Data Digest № 028
Happy New Year and welcome to 2020’s first Datawallet Data Digest, where I review and occasionally analyze the latest news and the most critical developments in the data industry. Here’s a look at the latest developments:
New Year, New Rights
On January 2nd, I had the pleasure of discussing the state of the data industry in 2020 with “squawk alley” on CNBC. We debated what companies are doing wrong when it comes to data privacy; the new privacy rights gained with the CCPA, thought-leaders in data privacy, CCPA enforcement, and the possibility of federal legislation. Check out the full interview below:
Ad-tech Firms Are Struggling To Implement The CCPA Properly
While the ad-tech industry grapples with the implementation of the CCPA, a survey conducted by BritePool found that “87% of consumers would opt-out of targeted advertising under CCPA.” Bob Perkins, the COO of BritePool, noted that the main contention among advertisers is what exactly constitutes a “sale of data” — which is probably the most hotly debated issue of the CCPA. The CCPA defines the term “sale” very broadly and includes any transfer of personal information for valuable consideration, for instance, if the receiving party uses this data for commercial purposes. This means that many common data-sharing practices which may not constitute a “sale” in the traditional sense, might fall under the broad CCPA sale-definition, and therefore require businesses to post conspicuous “Do Not Sell My Information” links on their homepages, allowing consumers to opt-out of the sharing of their data.
A way out of the uncertainty would be by categorizing a third party as a service provider: The CCPA makes an exception to the term “sale”, by excluding data-transfers to service providers, if the information is necessary for a business purpose, the service provider performs services on the business’ behalf and does not sell the data. This means that if Company A shares data with Company B and Company B only use Company A’s data to deliver services to Company A, which are defined in a service provider contract, Company B would be a service provider. In this case, the business transferring personal information would not need to worry about whether or not it ‘sells’ data under the CCPA. If, however, Company B receives data from Company A and is not restricted by the agreement with company A to also use this information to service company C, then it would not be a service provider. Since AdTech generally relies on the aggregation of personally identifiable data, it is likely that the entire AdTech space would not classify as ‘service provider’ (as Google, Facebook, and pretty much all other AdTech firms claim). This would allow consumers in California to opt-out of the selling of their data, meaning AdTech firms would not be able to use this data to target these individuals. Such massive opt-outs could severely undermine AdTech’s business model. As Perkins states, the advent (and subsequent popularity) of Netflix’s ad-free streaming service was a sign the media industry could no longer be complacent in maintaining its historic value exchange with consumers. The question is what AdTech firms can offer consumers to provide enough value to stay around — seeing as the ‘data for content’ model is going out of style and these companies having built their entire revenue model by actively shutting consumers out of the value chain.
Ad-Tech Industry Fails to Address Heightened Privacy Worries
CES 2020 Demonstrates Big Tech’s Tendencies To “Privacy-Wash”
Last week CES 2020, the world’s largest consumer electronics conference, took place in Las Vegas. Shortly after, a barrage of critics commented on big tech’s tendency to “privacy-wash”: companies that market control and transparency over your data, but simultaneously devour it for their own financial gain. Eroding trust in consumer tech comes from this very notion. Companies who have gained their wealth through the collection of people’s data are learning to “talk the talk on privacy” but are making no real changes within their tech to back it up, such as Facebook’s Privacy Chief claiming that “I think privacy is protected today for people on Facebook” after just paying a $5 billion fine to the Federal Trade Commission to settle a privacy investigation, and Google touting its always-listening voice Assistant as designed for privacy because you can now tell it, “Hey, Google, that wasn’t for you.” It looks as though this year big tech needs more than privacy billboards to sway consumer trust back in the right direction.
Perspective | At CES, Apple, Facebook and Amazon are preaching privacy. Don’t believe the hype.
Amazon Defends Ring’s Controversial Facial Recognition Product
Despite severe criticisms from over 30 civil rights organizations, including privacy, racial justice, and civil liberties advocates about the safety of Amazon Ring, no concerns have been addressed by the eCommerce giant. Quite the opposite. Ring’s chief hardware exec boldly announced that he’s “proud” of the controversial product. To the annoyance of the campaigners, he went even further to announce Ring’s progression towards solidifying more police partnerships and integrating more in-depth facial recognition technology in the future. Amazon Ring also fired several employees last week for improperly accessing Ring customers’ videos, raising privacy advocates’ concerns on the access-levels of rogue employees to sensitive data, and the lack of privacy integrations into the design of the product.
Amazon Doubles Down on Ring Partnerships With Law Enforcement
Voter Manipulation and Malicious Propaganda Disrupts Democracy In 2020
A data dump about the operations of Cambridge Analytica revealed the global scale of the firm’s operations to influence elections. Ex-business development director Brittany Kaiser published links to hundreds of unreleased internal documents via a Twitter account called @HindsightFiles, with the promise of 100,000 more to come. The documents show that Cambridge Analytica was actively involved in operations across 65 countries.
Almost two years after Facebook’s promises of “locking down” and auditing “all apps that had access to large amounts of information” in a report following the Cambridge Analytica scandal, nothing has emerged. Apparently, the $5billion fine handed out by the FTC for the Cambridge Analytica scandal did nothing to incentivize meaningful changes within the company. Albeit that the now-defunct Cambridge Analytica won’t be a viable vessel anymore for parties looking to influence an election, Facebook’s unwillingness to shut down its data hose will likely increase the odds of other firms offering propaganda-as-a-service by psychographically targeting users to pose a threat to democracy in 2020.
Facebook data misuse and voter manipulation back in the frame with latest Cambridge Analytica leaks – TechCrunch
Who Else Is In The Driver’s Seat?
The Washington Post conducted an experiment whereby a hacker figured out the kinds of information a car’s internal computers collect on a randomly selected 2017 model. It was a lot more than they expected. “Details about where the car was driven and parked, call logs, identification information for his phone and contact information from his phone, right down to people’s address, emails, and even photos.” And of course, the methods implemented to limit the data collection were arduous to find. This begs the question of why so much data needs to be recorded in the first place, what it is used for, and whether there are other monetization opportunities carmakers engage in outside of the revenue generated by selling cars. Why does a car manufacturer need to know the numbers I am calling? Is the reason my acceleration and braking behavior is being monitored that car companies want to improve their next-generation breaks or is this information passed on to insurance companies to up my premium? Even though data privacy regulation such as the California Consumer Privacy Act (CCPA) gives consumers the right to know more about the car’s data collection and usage, companies are still trying their best to hide the specifics of this collection and usage. It’s exactly this type of clandestine data operations that eradicate consumer trust. Companies that are good data custodians should not fear to put their data collection and usage front and center in the consumer journey and should make it easy for customers to make educated decisions about which data collection and usage they consent to.
Perspective | What does your car know about you? We hacked a Chevy to find out.
Ransomware Gang Weaponize GDPR Fines
A ransomware gang called Sodinokibi, also known as REvil, told the BBC that they are behind the hack on Travelex and asked for $6m in ransom. They claim to have downloaded over 5GB of sensitive consumer data, including credit card information, dates of birth, and national insurance numbers. Ransomware expert Fabian Wosar said, “Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom. The idea is to weaponize the hefty fines associated with GDPR violations to pressure the company into paying.” The General Data Protection Regulation stipulates that companies can face a maximum fine of 4% of its global turnover for non-compliance with its procedures during a ransomware attack. If a personal data breach presents risk to people’s rights and freedoms, companies must notify the ICO within 72 hours of becoming aware.
Travelex being held to ransom by hackers
What I'm Reading:
Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?
Incident Of The Week: Zynga Security Breach Affects 170 Million User Accounts
Ex-Google policy chief dumps on the tech giant for dodging human rights – TechCrunch
Mozilla: All Firefox users get California's CCPA privacy rights to delete personal data | ZDNet
Opinion | Why Are You Publicly Sharing Your Child’s DNA Information? (Published 2020)
SerafinData Digest Consumer PrivacyCCPA GDPR Data Breaches Data Misuse Ad Tech