Google And Facebook Hit With $238 Million Fines In France Over Privacy Violations

France’s data protection regulator on Thursday hit Google and Facebook with fines of €150 million ($170 million) and €60 million ($68 million), respectively, for failing to provide internet users an easy way to disable online trackers, marking the latest in a series of fines faced by the two American tech giants for failing to comply with European privacy laws.

Key Facts

In a statement outlining its investigation, French regulator CNIL noted that Facebook, Google and YouTube’s websites offered a button that allowed users to immediately accept cookies but did not provide a similar button to easily refuse them.

The regulator added that the process of refusing the online trackers was several steps longer.

The CNIL ruled that this process affects users’ freedom of consent as it influences their choice of accepting or rejecting cookies.

While cookies can be essential for a website’s functioning—allowing for user authentication and remembering preferences among other things—they can also be used to track a user’s online behavior and serve them advertising.

In addition to the hefty fines, both companies have been ordered to update their interface for French users—making it easier for them to reject cookies—within three months.

Key Background

The fines against Google and Facebook follow a series of similar regulatory actions facing U.S. tech giants including Apple and Amazon in Europe. In December 2020, Google and Amazon were hit with similar fines for their handling of web cookies to track user activities without seeking proper consent.

Last year, regulators in France, the U.K., and the EU initiated formal antitrust probes into Google and Facebook’s online advertising business. The European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, has dramatically increased the powers of the bloc’s privacy enforcers. Under the law, serious privacy breaches can lead to fines of as much as 4% of a company’s annual global revenue.

I am a Breaking News Reporter at Forbes, with a focus on covering important tech policy and business news. Graduated from Columbia University with an

Source: Google And Facebook Hit With $238 Million Fines In France Over Privacy Violations


More contents:

This New 2022 Law Will Ban Use Of Dumb Passwords In Smart Devices

The U.K. government has, and not before time, many would argue, moved to introduce legislation that will ban the use of dumb passwords in so-called smart devices.

The Product Security and Telecommunications Infrastructure (PSTI) Bill has yet to become law; according to government sources that will happen as soon as parliamentary time allows. This means that we should see the law come into play in 2022.

However, what has happened already is that the legislation has been published, and we now know what the months and years of consultation and industry expertise have brought to bear.

What consumer security protections will the new law introduce?

In effect, the PSTI Bill will provide for three regulatory steps to shore up the security sinkhole as it applies to smart devices:

  1. Default, factory set, weak passwords will no longer be allowed. Instead, all relevant devices will need to come with unique passwords that cannot be set back to a single, universal, factory default.
  2. A contact for researchers, hackers, bug bounty hunters and the like to report security vulnerabilities must be published publicly.
  3. Consumers must be advised of the period for which the device they are buying will receive security updates, and so advised at the point of purchase. If the device cannot receive such updates or patches or won’t get any, that must be declared.

“One of the most commonly used attack vectors is through default passwords, which are easy to guess and preloaded on multiple devices,” George Papamargaritis, a director at Obrela Security Industries, said. “The fact that this new legislation bans default passwords is a huge step forward and it will encourage device manufacturers to consider security before marketing products, otherwise they could face business destroying fines.”

“We’re getting to a place where security by design will be a mandatory requirement and not an afterthought,” Laurie Mercer, a security engineer at HackerOne, said. “This is a significant milestone towards more secure consumer connectable products, and shows the U.K. is leading in creating a safe digital connected society.”

What smart devices will be covered by this new law?

What devices are covered? Well, it’s consumer goods legislation and covers routers, security cameras, games consoles, TVs, smart speakers and assistants, baby monitors, doorbells and, yes, smartphones. It doesn’t cover laptops and desktops, medical devices, cars, or smart meters.

This is a good step forward in that the law will apply to both manufacturers of the devices and those who import and sell them. It will be overseen by an as yet to be appointed regulator and come with fines of £10 million or 4% of global revenues; ongoing breaches can carry a daily £20,000 penalty. Of course, California already has Senate Bill 327 that requires similar password rules and came into effect on 1 January 2020.

Overall, it’s a good thing but has limitations: many smart devices are pretty stupid when it comes to security and have no ability for firmware patching, and the law will only require a declaration that there are no updates. Even for those that can be patched, there’s no requirement for this to be automated. Without such automation, most consumers will not bother, and declaring that vulnerability could make the device less secure as threat actors will then find exploits.

The expert opinion: an interview with David Rogers MBE

I’ve been chatting with David Rogers MBE, the CEO at Copper Horse and chair of the GSM Association (GSMA) Fraud and Security Group. Rogers also sits on the executive board of the Internet of Things Security Foundation. With more than 20 years of experience in embedded device security, David volunteered to draft a set of technical requirements, which ended up with the U.K. Code of Practice for Consumer IoT Security.

“The government always said if they didn’t see improvement to the market situation that they were prepared to legislate and regulate,” Rogers says, “and we’re here now where there is demonstrable market failure.” He points to research by his company that found four out of five IoT device companies didn’t have any way for security researchers to contact them, for example. “That is a truly shocking state of affairs and is really the tip of the iceberg,” Rogers continues, “what does it say about the ability of these companies to secure their own products?”

An important first step

Rogers agrees that the new PSTI Bill is a first step that addresses the top three mandates of the code of practice. “This to me hits the major issues, and if we only resolve those parts, we go a long way to protecting consumers,” he says. But it’s far from the end of the story, and the key message to the industry has to be, Rogers insists, “why wait? What is your excuse? Bad stuff is happening, and it’s IoT manufacturers’ responsibility to be part of the solution, not the problem!”

Rogers admits it’s a difficult challenge because it should be a constantly moving target if you think about product security. If a vulnerability is discovered, it should be addressed and patched if possible. “That’s why it really comes down to that point about how long vendors are providing security updates for,” he says, “and providing that information clearly to consumers and retailers.”

A baseline of security across all electronic devices?

But what about the covered devices, or rather those that aren’t? “Of course, I want to see a baseline of security across all electronic devices,” Rogers continues, “but there are clearly sectoral differences and already existing regulation, particularly in the automotive and medical sectors. They cover safety aspects that go above and beyond where we are here, and it doesn’t seem to make sense to land grab those spaces.”

Rogers also thinks that an impact is being made even before the legislation gets Royal Assent and becomes law. “Interest in conformance schemes for IoT security in the industry has gone through the roof,” he says, “simply with the threat of legislation by a host of countries.”

To be fair to the responsible companies out there, Rogers points out that they have been pushing for this too. “GSMA’s excellent IoT security work was underway in 2014, already drawing on existing work from the mobile device space,” he says, “what we’ve seen is an alignment across government, industry and also the hacking community. Everyone knows what the problems are and, crucially, how to fix them. So, let’s do it!”

We can’t look back and fix the past

When it comes to the existing volume of smart devices already in the market, Rogers takes a pragmatic view. “One thing many of us were conscious about was not adding to the already-existing mountain of IoT e-waste or unnecessarily penalizing people who can’t afford expensive products,” he says. “We can’t look back and fix the past,” Rogers concludes, “but we can look forward, and the lifecycle of technology is still very swift.

More broadly, it is more about bad practices that we’re seeking to eliminate, and we’re seeing a broad swathe of work that is intolerant to poor and unacceptable engineering practices, whether it be around supply chain security or protecting people’s privacy.”

“This is the start of a huge movement towards a safer online society, but it won’t be changing overnight,” Jake Moore, a cybersecurity specialist at ESET, concludes. “These proposals are exactly what is required to help guide people in the right direction after typical security measures by design haven’t been strong enough to help those who desperately need it.”

Davey is a three-decade veteran technology journalist and has been a contributing editor at PC Pro magazine since the first issue in 1994. A co-founder of the Forbes Straight Talking

Source: This New 2022 Law Will Ban Use Of Dumb Passwords In Smart Devices


Google Pushes to Overturn EU’s $5 Billion Antitrust Decision on Android

BRUSSELS—Alphabet Inc.’s Google started its appeal Monday to overturn a $5 billion antitrust fine imposed by the European Union, contending that its Android operating system for mobile devices has boosted competition rather than foreclosing it.

The tech giant presented oral arguments in Luxembourg before the EU’s second-highest court, in its appeal to overturn the 2018 decision from the bloc’s antitrust enforcer. In that case, EU authorities found Google had illegally abused the market power of Android to push companies that manufacture and distribute Android phones into agreements aimed at entrenching and expanding the dominance of the Google search engine on mobile devices.

That decision was the largest of three antitrust fines totaling more than $9 billion that the EU has levied against Google in the past half decade. It also ordered changes to the distribution agreements buttressing one of the company’s biggest growth engines: search ads on mobile phones.

“Android has created more choice for everyone, not less,” a Google spokeswoman said. “This case isn’t supported by the facts or the law.”

A verdict isn’t expected for months, and it can be appealed to the EU’s top court, the Court of Justice. Still, the litigation is a new test for the EU’s competition and digital-policy chief, Margrethe Vestager, who already faces a pending appeal of an earlier decision against Google’s alleged abuse of the dominance of its search engine to favor its online-shopping ads.

Ms. Vestager has since opened a new antitrust probe into Google’s ad-tech business, along with a wave of cases exploring whether companies including Facebook Inc., Apple Inc. and Amazon.com Inc. abuse their dominance to drive out smaller rivals. The companies deny wrongdoing.

A spokeswoman for the European Commission, the bloc’s top antitrust regulator, declined to comment.

While the appeal is under way, Google has had to comply with the decision, offering all users of new Android phones in the EU a choice screen of alternative search engines. But so far Google’s market share for search on mobile phones has remained relatively stable, according to Statcounter.

At issue in the hearing this week is whether Google’s Android is indeed dominant, as European regulators argue, and whether Google’s distribution deals for the operating system and its Google Play app store for Android were anticompetitive.

The Commission has argued that Google used those agreements to block the rise of potential competitors and secure the dominance of its cash cow search engine on mobile phones—an outcome far from assured at the time.

The Commission found Google had abused its control of the Android operating system by forcing phone makers to pre-install Google Search and Google’s Chrome browser if they also wanted to include Google’s Play store for apps, by far the most common way to get Android apps.

The Commission also found Google’s so-called antifragmentation agreements—deals that discourage official Android manufacturers from selling devices that run unofficial, modified versions of Android—illegally blocked the development and emergence of competing operating systems.

“Instead of an antifragmentation agreement, it should be called an anticompetition agreement,” said Thomas Vinje, a lawyer representing FairSearch, a group representing Oracle Inc. and other companies whose 2013 complaint led the Commission to open a formal case investigating Android in 2015.

Google argues that those analyses are flawed. It says Android devices must compete with Apple’s iPhone and iPad, and the Commission was wrong to largely exclude them from its analysis. The company argues that its antifragmentation agreements are necessary to keep Android phones compatible with apps, and aren’t a barrier to creating competing operating systems.

Google also says the allegation that it blocked competing apps is false because manufacturers typically install many rival apps on Android devices, and consumers can easily download others. The company says it has a right to recoup the money it spends developing Android, which it makes available free to manufacturers, by encouraging them to install Google Search, from which the company makes the bulk of its revenue.

Google and the Commission will be joined in this week’s arguments by nearly a dozen outside companies and trade groups that have filed their own supporting briefs in the case. Google’s supporters include the Computer & Communications Industry Association and two handset manufacturers.

Arguments on the Commission’s side will include some from German publisher groups and complainants in the case, including FairSearch.

By: Sam Schechner at sam.schechner@wsj.com and Daniel Michaels at daniel.michaels@wsj.com

Source: Google Pushes to Overturn EU’s $5 Billion Antitrust Decision on Android – WSJ
