Weekly readings – 29th June 2019

Bodies in seats. A horrifying investigative piece on the working environment of, and the emotional toll on, the employees tasked with policing content on Facebook.

Millions of Business Listings on Google Maps Are Fake—and Google Profits. Fake business listings plague Google Maps and can pose a real danger to users.

Why Google+ Failed. An insider perspective on why Google’s attempt to unseat Facebook failed.

The 70-year-old retiree who became America’s worst counterfeiter. A highly interesting story that I believe is unknown to many.

GDPR Enforcement Tracker. 56 fines since its official introduction, with Google’s $50 million fine as the biggest one so far. Whether or not GDPR has met your expectations, the most important point, I think, is this: without regulations, how could you hold companies accountable?

How E-Commerce Sites Manipulate You Into Buying Things You May Not Want

The Insulin Racket. A deep dive into why insulin, which is critical to many people’s well-being, became three times more expensive in the span of 10 years. Drug companies profited while lives were devastated.

Jony Ive Is Leaving Apple. I like John Gruber’s take on this.

Freemium’s Public Moment. Some interesting head-to-head comparisons between freemium-based companies.

Amazon is watching.

GDPR – Positive impact on firms

Last May, GDPR officially went into effect. Under GDPR, users are given more privacy rights and firms have to adhere to stricter privacy regulations than ever, unless they want to be subject to hefty fines. Under GDPR, fines can go up to 20 million euros or 4% of a firm’s global revenue. In the case of companies such as Google or Facebook, which earn billions of dollars in annual revenue, the fines could be significant.

I have been in favor of GDPR. Even though it isn’t perfect, as is the case with any law enacted for the first time, I believe that with GDPR we are going in the right direction. Below are a few examples:

According to the Cisco 2019 Data Privacy Benchmark Study:

GDPR-ready companies are benefitting from their privacy investments beyond compliance in a number of tangible ways. They had shorter sales delays due to customers’ privacy concerns (3.4 weeks vs. 5.4 weeks). They were less likely to have experienced a breach in the last year (74% vs. 89%), and when a breach occurred, fewer data records were impacted (79k vs. 212k records) and system downtime was shorter (6.4 hours vs. 9.4 hours). As a result, the overall costs associated with these breaches were lower; only 37% of GDPR-ready companies had a loss of over $500,000 last year vs. 64% of the least GDPR-ready.

Ad trackers were reduced, leading to faster-loading pages and a more pleasant user experience. Big firms are held more accountable: Google was fined $57 million for its GDPR violations, and without the new regulation I believe the amount would have been much less. California passed its toughest privacy law yet after being inspired by GDPR.

There is an argument that GDPR might lead to less competition in the advertising field, as only the likes of Google and Facebook have the resources to meet the requirements. An initial study seemed to support that.

Nonetheless, I think that even without GDPR, who could challenge Facebook and Google when it comes to serving ads? At least when more rights and protections are given to end users, users get some power back and firms are held to a higher standard. After all, innovation comes only from raising our standards, doesn’t it? Hence, GDPR is still a good move in the right direction and should be improved incrementally in the future. As a result, firms should pay more attention to privacy and security. It will no longer be a check-off-the-list item. It will be a competitive advantage moving forward, especially as everything goes digital.

Facebook & Privacy First Mentality

Quite a week for Facebook

It has been quite a few days for Facebook. First, two days ago on Techcrunch:

Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

Specifically, a phone number handed over for two-factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

Then, a bombshell was dropped yesterday. Per Wired:

On Friday, Facebook revealed that it had suffered a security breach that impacted at least 50 million of its users, and possibly as many as 90 million. What it failed to mention initially, but revealed in a follow-up call Friday afternoon, is that the flaw affects more than just Facebook. If your account was impacted, it means that a hacker could have accessed any account that you log into using Facebook.

Facebook’s track record in data security and privacy hasn’t been particularly stellar recently. 2018 is not 2010. Facebook no longer has the dominant position it used to hold in the social network market. Users have plenty of alternatives and substitutes to spend their time on. These scandals, coupled with its role in the “free speech vs hate speech” row, do no good to Facebook’s image or to its appeal to users, at a time when privacy has become an ever more pressing concern.

Privacy & regulations

I have been resigned to the fact that there is no anonymity on the Internet and that complete privacy isn’t possible. Yet when users trust a company with their data, whatever the data is, it’s the company’s responsibility to protect that data. As many important aspects of our lives take place on the Internet, the need to feel safe online is more pressing than ever. Without feeling safe, how could users feel comfortable using a service? Privacy and data security will be, if they are not already, expected of companies by default. They are not a nice-to-have feature any more. It’s a do-or-see-your-competitors-get-ahead game.

But companies are not in business to lose money. If they are not legally required to bolster their security, don’t expect them to. That’s why companies fought hard against GDPR and the privacy law passed in California this year. And this is where I don’t understand the criticisms some level at regulations such as GDPR. Yes, no law is perfect, especially in the beginning. That’s why we have amendments. GDPR is no exception. It is a great first step to give power back to users and force companies to be liable for their actions and inactions.

A common criticism of GDPR that I came across is that it makes compliance too expensive for small companies and startups, widening the moat, or competitive advantage gap, between giants such as Google and Facebook and SMBs. Well, if a company with deep pockets and better security measures has 10% of its 500,000-user base breached, the impact is 50,000 users. If a small company with fewer resources and much weaker security measures loses the data of all of its 50,000 users, the impact is the same as in the first scenario. Hence, breaches at SMBs can have significant damages and ramifications as well.

Sure, the best-case scenario is to have different levels of compliance applied to companies of different sizes. I’d love to see that happen. Nonetheless, without privacy regulations, imagine how little companies would care about our data and how much of a mess it would be. Despite having HIPAA in place, every year has been a banner year for cybersecurity incidents in healthcare in the US, and healthcare organizations spend 3% of their IT budget on cybersecurity. Verizon reported in its 2018 Payment Security Report that only 40% of all interviewed companies in North America maintained full compliance with PCI. Despite all the past scandals related to data security, Facebook still lets more unfortunate events happen. To be fair, I don’t imagine having impeccable security is easy. However, would companies even try to secure your data without any legal requirements?

Progress happens when we raise standards. Would cars be more environmentally friendly if we hadn’t enforced regulations on emissions? If a university wants to raise its standards for incoming students, will it lower or raise the GMAT/SAT requirement? Will a drug be safer for patients if the FDA enforces more tests or fewer? Big companies have the means to comply with stringent privacy regulations. For small companies and startups it is more difficult, but they have access to capital funding. Plus, public cloud providers are investing to make their infrastructure compliant with many regulatory regimes (see more here for AWS compliance and Azure compliance). Regardless of size, companies have to take privacy seriously and consider it an integral piece of the puzzle: a competitive advantage if done right, or a threat to their competitiveness if ignored.

Equifax fined by UK and GDPR

A couple of days ago, Equifax was fined by the UK’s authority for its data breach last year. The fine is the maximum penalty that could be issued, but it is still only half a million pounds, an amount that I think is trivial to a company of Equifax’s size.

John Oliver did a great piece on Equifax here. For a quick summary, I’ll let the FTC explain it:

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.

Here are the facts, according to Equifax. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.

Almost half of the American population had their sensitive data breached by the negligence of the credit agency. If you think that a breach of that size might have resulted in dire punishments and financial damages for the company, you are sorely mistaken. Per Quartz:

The credit agency kept news of the hack quiet for a month after its internal discovery, giving executives time to sell almost $2 million in shares. Once the news went public, Equifax first insisted that customers waive their right to a class-action lawsuit before accepting any credit protection; after an outcry, it backed down. A typo in a tweet from Equifax’s account directed customers to a phishing site instead of the actual website the company set up to tell customers if they’d been affected, which didn’t really work anyway.

A year after the hack, the lack of penalties for the company’s failures is equally laughable. Stock prices bounced back. Former CEO Richard Smith retired with his full $90 million package. No US federal agency has made any move to punish the company.

In Vietnam, we don’t have the concept of a credit score. In Europe, there isn’t an equivalent concept either, as far as I know. I never encountered anything like it while in Finland. My European friends are baffled by the concept as well. Having been in the US for two years, I don’t pay much attention to the score, nor can I understand how it works. I set up all payments automatically to make sure I am never late on credit payments. Yet my scores have fluctuated significantly for no reason that I could understand. The only explanation they could give me is that my credit profile was only one year old!? I don’t think the credit agencies add any value to society, and yet they are extremely profitable entities. They have access to consumers’ sensitive data, and look what they did with that data.

The fine was small because the breach took place before GDPR was enforced, and on that note I have heard criticisms of the EU’s data privacy regulation. Although the regulation isn’t perfect (the same goes for almost any regulation), it is a good start. The primary criticism is that the regulation is too expensive and difficult for SMEs to comply with, meaning that the big corporations can increase their competitive advantage further. My argument is that regardless of size, any company can have consumers’ sensitive data leaked, easily in the hundreds or thousands of records. GDPR gives users many rights and much-needed power in the conversation. It is true that smaller firms may see their costs rise due to compliance with the regulation, but innovation should start from having higher standards, not lower ones. Would we have more environmentally friendly cars by raising emission standards or lowering them?

Had the Equifax breach taken place after the enforcement of GDPR, the company would likely have faced a fine worth 4% of its global revenue. Since Equifax generated $3.362 billion in revenue in 2017, that would have amounted to a fine of $134.5 million. Wouldn’t it be worth having such a law to protect users and consumers?