Meta, la maison-mère de Facebook WhatsApp et Instagram, travaille sur le développement d’un nouveau réseau social pour concurrencer Twitter. Son nom : P92. L’objectif est de séduire les utilisateurs déçus par Twitter et de créer une alternative plus libre. Ce dernier traverse une crise sans précédent de grande ampleur depuis le rachat de la société par Elon Musk. Le nouveau réseau social serait basé sur une plateforme décentralisée, permettant aux utilisateurs de créer des communautés et de publier des contenus […]
The lawsuit alleges the surveillance firm violated Facebook’s and Instagram’s terms and conditions and California Law. In this instance, information obtained through automated scraping included likes, comments, friends, and users’ photos. Voyager’s surveillance software also scraped information from Twitter, YouTube, Medium, Pinterest, Vimeo, Tumblr, LinkedIn, and Telegram.
The information Voyager scraped was sold to law enforcement agencies, including the LA Police Department, for profit. Marketing its surveillance software to law enforcement agencies for clandestine intel gathering, the company boasted that its data-scraping activities were untraceable.
However, in 2017, Meta gave Voyager a warning to cease and desist its scraping activities. These activities had been going on since it first became active on the Facebook platform back in 2016, according to the exhibits of the case released.
The surveillance software, which cost USD 705,000, created over 38,000 fake Facebook profiles for data scraping purposes. It also tracked COVID-19 victims and their connections.
AI-Backed Surveillance Software
Voyager marketed its surveillance software as untraceable and an intel gatherer. Source: ARS Technica
Voyager designed its AI surveillance software to be untraceable. It then marketed it to law enforcement agencies and departments as an intel gatherer. The surveillance software blatantly disregarded users’ rights and indiscriminately profiled users for criminal behavior.
Voyager’s website states that the software is “designed to analyze massive amounts of data” and “to uncover social whereabouts and hidden connections between entities.”
Its marketing materials further state that “Voyager’s unique collection methods enable traceless collection from social media networks” and claim that the “collection process cannot be associated with clients servers by any third party or by the social network itself.”
Meta recently announced its fight against scraping-for-hire, explaining that a data scraper “covertly collects information that people share with their community, family, and friends, without oversight or accountability, and in a way that may implicate people’s civil rights.”
No Regard for Individual Privacy
Surveillance software disregards international boundaries and national sovereignty. Source: ARS Technica
In another transgression, Voyager Labs used COVID-19 tracing as a public-interest cover-up for its illegal data-scraping policies and surveillance activities. Its surveillance software targeted individuals, pubs, and religious organizations.
For instance, followers of Shincheonji’s Church in South Korea were tracked and monitored through the organization’s Facebook page. Through the scraping operation, the firm obtained information on infection rates and individual connections.
These activities were carried out with intent. As such, they violate both individual privacy and Facebook’s policies, not to mention the sovereignty of individual states whose citizens they monitor. Hyping up its software’s appeal, Voyager claimed it provided near real-time data that was “untraceable” and “completely anonymous”. It achieved this by employing multiple proxies from different vendors and locations.
The Voyager surveillance software case comes after Meta sued another scraping-for-hire company, Octopus, in July 2022. Similar to Voyager, Octopus used automated accounts to scrape data from the profiles of over 350,000 Instagram users.
However, despite Meta’s best efforts to put itself in a favorable light for protecting users’ rights, its own data-scraping activities are well-known. In 2018, reports on Meta (then Facebook) emerged, alleging it collected SMS and voice data from Android mobile devices.
The Ongoing Data Scraping Question
Data scraping is a pressing question for LinkedIn and other social media sites. Source: Unsplash
Whether or not data scraping is legal is a much-debated question. It largely depends on the context and, chiefly, on what purposes the data will serve later on. Social media sites typically discourage data scraping, because users who feel their data isn’t protected would be incentivized to leave the platform.
Voyager’s agents on Facebook and Instagram platforms used the data to aid law enforcement and COVID-19 tracking. As such, they might argue they used scraping for the general good.
Certain jurisdictions, like the EU and California state, enforce users’ rights and privacy with stricter regulations. Data scrapers consider any publicly available information as open-to-scraping, arguing that any private information shouldn’t be public in the first place.
Your personal information should be under tight locks when it comes to public uploads. Source: Pexels
Data scraping is concerning for individuals and businesses. Cybercriminals who gain access to personal information online may later use it in phishing scams and other social engineering attacks. Using scraped personal information, they can contact victims, pretending to be officials from the government.
Many victims end up giving up more sensitive information via email or phone during such interactions. This is because people generally trust that anyone with access to such personal information must belong to the government. But, such information, culled from LinkedIn, Facebook, and Twitter databases is easily accessible on darknet forums.
That said, steps and protections are available for those who take their privacy seriously. Users should take care when posting online. They could also minimize the number of social media accounts that they use and adjust their privacy settings to protect their information from prying eyes. Facebook, Instagram, WhatsApp, and Twitter have all experienced multiple hacks recently. This should put those worried about their individual privacy on alert.
Since these platforms have added more privacy controls over the years, users should strive to put them to good use. Some measures that users can take to protect their privacy are requesting data, setting profiles to private, and refusing to upload any Personally Identifiable Information (PII) in a public way.
A Silver Lining for Public Surveillance Operations
Voyager Labs is a well-backed surveillance software firm that intentionally violated Facebook’s and Instagram’s terms and conditions. Covering up its data-scraping activities under noble causes, it tracked and monitored individuals using sophisticated AI analysis. It did this for purposes it couldn’t disclose to the public without incurring condemnation and ire.
But, despite repeated violations of digital privacy, many see a silver lining. With these incidents becoming public knowledge, the general public will be inspired to exercise care when online. Moreover, data regulation policies within the states are shifting. These policies are starting to align closely with those enshrined in General Data Protection Regulation (GDPR), providing victims with comprehensive and retributive legal recourses against illicit data scraping.
EU regulatory authorities are tightening screws on Big Tech, slapping it with fines and violations. Source: Unsplash
Ireland’s Data Protection Commission (DPC) has fined Meta a total of €390 million ($414 million) in a ruling against Facebook’s and Instagram’s use of targeted advertising. The ruling declared both subsidiaries’ method of furnishing user consent under its updated terms and service a violation of Article 6 of GDPR. The fines levied against Facebook and Instagram amount to €210 million ($225 million) and €180 million ($191 million), respectively.
NOYB, a user privacy protection group, first lodged complaints against Meta’s subsidiaries in May 2018 — immediately after GDPR came into effect. Following this outcome, Meta and its subsidiaries won’t be able to rely on their terms of service as legal cover for obtaining user consent to process their information for personalized ads.
The DPC reversed its initial decision and imposed a much larger fine on Meta. Source: Data Protection
Article 6, under which this recent DPC ruling was made, allows data processing only when an entity complies with one of its six legal premises. In advance of the GDPR implementation in 2018, Meta — then Facebook — changed its terms of services. The company made consent to its processing of user information a precondition for its services.
Arguing its case, representatives of Meta alluded to their terms of service as a legal contract. The “contract” allowed its subsidiaries to process customer data. However, the DPC disagreed and found it in violation of Article 6, and Articles 5 (1)(a), 12, and 13(1)(c) that concern data transparency.
“In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR,” read the DPC statement.
Meta’s Subsidiaries Tried to Bypass GDPR
Meta has lost the battle of forced consent for personalized ads. And it’s losing more and more often. Source: NOYB
According to Schrems: “Instead of having a ‘yes/no’ option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”
Meta very nearly succeeded in its attempt to bypass GDPR as well. DPC’s original fine was €36 million. But when authorities referred the case to the European Data Protection Board (EDPB), it reversed DPC’s decision that Meta and its subsidiaries could use user information for targeted ad campaigns on a legal contract basis. Consequently, the fine was increased by over 1,000%, from €36 million to €390 million.
Schrems has gone as far as to claim that the DPC colluded with Meta: “This case is about a simple legal question. Meta claims the ‘bypass’ happened with the DPC’s blessing. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled.”
GDPR Affects More than Just Meta
GDPR is affecting businesses, large or small, that fail to comply. Source: Enforcement Tracker
The latest DPC fine puts Meta in a bind. It’ll be unable to operate, in the EU at least, under its current business model. This is especially the case because it’s also struggling to comply with the transatlantic data processing directives. EU authorities are tightening the screws on Big Tech companies. This is in an effort to rein them in and to ensure their compliance with the GDPR.
Apple and Twitter have also recently found themselves in the line of fire. However, fines against Twitter are much less frequent and far lesser than those against Meta. Twitter is currently under a DPC investigation for a breach that could potentially affect 5.4 million users. Apple, meanwhile, has been fined $8 million by the French regulatory authority Commission Nationale de l’informatique et des Libertés (CNIL) for a non-consensual targeted ad campaign toward iOS 14.6 users. The authority leveled the fine under Article 82 of the French Data Protection Act. CNIL previously fined Google for a breach of the same article.
Small and medium-sized businesses are also subject to GDPR provisions, but these cases don’t make major news headlines. The enforcement tracker has a full list of GDPR cases. The tracker includes details such as entity name, fine amount, relevant GDPR provision, jurisdiction, decision date, and official press statement.
To avoid GDPR fines, business owners should tread carefully when processing and using user data. In protecting user information, companies must ensure that their databases are secure. Implementing a combination of cybersecurity protocols, including powerful firewalls, multi-factor authentication, antivirus protection, malware scanners, email spam filters, and automated patch management, can help companies avoid violations.
Implications for Big Tech
For a long time, Big Tech has been operating above the law. This is even though its involvement in feeding deep analytics with user information is an open secret. All this seems to be changing, with the authorities, in Europe especially, calling for stricter GDPR compliance. These stricter user-privacy enforcement measures have led to Meta signaling its withdrawal from the EU. This is because its subsidiaries rely on the processing of user information to remain operational.
Other social media and Big Tech platforms and companies also employ targeted advertising. Big Tech, with its use of sophisticated tracking and surveillance and cross-device, cross-platform monitoring, had eluded accountability for quite some time, with little transparency on how it uses user data.
With GDPR and other directives curtailing Big Tech’s power and enforcing user privacy rights, the playing field is leveling. However, the dream of reclaiming user data and a more sovereign internet still seems distant.
Connexion
Meta, la maison-mère de Facebook WhatsApp et Instagram, travaille sur le développement d’un nouveau réseau social pour concurrencer Twitter. Son nom : P92. L’objectif est de séduire les utilisateurs déçus par Twitter et de créer une alternative plus libre. Ce dernier traverse une crise sans précédent de grande ampleur depuis le rachat de la société par Elon Musk. Le nouveau réseau social serait basé sur une plateforme décentralisée, permettant aux utilisateurs de créer des communautés et de publier des contenus […]