Meta, YouTube face criminal spying complaints in Ireland
Tracking code and ad-block blocking breaks Euro computer law, privacy advocate claims
Exclusive Facebook-owner Meta and Google's YouTube now face criminal complaints in Ireland for alleged unlawful surveillance of EU citizens via tracking scripts.
Privacy consultant Alexander Hanff, who has occasionally contributed to The Register, has challenged Meta's collection of data without explicit consent under Ireland's computer abuse law. He told The Register he's also in the process of filing a similar criminal complaint against YouTube over its use of scripts to detect ad blocking extensions in people's web browsers.
"I have notified Pearse Street Garda that I want to give a statement to them for the purpose of the criminal complaint and will be sending them additional information over the weekend," Hanff told us last night. "They have got back in touch this afternoon acknowledging the complaint and asking for further information."
I want to give a statement to them for the purpose of the criminal complaint and will be sending them additional information over the weekend
Two weeks ago, Hanff filed a civil complaint to the Irish Data Protection Commission against YouTube's browser interrogation system, which detects ad blocking software and refuses to play videos unless adverts are allowed or subscription money handed over. The regulators are right now waiting on a reply from Google to provide an update on the status of that claim.
Pointing to decisions by courts and data protection authorities in Europe that have disallowed behavioral advertising without explicit consent, Hanff argues that Meta has been processing data for behavioral ad targeting without a legal basis to do so for at least the past five years. And thus it follows, he says, that deploying and executing scripts that monitor behavior and gather data, is also unlawful.
"Meta Platforms Ireland Ltd for a period of not less than five years from May 25, 2018 to present, illegally deployed surveillance technology to my computers for the purpose of monitoring my behavior, as they had no reasonable excuse or lawful authority to do so," Hanff alleged to The Register.
Meta also during those years "illegally intercepted transmission of data within an information system (my computing devices) for the purpose of monitoring my behavior," he further alleged.
The Instagram giant has a variety of advertising, analytics, and tracking scripts and they change periodically, but one example would be the Meta Pixel, which Meta describes as "a snippet of JavaScript code that allows you to track visitor activity on your website."
Hanff believes these activities fall under Ireland's computer abuse law, specifically Sections 2 and 5 of the Criminal Justice (Offences Relating to Information Systems) Act 2017.
Section 2 says, "A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure shall be guilty of an offense."
And Section 5 says, "A person who, without lawful authority, intentionally intercepts any transmission (other than a public transmission) of data to, from or within an information system (including any electromagnetic emission from such an information system carrying such data), shall be guilty of an offense."
Meta deploying scripts for the purpose of surveillance despite my Do Not Track setting and without any consent would constitute a criminal offense
Hanff claimed Meta's processing of personal data for the purpose of behavioral advertising has been unlawful since GDPR took effect on May 25, 2018.
"As you know from the letter I received from the European Commission in relation to the detection of ad blockers – Do Not Track (DNT) is regarded as a setting or other application within the web browser to signal denial of consent as per Recital 66 of 2009/136 (Citizens’ Rights Directive) as such given that I have DNT enabled (and always have had) Meta deploying scripts to my terminal equipment for the purpose of surveillance of my activities (behavioral profiling) despite my DNT setting and without any consent would be a breach of Section 2 above and therefore constitute a criminal offense," Hanff claimed.
"Meta Platforms Ireland were not authorized to deploy these scripts to my devices and should have known they were not authorized to do so as a result of the Do Not Track signal sent from my browser."
Pointing to Section 5, Hanff alleged that since the deployment of the scripts was illegal and Meta circumvented the DNT signal when it deployed those scripts, it's clear any interception of behavior within his device (mouse movements, clicks, and so on), would also be illegal.
- EU lawmakers scolded for concealing identities of privacy-busting content-scanning 'experts'
- It's perfectly legal for cars to harvest your texts, call logs
- Google mulled offering paid-for no-logging private Search subscription
- UK may demand tech world tell it about upcoming security features
With regard to YouTube, Hanff said the issue is essentially the same except that it involves YouTube's attempts to detect ad blocking software using scripts.
"I consider YouTube’s script to be spyware – aka surveillance technology, as it is deployed without my knowledge or authorization to my device for the sole purpose of intercepting and monitoring my behavior (whether or not ads load in my browser or are blocked by an ad blocker)," he explained.
"I chose to go down the criminal complaint route because historically, EU regulators have been absolutely terrible at enforcing the ePrivacy Directive – and I mean really bad, I would argue even negligent; and as someone who has been fighting these issues for 15 years under the ePrivacy Directive, I decided to change tactics and pursue action under criminal law as I am not willing to wait another 15 years for regulators to do their job and enforce the law – neither can I afford the risk of incredibly high costs by pursuing civil litigation which would take years and see Google and Meta drown me with legal fees."
I am not willing to wait another 15 years for regulators to do their job and enforce the law
He expressed skepticism when asked about the adequacy of settable browser flags like Do Not Track and Global Privacy Control to deal with unwelcome data gathering. Consent for any non-necessary code interaction – scripts, analytics, third-party fonts, and so on – should be the norm, as required under EU law, he argued.
Hanff said his hope is that filing these complaints will send a clear message to corporations that they need to stop deploying surveillance technologies on people's devices.
"Additionally, the Irish law I am using holds directors, managers or other officers who willfully cause such an offense to be committed (through policy or authorization, for example) liable of the same offense and are not shielded by the legal entity they work for," he said.
"It is my hope that such a liability might force corporate officers to reconsider signing off on illegal behavior under a fear of liability as clearly these decisions are being made by someone and they need to know they can and will be held to account."
Why now
As to the timing, Hanff said there's been a shift over the past 24 months in the actions taken to curtail behavioral advertising and online surveillance, pointing to decisions affecting Meta and TikTok. But he suggests more pressure should be applied because the regulatory process moves too slowly and the financial penalties have been to small to change corporate behavior.
"Regulators have let us down and are absolutely (in my opinion) partly responsible for the erosion of our fundamental rights and the expansion of these illegal behaviors, by failing to do their jobs and take strong enforcement action against violators," he claimed.
"As a result, it is now considered as the normal way to conduct online business, which is an incredibly bad reflection of the regulators and has significantly eroded trust of the public that their complaints will ever be dealt with at all – let alone in a meaningful way."
"This needs to change," Hanff continued. "For example, I have had a complaint with CNIL since 2019 against Withings – an incredibly simple complaint to deal with (the law and case law is incredibly clear on the issue I have complained about) yet still there has not been any result – and I see this with all of the complaints I have lodged with supervisory authorities across the EU since 2018. It is not acceptable and cannot continue."
Meta and Google both did not wish to comment. We've also asked the Irish cops for further information on the next steps. ®