Tag Archives: data protection

Six Hundred and Twenty Two Advertising Partners

If you still think that privacy and data sharing isn’t an issue, then take a look at this…
The other day I was visiting a popular gaming website and up popped the usual notice about use of cookies. Normally I would dismiss these without a second thought but I was on a tablet and accidentally tapped on the link to their privacy notice. Noodling around, I discovered on this page that they listed all their advertising partners… and there were SIX HUNDRED AND TWENTY TWO of them.

Here’s just those that begin with “A”.
A1 Media Group, A1platform, Aarki, abilicom, Acuityads, Adacado, Adadyn, Adara Media, Adbalancer, Adblade, ADBOX, Adcash, AdClear, Adclouds, AdColony, Addictive Mobility, Addition Plus, Addroid, AdElement, Adello, ADEX, Adform, AdGibbon BV, adhood, Adikteev, AdKernel, AdLedge, adlocal.net, Adloox, Adludio, AdMaster/LnData, AdMaxim, Admedo, Admetrics, Admixer, Adnami ApS, adnanny.com, Adnetic, Adobe Advertising Cloud, AdPlay, AdPredictive, AdRetarget, Adriver, AdRoll Inc., adrule, Adsniper, Adssets, adTarget.me, Adtelligence, Adtelligent Inc., AdTrader, AdTriba, advanced STORE GmbH, Advanse, Adventive, Adventori, Adverline, Advertserve, Advmaker, advolution.control, Adways SAS, Adzerk, Adzymic, AE Media, Aedge Performance S.L., AerServ, affilinet, Aidata, Airtory, Akamai, AKTYVUS SEKTORIUS, Alkemics, All In Views LTD, Alooma, Amazon, Amino Payments, Inc., Amobee, Analights, Aniview Inc., Answer Media, AntVoice, APNIC, AppGrowth Inc., Appier, AppLift, AppLovin Corp., AppNexus, Appreciate, appTV, Arbigo Inc., Arrivalist, Art of Click, Artsai, Audience2Media, AudienceProject, Audiencevalue, Aunica, Avocet, Azameo

Recognise many? Adobe, Amazon?

And from the website’s privacy policy, “We share your personal information with our affiliates and with exhibitors, sponsors, media partners, joint venture partners and other third parties.” which can be summarised as “We share your personal information with anyone we like.”

Let me get this straight. I visit one gaming website and my information could be shared with up to 622 other organisations that, really, I know nothing about. Who knows where this data will eventually land?

There’s something very wrong here.


Facebook Fined For Cambridge Analytica Fiasco

The UK’s Information Commissioner’s Office (ICO) has fined Facebook GB£500,000 for data breaches relating to the Cambridge Analytica scandal. That’s about US$650,000. The ICO’s investigation into the activities of Facebook is highly critical of Facebook’s laissez-faire approach to users’ data.

For seven years, Facebook failed to stop application developers taking users’ information without informed consent, and allowed capture of the information even when people were only friends with others who had downloaded particular apps. For example, person A would download a survey app to their phone or tablet which then needed Facebook credentials and permissions to proceed. Once he or she had given access, the survey app then collected data on all their Facebook friends without the agreement of the friends.

Using this loophole, one app developer gathered the Facebook data of up to 87 million people worldwide despite only a small fraction of these downloading the app. Part of this data was subsequently shared with other organisations, particularly SCL Group, the parent company of Cambridge Analytica.

The ICO was also scathing about Facebook’s response after the abuse of friend data was uncovered in late 2015, noting that it failed to ensure that data was deleted and didn’t kick SCL off Facebook until 2018.

Elizabeth Denham, Information Commissioner, said “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”

The £500,000 fine is the maximum penalty under the previous regulations and had the offence occurred under the GDPR framework, the fine would have been much higher. The Commissioner went on, “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

In a week where Apple’s CEO called for GDPR-style regulations in the US, there’s a clear need for greater regulation of social media organisations and the world-wide protection of people’s information.


Equifax Hit With £500,000 Fine

The UK’s Information Commissioner’s Office (ICO) has hit credit reference agency Equifax with a GB£500,000 fine for the 2017 data breach. Equivalent to US$660,000, the fine is the largest ever imposed by the ICO and is the maximum permitted under the legislation in force at the time. Under the newer GDPR laws, the fine could’ve been as high as $20 million.

The Equifax data breach involved the records of 146 million people, with nearly 15 million being UK nationals. The ICO was scathing in its comments about Equifax, saying, “The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures. Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched.”

During the cyber attack last year, a range of personal information was taken, including names, dates of birth, addresses, passwords, driving licences and financial data.

The Information Commissioner herself, Elizabeth Denham, went on to say, “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”

Equifax’s approach to data protection and the care of our personal data was negligent, and frankly, I don’t think they deserve to be in business. The full judgement is here pdf.


Google Acted Illegally in UK

The UK’s Information Commissioner today confirmed that Google breached the UK’s Data Protection Act when the Street View cars captured personal data while collecting wi-fi network information.

As a result of this, Google will be required to sign an undertaking to take steps to ensure that breaches of the Act don’t re-occur. Google will then be audited in nine months’ time to confirm that the required policies and training have taken place. Finally, once any legal obstacles have been cleared, Google will have to delete the personal data from the UK.

Currently, the Information Commissioner does not intend to fine Google, but will take further action if necessary.

The Commissioner, Christopher Graham, said, “It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act.  The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.”

What’s interesting about this is that the Information Commissioner’s Office (ICO) had previously decided not to take action against Google because the sample data shown to the ICO was considered to be fragmentary and therefore unlikely to constitute personal data.

However, Google’s Alan Eustace admitted on Google’s own blog that, “A number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that whilst most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.”

The Commissioner then infers that because this happened in other countries, it happened in the UK, even if most of the data was fragmentary.  You can read the Commissioner’s letter to Google Inc here.

Personally, I’m pleased that Google is being held to account.  Far too often it seems that big business gets away with abusing our personal information.

Google WiFi – Wrong But No Big Deal

The UK’s Information Commissioner’s Office has issued a press release on Google’s collection of WiFi data that was obtained by the StreetView cars as they drove round.

In what appears to be a holding statement, the ICO says that it has reviewed samples of collected data at Google premises and confirms that the samples do not include any “meaningful personal details”. Additionally, the information cannot be connected to an identified individual and it is unlikely to cause any harm.

However, the ICO confirms that collecting the information was wrong but there is nothing further in the press release to indicate if any penalties will be levied against Google.  Apparently the Information Commissioner will be taking a “responsible and proportionate approach.”