This week Adobe Inc. released some updated software for companies to target customers with advertising and offers using the brands’ own data as opposed to third-party cookies. More and more, third-party cookies are being eliminated from websites due to consumer concerns regarding unwanted tracking across the internet. Many web browsers already block third-party cookies, and soon even Google Chrome will block them. The new Adobe platform, Real-time Customer Data, will let its customers ask consumers for permission to use their information. With this new software, a consumer will likely see clearer information about how a website uses their data and why they are being shown certain personalized experiences.

Another reason the traditional third-party tracking cookies are on their way out is that companies that collect large volumes of data through their own services (i.e., Facebook or Google) do not typically share that data with others who want to use it for their own advertising purposes. Over half of the customers Adobe surveyed about their data use said that they often do not know the type of data collected and stored in disparate systems. The software will use first-party data to get a more complete profile about consumers. It also will allow different companies to share certain non-sensitive data to personalize the products they pitch.

The downside to this software may be that it is more complex than just allowing third-party cookies to collect data and then simply purchasing that data. However, this is a step towards stronger privacy protections for consumers.

At the beginning of April 2021, the U.S. Supreme Court unanimously ruled in favor of Facebook in Facebook, Inc. v. Duguid, reversing the decision of the Ninth Circuit Court of Appeals, holding: “To qualify as an ‘automatic telephone dialing system’ under the Telephone Consumer Protection Act (TCPA), a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.” This is big news. This precedent will likely be relied on by other defendants in TCPA class action litigation to argue that the technology used to send text messages does not constitute an autodialer and, therefore, the TCPA does not apply.

The TCPA prohibits certain telemarketing tactics by restricting a business’ ability to make certain communications using an automatic telephone dialing system. The TCPA defines “autodialers” as equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers. Facebook has a security feature in its platform that allows users to elect to receive text messages when someone attempts to log in to the user’s account from a new device or browser. Plaintiff, Noah Duguid, received this type of text message from Facebook alerting him to login activity on a Facebook account linked to his telephone number. However, Duguid never created an account on Facebook. Facebook explained in its argument that Duguid may have been assigned a recycled cell phone number that was used by a Facebook user who previously opted into receiving these login notifications. Duguid claimed that he tried to stop the text messages, but he was unsuccessful. Duguid claimed that Facebook violated the TCPA by maintaining a database that stored telephone numbers, and then programming its equipment to send automated text messages. Facebook argued that the TCPA does not apply as the technology used to send those texts to Duguid did not use a “random or sequential number generator.” The Ninth Circuit held that the TCPA did apply to a notification system that has the capacity to dial automatically stored numbers.

The Supreme Court’s decision cited the intent of the TCPA when first introduced by Congress, saying that autodialers “threatened public safety by ‘seizing the telephone lines of public emergency services, dangerously preventing those lines from being utilized to receive calls from those needing emergency services.’ Indeed, due to the sequential manner in which they could generate numbers, autodialers could simultaneously tie up all the lines of any business with sequentially numbered phone lines. Nor were individual consumers spared: Auto-dialers could reach cell phones, pagers, and unlisted numbers, inconveniencing consumers and imposing unwanted fees.” [citation omitted.] However, the Supreme Court noted that technology has since changed (including cell phone services and the way we pay for those services), and the nuisance and threat of these autodialers has been lessened.

Neither party disputed the fact that the TCPA prohibits unsolicited text messages without prior express consent, and, therefore, the Supreme Court did not consider or resolve that issue.

The Supreme Court’s decision relies heavily on the literal interpretation of the language and grammar of the TCPA:

This case turns on whether the clause “using a random or sequential number generator” in §227(a)(1)(A) modifies both of the two verbs that precede it (“store” and “produce”), as Facebook contends, or only the closest one (“produce”), as maintained by Duguid. The most natural reading of the text and other aspects of §227(a)(1)(A) confirm Facebook’s view. First, in an ordinary case, the “series-qualifier canon” instructs that a modifier at the end of a series of nouns or verbs applies to the entire series. Here, that canon indicates that the modifying phrase “using a random or sequential number generator” qualifies both antecedent verbs, “store” and “produce.” Second, the modifying phrase immediately follows a concise, integrated clause (“store or produce telephone numbers to be called”), which uses the word “or” to connect two verbs that share a common direct object (“telephone numbers to be called”). Given this structure, it would be odd to apply the modifier to just one part of the cohesive clause. Third, the comma in §227(a)(1)(A) separating the modifying phrase from the antecedents suggests that the qualifier applies to all of the antecedents, instead of just the nearest one.

In the end, the takeaway is that an autodialer (whose use is prohibited by the TCPA) must have the ability to use a random or sequential number generator to either store or produce phone numbers to be called.

In just the last two weeks, three of the world’s most prominent social networks have been linked to stories about data leaks. Troves of information on both Facebook and LinkedIn users – hundreds of millions of them – turned up for sale in marketplaces in the cyber underground. Then, earlier this week, a hacker forum published a database purporting to be information on users of the new Clubhouse social network. 

Andrew Sellers is the Chief Technology Officer at QOMPLX Inc.

To hear Facebook, LinkedIn and Clubhouse speak, however, nothing is amiss. All took pains to explain that they were not the victims of a hack, just “scraping” of public data on their users by individuals. Facebook went so far as to insist that it would not notify the 530 million users whose names, phone numbers, birth dates and other information were scraped from its site.

So which is it? Is scraping the same as hacking or just an example of “zealous” use of a social media platform? And if it isn’t considered hacking…should it be? As more and more online platforms open their doors to API-based access, what restrictions and security should be attached to those APIs to prevent wanton abuse? 

To discuss these issues and more, we invited Andrew Sellers into the Security Ledger studios. Andrew is the Chief Technology Officer at the firm QOMPLX* where he oversees the technology, engineering, data science, and delivery aspects of QOMPLX’s next-generation operational risk management and situational awareness products. He is also an expert in data scraping with specific expertise in large-scale heterogeneous network design, deep-web data extraction, and data theory. 

While the recent incidents affecting LinkedIn, Facebook and Clubhouse may not technically qualify as “hacks,” Andrew told me, they do raise troubling questions about the data security and data management practices of large social media networks, and beg the question of whether more needs to be done to regulate the storage and retention of data on these platforms. 


(*) QOMPLX is a sponsor of The Security Ledger.

What if you could control a computer with your mind? Well, Facebook’s latest device may allow you to do just that. Facebook recently announced that it has created a wristband that allows you to move a digital object just by thinking about it. The wristband looks like a large iPod on a strap and uses sensors to detect the user’s movements through electromyography (EMG). EMG interprets electrical activity from motor nerves as information is transmitted from the brain to the hand. An example: you could navigate through the augmented-reality menus by thinking about moving your finger to scroll through the options. However, Facebook notes that this “control” is coming from the part of the brain that controls motor information, not thought.

The wristband is still in the research-and-development phase at Facebook’s Reality Labs; no details about its cost or release date have been provided yet. This wristband is part of Facebook’s push for everyday virtual-reality and augmented-reality products for consumers, and it’s likely only the beginning.

Facebook also released information earlier this month about its augmented-reality glasses that, as you walk past your favorite coffee shop, might ask you if you want to place an order. Herein lies a privacy dilemma: products such as these glasses and wristband mean that companies like Facebook will have access to even more data points about consumers than they already do. In the coffee shop example, the company and its advertising partners would know what kind of coffee you prefer, where you live, work and frequently visit, and, either by submission or statistical deduction, also know your demographic, health, and other personal information. A personalized consumer profile based on your every move could easily be created (or, more likely, added to the already-existing profile about your buying behaviors).

WhatsApp started notifying its 2 billion users last month about an update to its privacy policy. Most of its users probably didn’t look at the details, and simply clicked “I agree” when the notice popped up on their phones. (To use the app, one must click “I agree.”) There has been a backlash from privacy advocates, which is worth noting here in case you missed that news. WhatsApp has delayed the implementation of the terms of the new privacy policy for a few months so it can address those concerns.

If you are a WhatsApp user and you click “I agree” to that pop-up that you don’t read, here’s a synopsis (not comprehensive) of what you are agreeing to that is not protecting your privacy:

  • WhatsApp can share all data it collects about you with the entire Facebook network (including Instagram), even if you don’t have an account with other parts of the network (e.g., Instagram).
  • If you don’t accept the new terms, you will not have full functionality of the app (which is reported to go live in May).
  • WhatsApp is monetizing the data it collects from you and asks for your consent to use your data to make money.
  • WhatsApp will be providing more information about the changes to the privacy policy through a banner in WhatsApp—this writer thinks you may wish to read the banner and the privacy policy a bit more carefully before you agree.
  • Although your conversations in WhatsApp are private and encrypted, WhatsApp has access to your usage data and your unique identifier, which may be linked to your identity. This is one of the reasons they are asking you to accept the new terms.
  • Facebook is monetizing your data and increasing its revenue by using your usage of WhatsApp to push targeted ads to you on Facebook and Instagram.

The changes to the privacy policy are not really designed to protect your privacy, but rather to get consent to sell your information so businesses can sell things to you. It’s not really a “privacy” policy, it is a “let me monetize your data” policy.

Some users are taking note that they will not agree to the new “privacy” policy and are defecting to Signal, which as a privacy pro, I prefer for messaging. WhatsApp users may wish to take a look at Signal’s privacy policy and compare it to WhatsApp’s. It can be accessed here.

The Irish Data Protection Commission (DPC) fined Twitter 450,000 euros (about US$546,000) for failing to notify the Irish DPC within the required 72 hours of discovering a Q4 2018 breach involving a bug in its Android app, and also for failing to adequately document that breach. The bug caused some 88,726 European Twitter users’ protected tweets to be made public.

The case is notable because it is the first fine levied against a U.S. technology company for a cross-border violation under the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018. Under the GDPR, the member state of the foreign company’s EU headquarters takes the lead on inquiries on behalf of all of the EU’s 27 member states. Because Twitter’s EU headquarters are in Ireland, the DPC took the lead on investigating the 2018 breach incident, which Twitter attributed to poor staffing during the holidays.

Pursuant to Article 60 of the GDPR, the Irish DPC submitted its draft decision last May to the other EU DPAs. In the draft decision, the Irish DPC found Twitter’s violations to be negligent, but not intentional or systematic. Other member states disagreed with the Irish DPC’s draft decision, due in part to the small proposed fine. The Irish DPC’s proposed fine was only a small fraction of the maximum fine amount permitted, which under the GDPR is up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher. Twitter’s global annual revenue was reportedly about $60 million in 2018.

The Irish DPC responded to the criticisms from other member states by stating that its proposed fine under the GDPR was an “effective, proportionate and dissuasive measure” and brought the matter before the European Data Protection Board, which upheld most of the decision but directed Ireland to increase the fine.

The Twitter case is just the first of many cases involving U.S. companies before the Irish DPC, as there are some 20 other pending inquiries. Ireland also serves as the EU headquarters for U.S. technology companies such as Facebook, Apple and Google.

The decision is available here.

How will a Biden-Harris presidency affect the U.S. privacy landscape? Let’s take a look.

Federal Privacy Legislation

On both sides of the political aisle there have been draft proposals in the last 18 months on federal privacy legislation. In September, movement actually happened on federal privacy legislation with the U.S. Setting an American Framework to Ensure Data Access, Transparency and Accountability Act. To read the bill, visit https://www.billtrack50.com/BillDetail/1242877.

With a Biden-Harris administration, there is potential for continued movement on federal privacy legislation. This movement would likely come from Congress since both the Republicans and Democrats have previously supported (and are pushing for) privacy bills.

E.U.-U.S. Privacy Shield and Data Transfers

With the 2020 “Schrems II” decision looming over international data transfers, the Biden-Harris administration is likely to pave the way for negotiations with the European Commission for a new version of the Privacy Shield. However, the Schrems II ruling will continue to be a real challenge. The hope is that there can be effective, productive dialogue with the E.U. and that the U.S. can convey the fact that there is a mutually beneficial relationship between intelligence agencies in the U.S. and those of the member states of the E.U.

FTC Enforcement and FCC Rules

During Chairman Joseph Simons’ tenure, the Federal Trade Commission (FTC) has been very active on privacy issues. Examples include the FTC’s enforcement actions against Facebook, Google and YouTube, as well as the Children’s Online Privacy Protection Act (COPPA) rulemaking proceeding held in 2019. Just this past week, the FTC announced a settlement with Zoom for alleged data security failings. While the FTC was certainly busy under a Republican-led agency, it is likely that we will see a heightened level of scrutiny and more enforcement under a Biden-Harris administration. While Chairman Simons can serve until 2024, he might step down, and it is also likely that the FTC will gain more Democratic commissioners.

For the Federal Communications Commission (FCC), a Biden-Harris administration may also lead to a revival of the net neutrality rules.

Cybersecurity

Many experts agree that cyber-attacks are the number one national security threat in the U.S., both from a geopolitical and an economic standpoint. A recent report, the Cyberspace Solarium Commission report, states that one of the biggest reasons for continued cybersecurity issues in the U.S. is the failure of strategy and leadership in this arena, and that now is the time for greater accountability of the government to defend against cyber-attacks.

Big Tech and the U.S.’s International Relationships

There has been a lot of scrutiny on how a Biden-Harris administration will regulate Big Tech in Silicon Valley. Biden has already pledged to create a task force for investigating online harassment, extremism and violence, so it is likely that there will be a focus on privacy, surveillance and hate speech online through some of the Big Tech players in Silicon Valley. We may also see some shifts in the U.S.’s relationship with China when it comes to privacy.

Of course, none of this change will happen overnight, so we’ll be watching as the train chugs forward.

The misinformation on social media about the election results (and other topics) is rampant. Social media companies like Twitter and Facebook are struggling with the balance between the First Amendment right to free speech and false information or exaggerated reports on their platforms and are hiding or flagging those they deem to be false or misleading.

Misinformation and false information do not help anyone get to the truth. Getting news from reliable sources and news outlets, instead of through social media platforms and websites, is usually more dependable because there are standards in the news industry regarding content that major news organizations must follow.

In addition, going to unreliable websites to obtain information may put you at a higher risk of a cyber-attack. Cyber criminals and foreign adversaries develop fake websites and when individuals click on such a website, they introduce malware or ransomware into the system.

Don’t be fooled by false or misleading information on social media platforms or websites. Go directly to the source to stay informed and to stay cyber-safe.