
GAFAM’s “surveillance capitalism” or the Old Western?

Adapted with authorization of Diário de Notícias. You can read the original version in Portuguese here.

This week has brought a wealth of news about regulators and courts rushing to discipline the free-for-all in the unbridled competition for attention. It is ‘surveillance capitalism’, which competes for the attention of the audience and the sale of advertising.

In just five days, Meta reached 100 million users in its new app Threads, stating that this was due solely to organic growth via Instagram. It is an absolute record, surpassing the two-month mark of ChatGPT, according to Visão. The company closes the second quarter with 11% growth in revenues and 16% in profits, which amounted to $7.8 billion, as announced yesterday.

Distortion of markets by discrimination against competitors

In business-to-business (B2B), Internet giants use their dominance in distribution channels to put their competitors on an unequal footing. In France, online advertisers have complained that, through discriminatory privacy policies, Apple favors its own advertising business thanks to privileged access to user data on its smartphones and digital services, Negócios reported yesterday.

In Brussels, the European Commission is preparing to condemn Meta, up to a maximum of €10.5 billion, for using the data of its business customers who advertise in its marketplace for the benefit of its own business of selling advertising. In Portugal, through Ius Omnibus, Apple’s App Store and Google Play Store were sued in court for the abusive collection of exorbitant percentages on the revenues of the apps sold in these online stores.

In relation to Apple’s App Store, Ius accuses the company of anti-competitive practices, including contracts with terms and conditions that result in a 30% commission on each sale, increasing prices for Portuguese consumers. One of the companies affected in Europe is Spotify, which has already complained to the European Commission against abuse of dominant position while it struggles to compete with the streaming services of Apple Music, its competitor and supplier.

In the case of Google, Ius Omnibus continues to defend Portuguese consumers against anti-competitive practices associated with the Google Play Store and the commissions charged on sales. Consumers using mobile communications equipment running the Android operating system have no effective alternative to using that system and Android apps and in-app content.

Markets with extraordinarily strong scale or network effects, where the bigger gets bigger, require strict and vigilant supervision by regulators, strict enforcement of sanctions, and redress of the damage caused.

Violation of personal data by design?

The Old-West style in privacy violation goes further: promises of data security and privacy are made to lure users of digital services only to be intentionally violated by design.

This week in Australia, a court fined Meta for misleading use of user data. Facebook Israel and Onavo, Meta’s subsidiaries, admitted that they offered, advertised, and promoted the Onavo Protect app, on the App Store and Play Store, as providing a VPN (Virtual Private Network) where users could browse safely and privately. However, Onavo Protect collected the data on how users used their mobile phones and provided it to Meta, which used that data for a number of commercial purposes, in a similar move to the one carried out by the company Flo Health with Facebook as well.

With Flo Health, Meta has squandered women’s intimate data.

The case of the vicious invasion of female intimacy to sell advertising.

The scale and social gravity of Flo Health’s illegal practices sanctioned by the US Federal Trade Commission made it a priority for Ius Omnibus to sue this company in the courts claiming compensation for users in Portugal.

Flo Health is a mobile application based on Artificial Intelligence, functioning as an ovulation calendar that monitors menstruation, serves as a guide for pregnancy and for monitoring aspects of women’s gynecological and psychic health.

More than 100 million women worldwide, of whom more than 10 million are in the US and 19 million in the EU, have installed and used this app since 2016 and have been deprived of their privacy. Flo Health was sold on the Apple App Store and Google Play Store. In the Apple App Store, it was the most downloaded app of the year 2019.

Like Onavo Protect, which sold VPN services, Flo Health guaranteed in its ‘privacy policy’ that it did not give any health data to third parties, and that the only data it gave were intended to run the service, but never the non-anonymized data of intimacy and health details. But it lied blatantly and continuously for years on end, because it actually sold access to the data of its users to dozens of companies, despite the fact that its privacy policy expressly and specifically states exactly the opposite.

Among Flo Health’s buyers there are large digital marketing and data analytics companies, such as Facebook’s marketing department (Facebook Analytical Tool), Google’s marketing service, and two other major marketing companies specialized in mobile apps: Flurry and AppsFlyer.

Cautions to take with health apps.

Among the data that Flo Health has distributed to dozens of third-party companies is intimate health data along with users’ personal identification – their name, email, address, date of birth, and mobile device identifier.

At the prompting of the app itself, users recorded the days of menstruation, thus calculating ovulation and tracking the days of fertility, and received reminders of the phases of the menstrual cycle. In addition, the app called on women to record their moods and symptoms of so-called premenstrual syndrome, pregnancy symptoms, weight, or temperature.

Learn what surveillance kits are

Technically, surveillance is carried out by the combination of three mechanisms. The first is the installation of so-called Software Development Kits (SDKs). This software collects the data and associates it with so-called individual advertising or mobile device identifiers: the Unique Advertising Identifier or the Unique Device Identifier. SDKs belong to the third-party companies to whom the data is sold. Flo Health integrated the SDKs of those dozens of companies into its app.

The second mechanism is the identifiers themselves: the Unique Advertising Identifier or the Unique Device Identifier (IAU or IDU).

The third mechanism is the so-called Standard App Events, which give titles to the actions of users in a mobile application and are assigned a relevance for the purpose of targeting advertising.

In the Flo Health app, an event happens when, for example, the user enters the week in which she became pregnant: this act is marked (receives a label or a tag) as “chosen pregnancy week”. In another example, if the user asked to receive menstruation reminders in the area dedicated to “I want to get pregnant”, that event will be recorded as “accepts menstruation notifications” and catalogued with a ‘P’, for pregnancy. Flo Health’s advertiser clients will know about these standard events and, thanks to the identifiers, can target individualized advertising.
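As an added illustration (not taken from the article or from any app's code), the following Python sketch shows how a privacy review could audit events queued for third-party SDKs and flag those that combine a health-related event label with a persistent identifier. The field names, destination names and sample events are assumptions constructed for the example; only the two event labels come from the text above.

```python
import re

# Assumed field names for an outbound analytics event; real SDK payloads differ.
IDENTIFIER_FIELDS = ("advertising_id", "device_id")

# Health-related terms, derived from the event labels quoted in the article.
SENSITIVE = re.compile(r"pregnan|menstruat|ovulat|fertil", re.IGNORECASE)

def audit_event(event):
    """Return the findings for one outbound event (empty list = no finding)."""
    texts = [event.get("event_name", "")]
    texts += [f"{k}={v}" for k, v in event.get("params", {}).items()]
    sensitive_hits = [t for t in texts if SENSITIVE.search(t)]
    ids = [f for f in IDENTIFIER_FIELDS if event.get(f)]
    if sensitive_hits and ids:
        # Worst case: the label can be tied back to one person or device.
        return [("health-data-linked-to-identifier", sensitive_hits, ids)]
    if sensitive_hits:
        return [("health-data-in-event", sensitive_hits, [])]
    return []

def audit_batch(events, first_party=("self",)):
    """Report events that would leave the app towards a third-party SDK."""
    report = []
    for i, ev in enumerate(events):
        if ev.get("destination") in first_party:
            continue  # data staying with the app's own backend is out of scope
        for kind, hits, ids in audit_event(ev):
            report.append({"index": i, "destination": ev.get("destination"),
                           "kind": kind, "labels": hits, "identifiers": ids})
    return report

# Constructed sample events (not captured traffic); labels follow the article.
SAMPLE_EVENTS = [
    {"destination": "analytics-sdk-a", "event_name": "chosen pregnancy week",
     "params": {"week": 7}, "advertising_id": "00000000-sample-ad-id"},
    {"destination": "analytics-sdk-b",
     "event_name": "accepts menstruation notifications",
     "params": {"category": "P"}, "device_id": "sample-device-id"},
    {"destination": "analytics-sdk-a", "event_name": "app_open", "params": {},
     "advertising_id": "00000000-sample-ad-id"},
    {"destination": "self", "event_name": "chosen pregnancy week",
     "params": {"week": 7}, "advertising_id": "00000000-sample-ad-id"},
]

if __name__ == "__main__":
    for row in audit_batch(SAMPLE_EVENTS):
        print(row)
```
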

This way, with third-party SDKs, unique identifiers and Standard App Events, Flo has illegally developed a multi-million-dollar business for years. It is important that we are all alert to what can be done with our data: when we give data about our health, it is important to control its fate, its use by AI.

Ius Omnibus alerts the public to the need to evaluate the contractual conditions for the protection of personal data that the consumer subscribes to and to monitor the advertising they receive and, if they have suspicions, to make submissions to the National Data Protection Commission, which is competent to deal with these cases.

There is an agreement between the US and the EU, known as the EU-USA Privacy Shield, on the basis of which Europe accepts that personal data of Europeans is transferred to the US provided that the same level of protection enshrined in European law, notably in the General Data Protection Regulation (GDPR), is guaranteed. The FTC itself has accused Flo Health of violating it.

Compensating the injured and publicizing popular actions: the debate in the Parliament and in the Court of Santarém

In the USA, Flo eventually confessed and made commitments to stop the illegal practices and to compensate users. In Europe, nothing has yet happened to the company. Ius Omnibus is the only entity in Europe, to our knowledge, that is fighting in court for compensation for the injured.

It is very important that the initial disclosure of popular actions is improved. Publishing two ads in newspapers is not enough and this solution should be rethought by the legislator, as Judge Joana Araújo of the Court of Competition, Regulation and Supervision, Santarém, rightly criticized in an interview with the Lusa Agency. The judge, who has before her several popular actions for consumer compensation, drew attention to the way popular actions are currently disclosed under the law, by publication of advertisements in two newspapers, which leads to many consumers “not taking effective knowledge of the Popular Actions and the rights that are intended to be protected through them.” The magistrate stressed the importance of disclosing these actions to ensure consumers are effectively compensated.

Ius strongly adheres to this position. Over the past two weeks, Ius has been heard by the Economy Committee of the Assembly of the Republic in the context of the transposition of the Representative Actions Directive. In its submission (available online), it argues that the new law on collective actions expressly provides that a condemnatory sentence may order an array of measures that promote wide publicity and the claiming of compensation by injured consumers.

Such is the case of direct payment by the Defendant to the represented consumers who are still its customers and are identifiable. Another is direct information by the Defendant to the consumers represented in the class action through the channels with which it normally communicates with its customers, including a notice on the invoice, through postal mail, e-mail and/or SMS, repeating this information in more than one monthly billing cycle, where applicable. Ius also advocates reinforcing the advertising in the media, through a press release to be distributed by the Judiciary Superior Council, and more ads in the written press, radio, television, websites, and social networks.

Ius Omnibus also puts forward the proposal to use one or more electronic platforms, of a private or public nature, for the dissemination and distribution of global compensations. The Association will soon make available to the public an electronic platform that it has developed itself.

But, in her opinion, the ideal solution is to disclose consumer compensation judgments not only on a website managed by the Directorate-General for Consumers, but also through a system of direct communications similar to the IVAucher programme, in order to achieve the high level of disclosure that this programme had.

In the Economy Committee of the Assembly of the Republic, Ius was questioned by parliamentarians of the PS, PSD and Chega, who participated in the hearing, and was also received by the parliamentary groups of the PS and PSD. It was with great pleasure that Ius saw all members of parliament praise the importance of popular actions for the protection of consumers and the rights of injured persons, with consensus on the need to promote the widest dissemination of cases and the transparency of their conduct to the public.

It is a good sign that the debate is gaining attention in the courts and in the Assembly of the Republic. The solutions are already identified. All that remains is to adopt them and give them notoriety in order to create a new culture of compliance with the law and reparation of the injured when this does not happen.

Ius Omnibus, for its part, will continue to work on consumer protection.