Showing posts with label Data. Show all posts

Thursday, July 26, 2018

Spotify hits subscriber targets but revenues slow on EU data rules

LONDON (Reuters) - Music streaming leader Spotify (SPOT.N) on Thursday reported results mostly in line with forecasts, as the number of paid subscribers rose 10 percent over the last three months, but revenue growth was slowed by new European data privacy rules.

FILE PHOTO: The Spotify logo is displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., May 3, 2018. REUTERS/Brendan McDermid/File Photo

Monthly subscribers, which account for around 90 percent of revenue, rose to 83 million at the end of June, up from 75 million in the first three months of 2018. Analysts, on average, were looking for 82 million subs, a Thomson Reuters poll showed.

Second-quarter revenue rose 26 percent to 1.27 billion euros, roughly in line with market expectations. Fifteen analysts polled by Thomson Reuters had forecast, on average, 1.26 billion euros.

“We did see some GDPR disruption across our European markets during Q2 but seem to be largely past that now,” the company said in a statement, referring to the European Union’s General Data Protection Regulation that came into effect in May.

Reporting by Eric Auchard in London; Editing by Adrian Croft


Tech

Wednesday, July 18, 2018

How Companies Can Safeguard User Privacy in the Data Era

Many companies use data they collect about you to make the online services and connected devices you use that much more convenient. But that vast trove of personal information can also come with a number of risks like hacking.

The complexities of how companies can best navigate this reality were the focus of a round table discussion at Fortune’s Brainstorm Tech conference in Aspen, Colo. on Tuesday.

Terry Myerson, executive vice president at Microsoft and former leader of its Windows and devices group, talked about his company’s efforts to replace passwords with biometrics, the use of fingerprints and eye readers instead of passwords. But he quickly pointed out the privacy concerns about using biometrics while another participant pointed out, ominously, that many people’s fingerprints are already available online.

Hal Lawton, president of Macy’s, said his company is “using AI to look for behaviors” online that may signal security concerns. But Cliff Justice, a partner at consulting firm KPMG, mentioned that sophisticated hackers are now starting to use AI to power their attacks.

“It’s a marathon. It’s a race,” Lawton said. “An arms race,” agreed Kirsten Wolberg, chief technology and operations officer of digital signature firm DocuSign.

“We are constantly struggling as companies to make sure we have the best experience for customers and at the same time ensure their security,” said Nat Natarajan, chief technology and product officer at Ancestry.com.


Tech

Friday, July 13, 2018

Facebook says Indonesian user data not misused

JAKARTA (Reuters) - Social media giant Facebook has assured the Indonesian government that personal data of about one million of its citizens had not been improperly accessed by political consultancy Cambridge Analytica.

FILE PHOTO: A 3D plastic representation of the Facebook logo is seen in this illustration in Zenica, Bosnia and Herzegovina, May 13, 2015. REUTERS/Dado Ruvic/File Photo

Facebook has faced intense scrutiny, including multiple official investigations in the United States, Europe and Australia, over allegations of improper use of data for 87 million Facebook users by Cambridge Analytica.

Indonesia, where more than 115 million people use Facebook, has also been pressing the firm to explain how its citizens’ personal data was harvested by Cambridge Analytica via a personality quiz. 

“Facebook has reported to the Communications Ministry that no data from any Indonesian users was collected,” Deputy Communications Minister Semuel Pangerapan said on Friday.

A Facebook official had told members of parliament in April that 1,096,666 people in Indonesia may have had their data shared, or 1.26 percent of the global total.

This led Communications Minister Rudiantara, who goes by one name, to briefly threaten to shut down Facebook in Indonesia if personal data was found to have been breached.

But Facebook told Reuters on Thursday it had only indicated the number of Indonesian users “who could potentially have had their data accessed, not necessarily misused”.

“Both public records and existing evidence strongly indicate Aleksandr Kogan did not provide Cambridge Analytica or (its parent) SCL with data on people who use Facebook in Indonesia,” it added, referring to the researcher linked to the scandal.

Facebook says Kogan harvested data by creating an app on the platform that was downloaded by 270,000 people, providing access not only to their own but also their friends’ personal data.

Pangerapan said he believed Facebook had improved options for users to limit access to data, but did not say whether authorities would continue their inquiry.

The Indonesian communications ministry had sent a letter to the company in April seeking confirmation on technical measures to limit access to data in Facebook and more information on an audit the social media company was doing.

Britain’s information regulator on Wednesday slapped a small but symbolic fine of 500,000 pounds on Facebook for breaches of data protection law, in the first move by a regulator to punish the social media giant for the controversy.

Reporting by Fanny Potkin & Cindy Silviana; Editing by Himani Sarkar


Tech

Wednesday, June 27, 2018

New Zealand's Z Energy flags possible data breach in online card system

(Reuters) - New Zealand-based fuel supplier Z Energy Ltd on Wednesday said it has been presented with evidence that customer data from its Z Card Online database was accessed by a third party in November 2017.

The database held customer data such as names, addresses, registration numbers, vehicle types and credit limits with the company, Z Energy said in a statement. The data accessed did not include bank details, PIN numbers or information that would put customer finances directly at risk, it said.

Z Energy did not specify the extent to which its customer data had been compromised.

The company said it had notified affected customers and advised the Privacy Commissioner of the breach. It said the system in question had been closed since December 2017.

The Z Card allows customers to manage fuel accounts online, and is used primarily by companies with vehicle fleets.

Z Energy said it had been made aware of a potential vulnerability in the system in November, but had not found evidence of any data breaches at that time.

Z Energy operates in both New Zealand and Australia. New laws in Australia requiring companies to report data breaches took effect in late February this year.

Reporting by Ambar Warrick in Bengaluru


Tech

Friday, June 22, 2018

Supreme Court restricts police on cellphone location data

WASHINGTON (Reuters) - The U.S. Supreme Court on Friday imposed limits on the ability of police to obtain cellphone data pinpointing the past location of criminal suspects in a major victory for digital privacy advocates and a setback for law enforcement authorities.

In the 5-4 ruling, the court said police generally need a court-approved warrant to get the data, setting a higher legal hurdle than previously existed under federal law. The court said obtaining such data without a warrant from wireless carriers, as police routinely do, amounted to an unreasonable search and seizure under the U.S. Constitution’s Fourth Amendment.

In the ruling written by conservative Chief Justice John Roberts, the court decided in favor of Timothy Carpenter, who was convicted in several armed robberies at Radio Shack and T-Mobile stores in Ohio and Michigan with the help of past cellphone location data that linked him to the crime scenes.

Roberts stressed that the ruling did not resolve other hot-button digital privacy fights, including whether police need warrants to access real-time cellphone location information to track criminal suspects. The ruling has no bearing on “traditional surveillance techniques” such as security cameras or on data collection for national security purposes, he added.

Roberts was joined by the court’s four liberal justices in the majority. The court’s other four conservatives dissented.

Although the ruling explicitly concerned only historical cellphone data, digital privacy advocates are hopeful it will set the tone for future cases on other emerging legal issues prompted by new technology.

“Today’s decision rightly recognizes the need to protect the highly sensitive location data from our cellphones, but it also provides a path forward for safeguarding other sensitive digital information in future cases - from our emails, smart home appliances and technology that is yet to be invented,” said American Civil Liberties Union lawyer Nate Wessler, who represents Carpenter.

“We decline to grant the state unrestricted access to a wireless carrier’s database of physical location information,” Roberts said.

Roberts said the ruling still allows police to avoid obtaining warrants for other types of business records. Police could also avoid obtaining warrants in emergency situations, Roberts added.

The high court endorsed the arguments made by Carpenter’s lawyers, who said that police needed “probable cause,” and therefore a warrant, to avoid a Fourth Amendment violation.

Police helped establish that Carpenter was near the scene of the robberies by securing from his cellphone carrier his past “cell site location information” that tracks which cellphone towers relay calls. His bid to suppress the evidence failed and he was convicted of six robbery counts.

The big four wireless carriers - Verizon Communications Inc, AT&T Inc, T-Mobile US Inc and Sprint Corp - receive tens of thousands of such requests annually from law enforcement.

Carpenter’s case will now return to lower courts. His conviction may not be overturned because other evidence also linked him to the crimes.

‘BIG BROTHER’

The case underscored the rising concerns among privacy advocates about the government’s ability to obtain an ever-growing amount of personal data. During arguments in the case in December, liberal Justice Sonia Sotomayor, who joined Roberts in the ruling, alluded to fears of “Big Brother,” the all-seeing leader in George Orwell’s dystopian novel “1984.”

Conservative Justice Samuel Alito, a former prosecutor, said in a dissenting opinion that the ruling could do “far more harm than good.”

The decision “guarantees a blizzard of litigation while threatening many legitimate and valuable investigative practices upon which law enforcement has rightfully come to rely,” Alito added. Alito also said the ruling does not address “some of the greatest threats to individual privacy” that may come from data collection by private companies.

It was the third ruling in recent years in which the court has resolved major cases on how criminal law applies to new technology, each time ruling against law enforcement. In 2014, it required police in most instances to obtain a warrant to search a cellphone’s contents when its user is arrested. In 2012, it decided a warrant is needed to place a GPS tracking device on a vehicle.

The U.S. Justice Department argued that probable cause should not be required to obtain customer records under a 1986 federal law. Instead, it argued for a lower standard: that prosecutors show only that “reasonable grounds” exist for the records and they are “relevant and material” to an investigation.

Roberts said the government’s argument “fails to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location but also everyone else’s.”

A Justice Department spokeswoman declined to comment.

There has been rising concern over the surveillance practices of law enforcement and intelligence agencies, and whether companies like wireless carriers care about customer privacy rights.

Various tech firms, including Alphabet Inc’s Google and Microsoft Corp, joined a brief in the Carpenter case urging the court to adopt strong privacy protections.

FILE PHOTO: The U.S. Supreme Court is seen in Washington, U.S., June 11, 2018. REUTERS/Erin Schaff/File Photo

Reporting by Lawrence Hurley; Editing by Will Dunham


Tech

Saturday, May 5, 2018

UK Regulators Demand Cambridge Analytica Hand Over User Data

The United Kingdom’s Information Commissioner’s Office issued an order Friday requiring SCL Elections, the British affiliate of the controversial data mining firm Cambridge Analytica, to turn over all of the data it collected about a United States-based academic named David Carroll. Carroll filed a request for this data in January of 2017 under British data protection law, and received a response in March of that year that the Information Commissioner Elizabeth Denham describes in the order as “wholly inadequate.” Now, Denham is requiring SCL to comply with the request, or face criminal charges.

The enforcement order comes just days after Cambridge Analytica, which worked for Donald Trump’s 2016 campaign, announced that it would shut down and declare bankruptcy, along with its international affiliates, following revelations that the companies had harvested the data of up to 87 million Americans without their knowledge. The company’s former CEO Alexander Nix was also recorded this year on undercover video, appearing to brag about using tactics like bribery and entrapment on behalf of Cambridge Analytica’s clients.

Long before the name Cambridge Analytica became notorious in households across the country, though, Carroll, a professor of media design at Parsons School of Design in Manhattan, became suspicious about the way the company built its so-called psychographic profiles of US voters. These profiles, the company claimed, contained information not only about people’s demographics, but their personalities as well. Given that Cambridge Analytica originally spun out of a British company called SCL Group, Carroll filed a request under the UK’s Data Protection Act seeking access to all of the information the company had collected on him.

When SCL sent Carroll back his file, he was utterly unsatisfied. It ranked his interest in topics like immigration and gun control on a numeric scale, but offered no insight into what data was being used to generate those scores, or who actually used them. In mid-March, the same day Facebook announced it was suspending Cambridge Analytica and SCL Group from its platform as punishment for their transgressions, Carroll filed a request for disclosure in the UK in an attempt to force SCL to hand over the underlying data and answer a litany of questions about how they were being used.

Though that case is still ongoing, the ICO’s order does accomplish some of that work for Carroll. In the order, Denham describes the months-long battle between her office and SCL’s office over Carroll’s data request. According to the order, SCL repeatedly argued that as a US citizen, Carroll had no right to request his data under British laws, going so far as to write in one response that Carroll had no more data access rights in the UK “than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan.”

Denham disagreed with that assessment. In March, after the undercover videos of Nix went public, the ICO stormed the company’s offices and seized its servers. Now, the regulator is giving SCL 30 days to provide descriptions of Carroll’s personal data, the purpose that data served, a list of all the recipients of that data, copies of the data itself, and the sources of that data.

“It’s quite exciting,” Carroll says of the order. “At the minimum, it’s the beginning of a victory and pointing toward winning.”

Still, he says, “It didn’t have to come to this. We’ve been trying for more than a year to do this out of court…It just kept escalating.”

SCL now has the opportunity to appeal the ICO’s order. Representatives for SCL didn’t immediately respond to WIRED’s request for comment.


Tech

Tuesday, April 24, 2018

WhatsApp raises minimum age in Europe to 16 ahead of data law change

LONDON (Reuters) - WhatsApp, the popular messaging service owned by Facebook Inc (FB.O), is raising its minimum age from 13 to 16 in Europe to help it comply with new data privacy rules coming into force next month.

FILE PHOTO: The WhatsApp app logo is seen on a smartphone in this picture illustration taken September 15, 2017. REUTERS/Dado Ruvic/Illustration/File Photo

WhatsApp will ask European users to confirm they are at least 16 years old when they are prompted to agree new terms of service and a privacy policy provided by a new WhatsApp Ireland Ltd entity in the next few weeks.

It is not clear how or if the age limit will be checked given the limited data requested and held by the service.

Facebook, which has a separate data policy, is taking a different approach to teens aged between 13 and 15 in order to comply with the European General Data Protection Regulation (GDPR) law.

It is asking them to nominate a parent or guardian to give permission for them to share information on the platform, otherwise they will not see a fully personalized version of the social media platform.

But WhatsApp, which had more than 1.5 billion users in January according to Facebook, said in a blog post it was not asking for any new rights to collect personal information in the agreement it has created for the European Union.

“Our goal is simply to explain how we use and protect the limited information we have about you,” it said.

WhatsApp, founded in 2009, has come under pressure from some European governments in recent years because of its end-to-end encrypted messaging system and its plan to share more data with its parent, Facebook.

Facebook itself is under scrutiny from regulators and lawmakers around the world since disclosing last month that the personal information of millions of users wrongly ended up in the hands of political consultancy Cambridge Analytica, setting off wider concerns about how it handles user data.

WhatsApp’s minimum age of use will remain 13 years in the rest of the world, in line with its parent.

GDPR is the biggest overhaul of online privacy since the birth of the internet, giving Europeans the right to know what data is stored on them and the right to have it deleted.

Apple Inc (AAPL.O) and some other tech firms have said they plan to give people in the United States and elsewhere the same protections and rights that Europeans will gain.

European regulators have already disrupted a move by WhatsApp to change its policies to allow it to share users’ phone numbers and other information with Facebook to help improve the product and more effectively target ads.

WhatsApp suspended the change in Europe after widespread regulatory scrutiny. It said on Tuesday it still wanted to share the data at some point.

“As we have said in the past, we want to work closer with other Facebook companies in the future and we will keep you updated as we develop our plans,” it said.

Other changes announced by WhatsApp on Tuesday include allowing users to download a report detailing the data it holds on them, such as the make and model of the device they used, their contacts and groups and any blocked numbers.

“This feature will be rolling out to all users around the world on the newest version of the app,” it said.

The blog post also points to safety tips on the service, such as the ability to block unwanted users, and delete and report spam.

Reporting by Paul Sandle; Editing by Adrian Croft


Tech

Thursday, April 19, 2018

German lawmakers to grill Facebook manager on data privacy

BERLIN (Reuters) - German lawmakers will question a senior Facebook Inc manager about data privacy in the wake of revelations that the personal information of millions of users wrongly ended up in the hands of political consultancy Cambridge Analytica.

FILE PHOTO: A 3D-printed Facebook logo is seen in front of displayed stock graph in this illustration photo, March 20, 2018. REUTERS/Dado Ruvic/File Photo

Lawmakers in the Bundestag lower house of parliament will grill Joel Kaplan, Facebook’s vice president for global public policy, during a closed-door session on Friday morning.

The meeting mirrors the appearance of Facebook’s Chief Executive Mark Zuckerberg before a U.S. Congressional joint hearing on April 10-11 over the scandal engulfing the world’s largest social network.

The 87 million Facebook users affected included nearly three million Europeans and Zuckerberg is also under pressure from EU lawmakers to come to Europe to shed light on the data breach.

“Facebook needs to show more openness and transparency when dealing with user data,” said Nadine Schoen, deputy leader of Chancellor Angela Merkel’s conservative bloc in the Bundestag.

She said Facebook needed to do more than just pay lip service and it remained to be seen how serious the company was about really improving user rights.

“It is not enough to exchange the gray T-shirt and jeans for suit and tie,” she said in reference to Zuckerberg’s appearance in the U.S. Congress.

The senior lawmaker said that Facebook so far was giving the impression that it only wanted to save its business model.

“For example, the company is already rowing back in the supposedly world-wide announced implementation of the General Data Protection Regulation,” Schoen warned, referring to privacy rules that will enter force in the European Union next month.

“We no longer need excuses, but facts,” she said.

German Justice Minister Katarina Barley last month summoned executives of the firm, including European public affairs chief Richard Allan.

Misuse of data by Facebook means it will in future be bound by stricter regulations and the threat of tougher penalties for further privacy violations, Barley said after the meeting.

Reporting by Michael Nienaber; Editing by Douglas Busvine


Tech

Sunday, April 1, 2018

Saks, Lord & Taylor hit by payment card data breach

NEW YORK (Reuters) - Hudson’s Bay Co said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised.

The Lord & Taylor flagship store building is seen along Fifth Avenue in the Manhattan borough of New York City, U.S., October 24, 2017. REUTERS/Shannon Stapleton

The Canadian retail company said it had identified the issue and taken steps to contain it, adding that “there is no indication” so far that the issue had affected the company’s e-commerce or other digital platforms.

Customers will not be liable for fraudulent charges that may result from the issue, the company said.

The stores involved include Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor, the company said.

Reporting by David Henry in New York; Editing by Bill Rigby


Tech

Thursday, March 22, 2018

Investors, lawmakers, advertisers pressure Facebook over data

WASHINGTON/LONDON (Reuters) - Facebook Inc Chief Executive Mark Zuckerberg’s apology for how his company handled 50 million users’ data did little on Thursday to ease investor worries about the cost to fix mistakes and lawmakers’ dismay that his response did not go far enough.

Germany’s second-largest bank Commerzbank AG has suspended advertising on Facebook until further notice, Handelsblatt newspaper reported on Thursday, following in the steps of Mozilla, which runs the Firefox web browser.

Allegations that political consultancy Cambridge Analytica improperly accessed data to build profiles on American voters and influence the 2016 presidential election have knocked more than $50 billion off Facebook’s market value this week.

Five days after the scandal broke, Zuckerberg apologized on Wednesday that mistakes were made and promised to restrict developers’ access to user information as part of a plan to improve privacy protection.

On Thursday, Facebook executives were still saying sorry. “It was a mistake”, Campbell Brown, head of news partnerships at Facebook, said at The Financial Times FT Future of News Conference in New York City.

Zuckerberg’s apology and promises were not enough to ease political pressure on the world’s largest social media company.

“It shouldn’t be for a company to decide what is the appropriate balance between privacy and innovation and use of data. Those rules should be set by society as a whole and so by parliament,” British minister for Digital, Culture, Media and Sport, Matt Hancock, told BBC Radio. “The big tech companies need to abide by the law and we’re strengthening the law.”

In Washington, Zuckerberg’s media rounds did little to satisfy lawmakers in either political party who have demanded this week that the billionaire testify before Congress.

Facebook executives were expected to brief two congressional committees on Thursday, after being grilled for nearly two hours by staff for the House Energy and Commerce Committee on Wednesday.

Facebook Deputy Chief Privacy Officer Rob Sherman and other executives were unable to answer many questions at Wednesday’s meeting, according to two aides who were present. The executives said they had written down a list of 60 questions they promised to answer, the aides said.

The Republican chairman and top Democrat of the U.S. House Energy and Commerce Committee said they will in coming days formally ask Zuckerberg to testify.

REPUTATIONAL COSTS

Wall Street analysts expressed relief that there were no signs so far of a more fundamental shift in the company’s advertising-driven revenue model, but some said there would be costs to shore up its reputation.

Facebook, with more than 2 billion monthly active users, made almost all its $40.6 billion in revenue last year from advertising.

A 3D-printed Facebook logo is seen in front of displayed stock graph in this illustration photo March 20, 2018. Picture taken March 20. REUTERS/Dado Ruvic

Stifel analyst Scott Devitt cut his price target on Facebook by $27 to $168, while BofA Merrill Lynch slashed its target by $35 to $230.

“Facebook’s current plight reminds us of eBay in 2004 – an unstructured content business built on trust that lost that trust prior to implementing policies to add structure and process,” Devitt said.

“Warren Buffett has his own thing called a “too hard” pile, and we are choosing to put Facebook shares in it,” he wrote.

Facebook shares were down 2.2 percent on Thursday in heavy trading.

Analysts said that Zuckerberg’s promises to investigate thousands of apps, and to give members a tool that lets them turn off access, would not substantially reduce advertisers’ ability to use Facebook data - the company’s lifeblood.

Nevertheless, open-source browser and app developer Mozilla said it was “pressing pause” on its Facebook advertising after the revelations prompted it to take a closer look at the site’s default privacy settings.

“We found that its current default settings leave access open to a lot of data – particularly with respect to settings for third party apps,” Mozilla said in a blog post.

“When Facebook takes stronger action in how it shares customer data, specifically strengthening its default privacy settings for third party apps, we’ll consider returning.”

Commerzbank said it, too, was pausing its campaign on Facebook. “Brand safety and data security are very important to us,” head of brand strategy Uwe Hellmann told Handelsblatt. The comments were confirmed by a spokesman for the bank.

The Times newspaper reported that British advertising group ISBA, which represents thousands of well-known brands, has threatened to withdraw ads if investigations show user data has been misused.

“We think this issue is more likely to snowball than recede and that advertisers are reaching a tipping point at which spending on not only Facebook and other online platforms, is re-evaluated,” brokerage Liberum said in a note.

Technology stocks have fallen along with Facebook this week as investors worried about tighter scrutiny of global platforms like Google, Twitter and Snapchat.

British police removed cordons around the London headquarters of Cambridge Analytica on Thursday after they deemed a suspicious package which sparked a security alert to be safe.

Efforts by Britain’s information watchdog to investigate Cambridge Analytica were delayed when a judge adjourned for 24 hours its application to search the company’s head office.

Additional reporting by Munsif Vengattil and Paul Sandle; Editing by Nick Zieminski


Tech

Wednesday, March 21, 2018

Facebook and UK political consultancy sued in data storm

NEW YORK/LONDON (Reuters) - A U.S. resident has sued Facebook and a British-based political consultancy for obtaining data from millions of the social media site’s users without their permission, while an academic at the center of the storm accused both firms of scapegoating him.

The complaint filed at the U.S. District Court in San Jose, California, marked the first of what may be many lawsuits seeking damages over Facebook’s ability to protect user data, and exploitation of the information by the Cambridge Analytica consultancy to help President Donald Trump’s election campaign.

Facebook (FB.O) has been rocked this week by a whistleblower who said Cambridge Analytica, which Trump hired for the 2016 campaign, improperly accessed information on Facebook users to build detailed profiles on American voters.

This revelation has knocked nearly $50 billion off Facebook’s stock market value in two days and hit the shares of Twitter and Snap over fears that a failure by big tech firms to protect personal data could deter advertisers and users and invite tougher regulation.

Mark Zuckerberg, Facebook’s founder and chief executive, who has been quiet on the controversy, is to address the revelations later on Wednesday, a source at the company told Reuters.

The proposed class-action complaint was filed late on Tuesday by Lauren Price, a Maryland resident. “Every Facebook user has an interest in this lawsuit, and the enforcement of their privacy rights,” John Yanchunis, a lawyer for Price, told Reuters on Wednesday. The complaint seeks unspecified damages, including possible punitive damages.

Facebook and Cambridge Analytica did not immediately respond on Wednesday to requests for comment.

A former Facebook manager who was responsible for policing the network’s data handling procedures in 2011-2012 said he had warned senior executives about the issue.

The manager, Sandy Parakilas, said he had told them that Facebook’s failure to police how outside software developers used its data put the company at risk of major data breaches. “There was very little detection or enforcement,” he told a British parliamentary committee via videolink.

SWING VOTERS

The academic who provided the data, psychologist Aleksandr Kogan, told the BBC that Cambridge Analytica had greatly exaggerated its role in Trump’s victory.

Facebook and Cambridge Analytica have both blamed Kogan, who gathered the data by running a survey app on Facebook. Kogan combines the roles of an academic at Cambridge University and a web entrepreneur based in San Francisco.

U.S. political campaigns collect large amounts of data, hoping to target swing voters sympathetic to their message. Cambridge Analytica stood out for the scale of claims in its marketing materials to “collect up to 5,000 data points on over 220 million Americans” in all its activities.

It uses techniques based on personality traits and then applies analytic tools to pinpoint supporters.

However, Kogan said the services provided by the consultancy had been greatly exaggerated.

“I think what Cambridge Analytica has tried to sell is magic, and they’ve made claims that this is incredibly accurate and it tells you everything there is to tell about you. But I think the reality is it’s not that,” he said.


Arron Banks, who campaigned for Britain to leave the European Union in a 2016 referendum, also questioned the value of psychologically-based data.

Banks told Reuters that Cambridge Analytica had unsuccessfully pitched for work with his Leave.eu campaign group. “I think they are nothing more than a company that places Facebook ads and shrouds in a sort of mystery,” he said.

Kogan’s application, “thisisyourdigitallife,” offered a personality prediction and billed itself on Facebook as “a research app used by psychologists”.

Kogan said he had gathered the data in 2014. He was then approached by Cambridge Analytica who provided the legal advice around its use, he added.

Facebook says Kogan then violated its policies by passing the data to Cambridge Analytica for commercial use, saying on Friday he “lied to us”. Cambridge Analytica said it destroyed the data once it realized the information did not adhere to data protection rules.

“My view is that I’m being basically used as a scapegoat by both Facebook and Cambridge Analytica,” said Kogan. “We were assured by Cambridge Analytica that everything was perfectly legal and within the limits of the terms of service.”

Cambridge Analytica has denied various allegations made about its business practices in recent media reports.

British Prime Minister Theresa May said she backed an investigation into the consultancy, while the German government also expressed its concern.

In Europe the tax affairs of tech giants have become a hot political issue. On Wednesday the European Commission proposed rules to make digital companies pay their fair share of tax, with Facebook and its peers set to foot much of the bill.

PERSONALITY TEST

Alexander Nix, the head of Cambridge Analytica, said in a secretly recorded video broadcast on Tuesday that his company had played a decisive role in Trump’s election victory. He was suspended by the company shortly before the video was shown on Britain’s Channel 4 News.

Around 270,000 people downloaded the app, Facebook said. The app scored the results of each quiz and gathered up data from test-takers’ Facebook accounts. However, it also pulled down the data of their Facebook friends, vastly increasing the size of the sample.

Kogan put the number of app users as closer to 200,000.

The researcher said, in total, he passed the data of around 30 million American Facebook users to SCL, a government and military contractor that is the parent of Cambridge Analytica. Media reports have put the total number of Facebook profiles collected at around 50 million users.

U.S. and European lawmakers have demanded an explanation of how Cambridge Analytica gained access to user data in 2014 and why Facebook failed to inform its users.

Facebook said it had been told by the Federal Trade Commission, the leading U.S. consumer regulator, that it would receive a letter this week with questions about the data acquired by Cambridge Analytica. It said it had no indication of a formal investigation.

Additional reporting by Dustin Volz in Washington; Editing by Guy Faulconbridge, David Stamp and Janet Lawrence



Sunday, March 18, 2018

Facebook critics want regulation, investigation after data misuse

SAN FRANCISCO (Reuters) - Facebook Inc faced new calls for regulation from within U.S. Congress and was hit with questions about personal data safeguards on Saturday after reports a political consultant gained inappropriate access to 50 million users’ data starting in 2014.

FILE PHOTO: Facebook logo is seen at a start-up companies gathering at Paris’ Station F in Paris, France on January 17, 2017. REUTERS/Philippe Wojazer/File Photo

Facebook disclosed the issue in a blog post on Friday, hours before media reports that conservative-leaning Cambridge Analytica, a data company known for its work on Donald Trump’s 2016 presidential campaign, was given access to the data and may not have deleted it.

The scrutiny presented a new threat to Facebook’s reputation, which was already under attack over Russians’ alleged use of Facebook tools to sway American voters before and after the 2016 U.S. elections.

“It’s clear these platforms can’t police themselves,” Democratic U.S. Senator Amy Klobuchar tweeted.

“They say ‘trust us.’ Mark Zuckerberg needs to testify before Senate Judiciary,” she added, referring to Facebook’s CEO and a committee she sits on.

Facebook said the root of the problem was that researchers and Cambridge Analytica lied to it and abused its policies, but critics on Saturday threw blame at Facebook as well, demanding answers on behalf of users and calling for new regulation.

Facebook insisted the data was misused but not stolen, because users gave permission, sparking a debate about what constitutes a hack that must be disclosed to customers.

“The lid is being opened on the black box of Facebook’s data practices, and the picture is not pretty,” said Frank Pasquale, a University of Maryland law professor who has written about Silicon Valley’s use of data.

Pasquale said Facebook’s response that data had not technically been stolen seemed to obfuscate the central issue that data was apparently used in a way contrary to the expectations of users.

“It amazes me that they are trying to make this about nomenclature. I guess that’s all they have left,” he said.

Democratic U.S. Senator Mark Warner said the episode bolstered the need for new regulations about internet advertising, describing the industry as the “Wild West.”

“Whether it’s allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency,” he said.

With Republicans controlling the Senate’s majority, though, it was not clear if Klobuchar and Warner would prevail.

The New York Times and London’s Observer reported on Saturday that private information from more than 50 million Facebook users improperly ended up in the hands of Cambridge Analytica, and the information has not been deleted despite Facebook’s demands beginning in 2015.

Some 270,000 people allowed use of their data by a researcher, who scraped the data of all their friends as well, a move allowed by Facebook until 2015. The researcher sold the data to Cambridge, which was against Facebook rules, the newspapers said.

Cambridge Analytica worked on Trump’s 2016 campaign. A Trump campaign official said, though, that it used Republican data sources, not Cambridge Analytica, for its voter information.

Facebook, in a series of written statements beginning late on Friday, said its policies had been broken by Cambridge Analytica and researchers and that it was exploring legal action.

Cambridge Analytica in turn said it had deleted all the data and that the company supplying it had been responsible for obtaining it.

Andrew Bosworth, a Facebook vice president, hinted the company could make more changes to demonstrate it values privacy. “We must do better and will,” he wrote on Twitter, adding that “our business depends on it at every level.”

Facebook said it asked for the data to be deleted in 2015 and then relied on written certifications by those involved that they had complied.

Nuala O’Connor, president of the Center for Democracy & Technology, an advocacy group in Washington, D.C., said Facebook was relying on the good will of decent people rather than preparing for intentional misuse.

Moreover, she found it puzzling that Facebook knew about the abuse in 2015 but did not disclose it until Friday. “That’s a long time,” she said.

Britain’s data protection authority and the Massachusetts attorney general on Saturday said they were launching investigations into the use of Facebook data.

“It is important that the public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy,” UK Information Commissioner Elizabeth Denham said in a statement.

Massachusetts Attorney General Maura Healey’s office said she wants to understand how the data was used, what policies if any were violated and what the legal implications are.

Reporting by David Ingram; Editing by Peter Henderson and Chris Reese



Saturday, March 17, 2018

Facebook suspends data analytics firm that worked for Trump campaign

(Reuters) - Facebook Inc on Friday said it was suspending political data analytics firm Cambridge Analytica, which worked for President Donald Trump’s 2016 election campaign, after finding data privacy policies had been violated.

FILE PHOTO: A Facebook logo is seen at the Facebook Gather conference in Brussels, Belgium January 23, 2018. REUTERS/Yves Herman/File Photo

Facebook said in a statement that it suspended Cambridge Analytica and its parent group Strategic Communication Laboratories (SCL) after receiving reports that they did not delete information about Facebook users that had been inappropriately shared.

Cambridge Analytica was not immediately available for comment. Facebook did not mention the Trump campaign or any political campaigns in its statement, attributed to company Deputy General Counsel Paul Grewal.

“We will take legal action if necessary to hold them responsible and accountable for any unlawful behavior,” Facebook said, adding that it was continuing to investigate the claims.

Cambridge Analytica worked for the failed presidential campaign of U.S. Senator Ted Cruz and then for the presidential campaign of Donald Trump. On its website, it says it “provided the Donald J. Trump for President campaign with the expertise and insights that helped win the White House”.

Brad Parscale, who ran Trump’s digital ad operation in 2016 and is his 2020 campaign manager, declined to comment on Friday.

In past interviews with Reuters, Parscale has said that Cambridge Analytica played a minor role as a contractor in the 2016 Trump campaign, and that the campaign used voter data from a Republican-affiliated organization rather than Cambridge Analytica.

Facebook’s Grewal said the company was taking the unusual step of announcing the suspension “given the public prominence” of Cambridge Analytica and its parent organization.

The suspension means Cambridge Analytica and SCL cannot buy ads on the world’s largest social media network or administer pages belonging to clients, Andrew Bosworth, a Facebook vice president, said in a Twitter post.

Trump’s campaign hired Cambridge Analytica in June 2016 and paid it more than $6.2 million, according to Federal Election Commission records.

Cambridge Analytica says it uses “behavioral microtargeting”, or combining analysis of people’s personalities with demographics, to predict and influence mass behavior. It says it has data on 220 million Americans, two thirds of the U.S. population.

It has worked on other campaigns in the United States and other countries, and it is funded by Robert Mercer, a prominent supporter of politically conservative groups.

Facebook in its statement described a rocky relationship with Cambridge Analytica and two individuals going back to 2015.

That year, Facebook said, it learned that University of Cambridge professor Aleksandr Kogan lied to the company and violated its policies by sharing data that he acquired with a so-called “research app” that used Facebook’s login system.

Kogan was not immediately available for comment.

The app was downloaded by about 270,000 people. Facebook said that Kogan gained access to profile and other information "in a legitimate way" but "he did not subsequently abide by our rules" when he passed the data to SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies. (bit.ly/2FZU1Ir)

Eunoia did not immediately respond to a request for comment.

Facebook said it cut ties to Kogan’s app when it learned of the violation in 2015, and asked for certification from Kogan and all parties he had given data to that the information had been destroyed.

Although all certified that they had destroyed the data, Facebook said that it received reports in the past several days that “not all data was deleted”, prompting the suspension announced on Friday.

Additional Reporting by Ismail Shakil in Bengaluru; Editing by Jonathan Weber, Leslie Adler and Joseph Radford



Monday, February 5, 2018

Waymo and GM Lead the Self-Driving Car Race, New Data Shows

Most of the questions surrounding the coming age of driverless cars pertain to practical things: regulation, insurance, training protocols for the cars’ remote human backups. Some are philosophical: What do we owe the people whose jobs will be annihilated? Do robo cars need ethics lessons? At least one question is practical and philosophical: How do we know when these things are ready to ditch their human safety drivers and roll about unattended?

No one has much of a response. You could say that as soon as the robot is safer than the average human driver—who crashes once every 238,000 miles or so—it’s wrong to keep it in the lab. Or you can argue that robo cars ought to be held to higher standards: Should they be 10 times better than the human? 1,000 times? Whatever the answer is, data will help us get there. And so we turn to the California DMV’s 2017 Autonomous Vehicle Disengagement Reports.

The Golden State, home to many of the companies leading the robo revolution, has some of the strictest rules for AVs in the country. Operators who run cars on public roads must publicly report any crashes they’re involved in. And at the end of every year, they must hand over data on how many miles they drove and how many times their onboard human safety driver had to take control from the machine—that’s called a disengagement. Combine those, and you have a number approximating how far any company’s self-driving car can go without human help. Something like a grade.

The metric is imperfect, and this data comes with a crate of caveats. But before we get into those, know this: Waymo (formerly known as Google’s self-driving car project) and General Motors appear to be leading the pack and making rapid progress toward the day when human drivers, with all their inattention and distraction and tendency to crash, will be obsolete.

Ifs and Buts

You can read more about the shortcomings of disengagement reports here, but here’s the quick rundown:

  • They’re unscientific, because each company reports its data in a different way, offering various levels of detail and idiosyncratic explanations for what triggered the human takeover.
  • They’re packed with vague language and lack context. Delphi cites “cyclist” as the reason for a bunch of disengagements. Zoox blamed every disengagement on a “planning discrepancy” or “hardware discrepancy.”
  • They’re little use for anyone who wants to compare rival companies, because those companies aren’t running the same tests: Waymo does most of its testing in simple suburbs; GM focuses on the complex city. They’re better for tracking the progress of each outfit, but still not great, because those companies change how and where they test over time.
  • A disengagement does not mean the car was going to crash, only that the human driver wasn’t 100 percent confident in how it would behave.
  • They only cover driving on public roads in California. So we don’t know anything about Ford, which focuses its testing around Detroit and Pittsburgh. We don’t see data for Waymo’s increasingly important test program in Phoenix—where its cars are tooling about without anyone inside.

On the other hand, the disengagement reports are the best data we’ve got for evaluating these development efforts. No state but California demands anything like this, and private companies only share such info when the government demands it.

So, let’s sprinkle some grains of salt on the numbers and take a look. We broke them down into a pair of two-axis charts. The first looks at Waymo and General Motors. It notes how many miles they drove in 2016 and 2017 (in green) and how many miles they averaged between disengagements (in blue). (By the way, Uber didn’t have to file a report, because this data isn’t required until your first full calendar year of testing. Uber didn’t get its permit to test in California until March of 2017.)

The takeaway here is that Waymo’s software remains excellent, and it’s still doing tons of testing in California. For GM, you can see a huge ramp-up in miles driven, and a steep increase in miles per disengagement. That’s progress, and it’s a good thing: GM plans to launch a car without a steering wheel or pedals next year. Keep in mind that GM does nearly all its public street testing in San Francisco, a much more complicated environment than Palo Alto and Mountain View, where Waymo works.


Next, we have the data for Delphi (now known as Aptiv), Nissan, Mercedes-Benz, and Zoox, a San Francisco–based startup working to build a self-driving vehicle that looks nothing like today’s cars—not that it will say anything more than that for the time being. Each has a serious program, but they do so much less testing than Waymo and GM that we put them in their own chart. (Otherwise, the scales would just be totally out of proportion to each other.)


More caveats: Mercedes-Benz may not look so hot in California, but that data’s from just three vehicles. It does much more work in Europe: In 2017, it sent an autonomous S-Class on a five-month tour of five continents. Nissan does a lot of testing at NASA’s Ames Research Center, which doesn’t count as public land, so doesn’t require data reporting. And to get the most interesting bit of data from Zoox, you have to dive into its report.

In its first year of testing (thus the lack of 2016 numbers), it drove just over 100 miles through August. Over the next three months, it drove about 2,000. Yet its rate of disengagements remained steady. Overall, it averaged 160 miles per disengagement. But if you look at just November, when it was doing lots of testing in downtown San Francisco, that number jumps to 430. Even with the caveats, it’s a clear sign that Zoox is making impressive progress—and that more than one of these students is getting ready to throw on a gown, grab its diploma, and give you a ride.





Thursday, December 7, 2017

Exclusive: Uber paid 20-year-old Florida man to keep data breach secret - sources

SAN FRANCISCO/WASHINGTON (Reuters) - A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.

FILE PHOTO - The logo of Uber is seen on an iPad, during a news conference to announce Uber resumes ride-hailing service, in Taipei, Taiwan April 13, 2017. REUTERS/Tyrone Siu

Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.

Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service - as such a program is known in the industry - is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.

A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.

HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.

According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.

One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.

‘SHOUT IT FROM THE ROOFTOPS’

Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.

Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.

Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.

Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.

“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.

Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.

“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.

Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.

Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.

Sullivan and Clark did not respond to requests for comment.

In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”

Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.

Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby

