It started with a billboard.

High above the Las Vegas Convention Center, just off the Strip, a message from Apple looked down on the annual Consumer Electronics Show, where key competitor Google was preparing to announce its latest and greatest technological developments.

“What happens on your iPhone, stays on your iPhone,” the billboard read. A riff on the popular Vegas saying, the quote garnered attention for Apple at a convention it wasn’t even attending and stands as the opening salvo in a war of words tech giants have waged in 2019 around the burgeoning world of data privacy legislation.

“I’m starting to see that, and it’s pretty new,” says Dominic Sartorio, SVP of products and development at software provider Protegrity. “It used to be: keep quiet, because you don’t want to be out there publicly gloating and then the very next day you’re the one that gets breached as well. It used to be like that.”

He adds: “What’s starting to change is now that companies are putting in place more sophisticated and more mature data protection mechanisms, they may feel more confident.”

Since data privacy laws came into vogue with the European Union’s General Data Protection Regulation (GDPR) taking effect in May 2018, Apple certainly has not lacked for confidence. CEO Tim Cook spoke in Brussels on the topic in October 2018, calling on the United States to enact its own version of the law and bashing those who “put profits over privacy.”

Hypocrisy, some in the industry thought. Alex Stamos, former chief security officer at Facebook, quickly took to Twitter to point a finger at Apple’s practices in China, where the company has notably made concessions on user privacy to appease the government. He did so in defense of his prior employer, perhaps the organization most accused of putting profit over privacy.

“We don’t want the media to create an incentive structure that ignores treating Chinese citizens as less-deserving of privacy protections because a CEO is willing to bad-mouth the business model of their primary competitor, who uses advertising to subsidize cheaper devices,” Stamos wrote.

Things went quiet until Apple again made headlines in January with its billboard, universally seen as a shot at the privacy shortcomings of Google, which would be fined €50 million (U.S. $57 million) later that month by France’s data protection watchdog, CNIL, for GDPR violations in its ad practices. Google continued to find itself in the muddy waters of the GDPR, with Ireland’s regulator launching a new probe into the search giant in May, yet that same month CEO Sundar Pichai couldn’t help but take a veiled shot back at Apple in a New York Times opinion piece defending Google’s dedication to privacy.

“Our mission compels us to take the same approach to privacy,” Pichai wrote. “For us, that means privacy cannot be a luxury good offered only to people who can afford to buy premium products and services. Privacy must be equally available to everyone in the world.”

The “premium products” jab didn’t seem to faze Apple. It wasn’t until August that Google really ruffled its competitor’s feathers, courtesy of a blog post from its Project Zero team.

In the post, titled “A Very Deep Dive into iOS Exploit Chains Found in the Wild,” the Project Zero team, whose job is to find zero-day vulnerabilities in widely used software, carefully walked through the iOS flaws that a handful of hacked websites had used to compromise visitors’ iPhones, the last of them fixed in iOS 12.1.4 in February 2019; subsequent reporting identified the targets as China’s Uyghur Muslim community. Perhaps it was explained too carefully, though: the technical detail drowned out how narrowly targeted the campaign was and caused many iPhone owners unnecessary concern that they might have been hacked.

“The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” Apple responded in a statement. “The attack affected fewer than a dozen Websites that focus on content related to the Uyghur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.


“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case.”

Facebook has also had its say in the back-and-forth, with veiled shots from CEO Mark Zuckerberg at Apple’s practices in China. Elsewhere, other companies have been much less subtle, like the Mozilla Foundation publicly calling out payment service provider Venmo twice in the last two years over its privacy practices.

Herein lies the risk that affects all companies. Beyond complying with new privacy regulations that carry stiff penalties for requirements that are not easy to meet, the prospect that another firm could put a target on your back over your privacy practices poses significant reputational risk.

“To me, the companies that have distinguished themselves the greatest and are far long in the maturity curve are the companies that have really viewed privacy and good data protection/data governance as a competitive differentiator for them,” says Hilary Wandall, senior vice president, general counsel, and chief data governance officer at TrustArc. “They see it as embedded into goodness in practice—their reputation as a whole—with customers as well as the broader public, and that has really been the primary driver.”

With great power …

Privacy laws are undoubtedly designed to empower consumers to protect themselves and their data from misuse by companies. But what happens when consumers use that power for purposes other than the intended ones?

An example of such conduct arose in October, when a post on the social news site Reddit went viral after urging readers to overload the gaming company Blizzard with GDPR right-of-access requests (Article 15). The post, shared the same day Blizzard made the controversial decision to ban a top player of its digital card game Hearthstone for comments supporting the Hong Kong protests, received more than 8,000 upvotes.

“Under EU law, you’re allowed to request all information a company has on you, along with the purpose of this information collection,” the poster wrote. “What most people don’t know, is that these requests are VERY hard to comply with and can often take [a company’s] legal group 2-7 days to complete PER REQUEST. If a company doesn’t get you the information back in 30 days, they face fines and additional issues. In extreme cases, a company can request an additional 2 months to complete the requests if there is a large volume but, suffice to say, if a company gets a significant amount of requests, it can be incredibly expensive to deal with, as inevitably they will have to hire outside firms/lawyers to help out.”

The poster included a letter that other users could simply copy and paste to submit their own GDPR requests, as well as a follow-up comment defending his or her motives against accusations of abusing the GDPR.

“Blizzard has made it clear that they value profit above principle and are willing to bend over backwards for China,” the poster wrote. “With that being the case, understanding what they are doing with my data, who they have provided it to, what measures third parties that have access to it are doing to keep it safe is incredibly important to know. This is literally exactly why these provisions exist in GDPR.”

“You’re doing God’s work for that premade letter,” one commenter replied. “I’m totally gonna do that first thing after I wake up.”

Unsurprisingly, many of the comments on the post struck the same tone. One from an individual claiming to be a data protection officer (DPO) said “reading this post made me break out in cold sweat,” before lauding the original poster as a “miserable bastard genius.”

Requests for comment from Activision Blizzard were not returned.

“It totally does not surprise me,” Sartorio says of the Reddit movement. “The idea of, ‘OK, I’m going to inundate these guys with right-to-be-forgotten requests as a social statement.’ It’s cool, it’s innovative, it’s fun, and not surprising.”

The worst-case scenario?

Asked about the reputational risks that competitors and consumers pose when it comes to data privacy, Wandall envisioned the following:

“You can imagine a scenario where a competitor looking to give itself an advantage would find a way to … hire an agency to go and do a blast on its competitor to submit a whole bunch of individual rights requests to slow that company down from being able to focus on its core business and use that as a way to create inefficiency in the business and harm it. What measures are there today to prevent that from happening?

“The only thing that really exists right now is companies have to—if you look at the CCPA and those regulations—there’s nothing that says you don’t have to respond to a request. You have to respond to a request and acknowledge you received it, at least under the proposed regulations, within 10 days, but then you look at really harmful scenarios from a competitive standpoint, you could see how companies could try to harm their competition by creating significant inefficiencies and administrative burdens for them that way.

“Certainly one would hope companies won’t engage in such practices, but I can see how some might.”

Mounting a defense

Under the GDPR, the onus is on the company to produce the requested data, and to do so within one month of receipt (Article 12(3)), extendable by two further months only where requests are complex or numerous. So even if 10,000 consumers flood a company with requests for the sole purpose of disruption, that’s the company’s problem.

“So many of these emerging trends in terms of laws aimed at protecting the consumer … are written by bureaucrats who really don’t understand the business ramifications—they’re written often in a vacuum,” said Anh Tran, CEO of insurance firm Allianz of America, during a panel on enforcement trends at Compliance Week Europe. She was responding to a question from a McDonald’s compliance officer in the audience who was worried about keeping up with customer demands for data. “It puts a specific burden on us,” Tran added.

In such a case, a company subject to the GDPR can refuse to act on a request, or charge a reasonable fee, if it can demonstrate the request is “manifestly unfounded or excessive” (Article 12(5)), which would cover requests malicious in intent. The burden of proof sits with the company, though, and a prudent program would still consider each request on a case-by-case basis, so a level of disruption is unavoidable.

The same language is built into the upcoming California Consumer Privacy Act (CCPA).

So what can a company do to protect itself in such a scenario? Sartorio’s first suggestion is simple: Don’t put a target on your back.

“If you put yourself out there with a very public statement around privacy or rights in the digital sphere, generally you should be prepared to deal with that kind of social activism,” he said.

Preparedness is key, and automated tooling can go a long way toward handling such a flood when it arrives. Perhaps the best defense, however, is putting someone in place to identify the issue before it even becomes one.

Image caption: Google launched a worldwide ad campaign this year touting its data privacy tools.

“I think that is one of the most important things companies can do to protect themselves—put somebody who is thinking about these things strategically and has a voice with the business leaders of the company to make sure everybody is mindful of the problems,” Wandall says.
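The automated tooling mentioned above can be sketched concretely. What follows is an added example written for this article, not code from Blizzard, Protegrity, TrustArc or any other company named here. It assumes inbound requests have already been parsed out of an inbox into dictionaries; the similarity cut-off, burst window, burst threshold and repeat-requester threshold are placeholder values an operator would tune against their own baseline, and the sample inbox is constructed. The script flags near-duplicate (copy/paste) request bodies, bursts of requests in a short window and repeat requesters, and computes the Article 12(3) deadlines. What it deliberately does not do is refuse anything: under Article 12(5) the company must demonstrate that a request is manifestly unfounded or excessive, so flagged requests go to a reviewer, and a genuine request that happens to arrive inside a burst (the last sample request) is flagged for review rather than dropped.

```python
"""Triage for a flood of data subject access requests (DSARs).

Added illustration for this article; not Blizzard's, TrustArc's or
Protegrity's code. Assumptions not taken from the article: requests have
already been parsed out of e-mail into dicts, and the similarity cut-off,
burst window/threshold and repeat-requester threshold are placeholders an
operator would tune against their own baseline.
"""
import calendar
import re
from datetime import datetime, timedelta

TEMPLATE_SIMILARITY = 0.75          # assumed Jaccard cut-off for copy/paste bodies
BURST_WINDOW = timedelta(hours=24)  # assumed trailing window for volume checks
BURST_THRESHOLD = 5                 # assumed: more than this in the window is abnormal
REPEAT_THRESHOLD = 2                # assumed: more than this from one address is "repetitive"


def add_months(when, months):
    """Calendar-month arithmetic: GDPR Art. 12(3) counts in months, not days."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])  # clamp, e.g. Jan 31 -> Feb 28
    return when.replace(year=year, month=month, day=day)


def deadlines(received):
    """Art. 12(3): act within one month of receipt; extendable by two further
    months for complex or numerous requests, provided the data subject is told
    of the extension (with reasons) within the first month."""
    first = add_months(received, 1)
    return {"respond_by": first, "notify_extension_by": first,
            "extended_by": add_months(received, 3)}


def shingles(text, n=4):
    """Word n-grams, so matching is robust to a swapped-in name or date."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def triage(requests):
    """One triage record per request, oldest first.

    Flags are hints for a human reviewer only: under Art. 12(5) the controller
    must demonstrate that a request is manifestly unfounded or excessive, so
    nothing here refuses a request by itself.
    """
    requests = sorted(requests, key=lambda r: r["received"])
    bodies = {r["id"]: shingles(r["body"]) for r in requests}
    by_email = {}
    for r in requests:
        by_email[r["email"]] = by_email.get(r["email"], 0) + 1
    results = []
    for r in requests:
        flags = []
        # near-duplicate bodies: the copy/paste letter shows up as a cluster
        twins = [o["id"] for o in requests if o["id"] != r["id"]
                 and jaccard(bodies[r["id"]], bodies[o["id"]]) >= TEMPLATE_SIMILARITY]
        if twins:
            flags.append("templated")
        # volume: requests received in the trailing window, this one included
        window_start = r["received"] - BURST_WINDOW
        in_window = sum(1 for o in requests
                        if window_start <= o["received"] <= r["received"])
        if in_window > BURST_THRESHOLD:
            flags.append("burst")
        # Art. 12(5) names "repetitive character" explicitly
        if by_email[r["email"]] > REPEAT_THRESHOLD:
            flags.append("repeat-requester")
        record = {"id": r["id"], "flags": flags, "similar_to": twins,
                  "action": "review under Art. 12(5)" if flags else "fulfil"}
        record.update(deadlines(r["received"]))
        results.append(record)
    return results


# Constructed sample inbox: one organic request, six copy/paste requests in a
# 35-minute burst, then a genuine follow-up that lands inside the burst window.
_TEMPLATE = ("Dear data protection officer, under Article 15 of the GDPR I, [NAME], "
             "request a copy of all personal data you hold about me, the purposes of the "
             "processing, the recipients, and the retention period. I also request the "
             "source of the data and any automated decision making applied to it. "
             "Please respond within one month.")

SAMPLE_REQUESTS = [
    {"id": "R1", "email": "organic@example.com",
     "received": datetime(2019, 10, 7, 9, 15),
     "body": "Hi, I closed my account last year and would like to know what you still "
             "store about me, mostly purchase history and support tickets."},
    {"id": "R8", "email": "organic@example.com",
     "received": datetime(2019, 10, 9, 10, 0),
     "body": "Following up on my earlier message: please also include any data shared "
             "with third parties."},
] + [
    {"id": f"R{i + 2}", "email": f"user{i}@example.com",
     "received": datetime(2019, 10, 8, 20, 0) + timedelta(minutes=7 * i),
     "body": _TEMPLATE.replace("[NAME]", f"Person {i}")}
    for i in range(6)
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_REQUESTS):
        print(rec["id"], rec["action"], rec["flags"], "respond by", rec["respond_by"].date())
```

Run the file directly to print one line per request. The genuine follow-up at the end is flagged “burst” purely because of when it arrived, which is exactly why the flags feed a reviewer rather than an automatic refusal; the one-month clock, meanwhile, starts for every request the moment it lands, templated or not.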

Change needed?

The GDPR is just the beginning for data privacy legislation. The CCPA is around the corner in the United States (Jan. 1, 2020), and with that could come a new wave of additional state privacy laws that expose more companies to the same risks.

Could targeted campaigns by competitors and consumers lead to change?

“I think laws will have to take account for it,” says Wandall. “I don’t think the laws will be able to keep up with the issues companies are facing.

“The law will have to evolve to address these risks that weren’t necessarily anticipated at the time but were written strictly to address individual rights. Because there are competing risks at play, it will have to be balanced in terms of the underlying legislation itself or the regulations.”