The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement.

The change was described to Reuters by three people familiar with its plans. Google intends to require its British users to acknowledge new terms of service including the new jurisdiction.

Ireland, where Google and other U.S. tech companies have their European headquarters, is staying in the EU, which has one of the world’s most aggressive data protection rules, the General Data Protection Regulation.

Google has decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data, the people said.

If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations.

The recent Cloud Act in the United States, however, is expected to make it easier for British authorities to obtain data from U.S. companies. Britain and the United States are also on track to negotiate a broader trade agreement.

Beyond that, the United States has among the weakest privacy protections of any major economy, with no broad law despite years of advocacy by consumer protection groups.

A Google spokesman declined to comment ahead of a public announcement.

Source: Exclusive: Google users in UK to lose EU data protection – sources – Reuters

The nation’s largest financial data broker, Yodlee, holds extensive and supposedly anonymized banking and credit card transaction histories on millions of Americans. Internal documents obtained by Motherboard, however, appear to indicate that Yodlee clients could potentially de-anonymize those records by simply downloading a giant text file and poking around in it for a while.

According to Motherboard, the 2019 document explains how Yodlee obtains transaction data from partners like banks and credit card companies and what data is collected. That includes a unique identifier associated with the bank or credit card holder, amounts of transactions, dates of sale, which business the transaction was processed at, and bits of metadata, Motherboard wrote; it also includes data relating to purchases involving multiple retailers, such as a restaurant order through a delivery app. The document states that Yodlee is giving clients access to this data in the form of a large text file rather than a Yodlee-run interface.

The document also shows how Yodlee performs “data cleaning” on that text file, which means obfuscating patterns like “account numbers, phone numbers, and SSNs by redacting them with the letters “XXX,” Motherboard wrote. It also scrubs some payroll and financial transfer data, as well as the names of the banking and credit card companies involved.

But this process leaves the unique identifiers, which are shared across each entry associated with a particular account, intact. Research has repeatedly shown that taking supposedly anonymized data and reverse-engineering it to identify individuals within can be a trivial undertaking, even when no information is shared across records.

Experts told Motherboard that anyone with malicious intent would just need to verify a purchase was made by a specific individual and they might gain access to all other transactions using the same identifier.

With location and time data on just three to four purchases, an “attacker can unmask the person with a very high probability,” Rutgers University associate professor Vivek Singh told the site. “With this unmasking, the attacker would have access to all the other transactions made by that individual.”

Imperial College of London assistant professor Yves-Alexandre de Montjoye, who worked with Singh on a 2015 study that identified shoppers from metadata, wrote to Motherboard this process appeared to leave the data only “pseudonymized” and that “someone with access to the dataset and some information about you, e.g. shops you’ve been buying from and when, might be able to identify you.”

Yodlee and its owner, Envestnet, is facing serious heat from Congress. Democratic Senators Ron Wyden and Sherrod Brown, as well as Representative Anna Eshoo, recently sent a letter to the Federal Trade Commission asking for it to investigate whether the sale of this kind of financial data violates federal law.

“Envestnet claims that consumers’ privacy is protected because it anonymizes their personal financial data,” the congresspeople wrote. “But for years researchers have been able to re-identify the individuals to whom the purportedly anonymized data belongs with just three or four pieces of information.”

Source: Report: Firm Tracking Purchase, Transaction Histories of Millions Maybe Not Really Anonymizing Them

It’s very hard to get anonymity right.

The US state of Maine is violating internet broadband providers’ free speech by forcing them to ask for their customers’ permission to sell their browser history, according to a new lawsuit.

The case was brought this month by four telco industry groups in response to a new state-level law aimed at providing Maine residents with privacy protections killed at the federal level by the FCC just days before they were due to take effect.

ACA Connects, CTIA, NCTA and USTelecom are collectively suing [PDF] Maine’s attorney general Aaron Frey, and the chair and commissioners of Maine’s Public Utilities Commission claiming that the statute, passed in June 2019, “imposes unprecedented and unduly burdensome restrictions on ISPs’, and only ISPs’, protected speech.”

How so? Because it includes “restrictions on how ISPs communicate with their own customers that are not remotely tailored to protecting consumer privacy.” The lawsuit even explains that there is a “proper way to protect consumer privacy” – and that’s the way the FCC does it, through “technology-neutral, uniform regulation.” Although that regulation is actually the lack of regulation.

If you’re still having a hard time understanding how requiring companies to get their customers’ permission before they sell their personal data infringes the First Amendment, the lawsuit has more details.

It “(1) requires ISPs to secure ‘opt-in’ consent from their customers before using information that is not sensitive in nature or even personally identifying; (2) imposes an opt-out consent obligation on using data that are by definition not customer personal information; (3) limits ISPs from advertising or marketing non-communications-related services to their customers; and (4) prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost saving benefits in exchange for a customer’s consent to use their personal information.”

All of this results in an “excessive burden” on ISPs, they claim, especially because not everyone else had to do the same. The new statute includes “no restrictions at all on the use, disclosure, or sale of customer personal information, whether sensitive or not, by the many other entities in the Internet ecosystem or traditional brick-and-mortar retailers,” the lawsuit complains.

Discrimination!

This is discrimination, they argue. “Maine cannot discriminate against a subset of companies that collect and use consumer data by attempting to regulate just that subset and not others, especially given the absence of any legislative findings or other evidentiary support that would justify targeting ISPs alone.”

We’ll leave the idea that customers are suffering by not receiving marketing materials from companies that ISPs sell their data to alone for now and focus on the core issue: that if Google and Facebook are allowed to sell their users’ personal data then ISPs feel they should be allowed to as well.

Which is a fair point, although profoundly depressing in a broader context. The basic argument appears to be that we should only provide the minimum protections that are available. Nothing above minimum is legal.

If you look at what the statute actually does, it was clearly written in users’ own interests. It prevents companies from refusing to serve customers that do not agree to allow it to collect and sell their personal data and it requires ISPs to take “reasonable measures” to protect that data. Those companies are still allowed to use the data to market their own products; just not to sell it to others to sell theirs.

But because the ISPs successfully managed to get the FCC to kill off its own rules on similar protections, it argues that the scrapping of rules is the legal precedent here. “The Statute is preempted by federal law because it directly conflicts with and deliberately thwarts federal determinations about the proper way to protect consumer privacy,” the lawsuit argues.

The solution of course is federal privacy protections. But despite overwhelming public support for just such a law, the same ISPs and telcos fighting this law in Maine, have flooded Washington DC with lobbying money and campaign contributions to make sure that it doesn’t progress through Congress. And if this Maine challenge is successful, next in the ISPs’ sites will be California’s new privacy laws.

Source: Forcing us to get consent before selling browser histories violates our free speech, US ISPs claim • The Register