Asking companies to clarify surveillance of consumers

13. mai, 2020

The Norwegian Consumer Council asks eight companies to clarify their surveillance of users of the apps Perfect365 and MyDays.

Update 14.05.20: The technical test shows that Fluxloop is involved in the transfer of personal data from the Perfect365 app, but not that the company processes the data itself.

The Norwegian Consumer Council is asking the companies FluxLoop, Fysical, Neura, Placed/Foursquare, Placer, Receptiv/Verve, Safegraph, and Unacast, to clarify their collection of personal data from the makeup app Perfect365 and period tracker app MyDays.

–  These companies have a business model that is, according to our analysis, clearly in breach of the General Data Protection Regulation (GDPR). It is impossible for consumers to know what data is being collected, who it is shared with, and how it is used, says Gro Mette Moen, acting head of unit, Digital services in the Norwegian Consumer Council.

– The Norwegian public broadcaster (NRK) recently uncovered (in Norwegian) that it is possible to purchase location data about thousands of Norwegian consumers from the British data broker Tamoco. However, it is important to understand that this is just the tip of the iceberg. An entire industry is based on commercial surveillance of consumers, through the collection and sale of our personal data.

Based on the response from the companies, the Consumer Council will consider filing complaints to the Norwegian Data Protection Authority (Datatilsynet), in a collaboration with the Austrian privacy NGO noyb.

Simultaneously, noyb is filing a complaint against Google to the Austrian data protection authority for Google’s use of the Advertising ID. The Advertising ID is a unique identifier generated by smartphones, which allows companies to track users across services. The complaint is based on work done by the Norwegian Consumer Council and noyb as part of the “Out of Control” campaign.

Out of control surveillance

In January, the Consumer Council published the report “Out of Control”, as part of a campaign that included more than 40 consumer and human rights organizations from across the world. In the wake of the report, the Consumer Council filed complaints against six companies to the Norwegian Data Protection Authority for breaching the GDPR.

In the report, the Consumer Council revealed how popular apps are sharing personal data with third parties. These third parties, which operate as “data brokers”, have a business model based on the commercial surveillance of consumers.

The technical analysis of apps was performed by the Norwegian security company Mnemonic. The analysis of the adtech industry was done together with the Austrian researcher Wolfie Christl from Cracked Labs.

May have dramatic consequences

The intimate knowledge of our preferences and when we are most susceptible to manipulation is a threat not only to our consumer and privacy rights, but may have dramatic consequences for society at large.

– There are numerous examples of how this type of information can be abused, from manipulating elections, to targeting advertising toward people struggling with addictions. Data breaches can lead to scams and theft, and could also be used to persecute vulnerable groups, says Gro Mette Moen.

– Personal data can be used in circumstances completely divorced from why it was collected in the first place. For example, health data could be used for insurance or other commercial purposes, or be used to discriminate you based on properties such as ethnicity or gender. Furthermore, Amnesty International has demonstrated how this business model is a threat to the freedom of speech and to democratic institutions.