Tag Archives: data-protection

Audit of NHS Trust’s app project with DeepMind raises more questions than it answers

A third party audit of a controversial patient data-sharing arrangement between a London NHS Trust and Google DeepMind appears to have skirted over the core issues that generated the controversy in the first place. The audit (full report here) — conducted by law firm Linklaters — of the Royal Free NHS Foundation Trust’s acute kidney injury detection app system, Streams, which was co-developed with Google-DeepMind (using an existing NHS algorithm for early detection of the condition), does not examine the problematic 2015 information-sharing agreement inked between the pair which allowed data to start flowing. “This Report contains an assessment of the data protection and confidentiality issues associated with the data protection arrangements between the Royal Free and DeepMind. It is limited to the current use of Streams, and any further development, functional testing or clinical testing, that is either planned or in progress. It is not a historical review,” writes Linklaters, adding that: “It includes consideration as to whether the transparency, fair processing, proportionality and information sharing concerns outlined in the Undertakings are being met.” Yet it was the original 2015 contract that triggered the controversy, after it was obtained and published by New Scientist, with the wide-ranging document raising questions over the broad scope of the data transfer; the legal bases for patients’ information to be shared; and leading to questions over whether regulatory processes intended to safeguard patients and patient data had been sidelined by the two main parties involved in the project. In November 2016 the pair scrapped and replaced the initial five-year contract with a different one — which put in place additional information governance steps.
They also went on to roll out the Streams app for use on patients in multiple NHS hospitals — despite the UK’s data protection regulator, the ICO, having instigated an investigation into the original data-sharing arrangement. And just over a year ago the ICO concluded that the Royal Free NHS Foundation Trust had failed to comply with Data Protection Law in its dealings with Google’s DeepMind. The audit of the Streams project was a requirement of the ICO. Though, notably, the regulator has not endorsed Linklaters’ report. On the contrary, it warns that it’s seeking legal advice and could take further action. In a statement on its website, the ICO’s deputy commissioner for policy, Steve Wood, writes: “We cannot endorse a report from a third party audit but we have provided feedback to the Royal Free. We also reserve our position in relation to their position on medical confidentiality and the equitable duty of confidence. We are seeking legal advice on this issue and may require further action.” In a section of the report listing exclusions, Linklaters confirms the audit does not consider: “The data protection and confidentiality issues associated with the processing of personal data about the clinicians at the Royal Free using the Streams App.” So essentially the core controversy, related to the legal basis for the Royal Free to pass personally identifiable information on 1.6M patients to DeepMind when the app was being developed, and without people’s knowledge or consent, is going unaddressed here.

UK watchdog issues $330k fine for Yahoo’s 2014 data breach

Another fallout from the massive Yahoo data breach that dates back to 2014: The UK’s data watchdog has just issued a £250,000 (~$334k) penalty for violations of the Data Protection Act 1998. Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath (which is also the parent of TechCrunch), is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users. Certainly given how large data protection fines can now scale under the European Union’s new privacy framework, GDPR, which also requires that most breaches be disclosed within 72 hours of discovery (rather than, ooooh, two years or so later in the Yahoo case…). The Information Commissioner’s Office (ICO) focused its investigation on the more than 515,000 affected UK accounts which the London-based Yahoo UK Services Ltd had responsibility for as a data controller. And it found a catalogue of failures — specifically finding that Yahoo UK Services had: failed to take appropriate technical and organisational measures to protect the data against exfiltration by unauthorised persons; had failed to take appropriate measures to ensure that its data processor — Yahoo! Inc — complied with the appropriate data protection standards; had failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and also that the inadequacies found had been in place for “a long period of time without being discovered or addressed”. Commenting in a statement, the ICO deputy commissioner of operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it.
The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.” According to the ICO, personal data compromised in the breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers. It considered the breach to be a “serious contravention of Principle 7 of the Data Protection Act 1998” — which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. Happily for Oath, GDPR does not apply historically because the UK’s domestic regime only allows for maximum penalties of £500k. And given Verizon was able to knock $350M off the acquisition price of Yahoo on account of a pair of massive data breaches, well, it’s not going to be too concerned with the regulatory sting here. Reputation-wise is perhaps another matter. Though, again, Yahoo had disclosed the breaches before the acquisition closed so any damage had already been publicly attached to Yahoo

Europe’s top court takes a broad view of privacy responsibilities around platforms

An interesting ruling by Europe’s top court could have some major implications for data mining tech giants like Facebook and Google, along with anyone who administers pages that allow platforms to collect and process their visitors’ personal data — such as a Facebook fan page or even potentially a site running Google Analytics. Passing judgement on a series of legal questions referred to it, the CJEU has held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page — aligning with the Advocate General’s opinion to the court, which we covered back in October. In practical terms the ruling means tech giants could face more challenges from European data protection authorities. While anyone piggybacking on or plugging into platform services in Europe shouldn’t imagine they can just pass responsibility to the platforms for ensuring they are compliant with privacy rules. The CJEU deems both parties to be responsible (aka, ‘data controllers’ in the legal jargon), though the court also emphasizes that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”, adding: “On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”

Gist of Wirtschaftsakademie final judgement – if you attract users to a service (e.g. FB fan page) – that tracks them – and you use (aggregate) results from the tracking you are a data controller, *even* if you never held or saw anything that could be considered personal data. — Michael Veale (@mikarv) June 5, 2018

The original case dates back to 2011, when a German education and training company with a fan page on Facebook was ordered by a local data protection authority to deactivate the page because neither it nor Facebook had informed users their personal data was being collected. The education company challenged the DPA’s order and, after much legal back and forth, questions were referred to Europe’s top court for a preliminary ruling. “The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the court writes today, handing down its judgement. “It must be emphasised, moreover, that fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on that social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data. “In those circumstances, the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46.” Facebook unsurprisingly expressed disappointment at the CJEU’s decision when contacted for a response.

Facebook says it “disagrees” with the New York Times’ criticisms of its device-integrated APIs

Facebook has responded to a New York Times story that raises privacy concerns about the company’s device-integrated APIs, saying that it “disagrees with the issues they’ve raised about these APIs.” Headlined “Facebook Gave Device Makers Deep Access to Data on Users and Friends,” the New York Times article criticizes the privacy protections of device-integrated APIs, which were launched by Facebook a decade ago. Before app stores became common, the APIs enabled Facebook to strike data-sharing partnerships with at least 60 device makers, including Apple, Amazon, BlackBerry, Microsoft and Samsung, that allowed them to offer Facebook features, such as messaging, address books and the like button, to their users. But they may have given access to more data than assumed, says the article. New York Times reporters Gabriel J.X. Dance, Nicholas Confessore and Michael LaForgia write that “the partnerships, whose scope has not been previously reported, raise concerns about the company’s privacy protections,” as well as its compliance with a consent decree it struck with the Federal Trade Commission in 2011. The FTC is currently investigating Facebook’s privacy practices in light of the Cambridge Analytica data misuse scandal. “Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders,” the New York Times story says. “Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.” Facebook said in April it would begin winding down access to its device-integrated APIs, but the New York Times says that many of those partnerships are still in effect.
Facebook is already under intense scrutiny by lawmakers and regulators, including the FTC, because of the Cambridge Analytica revelation, which raised serious concerns about the public APIs used by third-party developers and the company’s data-sharing policies. “In the furor that followed, Facebook’s leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users’ friends,” the New York Times says. “But the company officials did not disclose that Facebook had exempted the makers of cellphones, tablets and other hardware from such restrictions.” Facebook told the New York Times that data sharing through device-integrated APIs adhered to its privacy policies and the 2011 FTC agreement. The company also told the newspaper that it knew of no cases where a partner had misused data. Facebook acknowledged that some partners did store users’ data, including data from their Facebook friends, on their own servers, but said that those practices abided by strict agreements

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned, read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR, which will start being applied from tomorrow. Instapaper’s notification does not say how long the self-imposed outage will last.

WTF is instapaper doing with data? pic.twitter.com/eG2dhtkvnd — Sam (@smithsam) May 23, 2018

The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover. So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information). That said, EU regulators are clearly going to tread softly on the enforcement front in the short term. And any major fines are only going to hit the most serious violations and violators — and only down the line when data protection authorities have received complaints and conducted thorough investigations. So it’s not clear exactly why Instapaper believes it needs to pause its service to European users. It’s also had plenty of time to prepare to be compliant — given the new framework was agreed at the back end of 2015. We’ve reached out to Pinterest with questions and will update this story with any response. In an exchange on Twitter, Pinterest product engineering manager Brian Donohue — who, prior to acquisition was Instapaper’s CEO — flagged that the product’s privacy policy “hasn’t been changed in several years”.

Brexit data transfer gaps a risk for UK startups, MPs told

The uncertainty facing digital businesses as a result of Brexit was front and center during a committee session in the UK parliament today, with experts including the UK’s information commissioner responding to MPs’ questions about how and even whether data will continue to flow between the UK and the European Union once the country has departed the bloc — in just under a year’s time, per the current schedule. The risks for UK startups vs tech giants were also flagged, with concerns voiced that larger businesses are better placed to weather Brexit-based uncertainty thanks to greater resources at their disposal to plug data transfer gaps resulting from the political upheaval. Information commissioner Elizabeth Denham emphasized the overriding importance of the UK data protection bill being passed. Though that’s really just the baby step where the Brexit negotiations are concerned. Parliamentarians have another vote on the bill this afternoon, during its third reading, and the legislative timetable is tight, given that the pan-EU General Data Protection Act (GDPR) takes direct effect on May 25 — and many provisions in the UK bill are intended to bring domestic law into line with that regulation, and complete implementation ahead of the EU deadline. Despite the UK referendum vote to pull the country out of the EU, the government has committed to complying with GDPR — which ministers hope will lay a strong foundation for it to secure a future agreement with the EU that allows data to continue flowing, as is critical for business. Although what exactly that future data regime might be remains to be seen — and various scenarios were discussed during today’s hearing — hence there’s further operational uncertainty for businesses in the years ahead. “Getting the data policy right is of critical importance both on the commercial side but also on the security and law enforcement side,” said Denham.
“We need data to continue to flow and if we’re not part of the unified framework in the EU then we have to make sure that we’re focused and we’re robust about putting in place measures to ensure that data continues to flow appropriately, that it’s safeguarded and also that there is business certainty in advance of our exit from the EU. “Data underpins everything that we do and it’s critically important.” Another witness to the committee, James Mullock, a partner at law firm Bird & Bird, warned that the Brexit-shaped threat to UK-EU data flows could result in a situation akin to what happened after the long-standing Safe Harbor arrangement between the EU and the US was struck down in 2015 — leaving thousands of companies scrambling to put in place alternative data transfer mechanisms. “If we have anything like that it would be extremely disruptive,” warned Mullock. “And it will, I think, be extremely off-putting in terms of businesses looking at where they will headquarter themselves in Europe. And therefore the long term prospects of attracting businesses from many of the sectors that this country supports so well.” “Essentially what you’re doing is you’re putting the burden on business to find a legal agreement or a legal mechanism to agree data protection standards on an overseas recipient so all UK businesses that receive data from Europe will be having to sign these agreements or put in place these mechanisms to receive data from the European Union which is obviously one of our very major senders of data to this country,” he added of the alternative legal mechanisms fall-back scenario. Another witness, Giles Derrington, head of Brexit policy for UK technology advocacy organization, TechUK, explained how the collapse of Safe Harbor had saddled businesses with major amounts of bureaucracy — and went on to suggest that a similar scenario befalling the UK as a result of Brexit could put domestic startups at a big disadvantage vs tech giants.
“We had a member company who had to put in place two million Standard Contractual Clauses over the space of a month or so after Safe Harbor was struck down,” he told the committee

Unroll.me to close to EU users saying it can’t comply with GDPR

Put on your best unsurprised face: Unroll.me, a company that has, for years, used the premise of ‘free’ but not very useful ‘email management’ services to gain access to people’s email inboxes in order to data-mine the contents for competitive intelligence — and controversially flog the gleaned commercial insights to the likes of Uber — is to stop serving users in Europe ahead of a new data protection enforcement regime incoming under GDPR, which applies from May 25. In a section on its website about the regional service shutdown, the company writes that “unfortunately we can no longer support users from the EU as of the 23rd of May”, before asking whether a visitor lives in the EU or not. Clicking ‘no’ doesn’t seem to do anything but clicking ‘yes’ brings up another info screen where Unroll.me writes that this is its “last month in the EU” — because it says it will be unable to comply with “all GDPR requirements” (although it does not specify which portions of the regulation it cannot comply with). Any existing EU user accounts will be deleted by May 24, it adds:

The EU is implementing new data privacy rules, known as General Data Protection Regulation (GDPR). Unfortunately, our service is intended to serve users in the U.S. Because it was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents. This means we may not serve users we believe are residents of the EU, and we must delete any EU user accounts by May 24. We are truly sorry that we are unable to offer our service to you.

While Unroll.me, which is owned by Slice Technologies, also claims on the very same website that its parent company “strips away personal information” (i.e. after it has passed personal data attached to commercial and transactional emails found in users’ inboxes) — to “build anonymized market research products that analyze and track consumer trends” — it has been criticized for not being transparent about how it parses and sells people’s personal information. And in fact if you go to the trouble of reading the small print of Unroll.me’s privacy policy it says it can share users’ personal information how it pleases — not just with its parent entity (and direct affiliates) but with any other ‘partners’ it chooses…

We may share personal information we collect with our parent company, other affiliated companies, and trusted business partners. We also will share personal information with service providers that perform services on our behalf

What we learned from Facebook’s latest data misuse grilling

Facebook’s CTO Mike Schroepfer has just undergone almost five hours of often forensic and frequently awkward questions from members of a UK parliament committee that’s investigating online disinformation, and whose members have been further fired up by misinformation they claim Facebook gave it. The veteran senior exec, who’s clocked up a decade at the company, also as its VP of engineering, is the latest stand-in for CEO Mark Zuckerberg who keeps eschewing repeat requests to appear. The DCMS committee’s enquiry began last year as a probe into ‘fake news’ but has snowballed in scope as the scale of concern around political disinformation has also mounted — including, most recently, fresh information being exposed by journalists about the scale of the misuse of Facebook data for political targeting purposes. During today’s session committee chair Damian Collins again made a direct appeal for Zuckerberg to testify, pausing the flow of questions momentarily to cite news reports suggesting the Facebook founder has agreed to fly to Brussels to testify before European Union lawmakers in relation to the Cambridge Analytica Facebook data misuse scandal. “We’ll certainly be renewing our request for him to give evidence,” said Collins. “We still do need the opportunity to put some of these questions to him.” Committee members displayed visible outrage during the session, accusing Facebook of concealing the truth or at very least concealing evidence from it at a prior hearing that took place in Washington in February — when the company sent its UK head of policy, Simon Milner, and its head of global policy management, Monika Bickert, to field questions. During questioning Milner and Bickert failed to inform the committee about a legal agreement Facebook had made with Cambridge Analytica in December 2015 — after the company had learned (via an earlier Guardian article) that Facebook user data had been passed to the company by the developer of an app running on its platform.
Milner also told the committee that Cambridge Analytica could not have any Facebook data — yet last month the company admitted data on up to 87 million of its users had indeed been passed to the firm. Schroepfer said he wasn’t sure whether Milner had been “specifically informed” about the agreement Facebook already had with Cambridge Analytica — adding: “I’m guessing he didn’t know”. He also claimed he had only himself become aware of it “within the last month”. “Who knows? Who knows about what the position was with Cambridge Analytica in February of this year? Who was in charge of this?” pressed one committee member

Facebook moves to shrink its legal liabilities under GDPR

Facebook has another change in the works to respond to the European Union’s beefed up data protection framework — and this one looks intended to shrink its legal liabilities under GDPR, and at scale. Late yesterday Reuters reported on a change incoming to Facebook’s T&Cs that it said will be pushed out next month — meaning all non-EU international users are switched from having their data processed by Facebook Ireland to Facebook USA. With this shift, Facebook will ensure that the privacy protections afforded by the EU’s incoming General Data Protection Regulation (GDPR) — which applies from May 25 — will not cover the ~1.5BN+ international Facebook users who aren’t EU citizens (but currently have their data processed in the EU, by Facebook Ireland). The U.S. does not have a comparable data protection framework to GDPR. While the incoming EU framework substantially strengthens penalties for data protection violations, making the move a pretty logical one for Facebook’s lawyers thinking about how it can shrink its GDPR liabilities. Reuters says Facebook confirmed the impending update to the T&Cs of non-EU international users, though the company played down the significance — repeating its claim that it will be making the same privacy “controls and settings” available everywhere. (Though, as experts have pointed out, this does not mean the same GDPR principles will be applied by Facebook everywhere.) Critics have couched the T&Cs shift as regressive — arguing it’s a reduction in the level of privacy protection that would otherwise have applied for international users, thanks to GDPR. Although whether these EU privacy rights would really have been enforceable for non-Europeans is questionable. At the time of writing Facebook had not responded to a request for comment on the change.
Update: It’s now sent us the following statement — attributed to deputy chief global privacy officer, Stephen Deadman: “The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users. We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.” The company’s general argument is that the EU law takes a prescriptive approach — which can make certain elements irrelevant for international users outside the bloc. It also claims it’s working on being more responsive to regional norms and local frameworks. (Which will presumably be music to the New Zealand privacy commissioner’s ears, for one…) According to Reuters the T&Cs shift will affect more than 70 per cent of Facebook’s 2BN+ users. As of December, Facebook had 239M users in the US and Canada; 370M in Europe; and 1.52BN users elsewhere. The news agency also reports that Microsoft-owned LinkedIn is one of several other multinational companies planning to make the same data processing shift for international users — with LinkedIn’s new terms set to take effect on May 8, moving non-Europeans to contracts with the U.S.-based LinkedIn Corp.

Data experts on Facebook’s GDPR changes: Expect lawsuits

Make no mistake: Fresh battle lines are being drawn in the clash between data-mining tech giants and Internet users over people’s right to control their personal information and protect their privacy. An update to European Union data protection rules next month — called the General Data Protection Regulation — is the catalyst for this next chapter in the global story of tech vs privacy. A fairytale ending would remove that ugly ‘vs’ and replace it with an enlightened ‘+’. But there’s no doubt it will be a battle to get there — requiring legal challenges and fresh case law to be set down — as an old guard of dominant tech platforms marshal their extensive resources to try to hold onto the power and wealth gained through years of riding roughshod over data protection law. Payback is coming though. Balance is being reset. And the implications of not regulating what tech giants can do with people’s data have arguably never been clearer. The exciting opportunity for startups is to skate to where the puck is going — by thinking beyond exploitative legacy business models that amount to embarrassing blackboxes whose CEOs dare not publicly admit what the systems really do — and come up with new ways of operating and monetizing services that don’t rely on selling the lie that people don’t care about privacy.

More than just small print

Right now the EU’s General Data Protection Regulation can take credit for a whole lot of spilt ink as tech industry small print is reworded en masse. Did you just receive a T&C update notification about a company’s digital service? Chances are it’s related to the incoming standard. The regulation is generally intended to strengthen Internet users’ control over their personal information, as we’ve explained before.
But its focus on transparency — making sure people know how and why data will flow if they choose to click ‘I agree’ — combined with supersized fines for major data violations represents something of an existential threat to ad tech processes that rely on pervasive background harvesting of users’ personal data to be siphoned biofuel for their vast, proprietary microtargeting engines. This is why Facebook is not going gentle into a data processing goodnight.

Instagram will let users download all their data

As data protection and privacy becomes a big issue around the world, social networking companies like Instagram need to appropriately take care of the information we share. One of the provisions of the UK's upcoming Data Protection Bill would require...

Facebook, AggregateIQ now being jointly probed by Canada, B.C. data watchdogs

Privacy watchdogs in Canada and British Columbia are combining existing investigations into Facebook and AggregateIQ. The latter being a Victoria-based ad targeting tech company that has been linked to Cambridge Analytica, the political consultancy at the center of the Facebook data misuse storm. CA whistleblower Chris Wylie — who last month gave public testimony revealing how millions of Facebook users’ data was passed to his former employer for political ad targeting — has described AggregateIQ as the Canadian arm of CA’s parent entity, SCL. (Although AggregateIQ has denied any affiliation with CA or SCL, claiming on its website “it is and has always been 100% Canadian owned and operated”.) “The investigations will examine whether the organizations Aggregate IQ and Facebook are in compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and BC’s Personal Information Protection Act (PIPA),” said Canada’s watchdog in a statement about the now joint investigation. “The Office of the Information and Privacy Commissioner for BC opened its investigation into AggregateIQ late last year. Last month, the Office of the Privacy Commissioner of Canada launched an investigation into allegations about unauthorized access and use of Facebook user profiles. “The two offices decided to jointly investigate these matters as Facebook and AggregateIQ are subject to both PIPEDA and PIPA.” The statement does not go into any new detail about the investigations as it notes they are ongoing. The OPCC’s Facebook investigation, which was launched on March 20, followed a complaint against the company. Facebook has since confirmed that more than 620k Canadian users had their data scraped and passed to CA — the majority of whom would not have consented or even known their information was being shared in this way.
Meanwhile AggregateIQ’s role in the UK’s 2016 Brexit referendum vote has been the subject of increasing scrutiny in the country, following a lengthy investigation by the Observer of London looking at links between the various entities involved and how money was spent by different groups campaigning for the UK to leave the European Union. The company received £3.5M from leave campaign groups in the run up to the 2016 referendum, and has been described by leave campaigners as instrumental in securing their win

Grindr hit with privacy complaint in Europe over sharing user data

The Norwegian Consumer Council has filed a privacy complaint about Grindr, arguing it’s in breach of national and European data protection laws after it emerged the dating app has been sharing personal information about its users with third parties. As we reported earlier, Norwegian research outfit SINTEF analyzed the app’s traffic and found that — if set — a user’s HIV status is included in packets sent to two app optimization firms, Apptimize and Localytics. This data was sent via an encrypted transmission. But users were not informed their HIV status was being shared. Grindr has claimed HIV status data is being shared only for testing and platform optimization purposes — and that the third parties in question are “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy”. But, in SINTEF’s assessment, it is not strictly necessary to transmit such data for analytics and functionality testing (A/B testing) purposes.

Localytics, one of the third-party services Grindr shares user data with – such as GPS location, HIV status and 'last tested date' (see https://t.co/Tq6vdgGa0W ) – claims to track app users across 37,000 different apps on 'more than 2.7 billion devices': https://t.co/wJnFaO7crc pic.twitter.com/S4xBIQlM7m — Wolfie Christl (@WolfieChristl) April 2, 2018

As well as HIV statuses, SINTEF found Grindr transmits a raft of other personal data points to third party ad firms — this time via unencrypted transmissions — namely: precise GPS position, gender, age, “tribe” (aka group-affiliation, e.g. trans, bear), intention (e.g. friends, relationship), ethnicity, relationship status, language and device characteristics. The Council is objecting to both the sharing of highly sensitive HIV statuses and other personal information with third parties without Grindr gaining explicit user consent for the data to be handed off to others.
“Information about sexual orientation and health status is regarded as sensitive personal data according to European law, and has to be treated with great care. In our opinion, Grindr fails to do so,” said Finn Myrstad, director of digital services at the Council in a statement on its action. “We expect the company to ensure that its users receive both the privacy protection and security that they are entitled to. This also applies to how the information is used by Grindr’s service partners.” The Council argues that by transmitting sensitive personal data to third parties for ad purposes this is outside the original purposes for the data collection — thereby constituting a breach of the principle of purpose limitation. To be legal under European law Grindr would need to gain separate and clear consent from users for their personal info to be shared, it argues.
