Facebook is asking users worldwide to review their privacy settings

Starting this week, Facebook will begin asking users worldwide to review their privacy settings with a prompt that appears within the Facebook app. The experience will ask you to review how Facebook uses your personal data across a range of products, from ad targeting to facial recognition. This request to review Facebook’s updated terms and your settings follows a similar experience rolled out to users in the European Union as a result of the new user data privacy regulation, GDPR.

However, EU users have to agree to the new terms of service in order to continue using Facebook, Recode points out, after asking Facebook how the worldwide experience differs from the one being shown in Europe.

Elsewhere in the world, users who dismiss the prompt twice will be automatically opted in.

But before you close that window too quickly, you may want to take a look at what Facebook is asking.

Review Your Privacy Settings

Posted by Facebook on Wednesday, May 23, 2018

In the new prompt, which appears when you visit News Feed, Facebook will allow you to review details about advertising, facial recognition, and the information you’ve chosen to share on your profile.

For example, you may no longer feel comfortable having your religion, political views or relationship information exposed, and the new experience will allow you to change those settings.

As you continue reviewing your information, each screen will walk you through what data is collected and how it’s used, allowing you to make better decisions about Facebook’s use of your data.

Specifically, Facebook says the feature will include the following information:

  • How it uses data from partners to show more relevant advertising
  • Political, religious, and relationship information you’ve chosen to include on your profile
  • How it uses face recognition, including for features that help protect your privacy
  • Updates to its terms of service and data policy (that were announced in April)

If you’ve already disabled some of these settings, you won’t be shown that information or encouraged to turn the features back on.

After you adjust your settings, the changes go into effect immediately and you can adjust them again at any time from Settings or Privacy Shortcuts, the company says.

Though the GDPR is aimed at protecting user data in the EU, Facebook has come under fire for its breach of trust with its user base due to the Cambridge Analytica scandal – where data was hijacked from 87 million users without their consent. The company is now revisiting a lot of its user data privacy practices and making changes as a result of both that and GDPR’s requirements.

The experience will start popping up on Facebook this week.

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned, read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR, which will start being applied from tomorrow.

Instapaper’s notification does not say how long the self-imposed outage will last.

The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover.

So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information).

That said, EU regulators are clearly going to tread softly on the enforcement front in the short term. And any major fines are only going to hit the most serious violations and violators — and only down the line when data protection authorities have received complaints and conducted thorough investigations.

So it’s not clear exactly why Instapaper believes it needs to pause its service to European users. It’s also had plenty of time to prepare to be compliant — given the new framework was agreed at the back end of 2015. We’ve reached out to Pinterest with questions and will update this story with any response.

In an exchange on Twitter, Pinterest product engineering manager Brian Donohue — who, prior to acquisition was Instapaper’s CEO — flagged that the product’s privacy policy “hasn’t been changed in several years”. But he declined to specify exactly what it feels its compliance issue is — saying only: “We’re actively working to resolve the issue.”

In a customer support email that we reviewed, the company also told one European user: “We’ve been advised to undergo an assessment of the Instapaper service to determine what, if any, changes may be appropriate but to restrict access to IP addresses in the EU as the best course of action.”

“We’re really sorry for any inconvenience, and we are actively working on bringing the service back online for residents in Europe,” it added.

The product’s privacy policy is one of the clearer T&Cs we’ve seen. It also states that users can already access “all your personally identifiable information that we collect online and maintain”, as well as saying people can “correct factual errors in your personally identifiable information by changing or deleting the erroneous information” — which, assuming those statements are true, looks pretty good for complying with portions of GDPR that are intended to give consumers more control over their personal data.

Instapaper also already lets users delete their accounts. And if they do that it specifies that “all account information and saved page data is deleted from the Instapaper service immediately” (though it also cautions that “deleted data may persist in backups and logs until they are deleted”).

In terms of what Instapaper does with users’ data, its privacy policy claims it does not share the information “with outside parties except to the extent necessary to accomplish Instapaper’s functionality”.

But it’s also not explicitly clear from the policy whether or not it’s passing information to its parent company Pinterest, for example, so perhaps it feels it needs to add more detail there.

Another possibility is Instapaper is working on compliance with GDPR’s data portability requirement. Though the service has offered export options for years. But perhaps it feels these need to be more comprehensive.

As is inevitable ahead of a major regulatory change there’s a good deal of confusion about what exactly must be done to comply with the new rules. And that’s perhaps the best explanation for what’s going on with Instapaper’s pause.

Though, again, there’s plenty of official and detailed guidance from data protection agencies to help.

Unfortunately it’s also true that there’s a lot of unofficial and dubious quality advice from a cottage industry of self-styled ‘GDPR consultants’ that have sprung up with the intention of profiting off of the uncertainty. So — as ever — do your due diligence when it comes to the ‘experts’ you choose.

50 tech CEOs come to Paris to talk about tech for good

Ahead of VivaTech, 50 tech CEOs came to Paris to have lunch with French President Emmanuel Macron. Then, they all worked together on “tech for good”. The event was all about leveraging tech around three topics — education, labor and diversity.

At the end of the day, French Prime Minister Édouard Philippe invited everyone for a speech in Matignon. It wasn’t a groundbreaking speech as Macron is also speaking at VivaTech tomorrow morning. “We’re trying to pivot France,” Philippe said.

Maurice Lévy, the former CEO of Publicis, one of the two companies behind VivaTech with Les Échos, first introduced the event, as well as Eric Hazan from McKinsey. McKinsey worked on the data that was used to start those discussions. So let’s see what they talked about.

“As McKinsey showed, there's no question that technology overall is a net creator of job and GDP. It's a positive force,” Uber CEO Dara Khosrowshahi said. “At the same time, AI and automation, while driving the economy and productivity, […] will lead to large groups being disadvantaged.”

He then listed a few important points to make sure that nobody is going to be left behind, such as coaching and mentorship programs.

“This is not just the government's job but it is also the job of private companies,” Khosrowshahi added.

He wanted to remain hopeful and it felt a bit like a lobbying effort. “It's easy to see the loss of jobs because of automation. But it's much more difficult to dream about the possibilities of the future,” he said. In other words, don’t worry about the on-demand economy, don’t worry about self-driving cars.

IBM CEO Ginni Rometty was in charge of the discussions around education. “We also had a lot of engineers and pragmatic people there. And we ended up with five recommendations,” she said.

It sounds like these recommendations would be really favorable for IBM and other tech companies. So here are these recommendations:

  • Focus and segment this problem. Focus on the quarter of the population the most at risk.
  • Align the skills that businesses need with the education system (hard skills and soft skills).
  • There should be an open partnership with governments to reposition vocational education, learn by doing, foster internships, apprenticeships, simulations and redirect tax to incentivize.
  • Work with teachers to pilot, get hard evidence and then scale.
  • Retraining employees is the responsibility of all employers.

Finally, SAP CEO Bill McDermott talked about diversity. “As we looked at the facts, there are 33 percent more revenue, more profit for companies that got the memo on companies more inclusive and more diverse,” he said.

Culture, gender and geography were the main themes. But they also talked about differently abled people. SAP will make an announcement around autism in France.

“Dara, Ginni and Bill, thank you for your introduction, that was brilliant, in English and concise,” French Prime Minister Édouard Philippe said.

He then listed three ideas that sum up his thinking about the tech industry.

“I truly believe in freedom, in that fundamental ability that you need to be able to take good decisions and bad decisions,” he said. The second idea is the consequence of that first one.

“With great power comes great responsibility. I think a modern philosopher called Peter Parker said that for the first time. And I really think it’s true.”

“While you don’t have to regulate on everything, when something isn’t regulated, it’s possible that it gets out of your control. And when it comes to the digital revolution and the data revolution, that freedom needs some boundaries. You know that Europe worked on some regulation — GDPR. What looked like regulation against innovation now appears as desirable and useful,” he said.

He then indirectly called out Facebook for its half-baked GDPR changes. “Some of you, and I believe it’s the case of Microsoft, decided to enforce GDPR everywhere. And I encourage everyone to do the same.”

The fact that 50 CEOs came to Paris is interesting by itself. It’s a sign that tech companies want to have an open discussion with governments. They want to make sure that regulation is favorable. On the other hand, governments want to make sure that tech innovations aren’t going to divide society.

But it’s just starting.

Some companies announced a few things in Paris. Uber expanded its accident insurance to contractors across Europe, when they’re working and also when they’re not on the road. IBM plans to hire 1,800 people in France. Deliveroo is going to invest $117 million (€100 million) over the next few years.

Let’s see if Macron has more to say tomorrow.


Here’s the full list of tech CEOs in Paris for the Tech for Good Summit:

  • Kevin Sneader, CEO, McKinsey
  • Audrey Azoulay, Director, UNESCO
  • Mark Zuckerberg, Founder and CEO, Facebook
  • John Kerry, Senior Fellow, Carnegie Foundation
  • Satya Nadella, CEO, Microsoft
  • Pierre Louette, CEO, Les Echos
  • Tony Elumelu, President, United Bank for Africa
  • Maurice Lévy, Co-Founder, Viva Technology
  • Charlotte Hogg, CEO, Europe Visa
  • Jean-Paul Agon, CEO, L'Oréal
  • Tristan Harris, Executive Director, Center for Humane Technology
  • Alexandre Dayon, CEO, Salesforce
  • Brian Krzanich, CEO, Intel
  • Mitchell Baker, President, Mozilla Foundation
  • Yves Meignié, CEO, Vinci Energies
  • Gilles Pelisson, CEO, TF1
  • Bill McDermott, CEO, SAP
  • Young Sohn, CEO, Samsung
  • Gillian Tans, CEO, Booking.com
  • Niklas Zennstrom, Founder and CEO, Atomico
  • Will Shu, CEO, Deliveroo
  • Sunil Bharti Mittal, President, Bharti Enterprises
  • Joe Schoendorf, Partner, Accel
  • Nick Bostrom, Director, Future of Humanity Institute
  • Julie Ranty, Director, VivaTech
  • Eric Leandri, CEO, Qwant
  • Olivier Brandicourt, CEO, Sanofi
  • Mo Ibrahim, President, Mo Ibrahim Foundation
  • Yossi Vardi, Entrepreneur
  • Philippe Wahl, CEO, Groupe La Poste
  • Pierre Nanterme, CEO, Accenture
  • Tom Enders, CEO, Airbus
  • Tim Hwang, Director, Harvard-MIT Ethics & Governance of AI Initiative
  • Octave Klaba, Founder and CEO, OVH
  • Ginni Rometty, CEO, IBM
  • Pierre Dubuc, CEO, OpenClassrooms
  • Isabelle Kocher, CEO, Engie
  • Sy Lau, CEO, Tencent
  • Xavier Niel, Founder, Iliad/Free
  • Jimmy Wales, Founder, Wikimedia Foundation
  • Jean-Laurent Bonnafé, CEO, BNP Paribas
  • Angela Ahrendts, Vice President Retail, Apple
  • Frédéric Mazella, Co-Founder and President, BlaBlaCar
  • Stewart Butterfield, CEO, Slack
  • Alex Karp, CEO, Palantir
  • Guillaume Pepy, CEO, SNCF
  • Jacquelline Fuller, President, Google.org
  • Stéphane Richard, CEO, Orange
  • Clare Akamanzi, CEO, Rwanda Development Board
  • Paul Hermelin, CEO, CapGemini
  • Eric Hazan, Senior Partner, McKinsey
  • Ludovic Le Moan, Co-Founder and CEO, Sigfox
  • Dara Khosrowshahi, CEO, Uber
  • Catherine Guillouard, CEO, RATP
  • Tim Collins, CEO, Ripplewood
  • Bernard Liautaud, Partner, Balderton
  • Alain Roumilhac, CEO, Manpower Group France
  • Hiroshi Mikitani, CEO, Rakuten
  • John Collison, Co-Founder and CEO, Stripe
  • Maxime Baffert, Director, VivaTech
  • Thomas Buberl, CEO, Axa

FBI reportedly overestimated inaccessible encrypted phones by thousands

The FBI seems to have been caught fibbing again on the topic of encrypted phones. FBI director Christopher Wray estimated in December that it had almost 7,800 phones from 2017 alone that investigators were unable to access. The real number is likely less than a quarter of that, The Washington Post reports.

Internal records cited by sources put the actual number of encrypted phones at perhaps 1,200 but perhaps as many as 2,000, and the FBI told the paper in a statement that “initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.” Supposedly having three databases tracking the phones led to devices being counted multiple times.

Such a mistake would be so elementary that it’s hard to conceive of how it would be possible. These aren’t court notes, memos or unimportant random pieces of evidence, they’re physical devices with serial numbers and names attached. The idea that no one thought to check for duplicates before giving a number to the director for testimony in Congress suggests either conspiracy or gross incompetence.

The latter seems more likely after a report by the Office of the Inspector General that found the FBI had failed to utilize its own resources to access locked phones, instead suing Apple and then hastily withdrawing the case when its basis (a locked phone from a terror attack) was removed. It seems to have chosen to downplay or ignore its own capabilities in order to pursue the narrative that widespread encryption is dangerous without a backdoor for law enforcement.

An audit is underway at the Bureau to figure out just how many phones it actually has that it can’t access, and hopefully how this all happened.

It is unmistakably among the FBI’s goals to emphasize the problem of devices being fully encrypted and inaccessible to authorities, a trend known as “going dark.” That much it has said publicly, and it is a serious problem for law enforcement. But it seems equally unmistakable that the Bureau is happy to be sloppy, deceptive or both in its advancement of a tailored narrative.

Zuckerberg didn’t make any friends in Europe today

Speaking in front of EU lawmakers today Facebook’s founder Mark Zuckerberg namechecked the GDPR’s core principles of “control, transparency and accountability” — claiming his company will deliver on all that, come Friday, when a new European Union data protection framework, GDPR, starts being applied, finally with penalties worth the enforcement.

However there was little transparency or accountability on show during the session, given the upfront questions format which saw Zuckerberg cherry-picking a few comfy themes to riff on after silently absorbing an hour of MEPs’ highly specific questions with barely a facial twitch in response.

The questions MEPs asked of Zuckerberg were wide ranging and often drilled deep into key pressure points around the ethics of Facebook’s business — ranging from how deep the app data misuse privacy scandal rabbithole goes; to whether the company is a monopoly that needs breaking up; to how users should be compensated for misuse of their data.

Is Facebook genuinely complying with GDPR, he was asked several times (unsurprisingly, given the scepticism of data protection experts on that front). Why did it choose to shift ~1.5BN users out of reach of the GDPR? Will it offer a version of its platform that lets people completely opt out of targeted advertising, as it has studiously avoided doing so far?

Why did it refuse a public meeting with the EU parliament? Why has it spent “millions” lobbying against EU privacy rules? Will the company commit to paying taxes in the markets where it operates? What’s it doing to prevent fake accounts? What’s it doing to prevent bullying? Does it regulate content or is it a neutral platform?

Zuckerberg made like a sponge and absorbed all this fine-grained flak. But when the time came for responses the data flow was not reciprocal; self-serving talking points on self-selected “themes” were all he had come prepared to serve up.

Yet — and here the irony is very rich indeed — people’s personal data flows liberally into Facebook, via all sorts of tracking technologies and techniques.

And as the Cambridge Analytica data misuse scandal has now made amply clear, people’s personal information has also very liberally leaked out of Facebook — oftentimes without their knowledge or consent.

But when it comes to Facebook’s own operations, the company maintains a highly filtered, extremely partial ‘newsfeed’ on its business empire — keeping a tight grip on the details of what data it collects and why.

Only last month Zuckerberg sat in Congress avoiding giving straight answers to basic operational questions. So if any EU parliamentarians had been hoping for actual transparency and genuine accountability from today’s session they would have been sorely disappointed.

Yes, you can download the data you’ve willingly uploaded to Facebook. Just don’t expect Facebook to give you a download of all the information it’s gathered and inferred about you.

The EU parliament’s political group leaders seemed well tuned to the myriad concerns now flocking around Facebook’s business. And were quick to seize on Zuckerberg’s dumbshow as further evidence that Facebook needs to be ruled.

Thing is, in Europe regulation is not a dirty word. And GDPR’s extraterritorial reach and weighty public profile looks to be further whetting political appetites.

So if Facebook was hoping the mere appearance of its CEO sitting in a chair in Brussels, going through the motions of listening before reading from his usual talking points, would be enough, that looks to be a major miscalculation.

“It was a disappointing appearance by Zuckerberg. By not answering the very detailed questions by the MEPs he didn’t use the chance to restore trust of European consumers but in contrary showed to the political leaders in the European Parliament that stronger regulation and oversight is needed,” Green MEP and GDPR rapporteur Jan Philipp Albrecht told us after the meeting.

Albrecht had pressed Zuckerberg about how Facebook shares data between Facebook and WhatsApp — an issue that has raised the ire of regional data protection agencies. And while DPAs forced the company to turn off some of these data flows, Facebook continues to share other data.

The MEP had also asked Zuckerberg to commit to no exchange of data between the two apps. Zuckerberg determinedly made no such commitment.

Claude Moraes, chair of the EU parliament’s civil liberties, justice and home affairs (Libe) committee, issued a slightly more diplomatic reaction statement after the meeting — yet also with a steely undertone.

“Trust in Facebook has suffered as a result of the data breach and it is clear that Mr. Zuckerberg and Facebook will have to make serious efforts to reverse the situation and to convince individuals that Facebook fully complies with European Data Protection law. General statements like ‘We take privacy of our customers very seriously’ are not sufficient, Facebook has to comply and demonstrate it, and for the time being this is far from being the case,” he said.

“The Cambridge Analytica scandal was already in breach of the current Data Protection Directive, and would also be contrary to the GDPR, which is soon to be implemented. I expect the EU Data Protection Authorities to take appropriate action to enforce the law.”

Damian Collins, chair of the UK parliament’s DCMS committee, which has thrice tried and failed to get Zuckerberg to appear before it, did not mince his words at all. Albeit he has little reason to, having been so thoroughly rejected by the Facebook founder — and having accused the company of a pattern of evasive behavior to its CTO’s face — there’s clearly not much to hold out for now.

“What a missed opportunity for proper scrutiny on many crucial questions raised by the MEPs. Questions were blatantly dodged on shadow profiles, sharing data between WhatsApp and Facebook, the ability to opt out of political advertising and the true scale of data abuse on the platform,” said Collins in another reaction statement after the meeting. “Unfortunately the format of questioning allowed Mr Zuckerberg to cherry-pick his responses and not respond to each individual point.

“I echo the clear frustration of colleagues in the room who felt the discussion was shut down,” he added, ending with a fourth (doubtless equally forlorn) request for Zuckerberg to appear in front of the DCMS Committee to “provide Facebook users the answers they deserve”.

In the latter stages of today’s EU parliament session several MEPs — clearly very exasperated by the straitjacketed format — resorted to heckling Zuckerberg to press for answers he had not given them.

“Shadow profiles,” interjected one, seizing on a moment’s hesitation as Zuckerberg sifted his notes for the next talking point. “Compensation,” shouted another, earning a snort of laughter from the CEO and some more theatrical note flipping to buy himself time.

Then, appearing slightly flustered, Zuckerberg looked up at one of the hecklers and said he would engage with his question — about shadow profiles (though Zuckerberg dare not speak that name, of course, given he claims not to recognize it) — arguing Facebook needs to hold onto such data for security purposes.

Zuckerberg did not specify, as MEPs had asked him to, whether Facebook uses data about non-users for any purposes other than the security scenario he chose to flesh out (aka “keeping bad content out”, as he put it).

He also ignored a second follow-up pressing him on how non-users can “stop that data being transferred”.

“On the security side we think it’s important to keep it to protect people in our community,” Zuckerberg said curtly, before turning to his lawyer for a talking point prompt (couched as an ask if there are “any other themes we wanted to get through”).

His lawyer hissed to steer the conversation back to Cambridge Analytica — to Facebook’s well-trodden PR about how they’re “locking down the platform” to stop any future data heists — and the Zuckbot was immediately back in action regurgitating his now well-practiced crisis PR around the scandal.

What was very clearly demonstrated during today’s session was the Facebook founder’s preference for control — that’s to say control which he is exercising.

Hence the fixed format of the meeting, which had been negotiated prior to Facebook agreeing to meet with EU politicians, and which clearly favored the company by allowing no formal opportunity for follow ups from MEPs.

Zuckerberg also tried several times to wrap up the meeting — by insinuating and then announcing time was up. MEPs ignored these attempts, and Zuckerberg seemed most uncomfortable at not having his orders instantly carried out.

Instead he had to sit and watch a micro negotiation between the EU parliament’s president and the political groups over whether they would accept written answers to all their specific questions from Facebook — before he was publicly put on the spot by president Antonio Tajani to agree to provide the answers in writing.

Although, as Collins has already warned MEPs, Facebook has had plenty of practice at generating wordy but empty responses to politicians’ questions about its business processes — responses which evade the spirit and specifics of what’s being asked.

The self-control on show from Zuckerberg today is certainly not the kind of guardrails that European politicians increasingly believe social media needs. Self-regulation, observed several MEPs to Zuckerberg’s face, hasn’t worked out so well has it?

The first MEP to lay out his questions warned Zuckerberg that apologizing is not enough. Another pointed out he’s been on a contrition tour for about 15 years now.

Facebook needs to make a “legal and moral commitment” to the EU’s fundamental values, he was told by Moraes. “Remember that you’re here in the European Union where we created GDPR so we ask you to make a legal and moral commitment, if you can, to uphold EU data protection law, to think about ePrivacy, to protect the privacy of European users and the many millions of European citizens and non-Facebook users as well,” said the Libe committee chair.

But self-regulation — or, the next best thing in Zuckerberg’s eyes: ‘Facebook-shaped regulation’ — was what he had come to advocate for, picking up on the MEPs’ regulation “theme” to respond with the same line he fed to Congress: “I don’t think the question here is whether or not there should be regulation. I think the question is what is the right regulation.”

“The Internet is becoming increasingly important in people’s lives. Some sort of regulation is important and inevitable. And the important thing is to get this right,” he continued. “To make sure that we have regulatory frameworks that help protect people, that are flexible so that they allow for innovation, that don’t inadvertently prevent new technologies like AI from being able to develop.”

He even brought up startups — claiming ‘bad regulation’ (I paraphrase) could present a barrier to the rise of future dormroom Zuckerbergs.

Of course he failed to mention how his own dominant platform is the attention-sapping, app gobbling elephant in the room crowding out the next generation of would-be entrepreneurs. But MEPs’ concerns about competition were clear.

Instead of making friends and influencing people in Brussels, Zuckerberg looks to have delivered less than if he’d stayed away — angering and alienating the very people whose job it will be to amend the EU legislation that’s coming down the pipe for his platform.

Ironically one of the few specific questions Zuckerberg chose to answer was a false claim by MEP Nigel Farage — who had wondered whether Facebook is still a “neutral political platform”, griping about drops in engagement for rightwing entities ever since Facebook’s algorithmic changes in January, before claiming, erroneously, that Facebook does not disclose the names of the third party fact checkers it uses to help it police fake news.

So — significantly, and as was also evident in the US Senate and Congress — Facebook was taking flak from both left and right of the political spectrum, implying broad, cross-party support for regulating these algorithmic platforms.

Actually Facebook does disclose those fact checking partnerships. But it’s pretty telling that Zuckerberg chose to expend some of his oh-so-slender speaking time to debunk something that really didn’t merit the breath.

Farage had also claimed, during his three minutes, that without “Facebook and other forms of social media there is no way that Brexit or Trump or the Italian elections could ever possibly have happened”. 

Funnily enough Zuckerberg didn’t make time to comment on that.

Amazon facial recognition software raises privacy concerns with the ACLU

Amazon hasn’t exactly kept Rekognition under wraps. In late 2016, the software giant talked up its facial detection software in a relatively benign AWS post announcing that the tech was already being implemented by The Washington County Sheriff’s Office in Oregon for suspect identification.

The ACLU of Northern California is shining more light on the tech this week, however, after announcing that it had obtained documents detailing the service, which it believes “raises profound civil liberties and civil rights concerns.”

The documents in question highlight Washington County’s database of 300,000 mug shot photos and a mobile app designed specifically for deputies to cross-reference faces. They also note that Amazon has solicited the county to reach out to other potential customers for the service, including a company that makes body cameras.

“People should be free to walk down the street without being watched by the government,” ACLU attorney Matt Cagle writes in a post tied to the news. “By automating mass surveillance, facial recognition systems like Rekognition threaten this freedom, posing a particular threat to communities already unjustly targeted in the current political climate. Once powerful surveillance systems like these are built and deployed, the harm will be extremely difficult to undo.”

The Washington Post reached out to the county’s public information officer, Deputy Jeff Talbot, in the wake of the report. The deputy told the paper that the technology doesn’t stray too far from existing systems. “Our goal is to inform the public about the work we’re doing to solve crimes,” said Talbot. “It is not mass surveillance or untargeted surveillance.”

Amazon similarly deflected suggestions that the technology is inherently intrusive. “As a technology, Amazon Rekognition has many useful applications in the real world,” the company wrote in a statement to TechCrunch. “And, the utility of AI services like this will only increase as more companies start using advanced technologies like Amazon Rekognition. Our quality of life would be much worse today if we outlawed new technology because some people could choose to abuse the technology. Imagine if customers couldn’t buy a computer because it was possible to use that computer for illegal purposes? Like any of our AWS services, we require our customers to comply with the law and be responsible when using Amazon Rekognition.” 

The birth of the Universal Digital Profile

It is a well-known fact that Europeans are generally more concerned about privacy than people in some other countries. Indeed, we’ve had a history of major privacy breaches that had such catastrophic consequences that it is now part of our culture that personal data should be treated as highly sensitive — something the U.S. is now catching up to in the wake of the Facebook/Cambridge Analytica scandal. The culmination of this is the new EU-wide privacy regulation, the GDPR, which will come into effect on May 25, 2018, and was a hot topic during the recent Zuckerberg testimony.

One key article is the right to personal data portability. In a nutshell, it states that users of a service can request their personal data to be transferred to another provider, without hindrance (read: in the format the other provider requests). This means that if you are no longer happy using a social network, you can switch to another one and have all of your personal data (profile, pictures, messages, posts, likes…) sent to the new provider. It’s the same idea as being able to keep your phone number when you change carrier, but applied to all of your personal data.

Although the definition of what constitutes your personal profile is still being debated (is it just the data you uploaded, or all the data that was derived from it? Does it include metadata?), it is safe to say that a big part of your online identity will soon be transferable across multiple providers.

As these data transfer requests become more and more common, companies will necessarily want to minimize the effort it takes to comply. The only logical thing to do to avoid having to convert data into each provider’s format is to eventually agree on standardized formats for personal data and APIs used to access them. Our messages, social networks, location data, images, purchase history, music listening history and everything else will become standardized, just like our email or calendars have been for decades.

Consumers will eventually realize that the profiles they spent time creating can be reused without effort elsewhere. They will start treating their profiles as a shared resource amongst all providers that need similar information. For example, if you uploaded your ID on a website to be verified, you would be able to reuse that already verified profile elsewhere, removing the need to resend your info and wait for confirmation (if you tried to get your account validated on a crypto exchange recently, you know what I am talking about!).

Having a single, transferable user profile would be very similar to what Facebook does with the Facebook Connect button, but with one huge difference: Facebook would have no say in which company can or cannot access the user profile, and what they can do with it. There would be no more personal data lock-in, and no more legal terms and conditions shenanigans. As a user, I would decide who gets access to what and for what.

As this Universal Digital Profile (UDP) starts becoming mainstream, an entire new economy will emerge, from personal data clouds to personal identity aggregators or data monetization platforms. All those ideas that have been floating around for years but couldn’t be scaled due to a lack of interoperability will finally come to life.

This is a major deal for the internet, and for European citizens. It’s by far one of the most profound impacts of the GDPR on our digital lives and on our digital freedom of movement. Let’s just hope that it won’t be limited to Europeans, and that companies across the globe will adopt this idea so we can Make Internet Great Again!

Comcast is leaking the names and passwords of customers’ wireless routers

Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the wi-fi name and password via the company’s Xfinity internet activation service.

Security researchers Karan Saini and Ryan Stevenson reported the issue to ZDNet.

The site is meant to help people setting up their internet for the first time: ideally, you put in your data, and Comcast sends back the router credentials while activating the service.

The problem is threefold:

  1. You can “activate” an account that’s already active
  2. The data required to do so is minimal and it is not verified via text or email
  3. The wireless name and password are sent on the web in plaintext

This means that anyone with your account number and street address number (e.g. the 1425 in “1425 Alder Ave,” no street name, city, or apartment number needed), both of which can be found on your paper bill or in an email, will instantly be given your router’s SSID and password, allowing them to log in and use it however they like or monitor its traffic. They could also rename the router’s network or change its password, locking out subscribers.
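A minimal model of the activation flow described above, next to one way to close the three gaps. This is an added example, not Comcast's code: the account records, function names and the `send_code` callback are all hypothetical.

```python
import hashlib
import hmac
import secrets

ACCOUNTS = {  # constructed sample records; every value is made up
    "1000000000000001": {"house": "1425", "active": True, "contact": "+1-555-0100",
                         "ssid": "HOME-EXAMPLE-1", "wifi_password": "constructed-pass-1"},
    "1000000000000002": {"house": "77", "active": False, "contact": "+1-555-0101",
                         "ssid": "HOME-EXAMPLE-2", "wifi_password": "constructed-pass-2"},
}
_pending = {}  # account number -> SHA-256 of the outstanding one-time code


def _lookup(account, house):
    """Return the record only if both bill-derived identifiers match."""
    rec = ACCOUNTS.get(account)
    if rec and hmac.compare_digest(rec["house"].encode(), house.encode()):
        return rec
    return None


def activate_weak(account, house):
    """The reported behaviour: bill data alone yields the Wi-Fi credentials."""
    rec = _lookup(account, house)
    return {"ok": True, "ssid": rec["ssid"],
            "wifi_password": rec["wifi_password"]} if rec else {"ok": False}


def start_activation(account, house, send_code):
    """Hardened step 1: refuse active accounts, then verify out of band."""
    rec = _lookup(account, house)
    if rec is None:
        return {"ok": False, "error": "not_found"}
    if rec["active"]:  # problem 1: an active account cannot be re-activated
        return {"ok": False, "error": "already_active"}
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[account] = hashlib.sha256(code.encode()).hexdigest()
    send_code(rec["contact"], code)  # problem 2: code goes to the contact on file
    return {"ok": True, "next": "enter_code"}


def finish_activation(account, code):
    """Hardened step 2: single-use code; the response carries no credentials."""
    expected = _pending.pop(account, None)  # a wrong guess consumes the code
    supplied = hashlib.sha256(code.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        return {"ok": False, "error": "bad_code"}
    ACCOUNTS[account]["active"] = True
    return {"ok": True}  # problem 3: SSID and password are never sent back
```

In the hardened flow the subscriber reads the default credentials from the device itself or sets new ones locally, so the web response never needs to contain them.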

This only affects people who use a router provided by Xfinity/Comcast, which comes with its own name and password built in. The site also returns custom SSIDs and passwords, though, since they’re synced with your account and can be changed via app and other methods.

What can you do? While this problem is at large, it’s no good changing your password — Comcast will just provide any malicious actor the new one. So until further notice all of Comcast’s Xfinity customers with routers provided by the company are at risk.

One thing you can do for now is treat your home network as if it is a public one — if you must use it, make sure encryption is enabled if you conduct any private business like buying things online. What will likely happen is Comcast will issue a notice and ask users to change their router passwords at large.

Another is to buy your own router — this is a good idea anyway, as it will pay for itself in a few months and you can do more stuff with it. Which to buy and how to install it, however, are beyond the scope of this article. But if you’re really worried, you could conceivably fix this security issue today by bringing your own hardware to the bargain.

I’ve contacted the company for comment and will update when I hear back.

Most GDPR Emails Unnecessary and Some Illegal, Say Experts

The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week. From a report: Many companies, acting based on poor legal advice, a fear of fines of up to $23.5 and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing. But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.

Where to watch Zuckerberg’s meeting with EU MEPs on Tuesday

The Facebook founder Mark Zuckerberg’s meeting with elected representatives of the European Union’s ~500 million citizens will be livestreamed after all, it was confirmed today.

MEPs had been angered by the original closed door format of the meeting, which was announced by the EU parliament’s president last week. But on Friday a majority of the political groups in the parliament had pushed for it to be broadcast online.

This morning president Antonio Tajani confirmed that Facebook had agreed to the 1hr 15 minute hearing being livestreamed.

A Facebook spokesperson also sent us this short statement today: “We’re looking forward to the meeting and happy for it to be live streamed.”

When is the meeting?

The meeting will take place on Tuesday May 22 at 18.15 to 19.30CET. If you want to tune in from the US the meeting is scheduled to start at 9.15PT /12.15ET.

Tajani’s announcement last week said it would start earlier, at 17.45CET, so the meeting appears to have been bumped on by half an hour. We’ve asked Facebook whether Zuckerberg will meet in private with the parliament’s Conference of Presidents prior to the livestream being switched on and will update this story with any response.

Where to watch it online?

According to Tajani’s spokesperson, the meeting will be broadcast on the EU parliament’s website. At the time of writing it’s not yet listed in the EPTV schedule — but we’re expecting it to be viewable here.

Who will be meeting with Zuckerberg?

The Facebook founder will meet with EU parliament president Tajani, along with leaders of the parliament’s eight political groups, and with Claude Moraes, the chair of the EU parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee.

It’s worth noting that the meeting is not a formal hearing, such as the sessions with Zuckerberg in the US Senate and Congress last month. Nor is it a full LIBE committee hearing — discussions remain ongoing for Facebook representatives to meet with the full LIBE committee at a later date.

What will Zuckerberg be asked about?

In the wake of the Cambridge Analytica data misuse scandal, MEPs are keen to discuss concerns related to social media’s impact on election processes with Zuckerberg.

Indeed, the impact of online disinformation spread via social media is also the topic of an ongoing enquiry by the UK parliament’s DCMS committee, which spent some five hours grilling Facebook’s CTO last month. Although Zuckerberg has thrice declined the committee’s summons — preferring to meet with EU parliamentarians instead.

Other topics on the agenda will include privacy and data protection — with Moraes likely to ask about how Facebook’s business model impacts EU citizens’ fundamental rights, and how EU regulations might need to evolve to keep pace, as he explained to us on Friday.

Some of the political group leaders are also likely to bring up concerns around freedom of expression as pressure in the region has ramped up on online platforms to get faster at policing hate speech.