In an apparent admission of defeat, the UK government has conceded that requiring scanning of platforms like WhatsApp for messages with harmful content, as required in the Online Safety Bill, is not (currently) feasible.

The ‘Spy Clause’ 

Under what’s been dubbed the ‘spy clause’ (Clause 122) in the UK’s Online Safety Bill, the government had stated Ofcom could issue notices to messaging apps like WhatsApp and Signal (which use end-to-end encryption) that would allow the deployment of scanning software. The reason given was to scan for child sex abuse images on the platforms. However, the messaging apps argued that this would effectively destroy the end-to-end encryption, an important privacy feature valued by customers. This led to both WhatsApp and Signal threatening to pull their services out of the UK if the Bill went through with the clause in it.

Also, some privacy groups, like the Open Rights Group, argued that forcing the scanning of private messages on apps amounted to an expansion of mass surveillance.

Climbdown 

However, in a recent statement to the House of Lords junior arts and heritage minister Lord Stephen Parkinson announced that the government would be backing down on the issue. Lord Parkinson said: “When deciding whether to issue a notice, Ofcom will work closely with the service to help identify reasonable, technically feasible solutions to address child sexual exploitation and abuse risk, including drawing on evidence from a skilled persons report. If appropriate technology which meets these requirements does not exist, Ofcom cannot require its use.” 

In other words, the technology that enables scanning of messages without violating encryption doesn’t currently exist and, therefore, under the amended version of the bill, WhatsApp and Signal will not be required to have their messages scanned (until such technology does exist).

This is a significant climbdown for the government which has been pushing for ‘back doors’ and scanning of encrypted apps for many years, particularly since it was revealed that the London Bridge terror attack appeared to have been planned via WhatsApp.

Victory – Signal & WhatsApp 

Writing on ‘X’ (formerly Twitter), Meredith Whittaker, the president of Signal, said the government’s apparent climbdown was “a victory, not a defeat” for the tech companies. She also admitted, however, that it wasn’t a total victory, saying “we would have loved to see this in the text of the law itself.”

Also posting on ‘X,’ Will Cathcart, head of WhatsApp said that WhatsApp “remains vigilant against threats” to its end-to-end encryption service, adding that “scanning everyone’s messages would destroy privacy as we know it. That was as true last year as it is today.” 

Omnishambles 

Following the news of the government’s ‘spy clause’ climbdown, privacy advocates the Open Rights Group’ (ORG) highlighted the fact that on the one hand, the government had conceded that the technology that would have been needed to scan messages didn’t exist, while on the other hand appeared they to say they hadn’t conceded.  Describing the matter as an “omnishambles,” the ORG highlighted how during an appearance on Times radio, Michelle Donelan MP said that, “We haven’t changed the bill at all” and that “further work to develop the technology was needed.” 

What Does This Mean For Your Business? 

For apps like WhatsApp and Signal, this is not only a victory against government pressure but is also good news for business as, presumably, they will continue to operate in the UK market.

This is also good news for many UK businesses that routinely use WhatsApp as part of their business communications and won’t need to worry (for the time being) about having their commercially (and personally) sensitive messages scanned, thereby posing a risk to privacy and security, and perhaps increasing the risk of hacks and data breaches. It appears that the UK government has been forced to admit the technology does not yet exist that can scan messages on end-to-end encrypted services and maintain the integrity of that end-to-end encryption at the same time. It also appears that it may realistically take quite some time (years) before this technology exists, thereby making the victory all the sweeter for the encrypted apps.

The government’s climbdown on ‘clause 122’ (the ‘spy clause’), is also being celebrated by the many privacy groups that have long argued against it on the grounds of it enabling mass surveillance.

In this insight, we look at how, according to an investigation by Swedish newspaper Svenska Dagbladet (SvD), criminals may have been using Spotify to launder money since 2019.

How? 

The reported money laundering process, which was noticed by analysts from the National Operative Unit of the Swedish Police Force, involved a web of activities using a Facebook group, cryptocurrency payments and the encrypted app Telegram, the digital music streaming service Spotify, artists connected to criminal gangs and the setting up of a label.

The Process 

According to the SvD investigation, here’s an outline of how the criminal network’s money laundering process has been working:

– Bitcoin cryptocurrency is purchased (cash in hand) via a Facebook group.

– The bitcoin pays for fake streams / manipulated streams in order to make a song. For example, bots are used to simulate user behaviour by repeatedly streaming a song. The end-to-end encrypted app Telegram is used to organise the false streaming activities, e.g. using hijacked accounts, and other inauthentic methods (in addition to the bots). Possible other methods for fake streaming (some of which may be used) include click farms, VPN manipulation, algorithmic exploitation, collusive behaviour, paid services (paying others to use these methods), and more.

– The increased popularity / higher ratings of the songs as a result of the fake streams lead to more real plays / actual streams of the songs. With the artist and their labels both being linked to / owned by the criminal gangs, the laundered money then comes back as payouts via Spotify.

Only Worth It For Large Amounts 

Considering the relatively small amounts that artists receive via Spotify plays, it’s been reported that it would only have been worth operating such a process with sums exceeding several million Swedish krona (1mn SEK = approx. €84,000). This also gives an idea of how much money the criminal gangs are making before (allegedly) laundering and how much manipulation of Spotify streams may be taking place (according to reports of the SvD investigation).

How Was It Discovered? 

According to reports, the analysts at the National Operative Unit of the Swedish Police Force were actually listening to music by rappers who had published the music on Spotify since autumn 2021 in order to gather information about crimes from the lyrics. This led to the analysts noticing the unusual streaming patterns.

What Does Spotify Say? 

Spotify has acknowledged that “manipulated streams are an industry-wide challenge” but says it has not been contacted by law enforcement concerning SVD article outlining how Spotify may have been used by criminals for money laundering. Spotify also says that it hasn’t been provided with any data or “hard evidence” that its platform has been used in the way described.

How Many Fake Streams? 

Spotify says that only 1 per cent of its streams are deemed to be artificial, and its systems can detect anomalies before they reach a “significant” threshold.

However, it was recently reported (Financial Times) that there has been a suggestion by JP Morgan executives that as much as 10 per cent of all streams could be fake.

The 30-Second Track Trick 

Unfortunately for Spotify, it has also been in the news having to deny that users may have been fooling its royalty system to make money by using a ‘trick’ involving a 30-second track. It’s been alleged that users can simply repeatedly listen to their own uploaded 30-second track to make royalties. It’s been reported, for example, that analysts at JP Morgan have suggested that Spotify subscribers could make as much as £960 per a month by listening to their song on repeat, 24 hours a day.

Spotify has denied that the 30-second track money-making trick is possible on its platform saying that its royalty system doesn’t work that way.

What Does This Mean For Your Business? 

According to Spotify, the reports about how criminals may have been using its platform for money laundering have not been backed up with evidence and haven’t led to police enquiries. However, although Spotify suggests that fake streams only make up one per cent on its platform, it appears that others (JP Morgan analysts) suggest it could be at a much higher level. The story of the alleged money laundering and the 30-secong track allegations could also appear to suggest that Spotify’s systems may not be as good at spotting and preventing manipulation of the platform as the company thinks/says.

With AI now widely available, the potential for manipulation could be even greater and, no doubt, may be something that Spotify (and other platforms) are having to think about. Fake streaming can damage the music industry and distort ratings, thereby adversely affecting many artists.

It appears, however, that change is on the way, with Universal Music Group and Deezer announcing the joint launch of a music streaming model that’s designed to give more (royalty) money to the artists, which could put pressure on others like Spotify and Apple Music, to follow suit or at least re-examine how their owns systems work.

Vienna-based advocacy group ‘Noyb’ has filed complaints against Google-owned Fitbit, alleging that it has violated the EU’s GDPR over illegal exporting of user data.

Complaints In Three Countries 

Noyb, which stands for ‘None Of Your Business,’ (and founded by privacy activist Max Schrems) filed three complaints against Fitbit – in Austria, the Netherlands and Italy.

Why? 

Noyb alleges that Fitbit forces users to consent to data transfers outside the EU, to the US and other countries (with different data protection laws), without providing users with the possibility to withdraw their consent, thereby potentially violating GDPR’s requirements. Noyb says that the only option users have to stop the “illegal processing” is to completely delete their Fitbit account.

How Would This Go Against GDPR? 

There are several ways that this (alleged) practice by Google’s Fitbit could violate GDPR. For example:

– GDPR mandates that consent must be freely given. If users are forced to agree to data transfers with no ability to withdraw, the consent is not freely given.

– Under GDPR, users must be informed about how their data will be used and processed. If the data transfer is a condition that users cannot opt-out of, then the consent cannot be considered specific or informed.

In relation to these points, Noyb says that because Fitbit (allegedly) forces users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to, this means that consent that it is neither free, informed, or specific (as GDPR requires).

Sensitive Data 

GDPR also emphasises that only the data that is necessary for the intended purpose should be collected and processed. Fitbit Forcing data transfers may violate this principle if the data being transferred is broader than what is strictly necessary for the service provided.

In relation to this, Noyb alleges that Fitbit’s privacy policy says that the shared data not only includes things like a user’s email address, date of birth and gender, but can also include “data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services”.  This has raised concerns that, for example, the sharing of menstrual tracking data could be used in court cases where abortion care is criminalised, especially considering that sharing this kind of data is not common practice even in specialised menstrual tracking apps.

Also, Noyb alleges that the collected Fitbit data can even be shared for processing with third-party companies, the location of which are unknown, and that it’s “impossible” for users to find out which specific data is affected.

‘Take It Or Leave It’ Approach? 

One other aspect of GDPR is that to ensure users can change their mind, every person has the right to withdraw their consent. Noyb says that Fitbit’s privacy policy states that the only way to withdraw consent is to delete an account which would mean losing all previously tracked workouts and health data, even for those on a premium subscription for 79.99 euros per year. Noyb argues that this means that although people may buy a Fitbit for its features, there appears to be no realistic way to regain control their data without making the product useless.

Maartje de Graaf, Data Protection Lawyer at Noyb says: “First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to “freely” agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.” 

Blank Cheque? 

Bernardo Armentano, Data Protection Lawyer at Noyb, says: “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.” 

Fine Could Be £ Billions 

According to Noyb, based on Alphabet’s (Google’s parent company) turnover of last year, if the complaints are upheld by data regulators, Google could face fines of up to 11.28 billion euros over Fitbit’s alleged data protection violations.

There appears to be no publicly available comment from Google about Noyb’s allegations at the time of writing this article.

What Does This Mean For Your Business? 

Google which acquired Fitbit in 2021 and at the time, in addition expanding its move wearables, some commentators noted that it may also have been motivated by the lure of the health data of millions of Fitbit customers (potentially for profiling and advertising) and the ability to improve its competitive position in the lucrative healthcare tech space. Also, at the time, it was noted that Fitbit’s corporate partnerships with insurance companies and corporate wellness programmes may have also been attractive to Google.

Now, just a couple of years down the line, it’s the data aspect of the deal that appears to have landed Google in some hot water. Noyb’s complaints against Google-owned Fitbit could have a ripple effect that goes well beyond just a potentially hefty fine. With a penalty that could be up to 11.28 billion euros, the situation would have serious financial repercussions, and the case could set a precedent for how Google and other tech giants handle user data (especially sensitive health information), forcing them to change their global data policies.

It’s been noted, for example, in analyst GlobalData’s recent tech regulation report that data protection regulators look likely to continue closer scrutiny of companies in 2023, so there could be more trouble to come for other tech companies relating to which data they collect, how they share it, and around matters of consent.

Some may argue that Google may, several years down the line from GDPR’s introduction, need to invest more resources in compliance to avoid facing similar allegations related to other products or services.

For businesses that similarly rely on user-data, this case is a wake-up call to thoroughly review their data collection and transfer policies to ensure they align with GDPR requirements. Businesses must offer clear, informed choices to users about how their data is used, especially if it crosses borders. The situation with Fitbit highlights the reputational damage and legal risks involved in “take it or leave it” approaches to data consent. If Fitbit’s alleged actions are deemed a violation of GDPR, it could trigger a domino effect, prompting closer scrutiny of other businesses that have similar policies.

For users of Fitbit and similar devices, this case could lead to more transparent data practices, potentially providing them with greater control over their personal information. Reading about what may be happening to their extremely sensitive data may mean that users may become more cautious and discerning about the permissions they grant to these apps. Given the sensitive nature of health data involved, ranging from sleep patterns to menstrual cycles, users may start to demand more robust privacy protections, and this case could also encourage users to seek alternatives that offer better data protection guarantees.

Following pressure resulting from a formal investigation by the European Commission over a possible breach of competition rules, Microsoft has announced that it will begin unbundling Teams from Office 365 and Microsoft 365 in European markets.

Antitrust Investigation 

Following a complaint by Slack three years ago, this July the European Commission opened an antitrust investigation into Microsoft’s bundling of its Teams app with its Office suite over concerns that it could be in breach of the EU’s competition rules.

Slack Complaint 

In the July 2020 complaint that led to the EC investigation, Slack said on its website: “Microsoft has illegally tied its Teams product into its market-dominant Office productivity suite, force installing it for millions, blocking its removal, and hiding the true cost to enterprise customers”.  

David Schellhase, General Counsel at Slack said: “Slack simply wants fair competition and a level playing field. Healthy competition drives innovation and creates the best products and the most choice for customers. Competition and antitrust laws are designed to ensure that dominant companies are not allowed to foreclose competition illegally. We’re asking the EU to be a neutral referee, examine the facts, and enforce the law.”   

The Investigation – Concerns 

The EC’s investigation centred on concerns that Microsoft’s bundling of Teams with its other software could put rival online meetings and communications software (like Slack and others) at a disadvantage. The EC said that Microsoft’s practices “may constitute anticompetitive tying or bundling and prevent suppliers of other communication and collaboration tools from competing, to the detriment of customers in the European Economic Area”, and that, “The commission is concerned that Microsoft may be abusing and defending its market position in productivity software by restricting competition in the EEA for communication and collaboration products.” 

Will Unbundle It, Starting In October 

Microsoft’s response to the concerns outlined in the investigation has been for Nanna-Louise Linde, Vice President, Microsoft European Government Affairs to announce, “proactive changes that we hope will start to address these concerns in a meaningful way, even while the European Commission’s investigation continues and we cooperate with it.”

The ‘proactive changes’ (unbundling) will impact Microsoft 365 and Office 365 suites for business customers in the European Economic Area and Switzerland. Microsoft says that, in the coming months, it will take the following steps:

– Beginning October 1, 2023, Teams will be unbundled from Microsoft 365 and Office 365 suites in the EEA and Switzerland. Microsoft says that instead it will simply sell these offerings without Teams at a lower price (€2 less per month or €24 per year).

– It will enhance its existing resources on interoperability with Microsoft 365 and Office 365, e.g. to allow companies like Zoom and Salesforce to create tailored and integrated experiences across Exchange, Outlook and even Teams.

– It will create new ways to enable third-party solutions to host Office web applications. For example, Microsoft says it will develop a new method for hosting the Office web applications within competing apps and services, much like it already does in Teams.

Investigated Before 

As some commentators have pointed out, Microsoft has been investigated before by the EU for similar bundling practices. For example, in the early 2000s, the EU ordered Microsoft to unbundle its media player from its Windows operating system, arguing that the bundling practice was anticompetitive. In fact, Microsoft has incurred £1.9bn in EU antitrust fines over the last decade for practices that breach EU competition rules, e.g. by bundling products together.

That said, Microsoft certainly doesn’t have the ‘monopoly’ on triggering antitrust investigations. For example, back in 2018, Google was fined £3.8 billion for pre-installing its search engine and browser on Android devices, which was seen as an abuse of its dominant position.

What Does This Mean For Your Business? 

Having already incurred almost a couple of £ billion in fines from the EU over antitrust-related issues in the last decade, it seems that Microsoft would now rather comply than have to offer more self-limiting remedies and risk a mega-fine of (potentially) up to 10 per cent of its total annual turnover. The dominant position of its suite of products means that any bundling is jumped-upon quickly by competitors, some of whom (Slack and Zoom) have grown dramatically and gained in power, share, and influence since the pandemic restrictions skyrocketed their user-numbers.

In its defence, Microsoft says that including modern communication and collaboration capabilities in its business suites was simply in response to what customers expect from a modern work solution. Unfortunately, Microsoft’s market dominance and history make it difficult for Microsoft to do anything other than hold its hand up and politely agree to unbundling.

For competitors like Slack, this may seem like a victory and something that’s long overdue. For customers in Europe, the positive spin is that Microsoft’s suite of products without Teams bundled will cost a little less, but then there’s still the added inconvenience of having to add Teams and then presumably pay the bit of extra money on top for it. As mentioned above, Microsoft’s certainly not the only big tech company to have run into problems over antitrust rules and since the tech world is still dominated by just a few major players, it’s unlikely to be the last time we see this sort of thing.

25 Years Of Google This Month!

Did you know that Google was incorporated 25 years ago, in September 1998?
Or that it was originally made from Lego? (sort of)

Google began as a research project by Larry Page and Sergey Brin when they were students at Stanford in 1996. Originally named “BackRub.” the name “Google” is a play on the word “googol,” a mathematical term for the number 1 followed by 100 zeros. The name reflects the company’s mission to organise the massive amount of information on the web.

Their first version of Google was stored on ten 4GB hard drives in a Lego casing! Nevertheless, by the end of 1998, Google was processing 10,000 search queries per day. This number grew rapidly, and by the end of 1999, it was processing 500,000 queries per day.

It now processes over 3.5 billion searches daily.

Google’s homepage was notably simple (primarily because neither Larry nor Sergey were proficient in HTML). This simplicity, plus their powerful ‘PageRank’ algorithm quickly blew all the other search engines away. Remember them? The likes of HotBot, AltaVista, Lycos, Excite and of course, Yahoo were all less relevant, highly cluttered and covered in ads*

Here’s (just a few) notable acquisitions they’ve made, you should have heard of these :

Applied Semantics (2003): Acquired for its contextual advertising technology, which later became a core component of Google AdSense.
Android (2005): Purchased for an estimated $50 million, Android has become the dominant mobile operating system globally.
YouTube (2006): Acquired for $1.65 billion. Say no more!
Fitbit (2007): A consumer electronics company specialising in health and fitness wearables, acquired for $2.1 billion. Think of all your health(y) data!
Motorola Mobility (2012): Acquired for its telecommunications expertise at a cost of £12.5 billion.
Nest (2014): A home automation company purchased for $3.2 billion.
DeepMind (2014): A British artificial intelligence company acquired for an estimated $500 million.

See The Synergy And Strategy Here?

They have many other less well-known acquisitions, yet they all help Google provide services ranging from live-flight bookings to restaurant reviews. Alphabet has a current market cap of around $1.7 TRILLION dollars – not bad for a couple of college kids starting out in a garage on a “Lego” setup, who made an algorithm to rank websites by the number of inbound citations!

* Note – Of course, nowadays Google also promotes many adverts and their famous “Don’t be Evil” code of conduct was reportedly removed a few years ago, depending on who you listen to!