Showing posts with label GDPR. Show all posts

November 17, 2018

Windows 10's telemetry violates GDPR, according to Dutch regulators

OMG, has this news item ever been a long time coming. From The Reg:
Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.
That's according to a report out this month that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.
The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That's a no-no.
Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen.
The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues.
I always thought that there ought to be a law against Microsoft's data collection practices, and had hoped that GDPR might be that law, but I'll admit that it feels really satisfying to see it actually happen. I only wish that it had been the data collection in Windows 10 itself that had triggered this.

Microsoft aren't the only company facing an uphill battle when it comes to transforming their anti-consumer practices into GDPR-compliant ones (The Reg dubbed this "GDPRmageddon," which is just fabulous). Considering just how stubborn Microsoft have been when it comes to addressing the inadequacies of their business practices, though, I have a feeling that they'll struggle with GDPR compliance more than most companies... except, of course, for Facebook.

May 27, 2018

GDPR?

So, when I logged into Blogger today, I was greeted with this notice:
European Union laws require you to give European Union visitors information about cookies used and data collected on your blog. In many cases, these laws also require you to obtain consent.
Out of courtesy, we have added a notice on your blog to explain Google's use of certain Blogger and Google cookies, including use of Google Analytics and AdSense cookies, and other data collected by Google.
You are responsible for confirming that this notice actually works for your blog, and that it displays. If you employ other cookies, for example by adding third-party features, this notice may not work for you. If you include functionality from other providers there may be extra information collected from your users.
Which is... fine, I guess? The weird part is that I have no idea what the notice says, because I'm in Canada, and the notice doesn't appear for Canadian users. Hopefully the thing is actually working, since I have no way to know; Blogger's relevant help page says that it should be active automatically, with no action needed from me, which I find to be somewhat at odds with the notice itself, which says that I'm somehow supposed to be responsible for ensuring that it's working, even though I apparently can't do that from here.

If Blogger's default GDPR notice says anything you object to, please direct those objections to Google, who are entirely responsible for the no-doubt-legalese passages in question. If it's not there at all, please feel free to leave a comment on this blog post or something to let me know.

For the record, I have my browser options set to delete all cookies automatically when Firefox closes (and, yes, I use Firefox - it's what I'm used to, and Quantum's performance is close enough to Chrome's to be acceptable), and to accept third-party cookies only from sites I've already visited. Since Firefox is also set to clear my history when it closes, and since I also run two ad-blockers (uBlock Origin and AdBlocker Ultimate), I feel pretty okay with the level of data that people can collect about me without my knowledge. I'm probably not doing much to slow the likes of Facebook with their shadow profiles, but I shouldn't be broadcasting much of anything to the world that I'd rather keep quiet.

Remember... it's not paranoia if they are watching you. And they definitely are watching you. C'est la vie.

April 18, 2018

Facebook's lies revealed... again

Remember when Mark Zuckerberg was asked, point-blank, if he'd implement GDPR-calibre provisions across all of Facebook, and he replied with some word salad that was meant to sound like an affirmative reply... but only after he'd first said that they wouldn't? It looks like his first answer to that question, i.e. that Facebook had no immediate plans to do this, was actually the truth.

From The Hill:
Facebook is moving to exempt 1.5 billion users in Africa, Asia, Australia and Latin America from its terms of service as dictated under a new European Union regulation, according to a Reuters report.
The move comes weeks before the E.U.'s General Data Protection Regulation (GDPR) is set to take effect. The rule addresses the protection of personal data shared outside the E.U.
By exempting so many of its members from the new regulation, Facebook would limit its liability under the new rule, which allows for fines of up to 4 percent of a company's global annual revenue for violations.
For Facebook, that could mean billions of dollars in potential fines, according to Reuters.
According to Reuters, the exemption would affect more than 70 percent of Facebook users worldwide. As of December, the social media platform had 239 million members in the U.S. and Canada, 370 million in Europe and 1.52 billion users in other parts of the world.
So, if you live in the EU, you'll be covered by GDPR, and if you live in the USA, you'll be covered by Facebook's GDPR-lite privacy policy, but if you're one of the other 70% of Facebook's users, then you're fucked. And they didn't buy you a drink, first.

The way Facebook are implementing GDPR (in those few places where they are doing so) is drawing heavy criticism as well, as reported by TechCrunch:
In simple terms, seeking consent from users in a way that’s not fair because it’s manipulative means consent is not being freely given. Under GDPR, it won’t be consent at all. So Facebook appears to be seeing how close to the wind it can fly to test how regulators will respond.
Safe to say, EU lawmakers and NGOs are watching.
[...]
Data protection experts who TechCrunch spoke to suggest Facebook is failing to comply with, not just the spirit, but the letter of the law here. Some were exceedingly blunt on this point.
“I am less impressed,” said law professor Mireille Hildebrandt discussing how Facebook is railroading users into consenting to its targeted advertising. “It seems they have announced that they will still require consent for targeted advertising and refuse the service if one does not agree. This violates [GDPR] art. 7.4 jo recital 43. So, yes, they will be taken to court.”
The best worst part of all this? Even the parts of the world that are getting GDPR coverage are only going to be covered because Facebook has their international headquarters in Ireland... for tax reasons. That's right, it's only their shady tax evasion policy that's left Facebook exposed to GDPR in the first place. If not for that, they wouldn't be covering anybody.

Perhaps that's why people like Richard Stallman are speaking out for stronger regulation, as in his recent interview with New York Magazine:
We need a law. Fuck them — there’s no reason we should let them exist if the price is knowing everything about us. Let them disappear. They’re not important — our human rights are important. No company is so important that its existence justifies setting up a police state. And a police state is what we’re heading toward.
I can only agree. Fuck them. Fuck Mark Zuckerberg and his lying, android-like face, and fuck the horse he rode in on. Fuck Facebook.

#FacebookIsTheProblem
#DeleteFacebook

Half-hearted and half-assed:
Facebook's approach to GDPR compliance isn't at all surprising

It won't surprise you to read that I am not surprised by the extent of the flaws in Facebook's plans for GDPR "compliance," as reported by TechCrunch:
Facebook is about to start pushing European users to speed through giving consent for its new GDPR privacy law compliance changes. It will ask people to review how Facebook applies data from web to target them with ads, and surface the sensitive profile info they share. Facebook will also allow European and Canadian users to turn on facial recognition after six years of the feature being blocked there. But with a design that encourages rapidly hitting the “Agree” button, a lack of granular controls, a laughably cheatable parental consent request for teens, and an aesthetic overhaul of Download Your Information that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data.
A lot of TC's criticisms revolve around a user interface design that's clearly intended to "speed through by hitting that big blue button at the bottom," rather than actually managing their privacy options. For example, the ability to control your sensitive profile information, like sexual preference or religious and political views:
As you’ll see at each step, you can hit the pretty blue “Accept And Continue” button regardless of whether you’ve scrolled through the information. If you hit the ugly grey “Manage Settings” button, you have to go through an interstitial where Facebook makes its argument trying to deter you from removing the info before letting you make and save your choice. It feels obviously designed to get users to breeze through it by offering no resistance to continue, but friction if you want to make changes.
Facebook doesn’t let advertisers target you based on this sensitive info, which is good. The only exception is that in the US, political views alongside political Pages and Events you interact with impact your overarching personality categories that can be targeted with ads. You can opt out of being targeted by those too. But your only option here is either to remove any info you’ve shared in these categories so friends can’t see it, or allow Facebook to use it to personalize the site. There’s no option to keep this stuff on your profile but not let Facebook use it.
The pattern repeats, over and over, throughout the long list of small changes that FB is making.

April 03, 2018

Facebook takes a step backwards

Was it just this morning that I was slow-clapping for Facebook's upcoming app management and fact-checking features? Did I really say in that post that today had actually been better for Facebook than yesterday?

Well, it would seem that Zuck ain't havin' none o' that, because he's gone and stuck another of his feet squarely in his own mouth.

As reported by Reuters:
Facebook Inc Chief Executive Mark Zuckerberg said on Tuesday the social network had no immediate plans to apply a strict new European Union law on data privacy in its entirety to the rest of the world, as the company reels from a scandal over its handling of personal information of millions of its users.
Zuckerberg told Reuters in a phone interview that Facebook already complies with many parts of the law ahead of its implementation in May. He said the company wanted to extend privacy guarantees worldwide in spirit, but would make exceptions, which he declined to describe.
“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” said Zuckerberg. He did not elaborate.
His comments signal that U.S. Facebook users, many of them still angry over the company’s admission that political consultancy Cambridge Analytica got hold of Facebook data on 50 million members, may soon find themselves in a worse position than Europeans.
Seriously, I'm starting to think that he's a closet centipede, or something. Because he can't possibly be this much of an idiot.

Adopting the EU standards for user privacy across Facebook's entire operation, as the best practice available in this area, should be a no-brainer at this point. Like allowing users to easily delete their accounts, adopting EU standards globally would be exactly the kind of bold, pro-consumer move that would turn public opinion back in Facebook's favour, and stem the flow of exiting users. It might even save them money, since it allows them to have a single platform in all markets, rather than a patchwork of platforms in various countries, each of which runs differently.

There's only one reason to not do this, really, and that's if FB expect to make more money from exploiting users in places (like the U.S.) with lax regulations. Zuckerberg had a clear opportunity to put Facebook's money where his own mouth is, and promise to do better for all of Facebook's users, rather than just the ones protected by a strong regulatory regime; instead, he's put his own foot in his mouth again, and ensured that the day's news cycle will end with a discussion of what they're not doing to protect their users, rather than being about the things that they are doing, which they announced earlier.

To describe this as moronic is to fail to do it justice. I'd ask who the fuck let this happen... except that it was Mark Zuckerberg who approved both the new features of this morning, and uttered the tone-deaf statement of this evening. He's the CEO of Facebook; the buck stops with him.

GG, Zuck. GG.

#FacebookIsTheProblem
#DeleteFacebook

UPDATED: APRIL 5th:

Apparently someone has explained to Zuckerberg just how badly this was playing in the media, because he's walked it back a bit. As per HuffPost:
Asked specifically if he’d be willing to implement new privacy policies in the U.S. similar to the strict new privacy laws rolling out in the European Union, Zuckerberg said he was comfortable with the idea but not in the same format.
When the EU law takes effect on May 25, Facebook will have to get users’ explicit consent to collect data and be much more upfront about how it uses that data. Zuckerberg said Facebook “intends to make the same controls and settings available everywhere, not just in Europe.” That’s subject to some flexibility, however ― a variation he attributed to a patchwork of global laws on the matter.
So Facebook will implement GDPR as the standard Facebook-wide... except that it will look different in different countries, depending on what's actually required by the laws in those countries. Which is being hailed as good news, from people who've failed to realize that Zuckerberg's said that Facebook both will and won't adopt GDPR world-wide because it represents the best practices available for privacy. Zuck wants credit for saying that he'll provide the strongest possible privacy protection to users across the board, although he still wants the flexibility to implement something less strong than GDPR in markets where GDPR isn't the law of the land.

That's... how do you say?... horseshit.

It's possible that the laws in some jurisdictions actually contradict the GDPR standards, of course, but rather than just say that, Zuck went vague. All he needed to say was that Facebook would implement GDPR as the strongest available standard for every market where its provisions weren't actually contradicted by other laws; and, further, that Facebook would lobby for GDPR to be adopted as the standard in jurisdictions where their users would be subject to lesser protections because GDPR provisions can't legally be implemented. What was needed was a clear, concise, and unambiguous statement of intent, here: a new dedication to their users' safety, security, and privacy that Facebook had previously not demonstrated.

Which leaves us exactly where we were; with Facebook planning to meet GDPR standards everywhere, except where they won't, and with no clarity about who will and won't be covered, or exactly why those left exposed won't be benefiting from the new practices. It's PR pablum, acknowledging that they need to do more on this issue, but without actually committing to doing anything more on this issue than they'd already be forced to do, in order to comply with EU laws. It's absolutely the bare minimum he could say, while managing to say nothing at all.

And, yet, it seems to be working. Everyone seems to be reporting this as if Zuckerberg had actually said what they wanted to hear, instead of hearing what he actually said. So, I can't exactly call it a fail; it's accomplishing what he wanted to accomplish. As failures of journalism go, that's pretty disheartening.