Meanwhile in the World of Data Privacy: 26 May 2017
Note: Given the rapid pace at which developments are taking place in the domain of Data Privacy, our CEO has started curating some of the interesting & relevant features & articles she comes across. She has also provided a brief synopsis of each for the benefit of readers. Below is the first in the series. If you would like to receive this in your mailbox, do drop us a mail at firstname.lastname@example.org
Curated Reads on Data Privacy – 26th May 2017
This article from The Economist emphasizes how the world’s most valuable resource is no longer oil, but data. And how, therefore, the earlier rules of the game may not apply directly. This article focuses on one such aspect – antitrust rules.
The titans of this digital era are Google, Amazon, Apple, Facebook and Microsoft—the five most valuable listed firms in the world. Each vastly benefits from the ‘network effect’ – the more people join in, the more will further join in. ‘With data there are extra network effects. By collecting more data, a firm has more scope to improve its products, which attracts more users, generating even more data, and so on’
‘The nature of data makes the antitrust remedies of the past less useful. Breaking up a firm like Google into five Googlets would not stop network effects from reasserting themselves: in time, one of them would become dominant again. A radical rethink is required’. The article presents two ideas:
Firstly, when considering a merger, instead of size, ‘take into account the extent of firms’ data assets when assessing the impact of deals’. For eg, if this had been the case, ‘Facebook’s willingness to pay so much for WhatsApp, which had no revenue to speak of, would have raised red flags’.
Secondly, ‘loosen the grip that providers of online services have over data and give more control to those who supply them’. Force companies to ‘reveal to consumers what information they hold and how much money they make from it. Governments could encourage the emergence of new services by opening up more of their own data vaults or managing crucial parts of the data economy as public infrastructure, as India does with its digital-identity system, Aadhaar.’
Various cases in Indian courts have seen arguments about how there is no right to privacy enshrined in the Indian constitution. And hence the need for a data privacy law.
One of the concerns behind this urgent need is that Indians are increasingly using resources of non-India based corporates for critical communications and other activities. Who has control or any rights over this? For eg, ‘who has access to your family photographs posted on a family Whatsapp group?’
The announcement last year by Facebook about accessing content and metadata of Whatsapp users generated a lot of controversy worldwide. Last week, the EU slapped a $122 Million fine on Facebook on account of this deal. In India, a case was filed in the Supreme court on this. The way it gets addressed will determine India's approach to privacy moving forward. So this needs to be watched closely.
The EU GDPR is the game-changing regulation in the world of privacy that affects not just companies in the EU but even the rest of the world. Any entity dealing with the data of an EU resident comes under its purview. The regulation kicks in exactly one year from now – on 25th May 2018.
The above interactive infographic gives an excellent ‘quick overview’ of what the regulation entails for organizations.
Google has announced that they have begun using credit card transaction records to determine how many sales – whether online or in physical stores - have actually been generated by digital ad campaigns. This effectively connects digital trails to real-world purchase records.
Google says ‘they are using complex, patent-pending mathematical formulas to protect the privacy of consumers when they match a Google user with a shopper who makes a purchase in a brick-and-mortar store.’ The process uses something called a “double-blind” encryption. Data about offline purchases would be obtained via Google’s partners – who have not been named
This announcement has privacy advocates & practitioners abuzz. One will have to wait and see how this entire thing pans out.
Academics from Technische Universitat Braunschweig in Germany recently published a paper titled ‘Privacy Threats Through Ultrasonic Side Channels on Mobile Devices’. The research found 234 Android Apps (up from 39 in 2015) listen surreptitiously for ultrasonic beacons embedded in audio that are used to track users and serve them with targeted advertising’.
The beacons are embedded in the ultrasonic frequency range (between 18 and 20 kHz) of audio content. They can be detected by the mobile app using the device’s microphone. The paper studies three such enabling applications: Shopkick, Lisnr and SilverPush. Once the user has installed these applications on her phone, ‘she neither knows when the microphone is activated nor is she able to see which information is sent to the company servers’.
Subsequent to this report, Google has removed or suspended the apps mentioned in the report. Read about this here: http://www.cbsnews.com/news/google-removes-apps-that-use-ultrasonic-frequencies-to-track-users/
The research paper can be found here: http://christian.wressnegger.info/content/projects/sidechannels/2017-eurosp.pdf