Skip to main content

Deck.blue brings a TweetDeck experience to Bluesky users

With over 3 million users and plans to open up more broadly in the months ahead, Bluesky is still establishing itself as an alternative to Twitter/X. However, that hasn’t stopped the developer community from embracing the project and building tools to meet the needs of those fleeing the now Elon Musk-owned social network, formerly known […] © 2024 TechCrunch. All rights reserved. For personal use only. from TechCrunch https://ift.tt/TBbEAPF

Leaked Facebook ads document raises fresh questions over GDPR enforcement

Motherboard/Vice had an explosive report on Facebook’s business yesterday that’s sure to raise fresh questions over the lack of enforcement of European privacy laws against the adtech giant.

The report is based on a leaked internal document written last year by privacy engineers on its Ad and Business product team.

The document, which is entitled “ABP Privacy Infra, Long Range Investments [A/C Priv],” appears to show engineers at the tech giant now known as Meta scratching their heads at the nightmarish task they’re facing: Trying to make Facebook’s data-ingesting ads business compliant with a “tsunami” of global privacy regulations that need it to know how user data flows through its systems so the company can apply policies that control what’s done with people’s information and perform basic stuff like reflect people’s privacy choices. So next time Sheryl Sandberg talks about Meta’s “regulatory headwinds” this is the contextual meat to graft on those euphemistic bones.

Meta’s text deploys some internal business shorthand/acronyms whose literal meanings aren’t always clear. But the gist of the read — and it’s worth reading in full if you can spare the time for 15-pages of text, diagrams and a few colorful analogies such as one comparing a person’s information to a bottle of ink being poured into a giant lake (oopsy!) — is that Meta has ‘designed’ its ad system in such a totally unsiloed way that it’s very, very, very far from being able to comply with (even existing) laws like Europe’s General Data Protection Regulation (GDPR) which has a purpose limitation principle meaning you need a legal basis for each use of personal data. Nor, per the document, do Meta’s engineers sound confident of being able to transform the mess and achieve timely compliance with a bunch of other, incoming global regulations either. (And don’t even get them started on what AI regulations might mean for the business.)

Meta disputes that the document shows non-compliance with any privacy laws, of course.

In a statement to Motherboard, the company claims the document “does not describe our extensive processes and controls to comply with privacy regulations”; adding therefore that “it’s simply inaccurate to conclude that it demonstrates non-compliance”; and further claiming: “New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.” 

But, well, they would say that, wouldn’t they? 

Independent privacy researcher, Wolfie Christl — an expert in forensic analysis of ad data flows — takes a different view of what the leaked document reveals — dubbing it “dynamite” and a “confession” (albeit one not intended by Meta for public consumption) that it does not comply with the GDPR. See his detailed Twitter thread here — where he unpacks and contextualizes the implications of the engineers’ observations, as he sees it.

“The document is a straight and clear confession that Facebook’s whole business is based on a massive GDPR violation at the most fundamental level,” Christl tells TechCrunch. “Purpose limitation is one of the most basic principles in the GDPR. A company can generally only collect personal data for a specified purpose. If a company cannot specify the purpose it collects personal data for, it is simply not allowed to process it under the GDPR.”

Asked what Meta’s lead data protection regulator in the EU should do, Christl adds: “The Irish regulator must take action now. If Facebook cannot make clear how exactly its surveillance advertising machine uses personal data, it must be ordered to stop processing it.”

TechCrunch contacted the Irish Data Protection Commission (DPC) to ask whether it will be opening an investigation into Meta’s ad data flows in light of what the document appears to show is, basically, an ads system that, either by design or systemic build creep, exists (or existed in 2021) in a state that’s antithetical to regulation — and, indeed, whether the document is of relevance to any of the (several) ongoing investigations it has into aspects of Facebook’s business.

The regulator did not provide a statement but deputy commissioner Graham Doyle confirmed it had only seen the document for the first time when Motherboard/Vice published it.

That may raise further questions, given the DPC has — on paper — been investigating whether Facebook’s ads business complies with the GDPR’s requirement to have a valid legal basis for processing people’s data for almost four years now.

For example, the DPC has been considering a complaint against Facebook, focused on its legal basis for processing user data for ads, since May 2018, when the regulation entered into force.

A draft DPC decision on that inquiry, which was published (not by the DPC) last fall, was quickly branded a joke by privacy campaigners as the regulator appeared to be intending to accept a tactic by Meta to evade the GDPR’s standard for consent-based processing by claiming a cunning contractual bypass.

The tl;dr here is that for consent to be valid under the GDPR, data subjects must be given a free choice. Consent must also be purpose specific (aka no bundling); and it must be informed.

None of which happens if you use Facebook — where the platform makes processing your information for ad targeting a condition of use. Click ‘agree to ads’ or no Facebook account for you.

But, per last year’s leaked draft DPC decision, Facebook claims users are actually in a contract with it to receive targeted ads — and the DPC didn’t appear to see reason to object to that GDPR-bypassing construction.

Given GDPR complaints are still floundering on such legal basics, is it any wonder that the deep, dark, underbelly of Meta’s ad-targeting machinery contains, as this document tells it, a vast ocean of surveillance data on web users but so little apparatus to order this information according to people’s own wishes?

The bottom line is that the EU is almost four years into enforcement of its ‘flagship’ data protection regime and Facebook itself remains untouched by GDPR enforcement. (Its messaging platform WhatsApp was hit by a fine last year.)

The European Union also didn’t suddenly invent privacy regulation in 2018, when the GDPR came into force. Before that law there was the Data Protection Directive, which included many of the same principles.

So — in Europe at least — if a company like Facebook had actually been paying attention to legal requirements around privacy by design — and if EU regulators had been muscularly enforcing these long-standing rules — Meta might not now be warning investors about the ‘regulatory headwinds’ coming for their shareholder value. Nor facing what sounds to be a monumentally expensive and resource intensive re-engineering challenge — not so much akin to landing on the moon as more like needing to reconstruct the whole of the planet from pulverized moondust in a way that ensures every tiny piece of rock and dust is put back in exactly the place it originated for. Oh, and — guess what! — the deadline for doing all that already passed. Call it the ‘Zuckerberg’s moonshot.’

A Meta spokesperson did not respond to a question asking whether, following the Motherboard report, it had contacted the DPC to provide its lead EU regulator with information on how its ads system functions.

The company sent us the same statement it provided Motherboard earlier, which concludes with this lament: “This analogy lacks the context that we do, in fact, have extensive processes and controls to manage data and comply with privacy regulations.”

The European Commission is ultimately responsible for monitoring the application of the GDPR by EU Member State agencies.

We asked the Commission if it had any concerns in light of the leaked document and/or a view on whether the DPC should open an investigation into Meta’s ads data flows. But at the time of writing it had not responded.

In February, following a complaint against the Commission by the Irish Council for Civil Liberties — which accuses the EU’s executive of neglecting its duty to act on Ireland’s “failure to properly apply” the GDPR — the EU’s ombudsperson opened an inquiry — giving the Commission until May 15 to provide it with a “detailed and comprehensive” account of the information it has collected so far around whether the regulation is applied “in all respects” in Ireland.



from TechCrunch https://ift.tt/GUmd8CF

Comments

Popular posts from this blog

New month, new crypto market moves?

To get a roundup of TechCrunch’s biggest and most important crypto stories delivered to your inbox every Thursday at 12 p.m. PT, subscribe here . Welcome back to Chain Reaction. Seems like just yesterday we were ringing in the New Year, but we’ve coasted into February and all seems to be somewhat relaxed (for once) in the crypto world. Last month was filled with crypto companies laying off staff , developments around the existing and new Chapter 11 bankruptcies in the space, partnerships and conversations about potential recovery in 2023. Even with a range of bad news flooding the industry, some cryptocurrencies had a bull run in January, amid the market turmoil. Bitcoin rallied 40% on the month, while ether rose about 32% during the same period. Solana also saw serious recovery, from about $10 in the beginning of the year, near its lowest level since February 2021, up 146% to about $24.3 by the end of January, CoinMarketCap data showed. These market movements could pot

Metaverse app BUD raises another $37M, plans to launch NFTs

BUD , a nascent app taking a shot at creating a metaverse for Gen Z to play and interact with each other, has raised another round of funding in three months. The Singapore-based startup told TechCrunch that it has closed $36.8 million in a Series B round led by Sequoia Capital India, not long after it secured a Series A extension in February . The new infusion brings BUD’s total financing to over $60 million. As with BUD’s previous rounds, this round of raise attracted a handful of prominent China-focused investors — ClearVue Partners, NetEase and Northern Light Venture Capital. Its existing investors GGV Capital, Qiming Venture Partners and Source Code Capital also participated in the round. Founded by two former Snap engineers Risa Feng and Shawn Lin in 2019, BUD lets users create bulbous 3D characters, cutesy virtual assets and richly colored experiences through drag-and-drop and without any coding background. The company declined to reveal its active user size but said its use

Can Arbitrum’s recently formed DAO recover from its messy week?

The TechCrunch Podcast Network has been nominated for two Webbys in the Best Technology Podcast category. You can help TechCrunch win by voting for Chain Reaction , which digs into the wild world of crypto, or Found , which brings you the stories behind the startups by sitting down with the founders themselves. Please take a few moments to vote here . Voting closes April 20. (NB I host Chain Reaction, so vote for my show!) Welcome back to Chain Reaction. This week was pretty bearable as a crypto reporter covering this space. There was less crazy news transpiring, compared to previous weeks (where we saw a number of U.S. government crackdowns on major crypto companies like Binance and Coinbase ). Still, it’s never a dull week in the crypto world. In late March, Arbitrum, an Ethereum scaling solution, transitioned into a decentralized autonomous organization (DAO), after airdropping community members its new token, ARB. DAOs are meant to operate with no central authority and token h