap up.

The FT reports that Android users in the European economic area last week started seeing links to rival websites appearing above Google’s answer box for searches for products, jobs or businesses — with the rival links appearing above paid results links to Google’s own services.

The newspaper points out that tweak is similar to a change promoted by Google in 2013, when it was trying to resolve EU antitrust concerns under the prior commissioner, Joaquín Almunia.

However rivals at the time complained the tweak was insufficient. The Commission subsequently agreed — and under Vestager’s tenure went on to hit Google with antitrust fines.

Walker doesn’t mention these any of additional antitrust complaints swirling around Google’s business in Europe, choosing to focus on highlighting changes it’s made in response to the two extant Commission antitrust rulings.

“After the Commission’s July 2018 decision, we changed the licensing model for the Google apps we build for use on Android phones, creating new, separate licenses for Google Play, the Google Chrome browser, and for Google Search. In doing so, we maintained the freedom for phone makers to install any alternative app alongside a Google app,” he writes.

Nor does he make mention of a recent change Google quietly made to the lists of default search engine choices in its Chrome browser — which expanded the “choice” he claims the company offers by surfacing more rivals. (The biggest beneficiary of that tweak is privacy search rival DuckDuckGo, which suddenly got added to the Chrome search engine lists in around 60 markets. Qwant also got added as a default choice in France.)

Talking about Android specifically Walker instead takes a subtle indirect swipe at iOS maker Apple — which now finds itself the target of competition complaints in Europe, via music streaming rival Spotify, and is potentially facing a Commission probe of its own (albeit, iOS’ marketshare in Europe is tiny vs Android). So top deflecting Google.

“On Android phones, you’ve always been able to install any search engine or browser you want, irrespective of what came pre-installed on the phone when you bought it. In fact, a typical Android phone user will usually install around 50 additional apps on their phone,” Walker writes, drawing attention to the fact that Apple does not offer iOS users as much of a literal choice as Google does.

“Now we’ll also do more to ensure that Android phone owners know about the wide choice of browsers and search engines available to download to their phones,” he adds, saying: “This will involve asking users of existing and new Android devices in Europe which browser and search apps they would like to use.”

We’ve reached out to Commission for comment, and to Google with questions about the design of its incoming browser and search app prompts for Android users in Europe and will update this report with any response.

Powered by WPeMatico

5G phones are here but there’s no rush to upgrade

Posted by | 5g, Android, Apple, Asia, barcelona, broadband, Caching, China, deutsche telekom, donovan sung, Europe, european commission, european union, huawei, Intel, Internet of Things, iPhone, LG, Mobile, mwc 2019, Qualcomm, Samsung, singtel, smartphone, smartphones, south korea, TC, telecommunications, Xiaomi | No Comments

This year’s Mobile World Congress — the CES for Android device makers — was awash with 5G handsets.

The world’s No.1 smartphone seller by marketshare, Samsung, got out ahead with a standalone launch event in San Francisco, showing off two 5G devices, just before fast-following Android rivals popped out their own 5G phones at launch events across Barcelona this week.

We’ve rounded up all these 5G handset launches here. Prices range from an eye-popping $2,600 for Huawei’s foldable phabet-to-tablet Mate X — and an equally eye-watering $1,980 for Samsung’s Galaxy Fold; another 5G handset that bends — to a rather more reasonable $680 for Xiaomi’s Mi Mix 3 5G, albeit the device is otherwise mid-tier. Other prices for 5G phones announced this week remain tbc.

Android OEMs are clearly hoping the hype around next-gen mobile networks can work a little marketing magic and kick-start stalled smartphone growth. Especially with reports suggesting Apple won’t launch a 5G iPhone until at least next year. So 5G is a space Android OEMs alone get to own for a while.

Chipmaker Qualcomm, which is embroiled in a bitter patent battle with Apple, was also on stage in Barcelona to support Xiaomi’s 5G phone launch — loudly claiming the next-gen tech is coming fast and will enhance “everything”.

“We like to work with companies like Xiaomi to take risks,” lavished Qualcomm’s president Cristiano Amon upon his hosts, using 5G uptake to jibe at Apple by implication. “When we look at the opportunity ahead of us for 5G we see an opportunity to create winners.”

Despite the heavy hype, Xiaomi’s on stage demo — which it claimed was the first live 5G video call outside China — seemed oddly staged and was not exactly lacking in latency.

“Real 5G — not fake 5G!” finished Donovan Sung, the Chinese OEM’s director of product management. As a 5G sales pitch it was all very underwhelming. Much more ‘so what’ than ‘must have’.

Whether 5G marketing hype alone will convince consumers it’s past time to upgrade seems highly unlikely.

Phones sell on features rather than connectivity per se, and — whatever Qualcomm claims — 5G is being soft-launched into the market by cash-constrained carriers whose boom times lie behind them, i.e. before over-the-top players had gobbled their messaging revenues and monopolized consumer eyeballs.

All of which makes 5G an incremental consumer upgrade proposition in the near to medium term.

Use-cases for the next-gen network tech, which is touted as able to support speeds up to 100x faster than LTE and deliver latency of just a few milliseconds (as well as connecting many more devices per cell site), are also still being formulated, let alone apps and services created to leverage 5G.

But selling a network upgrade to consumers by claiming the killer apps are going to be amazing but you just can’t show them any yet is as tough as trying to make theatre out of a marginally less janky video call.

“5G could potentially help [spark smartphone growth] in a couple of years as price points lower, and availability expands, but even that might not see growth rates similar to the transition to 3G and 4G,” suggests Carolina Milanesi, principal analyst at Creative Strategies, writing in a blog post discussing Samsung’s strategy with its latest device launches.

“This is not because 5G is not important, but because it is incremental when it comes to phones and it will be other devices that will deliver on experiences, we did not even think were possible. Consumers might end up, therefore, sharing their budget more than they did during the rise of smartphones.”

The ‘problem’ for 5G — if we can call it that — is that 4G/LTE networks are capably delivering all the stuff consumers love right now: Games, apps and video. Which means that for the vast majority of consumers there’s simply no reason to rush to shell out for a ‘5G-ready’ handset. Not if 5G is all the innovation it’s got going for it.

LG V50 ThinQ 5G with a dual screen accessory for gaming

Use cases such as better AR/VR are also a tough sell given how weak consumer demand has generally been on those fronts (with the odd branded exception).

The barebones reality is that commercial 5G networks are as rare as hen’s teeth right now, outside a few limited geographical locations in the U.S. and Asia. And 5G will remain a very patchy patchwork for the foreseeable future.

Indeed, it may take a very long time indeed to achieve nationwide coverage in many countries, if 5G even ends up stretching right to all those edges. (Alternative technologies do also exist which could help fill in gaps where the ROI just isn’t there for 5G.)

So again consumers buying phones with the puffed up idea of being able to tap into 5G right here, right now (Qualcomm claimed 2019 is going to be “the year of 5G!”) will find themselves limited to just a handful of urban locations around the world.

Analysts are clear that 5G rollouts, while coming, are going to be measured and targeted as carriers approach what’s touted as a multi-industry-transforming wireless technology cautiously, with an eye on their capex and while simultaneously trying to figure out how best to restructure their businesses to engage with all the partners they’ll need to forge business relations with, across industries, in order to successfully sell 5G’s transformative potential to all sorts of enterprises — and lock onto “the sweep spot where 5G makes sense”.

Enterprise rollouts therefore look likely to be prioritized over consumer 5G — as was the case for 5G launches in South Korea at the back end of last year.

“4G was a lot more driven by the consumer side and there was an understanding that you were going for national coverage that was never really a question and you were delivering on the data promise that 3G never really delivered… so there was a gap of technology that needed to be filled. With 5G it’s much less clear,” says Gartner’s Sylvain Fabre, discussing the tech’s hype and the reality with TechCrunch ahead of MWC.

“4G’s very good, you have multiple networks that are Gbps or more and that’s continuing to increase on the downlink with multiple carrier aggregation… and other densification schemes. So 5G doesn’t… have as gap as big to fill. It’s great but again it’s applicability of where it’s uniquely positioned is kind of like a very narrow niche at the moment.”

“It’s such a step change that the real power of 5G is actually in creating new business models using network slicing — allocation of particular aspects of the network to a particular use-case,” Forrester analyst Dan Bieler also tells us. “All of this requires some rethinking of what connectivity means for an enterprise customer or for the consumer.

“And telco sales people, the telco go-to-market approach is not based on selling use-cases, mostly — it’s selling technologies. So this is a significant shift for the average telco distribution channel to go through. And I would believe this will hold back a lot of the 5G ambitions for the medium term.”

To be clear, carriers are now actively kicking the tyres of 5G, after years of lead-in hype, and grappling with technical challenges around how best to upgrade their existing networks to add in and build out 5G.

Many are running pilots and testing what works and what doesn’t, such as where to place antennas to get the most reliable signal and so on. And a few have put a toe in the water with commercial launches (globally there are 23 networks with “some form of live 5G in their commercial networks” at this point, according to Fabre.)

But at the same time 5G network standards are yet to be fully finalized so the core technology is not 100% fully baked. And with it being early days “there’s still a long way to go before we have a real significant impact of 5G type of services”, as Bieler puts it. 

There’s also spectrum availability to factor in and the cost of acquiring the necessary spectrum. As well as the time required to clear and prepare it for commercial use. (On spectrum, government policy is critical to making things happen quickly (or not). So that’s yet another factor moderating how quickly 5G networks can be built out.)

And despite some wishful thinking industry noises at MWC this week — calling for governments to ‘support digitization at scale’ by handing out spectrum for free (uhhhh, yeah right) — that’s really just whistling into the wind.

Rolling out 5G networks is undoubtedly going to be very expensive, at a time when carriers’ businesses are already faced with rising costs (from increasing data consumption) and subdued revenue growth forecasts.

“The world now works on data” and telcos are “at core of this change”, as one carrier CEO — Singtel’s Chua Sock Koong — put it in an MWC keynote in which she delved into the opportunities and challenges for operators “as we go from traditional connectivity to a new age of intelligent connectivity”.

Chua argued it will be difficult for carriers to compete “on the basis of connectivity alone” — suggesting operators will have to pivot their businesses to build out standalone business offerings selling all sorts of b2b services to support the digital transformations of other industries as part of the 5G promise — and that’s clearly going to suck up a lot of their time and mind for the foreseeable future.

In Europe alone estimates for the cost of rolling out 5G range between €300BN and €500BN (~$340BN-$570BN), according to Bieler. Figures that underline why 5G is going to grow slowly, and networks be built out thoughtfully; in the b2b space this means essentially on a case-by-case basis.

Simply put carriers must make the economics stack up. Which means no “huge enormous gambles with 5G”. And omnipresent ROI pressure pushing them to try to eke out a premium.

“A lot of the network equipment vendors have turned down the hype quite a bit,” Bieler continues. “If you compare this to the hype around 3G many years ago or 4G a couple of years ago 5G definitely comes across as a soft launch. Sort of an evolutionary type of technology. I have not come across a network equipment vendors these days who will say there will be a complete change in everything by 2020.”

On the consumer pricing front, carriers have also only just started to grapple with 5G business models. One early example is TC parent Verizon’s 5G home service — which positions the next-gen wireless tech as an alternative to fixed line broadband with discounts if you opt for a wireless smartphone data plan as well as 5G broadband.

From the consumer point of view, the carrier 5G business model conundrum boils down to: What is my carrier going to charge me for 5G? And early adopters of any technology tend to get stung on that front.

Although, in mobile, price premiums rarely stick around for long as carriers inexorably find they must ditch premiums to unlock scale — via consumer-friendly ‘all you can eat’ price plans.

Still, in the short term, carriers look likely to experiment with 5G pricing and bundles — basically seeing what they can make early adopters pay. But it’s still far from clear that people will pay a premium for better connectivity alone. And that again necessitates caution. 

5G bundled with exclusive content might be one way carriers try to extract a premium from consumers. But without huge and/or compelling branded content inventory that risks being a too niche proposition too. And the more carriers split their 5G offers the more consumers might feel they don’t need to bother, and end up sticking with 4G for longer.

It’ll also clearly take time for a 5G ‘killer app’ to emerge in the consumer space. And such an app would likely need to still be able to fallback on 4G, again to ensure scale. So the 5G experience will really need to be compellingly different in order for the tech to sell itself.

On the handset side, 5G chipset hardware is also still in its first wave. At MWC this week Qualcomm announced a next-gen 5G modem, stepping up from last year’s Snapdragon 855 chipset — which it heavily touted as architected for 5G (though it doesn’t natively support 5G).

If you’re intending to buy and hold on to a 5G handset for a few years there’s thus a risk of early adopter burn at the chipset level — i.e. if you end up with a device with a suckier battery life vs later iterations of 5G hardware where more performance kinks have been ironed out.

Intel has warned its 5G modems won’t be in phones until next year — so, again, that suggests no 5G iPhones before 2020. And Apple is of course a great bellwether for mainstream consumer tech; the company only jumps in when it believes a technology is ready for prime time, rarely sooner. And if Cupertino feels 5G can wait, that’s going to be equally true for most consumers.

Zooming out, the specter of network security (and potential regulation) now looms very large indeed where 5G is concerned, thanks to East-West trade tensions injecting a strange new world of geopolitical uncertainty into an industry that’s never really had to grapple with this kind of business risk before.

Chinese kit maker Huawei’s rotating chairman, Guo Ping, used the opportunity of an MWC keynote to defend the company and its 5G solutions against U.S. claims its network tech could be repurposed by the Chinese state as a high tech conduit to spy on the West — literally telling delegates: “We don’t do bad things” and appealing to them to plainly to: “Please choose Huawei!”

Huawei rotating resident, Guo Ping, defends the security of its network kit on stage at MWC 2019

When established technology vendors are having to use a high profile industry conference to plead for trust it’s strange and uncertain times indeed.

In Europe it’s possible carriers’ 5G network kit choices could soon be regulated as a result of security concerns attached to Chinese suppliers. The European Commission suggested as much this week, saying in another MWC keynote that it’s preparing to step in try to prevent security concerns at the EU Member State level from fragmenting 5G rollouts across the bloc.

In an on stage Q&A Orange’s chairman and CEO, Stéphane Richard, couched the risk of destabilization of the 5G global supply chain as a “big concern”, adding: “It’s the first time we have such an important risk in our industry.”

Geopolitical security is thus another issue carriers are having to factor in as they make decisions about how quickly to make the leap to 5G. And holding off on upgrades, while regulators and other standards bodies try to figure out a trusted way forward, might seem the more sensible thing to do — potentially stalling 5G upgrades in the meanwhile.

Given all the uncertainties there’s certainly no reason for consumers to rush in.

Smartphone upgrade cycles have slowed globally for a reason. Mobile hardware is mature because it’s serving consumers very well. Handsets are both powerful and capable enough to last for years.

And while there’s no doubt 5G will change things radically in future, including for consumers — enabling many more devices to be connected and feeding back data, with the potential to deliver on the (much hyped but also still pretty nascent) ‘smart home’ concept — the early 5G sales pitch for consumers essentially boils down to more of the same.

“Over the next ten years 4G will phase out. The question is how fast that happens in the meantime and again I think that will happen slower than in early times because [with 5G] you don’t come into a vacuum, you don’t fill a big gap,” suggests Gartner’s Fabre. “4G’s great, it’s getting better, wi’fi’s getting better… The story of let’s build a big national network to do 5G at scale [for all] that’s just not happening.”

“I think we’ll start very, very simple,” he adds of the 5G consumer proposition. “Things like caching data or simply doing more broadband faster. So more of the same.

“It’ll be great though. But you’ll still be watching Netflix and maybe there’ll be a couple of apps that come up… Maybe some more interactive collaboration or what have you. But we know these things are being used today by enterprises and consumers and they’ll continue to be used.”

So — in sum — the 5G mantra for the sensible consumer is really ‘wait and see’.

Powered by WPeMatico

Europe is prepared to rule over 5G cybersecurity

Posted by | 5g, artificial intelligence, Australia, barcelona, broadband, China, computer security, EC, Emerging-Technologies, Europe, european commission, european union, Germany, huawei, Internet of Things, Mariya Gabriel, Mobile, mwc 2019, network technology, New Zealand, Security, telecommunications, trump, UK government, United Kingdom, United States, zte | No Comments

The European Commission’s digital commissioner has warned the mobile industry to expect it to act over security concerns attached to Chinese network equipment makers.

The Commission is considering a defacto ban on kit made by Chinese companies including Huawei in the face of security and espionage concerns, per Reuters.

Appearing on stage at the Mobile World Congress tradeshow in Barcelona today, Mariya Gabriel, European commissioner for digital economy and society, flagged network “cybersecurity” during her scheduled keynote, warning delegates it’s stating the obvious for her to say that “when 5G services become mission critical 5G networks need to be secure”.

Geopolitical concerns between the West and China are being accelerated and pushed to the fore as the era of 5G network upgrades approach, as well as by ongoing tensions between the U.S. and China over trade.

“I’m well away of the unrest among all of you key actors in the telecoms sectors caused by the ongoing discussions around the cybersecurity of 5G,” Gabriel continued, fleshing out the Commission’s current thinking. “Let me reassure you: The Commission takes your view very seriously. Because you need to run these systems everyday. Nobody is helped by premature decisions based on partial analysis of the facts.

“However it is also clear that Europe has to have a common approach to this challenge. And we need to bring it on the table soon. Otherwise there is a risk that fragmentation rises because of diverging decisions taken by Member States trying to protect themselves.”

“We all know that this fragmentation damages the digital single market. So therefore we are working on this important matter with priority. And to the Commission we will take steps soon,” she added.

The theme of this year’s show is “intelligent connectivity”; the notion that the incoming 5G networks will not only create links between people and (many, many more) things but understand the connections they’re making at a greater depth and resolution than has been possible before, leveraging the big data generated by many more connections to power automated decision-making in near real time, with low latency another touted 5G benefit (as well as many more connections per cell).

Futuristic scenarios being floated include connected cars neatly pulling to the sides of the road ahead of an ambulance rushing a patient to hospital — or indeed medical operations being aided and even directed remotely in real-time via 5G networks supporting high resolution real-time video streaming.

But for every touted benefit there are easy to envisage risks to network technology that’s being designed to connect everything all of the time — thereby creating a new and more powerful layer of critical infrastructure society will be relying upon.

Last fall the Australia government issued new security guidelines for 5G networks that essential block Chinese companies such as Huawei and ZTE from providing equipment to operators — justifying the move by saying that differences in the way 5G operates compared to previous network generations introduces new risks to national security.

New Zealand followed suit shortly after, saying kit from the Chinese companies posed a significant risk to national security.

While in the U.S. President Trump has made 5G network security a national security priority since 2017, and a bill was passed last fall banning Chinese companies from supplying certain components and services to government agencies.

The ban is due to take effect over two years but lawmakers have been pressuring to local carriers to drop 5G collaborations with companies such as Huawei.

In Europe the picture is so far more mixed. A UK government report last summer investigating Huawei’s broadband and mobile infrastructure raised further doubts, and last month Germany was reported to be mulling a 5G ban on the Chinese kit maker.

But more recently the two EU Member States have been reported to no longer be leaning towards a total ban — apparently believing any risk can be managed and mitigated by oversight and/or partial restrictions.

It remains to be seen how the Commission could step in to try to harmonize security actions taken by Member States around nascent 5G networks. But it appears prepared to set rules.

That said, Gabriel gave no hint of its thinking today, beyond repeating the Commission’s preferred position of less fragmentation, more harmonization to avoid collateral damage to its overarching Digital Single Market initiative — i.e. if Member States start fragmenting into a patchwork based on varying security concerns.

We’ve reached out to the Commission for further comment and will update this story with any additional context.

During the keynote she was careful to talk up the transformative potential of 5G connectivity while also saying innovation must work in lock-step with European “values”.

“Europe has to keep pace with other regions and early movers while making sure that its citizens and businesses benefit swiftly from the new infrastructures and the many applications that will be built on top of them,” she said.

“Digital is helping us and we need to reap its opportunities, mitigate its risks and make sure it is respectful of our values as much as driven by innovation. Innovation and values. Two key words. That is the vision we have delivered in terms of the defence for our citizens in Europe. Together we have decided to construct a Digital Single Market that reflects the values and principles upon which the European Union has been built.”

Her speech also focused on AI, with the commissioner highlighting various EC initiatives to invest in and support private sector investment in artificial intelligence — saying it’s targeting €20BN in “AI-directed investment” across the private and public sector by 2020, with the goal for the next decade being “to reach the same amount as an annual average” — and calling on the private sector to “contribute to ensure that Europe reaches the level of investment needed for it to become a world stage leader also in AI”.

But again she stressed the need for technology developments to be thoughtfully managed so they reflect the underlying society rather than negatively disrupting it. The goal should be what she dubbed “human-centric AI”.

“When we talk about AI and new technologies development for us Europeans it is not only about investing. It is mainly about shaping AI in a way that reflects our European values and principles. An ethical approach to AI is key to enable competitiveness — it will generate user trust and help facilitate its uptake,” she said.

“Trust is the key word. There is no other way. It is only by ensuring trustworthiness that Europe will position itself as a leader in cutting edge, secure and ethical AI. And that European citizens will enjoy AI’s benefits.”

Powered by WPeMatico

Europe agrees platform rules to tackle unfair business practices

Posted by | Amazon, Android, antitrust, competition, e-commerce, eBay, EC, eCommerce, Europe, european commission, european parliament, european union, General Data Protection Regulation, Google, google search, Google Shopping, Margrethe Vestager, microsoft store, online marketplaces, online platforms, search engine, search engines, search results | No Comments

The European Union’s political institutions have reached agreement over new rules designed to boost transparency around online platform businesses and curb unfair practices to support traders and other businesses that rely on digital intermediaries for discovery and sales.

The European Commission proposed a regulation for fairness and transparency in online platform trading last April. And late yesterday the European Parliament, Council of the EU and Commission reached a political deal on regulating the business environment of platforms, announcing the accord in a press release today.

The political agreement paves the way for adoption and publication of the regulation, likely later this year. The rules will apply 12 months after that point.

Online platform intermediaries such as ecommerce marketplaces and search engines are covered by the new rules if they provide services to businesses established in the EU and which offer goods or services to consumers located in the EU.

The Commission estimates there are some 7,000 such platforms and marketplaces which will be covered by the regulation, noting this includes “world giants as well as very small start-ups”.

Under the new rules, sudden and unexpected account suspensions will be banned — with the Commission saying platforms will have to provide “clear reasons” for any termination and also possibilities for appeal.

Terms and conditions must also be “easily available and provided in plain and intelligible language”.

There must also be advance notice of changes — of at least 15 days, with longer notice periods applying for more complex changes.

For search engines the focus is on ranking transparency. And on that front dominant search engine Google has attracted more than its fair share of criticism in Europe from a range of rivals (not all of whom are European).

In 2017, the search giant was also slapped with a $2.7BN antitrust fine related to its price comparison service, Google Shopping. The EC found Google had systematically given prominent placement to its own search comparison service while also demoting rival services in search results. (Google rejects the findings and is appealing.)

Given the history of criticism of Google’s platform business practices, and the multi-year regulatory tug of war over anti-competitive impacts, the new transparency provisions look intended to make it harder for a dominant search player to use its market power against rivals.

Changing the online marketplace

The importance of legislating for platform fairness was flagged by the Commission’s antitrust chief, Margrethe Vestager, last summer — when she handed Google another very large fine ($5BN) for anti-competitive behavior related to its mobile platform Android.

Vestager said then she wasn’t sure breaking Google up would be an effective competition fix, preferring to push for remedies to support “more players to have a real go”, as her Android decision attempts to do. But she also stressed the importance of “legislation that will ensure that you have transparency and fairness in the business to platform relationship”.

If businesses have legal means to find out why, for example, their traffic has stopped and what they can do to get it back that will “change the marketplace, and it will change the way we are protected as consumers but also as businesses”, she argued.

Just such a change is now in sight thanks to EU political accord on the issue.

The regulation represents the first such rules for online platforms in Europe and — commissioners’ contend — anywhere in the world.

“Our target is to outlaw some of the most unfair practices and create a benchmark for transparency, at the same time safeguarding the great advantages of online platforms both for consumers and for businesses,” said Andrus Ansip, VP for the EU’s Digital Single Market initiative in a statement.

Elżbieta Bieńkowska, commissioner for internal market, industry, entrepreneurship, and SMEs, added that the rules are “especially designed with the millions of SMEs in mind”.

“Many of them do not have the bargaining muscle to enter into a dispute with a big platform, but with these new rules they have a new safety net and will no longer worry about being randomly kicked off a platform, or intransparent ranking in search results,” she said in another supporting statement.

In a factsheet about the new rules, the Commission specifies they cover third-party ecommerce market places (e.g. Amazon Marketplace, eBay, Fnac Marketplace, etc.); app stores (e.g. Google Play, Apple App Store, Microsoft Store etc.); social media for business (e.g. Facebook pages, Instagram used by makers/artists etc.); and price comparison tools (e.g. Skyscanner, Google Shopping etc.).

The regulation does not target every online platform. For example, it does not cover online advertising (or b2b ad exchanges), payment services, SEO services or services that do not intermediate direct transactions between businesses and consumers.

The Commission also notes that online retailers that sell their own brand products and/or don’t rely on third party sellers on their own platform are also excluded from the regulation, such as retailers of brands or supermarkets.

Where transparency is concerned, the rules require that regulated marketplaces and search engines disclose the main parameters they use to rank goods and services on their site “to help sellers understand how to optimise their presence” — with the Commission saying the aim is to support sellers without allowing gaming of the ranking system.

Some platform business practices will also require mandatory disclosure — such as for platforms that not only provide a marketplace for sellers but sell on their platform themselves, as does Amazon for example.

The ecommerce giant’s use of merchant data remains under scrutiny in the EU. Vestager revealed a preliminary antitrust probe of Amazon last fall — when she said her department was gathering information to “try to get a full picture”. She said her concern is dual platforms could gain an unfair advantage as a consequence of access to merchants’ data.

And, again, the incoming transparency rules look intended to shrink that risk — requiring what the Commission couches as exhaustive disclosure of “any advantage” a platform may give to their own products over others.

“They must also disclose what data they collect, and how they use it — and in particular how such data is shared with other business partners they have,” it continues, noting also that: “Where personal data is concerned, the rules of the GDPR [General Data Protection Regulation] apply.”

(GDPR of course places further transparency requirements on platforms by, for example, empowering individuals to request any personal data held on them, as well as the reasons why their information is being processed.)

The platform regulation also includes new avenues for dispute resolution by requiring platforms set up an internal complaint-handling system to assist business users.

“Only the smallest platforms in terms of head count or turnover will be exempt from this obligation,” the Commission notes. (The exemption limit is set at fewer than 50 staff and less than €10M revenue.)

It also says: “Platforms will have to provide businesses with more options to resolve a potential problem through mediators. This will help resolve more issues out of court, saving businesses time and money.”

But, at the same time, the new rules allow business associations to take platforms to court to stop any non-compliance — mirroring a provision in the GDPR which also allows for collective enforcement and redress of individual privacy rights (where Member States adopt it).

“This will help overcome fear of retaliation, and lower the cost of court cases for individual businesses, when the new rules are not followed,” the Commission argues.

“In addition, Member States can appoint public authorities with enforcement powers, if they wish, and businesses can turn to those authorities.”

One component of the regulation that appears to be being left up to EU Member States to tackle is penalties for non-compliance — with no clear regime of fines set out (as there is in GDPR). So it’s not clear whether the platform regulation might not have rather more bark than bite, at least initially.

“Member States shall need to take measures that are sufficiently dissuasive to ensure that the online intermediation platforms and search engines comply with the requirements in the Regulation,” the Commission writes in a section of its factsheet dealing with how to make sure platforms respect the new rules.

It also points again to the provision allowing business associations or organisations to take action in national courts on behalf of members — saying this offers a legal route to “stop or prohibit non-compliance with one or more of the requirements of the Regulation”. So, er, expect lawsuits.

The Commission says the rules will be subject to review within 18 months after they come into force — in a bid to ensure the regulation keeps pace with fast-paced tech developments.

A dedicated Online Platform Observatory has been established in the EU for the purpose of “monitoring the evolution of the market and the effective implementation of the rules”, it adds.

Powered by WPeMatico

Is Europe closing in on an antitrust fix for surveillance technologists?

Posted by | Android, antitrust, competition law, data protection, data protection law, DCMS committee, digital media, EC, Europe, european commission, european union, Facebook, General Data Protection Regulation, Germany, Giovanni Buttarelli, Google, instagram, Margrethe Vestager, Messenger, photo sharing, privacy, Social, social media, social networks, surveillance capitalism, TC, terms of service, United Kingdom, United States | No Comments

The German Federal Cartel Office’s decision to order Facebook to change how it processes users’ personal data this week is a sign the antitrust tide could at last be turning against platform power.

One European Commission source we spoke to, who was commenting in a personal capacity, described it as “clearly pioneering” and “a big deal”, even without Facebook being fined a dime.

The FCO’s decision instead bans the social network from linking user data across different platforms it owns, unless it gains people’s consent (nor can it make use of its services contingent on such consent). Facebook is also prohibited from gathering and linking data on users from third party websites, such as via its tracking pixels and social plugins.

The order is not yet in force, and Facebook is appealing, but should it come into force the social network faces being de facto shrunk by having its platforms siloed at the data level.

To comply with the order Facebook would have to ask users to freely consent to being data-mined — which the company does not do at present.

Yes, Facebook could still manipulate the outcome it wants from users but doing so would open it to further challenge under EU data protection law, as its current approach to consent is already being challenged.

The EU’s updated privacy framework, GDPR, requires consent to be specific, informed and freely given. That standard supports challenges to Facebook’s (still fixed) entry ‘price’ to its social services. To play you still have to agree to hand over your personal data so it can sell your attention to advertisers. But legal experts contend that’s neither privacy by design nor default.

The only ‘alternative’ Facebook offers is to tell users they can delete their account. Not that doing so would stop the company from tracking you around the rest of the mainstream web anyway. Facebook’s tracking infrastructure is also embedded across the wider Internet so it profiles non-users too.

EU data protection regulators are still investigating a very large number of consent-related GDPR complaints.

But the German FCO, which said it liaised with privacy authorities during its investigation of Facebook’s data-gathering, has dubbed this type of behavior “exploitative abuse”, having also deemed the social service to hold a monopoly position in the German market.

So there are now two lines of legal attack — antitrust and privacy law — threatening Facebook (and indeed other adtech companies’) surveillance-based business model across Europe.

A year ago the German antitrust authority also announced a probe of the online advertising sector, responding to concerns about a lack of transparency in the market. Its work here is by no means done.

Data limits

The lack of a big flashy fine attached to the German FCO’s order against Facebook makes this week’s story less of a major headline than recent European Commission antitrust fines handed to Google — such as the record-breaking $5BN penalty issued last summer for anticompetitive behaviour linked to the Android mobile platform.

But the decision is arguably just as, if not more, significant, because of the structural remedies being ordered upon Facebook. These remedies have been likened to an internal break-up of the company — with enforced internal separation of its multiple platform products at the data level.

This of course runs counter to (ad) platform giants’ preferred trajectory, which has long been to tear modesty walls down; pool user data from multiple internal (and indeed external sources), in defiance of the notion of informed consent; and mine all that personal (and sensitive) stuff to build identity-linked profiles to train algorithms that predict (and, some contend, manipulate) individual behavior.

Because if you can predict what a person is going to do you can choose which advert to serve to increase the chance they’ll click. (Or as Mark Zuckerberg puts it: ‘Senator, we run ads.’)

This means that a regulatory intervention that interferes with an ad tech giant’s ability to pool and process personal data starts to look really interesting. Because a Facebook that can’t join data dots across its sprawling social empire — or indeed across the mainstream web — wouldn’t be such a massive giant in terms of data insights. And nor, therefore, surveillance oversight.

Each of its platforms would be forced to be a more discrete (and, well, discreet) kind of business.

Competing against data-siloed platforms with a common owner — instead of a single interlinked mega-surveillance-network — also starts to sound almost possible. It suggests a playing field that’s reset, if not entirely levelled.

(Whereas, in the case of Android, the European Commission did not order any specific remedies — allowing Google to come up with ‘fixes’ itself; and so to shape the most self-serving ‘fix’ it can think of.)

Meanwhile, just look at where Facebook is now aiming to get to: A technical unification of the backend of its different social products.

Such a merger would collapse even more walls and fully enmesh platforms that started life as entirely separate products before were folded into Facebook’s empire (also, let’s not forget, via surveillance-informed acquisitions).

Facebook’s plan to unify its products on a single backend platform looks very much like an attempt to throw up technical barriers to antitrust hammers. It’s at least harder to imagine breaking up a company if its multiple, separate products are merged onto one unified backend which functions to cross and combine data streams.

Set against Facebook’s sudden desire to technically unify its full-flush of dominant social networks (Facebook Messenger; Instagram; WhatsApp) is a rising drum-beat of calls for competition-based scrutiny of tech giants.

This has been building for years, as the market power — and even democracy-denting potential — of surveillance capitalism’s data giants has telescoped into view.

Calls to break up tech giants no longer carry a suggestive punch. Regulators are routinely asked whether it’s time. As the European Commission’s competition chief, Margrethe Vestager, was when she handed down Google’s latest massive antitrust fine last summer.

Her response then was that she wasn’t sure breaking Google up is the right answer — preferring to try remedies that might allow competitors to have a go, while also emphasizing the importance of legislating to ensure “transparency and fairness in the business to platform relationship”.

But it’s interesting that the idea of breaking up tech giants now plays so well as political theatre, suggesting that wildly successful consumer technology companies — which have long dined out on shiny convenience-based marketing claims, made ever so saccharine sweet via the lure of ‘free’ services — have lost a big chunk of their populist pull, dogged as they have been by so many scandals.

From terrorist content and hate speech, to election interference, child exploitation, bullying, abuse. There’s also the matter of how they arrange their tax affairs.

The public perception of tech giants has matured as the ‘costs’ of their ‘free’ services have scaled into view. The upstarts have also become the establishment. People see not a new generation of ‘cuddly capitalists’ but another bunch of multinationals; highly polished but remote money-making machines that take rather more than they give back to the societies they feed off.

Google’s trick of naming each Android iteration after a different sweet treat makes for an interesting parallel to the (also now shifting) public perceptions around sugar, following closer attention to health concerns. What does its sickly sweetness mask? And after the sugar tax, we now have politicians calling for a social media levy.

Just this week the deputy leader of the main opposition party in the UK called for setting up a standalone Internet regulatory with the power to break up tech monopolies.

Talking about breaking up well-oiled, wealth-concentration machines is being seen as a populist vote winner. And companies that political leaders used to flatter and seek out for PR opportunities find themselves treated as political punchbags; Called to attend awkward grilling by hard-grafting committees, or taken to vicious task verbally at the highest profile public podia. (Though some non-democratic heads of state are still keen to press tech giant flesh.)

In Europe, Facebook’s repeat snubs of the UK parliament’s requests last year for Zuckerberg to face policymakers’ questions certainly did not go unnoticed.

Zuckerberg’s empty chair at the DCMS committee has become both a symbol of the company’s failure to accept wider societal responsibility for its products, and an indication of market failure; the CEO so powerful he doesn’t feel answerable to anyone; neither his most vulnerable users nor their elected representatives. Hence UK politicians on both sides of the aisle making political capital by talking about cutting tech giants down to size.

The political fallout from the Cambridge Analytica scandal looks far from done.

Quite how a UK regulator could successfully swing a regulatory hammer to break up a global Internet giant such as Facebook which is headquartered in the U.S. is another matter. But policymakers have already crossed the rubicon of public opinion and are relishing talking up having a go.

That represents a sea-change vs the neoliberal consensus that allowed competition regulators to sit on their hands for more than a decade as technology upstarts quietly hoovered up people’s data and bagged rivals, and basically went about transforming themselves from highly scalable startups into market-distorting giants with Internet-scale data-nets to snag users and buy or block competing ideas.

The political spirit looks willing to go there, and now the mechanism for breaking platforms’ distorting hold on markets may also be shaping up.

The traditional antitrust remedy of breaking a company along its business lines still looks unwieldy when faced with the blistering pace of digital technology. The problem is delivering such a fix fast enough that the business hasn’t already reconfigured to route around the reset. 

Commission antitrust decisions on the tech beat have stepped up impressively in pace on Vestager’s watch. Yet it still feels like watching paper pushers wading through treacle to try and catch a sprinter. (And Europe hasn’t gone so far as trying to impose a platform break up.) 

But the German FCO decision against Facebook hints at an alternative way forward for regulating the dominance of digital monopolies: Structural remedies that focus on controlling access to data which can be relatively swiftly configured and applied.

Vestager, whose term as EC competition chief may be coming to its end this year (even if other Commission roles remain in potential and tantalizing contention), has championed this idea herself.

In an interview on BBC Radio 4’s Today program in December she poured cold water on the stock question about breaking tech giants up — saying instead the Commission could look at how larger firms got access to data and resources as a means of limiting their power. Which is exactly what the German FCO has done in its order to Facebook. 

At the same time, Europe’s updated data protection framework has gained the most attention for the size of the financial penalties that can be issued for major compliance breaches. But the regulation also gives data watchdogs the power to limit or ban processing. And that power could similarly be used to reshape a rights-eroding business model or snuff out such business entirely.

#GDPR allows imposing a permanent ban on data processing. This is the nuclear option. Much more severe than any fine you can imagine, in most cases. https://t.co/X772NvU51S

— Lukasz Olejnik (@lukOlejnik) January 28, 2019

The merging of privacy and antitrust concerns is really just a reflection of the complexity of the challenge regulators now face trying to rein in digital monopolies. But they’re tooling up to meet that challenge.

Speaking in an interview with TechCrunch last fall, Europe’s data protection supervisor, Giovanni Buttarelli, told us the bloc’s privacy regulators are moving towards more joint working with antitrust agencies to respond to platform power. “Europe would like to speak with one voice, not only within data protection but by approaching this issue of digital dividend, monopolies in a better way — not per sectors,” he said. “But first joint enforcement and better co-operation is key.”

The German FCO’s decision represents tangible evidence of the kind of regulatory co-operation that could — finally — crack down on tech giants.

Blogging in support of the decision this week, Buttarelli asserted: “It is not necessary for competition authorities to enforce other areas of law; rather they need simply to identity where the most powerful undertakings are setting a bad example and damaging the interests of consumers.  Data protection authorities are able to assist in this assessment.”

He also had a prediction of his own for surveillance technologists, warning: “This case is the tip of the iceberg — all companies in the digital information ecosystem that rely on tracking, profiling and targeting should be on notice.”

So perhaps, at long last, the regulators have figured out how to move fast and break things.

Powered by WPeMatico

This early GDPR adtech strike puts the spotlight on consent

Posted by | Advertising Tech, Android, Apps, artificial intelligence, China, data processing, data protection, Europe, european union, Facebook, Fidzup, GDPR, General Data Protection Regulation, Google, location based services, mobile advertising, mobile device, online advertising, privacy, retail, smartphone, TC, terms of service | No Comments

What does consent as a valid legal basis for processing personal data look like under Europe’s updated privacy rules? It may sound like an abstract concern but for online services that rely on things being done with user data in order to monetize free-to-access content this is a key question now the region’s General Data Protection Regulation is firmly fixed in place.

The GDPR is actually clear about consent. But if you haven’t bothered to read the text of the regulation, and instead just go and look at some of the self-styled consent management platforms (CMPs) floating around the web since May 25, you’d probably have trouble guessing it.

Confusing and/or incomplete consent flows aren’t yet extinct, sadly. But it’s fair to say those that don’t offer full opt-in choice are on borrowed time.

Because if your service or app relies on obtaining consent to process EU users’ personal data — as many free at the point-of-use, ad-supported apps do — then the GDPR states consent must be freely given, specific, informed and unambiguous.

That means you can’t bundle multiple uses for personal data under a single opt-in.

Nor can you obfuscate consent behind opaque wording that doesn’t actually specify the thing you’re going to do with the data.

You also have to offer users the choice not to consent. So you cannot pre-tick all the consent boxes that you really wish your users would freely choose — because you have to actually let them do that.

It’s not rocket science but the pushback from certain quarters of the adtech industry has been as awfully predictable as it’s horribly frustrating.

This has not gone unnoticed by consumers either. Europe’s Internet users have been filing consent-based complaints thick and fast this year. And a lot of what is being claimed as ‘GDPR compliant’ right now likely is not.

So, some six months in, we’re essentially in a holding pattern waiting for the regulatory hammers to come down.

But if you look closely there are some early enforcement actions that show some consent fog is starting to shift.

Yes, we’re still waiting on the outcomes of major consent-related complaints against tech giants. (And stockpile popcorn to watch that space for sure.)

But late last month French data protection watchdog, the CNIL, announced the closure of a formal warning it issued this summer against drive-to-store adtech firm, Fidzup — saying it was satisfied it was now GDPR compliant.

Such a regulatory stamp of approval is obviously rare this early in the new legal regime.

So while Fidzup is no adtech giant its experience still makes an interesting case study — showing how the consent line was being crossed; how, working with CNIL, it was able to fix that; and what being on the right side of the law means for a (relatively) small-scale adtech business that relies on consent to enable a location-based mobile marketing business.

From zero to GDPR hero?

Fidzup’s service works like this: It installs kit inside (or on) partner retailers’ physical stores to detect the presence of user-specific smartphones. At the same time it provides an SDK to mobile developers to track app users’ locations, collecting and sharing the advertising ID and wi-fi ID of users’ smartphone (which, along with location, are judged personal data under GDPR.)

Those two elements — detectors in physical stores; and a personal data-gathering SDK in mobile apps — come together to power Fidzup’s retail-focused, location-based ad service which pushes ads to mobile users when they’re near a partner store. The system also enables it to track ad-to-store conversions for its retail partners.

The problem Fidzup had, back in July, was that after an audit of its business the CNIL deemed it did not have proper consent to process users’ geolocation data to target them with ads.

Fidzup says it had thought its business was GDPR compliant because it took the view that app publishers were the data processors gathering consent on its behalf; the CNIL warning was a wake up call that this interpretation was incorrect — and that it was responsible for the data processing and so also for collecting consents.

The regulator found that when a smartphone user installed an app containing Fidzup’s SDK they were not informed that their location and mobile device ID data would be used for ad targeting, nor the partners Fidzup was sharing their data with.

CNIL also said users should have been clearly informed before data was collected — so they could choose to consent — instead of information being given via general app conditions (or in store posters), as was the case, after the fact of the processing.

It also found users had no choice to download the apps without also getting Fidzup’s SDK, with use of such an app automatically resulting in data transmission to partners.

Fidzup’s approach to consent had also only been asking users to consent to the processing of their geolocation data for the specific app they had downloaded — not for the targeted ad purposes with retail partners which is the substance of the firm’s business.

So there was a string of issues. And when Fidzup was hit with the warning the stakes were high, even with no monetary penalty attached. Because unless it could fix the core consent problem, the 2014-founded startup might have faced going out of business. Or having to change its line of business entirely.

Instead it decided to try and fix the consent problem by building a GDPR-compliant CMP — spending around five months liaising with the regulator, and finally getting a green light late last month.

A core piece of the challenge, as co-founder and CEO Olivier Magnan-Saurin tells it, was how to handle multiple partners in this CMP because its business entails passing data along the chain of partners — each new use and partner requiring opt-in consent.

“The first challenge was to design a window and a banner for multiple data buyers,” he tells TechCrunch. “So that’s what we did. The challenge was to have something okay for the CNIL and GDPR in terms of wording, UX etc. And, at the same time, some things that the publisher will allow to and will accept to implement in his source code to display to his users because he doesn’t want to scare them or to lose too much.

“Because they get money from the data that we buy from them. So they wanted to get the maximum money that they can, because it’s very difficult for them to live without the data revenue. So the challenge was to reconcile the need from the CNIL and the GDPR and from the publishers to get something acceptable for everyone.”

As a quick related aside, it’s worth noting that Fidzup does not work with the thousands of partners an ad exchange or demand-side platform most likely would be.

Magnan-Saurin tells us its CMP lists 460 partners. So while that’s still a lengthy list to have to put in front of consumers — it’s not, for example, the 32,000 partners of another French adtech firm, Vectaury, which has also recently been on the receiving end of an invalid consent ruling from the CNIL.

In turn, that suggests the ‘Fidzup fix’, if we can call it that, only scales so far; adtech firms that are routinely passing millions of people’s data around thousands of partners look to have much more existential problems under GDPR — as we’ve reported previously re: the Vectaury decision.

No consent without choice

Returning to Fidzup, its fix essentially boils down to actually offering people a choice over each and every data processing purpose, unless it’s strictly necessary for delivering the core app service the consumer was intending to use.

Which also means giving app users the ability to opt out of ads entirely — and not be penalized by not being able to use the app features itself.

In short, you can’t bundle consent. So Fidzup’s CMP unbundles all the data purposes and partners to offer users the option to consent or not.

“You can unselect or select each purpose,” says Magnan-Saurin of the now compliant CMP. “And if you want only to send data for, I don’t know, personalized ads but you don’t want to send the data to analyze if you go to a store or not, you can. You can unselect or select each consent. You can also see all the buyers who buy the data. So you can say okay I’m okay to send the data to every buyer but I can also select only a few or none of them.”

“What the CNIL ask is very complicated to read, I think, for the final user,” he continues. “Yes it’s very precise and you can choose everything etc. But it’s very complete and you have to spend some time to read everything. So we were [hoping] for something much shorter… but now okay we have something between the initial asking for the CNIL — which was like a big book — and our consent collection before the warning which was too short with not the right information. But still it’s quite long to read.”

Fidzup’s CNIL approved GDPR-compliant consent management platform

“Of course, as a user, I can refuse everything. Say no, I don’t want my data to be collected, I don’t want to send my data. And I have to be able, as a user, to use the app in the same way as if I accept or refuse the data collection,” he adds.

He says the CNIL was very clear on the latter point — telling it they could not require collection of geolocation data for ad targeting for usage of the app.

“You have to provide the same service to the user if he accepts or not to share his data,” he emphasizes. “So now the app and the geolocation features [of the app] works also if you refuse to send the data to advertisers.”

This is especially interesting in light of the ‘forced consent’ complaints filed against tech giants Facebook and Google earlier this year.

These complaints argue the companies should (but currently do not) offer an opt-out of targeted advertising, because behavioural ads are not strictly necessary for their core services (i.e. social networking, messaging, a smartphone platform etc).

Indeed, data gathering for such non-core service purposes should require an affirmative opt-in under GDPR. (An additional GDPR complaint against Android has also since attacked how consent is gathered, arguing it’s manipulative and deceptive.)

Asked whether, based on his experience working with the CNIL to achieve GDPR compliance, it seems fair that a small adtech firm like Fidzup has had to offer an opt-out when a tech giant like Facebook seemingly doesn’t, Magnan-Saurin tells TechCrunch: “I’m not a lawyer but based on what the CNIL asked us to be in compliance with the GDPR law I’m not sure that what I see on Facebook as a user is 100% GDPR compliant.”

“It’s better than one year ago but [I’m still not sure],” he adds. “Again it’s only my feeling as a user, based on the experience I have with the French CNIL and the GDPR law.”

Facebook of course maintains its approach is 100% GDPR compliant.

Even as data privacy experts aren’t so sure.

One thing is clear: If the tech giant was forced to offer an opt out for data processing for ads it would clearly take a big chunk out of its business — as a sub-set of users would undoubtedly say no to Zuckerberg’s “ads”. (And if European Facebook users got an ads opt out you can bet Americans would very soon and very loudly demand the same, so…)

Bridging the privacy gap

In Fidzup’s case, complying with GDPR has had a major impact on its business because offering a genuine choice means it’s not always able to obtain consent. Magnan-Saurin says there is essentially now a limit on the number of device users advertisers can reach because not everyone opts in for ads.

Although, since it’s been using the new CMP, he says a majority are still opting in (or, at least, this is the case so far) — showing one consent chart report with a ~70:30 opt-in rate, for example.

He expresses the change like this: “No one in the world can say okay I have 100% of the smartphones in my data base because the consent collection is more complete. No one in the world, even Facebook or Google, could say okay, 100% of the smartphones are okay to collect from them geolocation data. That’s a huge change.”

“Before that there was a race to the higher reach. The biggest number of smartphones in your database,” he continues. “Today that’s not the point.”

Now he says the point for adtech businesses with EU users is figuring out how to extrapolate from the percentage of user data they can (legally) collect to the 100% they can’t.

And that’s what Fidzup has been working on this year, developing machine learning algorithms to try to bridge the data gap so it can still offer its retail partners accurate predictions for tracking ad to store conversions.

“We have algorithms based on the few thousand stores that we equip, based on the few hundred mobile advertising campaigns that we have run, and we can understand for a store in London in… sports, fashion, for example, how many visits we can expect from the campaign based on what we can measure with the right consent,” he says. “That’s the first and main change in our market; the quantity of data that we can get in our database.”

“Now the challenge is to be as accurate as we can be without having 100% of real data — with the consent, and the real picture,” he adds. “The accuracy is less… but not that much. We have a very, very high standard of quality on that… So now we can assure the retailers that with our machine learning system they have nearly the same quality as they had before.

“Of course it’s not exactly the same… but it’s very close.”

Having a CMP that’s had regulatory ‘sign-off’, as it were, is something Fidzup is also now hoping to turn into a new bit of additional business.

“The second change is more like an opportunity,” he suggests. “All the work that we have done with CNIL and our publishers we have transferred it to a new product, a CMP, and we offer today to all the publishers who ask to use our consent management platform. So for us it’s a new product — we didn’t have it before. And today we are the only — to my knowledge — the only company and the only CMP validated by the CNIL and GDPR compliant so that’s useful for all the publishers in the world.”

It’s not currently charging publishers to use the CMP but will be seeing whether it can turn it into a paid product early next year.

How then, after months of compliance work, does Fidzup feel about GDPR? Does it believe the regulation is making life harder for startups vs tech giants — as is sometimes suggested, with claims put forward by certain lobby groups that the law risks entrenching the dominance of better resourced tech giants. Or does he see any opportunities?

In Magnan-Saurin’s view, six months in to GDPR European startups are at an R&D disadvantage vs tech giants because U.S. companies like Facebook and Google are not (yet) subject to a similarly comprehensive privacy regulation at home — so it’s easier for them to bag up user data for whatever purpose they like.

Though it’s also true that U.S. lawmakers are now paying earnest attention to the privacy policy area at a federal level. (And Google’s CEO faced a number of tough questions from Congress on that front just this week.)

“The fact is Facebook-Google they own like 90% of the revenue in mobile advertising in the world. And they are American. So basically they can do all their research and development on, for example, American users without any GDPR regulation,” he says. “And then apply a pattern of GDPR compliance and apply the new product, the new algorithm, everywhere in the world.

“As a European startup I can’t do that. Because I’m a European. So once I begin the research and development I have to be GDPR compliant so it’s going to be longer for Fidzup to develop the same thing as an American… But now we can see that GDPR might be beginning a ‘world thing’ — and maybe Facebook and Google will apply the GDPR compliance everywhere in the world. Could be. But it’s their own choice. Which means, for the example of the R&D, they could do their own research without applying the law because for now U.S. doesn’t care about the GDPR law, so you’re not outlawed if you do R&D without applying GDPR in the U.S. That’s the main difference.”

He suggests some European startups might relocate R&D efforts outside the region to try to workaround the legal complexity around privacy.

“If the law is meant to bring the big players to better compliance with privacy I think — yes, maybe it goes in this way. But the first to suffer is the European companies, and it becomes an asset for the U.S. and maybe the Chinese… companies because they can be quicker in their innovation cycles,” he suggests. “That’s a fact. So what could happen is maybe investors will not invest that much money in Europe than in U.S. or in China on the marketing, advertising data subject topics. Maybe even the French companies will put all the R&D in the U.S. and destroy some jobs in Europe because it’s too complicated to do research on that topics. Could be impacts. We don’t know yet.”

But the fact of GDPR enforcement having — perhaps inevitably — started small, with so far a small bundle of warnings against relative data minnows, rather than any swift action against the industry dominating adtech giants, that’s being felt as yet another inequality at the startup coalface.

“What’s sure is that the CNIL started to send warnings not to Google or Facebook but to startups. That’s what I can see,” he says. “Because maybe it’s easier to see I’m working on GDPR and everything but the fact is the law is not as complicated for Facebook and Google as it is for the small and European companies.”

Powered by WPeMatico

Seized cache of Facebook docs raise competition and consent questions

Posted by | Android, api, competition, Damian Collins, data protection law, DCMS committee, Developer, Europe, european union, Facebook, Mark Zuckerberg, Onavo, Policy, privacy, Six4Three, Social, social network, terms of service, United Kingdom, vpn | No Comments

A UK parliamentary committee has published the cache of Facebook documents it dramatically seized last week.

The documents were obtained by a legal discovery process by a startup that’s suing the social network in a California court in a case related to Facebook changing data access permissions back in 2014/15.

The court had sealed the documents but the DCMS committee used rarely deployed parliamentary powers to obtain them from the Six4Three founder, during a business trip to London.

You can read the redacted documents here — all 250 pages of them.

In a series of tweets regarding the publication, committee chair Damian Collins says he believes there is “considerable public interest” in releasing them.

“They raise important questions about how Facebook treats users data, their policies for working with app developers, and how they exercise their dominant position in the social media market,” he writes.

“We don’t feel we have had straight answers from Facebook on these important issues, which is why we are releasing the documents. We need a more public debate about the rights of social media users and the smaller businesses who are required to work with the tech giants. I hope that our committee investigation can stand up for them.”

The committee has been investigating online disinformation and election interference for the best part of this year, and has been repeatedly frustrated in its attempts to extract answers from Facebook.

But it is protected by parliamentary privilege — hence it’s now published the Six4Three files, having waited a week in order to redact certain pieces of personal information.

Collins has included a summary of key issues, as the committee sees them after reviewing the documents, in which he draws attention to six issues.

Here is his summary of the key issues:

  • White Lists Facebook have clearly entered into whitelisting agreements with certain companies, which meant that after the platform changes in 2014/15 they maintained full access to friends data. It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not.

Facebook responded

  • Value of friends data It is clear that increasing revenues from major app developers was one of the key drivers behind the Platform 3.0 changes at Facebook. The idea of linking access to friends data to the financial value of the developers relationship with Facebook is a recurring feature of the documents.

In their response Facebook contends that this was essentially another “cherrypicked” topic and that the company “ultimately settled on a model where developers did not need to purchase advertising to access APIs and we continued to provide the developer platform for free.”

  • Reciprocity Data reciprocity between Facebook and app developers was a central feature in the discussions about the launch of Platform 3.0.
  • Android Facebook knew that the changes to its policies on the Android mobile phone system, which enabled the Facebook app to collect a record of calls and texts sent by the user would be controversial. To mitigate any bad PR, Facebook planned to make it as hard of possible for users to know that this was one of the underlying features of the upgrade of their app.
  • Onavo Facebook used Onavo to conduct global surveys of the usage of mobile apps by customers, and apparently without their knowledge. They used this data to assess not just how many people had downloaded apps, but how often they used them. This knowledge helped them to decide which companies to acquire, and which to treat as a threat.
  • Targeting competitor Apps The files show evidence of Facebook taking aggressive positions against apps, with the consequence that denying them access to data led to the failure of that business.

Update: 11:40am

Facebook has posted a lengthy response (read it here) positing that the “set of documents, by design, tells only one side of the story and omits important context.” They give a blow-by-blow response to Collins’ points below though they are ultimately pretty selective in what they actually address.

Generally they suggest that some of the issues being framed as anti-competitive were in fact designed to prevent “sketchy apps” from operating on the platform. Furthermore, Facebook details that they delete some old call logs on Android, that using “market research” data from Onava is essentially standard practice and that users had the choice whether data was shared reciprocally between FB and developers. In regard to specific competitors’ apps, Facebook appears to have tried to get ahead of this release with their announcement yesterday that it was ending its platform policy of banning apps that “replicate core functionality.” 

The publication of the files comes at an awkward moment for Facebook — which remains on the back foot after a string of data and security scandals, and has just announced a major policy change — ending a long-running ban on apps copying its own platform features.

Albeit the timing of Facebook’s policy shift announcement hardly looks incidental — given Collins said last week the committee would publish the files this week.

The policy in question has been used by Facebook to close down competitors in the past, such as — two years ago — when it cut off style transfer app Prisma’s access to its live-streaming Live API when the startup tried to launch a livestreaming art filter (Facebook subsequently launched its own style transfer filters for Live).

So its policy reversal now looks intended to diffuse regulatory scrutiny around potential antitrust concerns.

But emails in the Six4Three files suggesting that Facebook took “aggressive positions” against competing apps could spark fresh competition concerns.

In one email dated January 24, 2013, a Facebook staffer, Justin Osofsky, discusses Twitter’s launch of its short video clip app, Vine, and says Facebook’s response will be to close off its API access.

As part of their NUX, you can find friends via FB. Unless anyone raises objections, we will shut down their friends API access today. We’ve prepared reactive PR, and I will let Jana know our decision,” he writes. 

Osofsky’s email is followed by what looks like a big thumbs up from Zuckerberg, who replies: “Yup, go for it.”

Also of concern on the competition front is Facebook’s use of a VPN startup it acquired, Onavo, to gather intelligence on competing apps — either for acquisition purposes or to target as a threat to its business.

The files show various Onavo industry charts detailing reach and usage of mobile apps and social networks — with each of these graphs stamped ‘highly confidential’.

Facebook bought Onavo back in October 2013. Shortly after it shelled out $19BN to acquire rival messaging app WhatsApp — which one Onavo chart in the cache indicates was beasting Facebook on mobile, accounting for well over double the daily message sends at that time.

Onavo charts are quite an insight into facebook’s commanding view of the app-based attention marketplace pic.twitter.com/Ezdaxk6ffC

— David Carroll 🦅 (@profcarroll) December 5, 2018

The files also spotlight several issues of concern relating to privacy and data protection law, with internal documents raising fresh questions over how or even whether (in the case of Facebook’s whitelisting agreements with certain developers) it obtained consent from users to process their personal data.

The company is already facing a number of privacy complaints under the EU’s GDPR framework over its use of ‘forced consent‘, given that it does not offer users an opt-out from targeted advertising.

But the Six4Three files look set to pour fresh fuel on the consent fire.

Collins’ fourth line item — related to an Android upgrade — also speaks loudly to consent complaints.

Earlier this year Facebook was forced to deny that it collects calls and SMS data from users of its Android apps without permission. But, as we wrote at the time, it had used privacy-hostile design tricks to sneak expansive data-gobbling permissions past users. So, put simple, people clicked ‘agree’ without knowing exactly what they were agreeing to.

The Six4Three files back up the notion that Facebook was intentionally trying to mislead users.

In one email dated November 15, 2013, from Matt Scutari, manager privacy and public policy, suggests ways to prevent users from choosing to set a higher level of privacy protection, writing: “Matt is providing policy feedback on a Mark Z request that Product explore the possibility of making the Only Me audience setting unsticky. The goal of this change would be to help users avoid inadvertently posting to the Only Me audience. We are encouraging Product to explore other alternatives, such as more aggressive user education or removing stickiness for all audience settings.”

Another awkward trust issue for Facebook which the documents could stir up afresh relates to its repeat claim — including under questions from lawmakers — that it does not sell user data.

In one email from the cache — sent by Mark Zuckerberg, dated October 7, 2012 — the Facebook founder appears to be entertaining the idea of charging developers for “reading anything, including friends”.

Yet earlier this year, when he was asked by a US lawmaker how Facebook makes money, Zuckerberg replied: “Senator, we sell ads.”

He did not include a caveat that he had apparently personally entertained the idea of liberally selling access to user data.

Responding to the publication of the Six4Three documents, a Facebook spokesperson told us:

As we’ve said many times, the documents Six4Three gathered for their baseless case are only part of the story and are presented in a way that is very misleading without additional context. We stand by the platform changes we made in 2015 to stop a person from sharing their friends’ data with developers. Like any business, we had many of internal conversations about the various ways we could build a sustainable business model for our platform. But the facts are clear: we’ve never sold people’s data.

Zuckerberg has repeatedly refused to testify in person to the DCMS committee.

At its last public hearing — which was held in the form of a grand committee comprising representatives from nine international parliaments, all with burning questions for Facebook — the company sent its policy VP, Richard Allan, leaving an empty chair where Zuckerberg’s bum should be.

Powered by WPeMatico

Google faces GDPR complaint over ‘deceptive’ location tracking

Posted by | Android, Apps, Europe, european union, GDPR, General Data Protection Regulation, Google, google search, Mobile, Norwegian Consumer Council, privacy, smartphones, TC | No Comments

A group of European consumer watchdogs has filed a privacy complaint against Google — arguing the company uses manipulative tactics in order to keep tracking web users’ locations for ad-targeting purposes.

The consumer organizations are making the complaint under the EU’s new data protection framework, GDPR, which regulators can use to levy major fines for compliance breaches — of up to 4 percent of a company’s global annual turnover.

Under GDPR, a consent-based legal basis for processing personal data (e.g. person’s location) must be specific, informed and freely given.

In their complaint, the groups, which include Norway’s Consumer Council, argue that Google does not have proper legal basis to track users through “Location History” and “Web & App Activity” — settings which are integrated into all Google accounts, and which, for users of Android -based smartphones, they assert are particularly difficult to avoid.

The Google mobile OS remains the dominant smartphone platform globally, as well as across Europe.

“Google is processing incredibly detailed and extensive personal data without proper legal grounds, and the data has been acquired through manipulation techniques,” said Gro Mette Moen, acting head of the Norwegian Consumer Council’s digital services unit in a statement.

“When we carry our phones, Google is recording where we go, down to which floor we are on and how we are moving. This can be combined with other information about us, such as what we search for, and what websites we visit. Such information can in turn be used for things such as targeted advertising meant to affect us when we are receptive or vulnerable.”

Responding to the complaint, a Google spokesperson sent TechCrunch the following statement:

Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps improve services like predicted traffic on your commute. If you pause it, we make clear that — depending on your individual phone and app settings — we might still collect and use location data to improve your Google experience. We enable you to control location data in other ways too, including in a different Google setting called Web & App Activity, and on your device. We’re constantly working to improve our controls, and we’ll be reading this report closely to see if there are things we can take on board.

Earlier this year the Norwegian watchdog produced a damning report calling out dark pattern design tricks being deployed by Google and Facebook meant to manipulate users by nudging them toward “privacy intrusive options.” It also examined Microsoft’s consent flows, but judged the company to be leaning less heavily on such unfair tactics.

Among the underhand techniques that the Google-targeted GDPR complaint, which draws on the earlier report, calls out are allegations of deceptive click-flow, with the groups noting that a “location history” setting can be enabled during Android set-up without a user being aware of it; key settings being both buried in menus (hidden) and enabled by default; users being presented at the decision point with insufficient and misleading information; repeat nudges to enable location tracking even after a user has previously turned it off; and the bundling of “invasive location tracking” with other unrelated Google services, such as photo sorting by location.

GDPR remains in the early implementation phrase — just six months since the regulation came into force across Europe. But a large chunk of the first wave of complaints have been focused on consent, according to Europe’s data protection supervisor, who also told us in October that more than 42,000 complaints had been lodged in total since the regulation came into force.

Where Google is concerned, the location complaint is by no means the only GDPR — or GDPR consent-related — complaint it’s facing.

Another complaint, filed back in May also by a consumer-focused organization, took aim at what it dubbed the use of “forced consent” by Google and Facebook — pointing out that the companies were offering users no choice but to have their personal data processed to make use of certain services, yet the GDPR requires consent to be freely given.

Powered by WPeMatico