Freelancer marketplace Toptal sues Andela and ex-employees, alleging theft of trade secrets

The war for talent in the tech world can be brutal — and so, it turns out, can the war between platforms that help companies source it. In the latest developement, Toptal — a marketplace for filling engineering and other tech roles with freelance, remote workers — has filed a lawsuit against direct competitor Andela and several of its employees, alleging the theft of trade secrets in pursuit of “a perfect clone of its business”, according to the complaint. All of the Andela employees previously worked at Toptal.

Toptal’s lawsuit, filed in the Supreme Court of the State of New York and embedded below, alleges that the employees reneged on confidentiality, non-solicitation and non-compete agreements with Toptal. Toptal also alleges interference with contract, unfair competition and misappropriation of trade secrets.

While both Toptal and Andela have built businesses around the idea of remote freelancers filling tech jobs — a concept that has increased in profile and acceptance as people shifted to remote work during the pandemic — the pair only emerged as very direct competitors in the last year or so.

Toptal was co-founded by CEO Taso Du Val in 2010, and since then it has grown to become one of the world’s most popular on-demand talent networks. The company matches skilled tech personnel like engineers, software developers, designers, finance experts and product managers to clients across the globe. According to company data, it currently serves over 1,000 clients in more than 10 countries.

Andela, on the other hand, only recently turned to using a similar approach. Founded in 2014 in Lagos, Andela’s original business model was based on building physical hubs to source, vet, train and house talent across the continent. It did this in Kenya, Nigeria, Rwanda and Uganda.

However, Andela struggled with scaling and operating that business model, and in 2019 it laid off 400 developers. Early last year as the pandemic took hold, it laid off a further 135 employees. However this time around it did so with a strategy pivot in mind: after testing satellite models in Egypt and Ghana, the talent company decided to go forego physical hubs completely and go remote, first across Africa in 2020 and globally this year.

“We thought, ‘What if we accelerated [the African remote network] and just enabled applicants from anywhere?’ Because it was always the plan to become a global company. That was clear, but the timing was the question,” Andela CEO Jeremy Johnson told TechCrunch in April.

Yet Toptal believes Andela’s choice to scrap its hubs and source remote talent from everywhere was specifically to replicate Toptal’s business model — and success.

“Until recently, Andela operated an outsourcing operation focused on in-person, on-site hubs in Africa,” Toptal notes in the complaint.Over the course of the past year, Andela has moved away from its prior focus on in-person hubs situated in Africa and is engaging in a barely disguised attempt to become a clone of Toptal.”

Toptal claims that for Andela to pull off a “perfect clone of its business,” it poached key Toptal employees to exploit their knowledge, and that the ex-employees knowingly breached their confidentiality and non-solicitation obligations to Toptal.

Companies often try to uncover each other’s trade secrets by poaching, and many blatantly copy a competitor and do so without repercussions. On top of this, these two are hardly the only two places to for tech talent to connect with remote freelance job opportunities. Others include Fiverr, Malt, Freelancer.com, LinkedIn, Turing, Upwork and many more.

In a global economy with an estimated 1 billion so-called knowledge workers, and with freelancers accounting for some 35% of the world’s workforce, it’s a pretty gigantic market, which you could alternately look at as a major opportunity, but also a ripe field for many players with multiple permutations of the marketplace concept.

So why is Toptal crying foul play? The company says its ex-employees have not only revealed Toptal’s trade secrets and confidential information to compete unfairly but are also poaching additional Toptal personnel, clients and the talent that Toptal matches and sources to clients.

The ex-employees cited by Toptal include Sachin Bhagwata, vice president of enterprise; Martin Chikilian, head of talent operations; Courtney Machi, vice president of product; and Alvaro Oliveira, executive vice president of talent operations. Toptal says three additional former employees in non-executive roles breached express covenants not to compete in their agreements with Toptal.

While some of the allegations focus on the expertise of the employees, one of the trade secret allegations more directly references Toptal’s technology.

Toptal claims Machi tapped into her extensive knowledge of Toptal’s “proprietary software platform” and used that to help transform Andela “from a group of outsourcing hubs situated in various African locations into a fully remote, global company like Toptal.”

Asked to comment on the suit, Johnson at Andela said he believes Toptal is suing Andela for being competitive.

“With regards to the situation overall, I can say that frivolous lawsuits are the price of doing anything that matters,” he told TechCrunch in an email. “And this is the kind of baseless bullying and fear tactics that make employees want to leave in the first place. We will defend ourselves and our colleagues vigorously.”

Toptal has an unconventional story for a company that started only a decade ago. It is one of the few companies in the Valley that doesn’t issue stock options to its investors or employees. Even Du Val’s co-founder, Breanden Beneschott, was ousted from the company without any shares, according to an article from The Information.

How did it pull this off? In 2012, Toptal raised a $1.4 million seed via convertible notes and investors were entitled to 15% of the company, according to The Information article.

But there was one condition: Toptal had to raise more money.

However, the company hasn’t needed to secure additional capital because of its profitability and growing revenue ($200 million annually as of 2018, per The Information). So investors are stuck in limbo — as are employees who joined hoping that the company would raise money down the line so their stock options would convert.

The Information story strikes a distinct note of resentment, noting that some employees felt “tricked out of stock in a company that Du Val has said publicly is worth more than $1 billion.”

Given that situation, TechCrunch asked Du Val if he thought it played any role in employee departures, and ex-employee relations.

“The issuance of stock options does not excuse theft of trade secrets,” he replied. “Also, there are more than 800 full-time people at Toptal [but] the complaint names seven individual defendants.”

The full complaint is embedded below.

#andela, #freelance-economy, #freelancer, #freelancers, #labor, #lawsuit, #startups, #talent, #tc, #toptal

0

Archer Aviation pushes for dismissal of Wisk trade secret suit

Archer Aviation hit back against allegations that it misappropriated trade secrets and infringed on patents from electric aircraft rival Wisk Aero, telling a court this week that it designed its Maker aircraft with a third-party eVTOL consultant prior to any former Wisk employees joining the company.

Archer said it worked with consultant FlightHouse Engineering at the end of 2019, when the consultancy firm modeled a 12-rotor fixed wing aircraft, with the front six rotors capable of tilting from a vertical to a horizontal position. This is the design that ultimately became the Maker. By the time the first Wisk employee arrived at Archer, this design had already been modeled, Archer says.

“Despite the breathless innuendo and baseless speculation to which Wisk devotes its entire complaint, Archer’s eVTOL aircraft design is not only the best eVTOL aircraft around, it is entirely Archer’s design,” the answer says.

A Wisk spokesperson told TechCrunch that Archer’s filing changes nothing about the case. It “contains no substantive response to the allegations Archer misappropriated more than 50 specific Wisk trade secrets, which were disclosed in a court filing last month and cover multiple components, systems, and designs for the aircraft,” the spokesperson said. “We believe Archer’s business is built on Wisk’s intellectual property as detailed in our filings, and we look forward to proceeding with our case.”

Wisk filed its lawsuit with the U.S. District Court for the Northern District of California in April, alleging that Archer perpetrated a “brazen theft” of confidential information and intellectual property. The suit came just two months after Archer announced it would merge with special purpose acquisition company Atlas Crest Investment Corp. in a deal valued at $3.8 billion.

In its filing Tuesday, Archer included counterclaims alleging “tortious interference and unfair competition.” Archer stated that Wisk engaged in a “media campaign” that was timed “to maximize harm to Archer after learning of Archer’s impending financial success.”

In a separate motion to dismiss, Archer also said that Wisk failed to identify any specific trade secrets that it allegedly misappropriated in the April complaint.

Wisk, born of a joint venture between Boeing and Kitty Hawk Corp., did include a 72-page trade secret disclosure in a separate injunction filed on May 19. That injunction could potentially bar Archer from using any of the purportedly stolen technology. An Archer spokesperson told TechCrunch that the company will file an opposition to that injunction on June 23, “which will address Wisk’s purported trade secret disclosure statement.”

A major part of Wisk’s suit are allegations that a former Wisk employee, Jing Xue, downloaded thousands of proprietary files from his work computer prior to joining Archer. However, Archer said in the motion to dismiss that Wisk does not allege that the former employee disclosed any such information to Archer. According to Archer, “such allegations do not suffice to show that Archer […] came into possession of the files or learned of the confidential information therein, much less that it did so knowingly, as is required to state a trade secret claim.”

 

#archer-aviation, #electric-aviation, #evtol, #lawsuit, #tc, #transportation, #urban-air-mobility, #wisk-aero

0

Tesla faces $163M payout to drivers in Norway following court decision

A Norwegian conciliation council has ordered Tesla to pay thousands of dollars each to Model S owners after it found that a software update led to longer charging times, the Norwegian newspaper Nettavisen reported Monday. Drivers eligible for compensation under the ruling will receive 136,000 kroner ($16,000) each.

Thirty Tesla drivers brought a complaint to the conciliation council in December 2020, citing that charging times slowed down after a software update the previous year. The poorer performance affected Tesla Model S vehicles manufactured between 2013 and 2015.

Tesla sold about 10,000 Model S vehicles during that timeframe in Norway. That means Tesla faces an overall payout of up to 1.36 kroner ($163 million), Nettavisen said.

Tesla did not respond to the complaint prior to the judgement being issued and it has until May 30 to pay the fine. The company has the opportunity to appeal the ruling to the Oslo Conciliation Board by June 17.

This is not the first time Tesla has faced complaints on charging speeds in court. A Tesla owner in 2019 filed a lawsuit against the EV manufacturer in the Northern California federal court alleging fraud and decreased battery range following a software update.

Norway leads Europe in the number of EVs on the road, with battery electric vehicles accounting for 54% of all new vehicle sales in 2020, according to the Norweigan Road Federation. Audi e-trons were the most popular vehicle sold, followed by the Model 3.

#automotive, #electric-vehicles, #lawsuit, #norway, #tc, #tesla, #tesla-model-s, #transportation

0

Apple CEO faces tough questioning as Epic Games trial wraps up

Apple CEO Tim Cook introduces the WWDC 2020 keynote.

Enlarge / Apple CEO Tim Cook introduces the WWDC 2020 keynote. (credit: Apple)

Apple CEO Tim Cook faced pointed questioning from Judge Yvonne Gonzalez Rogers during his long-awaited testimony in the Epic Games v. Apple trial Friday.

Following hours of questioning and cross-examination from Apple’s and Epic’s lawyers, Rogers wrapped up nearly three weeks of witness testimony with an extended back-and-forth with Cook. She began by asking about a hypothetical situation in which Fortnite‘s in-game V-Bucks currency was available for a lower price on the web than through the iOS app itself. What would be wrong with the app presenting users with the option to make that more affordable purchase—or at least providing that information to the users in the app?

Cook responded that “if you allow people to link out like that, you would essentially give up the total return on our IP.” Earlier in his testimony, Cook said by way of analogy that letting apps direct consumers to commission-free purchase options outside of the App Store “would be akin to Apple going out to Best Buy, putting a sign there where we advertise you can go across the street to the Apple Store to buy an iPhone. If the effort goes into transacting with the customer [in the app], it seems like it ought to happen in the app.”

Read 21 remaining paragraphs | Comments

#apple, #epic, #gaming-culture, #lawsuit, #tim-cook, #trial

0

Tim Cook plays innocent in Epic v Apple’s culminating testimony

Apple CEO Tim Cook took his first turn in the witness chair this morning in what is probably the most anticipated testimony of the Epic v. Apple antitrust case. But rather than a fiery condemnation of Epic’s shenanigans and allegations, Cook offered a mild, carefully tended ignorance that left many of the lawsuit’s key questions unanswered, or unanswerable.

This anticlimax may not make for exciting reporting, but it could serve to defang the dangerous, if somewhat dubious, argument that Apple’s App Store amounts to a monopoly.

After being called by Apple’s own attorneys, Cook took the stand, Law360’s Dorothy Atkins, one of two media members allowed in the court, reported in her comprehensive live tweeting of the testimony. The quotes from Cook are as reported and not to be considered verbatim; the court transcript will follow when the document is compiled and public. Incidentally, Atkins’ stage-setting descriptions are appealing and humanizing, though Epic CEO Tim Sweeney comes off as a bit weird:

The questioning of Cook by his own company’s counsel was gentle and directed at reiterating the reasons why Apple’s App Store is superior and sufficient for iOS users, while also asserting the presence of stiff competition. He admitted to a handful of conflicts with developers, such as differing priorities or needing to improve discovery, but said the company works constantly to retain developers and users.

The facade of innocent ignorance began when he was asked about Apple’s R&D numbers — $15-20 billion annually for the last three years. Specifically, he said that Apple couldn’t estimate how much of that money was directed towards the App Store, because “we don’t allocate like that,” i.e. research budgets for individual products aren’t broken out from the rest.

Now, that doesn’t sound right, does it? A company like Apple knows down the penny how much it spends on its products and research. Even if it can’t be perfectly broken down — an advance in MacOS code may play into a feature on the App Store — the company must know to some extent how its resources are being deployed and to what effect. The differences between a conservative and liberal estimation of the App Store’s R&D allocation might be large, in the hundreds of millions perhaps, but make no mistake, those estimations are almost certainly being made internally. To do otherwise would be folly.

But because the numbers are not publicly declared and broken down, and because they are likely to be somewhat fuzzy, Cook can say truthfully that there’s no single number like (to invent an amount) “App Store R&D was $500 million in 2019.”

Not having a hard number removes a potential foothold for Epic, which could use it either way: If it’s big, they’re protecting their golden goose (enforcing market power). If it’s small, they’re just collecting the eggs (collecting rent via market power). Apple’s only winning move is not to play, so Cook plays dumb and consequently Epic’s argument looks like speculation (and, as Apple would argue, fabulation).

He then deployed a similar strategy of starving the competition with a preemptive shrug about profits. He only addressed total net sales, which were about $275 billion at a 21 percent profit margin, saying Apple does not evaluate the App Store’s income as a standalone business.

Certainly it is arguable that the App Store is very much a tightly integrated component of a larger business structure. But the idea that it cannot be assessed as a standalone business is ludicrous. It is again nearly certain that it, like all of Apple’s divisions and product lines, is dissected and reported internally in excruciating detail. But again it is just plausible that for legal purposes it is not straightforward enough to say “the income and profits of the App Store are such and such,” thus denying Epic its datum.

However, the point is important enough that Epic thought it warranted independent investigation. And among the first things Epic’s attorney brought up, when the witness was turned over to him, was the testimony from earlier in the trial by an expert witness that Apple’s App Store operating margins were around 79 percent.

It was not in Apple’s interest to confirm or deny these numbers, and Cook again pleaded ignorance. The mask slipped a tiny bit, however, when Epic’s attorney asked Cook to break down the confidential income numbers that combined the Mac and iOS App Stores. While Apple objected to this, saying it was privileged information and could only be divulged in a closed court, Cook offered that the iOS numbers are “a lot larger” than the Mac numbers.

What we see here is another piece of financial sleight-of-hand. By mixing the iOS and Mac income Apple gets to muddy the waters of how much money is made and spent in and on them. Epic’s attempt to unmix them was not successful, but the judge is no fool — she sees the same things Epic does, but just as dimly. Apple is attempting to deny Epic a legal victory even at the cost of looking rather shadowy and manipulative.

This was further demonstrated when Cook was asked about Apple’s deal with Google that keeps the search engine as the default on iOS. Cook said he didn’t remember the specific numbers.

If the CEO of one of the biggest tech companies in the world told you they forgot the specifics of a multi-billion dollar, decade-long deal with one of the other biggest tech companies in the world, would you believe them?

Little of the remaining testimony shed light on anything. Cook discussed the complexities of operating in places like China where local laws have technical and policy repercussions, and minimized the assertion that Apple had expanded the scope of in-app purchases and what transactions the company gets a 30% cut from. A bit more testimony will take place in a closed court, but we likely won’t hear about it as it will concern confidential information.

The trial, which is winding down, has held few surprises; both sides laid out their arguments at the start, and much of this will come down to the judge’s interpretation of the facts. There were no dramatic surprise witnesses or smoking guns — it’s simply a novel argument about what constitutes monopolistic behavior. Apple is adamant that competition is present and fierce in Android, and that in the gaming world it competes with Windows and consoles as well.

It seems almost inevitable that whatever the judgment is, the case will be appealed and brought to a higher court, but that judgment will also be a strong indicator of how well Epic’s arguments (and Apple’s obfuscations) have been received. That said, Epic and other critics of Apple’s App Store fees, which are immensely profitable however the company chooses to obscure it, have arguably already accomplished their goals. Apple’s lowered 15% fee for the first million dollars is plainly a response to developer unrest and bad press, and now it is put in the position of defending how the sausage gets made.

Tarnishing Apple’s anodized aluminum tower was always at least partly the intent, and win or lose Epic may feel it has gotten its money’s worth. Besides, the rematch in Europe is yet to come.

#app-store, #apple, #apps, #epic, #epic-v-apple, #lawsuit, #tim-cook

0

European Parliament amps up pressure on EU-US data flows and GDPR enforcement

European Union lawmakers are facing further pressure to step in and do something about lackadaisical enforcement of the bloc’s flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to start an infringement proceeding against Ireland’s Data Protection Commission (DPC) for not “properly enforcing” the regulation.

The Commission and the DPC have been contacted for comment on the parliament’s call.

Last summer the Commission’s own two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement — but commissioners were keener to point out the positives, lauding the regulation as a “global reference point”.

But it’s now nearly three years since the regulation begun being applied and criticism over weak enforcement is getting harder for the EU’s executive to ignore.

The parliament’s resolution — which, while non-legally binding, fires a strong political message across the Commission’s bow — singles out the DPC for specific criticism given its outsized role in enforcement of the General Data Protection Regulation (GDPR). It’s the lead supervisory authority for complaints brought against the many big tech companies which choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).

The text of the resolution expresses “deep concern” over the DPC’s failure to reach a decision on a number of complaints against breaches of the GDPR filed the day it came into application, on May 25, 2018 — including against Facebook and Google — and criticises the Irish data watchdog for interpreting ‘without delay’ in Article 60(3) of the GDPR “contrary to the legislators’ intention – as longer than a matter of months”, as they put it.

To date the DPC has only reached a final decision on one cross-border GDPR case — against Twitter.

The parliament also says it’s “concerned about the lack of tech specialists working for the DPC and their use of outdated systems” (which Brave also flagged last year) — as well as criticizing the watchdog’s handling of a complaint originally brought by privacy campaigner Max Schrems years before the GDPR came into application, which relates to the clash between EU privacy rights and US surveillance laws, and which still hasn’t resulted in a decision.

The DPC’s approach to handling Schrems’ 2013 complaint led to a 2018 referral to the CJEU — which in turn led to the landmark Schrems II judgement last summer invalidating the flagship EU-US data transfer arrangement, Privacy Shield.

That ruling did not outlaw alternative data transfer mechanisms but made it clear that EU DPAs have an obligation to step in and suspend data transfers if European’s information is being taken to a third country that does not have essentially equivalent protections to those they have under EU law — thereby putting the ball back in the DPC’s court on the Schrems complaint.

The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers and the tech giant responded by filing for a judicial review of the DPC’s processes. However the Irish High Court rejected Facebook’s petition last week. And a stay on the DPC’s investigation was lifted yesterday — so the DPC’s process of reaching a decision on the Facebook data flows complaint has started moving again.

A final decision could still take several months more, though — as we’ve reported before — as the DPC’s draft decision will also need to be put to the other EU DPAs for review and the chance to object.

The parliament’s resolution states that it “is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR”, and — in more general remarks on the enforcement of GDPR around international data transfers — it states that it:

Is concerned about the insufficient level of enforcement of the GDPR, particularly in the area of international transfers; expresses concerns at the lack of prioritisation and overall scrutiny by national supervisory authorities with regard to personal data transfers to third countries, despite the significant CJEU case law developments over the past five years; deplores the absence of meaningful decisions and corrective measures in this regard, and urges the EDPB [European Data Protection Board] and national supervisory authorities to include personal data transfers as part of their audit, compliance and enforcement strategies; points out that harmonised binding administrative procedures on the representation of data subjects and admissibility are needed to provide legal certainty and deal with crossborder complaints;

The knotty, multi-year saga of Schrems’ Facebook data-flows complaint, as played out via the procedural twists of the DPC and Facebook’s lawyers’ delaying tactics, illustrates the multi-layered legal, political and commercial complexities bound up with data flows out of the EU (post-Snowden’s 2013 revelations of US mass surveillance programs) — not to mention the staggering challenge for EU data subjects to actually exercise the rights they have on paper. But these intersecting issues around international data flows do seem to be finally coming to a head, in the wake of the Schrems II CJEU ruling.

The clock is now ticking for the issuing of major data suspension orders by EU data protection agencies, with Facebook’s business first in the firing line.

Other US-based services that are — similarly — subject to the US’ FISA regime (and also move EU users data over the pond for processing; and whose businesses are such they cannot shield user data via ‘zero access’ encryption architecture) are equally at risk of receiving an order to shut down their EU-US data-pipes. Or else having to shift data processing for these users inside the EU.

US-based services aren’t the only ones facing increasing legal uncertainty, either.

The UK, post-Brexit, is also classed as a third country (in EU law terms). And in a separate resolution today the parliament adopted a text on the UK adequacy agreement, granted earlier this year by the Commission, which raises objections to the arrangement — including by flagging a lack of GDPR enforcement in the UK as problematic.

On that front the parliament highlights how adtech complaints filed with the ICO have failed to yield a decision. (It writes that it’s concerned “non-enforcement is a structural problem” in the UK — which it suggests has left “a large number of data protection law breaches… [un]remedied”.)

It also calls out the UK’s surveillance regime, questioning its compatibility with the CJEU’s requirements for essential equivalence — while also raising concerns about the risk that the UK could undermine protections on EU citizens data via onward transfers to jurisdictions the EU does not have an adequacy agreement with, among other objections.

The Commission put a four year lifespan on the UK’s adequacy deal — meaning there will be another major review ahead of any continuation of the arrangement in 2025.

It’s a far cry from the ‘hands-off’ fifteen years the EU-US ‘Safe Harbor’ agreement stood for, before a Schrems challenge finally led to the CJEU striking it down back in 2015. So the takeaway here is that data deals that allow for people’s information to leave Europe aren’t going to be allowed to stand unchecked for years; close scrutiny and legal accountability are now firmly up front — and will remain in the frame going forward.

The global nature of the Internet and the ease with which data can digitally flow across borders of course brings huge benefits for businesses — but the resulting interplay between different legal regimes is leading to increasing levels of legal uncertainty for companies seeking to take people’s data across borders.

In the EU’s case, the issue is that data protection is regulated within the bloc and these laws require that protection stays with people’s information, no matter where it goes. So if the data flows to countries that do not offer the same safeguards — be that the US or indeed China or India (or even the UK) — then that risk is that it can’t, legally, be taken there.

How to resolve this clash, between data protection laws based on individual privacy rights and data access mandates driven by national security priorities, has no easy answers.

For the US, and for the transatlantic data flows between the EU and the US, the Commission has warned there will be no quick fix this time — as happened when it slapped a sticking plaster atop the invalidated Safe Harbor, hailing a new ‘Privacy Shield’ regime; only for the CJEU to blast that out of the water for much the same reasons a few years later. (The parliament resolution is particularly withering in its assessment of the Commission’s historic missteps there.)

For a fix to stick, major reform of US surveillance law is going to be needed. And the Commission appears to have accepted that’s not going to come overnight, so it seems to be trying to brace businesses for turbulence…

The parliament’s resolution on Schrems II also makes it clear that it expects DPAs to step in and cut off risky data flows — with MEPs writing that “if no arrangement with the US is swiftly found which guarantees an essentially equivalent and therefore adequate level of protection to that provided by the GDPR and the Charter, that these transfers will be suspended until the situation is resolved”.

So if DPAs fail to do this — and if Ireland keeps dragging its feet on closing out the Schrems complaint — they should expect more resolutions to be blasted at them from the parliament.

MEPs emphasize the need for any future EU-US data transfer agreement “to address the problems identified by the Court ruling in a sustainable manner” — pointing out that “no contract between companies can provide protection from indiscriminate access by intelligence authorities to the content of electronic communications, nor can any contract between companies provide sufficient legal remedies against mass surveillance”.

“This requires a reform of US surveillance laws and practices with a view to ensuring that access of US security authorities to data transferred from the EU is limited to what is necessary and proportionate, and that European data subjects have access to effective judicial redress before US courts,” the parliament adds.

It’s still true that businesses may be able to legally move EU personal data out of the bloc. Even, potentially, to the US — depending on the type of business; the data itself; and additional safeguards that could be applied.

However for data-mining companies like Facebook — which are subject to FISA and whose businesses rely on accessing people’s data — then achieving essential equivalence with EU privacy protections looks, well, essentially impossible.

And while the parliament hasn’t made an explicit call in the resolution for Facebook’s EU data flows to be cut off that is the clear implication of it urging infringement proceedings against the DPC (and deploring “the absence of meaningful decisions and corrective measures” in the area of international transfers).

The parliament says it wants to see “solid mechanisms compliant with the CJEU judgement” set out — for the benefit of businesses with the chance to legally move data out of the EU — saying, for example, that the Commission’s proposal for a template for Standard Contractual Clauses (SCCs) should “duly take into account all the relevant recommendations of the EDPB“.

It also says it supports the creation of a tool box of supplementary measures for such businesses to choose from — in areas like security and data protection certification; encryption safeguards; and pseudonymisation — so long as the measures included are accepted by regulators.

It also wants to see publicly available resources on the relevant legislation of the EU’s main trading partners to help businesses that have the possibility of being able to legally move data out of the bloc get guidance to help them do so with compliance.

The overarching message here is that businesses should buckle up for disruption of cross-border data flows — and tool up for compliance, where possible.

In another segment of the resolution, for example, the parliament calls on the Commission to “analyse the situation of cloud providers falling under section 702 of the FISA who transfers data using SCCs” — going on to suggest that support for European alternatives to US cloud providers may be needed to plug “gaps in the protection of data of European citizens transferred to the United States” and “reduce the dependence of the Union in storage capacities vis-à-vis third countries and to strengthen the Union’s strategic autonomy in terms of data management and protection”.

#brexit, #china, #cloud, #data-mining, #data-protection, #data-protection-commission, #data-security, #encryption, #eu-us-privacy-shield, #europe, #european-data-protection-board, #european-parliament, #european-union, #facebook, #general-data-protection-regulation, #google, #india, #ireland, #lawsuit, #max-schrems, #noyb, #privacy, #safe-harbor, #surveillance-law, #twitter, #united-kingdom, #united-states

0

Wisk Aero files injunction in trade secret lawsuit against Archer Aviation

Electric aviation company Wisk Aero filed a motion for a preliminary injunction Wednesday in its ongoing lawsuit with rival electric air travel startup Archer Aviation. The injunction could put a serious wrench in Archer’s operations should the courts approve it.

Wisk has asked the court to immediately prohibit Archer from using 52 trade secrets that it alleges were stolen by former employees who were later hired by Archer. The trade secrets “span the gamut of systems within the aircraft and processes for development,” a Wisk spokesperson told TechCrunch.

Archer did not respond to a request for comment by press time. TechCrunch will update the story if they do.

Given the widespread subject matter of the trade secrets, an injunction would likely limit Archer’s operations. The courts have not yet ruled on whether Archer misappropriated trade secrets, as Wisk alleged in its original filing on April 6. Wisk says it discovered the trade secret theft after it sent the work laptops of a departing employee to an outsider investigator, who discovered that the employee had downloaded nearly 5,000 files. This employee is now a senior power electronics engineer at Archer.

The Federal Bureau of Investigation and the U.S. Department of Justice is conducting a separate federal investigation into Archer based on Wisk’s trade secret allegations.

Archer said in a filing with the U.S. Security and Exchange Commission that it had “placed an employee on paid administrative leave in connection with a government investigation and a search warrant issued to the employee.”

The injunction hearing has not been scheduled. It will likely occur within the next few days due to the nature of the request. The suit was filed in the U.S. District Court for the Northern District of California under case no. 5:21-cv-2450.

#aerospace, #archer-aviation, #aviation, #electric-planes, #evtol, #lawsuit, #tc, #transportation, #urban-air-mobility, #wisk-aero

0

Facebook loses last ditch attempt to derail DPC decision on its EU-US data flows

Facebook has failed in its bid to prevent its lead EU data protection regulator from pushing ahead with a decision on whether to order suspension of its EU-US data flows.

The Irish High Court has just issued a ruling dismissing the company’s challenge to the Irish Data Protection Commission’s (DPC) procedures.

The case has huge potential operational significance for Facebook which may be forced to store European users’ data locally if it’s ordered to stop taking their information to the U.S. for processing.

Last September Irish data watchdog made a preliminary order warning Facebook it may have to suspend EU-US data flows. Facebook responding by filing for a judicial review and obtaining a stay on the DPC’s procedure. That block is now being unblocked.

We understand the involved parties have been given a few days to read the High Court judgement ahead of another hearing on Thursday — when the court is expected to formally lift Facebook’s stay on the DPC’s investigation (and settle the matter of case costs).

The DPC declined to comment on today’s ruling in any detail — or on the timeline for making a decision on Facebook’s EU-US data flows — but deputy commissioner Graham Doyle told us it “welcomes today’s judgment”.

Its preliminary suspension order last fall followed a landmark judgement by Europe’s top court in the summer — when the CJEU struck down a flagship transatlantic agreement on data flows, on the grounds that US mass surveillance is incompatible with the EU’s data protection regime.

The fall-out from the CJEU’s invalidation of Privacy Shield (as well as an earlier ruling striking down its predecessor Safe Harbor) has been ongoing for years — as companies that rely on shifting EU users’ data to the US for processing have had to scramble to find valid legal alternatives.

While the CJEU did not outright ban data transfers out of the EU, it made it crystal clear that data protection agencies must step in and suspend international data flows if they suspect EU data is at risk. And EU to US data flows were signalled as at clear risk given the court simultaneously struck down Privacy Shield.

The problem for some businesses is that there may simply not be a valid legal alternative. And that’s where things look particularly sticky for Facebook, since its service falls under NSA surveillance via Section 702 of the FISA (which is used to authorize mass surveillance programs like Prism).

So what happens now for Facebook, following the Irish High Court ruling?

As ever in this complex legal saga — which has been going on in various forms since an original 2013 complaint made by European privacy campaigner Max Schrems — there’s still some track left to run.

After this unblocking the DPC will have two enquiries in train: Both the original one, related to Schrems’ complaint, and an own volition enquiry it decided to open last year — when it said it was pausing investigation of Schrems’ original complaint.

Schrems, via his privacy not-for-profit noyb, filed for his own judicial review of the DPC’s proceedings. And the DPC quickly agreed to settle — agreeing in January that it would ‘swiftly’ finalize Schrems’ original complaint. So things were already moving.

The tl;dr of all that is this: The last of the bungs which have been used to delay regulatory action in Ireland over Facebook’s EU-US data flows are finally being extracted — and the DPC must decide on the complaint.

Or, to put it another way, the clock is ticking for Facebook’s EU-US data flows. So expect another wordy blog post from Nick Clegg very soon.

Schrems previously told TechCrunch he expects the DPC to issue a suspension order against Facebook within months — perhaps as soon as this summer (and failing that by fall).

In a statement reacting to the Court ruling today he reiterated that position, saying: “After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, likely before summer. Now we simply have two procedures instead of one.”

When Ireland (finally) decides it won’t mark the end of the regulatory procedures, though.

A decision by the DPC on Facebook’s transfers would need to go to the other EU DPAs for review — and if there’s disagreement there (as seems highly likely, given what’s happened with draft DPC GDPR decisions) it will trigger a further delay (weeks to months) as the European Data Protection Board seeks consensus.

If a majority of EU DPAs can’t agree the Board may itself have to cast a deciding vote. So that could extend the timeline around any suspension order. But an end to the process is, at long last, in sight.

And, well, if a critical mass of domestic pressure is ever going to build for pro-privacy reform of U.S. surveillance laws now looks like a really good time…

“We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer,” added Schrems. “This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the US to change its surveillance laws.”

Facebook has been contacted for comment on the Irish High Court ruling.

Update: The company has now sent us this statement:

“Today’s ruling was about the process the IDPC followed. The larger issue of how data can move around the world remains of significant importance to thousands of European and American businesses that connect customers, friends, family and employees across the Atlantic. Like other companies, we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to provide a global service and connect people, businesses and charities. We look forward to defending our compliance to the IDPC, as their preliminary decision could be damaging not only to Facebook, but also to users and other businesses.”

#data-protection, #data-security, #digital-rights, #dpc, #eu-us-privacy-shield, #europe, #european-data-protection-board, #european-union, #facebook, #human-rights, #ireland, #lawsuit, #max-schrems, #nick-clegg, #noyb, #policy, #privacy, #safe-harbor, #united-states

0

Three students sue coding bootcamp Lambda School alleging false advertising and financial shenanigans

Lambda School has attracted a lot of attention, and raised some $130 million in venture funding from an impressive list of investors, for its novel approach to coding education: offering six-month virtual computer science courses for $30,000, with the option of paying for the courses in installments based on a sliding scale that only kicks in after you land a job that makes at least $50,000.

But it turns out that the startup is attracting a a lot of controversy, too. In the latest development, three students have filed lawsuits against the company in California, claiming misleading financial and educational practices.

The suits — which are being brought by the non-profit National Student Legal Defense Network on behalf of Linh Nguyen, Heather Nye and Jonathan Stickrod — go back to a period of between 2018 and 2020, and they focus on four basic claims.

First, that Lambda School falsified and misrepresented job placement rates. Second, that Lambda School misrepresented the true nature of its financial interest in student success (specifically, there are question marks over how Lambda handles its ISA contracts and whether it benefits from those). Third, that it misrepresented and concealed a regulatory dispute in California that required the school to cease operations. And fourth, that it enrolled and provided educational services and signed ISA contracts in violation of that order.

The filings for the three cases are embedded below.

The three students are all currently on the hook for their Lambda tuitions, which they opted to pay back in installments by way of the school’s income share agreement (ISA) model. The suits do not disclose how much the three individuals are seeking in damages.

For those who have been following news of Lambda School over the last several years, the claims detailed in the suit will sound familiar. The inflated job placement rates; and the fact that it wasn’t legally allowed to operate, yet was still accepting students, signing ISA deals, and teaching, for example, were all reported over that period of time, along with other criticisms about how CEO and founder Austen Allred, a self-proclaimed “growth hacker“, leveraged his and Lambda’s other Twitter accounts to hype up the school.

Some of the issues that are raised in the lawsuits have also been resolved since then. For example, the prominent display of over 80% of students finding jobs can no longer be found on the Lambda site, and in California you no longer get an ISA but a retail installment contract (similar but different). But as is the way of litigation, lawsuits based on past issues from people who were impacted by them when they were still active, are, in many ways, the next logical, unsurprising step.

There is also a specific strategy behind these three cases being filed the same time.

Alex Elson, the co-founder of the National Student Legal Defense Network, told TechCrunch in an interview that the ISA contracts that students sign at Lambda have arbitration clauses that preclude students from arbitrating against Lambda in groups, ie class action suits. The idea is that by bringing three nearly identical individual cases simultaneously against the school, the defendants can both expose the widespread practices of Lambda, and pave the way for broader relief for others similarly impacted. (The Student Defense Network’s co-counsel in the case is CalebAndonian PLLC and Cotchett Pitre & McCarthy LLP.)

Originally incubated at Y Combinator and backed by a long list of investors that include GV (Google Ventures), Gigafactory (ex-Founders Fund partners), GGV, and more, Lambda School has had a tough time of it in the last year, a period that has seen the Covid-19 pandemic have a disproportionate and impact on some parts of the economy but not others.

Edtech has largely been seen as a huge growth area, but that may not have been the case for edtech startups specifically focused on vocational, technology jobs, given that the tech world has seen a lot of hiring freezes, and layoffs, as companies sought to keep down costs in the face of the unknown.

Lambda went through two sets of layoffs in the space of a year, and it seems that in one of them it also changed its teaching model, doing away with TLs (team leads), paid mentors who helped assess students, and instead moved to a model where students mentored each other and assessed themselves. It has also changed the courses themselves, shortening them to six months from their original nine- and 18-month formats — but not reducing the prices for those courses.

And it’s not quite past all of its regulatory issues, either.

Just two weeks ago, California’s Department of Financial Protection and Innovation (DFPI) announced a settlement with the school over the language that it uses in financing contracts with students.

Specifically, the DFPI took issue with how it said Lambda falsely described its financial arrangement with students as a “qualified educational loan… subject to the limitations on dischargeability contained in… the United States Bankruptcy Code.” (Educational loans are usually exempt from bankruptcy discharge — when a debtor is not required to pay a debt because that debtor is bankrupt, it’s a bankruptcy discharge; typically educational loans are not covered by this, so the issue here was the Lambda School was claiming that even if a student files for bankruptcy that student would still have to pay back Lambda.)

“The language violates the new California Consumer Financial Protection Law (CCFPL), which took effect this year and prohibits companies from engaging in practices that are unlawful, unfair, deceptive, or abusive,” the DFPI noted.

The settlement requires Lambda to notify students that the bankruptcy dischargeability provision language is not accurate; retain a third party to review the terms of the school’s finance contract to ensure that it complies with all applicable laws; and undergo a review of its marketing materials to ensure that the information is accurate and not likely to mislead consumers.

You could say that all of these issues are the table stakes of being a startup and trying something new: the school is moving fast, breaking things, and iterating along the way to figure it all out. But for a service that can leave students liable for paying back $30,000, it’s a big price for others to pay when those things don’t quite work as advertised.

Still, despite all that, Lambda also continues to have a lot of supporters and partners. Just last month, for example, it announced a new backend engineering program that it developed with Amazon. And while it doesn’t seem guaranteed taking the problem will get you an instant open door to a job with the tech giant, it’s a sign of where there remains interesting value in the idea.

We have also reached out to the company’s CEO and founder Austen Allred, and the company itself, for a response and we will update this post as we learn more.

Updated with Lambda’s response: with the following statement:

Per policy, we don’t speak about individual student or alumni situations in detail publicly, but we’re of course happy to review matters directly and will review any cases that are filed. In general, though, for any student’s ISA payments to be activated, they would have first signed an ISA contract and subsequently landed a role leveraging skills learned at Lambda School that pays $50K or more in salary.

Our mission is to de-risk education and expand access to higher paying jobs. For that reason, our ISAs (and RICs in California) are designed with policies that are as flexible and student-centric as possible. That includes our purposely generous proration refund and proration policy for students who decide to leave the program, regardless of tuition payment method. Additionally, if an alumnus loses their job, salary, or is making under $50K a year, their payments are immediately paused. ISAs expire completely after 24 payments or 60 deferred months, even if the total paid is less than $30,000.

Our number one priority is student success. We stand behind the quality of our instructors and our proven student outcomes (which we go into more detail about here and in our outcomes reporting). While we will always strive for our students and alumni to have a positive experience and achieve their career goals, we’re also willing to work with individuals and review cases to come to a resolution.

The suits are below:

#developer, #education, #lawsuit

0

Snap cuts off Yolo, LMK anonymous messaging apps after lawsuit over teen’s death

Snap cuts off Yolo, LMK anonymous messaging apps after lawsuit over teen’s death

Enlarge (credit: stockcam / Getty)

Snapchat’s parent company, Snap, yesterday suspended two apps that allowed users to send anonymous messages to other users on the platform. The move came in response to a lawsuit filed Monday against Snap and the two messaging apps.

The lawsuit seeks class-action status to represent all 92 million Snapchat users, and it demands that Snap ban both Yolo and LMK from its app store. The developers of both apps, the suit alleges, did not implement adequate safeguards against harassing and bullying behavior.

The suit was brought by Kristin Bride, the mother of Carson Bride, a 16-year-old who suffered from cyberbullying on the Yolo and LMK apps. Over half the messages he received on Yolo were “meant to humiliate him, often involving sexually explicit and disturbing content,” according to the lawsuit. After a particularly personal string of insults, 16-year-old Carson searched in vain for how to reveal the identity of his bullies. Just over two weeks later, he took his own life. His last search was “reveal Yolo username online.”

Read 10 remaining paragraphs | Comments

#cyberbullying, #lawsuit, #policy, #snap, #snapchat, #social-media, #yolo

0

Sony faces lawsuit over alleged “monopoly pricing” of PlayStation downloads

A gift card like this goes less far because of Sony's monopolistic control of the PlayStation downloads market, according to a new lawsuit.

Enlarge / A gift card like this goes less far because of Sony’s monopolistic control of the PlayStation downloads market, according to a new lawsuit.

In Apple’s opening statements in the Epic Games v. Apple trial on Monday, the company argued that “the law protects Apple’s choice to have a closed system, just as it protects Sony and Nintendo.” A new proposed class-action lawsuit against Sony’s alleged monopoly control over the market for downloadable PlayStation games seems set to test that argument in the near future.

The lawsuit, filed in Northern California federal court (first reported on by Bloomberg News and obtained by Polygon), alleges that Sony’s monopoly control over the PlayStation Store leads to “supracompetitive prices for digital PlayStation games, which are… [priced] significantly higher than they would be in a competitive retail market for digital games.”

No more retail code competition

Microsoft and Nintendo also maintain digital storefronts that provide the only legitimate way to download software on the Xbox and Switch platforms, of course. But the lawsuit says the PlayStation Store differs from its console competition for a couple of reasons.

Read 11 remaining paragraphs | Comments

#class-action, #download, #gaming-culture, #lawsuit, #monopoly, #pricing, #sony

0

Europe charges Apple with antitrust breach, citing Spotify App Store complaint

The European Commission has announced that it’s issued formal antitrust charges against Apple, saying today that its preliminary view is Apple’s app store rules distort competition in the market for music streaming services by raising the costs of competing music streaming app developers.

The Commission begun investigating competition concerns related to iOS App Store (and also Apple Pay) last summer.

“The Commission takes issue with the mandatory use of Apple’s own in-app purchase mechanism imposed on music streaming app developers to distribute their apps via Apple’s App Store,” it wrote today. “The Commission is also concerned that Apple applies certain restrictions on app developers preventing them from informing iPhone and iPad users of alternative, cheaper purchasing possibilities.”

The statement of objections focuses on two rules that Apple imposes in its agreements with music streaming app developers: Namely the mandatory requirement to use its proprietary in-app purchase system (IAP) to distribute paid digital content (with the Commission noting that it charges a 30% commission fee on all such subscriptions bought via IAP); and ‘anti-steering provisions’ which limit the ability of developers to inform users of alternative purchasing options.

“The Commission’s investigation showed that most streaming providers passed this fee [Apple’s 30% cut] on to end users by raising prices,” it wrote, adding: “While Apple allows users to use music subscriptions purchased elsewhere, its rules prevent developers from informing users about such purchasing possibilities, which are usually cheaper. The Commission is concerned that users of Apple devices pay significantly higher prices for their music subscription services or they are prevented from buying certain subscriptions directly in their apps.”

Commenting in a statement, EVP and competition chief Margrethe Vestager, added: “App stores play a central role in today’s digital economy. We can now do our shopping, access news, music or movies via apps instead of visiting websites. Our preliminary finding is that Apple is a gatekeeper to users of iPhones and iPads via the App Store. With Apple Music, Apple also competes with music streaming providers. By setting strict rules on the App store that disadvantage competing music streaming services, Apple deprives users of cheaper music streaming choices and distorts competition. This is done by charging high commission fees on each transaction in the App store for rivals and by forbidding them from informing their customers of alternative subscription options.”

Apple sent us this statement in response:

“Spotify has become the largest music subscription service in the world, and we’re proud for the role we played in that. Spotify does not pay Apple any commission on over 99% of their subscribers, and only pays a 15% commission on those remaining subscribers that they acquired through the App Store. At the core of this case is Spotify’s demand they should be able to advertise alternative deals on their iOS app, a practice that no store in the world allows. Once again, they want all the benefits of the App Store but don’t think they should have to pay anything for that. The Commission’s argument on Spotify’s behalf is the opposite of fair competition.”

Spotify’s founder, Daniel Ek, has also responded to the news of the Commission’s charges against Apple with a jubilant tweet — writing: “Today is a big day. Fairness is the key to competition… we are one step closer to creating a level playing field, which is so important for the entire ecosystem of European developers.”

Vestager is due to hold a press conference shortly — so stay tuned for updates.

This story is developing… 

A number of complaints against Apple’s practices have been lodged with the EU’s competition division in recent years — including by music streaming service Spotify; video games maker Epic Games; and messaging platform Telegram, to name a few of the complainants who have gone public (and been among the most vocal).

The main objection is over the (up to 30%) cut Apple takes on sales made through third parties’ apps — which critics rail against as an ‘Apple tax’ — as well as how it can mandate that developers do not inform users how to circumvent its in-app payment infrastructure, i.e. by signing up for subscriptions via their own website instead of through the App Store. Other complaints include that Apple does not allow third party app stores on iOS.

Apple, meanwhile, has argued that its App Store does not constitute a monopoly. iOS’ global market share of mobile devices is a little over 10% vs Google’s rival Android OS — which is running on the lion’s share of the world’s mobile hardware. But monopoly status depends on how a market is defined by regulators (and if you’re looking at the market for iOS apps then Apple has no competitors).

The iPhone maker also likes to point out that the vast majority of third party apps pay it no commission (as they don’t monetize via in-app payments). While it argues that restrictions on native apps are necessary to protect iOS users from threats to their security and privacy.

Last summer the European Commission said its App Store probe was focused on Apple’s mandatory requirement that app developers use its proprietary in-app purchase system, as well as restrictions applied on the ability of developers to inform iPhone and iPad users of alternative cheaper purchasing possibilities outside of apps.

It also said it was investigating Apple Pay: Looking at the T&Cs and other conditions Apple imposes for integrating its payment solution into others’ apps and websites on iPhones and iPads, and also on limitations it imposes on others’ access to the NFC (contactless payment) functionality on iPhones for payments in stores.

The EU’s antitrust regulator also said then that it was probing allegations of “refusals of access” to Apple Pay.

In March this year the UK also joined the Apple App Store antitrust investigation fray — announcing a formal investigation into whether it has a dominant position and if it imposes unfair or anti-competitive terms on developers using its app store.

US lawmakers have, meanwhile, also been dialling up attention on app stores, plural — and on competition in digital markets more generally — calling in both Apple and Google for questioning over how they operate their respective mobile app marketplaces in recent years.

Last month, for example, the two tech giants’ representatives were pressed on whether their app stores share data with their product development teams — with lawmakers digging into complaints against Apple especially that Cupertino frequently copies others’ apps, ‘sherlocking’ their businesses by releasing native copycats (as the practice has been nicknamed).

Back in July 2020 the House Antitrust Subcommittee took testimony from Apple CEO Tim Cook himself — and went on, in a hefty report on competition in digital markets, to accuse Apple of leveraging its control of iOS and the App Store to “create and enforce barriers to competition and discriminate against and exclude rivals while preferencing its own offerings”.

“Apple also uses its power to exploit app developers through misappropriation of competitively sensitive information and to charge app developers supra-competitive prices within the App Store,” the report went on. “Apple has maintained its dominance due to the presence of network effects, high barriers to entry, and high switching costs in the mobile operating system market.”

The report did not single Apple out — also blasting Google-owner Alphabet, Amazon and Facebook for abusing their market power. And the Justice Department went on to file suit against Google later the same month. So, over in the U.S., the stage is being set for further actions against big tech. Although what, if any, federal charges Apple could face remains to be seen.

At the same time, a number of state-level tech regulation efforts are brewing around big tech and antitrust — including a push in Arizona to relieve developers from Apple and Google’s hefty cut of app store profits.

While an antitrust bill introduced by Republican Josh Hawley earlier this month takes aim at acquisitions, proposing an outright block on big tech’s ability to carry out mergers and acquisitions. Although that bill looks unlikely to succeed, a flurry of antitrust reform bills are set to introduced as U.S. lawmakers on both sides of the aisle grapple with how to cut big tech down to a competition-friendly size.

In Europe lawmakers are already putting down draft laws with the same overarching goal.

In the EU, the Commission recently proposed an ex ante regime to prevent big tech from abusing its market power. The Digital Markets Act is set to impose conditions on intermediating platforms who are considered ‘gatekeepers’ to others’ market access.

While over in the UK, which now sits outside the bloc, the government is also drafting new laws in response to tech giants’ market power. It has said it intends to create a ‘pro-competition’ regime that will apply to platforms with so-called  ‘strategic market status’ — but instead of a set list of requirements it wants to target specific measures per platform.

#alphabet, #android, #antitrust, #app-store, #apple, #apple-inc, #apple-pay, #competition, #digital-markets, #epic-games, #europe, #european-commission, #european-union, #google, #ios, #ios-app-store, #ipad, #iphone, #lawsuit, #margrethe-vestager, #mobile-devices, #operating-system, #policy, #spotify, #tc, #tim-cook

0

Cloudflare rallies the troops to fight off another so-called patent troll

Nearly four years ago, we wrote about a battle between Cloudflare, the San Francisco-based internet security and performance company, and Blackbird Technologies, a firm that quickly amassed dozens of patents, then began using them to file dozens of patent infringement lawsuits against companies, including Cloudflare.

The suit was typical in every way, except how Cloudflare responded to it. Unlike many targets of similar lawsuits that opt to settle, Cloudflare fought back, asking very publicly for help in locating prior art that would not only invalidate the broad patent that Blackbird was using to sue Cloudflare, but to invalidate all of Blackbird’s patents. The public answered the call, and two years and 275 unique submissions later, the case against Cloudflare was dismissed and Blackbird’s operations were diminished.

One might surmise that given the stink that Cloudflare raised, other patent trolls might choose an easier target. Yet last month, Cloudflare was sued yet again, this time by Sable Networks, a “company that doesn’t appear to have operated a real business in nearly ten years — relying on patents that don’t come close to the nature of our business or the services we provide,” as says Doug Kramer, general counsel of CloudFlare.

Unsurprisingly, Cloudflare isn’t going to take this newest action lying down. This morning, after revealing the lawsuit publicly, it invited the engineering community to again “turn the tables” on patent trolls by inviting them to participate in a crowdsourced effort to find evidence of prior art to invalidate the “ancient, 20-year-old patents” that Cloudlflare says that Sable is is “trying to stretch . . . lightyears beyond what they were meant to cover.”

Cloudflare is also offering a $100,000 bounty to be split among entrants who provide the most useful prior-art references that can be used in challenging the validity of all of Sable’s patents, not just those being asserted against Cloudflare.

The idea is to deal a big enough blow to Sable that not only is its case against Cloudflare hobbled but also future cases against other entities.

“We feel fortunate that we didn’t run into one of these cases earlier in our history, where it might have really taken us off our path,” Kramer tells TechCrunch. “Blackbird came along when we had a bit more stability, and we have even more stability now.”

Given that position of relative strength, he says, “We want to go about this in a way that will force [Sable] to define their claims and stand on their claims, and we want to do it in a way that leaves something behind for other folks, particularly smaller companies that may come behind us, so we want to put [Sable’s] entire patent portfolio under scrutiny.”

Certainly, Cloudflare is not Sable’s only target. Indeed, a quick search shows that Sable has also sued the cybersecurity business Fortinet, the data platform Splunk, and networking giants Juniper Networks and Cisco Systems, among roughly a dozen other companies.

Eight of those cases — including with Juniper and Cisco — have already settled. The reality is that most companies see infringement cases by non-practicing entities like Sable as a nuisance to be quickly resolved because they are a distraction and because the expense of fighting is often equal to or even more than the cost of settling.

The companies also lose oftentimes. Though in 2017, the Supreme Court ruled unanimously that patent holders suing corporations can’t seek out a friendly court — their venue of choice was long the Eastern District of Texas, where 2,500 cases were brought in  2015 alone, 95% of them initiated by non-practicing entities like Sable — business remains brisk in Texas, where legal teams bring in a lot of money and often successfully cast major corporations to local jurors as villainous.

A report in the Houston Chronicle last year noted that businesses and individuals filed 747 patent complaints in Texas during the first six months of 2020 — double the number from a year earlier and twice as many as any other state. To underscore the point, it noted that while patent infringement lawsuits jumped 16 percent nationwide in the first six months of last year, the number of new disputes in Texas soared 96%.

Some of those cases landed in the Eastern District of Texas (and mostly in Marshall, Texas, which boasts a population of 23,000). Some landed in the Southern District, which covers Houston and, according to that same Houston Chronicle report, experienced a 43% jump in new patent violation cases last year.

But Waco, the Western District of Texas, has become the new center for patent infringement cases. That’s largely because the district encompasses Austin, where many tech companies have offices, and notably, a key piece of that 2017 Supreme Court ruling limited filings to venues where the defendants have actual operations.

So-called patent trolls have also found a friend, seemingly, in U.S. District Judge Alan Albright, a former trial attorney who was nominated to become a federal judge in Waco in 2018 by former President Donald Trump. In the two years following his confirmation by the Senate, Albright has come to preside over the most popular court in the country to litigate intellectual property disputes, with a very high percentage of plaintiffs winning their cases.

It’s no wonder that outfits like Sable continue on their path. Scoring early settlement agreements can add up to big business. (Their continued success is also why litigation finance funds continue to spring into existence.)

Cloudflare is a much bigger target now, too. While Blackbird sued while it was still a privately held entity, Cloudflare went public in 2019 and currently boasts a market cap of $26 billion.

Kramer is acutely aware of the upward battle ahead. It’s why despite its resources, Cloudflare is reaching out to the public again. “I don’t mean to sound self-serving, but we have a very intense group of engineers and people in this space who read [our] blog regularly,” Kramer says of the detailed post he published this morning relating to the case. “I also think this really strikes a nerve with some people because they are so bothered by” the practice of patent infringement suits.

Kramer says it’s impossible to overstate the impact of these far-flung engineers in Cloudflare’s fight against Blackbird, “It wasn’t just people who thought, ‘Oh, it’s a chance to make some money and I’m gonna go do this.’ There wasn’t a lot of junk in [what they submitted]. Instead, we had people saying, ‘Hey, listen, I worked on this back in the ’90s when I was over at this company, and it’s crazy that they’re trying to say they invented this,’ and they would send us articles that they had written.

“We had people doing research at libraries and stuff like that,” adds Kramer, “but we also had people who had worked in the industry and said, ‘I worked on this three years before they ever got that patent; there’s no way they should be able to create this [trouble] based something that I did.’”

Cloudflare is hoping again that a lot of its followers will get energized, but “also the exact right people, who are motivated by this and and who are very, very knowledgeable in this space,” says Kramer.

“We’re hoping to get the gang back together.”

#cisco, #cloudflare, #juniper-networks, #lawsuit, #litigation, #patent-infringement, #patent-troll, #patents, #splunk, #tc, #texas

0

Google misled consumers over location data settings, Australia court finds

Google’s historical collection of location data has got it into hot water in Australia where a case brought by the country’s Competition and Consumer Commission (ACCC) has led to a federal court ruling that the tech giant misled consumers by operating a confusing dual-layer of location settings in what the regulator describes as a “world-first enforcement action”.

The case relates to personal location data collected by Google through Android mobile devices between January 2017 and December 2018.

Per the ACCC, the court ruled that “when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location”.

“In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default,” it wrote.

The Court also ruled that Google misled consumers when they later accessed the ‘Location History’ setting on their Android device during the same time period to turn that setting off because it did not inform them that by leaving the ‘Web & App Activity’ setting switched on, Google would continue to collect, store and use their personally identifiable location data.

“Similarly, between 9 March 2017 and 29 November 2018, when consumers later accessed the ‘Web & App Activity’ setting on their Android device, they were misled because Google did not inform them that the setting was relevant to the collection of personal location data,” the ACCC added.

Similar complaints about Google’s location data processing being deceptive — and allegations that it uses manipulative tactics in order to keep tracking web users’ locations for ad-targeting purposes — have been raised by consumer agencies in Europe for years. And in February 2020 the company’s lead data regulator in the region finally opened an investigation. However that probe remains ongoing.

Whereas the ACCC said today that it will be seeking “declarations, pecuniary penalties, publications orders, and compliance orders” following the federal court ruling. Although it added that the specifics of its enforcement action will be determined “at a later date”. So it’s not clear exactly when Google will be hit with an order — nor how large a fine it might face.

The tech giant may also seek to appeal the court ruling.

Google said today it’s reviewing its legal options and considering a “possible appeal” — highlighting the fact the Court did not agree wholesale with the ACCC’s case because it dismissed some of the allegations (related to certain statements Google made about the methods by which consumers could prevent it from collecting and using their location data, and the purposes for which personal location data was being used by Google).

Here’s Google’s statement in full:

“The court rejected many of the ACCC’s broad claims. We disagree with the remaining findings and are currently reviewing our options, including a possible appeal. We provide robust controls for location data and are always looking to do more — for example we recently introduced auto delete options for Location History, making it even easier to control your data.”

While Mountain View denies doing anything wrong in how it configures location settings — while simultaneously claiming it’s always looking to improve the controls it offers its users — Google’s settings and defaults have, nonetheless, got it into hot water with regulators before.

Back in 2019 France’s data watchdog, the CNIL, fined it $57M over a number of transparency and consent failures under the EU’s General Data Protection Regulation. That remains the largest GDPR penalty issued to a tech giant since the regulation came into force a little under three years ago — although France has more recently sanctioned Google $120M under different EU laws for dropping tracking cookies without consent.

Australia, meanwhile, has forged ahead with passing legislation this year that directly targets the market power of Google (and Facebook) — passing a mandatory news media bargaining code in February which aims to address the power imbalance between platform giants and publishers around the reuse of journalism content.

#accc, #android, #australia, #consumer-protection, #consumer-rights, #general-data-protection-regulation, #google, #lawsuit, #location-data, #privacy

0

Facebook faces ‘mass action’ lawsuit in Europe over 2019 breach

Facebook is to be sued in Europe over the major leak of user data that dates back to 2019 but which only came to light recently after information on 533M+ accounts was found posted for free download on a hacker forum.

Today Digital Rights Ireland (DRI) announced it’s commencing a “mass action” to sue Facebook, citing the right to monetary compensation for breaches of personal data that’s set out in the European Union’s General Data Protection Regulation (GDPR).

Article 82 of the GDPR provides for a ‘right to compensation and liability’ for those affected by violations of the law. Since the regulation came into force, in May 2018, related civil litigation has been on the rise in the region.

The Ireland-based digital rights group is urging Facebook users who live in the European Union or European Economic Area to check whether their data was breach — via the haveibeenpwned website (which lets you check by email address or mobile number) — and sign up to join the case if so.

Information leaked via the breach includes Facebook IDs, location, mobile phone numbers, email address, relationship status and employer.

Facebook has been contacted for comment on the litigation.

The tech giant’s European headquarters is located in Ireland — and earlier this week the national data watchdog opened an investigation, under EU and Irish data protection laws.

A mechanism in the GDPR for simplifying investigation of cross-border cases means Ireland’s Data Protection Commission (DPC) is Facebook’s lead data regulator in the EU. However it has been criticized over its handling of and approach to GDPR complaints and investigations — including the length of time it’s taking to issue decisions on major cross-border cases. And this is particularly true for Facebook.

With the three-year anniversary of the GDPR fast approaching, the DPC has multiple open investigations into various aspects of Facebook’s business but has yet to issue a single decision against the company.

(The closest it’s come is a preliminary suspension order issued last year, in relation to Facebook’s EU to US data transfers. However that complaint long predates GDPR; and Facebook immediately filed to block the order via the courts. A resolution is expected later this year after the litigant filed his own judicial review of the DPC’s processes).

Since May 2018 the EU’s data protection regime has — at least on paper — baked in fines of up to 4% of a company’s global annual turnover for the most serious violations.

Again, though, the sole GDPR fine issued to date by the DPC against a tech giant (Twitter) is very far off that theoretical maximum. Last December the regulator announced a €450k (~$547k) sanction against Twitter — which works out to around just 0.1% of the company’s full-year revenue.

That penalty was also for a data breach — but one which, unlike the Facebook leak, had been publicly disclosed when Twitter found it in 2019. So Facebook’s failure to disclose the vulnerability it discovered and claims it fixed by September 2019, which led to the leak of 533M accounts now, suggests it should face a higher sanction from the DPC than Twitter received.

However even if Facebook ends up with a more substantial GDPR penalty for this breach the watchdog’s caseload backlog and plodding procedural pace makes it hard to envisage a swift resolution to an investigation that’s only a few days old.

Judging by past performance it’ll be years before the DPC decides on this 2019 Facebook leak — which likely explains why the DRI sees value in instigating class-action style litigation in parallel to the regulatory investigation.

“Compensation is not the only thing that makes this mass action worth joining. It is important to send a message to large data controllers that they must comply with the law and that there is a cost to them if they do not,” DRI writes on its website.

It also submitted a complaint about the Facebook breach to the DPC earlier this month, writing then that it was “also consulting with its legal advisors on other options including a mass action for damages in the Irish Courts”.

It’s clear that the GDPR enforcement gap is creating a growing opportunity for litigation funders to step in in Europe and take a punt on suing for data-related compensation damages — with a number of other mass actions announced last year.

In the case of DRI its focus is evidently on seeking to ensure that digital rights are upheld. But it told RTE that it believes compensation claims which force tech giants to pay money to users whose privacy rights have been violated is the best way to make them legally compliant.

Facebook, meanwhile, has sought to play down the breach it failed to disclose in 2019 — claiming it’s ‘old data’ — a deflection that ignores the fact that people’s dates of birth don’t change (nor do most people routinely change their mobile number or email address).

Plenty of the ‘old’ data exposed in this latest massive Facebook leak will be very handy for spammers and fraudsters to target Facebook users — and also now for litigators to target Facebook for data-related damages.

#data-protection, #data-protection-commission, #data-security, #digital-rights, #digital-rights-ireland, #europe, #european-union, #facebook, #gdpr, #general-data-protection-regulation, #ireland, #lawsuit, #litigation, #personal-data, #privacy, #social, #social-media, #tc, #twitter

0

Uber hit with default ‘robo-firing’ ruling after another EU labor rights GDPR challenge

Labor activists challenging Uber over what they allege are ‘robo-firings’ of drivers in Europe have trumpeted winning a default judgement in the Netherlands — where the Court of Amsterdam ordered the ride-hailing giant to reinstate six drivers who the litigants claim were unfairly terminated “by algorithmic means.”

The court also ordered Uber to pay the fired drivers compensation.

The challenge references Article 22 of the European Union’s General Data Protection Regulation (GDPR) — which provides protection for individuals against purely automated decisions with a legal or significant impact.

The activists say this is the first time a court has ordered the overturning of an automated decision to dismiss workers from employment.

However the judgement, which was issued on February 24, was issued by default — and Uber says it was not aware of the case until last week, claiming that was why it did not contest it (nor, indeed, comply with the order).

It had until March 29 to do so, per the litigants, who are being supported by the App Drivers & Couriers Union (ADCU) and Worker Info Exchange (WIE).

Uber argues the default judgement was not correctly served and says it is now making an application to set the default ruling aside and have its case heard “on the basis that the correct procedure was not followed.”

It envisages the hearing taking place within four weeks of its Dutch entity, Uber BV, being made aware of the judgement — which it says occurred on April 8.

“Uber only became aware of this default judgement last week, due to representatives for the ADCU not following proper legal procedure,” an Uber spokesperson told TechCrunch.

A spokesperson for WIE denied that correct procedure was not followed but welcomed the opportunity for Uber to respond to questions over how its driver ID systems operate in court, adding: “They [Uber] are out of time. But we’d be happy to see them in court. They will need to show meaningful human intervention and provide transparency.”

Uber pointed to a separate judgement by the Amsterdam Court last month — which rejected another ADCU- and WIE-backed challenge to Uber’s anti-fraud systems, with the court accepting its explanation that algorithmic tools are mere aids to human “anti-fraud” teams who it said take all decisions on terminations.

“With no knowledge of the case, the Court handed down a default judgement in our absence, which was automatic and not considered. Only weeks later, the very same Court found comprehensively in Uber’s favour on similar issues in a separate case. We will now contest this judgement,” Uber’s spokesperson added.

However WIE said this default judgement “robo-firing” challenge specifically targets Uber’s Hybrid Real-Time ID System — a system that incorporates facial recognition checks and which labor activists recently found misidentifying drivers in a number of instances.

It also pointed to a separate development this week in the U.K. where it said the City of London Magistrates Court ordered the city’s transport regulator, TfL, to reinstate the licence of one of the drivers revoked after Uber routinely notified it of a dismissal (also triggered by Uber’s real time ID system, per WIE).

Reached for comment on that, a TfL spokesperson said: “The safety of the travelling public is our top priority and where we are notified of cases of driver identity fraud, we take immediate licensing action so that passenger safety is not compromised. We always require the evidence behind an operator’s decision to dismiss a driver and review it along with any other relevant information as part of any decision to revoke a licence. All drivers have the right to appeal a decision to remove a licence through the Magistrates’ Court.”

The regulator has been applying pressure to Uber since 2017 when it took the (shocking to Uber) decision to revoke the company’s licence to operate — citing safety and corporate governance concerns.

Since then Uber has been able to continue to operate in the U.K. capital but the company remains under pressure to comply with a laundry list of requirements set by TfL as it tries to regain a full operator licence.

Commenting on the default Dutch judgement on the Uber driver terminations in a statement, James Farrar, director of WIE, accused gig platforms of “hiding management control in algorithms.”

“For the Uber drivers robbed of their jobs and livelihoods this has been a dystopian nightmare come true,” he said. “They were publicly accused of ‘fraudulent activity’ on the back of poorly governed use of bad technology. This case is a wake-up call for lawmakers about the abuse of surveillance technology now proliferating in the gig economy. In the aftermath of the recent U.K. Supreme Court ruling on worker rights gig economy platforms are hiding management control in algorithms. This is misclassification 2.0.”

In another supporting statement, Yaseen Aslam, president of the ADCU, added: “I am deeply concerned about the complicit role Transport for London has played in this catastrophe. They have encouraged Uber to introduce surveillance technology as a price for keeping their operator’s license and the result has been devastating for a TfL licensed workforce that is 94% BAME. The Mayor of London must step in and guarantee the rights and freedoms of Uber drivers licensed under his administration.”  

When pressed on the driver termination challenge being specifically targeted at its Hybrid Real-Time ID system, Uber declined to comment in greater detail — claiming the case is “now a live court case again”.

But its spokesman suggested it will seek to apply the same defence against the earlier “robo-firing” charge — when it argued its anti-fraud systems do not equate to automated decision making under EU law because “meaningful human involvement [is] involved in decisions of this nature”.

 

#app-drivers-couriers-union, #artificial-intelligence, #automated-decisions, #europe, #european-union, #facial-recognition, #gdpr, #general-data-protection-regulation, #gig-worker, #james-farrar, #labor, #lawsuit, #london, #netherlands, #transport-for-london, #uber, #united-kingdom

0

Florida sues USA, CDC to get people back on cruise ships

Florida Gov. Ron DeSantis speaks to the media about the cruise industry during a press conference at PortMiami on April 8, 2021 in Miami, Florida.

Enlarge / Florida Gov. Ron DeSantis speaks to the media about the cruise industry during a press conference at PortMiami on April 8, 2021 in Miami, Florida. (credit: Getty | Joe Raedle)

The state of Florida has filed a lawsuit against the United States of America and the Centers for Disease Control and Prevention, claiming that the health agency’s guidance for the cruise industry is “arbitrary and capricious” and that it should be immediately dubbed “unlawful.”

“Today, Florida is fighting back,” Florida Gov. Ron DeSantis (R) said in a news conference at Miami’s seaport Thursday, in which he announced the lawsuit. “We don’t believe the federal government has the right to mothball a major industry for over a year based on very little evidence and very little data. And I think we have a good chance for success.”

The lawsuit comes just days after the CDC released updates to its Conditional Sailing Order (CSO), which the cruise industry called “unduly burdensome” and “largely unworkable.”

Read 10 remaining paragraphs | Comments

#cdc, #covid-19, #cruises, #desantis, #florida-man, #infectious-disease, #lawsuit, #public-health, #science

0

Clarence Thomas plays a poor devil’s advocate in floating First Amendment limits for tech companies

Supreme Court Justice Clarence Thomas flaunted a dangerous ignorance regarding matters digital in an opinion published today. In attempting to explain the legal difficulties of social media platforms, particularly those arising from Twitter’s ban of Trump, he makes an ill-informed, bordering on bizarre, argument as to why such companies may need their First Amendment rights curtailed.

There are several points on which Thomas seems to willfully misconstrue or misunderstand the issues.

The first is in his characterization of Trump’s use of Twitter. You may remember that several people sued after being blocked by Trump, alleging that his use of the platform amounted to creating a “public forum” in a legal sense, meaning it was unlawful to exclude anyone from it for political reasons. (The case, as it happens, was rendered moot after its appeal and dismissed by the court except as a Thomas’s temporary soapbox.)

“But Mr. Trump, it turned out, had only limited control of the account; Twitter has permanently removed the account from the platform,” writes Thomas. “[I]t seems rather odd to say something is a government forum when a private company has unrestricted authority to do away with it.”

Does it? Does it seem odd? Because a few paragraphs later, he uses the example of a government agency using a conference room in a hotel to hold a public hearing. They can’t kick people out for voicing their political opinions, certainly, because the room is a de facto public forum. But if someone is loud and disruptive, they can ask hotel security to remove that person, because the room is de jure a privately owned space.

Yet the obvious third example, and the one clearly most relevant to the situation at hand, is skipped. What if it is the government representatives who are being loud and disruptive, to the point where the hotel must make the choice whether to remove them?

It says something that this scenario, so remarkably close a metaphor for what actually happened, is not considered. Perhaps it casts the ostensibly “odd” situation and actors in too clear a light, for Thomas’s other arguments suggest he is not for clarity here but for muddying the waters ahead of a partisan knife fight over free speech.

In his best “I’m not saying, I’m just saying” tone, Thomas presents his reasoning why, if the problem is that these platforms have too much power over free speech, then historically there just happen to be some legal options to limit that power.

Thomas argues first, and worst, that platforms like Facebook and Google may amount to “common carriers,” a term that goes back centuries to actual carriers of cargo, but which is now a common legal concept that refers to services that act as simple distribution – “bound to serve all customers alike, without discrimination.” A telephone company is the most common example, in that it cannot and does not choose what connections it makes, nor what conversations happen over those connections – it moves electric signals from one phone to another.

But as he notes at the outset of his commentary, “applying old doctrines to new digital platforms is rarely straightforward.” And Thomas’s method of doing so is spurious.

“Though digital instead of physical, they are at bottom communications networks, and they ‘carry’ information from one user to another,” he says, and equates telephone companies laying cable with companies like Google laying “information infrastructure that can be controlled in much the same way.”

Now, this is certainly wrong. So wrong in so many ways that it’s hard to know where to start and when to stop.

The idea that companies like Facebook and Google are equivalent to telephone lines is such a reach that it seems almost like a joke. These are companies that have built entire business empires by adding enormous amounts of storage, processing, analysis, and other services on top of the element of pure communication. One might as easily suggest that because computers are just a simple piece of hardware that moves data around, that Apple is a common carrier as well. It’s really not so far a logical leap!

There’s no real need to get into the technical and legal reasons why this opinion is wrong, however, because these grounds have been covered so extensively over the years, particularly by the FCC — which the Supreme Court has deferred to as an expert agency on this matter. If Facebook were a common carrier (or telecommunications service), it would fall under the FCC’s jurisdiction — but it doesn’t, because it isn’t, and really, no one thinks it is. This has been supported over and over, by multiple FCCs and administrations, and the deferral is itself a Supreme Court precedent that has become doctrine.

In fact, and this is really the cherry on top, freshman Justice Kavanaugh in a truly stupefying legal opinion a few years ago argued so far in the other direction that it became wrong in a totally different way! It was Kavanaugh’s considered opinion that the bar for qualifying as a common carrier was actually so high that even broadband providers don’t qualify for it (This was all in service of taking down net neutrality, a saga we are in danger of resuming soon). As his erudite colleague Judge Srinivasan explained to him at the time, this approach too is embarrassingly wrong.

Looking at these two opinions, of two sitting conservative Supreme Court Justices, you may find the arguments strangely at odds, yet they are wrong after a common fashion.

Kavanaugh claims that broadband providers, the plainest form of digital common carrier conceivable, are in fact providing all kinds sophisticated services over and above their functionality as a pipe (they aren’t). Thomas claims that companies actually providing all kinds of sophisticated services are nothing more than pipes.

Simply stated, these men have no regard for the facts but have chosen the definition that best suits their political purposes: for Kavanaugh, thwarting a Democrat-led push for strong net neutrality rules; for Thomas, asserting control over social media companies perceived as having an anti-conservative bias.

The case Thomas uses for his sounding board on these topics was rightly rendered moot — Trump is no longer president and the account no longer exists — but he makes it clear that he regrets this extremely.

“As Twitter made clear, the right to cut off speech lies most powerfully in the hands of private digital platforms,” he concludes. “The extent to which that power matters for purposes of the First Amendment and the extent to which that power could lawfully be modified raise interesting and important questions. This petition, unfortunately, affords us no opportunity to confront them.”

Between the common carrier argument and questioning the form of Section 230 (of which in this article), Thomas’s hypotheticals break the seals on several legal avenues to restrict First Amendment rights of digital platforms, as well as legitimizing those (largely on one side of the political spectrum) who claim a grievance along these lines. (Slate legal commentator Mark Joseph Stern, who spotted the opinion early, goes further, calling Thomas’s argument a “paranoid Marxist delusion” and providing some other interesting context.)

This is not to say that social media and tech do not deserve scrutiny on any number of fronts — they exist in an alarming global vacuum of regulatory powers, and hardly anyone would suggest they have been entirely responsible with this freedom. But the arguments of Thomas and Kavanaugh stink of cynical partisan sophistry. This endorsement by Thomas amounts accomplishes nothing legally, but will provide valuable fuel for the bitter fires of contention — though they hardly needed it.

#clarence-thomas, #donald-trump, #facebook, #first-amendment, #google, #government, #lawsuit, #opinion, #section-230, #social-media, #supreme-court, #tc, #trump

0

The Supreme Court sided with Google in its epic copyright fight against Oracle

The highest court in the land has a lot to say about tech this week. The Supreme Court weighed in on Google’s long legal battle with Oracle on Monday, overturning a prior victory for the latter company that could have resulted in an $8 billion award.

In a 6-2 decision, the court ruled that Google didn’t break copyright laws when it incorporated pieces of Oracle’s Java software language into its own mobile operating system. Google copied Oracle’s code for Java APIs for Android, and the case kicked off a yearslong debate over the reuse of established APIs and copyright.

In 2018, a federal appeals court ruled that Google did in fact violate copyright law by using the APIs and that its implementation didn’t fall under fair use.

“In reviewing that decision, we assume, for argument’s sake, that the material was copyrightable. But we hold that the copying here at issue nonetheless constituted a fair use. Hence, Google’s copying did not violate the copyright law,” Justice Stephen Breyer wrote in the decision, which reverses Oracle’s previous win. Justices Samuel Alito and Clarence Thomas dissented.

“Google’s copying of the Java SE API, which included only those lines of code that were needed to allow programmers to put their accrued talents to work in a new and transformative program, was a fair use of that material as a matter of law,” Breyer wrote.

Google SVP of Global Affairs Kent Walker called the ruling, embedded below, a “big win for innovation, interoperability & computing.”

Click to access 18-956_d18f.pdf

#google, #government, #lawsuit, #oracle, #tc

0

Competition challenge to Facebook’s ‘superprofiling’ of users sparks referral to Europe’s top court

A German court that’s considering Facebook’s appeal against a pioneering pro-privacy order by the country’s competition authority to stop combining user data without consent has said it will refer questions to Europe’s top court.

In a press release today the Düsseldorf court writes [translated by Google]: “…the Senate has come to the conclusion that a decision on the Facebook complaints can only be made after referring to the Court of Justice of the European Union (ECJ).

“The question of whether Facebook is abusing its dominant position as a provider on the German market for social networks because it collects and uses the data of its users in violation of the GDPR can not be decided without referring to the ECJ. Because the ECJ is responsible for the interpretation of European law.”

The Bundeskartellamt (Federal Cartel Office, FCO)’s ‘exploitative abuse’ case links Facebook’s ability to gather data on users of its products from across the web, via third party sites (where it deploys plug-ins and tracking pixels), and across its own suite of products (Facebook, Instagram, WhatsApp, Oculus), to its market power — asserting this data-gathering is not legal under EU privacy law as users are not offered a choice.

The associated competition contention, therefore, is that inappropriate contractual terms allow Facebook to build a unique database for each individual user and unfairly gain market power over rivals who don’t have such broad and deep reach into user’s personal data.

The FOC’s case against Facebook is seen as highly innovative as it combines the (usually) separate (and even conflicting) tracks of competition and privacy law — offering the tantalizing prospect, were the order to actually get enforced, of a structural separation of Facebook’s business empire without having to order a break up of its various business units up.

However enforcement at this point — some five years after the FCO started investigating Facebook’s data practices in March 2016 — is still a big if.

Soon after the FCO’s February 2019 order to stop combining user data, Facebook succeeded in blocking the order via a court appeal in August 2019.

But then last summer Germany’s federal court unblocked the ‘superprofiling’ case — reviving the FCO’s challenge to the tech giant’s data-harvesting-by-default.

The latest development means another long wait to see whether competition law innovation can achieve what the EU’s privacy regulators have so far failed to do — with multiple GDPR challenges against Facebook still sitting undecided on the desk of the Irish Data Protection Commission.

Albeit, it’s fair to say that neither route looks capable of ‘moving fast and breaking’ platform power at this point.

In its opinion the Düsseldorf court does appear to raise questions over the level of Facebook’s data collection, suggesting the company could avoid antitrust concerns by offering users a choice to base profiling on only the data they upload themselves rather than on a wider range of data sources, and querying its use of Instagram and Oculus data.

But it also found fault with the FCO’s approach — saying Facebook’s US and Irish business entities were not granted a fair hearing before the order against its German sister company was issued, among other procedural quibbles.

Referrals to the EU’s Court of Justice can take years to return a final interpretation.

In this case the ECJ will likely be asked to consider whether the FCO has exceeded its remit, although the exact questions being referred by the court have not been confirmed — with a written reference set to be issued in the next few weeks, per its press release.

In a statement responding to the court’s announcement today, a Facebook spokesperson said:

“Today, the Düsseldorf Court has expressed doubts as to the legality of the Bundeskartellamt’s order and decided to refer questions to the Court of Justice of the European Union. We believe that the Bundeskartellamt’s order also violates European law.”

#competition-law, #europe, #facebook, #gdpr, #lawsuit, #privacy

0

Uber under pressure over facial recognition checks for drivers

Uber’s use of facial recognition technology for a driver identity system is being challenged in the UK where the App Drivers & Couriers Union (ADCU) and Worker Info Exchange (WIE) have called for Microsoft to suspend the ride-hailing giant’s use of B2B facial recognition after finding multiple cases where drivers were mis-identified and went on to have their licence to operate revoked by Transport for London (TfL).

The union said it has identified seven cases of “failed facial recognition and other identity checks” leading to drivers losing their jobs and license revocation action by TfL.

When Uber launched the “Real Time ID Check” system in the UK, in April 2020, it said it would “verify that driver accounts aren’t being used by anyone other than the licensed individuals who have undergone an Enhanced DBS check”. It said then that drivers could “choose whether their selfie is verified by photo-comparison software or by our human reviewers”.

In one misidentification case the ADCU said the driver was dismissed from employment by Uber and his license was revoked by TfL. The union adds that it was able to assist the member to establish his identity correctly forcing Uber and TfL to reverse their decisions. But it highlights concerns over the accuracy of the Microsoft facial recognition technology — pointing out that the company suspended the sale of the system to US police forces in the wake of the Black Lives Matter protests of last summer.

Research has shown that facial recognition systems can have an especially high error rate when used to identify people of color — and the ADCU cites a 2018 MIT study which found Microsoft’s system can have an error rate as high as 20% (accuracy was lowest for dark skinned women).

The union said it’s written to the Mayor of London to demand that all TfL private hire driver license revocations based on Uber reports using evidence from its Hybrid Real Time Identification systems are immediately reviewed.

Microsoft has been contacted for comment on the call for it to suspend Uber’s licence for its facial recognition tech.

The ADCU said Uber rushed to implement a workforce electronic surveillance and identification system as part of a package of measures implemented to regain its license to operate in the UK capital.

Back in 2017, TfL made the shock decision not to grant Uber a licence renewal — ratcheting up regulatory pressure on its processes and maintaining this hold in 2019 when it again deemed Uber ‘not fit and proper’ to hold a private hire vehicle licence.

Safety and security failures were a key reason cited by TfL for withholding Uber’s licence renewal.

Uber has challenged TfL’s decision in court and it won another appeal against the licence suspension last year — but the renewal granted was for only 18 months (not the full five years). It also came with a laundry list of conditions — so Uber remains under acute pressure to meet TfL’s quality bar.

Now, though, Labor activists are piling pressure on Uber from the other direction too — pointing out that no regulatory standard has been set around the workplace surveillance technology that the ADCU says TfL encouraged Uber to implement. No equalities impact assessment has even been carried out by TfL, it adds.

WIE confirmed to TechCrunch that it’s filing a discrimination claim in the case of one driver, called Imran Raja, who was dismissed after Uber’s Real ID check — and had his license revoked by TfL.

His licence was subsequently restored — but only after the union challenged the action.

A number of other Uber drivers who were also misidentified by Uber’s facial recognition checks will be appealing TfL’s revocation of their licences via the UK courts, per WIE.

A spokeswoman for TfL told us it is not a condition of Uber’s licence renewal that it must implement facial recognition technology — only that Uber must have adequate safety systems in place.

The relevant condition of its provisional licence on ‘driver identity’ states:

ULL shall maintain appropriate systems, processes and procedures to confirm that a driver using the app is an individual licensed by TfL and permitted by ULL to use the app.

We’ve also asked TfL and the UK’s Information Commissioner’s Office for a copy of the data protection impact assessment Uber says was carried before the Real-Time ID Check was launched — and will update this report if we get it.

Uber, meanwhile, disputes the union’s assertion that its use of facial recognition technology for driver identity checks risks automating discrimination because it says it has a system of manual (human) review in place that’s intended to prevent failures.

Albeit it accepts that that system clearly failed in the case of Raja — who only got his Uber account back (and an apology) after the union’s intervention.

Uber said its Real Time ID system involves an automated ‘picture matching’ check on a selfie that the driver must provide at the point of log in, with the system comparing that selfie with a (single) photo of them held on file. 

If there’s no machine match, the system sends the query to a three-person human review panel to conduct a manual check. Uber said checks will be sent to a second human panel if the first can’t agree. 

In a statement the tech giant told us:

“Our Real-Time ID Check is designed to protect the safety and security of everyone who uses the app by ensuring the correct driver or courier is using their account. The two situations raised do not reflect flawed technology — in fact one of the situations was a confirmed violation of our anti-fraud policies and the other was a human error.

“While no tech or process is perfect and there is always room for improvement, we believe the technology, combined with the thorough process in place to ensure a minimum of two manual human reviews prior to any decision to remove a driver, is fair and important for the safety of our platform.”

In two of the cases referred to by the ADCU, Uber said that in one instance a driver had shown a photo during the Real-Time ID Check instead of taking a selfie as required to carry out the live ID check — hence it argues it was not wrong for the ID check to have failed as the driver was not following the correct protocol.

In the other instance Uber blamed human error on the part of its manual review team(s) who (twice) made an erroneous decision. It said the driver’s appearance had changed and its staff were unable to recognize the face of the (now bearded) man who sent the selfie as the same person in the clean-shaven photo Uber held on file.

Uber was unable to provide details of what happened in the other five identity check failures referred to by the union.

It also declined to specify the ethnicities of the seven drivers the union says were misidentified by its checks.

Asked what measures it’s taking to prevent human errors leading to more misidentifications in future Uber declined to provide a response.

Uber said it has a duty to notify TfL when a driver fails an ID check — a step which can lead to the regulator suspending the license, as happened in Raja’s case. So any biases in its identity check process clearly risk having disproportionate impacts on affected individuals’ ability to work.

WIE told us it knows of three TfL licence revocations that relate solely to facial recognition checks.

“We know of more [UberEats] couriers who have been deactivated but no further action since they are not licensed by TfL,” it noted.

TechCrunch also asked Uber how many driver deactivations have been carried out and reported to TfL in which it cited facial recognition in its testimony to the regulator — but again the tech giant declined to answer our questions.

WIE told us it has evidence that facial recognition checks are incorporated into geo-location-based deactivations Uber carries out.

It said that in one case a driver who had their account revoked was given an explanation by Uber relating solely to location but TfL accidentally sent WIE Uber’s witness statement — which it said “included facial recognition evidence”.

That suggests a wider role for facial recognition technology in Uber’s identity checks vs the one the ride-hailing giant gave us when explaining how its Real Time ID system works. (Again, Uber declined to answer follow up questions about this or provide any other information beyond its on-the-record statement and related background points.)

But even just focusing on Uber’s Real Time ID system there’s the question of much say Uber’s human review staff actually have in the face of machine suggestions combined with the weight of wider business imperatives (like an acute need to demonstrate regulatory compliance on the issue of safety).

James Farrer, the founder of WIE, queries the quality of the human checks Uber has put in place as a backstop for facial recognition technology which has a known discrimination problem.

“Is Uber just confecting legal plausible deniability of automated decision making or is there meaningful human intervention,” he told TechCrunch. “In all of these cases, the drivers were suspended and told the specialist team would be in touch with them. A week or so typically would go by and they would be permanently deactivated without ever speaking to anyone.”

“There is research out there to show when facial recognition systems flag a mismatch humans have bias to confirm the machine. It takes a brave human being to override the machine. To do so would mean they would need to understand the machine, how it works, its limitations and have the confidence and management support to over rule the machine,” Farrer added. “Uber employees have the risk of Uber’s license to operate in London to consider on one hand and what… on the other? Drivers have no rights and there are in excess so expendable.”

He also pointed out that Uber has previously said in court that it errs on the side of customer complaints rather than give the driver benefit of the doubt. “With that in mind can we really trust Uber to make a balanced decision with facial recognition?” he asked.

Farrer further questioned why Uber and TfL don’t show drivers the evidence that’s being relied upon to deactivate their accounts — to given them a chance to challenge it via an appeal on the actual substance of the decision.

“IMHO this all comes down to tech governance,” he added. “I don’t doubt that Microsoft facial recognition is a powerful and mostly accurate tool. But the governance of this tech must be intelligent and responsible. Microsoft are smart enough themselves to acknowledge this as a limitation.

“The prospect of Uber pressured into surveillance tech as a price of keeping their licence… and a 94% BAME workforce with no worker rights protection from unfair dismissal is a recipe for disaster!”

The latest pressure on Uber’s business processes follows hard on the heels of a major win for Farrer and other former Uber drivers and labor rights activists after years of litigation over the company’s bogus claim that drivers are ‘self employed’, rather than workers under UK law.

On Tuesday Uber responded to last month’s Supreme Court quashing of its appeal saying it would now treat drivers as workers in the market — expanding the benefits it provides.

However the litigants immediately pointed out that Uber’s ‘deal’ ignored the Supreme Court’s assertion that working time should be calculated when a driver logs onto the Uber app. Instead Uber said it would calculate working time entitlements when a driver accepts a job — meaning it’s still trying to avoid paying drivers for time spent waiting for a fare.

The ADCU therefore estimates that Uber’s ‘offer’ underpays drivers by between 40%-50% of what they are legally entitled to — and has said it will continue its legal fight to get a fair deal for Uber drivers.

At an EU level, where regional lawmakers are looking at how to improve conditions for gig workers, the tech giant is now pushing for an employment law carve out for platform work — and has been accused of trying to lower legal standards for workers.

In additional Uber-related news this month, a court in the Netherlands ordered the company to hand over more of the data it holds on drivers, following another ADCU+WIE challenge. Although the court rejected the majority of the drivers’ requests for more data. But notably it did not object to drivers seeking to use data rights established under EU law to obtain information collectively to further their ability to collectively bargain against a platform — paving the way for more (and more carefully worded) challenges as Farrer spins up his data trust for workers.

The applicants also sought to probe Uber’s use of algorithms for fraud-based driver terminations under an article of EU data protection law that provides for a right not to be subject to solely automated decisions in instances where there is a legal or significant effect. In that case the court accepted Uber’s explanation at face value that fraud-related terminations had been investigated by a human team — and that the decisions to terminate involved meaningful human decisions.

But the issue of meaningful human invention/oversight of platforms’ algorithmic suggestions/decisions is shaping up to be a key battleground in the fight to regulate the human impacts of and societal imbalances flowing from powerful platforms which have both god-like view of users’ data and an allergy to complete transparency.

The latest challenge to Uber’s use of facial recognition-linked terminations shows that interrogation of the limits and legality of its automated decisions is far from over — really, this work is just getting started.

Uber’s use of geolocation for driver suspensions is also facing legal challenge.

While pan-EU legislation now being negotiated by the bloc’s institutions also aims to increase platform transparency requirements — with the prospect of added layers of regulatory oversight and even algorithmic audits coming down the pipe for platforms in the near future.

Last week the same Amsterdam court that ruled on the Uber cases also ordered India-based ride-hailing company Ola to disclose data about its facial-recognition-based ‘Guardian’ system — aka its equivalent to Uber’s Real Time ID system. The court said Ola must provided applicants with a wider range of data than it currently does — including disclosing a ‘fraud probability profile’ it maintains on drivers and data within a ‘Guardian’ surveillance system it operates.

Farrer says he’s thus confident that workers will get transparency — “one way or another”. And after years fighting Uber through UK courts over its treatment of workers his tenacity in pursuit of rebalancing platform power cannot be in doubt.

 

#app-drivers-couriers-union, #artificial-intelligence, #europe, #facial-recognition, #james-farrer, #lawsuit, #microsoft, #policy, #tfl, #uber, #worker-info-exchange

0

Court overturns Amsterdam’s three-district ban on Airbnb rentals

A ban by Amsterdam authorities on housing owners offering their properties for vacation rentals in three central districts of the popular tourist city has been overturned after a court ruled it has no basis in law.

City authorities had been responding to concerns over the impact of tourist platforms like Airbnb on quality of life for residents.

An update to the city’s website notes that, from tomorrow, it will be possible for property owners to apply for a holiday rental permit in the three neighborhoods where vacation rentals had been entirely banned from July 1 last year.

City authorities write that they are studying the court ruling and will update the page “as soon as more is known”.

Amsterdam’s authorities took the step of prohibiting vacation rentals in the Burgwallen-Oude Zijde, Burgwallen-Nieuwe Zijde and Grachtengordel-Zuid districts last summer after a consultation process found widespread support among residents for a ban.

Authorities said strong growth in tourist rentals was impacting quality of life for residents.

It has also previously introduced a permit system to control vacation rentals in other districts of the city — which limits rentals to (currently) a maximum of 30 nights per year and for a maximum of four people per rental.

A further condition of the permit states that: “Your guests [must] not cause any inconvenience.”

Following the court ruling that permit system will operate in the three central districts too.

The city’s ban on vacation rentals in the central districts was challenged by an association that represents the interests of homeowners who rent their properties through Airbnb and other platforms. They had argued that the Housing Act 2014 did not provide a legal basis for a prohibition on holiday rental. 

The Court of Amsterdam agreed, writing in its judgement that “a system of permits cannot contain a total prohibition”.

“Anyone who meets the conditions of the permit is in principle eligible for a permit. A total ban is a major infringement of the right to property and the free movement of services and will only be seen as a justified measure in very exceptional circumstances,” it further emphasized. 

However the court’s verdict leaves room for the city to amend legislation to add new conditions to the permit system which could include a ‘quality of life’ consideration (which it does not currently).

The court also suggests the possibility of a quota system with a night criterion being introduced under existing legislation, as another means of using the permit system to manage quality of life. It further suggests city authorities could enforce residential (rather than touristic) purposes for houses via a zoning plan. So there are alternative avenues for Amsterdam’s officials to explore as a policy tool to limit activity on Airbnb et al.

At the same time the court ruling underlines the challenges European cities face in trying to regulate the impacts of rental platforms on areas like housing availability (and affordability) and wider quality of life issues for residents dealing with over-tourism (not currently an issue, of course, given ongoing travel restrictions related to the coronavirus pandemic).

In recent years a number of major tourist cities in Europe have expressed public frustration over vacation rental platforms — penning an open letter to the European Commission back in 2019 that called for “strong legal obligations for platforms to cooperate with us in registration-schemes and in supplying rental-data per house that is advertised on their platforms”.

“Cities must protect the public interest and eliminate the adverse effects of short term holiday rental in various ways. More nuisances, feelings of insecurity and a ‘touristification’ of their neighbourhoods is not what our residents want. Therefore (local) governments should have the possibility to introduce their own regulations depending on the local situation,” they also wrote, urging EU policymakers to support a rethink of the rules.

Since then the Commission has announced a limited data-sharing arrangement with the leading vacation rental platforms, saying it wants to encourage “balanced” development of peer-to-peer rentals.

Last year the Dutch government pressed the Commission to go further over data access to vacation rental platforms — pushing for a provision to be included in a major planned update to pan-EU rules wrapping digital services, aka the Digital Services Act (DSA).

The DSA proposal, which is now going through the EU’s co-legislative process, is broadly targeted at standardizing processes for tackling illegal goods and services — so it could have implications for vacation platforms in areas like data-sharing where it relates to illegal vacation rentals (i.e. where a property is advertised without a required permit).

 

#airbnb, #amsterdam, #digital-services-act, #eu, #europe, #lawsuit, #platform-regulation, #policy, #vacation-rentals

0

Dutch court rejects Uber drivers’ ‘robo-firing’ charge but tells Ola to explain algo-deductions

Uber has had a good result against litigation in the Netherlands, where its European business is headquartered, that had alleged it uses algorithms to terminate drivers — but which the court has rejected.

The ride-hailing giant has also been largely successful in fending off wide-ranging requests for data from drivers wanting to obtain more of the personal data it holds on them.

A number of Uber drivers filed the suits last year with the support of the App Drivers & Couriers Union (ADCU) in part because they are seeking to port data held on them in Uber’s platform to a data trust (called Worker Info Exchange) that they want to set up, administered by a union, to further their ability to collectively bargain against the platform giant.

The court did not object to them seeking data, saying such a purpose does not stand in the way of exercising their personal data access rights, but it rejected most of their specific requests — at times saying they were too general or had not been sufficiently explained or must be balanced against other rights (such as passenger privacy).

The ruling hasn’t gone entirely Uber’s way, though, as the court ordered the tech giant to hand over a little more data to the litigating drivers than it has so far. While it rejected driver access to information including manual notes about them, tags and reports, Uber has been ordered to provide drivers with individual ratings given by riders on an anonymized basis — with the court giving it two months to comply.

In another win for Uber, the court did not find that its (automated) dispatch system results in a “legal or similarly significant effect” for drivers under EU law — and therefore has allowed that it be applied without additional human oversight.

The court also rejected a request by the applicants that data Uber does provide to them must be provided via a CSV file or API, finding that the PDF format Uber has provider is sufficient to comply with legal requirements.

In response to the judgements, an Uber spokesman sent us this statement:

“This is a crucial decision. The Court has confirmed Uber’s dispatch system does not equate to automated decision making, and that we provided drivers with the data they are entitled to. The Court also confirmed that Uber’s processes have meaningful human involvement. Safety is the number one priority on the Uber platform, so any account deactivation decision is taken extremely seriously with manual reviews by our specialist team.”

The ADCU said the litigation has established that drivers taking collective action to seek access to their data is not an abuse of data protection rights — and lauded the aspects of the judgement where Uber has been ordered to hand over more data.

It also said it sees potential grounds for appeal, saying it’s concerned that some aspects of the judgments unduly restrict the rights of drivers, which it said could interfere with the right of workers to access employment rights — “to the extent they are frustrated in their ability to validate the fare basis and compare earnings and operating costs”.

“We also feel the court has unduly put the burden of proof on workers to show they have been subject to automated decision making before they can demand transparency of such decision making,” it added in a press release. “Similarly, the court has required drivers to provide greater specificity on the personal data sought rather than placing the burden on firms like Uber and Ola to clearly explain what personal data is held and how it is processed.”

The two Court of Amsterdam judgements can be found here and here (both are in Dutch; we’ve used Google Translate for the sections quoted below).

Our earlier reports on the legal challenges can be found here and here.

The Amsterdam court has also ruled on similar litigation filed against India-based Ola last year — ordering the India-based ride-hailing company to hand over a wider array of data than it currently does; and also saying it must explain the main criteria for a ‘penalties and deductions’ algorithm that can be applied to drivers’ earnings.

The judgement is available here (in Dutch). See below for more details on the Ola judgement.

Commenting in a statement, James Farrar, a former Uber driver who is now director of the aforementioned Worker Info Exchange, said: “This judgment is a giant leap forward in the struggle for workers to hold platform employers like Uber and Ola Cabs accountable for opaque and unfair automated management practices. Uber and Ola Cabs have been ordered to make transparent the basis for unfair dismissals, wage deductions and the use of surveillance systems such as Ola’s Guardian system and Uber’s Real Time ID system. The court completely rejected Uber & Ola’s arguments against the right of workers to collectively organize their data and establish a data trust with Worker Info Exchange as an abuse of data access rights.”

In an interesting (related) development in Spain, which we reported on yesterday, the government there has said it will legislate in a reform of the labor law aimed at delivery platforms that will require them to provide workers’ legal representatives with information on the rules of any algorithms that manage and assess them.

Court did not find Uber does ‘robo firings’

In one of the lawsuits, the applicants had argued that Uber had infringed their right not to be subject to automated decision-making when it terminated their driver accounts and also that it has not complied with its transparency obligations (within the meaning of GDPR Articles 13, 14 and 15).

Article 22 GDPR gives EU citizens the right not to be subject to a decision based solely on automated processing (including profiling) where the decision has legal or otherwise significant consequences for them. There must be meaningful human interaction in the decision-making process for it to not be considered solely automated processing.

Uber argued that it does not carry out automated terminations of drivers in the region and therefore that the law does not apply — telling the court that potential fraudulent activities are investigated by a specialized team of Uber employees (aka the ‘EMEA Operational Risk team’).

And while it said that the team makes use of software with which potential fraudulent activities can be detected, investigations are carried out by employees following internal protocols which require them to analyze potential fraud signals and the “facts and circumstances” to confirm or rule out the existence of fraud.

Uber said that if a consistent pattern of fraud is detected, a decision to terminate requires an unanimous decision from two employees of the Risk team. When the two employees do not agree, Uber says a third conducts an investigation — presumably to cast a deciding vote.

It provided the court with explanations for each of the terminations of the litigating applicants — and the court writes that Uber’s explanations of its decision-making process for terminations were not disputed. “In the absence of evidence to the contrary, the court will assume that the explanation provided by Uber is correct,” it wrote.

Interestingly, in the case of one of the applicants, Uber told the court they had been using (unidentified) software to manipulate the Uber Driver app in order to identify more expensive journeys by being able to view the passenger’s destination before accepting the ride — enabling them to cherry pick jobs, a practice that’s against Uber’s terms. Uber said the driver was warned that if they used the software again they would be terminated. But a few days later they did so — leading to another investigation and a termination.

However it’s worth noting that the activity in question dates back to 2018. And Uber has since changed how its service operates to provide drivers with information about the destination before they accept a ride — a change it flagged in response to a recent UK Supreme Court ruling that confirmed drivers who brought the challenge are workers, not self employed.

Some transparency issues were found

On the associated question of whether Uber had violated its transparency obligations to terminated drivers, the court found that in the cases of two of the four applicants Uber had done so (but not for the other two).

Uber did not clarify which specific fraudulent acts resulted in their accounts being deactivated,” the court writes in the case of the two applicants who it found had not been provided with sufficient information related to their terminations. Based on the information provided by Uber, they cannot check which personal data Uber used in the decision-making process that led to this decision. As a result, the decision to deactivate their accounts is insufficiently transparent and verifiable. As a result, Uber must provide [applicant 2] and [applicant 4] with access to their personal data pursuant to Article 15 of the GDPR insofar as they were the basis for the decision to deactivate their accounts, in such a way that they can are able to verify the correctness and lawfulness of the processing of their personal data.”

The court dismissed Uber’s attempt to evade disclosure on the grounds that providing more information would give the drivers insight into its anti-fraud detection systems which it suggested could then be used to circumvent them, writing: “In this state of affairs, Uber’s interest in refusing access to the processed personal data of [applicant 2] and [applicant 4] cannot outweigh the right of [applicant 2] and [applicant 4] to access their personal data.”

Compensation claims related to the charges were rejected — including in the case of the two applicants who were not provided with sufficient data on their terminations, with the court saying that they had not provided “reasons for damage to their humanity or good name or damage to their person in any other way”.

The court has given Uber two months to provide the two applicants with personal data pertaining to their terminations. No penalty has been ordered.

“For the time being, the trust is justified that Uber will voluntarily comply with the order for inspection [of personal data] and will endeavor to provide the relevant personal data,” it adds.

No legal/significant effect from Uber’s aIgo-dispatch

The litigants’ data access case also sought to challenge Uber’s algorithmic management of drivers — through its use of an algorithmic batch matching system to allocate rides — arguing that, under EU law, the drivers had a right to information about automated decision making and profiling used by Uber to run the service in order to be able to assess impacts of that automated processing.

However the court did not find that automated decision-making “within the meaning of Article 22 GDPR” takes place in this instance, accepting Uber’s argument that “the automated allocation of available rides has no legal consequences and does not significantly affect the data subject”.

Again, the court found that the applicants had “insufficiently explained” their request.

From the judgement:

It has been established between the parties that Uber uses personal data to make automated decisions. This also follows from section 9 ‘Automated decision-making’ included in its privacy statement. However, this does not mean that there is an automated decision-making process as referred to in Article 22 GDPR. After all, this requires that there are also legal consequences or that the data subject is otherwise significantly affected. The request is only briefly explained on this point. The Applicants argue that Uber has not provided sufficient concrete information about its anti-fraud processes and has not demonstrated any meaningful human intervention. Unlike in the case with application number C / 13/692003 / HA RK 20/302 in which an order is also given today, the applicants did not explain that Uber concluded that they were guilty of fraud. The extent to which Uber has taken decisions about them based on automated decision-making is therefore insufficiently explained. Although it is obvious that it is The batched matching system and the upfront pricing system will have a certain influence on the performance of the agreement between Uber and the driver, it has not been found that there is a legal consequence or a significant effect, as referred to in the Guidelines. Since Article 15 paragraph 1 under h GDPR only applies to such decisions, the request under I (iv) is rejected.

Ola must hand over data and algo criteria

In this case the court ruled that Ola must provided applicants with a wider range of data than it is currently doing — including a ‘fraud probability profile’ it maintains on drivers and data within a ‘Guardian’ surveillance system it operates.

The court also found that algorithmic decisions Ola uses to make deductions from driver earnings do fall under Article 22 of the GDPR, as there is no significant human intervention while the discounts/fines themselves may have a significant effect on drivers.

On this it ordered Ola to provide applicants with information on how these algorithmic choices are made by communicating “the main assessment criteria and their role in the automated decision… so that [applicants] can understand the criteria on the basis of which the decisions were taken and they are able to check the correctness and lawfulness of the data processing”.

Ola has been contacted for comment.

#adcu, #algorithmic-accountability, #artificial-intelligence, #data-access, #europe, #gdpr, #lawsuit, #ola, #privacy, #tc, #uber

0