
Biz & IT

GDPR adtech complaints keep stacking up in Europe

It’s a year since Europe’s General Data Protection Regulation (GDPR) came into force and leaky adtech is now facing privacy complaints in four more European Union markets. This ups the tally to seven markets where data protection authorities have been urged to investigate a core function of behavioral advertising.

The latest clutch of GDPR complaints aimed at the real-time bidding (RTB) system have been filed in Belgium, Luxembourg, the Netherlands and Spain.

All the complaints argue that RTB entails “wide-scale and systemic” breaches of Europe’s data protection regime, as personal data harvested to profile Internet users for ad-targeting purposes is broadcast widely to bidders in the adtech chain. The complaints have implications for key adtech players, Google and the Internet Advertising Bureau, which set the RTB standards used by others in the online advertising pipeline.

We’ve reached out to Google and IAB Europe for comment on the latest complaints. (The latter’s original response statement to the complaint can be found here, behind its cookie wall.)

The first RTB complaints were filed in the UK and Ireland, last fall, by Dr Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London.

A third complaint went in to Poland’s DPA in January, filed by anti-surveillance NGO, the Panoptykon Foundation.

The latest four complaints have been lodged in Spain by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch); David Korteweg (Bits of Freedom) in the Netherlands; Jef Ausloos (University of Amsterdam) and Pierre Dewitte (University of Leuven) in Belgium; and Jose Belo (Exigo Luxembourg).

Earlier this year a lawyer working with the complainants said they’re expecting “a cascade of complaints” across Europe — and “fully expect an EU-wide regulatory response” given that the adtech in question is applied region-wide.

Commenting in a statement, Galdon Clavell, the CEO of Eticas, said: “We hope that this complaint sends a strong message to Google and those using Ad Tech solutions in their websites and products. Data protection is a legal requirement must be translated into practices and technical specifications.”

A ‘bug’ disclosed last week by Twitter illustrates the potential privacy risks around adtech, with the social networking platform revealing it had inadvertently shared some iOS users’ location data with an ad partner during the RTB process. (Less clear is who else Twitter’s “trusted advertising partner” might have passed people’s information on to.)

The core argument underpinning the complaints is that RTB’s data processing is not secure — given the design of the system entails the broadcasting of (what can be sensitive and intimate) personal data of Internet users to all sorts of third parties in order to generate bids for ad space.

Whereas GDPR bakes in a requirement for personal data to be processed “in a manner that ensures appropriate security of the personal data”. So, uh, spot the disconnect.

The latest RTB complaints assert that personal data is broadcast via bid requests “hundreds of billions of times” per day — which they describe as “the most massive leakage of personal data recorded so far”.

While the complaints focus on security risks attached by default to leaky adtech, such a long chain of third parties being passed people’s data also raises plenty of questions over the validity of any claimed ‘consents’ for passing Internet users’ data down the adtech chain. (Related: A decision by the French CNIL last fall against a small local adtech player which it decided was unlawfully processing personal data obtained via RTB.)

This week will mark a year since GDPR came into force across the EU. And it’s fair to say that privacy complaints have been piling up, while enforcement actions — such as a $57M fine for Google from the French CNIL related to Android consent — remain far rarer.

One complexity with the RTB complaints is that the technology systems in question are both applied across EU borders and involve multiple entities (Google and the IAB). This means multiple privacy watchdogs need to work together to determine which of them is legally competent to address linked complaints that touch EU citizens in multiple countries.

Who leads can depend on where an entity has its main establishment in the EU and/or who is the data controller. If this is not clearly established it’s possible that various national actions could flow from the complaints, given the cross-border nature of the adtech — as in the CNIL decision against Android, for example. (Though Google made a policy change as of January 22, shifting its legal base for EU law enforcement to Google Ireland which looks intended to funnel all GDPR risk via the Irish DPC.)

The IAB Europe, meanwhile, has an office in Belgium but it’s not clear whether that’s the data controller in this case. Ausloos tells us that the Belgian DPA has already declared itself competent regarding the complaint filed against the IAB by the Panoptykon Foundation, while noting another possibility — that the IAB claims the data controller is IAB Tech Lab, based in New York — “in which case any and all DPAs across the EU would be competent”.

Veale also says different DPAs could argue that different parts of the IAB are in their jurisdiction. “We don’t know how the IAB structure really works, it’s very opaque,” he tells us.

The Irish DPC, which Google has sought to designate the lead watchdog for its European business, has said it will prioritize scrutiny of the adtech sector in 2019, referencing the RTB complaints in its annual report earlier this year — where it warned the industry: “the protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR”.

There’s no update on how the UK’s ICO is tackling the RTB complaint filed in the UK as yet — but Veale notes they have a call today. (And we’ve reached out to the ICO for comment.)

So far the same RTB complaints have not been filed in France and Germany — jurisdictions with privacy watchdogs that can have a reputation for some of the most muscular action enforcing data protection in Europe.

That said, the Belgian DPA’s recently elected new president is making muscular noises about GDPR enforcement, according to Ausloos — who cites a speech he made, post-election, saying the ‘time of sit back and relax’ is over. They made sure to reference these comments in the RTB complaint, he adds.

Veale suggests the biggest blocker to resolving the RTB complaints is that all the various EU watchdogs “need a vision of what the world looks like after they take a given action”.

In the meanwhile, the adtech complaints keep stacking up.

Lord of the Rings-themed cryptocurrency gets thrown into Mount Doom


A screenshot from jrrtoken.com. All similarities to LOTR were purely coincidental, apparently.

The estate of J.R.R. Tolkien, the author of The Lord of the Rings, has successfully vanquished a cryptocurrency that styled itself as “The One Token That Rules Them All.”

The JRR Token cryptocurrency launched in August, with a website that featured rings, hobbit holes, and a wizard with an uncanny resemblance to Gandalf.

But the Tolkien estate, which handles the rights to J.R.R. Tolkien’s The Hobbit and The Lord of the Rings fantasy novels, quickly stepped in to lodge a complaint with the World Intellectual Property Organization (WIPO), the global forum for intellectual property policy.

It noted that the cryptocurrency’s website domain name infringed its trademarks. Tolkien’s novels have been made into a trilogy of Hollywood films, directed by Peter Jackson and starring Ian McKellen.

In response, lawyers for Matthew Jensen, JRR Token’s Florida-based developer, said that “token” was a generic term, should not be confused with the surname Tolkien, and it did not infringe any intellectual property.

But the WIPO administrative panel decision concluded that there was no doubt that the developer was “aware of Tolkien’s works and created a website to trade off the fame of these works.”

The Tolkien estate said it had now recovered the JRRToken.com domain name and had obtained the developer’s undertaking to stop all operations under the JRR Token name and delete any infringing content from all relevant websites and social media accounts.

Steven Maier, solicitor at law firm Maier Blackburn, which acted for the J.R.R. Tolkien estate, said this was a “particularly flagrant case of infringement” and added that the estate was “vigilant” about preventing unauthorized parties from taking advantage of the J.R.R. Tolkien name.

In the past the Tolkien estate has sued tourism and merchandise companies for making use of the author’s name and literary works, but this is the first time it has taken action against a cryptocurrency.

Johnson Dalal, the US law firm representing Jensen, has been contacted for comment but had not responded by time of publication.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.


A grim milestone: I maxed out the number of spammy addresses Gmail can block


Getty Images

A few months ago, my G Suite-enabled Gmail account reached a grim milestone: with no warning, the “block [email address]” feature—available from the menu with the three vertical dots in the upper left of the Gmail screen—stopped working because I had maxed out the total number of addresses Google allows to be blocked.

For years, I’ve used the feature liberally to block emails from PR ​​people who send off-topic pitches or scammers who try to phish my passwords or infect my devices. With a single click, any future emails sent by those nuisance addresses automatically landed in my spam folder.

Blocked but not blocked

At some point, the block address feature stopped working. When I use the feature now to block an address, I see a message telling me that all future emails from the address will go to my spam folder. Which is exactly what I want. But that’s not what happens. Emails from those addresses continue to go right into my inbox.

Google provides no easy way to know about this. Here’s what I see immediately after I try to block an address:

And yet, I continue to receive emails from the same address. And when I open the email, sure enough, it’s clear the address is NOT blocked.

I asked Google PR about this and got a response that Gmail accounts are limited to just 1,000 blocked addresses. A spokesperson said Google is considering raising the limit, but if it does, it will “take some time” for it to happen.

This is a MAJOR step back. I get so much junk mail (mostly from PR people who either don’t know or don’t care what my beat is) that the block feature has been crucial to my productivity. Gmail was the first to pioneer an email service with data storage caps measured in the gigabytes. Early on, it provided powerful tools for sorting and searching messages. It integrated the calendar. And yet, despite all this ingenuity, Gmail limits blocked addresses to a paltry 1,000? What the hell?

Since then, I’ve used Gmail filter rules to free my inbox of junk, but that’s hardly satisfactory. Creating filter rules on an address-by-address basis requires considerably more clicks than using the block feature. And even then, Gmail filters have no way to send messages to spam. I’m also guessing Gmail may limit the number of filter rules as well.

An imperfect workaround

Google Project Zero researcher Tavis Ormandy, acting solely on his own behalf and not for his employer, has offered one workaround. It’s not very user-friendly, and I’m still not sure if it fully works for me, but it seems promising. The idea is to copy all 1,000 email addresses I have blocked and paste them into a filter rule that deletes all messages from those senders.

What this means is that he created a script and ran it inside his browser console as he was viewing his blocklist in the Gmail settings menu. To find the blocklist, click the three vertical dots in the main Gmail window, choose “manage inbox settings,” and select the “filters and blocked addresses” tab. Then, hit the F12 key on a computer keyboard, choose the console tab, and paste the script.

Ormandy’s script looks like this:

// Collect every row of the blocked-addresses table in the Gmail settings page,
// pull the address out of each row's text (the "<address>" sits just before the
// tab that separates it from the "unblock" link in the next cell), drop rows
// with no match, and join the rest with OR to paste into a filter's "From" field.
Array.from(document.querySelectorAll("tr.r7[role=listitem]"))
  .map(a => a.innerText.match(/<(.*)>\tunblock/)?.[1])
  .filter(a => a)
  .join(' OR ')

The console then returns a list of all the email addresses in the blocklist, with each one separated by a boolean OR. Then copy the list, go back to the Gmail “filters and blocked addresses” tab, and click “create new filter.” Paste the addresses into the “From” field, click “continue,” tick the “Delete it” box, and click the “create filter” at the bottom.

In theory, this single rule should block all emails sent from these addresses, and that should allow me to delete the 1,000 blocked addresses so I can once again add fresh addresses to the blocklist. In practice, Gmail tends to choke when fed all 1,000 addresses at once.

When I broke up the list into smaller chunks, I got inconsistent results. Some emails were deleted and others weren’t. I wasn’t able to find a pattern for those that worked or didn’t work. Besides choking on large lists of addresses, another problem is that in my tests, new filters can take as long as an hour to begin working, but I don’t think that’s the only reason for the difficulty.
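The extraction step and the chunking workaround, as an added example written for this page (it is not Ormandy's script and not Google's code). It runs over constructed row texts instead of the live Gmail DOM, so it can be tried offline, and it goes one step beyond the article by splitting the address list into several smaller "From" queries, since the article reports that a single filter fed all 1,000 addresses tends to choke. The row layout (`<address>`, a tab, then "unblock") and the case-insensitive sender match in `isBlockedBy` are assumptions; in a real browser console the row texts would come from `Array.from(document.querySelectorAll("tr.r7[role=listitem]")).map(a => a.innerText)`, the selector Ormandy's script uses.

```javascript
// Added example, not the page's or Google's own code.

// Constructed sample of what a row of the "Filters and Blocked Addresses"
// table yields as innerText. Assumed layout: "<name> <address>\tunblock".
const SAMPLE_ROWS = [
  "Alice Example <alice@example.com>\tunblock",
  "PR Desk <pitches@example.org>\tunblock",
  "row with no address\tunblock",     // must be skipped, not turned into ""
  "Bob Sample <bob@example.net>\tunblock",
  "Carol <carol@example.com>\tunblock",
  "Alice Example <ALICE@example.com>\tunblock", // duplicate differing only in case
];

// Pull the address out of one row's text; null when no "<...>" precedes the tab.
function extractAddress(rowText) {
  const m = rowText.match(/<([^<>]+)>\tunblock/);
  return m ? m[1] : null;
}

// Extract every address, drop misses, and deduplicate case-insensitively so
// a filter with a hard size limit is not padded with repeats.
function extractAddresses(rowTexts) {
  const seen = new Set();
  for (const text of rowTexts) {
    const addr = extractAddress(text);
    if (addr) seen.add(addr.toLowerCase());
  }
  return [...seen];
}

// Build one or more "From" queries, each holding at most chunkSize addresses
// joined with OR, so no single filter carries the whole blocklist at once.
function buildFromQueries(addresses, chunkSize) {
  if (!Number.isInteger(chunkSize) || chunkSize < 1) {
    throw new RangeError("chunkSize must be a positive integer");
  }
  const queries = [];
  for (let i = 0; i < addresses.length; i += chunkSize) {
    queries.push(addresses.slice(i, i + chunkSize).join(" OR "));
  }
  return queries;
}

// Would a sender be caught by any of the resulting filters? Assumes the
// filter does a case-insensitive exact match on the sender address.
function isBlockedBy(queries, sender) {
  const wanted = sender.toLowerCase();
  return queries.some(q => q.split(" OR ").includes(wanted));
}

// Stand-alone demonstration: four unique addresses become two queries of two.
const addresses = extractAddresses(SAMPLE_ROWS);
const queries = buildFromQueries(addresses, 2);
console.log(queries);
```

With a real blocklist, a chunk size in the low hundreds gives a handful of filters to create by hand; keeping the output of `buildFromQueries` somewhere safe lets you re-create a filter if one of the chunks turns out not to fire.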

The bigger point is that Gmail users shouldn’t have to jump through hoops like these to keep their inboxes free of spam and malicious emails. There’s no limit to the badness the Internet can dish out, so there shouldn’t be a limit on remedies for this badness, either. Gmail, please throw me a life raft soon. Without the block capability, I’m drowning.


Locked out of “God mode,” runners are hacking their treadmills


NordicTrack owners aren’t giving up the fight just yet.

Sam Whitney | Getty Images

JD Howard just wanted to watch cloud security tutorials. Howard, a construction industry worker on sabbatical, spent $4,000 on a NordicTrack X32i treadmill, lured in by its 32-inch HD screen and the opportunity to exercise body and mind. His plan was to spend his time away from work exercising while watching technical videos from learning platforms such as Pluralsight and Udemy. But his treadmill had other ideas.

Despite having a huge display strapped to it, NordicTrack’s hardware pushes people to subscribe to exercise software operated by iFit, its parent company, and doesn’t let you watch videos from other apps or external sources. iFit’s content includes exercise classes and running routes, which automatically change the incline of the treadmill depending on the terrain on the screen. But Howard, and many other NordicTrack owners, weren’t drawn to the hardware by iFit’s videos. They were drawn in by how easy the fitness machines were to hack.

To get into his X32i, all Howard needed to do was tap the touchscreen 10 times, wait seven seconds, then tap 10 more times. Doing so unlocked the machine—letting Howard into the underlying Android operating system. This privilege mode, a sort of God mode, gave Howard complete control over the treadmill: he could sideload apps and, using a built-in browser, access anything and everything online. “It wasn’t complicated,” Howard says. After accessing privilege mode he installed a third-party browser that allowed him to save passwords and fire up his beloved cloud security videos.

While NordicTrack doesn’t advertise privilege mode as a customer feature, its existence isn’t exactly a secret. Multiple unofficial guides tell people how to get into their machines, and even iFit’s support pages explain how to access it. The whole reason Howard bought the X32i, he says, was because he could access God mode. But the good times didn’t last long.

Since October, NordicTrack has been automatically updating all of its exercise equipment—its bikes, ellipticals, and rowing machines all have big screens attached—to block access to privilege mode. The move has infuriated customers who are now fighting back and finding workarounds that allow them to bypass the update and watch whatever they want while they work out.

“I got exactly what I paid for,” Howard says, adding that he already owned a “crappy” treadmill without a screen before he purchased the Internet-connected model and is also a subscriber to the iFit software. “Now they’re trying to take away [features] that are of critical importance to me. I’m not OK with that.”

Another NordicTrack owner, who asked not to be named, says the treadmill is one of the most expensive purchases he’s ever made, and he was “outraged” when the update stopped him and his partner from watching Netflix, YouTube, and English Premier League football highlights while they worked out. “You’ve actually pushed an update to stop me from doing this, which is really bizarre,” he says. “It’s so frustrating because this beautiful screen is here.”

They aren’t alone in their complaints. In recent weeks multiple threads and posts lamenting NordicTrack and iFit’s decision to lock down privilege mode have appeared online. Customers complain that they’ve spent thousands of dollars on their machines and should be able to do what they like with them, many arguing that being able to watch their favorite shows means they’re more likely to spend time working out. Some say they valued the ability to cast iFit’s exercise videos onto a bigger screen; others say they want to use their treadmills for Zoom calls. Many complain that, in contrast to previous software updates, the one to block privilege mode was forced upon them.

“The block on privilege mode was automatically installed because we believe it enhances security and safety while using fitness equipment that has multiple moving parts,” says a spokesperson for NordicTrack and iFit. The company has never marketed its products as being able to access other apps, the spokesperson adds. “As there is no way of knowing what kind of changes or errors a consumer could introduce into the software, there is no way of knowing what specific issues accessing privilege mode might cause,” the spokesperson says. “Therefore, to maintain security, safety, and machine functionality, we have restricted access to privilege mode.” The spokesperson also emphasizes that privilege mode was “never designed as a consumer-facing functionality.” Rather, it was designed to allow the company’s customer service team to remotely access the products to “troubleshoot, update, reset, or repair our software.”
