Connect with us


Antitrust case against Facebook’s ‘super profiling’ back on track after German federal court ruling – TechCrunch



A landmark regulatory intervention that seeks to apply structural antitrust remedies to cut big (ad)tech’s rights-hostile surveillance business models down to size has been revived after Germany’s federal court overturned an earlier ruling that had suspended enforcement of a ban on Facebook combining user data.

The upshot is the tech giant could be forced to stop combining the personal data of users of its various social services with other personal data it harvests on Internet users via its various social plug-ins and tracking pixels. Which in turn would amount to a structural separation of Facebook’s social empire.

That said, there’s still some mileage left in the legal process — which will likely delay any enforcement for months more at least. But the federal court has put the train back on the tracks.

As we’ve reported previously, the intervention by Germany’s antitrust regulator is seen as highly innovative as it joins the dots of EU privacy rights and competition law. So this case is being closely watched by regulators around the world.

Quick recap: Last year Germany’s Federal Cartel Office ordered Facebook to stop combining data on users across its different services after determining that its zero opt-out T&Cs combined with Facebook’s dominant market position in the social network space to make its pervasive people-profiling an “exploitative abuse”.

The order originated with an investigation by the Bundeskartellamt (FCO) into Facebook’s data-gathering practices, which kicked off in March 2016. Almost exactly three years later the regulator concluded it had identified abuse — and issued the order banning Facebook from combining data on users across its own suite of social platforms without first obtaining their consent.

Instead of agreeing to offer users a choice over how they’re tracked, Facebook appealed — and, last August, the Higher Regional Court in Dusseldorf granted it a suspension, delaying application of the order — and seemingly derailing the chance for an innovative regulatory intervention against a rights hostile ‘track and target’ adtech business model. 

All was not lost though, as the FCO appealed the suspension — leading to today’s fresh legal twist.

In today’s decision, the Germany Federal Court of Justice provisionally confirms the FCO’s allegation of an abuse of a dominate position by Facebook — opening the door to the regulator being able to enforce the ban.

So it’s game (back) on for the antitrust case against platform giants whose dominance stems from mass surveillance of Internet users.

In a statement, FCO president Andreas Mundt welcomed the decision.

“I am pleased about the decision by the Federal Court of Justice,” he said. “Data are an essential factor for economic strength and a decisive criterion in assessing online market power. The court’s decision provides important information on how we should deal with the issue of data and competition in the future. Whenever data are collected and used in an unlawful way, it must be possible to intervene under antitrust law to avoid an abuse of market power.”

We’ve also reached out to Facebook for comment.

The Dusseldorf Higher Regional Court has still not issued a ruling on Facebook’s original appeal against the FCO order — though it granted the company’s request for a suspension, saying it had doubts about its legality.

But the Federal Court of Justice has overturned that earlier decision. And not just overturned it — it’s blasted it with a legal equivalent of a blowtorch.

In a press release today (in German, which we’ve translated using Google Translate) the court writes [emphasis ours]: “There are no serious doubts about Facebook’s dominant position in the German market for social networks or that Facebook is abusing this dominant position with the terms of use prohibited by the Cartel Office.”

The court takes issue with Facebook’s terms and condition — finding them “abusive” because it says users are not offered a choice over the extent of the company’s tracking and targeting of them; with the court pointing out there’s no option for users to have Facebook’s content “personalization” based only on the data they reveal on Instead Facebook forces users to accept what it calls “a more intensive personalization of the user experience”, which the court further notes is “associated with a potentially unlimited access to characteristics of their ‘off-Facebook’ Internet use by Facebook”.

Which doesn’t sound, y’know, proportionate.

In additional remarks, the court writes that Facebook’s super profiling of Internet users has negative impacts on people’s personal autonomy — infringing their rights, not only under EU data protection law, but it asserts this also represents an antitrust abuse as a consequence of how Facebook is exploiting its dominant position in the market for social networks.

Or, as it put it in the press release: “The lack of choice for Facebook users not only affects their personal autonomy and the protection of their right to informational self-determination, which is also protected by the GDPR [General Data Protection Regulation]. Against the background of the high hurdles to change that exist for the users of the network (“lock-in effects”), it also represents an exploitation of the users that is relevant under antitrust law, because competition is no longer effective due to Facebook’s dominant position.”

The court also points to findings by the FCO that significant numbers of Facebook users want to be able to hand over less personal information to use its service — noting that if thriving competition existed in the social network market there may well be a more privacy-friendly offer from Facebook. Instead, you get none.

In another interesting observation, the court said Facebook’s access to “a significantly larger database” — i.e. via its super profiling of users — reinforces what are already “pronounced” network effects keeping a lid on competition in the social media market. So a double negative.

Additionally, it suggests Facebook’s super profiling helps the company amass larger ad revenues — which it notes “also depend on the scope and quality of the data available”. “Finally, due to the negative effects on competition for advertising contracts, an impairment of the market for online advertising cannot be ruled out,” it adds in another shot across Zuckerberg’s bow.

Commenting on the decision, Rupprecht Podszun, a chair for civil law, German and European competition law at Heinrich Heine University, called it “a spectacular success” for the FCO and an “important step forward” in regulating Internet giants whose empires are based on this type of rights-hostile profiling. 

“The decision is a spectacular success for the competition watchdog, and an important signal for competition on the internet. The proceedings against Facebook are regarded worldwide as a pioneering case: The FCO is attempting to tame the tech giants and to stop the build-up of economic power through integration of data to ‘super profiles’. This is something new in terms of antitrust law. Exploitation of users through data aggregation, as the FCO has accused Facebook of doing, has so far been uncharted territory,” he told TechCrunch. 

“The Federal Supreme Court said it has ‘no serious doubts’ that Facebook is market-dominant and abuses its market power. The court is even stricter than the competition authority: It does not require a protection of privacy laws (as in the General Data Protection Regulation), but it says that freedom of choice and autonomy of users is key in such cases. This is an important step forward –– making the users’ self-determination a benchmark for competition on the internet.”

“The FCO can now demand from Facebook to submit a plan within four months how to stop the merging of data into so-called ‘super profiles’,” Podszun added. “Facebook merges data from the group’s own services such as Facebook, WhatsApp and Instagram with other data collected on the net via so-called Facebook Business Tools. This was the Bundeskartellamt’s central point of attack.”

The professor remains critical of the pace of regulatory progress — dubbing it “almost a bad joke” for this latest twist of the legal saga to be couched an ‘interim proceeding’.

He also cautions against expecting any swift break-up of Facebook’s data mining and mingling to follow, noting there are other legal avenues for the lawyered-up company to pursue — meaning it could be months or even years more before there’s any enforcement of the FCO order.

“This is particularly problematic because economic power in digital markets consolidates extremely quickly,” Podszun added, calling for reform of competition law so it can effectively respond to digital gatekeepers.

“The proceedings therefore show that there must be changes in the way dominance of gatekeeper companies on the Internet is dealt with. The competition authorities must be able to act more effectively and more quickly in such cases. This is where the German and European legislators are called upon to act. Plans are being developed on the national and the European level. The reasoning in the Facebook case will be a boost to competition commissioner Margrethe Vestager in her fight against these companies, too.”

The sedate pace of regional competition law vs the blistering speed of digital business has long led to calls for competition law reform — a topic that’s now front of mind for EU lawmakers.

After Facebook’s first successful appeal of the FCO order, Podszun suggested a number of changes were needed to update EU competition law for the platform era. One of which — to evolve traditional market definitions to allow for interventions in digital markets to prevent tipping — is being actively consulted on by the Commission which is now considering whether regulators need a new tool to combat tipping in digital markets. 

It is also looking at applying ex ante regulation to so called ‘gatekeepers’ — aka platforms which have gained significant market power — as another step to try to ensure ‘fair functioning’ of digital markets.

Speaking during an Atlantic Council discussion today, Commission EVP Margrethe Vestager — who both leads digital policy for the bloc and heads up its antitrust division — signalled, in her usual roundabout way, that digitally driven competition reform is indeed coming.

“We have an intense debate about competition enforcement in the digital era [and] we need to change for the times we’re in because the market dynamics are different, they are faster, you have marginal prices approaching zero, you have network effects, you have the data-driven economy. So of course we need to change with the times that we’re in,” she said. “But we will not negotiate and we will not compromise on this being build on the rule of law and the responsibility for the courts in order to make sure that we have equal treatment between businesses.”

Asked whether she’d like the power to rescind merger approvals — with the moderator citing the case of Facebook reversing a prior commitment to EU regulators who approved its acquisition of WhatsApp (that it would never combine user data between its eponymous service and the messaging app, before going on to do just that) — she responded that that is “a very specific situation”, before noting that EU regulators performed a competition analysis at the time — looking at whether, if Facebook did merge data between the services, would it be a “competition problem” or not?

“Back then they found that no that would not be the case. So in that respect… on substance this would not be a case for unscrambling ‘the eggs’. And it is indeed very difficult to unscramble the eggs,” she said.

Vestager also conceded that the third component of EU antitrust decisions — “how to make competition come back?” — remains a “work in progress”.

“Of course we haven’t seen the effect of the Android preference menu because very few Android phones have been shipped due to the COVID crisis,” she said on that, referring to a major antitrust decision against Google. “But it remains to be seen if, when Google is preinstalled after the untying and other services can be chosen, will that work? Will that sort of open the market for others — search and browsers — than the Google choices?”

Continue Reading


US government says North Korean hackers are targeting American healthcare organizations with ransomware – TechCrunch



The FBI, CISA, and the U.S. Treasury Department are warning that North Korean state-sponsored hackers are using ransomware to target healthcare and public health sector organizations across the United States.

In a joint advisory published Wednesday, the U.S. government agencies said they had observed North Korean-backed hackers deploying Maui ransomware since at least May 2021 to encrypt servers responsible for healthcare services, including electronic health records, medical imaging, and entire intranets.

“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations,” the advisory reads. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [healthcare] organizations.”

The advisory notes that in many of the incidents observed and responded to by the FBI, the Maui ransomware caused disruption to healthcare services “for prolonged periods.”

Maui was first identified by Stairwell, a threat-hunting startup that aims to help organizations determine if they have been compromised, in early-April 2022. In an analysis of the ransomware, Stairwell principal reverse engineer Silas Cutler notes that Maui lacks many of the features commonly seen with tooling from ransomware-as-a-service (RaaS) providers, such as an embedded ransom note or automated means of transmitting encryption keys to attackers. Rather, Stairwell concludes that Maui is likely manually deployed across victims’ networks, with remote operators targeting specific files they want to encrypt.

North Korea has long used cryptocurrency-stealing operations to fund its nuclear weapons program. In an email, John Hultquist, vice president of Mandiant Intelligence, said that as a result “ransomware is a no-brainer” for the North Korean regime.

“Ransomware attacks against healthcare are an interesting development, in light of the focus these actors have made on this sector since the emergence of COVID-19. It is not unusual for an actor to monetize access which may have been initially garnered as part of a cyber espionage campaign,” said Hultquist. “We have noted recently that North Korean actors have shifted focus away from healthcare targets to other traditional diplomatic and military organizations. Unfortunately, healthcare organizations are also extraordinarily vulnerable to extortion of this type because of the serious consequences of a disruption,” he added.

The advisory, which also includes indicators of compromise (IOCs) and information on tactics, techniques and procedures (TTPs) employed in these attacks to help network defenders, urges organizations in the healthcare industries to strengthen their defenses by limiting access to data, turning off network device management interfaces, and by using monitoring tools to observe whether Internet of Things devices have become compromised.

“The FBI, along with our federal partners, remains vigilant in the fight against North Korea’s malicious cyber threats to our healthcare sector,” said FBI Cyber Division assistant director Bryan Vorndran. “We are committed to sharing information and mitigation tactics with our private sector partners to assist them in shoring up their defenses and protecting their systems.”

The U.S. government’s latest warning follows a spate of high-profile cyberattacks targeting healthcare organizations; University Medical Center Southern Nevada was hit by a ransomware attack in August 2021 that compromised files containing protected health information and personally identifiable information, and Eskenazi Health said in October that cybercriminals had access to their network for almost three months. Last month, Kaiser Permanente confirmed a breach of an employee’s email account led to the theft of 70,000 patient records.

Continue Reading


Hotel giant Marriott confirms yet another data breach – TechCrunch



Hotel group Marriott International has confirmed another data breach, with hackers claiming to have stolen 20 gigabytes of sensitive data including guests’ credit card information.

The incident, first reported by Tuesday, is said to have happened in June when an unnamed hacking group claimed they used social engineering to trick an employee at a Marriott hotel Maryland into giving them access to their computer.

“Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” Marriott spokesperson Melissa Froehlich Flood told TechCrunch in a statement. “The threat actor did not gain access to Marriott’s core network.”

Marriott said the hotel chain identified, and was investigating, the incident before the threat actor contacted the company in an extortion attempt, which Marriott said it did not pay.

The group claiming responsibility for the attack say the stolen data includes guests’ credit card information and confidential information about both guests and employees. Samples of the data provided to purport to show reservation logs for airline crew members from January 2022 and names and other details of guests, as well as credit card information used to make bookings.

However, Marriott told TechCrunch that its investigation determined that the data accessed “primarily contained non-sensitive internal business files regarding the operation of the property.”

The company said that it is preparing to notify 300-400 individuals regarding the incident, and has already notified relevant law enforcement agencies.

This isn’t the first time Marriott has suffered a significant data breach. Hackers breached the hotel chain in 2014 to access almost 340 million guest records worldwide – an incident that went undetected until September 2018 and led to a £14.4 million ($24M) fine from the U.K’s Information Commissioner’s Office. In January 2020, Marriott was hacked again in a separate incident that affected around 5.2 million guests.

TechCrunch asked Marriott what cybersecurity protections it has in place to prevent such incidents from happening, but the company declined to answer.

Continue Reading


Rivian says it’s on track to deliver 25,000 vehicles this year – TechCrunch



Rivian said Wednesday the company produced 4,401 vehicles at its manufacturing facility in Normal, Illinois, and delivered 4,467 vehicles for the quarter ended June 30.

“These figures remain in line with the company’s expectations, and it believes it is on track to deliver on the 25,000 annual production guidance previously provided,” Rivian said in a statement.

In the first quarter of 2022, Rivian produced 2,553 vehicles and delivered 1,227 vehicles.

The production figures include a mix of the Rivian R1T pickup truck, R1S SUV and the commercial vans it is making for Amazon.


Continue Reading