Category: Social Network Platform

Practical difficulties of the GDPR – the ‘right to be forgotten’ applied to online social platforms

Of all the legal challenges that the GDPR will present for businesses in general, I would like to address in this post the issues raised by its implementation with regard to social network platforms, which are quite popular nowadays.

Article 17 of the GDPR establishes the ‘right to erasure’, or the right to be forgotten, as it has come to be referred to, which gives data subjects the right to require data controllers to erase the personal data they hold about them, and places on the controller the corresponding obligation to comply with that request, without undue delay, when certain conditions are fulfilled.

Considering that infringing the ‘right to erasure’ may lead to the application of significant economic sanctions, there is the risk that social platforms will be tempted to adopt a preventive approach by complying with all deletion requests, regardless of their validity, thus erasing content on unfounded grounds. This is particularly worrisome because it may directly lead to the suppression of free speech online. Consequently, online businesses are not and should not be deemed competent to make any assessment of the legitimacy of such claims, a point that I have already tried to make here.

While it seems that a notice and take down mechanism is envisaged, without much detail being provided as to its practical enforceability, a particular issue in this context is the one related to the entities on which such an obligation falls. Indeed, the obligation to implement the ‘right to be forgotten’ can only be required from those who qualify as data controllers.

As data controllers are defined as the entities who determine the purposes and means of the processing of personal data, it is not clear whether online social platform providers can be defined as such.

Considering the well-known Google Spain case, it is at least certain that search engines are deemed to be controllers in this regard. As you may certainly remember, the CJEU ruled that individuals, provided that certain prerequisites are met, have the right to require search engines, such as Google, to remove certain results about them that are presented following a search based on a person’s name.

That said, it is questionable whether hosting platforms and online social networks focused on user generated content, as is the case of Facebook, qualify as such, considering that the data processed depends on the actions of the users who upload the relevant information. Therefore, the users themselves qualify as controllers. The language of Recital 15 of the GDPR about social networking is inconclusive in this regard.

The abovementioned Recital provides as follows:

This Regulation should not apply to processing of personal data by a natural person in the course of a purely personal or household activity and thus without a connection with a professional or commercial activity. Personal and household activities could include correspondence and the holding of addresses, or social networking and on-line activity undertaken within the context of such personal and household activities. However, this Regulation should apply to controllers or processors which provide the means for processing personal data for such personal or household activities.

This is not an irrelevant issue, though. In practice, it will amount to enabling someone to require and effectively compel Twitter or Facebook to delete the information about her/him despite its being provided by others.

And considering that any legal instrument is only as efficient in practice as it is capable of being enforced, the definition of who is covered and ought to comply with it is unquestionably a paramount element.

As I remember reading elsewhere – I fail to remember where, unfortunately – one wondered if the intermediary liability as foreseen in the e-Commerce Directive would be an appropriate mechanism for the enforcement of the right to erasure/right to be forgotten.

Articles 12-14 of the e-Commerce Directive indeed exempt information society services from liability under specific circumstances, namely when they act as a ‘mere conduit’ of information, or engage in ‘caching’ (the automatic, intermediate and temporary storage of information), or when ‘hosting’ (i.e., storing information at the request of a recipient of the service).

Article 15 establishes the absence of any general duty on online intermediaries to monitor or actively seek facts indicating illegal activity on their websites.

Taking into account the general liability of online intermediaries foreseen in the e-Commerce Directive (Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market), a particular distinction will perhaps apply according to the level of ‘activity’ or ‘passivity’ of the platforms in the management of the content provided by their users.

However, this liability does not fully clarify the extent of the erasure obligation. Will it be proportionate to the degree of ‘activity’ or ‘passivity’ of the service provider with regard to the content?

Moreover, it is not clear how both regimes can be applied simultaneously. While the GDPR does not refer to any notice and take down mechanism and expressly states that its application is without prejudice to the e-Commerce Directive liability rules, the fact is that the GDPR only establishes the ‘duty of erasure’ for controllers. As the intermediary liability rules require accountability for the activities of third parties, this is a requirement not easy to overcome.

Thus considering, the most awaited GDPR hasn’t entered into force yet but I already cannot wait for the next chapters.

The not so privacy orientated new privacy policy of Facebook

Am I really in charge?


Following all the criticism regarding the complexity of its terms of service and privacy policy, and allegedly in order to get more people actually reading and understanding the terms which must be agreed on for the use of the service, Facebook has announced, last month, an update (yes, again) of this privacy policy. But this time it is a visually clearer, shorter, linguistically simplified and more understandable version. If you have a Facebook user account, you certainly have already received a notification regarding this update, which will enter into force on the 1st January 2015.

In a section entitled ‘Privacy Basics’, users are told how to control what is to be shown to others, how they might interact with others and what may be shown in their news feed, how to control the visibility of their profile, and how to deactivate or delete their account. This new policy even includes a childlike assistant to guide users through these explanations.

On the terminological side, ‘public information’, which was previously defined as “the information you choose to make public, as well as information that is always publicly available“, is now defined as “any information you share with a public audience, as well as information in your Public Profile, or content you share on a Facebook Page or another public forum”.

However, not much changes, actually. Indeed, this more user friendly appearance does not really give users more control over their data. In fact, it does not give much. Users might control their data regarding others but Facebook and its commercial partners are certainly not included in the concept of ‘others’. The reading of the data policy regarding the type of data which is collected and the use of such data is quite self explanatory in this regard.

To be sure, the users’ settings haven’t been changed. Nevertheless, on a positive note, the user gets now to better understand how Facebook tracks its users. For instance, it is specified that Facebook may collect location information from users on its mobile apps through GPS, Bluetooth or WiFi networks.

In this regard, although users can decline or opt out of sharing information with third party applications or for targeted advertising purposes, which are based on their browsing habits off of the network, they have no control regarding the information that is collected and shared. To be true, no changes were made regarding how much data Facebook collects from its users.

In fact, Facebook has full access to all the information made available about its users, both provided by users themselves while updating their profiles and by their friends. Moreover, Facebook can use this information, namely to provide and develop its Services (yes, with a capital letter) and to promote and evaluate successful advertising. Unless the user is entirely disconnected from the platform, as it does not suffice to close the tab, Facebook is therefore able to access all information provided in websites or applications which use its Services, gathering data on websites visited by its users and their behaviour on those websites. This will be, for instance, the case of Instagram or Whatsapp.

Likewise, as Facebook now accepts payments to be made on the platform, it can use information people share regarding their purchases and financial transactions to better target advertisements. For example, according to the update, the company collects information on each purchase, including payment information such as credit or debit card data, account authentication information, billing, shipping, and contact details. In addition, users are not given the option to control what information is being used for advertising purposes.

Furthermore, users can customize their ads preferences in order to make the advertisements which are shown to them more relevant. Therefore, a user will be able to decide whether or not to see advertisements based on a particular interest. While most users may appreciate this new option, the main beneficiary is ultimately Facebook itself, as it allows advertisers to differentiate between successful and irrelevant ads. However, it must be noted that users will still not be able to control the data collection resulting from targeted advertising, but only to control how much targeted advertising is presented to them.

What is more, Facebook continues to get location information in order to allegedly present more relevant information regarding, for instance, friends or restaurants nearby. As you may know already, if you at some point read the previous version of the terms of service, advertisements were usually presented based on the location listed in a user’s profile. Facebook now proposes to enable advertisers to target users based on their actual location.

Thus said, Facebook has always been associated with issues regarding its privacy policy and terms of service, which were always deemed to be too complex for the common user. However, I believe that this complexity was not the main cause why most of its users are not aware of the use purposes of their data. My experience tells me that, disregarding how simple they are, and contrary to their best interests, not many people will actually read any terms and conditions of any service. Similarly, these updates on the terms and conditions will certainly not be read by many. And for those who will, it will surely not make them turn away from the social platform.

Facebook is already a very relevant part of its users’ lives, businesses and online interactions. Perhaps most users have accepted that, beyond being a space where friends and family can interact, it is primarily a business intended to deliver effective advertisements by using the information provided by its users. Or perhaps people just don’t care.

Nevertheless, it must be noted that the consent given by users does little for their privacy. Individual consent is rarely exercised as a meaningful choice. And by ‘meaningful’ I mean with awareness and understanding of the implications and consequences of their consent.

Either way, the outcome is as follows: while people continue to use Facebook to interact with their family and friends, Facebook is not the product. Users are.

The Snappening: the new hacking in town

Oh snap!


Digital privacy is once again in the spotlight due to rumours that emerged last week of a widespread hack of Snapchat accounts. The incident, which has already been dubbed ‘The Snappening’, has allegedly allowed a massive collection of thousands of both random and intimate Snapchat pictures and videos.

Vaguely reminiscent of the iCloud security breach Celebgate, right?

Well, indeed, thousands of private pictures and videos are said to have recently been published on the notorious 4chan message board and the online forum Reddit, the same places where hackers published the stolen iCloud pictures of nude celebrities this past summer.

Except, in this case, it is not about pictures and videos of female celebrities which would never have made it to the public eye if it wasn’t for the obvious gender directed attack.

Instead, the pictures have been intentionally sent by the people they concern to others through the Snapchat mobile application. And, more grievously, it might involve a vast majority of underage individuals.

For those who are less technologically aware, Snapchat is a mobile application which allows users to send personalised and draw-on messages to others, with the promise of an instant and automatic deletion of images, pictures and videos within seconds after having been watched by the receiver.

It is like in those Hollywood movies where the message would self destroy in five or ten seconds. How enigmatic!

One romantic viewpoint of the application is that the ephemerality of the content is deemed to make it more treasured and valued and, consequently, to make people more attentive to it.

On the pragmatic side, it is also quite obviously intended that no record of the content will ever be kept and that, once self deleted, it won’t ever surface again.

Nevertheless, I fail to understand how someone could trust that the information sent would be secure just because it couldn’t be saved. In my opinion, the whole concept was a pure illusion. In fact, it would suffice to take a screenshot of an image within a phone before it would expire or to use another camera to capture a Snapchat screen and the receiver would be able to make the moment last forever.

Anyway, the overall effect is that the promise of instant and short lasting content has made the application particularly popular among teenagers, who represent the vast majority of its users base. And, therefore, the main concern is that the collection might, in parallel to random content, involve pictures and videos which would legally be considered child pornography.

Although Snapchat has faced security problems before, it seems that, this time, the incident is due to the use of a third-party website which allows users to store and catalogue snaps that would otherwise be deleted.

Indeed, the data has apparently been obtained through a third-party website, Snapsaved.com, which allows Snapchat users to use the service on a desktop computer, rather than just on a mobile phone. By getting a user’s login details, such as username and password, the website could access Snapchat’s servers. Therefore, it was able to access and store the shared information, thus circumventing Snapchat’s most famous feature, instantaneous deletion.

Therefore, its users were able to save photos sent to them via Snapchat without the sender’s knowledge. Not too comforting, I suppose…

Snapchat was quick at issuing a statement according to which the scenario of a security breach of its servers was absolutely rejected:

We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.

As we can see, it made very clear that the privacy of Snapchat users could have been compromised with the use of a third-party application, which is an expressly prohibited practice in its Terms of Use.

In other words, according to the issued statement, if the victims have used a third-party application, they are solely responsible for having suffered a hacking attack.

Does this victim-blaming sound familiar?

Anyway, although Snapchat is technically correct when it points out that the security of its own servers was not compromised, it conveniently failed to address the real issue at stake.

I am far from being a geek but I cannot help but wonder, for instance, why do these third-party applications and websites succeed in having access to the content shared through Snapchat? What is the company doing in order to prevent the connection of these applications to its own?

Snapchat conveniently dodged the very relevant issue that is: even those users that share messages by means of the real Snapchat application are at risk because it is not possible for the sender to ascertain if the receiver is using the official Snapchat application or a third-party one.

So it is all good when Snapchat blames users who use a third-party unauthorized service; but what about all the users that are unwittingly communicating with friends who use those services? Are they to blame as well? Or should we consider that, in a globally sharing world, they shouldn’t be sharing anything in the first place?

According to Snapchat’s own statement, it seems to consider that users should envisage the possibility and perhaps expect that the receiver is able to save the pictures, namely by using a third-party service.

While this is quite unfortunate from a marketing perspective, it is also deeply hypocritical. The whole point of making pictures disappear, besides the romantic vision of ephemerality, is to make the sharing safer.

I am fully aware that Snapchat’s Terms of Use mention the limitations of its technology, stating that services are provided “as is” without warranties of any kind regarding its security. But were most of its users – children and teenagers – equally aware? Besides, is it enough to state that an application is not entirely safe? Shouldn’t users be informed about how weak it is regarding their privacy? After all, it is sufficient to download one of the many readily available third-party applications in order to be able to save incoming messages indefinitely without the sender’s knowledge.

It is without any doubt that a security flaw exists within Snapchat’s product, which cannot be ignored and for which Snapchat is responsible.

Currently, there are very few credible sources of information and most are anonymous. Many believe this whole story to be a hoax, arguing that the photos that were being spread on 4chan were images that had already leaked online. On Reddit, some of those who claim to have downloaded the photos in the Snappening hack shared their disappointment regarding the mundane nature of the pictures. No surprise here. We can always rely on internet to destroy any remaining bits of faith in humanity. Others claim that a vast amount of the content qualifies as child pornography.

Disregarding if an actual hack took place or not, this ephemeral messaging application raises serious and longstanding concerns.

It is an unfortunate reminder that privacy violations of social networks’ users may occur, through the use of third-party services, even if a company’s servers are not directly attacked.

Furthermore, it brings into the spotlight issues of internet navigation knowledge, software usability and social media literacy.

Last but not least, the exposure of children and underage individuals to the risks of online privacy and security breaches outlines their vulnerabilities in an increasingly technology-based social networking world.

Ello! Here to stay?

Ello, the new kid on the social networks' block.


It must come as a surprise, as I am writing openly on a blog, but I am not the most sociable person in this online world. In fact, my online interactions are mainly limited to an increasingly left aside Facebook account, some comments written here and there in blogs posts or news that particularly interest me and this recently created blog.

Regarding Facebook, I don’t log in as often as I used to. And truth is I find it less interesting with each visit due to the ad-filled pages and the endless requests from friends to play games. Not only am I trying to spend more time offline, but I also find the whole concept of sharing (showing off?), following, liking and commenting on bits of other people’s lives very tiring at times. I recognise that this is mostly due to bad management of my account. As I realized recently, I don’t even know 90% of my friends that well and I honestly couldn’t care less about their lives, worries or interests.

However, it is an undeniable source of feedback on the most various subjects, through the specific groups and communities created. Moreover, it has enabled me to find lost friends and to keep in touch with friends and family members living abroad, without having to spend hours on the phone or Skype. In that context, it makes it possible for people to share moments and to be part of each other’s lives in a way that would be very difficult otherwise. Besides, it has allowed me to get to know better people with whom I wasn’t that close, making me grow fonder of them or, instead, killing any good impression I might have once had.

Nonetheless, I am more and more driven to more traditional means of communication, for instance gathering and talking. I intend to spend only meaningful time online, namely engaging in rewarding conversations with people who share the same interests as me.

So, when I first heard about the new social networking platform everybody was talking about, Ello, my first question was: what is the point of it? My second thought was: it won’t last. The history of social networks is full of unsuccessful chronicles: Friendster, MySpace, Diaspora or AppleSeed, just to mention a few. The secret for Facebook lasting so long is its most relevant feature: one can actually find almost everybody there and it feeds people’s curiosity and egocentric tendencies.

In Ello’s current Beta phase, you have to receive an invitation from a registered user in order to access the platform and each user can only send up to five invitations. This not only compels users to carefully select future friends but it avoids as well a sharp and fast expansion of the network which would threaten its normal management. However, it will be just a matter of time for it to lose its restricted nature…

Having received an invitation to join Ello, I succumbed to curiosity and created an account… just to see what the fuss was all about! I was not looking for another social network to be in but I was willing to replace Facebook with one platform that would allow me the same benefits without being so annoying.

Regarding the registration act itself, I must point out that identical user-names are not allowed. When I tried to use my real name, it was rejected, both in the integral and partial version of it, because someone else had taken it previously. As a result, I had no option but to pick a pseudonym. I would have preferred to use my real name, regardless of the fact that it might bring identity confusions.

The direct consequence of this is that, if someone wants to add a friend, he or she needs to know what his or her username is. The use of pseudonyms made up just for the registration act makes it difficult to find friends on the platform. On the bright side, it certainly helps to keep undesirable wannabe friends away. But it is nevertheless ironic, considering all the buzz surrounding Facebook’s real names policy, which affected people preferring to adopt pseudonyms. While I don’t believe that Facebook’s policy is unrelated to the recently announced ad network Atlas (which I will address in a future post), I must say that I am not convinced either by Ello’s policy. Google Plus, for instance, had a similar policy and dropped it. However, the same policy regarding user-names is successfully applied in Twitter or Instagram…

Anyway, what is Ello really about? Well, as any other social network platform, it is intended to enable the connection and the sharing of content among users. However, it comes with the promise that users’ data won’t be sold for marketing purposes and paid advertising won’t be allowed.

Regarding the design itself I wasn’t expecting anything special, really. As long as it wasn’t bluish, I would be flexible. I enjoyed the monochrome concept; however I have found the design exaggeratedly minimalist and not very user-friendly. Somehow, knowing that it has been created by artists and designers, I was expecting more creativity.

One feature that struck me negatively is that all the information displayed in each profile is public within the website’s community. Of course, I am fully aware that Facebook itself is far from being the gatekeeper of privacy or a paradigm for any other value. It suffices to remember the sneaky privacy changes or the ones made to please the users, the experiment conducted on users data, and the removal of campaign post-mastectomy photographs or pictures of women breastfeeding considered obscene. More recently, there is the polemic ad network called Atlas. But, I mean, it is a business and profit is its aim. No surprise there. As it is commonly said: if you are not paying for it, you are the product. Proper information and transparency on how, what and why things are done are, in my opinion, the main issues. Nevertheless, I enjoy the apparent privacy regarding the ability to share information among a pre-selected group of friends.

On Ello, users can unilaterally add ‘friends’ (as for acquaintances whose lives they are interested in) and ‘noise’ (as for random popular users) who may be followed through a newsfeed-like menu. It is fairly easy for users to delete their Ello account if they want to opt out of the service. However, one must be aware that it is an irrevocable action and the content will be lost forever. So dramatic!

In a ‘wtf’ section, one can find some elements intended to introduce Ello to the new user. In this regard, its manifesto is quite engaging as it reads as follows:

Your social network is owned by advertisers.
Every post you share, every friend you make, and every link you follow is tracked, recorded, and converted into data. Advertisers buy your data so they can show you more ads. You are the product that’s bought and sold.
We believe there is a better way. We believe in audacity. We believe in beauty, simplicity, and transparency. We believe that the people who make things and the people who use them should be in partnership.
We believe a social network can be a tool for empowerment. Not a tool to deceive, coerce, and manipulate — but a place to connect, create, and celebrate life.
You are not a product.

Having navigated around the platform for a little while, I must admit that advertisements were nowhere to be seen. So far, so good… However, despite being a hopeless romantic, the new starry-eyed concept of online celebrating life failed to convince me.

To start with, it is unclear how the website will make money. Let’s not forget that other social network platforms, like Facebook or Tumblr, similarly started without advertising but, profit being intended, it was not a workable business model. According to Ello, profit will eventually come from special features that will be offered against a small amount of money (well, if they are paid for, it is not an offer anymore, just saying…) in order to customize users experience. This is not a new concept: it is called Freemium business model and is used by Evernote, for instance. That makes sense and it is utterly acceptable. After all, Ello has to capitalize somehow. Nevertheless, if the number of users continues to increase, I have serious doubts that those little charges will be sufficient to run the servers.

What is worrying, instead, is that, according to some provisions of its Privacy Policy, Ello is not everything it claims to be.

Although it might have escaped the most distracted and laziest of us (not everybody reads the privacy policies), Ello does collect users’ personal information, namely information about which pages are accessed, about the device used, information that is sent to it directly or posted on its website, and the addresses of websites that refer the user. It also stores the name and e-mail address that users register with. In addition, Ello collects and stores an anonymized version of users’ IP addresses and of Google Analytics to gather and aggregate general information about users’ behaviour, although it offers the option to opt out of Google Analytics and commits to respect “Do Not Track” browser settings. It also states that it may use or share anonymous data collected for any purpose.

Although Ello reiterates that it won’t sell information about users to any third party, including advertisers, data brokers, search engines, or anyone else, it may share some of the personal information with third parties under several circumstances. Users’ consent, legal compliance and the fulfilment of contractual requirements agreed with third-party service providers are among the exemptions foreseen.

It is quite strange that, while considering the collecting and selling of personal information for advertising purposes unethical, Ello broadly collects user data for non-advertising ends. Moreover, it establishes the sharing of user data as a rule, and not as an exception, considering the abstract nature of the exemptions foreseen.

Bearing in mind that advertising can be very positive as it provides useful information regarding products and services that users may be interested in, I am not sure that this is the biggest of their concerns. Indeed, the door is left open for privacy violations that come along with online tracking. Furthermore, anonymisation of the data does not ensure that, in subsequent matches, an individual won’t be identifiable. Additionally, Ello doesn’t give any guarantee regarding the deletion of information stored in backups when posted content or a personal account is deleted. As for the foreseen possibility of sharing information with future affiliated companies, it just means that the data collected and stored by Ello will be made available to businesses to which users have not delivered their data.

Only time will tell if Ello is here to stay… But considering the above-mentioned devil in the details, one may conclude that privacy just seems to be the newest marketing slogan, regardless of whether it is ensured in fact or not.

© 2017 The Public Privacy
