Connect with us

Biz & IT

GDPR adtech complaints keep stacking up in Europe

Published

on

It’s a year since Europe’s General Data Protection Regulation (GDPR) came into force and leaky adtech is now facing privacy complaints in four more European Union markets. This ups the tally to seven markets where data protection authorities have been urged to investigate a core function of behavioral advertising.

The latest clutch of GDPR complaints aimed at the real-time bidding (RTB) system have been filed in Belgium, Luxembourg, the Netherlands and Spain.

All the complaints argue that RTB entails “wide-scale and systemic” breaches of Europe’s data protection regime, as personal date harvested to profile Internet users for ad-targeting purposes is broadcast widely to bidders in the adtech chain. The complaints have implications for key adtech players, Google and the Internet Advertising Bureau, which set RTB standards used by other in the online adverting pipeline.

We’ve reached out to Google and IAB Europe for comment on the latest complaints. (The latter’s original response statement to the complaint can be found here, behind its cookie wall.)

The first RTB complaints were filed in the UK and Ireland, last fall, by Dr Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London.

A third complaint went in to Poland’s DPA in January, filed by anti-surveillance NGO, the Panoptykon Foundation.

The latest four complaints have been lodged in Spain by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch); David Korteweg (Bits of Freedom) in the Netherlands; Jef Ausloos (University of Amsterdam) and Pierre Dewitte (University of Leuven) in Belgium; and Jose Belo (Exigo Luxembourg).

Earlier this year a lawyer working with the complainants said they’re expecting “a cascade of complaints” across Europe — and “fully expect an EU-wide regulatory response” give that the adtech in question is applied region-wide.

Commenting in a statement, Galdon Cavell, the CEO of Eticas, said: “We hope that this complaint sends a strong message to Google and those using Ad Tech solutions in their websites and products. Data protection is a legal requirement must be translated into practices and technical specifications.”

A ‘bug’ disclosed last week by Twitter illustrates the potential privacy risks around adtech, with the social networking platform revealing it had inadvertently shared some iOS users’ location data with an ad partner during the RTB process. (Less clear is who else might Twitter’s “trusted advertising partner” have passed people’s information to?)

The core argument underpinning the complaints is that RTB’s data processing is not secure — given the design of the system entails the broadcasting of (what can be sensitive and intimate) personal data of Internet users to all sorts of third parties in order to generate bids for ad space.

Whereas GDPR bakes in a requirement for personal data to be processed “in a manner that ensures appropriate security of the personal data”. So, uh, spot the disconnect.

The latest RTB complaints assert personal data is broadcast via bid requests “hundreds of billions of times” per day — which it describes as “the most massive leakage of personal data recorded so far”.

While the complaints focus on security risks attached by default to leaky adtech, such a long chain of third parties being passed people’s data also raises plenty of questions over the validity of any claimed ‘consents’ for passing Internet users’ data down the adtech chain. (Related: A decision by the French CNIL last fall against a small local adtech player which it decided was unlawfully processing personal data obtained via RTB.)

This week will mark a year since GDPR came into force across the EU. And it’s fair to say that privacy complaints have been piling up, while enforcement actions — such as a $57M fine for Google from the French CNIL related to Android consent — remain far rarer.

One complexity with the RTB complaints is that the technology systems in question are both applied across EU borders and involve multiple entities (Google and the IAB). This means multiple privacy watchdogs need to work together to determine which of them is legally competent to address linked complaints that touch EU citizens in multiple countries.

Who leads can depend on where an entity has its main establishment in the EU and/or who is the data controller. If this is not clearly established it’s possible that various national actions could flow from the complaints, given the cross-border nature of the adtech — as in the CNIL decision against Android, for example. (Though Google made a policy change as of January 22, shifting its legal base for EU law enforcement to Google Ireland which looks intended to funnel all GDPR risk via the Irish DPC.)

The IAB Europe, meanwhile, has an office in Belgium but it’s not clear whether that’s the data controller in this case. Ausloos tells us that the Belgian DPA has already declared itself competent regarding the complaint filed against the IAB by the Panoptykon Foundation, while noting another possibility — that the IAB claims the data controller is IAB Tech Lab, based in New York — “in which case any and all DPAs across the EU would be competent”.

Veale also says different DPAs could argue that different parts of the IAB are in their jurisdiction. “We don’t know how the IAB structure really works, it’s very opaque,” he tells us.

The Irish DPC, which Google has sought to designate the lead watchdog for its European business, has said it will prioritize scrutiny of the adtech sector in 2019, referencing the RTB complaints in its annual report earlier this year — where it warned the industry: “the protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR”.

There’s no update on how the UK’s ICO is tackling the RTB complaint filed in the UK as yet — but Veale notes they have a call today. (And we’ve reached out to the ICO for comment.)

So far the same RTB complaints have not been filed in France and Germany — jurisdictions with privacy watchdogs that can have a reputation for some of the most muscular action enforcing data protection in Europe.

Although the Belgian DPA’s recently elected new president is making muscular noises about GDPR enforcement, according to Ausloos — who cites a speech he made, post-election, saying the ‘time of sit back and relax’ is over. They made sure to reference these comments in the RTB complaint, he adds.

Veale suggests the biggest blocker to resolving the RTB complaints is that all the various EU watchdogs “need a vision of what the world looks like after they take a given action”.

In the meanwhile, the adtech complaints keep stacking up.

Source link



Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

Kaseya gets master decryptor to help customers still suffering from REvil attack

Published

on

Kaseya—the remote management software seller at the center of a ransomware operation that struck as many as 1,500 downstream networks—said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack.

Affiliates of REvil, one of the Internet’s most cutthroat ransomware groups, exploited a critical zero-day vulnerability in Miami, Florida-based Kaseya’s VSA remote management product. The vulnerability—which Kaseya was days away from patching—allowed the ransomware operators to compromise the networks of about 60 customers. From there, the extortionists infected as many as 1,500 networks that relied on the 60 customers for services.

Finally, a universal decryptor

“We obtained the decryptor yesterday from a trusted third party and have been using it successfully on affected customers,” Dana Liedholm, senior VP of corporate marketing, wrote in an email on Thursday morning. “We are providing tech support to use the decryptor. We have a team reaching out to our customers and I don’t have more detail right now.”

In a private message, threat analyst Brett Callow of security firm Emsisoft said: “We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”

REvil had demanded as much as $70 million for a universal decryptor that would restore the data of all organizations compromised in the mass attack. Liedholm declined to say if Kaseya paid any sum in exchange for the decryption tool. Kaseya has since patched the zero-day used in the attack.

That means that, for the time being, it’s not publicly known if Kaseya paid the ransom or received it for free from either REvil, a law enforcement agency, or a private security company.

In the days following the attack, REvil’s site on the dark web, along with other infrastructure the group uses to provide technical support and process payments, suddenly went offline. The unexplained exit left victims and researchers worried that the data would remain locked up forever, since the only people with the ability to decrypt it had vanished.

Where did it come from?

REvil is one of several ransomware groups believed to operate out of Russia or another Eastern European country that was formerly part of Soviet Union. The group’s disappearance came a few days after President Joe Biden warned his Russian counterpart Vladimir Putin that, if Russia didn’t rein in those ransomware groups, the US might take unilateral action against them.

Observers have speculated since then that either Putin pressured the group to go quiet or the group, rattled by all the attention it received from the attack, decided to do so on its own.

Some of the companies victimized by the attack include Swedish grocery store chain COOP, Virginia Tech, two Maryland towns, New Zealand schools, and international textile company Miroglio Group.

REvil is also behind a crippling attack on JBS, the world’s biggest producer of meat. The breach caused JBS to temporarily close some plants.

Continue Reading

Biz & IT

AT&T nightmare: Woman had to wait 3+ months for broadband at new home

Published

on

Enlarge / Lovie Newman tells News 4 San Antonio about having to wait nearly four months for AT&T Internet service.

AT&T reportedly forced a San Antonio woman to wait nearly four months to get Internet service at her new home, and she didn’t get close to solving the problem until she asked a local news station for help.

“Lovie Newman planned for a smooth transition into her new home, including scheduling a transfer for her AT&T high-speed Internet service in advance,” according to a report Tuesday by News 4 San Antonio.

The house Newman moved into was apparently newly built and not yet connected to AT&T’s network, but it sounds like the months-long wait was due primarily to mistakes by AT&T technicians and customer-service problems. In what Newman called “a complete nightmare,” AT&T continually rebuffed her attempts to get Internet service.

Newman scheduled an installation appointment for April 1, but when the day came, AT&T called to say, “we need to reschedule,” she told the news station. Initially, Newman “was told there was a service outage in her new far East Side neighborhood,” News 4 journalist Darian Trotter reported. “Technicians were working on it, but she says they had no idea when service in the area would be restored.”

“I wasn’t hearing back, and I kept getting rescheduled and pushed around to different departments,” Newman said.

“You never came to my house”

Newman was able to schedule another installation appointment in May after the outage was fixed, but installers never came to her house. “For three and a half months, she says she made countless efforts to get connected, including the one time she got an appointment and eagerly waited for technicians to arrive,” News 4 said.

Newman was at home waiting for installers to arrive when she got a message from AT&T saying, “we missed you,” she told News 4. “I’m like, ‘you never came to my house. How did you miss me?'” AT&T installers had mistakenly gone to a different address in Alamo Heights, the report said.

“Out of desperation, she considered switching service providers,” but “an online search of at least three companies revealed service in her neighborhood wasn’t available.” The TV station’s video report shows that those three providers were Charter Spectrum, Grande Communications, and Google Fiber.

“I put in my address and it said, ‘not available,'” Newman said. Newman was afraid of losing her job because of the lack of AT&T Internet service, but News 4 said that “Newman’s employer was able to make special accommodations to keep her working.”

Even though AT&T has dragged its feet for months, its website says that service should be readily available to Newman. We entered Newman’s address into AT&T’s online availability checker, and it reports that fiber-to-the-home service is available where she lives:

AT&T gets moving after hearing from reporter

After months of waiting for AT&T to provide a broadband connection, Newman contacted Trotter at News 4 over two weeks ago. The station reached out to AT&T, and while the company initially did not reply to the media organization, the prospect of news coverage got AT&T’s attention.

The news video showed an email sent to Newman on July 8 from an employee in an AT&T executive office. “The AT&T Office of the President (OOP) received a communication from a local news media reporter,” the email said. “However, since you are our customer, I wanted to reach out to you directly.”

The week after that July 8 email, News 4 “received a statement from a spokeswoman saying, ‘our team has already begun looking into this and is in contact with Ms. Newman,'” Trotter said in the news report. Newman was still waiting for service to be installed this week when the News 4 report aired. “I want my Internet to be installed, up and running by this weekend,” she told the station.

Due to News 4 prodding AT&T into action, it seems that Newman is finally close to getting connected—nearly four months after AT&T abruptly canceled her first installation appointment. “After we got involved, Newman says techs have recently installed wiring, and an Internet box has been set up outside her home,” Trotter said at the end of his report. “Everything is ready, she just needs to schedule the installation.”

We contacted Newman and AT&T today about whether service has been or will soon be installed and will update this article if we get new information.

Newman’s AT&T nightmare unfortunately not unique

Newman’s ordeal is similar to one we wrote about in April. In that case, Comcast had an error in its coverage map and falsely told the customers that Internet service would be available at their new home. The couple, Edward Koll and Jo Narkon, then paid Comcast $5,000 for a network extension, but the project kept getting delayed. Comcast finally provided Internet service after Koll contacted Ars and we reached out to Comcast’s public relations department.

Koll and Narkon ended up waiting six months for cable Internet and had to use unreliable and data-capped cell service that entire time. We’ve written other stories over the years about Comcast falsely telling customers that they could get service. After our article about Koll and Narkon published a few months ago, we heard from a few more people in Comcast territory who were incorrectly told that Internet service would be available at their homes.

We also wrote about a frustrated AT&T-using family in Mississippi in November 2020. AT&T had falsely promised Kathie McNamee and her family U-verse Internet service of about 5Mbps, which is slow by today’s standards but still much faster than what they ended up getting. Ultimately, AT&T only provided the family speeds of up to 768kbps over its legacy DSL network and has not upgraded its network there or in many other areas where glacially slow AT&T speeds are the norm.

This kind of AT&T home-Internet problem is nothing new. Back in 2015, we wrote about a family in Georgia that couldn’t get AT&T Internet at a home they bought even though their neighbors and the home’s previous owners had service. AT&T said it didn’t have enough capacity to hook up additional customers.

Continue Reading

Biz & IT

Saudi Aramco confirms data leak after $50 million cyber ransom demand

Published

on

Enlarge / The Hawiyah Natural Gas Liquids Recovery Plant, operated by Saudi Aramco, in Hawiyah, Saudi Arabia, on Monday, June 28, 2021.

Bloomberg | Getty Images

Saudi Aramco, the world’s largest oil producer, confirmed on Wednesday that some of its company files had been leaked via a contractor, after a cyber extortionist claimed to have seized troves of its data last month and demanded a $50 million ransom from the company.

Aramco said in a statement that it had “recently become aware of the indirect release of a limited amount of company data which was held by third-party contractors.” The oil company did not name the supplier or explain how the data were compromised.

“We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cyber security posture,” Aramco added.

The statement came after a hacker claimed on the dark web that they had stolen 1 terabyte of Aramco’s data, according to a post from June 23 seen by the Financial Times. The hacker said it had obtained information on the location of oil refineries, as well as payroll files and confidential client and employee data.

In another post, the perpetrator offered to delete the data if Aramco paid up $50 million in a niche cryptocurrency Monero, which is particularly difficult for authorities to trace. The post also offered prospective buyers the chance to purchase the data for about $5 million.

The oil giant has the capacity to pump more than one in every 10 barrels of crude in the global market and any threats to its security or facilities are closely watched by oil traders and policymakers.

The security vulnerabilities of energy companies and pipelines in particular have fallen under the spotlight recently after the hack of the Colonial Pipeline in the US earlier this year resulted in fuel shortages across the east coast of the country.

It was unclear who was behind the Aramco incident. Cyber researchers noted that the attack did not appear to be part of a ransomware campaign, where hackers use malware to seize a users’ data or computer systems and only release it once a ransom has been paid. Nor did the hacker claim to be part of a known ransomware gang.

Instead, the hacker appeared to have seized a copy of the data without using malware, and set up dark web profiles to telegraph its activities.

Saudi Aramco’s facilities have been targeted in the past by both physical and cyber attacks.

In 2019 the Abqaiq processing facility in the eastern part of the country, which prepares the majority of the kingdom’s crude for export, was hit by a series of missile and drone strikes that the US blamed on Iran. Global oil prices soared until Saudi Arabia was able to reassure markets it could still export enough oil to keep customers well supplied.

In 2012 an alleged cyber attack on Saudi Aramco was also blamed on Iran. Cyber security experts have said this was probably a retaliation for the Stuxnet attack on Iran’s nuclear program, which has been widely attributed to the US and Israel.

The 2012 attack erased data on about three-quarters of Aramco’s computers, according to reports at the time, including files, spreadsheets and emails. They were replaced with an image of a burning US flag.

Saudi Aramco refineries, including the newly opened Jazan facility, which was listed in screenshots of the allegedly leaked data, have also been subject to physical attacks both from drones and missile strikes, which have been claimed by Iran-backed Houthi rebels in Yemen. The Jazan refinery is in Saudi Arabia’s southwest on the Red Sea, not far from the Yemen border.

The extortion attempt was first reported by the Associated Press.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Continue Reading

Trending