FORTRAN Developed : 20th September

Q. Why Do Python Programmers Wear Specs?

A – Because they don’t see sharp!

That’s a programming humour for you. And talking of programming, there’s currently an explosion of code being auto-generated by AI and before long, human-coders may go the way of the early switchboard operators. Hmm, possibly!

Yet can you imagine painstakingly programming computers, line-by-line with assembly language, punched-cards and needing almost infinite patience? Yet that’s what life was like before “High-Level” languages came along and compiled the assembly language to make life easier.

69 Years Old This Week

One such language was reportedly first run this week in September, 1954 – 69 years ago. It was called “FORTRAN”, short for Formula Translating (depending on whom you ask) and developed for an early IBM machine (which still used vacuum tubes). The contemporary coding community were sceptical it would actually be any good, yet it quickly took off like wildfire. So if you’ve ever programmed in a language like BASIC or PASCAL at school (i.e. before all the web languages came along), you can thank FORTRAN as an early pioneer.

It was adopted enthusiastically largely because 20 lines of code in assembly language could be accomplished in just one line with Fortran. In fact, John Backus, the inventor of it reportedly said “Much of my work has come from being lazy“, during a interview with IBM’s ‘Think’ magazine.

He went on to say “I didn’t like writing programs, and so, when I was working on the IBM 701, writing programs for computing missile trajectories, I started work on a programming system to make it easier to write programs.”

Still In Use Today

And while it’s relatively ancient, it’s still in use today! Primarily crafted for engineers and scientists, it continues to be employed in areas such as fluid dynamics calculations, economic modelling, computational physics, climate simulations, computational chemistry and astronomy.

The next time you’re having to shout due to a poor signal on your mobile-phone, spare a thought for lonely NASA probes Voyager 1 and Voyager 2. The first one is now around 15 billion miles away and the signal takes over 22 hours to reach back to earth, yet it still functions after approaching fifty years in space and it was originally programmed in FORTRAN.

Not bad for something originally created by a “lazy” programmer!

In an apparent admission of defeat, the UK government has conceded that requiring scanning of platforms like WhatsApp for messages with harmful content, as required in the Online Safety Bill, is not (currently) feasible.

The ‘Spy Clause’ 

Under what’s been dubbed the ‘spy clause’ (Clause 122) in the UK’s Online Safety Bill, the government had stated Ofcom could issue notices to messaging apps like WhatsApp and Signal (which use end-to-end encryption) that would allow the deployment of scanning software. The reason given was to scan for child sex abuse images on the platforms. However, the messaging apps argued that this would effectively destroy the end-to-end encryption, an important privacy feature valued by customers. This led to both WhatsApp and Signal threatening to pull their services out of the UK if the Bill went through with the clause in it.

Also, some privacy groups, like the Open Rights Group, argued that forcing the scanning of private messages on apps amounted to an expansion of mass surveillance.

Climbdown 

However, in a recent statement to the House of Lords junior arts and heritage minister Lord Stephen Parkinson announced that the government would be backing down on the issue. Lord Parkinson said: “When deciding whether to issue a notice, Ofcom will work closely with the service to help identify reasonable, technically feasible solutions to address child sexual exploitation and abuse risk, including drawing on evidence from a skilled persons report. If appropriate technology which meets these requirements does not exist, Ofcom cannot require its use.” 

In other words, the technology that enables scanning of messages without violating encryption doesn’t currently exist and, therefore, under the amended version of the bill, WhatsApp and Signal will not be required to have their messages scanned (until such technology does exist).

This is a significant climbdown for the government which has been pushing for ‘back doors’ and scanning of encrypted apps for many years, particularly since it was revealed that the London Bridge terror attack appeared to have been planned via WhatsApp.

Victory – Signal & WhatsApp 

Writing on ‘X’ (formerly Twitter), Meredith Whittaker, the president of Signal, said the government’s apparent climbdown was “a victory, not a defeat” for the tech companies. She also admitted, however, that it wasn’t a total victory, saying “we would have loved to see this in the text of the law itself.”

Also posting on ‘X,’ Will Cathcart, head of WhatsApp said that WhatsApp “remains vigilant against threats” to its end-to-end encryption service, adding that “scanning everyone’s messages would destroy privacy as we know it. That was as true last year as it is today.” 

Omnishambles 

Following the news of the government’s ‘spy clause’ climbdown, privacy advocates the Open Rights Group’ (ORG) highlighted the fact that on the one hand, the government had conceded that the technology that would have been needed to scan messages didn’t exist, while on the other hand appeared they to say they hadn’t conceded.  Describing the matter as an “omnishambles,” the ORG highlighted how during an appearance on Times radio, Michelle Donelan MP said that, “We haven’t changed the bill at all” and that “further work to develop the technology was needed.” 

What Does This Mean For Your Business? 

For apps like WhatsApp and Signal, this is not only a victory against government pressure but is also good news for business as, presumably, they will continue to operate in the UK market.

This is also good news for many UK businesses that routinely use WhatsApp as part of their business communications and won’t need to worry (for the time being) about having their commercially (and personally) sensitive messages scanned, thereby posing a risk to privacy and security, and perhaps increasing the risk of hacks and data breaches. It appears that the UK government has been forced to admit the technology does not yet exist that can scan messages on end-to-end encrypted services and maintain the integrity of that end-to-end encryption at the same time. It also appears that it may realistically take quite some time (years) before this technology exists, thereby making the victory all the sweeter for the encrypted apps.

The government’s climbdown on ‘clause 122’ (the ‘spy clause’), is also being celebrated by the many privacy groups that have long argued against it on the grounds of it enabling mass surveillance.

In this insight, we look at how, according to an investigation by Swedish newspaper Svenska Dagbladet (SvD), criminals may have been using Spotify to launder money since 2019.

How? 

The reported money laundering process, which was noticed by analysts from the National Operative Unit of the Swedish Police Force, involved a web of activities using a Facebook group, cryptocurrency payments and the encrypted app Telegram, the digital music streaming service Spotify, artists connected to criminal gangs and the setting up of a label.

The Process 

According to the SvD investigation, here’s an outline of how the criminal network’s money laundering process has been working:

– Bitcoin cryptocurrency is purchased (cash in hand) via a Facebook group.

– The bitcoin pays for fake streams / manipulated streams in order to make a song. For example, bots are used to simulate user behaviour by repeatedly streaming a song. The end-to-end encrypted app Telegram is used to organise the false streaming activities, e.g. using hijacked accounts, and other inauthentic methods (in addition to the bots). Possible other methods for fake streaming (some of which may be used) include click farms, VPN manipulation, algorithmic exploitation, collusive behaviour, paid services (paying others to use these methods), and more.

– The increased popularity / higher ratings of the songs as a result of the fake streams lead to more real plays / actual streams of the songs. With the artist and their labels both being linked to / owned by the criminal gangs, the laundered money then comes back as payouts via Spotify.

Only Worth It For Large Amounts 

Considering the relatively small amounts that artists receive via Spotify plays, it’s been reported that it would only have been worth operating such a process with sums exceeding several million Swedish krona (1mn SEK = approx. €84,000). This also gives an idea of how much money the criminal gangs are making before (allegedly) laundering and how much manipulation of Spotify streams may be taking place (according to reports of the SvD investigation).

How Was It Discovered? 

According to reports, the analysts at the National Operative Unit of the Swedish Police Force were actually listening to music by rappers who had published the music on Spotify since autumn 2021 in order to gather information about crimes from the lyrics. This led to the analysts noticing the unusual streaming patterns.

What Does Spotify Say? 

Spotify has acknowledged that “manipulated streams are an industry-wide challenge” but says it has not been contacted by law enforcement concerning SVD article outlining how Spotify may have been used by criminals for money laundering. Spotify also says that it hasn’t been provided with any data or “hard evidence” that its platform has been used in the way described.

How Many Fake Streams? 

Spotify says that only 1 per cent of its streams are deemed to be artificial, and its systems can detect anomalies before they reach a “significant” threshold.

However, it was recently reported (Financial Times) that there has been a suggestion by JP Morgan executives that as much as 10 per cent of all streams could be fake.

The 30-Second Track Trick 

Unfortunately for Spotify, it has also been in the news having to deny that users may have been fooling its royalty system to make money by using a ‘trick’ involving a 30-second track. It’s been alleged that users can simply repeatedly listen to their own uploaded 30-second track to make royalties. It’s been reported, for example, that analysts at JP Morgan have suggested that Spotify subscribers could make as much as £960 per a month by listening to their song on repeat, 24 hours a day.

Spotify has denied that the 30-second track money-making trick is possible on its platform saying that its royalty system doesn’t work that way.

What Does This Mean For Your Business? 

According to Spotify, the reports about how criminals may have been using its platform for money laundering have not been backed up with evidence and haven’t led to police enquiries. However, although Spotify suggests that fake streams only make up one per cent on its platform, it appears that others (JP Morgan analysts) suggest it could be at a much higher level. The story of the alleged money laundering and the 30-secong track allegations could also appear to suggest that Spotify’s systems may not be as good at spotting and preventing manipulation of the platform as the company thinks/says.

With AI now widely available, the potential for manipulation could be even greater and, no doubt, may be something that Spotify (and other platforms) are having to think about. Fake streaming can damage the music industry and distort ratings, thereby adversely affecting many artists.

It appears, however, that change is on the way, with Universal Music Group and Deezer announcing the joint launch of a music streaming model that’s designed to give more (royalty) money to the artists, which could put pressure on others like Spotify and Apple Music, to follow suit or at least re-examine how their owns systems work.

Vienna-based advocacy group ‘Noyb’ has filed complaints against Google-owned Fitbit, alleging that it has violated the EU’s GDPR over illegal exporting of user data.

Complaints In Three Countries 

Noyb, which stands for ‘None Of Your Business,’ (and founded by privacy activist Max Schrems) filed three complaints against Fitbit – in Austria, the Netherlands and Italy.

Why? 

Noyb alleges that Fitbit forces users to consent to data transfers outside the EU, to the US and other countries (with different data protection laws), without providing users with the possibility to withdraw their consent, thereby potentially violating GDPR’s requirements. Noyb says that the only option users have to stop the “illegal processing” is to completely delete their Fitbit account.

How Would This Go Against GDPR? 

There are several ways that this (alleged) practice by Google’s Fitbit could violate GDPR. For example:

– GDPR mandates that consent must be freely given. If users are forced to agree to data transfers with no ability to withdraw, the consent is not freely given.

– Under GDPR, users must be informed about how their data will be used and processed. If the data transfer is a condition that users cannot opt-out of, then the consent cannot be considered specific or informed.

In relation to these points, Noyb says that because Fitbit (allegedly) forces users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to, this means that consent that it is neither free, informed, or specific (as GDPR requires).

Sensitive Data 

GDPR also emphasises that only the data that is necessary for the intended purpose should be collected and processed. Fitbit Forcing data transfers may violate this principle if the data being transferred is broader than what is strictly necessary for the service provided.

In relation to this, Noyb alleges that Fitbit’s privacy policy says that the shared data not only includes things like a user’s email address, date of birth and gender, but can also include “data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services”.  This has raised concerns that, for example, the sharing of menstrual tracking data could be used in court cases where abortion care is criminalised, especially considering that sharing this kind of data is not common practice even in specialised menstrual tracking apps.

Also, Noyb alleges that the collected Fitbit data can even be shared for processing with third-party companies, the location of which are unknown, and that it’s “impossible” for users to find out which specific data is affected.

‘Take It Or Leave It’ Approach? 

One other aspect of GDPR is that to ensure users can change their mind, every person has the right to withdraw their consent. Noyb says that Fitbit’s privacy policy states that the only way to withdraw consent is to delete an account which would mean losing all previously tracked workouts and health data, even for those on a premium subscription for 79.99 euros per year. Noyb argues that this means that although people may buy a Fitbit for its features, there appears to be no realistic way to regain control their data without making the product useless.

Maartje de Graaf, Data Protection Lawyer at Noyb says: “First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to “freely” agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.” 

Blank Cheque? 

Bernardo Armentano, Data Protection Lawyer at Noyb, says: “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.” 

Fine Could Be £ Billions 

According to Noyb, based on Alphabet’s (Google’s parent company) turnover of last year, if the complaints are upheld by data regulators, Google could face fines of up to 11.28 billion euros over Fitbit’s alleged data protection violations.

There appears to be no publicly available comment from Google about Noyb’s allegations at the time of writing this article.

What Does This Mean For Your Business? 

Google which acquired Fitbit in 2021 and at the time, in addition expanding its move wearables, some commentators noted that it may also have been motivated by the lure of the health data of millions of Fitbit customers (potentially for profiling and advertising) and the ability to improve its competitive position in the lucrative healthcare tech space. Also, at the time, it was noted that Fitbit’s corporate partnerships with insurance companies and corporate wellness programmes may have also been attractive to Google.

Now, just a couple of years down the line, it’s the data aspect of the deal that appears to have landed Google in some hot water. Noyb’s complaints against Google-owned Fitbit could have a ripple effect that goes well beyond just a potentially hefty fine. With a penalty that could be up to 11.28 billion euros, the situation would have serious financial repercussions, and the case could set a precedent for how Google and other tech giants handle user data (especially sensitive health information), forcing them to change their global data policies.

It’s been noted, for example, in analyst GlobalData’s recent tech regulation report that data protection regulators look likely to continue closer scrutiny of companies in 2023, so there could be more trouble to come for other tech companies relating to which data they collect, how they share it, and around matters of consent.

Some may argue that Google may, several years down the line from GDPR’s introduction, need to invest more resources in compliance to avoid facing similar allegations related to other products or services.

For businesses that similarly rely on user-data, this case is a wake-up call to thoroughly review their data collection and transfer policies to ensure they align with GDPR requirements. Businesses must offer clear, informed choices to users about how their data is used, especially if it crosses borders. The situation with Fitbit highlights the reputational damage and legal risks involved in “take it or leave it” approaches to data consent. If Fitbit’s alleged actions are deemed a violation of GDPR, it could trigger a domino effect, prompting closer scrutiny of other businesses that have similar policies.

For users of Fitbit and similar devices, this case could lead to more transparent data practices, potentially providing them with greater control over their personal information. Reading about what may be happening to their extremely sensitive data may mean that users may become more cautious and discerning about the permissions they grant to these apps. Given the sensitive nature of health data involved, ranging from sleep patterns to menstrual cycles, users may start to demand more robust privacy protections, and this case could also encourage users to seek alternatives that offer better data protection guarantees.