Connect with us

Biz & IT

Is Europe closing in on an antitrust fix for surveillance technologists?

Published

on

The German Federal Cartel Office’s decision to order Facebook to change how it processes users’ personal data this week is a sign the antitrust tide could at last be turning against platform power.

One European Commission source we spoke to, who was commenting in a personal capacity, described it as “clearly pioneering” and “a big deal”, even without Facebook being fined a dime.

The FCO’s decision instead bans the social network from linking user data across different platforms it owns, unless it gains people’s consent (nor can it make use of its services contingent on such consent). Facebook is also prohibited from gathering and linking data on users from third party websites, such as via its tracking pixels and social plugins.

The order is not yet in force, and Facebook is appealing, but should it come into force the social network faces being de facto shrunk by having its platforms siloed at the data level.

To comply with the order Facebook would have to ask users to freely consent to being data-mined — which the company does not do at present.

Yes, Facebook could still manipulate the outcome it wants from users but doing so would open it to further challenge under EU data protection law, as its current approach to consent is already being challenged.

The EU’s updated privacy framework, GDPR, requires consent to be specific, informed and freely given. That standard supports challenges to Facebook’s (still fixed) entry ‘price’ to its social services. To play you still have to agree to hand over your personal data so it can sell your attention to advertisers. But legal experts contend that’s neither privacy by design nor default.

The only ‘alternative’ Facebook offers is to tell users they can delete their account. Not that doing so would stop the company from tracking you around the rest of the mainstream web anyway. Facebook’s tracking infrastructure is also embedded across the wider Internet so it profiles non-users too.

EU data protection regulators are still investigating a very large number of consent-related GDPR complaints.

But the German FCO, which said it liaised with privacy authorities during its investigation of Facebook’s data-gathering, has dubbed this type of behavior “exploitative abuse”, having also deemed the social service to hold a monopoly position in the German market.

So there are now two lines of legal attack — antitrust and privacy law — threatening Facebook (and indeed other adtech companies’) surveillance-based business model across Europe.

A year ago the German antitrust authority also announced a probe of the online advertising sector, responding to concerns about a lack of transparency in the market. Its work here is by no means done.

Data limits

The lack of a big flashy fine attached to the German FCO’s order against Facebook makes this week’s story less of a major headline than recent European Commission antitrust fines handed to Google — such as the record-breaking $5BN penalty issued last summer for anticompetitive behaviour linked to the Android mobile platform.

But the decision is arguably just as, if not more, significant, because of the structural remedies being ordered upon Facebook. These remedies have been likened to an internal break-up of the company — with enforced internal separation of its multiple platform products at the data level.

This of course runs counter to (ad) platform giants’ preferred trajectory, which has long been to tear modesty walls down; pool user data from multiple internal (and indeed external sources), in defiance of the notion of informed consent; and mine all that personal (and sensitive) stuff to build identity-linked profiles to train algorithms that predict (and, some contend, manipulate) individual behavior.

Because if you can predict what a person is going to do you can choose which advert to serve to increase the chance they’ll click. (Or as Mark Zuckerberg puts it: ‘Senator, we run ads.’)

This means that a regulatory intervention that interferes with an ad tech giant’s ability to pool and process personal data starts to look really interesting. Because a Facebook that can’t join data dots across its sprawling social empire — or indeed across the mainstream web — wouldn’t be such a massive giant in terms of data insights. And nor, therefore, surveillance oversight.

Each of its platforms would be forced to be a more discrete (and, well, discreet) kind of business.

Competing against data-siloed platforms with a common owner — instead of a single interlinked mega-surveillance-network — also starts to sound almost possible. It suggests a playing field that’s reset, if not entirely levelled.

(Whereas, in the case of Android, the European Commission did not order any specific remedies — allowing Google to come up with ‘fixes’ itself; and so to shape the most self-serving ‘fix’ it can think of.)

Meanwhile, just look at where Facebook is now aiming to get to: A technical unification of the backend of its different social products.

Such a merger would collapse even more walls and fully enmesh platforms that started life as entirely separate products before were folded into Facebook’s empire (also, let’s not forget, via surveillance-informed acquisitions).

Facebook’s plan to unify its products on a single backend platform looks very much like an attempt to throw up technical barriers to antitrust hammers. It’s at least harder to imagine breaking up a company if its multiple, separate products are merged onto one unified backend which functions to cross and combine data streams.

Set against Facebook’s sudden desire to technically unify its full-flush of dominant social networks (Facebook Messenger; Instagram; WhatsApp) is a rising drum-beat of calls for competition-based scrutiny of tech giants.

This has been building for years, as the market power — and even democracy-denting potential — of surveillance capitalism’s data giants has telescoped into view.

Calls to break up tech giants no longer carry a suggestive punch. Regulators are routinely asked whether it’s time. As the European Commission’s competition chief, Margrethe Vestager, was when she handed down Google’s latest massive antitrust fine last summer.

Her response then was that she wasn’t sure breaking Google up is the right answer — preferring to try remedies that might allow competitors to have a go, while also emphasizing the importance of legislating to ensure “transparency and fairness in the business to platform relationship”.

But it’s interesting that the idea of breaking up tech giants now plays so well as political theatre, suggesting that wildly successful consumer technology companies — which have long dined out on shiny convenience-based marketing claims, made ever so saccharine sweet via the lure of ‘free’ services — have lost a big chunk of their populist pull, dogged as they have been by so many scandals.

From terrorist content and hate speech, to election interference, child exploitation, bullying, abuse. There’s also the matter of how they arrange their tax affairs.

The public perception of tech giants has matured as the ‘costs’ of their ‘free’ services have scaled into view. The upstarts have also become the establishment. People see not a new generation of ‘cuddly capitalists’ but another bunch of multinationals; highly polished but remote money-making machines that take rather more than they give back to the societies they feed off.

Google’s trick of naming each Android iteration after a different sweet treat makes for an interesting parallel to the (also now shifting) public perceptions around sugar, following closer attention to health concerns. What does its sickly sweetness mask? And after the sugar tax, we now have politicians calling for a social media levy.

Just this week the deputy leader of the main opposition party in the UK called for setting up a standalone Internet regulatory with the power to break up tech monopolies.

Talking about breaking up well-oiled, wealth-concentration machines is being seen as a populist vote winner. And companies that political leaders used to flatter and seek out for PR opportunities find themselves treated as political punchbags; Called to attend awkward grilling by hard-grafting committees, or taken to vicious task verbally at the highest profile public podia. (Though some non-democratic heads of state are still keen to press tech giant flesh.)

In Europe, Facebook’s repeat snubs of the UK parliament’s requests last year for Zuckerberg to face policymakers’ questions certainly did not go unnoticed.

Zuckerberg’s empty chair at the DCMS committee has become both a symbol of the company’s failure to accept wider societal responsibility for its products, and an indication of market failure; the CEO so powerful he doesn’t feel answerable to anyone; neither his most vulnerable users nor their elected representatives. Hence UK politicians on both sides of the aisle making political capital by talking about cutting tech giants down to size.

The political fallout from the Cambridge Analytica scandal looks far from done.

Quite how a UK regulator could successfully swing a regulatory hammer to break up a global Internet giant such as Facebook which is headquartered in the U.S. is another matter. But policymakers have already crossed the rubicon of public opinion and are relishing talking up having a go.

That represents a sea-change vs the neoliberal consensus that allowed competition regulators to sit on their hands for more than a decade as technology upstarts quietly hoovered up people’s data and bagged rivals, and basically went about transforming themselves from highly scalable startups into market-distorting giants with Internet-scale data-nets to snag users and buy or block competing ideas.

The political spirit looks willing to go there, and now the mechanism for breaking platforms’ distorting hold on markets may also be shaping up.

The traditional antitrust remedy of breaking a company along its business lines still looks unwieldy when faced with the blistering pace of digital technology. The problem is delivering such a fix fast enough that the business hasn’t already reconfigured to route around the reset. 

Commission antitrust decisions on the tech beat have stepped up impressively in pace on Vestager’s watch. Yet it still feels like watching paper pushers wading through treacle to try and catch a sprinter. (And Europe hasn’t gone so far as trying to impose a platform break up.) 

But the German FCO decision against Facebook hints at an alternative way forward for regulating the dominance of digital monopolies: Structural remedies that focus on controlling access to data which can be relatively swiftly configured and applied.

Vestager, whose term as EC competition chief may be coming to its end this year (even if other Commission roles remain in potential and tantalizing contention), has championed this idea herself.

In an interview on BBC Radio 4’s Today program in December she poured cold water on the stock question about breaking tech giants up — saying instead the Commission could look at how larger firms got access to data and resources as a means of limiting their power. Which is exactly what the German FCO has done in its order to Facebook. 

At the same time, Europe’s updated data protection framework has gained the most attention for the size of the financial penalties that can be issued for major compliance breaches. But the regulation also gives data watchdogs the power to limit or ban processing. And that power could similarly be used to reshape a rights-eroding business model or snuff out such business entirely.

The merging of privacy and antitrust concerns is really just a reflection of the complexity of the challenge regulators now face trying to rein in digital monopolies. But they’re tooling up to meet that challenge.

Speaking in an interview with TechCrunch last fall, Europe’s data protection supervisor, Giovanni Buttarelli, told us the bloc’s privacy regulators are moving towards more joint working with antitrust agencies to respond to platform power. “Europe would like to speak with one voice, not only within data protection but by approaching this issue of digital dividend, monopolies in a better way — not per sectors,” he said. “But first joint enforcement and better co-operation is key.”

The German FCO’s decision represents tangible evidence of the kind of regulatory co-operation that could — finally — crack down on tech giants.

Blogging in support of the decision this week, Buttarelli asserted: “It is not necessary for competition authorities to enforce other areas of law; rather they need simply to identity where the most powerful undertakings are setting a bad example and damaging the interests of consumers.  Data protection authorities are able to assist in this assessment.”

He also had a prediction of his own for surveillance technologists, warning: “This case is the tip of the iceberg — all companies in the digital information ecosystem that rely on tracking, profiling and targeting should be on notice.”

So perhaps, at long last, the regulators have figured out how to move fast and break things.

Source link



Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

Epik data breach impacts 15 million users, including non-customers

Published

on

Epik has now confirmed that an “unauthorized intrusion” did in fact occur into its systems. The announcement follows last week’s incident of hacktivist collective Anonymous leaking 180 GB of data stolen from online service provider Epik. To mock the company’s initial response to the data breach claims, Anonymous had altered Epik’s official knowledge base, as reported by Ars.

Epik is a domain registrar and web services provider known to serve right-wing clients, some of which have been turned down by more mainstream IT providers due to the objectionable and sometimes illicit content hosted by the clients. Epik’s clients have included the Texas GOP, Parler, Gab, and 8chan, among others.

Epik hack impacts millions of non-customers, too

Turns out, the leaked data dump contains 15,003,961 email addresses belonging to both Epik’s customers and non-customers, and not everyone is pleased with the news. This occurred as Epik had scraped WHOIS records of domains, even those not owned by the company, and stored these records. In doing so, the contact information of those who have never transacted with Epik directly was also retained in Epik’s systems.

Data breach monitoring service HaveIBeenPwned has now begun sending out alerts to millions of email addresses exposed in the Epik hack. The service’s founder, Troy Hunt, is one of the many impacted by the data breach but who “had absolutely nothing to do with Epik.”

In a poll last week, Hunt had asked if affected users who weren’t Epik customers preferred receiving breach alerts as well. The majority of users responded affirmatively to the question.

“The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who were not Epik customers,” states HaveIBeenPwned. “The data included over 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.”

Ars has seen a part of the leaked whois.sql data set file, roughly 16 GB in size, with emails, IP addresses, domains, physical addresses, and phone numbers of the users. We noticed WHOIS records for some domains were dated and contained incorrect information about domain owners—people who no longer own these assets.

Epik's WHOIS database, part of the 180 GB leak.
Enlarge / Epik’s WHOIS database, part of the 180 GB leak.

Ax Sharma

Prior to registering domains, domain registrars require users to provide their “WHOIS” contact information, such as email address, physical address, and phone number. This information becomes a part of the public WHOIS directory and is searchable by anyone for contacting the domain owner. Being public data, WHOIS records may be seen or scraped by anyone. Those who prefer not to disclose their personal information directly on a WHOIS directory often rely on a company or a private WHOIS provider to act on their behalf. However, what has gotten the users concerned in this case is that the presence of their contact information in Epik’s data set could falsely portray them as having a connection to Epik when there was none.

“Wonder if there is any legal recourse once can take against [Epik] for harvesting data, and keeping it longer than expected in a cache for individuals who are NOT clients, and have had 0 business dealings with them? Is there a precedent for this?” asked TapEnvy.US, a Texas-based app development shop.

Epik confirms data breach, emails impacted people

Epik has confirmed the breach and is also emailing the impacted parties about an “unauthorized intrusion,” according to screenshots shared by data scientist Emily Gorcenski and cybersecurity expert Adam Sculthorpe:

Epik begins emailing data breach notice to customers.
Enlarge / Epik begins emailing data breach notice to customers.

“As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services – this may include payment information including credit card numbers, registered names, usernames, emails, and passwords,” reads Epik’s email notice.

Although the company has not confirmed at this time if credit card information was also compromised, as a caution, users are encouraged to “contact any credit card companies that you used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”

Previously, an Epik spokesperson had told Ars that the company was not aware of any breach and was investigating the claims.

Users whose contact information was potentially exposed as a part of this hack should keep an eye out for any phishing emails and online banking scams.

Continue Reading

Biz & IT

A new app helps Iranians hide messages in plain sight

Published

on

Enlarge / An anti-government graffiti that reads in Farsi “Death to the dictator” is sprayed at a wall north of Tehran on September 30, 2009.

Getty Images

Amid ever-increasing government Internet control, surveillance, and censorship in Iran, a new Android app aims to give Iranians a way to speak freely.

Nahoft, which means “hidden” in Farsi, is an encryption tool that turns up to 1,000 characters of Farsi text into a jumble of random words. You can send this mélange to a friend over any communication platform—Telegram, WhatsApp, Google Chat, etc.—and then they run it through Nahoft on their device to decipher what you’ve said.

Released last week on Google Play by United for Iran, a San Francisco–based human rights and civil liberties group, Nahoft is designed to address multiple aspects of Iran’s Internet crackdown. In addition to generating coded messages, the app can also encrypt communications and embed them imperceptibly in image files, a technique known as steganography. Recipients then use Nahoft to inspect the image file on their end and extract the hidden message.

Iranians can use end-to-end encrypted apps like WhatsApp for secure communications, but Nahoft, which is open source, has a crucial feature in its back pocket for when those aren’t accessible. The Iranian regime has repeatedly imposed near-total Internet blackouts in particular regions or across the entire country, including for a full week in November 2019. Even without connectivity, though, if you already have Nahoft downloaded, you can still use it locally on your device. Enter the message you want to encrypt, and the app spits out the coded Farsi message. From there you can write that string of seemingly random words in a letter, or read it to another Nahoft user over the phone, and they can enter it into their app manually to see what you were really trying to say.

“When the Internet goes down in Iran, people can’t communicate with their families inside and outside the country, and for activists everything comes to a screeching halt,” says Firuzeh Mahmoudi, United for Iran’s executive director, who lived through the 1979 Iranian revolution and left the country when she was 12. “And more and more the government is moving toward layered filtering, banning different digital platforms, and trying to come up with alternatives for international services like social media. This is not looking great; it’s the direction that we definitely don’t want to see. So this is where the app comes in.”

Iran is a highly connected country. More than 57 million of its 83 million citizens use the Internet. But in recent years the country’s government has been extremely focused on developing a massive state-controlled network, or intranet, known as the “National Information Network” or SHOMA. This increasingly gives the government the ability to filter and censor data, and to block specific services, from social networks to circumvention tools like proxies and VPNs.

This is why Nahoft was intentionally designed as an app that functions locally on your device rather than as a communication platform. In the case of a full Internet shutdown, users will need to have already downloaded the app to use it. But in general, it will be difficult for the Iranian government to block Nahoft as long as Google Play is still accessible there, according to United for Iran strategic adviser Reza Ghazinouri. Since Google Play traffic is encrypted, Iranian surveillance can’t see which apps users download. So far, Nahoft has been downloaded 4,300 times. It’s possible, Ghazinouri says, that the government will eventually develop its own app store and block international offerings, but for now that capability seems far off. In China, for example, Google Play is banned in favor of offerings from Chinese tech giants like Huawei and a curated version of the iOS App Store.

Ghazinouri and journalist Mohammad Heydari came up with the idea for Nahoft in 2012 and submitted it as part of United for Iran’s second “Irancubator” tech accelerator, which started last year. Operator Foundation, a Texas nonprofit development group focused on Internet freedom, engineered the Nahoft app. And the German penetration testing firm Cure53 conducted two security audits of the app and its encryption scheme, which draws from proven protocols. United for Iran has published the findings from these audits along with detailed reports about how it fixed the problems Cure53 found. In the original app review from December 2020, for example, Cure53 found some major issues, including critical weaknesses in the steganographic technique used to embed messages in photo files. All of these vulnerabilities were fixed before the second audit, which turned up more moderate issues like Android denial-of-service vulnerabilities and a bypass for the in-app auto-delete passcode. Those issues were also fixed before launch, and the app’s Github repository contains notes about the improvements.

The stakes are extremely high for an app that Iranians could rely on to circumvent government surveillance and restrictions. Any flaws in the cryptography’s implementation could put people’s secret communications, and potentially their safety, at risk. Ghazinouri says the group took every precaution it could think of. For example, the random word jumbles the app produces are specifically designed to seem inconspicuous and benign. Using real words makes it less likely that a content scanner will flag the coded messages. And United for Iran researchers worked with Operator Foundation to confirm that current off-the-shelf scanning tools don’t detect the encryption algorithm used to generate the coded words. That makes it less likely that censors will be able to detect encoded messages and create a filter to block them.

You can set a passcode needed to open Nahoft and set an additional “destruction code” that will wipe all data from the app when entered.

“There has always been a gap between communities in need and the people who claim to work for them and develop tools for them,” Ghazinouri says. “We’re trying to shrink that gap. And the app is open source, so experts can audit the code for themselves. Encryption is an area where you can’t just ask people to trust you, and we don’t expect anyone to trust us blindly.”

In a 2020 academic keynote, “Crypto for the People,” Brown University cryptographer Seny Kamara made a similar point. The forces and incentives that typically guide cryptographic inquiry and creation of encryption tools, he argued, overlook and dismiss the specific community needs of marginalized people.

Kamara has not audited the code or cryptographic design of Nahoft, but he told WIRED that the goals of the project fit with his ideas about encryption tools made by the people, for the people.

“In terms of what the app is trying to accomplish, I think this is a good example of an important security and privacy problem that the tech industry and academia have no incentive to solve,” he says.

With Iran’s Internet freedom rapidly deteriorating, Nahoft could become a vital lifeline to keep open communication going within the country and beyond.

This story originally appeared on wired.com.

Continue Reading

Biz & IT

SpaceX Starlink will come out of beta next month, Elon Musk says

Published

on

Enlarge / Screenshot from the Starlink order page, with the street address blotted out.

SpaceX’s Starlink satellite-broadband service will emerge from beta in October, CEO Elon Musk said last night. Musk provided the answer of “next month” in response to a Twitter user who asked when Starlink will come out of beta.

SpaceX began sending email invitations to Starlink’s public beta in October 2020. The service is far from perfect as trees can disrupt the line-of-sight connections to satellites and the satellite dishes go into “thermal shutdown” in hot areas. But for people in areas where wired ISPs have never deployed cable or fiber, Starlink is still a promising alternative and service should improve as SpaceX launches more satellites and refines its software.

SpaceX has said it is serving over 100,000 Starlink users in a dozen countries from more than 1,700 satellites. The company has been taking preorders for post-beta service and said in May that “over half a million people have placed an order or put down a deposit for Starlink.”

It is still possible to place pre-orders and submit $99 deposits at the Starlink website, but the site notes that “Depending on location, some orders may take 6 months or more to fulfill.” The deposits are fully refundable.

First 500,000 to order will “likely” get service

There are capacity limits imposed by the laws of physics, and SpaceX hasn’t guaranteed that every person who pre-ordered will actually get Starlink. Musk said in May that the first 500,000 people will “most likely” get service, but that SpaceX will face “[m]ore of a challenge when we get into the several million user range.”

We asked Musk today how many orders will be fulfilled by the end of 2021 and will update this article if we get a response. Musk has said the capacity limits will primarily be a problem in densely populated urban areas, so rural people should have a good chance at getting service.

SpaceX has US permission to deploy 1 million user terminals across the country and is seeking a license to deploy up to 5 million terminals. The number of Starlink pre-orders is up to 600,000 and SpaceX is reportedly speeding up its production of dishes to meet demand, as PCMag wrote last week. 

No changes to pricing yet

In beta, SpaceX has been charging a one-time fee of $499 for the user terminal, mounting tripod, and router, plus $99 per month for service. SpaceX hasn’t announced any changes to the pricing, but that could change when it moves from beta to commercial availability.

In April, SpaceX president and COO Gwynne Shotwell said that Starlink will likely avoid “tiered pricing” and “try to keep [pricing] as simple as possible and transparent as possible.” Shotwell said that SpaceX would keep Starlink in beta “until the network is reliable and great and something we’d be proud of.” SpaceX is also working on ruggedized user terminals for aircraft, ships, large trucks, and RVs.

SpaceX has a Federal Communications Commission license to launch nearly 12,000 low-Earth orbit satellites and is seeking permission to launch an additional 30,000. Amazon, which plans its own satellite constellation, has been urging the FCC to reject the current version of SpaceX’s next-generation Starlink plan. Satellite operator Viasat supported Amazon’s protest and separately urged a federal appeals court to halt SpaceX launches, but judges rejected Viasat’s request for a stay.

Continue Reading

Trending