Adtech/data company "OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children"

$2 million settlement b/c of COPPA and FTC Act violations, order to delete "all ad request data":
ftc.gov/news-events/pr…
As of today, OpenX 'strongly recommends' app vendors to include the user's exact GPS location in RTB bid requests, and thus broadcasts it to many other data companies in an uncontrolled way.

And btw. OpenX 'requires' apps to include the user's IP address.
docs.openx.com/publishers/s2s…
The FTC's investigation, however, did not focus on harvesting and sharing GPS location data (which it should) but on a specific form of Wi-Fi location tracking.

According to the complaint, OpenX used a 'backdoor method' to circumvent Android permissions.
ftc.gov/system/files/d…
The FTC ordered OpenX to collect future location data via SDK only if apps have 'affirmative express consent'. This goes beyond what is usually required in the US, doesn't it?

However, it covers SDK data only (why?) and I'm afraid the FTC's conditions for consent are too weak.
In 2019 we found that OpenX received personal data including GPS location during the use of the dating app Grindr in Norway. We filed a GDPR complaint against Grindr & OpenX. Grindr has now received a large fine. I hope we'll see a decision on OpenX soon.
forbrukerradet.no/side/complaint…
According to the FTC docs, OpenX claims that it stopped the BSSID/Wi-Fi tracking in October 2018. As this is already documented very well in the FTC complaint, it is certainly worth adding it to the GDPR case, or better, open up another one.
Btw. OpenX now claims that its EU main establishment is in Poland.
openx.com/legal/ad-excha…
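
An added example, not from the thread or from OpenX's documentation: a publisher-side check that flags precise coordinates and a full IP address in an outgoing bid request and builds a minimized copy. The field names assume the IAB OpenRTB 2.x object model; the sample request, function names and thresholds are constructed for illustration.

```python
import copy
import ipaddress

# Constructed sample request (not captured traffic). Field names assume the
# IAB OpenRTB 2.x object model; they are not taken from OpenX's documentation.
SAMPLE_BID_REQUEST = {
    "id": "constructed-req-1",
    "app": {"bundle": "com.example.app"},
    "device": {
        "ip": "203.0.113.57",
        # geo.type 1 means the fix came from GPS/location services
        "geo": {"lat": 59.913868, "lon": 10.752245, "type": 1},
    },
    "user": {"geo": {"lat": 59.913868, "lon": 10.752245, "type": 1}},
}

COARSE_DECIMALS = 2  # assumed threshold: 0.01 degree of latitude is about 1.1 km


def _is_precise(geo):
    return any(round(geo[k], COARSE_DECIMALS) != geo[k] for k in ("lat", "lon"))


def audit(req):
    """Return sorted findings for fields carrying precise location or a full IP."""
    findings = []
    for owner in ("device", "user"):
        geo = req.get(owner, {}).get("geo", {})
        if "lat" in geo and "lon" in geo and _is_precise(geo):
            findings.append(f"{owner}.geo:precise")
    ip = req.get("device", {}).get("ip")
    # Heuristic: a non-zero last octet means the address was not truncated.
    if ip and ipaddress.ip_address(ip).packed[-1] != 0:
        findings.append("device.ip:full")
    return sorted(findings)


def minimize(req, decimals=1):
    """Return a copy with coordinates rounded and the IPv4 host part zeroed."""
    out = copy.deepcopy(req)
    for owner in ("device", "user"):
        geo = out.get(owner, {}).get("geo")
        if geo and "lat" in geo and "lon" in geo:
            geo["lat"] = round(geo["lat"], decimals)
            geo["lon"] = round(geo["lon"], decimals)
    ip = out.get("device", {}).get("ip")
    if ip:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        out["device"]["ip"] = str(net.network_address)
    return out
```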
