Connect with us

Biz & IT

GDPR adtech complaints keep stacking up in Europe

Published

on

It’s a year since Europe’s General Data Protection Regulation (GDPR) came into force and leaky adtech is now facing privacy complaints in four more European Union markets. This ups the tally to seven markets where data protection authorities have been urged to investigate a core function of behavioral advertising.

The latest clutch of GDPR complaints aimed at the real-time bidding (RTB) system have been filed in Belgium, Luxembourg, the Netherlands and Spain.

All the complaints argue that RTB entails “wide-scale and systemic” breaches of Europe’s data protection regime, as personal date harvested to profile Internet users for ad-targeting purposes is broadcast widely to bidders in the adtech chain. The complaints have implications for key adtech players, Google and the Internet Advertising Bureau, which set RTB standards used by other in the online adverting pipeline.

We’ve reached out to Google and IAB Europe for comment on the latest complaints. (The latter’s original response statement to the complaint can be found here, behind its cookie wall.)

The first RTB complaints were filed in the UK and Ireland, last fall, by Dr Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London.

A third complaint went in to Poland’s DPA in January, filed by anti-surveillance NGO, the Panoptykon Foundation.

The latest four complaints have been lodged in Spain by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch); David Korteweg (Bits of Freedom) in the Netherlands; Jef Ausloos (University of Amsterdam) and Pierre Dewitte (University of Leuven) in Belgium; and Jose Belo (Exigo Luxembourg).

Earlier this year a lawyer working with the complainants said they’re expecting “a cascade of complaints” across Europe — and “fully expect an EU-wide regulatory response” give that the adtech in question is applied region-wide.

Commenting in a statement, Galdon Cavell, the CEO of Eticas, said: “We hope that this complaint sends a strong message to Google and those using Ad Tech solutions in their websites and products. Data protection is a legal requirement must be translated into practices and technical specifications.”

A ‘bug’ disclosed last week by Twitter illustrates the potential privacy risks around adtech, with the social networking platform revealing it had inadvertently shared some iOS users’ location data with an ad partner during the RTB process. (Less clear is who else might Twitter’s “trusted advertising partner” have passed people’s information to?)

The core argument underpinning the complaints is that RTB’s data processing is not secure — given the design of the system entails the broadcasting of (what can be sensitive and intimate) personal data of Internet users to all sorts of third parties in order to generate bids for ad space.

Whereas GDPR bakes in a requirement for personal data to be processed “in a manner that ensures appropriate security of the personal data”. So, uh, spot the disconnect.

The latest RTB complaints assert personal data is broadcast via bid requests “hundreds of billions of times” per day — which it describes as “the most massive leakage of personal data recorded so far”.

While the complaints focus on security risks attached by default to leaky adtech, such a long chain of third parties being passed people’s data also raises plenty of questions over the validity of any claimed ‘consents’ for passing Internet users’ data down the adtech chain. (Related: A decision by the French CNIL last fall against a small local adtech player which it decided was unlawfully processing personal data obtained via RTB.)

This week will mark a year since GDPR came into force across the EU. And it’s fair to say that privacy complaints have been piling up, while enforcement actions — such as a $57M fine for Google from the French CNIL related to Android consent — remain far rarer.

One complexity with the RTB complaints is that the technology systems in question are both applied across EU borders and involve multiple entities (Google and the IAB). This means multiple privacy watchdogs need to work together to determine which of them is legally competent to address linked complaints that touch EU citizens in multiple countries.

Who leads can depend on where an entity has its main establishment in the EU and/or who is the data controller. If this is not clearly established it’s possible that various national actions could flow from the complaints, given the cross-border nature of the adtech — as in the CNIL decision against Android, for example. (Though Google made a policy change as of January 22, shifting its legal base for EU law enforcement to Google Ireland which looks intended to funnel all GDPR risk via the Irish DPC.)

The IAB Europe, meanwhile, has an office in Belgium but it’s not clear whether that’s the data controller in this case. Ausloos tells us that the Belgian DPA has already declared itself competent regarding the complaint filed against the IAB by the Panoptykon Foundation, while noting another possibility — that the IAB claims the data controller is IAB Tech Lab, based in New York — “in which case any and all DPAs across the EU would be competent”.

Veale also says different DPAs could argue that different parts of the IAB are in their jurisdiction. “We don’t know how the IAB structure really works, it’s very opaque,” he tells us.

The Irish DPC, which Google has sought to designate the lead watchdog for its European business, has said it will prioritize scrutiny of the adtech sector in 2019, referencing the RTB complaints in its annual report earlier this year — where it warned the industry: “the protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR”.

There’s no update on how the UK’s ICO is tackling the RTB complaint filed in the UK as yet — but Veale notes they have a call today. (And we’ve reached out to the ICO for comment.)

So far the same RTB complaints have not been filed in France and Germany — jurisdictions with privacy watchdogs that can have a reputation for some of the most muscular action enforcing data protection in Europe.

Although the Belgian DPA’s recently elected new president is making muscular noises about GDPR enforcement, according to Ausloos — who cites a speech he made, post-election, saying the ‘time of sit back and relax’ is over. They made sure to reference these comments in the RTB complaint, he adds.

Veale suggests the biggest blocker to resolving the RTB complaints is that all the various EU watchdogs “need a vision of what the world looks like after they take a given action”.

In the meanwhile, the adtech complaints keep stacking up.

Source link



Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

AT&T eats a $15.5 billion impairment charge as DirecTV debacle continues

Published

on

Enlarge / A man walks with an umbrella outside of AT&T corporate headquarters on March 13, 2020, in Dallas, Texas.

AT&T lost 617,000 customers from DirecTV and its other TV businesses in the final quarter of 2020, capping a year in which it lost nearly 3 million customers in the category, AT&T reported today.

AT&T today also informed the Securities and Exchange Commission that it has taken “noncash impairment charges of $15.5 billion” related to its ongoing DirecTV debacle. AT&T said the $15.5 billion charges reflect “changes in our management strategy and our evaluation of the domestic video business… including our decision to operate our video business separately from our broadband and legacy telephony operations.” This operational decision “required us to identify a separate Video reporting unit and to assess both the recoverability of its long-lived assets and any assigned goodwill for impairment,” AT&T said.

AT&T said it also logged “charges of approximately $780 million from the impairment of production and other content inventory at WarnerMedia, with $520 million resulting from the continued shutdown of theaters during the pandemic and the hybrid distribution model for our 2021 film slate.”

The charges were added to AT&T’s Q4 expenses. As a result, AT&T reported a $13.9 billion net loss in the quarter, compared to a net profit of $2.4 billion a year ago. Q4 revenue was $45.7 billion, down from $46.8 billion year over year. The Q4 net loss swung AT&T to a full-year net loss of $5.4 billion.

“Executives called the non-cash accounting charge a sign of the pay-TV unit’s aging status as the Dallas company promotes an Internet-streaming model that gives its content-production business a direct line to viewers,” The Wall Street Journal wrote today.

“Our biggest and single most important bet is HBO Max,” AT&T CEO John Stankey said.

Premium TV customers flee in droves

AT&T is down to 16.5 million customers in the Premium TV category that includes DirecTV satellite, U-verse wireline video, and the newer AT&T TV online service. That’s down from 17.1 million three months earlier and down from 19.5 million since the beginning of 2020.

AT&T has strung together several years of big TV-customer losses since early 2017, when it had over 25 million users in the category. The loss of nearly 3 million customers in 2020 was an improvement over 2019, when AT&T lost 3.4 million Premium TV customers in the calendar year.

These numbers do not include the streaming service formerly known as DirecTV Now, which AT&T just killed off this month. The service dropped from 1.86 million subscribers in Q3 2018 to 656,000 by year-end 2020. Existing customers can keep that service, but AT&T isn’t offering it to new users.

DirecTV and U-verse customers have been driven away by years of price increases and AT&T’s reduced use of promotional offers. This is reflected in AT&T’s average revenue per user (ARPU) in the Premium TV category, which jumped from $121.76 per month at year-end 2018 to $131 at year-end 2019 and $137.64 at the end of 2020.

AT&T attributed the 617,000-customer loss in Q4 to “competition, lower gross adds from the continued focus on adding higher value customers and a programming dispute, partially offset by lower churn.”

Video revenue down 11.2 percent

AT&T reported video revenue of $7.2 billion in Q4 2020, “down 11.2 percent year over year due to declines in premium and [online] subscribers, partially offset by higher premium TV ARPU and higher advertising revenues during the general election.” Operating expenses in the category were $7.1 billion, leaving AT&T with a profit of $98 million.

AT&T doesn’t report individual numbers for DirecTV, U-verse TV, and AT&T TV. But the company said gains in AT&T TV streaming subscribers last quarter helped offset losses in DirecTV and U-verse, meaning that DirecTV and U-verse together lost more than the 617,000 net-customer loss in the Premium TV category.

AT&T said it is encouraged by the progress of HBO Max, which costs $15 a month on its own but is also included in various bundles. “The release of Wonder Woman 1984 helped drive our domestic HBO Max and HBO subscribers to more than 41 million, a full two years faster than our initial forecast,” Stankey said.

Selling DirecTV at a loss

AT&T bought DirecTV for $49 billion in 2015 but has been trying to sell the beleaguered satellite division for the past few months. AT&T is reportedly close to a deal to sell a stake in DirecTV to TPG, a private-equity firm, but AT&T may maintain majority ownership of the company. Bids for DirecTV have reportedly valued the subsidiary at about $15 billion.

Fiber gains, DSL losses

AT&T’s broadband-subscriber base remained steady at 14.1 million in the quarter. The company boosted fiber-to-the-premises subscribers from 4.68 million to 4.95 million in Q4 2020, but it dropped from 8.98 million to 8.74 million in fiber-to-the-node and from 440,000 to 407,000 in its outdated DSL service. AT&T stopped accepting new DSL customers in October 2020.

AT&T said its Q4 broadband revenue was “$3.1 billion, down 1.4 percent year over year due to declines in legacy services partially offset by higher IP broadband ARPU resulting from an increase in high-speed fiber customers and pricing actions.” Operating expenses were $2.8 billion.

Continue Reading

Biz & IT

SpaceX adds laser links to Starlink satellites to serve Earth’s polar areas

Published

on

Enlarge / Starlink logo imposed on stylized image of the Earth.

SpaceX has begun launching Starlink satellites with laser links that will help provide broadband coverage in polar regions. As SpaceX CEO Elon Musk wrote on Twitter on Sunday, these satellites “have laser links between the satellites, so no ground stations are needed over the poles.”

Starlink satellites prior to launch. The black circles in the middle are laser links.
Enlarge / Starlink satellites prior to launch. The black circles in the middle are laser links.

The laser links are included in 10 Starlink satellites just launched into polar orbits. The launch came two weeks after SpaceX received Federal Communications Commission approval to launch the 10 satellites into polar orbits at an altitude of 560km.

“All sats launched next year will have laser links,” Musk wrote in another tweet yesterday, indicating that the laser systems will become standard on Starlink satellites in 2022. For now, SpaceX is only including laser links on polar satellites. “Only our polar sats have lasers this year & are v0.9,” Musk wrote.

Alaskan residents will benefit from the polar satellites, SpaceX told the FCC in an application to change the orbit of some of its satellites in April 2020. The plan is to “ensure that all of the satellites in SpaceX’s system will provide the same low-latency services to all Americans, including those in places like Alaska that are served by satellites in polar orbits,” SpaceX said at the time. The satellites can serve both residential and US-government users “in otherwise impossible-to-reach polar areas,” SpaceX said.

Starlink satellites communicate with ground stations, of which about 20 are deployed in the United States so far. A SpaceNews article today described how the laser links reduce the need for ground stations and provide other benefits:

Inter-satellite links allow satellites to transfer communications from one satellite to another, either in the same orbital plane or an adjacent plane. Such links allow operators to minimize the number of ground stations, since a ground station no longer needs to be in the same satellite footprint as user terminals, and extend coverage to remote areas where ground stations are not available. They can also decrease latency, since the number of hops between satellites and ground stations are reduced.

The 10 satellites were originally authorized by the FCC for altitudes in the 1,100-1,300km range. The FCC approval allowing SpaceX to cut the altitude in half will help reduce latency.

With polar orbits, also known as Sun-synchronous orbits, satellites “travel past Earth from north to south rather than from west to east, passing roughly over Earth’s poles,” as the European Space Agency explains.

“Space lasers have exciting potential”

In December, during an interview with Ars’ Senior Space Editor Eric Berger, SpaceX President Gwynne Shotwell said that demonstrating laser communications in space was among the company’s most significant achievements in 2020.

SpaceX had revealed a few months earlier that it was testing space lasers for transferring data between satellites. Starlink engineers provided more detail in a Reddit AMA in November; here’s an excerpt from our coverage at the time:

“The speed of light is faster in vacuum than in fiber, so the space lasers have exciting potential for low latency links,” the Starlink team said on Reddit in response to a question about the space-laser testing. “They will also allow us to serve users where the satellites can’t see a terrestrial gateway antenna—for example, over the ocean and in regions badly connected by fiber.”

Space lasers won’t play a major role in Starlink any time soon, though. “We did have an exciting flight test earlier this year with prototype space lasers on two Starlink satellites that managed to transmit gigabytes of data,” the engineering team wrote. “But bringing down the cost of the space lasers and producing a lot of them fast is a really hard problem that the team is still working on.”

SpaceX seeks FCC OK for more polar satellites

In November 2020, SpaceX urged the FCC for an expedited approval “to facilitate deployment of 348 Starlink satellites into Sun-synchronous polar orbits at the lower altitude,” the FCC said in its decision to approve 10 satellites. The FCC approved only those 10 because it is evaluating interference concerns raised by other satellite companies.

“We find that partial grant of ten satellites will facilitate continued development and testing of SpaceX’s broadband service in high latitude geographic areas in the immediate term pending later action to address arguments in the record as to both grant of the modification as a whole and the full subset of polar orbit satellites,” the FCC order said.

Amazon’s Project Kuiper, Viasat, Kepler Communications, and Pacific Dataport urged the FCC to reject even the partial grant of 10 satellites because of the potential for increased interference with other non-geostationary satellite systems. But the FCC order said that SpaceX committed to “operate these satellites on a non-harmful interference basis with respect to other licensed spectrum users until the Commission has ruled on its modification in full.” A battle between SpaceX and Amazon is brewing, with Musk accusing Amazon of trying “to hamstring Starlink today for an Amazon satellite system that is at best several years away from operation.”

Continue Reading

Biz & IT

North Korea hackers use social media to target security researchers

Published

on

Enlarge / Cyber threat from North Korea. North Korean hacker at the computer, on a background of binary code, the colors of the flag of the DPRK. DDoS attack

Dmitry Nogaev | Getty Images

Google has warned it has uncovered an “ongoing” state-backed hacking campaign run by North Korea targeting cyber security researchers.

The Silicon Valley group said its threat analysis team found that cyber attackers posing as researchers had created numerous fake social media profiles on platforms such as Twitter and LinkedIn. To gain credibility, they also had set up a fake blog for which they would get unwitting targets to write guest posts about actual software bugs.

After establishing communication with an actual researcher, the attackers would ask the target to work together on cyber vulnerability research and then share collaboration tools containing malicious code to install malware on the researcher’s systems.

In some cases, the attackers were able to create a backdoor to the victim’s computer even when their systems were running fully patched and up-to-date Windows 10 and Chrome browser versions, Google said.

The campaign would allow the hackers to glean insights into vulnerabilities the research community was studying to exploit them.

Several researchers wrote on Twitter in the wake of the Google statement that they had been contacted by the hackers but had not been compromised.

Google attributed the latest campaign to “a government-backed entity based in North Korea”—one of the biggest state sponsors of hacking alongside Russia, Iran and China.

North Korea is also among the countries that have been accused of carrying out cyber attacks to steal coronavirus vaccine-related research and data. The Wall Street Journal reported last year that Pyongyang had coordinated attacks on at least six vaccine developers including Johnson & Johnson and Novavax in the US, the UK’s AstraZeneca and several South Korean companies.

According to analysts, North Korea’s cyber army comprises thousands of expert hackers whose targets range from smaller-scale fraud and theft of cryptocurrencies to stealing nuclear secrets and weapons technology.

Belying perceptions of the country as a technological backwater, its hackers have a record of major cyber disruptions including hacking Sony Pictures in 2014 and the WannaCry malware attack in 2017. In 2019 a UN sanctions report estimated that $2 billion had been raised for Kim Jong Un’s weapons program via North Korean cyber actors.

The latest campaign comes as cyber security companies have found themselves a particular target of hacking campaigns.

In December, cyber security group FireEye as well as Microsoft reported that they had been victims of a sprawling cyber espionage campaign run by Russian state hackers that also targeted a number of US federal agencies and private sector groups.

Additional reporting by Edward White in Seoul.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Continue Reading

Trending