Facebook is to be sued in Europe over the major leak of user data that dates back to 2019 but which only came to light recently after information on more than 533 million accounts was found posted for free download on a hacker forum.
Today Digital Rights Ireland (DRI) announced it’s commencing a “mass action” to sue Facebook, citing the right to monetary compensation for breaches of personal data that’s set out in the European Union’s General Data Protection Regulation (GDPR).
Article 82 of the GDPR provides for a “right to compensation and liability” for those affected by violations of the law. Since the regulation came into force, in May 2018, related civil litigation has been on the rise in the region.
The Ireland-based digital rights group is urging Facebook users who live in the European Union or European Economic Area to check whether their data was breached — via the haveibeenpwned website (which lets you check by email address or mobile number) — and sign up to join the case if so.
Information leaked via the breach includes Facebook IDs, location, mobile phone numbers, email address, relationship status and employer.
Facebook has been contacted for comment on the litigation. Update: A Facebook spokesperson said:
We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it. As LinkedIn and Clubhouse have shown, no company can completely eliminate scraping or prevent data sets like these from appearing. That’s why we devote substantial resources to combat it and will continue to build out our capabilities to help stay ahead of this challenge.
The tech giant’s European headquarters is located in Ireland — and earlier this week the national data watchdog opened an investigation, under EU and Irish data protection laws.
A mechanism in the GDPR for simplifying investigation of cross-border cases means Ireland’s Data Protection Commission (DPC) is Facebook’s lead data regulator in the EU. However it has been criticized over its handling of and approach to GDPR complaints and investigations — including the length of time it’s taking to issue decisions on major cross-border cases. And this is particularly true for Facebook.
With the three-year anniversary of the GDPR fast approaching, the DPC has multiple open investigations into various aspects of Facebook’s business but has yet to issue a single decision against the company.
(The closest it’s come is a preliminary suspension order issued last year, in relation to Facebook’s EU to U.S. data transfers. However, that complaint long predates GDPR; and Facebook immediately filed to block the order via the courts. A resolution is expected later this year after the litigant filed his own judicial review of the DPC’s processes.)
Since May 2018 the EU’s data protection regime has — at least on paper — baked in fines of up to 4% of a company’s global annual turnover for the most serious violations.
Again, though, the sole GDPR fine issued to date by the DPC against a tech giant (Twitter) is very far off that theoretical maximum. Last December the regulator announced a €450,000 (~$547,000) sanction against Twitter — which works out to around just 0.1% of the company’s full-year revenue.
That penalty was also for a data breach — but one which, unlike the Facebook leak, had been publicly disclosed when Twitter found it in 2019. So Facebook’s failure to disclose the vulnerability it discovered and claims it fixed by September 2019, which led to the leak of 533 million accounts now, suggests it should face a higher sanction from the DPC than Twitter received.
However, even if Facebook ends up with a more substantial GDPR penalty for this breach, the watchdog’s caseload backlog and plodding procedural pace make it hard to envisage a swift resolution to an investigation that’s only a few days old.
Judging by past performance it’ll be years before the DPC decides on this 2019 Facebook leak — which likely explains why the DRI sees value in instigating class action-style litigation in parallel to the regulatory investigation.
“Compensation is not the only thing that makes this mass action worth joining. It is important to send a message to large data controllers that they must comply with the law and that there is a cost to them if they do not,” DRI writes on its website.
It also submitted a complaint about the Facebook breach to the DPC earlier this month, writing then that it was “also consulting with its legal advisors on other options including a mass action for damages in the Irish Courts”.
It’s clear that the GDPR enforcement gap is creating a growing opportunity for litigation funders to step in in Europe and take a punt on suing for data-related compensation damages — with a number of other mass actions announced last year.
In the case of DRI its focus is evidently on seeking to ensure that digital rights are upheld. But it told RTE that it believes compensation claims which force tech giants to pay money to users whose privacy rights have been violated are the best way to make them legally compliant.
Facebook, meanwhile, has sought to play down the breach it failed to disclose in 2019 — claiming it’s “old data” — a deflection that ignores the fact that people’s dates of birth don’t change (nor do most people routinely change their mobile number or email address).
Plenty of the “old” data exposed in this latest massive Facebook leak will be very handy for spammers and fraudsters to target Facebook users — and also now for litigators to target Facebook for data-related damages.
An executive order from the White House targeting Twitter for moderating one of the president’s posts is being challenged in a new lawsuit from a digital rights group. The president signed the order last week after Twitter added a fact-checking label to one of his tweets that made false claims about mail-in voting.
The order, signed with the blessing of Attorney General William Barr, took aim in particular at a law known as Section 230 of the Communications Decency Act, which protects internet companies from legal liability for the content they host.
The lawsuit was filed by the Center for Democracy and Technology (CDT), a nonprofit focused on defending online civil liberties. That group and other online civil organizations attacked the president’s order last week, with the ACLU dismissing the action as a “blatant, thin-skinned efforts to stifle expression.”
In the suit, the CDT argues that the executive order is “plainly retaliatory” in attacking Twitter, which was within its First Amendment rights in annotating the president’s tweet. The lawsuit also criticized the president’s intention to “curtail and chill the constitutionally protected speech of all online platforms and individuals” by wielding the power of the government against its critics.
Twitter shared its support for the CDT’s suit on Tuesday, calling the executive order “a reactionary and politicized” action that encroaches on a free internet.
Tensions between Twitter and President Trump continued to escalate as the company took action against another of the president’s tweets late last week for glorifying violence. That tweet threatened U.S. protesters with the ominous statement “when the looting starts, the shooting starts” — a phrase with troubling historical roots in state-sanctioned violence against black Americans.
“The Executive Order is designed to deter social media services from fighting misinformation, voter suppression, and the stoking of violence on their platforms,” CDT President and CEO Alexandra Givens said.
“… The President has made clear his intent to use threats of retaliation and future regulation to intimidate intermediaries into changing how they moderate content, essentially ensuring that the dangers of voter suppression and disinformation will grow unchecked in an election year.”
Arvind Krishna is not the only CEO to step into a new job this week, but he is the only one charged with helping turn around one of the world’s most iconic companies. Adding to the degree of difficulty, he took the role in the midst of a global pandemic and economic crisis. No pressure or anything.
IBM has struggled in recent years to find its identity as technology has evolved rapidly. While Krishna’s predecessor Ginni Rometty left a complex legacy as she worked to bring IBM into the modern age, she presided over a dreadful string of 22 straight quarters of declining revenue, a record Krishna surely hopes to avoid.
To her credit, under Rometty the company tried hard to pivot to more modern customer requirements, like cloud, artificial intelligence, blockchain and security. While the results weren’t always there, Krishna acknowledged in an email employees received on his first day that she left something to build on.
“IBM has already built enduring platforms in mainframe, services and middleware. All three continue to serve our clients. I believe now is the time to build a fourth platform in hybrid cloud. An essential, ubiquitous hybrid cloud platform our clients will rely on to do their most critical work in this century. A platform that can last even longer than the others,” he wrote.
But Ray Wang, founder and principal analyst at Constellation Research, says the market headwinds the company faces are real, and it’s going to take some strong leadership to get customers to choose IBM over its primary cloud infrastructure competitors.
“His top challenge is to restore the trust of clients that IBM has the latest technology and solutions and is reinvesting enough in innovation that clients want to see. He has to show that IBM has the same level of innovation and engineering talent as the hyper scalers Google, Microsoft and Amazon,” Wang explained.
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.
U.S. Attorney General William Barr, acting U.S. Homeland Security Secretary Kevin McAleenan, U.K. Home Secretary Priti Patel and Australia’s minister for home affairs, Peter Dutton, have co-signed an open letter to Facebook calling on the company to halt its plan to roll out end-to-end encryption across its suite of messaging products.
Facebook isn’t the only messaging company using end-to-end encryption, but it’s in governments’ crosshairs on account of a plan to expand its use of e2e crypto.
The scooter startup’s new round comes a few months after TechCrunch reported Bird was looking to raise a Series D round at a $2.5 billion valuation.
What if Instagram could automatically tell your Close Friends you’re home, working, on-the-move or chilling and might want to hang out? That’s the idea behind its new companion app Threads.
“What public markets do is indeed the great reckoning,” Benioff said while onstage at Disrupt SF. “But it cleanses [a] company of all of the bad stuff that they have.”
HVSD (named after renowned physicist and electrical engineer Oliver Heaviside) is an electric aircraft designed to go anywhere and land anywhere fast and quietly. Sebastian Thrun’s aviation startup has been working on the aircraft for two years.
This isn’t really a new ban, but rather a reiteration of an existing one. The company says it won’t allow ads supporting a candidate, political party or issue, because they don’t fit with the “light-hearted and irreverent feeling” that the app is aiming for.
An Indian startup that is increasingly posing a threat to established food and grocery delivery businesses, as well as to e-commerce giants, just closed a new financing round.
As Adam Neumann reportedly faces pressure to step down, it’s looking like a fight for life between WeWork and SoftBank
According to a new WSJ report, certain members of WeWork’s seven-person board, which includes cofounder and CEO Adam Neumann, are planning to pressure Neumann to step down and instead become We’s non-executive chairman. The move, says the outlet, “would allow him to stay at the company he built into one of the country’s most valuable startups, but inject fresh leadership to pursue an IPO that would bring We the cash it needs to keep up its torrid growth.”
The WSJ and Bloomberg are reporting that it is SoftBank specifically that wants Neumann to step down. Neither WeWork nor SoftBank is commenting publicly.
It’s a fascinating development, the kind we saw when Uber’s board successfully forced cofounder and longtime CEO Travis Kalanick to abandon his role as CEO. Still, we’d caution against drawing too close a comparison. While the venture firm Benchmark, which spearheaded Kalanick’s ouster, stood to lose billions of dollars if Kalanick dragged down Uber and continued to push off an IPO, Benchmark was not in a do-or-die situation because of its Uber investment.
SoftBank appears to be in more dire straits, making this standoff a particularly meaningful one.
Let’s back up a minute first, though, and consider who is involved and which way this could potentially go. A few days ago, Business Insider put together a useful cheat sheet about WeWork’s board members that may hint at their allegiance.
1.) Ronald Fisher — who is vice chairman at SoftBank Group after founding SoftBank Capital, a U.S. venture arm of SoftBank — joined SoftBank’s board last year. He oversees 114 class A shares, each of which carries one vote. Obviously, he’s going to side with SoftBank.
2.) Lewis Frankfort — the chairman of a fitness studio chain called Flywheel Sports — has been a board member of WeWork for roughly five years, and BI says WeWork once loaned him $6.3 million, which he repaid in interest earlier this year. We have to think he’d stick with Neumann out of loyalty. At the same time, he doesn’t wield much power unless he has the right to block significant actions at the company (some shareholders get these blocking rights; some don’t). What we know: he controls 2 million shares, and 750,000 of them are Class B shares that carry 10 votes each.
3.) Benchmark, which first backed WeWork in 2012, is represented on the board by Bruce Dunlevie, the founding partner of the venture firm. Benchmark owns 32.6 million Class A shares, and could go either way, seemingly. On the one hand, Benchmark doesn’t want to establish a reputation for pushing out founders after the Kalanick debacle, and if it supports SoftBank over Neumann, it risks this exact thing happening. On the other hand, Benchmark might not want to battle with SoftBank if it thinks it has staying power or it’s concerned (suddenly) that it allowed Neumann to amass too much control.
4.) Harvard Business School professor Frances Frei was brought in roughly a minute ago to add a much-needed sprinkling of gender diversity to WeWork’s all-male board. Frei’s name first came to be more broadly recognized when she was hired to help address Uber’s battered culture, so presumably she has ties to Benchmark. We’d guess she’ll side with Dunlevie, meaning that we have no idea whose side she will take.
5.) Steven Langman, the cofounder of private equity firm Rhône Group, has ties that go back a ways with Neumann, and he has benefited richly from the association, seemingly. According to an April story in the WSJ, Langman met Neumann through a shared rabbi in its earlier days and joined the board in 2012. He also invested in the company (he owns 2.28 million shares in the company, according to a bond filing). Langman is on both the company’s compensation committee and its succession committee. He also runs a real-estate investment vehicle in partnership with We that buys and develops buildings to then lease back to the co-working company, despite that it raises conflict-of-interest questions. We’d guess he’s on Team Neumann.
6.) John Zhao is the chairman and CEO of Hony Capital, which partnered with SoftBank and WeWork to create a standalone entity called WeWork China back in 2017, and Hony has subsequently poured more capital into that subsidiary. We’re not sure how close Zhao is to SoftBank, but if SoftBank brought Hony into WeWork, we’re guessing he’ll back the Japanese conglomerate on this one. Hony doesn’t own 5 percent or more of WeWork’s parent company so its share holdings aren’t listed publicly.
Neumann, it’s very worth noting, is himself far more powerful than any of these six individuals. Even after the company recently revised Neumann’s supervoting rights, which gave him 20 times the voting power of ordinary shareholders and now give him 10, he could fire the entire board if he so chooses, notes the WSJ.
Naturally, that wouldn’t be a good look for Neumann, who is already battling growing public perception that, among other negatives for a public company CEO, he smokes a whole lot of pot and that he is delusional, following a WSJ piece that reported Neumann confided to different people his interest in the role of Israel’s prime minister and, more recently, to become president of the world.
All that said, SoftBank is also fast losing credibility. While its CEO, Masayoshi Son, has been long revered as a visionary, a growing number of sources we’ve spoken to question the viability of his entire Vision Fund operation, and they point to WeWork — whose valuation leaps on the private market, from $20 billion to, more recently, $47 billion, were entirely a product of SoftBank’s doing — as just one in a costly string of poor calls.
Indeed, despite the roughly $10 billion that SoftBank has sunk into WeWork, the financial loss it would take if WeWork falls apart would pale in comparison to the reputation hit Son would suffer, and you can bet there will be ripple effects.
Put another way, given the Vision Fund’s impact on the startup industry over the last few years, there’s a lot more riding on what happens with WeWork than meets the eye. Stay tuned.
Less than 10 percent of the 50 million users attacked in Facebook’s recent breach lived in the European Union, tweeted the Irish Data Protection Commission which oversees privacy in the region. However, Facebook still could be liable for up to $1.63 billion in fines, or 4 percent of its $40.7 billion in annual global revenue for the prior financial year, if the EU determines it didn’t do enough to protect the security of its users.
Facebook wrote in response to the IDPC’s tweet that “We’re working with regulators including the Irish Data Protection Commission to share preliminary data about Friday’s security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon.”
Facebook alerted regulators and the public to the breach Friday morning after discovering it Tuesday afternoon. That’s important because it came under the 72-hour deadline for announcing hacks that can trigger an additional fine of up to 2 percent of a company’s global revenue if not met.
UPDATE Facebook data breach – @DPCIreland understands that the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach. DPC Ireland statement beneath. #dataprotection #GDPR #EUdataP pic.twitter.com/oSfGy6DP2S
— Data Protection Commission Ireland (@DPCIreland) October 1, 2018
That hack saw sophisticated attackers combine three bugs in Facebook’s profile, privacy, and video uploading features to steal the access token of 50 million users. These access tokens could allow the attackers to take over user accounts and act as them on Facebook, Instagram, Oculus, and other sites that rely on Facebook’s login system. The EU’s GDPR laws threaten heavy fines for improper security practices and are seen as stricter than those in the US, so its findings during this investigation carry weight.
The big question remains what data was stolen and how it could potentially be misused. Unless investigators or journalists discover a nefarious application for that data, such as how Cambridge Analytica’s ill-gotten data was used to inform Donald Trump’s campaign strategy, it’s unlikely for the public to see this as more than just another of Facebook’s constant privacy scandals. It could still trigger regulation, or push partners away from using Facebook’s login system, but the world seems to be growing numb to the daily cybersecurity breaches that plague the internet.