Connect with us


UK watchdog would cease to enforce data protection law if Supreme Court sided with Google, its lawyer tells judges • The Register

Voice Of EU



A barrister for the Information Commissioner’s Office hinted the regulator would stop enforcing the law on data breaches if the Supreme Court sides with Google in a case about class-action lawsuits.

The startling threat was made on behalf of the ICO by barrister Gerry Facenna QC, who was intervening on the authority’s behalf in the Lloyd v Google data protection case.

“If a large number of data subjects have had their data lost, then they have per se suffered damage: harm of the type that I described, namely loss of control of their data,” Facenna told judges in the UK’s highest court. “That is the commissioner’s view of these provisions, that’s the basis on which she takes regulatory action at the moment. If the word ‘damage’ in this regime does not include mere loss of control, it would have to be taken into account in the exercise of those regulatory barriers.”

Facenna was speaking about the difference between a “loss of control” of data by a data controller and “damage” suffered by data subjects as a result of that loss. A loss of control (as alleged here, using personal data given for one purpose for something else altogether) is against the law.

Google previously argued in the case that in law there should be a difference between loss of control and damage, saying that even though it caused the loss of control of millions of Safari users’ data it shouldn’t be held liable because there is no coherent proof anyone suffered damage (in the legal sense) as a result.

Facenna’s written submissions to the Supreme Court about this made the ICO’s position plain, saying:

The barrister also insisted that the ICO was not siding with Richard Lloyd, whose Google You Owe Us campaign aims to extract up to £3bn from Google for its early-2010s Safari Workaround naughtiness, up to half of which will go to a venture capital fund backing the campaign.

You can’t consent to something that’s unlawful

Before Facenna’s arguments came Hugh Tomlinson QC, who was putting Lloyd’s case against Google to the Supreme Court’s judges. Tomlinson had argued the exact same thing as Facenna; drawing a legal distinction between loss of control and damage caused by a data breach would, he said, create a great big hole in data protection law for companies who set out to deliberately misuse it.

While accepting that British users of Apple’s Safari browser in the early 2010s were “very unlikely” to have “suffered material damage” from Google slurping their browser-generated information to beam targeted ads at them, Tomlinson added: “It’s obvious the members of the class have the same interest in the claim. Their interest is in establishing Google breached their data protection rights by operation of the Safari Workaround.”

Profiteering and vindication

Lord Burrows, one of the judges, pondered why “culpability for the breach is relevant” for a loss-of-control case. How could suing Google for loss of control be “effective” when the alleged naughtiness was “profiteering” by a business rather than an overtly criminal act?

“My lord,” answered Tomlinson, picking his words carefully, “we say, from the point of view of the claimants, that losing control of your data or private information where someone has given it away, is a different and more serious wrong than one where it has been done accidentally.”

Killer robot

Vivaldi update unleashes the ‘Cookie Crumbler’ to simply block any services asking for consent (sites may break)


Unsatisfied, Lord Burrows got to the heart of his question: “But it sounds to me – I’m putting it to you now, that what you’re focusing on is not loss of control, you’re focusing on the nature of the breach and that is what you’re seeking the award for. This isn’t compensation at all, that you are in effect asking about something like vindicatory damages.”

It was explained earlier that vindicatory damages wouldn’t be available for Lloyd’s claim against Google. Dropped in front of a treacherous hill, Tomlinson shifted down a gear, looking the least confident that he had at any point in this case since 2018.

“I am certainly, as your lordship knows for reasons which concern the constitution of a representative action – I cannot focus on the individual circumstances of the claimants because that would make it impossible to have a collective action. So I am focusing on the nature of the breach,” said the QC.

And we get back to the money

As for the funding of Lloyd’s case, Tomlinson was blunt: without Therium Capital Partners LLC backing it and paying Lloyd his £50,000 salary, suing Google “wouldn’t have been practical in this case.” He also revealed that Lloyd’s lawyers would be “seeking an order that [if it lost the main case] Google paid damages to the representative on behalf of the members of the class.”

This means Lloyd and his backers would have control of whatever compensation Google was ordered to pay out.

Lord Leggatt, another judge, asked about this. “Suppose damages are awarded on the basis the claimants are entitled to £500 or whatever it is. What is the legal basis for the first part of that sum to be paid out to the litigation funders without their consent? [The members of the class] never signed up to the litigation funding?”

“Because,” replied Tomlinson, “that is the cost of obtaining the damages. It’s the cost of getting in the fund.”

Lord Leggatt replied: “They didn’t choose that the funders should get the first 40 per cent or whatever it is.” Google has previously pointed out in court that Therium Litigation Funding IC is in fact entitled to 50 per cent of the winnings.

Tomlinson dismissed this by saying members of the representative class could take whatever pittance Lloyd offered them or go away and start their own lawsuit, saying: “Your lordship is right, of course, they didn’t authorise it but the position is, without the funders, there’d be no fund at all, and as I say [members of the class] have the option to come to court and say ‘we don’t want anything to do with this action.’ Or ‘we want to proceed on our own.’ Or ‘we’re not interested in it in any way.'”

Realising this approach would mean that damages awarded to millions of people would end up concentrated in the pockets of a tiny handful, Lord Leggatt persisted: “I’m not sure how you say damages awarded to them can be allocated without their permission to litigation funders… what’s the legal principle there, more precisely? Inherent jurisdiction, restitutionary principle? What is it?”

“Mr Lloyd is the trustee of the funds,” explained Tomlinson. “He would hold it on trust for a member of the class. The trustee is entitled to remuneration for getting in the trust’s property. It is on that analogy, we say, one of the costs of getting in the trust property is the cost of funding the litigation.”

The case has now concluded and judgment will be handed down in the not-so-near future. It will set a binding precedent on how class-action lawsuits go ahead in future, so the principles here will set the tone of mass data protection lawsuits for the 2020s.

Once the Supreme Court rules on the legal question being decided here (whether Lloyd should have been refused permission to serve his not-quite-a-class-action case on Google), a lower court will have a full hearing of the Data Protection Act rights and wrongs – and, in turn, that court’s future decision will probably end up being appealed every which way. The odds of any ordinary person receiving a payout from Google are remote in the meantime, but El Reg will be chronicling it all nonetheless. ®

Source link


Web ad firms scrape email addresses before you know it • The Register

Voice Of EU



Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers.

Some of these firms are said to have also inadvertently grabbed passwords from these forms.

In a research paper scheduled to appear at the Usenix ’22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius, (Radboud University) describe how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco.

The boffins created their own software to measure email and password data gathering from web forms – structured web input boxes through which site visitors can enter data and submit it to a local or remote application.

Providing information through a web form by pressing the submit button generally indicates the user has consented to provide that information for a specific purpose. But web pages, because they run JavaScript code, can be programmed to respond to events prior to a user pressing a form’s submit button.

And many companies involved in data gathering and advertising appear to believe that they’re entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed.

“Our analyses show that users’ email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl,” the researchers state in their paper, noting that the addresses may be unencoded, encoded, compressed, or hashed depending on the vendor involved.

Most of the email addresses grabbed were sent to known tracking domains, though the boffins say they identified 41 tracking domains that are not found on any of the popular blocklists.

“Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts,” the researchers say.

Replay scripts are designed to record keystrokes, mouse movements, scrolling behavior, other forms of interaction, and webpage contents in order to send that data to marketing firms for analysis. In an adversarial context, they’d be called keyloggers or malware; but in the context of advertising, somehow it’s just session-replay scripts.

Gunes Acar, one of the report co-authors, was also the co-author of a similar research project in 2017 that looked at data gathering by session-replay companies Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam.

Evidently, not much has changed since then, except perhaps that email addresses have become more desirable as unique identifiers now that privacy-oriented browsers like Brave, Firefox, and Safari are taking more steps to block cookies and tracking scripts.

Email addresses, the researchers observe, represent a cookie replacement because they’re unique, persistent, and can be used to track people across applications, platforms, and even offline interactions that may be tied to an email address like loyalty card transactions.

The website categories with the most leaking forms include: Fashion/Beauty (11.1 per cent, EU; 19 per cent US); Online Shopping (9.4 per cent EU; 15.1 per cent US); and General News (6.6 per cent EU; 10.2 per cent US).

Websites categorized as Pornography had the best privacy when it comes to surreptitious form data harvesting.

“A somehow surprising result was the following: despite filling email fields on hundreds of websites categorized as Pornography, we have not a single email leak,” the researchers say, noting that previous studies of adult-oriented websites have relatively fewer third-party trackers than similarly popular general interest websites.

Those pesky regulations

The report authors say that EU websites practicing email exfiltration may be in violation of at least three GDPR requirements: transparency, purpose limitation, and prior consent. Firms found to be violating these rules can be fined up to $20m euros or 4 per cent of annual revenue, per Article 83(5).

The US doesn’t have a federal data privacy law, though it’s conceivable one of the handful of US states with applicable privacy rules could take action against pre-submission form harvesting. But given the toothlessness of US privacy regulation over the past decade, don’t expect much.

The authors say they attempted to contact 58 first-parties and 28 third-parties with GDPR requests. They report receiving 30 responses from the first-parties, which varied from surprise and remediation to justifications of one sort or another.

“ (via Walt Disney’s DPO), (Atlassian),, and were among the websites that said they had not been aware of the email collection prior to form submission on their websites and removed the behavior,” the report says.

Marriott, meanwhile, said the information collected by digital analytics firm Glassbox helps with customer care, technical support, and fraud prevention.

Third-parties Taboola, Zoominfo, and ActiveProspect defended their data collection practices.

Facebook, aka Meta, is among the third-parties involved in this. The researchers say that email addresses or their hashes were spotted being sent to from 21 different websites in the EU.

“On 17 of these, Facebook Pixel’s Automatic Advanced Matching feature was responsible for sending the SHA-256 of the email address in a SubscribedButtonClick event, despite not clicking any submit button,” the report says.

Advanced Matching – called out recently for harvesting student loan data – is designed to collect hashed customer data, such as email addresses, phone numbers, and names from checkout, sign-in, and registration forms. The researchers speculate that on these sites, Facebook’s script treats clicks on non-submit buttons as a click event for the submit button.

Facebook did not respond to a request for comment.

The report concludes that browser vendors, regulators, and privacy tool makers need to deal with this issue because it isn’t going away. “Based on our findings, users should assume that the personal information they enter into web forms may be collected by trackers – even if the form is never submitted,” the report concludes. ®

Source link

Continue Reading


VC funding in Ireland rose in Q1, but not for deals under €10m

Voice Of EU



A William Fry-commissioned report has found that funding deals under €10m have taken a big hit in the first three months of 2022.

Venture capital funding into Irish tech businesses was up by more than 50pc in the first quarter of this year, but there’s an unfortunate and potentially troubling caveat to that.

The Irish Venture Capital Association (IVCA) has published today (15 May) its latest report on VC funding into tech start-ups and SMEs in Ireland, which found that the investments increased by 52pc to €379.7m in the first three months of 2022, compared to the same period last year.

Future Human

But the report, commissioned by Dublin law firm William Fry, also found that VC funding in deals valued less than €10m have taken a hit.

IVCA chair Nicola McClafferty said that the headline figure of a funding boost conceals a “potentially worrying fall” of 30 to 50pc across all categories of deals under €10m – including seed funding.

“All the growth came from eight deals worth over €10m each, including three over €30m. While the momentum carried over from last year has continued for more established companies raising large rounds, some of that impetus seems to have stalled for earlier stage companies.”

Even the total number of deals overall fell by almost a third to 50 from 74 in the same period last year.

McClafferty said that this could be related to international trends affecting the business world right now, such as Russia’s invasion of Ukraine.

“While challenging market conditions may continue, we also know that many great companies are started and built in times of downturn, so we await with interest the data in the coming quarters,” she added.

Deals in the €5m to €10m range fell in value by more than half, while those in the €1m to €5m range also halved from €70.3m last year to €34.5m in Q1 2022. The value of deals below €1m dropped by 31pc to €8.9m.

Seed funding also took a hit, falling by nearly 40pc to €22.3m from €36.5m last year.

Nearly four-fifths of all funding came from overseas sources, according to IVCA director-general Sarah-Jane Larkin.

“While this is to be welcomed and emphasises the quality of Irish tech firms and their appeal to international investors, we have expressed concern before about where any shortfall would be made up if the global economy contracts,” she said.

Wayflyer, Ireland’s latest tech unicorn, led the way in terms of total value of funding received with a $150m in Series B funding valuing the start-up at $1.6bn. Flipdish, another Irish tech start-up that became a unicorn this year, raised $100m reaching a $1.25bn valuation.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Source link

Continue Reading


Taking his advice was like ‘chewing broken glass’: the short life of dating guru Kevin Samuels | Relationships

Voice Of EU



As a source of dating advice, Kevin Samuels would seem a last resort for America’s Black women. On his YouTube show and podcasts, Samuels criticized Black women for being old and out of shape, and for having children out of wedlock. He sneered at “modern women” who flaunted their multiple college degrees and boasted of their independence. He dropped these bombs in the softest voice, in a tailored suit, and bathed in mood lighting with a funky kinetic energy sculpture on his desk.

Yet many women not only tuned in to Samuels in droves, they cued up to Zoom into his show – some in hopes of putting the self-made image consultant turned relationship expert in his place. When Samuels suddenly died last Thursday in Atlanta at 57, as his star was still rising (the Fulton county medical examiners office has not yet revealed a cause of death), his many detractors reacted like Munchkins at the feet of the Wicked Witch of the East. The overwhelming lack of sympathy for Samuels – whose mother reportedly found out about his death as speculation raged online – comes down to his profiting from dismissing single Black women over 35 as “leftovers” whose unrealistic desire for “high-value men” would doom them to a lonely death.

On a recent episode of the Fox Soul streaming show Cocktails with Queens, the actor Vivica A Fox called Samuels’ death karma payback. “This man was a hypocrite, in my honest opinion,” she said. “He insulted African American women on a consistent basis.” In a Mother’s Day sermon, the preacher-influencer Jamal Bryant indirectly singled out this “high-powered man” for allegedly needing “a GoFundMe for his funeral”. The many women in Bryant’s congregation ate this up.

Still, just as many Black celebrities have rushed to defend Samuels. “Love him or hate him,” said the actor Marlon Wayans, “he spoke his truth. If you hated [him] why tune in?” The rapper turned comedian TI scorned the gleeful reactions to his death as a “fucking travesty” while branding Samuels’ haters as “despicable” and “bullies”. “Whatever he did, he did it, and [he’s] gone,” said the Why You Wanna emcee. “He got away with it.”

Besides his mother and daughter, Samuels is survived by his legion followers in the online community known as the “manosphere”, a sort of digital bathhouse for naked pushback against feminist ideology and the reprisal of traditional gender norms.

Casually drawing on relationship and income statistics, Samuels delighted in playing the role of market adjuster and scolding “average” Black women for pursuing Black men in the Talented Tenth – good-looking men with minimum six-figure incomes, no kids, no priors, and no hangups in bed. According to Samuels, guys mainly wanted women who were “fit, feminine, friendly, cooperative and submissive”. He barely had patience for callers who defied that description, and regularly played those clashes with them for laughs. And this was against the backdrop of Black women having a tough enough time being taken seriously online, let alone settling down.

More than 30,000 people signed an online petition calling on YouTube and Instagram to de-platform Samuels, believing he had “galvanised a community of men of all races and nationalities in the outspoken hatred of women”. To many, Samuel’s polished and bespectacled presentation was little more than a pseudo-intellectual cover for misogynoir. “I think he has had an outsized impact on poisoning the social discourse between Black men and Black women around matters of love, dating and intimacy,” the Rutgers women’s studies professor Brittney Cooper wrote in a recent Facebook post, after Samuels used a clip of her talking about racism and fatphobia as an example of a low-value woman. “I hope that the Black women who liked Kevin’s work stop letting the latest brother with relationship advice exploit your pain.”

Samuels’ public persona wasn’t always such a troll. A chemical engineering major who segued into a career in marketing, Samuels established himself on social media as a self-improvement coach and tastemaker (“the godfather of style”, he called himself), hipping men to the coolest clothes, watches and fragrances.

But Samuels eventually saw the bigger audience for relationship content, and quickly distinguished himself by doubling down on the “negging” techniques that undergirded the pickup artist craze of the early aughts. It’s a blueprint that launched the mainstream success of Steve Harvey. Before he was widely known as the avuncular host of Family Feud and the Miss Universe pageant, Harvey was writing plainspoken relationship manuals for Black women and spinning them into the box-office topping Think Like a Man franchise.

After one video sizing up a woman as “average at best” drew millions of views, Samuels was essentially rebooted as a relationship expert. In another oft-shared video he writes off a proudly curvy Black female caller as “running back-sized.” Before his death, Samuels had amassed more than 1.4 million YouTube subscribers and more than 1.2 million Instagram followers. Mainstream renown wasn’t much farther off.

Already, Samuels was a fixture of the Black gossip blogs for his viral put-downs and for his interviews with Nicki Minaj, Future, and the social media influencer Brittany Renner. Those same blogs were quick to hypothesise about the chaotic circumstances of Samuels’ death and echo reports that the ultimate high-value man died broke.

But his village of YouTube peers have rallied to debunk those rumours and rebuff what they characterise as efforts to defame Samuels in death. Mostly, they claim he was a tireless worker and shrewd businessman who could be harsh, but all in the interest of uplifting the community overall. In a YouTube eulogy, Melanie King, a Samuels protege who credits him for helping her rebuild from an agonising divorce, likened taking advice from him to “chewing broken glass”.

“We needed that shock,” said King, who thought of Samuels more like a tough dad. “Because, let’s be honest, if he had not been so shocking to so many people, would you even know about him?”

Source link

Continue Reading


Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates 
directly on your inbox.

You have Successfully Subscribed!