Three cheers for critical reporting! In programmes about politics or consumer protection, our public-service broadcasters every now and then warn about Facebook and the like. But there is a lack of consistency. In broadcasts pretending audience participation, there is hardly an instance where Facebook receives no exposure. Several times a day, the audience is encouraged to “send us your photos”. To fill programme time, particularly trenchant comments from social media sites are read out or superimposed. You could get the impression that the broadcasters interpret their educational task by reaching out to people, but taking them nowhere. We would like to take the broadcasters to the Digitalcourage statement on how to handle Facebook (in German): https://digitalcourage.de/themen/facebook/facebook-eine-grundsatzentscheidung
Illegitimate ID card copies
Only a few companies are entitled to copy official identity documents or request them to be presented in the first place. Among them are banks and SIM card vendors. But landlords or companies including German Railways (Deutsche Bahn) often request that people provide official identification, or even to scan identity documents and send them in via email. This is illegal, and there is a very good reason for that: the password for the electronic features of the German ID card is printed on the card in a perfectly legible way. And you surely wouldn’t want to hand that to any random person.
Digitalcourage recommends obtaining an unofficial photo ID. With that you can even choose which data should be shown: https://shop.digitalcourage.de/lichtbildausweis-mit-selbst-gewaehlten-daten.html
BlaBlaCar and Immobilienscout24
Many Internet and web applications, apps and portals mediate between supply and demand, e. g. car-sharing agencies and real estate service providers. Contact between suppliers and customers is established after registration via a communication server owned by the intermediary. But say that you, as a potential passenger, want to get into touch directly with the driver after an initial contact. Let’s say you want to discuss the crucial details before entering a formal contract, and for that you want to exchange phone numbers. You will be surprised: The messages are not transmitted but deleted by the intermediary’s portal software. Communication is only allowed via the company’s server. The reason is that the intermediary companies fear they might be circumvented and lose their commission. This mistrust of the customers’ honesty is at least very annoying and inconvenient, perhaps even a breach of the Telecommunications Act. This alone surely deserves a reprimand.
Outright mischievous, however, is the demeanour of the BlaBlaCar company: To circumvent the Telecommunications Act, the company publishes all the messages they accept on their website in a slightly concealed place. As a result, there is no such thing as a “private message” in the strict sense on BlaBlaCar. The legality of this trick again seems highly doubtful to us.
Federal Intelligence Agency (Bundesnachrichtendienst, BND) – Update May 2017
No reprimand, but an update to https://bigbrotherawards.de/2015/behoerden-verwaltung: According to a project plan published by Netzpolitik.org, the German Federal Intelligence Agency plans to acquire funding of 150 million Euro from politics to be able to decrypt and read digital communications. In particular, the BND is targeting popular messaging services that have meanwhile enabled end-to-end encryption. This assault on encryption as a means of user self-protection is flanked by further initiatives of the German federal government aiming to break the basic right to confidential communication. The primary focus here is on the Central Agency for Information Technology in the Security Sector (Zentrale Stelle für Informationstechnik im Sicherheitsbereich, ZITIS). In 2017 alone, ZITIS will receive 12.5 million Euro for the “research and development of new methods, products and strategies” extending the surveillance of citizens’ digital communication.
Reprimand: The European Commission
The European Commission and the Council of the European Union have proposed a 5th directive on money laundering which would lead to a complete ban of anonymous online payments and a restriction of offline anonymous payments via eCash to 150 Euro. At the same time, they are planning to create an infrastructure that would effectively force financial service providers to disclose individual financial transactions to the security authorities. Another part of this “campaign” are political aspirations to push back the use of anonymous cash even for private consumption. An expert assessment of the Data Protection Expertise Network has concluded that the envisaged 5th directive on money laundering would have a similarly unconstitutional surveillance effect as the former regulations concerning telecommunications data retention, which have been revoked by the German Federal Constitutional Court and the European Court of Justice.
“You provide us the phone numbers of WhatsApp users and your other contacts in your mobile phone address book on a regular basis. You confirm you are authorized to provide us such numbers to allow us to provide our Services.”
The above is taken from the WhatsApp small print (terms of service) as of May 2017. This is how the instant messaging service seeks consent from its users to store and merge all contacts from all its users, and to try converting any contacts who aren’t users yet.
Hamburg's data protection officer Johannes Caspar has strong doubts whether such a clause is permitted in the terms because it seems unrealistic that a user has really asked all contacts for consent before giving this confirmation.
We, too, have our doubts, and we think it's a disgrace.
Reprimand: WordPress / Google Fonts
When we visit a web page these days, the data almost never comes from just one server. We navigate to a web address without realising that content is retrieved from various sources: Texts and photos might come from the actual provider, advertisements will arrive from a number of ad networks, videos from YouTube, and web fonts from Google. Web fonts are used to make text look the same in all web browsers. Google Fonts is a popular provider of free web fonts. When a web page embeds Google Fonts, each visit to that web page also leaves traffic metadata (IP address etc.) on the Google Fonts server. But Google would not dream of doing anything nefarious with our data, now would they? (Be sure to consult our laudation on the occasion of giving the BigBrotherAward 2013 to Google: https://bigbrotherawards.de/en/2013/global-data-acquisition-google.)
We find it unacceptable that the default installation of the popular blogging system WordPress uses fonts that are downloaded straight from Google. A court should decide if this automatic remote retrieval is legally permissible – after all, the user is “betrayed” in a way. Certainly most web sites do no inform about this data protection risk, and even if they did, it would actually be too late when a visitor reads about it.