Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: The Register
Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is “personal data” as defined by the EU’s GDPR and that this data is illegally processed.
Based in Vienna, Austria, Noyb is a nonprofit founded by Max Schrems, a lawyer and privacy advocate, to focus on “commercial privacy and data protection violations”. It says that “the core task of the office is to work on our enforcement projects and to engage in the necessary research for strategic litigation.”
The complaint against Google, which was filed with the Austrian Data Protection Authority, is based on the claim that Google’s Android operating system generates the advertising ID without user choice as required by GDPR. “In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device,” said Noyb lawyer Stefano Rossetti.
According to Google: “The advertising ID is a unique, user-resettable ID for advertising, provided by Google Play services. It gives users better controls and provides developers with a simple, standard system to continue to monetize their apps. It enables users to reset their identifier or opt out of personalized ads (formerly known as interest-based ads) within Google Play apps.” The opt-out is in Google settings but when you do opt out, it does not delete the advertising ID.
It appears that the effectiveness of the opt-out is in part down to app developers. “The status of the ‘Opt out of Interest-based Advertising’ or ‘Opt out of Ads Personalization’ setting must be verified on each access of the ID,” Google’s documentation states.
There is an option to reset the ID, but when you do so you get a new one, so this will only be effective long-term if you do it repeatedly. “It is like cancelling a contract only under the condition that you sign a new one,” said Rossetti.
The complaint can be viewed here [PDF] and raises key questions about privacy, choice, and tracking. It states that the complainant (the name is redacted) completed a Google contact form to withdraw consent to use of the advertising ID (if consent had been given, which is disputed), and to object to its processing. Article 7 of the GDPR states that “the data subject shall have the right to withdraw his or her consent at any time.” Article 21 is a “right to object at any time to processing of personal data concerning him or her” for marketing and profiling, following which the law states that “the personal data shall no longer be processed for such purposes.”
The complaint says that there is no opt-in “consent button” for the advertising ID. Although users have to agree to the general Google privacy policy, according to the complaint this consent “was neither informed, specific (the data subject has to agree to all Google services in a single step), nor free (the user cannot use a €800 phone without agreeing).”
Google responded to the request by stating that “in the case of non-account holders, Google does not have the means to verify the identity of data subjects from an Advertising ID and therefore, we cannot take specific action on the basis of the content contained in your email” and that “you may immediately cease the processing of personal data related to your Advertising ID by resetting your Advertising ID.”
However, the GDPR states in Article 12 that “the controller shall not refuse to act… unless the controller demonstrates that it is not in a position to identify the data subject.” The complaint claims that “no technical or logical argument was provided, as to why the identification of the Complainant was not possible.”
Apple, notes the complaint, has a similar advertising ID in iOS but explains that this can be “replaced with a non-unique value of all zeros to prevent the serving of targeted ads”.
The complaint requests that Google is ordered to “permanently delete the advertising ID”, provide access to the data collected, and be fined based on various GDPR breaches.
According to Noyb, the complaint was partially based on the Norwegian Consumer Council’s investigation called Out of control. This report claimed it could demonstrate “how every time we use our phones, a large number of shadowy entities that are virtually unknown to consumers are receiving personal data about our interests, habits, and behaviour.”
The UK’s Information Commissioner’s Office has said that it has “significant concerns about the lawfulness of the processing of special category data which we’ve seen in the industry, and the lack of explicit consent for that processing”.
However, the watchdog recently stated that it had decided “to pause our investigation into real-time bidding and the adtech industry” because of COVID-19. It said that “concerns about adtech remain and we aim to restart our work in the coming months, when the time is right” – news which was not well received by privacy advocates.
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv10, CHFI, ECSAv10, CAST, ENSA, CCNA, CCNA SECURITY, MCITP, RHCE, CHECKPOINT, ASA FIREWALL, VMWARE, CLOUD, ANDROID, IPHONE, NETWORKING, HARDWARE, TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, CSA Certified SOC Analyst, CTIA EC-Council Certified Threat Intelligence Analyst, Center For Advanced Security Training in India, ceh v10 course in Pune-India, ceh certification in pune-India, ceh v10 training in Pune-India, Ethical Hacking Course in Pune-India