Facebook is to be sued in Europe over the major leak of user data that dates back to 2019 but which only came to light recently after information on more than 533 million accounts was found posted for free download on a hacker forum.
Today Digital Rights Ireland (DRI) announced it’s commencing a “mass action” to sue Facebook, citing the right to monetary compensation for breaches of personal data that’s set out in the European Union’s General Data Protection Regulation (GDPR).
Article 82 of the GDPR provides for a “right to compensation and liability” for those affected by violations of the law. Since the regulation came into force, in May 2018, related civil litigation has been on the rise in the region.
The Ireland-based digital rights group is urging Facebook users who live in the European Union or European Economic Area to check whether their data was breached — via the haveibeenpwned website (which lets you check by email address or mobile number) — and sign up to join the case if so.
Information leaked via the breach includes Facebook IDs, location, mobile phone numbers, email address, relationship status and employer.
Facebook has been contacted for comment on the litigation. Update: A Facebook spokesperson said:
We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it. As LinkedIn and Clubhouse have shown, no company can completely eliminate scraping or prevent data sets like these from appearing. That’s why we devote substantial resources to combat it and will continue to build out our capabilities to help stay ahead of this challenge.
The tech giant’s European headquarters is located in Ireland — and earlier this week the national data watchdog opened an investigation, under EU and Irish data protection laws.
A mechanism in the GDPR for simplifying investigation of cross-border cases means Ireland’s Data Protection Commission (DPC) is Facebook’s lead data regulator in the EU. However it has been criticized over its handling of and approach to GDPR complaints and investigations — including the length of time it’s taking to issue decisions on major cross-border cases. And this is particularly true for Facebook.
With the three-year anniversary of the GDPR fast approaching, the DPC has multiple open investigations into various aspects of Facebook’s business but has yet to issue a single decision against the company.
(The closest it’s come is a preliminary suspension order issued last year, in relation to Facebook’s EU to U.S. data transfers. However, that complaint long predates GDPR; and Facebook immediately filed to block the order via the courts. A resolution is expected later this year after the litigant filed his own judicial review of the DPC’s processes.)
Since May 2018 the EU’s data protection regime has — at least on paper — baked in fines of up to 4% of a company’s global annual turnover for the most serious violations.
Again, though, the sole GDPR fine issued to date by the DPC against a tech giant (Twitter) is very far off that theoretical maximum. Last December the regulator announced a €450,000 (~$ 547,000) sanction against Twitter — which works out to around just 0.1% of the company’s full-year revenue.
That penalty was also for a data breach — but one which, unlike the Facebook leak, had been publicly disclosed when Twitter found it in 2019. So Facebook’s failure to disclose the vulnerability it discovered and claims it fixed by September 2019, which led to the leak of 533 million accounts now, suggests it should face a higher sanction from the DPC than Twitter received.
However, even if Facebook ends up with a more substantial GDPR penalty for this breach the watchdog’s caseload backlog and plodding procedural pace makes it hard to envisage a swift resolution to an investigation that’s only a few days old.
Judging by past performance it’ll be years before the DPC decides on this 2019 Facebook leak — which likely explains why the DRI sees value in instigating class action-style litigation in parallel to the regulatory investigation.
“Compensation is not the only thing that makes this mass action worth joining. It is important to send a message to large data controllers that they must comply with the law and that there is a cost to them if they do not,” DRI writes on its website.
It also submitted a complaint about the Facebook breach to the DPC earlier this month, writing then that it was “also consulting with its legal advisors on other options including a mass action for damages in the Irish Courts”.
It’s clear that the GDPR enforcement gap is creating a growing opportunity for litigation funders to step in in Europe and take a punt on suing for data-related compensation damages — with a number of other mass actions announced last year.
In the case of DRI its focus is evidently on seeking to ensure that digital rights are upheld. But it told RTE that it believes compensation claims which force tech giants to pay money to users whose privacy rights have been violated is the best way to make them legally compliant.
Facebook, meanwhile, has sought to play down the breach it failed to disclose in 2019 — claiming it’s “old data” — a deflection that ignores the fact that people’s dates of birth don’t change (nor do most people routinely change their mobile number or email address).
Plenty of the “old” data exposed in this latest massive Facebook leak will be very handy for spammers and fraudsters to target Facebook users — and also now for litigators to target Facebook for data-related damages.
The European Commission must block the Google -Fitbit merger as a matter of democratic imperative, prominent academic and author Shoshana Zuboff has warned.
The Harvard professor who wrote the defining book on surveillance capitalism has become the latest voice raised against the $ 2.1 billion data+devices deal — that’s now been delayed at the regulatory clearance stage for more than a year.
Others calling for the Google-Fitbit acquisition to be blocked — unless or until robust competition, democratic and human rights safeguards can be baked in — include Amnesty International; scores of consumer, privacy and digital rights groups across civic society; and the EU’s very own data protection advisor, to name a few.
EU regulators are still considering whether or not to greenlight the merger. The deadline for them to make up their minds was recently extended into early 2021 — although a decision could come as soon as next week.
Back in August, the Commission opened an in-depth investigation into the deal — saying it was concerned it would “further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays”.
EU lawmakers have also expressed skepticism over initial concessions offered by Google which suggested storing Fitbit data in a silo that it said would be kept separate from other Google data.
It also said it would not use Fitbit data for ad targeting — at least for a time-limited period (though it’s not clear what exactly it has proposed in Europe). Elsewhere, Australian regulators are also still eyeing the deal — and recently sought industry feedback on a pledge by Google not to use Fitbit data for ads for 10 years.
The ACCC published draft undertakings in November which includes stipulations such as: “Google must not use any Measured Body Data or Health and Fitness Activity Location Data in or for Google Ads” and that data must be kept separate.
But Zuboff’s point is that targeted advertising is just the tip of the vast data-extracting ambitions of surveillance capitalists — while health data is one of the few personal data fields these digital giants have not yet been able to mine in their usual limitless way.
“Any notion of approving the Fitbit acquisition — based on Google’s promises not to do something that is anyway an irrelevant thing, to do or not to do — is a serious mistake,” she said yesterday, giving the keynote speech at the annual lecture of the EU Parliament’s Science and Technology Options Assessment (STOA) panel.
“Such a decision should be reconsidered immediately. And never again repeated,” she added.
A Google spokesman declined to comment on Zuboff’s remarks — pointing only to its blog post from August where it claims the deal is about “devices not data”.
Beware the “epistemic coup”
In the STOA lecture, Zuboff articulates a view of tech giants’ uncontrolled extraction and use of data leading to what she described as an “epistemic coup” — where bottomless digitally-enabled data extraction leads to an unprecedented dominance of knowledge by the private sector, generating radical inequalities and full-spectrum harms, as a data-empowered few are able to run roughshod over humanity, democratic values and the rule of law in the name of increasing their profits.
“There is no ‘attention economy’; these are effects of a deeper cause — and that cause is surveillance capitalism’s economic imperatives. These corporations are not publishers, they are not distributors, they are not merely adtech providers; they are indiscriminate, radically indifferent all-you-can-eat extractors of everything forever, all for the sake of prediction that become more lucrative as they approach certainty,” she said.
“Knowledge at this kind of scale produces a new kind of power over people. This is what data scientists call the shift from monitoring to actuation. Where there’s actually sufficient data about a machine system to be able to control it remotely. The thing is now it’s not just the machine systems; it’s the human systems.”
The wide-ranging keynote is well worth watching in full for how clearly Zuboff articulates why allowing corporates to “unilaterally claim[…] private human experience for raw material, bent to the purposes of datafication, computational production and sales” is terrible for humanity and the (genuine) communities which make up our civilization — likening it to how uncontrolled extraction of oil for corporate profit has threatened the survival of life on earth, fuelling climate change, biodiversity decline and mass species extinction.
The nub of the argument is that surveillance capitalism’s target is human nature itself — with Zuboff calling out the “data business” playbook of “hidden extraction mechanisms” which she said are robbing us of the ability to fight back.
“Today our nemesis is not, and could never be, mere data or technology — but rather the extractors, led by a handful of giant corporations: Google, Facebook, Apple, Amazon, Microsoft, to name only the largest, along with their complex, far-reaching ecosystems, these are corporate institutions that have pioneered a new logic of extraction but with a dark and startling twist… These corporations have placed the defence of their narrow economic self-interest above the interests of individual sovereignty, democracy and humanity itself.”
The keynote included a call to action to European lawmakers to step in and reverse what has been allowed to become entrenched at humanity’s expense.
“I am here today because the European Union represents humanity’s best hope to alter this course before lawless, unprecedented computational concentrations of knowledge and power become as irreversible and poisonous to our societies as the toxic concentrations of carbon dioxide in our atmosphere have become to our earth,” said Zuboff, adding: “The idea that we could bequeath both of these cataclysms to our children is intolerable.”
EU lawmakers are on the cusp of unveiling a major package of legislative proposals which will update rules for digital services and bring in new requirements for platforms with significant market power.
The Commission’s Digital Services Act (DSA) and the Digital Markets Act (DMA) proposals are due to be presented next Tuesday — the start of a long road of negotiating to turn the policies into EU law.
It has turned out to be particularly awkward timing for the Commission, in parallel with the Google-Fitbit decision. Not least because a key EVP involved in shaping the new digital strategy, Margrethe Vestager, is also the competition commissioner — so she’s simultaneously tasked with deciding whether to waive the tech giant’s latest data acquisition through, even as she puts the finishing touches on ex ante rules for gatekeepers that won’t likely come into force for years.
Vestager told the EU parliament’s Committee on Economic and Monetary Affairs this week that the Commission’s incoming proposals for a major overhaul of digital regulations are necessary to tackle the challenges of the platform economy.
The scale and the scope of the platform economy is “unprecedented and it’s increasing”, she said, acknowledging that the digitization process has “given us a concentration of data, intellectual property, capital — and because of that there’s a lot of power in the hands of a few global players”.
That in turn is making it “really urgent” to complement existing EU competition law enforcement with dedicated regulation for digital services and platform giants, said Vestager.
“The DSA will propose a clear set of due diligence obligations and operate the e-commerce framework for all Internet services within the EU and the point is to ensure that digital services face no borders within the EU, define clearer responsibilities and accountability for online platforms such as social media and marketplaces,” she told MEPs — saying the overarching aim is to ensure consumers have the same protections online as they already do offline.
The aim of the DMA — and its incoming list of “dos and don’ts” for platforms that the EU will define as gatekeepers — is to make sure digital markets “stay open and contestable”, and thus to serve consumers in “the best possible way”.
‘Trust but verify’ via audit authority
In her keynote, Zuboff suggested EU regulators should follow two key principles as they consider what to do.
Firstly, “trust but verify” is how to treat with surveillance capitalists — so no more “taken at face value” pledges swallowed naively and later regurgitated under the one-way logic of extraction maximization. (She raised the awkward example of Facebook’s reversal of an earlier pledge to EU regulators not to combine WhatsApp user data with Facebook data.)
“Secondly we have to keep in mind so often we reduce the harms back to that originating context of targeted advertising — when in fact this whole economic logic has moved way beyond targeted advertising to many other markets,” she also said, warning against EU regulators taking too narrow a view on any concessions made by Google as it works to push open another data gate.
We’ve reached out to the Commission for comment on Zuboff’s remarks.
Zuboff also spoke to concerns that EU regulators don’t believe they have legal grounds to deny Google-Fitbit.
“If the decision to approve Google’s acquisition of Fitbit was made because of a determination that EU laws are not strong enough to defend the acquisition denial in the European courts then let us please stop talking this minute; let’s suspend our event while the parliament moves into an emergency session to pass new laws that are strong enough to take this kind of rejection through the courts. Because we need those laws,” she said.
It would certainly be ironic if the Commission green-lit the Google-Fitbit merger because it was worried about losing a legal challenge down the line — given how frequently tech giants resort to legal action to try to thwart the application of existing EU regulations. Not to mention how fiercely these giants lobby against any new regulation or legislative proposal that would dare to put limits on their ability to continue maximizing their data extraction.
Zuboff said the forthcoming DMA “is the legal instrument to accomplish this necessary lawmaking [against the surveillance capitalists]”, addressing her remarks to those in the EU who have the power to pass laws.
“Make no mistake: This is your opportunity to make a bold intervention to defend democracy against the surveillance capitalists. Faint heartedness is not an option,” she said, adding that the DSA is likewise an essential intervention to defend democracy.
“This is your chance to finally pry open the black box of surveillance capitalism and demand the right of democratic societies to control their own destiny,” she said, suggesting regulators’ watch word here should be “audit authority”.
Democracy must have audit authority to protection the public just as regulators have done in countless other industries, she added.
The Google-Fitbit acquisition was raised in a question to Vestager yesterday during a session of the Committee on Economic and Monetary Affairs — where she was asked what the EU intends to do vis-à-vis health data and competition, given the risk of tech giants gleaning far deeper and more intimate knowledge of users than they’ve been able to via current data-mining practices.
Vestager told the committee she couldn’t comment on the specific merger as the process is ongoing but she said she agreed health data “are much more precious and much more sensitive” than other types of commercially exploited data.
“This is why one has to be very careful when it comes to health data and advertising — because here it can be a much more vulnerable position for the person in question,” she said.
“For health data as such I think it’s very important that the market develops because the more health data that becomes available the more services people expect for the market to provide for them to have a better understanding of how their health develops,” she went on, adding on Google-Fitbit specifically that “it remains to be seen how the remedies were to bear out if they were to be accepted”.
U.S. versus EU approach to antitrust
During the session Vestager also faced a number of questions from MEPs about the difference of approach to antitrust between the EU and the U.S. — where states have just opened a massive antitrust case against Facebook.
She repeatedly stressed that Europe has a “different” approach to competition law versus the U.S., sounding a tad on the defensive.
“The U.S. Facebook case is a different approach than what we have. In Europe we do not have a ban of monopolies. They have a different legal basis in the U.S. We would say you’re more than welcome to be successful but with success comes responsibility — which is why we have article 102 [against abusing a dominant position],” she said.
“As a last resort in Europe we would also be able to ask our [institutions] to split up companies but then we would also have to prove that this was the only thing to solve a competition problem and I don’t think we have been there yet,” Vestager added.
Responding to other questions from MEPs she described her department as doing its “best” across a number of big tech investigations — pointing it’s recently opened case against Amazon and has others ongoing into Google’s and Facebook’s use of data for advertising.
“We have a couple of ongoing investigations into the Facebook ecosystem — on the use of data from customers and consumers into advertising and how the Facebook marketplace is functioning,” she noted.
“These cases are not as advanced as they are in the U.S. when it comes to Facebook but I find [the U.S. action] very encouraging,” she added, saying it’s a sign that “the global debate about tech dominance has been shifting over the last couple of years”.
Asked about Facebook’s reversal of an earlier promise not to combine Facebook and WhatsApp user data, Vestager said EU regulators had performed an analysis at the time — looking into whether such a move would still allow for competition — and “found there would be room for others services of the same kind”.
There were no follow-up questions in the event format so MEPs were unable to ask whether Vestager believes that analysis was sound or flawed. But it’s not a good look that the EU’s competition authorities were left so wrong-footed on Facebook’s market power.
Off her own bat, Vestager merely said: “It remains to be seen what will be the outcome of the U.S. [Facebook antitrust] case; as I said they have a different legal basis — to see if by acquiring this company you have entrenched monopoly position.”
She was also asked what the Commission intends to do about companies using self-serving tactics to artificially prolong investigations (and thus delay competition enforcement) — such as by procrastinating or handing out requested information only with substantial delay.
Vestager said its approach is to aim to “always try to balance things out” but she argued it’s important to give businesses enough time to respond properly even though it extends the length of investigations.
During the session she did also note that the aim for the DMA is to enable competition authorities to be “so much quicker” — because the ex ante rules will bake in “self-executing obligations”.
The gatekeeper status also means regulators will not need to do the work of establishing dominance first — “which means you’ll get to the sanction must faster and should prevent damages in the marketplace”, she noted.
It’s not clear whether or not the forthcoming legislative package will feature a new competition tool for specifically tackling digital markets — which the Commission consulted on earlier this year.
Reports have suggested this has been dropped after a standard EU pre-regulatory review process. But the commissioner did not confirm either way.
She was also asked about interim measures — an existing tool she dusted off last year after an extended period when it had not been used, applying it in a case against chipmaker Broadcom.
On this she said the tool has been shown to have been useful — noting the Broadcom case was settled in a year (which is a very speedy turnaround for a competition case) — and she suggested the tool could be used more frequently in the future. “I think that we will see we can use it more often,” she told the MEPs.
Facebook’s dating feature expands after a regulatory delay, we review the new Amazon Echo and President Donald Trump has an on-the-nose Twitter password. This is your Daily Crunch for October 22, 2020.
The big story: Facebook Dating comes to Europe
Back in February, Facebook had to call off the European launch date of its dating service after failing to provide the Irish Data Protection Commission with enough advanced notice of the launch. Now it seems the regulator has given Facebook the go-ahead.
Facebook Dating (which launched in the U.S. last year) allows users to create a separate dating profile, identify secret chats and go on video dates.
As for any privacy and regulatory concerns, the commission told us, “Facebook has provided detailed clarifications on the processing of personal data in the context of the Dating feature … We will continue to monitor the product as it launches across the EU this week.”
The tech giants
Amazon Echo review: Well-rounded sound — This year’s redesign centers on another audio upgrade.
Facebook adds hosting, shopping features and pricing tiers to WhatsApp Business — Facebook is launching a way to shop for and pay for goods and services in WhatsApp chats, and it said it will finally start to charge companies using WhatsApp for Business.
Spotify takes on radio with its own daily morning show — The new program will combine news, pop culture, entertainment and music personalized to the listener.
Startups, funding and venture capital
Chinese live tutoring app Yuanfudao is now worth $ 15.5 billion — The homework tutoring app founded in 2012 has surpassed Byju’s as the most valuable edtech company in the world.
E-bike subscription service Dance closes $ 17.7M Series A, led by HV Holtzbrinck Ventures — The founders of SoundCloud launched their e-bike service three months ago.
Freelancer banking startup Lili raises $ 15M — It’s only been a few months since Lili announced its $ 10 million seed round, and it’s already raised more funding.
Advice and analysis from Extra Crunch
How unicorns helped venture capital get later, and bigger — Q3 2020 was a standout period for how high late-stage money stacked up compared to cash available to younger startups.
Ten Zurich-area investors on Switzerland’s 2020 startup outlook — According to official estimates, the number of new Swiss startups has skyrocketed by 700% since 1996.
Four quick bites and obituaries on Quibi (RIP 2020-2020) — What we can learn from Quibi’s amazing, instantaneous, billions-of-dollars failure.
(Reminder: Extra Crunch is our membership program, which aims to democratize information about startups. You can sign up here.)
President Trump’s Twitter accessed by security expert who guessed password “maga2020!” — After logging into President Trump’s account, the researcher said he alerted Homeland Security and the password was changed.
For the theremin’s 100th anniversary, Moog unveils the gorgeous Claravox Centennial — With a walnut cabinet, brass antennas and a plethora of wonderful knobs and dials, the Claravox looks like it emerged from a prewar recording studio.
Announcing the Agenda for TC Sessions: Space 2020 — Our first-ever dedicated space event is happening on December 16 and 17.
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.
83North has closed its fifth fund, completing an oversubscribed $ 300 million raise and bringing its total capital under management to $ 1.1BN+.
The VC firm, which spun out from Silicon Valley giant Greylock Partners in 2015 — and invests in startups in Europe and Israel, out of offices in London and Tel Aviv — last closed a $ 250M fourth fund back in 2017.
It invests in early and growth stage startups in consumer and enterprise sectors across a broad range of tech areas including fintech, data centre & cloud, enterprise software and marketplaces.
General partner Laurel Bowden, who leads the fund, says the latest close represents investment business as usual, with also no notable changes to the mix of LPs investing for this fifth close.
“As a fund we’re really focused on keeping our fund size down. We think that for just the investment opportunity in Europe and Israel… these are good sized funds to raise and then return and make good multiples on,” she tells TechCrunch. “If you go back in the history of our fundraising we’re always somewhere between $ 200M-$ 300M. And that’s the size we like to keep.”
“Of course we do think there’s great opportunities in Europe and Israel but not significantly different than we’ve thought over the last 15 years or so,” she adds.
83North has made around 70 investments to date — which means its five partners are usually making just one investment apiece per year.
The fund typically invests around $ 1M at the seed level; between $ 4M-$ 8M at the Series A level and up to $ 20M for Series B, with Bowden saying around a quarter of its investments go into seed (primarily into startups out of Israel); ~40% into Series A; and ~30% Series B.
“It’s somewhat evenly mixed between seed, Series A, Series B — but Series A is probably bigger than everything,” she adds.
It invests roughly half and half in its two regions of focus.
The firm has had 15 exits of portfolio companies (three of which it claims as unicorns). Recent multi-billion dollar exits for Bowden are: Just Eat, Hybris (acquired by SAP), iZettle (acquired by PayPal) and Qlik.
While 83North has a pretty broad investment canvas, it’s open to new areas — moving into IoT (with recent investments in Wiliot and VDOO), and also taking what it couches as a “growing interest” in healthtech and vertical SaaS.
“Some of my colleagues… are looking at areas like lidar, in-vehicle automation, looking at some of the drone technologies, looking at some even healthtech AI,” says Bowden. “We’ve looked at a couple of those in Europe as well. I’ve looked, actually, at some healthtech AI. I haven’t done anything but looked.
“And also all things related to data. Of course the market evolves and the technology evolves but we’ve done things related to BI to process automation through to just management of data ops, management of data. We always look at that area. And think we’ll carry on for a number of years. ”
“In venture you have to expand,” she adds. “You can’t just stay investing in exactly the same things but it’s more small additional add-ons as the market evolves, as opposed to fundamental shifts of investment thesis.”
Discussing startup valuations, Bowden says European startups are not insulated from wider investment dynamics that have been pushing startup valuations higher — and even, arguably, warping the market — as a consequence of more capital being raised generally (not only at the end of the pipe).
“Definitely valuations are getting pushed up,” she says. “Definitely things are getting more competitive but that comes back to exactly why we’re focused on raising smaller funds. Because we just think then we have less pressure to invest if we feel that valuations have got too high or there’s just a level… where startups just feel the inclination to raise way more money than they probably need — and that’s a big reason why we like to keep our fund size relatively small.”
Facebook’s lead privacy regulator in Europe is now asking the company for detailed information about the operation of a voice-to-text feature in Facebook’s Messenger app and how it complies with EU law.
A page on Facebook’s help center also includes a “note” saying “Voice to Text uses machine learning” — but does not say the feature is also powered by people working for Facebook listening in.
A spokesperson for Irish Data Protection Commission told us: “Further to our ongoing engagement with Google, Apple and Microsoft in relation to the processing of personal data in the context of the manual transcription of audio recordings, we are now seeking detailed information from Facebook on the processing in question and how Facebook believes that such processing of data is compliant with their GDPR obligations.”
Bloomberg’s report follows similar revelations about AI assistant technologies offered by other tech giants, including Apple, Amazon, Google and Microsoft — which have also attracted attention from European privacy regulators in recent weeks.
What this tells us is that the hype around AI voice assistants is still glossing over a far less high tech backend. Even as lashings of machine learning marketing guff have been used to cloak the ‘mechanical turk’ components (i.e. humans) required for the tech to live up to the claims.
This is a very old story indeed. To wit: A full decade ago, a UK startup called Spinvox, which had claimed to have advanced voice recognition technology for converting voicemails to text messages, was reported to be leaning very heavily on call centers in South Africa and the Philippines… staffed by, yep, actual humans.
Returning to present day ‘cutting-edge’ tech, following Bloomberg’s report Facebook said it suspended human transcriptions earlier this month — joining Apple and Google in halting manual reviews of audio snippets for their respective voice AIs. (Amazon has since added an opt out to the Alexa app’s settings.)
We asked Facebook where in the Messenger app it had been informing users that human contractors might be used to transcribe their voice chats/audio messages; and how it collected Messenger users’ consent to this form of data processing — prior to suspending human reviews.
The company did not respond to our questions. Instead a spokesperson provided us with the following statement: “Much like Apple and Google, we paused human review of audio more than a week ago.”
Facebook also described the audio snippets that it sent to contractors as masked and de-identified; said they were only collected when users had opted in to transcription on Messenger; and were only used for improving the transcription performance of the AI.
It also reiterated a long-standing rebuttal by the company to user concerns about general eavesdropping by Facebook, saying it never listens to people’s microphones without device permission nor without explicit activation by users.
How Facebook gathers permission to process data is a key question, though.
The company has recently, for example, used a manipulative consent flow in order to nudge users in Europe to switch on facial recognition technology — rolling back its previous stance, adopted in response to earlier regulatory intervention, of switching the tech off across the bloc.
So a lot rests on how exactly Facebook has described the data processing at any point it is asking users to consent to their voice messages being reviewed by humans (assuming it’s relying on consent as its legal basis for processing this data).
Bundling consent into general T&Cs for using the product is also unlikely to be compliant under EU privacy law, given that the bloc’s General Data Protection Regulation requires consent to be purpose limited, as well as fully informed and freely given.
If Facebook is relying on legitimate interests to process Messenger users’ audio snippets in order to enhance its AI’s performance it would need to balance its own interests against any risk to people’s privacy.
Voice AIs are especially problematic in this respect because audio recordings may capture the personal data of non-users too — given that people in the vicinity of a device (or indeed a person on the other end of the phone line who’s leaving you a message) could have their personal data captured without ever having had the chance to consent to Facebook contractors getting to hear it.
Leaks of Google Assistant snippets to the Belgian press recently highlighted both the sensitive nature of recordings and the risk of reidentification posed by such recordings — with journalists able to identify some of the people in the recordings.
Multiple press reports have also suggested contractors employed by tech giants are routinely overhearing intimate details captured via a range of products that include the ability to record audio and stream this personal data to the cloud for processing.
The German Federal Cartel Office’s decision to order Facebook to change how it processes users’ personal data this week is a sign the antitrust tide could at last be turning against platform power.
One European Commission source we spoke to, who was commenting in a personal capacity, described it as “clearly pioneering” and “a big deal”, even without Facebook being fined a dime.
The FCO’s decision instead bans the social network from linking user data across different platforms it owns, unless it gains people’s consent (nor can it make use of its services contingent on such consent). Facebook is also prohibited from gathering and linking data on users from third party websites, such as via its tracking pixels and social plugins.
The order is not yet in force, and Facebook is appealing, but should it come into force the social network faces being de facto shrunk by having its platforms siloed at the data level.
To comply with the order Facebook would have to ask users to freely consent to being data-mined — which the company does not do at present.
Yes, Facebook could still manipulate the outcome it wants from users but doing so would open it to further challenge under EU data protection law, as its current approach to consent is already being challenged.
The EU’s updated privacy framework, GDPR, requires consent to be specific, informed and freely given. That standard supports challenges to Facebook’s (still fixed) entry ‘price’ to its social services. To play you still have to agree to hand over your personal data so it can sell your attention to advertisers. But legal experts contend that’s neither privacy by design nor default.
The only ‘alternative’ Facebook offers is to tell users they can delete their account. Not that doing so would stop the company from tracking you around the rest of the mainstream web anyway. Facebook’s tracking infrastructure is also embedded across the wider Internet so it profiles non-users too.
EU data protection regulators are still investigating a very large number of consent-related GDPR complaints.
But the German FCO, which said it liaised with privacy authorities during its investigation of Facebook’s data-gathering, has dubbed this type of behavior “exploitative abuse”, having also deemed the social service to hold a monopoly position in the German market.
So there are now two lines of legal attack — antitrust and privacy law — threatening Facebook (and indeed other adtech companies’) surveillance-based business model across Europe.
A year ago the German antitrust authority also announced a probe of the online advertising sector, responding to concerns about a lack of transparency in the market. Its work here is by no means done.
The lack of a big flashy fine attached to the German FCO’s order against Facebook makes this week’s story less of a major headline than recent European Commission antitrust fines handed to Google — such as the record-breaking $ 5BN penalty issued last summer for anticompetitive behaviour linked to the Android mobile platform.
But the decision is arguably just as, if not more, significant, because of the structural remedies being ordered upon Facebook. These remedies have been likened to an internal break-up of the company — with enforced internal separation of its multiple platform products at the data level.
This of course runs counter to (ad) platform giants’ preferred trajectory, which has long been to tear modesty walls down; pool user data from multiple internal (and indeed external sources), in defiance of the notion of informed consent; and mine all that personal (and sensitive) stuff to build identity-linked profiles to train algorithms that predict (and, some contend, manipulate) individual behavior.
Because if you can predict what a person is going to do you can choose which advert to serve to increase the chance they’ll click. (Or as Mark Zuckerberg puts it: ‘Senator, we run ads.’)
This means that a regulatory intervention that interferes with an ad tech giant’s ability to pool and process personal data starts to look really interesting. Because a Facebook that can’t join data dots across its sprawling social empire — or indeed across the mainstream web — wouldn’t be such a massive giant in terms of data insights. And nor, therefore, surveillance oversight.
Each of its platforms would be forced to be a more discrete (and, well, discreet) kind of business.
Competing against data-siloed platforms with a common owner — instead of a single interlinked mega-surveillance-network — also starts to sound almost possible. It suggests a playing field that’s reset, if not entirely levelled.
(Whereas, in the case of Android, the European Commission did not order any specific remedies — allowing Google to come up with ‘fixes’ itself; and so to shape the most self-serving ‘fix’ it can think of.)
Meanwhile, just look at where Facebook is now aiming to get to: A technical unification of the backend of its different social products.
Such a merger would collapse even more walls and fully enmesh platforms that started life as entirely separate products before were folded into Facebook’s empire (also, let’s not forget, via surveillance-informed acquisitions).
Facebook’s plan to unify its products on a single backend platform looks very much like an attempt to throw up technical barriers to antitrust hammers. It’s at least harder to imagine breaking up a company if its multiple, separate products are merged onto one unified backend which functions to cross and combine data streams.
Set against Facebook’s sudden desire to technically unify its full-flush of dominant social networks (Facebook Messenger; Instagram; WhatsApp) is a rising drum-beat of calls for competition-based scrutiny of tech giants.
This has been building for years, as the market power — and even democracy-denting potential — of surveillance capitalism’s data giants has telescoped into view.
Calls to break up tech giants no longer carry a suggestive punch. Regulators are routinely asked whether it’s time. As the European Commission’s competition chief, Margrethe Vestager, was when she handed down Google’s latest massive antitrust fine last summer.
Her response then was that she wasn’t sure breaking Google up is the right answer — preferring to try remedies that might allow competitors to have a go, while also emphasizing the importance of legislating to ensure “transparency and fairness in the business to platform relationship”.
But it’s interesting that the idea of breaking up tech giants now plays so well as political theatre, suggesting that wildly successful consumer technology companies — which have long dined out on shiny convenience-based marketing claims, made ever so saccharine sweet via the lure of ‘free’ services — have lost a big chunk of their populist pull, dogged as they have been by so many scandals.
From terrorist content and hate speech, to election interference, child exploitation, bullying, abuse. There’s also the matter of how they arrange their tax affairs.
The public perception of tech giants has matured as the ‘costs’ of their ‘free’ services have scaled into view. The upstarts have also become the establishment. People see not a new generation of ‘cuddly capitalists’ but another bunch of multinationals; highly polished but remote money-making machines that take rather more than they give back to the societies they feed off.
Google’s trick of naming each Android iteration after a different sweet treat makes for an interesting parallel to the (also now shifting) public perceptions around sugar, following closer attention to health concerns. What does its sickly sweetness mask? And after the sugar tax, we now have politicians calling for a social media levy.
Just this week the deputy leader of the main opposition party in the UK called for setting up a standalone Internet regulatory with the power to break up tech monopolies.
Talking about breaking up well-oiled, wealth-concentration machines is being seen as a populist vote winner. And companies that political leaders used to flatter and seek out for PR opportunities find themselves treated as political punchbags; Called to attend awkward grilling by hard-grafting committees, or taken to vicious task verbally at the highest profile public podia. (Though some non-democratic heads of state are still keen to press tech giant flesh.)
In Europe, Facebook’s repeat snubs of the UK parliament’s requests last year for Zuckerberg to face policymakers’ questions certainly did not go unnoticed.
Zuckerberg’s empty chair at the DCMS committee has become both a symbol of the company’s failure to accept wider societal responsibility for its products, and an indication of market failure; the CEO so powerful he doesn’t feel answerable to anyone; neither his most vulnerable users nor their elected representatives. Hence UK politicians on both sides of the aisle making political capital by talking about cutting tech giants down to size.
The political fallout from the Cambridge Analytica scandal looks far from done.
Quite how a UK regulator could successfully swing a regulatory hammer to break up a global Internet giant such as Facebook which is headquartered in the U.S. is another matter. But policymakers have already crossed the rubicon of public opinion and are relishing talking up having a go.
That represents a sea-change vs the neoliberal consensus that allowed competition regulators to sit on their hands for more than a decade as technology upstarts quietly hoovered up people’s data and bagged rivals, and basically went about transforming themselves from highly scalable startups into market-distorting giants with Internet-scale data-nets to snag users and buy or block competing ideas.
The political spirit looks willing to go there, and now the mechanism for breaking platforms’ distorting hold on markets may also be shaping up.
The traditional antitrust remedy of breaking a company along its business lines still looks unwieldy when faced with the blistering pace of digital technology. The problem is delivering such a fix fast enough that the business hasn’t already reconfigured to route around the reset.
Commission antitrust decisions on the tech beat have stepped up impressively in pace on Vestager’s watch. Yet it still feels like watching paper pushers wading through treacle to try and catch a sprinter. (And Europe hasn’t gone so far as trying to impose a platform break up.)
But the German FCO decision against Facebook hints at an alternative way forward for regulating the dominance of digital monopolies: Structural remedies that focus on controlling access to data which can be relatively swiftly configured and applied.
In an interview on BBC Radio 4’s Today program in December she poured cold water on the stock question about breaking tech giants up — saying instead the Commission could look at how larger firms got access to data and resources as a means of limiting their power. Which is exactly what the German FCO has done in its order to Facebook.
At the same time, Europe’s updated data protection framework has gained the most attention for the size of the financial penalties that can be issued for major compliance breaches. But the regulation also gives data watchdogs the power to limit or ban processing. And that power could similarly be used to reshape a rights-eroding business model or snuff out such business entirely.
— Lukasz Olejnik (@lukOlejnik) January 28, 2019
The merging of privacy and antitrust concerns is really just a reflection of the complexity of the challenge regulators now face trying to rein in digital monopolies. But they’re tooling up to meet that challenge.
Speaking in an interview with TechCrunch last fall, Europe’s data protection supervisor, Giovanni Buttarelli, told us the bloc’s privacy regulators are moving towards more joint working with antitrust agencies to respond to platform power. “Europe would like to speak with one voice, not only within data protection but by approaching this issue of digital dividend, monopolies in a better way — not per sectors,” he said. “But first joint enforcement and better co-operation is key.”
The German FCO’s decision represents tangible evidence of the kind of regulatory co-operation that could — finally — crack down on tech giants.
Blogging in support of the decision this week, Buttarelli asserted: “It is not necessary for competition authorities to enforce other areas of law; rather they need simply to identity where the most powerful undertakings are setting a bad example and damaging the interests of consumers. Data protection authorities are able to assist in this assessment.”
He also had a prediction of his own for surveillance technologists, warning: “This case is the tip of the iceberg — all companies in the digital information ecosystem that rely on tracking, profiling and targeting should be on notice.”
So perhaps, at long last, the regulators have figured out how to move fast and break things.
Speaking in front of EU lawmakers today Facebook’s founder Mark Zuckerberg namechecked the GDPR’s core principles of “control, transparency and accountability” — claiming his company will deliver on all that, come Friday, when a new European Union data protection framework, GDPR, starts being applied, finally with penalties worth the enforcement.
However there was little transparency or accountability on show during the session, given the upfront questions format which saw Zuckerberg cherry-picking a few comfy themes to riff on after silently absorbing an hour of MEPs’ highly specific questions with barely a facial twitch in response.
The questions MEPs asked of Zuckerberg were wide ranging and often drilled deep into key pressure points around the ethics of Facebook’s business — ranging from how deep the app data misuse privacy scandal rabbithole goes; to whether the company is a monopoly that needs breaking up; to how users should be compensated for misuse of their data.
Made clear to Mark Zuckerberg that digital platforms have to guarantee full protection of our citizens' privacy. We cannot accept illicit use of personal data to manipulate elections. Democracy cannot be turned into a marketing operation. pic.twitter.com/Nk0MB5IK8u
— Antonio Tajani (@EP_President) May 22, 2018
Is Facebook genuinely complying with GDPR, he was asked several times (unsurprisingly, given the scepticism of data protection experts on that front). Why did it choose to shift ~1.5BN users out of reach of the GDPR? Will it offer a version of its platform that lets people completely opt out of targeted advertising, as it has studiously avoided doing so so far.
Why did it refuse a public meeting with the EU parliament? Why has it spent “millions” lobbying against EU privacy rules? Will the company commit to paying taxes in the markets where it operates? What’s it doing to prevent fake accounts? What’s it doing to prevent bullying? Does it regulate content or is it a neutral platform?
Zuckerberg made like a sponge and absorbed all this fine-grained flak. But when the time came for responses the data flow was not reciprocal; Self-serving talking points on self-selected “themes” was all he had come prepared to serve up.
Yet — and here the irony is very rich indeed — people’s personal data flows liberally into Facebook, via all sorts of tracking technologies and techniques.
And as the Cambridge Analytica data misuse scandal has now made amply clear, people’s personal information has also very liberally leaked out of Facebook — oftentimes without their knowledge or consent.
But when it comes to Facebook’s own operations, the company maintains a highly filtered, extremely partial ‘newsfeed’ on its business empire — keeping a tight grip on the details of what data it collects and why.
Only last month Zuckerberg sat in Congress avoiding giving straight answers to basic operational questions. So if any EU parliamentarians had been hoping for actual transparency and genuine accountability from today’s session they would have been sorely disappointed.
Yes, you can download the data you’ve willingly uploaded to Facebook. Just don’t expect Facebook to give you a download of all the information it’s gathered and inferred about you.
The EU parliament’s political group leaders seemed well tuned to the myriad concerns now flocking around Facebook’s business. And were quick to seize on Zuckerberg’s dumbshow as further evidence that Facebook needs to be ruled.
Thing is, in Europe regulation is not a dirty word. And GDPR’s extraterritorial reach and weighty public profile looks to be further whetting political appetites.
So if Facebook was hoping the mere appearance of its CEO sitting in a chair in Brussels, going through the motions of listening before reading from his usual talking points, that looks to be a major miscalculation.
“It was a disappointing appearance by Zuckerberg. By not answering the very detailed questions by the MEPs he didn’t use the chance to restore trust of European consumers but in contrary showed to the political leaders in the European Parliament that stronger regulation and oversight is needed,” Green MEP and GDPR rapporteur Jan Philipp Albrecht told us after the meeting.
Albrecht had pressed Zuckerberg about how Facebook shares data between Facebook and WhatsApp — an issue that has raised the ire of regional data protection agencies. And while DPAs forced the company to turn off some of these data flows, Facebook continues to share other data.
The MEP had also asked Zuckerberg to commit to no exchange of data between the two apps. Zuckerberg determinedly made no such commitment.
Claude Moraes, chair of the EU parliament’s civil liberties, justice and home affairs (Libe) committee, issued a slightly more diplomatic reaction statement after the meeting — yet also with a steely undertone.
“Trust in Facebook has suffered as a result of the data breach and it is clear that Mr. Zuckerberg and Facebook will have to make serious efforts to reverse the situation and to convince individuals that Facebook fully complies with European Data Protection law. General statements like ‘We take privacy of our customers very seriously’ are not sufficient, Facebook has to comply and demonstrate it, and for the time being this is far from being the case,” he said.
“The Cambridge Analytica scandal was already in breach of the current Data Protection Directive, and would also be contrary to the GDPR, which is soon to be implemented. I expect the EU Data Protection Authorities to take appropriate action to enforce the law.”
Damian Collins, chair of the UK parliament’s DCMS committee, which has thrice tried and failed to get Zuckerberg to appear before it, did not mince his words at all. Albeit he has little reason to, having been so thoroughly rejected by the Facebook founder — and having accused the company of a pattern of evasive behavior to its CTO’s face — there’s clearly not much to hold out for now.
“What a missed opportunity for proper scrutiny on many crucial questions raised by the MEPs. Questions were blatantly dodged on shadow profiles, sharing data between WhatsApp and Facebook, the ability to opt out of political advertising and the true scale of data abuse on the platform,” said Collins in another reaction statement after the meeting. “Unfortunately the format of questioning allowed Mr Zuckerberg to cherry-pick his responses and not respond to each individual point.
“I echo the clear frustration of colleagues in the room who felt the discussion was shut down,” he added, ending with a fourth (doubtless equally forlorn) request for Zuckerberg to appear in front of the DCMS Committee to “provide Facebook users the answers they deserve”.
In the latter stages of today’s EU parliament session several MEPs — clearly very exasperated by the straightjacked format — resorted to heckling Zuckerberg to press for answers he had not given them.
“Shadow profiles,” interjected one, seizing on a moment’s hesitation as Zuckerberg sifted his notes for the next talking point. “Compensation,” shouted another, earning a snort of laughter from the CEO and some more theatrical note flipping to buy himself time.
Then, appearing slightly flustered, Zuckerberg looked up at one of the hecklers and said he would engage with his question — about shadow profiles (though Zuckerberg dare not speak that name, of course, given he claims not to recognize it) — arguing Facebook needs to hold onto such data for security purposes.
Zuckerberg did not specify, as MEPs had asked him to, whether Facebook uses data about non-users for any purposes other than the security scenario he chose to flesh out (aka “keeping bad content out”, as he put it).
He also ignored a second follow-up pressing him on how non-users can “stop that data being transferred”.
“On the security side we think it’s important to keep it to protect people in our community,” Zuckerberg said curtly, before turning to his lawyer for a talking point prompt (couched as an ask if there are “any other themes we wanted to get through”).
His lawyer hissed to steer the conversation back to Cambridge Analytica — to Facebook’s well-trodden PR about how they’re “locking down the platform” to stop any future data heists — and the Zuckbot was immediately back in action regurgitating his now well-practiced crisis PR around the scandal.
What was very clearly demonstrated during today’s session was the Facebook founder’s preference for control — that’s to say control which he is exercising.
Hence the fixed format of the meeting, which had been negotiated prior to Facebook agreeing to meet with EU politicians, and which clearly favored the company by allowing no formal opportunity for follow ups from MEPs.
Zuckerberg also tried several times to wrap up the meeting — by insinuating and then announcing time was up. MEPs ignored these attempts, and Zuckerberg seemed most uncomfortable at not having his orders instantly carried out.
Instead he had to sit and watch a micro negotiation between the EU parliament’s president and the political groups over whether they would accept written answers to all their specific questions from Facebook — before he was publicly put on the spot by president Antonio Tajani to agree to provide the answers in writing.
Although, as Collins has already warned MEPs, Facebook has had plenty of practice at generating wordy but empty responses to politicians’ questions about its business processes — responses which evade the spirit and specifics of what’s being asked.
The self-control on show from Zuckerberg today is certainly not the kind of guardrails that European politicians increasingly believe social media needs. Self-regulation, observed several MEPs to Zuckerberg’s face, hasn’t worked out so well has it?
The first MEP to lay out his questions warned Zuckerberg that apologizing is not enough. Another pointed out he’s been on a contrition tour for about 15 years now.
Facebook needs to make a “legal and moral commitment” to the EU’s fundamental values, he was told by Moraes. “Remember that you’re here in the European Union where we created GDPR so we ask you to make a legal and moral commitment, if you can, to uphold EU data protection law, to think about ePrivacy, to protect the privacy of European users and the many millions of European citizens and non-Facebook users as well,” said the Libe committee chair.
But self-regulation — or, the next best thing in Zuckerberg’s eyes: ‘Facebook-shaped regulation’ — was what he had come to advocate for, picking up on the MEPs’ regulation “theme” to respond with the same line he fed to Congress: “I don’t think the question here is whether or not there should be regulation. I think the question is what is the right regulation.”
“The Internet is becoming increasingly important in people’s lives. Some sort of regulation is important and inevitable. And the important thing is to get this right,” he continued. “To make sure that we have regulatory frameworks that help protect people, that are flexible so that they allow for innovation, that don’t inadvertently prevent new technologies like AI from being able to develop.”
He even brought up startups — claiming ‘bad regulation’ (I paraphrase) could present a barrier to the rise of future dormroom Zuckerbergs.
Of course he failed to mention how his own dominant platform is the attention-sapping, app gobbling elephant in the room crowding out the next generation of would-be entrepreneurs. But MEPs’ concerns about competition were clear.
Instead of making friends and influencing people in Brussels, Zuckerberg looks to have delivered less than if he’d stayed away — angering and alienating the very people whose job it will be to amend the EU legislation that’s coming down the pipe for his platform.
Ironically one of the few specific questions Zuckerberg chose to answer was a false claim by MEP Nigel Farage — who had wondered whether Facebook is still a “neutral political platform”, griping about drops in engagement for rightwing entities ever since Facebook’s algorithmic changes in January, before claiming, erroneously, that Facebook does not disclose the names of the third party fact checkers it uses to help it police fake news.
So — significantly, and as was also evident in the US Senate and Congress — Facebook was taking flak from both left and right of political spectrum, implying broad, cross-party support for regulating these algorithmic platforms.
Actually Facebook does disclose those fact checking partnerships. But it’s pretty telling that Zuckerberg chose to expend some of his oh-so-slender speaking time to debunk something that really didn’t merit the breath.
Farage had also claimed, during his three minutes, that without “Facebook and other forms of social media there is no way that Brexit or Trump or the Italian elections could ever possibly have happened”.
Funnily enough Zuckerberg didn’t make time to comment on that.
The European Union’s executive body is continuing to pressure social media firms to get better at removing illegal content from their platforms before it has a chance to spread further online. Read More
Social – TechCrunch
Snap’s Spectacles are going on a summer tour across Europe. Starting today, anyone in Europe can buy a pair of sunglasses on Snap’s website or in a vending machine. With this launch, Spectacles are available outside of the U.S. for the first time. European Spectacles are exactly the same as the ones that launched in September 2016 in the U.S. While the excitement around Spectacles… Read More
Social – TechCrunch
- Once VMware is free from Dell, who might fancy buying it?
- Facebook faces ‘mass action’ lawsuit in Europe over 2019 breach
- Chinese hardware makers turn to crowdfunding as they look to go global
- Core Web Vitals & Preparing for Google’s Page Experience Update
- Conversion modeling through Consent Mode in Google Ads