Privacy

A new bill introduced last week in the New York State Senate would give New Yorkers stronger online privacy protection than residents of any other state, notably California which was ahead of the game until now.

The New York bill authored by Long Island senator Kevin Thomas goes further than California and requires platforms such as Google, Facebook and others to to attain consent from consumers before they share and/or sell their information.

Unlike the California law, however, the proposed New York bill gives users the right to sue companies directly over privacy violations, possibly setting up a barrage of individual lawsuits, according to a report on the proposed legislation by Wired magazine .

The New York bill also applies to any online company, while the California law exempts any company with less that $25 million annual gross revenue from its requirements.

And as a final flourish, the bill required that any company that hoovers up user data must use that data in ways that benefit the user, before they use it to turn a profit for themselves.

Facebook will create a privacy oversight committee as part of its recent agreement with the US Federal Trade Commission (FTC), according to reports.

According to Politico, Facebook will appoint a government-approved committee to 'guide' the company on privacy matters. This committee will also consist of company board members.

The plans would also see Facebook chairman and CEO Mark Zuckerberg act as a designated compliance officer, meaning that he would be personally responsible and accountable for Facebook's privacy policies.

Last week, it was reported that Facebook could be slapped with a fine of up to $5 billion over its handling of user data and privacy. The FTC launched the investigation last March, following claims that Facebook allowed organisations, such as political consultancy Cambridge Analytica, to collect data from millions of users without their consent.

Google is set to roll out a dashboard-like function in its Chrome browser to offer users more control in fending off tracking cookies, the Wall Street Journal has reported.

While Google's new tools are not expected to significantly curtail its ability to collect data itself, it would help the company press its sizable advantage over online-advertising rivals, the newspaper said .

Google has been working on the cookies plan for at least six years, in stops and starts, but accelerated the work after news broke last year that personal data of Facebook users was improperly shared with Cambridge Analytica.

The company is mostly targeting cookies installed by profit-seeking third parties, separate from the owner of the website a user is actively visiting, the Journal said.

Apple Inc in 2017 stopped majority of tracking cookies on its Safari browser by default and Mozilla Corp's Firefox did the same a year later.

Based on the results of an investigation by Privacy International, one of Europe's key data protection authorities has opened an inquiry into Quantcast, a major player in the online tracking industry.

The Irish Data Protection Commission has now opened statutory inquiry into Quantcast International Limited. The organisation writes:

Since the application of the GDPR significant concerns have been raised by individuals and privacy advocates concerning the conduct of technology companies operating in the online advertising sector and their compliance with the GDPR. Arising from a submission to the Data Protection Commission by Privacy International, a statutory inquiry pursuant to section 110 of the Data Protection Action 2018 has been commenced in respect of Quantcast International Limited. The purpose of the inquiry is to establish whether the company's processing and aggregating of personal data for the purposes of profiling and utilising the profiles generated for targeted advertising is in compliance with the relevant provisions of the GDPR. The GDPR principle of transparency and retention practices will also be examined.

It's not only China and the UK that want to identify internet users, Austria also wants to demand that forum contributors submit their ID before being able to post.

Austria's government has introduced a bill that would require larger social media websites and forums to obtain the identity of its users prior to them being able to post comments. Users will have to provide their name and address to websites but nicknames are still allowed and the identity data will not be made public.

Punishments for non complying websites will be up to 500,000 euros and double that for repeat offences.

It would only affect sites with more than 100,000 registered users, bring in revenues above 500,000 euros per year or receive press subsidies larger than 50,000 euros.

There would also be exemptions for retail sites as well as those that don't earn money from either ads or the content itself.

If passed and cleared by the EU, the law would take effect in 2020. The immediate issues noted are that some of the websites most offending the sensitivities of the government are often smaller than the trigger condition. The law may also step on the toes of the EU in rules governing which EU states has regulatory control over websites.

Update: Identity data will be available to other users

17th May 2019. See article from edri.org

The law on care and responsibility on the net forces media platforms with forums to store detailed data about their users in order to deliver them in case of a possible offence not only to police authorities, but also to other users who want to legally prosecute another forum user. Looking at the law in detail, it is obvious that they contain so many problematic passages that their intended purpose is completely undermined.

According to the Minister of Media, Gernot Blümel, harmless software will deal with the personal data processing. One of the risks of such a system would be the potential for abuse from public authorities or individuals requesting a platform provider the person's name and address with the excuse to wanting to investigate or sue them, and then use the information for entirely other purposes.

Last week, an investigation by Bloomberg revealed that thousands of Amazon employees around the world are listening in on Amazon Echo users.

As we have been explaining across media, we believe that by using default settings and vague privacy policies which allow Amazon employees to listen in on the recordings of users' interactions with their devices, Amazon risks deliberately deceiving its customers.

Amazon has so far been dismissive, arguing that people had the options to opt out from the sharing of their recordings -- although it is unclear how their customers could have done so if they were not aware this was going on in the first place.

Even those who had read the privacy policy would have had a hard time interpreting "We use your requests to Alexa to train our speech recognition and natural language understanding systems" to mean that thousands of employees are each listening up to a thousand recordings per day. And sharing file recordings with one another they find to be "amusing".

As a result, today we wrote to Jeff Bezos to let him know we think Amazon needs to step up and do a lot better to protect the privacy of their customers.

If you use an Amazon Echo device and are concerned about this, read our instructions on how to opt out here .

Dear Mr. Bezos,

We are writing to call for your urgent action regarding last week's report [1] in Bloomberg, which revealed that Amazon has been employing thousands of workers to listen in on the recordings of Amazon Echo users.

Privacy International (PI) is a registered charity based in London that works at the intersection of modern technologies and rights. Privacy International challenges overreaching state and corporate surveillance, so that people everywhere can have greater security and freedom through greater personal privacy.

The Bloomberg investigation asserts that Amazon employs thousands of staff around the world to listen to voice recordings captured by the Amazon Alexa. Among other examples, the report states that your employees use internal chat rooms to share files when they "come across an amusing recording", and that they share "distressing" recordings -- including one of a sexual assault.

Currently, your privacy policy states: "We use your requests to Alexa to train our speech recognition and natural language understanding systems." We are concerned that your customers could not reasonably assume from such a statement that recordings of their interactions with the Amazon Echo could, by default, be listened to by your employees.

An ambiguous privacy policy and default settings that allow your employees to access recordings of all interactions is not our idea of consent. Instead, we believe the default settings should be there to protect your users' privacy.

Millions of customers enjoy your product and they deserve better from you. As such, we ask whether you will:

• Notify all users whose recordings have been accessed, and describe to them which recordings;

• Notify all users whenever their recordings are accessed in the future, and describe to them which recordings;

• Modify the settings of the Amazon Echo so that "Help Develop New Features" and "Use Messages to Improve Transcriptions" are turned off by default;

• Clarify your privacy policy so that it is clear to users that employees are listening to the recordings when the "Help Develop New Features" and "Use Messages to Improve Transcriptions" settings are on.

In your response to the Bloomberg investigation, you state you take the privacy of your customer seriously. It is now time for you to step up and walk the walk. We look forward to engaging with you further on this.

Sincerely yours,
Eva Blum-Dumontet

Facebook changes its terms and clarify its use of data for consumers following discussions with the European Commission and consumer authorities

The European Commission and consumer protection authorities have welcomed Facebook's updated terms and services. They now clearly explain how the company uses its users' data to develop profiling activities and target advertising to finance their company.

The new terms detail what services, Facebook sells to third parties that are based on the use of their user's data, how consumers can close their accounts and under what reasons accounts can be disabled. These developments come after exchanges, which aimed at obtaining full disclosure of Facebook's business model in a comprehensive and plain language to users.

Vera Jourova , Commissioner for Justice, Consumers and Gender Equality welcomed the agreement:

Today Facebook finally shows commitment to more transparency and straight forward language in its terms of use. A company that wants to restore consumers trust after the Facebook/ Cambridge Analytica scandal should not hide behind complicated, legalistic jargon on how it is making billions on people's data. Now, users will clearly understand that their data is used by the social network to sell targeted ads. By joining forces, the consumer authorities and the European Commission, stand up for the rights of EU consumers.

In the aftermath of the Cambridge Analytica scandal and as a follow-up to the investigation on social media platforms in 2018 , the European Commission and national consumer protection authorities requested Facebook to clearly inform consumers how the social network gets financed and what revenues are derived from the use of consumer data. They also requested the platform to bring the rest of its terms of service in line with EU Consumer Law.

As a result, Facebook will introduce new text in its Terms and Services explaining that it does not charge users for its services in return for users' agreement to share their data and to be exposed to commercial advertisements. Facebook's terms will now clearly explain that their business model relies on selling targeted advertising services to traders by using the data from the profiles of its users.

In addition, following the enforcement action, Facebook has also amended:

• its policy on limitation of liability and now acknowledges its responsibility in case of negligence, for instance in case data has been mishandled by third parties;

• its power to unilaterally change terms and conditions by limiting it to cases where the changes are reasonable also taking into account the interest of the consumer;

• the rules concerning the temporary retention of content which has been deleted by consumers. Such content can only be retained in specific cases 203 for instance to comply with an enforcement request by an authority 203 and for a maximum of 90 days in case of technical reasons;

• the language clarifying the right to appeal of users when the their content has been removed.

Facebook will complete the implementation of all commitments at the latest by the end of June 2019.