Tag: privacy

POPI Act comes into effect today

Source: 702

The Protection of Personal Information Act, 4 of 2013 (POPIA) comes into effect today, 1 July 2021.

Consumers and legitimate businesses should welcome the next stage in the implementation of a law to better protect your privacy and to allow legitimate businesses to engage with you on a basis that will make doing business better.

It was first enacted in 2013 with the last of the provisions coming into effect from 1 July 2021. While it will be in force it does not mean that everything will enforced right away as the Information Regulator that oversees the compliance may not be in a position to begin responding to transgressions right away and everyone acknowledges that there is a lot to get done and so many of the lapses will not be intentional or nefarious.

Why do we need it?
The earliest collections of personal information would have been census polls to help nations determine how many people lived in the state. From members of a family, to the residents of a town to the entire kingdom and even the empire if the state included conquered territories.

There was not much need to know the individuals just the numbers, their age and possibly occupation and gender.

In the last century, businesses would have wanted to know more about who they could sell their products to. Advertising would be most effective when directed at people who could both use and want to use your product. The cost to reach them would be offset by increase in sales.

Newspapers were the first to see the value of a model to supplement the cost of the publication with ads from businesses that would like to reach the readers of a particular newspaper. The level of information about the readers would effectively be that they lived in a particular location and had the means to buy and read the paper in question.

Besides business ads, personal ads could also be bought to announce significant events like births, deaths and marriage. You could also buy small ads listing items you had for sale.

As newspapers grew the kind of ads changed too. National newspapers would typically runs ads from companies that were available nationwide, local papers would be favoured for smaller companies that only served one City.

With the introduction of radio, there was a period when no-one knew how to make money from the near instant audio medium. Some of the first large corporate broadcasters were also telephone companies that opted to sell airtime like phone calls, by the minute.

Once again stations with big broadcast areas would cost more and be used by larger advertisers that sold products everywhere, while smaller stations would feature the local businesses.

The model was used again when TV came along and the advertising industry had come of age with many channels and location and audiences to choose from to ensure the greatest return on the money they spent on ads.

The world wide web was supposed to add another layer, instead it brought about the most significant disruption the media and advertising industry had ever experienced, the effects are still being felt and the final configuration is still to be seen.

The attention economy
Print and magazines had physical presence and could be read by multiple people but typically needed to be regularly replaced.

Radio was instant with rich sound to transport you to where the news was happening or create a concert or play in your home, but it was gone just as soon as it arrived. There was no pause or record, instead everything needed to be repeated often.

TV offered images and sound and typically had a very big broadcast area. Initially it also had to rely on repeats to ensure content would be seen or scheduling to put the best content on when people were most likely able to watch.

This is all history, but when the web was still in its infancy, few saw the potential of how it could do everything that print, broadcast and TV could do, but it could be permanent, on demand, local and global all at the same time.

Advertisers saw this as the great way to not only be able to reach everyone, but as it promised you could tell who you were reaching it would be much more effective and much cheaper too.

The first casualty was newspaper classifieds. Websites offering free listings attracted huge audiences and thousands of ads, to make money the site operators would allow you to pay for a bigger ad or one that displayed more prominently.

Not many in the media industry seemed too concerned, smart media owners started building an online presence and slowly began building their content offering online. First to grow the small market with vague plans on how to make as much money online as they did with the traditional mediums.

Search engines, blogs and social media all looked like only minor threats to traditional media companies even as online media began to start learning a lot more about their audience.

Facebook was not the first or only social media, but it did do something that at the time was genius even though it was the spark that lit the online privacy issue.

Most online spaces operated with usernames chosen by the users and then offered you access to people who shared your interests, back then they were typically academic or technical.

Facebook first asked university students and then anyone what their actual name was. They asked where they were studying and where they went to school and who their partners and family were. As more people signed up, Facebook was able to connect them online. Many that you had lost contact with like former colleagues, team mates and school friends.

Initially it seemed like magic that this free service somehow knew who all your friends were and gave you easy ways to say hi and share what you were up to.

It was so popular that many businesses would block Facebook for the amount of time staff would spend on it.

Facebook had built the perfect attention tool using content that its users created. Next it needed a way to make money and that was of course advertising. But because Facebook knew so much about you, advertisers could be very specific about who would see their ads and only have to pay for the ones that were actually seen.

At this point media companies realised the game was changing and their businesses were at risk.

It was not only Facebook, Google’s search engine could find what you were looking for and if that was for a product or service, advertisers could pay to be included in the results.

Data mining and manipulation
In 2007 Apple introduced the iPhone, the web was now in your hand and everywhere you were. Anything you did on your phone could be tracked and we did everything on our phones and the default was to make everything public.

An early YouTube video showed that by turning on the location for posts, you could find users around you. If they had posted recently you could find them still there. In the video the person looks back at previous posts and then introduces himself, mentioning the details of the previous posts. The users’ surprise turns to unease as the stranger tells them about some quite private events in their lives. Once explained that the information was public, the users almost all undertake to change their settings afterwards.

As users did wise up to limiting who else had access they continued to share everything with the likes of Google and Facebook and advertisers could buy that.

South Africa first recognised that personal information required protection in 2009 but did not have much in place to prevent multinational companies from using personal data because at the time, the issue was mobile number abuse and a growing issue with email spam and sms scams.

By 2016, the pushback had started in earnest but not before one of the most audacious and naïve lapses by Facebook to allow political parties and even governments to buy ads targeted at specific communities to sway public opinion.

It is hard to say that Brexit and the election of Donald Trump are thanks to Facebook allowing their users to be manipulated for ad revenue, but the risk was real and something was needed to limit it.

A light at the end of the tunnel
The EU was first to implement the General Data Protection Regulations in 2018 that required companies to take responsibility and accountability of what data they collected and how they used it. Users need to give full consent before data could be used or they could be contacted.

South Africa updated the 2009 regulations in 2013 with more regulations relating to various parts about how data is gathered, used, stored and sold added over the years. The next big roll-out is now and it follows the EU guidelines quite closely.

Express permission must be given to contact consumers so no more unsolicited communication. Hacks might still happen, but besides the data breach and embarrassment, there are now also legal consequences which include big fines and even jail time.

Cookies are the next piece of the web that while perfectly useful and for the most part harmless have been used to follow our every move and subject us to ads that while targeted can have the same effect as that YouTuber pretending to know you.

Initially they tracked what you had done on a website to save on time and server loads. When you see something on a website you want to buy, the click to add it to your cart is stored in a cookie, but so are all the other items you looked at. When you next return they might show them again or offer a discount.

Site publishers would like to know how much time a user spent on the site, what they looked at and how often they returned. This is done via a cookie.

But now you also get cookies that can track you from one site to the next, comparing what you did on social media with what you did on the web. Know not just what you searched for but when you might need it again and even know what you might need the next time you are in a specific place.

On the face of it, it can be very helpful. An alert to let you know there is a clothing sale on at a shop you like that is near you based on your recent search for certain items at that shop online could be great, but if you were not aware all that info was being collected and used and not so subtly trying to get you to act on it thanks to payments from advertisers, it is not so good. The move is slowly moving away from the most intrusive versions and in time should at least be better understood if not always welcome.

For many businesses there will need to be significant effort to become compliant, but in the medium term an easy way for users to find service providers would be to check they are compliant and to simply reject anyone that is not.

Pandora’s box has been opened and we will never return to that innocent anonymous age, but if hope was all that was left in the box, here is hoping that POPI while hated by some, a complete head scratcher to many and a sea of pop-ups clicked and not sufficiently read will still give us a level of protection we have not had online before.

By Jan Vermeulen for MyBroadband

Facebook reneged on a commitment to appear before the Committee on Communications and Digital Technologies this week because, at the time, it was the only company that confirmed its attendance.

“Without more industry players and other key stakeholders present, we believed the Roundtable would not meet the objectives that were outlined to us, hence we requested that the Roundtable be postponed to a later date,” said Kojo Boakye, the Facebook public policy director for Africa.

“We believe as a Tech Industry, it is important that we collectively come together to outline how we support elections and ensure election integrity in light of the local Government Elections taking place later this year,” Boakye stated.

“The Roundtable with the Parliamentary Committee was meant to do just that.”

Facebook initially agreed to meet with South Africa’s Parliament over concerns around misinformation and disinformation before the 2021 local elections.

Former Democratic Alliance (DA) MP Phumzile Van Damme said at the time that the meeting was requested by the DA.

The reason for inviting Facebook was to establish what steps the tech giant would be taking to tackle harmful misinformation, particularly in light of the upcoming elections.

“Facebook often tailors plans for countries ahead of elections to guard against harmful misinformation,” Van Damme said. “We would like to see the same done for South Africa.”

In September 2020, the social media company implemented measures which it said were intended to help secure the integrity of the US elections by encouraging voting, connecting people with authoritative information, and reducing the risks of post-election confusion.

These included updates related to misinformation, COVID-19 and voter suppression, and a ban on new electoral, political, or social issue ads.

Facebook is also in hot water with South Africa’s Information Regulator, which has challenged the tech giant on the implementation of a new privacy policy for WhatsApp.

The Information Regulator contends that the Protection of Personal Information Act of South Africa is similar to the data privacy laws of the European Union, and that WhatsApp should therefore offer South Africans the same privacy protections as it affords users in Europe.

The chairperson of the Information Regulator, Pansy Tlakula, recently called on the South African government to help the regulator in its engagements with Facebook.

“We are fighting a giant,” Tlakula told the Parliamentary Portfolio Committee.

“They cannot willy-nilly abuse the personal information of users,” she stated.

Tlakula proposed that the Portfolio Committee on Justice and Correctional Services join forces with the Committee on Communications and Digital Technologies to ask questions of Facebook relating to the WhatsApp privacy policy changes.

With Facebook pulling out of its meeting with the Parliamentary Portfolio Committee on Communications and Digital Technologies, it is unclear whether the tech giant will give feedback on any of the South African government’s questions.

However, Facebook has stated that it is open to rescheduling the meeting.

“Our commitment to participating in a roundtable is well documented,” said Boakye.

He said that Facebook remains committed to engaging with national governments, and has clearly indicated to the committee that it welcomes ongoing dialogue, and a meeting at a later date.

“Facebook has teams and technology in place to protect the integrity of elections in South Africa, across Africa and around the world. We devote extensive resources to reducing the spread of misinformation and fighting election interference on our platforms,” Boakye said.

It is interesting to note that when Van Damme announced that Facebook has pulled out of appearing at the Parliamentary Portfolio Committee Meeting, she also revealed that Google had committed to attending the meeting.

MyBroadband asked Facebook whether Google’s confirmation that it will attend the meeting changes its stance, but the company declined to comment further.

Google did not respond to requests for comment.

 

By Hanno Labuschagne by MyBroadband

Popular call screening app Truecaller could be in violation of South Africa’s incoming Protection of Personal Information Act (POPIA), according to two law firms who recently spoke to MyBroadband.

Many South Africans may be familiar with the app, particularly given its usefulness in identifying unknown phone numbers and blocking unsolicited calls from telemarketers or scammers.

The app has more than 150-million daily users across the globe – 1.7-million of which are based in South Africa.

Truecaller is often able to show the owner of a number which a user does not yet have through its universal database which is supported by crowd-sourcing of data from its users.

Contrary to popular belief, Truecaller does not actually automatically upload your address book or contact list to its servers when you download and install the app from the Apple App Store or Google Play Store.

This is because both companies have strict data protection policies which prohibit the app from doing so.

However, this is not the case if the app is downloaded directly from the truecaller.com website. In this instance, Truecaller will prompt the user with an option to upload their full address book as part of its crowd-sourcing features.

This information is then uploaded to the company’s database, which is stored in a foreign server.

In addition, Truecaller allows users to manually submit the details of a number which was not yet available on its database.

According to law firms Werksmans Attorneys and Norton Rose Fulbright, there are several issues with these features under POPIA.

No lawful basis for data processing
Director at Werksmans Attorneys Ahmore Burger-Smidt said Truecaller failed to comply with POPIA in a number of areas.

“Without a doubt, concerns can be raised from a POPIA perspective in relation to the manner and the purposes for which personal data is collected and processed via the Truecaller app,” Burger-Smidt said.

She said that there were grave concerns in terms of POPIA regulations when the app is considered from the perspective of a person or business who has not registered for the service.

The primary issue was that the app allowed full disclosure of a contact list, which could amount to confidential information being disclosed.

“From a data protection perspective, a responsible party, in this instance Truecaller, can only process the personal information of a data subject if he has a lawful basis to do so,” Burger-Smidt said.

“POPIA provides for lawful bases, which include: consent, compliance with a legal obligation, if there is a legitimate interest, and the performance of a contract.”

“One can argue that there might indeed be a legitimate basis for processing the personal information of the individual that subscribes to the Truecaller service,” she stated.

“However, on what basis are they processing all the contact information that the subscriber holds?” Burger-Smidt asked.

“It is very difficult to motivate for this to be done on the basis of a legitimate interest.”

“It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights as data subjects in terms of POPIA and that their privacy is being infringed,” Burger-Smidt stated.

Shifting the blame to the user
Director in Competition Practice at Norton Rose Fulbright Rosalind Lake echoed these views.

She said POPIA requires a responsible party – in this case Truecaller – to notify a data subject of how it will process – use, store, transmit, and access – its personal information, even when it is not collected directly from the data subject.

“These notification requirements are usually fulfilled through a privacy policy,” Lake stated.

“However, it appears that Truecallers’ privacy policy places this obligation on the user,” Lake said.

According to its privacy policy, Truecaller says users must confirm with another party whose details they share with Truecaller before doing so.

Lake said this approach was problematic under POPIA.

“If you are reporting a number as spam, you are hardly going to phone them to tell them that their number has been added to the database,” Lake said.

“In this situation, the user of the app would not be considered a responsible party when it consents to provide access to its phone book. Truecaller is the one who requests access and use of the information and they are therefore responsible under POPI.”

“The user of the app may be considered an ‘operator’ for Truecaller, but then POPI says there must be an agreement in place to impose certain obligations on the operator, but the liability still sits with the responsible party.”

Lake warned that users should still think carefully before consenting to provide access to their address book and carefully peruse the privacy settings on the app.

“There have been some circumstances reported where a person’s safety may be compromised by their name being on the database – such as a journalist working undercover – or indeed, businesses may suffer losses in some way from being identified without their knowledge,” Lake cautioned.

What Truecaller can do
Burger-Smidt said that Truecaller ought to consider how it collects personal information from non-subscribers.

According to Lake, the inclusion of its privacy policy on its website does not give sufficient notice to the data subjects, as they are explicitly directed to it during the process.

She said that POPIA requires a responsible party to take reasonably practicable measures to notify the data subject of the collection and processing of their personal information.

“It would be our recommendation, therefore, even though consent may not be required if Truecaller relies on its legitimate interests to process the information, that under POPI Truecaller notify by SMS or email each person who is added to their database, direct them to their privacy policy and highlight their ability to delist from the database.”

However, this could introduce another problem under POPIA, Lake added.

“A tricky issue is that the responsible party is required to disclose where it is collecting the personal information from if it is not collecting it directly from the data subject,” Lake said.

“It is not clear yet whether stating that it is collected from users of the app will be sufficient or whether the particular individual from whom the information is collected has to be disclosed.”

“It seems unlikely to be the latter as this may also be unnecessary processing of the user’s personal information.

Truecaller not anticipating any issues
Truecaller told MyBroadband that the POPIA offered a good opportunity for companies to review their practices and think more deeply about the importance of privacy of their users.

“We are continuing to look at changes we can make to align with the evolution of privacy laws in different jurisdictions, including South Africa,” the company said.

However, it said it did not anticipate any disruption to the services or features its app offers due to the implementation of POPIA.

Both Burger-Smidt and Lake submitted that Truecaller is beneficial in its ability to identify and screen unsolicited calls.

Lake added that POPI in and of itself would also help restrict direct marketing, which will hopefully reduce the volume of spam calls in South Africa.

Spy pixels in e-mails have become endemic

By Leo Kelion for BBC

The use of “invisible” tracking tech in e-mails is now “endemic”, according to a messaging service that analysed its traffic at the BBC’s request.

Hey’s review indicated that two-thirds of emails sent to its users’ personal accounts contained a “spy pixel”, even after excluding for spam.

Its makers said that many of the largest brands used email pixels, with the exception of the “big tech” firms.

Defenders of the trackers say they are a commonplace marketing tactic.

And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies.

Emails pixels can be used to log:

  • If and when an email is opened
  • How many times it is opened
  • What device or devices are involved
  • The user’s rough physical location, deduced from their internet protocol (IP) address – in some cases making it possible to see the street the recipient is on
  • This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles.

Hey’s co-founder David Heinemeier Hansson says they amount to a “grotesque invasion of privacy”.

Without special software, it is not easy to spot which emails contain a tracking pixel.
And other experts have also questioned whether companies are being as transparent as required under law about their use.

Invisible beacons
Tracking pixels are typically a .GIF or .PNG file that is as small as 1×1 pixels, which is inserted into the header, footer or body of an email.

Since they often show the colour of the content below, they can be impossible to spot with the naked eye even if you know where to look.

Recipients do not need to click on a link or do anything to activate them beyond open an email they are embedded in.

British Airways, TalkTalk, Vodafone, Sainsbury’s, Tesco, HSBC, Marks & Spencer, Asos and Unilever are among UK brands Hey detected to be using them.

But their use was much more widespread despite many members of the public being unaware of it, said Hansson.

“It’s not like there’s a flag saying ‘this email includes a spy pixel’ in most email software,” he added.

By Zoe Kleinman for BBC

Message platforms Signal and Telegram have both seen a huge surge in downloads around the world following a controversial update to WhatsApp’s terms and conditions.

WhatsApp has told its two billion users they must allow it to share data with its parent company Facebook if they wish to continue using it.

This does not apply to users in the UK and Europe.

However, the notification has been sent to everyone.

All WhatsApp users will be unable to continue with the service unless they accept the new terms by 8 February. The platform said the update will enable it to offer features such as shopping and payments.

It also said its practice of sharing data with Facebook was not new.

WhatsApp and Facebook to share data outside Europe
Both Telegram and Signal also offer free-to-use encrypted messaging services.

Signal strength
According to data from analytics firm Sensor Tower, Signal was downloaded globally 246,000 times the week before WhatsApp announced the change on 4 January, and 8.8 million times the week after.

This included big surges in India, where downloads went from 12,000 to 2.7 million, the UK (from 7,400 to 191,000) and the US (63,000 to 1.1 million).

In a series of tweets, Signal said some people were reporting issues with creating groups and delays to verification codes arriving because of the rapid expansion but that it was solving the issues.

“Our new servers are ready to serve you,” it said on 10 January.

It also received endorsement from Tesla co-founder Elon Musk, who tweeted “use Signal” on 7 January.

Telegram soars
Telegram has proved even more popular, with downloads booming globally from 6.5 million for the week beginning 28 December to 11 million over the following week.

In the UK, downloads went from 47,000 to 101,000. And in the US they went from 272,000 to 671,000.

During the same period, WhatsApp’s global downloads shrank from 11.3 million to 9.2 million.

Even so, one industry watcher said he did not think this necessarily represented a big problem for WhatsApp, which has been downloaded 5.6 billion times since its launch in 2014.

“It’s going to be difficult for rivals to break user habits, and WhatsApp will continue to be one of the world’s most popular and widely used messaging platforms,” said Craig Chapple, mobile insights strategist at Sensor Tower.

“It’ll be interesting to see whether this latest trend sticks, or users revert back to what they know.”

WhatsApp has said the data it shares with its parent company does not include messages, groups or call logs.

However, it does include:

  • Phone number and other information provided on registration (such as name)
  • Information about the user’s phone, including make, model, and mobile company
  • Internet protocol (IP) addresses, which indicate the location of a user’s internet connections
  • Any payments and financial transactions made over WhatsApp

It said its policies were in line with “applicable” privacy laws.

 

Source: NBC

Google was sued on Tuesday in a proposed class action accusing the internet search company of illegally invading the privacy of millions of users by pervasively tracking their internet use through browsers set in “private” mode.

The lawsuit seeks at least $5-billion, accusing the Alphabet Inc unit of surreptitiously collecting information about what people view online and where they browse, despite their using what Google calls Incognito mode.

According to the complaint filed in the federal court in San Jose, California, Google gathers data through Google Analytics, Google Ad Manager and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads.

This helps Google learn about users’ friends, hobbies, favourite foods, shopping habits, and even the “most intimate and potentially embarrassing things” they search for online, the complaint said.

Google “cannot continue to engage in the covert and unauthorised data collection from virtually every American with a computer or phone,” the complaint said.

Jose Castaneda, a Google spokesman, said the Mountain View, California-based company will defend itself vigorously against the claims.

“As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity,” he said.

While users may view private browsing as a safe haven from watchful eyes, computer security researchers have long raised concern that Google and rivals might augment user profiles by tracking people’s identities across different browsing modes, combining data from private and ordinary internet surfing.

The complaint said the proposed class likely includes “millions” of Google users who since June 1, 2016 browsed the internet in “private” mode.

It seeks at least $5,000 of damages per user for violations of federal wiretapping and California privacy laws.

Boies Schiller & Flexner represents the plaintiffs Chasom Brown, Maria Nguyen and William Byatt.

The case is Brown et al v Google LLC et al, U.S. District Court, Northern District of California, No. 20-03664.

By Riccardo Spagni for Fin24

Privacy is widely held as a fundamental human right and is recognised in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in the Constitution of nearly every country in the world.

Privacy is becoming a growing concern as the world continues its mass digitisation. As we move more of our day-to-day business and personal communications and interactions online, the trail of personal data breadcrumbs we leave behind grows.

Take something as simple as an online transaction: when the average consumer pays a merchant in Europe via their PayPal account, their data goes to as many as 600 different companies. The consumer has zero visibility over any of the companies involved. The amount of metadata about our lives is staggering – and we have no control over any of it.

Financial privacy and its malcontents

Regulators have tried to resolve some of the issues around data privacy and use of personal information by businesses. The European Union’s General Data Protection Regulation is a far-reaching piece of legislation that aims to protect EU citizens from unwanted or unauthorised personal data use. Although the upper limits of its sanctions still need to be tested, GDPR promises fines of up to €20-million to organisations that compromise the personal data of any EU citizen.

But for most transactions, consumers and businesses remain at the mercy of a vast network of interlinked companies that process and distribute our personal metadata across the globe. A lot of this is driven by convenience: when cash was still the preferred payment method, people enjoyed a fair amount of privacy as cash transactions can be concluded away from any prying eyes.

With the introduction of electronic payment methods such as wire transfers, SWIFT, credit cards and mobile payments, privacy has been sacrificed for convenience. The amount of Know-Your-Customer (KYC) and Anti-Money Laundering (AML) processes in place means consumers have little in the way of financial privacy as financial services firms are bound by law to constantly analyse transactions for any irregularities and report them to authorities where appropriate.

Shining a light on criminality

Financial crime is a massive problem. A 2018 Thomson Reuters survey of 2373 respondents in 19 countries – including South Africa – found that the aggregate lost turnover as a result of financial crimes amounted to $1.45-trillion, or 3.5% of their total global turnover. In Europe, on average one in every 200 transactions reviewed by bank compliance officers lead to a criminal investigation, but only 1% of criminal proceeds generated in the EU are confiscated by authorities.

But financial privacy is not only important to criminals; it is a critical safety measure for every digital citizen. Without financial privacy, personal and financial safety can be compromised by criminals who could, for example, see the value of a purchase that someone made – as well as their personal details – and use that information to target them with criminal activities. As a business, financial privacy keeps intimate business details such as salary information, profit margins and revenue away from unwanted eyes.

Cryptocurrencies often come into the firing line for their anonymity and lack of regulatory oversight. High-profile examples of illicit purchases on the dark web using cryptocurrencies have made regulators wary of their potential for driving criminal activity.

Not all cryptocurrencies are made equal

A large part of the appeal of cryptocurrencies is that they are more discrete than mainstream payment methods. And while this is partly what makes them attractive to criminals, it is unfair to assume all discrete transactions are criminal. We all make purchases we would rather other people not know about, for fear of embarrassment or judgement. Anonymity also has its benefits: who hasn’t suddenly seen a spike in advertisements related to something you once searched for online, or saw similar products to one you’ve just bought advertised on sites you visit?

Privacy enhancing cryptocurrencies are built on five pillars, namely:

  • Unlinkability, which conceals where transactions are going to;
  • Untraceability, which conceals the origins of transactions;
  • Cryptgraphically valueless, which hides the value of a transaction;
  • Passively hidden, which conceals the transaction from other internet users; and
  • Optionality, which maximises the privacy set while still enabling you to reveal information should you need to.

But not all cryptocurrencies are created equal. And not all have the privacy of their users as a primary concern. Cryptocurrencies such as Monero were built to provide users with the optimum amount of privacy. That’s why I’d add a sixth pillar to the above, namely Ideology. Since cryptocurrencies involve thousands – even millions – of people, it is critical that the cryptocurrency is managed according to a strict set of privacy-enhancing guidelines.

Every contributor to Monero, for example, understands they are responsible for other people’s money, privacy and, by extension, safety. Contributors could, through reckless actions, compromise someone’s financial security or even their lives. Any privacy project that treats it with less care is indistinguishable from a scam and can put people’s lives at risk.

There’s a popular argument that honest people don’t need privacy since they have nothing to hide. But that’s fallacy. As Edward Snowden put it, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different to saying you don’t care about free speech because you have nothing to say.”

Financial privacy is a fundamental human right. Technology can be both the greatest inhibitor or promoter of privacy. The responsibility rests on all of us who participate in the new world of cryptocurrencies to ensure we protect the privacy of our users.

By Cheyenne MacDonald for DailyMail

Google’s private browsing options may not be as incognito as you’d expect.

New research into Google’s ‘filter bubbles,’ in which search results are personalized based on the data it’s collected about you, has found that logging out or switching to Incognito Mode does almost nothing to shield you from targeted results.

By comparing search results for controversial topics, including gun control, immigration, and vaccinations, the study (notably conducted by rival search engine, DuckDuckGo) uncovered significant variations in what different users were shown.

New research into Google’s ‘filter bubbles,’ in which search results are personalised based on the data it’s collected about you, has found that logging out or switching to Incognito Mode does almost nothing to shield you from targeted results.

Despite the common assumption that logging out or going Incognito provides anonymity, DuckDuckGo points out that this isn’t really the case.

Websites use several other identifying factors to keep tabs on users’ activity, including IP addresses.

To highlight the issue, DuckDuckGo recruited volunteers in the US to perform a series of searches for the terms ‘gun control,’ ‘immigration,’ and ‘vaccinations.’

All were tasked to do this at the same time, at 9pm ET on Sunday, June 24, in Incognito, logged out, and then logged back in.

The study also controlled for location, DuckDuckGo notes.

This made for 87 sets of results in total, with 76 desktop users and 11 mobile users.

Despite the anonymised conditions, which would be expected to produce the same results across the board, most of the participants still appeared to see personalised results.

Private searches for gun control, for example, yielded 62 different sets of results for the 76 participants.

Similar trends were seen in searches for the other two terms, with 57 variations in ‘immigration’ results, and 73 variations in ‘vaccinations’ results.

Users were shown links in different orders, and some were shown links that were not displayed to others.

News and Video infoboxes, in particular, demonstrated ‘significant variation.’

A search for ‘immigration,’ for example, pulled up six variations from six different sources in the Videos infobox, while ‘gun control’ led to 12 variations from 7 sources.

According to DuckDuckGo, the findings indicate that ‘it’s simply not possible to use Google search and avoid its filter bubble.’

While the motivations behind the study are undoubtedly biased, the findings still stand as a reminder that true anonymity on the internet isn’t as straightforward as it might seem.

By Giovanni Buttarelli for The Washington Post 

First came the scaremongering. Then came the strong-arming. After being contested in arguably the biggest lobbying exercise in the history of the European Union, the General Data Protection Regulation became fully applicable at the end of May.

Since its passage, there have been great efforts at compliance, which regulators recognize. At the same time, unfortunately, consumers have felt nudged or bullied by companies into agreeing to business as usual. This would appear to violate the spirit, if not the letter, of the new law.

The GDPR aims to redress the startling imbalance of power between big tech and the consumer, giving people more control over their data and making big companies accountable for what they do with it. It replaces the 1995 Data Protection Directive, which required national legislation in each of the 28 E.U. countries in order to be implemented. And it offers people and businesses a single rulebook for the biggest data privacy questions. Tech titans now have a single point of contact instead of 28.

The new regulation, like the old directive, requires all personal data processing to be “lawful and fair.” To process data lawfully, companies need to identify the most appropriate basis for doing so. The most common method is to obtain the freely given and informed consent of the person to whom the data relates. A business can also have a “legitimate interest” to use data in the service of its aims as a business, as long as it doesn’t unduly impinge on the rights and interests of the individual. Take, for example, a pizza shop that processes your personal information, such as your home address, in order to deliver your order. It may be considered to have a legitimate interest to maintain your details for a reasonable period of time afterward in order to send you information about its services. It isn’t violating your rights, just pursing its business interests. What the pizza shop cannot do is then offer its clients’ data to the juice shop next door without going back and requesting consent.

A third aspect of lawfully processing data pertains to contracts between a company and client. When you purchase an item online, for example, you enter into a contract. But in order for the business to fulfill that contract and send you your goods, you must offer credit card details and a delivery address. In this scenario, the business may also legitimately store your data, depending on the terms of that limited business-client relationship.

But under the GDPR, a contract cannot be used to obtain consent. Some major companies seem to be relying on take-it-or-leave-it contracts to justify their sweeping data practices. Witness the hundreds of messages telling us we cannot continue to use a service unless we agree to the data use policy. We’ve all faced the pop-up window that gives us the option of clicking a brightly colored button to simply accept the terms, with the “manage settings” or “read more” section often greyed-out. One of the big questions is the extent to which a company can justify collecting and using massive amounts of information in order to offer a “free” service.

Under E.U. law, a contractual term may be unfair if it “causes a significant imbalance in the parties’ rights and obligations arising under the contract that are to the detriment of the consumer.” The E.U. is seeking to prevent people from being cajoled into “consenting” to unfair contracts and accepting surveillance in exchange for a service. What’s more, a company is generally prohibited to process, without the “explicit consent” of the individual, sensitive types of information that may reveal race or political, religious, genetic and biometric data.

Indeed, regulators are being asked to determine whether disclosing so much data is even necessary for the provision of services — whether it is ecommerce, search or social media. One key principle to remember is that asking for an individual’s consent should be regarded as an unusual request, given that asking for consent often signals that a party wants to do something with personal data that the individual may not be comfortable with or might not reasonably expect. Thus, it should be a duty of customer care for a company to check back with users or patrons honestly, transparently and respectfully. As the Facebook/Cambridge Analytica scandal revealed, allowing an outside company to collect personal data was not the type of service that users would have reasonably expected. Clearly, abuse has become the norm. The aim of the EU data protection agency that I lead is to stop it.

Independent E.U. enforcement authorities — at least one in each E.U. member state — are already investigating 30 cases of such alleged violations, including those lodged by the activist group NOYB (“none of your business”). The public will see the first results before the end of the year. Regulators will use the full range of their enforcement powers to address abuses, including issuing fines.

The GDPR is not perfect, but it passed into law with an extraordinary consensus across the political spectrum, belying the increasingly fractious politics of our times. As of June, there were 126 countries around the world with modern data protection laws broadly modeled on the European approach. This month, Brazil is next. And it will the biggest country to date to adopt such laws. It is likely to be followed by Pakistan and India, both of which recently published draft laws.

But if the latest effort is a reliable precedent, data protection reform comes around every two decades or so — several lifetimes in terms of the pace of technological change. We still need to finish the job with the ePrivacy Regulation still under negotiation, which would stop companies snooping on private communications and require — again — genuine consent to use metadata about who you talk to as well as when and where.

I am nevertheless already thinking about the post-GDPR future: a manifesto for the effective de-bureaucratizing and safeguarding of peoples’ digital selves. It would include a consensus among developers, companies and governments on the ethics of the underlying decisions in the application of digital technology. Devices and programming would be geared by default to safeguard people’s privacy and freedom. Today’s overcentralized Internet would be de-concentrated, as advocated by Tim Berners-Lee, who first invented the Internet, with a fairer allocation of the digital dividend and with the control of information handed back to individuals from big tech and the state.

This is a long-term project. But nothing could be more urgent as the digital world develops ever more rapidly.

  • 1
  • 2

Follow us on social media: 

               

View our magazine archives: 

                       


My Office News Ⓒ 2017 - Designed by A Collective


SUBSCRIBE TO OUR NEWSLETTER
Top