What’s Happening in the World?

While the field of data protection is developing at an accelerating pace in our country, developments around the world remain on the radar of the Personal Data Protection Authority (the “Authority”).

The examples we have encountered repeatedly show that the Authority follows the global agenda, in particular the European General Data Protection Regulation (“GDPR”), and tries to keep pace with the requirements of the fast-moving data privacy world.

As GRC Legal Law Firm, we closely follow the global agenda and present a selection of current developments for your information in this piece.

The news items below are from October 2022.

WispR x WhatsApp & Telegram

WispR is a messaging application that uses blockchain technology to provide a fully decentralised messaging service: a database made up of blocks, with encrypted transaction records stored in those blocks. One of WispR’s main aims is to solve a problem ordinary users commonly face with such applications: the privacy dilemma.

The rapid development of new technologies has directly changed the way people communicate day to day, allowing us to stay connected with each other more than ever before. Social media and messaging apps now play a vital role in this interconnected way of life. However, it has become clear that apps from big technology companies such as WhatsApp and Telegram are not trusted platforms that guarantee data privacy to their users, even though WhatsApp uses end-to-end encryption, which prevents anyone but the sender and recipient from reading a message (Telegram applies it only in its optional “secret chats”).

Well-known technology companies have also previously caused uproar through a lack of transparency in how they used data for profit. A striking example was the allegation that Facebook, founded and owned by Mark Zuckerberg, allowed sensitive user data to be harvested and passed to Cambridge Analytica in the 2010s. It is worth remembering how much user data is collected from how large an audience: Meta, as Facebook’s parent company is now named, owns Facebook, WhatsApp, Instagram, Messenger and much more.

Messaging apps are obliged to comply with privacy regulations, including the GDPR, which came into force in May 2018 to protect the personal data and privacy of individuals in the European Union and the European Economic Area. In the same year, the Irish Data Protection Commission (DPC) opened an investigation into WhatsApp, which concluded in 2021 with a €225 million fine.

WispR promises a blockchain-based, censorship-resistant and fully transparent messaging application in which all forms of communication (messages, calls, video conferences, file transfers) are encrypted. This is achieved through a mechanism called Voice Over Blockchain Protocol (“VOBP”), a security layer that relies on industry-standard protocols to protect users.

WispR was built by the software start-up CryptoDATA in collaboration with Patentpool Group, a company with over 20 years of experience in funding innovation-driven start-ups.

Because WispR uses widely adopted encryption standards, including the Advanced Encryption Standard with 256-bit keys (AES-256), third parties cannot read users’ messages or listen to their voice memos, and under this protocol even WispR itself cannot read or hear users’ messages and calls. Technically, VOBP generates session keys that are exchanged between the two users when they start a conversation and destroyed at the end of each session, so a key is never reused across sessions.

WispR is available for Android and iOS. Once installed, it converts the user’s phone number into a code and assigns them a Matrix ID, so they can communicate with their contacts while remaining anonymous. This matters because platforms such as WhatsApp are tied to the phone number: a fraudster who obtains a duplicate SIM for that number (a SIM-swap attack) can register the account on another device and reach backed-up conversations. On other platforms, such as Telegram, the phone number can be hidden, but a similar risk remains because usernames are always public (and end-to-end encryption is not applied by default).

The next step on WispR’s roadmap is a digital payment service that it intends to make Europe’s leading one, similar to WeChat Pay, the payment tool of the Chinese social media app WeChat.

TikTok x Child Privacy

The UK’s data protection regulator has announced that TikTok faces a fine of up to £27 million for failing to protect children’s privacy. An investigation by the Information Commissioner’s Office (ICO) found that the video-sharing app may have breached data protection law between May 2018 and July 2020.

The ICO has issued TikTok with a “notice of intent”, the precursor to a potential fine of up to £27 million. If levied, it would be the largest fine in the ICO’s history, surpassing the record £20 million imposed on British Airways in 2020 for a 2018 breach in which the personal information of more than 400,000 customers was compromised.

The regulator’s “provisional view” is that TikTok may have processed the data of children under 13 without parental consent and failed to provide its users with accurate information “in a concise, transparent and easy-to-understand manner”.

The ICO also said that TikTok may have processed special category data, including ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership and genetic, biometric or health data, without a lawful basis.

Information Commissioner John Edwards said: “We all want children to be able to learn and experience the digital world with appropriate data privacy protections. Companies providing digital services have a legal duty to fulfil these protections, but our provisional view is that TikTok has failed to meet this requirement.”

The ICO added that it “will carefully consider any representations from TikTok before making a final decision”, explaining that it has not yet concluded whether data protection law has been breached or whether a financial penalty will be imposed.

TikTok, for its part, said that it disagrees with the ICO’s provisional findings and will submit a formal response. A company spokesperson said: “This notice of intent covering the period May 2018 – July 2020 is provisional and, as the ICO has stated, no final conclusion can be reached at this time. While we respect the ICO’s role in protecting privacy in the UK, we disagree with the preliminary views expressed and plan to formally respond to the ICO in due course.”

Edwards made clear that the ICO’s work to better protect children online includes working with organisations but will also include enforcement action where necessary. He added that the ICO is currently examining how more than 50 different online services are conforming with the Children’s code, and that it has six ongoing investigations into providers of digital services that, on its initial view, do not take their responsibilities for children’s safety seriously enough.

CIA x Citizen Lab

According to security researchers, the US Central Intelligence Agency (CIA) used hundreds of websites for covert communications that had flaws serious enough to be spotted by an amateur investigator. The flaws reportedly contributed to the deaths of more than two dozen US intelligence sources in China in 2011 and 2012, and led Iran to execute or imprison other CIA assets.

The new research comes from Citizen Lab, the University of Toronto’s interdisciplinary laboratory that studies software and information controls that pose a threat to human rights.

The Citizen Lab team said it has not published a detailed technical report on its findings, to avoid putting CIA officers or assets at risk. Even the limited findings that were published raise serious doubts about the agency’s handling of operational security.

Starting from a single website and publicly available material, Citizen Lab said it identified a network of 885 websites that it attributes with confidence to CIA use. The sites posed as news, weather, health care and other legitimate websites, and an amateur investigator could easily have mapped the network and attributed it to the US government while the sites were active.

The websites were active between 2004 and 2013 and have probably not been used by the CIA recently, but Citizen Lab said that a subset of them were linked to active intelligence employees or agents, including a foreign contractor and a government ministry employee.

Citizen Lab said that the CIA’s reckless construction of this infrastructure led directly to the identification of agents and put the lives of untold numbers of other people at risk, and called for those responsible to be held accountable now that the investigation and disclosure process has concluded.

The story dates back to 2018, when Yahoo News reporters Jenna McLaughlin and Zach Dorfman first reported that a system used by the CIA to communicate with its spies had been compromised by Iran and China, leading to the deaths of more than two dozen sources in China in 2011 and 2012. Yahoo News also reported renewed concern among people familiar with the flaw, since no one has so far been held accountable.

Google x Consumer Privacy

Google has agreed to pay $85 million to settle a consumer privacy lawsuit in Arizona state court alleging that the Alphabet-owned technology giant secretly collected users’ location data for targeted advertising.

The settlement comes as Google faces similar complaints about user location data from a group of state attorneys general, including those of Texas, Indiana and the District of Columbia, in their respective courts.

In a complaint filed in Arizona state court in May 2020, the Arizona Attorney General accused Google of violating the state’s Consumer Fraud Act because it continued to collect location data even when users had turned off Location History, through other settings such as “Web & App Activity”. In its defence, Google argued that an alleged violation must be connected to a sale or advertisement, as the Consumer Fraud Act requires. In January, an Arizona state judge denied Google’s motion to dismiss the case.

The office of Attorney General Mark Brnovich said in a statement that the settlement is the largest amount Google has ever paid per user in a privacy and consumer fraud case of this type. Brnovich added that he was proud of the historic settlement, which shows that no entity, not even a large technology company, is above the law.

Google spokesperson José Castañeda said the Arizona lawsuit was based on old product policies that the company changed years ago, that it now offers simple controls and auto-delete options for location data, and that it always strives to minimise the data it collects. He added that Google is pleased the matter has been resolved and will keep its focus on providing useful products for its users.

Google x Neeva

Neeva, an ad-free and tracker-free search engine with 600,000 users in the US, where it launched last year, has recently launched in the UK, France and Germany. Neeva, whose co-founder and CEO is Sridhar Ramaswamy, has so far raised $77.5 million from investors.

Ramaswamy, who worked at Google for 16 years and ran its biggest business, the $115 billion advertising division, says the technology sector exploits people’s data and that he no longer wants to be part of that. Trackers are indeed known to share information about users’ online activities, largely for the purpose of targeting adverts.

Neeva’s basic service is free; other features, such as a password manager and a virtual private network (“VPN”) service, will be offered on a subscription basis, and users will need to create an account to set up subscriptions.

Ramaswamy also said that, in his view, the purpose of traditional search engines is not really to serve users but to serve advertising and advertisers. Google holds a dominant position in the market, he said, so the incentive to innovate and create disruptive experiences is missing; as a company it has to show more revenue and profit to its shareholders, so it keeps increasing the number of adverts.

When “migraine” is searched on both Google and Neeva, the first page of results is similar: news articles and links to factual information. The difference becomes apparent with a brand search. For “BMW”, both engines provide links to the car manufacturer’s website and its Wikipedia entry, but Google follows with a map, social media feeds and links to used car dealers, while Neeva follows with links to different official BMW pages. Google certainly offers more variety here, but it also clearly steers users towards buying a car.

Neeva’s Chrome browser extension lists the trackers present on the web pages visited, and almost every search turns up at least one Google tracker, meaning that Google receives anonymised information about users who visit those pages. When the extension is enabled, no adverts are displayed around the editorial content.

Ultimately, however, none of Neeva’s competitors has broken the dominance of Google search. That privacy-focused services such as DuckDuckGo, or rivals such as Bing, do not compare with Google can be inferred from the fact that “to google” has become a verb.

Asked whether Ramaswamy could oust his former employer, Steph Liu, an analyst specialising in privacy and search at Forrester, said: “Realistically, no. It’s kind of like a David and Goliath story. Google has too many users and too much revenue.” Ramaswamy’s own stated aim is more modest: “Our ultimate goal is to create an alternative for the consumer base who are concerned about their privacy, who don’t want Google collecting their data and targeting adverts based on their search history.”

The David and Goliath comparison also carries a message: the giants are not as invincible as they seem.

Uber X Data Breach

A former Uber executive has been found guilty of failing to report a 2016 incident of unauthorised access to the ride-hailing company’s systems to the Federal Trade Commission (“FTC”). It is believed to be the first time an executive has faced criminal prosecution over a data breach.

Joe Sullivan, Uber’s former chief security officer, who previously worked at Facebook and was dismissed by Uber in 2017, was convicted in federal court in San Francisco of obstruction of justice and misprision of a felony (concealing a crime). According to the New York Times, the trial lasted three weeks and the jury deliberated for about 19 hours before reaching its verdict.

According to the Justice Department, no sentencing date has yet been set; Sullivan faces a maximum of five years in prison for the obstruction count and up to three years for failing to report the offence.

Sullivan’s lawyer David Angeli said in a statement that they disagreed with the jury’s verdict and that his client’s sole focus in this case, and throughout his distinguished career, had been to ensure the security of people’s personal data online.

According to prosecutors, in 2016, while the FTC was investigating Uber over an earlier hacking incident, Sullivan received an email from anonymous hackers saying they had exploited a vulnerability to obtain data on approximately 57 million Uber riders and drivers, including around 600,000 drivers’ licence numbers. The hackers demanded $100,000 in exchange for not publishing the data, and the company paid. Uber later identified the hackers and had them sign an agreement not to disclose the data. Two hackers pleaded guilty to the breach in 2019, and one of them testified for the prosecution at Sullivan’s trial. The breach was not reported to the FTC until after Dara Khosrowshahi became CEO in 2017.

In his closing argument, however, Angeli said that Sullivan had treated the incident as a bug bounty payment, the reward paid to people who find software flaws, and that there had been no cover-up, according to the Journal.

Easylife Limited X ICO

Easylife Limited is a catalogue retailer of household goods and of products and services relating to health, motoring, gardening and virtual cards.

An investigation by the Information Commissioner’s Office (the “ICO”) found that Easylife Limited used the personal data of 145,400 customers who had previously bought from its Health Club catalogue, without their consent, to make assumptions about their medical conditions and target them with marketing for health-related products. The ICO also found that this profiling processed health data invisibly, in breach of data protection law, without customers being aware of it. For this breach the ICO fined Easylife Limited £1,350,000.

As a concrete example, when a customer bought a jar opener or a food tray, Easylife used that purchase to infer that the person had arthritis and then called them to market glucosamine joint patches.

In addition, the ICO received 25 complaints that Easylife was making unsolicited direct marketing calls, with complainants saying they felt angry, anxious, threatened and distressed. The ICO investigated and found that 1,345,732 unsolicited direct marketing calls were made to subscribers between 1 August 2019 and 19 August 2020.

Under the Privacy and Electronic Communications Regulations (“PECR”), live marketing calls must not be made to anyone registered with the Telephone Preference Service (“TPS”) unless that person has told the caller that they wish to receive such calls. For these unsolicited direct marketing calls, Easylife was fined a further £130,000 under PECR.

John Edwards, the UK Information Commissioner, said that Easylife’s unlawful sales approach was unacceptable, that profiling without transparency was a serious breach of information rights, and that this should serve as a warning to other companies making similar nuisance calls and harming people.