Privacy

Google has delayed its plan to block third-party cookies from its Chrome internet browser. These are cookies that track and analyse users' internet activity and allow digital publishers to target advertising.

They are already blocked by a number of Google's rivals, including Apple, Microsoft and Mozilla.

Google was intending to replace third party cookies which allow subscribing companies to analyse people's browsing with a system whereby only Google did the analysis and they passed on the resulting summary of user's interests to advertisers in a supposedly anonymised format. Google clled this scheme The Federated Learning of Cohorts, or Floc.

But critics say Google's ban forces ad sellers to go direct to the tech giant for this information gave it an unfair market control advantage. Google's proposals are already under investigation by the UK Competition and Markets Authority (CMA) which investigates monopolies.

Google's cookie ban had been planned for 2022, but has now been put back until 2023. In a blog , Vinay Goel, privacy engineering director for Google's Chrome browser said:

It's become clear that time is needed across the ecosystem in order to get this right.

Farhad Divecha, founder of digital marketing agency AccuraCast, said the delay was good news for his industry. He said:

We welcome this delay and only hope that Google uses this time to consult with the CMA as well as different parties that will be affected by the changes, including advertisers, agencies, publishers, and ad-tech and tracking solutions providers.

Irish police are to be given powers to demand people's passwords for electronic devices when carrying out a search warrant under new legislation.

The change is part of the Garda Síochána Bill published by Irish Injustice Minister Heather Humphreys. She said:

The aim is to create a system that is both clear and straightforward for gardaí to use and easy for people to understand what powers gardaí can use and what their rights are in those circumstances.

Special measures will be introduced for suspects who are children and suspects who may have impaired capacity.

To Members of Parliament: end-to-end encryption keeps us safe

68 million of your constituents are at risk of losing the most important tool to keep them safe and protected from cyber-criminals and hostile governments.

End-to-end encryption means that your constituents' family photographs, messages to friends and family, financial information, and the commercially sensitive data of businesses up and down the country, can all be kept safe from harm's way. It also keeps us safer in a world where connected devices have physical effect: end-to-end encryption secures connected homes, cars and children's toys. The government should not be making those more vulnerable to attack. The draft Online Safety Bill contains clauses that could undermine and in some situations even prohibit the use of end-to-end encryption, meaning UK citizens will be less secure online than citizens of other democracies. British businesses operating online will have less protection for their data flows in London than in the United States or the European Union. Banning end-to-end encryption, or introducing requirements for companies to scan the content of our messages, will remove protections for private citizens and companies' data. We all need that protection, but children and members of at-risk communities need it most of all.

Don't leave them exposed.

With more people than ever before falling prey to criminals online, now is not the time for the UK to undertake a reckless policy experiment that puts its own citizens at greater risk. We, the undersigned, are calling on the Home Office to explain how it plans to protect the British public from criminals online when it is taking away the very tools that keep the public safe. If the draft Online Safety Bill aims to make us safer, end-to-end encryption should not be threatened or undermined by this legislation.

Sincerely,

• ARTICLE 19*
• Association for Proper Internet Governance
• Big Brother Watch*
• Bikal
• Blacknight*
• CCAOI*
• Centre for Democracy and Technology*
• Coalition for a Digital Economy (COADEC)
• Defenddigitalme
• Derechos Digitales*
• Digital Rights Watch*
• eco 203 Association of the Internet Industry*
• English PEN
• Global Partners Digital*
• Internet Governance Project, Georgia Institute of Technology*
• Internet Society*
• Internet Society Ghana Chapter*
• Internet Society Hyderabad Chapter*
• Internet Society UK England Chapter*
• Mega Limited*
• New America's Open Technology Institute*
• Open Rights Group*
• Paradigm Initiative (PIN)*
• Praxonomy*
• Privacy International*
• Prostasia Foundation*
• Riana Pfefferkorn, Research Scholar, Stanford Internet Observatory
• Simply Secure*
• Statewatch
• techUK
• The Tor Project*
• Tresorit*
• Tutao GmbH 203 Tutanota*

*Members of the Global Encryption Coalition

Court documents show Google admits privacy is almost impossible on Android

Last year, the Arizona Attorney General's office filed a lawsuit against Google, accusing the tech giant of unlawfully collecting Android users' location data, even for users that have opted out. Last week, a judge ordered Google to unredact some sections of documents submitted in court.

The documents revealed not only Google's objectionable data collection policies, but also its employees admitting the policies are confusing and should be changed. Documented employee comments include:

So there's no way to give a third party app your location and not Google? This doesn't sound like something we would want on the front page of the [New York Times.]

Even after a user turned off location in the settings, Google still collects location data, the unredacted documents revealed.

In fact Google tested versions of its OS that made privacy settings easy to find. It saw the popularity of those settings as a problem and solved the problem by burying the settings deeper in Android's settings menu, and even pressured phone manufacturers, such as LG, to make those settings harder to find.

Joe Biden's government is reportedly planning to reverse its current privacy policy and snoop on members of its own military by monitoring political opinions they express on social media.

In the past, this type of surveillance was not used out of fear that it might infringe on service members' First Amendment rights, but now that the Biden administration is making combating domestic extremism one of its main narratives, that is changing.

According to The Intercept , which said it had access to relevant internal Defense Department documents and spoke to a source with direct knowledge, a pilot program is in the works to continuously screen behavior on social media of the members of the military, looking for any concerning signs, in the context of opinions espousing domestic extremism.

According to the same source, the Pentagon plans to outsource this job to a private surveillance company -- most likely Babel Street -- and thus bypass the First (and Fourth) Amendment.

A secretive international standards committee (which won't reveal its members but which appears to be made up exclusively of corporate and government representatives) is currently putting the finishing touches on a proposed interoperable global standard for what it calls mobile driver's licenses, or mDLs. The association representing U.S. DMVs is moving to implement that standard, as are federal agencies such as DHS and the TSA.

But the licenses we would get under this standard are not built to include airtight privacy protections using the latest cryptographic techniques. They are not built primarily to give individuals greater control over their information, but to advance the interests of major companies and government agencies in inescapably binding people to identity documents so they can be definitively identified online and off. It's vital that we only accept a system with the strongest possible privacy protections, given all the potential ways that mDLs could expand.

When Apple released iOS 14.5 late last month, it began enforcing a policy called App Tracking Transparency. iPhone, iPad, and Apple TV apps are now required to request users' permission to use techniques like IDFA (ID for Advertisers) to track those users' activity across multiple apps for data collection and ad targeting purposes.

The change met fierce resistance from companies like Facebook, whose revenue streams are built on leveraging users' data to target advertising. Facebook went so far as to take out full-page newspaper ads claiming that the change would not just hurt Facebook but would destroy small businesses around the world.

Nonetheless, Facebook and others have complied with Apple's new rule to avoid being rejected from the iPhone's App Store.

A company called Flurry Analytics, which claims to be used in more than one million mobile apps, has reported that US Apple users agree to be tracked only 4% of the time. The global number is significantly higher at 12%, but that's well below the hopes of advertising companies who were rather hoping that 40% of users would allow snooping.

The EU Commission has welcomed a political agreement between the European Parliament and the Council on the proposed interim legislation regarding the detection of child sexual abuse online by communications services. This legal adjustment was urgently needed to give certain online communications services such as webmail and messaging services legal certainty in their voluntary measures to detect and report child sexual abuse online and to remove child sexual abuse material, as such services fell under the e-Privacy Directive as of 21 December 2020. The new Regulation will provide guarantees to safeguard privacy and protection of personal data. The voluntary measures play an important role in enabling the identification and rescue of victims and reducing the further dissemination of child sexual abuse material, and contribute to the identification and investigation of offenders as well as the prevention of offences.

The rules agreed today have a narrow scope: they will create a temporary and strictly limited derogation concerning the voluntary detection activities of the online communication services. The main elements of today's agreement include:

• A definition of child sexual abuse online in line with the existing EU rules on child sexual abuse , including content constituting child sexual abuse material and solicitation of children.

• Complaint mechanisms so that content that has been removed erroneously can be reinstated as soon as possible.

• Human oversight for any processing of personal data including, where necessary, human confirmation before reporting to law enforcement authorities or organisations acting in the public interest.

• Guarantees to protect privacy : Service providers will have to ensure that the technologies they use to detect child sexual abuse online are the least privacy-intrusive.

• Data protection safeguards: Service providers will have to consult with data protection authorities on their processing to detect and report child sexual abuse online and remove child sexual abuse material. The European Data Protection Board will also be asked to publish guidelines to assist the relevant authorities in assessing compliance with the General Data Protection Regulation of the processing in scope of the agreed Regulation.

• The Commission will have to establish a public register of organisations acting in the public interest against child sexual abuse, with which providers of online communications services can share personal data resulting from the voluntary measures.

• Transparency and accountability to be supported by annual transparency reports.

• A 3-year limit on the application of the Regulation, allowing time for the adoption of long-term legislation in this area.

The Regulation must now be formally adopted by the European Parliament and the Council.

This interim Regulation will cease to apply at the latest 3 years from its application. As announced in the EU Strategy for a more effective fight against child sexual abuse and in the Commission Work Programme for 2021 , the Commission will propose later this year new comprehensive legislation with detailed safeguards to fight child sexual abuse online and offline. These long-term rules will be intended to replace the interim legislation agreed today.

The music streaming service Spotify has files a disgraceful patent to use artificial intelligence for emotional surveillance and manipulation, spying on our conversations and using the sound of our voices to target you with ads and music to keep you on the platform.

Imagine telling a friend that you're feeling depressed and having Spotify hear that and algorithmically recommend music that matches your mood to keep you depressed and listening to the music they want you to hear.

Digital rights organization Access Now sent a letter to Spotify explaining that such a practice would be deeply invasive and could expose Spotify users to security threats from stalkers or government surveillance. It could also disproportionately harm trans people and be used to emotionally manipulate all of us. Emotion recognition software is largely seen as racist pseudoscience , it's disgusting that Spotify is even considering using such a technology to extract data and profit from music listeners. And it's horrifying to think about what kind of impact this could have on independent artists and creators, when music is promoted based on surveillance rather than artistry.

The Biden administration is considering using outside firms to track social media chatter by Americans online, an effort that would expand the government's ability to gather intelligence but could draw criticism over surveillance of US citizens.

The Department of Homeland Security (DHS) is legally limited in how it can monitor citizens online without justification and is banned from activities like assuming false identities to gain access to private messaging apps used by extremist groups. Instead, federal authorities can only browse through unprotected information on social media sites like Twitter and Facebook and other open online platforms. A source familiar with the effort said it is not about decrypting data but rather using outside entities who can legally access these private groups to gather large amounts of information that could help DHS identify key narratives as they emerge.

The plan being discussed inside DHS, according to multiple sources, would, in effect, allow the department to circumvent those limits. The DHS has denied the claim saying it is not partnering with private firms to surveil suspected domestic terrorists online and it is blatantly false to suggest that the department is using outside firms to circumvent its legal limits.

However the DHS statement  said that the department has considered partnering with research firms who have more visibility in this space, though it has not done so to this point. If that ultimately happens, DHS could produce information that would likely be beneficial to both it and the FBI, which can't monitor US citizens in this way without first getting a warrant or having the pretext of an ongoing investigation.

An Australian Federal Court has found that Google misled consumers about personal location data collected through Android mobile devices between January 2017 and December 2018.

The complaint was brought by the Australian Competition and Consumer Commission.

The Court ruled that when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the Location History setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting titled Web & App Activity also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.

The Court also found that when consumers later accessed the Location History setting on their Android device during the same time period to turn that setting off, they were also misled because Google did not inform them that by leaving the Web & App Activity setting switched on, Google would continue to collect, store and use their personally identifiable location data.

The Court also found that Google's conduct was liable to mislead the public.

The ACCC is now seeking declarations, pecuniary penalties, publications orders, and compliance orders. This will be determined at a later date. In addition to penalties, the ACCC is seeking an order for Google to publish a notice to Australian consumers to better explain Google's location data settings in the future.