1. Home /
  2. Tech News /
  3. Headlines in Tech 6 - 13 Jul 2022
  • 2022.07.18

Headlines in Tech 6 – 13 Jul 2022

Headlines in Tech News of the Week

Irish Data Protection Commission considers the transfer of EU citizens’ data to the US by Meta to be unlawful

…Back in 2020, EU’s top court (CJEU) ruled that it was unlawful to transfer EU citizens’ data to the US where the EU considered had inadequate protection for personal data owing to US’ invasive survelliance programmes under which the government could request US businesses to turn over data under their control (Schrems II decision).   

The Irish Data Protection Commission rendered a draft decision to the effect that Facebook’s reliance on Standard Contractual Clauses (these are terms designed to provide sufficient protection of personal data for data transfers between EU and non-EU countries) did not make the transfer lawful, in light of the Schrems II decision.  If Meta cannot suggest changes to satisfy the Irish Protection Commission, all transfers of EU citizens’ data to the US must be stopped. Meta’s EU headquarters is in Ireland, which is why the Irish Data Protection Commission is taking the lead, but if data authorities in other EU member states do not agree then the issue may be prolonged. The US and EU have since then been trying to put in place a Transatlantic Data Privacy Network, which ensures that US access to EU citizens’ data is proportionate and restricted to instances to only where necessary. Meta will be hoping that the framework will be agreed quickly. It has already threatened to pull out of the EU if it can’t transfer data back to the US.

Seeking of information on drug dealing on Facebook

By way of example about what the EU might mean by inadequate protection of data, I noticed an article covering a dispute going on between a law enforcement authority and Facebook in New Jersey. According to the report, an appellate court last April ruled that law enforcement authority investigating drug dealing can rely on data communication warrants (just need to show probable cause – so the article explains) and did not need a wiretap order (more difficult to obtain – allows surveillance of communications in real time) to gain access to Facebook users’ data collected after the issuance of the warrant.

Having said this, and by the by, the EU Agency for Law Enforcement (Europol) has recently been given expanded powers to receive personal information from tech companies to identify crimes. There is a debate as to whether the new law safeguards the privacy of data subjects.

BigTech/ Data / Platforms

FTC says it will enforce against illegal use and sharing of highly sensitive data

…this is clearly a move as a result of Roe v Wade which enables states to make abortion unlawful. The statement warns that the “potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers”. The statement explains how sensitive data can be collected and sold off to unknown entities:

The FTC mentions that it has in the past carried out enforcement actions bringing home the fact that the concerns are not just hypothetical:

  • Copley Advertising:
    • Claim:  using location technology to identify when people crossed a secret digital “fence” near a clinic offering abortion services. Based on that data, the company sent targeted ads to their phones with links to websites with information about alternatives to abortion.
    • Cause of action: Consumer Protection Law violation
    • Settled 2017
  • Flo Health (period and fertility tracking)
    • Claim: sharing with third parties – including Google and Facebook – sensitive health information about women collected from its period and fertility-tracking app, despite promising to keep this information private.
    • Cause of action: unfair or deceptive acts or practices, in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
    • Settled 2021
  • OpenX (Adexchange)
    • Claim: collecting children’s location data without parental consent
    • Cause of action: federal children’s privacy protection law violation
    • Settled 2021
  • Kurbo/Weight Watchers
    • Claim: indefinitely retaining sensitive consumer data
    • Cause of action: Violation of COPPA (The Children’s Online Privacy Protection Act)
    • The settlement requires the company to pay a $1.5 million fine (2022)

Google takes action to disable updates to popular South Korean KakaoTalk app as a result of it enabling users to bypass Google Play Billing System

…Many will know that, apps on the Android system with In App Purchases must utilise the Google Play Billing system. This is how Google generates a revenue, by levying 15-30% Commission on In App Purchases carried out through apps (and at the same time Google obtains data about what users do using the App).

KakaoTalk enabled users to purchase via its websites, bypassing the Google Play Billing system (such conduct is called sideloading), in contravention of Google’s terms and conditions with app developers.

Uniquely, Korea provided a revision to The Telecommunication Business Act last year prohibiting app store operators from restrictive in-app billing policies like, forcing app developers to offer one method of payment. What Google is reported to have provided for is to allow an alternative payment system to operate, but structured to enable Google to continue receiving commission on purchases made on such alternative systems albeit discounted. KakaoTalk attempted to avoid paying Google altogether. There is a query whether Google’s arrangement complies with the revised Act.

It has been reported that Google’s latest policy change stating it will remove non-complying apps, has prompted the Korea Publishers Association to file a complaint with the Korea Communications Commission (KCC), South Korea’s telecommunications regulator.

EU’s Digital Markets Act provides for a ban on requiring app developers to use certain of the gatekeeper’s services (such as payment systems) in order to appear in app stores of the gatekeeper.

Separately Korea is actively looking at regulating online activities, focussing on establishing fair practices such as dark patterns after reviewing the results of a research which revealed that 97 out of 100 popular apps engaged in dark patterns (this is not defined, but essentially, designing the web interface or operations to influence user behaviour and choice. It will also look at online platforms’ control of fake reviews.

Note that the EU’s current text of Digital Services Act states online platforms shall not design, organise or operate their online interfaces in a way that deceives, manipulates or otherwise materially distorts or impairs the ability of recipients of their service to make free and informed decisions).

Amazon buys 2% stake in Food delivery firm Grubhub

…It’s aim is to boost Prime membership (which encourages consumers to do more with Amazon), for members will get free delivery for one year. At the same time, it justifies the recent Prime membership subscription hike.

UK Competition Authority to investigate Amazon’s potential anti-competitive practices

…the scope of investigation very much overlaps with the one ongoing in the EU.

The investigation will focus on 3 main areas:

  • How Amazon collects and uses third-party seller data, including whether this gives Amazon an unfair advantage in relation to business decisions made by its retail arm – see Amazon’s solution as a result of the EU Commission’s probe, below.
  • How Amazon sets criteria for allocation of suppliers to be the preferred/first choice in the ‘Buy Box’. The Buy Box is displayed prominently on Amazon’s product pages and provides customers with one-click options to ‘Buy Now’ or ‘Add to Basket’ in relation to items from a specific seller. Again – see below.
  • How Amazon sets the eligibility criteria for selling under the Prime label. Offers under the Prime label are eligible for certain benefits, such as free and fast delivery, that are only available to Prime users under Amazon’s Prime loyalty programme.

In parallel, the UK Competition Authority is investigating Amazon (and Google’s) conduct over concerns that they have not been doing enough to combat fake reviews on their sites.

Amazon poised to settle with the EU Commission over investigations concerning potential anticompetitive conduct

…there were two types of conduct under investigation.

  1. Use of data generated by third party sellers selling items on the eCommerce’s platform to Amazon’s own advantage: Amazon will share data with those third parties to enable them to sell more products online.
  • Amazon will make clear how sellers can be included in the Buy Box (as explained above). There is a query whether Amazon favours sellers which use its logistics and delivery services: Amazon said that its will make rival products more visible.

Facebook sues Octopus Data claiming data scraping users’ data infringes copyright and breaches contract

…First a bit of background. In the case LinkedIn v HiQ, LinkedIn sued HiQ in the US alleging breach of Computer Fraud and Abuse Act (CFAA). LinkedIn complained that HiQ had scraped publically accessible data and used the information gained to provide services to various clients. The Ninth Circuit (at least – there are precedents with a different take in other circuits) said that HiQ’s actions did not contravene the Computer Fraud and Abuse Act because all it scraped was publically available information. For example, HiQ did not hack into LinkedIn, or somehow circumvent any technical protection measures to access data.

Contrast this to one of Facebook’s past claims, for example against BrandTotal, which was successful because the Defendant there was found to have breached CFAA because it collected data from password protected sites by using fake user accounts.

The present case advanced by Facebook concerns Octopus Data’s business which require customers to allow Octopus Data (a US subsidiary of a Chinese company) to access their accounts, to then enable Octopus’ software to crawl over data available to those are logged in to Facebook. This includes other users’ birthdays, addresses and phone numbers. Facebook is alleging that Octopus Data is breaching copyright law arguing that users’ content is protected from scraping under the Digital Millennium Copyright Act.

Separately Facebook alleges that Octopus Data has breached the terms of use, which prohibits users from collecting data using autonomous means.

In addition, Facebook (or really I should say, Meta) has sued an individual in the US for scraping data from some 350,000 Instagram users  (Instagram is a Facebook/Meta company) and publishing that on his own website.

Both cases have been started in the Northern District of California

What would a case like this be like in Europe?

In Europe, a copyright based case might be difficult to maintain unless there is some form of creativity in the material that is said to have been copied (although instead there is something called a database right which Facebook might be able to rely on depending on how that database is configured and created).

Cloud technologies

Deep pocketed financial institutions Wells Fargo and Bank of America again hit with patent infringement action which concern cloud native payment processing (ie: settle using your mobile phone) – again

…Cloud computing enabled services have been subject to numerous patent litigation especially in the US. I myself have managed a piece of cloud payment patent litigation over in the UK. Financial institutions which deal with volumes of transactions carried out on mobile phones and other remote devices have been targets because they are so well resourced. Both Wells Fargo and Bank of America have been hit with patent litigation of this nature in the past.

Cyberattack

1 billion Chinese citizens’ data reported to be hacked including name, address, birthplace, national ID number, mobile number, all crime/case details from local Chinese police database

…This has now been confirmed and is the largest hack in history. Data now offered for sale…

Conti, one of the largest criminal organisation famed for their ransomware falls away as Costa Rica refuses to pay ransom

…the FT reports that Costa Rica which has resolutely refused to pay the $1m-$20m ransom has put the nail into Conti. Conti has been crippled by revolts of Ukrainians in the Russian group causing chaos.

Conti had managed to hack 27 ministries in Costa Rica. President Chaves refused to pay up causing disruption to services like tax payments, public healthcare and payment of public sector workers and much more. Large tech companies and other countries (Spain and US notably) have sent support to Costa Rica.

EV

Warren Buffet backed Chinese automaker BYD overtakes Tesla in EV Sales

…No doubt price (about $15k per car) will be the key component of BYD’s success although it has to be noted that BYD cars are hybrids, meaning that they have the traditional internal combustion engine (ICE) built in as well. Tesla has had a particularly rough ride as their factories were forced to close owing to strict covid policies. BYD factories were located in regions which were less affected.

Having said this, BYD is still a force to be reckoned with. It is currently also a significant EV battery maker (estimated 10% of global capacity for EV batteries) having outpaced LG and behind China’s CATL. This means that BYD is highly vertically integrated; with prioritised access to batteries, being one of the key components of an EV (and in insufficient supply).

Interesting statistic: According to the FT, about half of exports of EVs from China accounted for by Tesla. About a third are from Chinese owned European brands such as Volvo and MG, about 14% from European joint ventures in China (eg. VW) and only about 2% from Chinese automakers.   

There are now rumours that Buffet might be selling his stake.

Vehicle-to-everything (V2X) is not progressing owing to regulatory uncertainty and insufficient spectrum allocation says Alliance for Automotive Innovation

…V2X technology is critical to autonomous driving, enabling vehicles to suss out the environment around them by facilitating real-time wireless data sharing between vehicles and infrastructure (eg. traffic lights), other vehicles and road users (pedestrians, bikes etc). V2X which will significantly enhance road safety and help unleash value for users of roads.

Two ingredients are necessary for V2X to be enabled, neither of which, the Alliance says, have sufficient support (the complaint mainly concerns US):

  • Sufficient spectrum: US Federal Communications Commissions (under the Trump administration) had shunted off 60% of spectrum which was reserved for intelligence transport systems (like V2X) to other businesses. What they are left with is inadequate.
  • Regulation: this is not being progressed fast enough. The Alliance pointed to a fatal bus accident which arose out of interference from unlicensed devices and regulatory uncertainty.

Metaverse / VR / AR / MR / XR

Snap (parent of Snapchat) toys with using NFTs as Augmented Reality filters

…Snap (which the company insists is a camera company), parent of Snapchat and purveyors of AR technology are looking at enabling creators to show NFTs as its AR filters (called Lens – take a look). The strategy is to ensure Snap remains attractive to its young user base. Snap is planning to facilitate creators to monetize their NFTs in the future. Other firms are doing something similar; Meta is offering exclusive access to digital collectibles as is Reddit.

Satellites

Ericsson (Telecoms), Thales (Defence) and Qualcomm (chip maker) come together to provide 5G from Low Earth Orbit (defined to be between 150-2000km) Satellites

…to be deployed within the next few years. It joins Starlink, which does not use cellular technology unlike this venture to provide connectivity, but broadband internet.

Delving Deeper

Ride-hailing company Lyft appeals to the California Public Utilities Commission over its ruling classifying only part of its Trip Data as confidential

…Lyft’s briefing is interesting because it gives you an inside peek into Lyft’s operations. This is why I’ve decided to delve deeper on this development this week.

Lyft said that the ruling correctly determined that the disclosure of GPS coordinates for pick-up and drop-off locations within the Trip Data would constitute an invasion of personal privacy, but the very same data at the census block and zip code level presents no such privacy concerns. Lyft is concerned that this data would allow third parties to track TNC (Transportation Network Companies) users’ movements and reveal their intimate personal associations. Lyft also says that such data is also confidential information.

Note: Census block is a bit like a zip code, it’s a geographical boundary, which encompasses a small area. The coverage is across the entire US and other areas. In a city, a census block looks like a city block bounded on all sides by streets.

Trip Data is a massive database of time-and-date stamped records of every ride completed by the millions of users. Lyft says such data constitute trade secrets because (i) it has independent economic value from not being generally known and (ii) it has made efforts to keep it secret.

How does Lyft use the Trip Data?

Lyft says, in relation to (i), the Trip Data allows Lyft to:

  • Licence out that data to third parties – Lyft itself has been approached and there are platforms which sell these sorts of data
  • More effectively target its marketing campaigns
  • The data is continually collected, compiled and analyzed as an integral aspect of Lyft’s business operations, as the success of Lyft’s business model depends upon continually optimizing the balance between ride demand and vehicle supply.
    • Optimize demand: competitive pricing and promotions, such as ride credits and other discounts
    • Increase the supply of vehicles to areas with high demand: offering drivers minimum hour guarantees, bonuses, and other driver incentives
    • Further analyse the “real-world” effectiveness of incentives, retire incentives that are not effective

What sort of damage will be caused if Data were made available to others?

Lyft also explained the damage caused if Trip Data were disclosed to other TNCs:

  • If Lyft’s competitors, including Uber, HopSkipDrive, Wings, Silver Ride, Nomad Transit… were provided access to Lyft’s Census Block Trip Data, they could and would analyze and manipulate that data to gain insights into Lyft’s market share, its pricing practices, its marketing strategies, and other critical aspects of its business that it does not publicly disclose.
  • Lowers barrier to entry: A new competitor could enter the market without substantial investment, while existing competitors could use the data to increase their market share, or undercut Lyft’s marketing campaigns, by “free-riding” on Lyft’s data. [This is a double-edged point, it goes to emphasise why incumbents with volumes of granular data (in particular GAFAM – who also have the infrastructure and high compute power) have a huge competitive advantage – which is the reason why regulation is coming into play in the US and the EU, in particular].

Should there be a distinction between claiming the data and the algorithm which can be used on the data?

Lyft also deals with the point.

  • The Ruling relies on Cotter v. Lyft, Inc. (N.D. Cal. 2016) which distinguishes between a secret formula possibly being a trade secret and the resulting data derived from a secret formula. It held that an algorithm used to generate Prime Time fares and driver commissions was a trade secret, while the total amount of revenue or commissions generated was not.
  • Lyft makes clear that it is not claiming trade secret protection because disclosure of data would reveal the particulars of a secret algorithm. It claims trade secret for the experience data itself, derived from Lyft’s interactions with its users

The Ruling states that Lyft failed to make reasonable efforts to keep the information a secret

  • One of the reasons why the Ruling states that the information should not be regarded as confidential is because a particular driver or passenger may have access to select information regarding their own ride (such as the zip code or census block from which it originated or the time and date). Lyft explains that this does not mean that the trade secret — i.e., the compilation of data elements associated with millions of individual rides — has become “generally known.”

The point is an interesting one to IP lawyers like myself in view of the proposed Data Act in the EU which provides that users must be able to access data generated data through their use. It would be interesting to see whether the courts of the EU would support Lyft’s argument.

The briefing also addressed the issue of privacy, with Lyft referring to evidence that it says shows that mobility data at the census block and zip code level can be re-identified to track individuals’ movements.

There were many other arguments, but these seemed to me to be the most interesting points.

Why does the government compel data collection from TNCs?

Such data is sought because they are useful for a variety of purposes such as:

  • Urban town planning
  • Traffic Management
  • Provision of more effective Emergency Services
  • Law enforcement

Privacy advocates warn that access to data could render it to become a tool for surveillance. As mentioned, this is a point that Lyft supports.

Bonus News

Elon Musk says he’s pulling out from buying Twitter

…whether he can legally do so without breach of contract is another question, given that he has already signed a contract committing to the purchase. He says that Twitter has stated to the SEC (US securities exchange commission) that the proportion of fake accounts/bots was 5% when the reality is much more. He says he should be able to rely on what is claimed publicly by Twitter, a public company.  Because the proportion of real accounts would dictate how much advertisers will be willing to fork out to advertise on Twitter, the percentage of fake accounts on Twitter directly impacts the value of Twitter itself. Twitter has predictably sued.

This piece of tech news doesn’t really impact our future (which is what I cover) but I’ve included it for good measure as everyone is talking about it.