How to handle the flood of GDPR privacy updates

Many app users’ inboxes are bulging with requests to review new terms of service and privacy conditions.

And it is no coincidence that so many developers have revamped their small print at the same time.

In just under a month, the EU will introduce a new privacy law that gives Europeans new data protection rights and threatens giant fines for organisations that do not comply.

But making sense of the new terms poses a challenge.

Some companies, including Facebook, are asking members to give explicit consent to new features such as facial recognition.

Others – such as Twitter, Fitbit and Yahoo – have told members that simply continuing to use their products will be interpreted as agreement to the tweaked conditions.

The time-strapped public would be forgiven for thinking the easiest thing to do is to tick the necessary boxes and otherwise plough on regardless, despite the advent of the General Data Protection Regulation (GDPR).

After all, who normally reads this stuff?

    But that would be to pass up an opportunity to understand and place limits on how your personal details are being exploited for profit.

    And there is value in knowing what you have signed up for in advance of the next data privacy scandal.

    Digital rights campaign group Privacy International suggests that one way to handle the deluge of documents is to search for instances of the following terms:

    ‘Data providers’

    The phrase may be mentioned in sections that explain what data is being collected and how that is achieved.

    In particular, users should watch out for details of personal information being acquired from third parties that could let the services profile them in unexpected ways.

    ‘Location data’

    The new law explicitly defines the places a person visits in their past and present as being a type of personal data for the first time.

    Organisations are therefore required to detail how such information will be used to identify individuals.

    ‘Affirmative act’

    When consent is required, it must now be given via a clear action.

    The days of automatically signing up people to a marketing campaign because they did not untick a box are over.

    But it’s worth double-checking how consent is being sought to avoid clicking a button without realising its consequences.

    ‘Controller’

    Users based outside the EU should check where the entity is based. Facebook recently switched millions of its users out of the control of its Irish office, which means they will no longer be protected by the European watchdogs enforcing the new legislation.

    ‘Purposes’ and ‘Recipients’

    These terms are often used to inform users what a business will do with their data and with whom they will share it.

    The UK’s Consumers’ Association – known more commonly as Which? – has published its own guide to GDPR.

    It highlights some of the ways you can take advantage of GDPR’s new rights.

    These include the right to object to any decisions taken by organisations based solely on algorithms having analysed your personal data. For instance, you can appeal against a decision to refuse you a job interview based solely on computer analysis of your CV.

    You can also request a copy of the personal data being processed to make software-driven decisions.

    Which?’s computing editor told the BBC that people should be aware that if they are unhappy at how their personal information is being used to target ads at them, they can now demand part or all of it to be erased.

    She added that people should also watch out for illegitimate enticements.

    “I saw on Twitter the other day somebody share an email… saying you’d get a free pizza if/when you consented,” commented Kate Bevan.

    “That is a big fat nope – consent can’t be bundled with something else.”

    Those that take the time to wade through all the paperwork may still have questions.

    For example, while an app might have to disclose that it shares data with third parties, it does not necessarily have to name them unless a user personally requests the information.

    “They should always give you a point of contact,” explained Nicola Fulford, head of data protection and privacy at the law firm Kemp Little.

    “If they sent you an email and you have questions, then they should respond to it, although obviously at the moment they may be very busy.”

Tech Tent: Questions for Zuckerberg and Cambridge

It was a two-day interrogation with dozens of questions – some of them acute, some of them rambling, a few quite bizarre.

On the Tech Tent podcast this week, we zero in on what Mark Zuckerberg failed to answer during his US congressional appearances, about just how much data Facebook collects – and the control users have over it.

We also try to find out whether something bad is going on at the University of Cambridge when it comes to academic use of Facebook data, as Mr Zuckerberg suggested.

  • Stream or download the latest Tech Tent podcast
  • Listen live every Friday at 15.00 GMT on the BBC World Service

    The single most uncomfortable moment for Facebook’s founder was probably when Senator Dick Durbin asked him whether he would share with the committee the name of the hotel where he had spent the night in Washington.

    After a long pause and an embarrassed grin he answered “umm…no!”

    It made the point, according to Senator Durbin, that he was more cautious about his privacy than the average Facebook user who “checks in” without a thought.

    The following day, he was asked by Congressman Ben Lujan about the data collected on people who had never even signed up to Facebook. Again, Mr Zuckerberg appeared uncomfortable. He had never heard of the widely used term “shadow profiles” to describe this kind of data collection.

    Then the congressman took us down an Alice in Wonderland-style rabbit hole, where people who do not use Facebook are told to log in to their Facebook accounts to find out what data Facebook holds on them. “We’ve got to fix that,” he said.

    Frederike Kaltheuner from Privacy International tells Tech Tent that this kind of data collection, with users unaware of what is happening, is all too common – and Facebook is far from the only culprit.

    We also examine the issue raised by Mr Zuckerberg when he was asked whether he planned to sue either Dr Aleksandr Kogan or Cambridge University over the misuse of Facebook data.

    ‘Stronger action’

    He talked of a whole programme at the university, where a number of researchers were building similar apps to that made by Dr Kogan for Cambridge Analytica.

    “We do need to know whether there was something bad going on at Cambridge University overall that will require a stronger action from us,” he said.

    The university fired straight back. Mr Zuckerberg should have known that perfectly respectable academic research into social media had been going on, some of it with the involvement of Facebook employees. And as for Dr Kogan, the university had written to Facebook about its allegations against him but had not received a reply.

    On Wednesday morning, before Mr Zuckerberg’s remarks, I visited the Cambridge Psychometrics Centre and found some acknowledgement of the harm caused to the university’s reputation.

    The Centre, which is located in the Judge Business School, was drawn into the controversy when Facebook banned Cubeyou, another firm that had developed a personality quiz in collaboration with the university’s academics.

    Business development director Vesselin Popov insisted it was opt-in only and was in line with Facebook’s policies at the time, so was not at all like the app developed for Cambridge Analytica by Dr Kogan.

    He told me that Dr Kogan’s work had raised issues for the university: “Even if an academic does something – quote unquote in their ‘spare time’, with their own company – they still ought to be held to professional standards as a psychologist.”

    Dr Kogan and the Cambridge Psychometrics Centre are in dispute over whether a row over his personality app – and the involvement of the centre’s academics – was about ethics or money. I wrote another article about that issue on Friday.

    But the two sides agree that Facebook needs to focus on what commercial businesses do with user data, rather than academics.

    “It’s very clear that Cambridge Analytica and these kinds of companies are the product of an environment to which Facebook has contributed greatly,” says Mr Popov. “Although they might be making some changes today in response to public and regulatory pressure, this needs to be seen as an outcome of very permissive attitudes towards those companies.”

    With an audit of thousands of Facebook apps under way, we may hear more in the coming weeks about just how cavalier some companies have been with our personal data.

Google loses ‘right to be forgotten’ case

A businessman fighting for the “right to be forgotten” has won a UK High Court action against Google.

The man, who has not been named due to reporting restrictions surrounding the case, wanted search results about a past crime he had committed removed from the search engine.

The judge, Mr Justice Mark Warby, ruled in his favour on Friday.

But he rejected a separate claim made by another businessman who had committed a more serious crime.

The businessman who won his case was convicted 10 years ago of conspiring to intercept communications. He spent six months in jail.

The other businessman, who lost his case, was convicted more than 10 years ago of conspiring to account falsely. He spent four years in jail.

Both had ordered Google to remove search results about their convictions, including links to news articles, stating that they were no longer relevant.

They took Google to court when it refused to remove the search results.

Google said it would accept the rulings.

“We work hard to comply with the right to be forgotten, but we take great care not to remove search results that are in the public interest,” it said in a statement.

“We are pleased that the Court recognised our efforts in this area, and we will respect the judgements they have made in this case.”

‘Legal precedent’

The right to be forgotten is a legal precedent set by the Court of Justice of the European Union in 2014, following a case brought by Spaniard Mario Costeja Gonzalez who had asked Google to remove information about his financial history.

Google says it has removed 800,000 pages from its results following so-called “right to be forgotten” requests. However, search engines can decline to remove pages if they judge them to remain in the public interest.

Explaining the decisions made on Friday, the judge said one of the men had continued to “mislead the public” while the other had “shown remorse”.

The Open Rights Group, which campaigns for internet freedoms, said the rulings set a “legal precedent”.

“The right to be forgotten is meant to apply to information that is no longer relevant but disproportionately impacts a person,” said Jim Killock, executive director.

“The Court will have to balance the public’s right to access the historical record, the precise impacts on the person, and the public interest.”

Russia to block Telegram app over encryption

A court in Moscow has approved a request from the Russian media regulator to block the Telegram messaging app immediately.

The media regulator sought to block the app because the firm had refused to hand over encryption keys used to scramble messages.

Security officials say they need to monitor potential terrorists.

But the company said the way the service was built meant it had no access to customers’ encryption keys.

Telegram had missed a deadline of 4 April to hand over the keys.

Russia’s main security agency, the FSB, has said Telegram is the messenger of choice for “international terrorist organisations in Russia”.

A suicide bomber who killed 15 people on a subway train in St Petersburg last April used the app to communicate with accomplices, the FSB said last year.

The app is also widely used by the Russian authorities, Reuters news agency reports.

In its court filing, media regulator Roskomnadzor said Telegram had failed to comply with its legal requirements as a “distributor of information”.

Telegram’s lawyer, Pavel Chikov, said the official attempt to stop the app being used in Russia was “groundless”.

“The FSB’s requirements to provide access to private conversations of users are unconstitutional, baseless, which cannot be fulfilled technically and legally,” he said.

The messaging app is widely used across Russia and many nations in the Middle East, as well as around the rest of the world. It says it has more than 200 million active users.

Its popularity has grown because of its emphasis on encryption, which thwarts many widely used methods of reading confidential communications.

It allows groups of up to 5,000 people to send messages, documents, videos and pictures without charge and with complete encryption.

Telegram has been used by the Islamic State (IS) group and its supporters though the company says it has made efforts to close down pro-IS channels.

Facebook’s Zuckerberg fires back at Apple’s Tim Cook

Facebook’s chief executive has defended his leadership following criticism from his counterpart at Apple.

Mark Zuckerberg said it was “extremely glib” to suggest that because the public did not pay to use Facebook that the firm did not care about them.

Last week, Apple’s Tim Cook said it was an “invasion of privacy” to traffic in users’ personal lives.

And when asked what he would do if he were Mr Zuckerberg, Mr Cook replied: “I wouldn’t be in that situation.”

Facebook has faced intense criticism after it emerged that it had known for years that Cambridge Analytica had harvested data from about 50 million of its users, but had relied on the political consultancy to self-certify that it had deleted the information.

Channel 4 News has since reported that at least some of the data in question is still in circulation despite Cambridge Analytica insisting it had destroyed the material.

Mr Zuckerberg was asked about Mr Cook’s comments during a lengthy interview given to news site Vox about the privacy scandal.

He also acknowledged that Facebook was still not transparent enough about some of the choices it had taken, and floated the idea of an independent panel being able to override some of its decisions.

‘Dire situation’

Mr Cook has spoken in public twice since Facebook’s data-mining controversy began.

On 23 March, he took part in the China Development Forum in Beijing.

“I think that this certain situation is so dire and has become so large that probably some well-crafted regulation is necessary,” news agency Bloomberg quoted him as saying in response to a question about the social network’s problems.

“The ability of anyone to know what you’ve been browsing about for years, who your contacts are, who their contacts are, things you like and dislike and every intimate detail of your life – from my own point of view it shouldn’t exist.”

    Then in an interview with MSNBC and Recode on 28 March, Mr Cook said: “I think the best regulation is no regulation, is self-regulation. However, I think we’re beyond that here.”

    During this second appearance – which has yet to be broadcast in full – he added: “We could make a tonne of money if we monetised our customer, if our customer was our product. We’ve elected not to do that… Privacy to us is a human right.”

    Apple makes most of its profits from selling smartphones, tablets and other computers, as well as associated services such as online storage and its various media stores.

    This contrasts with other tech firms whose profits are largely derived from advertising, including Google, Twitter and Facebook.

    Mr Zuckerberg had previously told CNN that he was “open” to new regulations.

    But he defended his business model when questioned about Mr Cook’s views, although he mentioned neither Apple nor its leader by name.

    “I find that argument, that if you’re not paying that somehow we can’t care about you, to be extremely glib and not at all aligned with the truth,” he said.

    “The reality here is that if you want to build a service that helps connect everyone in the world, then there are a lot of people who can’t afford to pay.”

    He added: “I think it’s important that we don’t all get Stockholm syndrome and let the companies that work hard to charge you more convince you that they actually care more about you, because that sounds ridiculous to me.”

    Mr Zuckerberg also defended his leadership by invoking Amazon’s chief executive.

    “I make all of our decisions based on what’s going to matter to our community and focus much less on the advertising side of the business,” he said.

    “I thought Jeff Bezos had an excellent saying: ‘There are companies that work hard to charge you more, and there are companies that work hard to charge you less.’”

    ‘Turned into a beast’

    Elsewhere in the 49-minute interview, Mr Zuckerberg said he hoped to make Facebook more “democratic” by giving members a chance to challenge decisions its own review team had taken about what content to permit or ban.

    Eventually, he said, he wanted something like the “Supreme Court”, in which people who did not work for the company made the ultimate call on what was acceptable speech.

    Mr Zuckerberg also responded to recent criticism from a UN probe into allegations of genocide against the Rohingya Muslims in Myanmar.

    Last month, one of the human rights investigators said Facebook had “turned into a beast” and had “played a determining role” in stirring up hatred against the group.

    Mr Zuckerberg claimed messages had been sent “to each side of the conflict” via Facebook Messenger, attempting to make them go to the same locations to fight.

    But he added that the firm had now set up systems to detect such activity.

    “We stop those messages from going through,” he added.

    “But this is certainly something that we’re paying a lot of attention to.”

Alphons Kannanthanam: India minister’s ‘naked’ visa claim criticised

An Indian minister has sparked a social media storm with his comments on the country’s controversial biometric identity scheme.

Alphons Kannanthanam said Indians had no problem “getting naked” for a US visa, but object to the Aadhaar scheme over privacy concerns.

It is not clear what he meant exactly but he may be referring to airport strip searches.

Since Aadhaar’s inception, critics have been worried about its data safety.

In January, an Indian journalist said she was able to access citizens’ personal details on the Aadhaar website after paying an agent 500 rupees ($8; £6). The government called it a data breach at the time.

“But when the government of India, which is your government, asks you your name and your address, nothing more, there’s a massive revolution in the country saying it’s an intrusion into the privacy of the individual.”

He added that the biometric data collected under the scheme was safe with the government.

    The comment by the minister comes a week after the Indian Supreme Court extended its deadline on ruling whether linking Aadhaar should be mandatory for accessing various services, including welfare schemes, bank accounts and phone numbers.

    Mr Kannanthanam added that he had to fill out a 10-page form to apply for a US visa.

    “Ten pages of data which you have never even confessed to your wife or husband ever, that is passed on to the white man. We have no problem,” he said.

    However, many on social media were quick to point out the differences between the two scenarios he put forward:

    Is applying for US visa voluntarily mandatory for every Indian citizen? Do you guys understand consent, privacy and things like that?

    — শেখর (@MangoBwoy) March 25, 2018

    But 1.6 billion people doesn't apply for US Visa. Weird argument to defend privacy theft #databreach

    — Mehraan Laigroo (@mehraan_1989) March 25, 2018

    Not everyone goes to US and those who do, do it by choice. How do you guys even manage to be such high profile minister.

    — Ankur Goel (@ankur2smart) March 25, 2018

    This going naked for a US visa is not only factually incorrect but plainly disingenuous: countries treat citizens/non-citizens differently. US may ask for all sort of biometrics for a visa but doesn’t ask any for a social security number. Can find better defense of #aadhaar

    — Rohit Pradhan (@Retributions) March 25, 2018

    @alphonstourism you should realize that us visa is voluntary. Can you assure me that #Aadhaar is voluntary too?
    And no I don't have a us visa but I was forced to get an #Aadhaar

    — chetan shah (@chetan_cbe) March 25, 2018

    Naked? For a US visa? Things have certainly changed https://t.co/7aNLYuWSQ5

    — Sidharth Bhatia (@bombaywallah) March 25, 2018

    India’s biometric database is the world’s largest. The government has collected fingerprints and iris scans from more than a billion residents – or nearly 90% of the population – and stored them in a high security data centre.

    Last year, the Supreme Court ruled that citizens have a fundamental right to privacy in a landmark judgment. The ruling, experts said, had significant implications for the government’s vast biometric ID scheme.
