Here is an update on the Facebook app investigation and audit that Mark Zuckerberg promised on March 21.
As Mark explained, Facebook will investigate all the apps that had access to large amounts of information before we changed our platform policies in 2014 -- significantly reducing the data apps could access. He also made clear that where we had
concerns about individual apps we would audit them -- and any app that either refused or failed an audit would be banned from Facebook.
The investigation process is in full swing, and it has two phases. First, a comprehensive review to identify every app that had access to this amount of Facebook data. And second, where we have concerns, we will conduct interviews, make requests
for information (RFI) -- which ask a series of detailed questions about the app and the data it has access to -- and perform audits that may include on-site inspections.
We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended -- pending a thorough investigation into
whether they did in fact misuse any data. Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before
2015 -- just as we did for Cambridge Analytica.
There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time. We are investing heavily to make sure this investigation is as thorough and timely as possible. We will keep you
updated on our progress.
Popular messaging service WhatsApp is introducing a minimum age restriction of 16yo, at least in Europe.
The Facebook owned service is changing the rules ahead of the introduction of new EU data privacy regulations in May.
The app,will ask users to confirm their age when prompted to agree new terms of service in the next few weeks. It has not said if the age limit will be enforced.
At present, WhatsApp does not ask users their age when they join, nor does it cross-reference their Facebook or Instagram accounts to find out. About a third of all UK-based 12- to 15-year-olds active on social media use WhatsApp, according to a
2017 report by the media regulator Ofcom. That made it the fifth most popular social network with the age group after Facebook, Snapchat, Instagram and YouTube.
The EU's General Data Protection Regulation (GDPR) includes specific rules to protect youngsters whose personal data is processed in order to provide them with online services. Such websites and apps are obliged to make reasonable efforts to
verify that a parent or guardian has given consent for their child's data to be handled. The law says this obligation applies to under-16s, although some countries - including the UK - have been allowed to set the cut-off limit lower, at 13.
Facebook, which has also been criticised for its handling of personal data, is taking a different approach to younger users on its main service. To comply with GDPR , the social network is asking those aged 13 to 15 to nominate a parent or
guardian to give permission for them to share information on the platform. If they do not, they will not see a fully personalised version of the platform.
The policy changes implemented in response to GDPR will surely have profound impact on the take up of social media services. Age restrictions (or the ability to ignore age restrictions) are incredibly important. For some apps, the dominant
services are those that connect the most people, (whilst others become dominant because the effectively exclude parents). A messaging app will be diminished for many if the kids are banned from it. And as you start chipping away at the reach of
the network so it would be less attractive to others on the network. Users could soon rift away to less restrictive alternatives.
This is so wrong on so many levels. Britain would undergo a mass tantrum.
How are parents supposed to entertain their kids if they can't spend all day on YouTube?
And what about all the privacy implications of letting social media companies have complete identity details of their users. It will be like Cambridge Analytica on speed.
Jeremy Hunt wrote to the social media companies:
Thank you for participating in the working group on children and young people's mental health and social media with officials from my
Department and DCMS. We appreciate your time and engagement, and your willingness to continue discussions and potentially support a communications campaign in this area, but I am disappointed by the lack of voluntary progress in those discussions.
We set three very clear challenges relating to protecting children and young people's mental health: age verification, screen time limits and cyber-bullying. As I understand it, participants have focused more on promoting work already underway and
explaining the challenges with taking further action, rather than offering innovative solutions or tangible progress.
In particular, progress on age verification is not good enough. I am concerned that your companies seem content with a situation where thousands of users breach your own terms and conditions on the minimum user age. I fear that you are
collectively turning a blind eye to a whole generation of children being exposed to the harmful emotional side effects of social media prematurely; this is both morally wrong and deeply unfair on parents, who are faced with the invidious choice of
allowing children to use platforms they are too young to access, or excluding them from social interaction that often the majority of their peers are engaging in. It is unacceptable and irresponsible for you to put parents in this position.
This is not a blanket criticism and I am aware that these aren't easy issues to solve. I am encouraged that a number of you have developed products to help parents control what their children an access online in response to Government's concerns
about child online protection, including Google's Family Link. And I recognise that your products and services are aimed at different audiences, so different solutions will be required. This is clear from the submissions you've sent to my
officials about the work you are delivering to address some of these challenges.
However, it is clear to me that the voluntary joint approach has not delivered the safeguards we need to protect our children's mental health. In May, the Department
for Digital, Culture, Media and Sport will publish the Government response to the Internet Safety Strategy consultation, and I will be working with the Secretary of State to explore what other avenues are open to us to pursue the reforms we need.
We will not rule out legislation where it is needed.
In terms of immediate next steps, I appreciate the information that you provided our officials with last month but would be grateful if you would set out in writing your companies' formal responses, on the three challenges we posed in November. In
particular, I would like to know what additional new steps you have taken to protect children and young people since November in each of the specific categories we raised: age verification, screen time limits and cyber-bullying. I invite you to
respond by the end of this month, in order to inform the Internet Safety Strategy response. It would also be helpful if you can set out any ideas or further plans you have to make progress in these areas.
During the working group meetings I understand you have pointed to the lack of conclusive evidence in this area — a concern which I also share. In order to address this, I have asked the Chief Medical Officer to undertake an evidence review on the
impact of technology on children and young people's mental health, including on healthy screen time. 1 will also be working closely with DCMS and UKRI to commission research into all these questions, to ensure we have the best possible empirical
basis on which to make policy. This will inform the Government's approach as we move forwards.
Your industry boasts some of the brightest minds and biggest budgets globally. While these issues may be difficult, I do not believe that solutions on these issues are outside your reach; I do question whether there is sufficient will to reach
I am keen to work with you to make technology a force for good in protecting the next generation. However, if you prove unwilling to do so, we will not be deterred from making progress.
UK domain registrar Nominet explains that it will remove any personal details ffrom public whois service but will hand them over to anybody who has a 'legitimate interest', you know like copyright trolls
Grovelling to the Senate Judiciary and Commerce Committees, Mark Zuckerberg apologised that Facebook had not taken a broad enough view
of its responsibility for people's public information. He ssaid:
It was my mistake, and I'm sorry. I started Facebook, I run it, and I'm responsible for what happens here.
Zuckerberg said its audit of third-party apps would highlight any misuse of personal information, and said the company would alert users instantly if it found anything suspicious.
When asked why the company did not immediately alert the 87 million users whose data may have been accessed by Cambridge Analytica (CA) when first told about the improper usage in 2015, Zuckerberg said Facebook considered it a closed case after CA
said it had deleted it. He apologised:
In retrospect it was clearly a mistake to believe them.
Zuckerberg's profuse apologies seem to have been a hit at the stock exchange but techies weren't impressed when he clammed up when asked for details on how Facebook snoops on users (and non-users).
UK Censorship Culture Secretary Matt Hancock met Facebook executives to warn them the social network is not above law.
Hancock told US-based Vice President of Global Policy Management Monika Bickert, and Global Deputy Chief Privacy Officer Stephen Deadman he would hold their feet to the fire over the privacy of British users.
Hancock pressed Facebook on accountability, transparency, micro-targeting and data protection. He also sought assurances that UK citizens data was no longer at risk and that Facebook would be giving citizens more control over their data going
Following the talks, Hancock said:
Social media companies are not above the law and will not be allowed to shirk their responsibilities to our citizens. We will do what is needed to ensure that people's data is protected and don't rule anything out - that includes further
regulation in the future.
One of the more understated but intriguing statements in Zuckerberg's Vox interview this past Monday was his public
acknowledgement at long last that the company uses computer algorithms to scan all of our private communications on its platform, including Facebook Messenger. While users could always manually report threatening or illegal behavior and
communications for human review, Zuckerberg acknowledged for the first time that even in private chat sessions, Facebook is not actually a neutral communications platform like the phone company that just provides you a connection and goes away --
Facebook's algorithms are there constantly monitoring your most private intimate conversations in an Orwellian telescreen that never turns off.
The company emphasized in an interview last year that it does not use mine private conversations for advertising, but left open the possibility that they might scan them for other purposes.
In his interview this week, Zuckerberg offered that in cases where people are sending harmful and threatening private messages our systems detect that that's going on. We stop those messages from going through. His reference to our systems detect
suggested this was more than just humans manually flagging threatening content. A spokesperson confirmed that in this case the first human recipients of the messages had manually flagged them as violations and as large number of users began
flagging the same set of messages, Facebook's systems deleted future transmission of them. The company had previously noted that it uses similarity detection for its fake news and other filters, both matching exact duplicates and highly similar
content. The company confirmed that its fingerprinting algorithms (which the company has previously noted include revenge porn, material from the shared terrorism database and PhotoDNA) are applied to private messages as well.
For years, privacy advocates have been shouting about Facebook, and for years the population as a whole didn't care. Whatever the reason, the
ongoing Cambridge Analytica saga seems to have temporarily burst this sense of complacency, and people are suddenly giving the company a lot more scrutiny.
When you delete Facebook, the company provides you with a compressed file with everything it has on you. As well as every photo you've ever uploaded and details of any advert you've ever interacted with, some users are panicking that Facebook
seems to have been tracking all of their calls and texts. Details of who you've called, when and for how long appear in an easily accessible list -- even if you don't use Facebook-owned WhatsApp or Messenger for texts or calls.
Although it has been put around that Facebook have been logging calls without your permission, but this is not quite the case. In fact Facebook do actually follow Facebook settings and permissions, and do not track your calls if you don't give
permission. So the issue is people not realising quite how wide permissions are granted when you have ticked permission boxes.
Facebook seemed to confirm this in a statement in response:
You may have seen some recent reports that Facebook has been logging people's call and SMS (text) history without their permission. This is not the case. Call and text history logging is part of an opt-in feature for people using Messenger or
Facebook Lite on Android. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off.
So there you have it, if you use Messenger of Facebook Lite on Android you have indeed given the company permission to snoop on ALL your calls, not just those made through Facebook apps,
The convenience store 7-Eleven is rolling out artificial intelligence at its 11,000 stores across Thailand.
7-Eleven will use facial-recognition and behavior-analysis technologies for multiple purposes. The ones it has decided to reveal to the public are to identify loyalty members, analyze in-store traffic, monitor product levels, suggest products to
customers, and even measure the emotions of customers as they walk around.
The company announced it will be using technology developed by US-based Remark Holdings, which says its facial-recognition technology has an accuracy rate of more than 96%. Remark, which has data partnerships with Alibaba, Tencent, and Baidu, has
a significant presence in China.
The rollout at Thailand's 7-Eleven stores remains unique in scope. It could potentially be the largest number of facial-recognition cameras to be adopted by one company. No corporate entity is so entrenched in Thai lives, according to a report
from Public Radio International. And that may be crucial not only to the success of facial recognition in 7-Eleven stores in Thailand, but across the region.
Today, most web browsers have private-browsing modes, in which they temporarily desist from recording the user's browsing history.
But data accessed during private browsing sessions can still end up tucked away in a computer's memory, where a sufficiently motivated attacker could retrieve it.
This week, at the Network and Distributed Systems Security Symposium, researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) and Harvard University presented a paper describing a new system, dubbed Veil, that makes
private browsing more private.
Veil would provide added protections to people using shared computers in offices, hotel business centers, or university computing centers, and it can be used in conjunction with existing private-browsing systems and with anonymity networks such as
Tor, which was designed to protect the identity of web users living under repressive regimes.
"Veil was motivated by all this research that was done previously in the security community that said, 'Private-browsing modes are leaky -- Here are 10 different ways that they leak,'" says Frank Wang, an MIT graduate student in
electrical engineering and computer science and first author on the paper. "We asked, 'What is the fundamental problem?' And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to
fix it. But at the end of the day, no matter what the browser's best effort is, it still collects it. We might as well not collect that information in the first place."
Wang is joined on the paper by his two thesis advisors: Nickolai Zeldovich, an associate professor of electrical engineering and computer science at MIT, and James Mickens , an associate professor of computer science at Harvard.
With existing private-browsing sessions, Wang explains, a browser will retrieve data much as it always does and load it into memory. When the session is over, it attempts to erase whatever it retrieved.
But in today's computers, memory management is a complex process, with data continuously moving around between different cores (processing units) and caches (local, high-speed memory banks). When memory banks fill up, the operating system might
transfer data to the computer's hard drive, where it could remain for days, even after it's no longer being used.
Generally, a browser won't know where the data it downloaded has ended up. Even if it did, it wouldn't necessarily have authorization from the operating system to delete it.
Veil gets around this problem by ensuring that any data the browser loads into memory remains encrypted until it's actually displayed on-screen. Rather than typing a URL into the browser's address bar, the Veil user goes to the Veil website and
enters the URL there. A special server -- which the researchers call a blinding server -- transmits a version of the requested page that's been translated into the Veil format.
The Veil page looks like an ordinary webpage: Any browser can load it. But embedded in the page is a bit of code -- much like the embedded code that would, say, run a video or display a list of recent headlines in an ordinary page -- that executes
a decryption algorithm. The data associated with the page is unintelligible until it passes through that algorithm.
Once the data is decrypted, it will need to be loaded in memory for as long as it's displayed on-screen. That type of temporarily stored data is less likely to be traceable after the browser session is over. But to further confound would-be
attackers, Veil includes a few other security features.
One is that the blinding servers randomly add a bunch of meaningless code to every page they serve. That code doesn't affect the way a page looks to the user, but it drastically changes the appearance of the underlying source file. No two
transmissions of a page served by a blinding sever look alike, and an adversary who managed to recover a few stray snippets of decrypted code after a Veil session probably wouldn't be able to determine what page the user had visited.
If the combination of run-time decryption and code obfuscation doesn't give the user an adequate sense of security, Veil offers an even harder-to-hack option. With this option, the blinding server opens the requested page itself and takes a
picture of it. Only the picture is sent to the Veil user, so no executable code ever ends up in the user's computer. If the user clicks on some part of the image, the browser records the location of the click and sends it to the blinding server,
which processes it and returns an image of the updated page.
The back end
Veil does, of course, require web developers to create Veil versions of their sites. But Wang and his colleagues have designed a compiler that performs this conversion automatically. The prototype of the compiler even uploads the converted site to
a blinding server. The developer simply feeds the existing content for his or her site to the compiler.
A slightly more demanding requirement is the maintenance of the blinding servers. These could be hosted by either a network of private volunteers or a for-profit company. But site managers may wish to host Veil-enabled versions of their sites
themselves. For web services that already emphasize the privacy protections they afford their customers, the added protections provided by Veil could offer a competitive advantage.
"Veil attempts to provide a private browsing mode without relying on browsers," says Taesoo Kim, an assistant professor of computer science at Georgia Tech, who was not involved in the research. "Even if end users didn't explicitly
enable the private browsing mode, they still can get benefits from Veil-enabled websites. Veil aims to be practical -- it doesn't require any modification on the browser side -- and to be stronger -- taking care of other corner cases that browsers
do not have full control of."
A Californian law that prevented the Internet Movie Database (IMDb) from publishing the age of movie stars has been declared
unconstitutional, and so the law is struck down on First Amendment grounds. A federal judge declared it not only to be unconstitutional, but also a bad solution to the wrong problem.
The law went into effect in 2017 after being signed by California Gov. Jerry Brown. The goal was to mitigate age discrimination in a youth-obsessed Hollywood by requiring IMDb to remove age-related information upon the request of a subscriber.
The judge explained:
Even if California had shown that the law was passed after targeted efforts to eliminate discrimination in the entertainment industry had failed, the law is not narrowly tailored. For one, the law is underinclusive, in that it bans only one kind
of speaker from disseminating age-related information, leaving all other sources of that information untouched. Even looking just at IMDb.com, the law requires IMDb to take down some age-related information -- that of the members of its
subscription service who request its removal -- but not the age-related information of those who don't subscribe to IMDbPro, or who don't ask IMDb.com to take their information down.
The judge adds that the law is also overinclusive:
For instance, it requires IMDb not to publish the age-related information of all those who request that their information not be published, not just of those protected by existing age discrimination laws, states the opinion (read below). If the
state is concerned about discriminatory conduct affecting those not covered by current laws, namely those under 40, it certainly has a more direct means of addressing those concerns than imposing restrictions on IMDb's speech.
Californian officials said the state will be appealing this ruling to the Ninth Circuit Court of Appeals.
In a ruling of particular interest to those working in the adult entertainment biz, a German court has ruled that Facebook's real name policy is illegal and that users must be allowed to sign up for the service under pseudonyms.
The opinion comes from the Berlin Regional Court and disseminated by the Federation of German Consumer Organizations, which filed the suit against Facebook. The Berlin court found that Facebook's real name policy was a covert way of obtaining
users' consent to share their names, which are one of many pieces of information the court said Facebook did not properly obtain users' permission for.
The court also said that Facebook didn't provide a clear-cut choice to users for other default settings, such as to share their location in chats. It also ruled against clauses that allowed the social media giant to use information such as profile
pictures for commercial, sponsored or related content.
Facebook told Reuters it will appeal the ruling, but also that it will make changes to comply with European Union privacy laws coming into effect in June.
Facebook has been ordered to stop tracking people without consent, by a court in Belgium. The company has been told to delete all the data it had gathered on people who did not use Facebook. The court ruled the data was gathered illegally.
Belgium's privacy watchdog said the website had broken privacy laws by placing tracking code on third-party websites.
Facebook said it would appeal against the ruling.
The social network faces fines of 250,000 euros a day if it does not comply.
The ruling is the latest in a long-running dispute between the social network and the Belgian commission for the protection of privacy (CPP). In 2015, the CPP complained that Facebook tracked people when they visited pages on the site or clicked
like or share, even if they were not members.
Some users have reported seeing pop ups in Instagram (IG) informing them that, from now on, Instagram will be flagging when you
record or take a screenshot of other people's IG stories and informing the originator that you have rsnapped or ecorded the post.
According to a report by Tech Crunch , those who have been selected to participate in the IG trial can see exactly who has been creeping and snapping their stories. Those who have screenshotted an image or recorded a video will have a little
camera shutter logo next to their usernames, much like Snapchat.
Of course, users have already found a nifty workaround to avoid social media stalking exposure. So here's the deal: turning your phone on airplane mode after you've loaded the story and then taking your screenshot means that users won't be
notified of any impropriety (sounds easy for Instagram to fix this by saving the keypress until the next time it communicates with the Instagram server). You could also download the stories from Instagram's website or use an app like Story
Reposter. Maybe PC users just need another small window on the desktop, then move the mouse pointer to the small window before snapping the display.
Clearly, there's concerns on Instagram's part about users' content being shared without their permission, but if the post is shared with someone for viewing, it is pretty tough to stop then from grabbing a copy for themselves as they view it.
Smartphones rule our lives. Having information at our fingertips is the height of convenience. They tell us all
sorts of things, but the information we see and receive on our smartphones is just a fraction of the data they generate. By tracking and monitoring our behaviour and activities, smartphones build a digital profile of shockingly intimate
information about our personal lives.
These records aren’t just a log of our activities. The digital profiles they create are
traded between companies
and used to make inferences and decisions that affect the opportunities open to us and our lives. What’s more, this typically happens without our knowledge, consent or control.
New and sophisticated methods built into smartphones make it easy to track and monitor our behaviour. A vast amount of information can be collected from our smartphones, both when being actively used and while running in the background. This
information can include our location, internet search history, communications, social media activity, finances and biometric data such as fingerprints or facial features. It can also include metadata – information about the data – such as the time
and recipient of a text message.
Each type of data can reveal something about our interests and preferences, views, hobbies and social interactions. For example, a study conducted by MIT demonstrated how
email metadata can be used to map our lives
, showing the changing dynamics of our professional and personal networks. This data can be used to infer personal information including a person’s background, religion or beliefs, political views, sexual orientation and gender identity, social
connections, or health. For example, it is possible to deduce our specific health conditions
simply by connecting the dots between a series of phone calls.
Different types of data can be consolidated and linked to build a comprehensive profile of us. Companies that buy and sell data –
– already do this. They collect and combine billions of data elements about people to make inferences about them. These inferences may seem innocuous but can
reveal sensitive information
such as ethnicity, income levels, educational attainment, marital status, and family composition.
A recent study found that seven in ten smartphone apps share data
with third-party tracking companies like Google Analytics. Data from numerous apps can be linked within a smartphone to build this more detailed picture of us, even if permissions for individual apps are granted separately. Effectively,
smartphones can be converted into surveillance devices.
The result is the creation and amalgamation of digital footprints that provide in-depth knowledge about your life. The most obvious reason for companies collecting information about individuals is for profit, to deliver targeted advertising and
personalised services. Some targeted ads, while perhaps creepy, aren’t necessarily a problem, such as an ad for the new trainers you have been eyeing up.
But targeted advertising based on our smartphone data can have real impacts on livelihoods and well-being, beyond influencing purchasing habits. For example, people in financial difficulty might be
targeted for ads for payday loans
. They might use these loans to pay for unexpected expenses
, such as medical bills, car maintenance or court fees, but could also rely on them for
recurring living costs
such as rent and utility bills. People in financially vulnerable situations can then become trapped in
as they struggle to repay loans due to the high cost of credit.
Targeted advertising can also enable companies to discriminate against people and deny them an equal chance of accessing basic human rights, such as housing and employment. Race is not explicitly included in Facebook’s basic profile information,
but a user’s “ethnic affinity” can be worked out based on pages they have liked or engaged with. Investigative journalists from ProPublica found that it is possible to exclude those who match certain ethnic affinities
from housing ads
, and certain age groups from job ads
This is different to traditional advertising in print and broadcast media, which although targeted is not exclusive. Anyone can still buy a copy of a newspaper, even if they are not the typical reader. Targeted online advertising can completely
exclude some people from information without them ever knowing. This is a particular problem because the internet, and social media especially, is now such a common source of information.
Social media data can also be used to calculate creditworthiness
, despite its dubious relevance. Indicators such as the level of sophistication in a user’s language on social media, and their friends’ loan repayment histories can now be used for credit checks. This can have a direct impact on the fees and
interest rates charged on loans, the ability to buy a house, and even employment prospects
There’s a similar risk with payment and shopping apps. In China, the government has announced plans
to combine data about personal expenditure with official records, such as tax returns and driving offences. This initiative, which is being led by both the government and companies, is
currently in the pilot stage
. When fully operational, it will produce a social credit score
that rates an individual citizen’s trustworthiness. These ratings can then be used to issue rewards or penalties, such as privileges in loan applications or limits on career progression.
These possibilities are not distant or hypothetical – they exist now. Smartphones are
effectively surveillance devices
, and everyone who uses them is exposed to these risks. What’s more, it is impossible to anticipate and detect the full range of ways smartphone data is collected and used, and to demonstrate the full scale of its impact. What we know could be
just the beginning.
A large number of games apps are snooping on players using the smart phone's microphone to listen to what is
playing on TV, The apps recognise TV audio and report back what is being watched to home base, supposedly to help in targeted advertising.
Software from Alphonso, a start-up that collects TV-viewing data for advertisers, is used in at least 1000 games. The games do actually seek user consent to use the microphone but users may not be fully aware of the consequences of leaving an open
mike in their house or in their children's rooms
Alphonso's software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more
precisely and to try to analyze things like which ads prompted a person to go to a car dealership.
Alphonso claims that its software does not record human speech. The company claims that it did not approve of its software being used in apps meant for children. But it was, as of earlier this month, integrated in more than a dozen games like
Teeth Fixed and Zap Balloons from KLAP Edutainment in India, which describes itself as primarily focusing on offering educational games for kids and students.
The app can record audio from the microphone when the game is being player or when it is still running in background on the phone.
Comment: Alphonso knows what you watched last summer
Technology startup Alphonso has caused widespread concern by using smartphones microphones to monitor the TV and media habits of games and apps users.
The New York Times has published a story about a company called Alphonso that has developed a technology that uses smartphone microphones to identify TV and films being played in the background. Alphonso claims not to record any conversations, but
simply listen to and encode samples of media for matching in their database. The company combines the collected data with identifiers and uses the data to target advertising, audience measurement and other purposes. The technology is embedded in
over one thousand apps and games but the company refuses to disclose the exact list.
Alphonso argues that users have willingly given their consent to this form of spying on their media consumption and can opt out at any time. They argue that their behaviour is consistent with US laws and regulations.
Even if Alphonso were not breaking any laws here or in the US, there is a systemic problem with the growing intrusion of these types of technologies that monitor ambient sounds in private spaces without sufficient public debate. Apps are sneaking
this kind of surveillance in, using privacy mechanisms that clearly cannot cope. This is despite the apps displaying a widget asking for permission to use the microphone to detect TV content, which would be a "clear affirmative action"
for consent as required by law. Something is not working, and app platforms and regulators need to take action.
In addition to the unethical abuse of users' lack of initiative or ignorance - a bit like tobacco companies - there could be some specific breaches of privacy. The developers are clearly following the letter of the law in the US, obtaining consent
and providing an opt out, but in Europe they could face more trouble, particularly after May when the General Data Protection Regulaiton (GDPR) comes into force.
One of the newer requirements on consent under GDPR will be to make it as easy to withdraw as it was to give it in the first place. Alphonso has a web-page with information on how to opt out through the privacy settings of devices, and this
information is copied in at least some of the apps' privacy policies, buried under tons of legalese. This may not be good enough. Besides, once that consent is revoked, companies will need to erase any data obtained if there is no other legitimate
justification to keep it. It is far from clear this is happening now, or will be in May.
There is also a need for complete clarity on who is collecting the data and being responsible for handling any consent and its revocation. At present the roles of app developers, Apple, Google and Alphonso are blurred.
We have been asked whether individuals can take legal action. We think that under the current regime in the UK this may be difficult because the bar is quite high and the companies involved are covering the basic ground. GDPR will make it easier
to launch consumer complaints and legal action. The new law will also explicitly allow non-material damages, which is possible already in limited circumstances, including for revealing "political opinions, religion or philosophical
beliefs" . Alphonso is recording the equivalent of a reading list of audiovisual media and might be able to generate such information.
Many of these games are aimed at children. Under GDPR, all data processing of children data is seen as entailing a risk and will need extra care. Whether children are allowed to give consent or must get it from their parents/guardians will depend
on their age. In all cases information aimed at children will need to be displayed in a language they can understand. Some of the Alphonso games we checked have an age rating of 4+.
Consumer organisations have presented complaints in the past for similar issues in internet connected toys and we think that Alphonso and the developers involved should be investigated by the Information Commissioner.