From your ‘umble scribe’s social media timeline today.
My Firefox browser not only has an ad-blocker extension installed (uBlock Origin), but also additional privacy protection extensions to mop up anything that uBlock Origin manages to miss.
No further comment to the original post is required.
Today’s Guardian reports that civil servants at Whitehall’s Ministry of Defence (MoD) inadvertently sent classified emails intended for the United States military to Mali.
How did this happen? Email addresses for the US military come under the .mil TLD. By omitting the letter i from this TLD, one is left with the two letter country code top level domain .ml, denoting Mali.
To cover its blushes from this glaring example of digital dyslexia, the Ministry has commented as follows:
We have opened an investigation after a small number of emails were mistakenly forwarded to an incorrect email domain.
We are confident they did not contain any information that could compromise operational security or technical data.
All sensitive information is shared on systems designed to minimise the risk of misdirection.
The MoD constantly reviews its processes and is currently undertaking a programme of work to improve information management, data loss prevention, and the control of sensitive information.
Whitehall is currently illuminated bright red by all the embarrassed faces lurking behind all the impressive military statues of senior dead white squaddies fronting its main building in SW1.
Maybe such a cock-up would not have happened had the ministry’s civil servants paid proper attention to what they were typing on their email clients instead of constantly reviewing their processes!
Meta, the parent company of social media platform Facebook, has been fined a record €1.2 bn. by Ireland’s Data Protection Commission (DPC) in relation to breaches of the European Union’s General Data Protection Regulation (GDPR) in respect of user data transfers from the EU to the USA, Irish broadcaster RTE reports.
The company has been given five months to implement changes to such data transfers.
The DPC said Meta had infringed the GDPR by continuing to transfer EU user data to the US despite a ruling by the European court of justice requiring strong protection of such information, adding that the data transferred by Facebook under a measure called standard contractual clauses “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [European Court of Justice] in its judgment”.
Meta has said it will appeal the decision, as well as commenting that it was disappointed to have been singled out when using the same legal mechanisms as thousands of other companies providing services in Europe.
The EU and the USA have agreed a new data transfer framework which is expected to be in place later this year.
This is the largest ever fine levied in the EU for a privacy breach. The previous record penalty of €746 mn was imposed on Amazon in 2021.
Your ‘umble scribe is a great fan of the free and open source Firefox web browser and has been using the desktop version since version 0.x many years ago. One of its major attractions has been its emphasis on security and privacy.
Until recently it was also the default browser on my smartphone, until I discovered Firefox Focus. Firefox Focus is a free and open-source privacy-focused mobile browser based on Firefox which is available for Android and iOS devices. First released in December 2015, it was initially a tracker-blocking application for mobile iOS devices, but was developed into a minimalistic web browser shortly afterwards.
According to Mozilla, Firefox Focus is a dedicated privacy browser with automatic tracking protection. meaning web pages load faster and your data stays private. It’s also easy to delete history, passwords and cookies, so advertisers and other ne’er-do-wells don’t follow you around online. Just tap the erase button on the search field and all that data is gone. Tracking protection is also very strong. The browser blocks a wide range of common trackers by default, including social trackers and those sticky ones that come from things like Facebook ads.
After using Firefox Focus for one week, I can say I’m impressed with the way it works. Although it required me to learn how to use tabbed browsing (hint: hold down a link in your search results and a menu appears, offering the option to open the link in a new tab. Ed.), once that was cracked, I was away. As for fast page loading, that’s not disappointing either, even on notoriously slow-loading sites, like that of Bristol City Council, which still seems to be powered by a horse turning a shaft in the basement of the Counts Louse (which some call City Hall. Ed.). 😉
If you value your privacy and security, I’d recommend Firefox Focus on your mobile device.
French IT news site Le Monde Informatique reports that the French Customs authorities have been sent a formal notice by the CNIL, France’s data privacy regulator, in respect of an illegal data file containing the details of more than 45,000 people, including copies of identity documents and records of criminal offences.
Businesses are not the only organisations with which the CNIL has found fault for holding illegal files containing personal data. Public sector organisations can also fall foul of the law.
The French Customs authorities, which come under the control of the Ministry for the Economy have been caught red-handed following a report in respect of Customs’ file used for recording information about vessels and their crews which is known as SIRENE. Intended to identify all the people checked at sea or in port in order to combat fraud, this system was in fact developed and implemented with no legal basis and not in accordance with the law, according to the CNIL
Checks were carried out by Customs’ Channel-North Sea-Atlantic coastguard service and inspections revealed that recourse to this system did not comply with France’s Data Protection Act. This data system actually lists information about the vessels checked and their passengers, including personal information such as marital status, address, occupation and copies of identity documents, as well as criminal convictions (drug trafficking, counterfeiting, off-the-books employment, failure to co-operate, sexual assault, possession of illegal weapons, intentional homicide and murder).
All told, the details of 45,793 persons – including 392 minors – are included in the SIRENE file. “The creation and use of the SIRENE file are not provided for by any legislation (for example a law or a decree). In addition, the CNIL has not received a request for an opinion concerning its implementation, in violation of the Data Protection Act (articles 87 and 89, the CNIL explained. Other grievances have also been lodged against the Ministry for the Economy, such as the failure to send an impact assessment in respect of the protection of personal data and the lack of a clear distinction between the data of the different categories of persons concerned. or the fact that the latter were not made aware that their data had been included.
Following the CNIL’s formal notice, the Ministry for the Economy and Customs have 6 months to comply otherwise a penalty could be issued.
Joinup, the EU’s open source news site, reports that the Czech Republic is to begin using the Matomo open source web analytics tool on the Czech citizen portal and gov.cz websites, where it will replace Google Analytics.
This change will ensure that the data by the sites collected will stay within the EU and, as the Czech administration will be using its own instance of Matomo, it will retain full control of the records.
The change was triggered by an open letter sent by the Czech the digital freedom watchdog luridicum Remedium after it noticed the Czech state vaccination system website was using Google Analytics during the COVID-19 crisis. The Czech Data Protection Authority and public sector strategic partner NAKIT then pursued the matter and replaced Google Analytics with Matomo on Czechia’s Ministry of Health website. This move later led to further action and the country will continue following this trend on public sector websites.
Previously named Piwik, Matomo has been in development since 2007 and is presently deployed on 1.4 million websites, including those of NASA, the European Commission, the United Nations and Amnesty International.
The Czech decision to choose Matomo follows those of other European countries seeking to keep control of their citizens’ data. Last year the French and Austrian data protection authorities determined that Google Analytics was not compliant with EU data privacy standards, in particular because Google’s data transfers to the United States are contrary to the EU’s General Data Protection Regulation (GDPR).
Following the announcement anti-trust action by the United States Department of Justice along with the Attorneys General of California, Colorado, Connecticut, New Jersey, New York, Rhode Island, Tennessee, and Virginia against Google, Meta (owners of Facebook and Instagram), Microsoft and Twitter have all made statements seeking to defend their actions.
In their legal opinions, the big US tech giants, including Microsoft, Meta and Twitter, are warning the Supreme Court against amending Section 230 of the Communications Decency Act (CDA). This would enable actions against content recommendation algorithms, French IT news site Le Monde Informatique reports.
One week after Google’s filing of a defence statement with the US Supreme Court warning that amending Section 230 of the Communications Decency Act (CDA) “would upend the internet“, several companies including Twitter, Meta and Microsoft, have filed their own legal opinions. They support Google’s argument that a restriction of the law could have disastrous consequences for the content editors. By virtue of the 1996 CDA, the companies are shielded from liability for content posted by their users, including comments, criticism and advertising.
However, the Supreme Court has been asked to examine whether Section 230 was still pertinent and appropriate, given that it was promulgated before the internet became part of everyday life. The law was subject to a minute before the suit filed by the family of Nohemi Gonzalez, a 23 year-pld US citizen killed in Paris during the 13th November 2015 terrorist attacks claimed by ISIS. The Gonzalez family asserts that the algorithms should be regarded as editorial content not covered by the immunity from liability granted by Section 230 and thus Google’s YouTube subsidiary has violated the US Anti-Terrorism Act (ATA) when its algorithms have recommended ISIS-linked content to users. The Supreme Court is set to hear oral arguments in the case on 21st February next.
Both Democratic and Republican members of Congress have criticised the protections provided for by the law. The Republicans believe that those in respect of liability make websites take partial decisions regarding content removal, whilst the Democrats would like the same sites to take more responsibility as regards moderation. In a statement President Biden has stated that his administration would support the position that Section 230 protections should not apply to recommendation algorithms. In its petition of 19th January, Microsoft asserts that if the Supreme Court makes amendments to Section 230, it would “strip these digital publishing decisions suit—and it would do so in illogical ways that are inconsistent with how algorithms actually work.“.
The company added that any decision aimed at restricting the law “thereby expose interactive computer services to liability for publishing content to users whenever a plaintiff could craft a theory that sharing the content is somehow harmful“. In its own petition Meta stated that the plaintiffs’ argument is “deeply flawed from a legal point of view”; by interpreting Section 230 as a means of protecting sites from liability for content posted by its users whilst removing protection from content “ignores the way in which the internet works“. The company continued by describing the plaintiffs’ position as “regrettable from a practical point of view” and by stating that a ruling in their favour would ultimately prompt “online services to remove important, provocative and controversial content on matters of general interest“.
Twitter has said that the current interpretation of Section 230 “ensures that sites such as Twitter and YouTube can work in spite of the unfathomable amount of information they make available and the potential liability that might result from this“. Since Twitter’s acquisition by Elon Musk, the site has been criticised for having reinstated the accounts of people it previously banned, such as disgraced former president Donald Trump or alpha male par excellence and all-round amateur human being Andrew Tate who is currently under investigation in Romania for alleged human trafficking.
However, the review of several other high-profile cases will have to take place before the law is changed. Last week the Supreme Court was set to discuss its jurisdiction in two cases that challenge Texas and Florida laws prohibiting online platforms from removing certain political content. In addition, a Twitter vs. Taamneh case, which has many similarities with the Gonzalez vs. Google case, is due to oral pleadings on 2nd February. In this case Twitter, Facebook and YouTube are accused of having aided and abetted another attack claimed by Islamic State.
After a record fine of €390 mn. at the start of January, the Irish Data Protection Commission is imposing a further fine of €5.5 mn. on Meta, this time for WhatsApp’s policy with regard to personal data under the GDPR, Le Monde Informatique reports.
Has been welcoming (in tax terms) to American IT companies, but is proving to be as very sensitive area for implementation of the GDPR. Meta has just experienced this once again with a fine of €5,5 mn. imposed by Ireland’s Data Protection Commissioner. This is the social network’s second fine in less than a month; on 4 January the same commission announced a record fine of €390 mn. on the personal data processing policy of Facebook and Instagram (posts passim).
In this instance it’s WhatsApp’s policy that is being censured following a complaint filed on 25 May 2018 – the date the GDPR entered into effect – by a German user. After this date the messaging service updated its general conditions of use and informed its users they had to click on “accept and continue” to indicate their consent. If they did not reply, they no longer had access to the service.As in the decision of 4th January, WhatsApp regards its data processing policy must be considered like a “contract” according to the GDPR (Article 6.1) concluded between the company and the user.
The Irish Data Protection Commission investigated and drew up a draft decision which was submitted to the European regulators parties involved in this case. It proposed not imposing additional financial penalties. WhatsApp had already been fined €225 mn. in September 2021 for similar actions. However, the DPC pleaded for recognition of the contractual and thus legal nature of WhatsApp’s personal data policy – a position which caused an outcry from other data protection regulators.
The DPC approached the EDPB for a decision. It dismissed the legal basis of the contract and added an additional infringement of the transparency obligation. As a consequence, the Irish DPC is adding €5.5 mn. to the fine imposed on Meta, WhatsApp’s parent company.
Le Monde Informatique reports that Meta, the conglomerate that owns both Facebook and Instagram, has been fined a total of €390 for breaches of the EU’s General Data Protection Regulation (GDPR) in respect of both platforms’ personal data processing policy.
It has been a bad start to the year for Meta which has just been notified of a fine of €390 mn. by the Irish Data Protection Commission (DPC). The regulator is penalising the actions of Meta’s 2 subsidiaries, Facebook to the tune of €210 mn. and Instagram €180 mn. This decision concludes a case which started on 25 May 2018 (the date the GDPR entered into effect after 2 complaints had been filed – one by well-known Austrian privacy campaigner Max Schrems and the other by a Belgian citizen.
In this case Meta Ireland changed its general terms and conditions before the date of entry into effect of the GDPR, in particular “the legal basis on which it relied to legitimise its processing of users’ personal data (including behavioural advertising)”. To adopt this new policy, existing and recent Facebook and Instagram users were asked to click on the “I Accept” button on pain of no longer being able to access the platforms’ services. The questions then arose as to whether users had been forced to give their consent and if the “contract” concluded between Meta and its users conformed to Article 6 of the GDPR.
The debate was long and heated, including at European regulator level. As a matter of fact, the Irish DPC’s analysis did not meet with agreement from other European data protection authorities. For example, it considered the aspect of “forced consent” could not be upheld. Many authorities likewise thought the original Irish financial penalties too lenient. The European Data Protection Board (EDPB) was contacted to settle the matter and gave its decision on 5th December. It judged that “Meta Ireland was not entitled to invoke the legal basis of the “contract” as a legal based for its personal data processing for behavioural advertising purposes”.
It also demanded the fines proposed by the Irish regulator be raised. This is the second fine imposed on Meta in recent months by the CPD. Last November the American company was fined €275 mn. for so-called data scraping. In both cases, Meta still has the possibility of challenging the regulator’s decisions before the European judicial authorities.
Facebook and Instagram have now been given three months to bring their terms and conditions into line with the GDPR.
German newspaper <a href="https://www.welt.de/regionales/bayern/article241937155/Urteil-Buerger-duerfen-Falschparker-fuer-Anzeige-fotografieren.html".Die Welt states that it’s so obvious: people wanting to report an illegal parker just pull out their smartphone and then send the picture to the police. However, two men in Bavariahad trouble with the state’s data protection authorities. A court has now decided who acted corrected.
Anyone who sends photos of illegal parkers as part of a report to the police does not normally violate data protection legislation. This emerged on Thursday from two landmark rulings published by the Ansbach Administrative Court. With these the court agreed with two men who corroborated their reports of parking infringements on footways and cycleways with photos. For using this they received a warning and a fine of €100 each from the Bavarian State Data Protection Office (LDA). Both objected and went to court with the support of Deutsche Umwelthilfe e.V. (DUH)
The administrative court combined the two procedures in a joint hearing because of the identical questions and ultimately ruled that the procedure involved lawful data processing. However, the actual statement of is not available. The verdicts are of fundamental significance from the legal point of view, but are still not absolute.
The DUH, which supported one of the two plaintiffs in a test case, welcomed the verdict. “Illegal parking is no trivial offence, but endangers people who are travelling by bike, wheeled walking frame, wheelchair or pram”, commented Jürgen Resch, its Federal director. “The authorities should not take action against civil society commitment, but rather take consistent measures against blocked footpaths and cycle paths, illegal parking in front of dropped kerbs or at junctions; and do so not just in Bavaria, but nationwide.»
The crux of the proceedings was the question of whether digital transmission of the photos constituted lawful data processing within the meaning of the General Data Protection Regulation since there must be a legitimate interest in forwarding the image files. On the other hand, data transmission and processing must be necessary.
Accordingly, the parties to the proceedings before the court argued about whether the plaintiffs had to be personally affected by the parking violations and whether a written or telephone description of the facts including the vehicle registration number, was not sufficient. In addition, the LDA pointed out that other data such as other cars with registration plates and people can often be seen in the pictures. In reply, the plaintiffs stressed that the police had asked them to document the parking situation as accurately as possible with photos as evidence.
The LDA stated that once the judgment’s statement of grounds was available, it would examine whether the decision was an individual case or whether a reassessment of the use of photos in public places that was critical for data protection had been initiated. In addition, it wants to agree clear and uniform guidelines with the police regarding which information is required when reporting illegal parking and which communication channel should be used.