Privacy Campaigners Challenge Government Over Test and Trace

Privacy campaign groups Big Brother Watch and The Open Rights Group have voiced their concerns that there is a lack of clarity from the government about how the data of users of the new NHS contact tracing app will be protected.

Concerns

The privacy campaign groups are concerned that both the Track and Trace system and the contact tracing app appear to be risking the privacy of the public as regards their personal details and that a lack of clarity over this is contributing to a lack of trust in the system by the public and, therefore, may be endangering public health and prolonging the pandemic’s effects.

A key concern by the privacy groups is the apparent lack of a legally required Data Protection Impact Assessment (DPIA).  A DPIA, introduced by the UK’s data regulator, the Information Commissioner’s Office (ICO), is a process that can reduce the likelihood of data breaches.

No Longer Based on Public Trust

The Big Brother Watch website highlights what it believes to shift by the UK government from creating and nourishing public trust towards simply relying on coercion and penalties to make contract tracing in the UK work.  For example, Big Brother watch says “This new approach to contact tracing is no longer based on public trust, but on exclusion, criminal sanctions and police enforcement. Many people will be rightly shocked to find they’re refused entry to coffee shops and restaurants unless they hand over their personal contact details. This is an astoundingly excessive law that poses a serious risk to privacy and data rights.”

Open Rights Group

Although the Open Rights Group was pleased that, in June, the government scrapped its plans to use a centralised model for its Covid-19 tracker app and opted for the decentralised model (no big, central database), it is also very concerned about the apparent lack of a Data Protection Impact Assessment (DPIA). The Open Rights Group highlights its particular concerns over the government’s apparent lack of clear explanation of how bars and restaurants should keep data, and what the legal liabilities are.  It points out that although the England and Wales App and QR code scan for a venue may record that some people were there, it does not give the full picture and there may be a security and privacy loophole.  For example, if a person doesn’t have a modern smartphone, and simply hands their data to a pub or restaurant, the Open Rights Group is concerned that the person will have little or no privacy protection and that no thought appears to have gone into the privacy and risks,  even though those risks are very tangible.

What Does This Mean For Your Business?

The failure of the previous tracing app, criticisms of a lack of an effective, large scale track and trace system for 6 months, and a lack of availability of tests, a large death toll, and recent criticism of the government by the media over what appears to be a confused strategy and messages have all contributed to reduction in the level of trust.  This is a difficult backdrop with which to launch a new app to which the government wants all of us to subscribe to.  It may be particularly bad for many businesses who have been forced to make difficult decisions to comply with COVID laws e.g. in the hospitality industry to hear that the UK government may not have met its own legal requirement for a Data Protection Impact Assessment (DPIA).  Although posting the QR code at business premises is a way to make it easier for businesses to comply and help with track and trace, there may well be a grey area as regards the collection and protection of data for those who don’t have a smartphone with the capacity to work with the app system. Trust, transparency, and clarity are all areas the government may need to work on to make a test and trace system work, help businesses and protect public health.

Brexit Border IT Systems Behind Schedule

A leaked government memo reportedly suggests that critical IT systems needed to avoid border disruption post-Brexit are behind schedule, raising the threat of border chaos for hauliers.

Memo After Meeting

The memo, reported by Bloomberg, from the UK Cabinet Office’s Border and Protocol Delivery Group was allegedly sent after a meeting with representatives of the logistics industry.  

Smart Freight Service and More

Reports indicate that ten IT systems are needed to be in place and that hauliers will need to know how to use them to ensure that post-Brexit border movement can go ahead without major problems.  These systems include the web-based Smart Freight Service which will be used to manage the customs declarations for the movement of food and medicines.

To date, however, it appears that at least three systems are being designed just now and that there are serious concerns that with only four months to go and not enough time to train users on the systems that the situation could become unmanageable.

GVMS IT System

It has also emerged that following an announcement by HMRC in July that £100m would be made available for border IT systems that would make it smoother and easier for traders to operate in a “roll-on, roll-off environment” the development of the Goods Vehicle Movement Service (GVMS) IT system needed to achieve this hasn’t even been started yet.  One emergency suggestion to plug this gap has been to simply license the French IT system instead.

No Information on NI

Recent announcements by the UK government about a law-breaking amendment to the Brexit deal negotiated with the EU that could change plans as regards the Northern Ireland have also highlighted the fact that there is now no totally reliable information available about the location of checkpoints or what impact this change of plans will have on the IT systems for hauliers to use that are ready or are still in the development stage.

What Does This Mean For Your Business?

Hauliers have highlighted the fact that unless IT systems relating to post-Brexit customs arrangements are all up and running and there has been time for training in the use of the systems, there is a real possibility of serious delays and disruption at ports and in supply chains.  With only four months to go, the real worry is that the knock-on effects of border delays and/or problems relating to any amendments concerning decisions about the Northern Ireland border i.e. avoiding a hard border/checkpoints could affect businesses and organisations of all kinds across the country. Businesses are now in the final count-down to Brexit and it will very soon become much clearer how well prepared the country is in terms of IT systems that are vital to ensure effective and smooth operations at ports and borders post-Brexit.

Trump Terminates TikTok

The Trump administration’s next high-profile target in its Chinese trade-war is the hugely popular video-sharing mobile app TikTok, which has been slapped with a 45-day ban in the U.S. from 20 September 2020.

Executive Orders

Chinese apps TikTok (from parent ByteDance) and WeChat (from parent Tencent) have received Executive Orders forbidding “any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States”. The “person” in this order applies to any individual or entity e.g. government, corporation, organisation, or group. This appears to illustrate how the Trump administration would like to see American companies banning the use of TikTok on their devices.

The ban follows the Trump administration’s ban on the use of Huawei’s equipment in communications infrastructure on the grounds that Huawei was viewed to be too close to the Chinese state and, therefore, the use of its equipment could be deemed to pose a national security risk.

TikTok

The White House website states that “TikTok automatically captures vast swaths of information from its users” and that “this data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information”.  The Whitehouse website also says that “TikTok also reportedly censors content that the Chinese Communist Party deems politically sensitive, such as content concerning protests in Hong Kong and China’s treatment of Uyghurs and other Muslim minorities”. 

For these reasons, and that “steps must be taken to deal with the national emergency with respect to the information and communications technology and services supply chain”, the Trump administration has issued the TikTok ban.

WeChat

Similarly, the White house order against the Chinese messaging, social media, and electronic payment app ‘WeChat’ and how it also allegedly captures “vast swaths of information from its users” which could then be accessed by the Chinese Communist Party.  In the case of WeChat, the White House website highlights a report of the discovery of a Chinese database that contains billions of WeChat messages sent from users in China, the United States, Taiwan, South Korea, and Australia.  The website also suggests that WeChat is a mechanism for Chinese Communist Party to keep tabs on Chinese nationals visiting the United States and “enjoying the benefits of a free society for the first time in their lives”.

TikTok and the UK

The ban in the U.S. prompted reports that the UK government was close to allowing TikTok to launch its headquarters in London, which is something that has not gone down well with Trump administration in the U.S.

What Does This Mean For Your Business?

The U.S. represents a big market for app makers and on a commercial level, the ban could be damaging to ByteDance and Tencent, owners of WeChat. Unfortunately, although the U.S. states “real” security concerns and a “national emergency” in the ITC services and supply chain as the reasons for the ban, many see this as politically motivated and as another step in the Trump Administration’s trade-war with the Chinese, which has been further stoked by accusations over the origins of the COVID-19 pandemic. Only recently, the UK’s decision not to use Huawei equipment in the 5G infrastructure was viewed by many as the UK bowing to U.S. pressure.  The future for businesses that have traditionally operated between the U.S. and China looks to be difficult and business opportunities in Chinese markets look less likely as the trade-war and the war of words escalates.

Featured Article – Antitrust and Big-Tech

With U.S. Congress members grilling the bosses of the big tech companies this week with a view to deciding if their companies have become too big and powerful, in this article we take a look at the Antitrust laws and issues.

Antitrust Laws

In the U.S., home of big tech companies Facebook, Apple, Google and Amazon, the bosses of which are about to face an antitrust grilling, there are three core federal antitrust laws. The objectives of the laws are to help consumers by protecting the process of competition, making sure there are strong enough incentives for businesses to operate efficiently, to keep prices down, and keep maintain quality of goods and services. 

When Microsoft faced Congress back in 1998 over an antitrust row about Microsoft allegedly forcing PC manufacturers to make Internet Explorer the default browser on their computers, the Sherman Act of 1890 was the main Act used in the against Microsoft.  This act concerns monopolies and prohibits “unreasonable” restraints of trade.

The other two core federal antitrust laws are The Federal Trade Commission Act which bans “unfair methods of competition” and “unfair or deceptive acts or practices”, and the Clayton Act which relates to some practices that the Sherman Act does not clearly prohibit e.g. mergers.

Before Congress

This week, Mark Zuckerberg of Facebook, Sundar Pichai of Google, Tim Cook of Apple and Jeff Bezos of Amazon are all appearing before members of the U.S. Congress to face questions related to the antitrust laws and to help the U.S. government decide whether these companies have become too big and powerful. 

Complicated Argument

The arguments in relation to Google and Facebook particularly (both of which offer services for free, funded by advertising), are likely to be complicated by their ‘free’ business-model.

Facebook, for example, offers Instagram, WhatsApp, and its classic Facebook platform free to consumers and Google offers its search engine, email, YouTube, and other services for free. Apple also offers free apps for download.  The offering of these free services could, therefore, make it difficult for Congress to use an antitrust law against them that is based on consumer pricing.

Issues

Some of the issues the Congress legislators may mention have also been echoed in the UK. These issues include:

– Big tech companies thrived during the pandemic which may indicate that they could be “too big to fail” and that this could indicate that they have become too powerful and this could represent an unfair situation for competitors.

– The tech giants, like Amazon and Google, own the Internet utilities and, therefore, could be acting unfairly e.g. Amazon promoting its own products over others on Amazon marketplace.

– That even though some key services are offered for free, the tech giants may be hurting consumers in a less direct way by making it difficult for other competitors to compete with ‘free’ and thereby damaging the wider economy.

– The issue of the role that powerful platforms such as Facebook have played (and could play) in the influencing of votes in elections due to content posted and shared on those platforms.  Significantly, there is a U.S. presidential election later this year.

– Google and Facebook’s market positions may mean that they have had a detrimental impact on newspapers and their circulation.

– Apple and Google own iOS and Android and, therefore, could be said to control the app market, making it difficult for app makers to go anywhere else for sales and distribution.

– Companies like Google and Facebook may be too powerful in the advertising market.  This is a point that has been made in the UK too by the Competition and Markets Authority (CMA) which has noted that Google has more than 90 per cent of the £7.3bn search advertising market and Facebook has more than half of the £5.5bn UK online display advertising market.

Counter Arguments

Obviously, the heads of tech giants Facebook, Google, Apple, and Amazon have their own counter-arguments and points.  These may include:

– In providing free services, they also face competition from other popular free services such as TikTok, and their free services e.g. Facebook provides a great way for people to connect and share and for all kinds of businesses to promote themselves.

– Advertising e.g. via Google and Facebook provides a fast and effective way to help businesses compete and consumers to see and buy the products and services they want and need.

– Facebook may be likely to say that it has grown from nothing, in a fair way, and that U.S. laws also promote the kind of competition and innovation that has helped it and other U.S. companies to grow.

– Amazon, for example, has said that it welcomes scrutiny of all large institutions, including itself, government agencies and non-profits.

– Breaking up or over-regulating the big U.S. tech companies could hand more power to Chinese tech companies (e.g. Huawei).

Microsoft

Microsoft’s Bill Gates is reported to have said that he wishes the four tech giant leaders well before their grilling by Congress.  Microsoft provides an example of what could happen when the leaders face Congress members as back in 1998,  Bill Gates faced his own four-hour hearing in the hot seat as he and some peers (Sun Microsystems Chairman Scott McNealy, Michael Dell, Netscape’s president Jim Barksdale and more) faced some serious questions from Congress over antitrust laws.  In Microsoft’s case, the judge ruled that Microsoft should be broken up, but this decision was reversed on appeal and following a settlement reached by Microsoft and the court.  The hearing took its toll in other ways though, as it led to the demise of Netscape and to Bill Gates deciding to retire in 2000. 

What Could Happen?

The ultimate fear among the tech giants is that the same sort of ruling as the initial one reached against Microsoft could happen again or that it could lead to over-regulation.

There are also fears among supporters of scrutinising tech companies that questioning the tech company bosses all together and not individually could mean that really difficult questions could be deflected and skilfully side-stepped and that some Congress members may simply use the occasion to ‘grandstand’.

In The UK

In the UK, the CMA is calling for the introduction of a new ‘Digital markets Unit’ that could be given the powers to enforce a code of conduct for big tech firms and even the powers to break them up.

Looking Ahead

It is difficult to deny that big tech companies like Facebook, Amazon, Apple, and Google are huge and powerful in markets across the world. The arguments relating to antitrust laws, however, are more complicated than they may first appear and there is also a political dimension in this debate as well as one relating to fair competition and how well consumers are served.  This argument may go on for quite some time yet, but the tech company bosses are likely to find the hearing in the U.S. an uncomfortable step in the way forward.

Police Crack Encrypted Network To Reach Crime Gangs

An international law enforcement operation has led to the cracking of the EncroChat Android phone network and the arrest of criminal gangs.

The Network

The France-based EncroChat network, which was discovered by the French National Gendarmerie in 2017, is an encrypted network for Android handsets with their GPS, camera and microphone functions disabled.  The handsets, which have reportedly sold for €1,000 each, plus €1,500 for a six-month contract have, until now, offered many criminals a secure, encrypted communications channel.  It has been reported that at the time the police were able to crack the channel, it had 10,000 users in the UK alone and a further 60,000 around Europe.

The Operation

“Operation Venetic”, the law enforcement operation to infiltrate and crack EncroChat involved French and Dutch police, the UK’s National Crime Agency (NCA) and Europol, the EU agency for law enforcement cooperation.  It has been reported that a team of over 500 NCA officers worked on Operation Venetic.

Arrests

The cracking of the network has, so far, reportedly led to the arrest of around 800 criminals across Europe.  It has been reported that two law enforcement officers were among those arrested.

The arrests have also netted the seizure of £54m in cash, 77 illegal firearms (including assault rifles and grenades), two tonnes of class A and B drugs, as well as 55 luxury cars and 73 luxury watches.

The Met

The Metropolitan Police were able to make a reported 171 arrests as part of the operation and to have seized £13.3m in cash. 

The Met reports on its website that those arrested in one investigation were “part of the most high-harm Organised Crime Group (OCG) in London, with long-standing links to violent crime and the importation of Class A drugs” where “central figures of this group lead lavish lifestyles and live in multi-million-pound properties with access to top of the range vehicles.”

Comparison Made To Enigma Code

Even though the circumstances and the resources available to the authorities are by no means the same, Nikki Holland, NCA director of investigations, highlighted the achievement and complexity of cracking the encrypted channel as being “akin to cracking the enigma code”.

Just The Beginning

Even though Commissioner Cressida Dick said that the operation was the most significant ever carried out against serious and organised criminality across London, she also described it “just the beginning” and highlighted the fact that there are now many more people being investigated as a result.

What Does This Mean For Your Business?

Organised crime of the scale and nature that has been tackled by Operation Venetic poses a threat to businesses and society through crime, its proceeds, and its many impacts. Although some luxury goods businesses and property companies have clearly benefitted from some sales, many of which may have been innocently made via legitimate-looking fronts, the lavish lifestyle of some of the criminals caught by this operation has come to an abrupt end.

UK home secretaries Amber Rudd and now Priti Patel have been critics of how end-to-end encryption has protected the guilty as well as the innocent in some apps and channels, and the fact that an encrypted channel has been cracked sends a powerful warning message to criminals who may assume they are safe in their communications.  It may also send a veiled message to other legitimate end-to-end encrypted apps and channels about the future, how global agencies are able to act, and what they are capable of doing.

Facial Recognition, Photo Identity and Privacy Protection

With phone cameras, surveillance cameras with facial recognition seemingly everywhere and the world entering a new phase of social change, many people are looking at how they can take simple steps to retain and protect their privacy rights.

Faces

As enshrined in data protection laws, such as GDPR, and with biometrics now being used widely, our faces are part of the personal data that we need to protect. Concerns, such as those expressed by the ICO’s head, Elizabeth Dunham, that police facial recognition systems have issues including accuracy are the reason for many to be looking at ways to protect themselves where necessary.

Public trust in facial recognition systems also still has some way to go as the technology progresses from what is now a relatively early stage.  For example, the results of a recent survey released by Monash University in Australia showed that half of Australians believe that their privacy is being invaded by the presence of facial recognition technology in public spaces.  Also, in the U.S., government researchers of the National Institute of Standards and Technology (NIST) have said (in May 2020) that not enough is being done to engender trust in any decisions made by facial recognition and biometrics systems, and in Europe in January, the European Commission was considering a ban on the use of facial recognition in public spaces for up to five years while new regulations for its use could be put in place.

Protest Example

In a democracy such as the UK, protests are allowed take place for any number of issues, and the recent protests over the killing of George Floyd and in support of Black Lives Matter have brought into focus how to protect personal data and identity while exercising democratic rights.

For example, those wishing to obscure faces in their own protest photos that they share often use software to paint over faces, or use a mosaic blur technique because these cannot be reversed, rather than a simple blur effect which it is possible for authorities to de-blur using new neural networks.

This process of blocking out faces in photos can be carried out using the built-in photo editor on a smartphone.  For example:

– On iOS, open Photos, tap on the photo, select Edit (top right), tap the three dots to access Mark-up and use solid circles or squares to block out faces.

– On Android (using the native Mark-up tool), in the Photos app, select the photo, tap on Edit (bottom, second left), select Mark-up (bottom, second right), and block out faces e.g. using the Pen tool.

Removing Metadata

Removing the photo’s metadata (data stored in phone photos e.g. type of device and camera, date, time, location) can be achieved by taking screenshots the photos, and making sure that there are no other identifying features in the screenshot.

Masks and Facial Recognition

Tech and news commentators have noted recently how mask-wearing during the COVId-19 pandemic has proven to be a challenge for facial recognition systems, although it has also been suggested that AI facial recognition systems have now had the chance to have more ‘training’ in being able to identify mask-wearing people correctly.

What Does This Mean For Your Business?

Facial recognition (if used responsibly as intended) can help to fight crime in towns and city centres, thereby helping the mainly retail businesses that operate there, although there are still questions about its accuracy and its impact on our privacy and civil liberties.

Where sharing photos and worries about privacy is concerned, there are apps in place on smartphones that allow faces to be blocked out.  Also, when on Facebook, for example, not using a close up / clear photo of your face as a public profile picture, or revealing too much about where photos were taken, as well as not geotagging or posting photos that reveal your address or show valuable items at your home / where you keep valuables are also steps that can be taken to help retain your privacy and security.  Photos taken in the workplace, particularly those posted on websites and social media should also be vetted to ensure that there are no implications for physical security and that staff featured are happy to have the photo shared.

Featured Article – A Look At Cookies

Cookies perform functions and provide information that helps website users, businesses, publishers, and advertisers. This article looks at what cookies are, what they do, and the legislation that affects how they are used.

What Are Cookies?

Cookies are text files sent by the website you are on and stored on your browser as a record of your activity on the site. Although most websites use cookies, cookies do not harm devices and cookies do not tell websites who a user is or gather personal details about website visitors.

Current EU legislation states that all websites must let people know when cookies are in use. Website visitors should also be given the option to accept cookies or not and should be allowed to browse a website and experience the functionality even if they choose not to accept the cookies.

What Are Cookies For?

Cookies are supposed to help users to access a website more quickly and easily by telling a website that a visitor has been there before.  For example, cookies can store information that allows a repeat visitor to access a website without logging in, or fill in a form (autofill) without a person having to type all the details in. Cookies can also provide information to help with website shops, analytics and can help advertisers. 

Types of Cookies

There are several different types of website cookies. These include:

– First-party cookies. These are set by the website and are used for analytics data gathering (for analytics tools) e.g. the number of visitors, page views, pages visited, and sessions. These cookies provide data to publishers and advertisers for ad targeting.

– Third-Party Cookies. These cookies are used when other, third-party elements e.g. chatbots or social plugins have been added to a website. These cookies, set by domains, can track users, and save data that can be used in ad targeting and behavioural advertising.

– Session cookies, as the name suggests, are temporary, short-lived and expire immediately or shortly after a user leaves a web browser. They are commonly used by e-commerce websites to remember the items have been placed in the shopping cart, to keep users logged in, and to record user sessions to help with analytics.

– Persistent Cookies. These cookies must have a built-in expiration date but can stay on a user’s browser for years (or until a user manually deletes them) in order to track a user and their interaction with a website over time.

– Secure Cookies. Websites with HTTPS set secure cookies. These cookies have encrypted data and are used on payment/checkout pages of e-commerce websites or online banking websites.

What Is The ‘Cookie Law’?

The so-called ‘cookie law’, which began life as an EU Directive, is privacy legislation that requires websites to ask visitors for consent to store or retrieve information on a computer, smartphone, or tablet.

The Cookie Law was widely adopted in 2011, became an update to the UK’s Privacy and Electronic Communications Regulations, and was designed to make people aware of how the information about them is collected online and to give them the opportunity to say yes or no to it. 

The introduction of the General Data Protection Regulation (GDPR) in May 2018 with its focus on ensuring that businesses are transparent and protect individual privacy rights means that businesses must be able to prove clear and affirmative consent to process personal data and people must be able to opt-in rather than opt-out.  These aspects have clear implications for cookies.

GDPR Cookie Consent

GDPR requires consent to be gathered from data subjects and the Court Justice of the European Union rules state that this must consent must be explicit.  This means that a website’s users must be presented with a consent banner that is explicit and cannot have pre-checked boxes giving consent on categories of cookies except for those deemed strictly necessary.  Websites using cookies other than those that are strictly necessary for its basic function must present a method for obtaining the cookie consent of users prior to any collection or processing.

Website visitors must also be able to withdraw the consent that they have given before, in a way that is accessible, if they choose to. Also, the data controller must delete any personal data of individuals if that data is not necessary for the original stated purpose.

GDPR Cookie Compliance

One of the key ways in which a business can remain GDPR compliant is to make sure that it obtains prior consent if it provides service or collects personal data about persons in the EU. This means being very clear and explicit in describing the extent and purpose of the data processing in language that is easy-to-understand language to the user, before gathering any personal data from that user. Website users must be able to find out what type of personal data is being collected about them on a website at any time, and it should be easy for users to withdraw consent that has been previously given.

For this to happen, businesses and organisations need to know what kinds of cookies are used by their website and why. This information can be addressed in a cookie policy.

CCPA

For those businesses and organisations worldwide, that handle the personal information of any California residents, they will need to also ensure that their data processing (including cookie use) is compliant with the new California Consumer Privacy Act (CCPA).

A Cookie Policy

Companies and organisations are legally required under GDPR (and CCPA) to make a cookie policy available on their website to users. This cookie policy, which can be included as part of a website’s privacy policy, should be a declaration to users about what cookies are active on the website, what user data is being tracked by those cookies, for what purpose, and where in the world this data is sent.  This cookie policy must also give information about how users can opt-out of the cookies or change their settings regarding the cookies on the website.

Awareness and Challenges

Strengthening of data protection laws in recent years has, therefore, forced businesses to become very familiar with aspects of how they manage data in order to be legally compliant.  This has led to a much greater awareness of cookies and their use and for first-time visitors to a website, cookie consent is the first thing they encounter.

Also, changes that have led to many browsers blocking third party cookies have presented marketing and monetary challenges to publishers and advertisers.

Are Masks A Challenge To Facial Recognition Technology?

In addition to questions about the continued use of potentially unreliable and unregulated live facial recognition (LFR) technology, masks to protect against the spread of coronavirus may be presenting a further challenge to the technology.

Questions From London Assembly Members

A recently published letter by London Assembly members Caroline Pidgeon MBE AM and Sian Berry AM to Metropolitan Police commissioner Cressida Dick have asked whether the LFR technology could be withdrawn during the COVID-19 pandemic on the ground that it has been shown to be generally inaccurate, and it still raises questions about civil liberties. 

Also, concerns are now being raised about how the already questionable accuracy of LFR could be challenged further by people wearing face masks to curb the spread of COVID-19.

Civil Liberties of Londoners

The two London Assembly members argue in the letter that a lack of laws, national guidelines,  regulations and debate about LFR’s use could mean that stopping Londoners or visitors to London “incorrectly, without democratic public consent and without clear justification erodes our civil liberties”.  The pair also said that this could continue to erode trust in the police, which has been declining anyway in recent years.

Inaccurate

The letter highlights concerns about the general inaccuracy of LFR. This is illustrated by the example of first two deployments of LFR this year, where more than 13,000 faces were scanned,  only six individuals were stopped, and five of those six were misidentified and incorrectly stopped by the police. Also, of the eight people who created a ‘system alert’, seven were incorrectly identified.

Others Concerns

Other concerns by the pair outlined in the letter about the continued deployment of LFR include worries about the possibility of mission creep, the lack of transparency about which watchlists are being used, worries that LFR will be used operationally at protests, demonstrations, or public events in future e.g. Notting Hill Carnival, and fears that the technology will continue to be used without clarity, accountability or full democratic consent

Masks Are A Further Challenge

Many commentators from both sides of the facial recognition debate have raised concerns about how the wearing of face masks could affect the accuracy of facial recognition technology.

China and Russia

It has been reported that Chinese electronics manufacturer Hanwang has produced facial recognition technology that is 95% accurate in identifying the faces of people who are wearing masks.

Also, in Moscow, where the many existing cameras have been deployed to help enforce the city’s lockdown and to identify those who don’t comply, systems have been able to identify those wearing masks.

France

In France, after the easing of lockdown restrictions, it has been reported that surveillance cameras will be used to monitor compliance with social distancing and the wearing of masks.  A recent trial in Cannes using French firm Datakalab’s surveillance software, which includes an automatic alert to city authorities and police for breaches of mask-wearing and social distancing rules looks set to be rolled out to other French cities.

What Does This Mean For Your Business?

Facial recognition is another tool which, under normal circumstances (if used responsibly as intended) could help to fight crime in towns and city centres, thereby helping the mainly retail businesses that operate there.  The worry is that there are still general questions about the accuracy of LFR, its impact on our privacy and civil liberties and that the COVId-19 pandemic could be used as an excuse to use it more and in a way that leads to mission creep. It does appear that in China and Russia for example, even individuals wearing face masks can be identified by facial recognition camera systems, although many in the west regard these as states where a great deal of control on the privacy and civil liberties population is exercised and may be alarmed at such systems being used in the UK.  The pandemic, however, appears to be making states less worried about infringing civil liberties for the time being as they battle to control a virus that has devastated lives and economies, and technology must be one of the tools being used in the fight against COVID-19.

Businesses Get Extra Time To Meet New Payment Processing Rules

The Financial Conduct Authority (FCA) has given UK businesses an extra 6 months to reach compliance with the new Strong Customer Authentication (SCA) rules for payment processing.

What Are The SCA Rules?

The SCA rules, introduced in 2019, are intended to the improve security of payments and limit fraud by making sure that whoever requests access to a person’s account or tries to make a payment, is the account holder or someone to whom the account holder has given consent.

These new rules, which come from the EU Payments Services Directive (PSD2), which came into effect in January 2018, mean that online payments of more than €50 will need two methods of authentication from the person making the payment e.g. password, fingerprint (biometric) or a phone number. This also means that online customers will not be able to check out using just a credit or debit card but will also need an additional form of identification.

Card Present

For normal ‘card present’ situations (not online) contactless will still be OK for ‘low value’ transactions of less than €50 at point-of-sale and Chip and PIN will still be suitable for values above €50.

Recurring Payments Exempt

Where a recurring payment of the same value is being made from a card to the same merchant e.g. subscriptions and memberships, the initial set up will require authentication, but subsequent transactions will be exempt.

Put Back

The first deadline for the implementation of the SCA rules was 14th September 2019 but this was put back by 18 months.

While the deadline for the implementation of SCA is still 31st December 2020 in the rest of the European Economic Area (EEA), in the UK, the FCA has now announced that, in order to help merchants who have been severely affected by the Covid-19 crisis the enforcement of SCA has now been delayed until 14th September 2021.

What Does This Mean For Your Business?

Most businesses would agree that high levels of online fraud are bad for everyone and just reduce consumer confidence, so if the introduction of new improved payment security measures can reduce fraud this will be helpful.  The COVID-19 crisis has, however, hit businesses very hard and for many, it’s been a case of simply trying to keep the business going, let alone worry about how they can comply with new payment rules in time.  This latest extension is, therefore, good news and should lessen the burden on merchants as the lockdown is lifted and the country tries to find the new normal in a post-COVID business environment.

Amazon Can Own Deliveroo Because of Pandemic

After the Competition and Markets Authority’s (CMA) worries last May, the CMA has now announced that Amazon can invest in food distribution company Deliveroo.

Last May

Last May, Amazon was a leading investor in a funding round of $575 million for UK-based food delivery company Deliveroo. At the time (17th May), Deliveroo’s founder and CEO, Will Shu, said of the $575M Series G preferred shares funding from Amazon and existing investors T. Rowe Price, Fidelity Management and Research Company, and Greenoaks, “This new investment will help Deliveroo to grow and to offer customers even more choice, tailored to their personal tastes, offer restaurants greater opportunities to grow and expand their businesses, and to create more flexible, well-paid work for riders.”

Amazon Restaurants

Amazon had previously operated its own ‘Amazon Restaurants’ food delivery service in London, but this was closed in December 2018 following strong competition from Deliveroo, Uber Eats, Just Eat, among and others. It was also reported that Amazon had previously tried two times to buy Deliveroo outright.

CMA Concerns

The Competition and Markets Authority’s (CMA), however, had concerns that the investment by Amazon in Deliveroo would be bad for competition and had launched its own investigation. The two main concerns expressed by the CMA were that:

– There were only a small number of companies that acted as the middleman between restaurants and customers and the Amazon/Deliveroo deal could have damaged competition in online restaurant food delivery by discouraging Amazon from re-entering the market in the UK i.e. re-entry by Amazon would have significantly increased competition in online restaurant food delivery in the UK.

– The CMA was concerned that the deal could have damaged competition in the emerging market for online convenience grocery delivery, where the 2 companies already had established market-leading positions.

COVID-19 Change

In the light of what the CMA says has been “a deterioration in Deliveroo’s financial position as a result of coronavirus (COVID-19)”, the CMA has now put aside its original concerns and provisionally cleared Amazon’s investment in Deliveroo. There will, however, be a three-week consultation period and a final decision will not be made until 11th June after all relevant feedback about the investment has been gathered (all submissions will need to be made by Monday 11th May 2020).

The CMA appears to have concluded that only Amazon would be able to provide the kind of funding that Deliveroo needs to meet its financial commitments in the extraordinary global circumstances caused by the pandemic.

Stuart McIntosh, Chair of the CMA’s independent inquiry group, said of that “some customers are cut off from online food delivery altogether, with others facing higher prices or a reduction in service quality. Faced with that stark outcome, we feel the best course of action is to provisionally clear Amazon’s investment in Deliveroo.”

What Does This Mean For Your Business?

For Deliveroo this is, of course, a great outcome at a crucial moment. The outcome also shows how the pandemic has had a dramatic effect on all aspects of business, including the decisions made regulators against a changed backdrop. The decision may also, as the CMA pointed out, be good news for customers, particularly those who are more “cut off” from their normal food supplies.

This decision is unlikely to be welcomed, however, by competitors such as Uber and Just Eat who saw-off Amazon’s move into the food delivery market in London last time.