Energy Vault raises $110 million from SoftBank Vision Fund as energy storage grabs headlines

Imagine a moving tower made of huge cement bricks weighing 35 metric tons. The movement of these massive blocks is powered by wind or solar power plants and is a way to store the energy those plants generate. Software controls the movement of the blocks automatically, responding to changes in power availability across an electric grid to charge and discharge the power that’s being generated.

The development of this technology is the culmination of years of work at Idealab, the Pasadena, Calif.-based startup incubator, and Energy Vault, the company it spun out to commercialize the technology, has just raised $110 million from SoftBank Vision Fund to take its next steps in the world.

Energy storage remains one of the largest obstacles to the large-scale rollout of renewable energy technologies on utility grids, but utilities, development agencies and private companies are investing billions to bring new energy storage capabilities to market as the technology to store energy improves.

The investment in Energy Vault is just one indicator of the massive market that investors see coming as power companies spend billions on renewables and storage. As The Wall Street Journal reported over the weekend, ScottishPower, the U.K.-based utility, is committing to spending $7.2 billion on renewable energy, grid upgrades and storage technologies between 2018 and 2022.

Meanwhile, out in the wilds of Utah, the American subsidiary of Japan’s Mitsubishi Hitachi Power Systems is working on a joint venture that would create the world’s largest clean energy storage facility. That 1 gigawatt storage would go a long way toward providing renewable power to the Western U.S. power grid and is going to be based on compressed air energy storage, large flow batteries, solid oxide fuel cells and renewable hydrogen storage.

“For 20 years, we’ve been reducing carbon emissions of the U.S. power grid using natural gas in combination with renewable power to replace retiring coal-fired power generation. In California and other states in the western United States, which will soon have retired all of their coal-fired power generation, we need the next step in decarbonization. Mixing natural gas and storage, and eventually using 100% renewable storage, is that next step,” said Paul Browning, president and CEO of MHPS Americas.

Energy Vault’s technology could also be used in these kinds of remote locations, according to chief executive Robert Piconi.

Energy Vault’s storage technology certainly isn’t going to be ubiquitous in highly populated areas, but the company’s towers of blocks can work well in remote locations and have a lower cost than chemical storage options, Piconi said.

“What you’re seeing there on some of the battery side is the need in the market for a mobile solution that isn’t tied to topography,” Piconi said. “We obviously aren’t putting these systems in urban areas or the middle of cities.”

For areas that need larger-scale storage that’s a bit more flexible there are storage solutions like Tesla’s new Megapack.

The Megapack comes fully assembled — including battery modules, bi-directional inverters, a thermal management system, an AC breaker and controls — and can store up to 3 megawatt-hours of energy with a 1.5 megawatt inverter capacity.

The Energy Vault storage system is made for much, much larger storage capacity. Each tower can store between 20 and 80 megawatt hours at a cost of 6 cents per kilowatt hour (on a levelized cost basis), according to Piconi.

The first facility that Energy Vault is developing is a 35 megawatt-hour system in Northern Italy, and there are other undisclosed contracts with an undisclosed number of customers on four continents, according to the company.

One place where Piconi sees particular applicability for Energy Vault’s technology is around desalination plants in places like sub-Saharan Africa or desert areas.

Backing Energy Vault’s new storage technology are a clutch of investors, including Neotribe Ventures, Cemex Ventures, Idealab and SoftBank.

Heat waves bring record-breaking temperatures on a geological scale

From Alaska to Europe the world has spent the past few weeks roasting under temperatures never before seen in recorded history.

In Alaska, all-time high record temperatures were set across the state on July 4th, according to the National Weather Service. In Anchorage, the mercury soared to highs of 90 degrees, the highest temperature since recording began in 1952.

Temperatures in Alaska have reached 90 degrees in other cities around the state before, but this is the first time that the thermometer hit that mark in Anchorage.

Meanwhile, hot winds blowing North from the Sahara set temperatures in Europe soaring to record highs, according to data released by the Copernicus Climate Change Service.

It was Europe’s record three degree temperature spike that brought global temperatures to their recorded-history highs.

Screen Shot 2019 07 05 at 12.16.41 PM

“Although local temperatures may have been lower or higher than those forecast, our data show that the temperatures over the southwestern region of Europe during the last week of June were unusually high,” said Jean-Noël Thépaut, head of the Copernicus Climate Change Service. “Although this was exceptional, we are likely to see more of these events in the future due to climate change.”

According to data from Copernicus, the temperature spikes across Europe was the highest on record for the month.

Compared for the same five-day period during the last thirty year climatological reference period, six to ten degree Celsius temperature spikes happened in most of France and Germany, throughout northern Spain, northern Italy, Switzerland, Austria and the Czech Republic.

As these events become common, the need for technologies that can reduce carbon emissions because more pressing.

Increasingly, businesses and investors are returning to the once-shunned market of clean technology and renewable energy to back new electric vehicle manufacturers, new energy efficient construction technologies, the rehabilitation of outdated infrastructure and consumer goods that have a smaller carbon footprint or reduce waste.

Data from Bloomberg New Energy Finance published earlier this year indicated that venture investments into what was once called clean technology hit $9.2 billion in 2018. That’s the highest cumulative investment in the sector since 2009. Much of those deals were in Chinese electric vehicle manufacturers who attracted some $3.3 billion in venture capital and private equity dollars.

That’s critical because global carbon emissions have increased over the past two years, according to estimates from the Global Carbon Project.

“We thought, perhaps hoped, emissions had peaked a few years ago,” said Rob Jackson, a professor of Earth system science in Stanford’s School of Earth, Energy & Environmental Sciences (Stanford Earth). “After two years of renewed growth, that was wishful thinking.”

In the U.S. specifically, climate related pressures (a warmer summer and a colder winter) led to increasing demand along with an uptick in gasoline consumption as demand for bigger vehicles fueled higher gas consumption.

“We’re driving more miles in bigger cars, changes that are outpacing improvements in vehicle fuel efficiency,” Jackson explained.

Italy stings Facebook with $1.1M fine for Cambridge Analytica data misuse

Italy’s data protection watchdog has issued Facebook with a €1 million (~$1.1M) fine for violations of local privacy law attached to the Cambridge Analytica data misuse scandal.

Last year it emerged that up to 87 million Facebook users had had their data siphoned out of the social media giant’s platform by an app developer working for the controversial (and now defunct) political data company, Cambridge Analytica.

The offences in question occurred prior to Europe’s tough new data protection framework, GDPR, coming into force — hence the relatively small size of the fine in this case, which has been calculated under Italy’s prior data protection regime. (Whereas fines under GDPR can scale as high as 4% of a company’s annual global turnover.)

Reached for comment a Facebook spokesperson said: “We have said before that we wish we had done more to investigate claims about Cambridge Analytica in 2015. However, evidence indicates that no Italian user data was shared with Cambridge Analytica. Dr Kogan only shared data with Cambridge Analytica in relation to US users. We made major changes to our platform back then and have also significantly restricted the information which app developers can access. We’re focused on protecting people’s privacy and have invested in people, technology and partnerships, including hiring more than 20,000 people focused on safety and security over the last year. We will review the Garante’s decision and will continue to engage constructively with their concerns.”

Last year the UK’s DPA similarly issued Facebook with a £500k penalty for the Cambridge Analytica breach, although Facebook is appealing — in that case it has also highlighted the regulator not having found evidence UK users’ data was shared with Cambridge Analytica, though it clearly was processed by Kogan.

The Italian regulator says 57 Italian Facebook users downloaded Dr Aleksandr Kogan‘s Thisisyourdigitallife quiz app, which was the app vehicle used to scoop up Facebook user data en masse — with a further 214,077 Italian users’ also having their personal information processed without their consent as a result of how the app could access data on each user’s Facebook friends.

In an earlier intervention in March, the Italian regulator challenged Facebook over the misuse of the data — and the company opted to pay a reduced amount of €52,000 in the hopes of settling the matter.

However the Italian DPA has decided that the scale of the violation of personal data and consent disqualifies the case for a reduced payment — so it has now issued Facebook with a €1M fine.

“The sum takes into account, in addition to the size of the database, also the economic conditions of Facebook and the number of global and Italian users of the company,” it writes in a press release on its website [translated by Google Translate].

At the time of writing its full decision on the case was not available.

Late last year the Italian regulator fined Facebook €10M for misleading users over its sign in practices.

While, in 2017, it also slapped the company with a €3M penalty for a controversial decision to begin helping itself to WhatsApp users’ data — despite the latter’s prior claims that user data would never be shared with Facebook.

Going forward, where Facebook’s use (and potential misuse) of Europeans’ data is concerned, all eyes are on the Irish Data Protection Commission; aka its lead regulator in the region on account of the location of Facebook’s international HQ.

The Irish DPC has a full suite of open investigations into Facebook and Facebook-owned companies — covering major issues such as security breaches and questions over the legal basis it claims to process people’s data, among a number of other big tech related probes.

The watchdog has suggested decisions on some of this tech giant-related case-load could land this summer.

This report was updated with comment from Facebook

Revolut adds Apple Pay support in 16 markets

Fintech startup Revolut has expanded its support for Apple Pay, confirming that from today the payment option is available for users in 16 European markets.

The list of supported markets is: UK, France, Poland, Germany, Czech Republic, Spain, Italy, Switzerland, Ireland, Belgium, Austria, Sweden, Denmark, Norway, Finland and Iceland.

Press reports last month suggested the UK challenger bank had inked Apple Pay agreements in markets including the UK, France, Germany and Switzerland.

It’s not clear what took Revolut so long to join the Apple Pay party.

Customers in the supported markets can add their Revolut card to Apple Pay via the Revolut app or via Apple’s Wallet app. Those without a plastic card can add a virtual card to Apple Wallet via the Revolut app and are able to start spending immediately, without having to wait for the physical card to arrive in the post.

Commenting in statement, Arthur Johanet, product owner for card payments at Revolut, said: “Revolut’s ultimate goal is to give our customers a useful tool to manage every aspect of their financial lives, and the ability to make payments quickly, conveniently and securely is vital to achieving this. Our customers have been requesting Apple Pay for a long time, so we are delighted to kick off our rollout, starting with our customers in 16 markets. This is a very positive step forward in enabling our customers to use their money in the way that they want to.”

Fiat Chrysler-Renault tie up: What the maker of Jeep could gain

Fiat Chrysler Automobiles and Renault are reportedly in talks that could result in merging vast swaths of their businesses, a move that illustrates the growing desire among automakers to consolidate in an environment of increased regulatory pressure, sales declines and rising costs aimed at bringing next-generation technologies like self-driving cars to market.

Bloomberg, Financial Times, and the Wall Street Journal have reported on talks of a tie up that could result in Fiat Chrysler eventually becoming part of the Renault-Nissan Motor alliance. For now, the deal doesn’t include Nissan, according to Bloomberg.

FCA declined to comment.

Fiat Chrysler is best known in U.S. for the company behind the Jeep and Ram trucks. Its business is far larger. Fiat, which has a market value of $20 billion, is also one of Italy’s oldest companies and owns brands like Alfa Romeo, Fiat, Lancia, and Maserati .

Fiat acquired a stake in Chrysler in 2009. The FCA people know today — which employs nearly 200,000 people — was created when the companies merged in 2014.

It’s unclear what deal between FCA and Renault might entail. Some of those details might emerge as early as Monday when Renault’s board meets.

What’s the upshot for Fiat Chrysler? The automaker, which also owns automotive parts business Mopar, has an unbalanced business. Nearly one-third of its employees are in Europe. And yet, most of its profits are derived from the North America market. Such a tie-up could produce considerable cost savings in Europe.

Those cost savings will come in handy if there’s a downturn in sales — a reality that other automakers like GM and Ford are already preparing for. And it allows the company to potentially collaborate or share costs on the expensive endeavor of bringing new technologies to market such as electrification and autonomous vehicles.

FCA, which operates 46 research and development centers, has invested in advanced driver assistance systems like its highway assist feature offered in its Maserati brand. But it has also relied on partnerships such as the one with self-driving vehicle company Waymo .

Last year, the company announced an expanded partnership with Waymo that will add up to 62,000 more Chrysler  Pacifica minivans to Waymo’s self-driving car fleet. The two companies are also working on ways to license Waymo’s self-driving car technology in order to deploy the tech in cars for consumers.

You can do it, robot! Watch the beefy, 4-legged HyQReal pull a plane

It’s not really clear just yet exactly what all these powerful, agile quadrupedal robots people are working on are going to do, exactly, but even so it never gets old watching them do their thing. The latest is an Italian model called HyQReal, which demonstrates its aspiration to winning strongman competitions, among other things, by pulling an airplane behind it.

The video is the debut for HyQReal, which is the successor to HyQ, a much smaller model created years ago by the Italian Institute of Technology, and its close relations. Clearly the market, such as it is, has advanced since then, and discerning customers now want the robot equivalent of a corn-fed linebacker.

That’s certainly how HyQReal seems to be positioned; in its video, the camera lingers lovingly on its bulky titanium haunches and thick camera cage. Its low slung body recalls a bulldog rather than a cheetah or sprightly prey animal. You may think twice before kicking this one.

The robot was presented today at the International Conference on Robotics and Automation, where in a workshop (documented by IEEE Spectrum) the team described HyQReal’s many bulkinesses.

It’s about four feet long and three high, weighs 130 kilograms (around 287 pounds), of which the battery comprises 15 — enough for about two hours of duty. It’s resistant to dust and water exposure and should be able to get itself up should it fall or tip over. The robot was created in collaboration with Moog, which created special high-powered hydraulics for the purpose.

It sounds good on paper, and the robot clearly has the torque needed to pull a small passenger airplane, as you can see in the video. But that’s not really what robots like this are for — they need to generate versatility and robustness under a variety of circumstances, and the smarts to navigate a human-centric world and provide useful services.

Right now HyQReal is basically still a test bed — it needs to have all kinds of work done to make sure it will stand up under conditions that robots like Spot Mini have already aced. And engineering things like arm or cargo attachments is far from trivial. All the same it’s exciting to see competition in a space that, just a few years back, seemed totally new (and creepy).

Facebook found hosting masses of far right EU disinformation networks

A multi-month hunt for political disinformation spreading on Facebook in Europe suggests there are concerted efforts to use the platform to spread bogus far right propaganda to millions of voters ahead of a key EU vote which kicks off tomorrow.

Following the independent investigation, Facebook has taken down a total of 77 pages and 230 accounts from Germany, UK, France, Italy, Spain and Poland — which had been followed by an estimated 32 million people and generated 67 million ‘interactions’ (i.e. comments, likes, shares) in the last three months alone.

The bogus mainly far-right disinformation networks were not identified by Facebook — but had been reported to it by campaign group Avaaz — which says the fake pages had more Facebook followers and interactions than all the main EU far right and anti-EU parties combined.

“The results are overwhelming: the disinformation networks upon which Facebook acted had more interactions (13 million) in the past three months than the main party pages of the League, AfD, VOX, Brexit Party, Rassemblement National and PiS combined (9 million),” it writes in a new report.

Although interactions is the figure that best illustrates the impact and reach of these networks, comparing the number of followers of the networks taken down reveals an even clearer image. The Facebook networks takedown had almost three times (5.9 million) the number of followers as AfD, VOX, Brexit Party, Rassemblement National and PiS’s main Facebook pages combined (2 million).”

Avaaz has previously found and announced far right disinformation networks operating in Spain, Italy and Poland — and a spokesman confirmed to us it’s re-reporting some of its findings now (such as the ~30 pages and groups in Spain that had racked up 1.7M followers and 7.4M interactions, which we covered last month) to highlight an overall total for the investigation.

“Our report contains new information for France, United Kingdom and Germany,” the spokesman added.

Examples of politically charged disinformation being spread via Facebook by the bogus networks it found include a fake viral video seen by 10 million people that supposedly shows migrants in Italy destroying a police car (but was actually from a movie; which Avaaz adds that this fake had been “debunked years ago”); a story in Poland claiming that migrant taxi drivers rape European women, including a fake image; and fake news about a child cancer center being closed down by Catalan separatists in Spain.

There’s lots more country-specific detail in its full report.

In all, Avaaz reported more than 500 suspicious pages and groups to Facebook related to the three-month investigation of Facebook disinformation networks in Europe. Though Facebook only took down a subset of the far right muck-spreaders — around 15% of the suspicious pages reported to it.

“The networks were either spreading disinformation or using tactics to amplify their mainly anti-immigration, anti-EU, or racist content, in a way that appears to breach Facebook’s own policies,” Avaaz writes of what it found.

It estimates that content posted by all the suspicious pages it reported had been viewed some 533 million times over the pre-election period. Albeit, there’s no way to know whether or not everything it judged suspicious actually was.

In a statement responding to Avaaz’s findings, Facebook told us:

We thank Avaaz for sharing their research for us to investigate. As we have said, we are focused on protecting the integrity of elections across the European Union and around the world. We have removed a number of fake and duplicate accounts that were violating our authenticity policies, as well as multiple Pages for name change and other violations. We also took action against some additional Pages that repeatedly posted misinformation. We will take further action if we find additional violations.

The company did not respond to our question asking why it failed to unearth this political disinformation itself.

Ahead of the EU parliament vote, which begins tomorrow, Facebook invited a select group of journalists to tour a new Dublin-based election security ‘war room’ — where it talked about a “five pillars of countering disinformation” strategy to prevent cynical attempts to manipulate voters’ views.

But as Avaaz’s investigation shows there’s plenty of political disinformation flying by entirely unchecked.

One major ongoing issue where political disinformation and Facebook’s platform is concerned is that how the company enforces its own rules remains entirely opaque.

We don’t get to see all the detail — so can’t judge and assess all its decisions. Yet Facebook has been known to shut down swathes of accounts deemed fake ahead of elections, while apparently failing entirely to find other fakes (such as in this case).

It’s a situation that does not look compatible with the continued functioning of democracy given Facebook’s massive reach and power to influence.

Nor is the company under an obligation to report every fake account it confirms. Instead, Facebook gets to control the timing and flow of any official announcements it chooses to make about “coordinated inauthentic behaviour” — dropping these self-selected disclosures as and when it sees fit, and making them sound as routine as possible by cloaking them in its standard, dryly worded newspeak.

Back in January, Facebook COO Sheryl Sandberg admitted publicly that the company is blocking more than 1M fake accounts every day. If Facebook was reporting every fake it finds it would therefore need to do so via a real-time dashboard — not sporadic newsroom blog posts that inherently play down the scale of what is clearly embedded into its platform, and may be so massive and ongoing that it’s not really possible to know where Facebook stops and ‘Fakebook’ starts.

The suspicious behaviours that Avaaz attached to the pages and groups it found that appeared to be in breach of Facebook’s stated rules include the use of fake accounts, spamming, misleading page name changes and suspected coordinated inauthentic behavior.

When Avaaz previously reported the Spanish far right networks Facebook subsequently told us it had removed “a number” of pages violating its “authenticity policies”, including one page for name change violations but claimed “we aren’t removing accounts or Pages for coordinated inauthentic behavior”.

So again, it’s worth emphasizing that Facebook gets to define what is and isn’t acceptable on its platform — including creating terms that seek to normalize its own inherently dysfunctional ‘rules’ and their ‘enforcement’.

Such as by creating terms like “coordinated inauthentic behavior”, which sets a threshold of Facebook’s own choosing for what it will and won’t judge political disinformation. It’s inherently self-serving.

Given that Facebook only acted on a small proportion of what Avaaz found and reported overall, we might posit that the company is setting a very high bar for acting against suspicious activity. And that plenty of election fiddling is free flowing under its feeble radar. (When we previously asked Facebook whether it was disputing Avaaz’s finding of coordinated inauthentic behaviour vis-a-vis the far right disinformation networks it reported in Spain the company did not respond to the question.)

Much of the publicity around Facebook’s self-styled “election security” efforts has also focused on how it’s enforcing new disclosure rules around political ads. But again political disinformation masquerading as organic content continues being spread across its platform — where it’s being shown to be racking up millions of interactions with people’s brains and eyeballs.

Plus, as we reported yesterday, research conducted by the Oxford Internet Institute into pre-EU election content sharing on Facebook has found that sources of disinformation-spreading ‘junk news’ generate far greater engagement on its platform than professional journalism.

So while Facebook’s platform is also clearly full of real people sharing actual news and views, the fake BS which Avaaz’s findings imply is also flooding the platform, gets spread around more, on a per unit basis. And it’s democracy that suffers — because vote manipulators are able to pass off manipulative propaganda and hate speech as bona fide news and views as a consequence of Facebook publishing the fake stuff alongside genuine opinions and professional journalism.

It does not have algorithms that can perfectly distinguish one from the other, and has suggested it never will.

The bottom line is that even if Facebook dedicates far more resource (human and AI) to rooting out ‘election interference’ the wider problem is that a commercial entity which benefits from engagement on an ad-funded platform is also the referee setting the rules.

Indeed, the whole loud Facebook publicity effort around “election security” looks like a cynical attempt to distract the rest of us from how broken its rules are. Or, in other words, a platform that accelerates propaganda is also seeking to manipulate and skew our views.

Tech regulation in Europe will only get tougher

European governments have been bringing the hammer down on tech in recent months, slapping record fines and stiff regulations on the largest imports out of Silicon Valley. Despite pleas from the world’s leading companies and Europe’s eroding trust in government, European citizens’ staunch support for regulation of new technologies points to an operating environment that is only getting tougher.

According to a roughly 25-page report recently published by a research arm out of Spain’s IE University, European citizens remain skeptical of tech disruption and want to handle their operators with kid gloves, even at a cost to the economy.

The survey was led by the IE’s Center for the Governance of Change — an IE-hosted research institution focused on studying “the political, economic, and societal implications of the current technological revolution and advances solutions to overcome its unwanted effects.” The “European Tech Insights 2019” report surveyed roughly 2,600 adults from various demographics across seven countries (France, Germany, Ireland, Italy, Spain, The Netherlands, and the UK) to gauge ground-level opinions on ongoing tech disruption and how government should deal with it.

The report does its fair share of fear-mongering and some of its major conclusions come across as a bit more “clickbaity” than insightful. However, the survey’s more nuanced data and line of questioning around specific forms of regulation offer detailed insight into how the regulatory backdrop and operating environment for European tech may ultimately evolve.

 

Distractions

EU gov’t and public health sites lousy with adtech, study finds

A study of tracking cookies running on government and public sector health websites in the European Union has found commercial adtech to be operating pervasively even in what should be core not-for-profit corners of the Internet.

The researchers used searches including queries related to HIV, mental health, pregnancy, alcoholism and cancer to examine how frequently European Internet users are tracked when accessing national health service webpages to look for publicly funded information about sensitive concerns.

The study also found that most EU government websites have commercial trackers embedded on them, with 89 per cent of official government websites found to contain third party ad tracking technology.

The research was carried out by Cookiebot using its own cookie scanning technology to examine trackers on public sector websites, scanning 184,683 pages on all 28 EU main government websites.

Only the Spanish, German and the Dutch websites were found not to contain any commercial trackers.

The highest number of tracking companies were present on the websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments.

The researchers also ran a sub-set of 15 health-related queries across six EU countries (UK, Ireland, Spain, France, Italy and Germany) to identify relevant landing pages hosted on the websites of the corresponding national health service — going on to count and identify tracking domains operating on the landing pages.

Overall, they found a majority (52 per cent) of landing pages on the national health services of the six EU countries contained third party trackers.

Broken down by market, the Irish health service ranked worst — with 73 per cent of landing pages containing trackers.

While the UK, Spain, France and Italy had trackers on 60 per cent, 53 per cent, 47 per cent and 47 per cent of landing pages, respectively.

Germany ranked lowest of the six, yet they still found a third of the health service landing pages contained trackers.

Searches on publicly funded health service sites being compromised by the presence of adtech suggests highly sensitive inferences could be being made about web users by the commercial companies behind the trackers.

Cookiebot found a very long list of companies involved — flagging for example how 63 companies were monitoring a single German webpage about maternity leave; and 21 different companies were monitoring a single French webpage about abortion.

Vulnerable citizens who seek official health advice are shown to be suffering sensitive personal data leakage,” it writes in the report. “Their behaviour on these sites can be used to infer sensitive facts about their health condition and life situation. This data will be processed and often resold by the ad tech industry, and is likely to be used to target ads, and potentially affect economic outcomes, such as insurance risk scores.”

“These citizens have no clear way to prevent this leakage, understand where their data is sent, or to correct or delete the data,” it warns. 

It’s worth noting that Cookiebot and its parent company Cybot’s core business is related to selling EU data protection compliance services. So it’s not without its own commercial interests here. Though there’s no doubting the underlying adtech sprawl the report flags.

Where there’s some fuzziness is around exactly what these trackers are doing, as some could be used for benign site functions like website analytics.

Albeit, if/when the owner of the freebie analytics services in question is also adtech giant Google that still may not feel reassuring, from a privacy point of view.

100+ firms tracking EU public sector site users

Across both government and health service websites, Cookiebot says it identified a total of 112 companies using trackers that send data to a total of 131 third party tracking domains.

It also found 10 companies which actively masked their identity — with no website hosted at their tracking domains, and domain ownership (WHOIS) records hidden by domain privacy services, meaning they could not be identified. That’s obviously of concern. 

Here’s the table of identified tracking companies — which, disclosure alert, includes AOL and Yahoo which are owned by TechCrunch’s parent company, Verizon.

Adtech giants Google and Facebook are also among adtech companies tracking users across government and health service websites, along with a few other well known tech names — such as Oracle, Microsoft and Twitter.

Cookiebot’s study names Google “the kingpin of tracking” — finding the company performed more than twice as much tracking as any other, seemingly as a result of Google owning several of the most dominant ad tracking domains.

Google-owned YouTube.com, DoubleClick.net and Google.com were the top three tracking domains IDed by the study. 

“Through the combination of these domains, Google tracks website visits to 82% of the EU’s main government websites,” Cookiebot writes. “On each of the 22 main government websites on which YouTube videos have been installed, YouTube has automatically loaded a tracker from DoubleClick .net (Google’s primary ad serving domain). Using DoubleClick.net and Google.com, Google tracks visits to 43% of the scanned health service landing pages.”

 

Given its control of many of the Internet’s top platforms (Google Analytics, Maps, YouTube, etc.), it is no surprise that Google has greater success at gaining tracking access to more webpages than anyone else,” it continues. “It is of special concern that Google is capable of cross-referencing its trackers with its 1st party account details from popular consumer-oriented services such as Google Mail, Search, and Android apps (to name a few) to easily associate web activity with the identities of real people.”

Under European data protection law “subjective” information that’s associated with an individual — such as opinions or assessments — is absolutely considered personal data.

So tracker-fuelled inferences being made about site visitors are subject to EU data protection law — which has even more strict rules around the processing of sensitive categories of information like health data.

That in turn suggests that any adtech companies doing third-party-tracking of Internet users and linking sensitive health queries to individual identities would need explicit user consent to do so.

The presence of adtech trackers on sensitive health data pages certainly raises plenty of questions.

We asked Google for a response to the Cookiebot report, and a spokesperson sent us the following statement regarding sensitive category data specifically — in which it claims: “We do not permit publishers to use our technology to collect or build targeting lists based on users’ sensitive information, including health conditions like pregnancy or HIV.”

Google also claims it does not itself infer sensitive user interest categories.

Furthermore it said its policies for personalized ads prohibit its advertisers from collecting or using sensitive interest categories to target users. (Though saying you’re telling someone not to do something is not the same as that thing not being done. That would depend on the enforcement.)

Google’s spokesperson was also keen to point to its EU user consent policy — where it says it requires site owners that use its services to ensure they have correct disclosures and consents for personalised ads and cookies from European end users.

The company warns it may suspend or terminate a site’s use of its services if they have not obtained the right disclosures and consents. It adds there’s no exception for government sites.

On tags and disclosure generally, the Google spokesperson provided the following comment: “Our policies are clear: If website publishers choose to use Google web or advertising products, they must obtain consent for cookies associated with those products.”

Where Google Analytics cookies are concerned, Google said traffic data is only collected and processed per instructions it receives from site owners and publishers — further emphasizing that such data would not be used for ads or Google purposes without authorization from the website owner or publisher.

Albeit sloppy implementations of freebie Google tools by resource-strapped public sector site administrators might make such authorizations all too easy to unintentionally enable.

So, tl;dr — as Google tells it — the onus for privacy compliance is on the public sector websites themselves.

Though given the complex and opaque mesh of technology that’s grown up sheltering under the modern ‘adtech’ umbrella, opting out of this network’s clutches entirely may be rather easier said than done.

Cookiebot’s founder, Daniel Johannsen, makes a similar point to Google’s in the report intro, writing: “Although the governments presumably do not control or benefit from the documented data collection, they still allow the safety and privacy of their citizens to be compromised within the confines of their digital domains — in violation of the laws that they have themselves put in place.”

More than nine months into the GDPR [General Data Protection Regulation], a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” he adds, calling for public sector bodies to “lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites”.

“The fact that so many public sector websites have failed to protect themselves and their visitors against the inventive methods of the tracking industry clearly demonstrates the educational challenge that the wider web faces: How can any organisation live up to its GDPR and ePrivacy obligations if it does not control unauthorised tracking actors accessing their website?”

Trackers creeping in by the backdoor

On the “inventive methods” front, the report flags how third party javascript technologies — used by websites for functions like video players, social sharing widgets, web analytics, galleries and comments sections — can offer a particularly sneaky route for trackers to be smuggled into sites and apps by the ‘backdoor’.

Cookiebot gives the example of social sharing tool, ShareThis, which automatically adds buttons to each webpage to make it easy for visitors to share information across social media platforms.

The ShareThis social plugin is used by Ireland’s public health service, the Health Service Executive (HSE). And there Cookiebot found it releases trackers from more than 20 ad tech companies into every webpage it is installed on.

“By analysing web pages on HSE.ie, we found that ShareThis loads 25 other trackers, which track users without permission,” it writes. “This result was confirmed on pages linked from search queries for “mortality rates of cancer patients” and “symptoms of postpartum depression”.”

“Although website operators like the HSE do control which 3rd parties (like ShareThis) they add to their websites, they have no direct control over what additional “4th parties” those 3rd parties might smuggle in,” it warns.

We’ve reached out to ShareThis for a response.

Another example flagged by the report is what Cookiebot dubs “YouTube’s Tracking Cover-Up”.

Here it says it found that even when a website has enabled YouTube’s so-called “Privacy-enhanced Mode”, in a bid to limit its ability to track site users, the mode “currently stores an identifier named “yt-remote-device -id” in the web browser’s “Local Storage”” which Cookiebot found “allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims”.

“Rather than disabling tracking, “privacy-enhanced mode” seems to cover it up,” they claim. 

Google did not provide an on the record comment regarding that portion of the report.

Instead the company sent some background information about “privacy-enhanced mode” — though its points did not engage at all with Cookiebot’s claim that tracking continues regardless of whether a user watches or interacts with a video in any way.

Overall, Google’s main point of rebuttal vis-a-vis the report’s conclusion — i.e. that even on public sector sites surveillance capitalism is carrying on business as usual — is that not all cookies and pixels are ad trackers. So it’s claim is a cookie ‘signal’ might just be harmless background ‘noise’.

(In additional background comments Google suggested that if a website is running an advertising campaign using its services — which presumably might be possible in a public sector scenario if an embedded YouTube video contains an ad (for example) — then an advertising cookie could be a conversion pixel used (only) to measure the effectiveness of the ad, rather than to track a user for ad targeting.

For DoubleClick cookies on websites in general, Google told us this type of cookie would only appear if the website specifically signed up with its ad services or another vendor which uses its ad services.

It further claimed it does not embed tracking pixels on random pages or via Google Analytics with Doubleclick cookies.)

The problem here is the lack of opacity in the adtech industry which requires users to take ad targeters at their word — and trust that an adtech giant like Google, which makes pots of money off of tracking web users to target them with ads, has nonetheless built perfectly privacy-respecting, non-leaky infrastructure that operates 100% as separately and cleanly as claimed, even as the entire adtech industry’s business incentives are pushing in the opposite direction.

Also a problem: Certain adtech giants having a long and storied history of bundling purposes for user data and manipulating consent in privacy-hostile ways.

And with trust in adtech at such a historic low — plus regulation having been rebooted in Europe to put the focus on enforcement (which is encouraging a cottage industry of GDPR ‘compliance’ services to wade in) — the industry’s preferred cloak of complex opacity is under attack on multiple front (including from policymakers) and does look to be on borrowed time.

And as more light shines in and risk steps up, sensitive public sector websites could just decide to nix using any of these freebie plugins.

In another “inventive” case study highlighted by the report, Cookiebot writes that it documented instances of Facebook using a first party cookie workaround for Safari’s intelligent tracker blocking system to harvest user data on two Irish and UK health landing pages.

So even though Apple’s browser natively purges third party cookies to enhance user privacy by default Facebook’s engineers appear to have managed to create a workaround.

Cookiebot says this works by Facebook’s new first party cookie — “_fbp” — storing a unique user ID that’s then forwarded as a URL parameter in the pixel tracker “tr” to Facebook.com — “thus allowing Facebook to track users after all”, i.e. despite Safari’s best efforts to prevent pervasive third party tracking.

“In our study, this combined tracking practice was documented on 2 Irish and UK landing pages featuring health information about HIV and mental illness,” it writes. “These types of workarounds of browser tracking prevention are highly intrusive as they undermine users’ attempts to protect their personal data – even when using browsers and extensions with the most advanced protection settings.”

Reached for a response to the Cookiebot report Facebook also did not engage with the case study of its Safari third party cookie workaround.

Instead, a spokesman sent us the following line: “[Cookiebot’s] investigation highlights websites that have chosen to use Facebook’s Business Tools — for example, the Like and Share buttons, or the Facebook pixel. Our Business Tools help websites and apps grow their communities or better understand how people use their services. For example, we could tell them that their site is most popular among people aged 20-25.”

In further information provided to us on background the company confirmed that data it receives from websites can be used for enhancing ad targeting on Facebook. (It said Facebook users can switch off ad personalization based on such signals — via the “Ads Based on Data from Partners” setting in Ad Preferences.)

It also said organizations that make use of its tools are subject to its Business Tools terms — which Facebook said require them to provide users with notice and obtain any required legal consent, including being clear with users about any information they share with it. 

Facebook further claimed it prohibits apps and websites from sending it sensitive data — saying it takes steps to detect and remove data that should not be shared with it.

ePrivacy Regulation needed to raise the bar

Commenting on the report in a statement, Diego Naranjo, senior policy advisor at digital rights group EDRi, called for European regulators to step up to defend citizens’ privacy.

For the last 20 years, Europe has fought to regulate the sprawling chaos of data tracking. The GDPR is a historical attempt to bring the information economy in line with our core civil liberties, securing the same level of democratic control and trust online as we take for granted in our offline world. Yet, as this study has provided evidence of, nine months into the new regulation, online tracking remains as hidden, uncontrollable, and plentiful as ever,” he writes in the report. “We stress that it is the duty of regulators to ensure their citizens’ privacy.”

Naranjo also warned that another EU privacy regulation, the ePrivacy Regulation — which is intended to deal directly with tracking technologies — risks being watered down.

In the wake of GDPR it’s become the focus of major lobbying efforts, as we’ve reported before.

“One of the great added values of the ePrivacy Regulation is that it is meant to raise the bar for companies and other actors who want to track citizens’ behaviour on the Internet. Regrettably, now we are seeing signs of the ePrivacy Regulation becoming watered out, specifically in areas concerning “legitimate interest” and “consent”,” he warns.

“A watering down of the ePrivacy Regulation will open a Pandora’s box of more and more sharing, merging and reselling of personal data in huge online commercial surveillance networks, in which citizens are being unwittingly tracked and micro-targeted with commercial and political manipulation. Instead, the ePrivacy Regulation must set the bar high in line with the wishes of the European Parliament, securing that the privacy of our fellow citizens does not succumb to the dominion of the ad tech industry.”

Google has quietly added DuckDuckGo as a search engine option for Chrome users in ~60 markets

In an update to the chromium engine, which underpins Google’s popular Chrome browser, the search giant has quietly updated the lists of default search engines it offers per market — expanding the choice of search product users can pick from in markets around the world.

Most notably it’s expanded search engine lists to include pro-privacy rivals in more than 60 markets globally.

The changes, which appear to have been pushed out with the Chromium 73 stable release yesterday, come at a time when Google is facing rising privacy and antitrust scrutiny and accusations of market distorting behavior at home and abroad.

Many governments are now actively questioning how competition policy needs to be updated to rein in platform power and help smaller technology innovators get out from under the tech giant shadow.

But in a note about the changes to chromium’s default search engine lists on an Github instance, Google software engineer Orin Jaworski merely writes that the list of search engine references per country is being “completely replaced based on new usage statistics” from “recently collected data”.

Their choices appear to loosely line up with top four marketshare.

The greatest beneficiary of the update appears to be pro-privacy Google rival, DuckDuckGo, which is now being offered as an option in more than 60 markets, per the Github instance.

Previously DDG was not offered as an option at all.

Another pro-privacy search rivals, French search engine Qwant, has also been added as a new option — though only in its home market, France.

Whereas DDG has been added in Argentina, Austria, Australia, Belgium, Brunei, Bolivia, Brazil, Belize, Canada, Chile, Colombia, Costa Rica, Croatia, Germany, Denmark, Dominican Republic, Ecuador, Faroe Islands, Finland, Greece, Guatemala, Honduras, Hungary, Indonesia, Ireland, India, Iceland, Italy, Jamaica, Kuwait, Lebanon, Liechtenstein, Luxembourg, Monaco, Moldova, Macedonia, Mexico, Nicaragua, Netherlands, Norway, New Zealand, Panama, Peru, Philippines, Poland, Puerto Rico, Portugal, Paraguay, Romania, Serbia, Sweden, Slovenia, Slovakia, El Salvador, Trinidad and Tobago, South Africa, Switzerland, UK, Uruguay, US and Venezuela.

“We’re glad that Google has recognized the importance of offering consumers a private search option,” DuckDuckGo founder Gabe Weinberg told us when approached for comment about the change.

DDG has been growing steadily for years — and has also recently taken outside investment to scale its efforts to capitalize on growing international appetite for pro-privacy products.

Interestingly, the chromium Github instance is dated December 2018 which appears to be around about the time when Google (finally) passed the Duck.com domain to DuckDuckGo, after holding onto the domain and pointing it to Google.com for years.

We asked Google for comment on the timing of the changes to search engine options in chromium. At the time of writing the search giant had not responded.

We’ve also reached out to Qwant for comment on being added as an option in its home market.