How is privacy made? On individual basis, it takes a lot of research and wise steps to find and choose trusted software. To achieve, even a basic level of personal privacy online as an active internet user has become extremely challenging. Thankfully, there are people out there, who have our back and are actively fighting for citizens’ and customers’ right to privacy online.
Privacy advocate Dr Johnny Ryan is one of them. Ryan graduated from the University of Cambridge, where he also finished his PhD degree. Dr Johnny Ryan has profiled as an influential expert and champion of privacy, as both former Chief Policy Officer at Brave Software and Senior Fellow at ICCL (Irish Council for Civil Liberties). He also released two publications, first of which was based on his work as a Senior Researcher at the Institute of International & European Affairs in Dublin and was the most cited source in the European Commission’s impact assessment that decided against pursuing Web censorship across the European Union.
Bravely facing Google
As a Chief Policy Officer at Brave Software, Dr. Ryan filed a formal complaint against Google’s alleged GDPR breach, namely article 5(1)b. This article of GDPR sets forth the principle of so-called purpose limitation, which basically means that for whichever legal purpose the company has collected the user data, it has to serve only those purposes, and can’t be processed beyond that. Precisely, the collected data shall be:
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
However, Google seemed to act not in compliance with the GDPR standards of data processing and that is the reason why Dr Johnny Ryan filed the complaint with Google’s lead GDPR regulator in Europe, the Irish Data Protection Commission, on March 16, 2020. The same day, he also tweeted about it, along with the reference to the document called “Inside the Black Box“, which shows the table of Google’s processing purposes, and their purported legal bases.
The external analysis to credibly document privacy violations is extremely arduous. The complaint against Google alone is the result of six month work, when Dr. Ryan was trying to learn what Google does with our data. Brave has sought recourse from the Google’s regulator to reveal it. Regarding the outcome, Dr Ryan has said:
Google has personal data about everyone. It collects this from products like YouTube and Gmail, and many other Google products that operate behind the scenes across the Internet.
But this is not where the incentive ends. Brave took an extra mile to draw the attention of authorities:
Brave has written to European competition regulators to draw their attention to the complaint and highlight the purpose limitation remedy, including the European Commission, the Bundeskartellamt, the UK Competition & Markets Authority, the Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission.
Whatever the laws on the books may be, someone has to care enough to draw the attention of the authorities to these transgressions.
Beyond The Regulators
Alas, the authorities didn’t act immediately. Ryan’s determination to make giants act in GDPR compliant way cemented his decision to leave Brave Software and join ICCL (Irish Council of Civil Rights). In result, now as a Senior Fellow at ICCL, he used the right to go directly to the court. In his own words:
Before Brave, I spent some months trying to get NGOs to act, to no avail. Then I joined Brave and realised that we needed to take action ourselves. We spent two years trying to get enforcement, but the enforcers did not act. It’s clear to me that it’s time to move to the next level, and that’s preparing for litigation.
Ryan’s litigation does not limit itself to Google alone. Focused on RTB (real-time bidding), Dr Ryan wants the whole industry to change, facing the big tech companies like Amazon, Facebook, Google, AT&T etc. RTB appears to be a huge problem. It tracks us across the internet, collecting sensitive data about us with ties to ID codes. Furthermore, no information is taboo. From our preferences, through gender, sexuality, religious beliefs, health condition, to political views or even geolocation, sometimes right up to our GPS coordinates. Everything is exposed, available to ad companies and other bad actors.
To expose the TOP RTB companies, ICCL came up with the list titled Biggest Data Breach Ever.
Thus, RTB has become a central target of ICCL’s lawsuit in Germany. Online advertising is governed by IAB TechLab, which sets the rules, described by SpiritLegal as reckless and harmful. IAB TechLab’s members are the prominent companies across the business spectrum: tech companies, data brokers, and advertising agencies, all follow suit. How will this turn out? I hope that authorities could no longer be able to turn a blind eye to this illegal behaviour. However, courts are known to be slow and the whole proceeding has just began. Will we ever see a future where online tracking is finally constrained?
Ryan characterises the battle thus:
By challenging the online advertising industry’s standards, our lawsuit takes aim at Google, Facebook, Amazon, Twitter, Verizon, AT&T and the entire online advertising & surveillance industry. This industry tracks us, and builds hidden dossiers about our most intimate secrets. Starting today, we mean to change that.
We support Dr Ryan’s initiative and wish him godspeed and good luck.
Call For Improvement
Strangely, we learned about Dr Ryan’s work first hand. He found time to Lastly, after having big tech companies under radar, believe it or not, our small business isn‘t exempt from the spotlight either. However, Dr Ryan’s tone differed a lot. One day when I opened the mailbox, I found a message by Dr. Johnny Ryan himself. Was he complaining? Not really. Was his request of great help for us? Sure!
By default FV Player has always used a minimum of cookies and offers reasonable user privacy. On the other hand, it’s always possible to go an extra mile. How about having an option to set no cookies at all? This was Dr Ryan’s request, no cookies. We were happy to add a no-cookies option to FV Player.
Not only does Dr Ryan use FV Player for his own site, he has been kind enough to recommend FV Player as privacy-respecting software. It’s a good feeling to have been able to build software which can safely be used by human rights activists and anti-tracking/surveillance fighters of ICCL.