Ian Forrester over at Cubic Garden has submitted a GDPR request to Clearview AI, the alt-right-linked company that is hawking their facial recognition database (based on scraped online images) to law enforcement as well as commercial outfits. Should be interesting to follow along. Recently IBM stopped facial recognition work (they previously showed they were not up to speed with CC licensing, it seemed to me), and others like Amazon and Microsoft did too when it comes to law enforcement. Facial recognition is extremely sensitive to bias.

Facial recognition 1, by EFF, license CC BY

The conclusion of a report by the Norwegian consumer association, Forbrukerrådet, minces no words: adtech is systematically in breach of GDPR rules. The report’s title is Out of Control.

“The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used,” Finn Myrstad, director of digital policy in the Norwegian Consumer Council, is quoted as saying. This is a key issue. The GDPR demands meaningful consent, not just the token consent that sites and apps still often try to get away with. Earlier a French ruling stated much the same about a boilerplate consent form advocated by IAB, and that form has since disappeared, or at least I don’t encounter it anymore during my web surfing.

It reads as if the report is the basis for various GDPR complaints in multiple EU countries, so it will be interesting to see those progress through the system.

I’m very much in agreement with Doc Searls’ position that GDPR is lethal to AdTech.
I came across a nice illustration of the effect (ht Tomasino). Below is an image that shows you what happens when you visit USAToday on its GDPR-compliant version and its non-GDPR version. Paul Calvano, who made the image, says “The US site is 5.5MB and contains 835 requests loaded from 188 hosts. When loaded from France it’s 297KB, 36 requests and contains no 3rd party content.” The image shows what a striking difference that is:

Good news. My sole proprietorship is finally getting a VAT number that does not contain my BSN (citizen service number). That number has to be on your website, your letters and invoices, and so I am forced to expose personal data. That conflicts with the GDPR (AVG). As of 1 January 2020 I can use a different number in external communication.


Elizabeth Renieris’ Hackylawyer blog is a very read-worthy blog I’ve recently come across and added to my feedreader. This article takes the core principles of the EU GDPR and compares them to how this might play out in blockchain usage, or not. A good reference list for conversations I am bound to end up in with clients.

Read Forget erasure: why blockchain is really incompatible with GDPR by Elizabeth Renieris (Hackylawyer)

The [post] is not meant as a commentary on the suitability of blockchain or GDPR, taking either in isolation. Rather, it is meant as an assessment of blockchain against the GDPR’s core principles. In this way, it is intended to provide a higher-level entry point into the conversation about the compatibility (or incompatibility) of blockchain and the GDPR, as well as a tool for reconsidering bold, and often unfounded, compliance claims.

It sounds to me like Superhuman e-mail service is in permanent breach of the GDPR by collecting the reading behaviour and geolocation of every recipient of an email from one of their users. So that user can get a ‘message read’ signal, except it shows the user every time you opened a mail and your geolocation at that moment. Without the recipient’s knowledge, and thus without explicit consent, which is definitely needed for something like geotracking.

Also: switch off loading remote images in your e-mail client, so tracking pixels and other image based beacons won’t automatically load upon opening your mail.

You’d think the habit would have died out in the last millennium, but apparently not. An Italian business’ platform at which I registered just sent me a friendly email confirmation that contains my name, username and password in plaintext. What better way to start a relationship with a new client than with a security breach, eh?