Author: Natasha Lomas

Pew: Social media still growing in emerging markets but stalled elsewhere

Facebook founder Mark Zuckerberg’s (so far) five-year project to expand access to the Internet in emerging markets makes plenty of business sense when you look at the latest report by the Pew Research Center — which shows social media use has plateaued across developed markets but continues to rise in the developing world.

In 2015-16, roughly four-in-ten adults across the emerging nations surveyed by Pew said they used social networking sites, and as of 2017, a majority (53%) use social media. Whereas, over the same period, social media use has generally been flat in many of the advanced economies surveyed.

Internet use and smartphone ownership have also stayed level in developed markets over the same period vs rising in emerging economies.

Pew polled more than 40,000 respondents in 37 countries over a roughly three month period in February to May last year for this piece of research.

The results show how developing markets are of clear and vital importance for social behemoth Facebook as a means to eke continued growth out of its primary ~15-year-old platform — plus also for the wider suite of social products it’s acquired around that. (Pew’s research asked people about multiple different social media sites, with suggested examples being country-specific — though Facebook and Twitter were staples.)

Especially — as Pew also found — of those who use the internet, people in developing countries often turn out to be more likely than their counterparts in advanced economies to network via social platforms such as Facebook (and Twitter) .

Which in turn suggests there are major upsides for social platforms getting into an emerging Internet economy early enough to establish themselves as a go-to networking service.

This dynamic doubtless explains why Facebook has been so leaden in its response to some very stark risks attached to how its social products accelerate the spread and consumption of misinformation in some developing countries, such as Myanmar and India.

Pulling the plug on its social products in emerging markets essentially means pulling the plug on business growth.

Though, in the face of rising political risk attached to Facebook’s own business and growing controversies attached to various products it offers, the company has reportedly rowed back from offering its ‘Free Basics’ Internet.org package in more than half a dozen countries in recent months, according to analysis by The Outline.

In March, for example, the UN warned that Facebook’s platform was contributing to the spread of hate speech and ethnic violence in crisis-hit Myanmar.

The company has also faced specific questions from US and EU lawmakers about its activities in the country — with scrutiny on the company dialed up to 11 after a major global privacy scandal that broke this spring.

And, in recent months, Facebook policy staffers have had to spend substantial quantities of man-hours penning multi-page explanations for all sorts of aspects of the company’s operations to try to appease angry politicians. So it looks pretty safe to conclude that the days of Facebook being able to pass off Internet.org-fueled business expansion as a ‘humanitarian mission’ are well and truly done.

(Its new ‘humanitarian project’ is a new matchmaking feature — which really looks like an attempt to rekindle stalled growth in mature markets.)

Given how the social media usage gap is closing between developed vs developing countries’ there’s also perhaps a question mark over how much longer Facebook can generally rely on tapping emerging markets to pump its business growth.

Although Pew’s survey highlights some pretty major variations in usage even across developed markets, with social media being hugely popular in Northern America and the Middle East, for example, but more of a patchwork story in Europe where usage is “far from ubiquitous” — such as in Germany where 87% of people use the internet but less than half say they use social media.

Cultural barriers to social media addiction are perhaps rather harder for a multinational giant to defeat than infrastructure challenges or even economic barriers (though Facebook does not appear to be giving up on that front either).

Outside Europe, nations with still major growth potential on the social media front include India, Indonesia and nations in sub-Saharan Africa, according to the Pew research. And Internet access remains a major barrier to social growth in many of these markets.

“Across the 39 countries [surveyed], a median of 75% say they either use the internet occasionally or own a smartphone, our definition of internet use,” it writes. “In many advanced economies, nine-in-ten or more use the internet, led by South Korea (96%). Greece (66%) is the only advanced economy surveyed where fewer than seven-in-ten report using the internet. Conversely, internet use is below seven-in-ten in 13 of the 22 emerging and developing economies surveyed. Among these countries, it is lowest in India and Tanzania, at a quarter of the adult population. Regionally, internet use is lowest in sub-Saharan Africa, where a median of 41% across six countries use the internet. South Africa (59%) is the only country in the region where at least half the population is online.”

India, Indonesia and sub-Saharan Africa are also regions where Facebook has pushed its controversial Internet.org ‘free web’ initiative. Although India banned zero-rated mobile services in 2016 on net neutrality grounds. And Facebook now appears to be at least partially rowing back on this front itself in other markets.

In parallel, the company has also been working on a more moonshot-y solar-powered high altitude drone engineering to try to bring Internet access (and thus social media access) to remoter areas that lack a reliable Internet connection. Although this project remains experimental — and has yet to deliver any commercial services.

Pew’s research also found various digital divides persisting within the surveyed countries, related to age, education, income and in some cases gender still differentiating who uses the Internet and who does not; and who is active on social media and who is inactive.

Across the globe, for example, it found younger adults are much more likely to report using social media than their older counterparts.

While in some emerging and developing countries, men are much more likely to use social media  than women — in Tunisia, for example, 49% of men use social networking sites, compared with just 28% of women. Yet in advanced countries, it found social networking is often more popular among women.

Pew also found significant differences in social media use across other demographic groups: Those with higher levels of education and those with higher incomes were found to be more likely to use social network sites.

Prisma co-founders raise $1M to build a social app called Capture

Two of the co-founders of the art filter app Prisma have left to build a new social app.

Prisma, as you may recall, had a viral moment back in 2016 when selfie takers went crazy for the fine art spin the app’s AI put on photos — in just a few seconds of processing.

Downloads leapt, art selfies flooded Instagram, and similar arty effects soon found their way into all sorts of rival apps and platforms. Then, after dipping a toe into social waters with the launch of a feed of its own, the company shifted focus to b2b developer tools — and we understand it’s since become profitable.

But two of Prisma’s co-founders, Aleksey Moiseyenkov and Aram Hardy, got itchy feet when they had an idea for another app business. And they’ve both now left to set up a new startup, called Capture Technologies.

The plan is to launch the app — which will be called Capture — in Q4, with a beta planned for September or October, according to Hardy (who’s taking the CMO role).

They’ve also raised a $1M seed for Capture, led by US VC firm General Catalyst . Also investing are KPCB, Social Capital, Dream Machine VC (the seed fund of former TechCrunch co-editor, Alexia Bonatsos), Paul Heydon, and Russian Internet giant, Mail.Ru Group.

Josh Elman from Greylock Partners is also involved as an advisor.

Hardy says they had the luxury of being able to choose their seed investors, after getting a warmer reception for Capture than they’d perhaps expected — thinking it might be tough to raise funding for a new social app given how that very crowded space has also been monopolized by a handful of major platforms… (hi Facebook, hey Snap!)

But they also believe they’ve identified overlooked territory — where they can offer something fresh to help people interact with others in real-time.

They’re not disclosing further details about the idea or how the Capture app will work at this stage, as they’re busy building and Hardy says certain elements could change and evolve before launch day.

What they will say is that the app will involve AI, and will put the emphasis for social interactions squarely on the smartphone camera.

Speed will also be a vital ingredient, as it was with Prisma — literally fueling the app’s virality. “We see a huge move to everything which is happening right now, which is really real-time,” Hardy tells TechCrunch. “Even when we started Prisma there were lots of similar products which were just processing one photo for five, ten, 15 minutes, and people were not using it because it takes time.

“People want everything right now. Right here. So this is a trend which is taking place right now. People just want everything right now, right here. So we’re trying to give it to them.”

“Our team’s mission is to bring an absolutely new and unique experience to how people interact with each other. We would like to come up with something unique and really fresh,” adds Moiseyenkov, Capture’s CEO (pictured above left, with Hardy).

“We see a huge potential in new social apps despite the fact that there are too many huge players.”

Having heard the full Capture pitch from Hardy I can say it certainly seems like an intriguing idea. Though how exactly they go about selectively introducing the concept will be key to building the momentum needed to power their big vision for the app. But really that’s true of any social product.

Their idea has also hooked a strong line up of seed investors, doubtless helped by the pair’s prior success with Prisma. (If there’s one thing investors love more than a timely, interesting idea, it’s a team with pedigree — and these two certainly have that.)

“I’m happy to have such an amazing and experienced team,” adds Moiseyenkov, repaying the compliment to Capture’s investors.

“Your first investors are your team. You have to ask lots of questions like you do when you decide whether this or that person is a perfect fit for your team. Because investors and the team are those people with whom you’re going to build a great product. At the same time, investors ask lots of questions to you.”

Capture’s investors were evidently pleased enough with the answers their questions elicited to cut Capture its founding checks. And the startup’s team is already ten-strong — and hard at work to get a beta launched in fall.

The business is based in the US and Europe, with one office in Moscow, where Hardy says they’ve managed to poach some relevant tech talent from Russian social media giant vk.com; and another slated to be opening in a couple of weeks time, on Snap’s home turf of LA. 

“We’ll be their neighbors in Venice beach,” he confirms, though he stresses there will still be clear blue water between the two companies’ respective social apps, adding: “Snapchat is really a different product.”

Cambridge Analytica’s Nix said it licensed ‘millions of data points’ from Acxiom, Experian, Infogroup to target US voters

The repeat grilling by the UK parliament’s DCMS committee today of Alexander Nix, the former CEO of the now ex company Cambridge Analytica — aka the controversial political and commercial ad agency at the center of a Facebook data misuse scandal — was not able to shed much new light on what may or may not have been going on inside the company.

But one nugget of information Nix let slip were the names of specific data aggregators he said Cambridge Analytica had bought “consumer and lifestyle” information on US voters from, to link to voter registration data it also paid to acquire — apparently using that combined database to build models to target American voters in the 2016 presidential election, rather than using data improperly obtained from Facebook.

This is more information than Cambridge Analytica has thus far disclosed to one US voter, professor David Carroll, who in January last year lodged a subject access request with the UK-based company after learning it had processed his personal information — only to be fobbed off with a partial disclosure.

Carroll persisted, and made a complaint to the UK’s data protection watchdog, and last month the ICO ordered Cambridge Analytica to provide him with all the data it held on him. The deadline for that passed yesterday — with no response.

The committee questioned Nix closely over responses he had given it at his earlier appearance in February, when he denied that Cambridge Analytica used Facebook data as the foundational data-set for its political ad targeting business.

He had instead said that the work Dr Aleksandr Kogan did for the company was “fruitless” and thus that the Facebook data Kogan had harvested and supplied to it had not been used.

“It wasn’t the foundational data-set on which we built our company,” said Nix today. “Because we went out and we licensed millions of data points on American individuals from very large reputable data aggregators and data vendors such as Acxiom, Experian, Infogroup. That was the cornerstone of our data base together with political data — voter file data, I beg your pardon — which again is commercially available in the United States. That was the cornerstone of our company and on which we continued to build the company after we realized that the GSR data was fruitless.”

“The data that Dr Kogan gave to us was modeled data and building a model on top of a model proved to be less statistically accurate… than actually just using Facebook’s own algorithms for placing advertising communications. And that was what we found out,” he added. “So I stand by that statement that I made to you before — and that was echoed and amplified in much more technical detail by Dr Kogan.”

And Kogan did indeed play down the utility of the work he did for Cambridge Analytica — claiming it was essentially useless when he appeared before the committee back in April.

Asked about the exact type of data Cambridge Analytica/SCL acquired and processed from data brokers, Nix told the committee: “This is largely — largely — consumer and lifestyle data. So this is data on, for instance, loyalty card data, transaction data, this is data that pertains to lifestyle choices, such as what car you drive or what magazines you read. It could be data on consumer habits. And together with some demographic and geographic data — and obviously the voter data, which is very important for US politics.”

We’ve asked the three data brokers named by Nix to confirm Cambridge Analytica was a client of theirs, and the types of data it licensed from them, and will update this report with any response.

Fake news committee told it’s been told fake news

What was most notable on this Nix’s second appearance in front of the DCMS committee — which is investigating the role and impact of fake news/online disinformation on the political process — were his attempts to shift the spotlight via a string of defiant denials that there was much of a scandal to see here.

He followed a Trumpian strategy of trying to cast himself (and his former company) as victims — framing the story as a liberal media conspiracy and claiming no evidence of wrongdoing or unethical behavior had been produced.

Cambridge Analytica whistleblower Chris Wylie, who Nix had almost certainly caught sight of sitting in the public gallery, was described as a “bitter and jealous” individual who had acted out of resentment and spite on account of the company’s success.

Though the committee pushed back against that characterization, pointing out that Wylie has provided ample documents backing up his testimony, and that it has also taken evidence from multiple sources — not just from one former employee.

Nix did not dispute that the Facebook data-harvesting element of the scandal had been a “debacle”, as he put it.

Though he reiterated Cambridge Analytica’s previous denial that it was ever the recipient of the full data-set Kogan acquired from Facebook — which Facebook confirmed in April consisted of information on as many as 87M of its users — saying it “only received data on about 26M-27M individuals in the USA”.

He also admitted to personally being “foolish” in what he had been caught saying to an undercover Channel 4 reporter — when he had appeared to suggest Cambridge Analytica used tactics such as honeytraps and infiltration to gain leverage against clients’ political opponents (comments that got him suspended as CEO), saying he had only been talking in hypotheticals in his “overzealousness to secure a contract” — and once again painting himself as the victim of the “skillful manipulation of a journalist”.

He also claimed the broadcaster had taken his remarks out of context, claiming too that they had heavily edited the footage to make it look worse (a claim Channel 4 phoned in to the committee to “heavily” refute during the session).

But those sole apologetic notes did not raise the the tone of profound indignation Nix struck throughout almost the entire session.

He came across as poised and well-versed in his channeled outrage. Though he has of course had plenty of time since his earlier appearance — when the story had not yet become a major scandal — to construct a version of events that could best serve to set the dial to maximum outrage.

Nix also shut down several lines of the committee’s questions, refusing to answer whether Cambridge Analytica/SCL had gone on to repeat the Facebook data-harvesting method at the heart of the scandal themselves, for example.

Nor would he disclose who the owners and shareholders of Cambridge Analytica and SCL Group are — claiming in both cases that ongoing investigations prevented him from doing so.

Though, in the case of the Information Commission’s Office’s ongoing investigation into social media analytics and political campaigning — which resulted in the watchdog raiding the offices of Cambridge Analytica in March — committee chair Damian Collins made a point of stating the ICO had assured it it has no objection to Nix answering its questions.

Nonetheless Nix declined.

He also refused to comment on fresh allegations printed in the FT suggesting he had personally withdrawn $8M from Cambridge Analytica before the company collapsed into administration.

Some answers were forthcoming when the committee pressed him on whether Aggregate IQ, a Canadian data company that has been linked to Cambridge Analytica, and which Nix described today as a “subcontractor” for certain pieces of work, had ever had access to raw data or modeled data that Cambridge Analytica held.

The committee’s likely interest in pursing that line of questioning was to try to determine whether AIQ could have gained access to the cache of Facebook user data that found its way (via Kogan) to Cambridge Analytica — and thus whether it could have used it for its own political ad targeting purposes.

AIQ received £3.5M from leave campaign groups in the run up to the UK’s 2016 EU referendum campaign, and has been described by leave campaigners as instrumental in securing their win, though exactly where it obtained data for targeting referendum ads has been a key question for the enquiry.

On this Nix said: “It wouldn’t be unusual for AIQ or Cambridge Analytica to work on a client’s data-sets… And to have access to the data whilst we were working on them. But that didn’t entitle us to have any privileges over that data or any wherewithal to make a copy or retain any of that data ourselves.

“The relationship with AIQ would not have been dissimilar to that — as a subcontractor who was brought in to assist us on projects, they would have had, possibly, access to some of the data… whether that was modeled data or otherwise. But again that would be covered by the contract relationship that we have with them.”

Though he also said he couldn’t give a concrete answer on whether or not AIQ had had access to any raw data, adding: “I did speak to my data team prior to this hearing and they assured me there was no raw data that went into the Rippon platform [voter engagement platform AIQ built for Cambridge Analytica]. I can only defer to their expertise.”

Also on this, in prior evidence to the committee Facebook said it did not believe AIQ had used the Facebook user data obtained via Kogan’s apps for targeting referendum ads because the company had used email address uploads to Facebook’s ad platform for targeting “many” of its ads during the referendum — and it said Kogan’s app had not gathered the email addresses of app installers or their friends.

(And in its evidence to the committee AIQ’s COO Jeff Silvester also claimed: “The only personal information we use in our work is that which is provided to us by our clients for specific purposes. In doing so, we believe we comply with all applicable privacy laws in each jurisdiction where we work.”)

Today Nix flat denied that Cambridge Analytica had played any role in the UK’s referendum campaign, despite the fact it was already known to have done some “scoping work” for UKIP, and which it did invoice the company for (but claims not to have been paid). Work which Nix did not deny had taken place but which he downplayed.

“We undertook some scoping work to look at these data. Unfortunately, whilst this work was being undertaken, we did not agree on the terms of a contract, as a consequence the deliverables from this work were not handed over, and the invoice was not paid. And therefore the Electoral Commission was absolutely satisfied that we did not do any work for Leave.EU and that includes for UKIP,” he said.

“At times we undertake eight, nine, ten national elections a year somewhere around the world. We’ve never undertaken an election in the UK so I stand by my statement that the UK was not a target country of interest to us. Obviously the referendum was a unique moment in international campaigning and for that reason it was more significant than perhaps other opportunities to work on political campaigns might have been which was why we explored it. But we didn’t work on that campaign either.”

In a less comfortable moment for Nix, committee member Christian Matheson referred to a Cambridge Analytica document that the committee had obtained — described as a “digital overview” — and which listed “denial of service attacks” among the “digital interventions” apparently being offered by it as services.

Did you ever undertake any denial of service attacks, Nix was asked?

“So this was a company that we looked at forming, and we never formed. And that company never undertook any work whatsoever,” he responded. “In answer to your question, no we didn’t”

Why did you consider it, wondered Matheson?

“Uh, at the time we were looking at, uh, different technologies, expanding into different technological areas and, uh, this seemed like, uh, an interesting, uh, uh, business, but we didn’t have the capability was probably the truth to be able to deliver meaningfully in this business,” said Nix. “So.”

Matheson: “Was it illegal at that time?”

Nix: “I really don’t know. I can’t speak to technology like that.”

Matheson: “Right. Because it’s illegal now.”

Nix: “Right. I don’t know. It’s not something that we ever built. It’s not something that we ever undertook. Uh, it’s a company that was never realized.”

Matheson: “The only reason I ask is because it would give me concern that you have the mens rea to undertake activities which are, perhaps, outside the law. But if you never went ahead and did it, fair enough.”

Another moment of discomfort for Nix was when the committee pressed him about money transfers between Cambridge Analytica/SCL’s various entities in the US and UK — pointing out that if funds were being shifted across the Atlantic for political work and not being declared that could be legally problematic.

Though he fended this off by declining to answer — again citing ongoing investigations.

He was also asked where the various people had been based when Cambridge Analytica had been doing work for US campaigns and processing US voters’ data — with Collins pointing out that if that had been taking place outside the US it could be illegal under US law. But again he declined to answer.

“I’d love to explain this to you. But this again touches on some of these investigations — I simply can’t do that,” he said.

Apple got even tougher on ad trackers at WWDC

Apple unveiled a handful of pro-privacy enhancements for its Safari web browser at its annual developer event yesterday, building on an ad tracker blocker it announced at WWDC a year ago.

The feature — which Apple dubbed ‘Intelligent Tracking Prevention’ (IPT) — places restrictions on cookies based on how frequently a user interacts with the website that dropped them. After 30 days of a site not being visited Safari purges the cookies entirely.

Since debuting IPT a major data misuse scandal has engulfed Facebook, and consumer awareness about how social platforms and data brokers track them around the web and erode their privacy by building detailed profiles to target them with ads has likely never been higher.

Apple was ahead of the pack on this issue and is now nicely positioned to surf a rising wave of concern about how web infrastructure watches what users are doing by getting even tougher on trackers.

Cupertino’s business model also of course aligns with privacy, given the company’s main money spinner is device sales. And features intended to help safeguard users’ data remain one of the clearest and most compelling points of differentiation vs rival devices running Google’s Android OS, for example.

“Safari works really hard to protect your privacy and this year it’s working even harder,” said Craig Federighi, Apple’s SVP of software engineering during yesterday’s keynote.

He then took direct aim at social media giant Facebook — highlighting how social plugins such as Like buttons, and comment fields which use a Facebook login, form a core part of the tracking infrastructure that follows people as they browse across the web.

In April US lawmakers also closely questioned Facebook’s CEO Mark Zuckerberg about the information the company gleans on users via their offsite web browsing, gathered via its tracking cookies and pixels — receiving only evasive answers in return.

Facebook subsequently announced it will launch a Clear History feature, claiming this will let users purge their browsing history from Facebook. But it’s less clear whether the control will allow people to clear their data off of Facebook’s servers entirely.

The feature requires users to trust that Facebook is doing what it claims to be doing. And plenty of questions remain. So, from a consumer point of view, it’s much better to defeat or dilute tracking in the first place — which is what the clutch of features Apple announced yesterday are intended to do.

“It turns out these [like buttons and comment fields] can be used to track you whether you click on them or not. And so this year we are shutting that down,” said Federighi, drawing sustained applause and appreciative woos from the WWDC audience.

He demoed how Safari will show a pop-up asking users whether or not they want to allow the plugin to track their browsing — letting web browsers “decide to keep your information private”, as he put it.

Safari will also immediately partition cookies for domains that Apple has “determined to have tracking abilities” — removing the 24 window after a website interaction that Apple allowed in the first version of IPT.

It has also engineered a feature designed to detect when a domain is solely used as a “first party bounce tracker” — i.e. meaning it is never used as a third party content provider but tracks the user purely through navigational redirects — with Safari also purging website data in such instances.

Another pro-privacy enhancement detailed by Federighi yesterday is intended to counter browser fingerprinting techniques that are also used to track users from site to site — and which can be a way of doing so even when/if tracking cookies are cleared.

“Data companies are clever and relentless,” he said. “It turns out that when you browse the web your device can be identified by a unique set of characteristics like its configuration, its fonts you have installed, and the plugins you might have installed on a device.

“With Mojave we’re making it much harder for trackers to create a unique fingerprint. We’re presenting websites with only a simplified system configuration. We show them only built-in fonts. And legacy plugins are no longer supported so those can’t contribute to a fingerprint. And as a result your Mac will look more like everyone else’s Mac and will it be dramatically more difficult for data companies to uniquely identify your device and track you.”

In a post detailing IPT 2.0 on its WebKit developer blog, Apple security engineer John Wilander writes that Apple researchers found that cross-site trackers “help each other identify the user”.

“This is basically one tracker telling another tracker that ‘I think it’s user ABC’, at which point the second tracker tells a third tracker ‘Hey, Tracker One thinks it’s user ABC and I think it’s user XYZ’. We call this tracker collusion, and ITP 2.0 detects this behavior through a collusion graph and classifies all involved parties as trackers,” he explains, warning developers they should therefore “avoid making unnecessary redirects to domains that are likely to be classified as having tracking ability” — or else risk being mistaken for a tracker and penalized by having website data purged.

ITP 2.0 will also downgrade the referrer header of a webpage that a tracker can receive to “just the page’s origin for third party requests to domains that the system has classified as possible trackers and which have not received user interaction” (Apple specifies this is not just a visit to a site but must include an interaction such as a tap/click).

Apple gives the example of a user visiting ‘https://store.example/baby-products/strollers/deluxe-navy-blue.html’, and that page loading a resource from a tracker — which prior to ITP 2.0 would have received a request containing the full referrer (which contains details of the exact product being bought and from which lots of personal information can be inferred about the user).

But under ITP 2.0, the referrer will be reduced to just “https://store.example/”. Which is a very clear privacy win.

Another welcome privacy update for Mac users that Apple announced yesterday — albeit, it’s really just playing catch-up with Windows and iOS — is expanded privacy controls in Mojave around the camera and microphone so it’s protected by default for any app you run. The user has to authorize access, much like with iOS.

Facebook data misuse firm snubs UK watchdog’s legal order

The company at the center of a major Facebook data misuse scandal has failed to respond to a legal order issued by the U.K.’s data protection watchdog to provide a U.S. voter with all the personal information it holds on him.

An enforcement notice was served on Cambridge Analytica affiliate SCL Elections last month and the deadline for a response passed without it providing a response today.

The enforcement order followed a complaint by the U.S. academic, professor David Carroll, that the original Subject Access Request (SAR) he made under European law seeking to obtain his personal data had not been satisfactorily fulfilled.

The academic has spent more than a year trying to obtain the data Cambridge Analytica/SCL held on him after learning the company had built psychographic profiles of U.S. voters for the 2016 presidential election, when it was working for the Trump campaign.

Speaking in front of the EU parliament’s justice, civil liberties and home affairs (LIBE) committee today, Carroll said: “We have heard nothing [from SCL in response to the ICO’s enforcement order]. So they have not respected the regulator. They have not co-operated with the regulator. They are not respecting the law, in my opinion. So that’s very troubling — because they seem to be trying to use liquidation to evade their responsibility as far as we can tell.”

While he is not a U.K. citizen, Carroll discovered his personal data had been processed in the U.K. so he decided to bring a test case under U.K. law. The ICO supported his complaint — and last month ordered Cambridge Analytica/SCL Elections to hand over everything it holds on him, warning that failure to comply with the order is a criminal offense that can carry an unlimited fine.

At the same time — and pretty much at the height of a storm of publicity around the data misuse scandal — Cambridge Analytica and SCL Elections announced insolvency proceedings, blaming what they described as “unfairly negative media coverage.”

Its Twitter account has been silent ever since. Though company directors, senior management and investors were quickly spotted attaching themselves to yet another data company. So the bankruptcy proceedings look rather more like an exit strategy to try to escape the snowballing scandal and cover any associated data trails.

There are a lot of data trails though. Back in April Facebook admitted that data on as many as 87 million of its users had been passed to Cambridge Analytica without most of the people’s knowledge or consent.

“I expected to help set precedents of data sovereignty in this case. But I did not expect to be trying to also set rules of liquidation as a way to avoid responsibility for potential data crimes,” Carroll also told the LIBE committee. “So now that this is seeming to becoming a criminal matter we are now in uncharted waters.

“I’m seeking full disclosure… so that I can evaluate if my opinions were influenced for the presidential election. I suspect that they were, I suspect that I was exposed to malicious information that was trying to [influence my vote] — whether it did is a different question.”

He added that he intends to continue to pursue a claim for full disclosure via the courts, arguing that the only way to assess whether psychographic models can successfully be matched to online profiles for the purposes of manipulating political opinions — which is what Cambridge Analytica/SCL stands accused of misusing Facebook data for — is to see how the company structured and processed the information it sucked out of Facebook’s platform.

“If the predictions of my personality are in 80-90% then we can understand that their model has the potential to affect a population — even if it’s just a tiny slice of the population. Because in the US only about 70,000 voters in three states decided the election,” he added.

What comes after Cambridge Analytica?

The LIBE committee hearing in the European Union’s parliament is the first of a series of planned sessions focused on digging into the Cambridge Analytica Facebook scandal and “setting out a way forward,” as committee chair Claude Moraes put it.

Today’s hearing took evidence from former Facebook employee turned whistleblower Sandy Parakilas; investigative journalist Carole Cadwalladr; Cambridge Analytica whistleblower Chris Wylie; and the U.K.’s ICO Elizabeth Denham, along with her deputy, James Dipple-Johnstone.

The Information Commissioner’s Office has been running a more-than-year-long investigation into political ad targeting on online platforms — which now of course encompasses the Cambridge Analytica scandal and much more besides.

Denham described it today as “unprecedented in scale” — and likely the largest investigation ever undertaken by a data protection agency in Europe.

The inquiry is looking at “exactly what data went where; from whom; and how that flowed through the system; how that data was combined with other data from other data brokers; what were the algorithms that were processed,” explained Dipple-Johnstone, who is leading the investigation for the ICO.

“We’re presently working through a huge volume — many hundreds of terabytes of data — to follow that audit trail and we’re committed to getting to the bottom of that,” he added. “We are looking at over 30 organizations as part of this investigation and the actions of dozens of key individuals. We’re investigating social media platforms, data brokers, analytics firms, political parties and campaign groups across all spectrums and academic institutions.

“We are looking at both regulatory and criminal breaches, and we are working with other regulators, EU data protection colleagues and law enforcement in the U.K. and abroad.”

He said the ICO’s report is now expected to be published at the end of this month.

Denham previously told a U.K. parliamentary committee she’s leaning toward recommending a code of conduct for the use of social media in political campaigns to avoid the risk of political uses of the technology getting ahead of the law — a point she reiterated today.

“Beyond data protection I expect my report will be relevant to other regulators overseeing electoral processes and also overseeing academic research,” she said, emphasizing that the recommendations will be relevant “well beyond the borders of the U.K.”

“What is clear is that work will need to be done to strengthen information-sharing and closer working across these areas,” she added.

Many MEPs asked the witnesses for their views on whether the EU’s new data protection framework, the GDPR, is sufficient to curb the kinds of data abuse and misuse that has been so publicly foregrounded by the Cambridge Analytica-Facebook scandal — or whether additional regulations are required?

On this Denham made a plea for GDPR to be “given some time to work.” “I think the GDPR is an important step, it’s one step but remember the GDPR is the law that’s written on paper — and what really matters now is the enforcement of the law,” she said.

“So it’s the activities that data protection authorities are willing to do. It’s the sanctions that we look at. It’s the users and the citizens who understand their rights enough to take action — because we don’t have thousands of inspectors that are going to go around and look at every system. But we do have millions of users and millions of citizens that can exercise their rights. So it’s the enforcement and the administration of the law. It’s going to take a village to change the scenario.

“You asked me if I thought this kind of activity which we’re speaking about today — involving Cambridge Analytica and Facebook — is happening on other platforms or if there’s other applications or if there’s misuse and misselling of personal data. I would say yes,” she said in response to another question from an MEP.

“Even in the political arena there are other political consultancies that are pairing up with data brokers and other data analytics companies. I think there is a lack of transparency for users across many platforms.”

Parakilas, a former Facebook platform operations manager — and the closest stand in for the company in the room — fielded many of the questions from MEPs, including being asked for suggestions for a legislative framework that “wouldn’t put breaks on the development of healthy companies” and also not be unduly burdensome on smaller companies.

He urged EU lawmakers to think about ways to incentivize a commercial ecosystem that works to encourage rather than undermine data protection and privacy, as well as ensuring regulators are properly resourced to enforce the law.

“I think the GDPR is a really important first step,” he added. “What I would say beyond that is there’s going to have to be a lot of thinking that is done about the next generation of technologies — and so while I think GDPR does a admirable job of addressing some of the issues with current technologies the stuff that’s coming is, frankly, when you think about the bad cases is terrifying.

“Things like deepfakes. The ability to create on-demand content that’s completely fabricated but looks real… Things like artificial intelligence which can predict user actions before those actions are actually done. And in fact Facebook is just one company that’s working on this — but the fact that they have a business model where they could potentially sell the ability to influence future actions using these predictions. There’s a lot of thinking that needs to be done about the frameworks for these new technologies. So I would just encourage you to engage as soon as possible on those new technologies.”

Parakilas also discussed fresh revelations related to how Facebook’s platform disseminates user data published by The New York Times at the weekend.

The newspaper’s report details how, until April, Facebook’s API was passing user and friend data to at least 60 device makers without gaining people’s consent — despite a consent decree the company struck with the Federal Trade Commission in 2011, which Parakilas suggested “appears to prohibit that kind of behavior.”

He also pointed out the device maker data-sharing “appears to contradict Facebook’s own testimony to Congress and potentially other testimony and public statements they’ve made” — given the company’s repeat claims, since the Cambridge Analytica scandal broke, that it “locked down” data-sharing on its platform in 2015.

Yet data was still flowing out to multiple device maker partners — apparently without users’ knowledge or consent.

“I think this is a very, very important developing story. And I would encourage everyone in this body to follow it closely,” he said.

Two more LIBE hearings are planned around the Cambridge Analytica scandal — one on June 25 and one on July 2 — with the latter slated to include a Facebook representative.

Mark Zuckerberg himself attended a meeting with the EU parliament’s Council of Presidents on May 22, though the format of the meeting was widely criticized for allowing the Facebook founder to cherry-pick questions he wanted to answer — and dodge those he didn’t.

MEPs pushed for Facebook to follow up with answers to their many outstanding questions — and two sets of Facebook responses have now been published by the EU parliament.

In its follow up responses the company claims, for example, that it does not create shadow profiles on non-users — saying it merely collects information on site visitors in the same way that “any website or app” might.

On the issue of compensation for EU users affected by the Cambridge Analytica scandal — something MEPs also pressed Zuckerberg on — Facebook claims it has not seen evidence that the app developer who harvested people’s data from its platform on behalf of Cambridge Analytica/SCL sold any EU users’ data to the company.

The developer, Dr. Aleksandr Kogan, had been contracted by SCL Elections for U.S.-related election work. Although his apps collected data on Facebook users from all over the world — including some 2.7 million EU citizens.

“We will conduct a forensic audit of Cambridge Analytica, which we hope to complete as soon as we are authorized by the UK’s Information Commissioner,” Facebook also writes on that.

Facebook, Google face first GDPR complaints over “forced consent”

After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long time Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent.

The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.

Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting.)

“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” Schrems writes in a statement.

“Facebook has even blocked accounts of users who have not given consent,” he adds. “In the end users only had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process.”

We’ve reached out to all the companies involved for comment and will update this story with any response.

The European privacy campaigner most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb (aka ‘none of your business’).

As we pointed out in our GDPR explainer, the provision in the regulation allowing for collective enforcement of individuals’ data rights in an important one, with the potential to strengthen the implementation of the law by enabling non-profit organizations such as noyb to file complaints on behalf of individuals — thereby helping to redress the imbalance between corporate giants and consumer rights.

That said, the GDPR’s collective redress provision is a component that Member States can choose to derogate from, which helps explain why the first four complaints have been filed with data protection agencies in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record defending privacy rights.

Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection agency will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation for defending data protection rights.

But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint concerns and where a service crosses borders — so noyb’s action looks intended to test this element of the new framework too.

Under the penalty structure of GDPR, major violations of the law can attract fines as large as 4% of a company’s global revenue which, in the case of Facebook or Google, implies they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue.

That said, given how freshly fixed in place the rules are, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.

However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud.

“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” writes Schrems.

Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new consent flow.

“We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads,” said Zuckerberg.

He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new consent flow Facebook revealed ahead of GDPR only offers the ‘choice’ of quitting Facebook entirely if a person does not want to accept targeting advertising. Which, well, isn’t much of a choice given how powerful the network is. (Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data.)

Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change — “because giving people control of how their data is used has been a core principle of Facebook since the beginning”.

“The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past,” he claimed. “I mean I don’t want to downplay it — there are strong new rules that we’ve needed to put a bunch of work into into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things.

“In order to be able to give people the tools to connect in all the ways they want and build committee a lot of philosophy that is encoded in a regulation like GDPR is really how we’ve thought about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and implement but I also don’t want to make it seem like this is a massive departure in how we’ve thought about this stuff.”

Zuckerberg faced a range of tough questions on these points from the EU parliament earlier this week. But he avoided answering them in any meaningful detail.

So EU regulators are essentially facing a first test of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image.

Privacy laws are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.

Schrems also makes the point that small startups and local companies are less likely to be able to use the kind of strong-arm ‘take it or leave it’ tactics on users that big tech is able to use to extract consent on account of the reach and power of their platforms — arguing there’s a competition concern that GDPR should also help to redress.

“The fight against forced consent ensures that the corporations cannot force users to consent,” he writes. “This is especially important so that monopolies have no advantage over small businesses.”

Image credit: noyb.eu

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned, read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR, which will start being applied from tomorrow.

Instapaper’s notification does not say how long the self-imposed outage will last.

The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover.

So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information).

That said, EU regulators are clearly going to tread softly on the enforcement front in the short term. And any major fines are only going to hit the most serious violations and violators — and only down the line when data protection authorities have received complaints and conducted thorough investigations.

So it’s not clear exactly why Instapaper believes it needs to pause its service to European users. It’s also had plenty of time to prepare to be compliant — given the new framework was agreed at the back end of 2015. We’ve reached out to Pinterest with questions and will update this story with any response.

In an exchange on Twitter, Pinterest product engineering manager Brian Donohue — who, prior to acquisition was Instapaper’s CEO — flagged that the product’s privacy policy “hasn’t been changed in several years”. But he declined to specify exactly what it feels its compliance issue is — saying only: “We’re actively working to resolve the issue.”

In a customer support email that we reviewed, the company also told one European user: “We’ve been advised to undergo an assessment of the Instapaper service to determine what, if any, changes may be appropriate but to restrict access to IP addresses in the EU as the best course of action.”

“We’re really sorry for any inconvenience, and we are actively working on bringing the service back online for residents in Europe,” it added.

The product’s privacy policy is one of the clearer T&Cs we’ve seen. It also states that users can already access “all your personally identifiable information that we collect online and maintain”, as well as saying people can “correct factual errors in your personally identifiable information by changing or deleting the erroneous information” — which, assuming those statements are true, looks pretty good for complying with portions of GDPR that are intended to give consumers more control over their personal data.

Instapaper also already lets users delete their accounts. And if they do that it specifies that “all account information and saved page data is deleted from the Instapaper service immediately” (though it also cautions that “deleted data may persist in backups and logs until they are deleted”).

In terms of what Instapaper does with users’ data, its privacy policy claims it does not share the information “with outside parties except to the extent necessary to accomplish Instapaper’s functionality”.

But it’s also not explicitly clear from the policy whether or not it’s passing information to its parent company Pinterest, for example, so perhaps it feels it needs to add more detail there.

Another possibility is Instapaper is working on compliance with GDPR’s data portability requirement. Though the service has offered exports options for years. But perhaps it feels these need to be more comprehensive.

As is inevitable ahead of a major regulatory change there’s a good deal of confusion about what exactly must be done to comply with the new rules. And that’s perhaps the best explanation for what’s going on with Instapaper’s pause.

Though, again, there’s plenty of official and detailed guidance from data protection agencies to help.

Unfortunately it’s also true that there’s a lot of unofficial and dubious quality advice from a cottage industry of self-styled ‘GDPR consultants’ that have sprung up with the intention of profiting off of the uncertainty. So — as ever — do your due diligence when it comes to the ‘experts’ you choose.