Data Digest № 018
Welcome to the 18th edition of the Data Digest, where I sum up the most important happenings in the data industry. This week: UK regulators fiercely warn adtech to clean up data practices, a NYT experiment on ad trackers, California’s new privacy measures are put under pressure, genetic privacy paradoxes, Foursquare’s dodgy dealings, and more. Enjoy!
UK Regulator Warns Adtech Over Personal Data
Two months ago, the UK became the first country to attempt to rein in the $200 billion online advertising industry for illegally sharing personal data to target ads. The Information Commissioner’s Office (ICO) gave the industry until the end of the year to tidy up its data-sharing practices before starting to investigate breaches and handing out fines. Despite the clear warnings by the ICO, little to no progress has been seen whatsoever in the ad industry’s methods of data-sharing. Simon McDougall, who is leading the investigation for the ICO commented that so far the answers offered by the adtech industry had been “vague, immature and short” when questioned on their data privacy safeguarding practices.
The primary focus of the ICO is how adtech utilizes “special category” data without user permissions, which includes the processing of sensitive information about health, sexuality, religious beliefs and political views to target ads. It also seeks to analyze the non-consensual transfer of that data through an ecosystem of thousands of companies, which I referenced a few weeks ago in an earlier data digest, with the former likely being in direct violation of the GDPR due to lacking user consent. Fundamentally, the adtech industry hasn’t taken governmental regulation seriously, as the non-consensual transfer of highly sensitive data on location, inferred race, gender, and financial means continues to fuel the advertising industry without any apparent problems. Ultimately, whether to comply or not seems to be a clear cost/benefit analysis on parts of adtech firms. Therefore, the increased scrutiny of the ICO will likely need to be followed up with heavy fines levied against key industry players to reign in other participants of the adtech ecosystem, otherwise the business case for compliance becomes hard to rationalize for these companies as the cost factor in their cost/benefit analysis doesn’t have any empirical data to be backed up with.
Subscribe to read | Financial Times
Hundreds of Trackers Exposed
Talking about adtech privacy violations: the New York Times (NYT) conducted an experiment on data privacy and revealed the immense extent to which we’re being surveilled across the web by adtech firms. The experiment involved a NYT reporter installing a Firefox web browser version developed by privacy researchers at Princeton that can monitor how sites track user data. The results were as worrying as expected. Fahrad Manjoo, the subject of the experiment observed,
“I just had to venture somewhere, anywhere, and I was watched. This is happening every day, all the time, and the only reason we’re O.K. with it is that it’s happening behind the scenes, in the comfortable shadows. If we all had pictures like this, we might revolt.”
Interestingly, Manjoo even called out the NYT on having “the most tracking resources.” Another study from Princeton revealed that news sites often engage in more tracking than other industries, given their reliance on advertising revenue. He also flagged Google for being present on every single website he visited, collecting vast amounts of information on the devices he used, everything he looked at, and his location information.
Opinion | I Visited 47 Sites. Hundreds of Trackers Followed Me.
U.S. Government Wants Access to Genetic Personal Data
Known to many as ‘The Privacy Paradox’, governmental programs designed to protect user data can severely clash with governmental prevention programs to protect citizens and solve crimes. A prime example of this was reported in the WSJ this week whereby family testing site, ‘FamilyTreeDNA’, was pressured by the FBI to pass on customer data to solve criminal cases involving DNA. This case is particularly disconcerting as people are worried about the potential implications of the government having access to large troves of genetic data, without receiving user consent. Governmental needs are often pitted against tech companies’ privacy rules, and in some cases, for good reasons. These cases, however, are often used to argue for a carte blanche for mass surveillance which covers other uses cases whose benefits aren’t clearly defined. With data privacy regulation such as CCPA coming into effect in January 2020 and federal data privacy regulation on the horizon, it becomes clear that we need clear rules around governmental access to personal data collected by tech companies.
Government wants access to personal data while it pushes privacy
Tech Companies Lobby Against California’s New Privacy Laws
Concerns over industry efforts to amend exemptions from the California Consumer Privacy Act, effective from January 1st, 2020, were published in the L.A. Times on Monday. The CCPA is the most comprehensive data privacy law ever enacted in the U.S., and gives consumers the ability to i.a. find out who’s collecting personal information about them, stop that information from being sold, and demand that it be deleted. Industry lobbyists are pushing for more types of data to be exempt from the law’s protections, under the guise that the ‘provisions are unworkable’. While it is the case that some provisions targeted at data brokers are spilling over onto smaller tech companies not involved in data brokerage, the above argument is clearly an attempt to leverage an edge case in order to enact change that maintains the status quo for companies not affected by said edge case.
Just last May, California’s Senate Bill 561 was blocked in the Senate. SB 561 would have amended the California Consumer Privacy Act (“CCPA”) to expressly grant plaintiffs the right to sue for all CCPA violations and most likely set in motion a wave of litigation beginning early next year. In its current form, CCPA limits private claims to breaches of unencrypted or unredacted data caused by a business’s failure to implement and maintain reasonable information security practices, even though there is a 30 day grace period in the CCPA, allowing companies to fix issues within this window without legal recourse. Otherwise, CCPA leaves enforcement of the Act to the California Attorney General. The AG’s office, however, has publicly acknowledged being vastly understaffed to effectively enforce the CCPA and was therefore a strong proponent of SB 561. As can be seen, the battle to weaken the CCPA is far from over. Fortunately, there are other ways for individuals to enforce the CCPA come January 2020. For instance, California’s Unfair Competition Law (“UCL”) (Cal. Bus. & Prof. Code § 17200, et seq.) permits private plaintiffs to sue for business practices that are “unlawful,” “unfair,” or “fraudulent,” and may provide an alternative to CCPA’s express private right of action.
Editorial: Keep California’s new privacy protections safe from tech company meddling
Foursquare Is Tracking You, 10 Years Later
“A charming, rickety, vintage-2000s social app that’s survived the last decade by evolving into a powerhouse enterprise data-extraction business” is one hell of a way to describe the viral app Foursquare that now receives 99 percent of its revenue from its software and data products. Since 2014, the company shifted their focus from being the next Facebook to a much less sexy, but much more profitable, software provider to data-hungry developers, advertisers and brands. Because of their relatively low profile over the years, Foursquare has been able to create detailed “interest profiles” of over 100 million U.S. consumers with little backlash among privacy advocates who have been focusing on the worst and most visible offenders, like Facebook and Google. It is precisely because of its independence from the other big tech firms that companies such as Uber use Foursquare for its geolocation services. This year, Foursquare’s revenue will exceed $100 million, and despite their promises to “lead by example”, there’s little evidence to support that the company’s protecting user data sufficiently. If you’re as concerned about lingering Foursquare data as I am, there’s thankfully a nifty life-hack to delete it.
You Might Not Be Checking In on Foursquare, But Foursquare Is Checking In on You
Facebook Are Handed Deadline To Help Researchers With Data
Facebook said in April 2018 it would share data with academics to help them research the effects of social media on democracy. BuzzFeed News revealed last week that funders and researchers were beginning to lose patience with the company because it had not yet provided all of the necessary data, and had said it would not provide some of the data it initially promised. Focusing on the areas relating to elections and democracy the research could have exposed valuable insights into the ways in which our societies and institutions work and the effects of social media. Unfortunately, if Facebook is unable to provide the data it promised to the academic researchers by September 30, the consortium of funders will pull the plug on the research altogether. It’s not hard to see how that may actually be what Facebook wants.
Funders Are Ready To Pull Out Of Facebook's Academic Data Sharing Project
What I'm Reading:
Federal grand jury indicts Paige Thompson on two counts related to the Capital One data breach – TechCrunch
Swiss companies razzed for bad data management
A Controversial Scooter Data Tracking Program Gains Traction
SerafinData Digest Ad TechCCPA Consumer PrivacyRegulatory Updates GDPR Data Misuse