Category: privacy

To conduct the study, URL Genius used the Record App Activity feature from Apple’s iOS to count how many different domains track a user’s activity across 10 different social media apps — YouTube, TikTok, Twitter, Telegram, LinkedIn, Instagram, Facebook, Snapchat, Messenger and Whatsapp — over the course of one visit, before you even log into your account. YouTube and TikTok topped the other apps with 14 network contacts apiece, significantly higher than the study’s average number of six network contacts per app. Those numbers are all probably higher for users who are logged into accounts on those apps, the study noted.

Ten of YouTube’s trackers were first-party network contacts, meaning the platform was tracking user activity for its own purposes. Four of the contacts were from third-party domains, meaning the social platform was allowing a handful of mystery outside parties to collect information and track user activity. For TikTok, the results were even more mysterious: 13 of the 14 network contacts on the popular social media app were from third parties. The third-party tracking still happened even when users didn’t opt into allowing tracking in each app’s settings, according to the study. “Consumers are currently unable to see what data is shared with third-party networks, or how their data will be used,” the report’s authors wrote.

Separately, the bill creates a 19-person federal commission, dominated by law enforcement agencies, which will lay out voluntary “best practices” for attacking the problem of online child abuse. Regardless of whether state legislatures take their lead from that commission, or from the bill’s sponsors themselves, we know where the road will end. Online service providers, even the smallest ones, will be compelled to scan user content, with government-approved software like PhotoDNA. If EARN IT supporters succeed in getting large platforms like Cloudflare and Amazon Web Services to scan, they might not even need to compel smaller websites — the government will already have access to the user data, through the platform. […] Senators supporting the EARN IT Act say they need new tools to prosecute cases over child sexual abuse material, or CSAM. But the methods proposed by EARN IT take aim at the security and privacy of everything hosted on the Internet.

The Senators supporting the bill have said that their mass surveillance plans are somehow magically compatible with end-to-end encryption. That’s completely false, no matter whether it’s called “client side scanning” or another misleading new phrase. The EARN IT Act doesn’t target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies — from the largest ones to the very smallest ones — as its tools. The strategy is to get private companies to do the dirty work of mass surveillance.

The decision says IP addresses represent personal data because it’s theoretically possible to identify the person associated with an IP address, and that it’s irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed — the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers — Google’s or a CDN’s — that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.