|December, 2016 Issue Two Volume Three|
The 3 Worst Things about the EU's GDPR
An American Perspective
With the GDPR ready for implementation in mid-2018, data collectors, processors, brokers, and buyers are grappling with what this truly onerous legislation will mean to their businesses - and if they aren't, they should be. The law is completely finalized, and there is no going back. There are no grace periods, no grandfathering, and no appeals to be made.
As an American company that assists US-based marketers to source data from more than 4,500 data collectors in over 90 countries - including every EU market - we've necessarily taken a very hard look at the more than 200 pages of the GDPR. We are nothing short of alarmed at what we see.
Let's stipulate for a moment that sane business people agree that consumers' privacy rights are critical, and that advertisers and their many partners absolutely must play by clear, fair, and specific rules regarding how they use this data. With that fundamental belief in place, we believe that this legislation will, ultimately, undermine the sanctity of consumers' data privacy and security, not enhance it. We also believe it will hobble marketing and advertising worldwide, especially if the tenets included in this legislation start to spread to other markets, which is already starting to happen. Here are our top concerns:
The 'Right to Be Forgotten' provisions will in fact mandate precisely the opposite
Under the GDPR, EU citizens must be given the easy ability to withdraw their consent, often called 'the right to be forgotten'. If consent is withdrawn, those data subjects have the right to have their personal data erased and no longer used for processing by the data collector, nor by any other entity who has ever used or purchased or rented that data legitimately in the past.
But, in order to do this, every company that has anything to do with the rental or sale of legitimately collected and fully opted-in data from EU data subjects will henceforth be required to retain extensive details on that same consumer data. In a single transaction, this might include seven or eight separate companies - e.g. the advertiser, its agency, two, or sometimes more, intermediaries, the data collector and a data processor. What the GDPR requires is that every one of those companies must retain every detail on every consumer in every transaction, so that, should the consumer decide to withdraw consent, that consumer can be provably deleted from every place it ever existed - including hard drives, on premise servers, backup datasets, cloud servers, and the like. Up until now, best practice typically mandated the total erasure of consumer data from all these parties' storage when it was not in active use, to ensure that the data could not possibly fall into unintended (read: hackers') hands.
But now? Now, we have increased the likelihood by at least 10x that this data will be hacked somehow, because companies cannot delete data that is no longer permitted to be used. Everyone involved must retain all records so that, three years after consent was given, a consumer can withdraw consent and the data handler can prove that the record was deleted. And, as we all know, everyone's data storage is subject to hacking under the right conditions.
The long arm of the A29WP, soon to be known as the European Data Protection Board
The brand new enforcement body for the GDPR, currently called the 'Article 29 Working Party', has a shocking amount of completely unfettered authority over companies everywhere in the world. All EU nations are automatically and wholly subject to the GDPR and its enforcement authority with no exceptions or option to modify by individual EU countries. Additionally, every company everywhere that handles data on EU citizens is also automatically subject to this group's absolute power - though it's anybody's guess how the EU believes they can enforce such a broad mandate outside its own borders.
The A29WP also has the exclusive and unchallengeable right to search and seize records in question - from any company anywhere - and conduct their own independent, sovereign investigations, functioning as the only adjudicating body as to the outcome of the investigation. They are truly judge, jury, and executioner, with no oversight and no appeals. And, when they and they alone decide they have found infractions, they are able to levy two levels of harsh penalties:
The data storage, consent tracking, and evidentiary requirements of the GDPR law are so extensive that very few, if any, companies will be able to confidently consider themselves as compliant. And that means that companies all over our increasingly interconnected world are truly at risk anytime the A29WP decides they'd like to have a go at them. It also means that the number of illegal data collectors and sellers will skyrocket – and that is nothing but bad for consumers.
The law helps the companies the EU most wants to hurt
It seems obvious to many that the EU fashioned this legislation to punish, or at least attempt to limit, the activities of the companies that the EU loves to hate: Facebook, Google, Uber, and the like. Ironically, it is these huge, technically sophisticated companies that will overcome the GDPR hurdles without missing a beat. They'll simply divert a platoon from their army of lawyers and engineers to build all the needed compliance elements called for in this lugubrious legislation. And while they sail past the difficulties, virtually every other company that does business with EU citizens will suffer direct, immediate and, in many cases, life-threatening harm to their businesses. First these companies - most of them EU-based businesses - will spend years trying to properly architect solutions for all the requirements, causing them to ignore other critical parts of their businesses. And, finally, they'll be hobbled trying to afford building and managing those same solutions.
Some industry experts in the UK predict a 50% loss of revenue for audience data collectors, brokers, ad platforms, and related services such as data cleansing and processing. There is no question that truly compliant, marketable audiences will become scarcer by the minute - we're already seeing this across Europe and the law isn't in force for two more years. And, like any free market, the more the supply dwindles, the higher the price will go for the supply that is considered compliant. Targeted, relevant marketing will become more difficult, less specific and will reach fewer consumers for a much higher price. All but the largest businesses and services will exit the market, while the remaining behemoths dominate the market and raise prices. The idea that this will hurt those big guys that the EU loves to hate is a fallacy. It will only help them by demolishing everyone not big and profitable enough to withstand these requirements while small and mid-sized companies are destroyed.
While we've only outlined these three areas, don't let that fool you into thinking these are the only problems - quite the contrary. This legislation will hurt the global economy and EU businesses - owned by those same consumers the law says it wants to protect - for many years to come.
Addressing the World
What3words set out to assign an easy to remember "address" to every place in the world. This system has divided the globe into a grid of 57 trillion 3 meter by 3 meter squares.
Each square has been assigned a unique "address" consisting of 3 words. Infocore's address for example is daunting.result.lucky. There's a (randomly selected) Starbucks in Louisville KY at relishing.ballpoint.faxing.
What3words is based on latitude and longitude, and each 3 word square translates to latitude/longitude coordinates. Latitude/longitude coordinates are great for computers, but not human friendly says what3words. It is easier to remember 3 words.
You can explore the world using the what3words locator map in several different ways. I found it irresistible to look for familiar places and do some other poking around but I am admittedly a dork who still gets a kick out of satellite view. You can search for an address, you can enter 3 word combinations and see what comes up, and you can just pan and zoom in to an area.
The big advantage to what3words is the scale of the grid - the very small sectors that have been uniquely defined. At 3m x 3m the kitchen and bathroom of your home have different addresses.
Bummer. That dulls the gloss of this shiny system a bit. What3words says "... if and when height becomes helpful to specify, we have various options for including this information with the 3 word address."
Another downside, to me at least, is a limitation of random and non sequential "addresses". Knowing where you are doesn't help you find your way to where you want to go. If I'm headed for 550 Elm Street and as I am driving along I pass 510 Elm, then 520 Elm, I can figure out how to get to 550.
Even if buildings had their what3words address visible the way street addresses are, passing dont.stop.here and keep.on.going doesn't help me find went.too.far. What happens if your phone battery dies?
One interesting thing is that once you have the app on your phone, it will work without a data connection. A GPS signal is independent of an internet connection so an offline device can still pickup GPS coordinates to determine your current location. Then the software does the conversion to get the what3words address.
Despite its limitations, what3words provides some truly great solutions. It provides an address for every spot in the whole world. This is immensely valuable for remote and wilderness areas.
Its also a great boon for densely populated third world places that have no addresses at all. Many countries in Africa have vast sprawling urban slums without even street names. The favelas of Brazil are another compelling example.
People living in those places are trapped because they have no address. An address is an almost universal requirement to establish a legal identity. Essential documents such as a driver's license, passport, national ID card, and the ability to register to vote are dependent on an address. In order to become empowered members of society, people must have one.
Infocore's FREE Data Catalogs
Infocore's International Data Repository tracks 16 billion non-US records from nearly 4000 high quality direct marketing datasets in 150+ countries outside the USA.
Infocore's International Inventory Update
Over 16 billion non US records
Infocore built a private International Data Repository, which tracks all the non-US marketing data that we can source for our clients and partners. In it, we have cataloged extensive details about all the data we have access to in more than 150 countries.
At present, our repository is tracking 16 billion non-US records from nearly 4000 sources, owned by our global network of data partners.
Contact Us to get a custom data summary.
No COPPA for Cayla
Maybe you've seen Cayla, the interactive talking doll, in the news lately. She's being accused of some pretty bad behaviour.
Cayla doesn't seem to learn from her mistakes. Almost 2 years ago security experts demonstrated she could be hacked. That vulnerability still exists.
Cayla brings to mind the hackable Hello Barbie, another conversational doll that was on the naughty list last Christmas. Consumer groups started a campaign called Hell No Barbie in protest.
Cayla outdoes Barbie, who interacts with appropriate preset responses pulled from a database. Cayla converts audio to text and actually searches a number of sites, including Wikipedia, for replies. That IS pretty cool.
But having no security, Cayla connects with ANY bluetooth on a phone or tablet within 50 feet. After connecting, a simple hack lets users talk THROUGH Cayla and eavesdrop on conversations taking place near her. Those things can be done at a distance.
While the security issues reported in the news are certainly cause for alarm, those of us concerned with privacy law will find Cayla getting an F on a host of topics.
AN ALARMING USE OF VOICE RECORDINGS
She was born of 2 American based companies, Genesis Toys and Nuance Communications. Nuance, which provides the speech recognition software, is a leader in speech technology and voice biometrics.
Nuance has a database of 45 to perhaps as many as 60 million voiceprints, and their clients include military, intelligence and law enforcement agencies. That makes people nervous because the childres' voice recordings are sent to Nuance to be converted to text.
Nuance states they use the voice and text information it collects to "develop, tune, enhance, and improve Nuance services and products." And that the information may be shared with third parties acting under the direction of Nuance.
Among the questions Cayla asks her friends are the names of family members, where they attend school, and where they live. IP address is also collected. In addition to the surveillance potential for any conversations about family, the collection of personal information from children younger than 13 is in violation of COPPA.
Parents must accept the Terms of Service BEFORE they can read it in order to set up the app that connects Cayla to the internet via a smart phone. The Terms are accessible only on a smart phone or tablet, are in a tiny font size, contain approximately 3,800 words, numerous repeated paragraphs, and excessive use of all-caps font.
AND, the Privacy statement says it can change at any time and so "you may wish to check it each time you submit personal information to us."
Seeing as it's impossible to read it the first time, people don't realize they have agreed that Cayla "may collect and use the contact names that appear in your address book as part of the Services and to tune, enhance and improve the speech recognition and other components of the Services, and other services and products." Cayla also fails to comply with Deletion and Data Retention Requirements.
Speaking of advertising, Cayla must be making some big bucks off product placement. She touts various Disney products with pre-programmed phrases. Her vacation preferences say she wants to go to Epcot in Disneyworld and enjoys visiting Disneyland. Cayla gives no disclosure of any product placement.
COMPLAINTS HAVE BEEN FILED
Some think Cayla needs to go into a timeout. Groups in the US and Norway have filed complaints, and others are coming from France, Sweden, Greece, Belgium, Ireland and the Netherlands.
In the US the complaint was filed with the FTC and submitted by The Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood, The Center for Digital Democracy, and the Consumers Union. See it here:
Don't miss this great video by the Norwegian Consumer Council. It's quick and it's scary.
Notable International Data: IRELANDIn each issue, we report on interesting datasets that are powering high impact direct marketing programs for global marketers. This time we're focusing in on Ireland.
CONSUMER File - Infocore ID: 569147This consumer data source of 1.7 million records gets a daily update with suppression files and change of address info. Available segments include young families, 50s and over, donors, affluent investors, foodies, current affairs, home & garden, high income households and insurance holders up for renewal.
Select by household income, household composition, home owner, home improvements & DIY, education, marital status, financial products, car ownership, and hobbies and interests.
BUSINESS File - Infocore ID: 677959Reach 511,000 Business Execs in Ireland using this highly responsive list. These folks are decision makers. With excellent guaranteed delivery rates, this multi-channel file is good for email, direct mail, phone and fax.
Selects include SIC Code/NAICS code, industry, public or private, number of employees, number of PCs, technology installed, product, revenue, annual sales volume, URL and many more.
CONSUMER File - Infocore ID: 296289This fully compliant consumer list provides 1,330,000 contacts. Target with precision when you select by address, DM purchaser, donor, dwelling unit type, family name, first name, ID, month-year of birth, occupation code, opt-out, place of birth, street number, city, date of birth, gender, geography, income range, postal code, presence of child, and state.
How the CEO Fraud/Scam Targeted Us
A 3.1 Billion Dollar Scam
The first time we were targeted we hadn't yet heard of the scam. After a few minutes of confusion we quickly realized someone just hit us with a really slick maneuver. It was...amazing.
The second time was creepy. We knew how the scam worked. It felt like being stalked, like someone was watching us, and knew things. And, in fact someone did.
The scam is called the Business E-mail Compromise (BEC), also known as CEO Fraud. It works because the scammers use personal, social, or insider information to lend credibility to their fraudulent requests. It also exploits human nature.
In its simplest version someone in the company with the necessary authority gets an email from the boss telling them to make a transfer of funds. The names are correct and everything looks legit, including the boss' email address.
If the boss is out of the office, that's even better. Scammers look for mentions of conferences, vacations and business travel and try to time their fraudulent actions to correspond. And referring to such things in the phony email adds authenticity.
The boss' email is not real of course. It would have been spoofed and look so much like the true address that it passes as real. It often tells the employee to do a wire transfer to an account that scammers created for the ploy.
More sophisticated criminals hack into the email accounts of high level execs. They will scour the emails for account numbers, names of people who normally perform the tasks, and protocols. They may discern relationships and the tone the CEO uses with an individual - friendly and informal or all business. All those things put the victim at ease and add credibility.
It is common to use urgency and confidentiality when making requests. Pressured by the "President" to transfer money immediately, an accountant is given no opportunity to sit back and think if the events were extraordinary. Being told not to discuss the matter with anyone else ensures the criminals can take receipt of the money and close the account before the employee reconsiders his actions.
According to a report published by the FBI this past June, there were over 3.1 BILLION dollars in reported losses by companies in all 50 states, and over 100 countries. It is thought that many, many victims never report the crime they fell prey to.
Victims are companies large and small, from numerous sectors, and number around 23,000. They have been hit for amounts ranging from thousands to $46.7 million in the case of Ubiquity.
VARIATIONS of the SCAM
Some criminals pose as a foreign supplier with whom the business has a legitimate relationship. The "supplier" requests payment for outstanding invoices to be paid to a new bank account.
Another sophisticated twist on the racket was discovered by Dell’s Counter Threat Unit. These thieves target buyers and sellers in an industry and use malware to get into an exec's account.
Using an elaborate process of redirects and cloned addresses they intercept purchase orders, invoices and payment instructions that go back and forth between buyer and seller. Ultimately the thief modifies the payment information and forwards it to the buyer who then wires money to the thief's account.
As the scam evolves we are seeing a new twist - one that targets PII. In this version the fraudulent email request goes to HR or bookkeeping. The thieves ask for copies of all W-2s or other forms of Personally Identifiable Information. When the employee hands it over the identity theft begins.
Whatever the form the scam takes, success relies on a human being duped. The scam avoids many securitity strategies by tricking a trusted employee into GIVING them the money. It's not high tech, and can't be prevented by installing software. There is no Anti-Human-Duping app.
This is another reason to worry about the vast amount of information we share so freely. Today's thieves easily learn purchase plans, travel schedules, relationships, and personal details like interests and activities.
Sources are plentiful and include company websites, blogs, disgruntled employees, press releases, and of course social media.
We think its very likely that LinkedIn played a role in our experience. About a week after a new financial hire came aboard we were targeted again. The role did in fact handle wire transfers. And the timing was perfect - enough time had passed that a new employee would have asssumed all duties but not yet be familiar with everything. A time when any new employee would be most vulnerable.
Was that a coincidence, or did the scammers use social media to their best advantage? We think they may find people in financial roles and keep an eye on them for job changes. Any new hire is a potential prospect. And if someone leaves a job, target them at the new job, and hit whoever is hired to replace them.
The first incident occurred during a meeting, so we had the uncommon opportunity to watch it play out.
The meeting included the CEO and the company Controller, among others. In the middle of a discussion the Controller apologized for interrupting the speaker, and turned to the CEO, saying "Should I send it now or wait until the meeting is over?"
And so began our learning process.
Implement two factor authentication. Require face to face or phone communication in order to initiate funds transfers - NEVER rely only on an email.
Educate employees, and train them to follow protocols. Be wary of any requests involving money that stress secrecy or urgency. Do it right away - this scam often targets newly hired personnel.
Don't focus only on the financial department since the theft of PII is another successful use of the scam. Make sure everyone is informed and on the alert.
Whether its a massive data center or a small business network, humans are most often the weak spot in any security plan. Whatever the threat, education and mandatory protocols go a long way toward averting disaster.
See the FBI Report here
Get in Touch
Contact Our ContributorsKitty Kolding, CEO, Infocore, Inc.
Jade Boneff-Walsh, VP Global Markets, Infocore, Inc.
Have a question or need some help?Kraig Monteferrante, VP Client Development, Infocore, Inc.
Amy MacNabb, SVP Client Services, Infocore, Inc.
Denise Covington, Account Director, Infocore, Inc.
About InfocoreInfocore sources strategic marketing data from more than 150 countries for Fortune 500 marketers and their agency partners. Its blue chip clients use this carefully vetted data to power their direct marketing, customer acquisition and CRM initiatives, and to enrich their large customer databases with critical data elements. In business for over 20 years, Infocore is a well-known brand in the marketing data industry, with a sterling reputation for service, precision, expertise and deep market knowledge. With decades of experience in serving the Tech, Financial Services, Automotive and Consumer Products sectors, Infocore proudly supports dozens of the biggest brands in the world.
|This is the web version of Infocore's Global Marketing Data Newsletter, an e-newsletter sent to subscribers only. To subscribe, click on the link above and provide the required information. If you have any additional questions about subscriptions, email us at firstname.lastname@example.org.|