Showing posts with label EU. Show all posts

May 27, 2018

GDPR?

So, when I logged into Blogger today, I was greeted with this notice:
European Union laws require you to give European Union visitors information about cookies used and data collected on your blog. In many cases, these laws also require you to obtain consent.
Out of courtesy, we have added a notice on your blog to explain Google's use of certain Blogger and Google cookies, including use of Google Analytics and AdSense cookies, and other data collected by Google.
You are responsible for confirming that this notice actually works for your blog, and that it displays. If you employ other cookies, for example by adding third-party features, this notice may not work for you. If you include functionality from other providers there may be extra information collected from your users.
Which is... fine, I guess? The weird part is that I have no idea what the notice says, because I'm in Canada, and the notice doesn't appear for Canadian users. Hopefully the thing is actually working, since I have no way to know; Blogger's relevant help page says that it should be active automatically, with no action needed from me, which I find to be somewhat at odds with the notice itself, which says that I'm somehow supposed to be responsible for ensuring that it's working, even though I apparently can't do that from here.

If Blogger's default GDPR notice says anything you object to, please direct those objections to Google, who are entirely responsible for the no-doubt-legalese passages in question. If it's not there at all, please feel free to leave a comment on this blog post or something to let me know.

For the record, I have my browser options set to delete all cookies automatically when Firefox closes (and, yes, I use Firefox - it's what I'm used to, and Quantum's performance is close enough to Chrome's to be acceptable), and to accept third-party cookies only from sites I've already visited. Since Firefox is also set to clear my history when it closes, and since I also run two ad-blockers (uBlock Origin and AdBlocker Ultimate), I feel pretty okay with the level of data that people can collect about me without my knowledge. I'm probably not doing much to slow the likes of Facebook with their shadow profiles, but I shouldn't be broadcasting much of anything to the world that I'd rather keep quiet.

Remember... it's not paranoia if they are watching you. And they definitely are watching you. C'est la vie.

May 22, 2018

People seeing what people want to see

So, apparently Mark Zuckerberg sailed through his appearance before the EU... unless he didn't, and it was actually spectacularly awkward.

First up, Fortune:
Facebook CEO Mark Zuckerberg managed to dodge tough questioning by European Union parliamentary members on Tuesday during a hearing about the company’s data collection practices.
The parliamentary members asked thorough, multi-part questions about Facebook’s policies and global operations. But because their questions were grouped together at the beginning of the roughly hour-and-a-half long session, Zuckerberg was able to mostly ignore them when it was finally his turn to speak.
Instead, he reiterated the company’s recent talking points around its efforts to clean up its service like hiring more monitors and combating fake news.
Sounds like he aced it. Right, Quartz?
Facebook CEO Mark Zuckerberg met with members of the European Parliament today (May 22) in what was billed as a “meeting” but ended up being more of an awkward hearing, in which the executive took a public lashing but was also let off the hook from many tough, detailed questions.
In one particularly uncomfortable moment for Zuckerberg, Nigel Farage, the well-known euro-skeptic and far-right leader, said that without social media, Trump and Brexit wouldn’t have happened, since these causes were able to circumvent traditional media to get their message to the public. “Perhaps you’re horrified by this creation of yours and what it’s led to,” he said to the 34-year-old, who looked a bit flabbergasted.
For the better part of the meeting, which was scheduled to last a little over an hour, the politicians lobbed their questions and reflections on technology at Zuckerberg, who, at the end, repeated talking points he’s given to US lawmakers, journalists, and investors over the past several months.
OK... maybe not?

August 08, 2017

Selection bias in action: Windows 10's data collection policies really haven't been as positively received as they'd like you to think.

From Wikipedia:
Selection bias is the bias introduced by the selection of individuals, groups or data for analysis in such a way that proper randomization is not achieved, thereby ensuring that the sample obtained is not representative of the population intended to be analyzed.[1] It is sometimes referred to as the selection effect. The phrase "selection bias" most often refers to the distortion of a statistical analysis, resulting from the method of collecting samples. If the selection bias is not taken into account, then some conclusions of the study may not be accurate.
Keep this definition in mind when reading ZDNet's latest reportage on Microsoft's Windows 10 privacy officer's latest press release (and, OMG, did that ever become a bear of a sentence):
After being pummeled by critics and regulators for Windows 10's overzealous personalization efforts, Microsoft says it's received "positive" feedback about privacy-enhancing changes it introduced in the Windows 10 Creators Update.
Those changes, which Microsoft rolled out in Windows 10 in recent months, include an online privacy dashboard and finer controls for location, speech recognition, diagnostics, tips and recommendations, and relevant ads.
It made those changes under the watch of European data-protection authorities, amid the French National Data Protection Commission's (CNIL) year-long probe over Windows 10's "excessive data collection" and tracking browser data without user consent.
CNIL in June lifted its formal notice on Microsoft, noting it had halved the volume of telemetry data collected under the Basic Diagnostic setting, and now provided "clear and precise information" about web tracking for personalizing ads.
With that episode in the rearview, Microsoft is now highlighting signs that customers do trust it with their data and that its responsiveness to customer feedback -- rather than just legal threats from watchdogs -- is driving Windows privacy improvements.
"Feedback we've received about the Creators Update has been positive. This is great news to us because what we hear from you directly impacts the improvements we make," says Marisa Rogers, Microsoft privacy officer for the Windows Devices Group.
Despite the basic Diagnostics setting collecting far less data than before, Rogers points out that 71 percent of customers select the Full option, which sends browser data, app and feature usage, and inking and typing data to Microsoft.
The setting is on Full by default, but can be toggled to Basic.
So, where's the selection bias here? you're probably asking by now.

Let's start with the fact that a significant number of the Windows users most likely to have objected to Microsoft's Windows 10 privacy regime are still using Windows 7. They never switched to Windows 10, precisely because of Microsoft's broken data collection and privacy policies, and that has not changed, even after the changes which Microsoft made while under threat of regulatory action by the Article 29 Working Party.

We'll continue with the fact that "Full" data collection is still the default, and that leaving it on may not represent approval so much as apathy on the part of those who have done so. The 71% of customers who are still set to "Full" data collection didn't select it; they just didn't care enough to change the setting. How many times have you clicked through an annoying pop-up screen to get to whatever you'd turned on your PC to do, intending to go back and look at it later... only to forget to go back later? Yeah, me, too.

And, about that positive feedback? All I can say is, "Duh."

June 29, 2017

Windows 10 is good enough, says CNIL.

Score one for Microsoft, I guess - it looks like French regulators have been appeased.

From Tech Republic:
Microsoft has scaled back the volume of data it collects from Windows 10 PCs by 'almost half', leading French authorities to drop their threat of a fine.
The French regulator CNIL today announced that Windows 10 is no longer in breach of the country's data protection laws, following changes to how the OS handles user privacy. Microsoft had previously faced the threat of a fine of up to €150,000 ($158,000) if Windows 10 wasn't brought into compliance with French data protection rules.
Since the notice was issued to Microsoft in July last year, Windows 10 has almost halved the volume of data it collects when the user picks the 'Basic' telemetry setting, according to a notice issued by CNIL.
Other positive changes highlighted by CNIL include Microsoft making it clearer that devices will be tied to an ID used for advertising purposes and making it easier for users to opt-out.
[...]
While Swiss data protection and privacy regulator FDPIC also dropped its enforcement action related to Windows 10 earlier this year, Microsoft has faced questions about Windows 10 telemetry from an EU data protection body. In February, the EU's Article 29 Working Party, said it "remained concerned about the level of protection of users' personal data".
At the time of publication, a spokesperson for the Article 29 Working Party had not responded to a request for comment about whether subsequent changes to Windows 10 had addressed its concerns.
The changes made weren't actually all that substantial (Paul Thurrott described them as "privacy theatre"), and since Microsoft had always maintained that all of the data it was harvesting via telemetry was essential, the simple fact that they were able to reduce mandatory data collection by half and still be collecting everything they "needed" pretty clearly reveals that their statements on data collection have always been at least 50% bullshit.

It's an open question whether CNIL's threatened penalties actually forced Microsoft to change anything, either. Microsoft had already applied for, and received, multiple extensions to CNIL's deadlines, and with the EU's Article 29 Working Party already on the case by the time the Creators Update changes came into effect, it's entirely possible that the much bigger threat of EU regulatory action was actually the determining factor behind the changes made to date.

Those EU regulators are still a potential thorn in Microsoft's side, and there's still a possibility that they'll mandate the kind of changes that Windows 7 holdouts, among others, have been calling for, but the chances of further meaningful change arising from European regulatory action appear to be dimming. It's still an open question whether consumer pressure, in the form of stagnant Windows 10 adoption rates, can still do the job, but after nearly two years of slow-to-stagnant adoption, it's looking less likely that Microsoft will respond to that pressure, either, especially since the Universal Windows Platform initiative appears to be nearly dead, anyway.

So, for the moment, nothing changes that hadn't changed already, while we wait for EU regulators to decide whether they'll also be appeased, as independent Swiss and French regulatory bodies have been already. I'll be keeping an eye on this one, but I'm less hopeful than I was a week ago.

June 22, 2017

Well.... I guess that's one way to approach the problem...

When Kaspersky Lab filed its antitrust complaint with the EU earlier this month, Microsoft's response was basically boilerplate corporate legalese. "Microsoft's primary objective is to keep customers protected and we are confident that the security features of Windows 10 comply with competition laws," they said, adding that they'd "reached out directly to Kaspersky a number of months ago offering to meet directly at an executive level to better understand their concerns," but without success (quotes from The Inquirer).

But that was then, and this is now, and their current strategy for fighting this antitrust complaint, is... novel, let's say. Yes, let's go with novel.

From The Reg:
Redmond is currently being sued by security house Kaspersky Lab in the EU, Germany and Russia over alleged anti-competitive behaviour because it bundles the Windows Defender security suite into its latest operating system. Kaspersky (and others) claim Microsoft is up to its Internet Explorer shenanigans again, but that’s not so, said the operating system giant.
“Microsoft’s application compatibility teams found that roughly 95 per cent of Windows 10 PCs had an antivirus application installed that was already compatible with Windows 10 Creators Update,” said Rob Lefferts, director of security in the Windows and Devices group.
“For the small number of applications that still needed updating, we built a feature just for AV apps that would prompt the customer to install a new version of their AV app right after the update completed. To do this, we first temporarily disabled some parts of the AV software when the update began.”
Basically, Kaspersky are complaining about Microsoft abusing their control of the Windows platform to disable competitors' software, violating EU rules about such things, and Microsoft's defense is that they do exactly this, but that it's OK, because security. Presenting their actions as a consumer protection move is pretty baller; it's also bullshit, because there's plenty of evidence just floating around that Microsoft can, and do, disable competing AV software for reasons other than compatibility issues.

If you're wondering what that looks like, then wonder no longer! It looks like this:



So, Microsoft can use their control of Windows to (a) know when your AV subscription is due to expire, and (b) "helpfully" remind you a day or so ahead of time.... that they have a free AV solution already installed on your machine, which they'll just be switching you to, automatically, if you should be, I dunno, too busy, or something, to renew that. Because they have your back (wink, wink). Somehow, according to Microsoft, this is about software compatibility, even though compatibility issues with the 3rd-party software are never once mentioned.

This genius legal strategy is the work of the same team who are defending against multiple class-action lawsuits using basically the same argument that cost Microsoft US$10,000 in small claims court. Redmond's anticonsumer, monopolistic practices seem so blatant here that I'm finding it hard to imagine the EU doing anything except ruling in Kaspersky's favour. There's a reason why Microsoft already have a not-dissimilar, €497 million antitrust ruling on record.

All of this comes even as Microsoft's data privacy practices are still being assessed by EU regulators - most of their recent improvements in that area were done in response to regulatory pressure, and regulators were not sounding convinced that Redmond's concessions in that area went far enough. To be facing antitrust action, again, with the data privacy stuff still not resolved, and multiple class action lawsuits grinding their way to apparently inevitable losses... well, I'm not an expert, but it sure looks to me like Microsoft's leadership have been on the receiving end of some seriously awful legal advice.

Microsoft are now perpetually operating in a mode of trying to minimize eventual penalties, while doing as little as possible about their bad practices in the meantime, all while knowing that their arguments in defense of those practices are basically insufficient to win any case on its merits. And, as a yuge corporation with plenty of cash in reserve, they can probably afford to wage these legal battles of attrition for quite a while yet. Whether they can afford the long-term damage that they're doing to their reputation in the meantime, or the momentum gains they're missing while spending years mired in legal trouble, remains to be seen.

February 20, 2017

Windows 10's still-lacking user privacy controls not good enough for the EU

Call me cynical, but this didn't surprise me.

From Reuters:
European Union data protection watchdogs said on Monday they were still concerned about the privacy settings of Microsoft's Windows 10 operating system despite the U.S. company announcing changes to the installation process.
The watchdogs, a group made up of the EU's 28 authorities responsible for enforcing data protection law, wrote to Microsoft last year expressing concerns about the default installation settings of Windows 10 and users' apparent lack of control over the company's processing of their data.
The group - referred to as the Article 29 Working Party - asked for more explanation of Microsoft's processing of personal data for various purposes, including advertising.
"In light of the above, which are separate to the results of ongoing inquiries at a national level, even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data," the group said in a statement which also acknowledged Microsoft's willingness to cooperate.
Microsoft was not immediately available to comment.
A number of national authorities have already begun enquiries into Windows 10, including France which in July ordered Microsoft to stop collecting excessive user data.
A regulatory ruling by the EU would effectively apply in every EU country, though, excluding Switzerland and (soon enough) the U.K. but including basically everyone else, which could be a significant problem for Microsoft. If nothing else, this keeps Windows 10's privacy issues inconveniently front and centre at a time when Microsoft would very much like this particular topic of discussion to just die, already, which can't be at all helpful as they try to lure more Enterprise users into adopting the platform.

I'm sure that Microsoft were hoping that their legal and regulatory issues with Windows 10 were a thing of the past. This latest news from the EU is a pretty clear sign that they're very much an ongoing issue.

September 05, 2016

Irony, thy name is DMCA

That the U.S.'s Digital Millennium Copyright Act is something of a mess is something that any YouTuber could probably attest to... and many have. Criminalizing acts as innocuous as making backups of media for your own use, and inviting all manner of systemic abuse by moneyed corporate interests, all while providing almost no additional protections for fair use, the DMCA would almost read like parody if clueless U.S. lawmakers hadn't passed it at the behest of the lobbyists of those same moneyed interests (and the moneyed corporate donors that they represented).

But this tidbit of news finally illustrates the absurdity of the DMCA in ways that nothing else ever could, that I could think of.

From The Beeb:
Film studio Warner Brothers has asked Google to remove its own website from search results, saying it violates copyright laws.
It also asked the search giant to remove links to legitimate movie streaming websites run by Amazon and Sky, as well as the film database IMDB.
The request was submitted on behalf of Warner Brothers by Vobile, a company that files hundreds of thousands of takedown requests every month.
[...]
The self-censorship was first spotted by news blog Torrent Freak, which said Vobile had made some "glaring errors".
In one request, Google was asked to remove links to the official websites for films such as Batman: The Dark Knight and The Matrix.
Licensed online movie portals such as Amazon and Sky Cinema were also reported for copyright infringement.
"Warner is inadvertently trying to make it harder for the public to find links to legitimate content, which runs counter to its intentions," said Ernesto van der Sar, from Torrent Freak.
[...]
Companies such as Vobile typically work on behalf of major film studios, reporting illegally uploaded copies of movies and television programmes.
Google's transparency report says Vobile has submitted more than 13 million links for removal.
It also reveals other potential mistakes - such as film studio Lionsgate reporting a copy of London Has Fallen found on the Microsoft download store.
"Unfortunately these kind of errors are very common," said Mr Van der Sar.
Warner Brothers has yet to comment, but really, what can they say? The DMCA, a law they lobbied hard to get, which tramples the free expression rights of U.S. residents on a regular basis, and whose features the RIAA and MPAA are working hard to see adopted globally through such vehicles as the Trans Pacific Partnership, is such a mess that a company as big as Warner Bros. is issuing automated DMCA takedowns against itself. We're through the looking glass here, people.

The DMCA needs serious revision, as do similar laws already passed in the UK, EU, and elsewhere, and I think that's going to have to start with at least one major movie studio admitting that they got it completely wrong when pushing for the law's passage in the first place. It's not an enviable role, by any means, so kudos to Warner Bros. for stepping up, and nominating themselves in such hilarious fashion.

</sarcasm>

August 30, 2016

Reminder: EU regulators have some teeth

From Reuters, via The Huffington Post:
BRUSSELS (Reuters) - EU antitrust regulators ordered Apple on Tuesday to pay up to 13 billion euros ($14.5 billion) in taxes plus interest to the Irish government after ruling that a special scheme to route profits through Ireland was illegal state aid.
The massive sum, 40 times bigger than the previous known demand by the European Commission to a company in such a case, could be reduced, the EU executive said in a statement, if other countries sought more tax themselves from the U.S. tech giant.
[...]
“Ireland granted illegal tax benefits to Apple, which enabled it to pay substantially less tax than other businesses over many years,” said Competition Commissioner Margrethe Vestager, whose crackdown on mainly U.S. multinationals has angered Washington which accuses Brussels of protectionism.
Apple intends to appeal, of course, and may well succeed in bringing down the size of their back tax bill, but $14.5B is a non-zero percentage of their market cap, in addition to being an enormous sum of money in its own right, and Apple's stock dropped 0.77% on the news. The previous record was 300M from Swedish engineer Atlas Copco AB, for back taxes in Belgium. It would seem that the EU is all done fucking around with companies that flout the rules.

Microsoft is already facing regulatory action in France; if the scope of that official response were to expand to include the EU as a whole, a very real possibility, then the potential costs were already high. The size of this penalty against Apple, though, shows that the EU has an appetite for imposing large enough fines that even these huge multinationals will feel them; if Microsoft don't resolve their European regulatory issues quickly, then the potential costs now appear to be much, much higher than they were just yesterday.

I wonder if they're worried yet?