Cheerful news from the "old" continent

1. EU Court limits Meta’s use of personal data for targeted ads

This was a very bad day for Meta, as the Court of Justice of the European Union has pronounced its final ruling in a 10-year-old legal battle initiated by Austrian NOYB privacy activists.
Quotes from the article:

Europe’s top court has ruled that Meta Platforms must restrict the use of personal data harvested from Facebook for serving targeted ads even when users consent to their information being used for advertising purposes.

“An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data”

In other words, social networks, such as Facebook, cannot keep using users’ personal data for ad targeting indefinitely, the court said, adding that limits must be set in place in order to comply with the bloc’s General Data Protection Regulation (GDPR) data minimization requirements.

“The application of the ‘data minimization principle’ radically restricts the use of personal data for advertising. The principle of data minimization applies regardless of the legal basis used for the processing, so even a user who consents to personalized advertising cannot have their personal data used indefinitely.”

Non-profit NOYB stated that the judgment also extends to any other online advertisement company that does not have stringent data deletion practices. This means bad news for many other Big Tech companies!

2. New Open Source law in Switzerland: a legal milestone!

I couldn’t believe my eyes when I read about this new and innovative law passed by the Swiss parliament, establishing a mandatory requirement for open source software within public sector bodies.

“Switzerland’s new ‘public money public code’ law is a great opportunity for government, the IT industry and society. All stakeholders benefit from this new regulation since the public sector can reduce vendor lock-in, companies can grow their digital business solutions, and taxpayers spend less on IT solutions and receive better services due to increased competition and innovation.”

The implementation of EMBAG is expected to serve as a model for other countries considering similar measures. The law aims to promote digital sovereignty and encourage innovation and collaboration within the public sector. As Switzerland adopts this approach, the benefits of open source software—greater security, cost efficiency, and enhanced public trust—may become more apparent.

Can you just imagine US Congress one day enacting such a revolutionary law?

9 Likes

Any clues as to what that time limit is? In other words, what does “not indefinitely” mean?

1 year? 2 years? 5 years? 10 years?

While the longer periods are creepier, I doubt that Facebook will be too worried from an advertising perspective. If you were potentially going to buy an item 1 year ago, how relevant is it today? Most likely you have either made the purchasing decision (carried out the purchase) or changed strategy (decided not to purchase, purchased an alternative).

That may not apply in all situations. For example, if you are looking to buy a house in location X, that desire may persist, unfulfilled, over many years, until the right property comes along.

2 Likes

Oh, the world, oh the politics… Personal-information-related good news comes with some unrelated, less good news from the same continent: it was reported that in negotiations between EU countries a compromise is forming about how communication privacy can be invaded (the article should have links to relevant stuff). It’s the old CSAM argument for mass surveillance of (in)secure instant messaging platforms that they are still riding on (with hinted undercurrents of national security in the mix).

The latest proposal, which has gotten at least tentatively more backing, has gotten technical about it, so it is something more tangible and practical. I haven’t seen the detailed proposal, but what I’ve gathered is:

  • only if the platform hasn’t applied enough other measures, and by limited court order
  • only images and video (not text and audio)
  • by user consent only (if no consent, then no sharing of images)
  • image hash computed before message encryption (so encryption is kept, potentially, secure), and the hash is compared to a database of known bad stuff (so known material, not potentially new material)

Unknowns, based on the superficial political news reporting:

  • whose database is it and what are the criteria (what kinds of materials are included and what kinds of limits/definitions trigger alarms), and can anyone use it (the hashes, not the images)?
  • how are false positives handled (not just technically, but the impact on the user)?
  • I imagine this is for defined very large online platforms (VLOPs), but are even they capable of implementing something like this and making sure the security is sound (and in what timeframe)?
  • what would be considered reasonable measures that need to be taken by the platform?
  • what would this mean for peer-to-peer, open and other non-centralized apps and protocols (not much, I assume), and how fast will non-centralized messaging services get popular?
  • identifying images (and creating new kinds of files to obfuscate content) may get tricky (there are always people who try to break the system)?

I hate to say this, but so far this is the least insane proposal (and that’s saying something). What I’m seeing here is that VLOPs (like FB, Telegram, UW etc.) get some new requirements that may or may not be implemented - more like a threat that they have to do enough on their own or get slammed with this. It seems unlikely that this would affect the “fringe people” like us on our preferred apps - only the bigger masses (which has, of course, a lot of potential to go badly). On the other hand, when something (finally) can be done, it seems likely that eventually it’s going to be used and it becomes a feature that no one thinks twice about…

2 Likes

So if I post an image that is encoded as text (e.g. uuencode, a bit old now, but you get the idea, or let’s say MIME encoding for something more current), I can post any “restricted” image I like? :wink:

2 Likes

Yeah, I have no idea how that would go in practice (see the final point of the second list). At worst, there could be a restriction to only sharing identifiable filetypes. Or we could get more ASCII art! :pleading_face:

2 Likes

For a general purpose platform that wouldn’t necessarily be a bad thing. Sharing unidentified filetypes could be an attempt to exploit a 0-day or other malicious activity; and it may not be well-supported by the platform anyway.

It raises the question though whether any archive (container file) type is “identifiable” - because that would force recursive validation if so.

3 Likes

Someone actually wrote a mini-fiction about the text-based scenario:

2 Likes

Awww, and I thought Atlantis or Mu were rising back up.

1 Like

(with the disclaimer that everything on that page is ostensibly fictional…)

Apps can upload the unencrypted media temporarily to their moderation servers

Makes an absolute mockery of end-to-end encryption.

What we’re talking about is a kind of self-negating paradox.
You cannot do mass surveillance privately, full stop

I would like to add to that: Privacy and making money are also a self-negating paradox i.e. are mutually exclusive. So long as communication occurs via a platform that aims to make money, there will always be an incentive for the platform to prioritise making money ahead of your privacy.

1 Like

Does the Swiss law require Free Software? That is, what are the license requirements? The article mentioned:

The EMBAG law stipulates that all public bodies must disclose the source code of software developed by or for them, unless precluded by third-party rights or security concerns.

That is great, and it requires that one of the four software freedoms be respected: namely, the freedom to study the software.

That still leaves the other three freedoms potentially restricted:

  1. The freedom to run the program as you wish.
  2. The freedom to redistribute the source code.
  3. The freedom to redistribute modified versions of the software.

1 Like

And there’s the small disclaimer …

unless precluded by third-party rights or security concerns

“security concerns” potentially covers a lot of ground. Any government agency can claim “security concerns”.

1 Like

They need to learn that security by obscurity is a major security concern in itself.

But those two loopholes look to me to remove all teeth from the open source requirement.

2 Likes

No. Nowhere in the text is any mention made of Free, FOSS or GPL licences.
The philosophy is more like “public money, public code”, so transparency is the main goal here.
From what I understand, it is also aimed at fostering local development of Open Source software in order to replace vendor lock-in and proprietary closed source solutions, which will grow an ecosystem locally rather than importing and depending on foreign (mainly US) solutions.
There is also a sense of enhancing public trust, something important for a sound democracy, which the Swiss value very much.

2 Likes

Agreed. When I saw this “unless precluded by third-party rights or security concerns” in the text, it made me cringe too. The devil is in the detail…
Also, “unless precluded by third-party rights” is quite ambiguous: it could mean they can continue to use Windows, and the source code does not need to be open in this case because of copyright or the EULA.

2 Likes