Twitter faces privacy scrutiny from EU watchdogs after Mudge report – DailyTech

August 24, 2022

The explosive Twitter whistleblower complaint that was made public yesterday — detailing a raft of damning allegations across security, privacy and data protection issues (among others) by Twitter’s former head of security, Peiter “Mudge” Zatko — contained references to European regulators along with claims that the social media firm had misled or intended to mislead regional oversight bodies over its compliance with local laws.

Two national data protection authorities in the EU, in Ireland and France, have confirmed to DailyTech that they are following up on the whistleblower complaint.

Ireland, which is Twitter’s lead supervisor for the bloc’s General Data Protection Regulation (GDPR) — and previously led a GDPR investigation of a separate security incident that resulted in a $550k fine for Twitter — said it is “engaging” with the company in the wake of the publicity around the complaint.

“We became aware of the issues when we read the media stories [yesterday] and have engaged with Twitter on the matter,” the regulator’s deputy commissioner, Graham Doyle, told us.

France’s DPA, meanwhile, said it is investigating allegations made in the complaint.

“The CNIL is currently investigating the complaint filed in the US. For the moment we are not in a position to confirm or deny the accuracy of the alleged breaches,” a spokesperson for the French watchdog told us. “If the accusations are true, the CNIL could carry out checks that could lead to an order to comply or a sanction if breaches are found. In the absence of a breach, the procedure would be terminated.”

Machine learning concerns

Ireland’s Data Protection Commission (DPC) and France’s national equivalent, the CNIL, were both cited in the ‘Mudge report’ — in one instance in relation to Zatko’s suspicion that Twitter intended to mislead them in relation to enquiries about data-sets used to train its machine learning algorithms in a similar way to how the complaint alleges Twitter misled the FTC years earlier over the issue.

In a section of the complaint given the title “misleading regulators in multiple countries”, Zatko asserts that the FTC had asked Twitter questions about the training material used to build its machine learning models.

“Twitter realized that truthful answers would implicate the company in extensive copyright / intellectual property violations,” runs the complaint, before asserting that Twitter’s strategy (which he says executives “explicitly acknowledged was deceptive”) was to decline to provide the FTC with the requested training material and instead point it to “particular models that would not expose Twitter’s failure to acquire appropriate IP rights”.

The two European regulators come into the picture because Zatko suggests they were poised to make similar enquiries this year — and he says he was told by a Twitter staffer that the company intended to try to use the same tactic it had deployed in response to earlier FTC enquiries on the issue, to derail regulatory scrutiny.

“In early 2022, the Irish-DPC and French-CNIL were expected to ask similar questions, and a senior privacy employee told Mudge that Twitter was going to attempt the same deception,” the complaint states. “Unless circumstances have changed since Mudge was fired in January, then Twitter’s continued operation of many of its basic products is most likely unlawful and could be subject to an injunction, which could take down most or all of the Twitter platform.”

Neither the Irish nor French watchdog responded to questions about the specific claims being made. So it’s not clear what enquiries the EU data protection agencies may have made — or be planning to make — of Twitter in relation to its machine learning training data-sets.

One possibility — and perhaps the most likely one, given EU data protection law — could be they have concerns or suspicions that Twitter processed personal data to build its AI models without having a proper legal basis for the processing.

In a separate example, the controversial facial recognition firm, Clearview AI, has in recent months faced a raft of regional enforcements from DPAs linked to its use of personal data for training its facial recognition models. Although the personal data in that case — selfies/facial biometrics — is among the most protected ‘sensitive’ class of data under EU law, meaning it carries the strictest requirements for legal processing (and it’s not clear whether Twitter might have been using similarly sensitive data-sets for training its AI models).

Cookies out of control?

The Mudge complaint also makes a direct claim that Twitter misled the CNIL over a separate issue — related to improper separation of cookie functions — after the French watchdog ordered it to amend its processes to come into compliance with relevant laws in December 2021.

Zatko alleges that up until Q2/Q3 of 2021 Twitter lacked sufficient understanding of how it was deploying cookies and what they were used for — and also that Twitter cookies were being used for multiple functions, such as ad tracking and security sessions.

“It was apparent Twitter was in violation of international data requirements across many regions of the world,” the complaint asserts.

A key tenet of European Union data protection law that applies here is ‘purpose limitation’ — i.e. the principle that personal data must be used for the stated (legitimate) purpose it was collected for; and that uses for data should not be bundled. So if Twitter was mingling cookie function for distinctly different purposes, such as marketing and security — as the complaint claims — that would create clear legal problems for it in the EU.

According to the complaint, the CNIL got wind of a cookie function problem at Twitter and ordered the company to fix it at the end of last year, presumably relying on its competence under the EU’s ePrivacy Directive (which regulates use of tracking technologies like cookies).

Zatko writes that a new privacy engineering team at Twitter had worked “tirelessly” to disentangle cookie function in order to permit “some form of user choice and control” — to, for example, deny tracking cookies but accept security-related cookies — as would be required under EU law. And he says this fix was rolled out, exclusively in France, on December 31, 2021, but was immediately rolled back and disabled after Twitter encountered a problem — an ops SNAFU he seizes on to heap more blame on Twitter for failing to have a separate testing environment.

But while he writes that the bug was fixed “in a matter of hours”, he claims Twitter product and legal decision-makers blocked rolling it out for another month — until January 31, 2021 — “in order to extract maximum profit from French users before rolling out the fix”.

“Mudge challenged executives to claim this was anything other than an effort to prioritize incremental profits over user privacy and legal data privacy requirements,” the complaint also asserts, adding: “The senior leaders in that meeting confessed that Mudge was correct.”

Zatko makes a further claim that Twitter launched “proactive” legal action — in which he says they were “attempting to claim that all cookies were by definition critical and required, because the platform is powered by advertisements” — before going on to allege that during internal conversations he heard product staff stating the argument was “false and made in bad faith”.

Twitter was contacted for a response to the specific claims referenced in cited portions of the whistleblower’s report but at the time of writing it had not responded. But the company put out a general response to the Mudge report yesterday — dismissing the complaint as a “false narrative” by a disgruntled former employee, which it also claimed was “riddled with inconsistencies and inaccuracies”.

Regardless, the whistleblower complaint is already sparking fresh regulatory scrutiny of Twitter’s claims.

It’s not clear what penalties the company could face in the EU if regulators decide — on closer inspection — that it has breached regional requirements after following up on Mudge’s complaint.

The GDPR allows for penalties that scale up to 4% of annual global turnover — although Twitter’s prior GDPR penalty, for a separate security-related breach, fell far short of that. However, enforcements are supposed to factor in the scale and extent (and indeed intent) of any violations — and the extensive failings being alleged by Mudge could — if stood up by formal regulatory investigation — lead, eventually, to a far more substantial penalty.

The ePrivacy Directive, which gives CNIL competency to regulate Twitter’s cookies, empowers DPAs to issue “effective, proportionate and dissuasive” sanctions — so it’s hard to predict what that might mean in hard financial terms if it deems a fine is justified. But in recent years the French watchdog has issued a series of multi-million dollar fines to tech giants for cookie-related failures.

This includes two beefy penalties for Google — a $170M fine in January over deceptive cookie consent banners; and a separate $120M fine in December 2020 for dropping tracking cookies without consent — as well as a $68M fine for Facebook back in January (also for deceptive cookies), and a $42M fine for Amazon at the end of 2020, also for dropping tracking cookies without consent.
