Seven reasons not to trust Facebook to play cupid

This week Facebook has launched a major new product play, slotting an algorithmic dating service inside its walled garden as if that’s perfectly normal behavior for an ageing social network.

Insert your [dad dancing GIF of choice] right here.

Facebook getting into dating looks very much like a mid-life crisis — as a veteran social network desperately seeks a new strategy to stay relevant in an age when app users have largely moved on from social network ‘lifecasting’ to more bounded forms of sharing, via private messaging and/or friend groups inside dedicated messaging and sharing apps.

The erstwhile Facebook status update has long been usurped by the Snapchat (and now Instagram) Story as the social currency of choice for younger app users. Of course Facebook owns the latter product too, and has mercilessly cloned Stories. But it hardly wants its flagship service to just fade away into the background like the old fart it actually is in Internet age terms.

Not if it can reinvigorate the product with a new purpose — and so we arrive at online dating.

Facebook — or should that be ‘Datebook’ now?! — is starting its dating experiment in Colombia, as its beta market. But the company clearly has ambitious designs on becoming a major global force in the increasingly popular online dating arena — to challenge dedicated longtime players like eHarmony and OkCupid, as well as the newer breed of more specialized dating startups, such as female-led app, Bumble.

Zuckerberg is not trying to compete with online dating behemoth Tinder, though. Which Facebook dismisses as a mere ‘hook up’ app — a sub category it claims it wants nothing to do with.

Rather it’s hoping to build something more along the lines of ‘get together with friends of your friends who’re also into soap carving/competitive dog grooming/extreme ironing’ than, for e.g., the raw spank in the face shock of ‘Bang with Friends’. (The latter being the experimental startup which tried, some six years ago, to combine Facebook and sex — before eventually exiting to a Singapore-based dating app player, Paktor, never to be heard of again. Or, well, not until Facebook decided to get into the dating game and reminded us all how we lol’d about it.)

Mark Zuckerberg’s company doesn’t want to get into anything smutty, though. Oh no, no, NO! No sex please, we’re Facebook!

Facebook Dating has been carefully positioned to avoid sounding like a sex app. It’s being flogged as a tasteful take on the online dating game, with — for instance — the app explicitly architected not to push existing friends together via suggestive matching (though you’ll just have to hope you don’t end up being algorithmically paired with any exes, which judging by Facebook’s penchant for showing users ‘photo memories’ of past stuff with exes may not pan out so well… ). And no ability to swap photo messages with mutual matches in case, well, something pornographic were to pass through.

Facebook is famously no fan of nudes. Unsurprisingly, then, nor is its buttoned up dating app. Only ‘good, old-fashioned wholesome’ text-based chat-up lines (related to ‘good clean pieces of Facebook content’) here please.

If you feel moved to text an up-front marriage proposal — feeling 100% confident in Facebook’s data scientists’ prowess in reading the social media tea leaves and plucking your future life partner out of the mix — its algorithms will probably smile on that though.

The company’s line is that dating will help fulfil its new mission of encouraging ‘time well spent’ — by helping people forge more meaningful (new) relationships thanks to the power of its network (and the data it sucks out of it).

This mission is certainly an upgrade on Facebook’s earlier and baser interest in just trying to connect every human on planet Earth to every other human on planet Earth in some kind of mass data-swinging orgy — regardless of the ethical and/or moral consequences (as Boz memorably penned it), as if it was trying to channel the horror-loving spirit of Pasolini’s Salò. Or, well, a human centipede.

But that was then. These days, in its mid teens, Facebook wants to be seen as grown up and a bit worthy. So its take on dating looks a lot more ‘marriage material’ than ‘casual encounters’. Though, well, products don’t always pan out how their makers intend. So it might need to screw its courage to the sticking place and hope things don’t go south.

From the user perspective, there’s a whole other side here too though. Because given how much baggage inevitably comes with Facebook nowadays, the really burning question is whether any sensible person should be letting Mark Zuckerberg fire cupid’s arrows on their behalf?

He famously couldn’t tell malicious Kremlin propaganda from business as usual social networking like latte photos and baby pics — so what makes you think he’s going to be attuned to the subtle nuances of human chemistry?!

Here are just a few reasons why we think you should stay as far away from Facebook’s dalliance with dating as you possibly can…

  1. It’s yet another cynical data grab
    Facebook’s ad-targeting business model relies on continuous people tracking to function — which means it needs your data to exist. Simply put: Your privacy is Facebook’s lifeblood. Dating is therefore just a convenient veneer to slap atop another major data grab as Facebook tries to find less icky ways to worm its way back and/or deeper into people’s lives. Connecting singles to nurture ‘meaningful relationships’ is the marketing gloss being slicked over its latest invitation to ask people to forget how much private information they’re handing it. Worse still, dating means Facebook is asking people to share even more intimate and personal information than they might otherwise willingly divulge — again with a company whose business model relies upon tracking everything everyone does, on or offline, within its walled garden or outside it on the wider web, and whether they’re a Facebook user or not.
    This also comes at a time when users of Facebook’s eponymous social network have been showing signs of Facebook fatigue, and even changing how they use the service after a string of major privacy scandals. So Facebook doing dating also looks intended to function as a fresh distraction — to try to draw attention away from its detractors and prevent any more scales falling away from users’ eyes. The company wants to paper over growing scepticism about ad-targeting business models with algorithmic heart-shaped promises.
    Yet the real underlying passion here is still Facebook’s burning desire to keep minting money off of your private bits and bytes.
  2. Facebook’s history of privacy hostility shows it simply can’t be trusted
    Facebook also has a very long history of being outright hostile to privacy — including deliberately switching settings to make previously private settings public by default (regulatory intervention has been required to push back against that ratchet) — so its claim, with Dating, to be siloing data in a totally separate bucket, and also that information shared for this service won’t be used to further flesh out user profiles or to target people with ads elsewhere across its empire should be treated with extreme scepticism.
    Facebook also said WhatsApp users’ data would not be mingled and conjoined with Facebook user data — and, er, look what ended up happening there…!!
    And then there’s Facebook’s record of letting app developers liberally rip user data out of its platform — including (for years and years) ‘friend data’. Which almost sounded cosy. But Facebook’s friends data API meant that an individual Facebook user could have their data sucked out without even agreeing to a particular app’s ToS themselves. Which is part of the reason why users’ personal information has ended up all over the place — and in all sorts of unusual places. (Facebook not enforcing its own policies, and implementing features that could be systematically abused to suck out user data are among some of the many other reasons.)
    The long and short history of Facebook and privacy is that information given to it for one purpose has ended up being used for all sorts of other things — things we likely don’t even know the half of. Even Facebook itself doesn’t know, which is why it’s engaged in a major historical app audit right now. Yet this very same company now wants you to tell it intimate details about your romantic and sexual preferences? Uhhhh, hold that thought, truly.

  3. Facebook already owns the majority of online attention — why pay the company any more mind? Especially as dating singles already have amazingly diverse app choice…
    In the West there’s pretty much no escape from Facebook Inc. Not if you want to be able to use the social sharing tools your friends are using. Network effects are hugely powerful for that reason, and Facebook owns not just one popular and dominant social network but a whole clutch of them — given it also bought Instagram and WhatsApp (plus some others it bought and just closed, shutting down those alternative options). But online dating, as it currently is, offers a welcome respite from Facebook.
    It’s arguably also no accident that the Facebook-less zone is so very richly served with startups and services catering to all sorts of types and tastes. There are dating apps for black singles; matchmaking services for Muslims; several for Jewish people; plenty of Christian dating apps; at least one dating service to match ex-pat Asians; another for Chinese-Americans; queer dating apps for women; gay dating apps for men (and of course gay hook up apps too), to name just a few; there’s dating apps that offer games to generate matches; apps that rely on serendipity and location to rub strangers together via missed connections; apps that let you try live video chats with potential matches; and of course no shortage of algorithmic matching dating apps. No singles are lonely for dating apps to try, that’s for sure.
    So why on earth should humanity cede this very rich, fertile and creative ‘stranger interaction’ space, which caters to singles of all stripes and fancies, to a social network behemoth — just so Facebook can expand its existing monopoly on people’s attention?
    Why shrink the luxury of choice to give Facebook’s business extra uplift? If Facebook Dating became popular it would inexorably pull attention away from alternatives — perhaps driving consolidation among a myriad of smaller dating players, forcing some to band together to try to achieve greater scale and survive the arrival of the 800lb Facebook gorilla. Some services might feel they have to become a bit less specialized, pushed by market forces to go after a more generic (and thus larger) pool of singles. Others might find they just can’t get enough niche users anymore to self-sustain. The loss of the rich choice in dating apps singles currently enjoy would be a crying shame indeed. Which is as good a reason as any to snub Facebook’s overtures here.
  4. Algorithmic dating is both empty promise and cynical attempt to humanize Facebook surveillance
    Facebook typically counters the charge that because it tracks people to target them with ads it’s in the surveillance business by claiming people tracking benefits humanity because it can serve you “relevant ads”. Of course that’s a paper thin argument since all display advertising is something no one has chosen to see and therefore is necessarily a distraction from whatever a person was actually engaged with. It’s also an argument that’s come under increasing strain in recent times, given all the major scandals attached to Facebook’s ad platform, whether that’s to do with socially divisive Facebook ads, or malicious political propaganda spread via Facebook, or targeted Facebook ads that discriminate against protected groups, or Facebook ads that are actually just spreading scams. Safe to say, the list of problems attached to its ad targeting enterprise is long and keeps growing.
    But Facebook’s follow on claim now, with Dating and the data it intends to hold on people for this matchmaking purpose, is it has the algorithmic expertise to turn a creepy habit of tracking everything everyone does into a formula for locating love.
    So now it’s not just got “relevant” ads to sell you; it’s claiming Facebook surveillance is the special sauce to find your Significant Other!

    Frankly, this is beyond insidious. (It is also literally a Black Mirror episode — and that’s supposed to be dysfunctional sci-fi.) Facebook is moving into dating because it needs a new way to package and sell its unpleasant practice of people surveillance. It’s hoping to move beyond its attempt at normalizing its business line (i.e. that surveillance is necessary to show ads that people might be marginally more likely to click on) — which has become increasingly problematic as its ad platform has been shown to be causing all sorts of knock-on societal problems — by implying that by letting Facebook creep on you 24/7 it could secure your future happiness because its algorithms are working to track down your perfect other half — among all those 1s and 0s it’s continuously manhandling.
    Of course this is total bunkum. There’s no algorithmic formula to determine what makes one person click with another (or not). If there was, humans would have figured it out long, long ago — and monetized it mercilessly. (And run into all sorts of horrible ethical problems along the way.)
    Thing is, people aren’t math. Humans cannot be made to neatly sum to the total of their collective parts and interests. Which is why life is a lot more interesting than the stuff you see on Facebook. And also why there’s a near infinite number of dating apps out there, catering to all sorts of people and predilections.
    Sadly Facebook can’t see that. Or rather it can’t admit it. And so we get nonsense notions of ‘expert’ algorithmic matchmaking and ‘data science’ as the underpinning justification for yet another dating app launch. Sorry but that’s all just marketing.
    The idea that Facebook’s data scientists are going to turn out to be bullseye hitting cupids is as preposterous as it is ridiculous. Like any matchmaking service there will be combinations thrown up that work and plenty more that do not. But if the price of a random result is ceaseless surveillance the service has a disproportionate cost attached to it — making it both an unfair and an unattractive exchange for the user. And once again people are being encouraged to give up far more than they’re getting in return.
    If you believe that finding ‘the one’ will be easier if you focus on people with similar interests to you or who are in the same friend group there’s no shortage of existing ‘life avenues’ you can pursue without having to resort to Facebook Dating. (Try joining a club. Or going to your friends’ parties. Or indeed taking your pick from the scores of existing dating apps that already offer interest-based matching.)
    Equally you could just take a hike up a mountain and meet your future wife at the top (as one couple I know did). Safe to say, there’s no formula to love. And thankfully so. Don’t believe anyone trying to sell you a dating service with the claim their nerdtastic data scientists will hook you up good and proper.
    Facebook’s chance of working any ‘love magic’ will be as good/poor as the next app-based matchmaking service. Which is to say it will be random. There’s certainly no formula to be distilled beyond connecting ‘available to date’ singles — which dating apps and websites have been doing very well for years and years and years. No Facebook dates necessary.
    The company has little more to offer the world of online dating than, say, OkCupid, which has scale and already combines the location and stated interests of its users in an attempt to throw up possible clicks. The only extra bit is Facebook’s quasi-bundling of Events into dating, as a potential avenue to try and date in a marginally more informal setting than agreeing to go on an actual date. Though, really, it just sounds like it might be more awkward to organize and pull off.
    Facebook’s generic approach to dating is also going to offer much less for certain singles who benefit from a more specialized and tailored service (such as a female-focused player like Bumble which has created a service to cater to women’s needs; or, indeed, any of the aforementioned community focused offerings cited above which help people meet other likeminded singles).
    Facebook appears to believe that size matters in dating. And seems to want to be a generic giant in a market that’s already richly catering to all sorts of different communities. For many singles that catch-all approach is going to earn it a very hard left swipe.
  5. Dating takes resource and focus away from problems Facebook should actually be fixing
    Facebook’s founder made ‘fixing Facebook’ his personal priority this year. Which underlines quite how many issues the company has smashing through its plate. We’re not talking little bug fixes. Facebook has a huge bunch of existentially awful hellholes burning through its platform and punching various human rights in the process. This is not at all trivial. Some really terrible stuff has been going on with its platforms acting as the conduit.
    Earlier this year, for instance, the UN blasted Facebook saying its platform had become a “beast” in Myanmar — weaponized and used to accelerate ethnic violence against the Rohingya Muslim minority.
    Facebook has admitted it did not have enough local resource to stop its software being used to amplify ethnic hate and violence in the market. Massacres of Rohingya refugees have been described by human rights organizations as a genocide.
    And it’s not an isolated instance. In the Philippines the country has recently been plunged into a major human rights crisis — and the government there, which used Facebook to help get elected, has also been using Facebook to savage its critics at the same time as carrying out thousands of urban killings in a bloody so-called ‘war on drugs’.
    In India, Facebook’s WhatsApp messaging app has been identified as a contributing factor in multiple instances of mob violence and killings — as people have been whipped up by lies spread like lightning via the app.
    Set against such awful problems — where Facebook’s products are at very least not helping — we now see the company ploughing resource into expanding into a new business area, and expending engineering resource to build a whole new interface and messaging system (the latter to ensure Facebook Dating users can only swap texts, and can’t send photos or videos because that might be a dick pic risk).
    So it’s a genuine crying shame that Facebook did not pay so much close attention to goings on in Myanmar — where local organizations have long been calling for intelligent limits to be built in to its products to help stop abusive misuse.
    Yet Facebook only added the option to report conversations in its Messenger app this May.
    So the sight of the company expending major effort to launch a dating product at the same time as it stands accused of failing to do enough to prevent its products from being conduits for human rights abuses in multiple markets is ethically uncomfortable, to say the least.
    Prospective users of Facebook Dating might therefore feel a bit queasy to think that their passing fancies have been prioritized by Zuckerberg & co over and above adding stronger safeguards and guardrails to the various platforms they operate to try to safeguard humans from actual death in other corners of the globe.
  6. By getting involved with dating, Facebook is mixing separate social streams
    Talking of feeling queasy, with Facebook Dating the company is attempting to pull off a tricky balancing act of convincing existing users (many of whom will already be married and/or in a long term relationship) that it’s somehow totally normal to just bolt on a dating layer to something that’s supposed to be a generic social network.
    All of a sudden a space that’s always been sold — and traded — as a platonic place for people to forge ‘friendships’ is suddenly having sexual opportunity injected into it. Sure, the company is trying to keep these differently oriented desires entirely separate, by making the Dating component an opt-in feature that lurks within Facebook (and where (it says) any activity is siloed and kept off of mainstream Facebook (at least that’s the claim)). But the very existence of Facebook Dating means anyone in a relationship who is already on Facebook is now, on one level, involved with a dating app company.
    Facebook users may also feel they’re being dangled the opportunity to sign up to online dating on the sly — with the company then committing itself to being the secret-keeping go-between ferrying any flirtatious messages they care to send in a way that would be difficult for their spouse to know about, whether they’re on Facebook or not.
    How comfortable is Facebook going to be with being a potential aid to adultery? I guess we’ll have to wait and see how that pans out. As noted above, Facebook execs have — in the past — suggested the company is in the business of ‘connecting people, period’. So there’s perhaps a certain twisted logic working away as an undercurrent and driving its impulse to push for ever more human connections. But the company could be at risk of applying its famous “it’s complicated” relationship status to itself with the dating launch — and then raining complicated consequences down upon its users as a result. (As, well, it so often seems to do in the name of expanding its own business.)
    So instead of ‘don’t mix the streams’, with dating we’re seeing Facebook trying to get away with running entirely opposite types of social interactions in close parallel. What could possibly go wrong?! Or rather what’s to stop someone in the ‘separate’ Facebook dating pool trying to Facebook-stalk a single they come across there who doesn’t respond to their overtures? (Given Facebook dating users are badged with their real Facebook names there could easily be user attempts to ‘cross over’.)
    And if sentiments from one siloed service spill over into mainstream Facebook things could get very messy indeed — and users could end up being doubly repelled by its service rather than additionally compelled. The risk is Facebook ends up fouling not feathering its own nest by trying to combine dating and social networking. (This less polite phrase also springs to mind.)
  7. Who are you hoping to date anyway?!
    Outside emerging markets Facebook’s growth has stalled. Even social networking’s later stage middle age boom looks tapped out. At the same time today’s teens are not at all hot for Facebook. The youngest web users are more interested in visually engaging social apps. And the company will have its work cut out trying to lure this trend-sensitive youth crowd. Facebook dating will probably sound like a bad joke — or a dad joke — to these kids.
    Going up the age range a bit, the under ~35s are hardly enamoured with Facebook either. They may still have a profile but also hardly think Facebook is cool. Some will have reduced their usage or even taken a mini break. The days of this age-group using Facebook to flirt with old college classmates are as long gone as sending a joke Facebook poke. Some are deleting their Facebook account entirely — and not looking back. Is this prime dating age-group suddenly likely to fall en masse for Facebook’s love match experiment? It seems doubtful.
    And it certainly looks like no accident Facebook is debuting Dating outside the US. Emerging markets, which often have young, app-loving populations, probably represent its best chance at bagging the critical mass of singles absolutely required to make any dating product even vaguely interesting.
    But in its marketing shots for the service Facebook seems to be hoping to attract singles in the late twenties age-range — dating app users who are probably among the ficklest, trickiest people for Facebook to lure with a late-stage, catch-all and, er, cringey proposition.
    After that, who’s left? Those over 35s who are still actively on Facebook are either going to be married — and thus busy sharing their wedding/baby pics — and not in the market for dating anyway; or if they are single they may be less inclined towards getting involved with online dating vs younger users who are now well accustomed to dating apps. So again, for Facebook, it looks like diminishing returns up here.
    And of course a dating app is only as interesting and attractive as the people on it. Which might be the most challenging hurdle for Facebook to make a mark on this well-served playing field — given its eponymous network is now neither young nor cool, hip nor happening, and seems to be having more of an identity crisis with each passing year.
    Perhaps Facebook could carve out a dating niche for itself among middle-age divorcees — by offering to digitally hand-hold them and help get them back into the dating game. (Although there’s zero suggestion that’s what it’s hoping to do with the service it debuted this week.)
    If Zuckerberg really wants to bag the younger singles he seems most interested in — at least judging by Facebook Dating’s marketing — he might have been better off adding a dating stream to Instagram.
    I mean, InstaLovegram almost sounds like it could be a thing.

Equifax slapped with UK’s maximum penalty over 2017 data breach

Credit rating giant Equifax has been issued with the maximum possible penalty by the UK’s data protection agency for last year’s massive data breach.

Albeit, the fine is only £500,000 because the loss of customer data occurred when the UK’s prior privacy regime was in force — rather than the tough new data protection law, brought in via the EU’s GDPR, which allows for maximum penalties of as much as 4% of a company’s global turnover for the most serious data failures.

So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months — thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers.

Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.

The UK data protection regulator is involved because up to 15 million UK citizens’ data was also breached in the attack. And while the hack compromised Equifax’s US systems, the UK citizens’ data was being processed in the US.

The UK’s Information Commissioner’s Office (ICO) said today that the UK arm of Equifax failed to take adequate steps to ensure its US parent was protecting this data.

Reporting the result of its investigation, the ICO said Equifax contravened five out of eight data protection principles of the Data Protection Act 1998 — including, failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.

“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said information commissioner Elizabeth Denham in a statement. “We are determined to look after UK citizens’ information wherever it is held.”

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.

The regulator’s investigation, carried out in parallel with the UK’s financial regulator, the Financial Conduct Authority, revealed multiple failures at the credit reference agency.

The ICO says it found that measures that should have been in place to manage personal information were “inadequate and ineffective”, and there were also “significant problems” with data retention, IT system patching, and audit procedures.

It flags the fact that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017, noting that “sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched”.

“Many of the people affected would not have been aware the company held their data; learning about the cyber attack would have been unexpected and is likely to have caused particular distress,” added Denham, emphasizing the reasons for the ICO to issue the maximum possible penalty for the breach.

The ICO also recently issued Facebook with the same level of fine for allowing user data on up to 87 million Facebook users to be scraped by a third party app which used it to try to build voter targeting models, selling this as a service to a political consultancy involved in US elections.

“Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it,” she continued. “Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”

Equifax has responded with disappointment to the ICO’s decision. In a statement responding to the ICO’s ruling, a company spokesperson said: “We have received the Monetary Penalty Notice from the Information Commissioner’s Office (ICO) on Wednesday afternoon and are considering the detailed points made. Equifax has cooperated fully with the ICO throughout its investigation, and we are disappointed in the findings and the penalty.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect. The criminal cyberattack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.

“Data security and combatting criminal digital activity is an ongoing battle for all organisations that requires continued innovation and attention. We have acted and continue to act to make things right for consumers. They will always be our priority.”

The company points to a number of changes it says it has made in response to the incident to strengthen its policies and processes, and also highlights ongoing investments in infrastructure and corporate governance procedures, including hiring additional IT staff, which are intended to improve the resilience of its systems to hack attacks.

However it does concede that the breach itself was the result of internal process failings, given that a file containing historical consumer information which should have been deleted was not.

And the key point here is that the ICO’s decision is based on scrutinising exactly what happened that led to the breach occurring.

How a company has acted since a security crisis will be taken into consideration, as part of the overall picture, but having shut the barn door after the horse has bolted is only going to get so much credit vs the reasons for the barn door not being properly secured in the first place. And that’s as it should be given the point of data protection legislation is to encourage companies to prioritize security, not overlook it.

In the Equifax decision the ICO writes: “The Commissioner has also taken into account her underlying objective in imposing a monetary penalty notice, namely to promote compliance with the DPA [data protection act]. She considers that, given the nature, seriousness and potential consequences of the contravention arising in this case, that objective would not be adequately served by an unduly lenient penalty.”

Call for smart home devices to bake in privacy safeguards for kids

A new research report has raised concerns about how in-home smart devices such as AI virtual voice assistants, smart appliances, and security and monitoring technologies could be gathering and sharing children’s data.

It calls for new privacy measures to safeguard kids and make sure age appropriate design code is included with home automation technologies.

The report, entitled Home Life Data and Children’s Privacy, is the work of Dr Veronica Barassi of Goldsmiths, University of London, who leads a research project at the university investigating the impact of big data and AI on family life.

Barassi wants the UK’s data protection agency to launch a review of what she terms “home life data” — meaning the information harvested by smart in-home devices that can end up messily mixing adult data with kids’ information — to consider its impact on children’s privacy, and “put this concept at the heart of future debates about children’s data protection”.

“Debates about the privacy implications of AI home assistants and Internet of Things focus a lot on the collection and use of personal data. Yet these debates lack a nuanced understanding of the different data flows that emerge from everyday digital practices and interactions in the home and that include the data of children,” she writes in the report.

“When we think about home automation therefore, we need to recognise that much of the data that is being collected by home automation technologies is not only personal (individual) data but home life data… and we need to critically consider the multiple ways in which children’s data traces become intertwined with adult profiles.”

The report gives examples of multi-user functions and aggregated profiles (such as Amazon’s Household Profiles feature) as constituting a potential risk to children’s privacy.

Another example cited is biometric data — a type of information frequently gathered by in-home ‘smart’ technologies (such as via voice or facial recognition tech) yet the report asserts that generic privacy policies often do not differentiate between adults’ and children’s biometric data. So that’s another grey area being critically flagged by Barassi.

She’s submitted the report to the ICO in response to its call for evidence and views on an Age Appropriate Design Code it will be drafting. This code is a component of the UK’s new data protection legislation intended to support and supplement rules on the handling of children’s data contained within pan-EU privacy regulation — by providing additional guidance on design standards for online information services that process personal data and are “likely to be accessed by children”.

And it’s very clear that devices like smart speakers intended to be installed in homes where families live are very likely to be accessed by children.

The report concludes:

There is no acknowledgement so far of the complexity of home life data, and much of the privacy debates seem to be evolving around personal (individual) data. It seems that companies are not recognizing the privacy implications involved in children’s daily interactions with home automation technologies that are not designed for or targeted at them. Yet they make sure to include children in the advertising of their home technologies. Much of the responsibility of protecting children is in the hands of parents, who struggle to navigate Terms and Conditions even after changes such as GDPR [the European Union’s new privacy framework]. It is for this reason that we need to find new measures and solutions to safeguard children and to make sure that age appropriate design code is included within home automation technologies.

“We’ve seen privacy concerns raised about smart toys and AI virtual assistants aimed at children, but so far there has been very little debate about home hubs and smart technologies aimed at adults that children encounter and that collect their personal data,” adds Barassi commenting in a statement.

“The very newness of the home automation environment means we do not know what algorithms are doing with this ‘messy’ data that includes children’s data. Firms currently fail to recognise the privacy implications of children’s daily interactions with home automation technologies that are not designed or targeted at them.

“Despite GDPR, it’s left up to parents to protect their children’s privacy and navigate a confusing array of terms and conditions.”

The report also includes a critical case study of Amazon’s Household Profiles — a feature that allows Amazon services to be shared by members of a family — with Barassi saying she was unable to locate any information on Amazon’s US or UK privacy policies on how the company uses children’s “home life data” (e.g. information that might have been passively recorded about kids via products such as Amazon’s Alexa AI virtual assistant).

“It is clear that the company recognizes that children interact with the virtual assistants or can create their own profiles connected to the adults. Yet I can’t find an exhaustive description or explanation of the ways in which their data is used,” she writes in the report. “I can’t tell at all how this company archives and sells my home life data, and the data of my children.”

Amazon does make this disclosure on children’s privacy — though it does not specifically state what it does in instances where children’s data might have been passively recorded (i.e. as a result of one of its smart devices operating inside a family home.)

Barassi also points out there’s no link to its children’s data privacy policy on the ‘Create your Amazon Household Profile’ page — where the company informs users they can add up to four children to a profile, noting there is only a tiny generic link to its privacy policy at the very bottom of the page.

We asked Amazon to clarify its handling of children’s data but at the time of writing the company had not responded to multiple requests for comment.

The EU’s new GDPR framework does require data processors to take special care in handling children’s data.

In its guidance on this aspect of the regulation the ICO writes: “You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.”

The ICO also warns: “The GDPR also states explicitly that specific protection is required where children’s personal data is used for marketing purposes or creating personality or user profiles. So you need to take particular care in these circumstances.”

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.

The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe.

The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device.

“This is particularly devastating because not only is an attacker able to control the NVR [camera] but the credentials for all the cameras connected to the NVR are stored in plaintext on disk,” Tenable writes.

Tenable provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices on its GitHub page. One exploit “grabs the credentials to the cameras that are connected to the NVR, creates a hidden admin user, and disconnects any cameras that are currently connected to the NVR.” Not great.

Tenable set its disclosure to NUUO in motion on June 1. NUUO committed to a September 13 patch date to fix the issue but the date was later pushed to September 18, when anyone with affected equipment can expect to see firmware version 3.9.0.1. Organizations that might be vulnerable can use a plugin from the researchers to determine if they’re at risk or contact the manufacturer directly. TechCrunch reached out to NUUO about its plans to push a patch and notify affected users.

What makes matters worse with this vulnerability is that NUUO actually licenses its software out to at least 100 other brands and 2,500 camera models. Tenable estimates that the vulnerability could put hundreds of thousands of networked surveillance cameras at risk around the world, and many of the groups that operate those devices might have no idea that the risk is even relevant to the systems they rely on.

Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data

Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says.

In new findings published Wednesday, F-Secure said that none of the existing firmware security measures in any laptop it tested “does a good enough job” of preventing data theft.

F-Secure principal security consultant Olle Segerdahl told TechCrunch that the vulnerabilities put “nearly all” laptops and desktops — both Windows and Mac users — at risk.

The new exploit is built on the foundations of a traditional cold boot attack, which hackers have long used to steal data from a shut-down computer. Modern computers overwrite their memory when a device is powered down so that the data cannot be read. But Segerdahl and his colleague Pasi Saarinen found a way to disable the overwriting process, making a cold boot attack possible again.

“It takes some extra steps,” said Segerdahl, but the flaw is “easy to exploit.” So much so, he said, that it would “very much surprise” him if this technique isn’t already known by some hacker groups.

“We are convinced that anybody tasked with stealing data off laptops would have already come to the same conclusions as us,” he said.

It’s no secret that if you have physical access to a computer, the chances of someone stealing your data are usually greater. That’s why so many use disk encryption — like BitLocker for Windows and FileVault for Macs — to scramble and protect data when a device is turned off.

But the researchers found that in nearly all cases they can still steal data protected by BitLocker and FileVault regardless.

After the researchers figured out how the memory overwriting process works, they said it took just a few hours to build a proof-of-concept tool that prevented the firmware from clearing secrets from memory. From there, the researchers scanned for disk encryption keys, which, when obtained, could be used to mount the protected volume.

It’s not just disk encryption keys at risk, Segerdahl said. A successful attacker can steal “anything that happens to be in memory,” like passwords and corporate network credentials, which can lead to a deeper compromise.

Their findings were shared with Microsoft, Apple, and Intel prior to release. According to the researchers, only a smattering of devices aren’t affected by the attack. Microsoft said in a recently updated article on BitLocker countermeasures that using a startup PIN can mitigate cold boot attacks, but Windows users with “Home” licenses are out of luck. And any Apple Mac equipped with a T2 chip is not affected, but a firmware password would still improve protection.

Both Microsoft and Apple downplayed the risk.

Acknowledging that an attacker needs physical access to a device, Microsoft said it encourages customers to “practice good security habits, including preventing unauthorized physical access to their device.” Apple said it was looking into measures to protect Macs that don’t come with the T2 chip.

When reached, Intel would not comment on the record.

In any case, the researchers say, there’s not much hope that affected computer makers can fix their fleet of existing devices.

“Unfortunately, there is nothing Microsoft can do, since we are using flaws in PC hardware vendors’ firmware,” said Segerdahl. “Intel can only do so much, their position in the ecosystem is providing a reference platform for the vendors to extend and build their new models on.”

Companies, and users, are “on their own,” said Segerdahl.

“Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case,” he said.

Mozilla hires former Google executive as its new policy and security chief

Mozilla has hired Alan Davidson, a former Commerce Dept. digital director, as its new global policy chief.

The Firefox browser maker said Tuesday that the former civil servant, who oversaw internet policy and cybersecurity towards the end of Obama’s presidential tenure, will return to Mozilla in the new role after last year serving as its tech policy fellow. Davidson also served as Google’s policy chief amid an uproar in 2011 about the search giant’s location tracking, and later as director of New America’s Open Technology Institute.

In his new role, Davidson will be responsible for Mozilla’s policy, trust and security work, including compliance, security and investigations. Mozilla said that will include the company’s ongoing efforts to defend the open web, such as web standards, net neutrality and pushing for user privacy.

Davidson, who said he was “thrilled” to join the browser giant, will report to Mozilla’s chief operating officer, Denelle Dixon.

“At a time when people are questioning the impact of technology on their lives and looking for leadership from organizations like Mozilla, Alan will add considerable capacity to our public policy, trust and security efforts, drawing from his extensive professional history working to advance a free and open digital economy,” said Dixon.

The browser maker has aggressively pushed for opening data and doubling down on privacy features in recent years.

Last week, Mozilla published its Firefox user data in an effort to be more transparent with its telemetry data collection. And, the company recently announced it will soon block trackers that follow users across the web for, among other things, targeted advertising.

‘Five Eyes’ Governments Urge Tech Companies to Build Backdoors into Encrypted Services

Five nations including the U.S. and the U.K. have urged tech companies to comply with requests to build backdoors into their encrypted services, or potentially face legislation requiring them to do so by law.

The statement is a result of a meeting last week between the “Five Eyes” intelligence sharing countries, which include the U.S., the U.K., Canada, Australia, and New Zealand.

In a published memo, the governments claim that the use of such backdoors for accessing encrypted data would respect personal rights and privacy, and be limited only to criminal investigations by law enforcement.

Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

The memo goes on to note that each of the Five Eyes jurisdictions will consider how to implement the statement principles, including “with the voluntary cooperation of industry partners”, while adhering to lawful requirements for proper authorization and oversight.

The statement of principles underlines the fractious relationship between some governments and tech companies regarding encryption over the last few years, in which the popularity of digital messaging services has exploded.

The U.K. government has long argued that encrypted online channels such as WhatsApp and Telegram provide a “safe haven” for terrorists because governments and even the companies that host the services cannot read them.

In 2016, Apple and the FBI were involved in a public dispute over the latter’s demands to provide a backdoor into iPhones, following the December 2015 shooter incidents in San Bernardino.

Apple refused to comply with the request, saying that the software the FBI asked for could serve as a “master key” able to be used to get information from any iPhone or iPad – including its most recent devices – while the FBI claimed it only wanted access to a single iPhone.

In another potential test case, Facebook is currently contesting a demand from the U.S. government that it break the encryption of its popular Messenger app so that law enforcement can listen in to a suspect’s conversations as part of an ongoing investigation into a criminal gang.


All New and Updated App Store Apps Required to Have a Privacy Policy Starting October

Apple has announced that, starting October 3, 2018, all new apps and app updates will require a privacy policy in order to be submitted for distribution on the App Store or through TestFlight for beta testing purposes.



Apple already requires a privacy policy for apps that access personal information, including apps that offer subscriptions, accept Apple Pay, or use Apple frameworks such as HomeKit, HealthKit, or CareKit. Now, the requirement will extend to all apps, including basic ones that do not share data in any way.

It does not appear that existing apps on the App Store will be affected by this move until they are updated on October 3 or later, so long-outdated apps may remain without a privacy policy if they are no longer maintained.

Apple detailed the upcoming changes in the News section of its App Store Connect portal for developers on Thursday:

Starting October 3, 2018, App Store Connect will require a privacy policy for all new apps and app updates in order to be submitted for distribution on the App Store or through TestFlight external testing. In addition, your app’s privacy policy link or text will only be editable when you submit a new version of your app.

To add or edit your privacy policy for the App Store:

1. Go to My Apps in App Store Connect, and click on your app.

2. Under App Store, click on App Information.

3. In the top right corner, add your privacy policy link for iOS apps or macOS apps, or enter text directly for tvOS apps.

4. Click Save.

To add your privacy policy link to your app for external TestFlight distribution:

1. Go to My Apps in App Store Connect, and click on your app.

2. Under TestFlight, click Test Information.

3. Add your privacy policy link for iOS apps, or enter text directly for tvOS apps.

4. Click Save.

Apple elaborates on its privacy policy requirements in its App Store Review Guidelines, under Section 5.1.1:

Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

– Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.

– Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.

– Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.

App Store Connect has long provided a privacy policy metadata field for developers to submit a link to their privacy policy webpage for iOS apps. On the Apple TV, there is no web browser, so App Store Connect has a text box for developers to paste the full text of their privacy policy, which is displayed in the app.
