GDPR – Springtime for Spammers

The much lauded GDPR has failed to achieve its hyped expectations.

The General Data Protection Regulation (GDPR) has led to loopholes, and interpretations moulded to suit the business practice.

Greece, Slovenia and Portugal have not fully implemented the directive, and Bulgaria, the Czech Republic, Estonia, Finland, Slovenia, and Spain were almost a year late in transcribing it into national law.

In the data-industrial complex the GDPR promise is flawed mostly because privacy compliance is just an inconvenience to business. Most do the bare minimum to comply. Why would they do more?

Despite this, there is a vast ecosystem of corporate compliance tools. There are even GDPR experts and consultants claiming to be certified and official, when in fact there is no official certification standard.

Since GDPR came into force, Ireland’s Data Protection Commission (the body that monitors Big Tech in the EU) says it has launched 19 statutory investigations, 11 of which focus on Facebook, WhatsApp and Instagram.

The International Association of Privacy Professionals reports 94,000 individual complaints and 64,000 data breach notifications in the first year of GDPR – yet only €56 million in fines were issued in that first year.

If GDPR achieved one thing in its first year, it was global, if fairly toothless, hype.

Helen Dixon, the Irish data protection commissioner, says: “The intention was to modernize the law and harmonize it across Europe. It’s clear we’re moving away from that.”

GDPR is also ailing because there are ‘soft opt-in’ rules that allow ‘related products’ to be marketed to users. A company can legally pitch a secondary product or service to its list, or data group. There’s also ‘legitimate interest’, which allows for direct marketing. Again, many of the rules are debatable and poorly enforced. For instance, what is “strictly necessary”?

To the public, GDPR was about email. It’s no wonder that hoaxing and phishing are commonplace during ‘public service announcement’ periods, like the run-up to GDPR, when people lower their guard.

One way spammers do this is to use the Facebook, Google, Twitter and LinkedIn platforms, or to send emails with unsubscribe options (which is permitted in the USA under the CAN-SPAM Act of 2003, so long as there is an opt-out). If the email is a ‘service update’, GDPR can be circumvented. For instance, a mobile phone company email might include a sales pitch. The email might read: “Our pricing is changing. To view the new tariffs, go here; to view our new phones and upgrade to a package deal including broadband and TV, go here”. Or it might ask users to reconfirm their details for security, while also slipping in a sales message. These are simple examples, but they show how the platforms offer cover for spammers.

Pre-GDPR, UK airline FlyBMI sent 3.3 million emails to an opt-out list and received a £70,000 fine for doing so. From a spammer’s angle the fines are relatively small. Post-GDPR, British Airways are appealing a £183m fine from the UK ICO. Ironically, the fine is for leaking the details of customers, who will now see fares rise and may contribute to the payment of the fine should they book with the airline in the future; the same goes for Marriott Hotels. Breaches are not new. Fines are not new. The levels may have changed, but the data practices not so much.

In the UK, ‘cold pitches’ to corporations are permissible, and therefore a spammer might just buy lists of corporate email addresses. If you can’t spam people privately, spam companies or politicians!

So long as the rewards are achievable, any fines are worthwhile. There are gambling websites paying upwards of €300 per new customer referred to them. AirBnB pays €360 per new host referred. Almost every subscription service on the net has an incentivised affiliate programme (payday loans, get-rich-quick schemes, digital downloads, gambling, software/warez, etc.).

Making money is simple arbitrage between cheap traffic, an email list and using non-confirming platforms.

Mobile notifications are an intrusion of privacy: a like, a poke, a retweet, a friend request, and alerts about what other contacts in your network are doing, not what you have done. Each intrusion comes as a notification that entices a response. As Foer called it, a “World Without Mind”, where algorithms dictate a reaction from us.

It’s leading to health issues, and companies have introduced dashboards that show the total time spent on an app. Apple termed this ‘digital wellbeing’.

Let’s not kid ourselves: the well-being is contradicted by a ‘take it or leave it’ ultimatum to consent to the platform’s Ts & Cs. The platforms may have limited third-party data sharing and removed many third-party data targeting options. But they left one glaring hole wide open: email uploads and targeted advertising.

GDPR can’t compete with a list of emails, or a remarketing list in Google Ads or Facebook.

Privacy regulations can’t keep up with side-loaded apps. They can’t keep up with data warehousing and data transfers.

Privacy regulations can’t keep up with opaque algorithms.

Yet Facebook still allow advertisers to upload email lists that can target at an individual level. They match users to the uploaded emails and then create custom lists. Custom lists mean it’s possible to spam news feeds.

Then, in a somewhat Cambridge Analytica fashion, an advertiser (that’s anyone with a bank account) can expand the targeting to ‘look-alike’ audiences. Those look-alikes are the Facebook users classified as a cohort of the original email contacts. If you ‘like’, ‘check in’ or post from a particular location, and exhibit an interest in something, Facebook can expand the data set and match those actions or demographics to similar people. Therefore, an email list of one hundred entries might end up targeting ten thousand ‘look-alike’ users. Just as Cambridge Analytica ran a personality quiz, then expanded the data set on those who responded to it, so too can email uploads deploy a similar payload.

Even if Facebook anonymise the data, they still offer cheap traffic and arbitrage for bad actors such as work-from-home scams, US-facing gambling companies, penny stocks and, until recently, bitcoin exchanges, all of which were rampant on the platform.

Take an email list and create an event on Facebook with a link to a product or website (include a re-marketing pixel), or create a group and upload the emails to LinkedIn. People respond, they click, they are added to a list. Use the Twitter API to automate everything, record the user IDs of those who respond, then target them with adverts. None of this is without work (or cost), but once on a platform, GDPR is largely irrelevant.

Google Ads is a similar story. AdWords can be used to target advertising at a given list of emails. Google permits any list of emails to be uploaded. No checks. Just upload 10,000 emails, choose your targeting method, and sit back. No compliance, no GDPR.

Like Facebook, Google has been affected by GDPR, but not in a bad way! Google has attempted to foist its rules on to publishers, telling publishers to gain consent as if they were the data processor, when Google is in fact the data controller because it holds the user data and sells it (not the publisher). The data controller should gain consent.

The other quagmire to come out of GDPR is third-party exchanges, like AppNexus, who hitherto sold traffic to Google, who then sold it to their advertisers. The problem being that some of the ad exchanges are questionable, and Google could not confirm that each exchange had gained user consent. So Google Display Network and DoubleClick For Publishers stopped serving traffic from many third-party ad exchanges. Reports note a 25 – 40 per cent drop in programmatic ad sales. For better or worse, the losers have been third-party ad exchanges. In turn, Google’s market dominance increased.

Google and Facebook command 84 per cent of global spending on digital advertising. GDPR has consolidated that dominant position. That fewer programmatic ads were available has lifted the price of those that are delivered. The market is rapidly moving to a duopoly, leaving publishers cap-in-hand to either Facebook or Google. Both platforms are real winners from GDPR in terms of advertising.

Publishers must accept Facebook and Google’s GDPR terms or remain outside of the advertising eco-system. GDPR was meant to protect the user, not protect the platforms (or spammers!).

Facebook say: here are our terms, this is how we harvest and profile you. Don’t agree? OK, goodbye. To the user it’s a Faustian pact to stay – and most do. The #DeleteFacebook campaign never came close to harming the company. Facebook reported mouth-watering 2018 financial results. Despite the scandal and techlash, fourth-quarter results beat projections for earnings and revenue as profit hit $6.88bn, up from $4.27bn a year before.

But it’s completely irrelevant whether you are registered on the site, because even if you have never signed up, ‘Zuck’ is still tracking you. The data is gathered from websites you visit that contain a ‘like’ button or a Facebook pixel.

Facebook cookies are placed on your device while you surf the open web, and data about you also arrives from contact lists uploaded by friends or family. If you were in those contacts, Facebook has a file on you.

Google is no better. One example of non-compliance: when a user turns off all tracking on their phone but checks a Google map, their position is recorded and they are monitored.

The weak spots are not hard to locate. Adhere to GDPR by never holding the data yourself. Use others to do that for you: LinkedIn, Twitter, Facebook, Google… even eBay and PayPal.

The way a spammer avoids GDPR compliance is along the lines of the way in which Google has acted towards publishers. Google wants publishers to gain user consent, while Google makes the money. The spammer wants the platform to gain consent, while the spammer makes money.

GDPR tried to change everything, and if everything changes, everything stays the same. So not a lot has actually changed – save the level of fines. Subject Access Requests were seen as the control mechanism, but firms can choose what to include in them, or in some cases simply ignore them.

The walled gardens of the platforms follow terms and conditions, not laws and regulations, and they can afford to pay or fight the fines.