Tag: finance

Home » finance

On Friday the Information Commissioner’s Office’s lead investigator on real-time bidding, executive director for technology and innovation Simon McDougall, signalled that the body would not bring enforcement action against Google and the Interactive Advertising Bureau. 

The ICO warned it would use its regulatory powers against those in the adtech industry that “ignored the window of opportunity to engage and transform”, but he accepted moves by the IAB to educate the industry on special category data (which contains sensitive information about internet users), and that Google will remove content categories and improve its auditing process. 

This is despite the ICO confirming last November that special category data, which includes information about users such as their sexual orientation or political affiliation, was being directly processed without explicit consent. 

Google and the IAB are responsible for the standards that underpin RTB, the programmatic ad tech market in which ad impressions are sold within nanoseconds based on the data held about web users. Sensitive category data, such as political beliefs and reproductive health, are tracked and broadcast via RTB, but Google and the IAB say these categories are not tracked against individual people. 

The ICO is the UK’s watchdog for Europe’s General Data Protection Regulation and has the power to fine companies up to 4% of their global turnover for serious data breaches. However, such sanctions are normally imposed on individual companies. Taking action against the entire system of open-market bidding for ad impressions is a much larger and complicated undertaking.  

McDougall’s article last week prompted outcry from the privacy experts that lodged complaints about RTB well over a year ago, such as the Brave browser’s chief product officer Johnny Ryan and UCL lecturer Michael Veale, who said: “When an industry is premised and profiting from clear and entrenched illegality that breaches individuals’ fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”

Privately, industry sources have suggested that the ICO has opted for the “middle of the road” option. This is despite industry warnings last May that the regulator would start to show its teeth as the GDPR had then been in force for one year. 

Ryan tells Campaign that the industry has been aware of these issues for years and it is no excuse for the ICO to continue dragging its feet on enforcement, given that it received formal evidence of “incontrovertible wrongdoing” 16 months ago. 

“The [ICO] blog post says ‘we’re seeing genuine engagement from the industry, the IAB and Google’. That’s patently a misinterpretation of what we’re seeing… this is the biggest data breach the UK has ever had. 

“We expected when they announced what they were doing [in their report findings update in November] – that step would be banning processes and maybe fines (although fines are less important than the processes themselves). We thought they would go into ad exchanges and demand management platforms and demand the deletion of data. They have the power to do that.” 

Ryan warns that Brave and its fellow complainants are now considering legal action, as well as other options that would “compel the regulator to enforce the law”. 

“This industry has known about this for so long. I used to be a member of IAB Tech Lab and was saying this from the inside,” he adds.

He also rejects the idea that the ICO is compromising because the harm associated with such a widespread data breach is massive and the ad tech players involved are operating without proper checks and balances. 

“We’re at this moment that is similar to other industries: it’s like the medical industry was in the Middle Ages – there was nothing, people in barber shops with rusty blades. Then the enlightenment happens and in the 1800s there are standards and guilds, you have sanitation and electricity. Now if you want to operate on someone, you have to do it in a hospital – if haven’t got a hospital you can go away – tough. It’s called professionalisation.”

The ICO’s response to these criticisms, meanwhile, is framed as a reminder that this is a complex issue.

McDougall tells Campaign: “There are thousands of companies involved in the adtech eco-system and at this stage the issues raised involve the entire industry. We stand ready to deal with the problems but it is a hugely complex area. As a pragmatic regulator, we have a duty to build a thorough and robust case for any regulatory action we may decide to take, and all of this takes time. 

“We are using the intelligence gathered throughout last year to develop an appropriate regulatory response and we continue to investigate real-time bidding. It may be necessary to take formal regulatory action and we will continue to progress our work on that basis.”

Meanwhile the IAB UK says it is “pleased” that the ICO is recognising the work that the industry had done to date and the further work to which it has committed.

Christie Dennehy-Neil, head of policy and regulatory affairs at the IAB UK, says: “We have made good progress, but what matters now is the outcome. Implementing the actions outlined in our response to the ICO needs our members and the wider industry to work with us and be willing to take action where necessary to deliver meaningful change. We look forward to continuing to engage with the ICO as this process develops.” 

The apparent change in tone from the ICO also surprises Damon Reeve, chief executive of the Ozone Project, the digital publishing joint venture representing major UK news publishers Reach, News UK, The Guardian and Telegraph Media Group. 

Reeve tells Campaign: “We expected a slightly firmer position from the ICO… What was missing from Simon’s blog post was anything of real substance. There’s been a lot of discussion and maybe they’re looking to see more action off the back of that.

“It doesn’t really change anything that we’re already on the path to doing. At Ozone we are being fairly proactive in the decisions we’re making to reduce the risks around the processing of data.”

Reeve agrees about the need for a balanced approach: “The right thing for them to do is facilitate change through those organisations. If everyone is in good faith doing the right thing, that must be the best way for them to move in the right direction. Unless individual companies are being fraudulent and going against the industry grain, it makes sense to support competition through that process.”

However, there may be events going on behind the scenes of the ICO that are having an impact on this investigation. 

Last week the law firm Mishcon de Reya spotted that the watchdog had effectively decided to delay imposing £282m worth of fines on Marriott and British Airways. The US hotel chain and UK airline had both been found to have committed significant data breaches in 2018 under the GDPR and had been fined £99m and £183m respectively.

Mishcon’s data protection adviser, Jon Baines, told The Register that he suspected both companies had deployed similar legal arguments to Facebook when it fought back against a Cambridge Analytica-linked fine and ended up being fined £500,000. 

The suspicion is that the ICO’s internal procedures are being challenged and it could be that the watchdog is not feeling as confident as it was last June, or is simply too stretched in terms of its resources to fight so many battles at the same time.

Source: Ico Search Results
Continue reading Is the ICO going soft on the ‘out of control’ adtech industry?

Home » finance

Trusted News Since 1995

A service for investment professionals
·
Tuesday, January 21, 2020

·
507,734,718
Articles


·
3+ Million Readers

Source: Ico Search Results
Continue reading CountingWorks PRO Announces the 2019 TaxBuzz Top 100 Tax Professionals & CountingWorks Top 100 Cloud Accounting Experts

Home » finance

Cyber security data breach reports continued to flood in to the Information Commissioner’s Office (ICO) last year, with phishing proving to be the top cause of breaches, according to new analysis of ICO data between 2017 to 2019. The analysis conducted by the intelligent cyber security awareness platform, CybSafe, includes data published on Tuesday this week by the ICO.

CybSafe found that in 2019, UK organisations reported more cyber security breaches to the ICO than ever before. A total of 2,376 reports were sent to the public body last year, up from 540 in 2017, and 1,854 reports in 2018 – the year that GDPR came into force. Based on these figures, cyber breach reports to the ICO increased by 28 per cent from 2018 and 2019.

Phishing data breach reports have increased even more significantly over the last three years. In 2017, only 16 breach reports were made to the ICO as a result of successful phishing attacks. This jumped to 877 phishing reports in 2018, and in 2019, UK organisations reported a record 1,080 phishing-related breaches to the ICO – representing 45 per cent of all cyber security data breach reports received by the ICO that year.

In 2019, phishing was therefore the most common reason cited for cyber data breaches. ‘Unauthorised access’ took second place, with 791 breaches reported to the ICO. Other notable causes for breaches included 243 reports related to malware or ransomware, 64 related to hardware/software misconfiguration, and 34 related to brute force password attacks.

CybSafe’s research illustrates the continued prevalence of human-focused attacks and breaches. Considering all cyber security reports received by the ICO in 2019, the company suggests that over 90 per cent can likely be attributed to some form of user error or mistakes, as opposed to hardware or software security vulnerabilities.

Commenting on the company’s latest analysis, Oz Alashe, CEO of CybSafe, said: “With GDPR causing a massive surge in reporting during 2018, we might have expected that reports to the ICO would taper off in 2019 – but this wasn’t the case. 2019 surpassed the numbers achieved in the previous year quite dramatically. In terms of human error data breaches, it was a particularly significant year.

“With end-user mistakes often found to be the cause or catalyst of the majority of breaches, there’s a clear opportunity for the channel to step up and offer expertise and workable programmes. The channel needs to start the conversation with their customers about whether they’re successfully minimising human risk. Many companies won’t be doing anything at all to tackle these types of cyber risks, and those that are doing something, often won’t be using cost-effective, impactful, and measurable solutions.”

Source: Ico Search Results
Continue reading ICO reveals Phishing as top threat between 2017-2019

Home » finance

The UK’s data watchdog has accused companies of “ignoring” its message that the adtech industry needs to clean up its act as it considers formal regulatory action as part of its real-time bidding investigation.

Simon McDougall, executive director for technology and innovation at the Information Commissioner’s Office’s, warned today that “those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers”.

The ICO launched an investigation in June 2019 into the RTB industry supply chain and gave a deadline of six months for companies to start getting their house in order.

Through the RTB process, a wide range of data is broadcast to multiple advertisers via an auction that uses this data to serve ads to online users in a fraction of a second.

Following complaints by privacy advocates and Brave, the anti-tracking internet browser company, the ICO said RTB was failing in terms of good data protection and that the adtech industry was “immature” in its understanding of compliance. 

Companies that fall foul of the General Data Protection Regulation, Europe’s data-privacy law, are liable to be fined 4% of annual turnover or €20m (£17.9m), whichever is higher. The ICO enforces GDPR in the UK. 

Google and the Internet Advertising Bureau are the principal bodies in the UK that set RTB standards and support for online advertisers.

Today, McDougall added that both companies had made progress on cleaning up the RTB supply chain: the IAB has pledged to educate the industry on special category data (which contains sensitive information about internet users), while Google will remove content categories and improve its auditing process. 

Google also announced this week that it will remove third-party data cookies from its Chrome browser that allow advertisers to track users across the web. 

McDougall said: “We are using the intelligence gathered throughout last year to develop an appropriate regulatory response. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry, we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis.”

Source: Ico Search Results
Continue reading ICO eyes formal real-time bidding regulation after being ‘ignored’

Home » finance

The US Securities and Exchange Commission’s (SEC’s) Investor Education and Advocacy division is warning the public that, because both Initial Exchange Offerings (IEOs) and the platforms selling them may be unregistered and unregulated, investing in IEOs may be high risk- and not much different than investing in ICOs.

“There is no such thing as an SEC-approved IEO,” the SEC writes in the warning.

IEO’s emerged in 2018 after a number of SEC communiqués and enforcements made it clear that the regulator largely regards ICO’s (initial coin offerings) as unregistered securities.

According to the SEC, IEOs are differently named but similarly featured. The only difference is that, rather than being sold directly to investors by ICO projects themselves, IEO’s are sold by trading platforms where they can also be traded:

“Initial exchange offerings (IEOs) are a recent development in the rapidly evolving digital asset space.  IEOs are similar to initial coin offerings (ICOs) in that they are initial offerings of digital assets (e.g., coins or tokens) to raise capital.  However, IEOs are being touted as an innovation on ICOs because they are offered directly by online trading platforms on behalf of companies—usually for a fee—to provide immediate trading opportunities for the digital assets.”

First, the word “exchange” is a misnomer, the SEC claims:

“These online trading platforms, which are typically not registered with the SEC and which may improperly refer to themselves as ‘exchanges,’ may also claim to perform due diligence or other quality assessments of the IEOs.”

Because the platforms are not true and regulated exchanges, using them implies considerable risk:

“Noncompliance with the federal securities laws means the IEO and/or trading platform may be operating unlawfully and the investor and market protections and remedies these laws are intended to provide may be absent.”

Further:

“You should carefully consider whether the company and the trading platform involved in the IEO has complied with federal securities laws.”

IEO’s may be cleverly marketed, but, “Be cautious if considering an investment in an IEO,” the SEC writes:

“Claims of new technologies and financial products, such as those associated with digital asset offerings, and claims that IEOs are vetted by trading platforms, can be used improperly to entice investors with the false promise of high returns in a new investment space.  As described below, IEOs may be conducted in violation of the federal securities laws and lack many of the investor protections of registered and exempt securities offerings.”

According to the regulator, a failure to reference securities laws in an IEO offering is “a red flag”:

“It is a red flag if the IEO and its participants, including the online trading platform, do not address or discuss the applicability of the federal securities laws.”

Projects may also claim they are registered when they are not:

“Saying something is registered doesn’t make it so.  In addition, be careful if the promoter of the IEO or the digital trading platform hosting the IEO states that they are approved or registered with the SEC.”

Once again:

“There is no such thing as an SEC-approved IEO.”

American securities laws are thorough -some would say too thorough- though SEC Chair Jay Clayton has defended the standards claiming they help assure that U.S. remains a safe place to invest money.

Strong rules have meant that even cryptocurrency projects and trading platforms with premises and staff in the US are registered offshore.

Rules at offshore businesses may be loosely enforced. Cryptocurrency trading platforms like Bitfinex and BitMEX, for instance, have been accused of only tacitly enforcing stated policies barring American traders.

Though, “Projects may claim to be exempt because they are located overseas,” the SEC warns, “…if the offering is being made to American investors, American securities laws may apply,” meaning IEO offerings may be non-compliant (and subject to future enforcement action?).

Furthermore, “Offshore trading platforms that attempt to avoid regulatory scrutiny can leave investors without important information,” the SEC writes, “including information about the IEO issuer, the digital asset offered, and any arrangements between the trading platforms and IEO issuers that enable them to make informed judgments about whether to invest in an IEO.”

Distance can also mean poor oversight regarding trades and conflict of interest at exchanges. Popular crypto trading platforms have been accused of using order data to trade against their own customers and conspiring amongst themselves to manipulate the prices of cryptocurrencies.

For example, executives at Korean crypto trading platform Komid were prosecuted for consducting alleged billion dollar wash trades designed to give customers the false impression that the exchange and the “crypto assets” on it were very popular.

Importantly, if an investor ends up defrauded by a foreign entity, the SEC warns, there may be little recourse.

Defrauded investors, “may have no effective legal remedies in U.S. courts against offshore trading platforms or IEOs issuing on the platforms.  Even if investors sue successfully in a U.S. court, they may not be able to collect on a U.S. judgment against a foreign company, entity or person.”

As well, collecting relief in such cases would, “rely on legal remedies in a foreign country.  These remedies may not exist or may differ greatly from remedies available in the United States.”

Source: Ico Search Results
Continue reading An ICO by Any Other Name: SEC Issues Investor Alert on Initial Exchange Offerings (IEOs)

Home » finance

Trusted News Since 1995

A service for investment professionals
·
Thursday, January 9, 2020

·
506,776,606
Articles


·
3+ Million Readers

Source: Ico Search Results
Continue reading FINTECH COMPANY MANAGECASH HOSTS CASH LOGISTICS EXHIBIT AT WORLD’S LARGEST ATM-FOCUSED EVENT

Home » finance

The Internet Advertising Bureau UK has announced a range of commitments to help advertisers that use real-time bidding meet their data protection obligations amid an investigation by the UK’s data watchdog.

The six actions are launched ahead of an expected update by the Information Commissioner’s Office on its probe into RTB, having heavily criticised the practice in June 2019. The ICO warned that sensitive data about internet users may be being broadcasted through bid requests and thus breaching Europe’s General Data Protection Regulation without the necessary consent.

Each of the IAB commitments respond to key issues that the ICO identified in its latest update report, in which the data watchdog gave six months for companies involved in the RTB supply chain to get their houses in order because the adtech industry appears “immature” in its understanding of GDPR compliance.

Regulators such as the ICO are empowered to fine GDPR violators up to €20m (£17.9m) or 4% of the offending company’s annual turnover (whichever is highest).

Through the RTB process, a wide range of data is broadcast to multiple advertisers via an auction that uses this data to serve ads to online users in a fraction of a second.

The IAB, which develops industry standards and provides legal support for the digital advertising industry, has committed to:

• Develop good-practice guidance covering data security, minimisation and retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework policies could be enhanced;
• Carry out a range of actions to be taken on special category data, including education for the industry on restrictions (developed with other trade bodies, particularly on the buy side), and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests;
• Educate its members on the consent requirements of UK online privacy regulations, with reference to the ICO’s current cookie guidance, and promoting the use of the TCF for obtaining user consent in a GDPR-compliant way;
• Educate its members on Legitimate Interests Assessment requirements and work with IAB Europe to develop resources to support companies to meet these requirements;
• Educate members on Data Protection Impact Assessment requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry and work with relevant trade bodies as they develop their own DPIA approaches and guidance;
• Provide transparency and fairness of information to consumers.

Simon McDougall, the ICO’s executive director for technology and innovation, said: “Our ‘update report’  documented our concerns with how personal data is processed using RTB and our subsequent engagement work with the adtech industry has largely validated these concerns. 

“We’re very pleased with the engagement we’ve had so far and, while we still have a long way to go, we’re optimistic that an industry-led solution is possible. We look forward to continuing our constructive discussions with the IAB and the industry as it implements the proposals made.”

However, the IAB has also said it does not believe that including context category fields in bid requests, such as “health” or “religion”, leads to special category data used.

In the IAB’s full response to the ICO, published last month, it said: “[Context category fields] do not in themselves constitute special category data because, on their own, they do not reveal information about the individual user or concern their health, sex life or sexual orientation. 

“Rather, they are derived from categorising the nature of the environment (eg surrounding page content) where the ad impression has become available. The nature of the environment is independent from the user and cannot be attributed to the user by default. Whether the content-based data in a bid request constitutes personal data on the basis that it can identify a person, directly or indirectly, will depend on what other data the company in question holds or has access to.”

Source: Ico Search Results
Continue reading IAB launches six ‘actions’ in response to ICO real-time bidding probe