Mozilla looks to its next chapter • ZebethMedia

Mozilla today released its annual “State of Mozilla” report and for the most part, the news here is positive. Mozilla Corporation, the for-profit side of the overall Mozilla organization, generated $585 million from its search partnerships, subscriptions and ad revenue in 2021 — up 25% from the year before. And while Mozilla continues to mostly rely on its search partnerships, revenue from its new products like the Mozilla VPN, Mozilla Developer Network (MDN) Plus, Pocket and others now accounts for $57 million of its revenue, up 125% compared to the previous year. For the most part, that’s driven by ads on the New Tab in Firefox and in Pocket, but the security products now also have an annual revenue of $4 million.

With the launch of this year’s report, the Mozilla leadership team is also taking some time to look ahead, because in many ways, this is an inflection point for Mozilla. When Mozilla was founded, the internet was essentially the web and the browser was the way to access it. Since then, the way we experience the internet has changed dramatically and while the browser is still one of the most important tools around, it’s not the only one. With that, Mozilla, too, has to change. Its Firefox browser has gone from dominating the space to being something of a niche product, but the organization’s mission (“to ensure the internet is a global public resource, open and accessible to all”) is just as important today — and maybe more so — as it was almost 25 years ago when Mozilla was founded.

To talk about the state of the business and to look ahead to what’s next for Mozilla, I sat down with its executive chairwoman and CEO Mitchell Baker, Mozilla chief product officer Steve Teixeira (who recently joined Mozilla after leaving Twitter), and Mozilla Foundation executive director Mark Surman.

In talking about the state of the business, Baker noted that given the pandemic, 2021 was obviously not a normal year. For the first half of 2022, with the war in Ukraine and the overall economic headwind, Mozilla’s financials looked somewhat similar, she noted. But more importantly, Mozilla’s attempts at diversification are starting to pay off. “There are some things in 2021 that I think are our doing and that we intend to continue — multi-product, different business models, engaging with consumers — […] that do represent the future and our very early steps of making this new chapter of Mozilla,” she explained.

With Mozilla’s three business models (privacy-preserving ads, subscriptions and search partnerships), the organization is now a bit more dependent on the overall ad market. But as Teixeira stressed, the market may be softer, but this has mostly manifested itself in slower growth, not a drop in the market. “For us, as a non-public company, that’s okay,” he said. “We can do great. Since we don’t have to manage a public market perception, all we need to have is a great business to run and that keeps us happy.”

He also believes that while its security products are a small portion of Mozilla’s overall revenue so far (with the VPN driving virtually all of that), there is still a lot of upside there. Mozilla is looking at how it can add more features and products to its overall security suite going forward, both as part of Firefox and as stand-alone products.

Earlier this year, Mozilla introduced paid subscriptions for its Mozilla Developer Network (MDN). Teixeira said it was meeting the organization’s “modest expectations,” but also represented Mozilla’s willingness to experiment with these business models. With a product like MDN, which has a very long history, Mozilla has to be careful about how it manages an experiment like this, because it can easily backfire and tarnish its brand, too, something Baker acknowledged. “We were really determined to honor MDN for what it is and make sure that what we’re adding is truly a premium service,” she said.

Yet while Mozilla continues to expand its product offerings, for a lot of people, its brand remains synonymous with Firefox. Both Baker and Teixeira stressed that Mozilla will continue to invest in Firefox and Teixeira especially stressed that he sees a lot of opportunity for growth on mobile. But Baker also noted that she wants Mozilla to stand for something more universal than that. “What I find about the Mozilla brand is that it inspires hope, it represents aspiration,” she said. “I’ve been testing that the last few years, because we knew that Firefox was a global brand — which is hard to get, especially one that’s lasted 20 years — but I’ve been testing the Mozilla brand globally and found a couple things: it is a global brand, it’s not as well-known as Firefox, but it’s more well-known than you would expect.”

But people want more from Mozilla, she argued. It’s one thing, after all, to fix Firefox (which Mozilla has arguably done) and compete with Edge and Chrome, it’s another to compete against Microsoft and Google and return a sense of agency to users when it’s so hard to preserve your privacy and security online. “[The internet] is controlled by a handful of organizations aimed at me, designed to get me to do something, buy something, believe something, take some kind of action,” she said about the current state of the internet. “What we don’t currently have, and why I spend my life energy here at Mozilla — we don’t have that power working on my behalf, reaching out into the world, looking for what I’m looking for or influencing the world, or finding the things I want or representing me. It’s aimed at me and no individual human has the resources to really understand or respond or take care of what’s going on.”

Yet without solving for privacy and security online, it’s hard to see what’s next. “Privacy and security are necessary. We need them right now. People are aware of

Google Play streamlines policies around kids’ apps as regulations tighten • ZebethMedia

Google Play today announced a series of changes to its programs and policies around apps designed for children. The company is describing the update as an expansion of its previously launched “Teacher Approved” program, which includes a review process where teachers and experts vetted apps not just for safety and security elements, but for educational quality and other factors. The newly revamped policies will now impact how apps qualify for this program, which allows apps to gain entry to the Play Store’s “Kids” tab.

These changes should help to streamline some of the policies around apps made for children which, in turn, will increase the number of apps that become eligible to be reviewed for the Teacher Approved program. In addition, these policy updates and other changes will push Android app makers to come into compliance with stricter regulations and laws around software targeting children.

Before, Google Play ran two (sometimes overlapping) programs around apps aimed at kids. App developers were required to participate in Google’s “Designed for Families” program if their app was aimed at children, and could optionally choose to participate in the program if their app targeted both kids and older users. The Designed for Families program included a number of requirements around the app’s content, its functionality, use of ads, data practices, use of warning labels, feature set, underlying technology components, and more. Any apps in this program were also eligible to be rated for the Teacher Approved program, which had stricter guidelines, but entry was not guaranteed.

Now, the additional policy requirements for the Designed for Families program are being rolled into the Play Store’s broader Families Policy. This latter set of guidelines requires apps to comply with applicable laws and regulations relating to children, like the U.S. Children’s Online Privacy Protection Act (COPPA), and the E.U. General Data Protection Regulation (GDPR), for example. The Families Policy also prohibits access to precise location data, prevents developers from transmitting device identifiers from children, and includes additional privacy and content restrictions, among other things.

For developers, the merging of the Designed for Families requirements into the Google Play Families Policy simplifies and strengthens the rules for developers around apps that target kids. And, with this change, all the apps that meet the now more robust Families Policy will become eligible to apply for the Teacher Approved program. The Teacher Approved program’s requirements are not changing, however, and only a subset of apps meeting the overarching Families Policy will qualify.

The Teacher Approved program itself first arrived in April 2020 — at the beginning of the Covid-19 pandemic and lockdowns. At this time, many schools had shifted to virtual learning, and children were spending more time on their devices to both learn and be entertained. Beyond meeting safety requirements and government regulations, the apps chosen for “Teacher Approved” were vetted by a panel of academic experts including more than 200 U.S. teachers. The panel rated the apps on various aspects like age-appropriateness, quality of experience, enrichment, and whether kids enjoy using the app, among other things. This information would then be displayed on the app’s Play Store listing if the app was approved so parents could determine if the app was right for their child. Consumers can find these Teacher Approved apps on the “Kids” tab of the Play Store or they can look for the Teacher Approved badge on an individual app’s listing.

With the update, all apps that are compliant with the Families Policy will also soon receive an additional badge that’s displayed in the Data safety section of their app’s listing. This badge will indicate the app has committed to the Play Store’s Families Policy.

In addition to the merging of its two families policies, Google also noted it recently updated its Families Self-Certified Ads SDK Program. Makers of SDKs (software development kits, or software used by developers to expand the functionality of their apps) must now identify which versions of their SDKs are appropriate for use in Families apps. In 2023, Android app developers in the Families program will be required to use only the SDKs that are identified as appropriate — though Google suggests developers start to make the shift to these safer SDKs now.

These changes aren’t just about serving developers or consumers — they also help Google to meet stricter regulations being considered, drafted, and enacted worldwide around how software is permitted to handle kids’ data — such as the EU’s GDPR and the U.K.’s Age Appropriate Design Code. Failure to meet these requirements can result in significant penalties, as Meta recently learned when it was fined roughly $400 million for how it treated children’s data on Instagram.

After key privacy and security departures last week, Twitter names ‘acting DPO’ • ZebethMedia

Following a flurry of resignations of senior Twitter privacy and security staffers late last week, the social media firm has informed its lead data protection regulator in the European Union that it has appointed an “acting” replacement for one of those positions: The key role of data protection officer (DPO).

The abrupt departures of Twitter’s CISO Lea Kissner; chief privacy officer (and DPO) Damien Kieran; and chief compliance officer Marianne Fogarty immediately raised questions over its ability to meet regulatory requirements under new, norm-trashing broom, Elon Musk — who only completed his $44 billion takeover at the end of last month.

A company that’s processing personal data at the scale Twitter does is obliged, under the European Union’s General Data Protection Regulation (GDPR), to at least have a DPO — at a bare minimum. Twitter also has a 2011 consent decree with the FTC that requires it to submit regular reports on how it’s living up to ongoing commitments to safeguard user data — so the sudden departure of senior privacy and security staffers immediately set alarm bells ringing. Including at the Irish Data Protection Commission (DPC), Twitter’s lead data supervisor for the EU’s GDPR.

A meeting between the DPC and Twitter followed hard on the heels of the trio of resignations — arranged last week and taking place yesterday — and at this meeting the DPC said Twitter informed it that it has appointed an existing employee, Renato Monteiro, as its “acting DPO”.

Monteiro has been employed at Twitter for two years and nine months, per his LinkedIn profile — starting in March 2020 in São Paulo, Brazil, as a Data Protection Counsel Lead for Latin America, before relocating to Twitter Ireland this summer to take up a role as director for international privacy and data protection lead — managing privacy and data protection teams in Europe, the Middle East and Africa, North and South America and APAC.

It is not clear why Monteiro has only been named “acting” DPO — or whether his appointment is intended only as a stop-gap while a full replacement is sought, or not. Since Musk took over Twitter, the company has stopped responding to press enquiries so it is not possible to obtain confirmation via an official channel.

But Musk appears to have a penchant for appointing ‘acting’ rather than actual job titles, as well as for playing with absurd job titles (such as initially christening himself “chief twit”, after he fired and took over from the actual CEO; followed by Musk becoming “Twitter complaint hotline operator”, seemingly as a commentary on users responding negatively to his early product decisions and other changes).

One question that’s likely to arise, therefore, is whether Monteiro is being invested with the full responsibilities and duties required by the DPO role under GDPR — and, if not, whether an ‘acting’ framing will pass muster with EU regulators or not. At the time of writing the DPC had not responded to our question on this point. But we’ll update this report if we get a response.

Last week, the Irish regulator told us that in addition to using Monday’s meeting with Twitter to seek information from it about the DPO situation it planned to discuss a wider concern — to ask whether the business is still claiming its main establishment (for GDPR purposes) in Ireland. This structure is important because it enables Twitter to participate in the GDPR’s one-stop-shop (OSS) mechanism — which sets up the DPC as its lead data supervisor for EU data protection issues and means complaints made elsewhere in the bloc are typically funnelled via Ireland — allowing the US-based company to streamline its GDPR compliance and shrink regulatory risk.

However, given all the drastic changes accompanying Musk’s takeover of Twitter — including, reportedly, standard privacy and security review processes being dispensed with — doubts are being cast over whether Twitter can still credibly claim main establishment in Ireland, as we reported yesterday. The DPC’s deputy commissioner Graham Doyle declined to provide an update on its questioning of Twitter’s main establishment status following yesterday’s meeting — saying only: “We continue to engage with Twitter.”

Other EU data protection agencies are likely to be watching developments on this front exceedingly closely. A spokesperson for France’s CNIL told ZebethMedia it will be approaching the DPC to discuss the nature and “possible consequences” of changes reported to have taken place at Twitter since Musk took over. Although the regulator also told us that, at present, it does not have “sufficient information” to question the application of the OSS.

“Until now, the evidence available to the supervisory authorities has led them to consider that Twitter’s principal place of business in the EU was in Ireland, which made the DPC the lead authority. The CNIL intends to approach the DPC to discuss the nature and possible consequences that the changes mentioned in the press are likely to have on the role and status of Twitter’s Irish establishment,” the CNIL’s spokesperson said. “At this stage, the CNIL does not have sufficient information to consider that the application of the one-stop shop system is in question.”

Google to pay $391.5 million in location-tracking settlement with 40 states • ZebethMedia

Google has agreed to a $391.5 million settlement with 40 state attorneys general over its location tracking practices. The settlement outlines that Google misled its users into thinking they had turned off location tracking even as the company continued to collect their location information. The investigation, which marks the largest attorney general-led consumer privacy settlement ever, was co-led by Oregon and Washington.

“For years Google has prioritized profit over their users’ privacy,” said Oregon Attorney General Ellen Rosenblum in a news release. “They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers.”

Google said in a statement that it has already addressed and corrected some of the location tracking practices detailed in the settlement. “Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” a spokesperson for Google told ZebethMedia in an email.

As part of the settlement, Google has agreed to improve its location tracking disclosures and user controls starting next year. The settlement requires Google to show additional information to users whenever they turn a location-related account setting on or off. Key information about location tracking must also not be hidden going forward.

In a blog post, Google outlined it will “provide a new control that allows users to easily turn off their Location History and Web & App Activity settings and delete their past data in one simple flow.” The company also plans to add additional disclosures to its Activity controls and Data & Privacy pages. Alongside these changes, Google is going to create a comprehensive information hub that highlights key location settings. In addition, Google plans to give users who are setting up new accounts a more detailed explanation of what Web & App Activity is and what information it includes. The company said it will continue deleting location history data for users who have not recently contributed new location history data to their account.

“Until we have comprehensive privacy laws, companies will continue to compile large amounts of our personal data for marketing purposes with few controls,” Rosenblum said in the news release.

The attorneys general opened the Google investigation after a 2018 Associated Press report found that the company recorded users’ movements even when they explicitly told it not to. The investigation found that Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014.

Last month, Google agreed to pay the state of Arizona $85 million to settle a separate lawsuit that alleged the search giant deceived users by collecting location data without their consent. Google is also currently facing a lawsuit from Washington, DC, Texas, Washington state and Indiana. The lawsuit alleges that Google deceived users by collecting their location data even when they believed that kind of tracking was disabled.

Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop? • ZebethMedia

Helmed by erratic new owner Elon Musk, Twitter is no longer fulfilling key obligations required for it to claim Ireland as its so-called “main establishment” under the European Union’s General Data Protection Regulation (GDPR), a source familiar with the matter has told ZebethMedia. Our source, who is well placed, requested and was granted anonymity owing to the sensitivity of the issue — which could have major ramifications for Twitter and for Musk.

Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by being able to engage exclusively with a lead data supervisor in the EU Member State where it is ‘main established’ (in Twitter’s case Ireland), rather than having to accept inbound from data protection authorities across the bloc.

However, under Musk’s chaotic reign — which has already seen a fast and deep downsizing of Twitter’s headcount, kicking off with layoffs of 50% of staff earlier this month — questions are being asked over whether its main establishment status in Ireland for the GDPR still holds or not.

The resignation late last week of key senior personnel responsible for ensuring security and privacy compliance looks like a canary in the coal-mine when it comes to Twitter’s regulatory situation — with CISO Lea Kissner; chief privacy officer Damien Kieran; and chief compliance officer Marianne Fogarty all walking out the door en masse. It’s not clear whether any adequately qualified individuals will be willing to step into these critical compliance roles for privacy and security at Twitter given the current Musk-driven craziness — since anyone signing up for that level of responsibility risks opening themselves up to personal liability should regulatory requirements be breached on their watch.

As we reported Friday, Musk’s attorney and now head of legal at Twitter, Alex Spiro — who has reportedly been given a key role in the overhaul of the platform — emailing all staff on behalf of “Elon” to claim they face no personal liability will surely sound alarm bells at regulators over Twitter’s direction of travel. Last week, The Verge also reported on turmoil inside Twitter’s privacy and security function as standard review procedures were dispensed with and engineers were asked to “self certify” compliance with FTC rules. Its report also cited an unnamed company lawyer who it said had Slacked employees to warn them that changes to how Twitter operates are piling personal, professional and legal risk onto engineers instructed to implement Musk’s will regardless of consequences.

Under the EU’s GDPR, meanwhile, Twitter is obliged — in just one very basic requirement — to have a data protection officer (DPO) to provide a contact point for regulators. Hence the departure of Kieran, its first and only DPO since the role was created at the company in 2018, has not gone unnoticed by its data protection watchdog in Ireland — as we also reported Friday.

But the Irish Data Protection Commission (DPC)’s concerns are already spiralling wider than Twitter’s compliance with notifications about core personnel: Last week, the authority — currently Twitter’s lead EU DPA under the GDPR’s OSS — put the social media firm on watch by signalling public concern when it said it would be putting questions to the company about the status of its main establishment in Ireland at a meeting scheduled for early this week, to discuss all the recent privacy changes since the Musk takeover.

Twitter has not commented publicly on the DPC’s warning nor on the departures of senior regulator-facing staffers. Indeed, since Musk took over, its communications department appears to have been dismantled and the company no longer responds to press requests for comment — so it was not possible to obtain an official statement from Twitter about these departures or on the substance of our report. (We’re happy to add a response if Twitter or Musk wants to send us one.)

For Twitter’s business itself, there are a number of potential consequences in play if its ability to meet regulatory requirements falls. If the DPC assesses (or is informed by Musk) that it no longer has its main establishment in Ireland the company will crash out of the OSS — opening it up to being regulated by data protection authorities across the bloc’s 27 Member States, which would become competent to oversee its business. In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate their own investigations and take enforcement actions.

So Ireland’s more business friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland. If Twitter loses its ability to claim main establishment in Ireland it would therefore drastically amp up the complexity, cost and risk of achieving GDPR compliance. (Reminder: Penalties under the regulation can scale up to 4% of annual global turnover — so these are not rules a normal CEO would ignore.)

The GDPR does not set out specific criteria for assessing main establishment.
But, in Twitter’s case — in order for it to be able to fulfil the regulation’s requirement of “effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” actually taking place locally, in Ireland, despite Twitter product development being led out of the US — we understand that the company devised a careful legal framework which was designed to empower an Irish entity to be the data controller for EU users by ensuring that this Ireland-located Twitter company, which has its own board of directors subject to

Twitter’s lead EU watchdog for data protection has fresh questions for Musk • ZebethMedia

In parallel with the FTC’s ominous warning to Elon Musk’s Twitter yesterday — that ‘no CEO or company is above the law‘ — the microblogging platform’s lead regulator in the European Union is on its case in the wake of senior staffers in charge of security and privacy compliance walking out the door.

Graham Doyle, a deputy commissioner at Ireland’s Data Protection Commission (DPC), which currently leads oversight of Twitter under the EU’s General Data Protection Regulation (GDPR), told ZebethMedia it’s in contact with the company following media reports yesterday that its data protection officer (DPO) had resigned. A meeting between the DPC and Twitter will take place early next week, according to Doyle. He also confirmed to us that Twitter had not informed the regulator of the DPO’s departure prior to the media reports.

Getting clarity over the DPO situation will be top of the meeting agenda, per Doyle. But he said the regulator now has another concern it wants to discuss with Twitter — regarding whether Twitter’s main establishment, for GDPR purposes, is still located in Ireland…

Next stop: One-stop-shop stopped?

“One of the issues that we want to discuss is the issue around main establishment,” Doyle told ZebethMedia. “They’re obliged to have a data protection officer in place and provide us with the details but equally, under the [GDPR] one-stop-shop (OSS) mechanism in order to get a main establishment to engage with one regulator, the decision making processes — in terms of the processing of EU data — needs to take place in that country. That’s one of the principles of main establishment. And what we want to establish is that that is continuing to be the case for Twitter.”

Ireland being Twitter’s lead regulator for the GDPR under the OSS is important because it puts the Irish watchdog in the driving seat when it comes to opening inquiries (or not), or otherwise acting on concerns over Twitter’s compliance (such as following up on the un-notified resignation of its DPO now). From Twitter’s point of view, the arrangement is advantageous because it streamlines compliance since it only needs to liaise with one (lead) regulator over any issues, rather than handling inbound from multiple data protection agencies (potentially in different languages).

Ireland has a lead supervisor role for Twitter because the company was able to notify its Dublin office as its “main establishment” in the EU — what the regulation refers to as either the place of “central administration in the Union” or “where the main processing activities take place in the Union”. However were Twitter to be deemed to no longer have this processing base in Ireland there would be an immediate regulatory reconfiguration and data protection authorities across the bloc, from any of the EU’s 27 Member States, could instigate inquiries or act on local complaints themselves — cranking up the regulatory complexity, velocity and risk for Twitter’s European business.

With Musk slashing 50% of Twitter’s headcount globally just last week — and a reported “carnage” in the Irish office, per an Irish Times report which said more than 50% of local staff were affected — questions have arisen in Dublin over the stability of its main establishment status for the GDPR.

“We’ve made contact with Twitter… And for us one of the issues we want to discuss with them is the issue of main establishment — is there any change? With the announcement of the departures — including the DPO — is there any plans to change the decision making process that’s in place that allows them to avail of the main establishment,” Doyle reiterated.

Reports that all was not well up at the senior echelons of Twitter’s security and privacy function spilled out onto Twitter yesterday afternoon. Platformer journalists, Casey Newton and Zoë Schiffer, reported that Twitter’s CISO, chief privacy officer and chief compliance officer have all resigned — citing messages shared in Twitter Slack which they had obtained. Soon afterwards, the Washington Post’s Cat Zakrzewski tweeted that the Irish DPC was “seeking more information” from Twitter.

“According to messages shared in Twitter Slack, Twitter’s CISO, chief privacy officer, and chief compliance officer all resigned last night. An employee says it will be up to engineers to “self-certify compliance with FTC requirements and other laws.”” — Casey Newton (@CaseyNewton) November 10, 2022

“NEW: A senior member of Twitter’s legal team just posted this message in Slack: “Everyone should know that our CISO, Chief Privacy Officer and Chief Compliance Officer ALL resigned last night. This news will be buried in the return-to-office drama. I believe that is intentional.”” — Zoë Schiffer (@ZoeSchiffer) November 10, 2022

Twitter CISO Lea Kissner later confirmed her departure in a tweet — as did Damien Kieran, Twitter’s now ex chief privacy officer. While Marianne Fogarty, Twitter’s (reportedly ex) chief compliance officer, tweeted what may be an indirect confirmation too, late yesterday — writing: “Therapy Thursdays have taken on new meaning of late. #LoveTwitter”.

Enquiries to Twitter’s press line have gone unanswered since Musk took over so it’s not been possible to obtain an official line on what’s going on. The company’s communications department appears to have been a major casualty of the 50% headcount reduction Musk swiftly applied on taking over — with press staffers either entirely or almost entirely laid off.

It is also not clear how many of Twitter’s staff in Ireland were laid off last week. There is no obligation on the company to report overall layoff numbers to the DPC. Nor are the criteria a regulator should use for assessing main establishment clear, as they are not stipulated in the GDPR itself — but rather left up to regulators to determine. (On determining main establishment, the regulation states: “The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” — further stipulating that “criterion should not

FTC warns ‘no CEO or company is above the law’ if Twitter shirks privacy order • ZebethMedia

The FTC has telegraphed what appears to be a now-inevitable investigation into Twitter’s internal data handling practices, as the company continues to shed important staff and improvise new features. “No CEO or company is above the law,” the agency said in a statement — and if Elon Musk’s Twitter continues its current spree, they may find themselves in violation of the FTC’s order and facing serious consequences. To be clear at the outset, the FTC has not announced any investigation into Twitter, Elon Musk, or even that they are gathering information in service of such an investigation. Nor would it be able to confirm it was investigating if it was. But circumstantial evidence, common sense, and the ominous statement issued today leave little doubt that the company is in the agency’s crosshairs. In the course of its ordinary oversight duties, the FTC looks into complaints by consumers, companies, and anyone with a bone to pick about things like misleading advertising, broken privacy promises, illicit business arrangements, and so on. But in 2011 Twitter agreed to a consent decree with the regulator after being found to have misused user data. It was also found to have done so again for many years in an investigation culminating in a $150 million settlement earlier this year, so this isn’t some bygone red tape. This decree required Twitter to establish and maintain a program to ensure and regularly report that its new features do not further misrepresent “the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.” The revised order adds more oversight and gives the FTC more power, since evidently Twitter needed a stick as well as a carrot. The gist of it is that Twitter is in the doghouse with the FTC already, and it has specific and legally binding requirements regarding what it can and can’t do with data, and how it verifies that it is in compliance. 
Around the time of the settlement, Elon Musk entered the stage and now we have all… this. But then came the news that last night several data-handling executives, no doubt important to walking the line with a watchful regulator, all reportedly left at once. Literally minutes after I wrote this paragraph, the company’s head of trust and safety, Yoel Roth, was reported to be leaving as well. NEW: A senior member of Twitter’s legal team just posted this message in Slack: “Everyone should know that our CISO, Chief Privacy Officer and Chief Compliance Officer ALL resigned last night. This news will be buried in the return-to-office drama. I believe that is intentional.” — Zoë Schiffer (@ZoeSchiffer) November 10, 2022 This would be troubling at any company, at any time, under any level of federal scrutiny. But for Twitter the departing chiefs might as well have hired a skywriter to spell out “INVESTIGATE ME” in huge letters above Twitter HQ. (Of course normally that might apply to any number of companies in downtown San Francisco, but right now there’s little question.) The many changes, new products and eliminations of various departments and processes (many of which had to do with privacy, fairness, data handling and other crucial topics) don’t mean Twitter is necessarily in violation of the consent decree. But with things going the way they are, it’s quite hard to imagine that it is in compliance now, or, if it is, that it will remain so for long. It’s important, though, to understand that the FTC isn’t like the FBI, kicking doors down and arranging evidence in damning dioramas. The FTC conducts its investigations privately and at great length — they can’t and don’t publicize the fact that they are looking into a company for some violation or another until there is a legally binding consequence like a signed consent decree, settlement, or a decision to go to trial via the Department of Justice.
Although many expected the FTC under the leadership of tech skeptic and very smart person Lina Khan to be more proactive, it is limited by law in what it can do. It’s actually a bit surprising that the agency got as spicy as it did in the full statement: “We are tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.” Though it stops short of saying “We are sharpening our knives,” this statement nevertheless is about as strong an implication as they can make that they will be giving Twitter a call soon. (A juicy tidbit uncovered by CNN’s Brian Fung, while enticing, could relate to ongoing discussions regarding the $150M settlement, so don’t get too excited.) If they decide to pursue an investigation, which would probably happen if there are any red flags at all, let alone this many, it will be done confidentially — but importantly, it is not secret. That means that although it is the FTC’s policy not to reveal or comment on an investigation, a company or person being investigated may do so at any time if they wish. So if the FTC makes a formal request for certain data from Twitter, or deposes its executives (present or former), they may decide to publicize that information. In fact Twitter did this in late 2020, long before the settlement with the FTC was finalized. After all, you don’t want your investors to be the last to hear about something like a $150M charge, even though in telling them you risk discovery by hawk-eyed journalists. So if the FTC investigates Twitter, it’s far more likely that we will hear about it from the company — in a filing with investors or, more likely, from its incautious and prolix CEO during one of his increasingly frequent emergency meetings.
The state of chaos at Twitter makes the commonplace observation that we don’t know what it will look like in six months

Twitter safety head suggests further ‘identity verification’ beyond paid verification may later be required • ZebethMedia

Twitter’s head of Safety and Integrity Yoel Roth admitted in a Twitter thread that the company may have to further invest in “identity verification” that goes beyond the paid verification system that will accompany its revamped Twitter Blue subscription. Under Elon Musk, Twitter has rushed to release a new version of its Twitter Blue subscription whose key selling point will be the ability to purchase a verification badge by paying $7.99 per month. This change is meant to make Twitter verification more accessible to users who previously couldn’t get verified under Twitter’s old system, which only doled out the coveted blue-and-white badge to public figures, celebs, politicians, journalists, and other high-profile individuals. Twitter’s prior system vetted who received the checkmark through an internal process that would confirm the person was who they said they were, so other users on Twitter could be assured of that public figure’s identity. Now, Twitter seems to realize that real identity verification — the kind that can’t be bought for $8, that is — actually has its advantages. But it’s unclear where Twitter would draw the line in terms of who would require their identities to be further verified or how that would be accomplished. In a thread where Roth attempted to explain Twitter’s differing policies around parody (which is permitted), and impersonation (which is not), he also detailed how the company would tackle a situation where a number of verified, blue-badged accounts engaged in impersonation. This led to him sharing his thoughts about identity verification on Twitter, as well. Verification! Impersonation! Twitter Blue! There’s a lot going on around identity on Twitter — let’s break down what our policies are, and some of the big questions we still need to answer… — Yoel Roth (@yoyoel) November 8, 2022 The thread came about because large-scale impersonation is something that recently happened to Elon Musk himself. 
This week, a number of verified celebrities appropriated Musk’s screen name and profile picture to troll him. Musk responded by announcing a ban on any accounts pretending to be someone else and even booted one of the impersonators — comedian Kathy Griffin — off of Twitter entirely. (She later returned to the platform by using her late mother’s Twitter account.) Roth said that going forward, Twitter will deal with impersonation conducted by verified users as it has in the past — it would suspend those accounts engaging in the practice. When the new Twitter Blue subscription launches publicly, however, enforcement against impersonation could become more difficult if there’s an increase in verified users for Twitter to keep its eye on. To address this, Roth said that Twitter will “ramp up proactive review of Blue Verified accounts that show signs of impersonating another user,” and then suspend them, if found. He also called for Twitter users to report accounts engaged in impersonation. Of course, Roth’s Trust & Safety team has seen layoffs following Musk’s Twitter takeover, potentially making such enforcement a challenge. While the exec claimed that his team only saw 15% cuts, compared with 50% cuts for Twitter overall, it’s clear that many teams that played vital roles around managing misinformation on the service were impacted – including those that dealt with election integrity and public policy. It’s not understood how well the newly under-staffed teams would be able to keep up if a large number of users decided to engage in impersonation after becoming verified. Because of the potential for abuse, Twitter decided to delay the rollout of the revamped Twitter Blue system until after the U.S. midterm elections on Tuesday, The New York Times reported this weekend and Roth has now confirmed.
What’s more, Roth seems to admit that simply asking users to pay for their blue badge isn’t a very robust form of identity verification and that Twitter may need to do more in this area in the future. (You know… like it used to, back when verification meant something more than “I have $8!”). Roth explained Twitter’s older system made verification both a signal of authenticity (you are who you say you are) and notability, meaning you’re important in some way. The exec said he supports getting rid of notability and instead focusing on “proof-of-humanness” — something that the $8 paid subscription fee could help with, as it could weed out spammers and bad actors who don’t want to pay or go through the fraud checks involved with in-app purchases on the major app stores. However, Roth hinted that paid verification alone cannot work to verify identities entirely, suggesting that Twitter will need to do more work on this front in the future. “Long-term, I think we need to invest more in identity verification as a complement to proof-of-humanness,” wrote Roth. “Paid Verification is a strong (not perfect) signal of humanness, which helps fight bots and spam. But that’s not the same thing as identity verification,” he said. Roth didn’t go into further detail about what Twitter may need to do differently beyond paid verification through Blue to accomplish identity verification. Long-term, I think we need to invest more in identity verification as a complement to proof-of-humanness. Paid Verification is a strong (not perfect) signal of humanness, which helps fight bots and spam. But that’s not the same thing as identity verification. — Yoel Roth (@yoyoel) November 8, 2022 His statement, however, raises questions about what Twitter could have in mind here. Today, a number of social networks have begun to embrace facial recognition and A.I. to verify their users, which has raised privacy concerns. Instagram, for example, uses A.I.
to scan “happy birthday” posts to see if a child may have lied about their age at sign-up. Yubo is asking all the users on its platform to verify their age with a facial scan. While those methods are focused on making sure minors haven’t lied about their ages on the platform, they could be put to use for other purposes. Video, in particular, comes in handy for identity verification — even Amazon was

Ireland-led GDPR probe of Yahoo’s cookie banners moves to draft decision review • ZebethMedia

A multi-year investigation into ZebethMedia’s parent entity Yahoo — looking at compliance with key transparency requirements of the European Union’s General Data Protection Regulation (GDPR), including in relation to cookie banners displayed on its media properties — has taken a step forward today after Ireland’s Data Protection Commission (DPC) announced that it has submitted a draft decision to other EU data protection agencies for review. In a statement on the development, deputy commissioner Graham Doyle said: “On October 27, 2022, the DPC submitted a draft decision in an inquiry into Yahoo! EMEA Limited to other Concerned Supervisory Authorities across the EU. The inquiry examined the company’s compliance with the requirements to provide transparent information to data subjects under the provisions of the GDPR. Under the Article 60 GDPR process, Concerned Supervisory Authorities have until 24 November, 2022 to send any ‘relevant and reasoned objections’ to the DPC’s draft decision.” Following its usual procedure, the DPC has not released any details on the substance of its draft decision. In any case, the outcome is not final until other interested DPAs have weighed in — so nothing has been concluded yet. The inquiry concerns Yahoo’s processing of European users’ data and is focused on its compliance with Articles 5(1)(a), 12, 13 and 14 of the GDPR — so the DPAs will be considering whether Yahoo’s business has been meeting GDPR requirements for personal data processing to be lawful, fair and transparent; and also whether it’s been properly communicating to users how their data is being processed. If other DPAs agree with Ireland’s draft a final decision could be issued fairly soon — maybe even in a couple of months. However if objections are raised the process may need to go through a dispute resolution mechanism in the GDPR — which could spin things out for many more months. 
(A draft decision on Instagram’s processing of kids’ data went to Article 60 in December 2021 but a final decision (and hefty fine in that case) took until September 2022 to land after other DPAs raised objections to Ireland’s draft, for example.) The DPC’s investigation into Yahoo kicked off in August, 2019, when the entity was known as Verizon Media (née Oath) and owned by US carrier Verizon. The latter went on to sell the division, in May 2021, to private equity giant Apollo Global Management — which plumped for a retro rebranding (to Yahoo). So it’s the PE giant that’s been left holding the regulatory exposure here. Speaking to the Irish Independent back in 2019, the DPC’s commissioner, Helen Dixon, said the investigation focused on transparency issues related to publications operated by the company and was opened in response to multiple complaints from individuals about Yahoo media sites — including over cookie banners she said sometimes “effectively” offer no choice to users — beyond an ‘option’ to click “okay”. Yahoo owns a string of Yahoo-branded media properties, including Yahoo News, Yahoo Finance, Yahoo Sports etc, tech media sites like Engadget (and this Internet website) — as well as, at the time the DPC opened its probe, the HuffPo and tumblr — which the company linked to its online advertising business via the use of tracking cookies dropped on visitors’ devices. Hence these cookie consent banners popping up with information about ad ‘partners’ and purposes for processing. Thing is, under the GDPR, in order for consent to be a valid legal basis to process people’s data it must be informed, specific and freely given — so a cookie banner that lacks an option for users to deny ad tracking is going to attract complaints that it is not offering the required free choice.
Verizon Media does appear to have made a notable change to the design of its cookie banner (circa spring 2021) — so subsequent to the DPC opening its investigation — which tweaked the implementation of the consent flow to include a reject button. A current version of a Yahoo cookie banner (shown below being displayed on a Yahoo website) can be seen including two ‘reject all’ options: Screengrab: Natasha Lomas/ZebethMedia On the less positive side, this cookie banner tries to claim a “legitimate interest” (i.e. non-consent based) ground for processing people’s data for ad targeting (and defaults those toggles to ‘on’) — but you can at least deny this by selecting “reject all” under the LI field. The current Yahoo cookie banner implementation — at least on the version we saw — also relegates the reject button to the second level of the menu — rather than displaying it at the top level, alongside the “accept all” option displayed there. This means users have to click through “manage settings” before they can even see a reject all option (while this second level menu is long and requires scrolling) — so the tweaked design may raise fresh objections from regulators since it does not offer an equally easy way to reject tracking as allow it. Still, it remains to be seen what the EU DPAs will decide on the Yahoo complaint as a whole. Since the complaint predates this implementation of the cookie banner the inquiry may not consider the current design as closely as looking at the old one which netted Yahoo all these complaints. (Although DPAs could also take it into consideration in any order to the company to amend the design of the banner in a final decision.) One thing is clear: Cookie consents for ad tracking are getting increasing attention from EU regulators. 
Early this year, France’s CNIL hit Google and Facebook with substantial fines related to dark patterns on cookie banners (under the ePrivacy Directive, which — unlike the GDPR — does not require cross-border complaints to be funnelled to a lead DPA, as has happened here with the Yahoo complaint). A few months later Google updated its cookie banner in Europe to include a top-level reject all button. Last year, the UK’s data protection watchdog also published an opinion urging the ad tracking industry to prepare

TikTok privacy update in Europe confirms China staff access to data as GDPR probe continues • ZebethMedia

An incoming privacy policy change announced by TikTok yesterday for users in Europe — which, for the first time, names China as one of several third countries where user data can be remotely accessed by “certain” company employees to perform what it claims are “important” functions — has landed months ahead of expected movement on a year+ long investigation into the platform’s data exports to China under the bloc’s General Data Protection Regulation (GDPR). The GDPR probe into the legality of the video sharing platform’s data transfers to China is being led by Ireland’s Data Protection Commission (DPC), TikTok’s lead privacy regulator in the region, which opened the inquiry just over a year ago. The DPC told ZebethMedia today that it expects its TikTok data transfers inquiry to progress to the next stage in the coming months — with a draft decision slated to be sent to other EU DPAs for review in the first quarter of next year. This ‘Article 60’ review process could lead to an affirming of Ireland’s draft decision — which would then, in relatively short order, allow for a final decision to be issued (potentially before the middle of next year, judging by past inquiry timelines). However, if other EU regulators raise objections to Ireland’s draft decision the inquiry would have to move to an ‘Article 65’ dispute resolution process — which could add many more months to the process before a final decision could be issued as the bloc’s regulators seek consensus. It’s not clear whether TikTok’s announcement of the privacy policy tweak relates to this overarching GDPR investigation. The incoming changes — which are due to apply from December 2 — do also include an update on how the platform collects users’ location information, so they are not wholly focused on data transfers.
But the disclosure of China staffers accessing European user data could also be a not-very-subtle attempt to pre-empt regulatory enforcement over its data transfers — and try to soften a future blow by being able to point to steps already taken to improve its transparency with European users. (Not that that is the only potential issue of regulatory concern vis-a-vis data exports, though.) A spokesman for TikTok declined to comment on whether its updated privacy policy is in any way linked to the GDPR inquiry — saying it could not do so as the inquiry remains ongoing. However, in a blog post announcing the update, the company claimed the changes “include greater transparency into how we share user information outside of Europe”. That’s notable because transparency is a key principle of the GDPR — while infringements of the transparency principle can lead to stiff penalties (such as the $267M fine for Meta-owned WhatsApp last year, after an Ireland-led inquiry found a string of transparency breaches). Claiming you’re being transparent and actually being transparent are not necessarily the same thing, of course. So it’s worth noting that TikTok’s updated privacy policy appears to atomize key bits of information — such as the full list of third countries where employees may remotely access European users’ data and for what specific reasons — across a number of collapsible menus and hyperlinks spread throughout the policy, thereby requiring a user to click around, follow multiple links and basically hunt for relevant intel amid a larger morass of data in order to piece together a comprehensive view of what’s happening with their data (rather than clearly articulating and collating everything into a single, easy to digest view…). So, if it’s transparency TikTok is really shooting for here it still looks like it has work to do.
Also still a work in progress for TikTok: A data localization project to store European users’ data in the region — which, earlier this year, it announced had been delayed again (until 2023). Thing is, if TikTok intends to continue to allow employees located in third countries with no EU adequacy agreement affirming they have essentially equivalent data protection standards as the bloc to have remote access to European users’ information, then questions over the legality of its international data transfers are likely to persist. As well as China, TikTok’s privacy policy names Brazil, Malaysia, Philippines, Singapore, and the US (which, at the moment, has only a preliminary agreement with the EU for a fresh data transfer agreement) as countries where employees have remote access to European user data without the cover of an adequacy agreement — saying it’s relying on standard contractual clauses (SCCs) for these transfers. But, as the EDPB guidance on data transfers points out, each transfer to a third country must be individually assessed and some may not be possible legally, even with supplementary measures applied. So every single one of these transfers will need to stand up to regulatory scrutiny. Given so many third country transfers, TikTok’s European data localization project can only — at least for now — be considered a PR exercise. And/or an attempt to curry favor with local regulators in the hopes they take a kinder view of ongoing data exports. Unless or until it ceases data exports to third countries and finds a way to fully firewall its parent entity in China from being able to access any European users’ data in the clear.
TikTok’s spokesman declined to comment on any future plans it may have to further adapt its data transfers in light of these challenges but he pointed back to its blog post — which describes its approach to data governance in Europe as being “centred on limiting the number of employees with access to European user data, minimising data flows outside of the region, and storing European user data locally”. TikTok’s wider problem is that it’s facing dialled up regulatory scrutiny across the Western world more generally as a result of security concerns attached to the Chinese state’s ability to gain access to data commercial platforms/services hold on their users — with national security laws in its home country overriding the usual standard contractual protections. Its platform
