Can anyone tell me whether it is legal to have a web application with highly encrypted data based in the UK which can be used by users based in any other country worldwide?
I understand that many countries like to monitor their citizens and that there are some examples of encryption causing issues for companies such as RIM and their Blackberry's encryption.
Is it the case that a web application would be exempt from such worries if it is physically based in a country such as the UK, where data may be encrypted to any level, or will it have to conform to the rules of whatever countries its users are based in?
See this survey on cryptographic laws around the world. The section on UK is quite long.
As for RIM, drawing conclusions is a bit hazardous. As Schneier says, "this is a weird story" and only small parts of it are publicly known.
Related
I am working on a research project based on the six degrees of separation theory (based on the works of Stanley Milgram 1967 and later, Duncan Watts 2001). I just wanted to plot the connections of every user part of the study.
I wanted to show a users connections list, from LinkedIn. I read that there was something like a peoples API which could be used, but I think it is deprecated now. Is there any way of getting a users list of connections, even if we take the users permission?
I also read that there is something like a LinkedIn partners program, I cannot find much information about how I can apply for it.
I've been doing some research on intent data and I have some technical questions, especially about how two businesses might be collecting "contact level" i.e. personally identified web traffic details without using third-party cookies.
Some quick background: Most of the large providers of intent data (bombora, the big willow/aberdeen/Spiceworks Ziff Davis, Tech Target etc.) offer "account" based intent data - essentially when users visit websites in their network, they do a reverse IP addresses lookup, match them to know IP addresses of large companies (usually companies with at least 250 employees) and note what topics are "surging" - aka showing unusual traffic on a given week. This largely makes sense to me. I'm assuming that when a visitor shows up at your site, google analytics and similar tools can tell you what google search keywords were used to arrive at your site, and that's how they can say things like - we can "observe intent signals across an unlimited number of contextual keyword categories, allowing you to customize your keywords and layer these insights onto your campaigns for optimal performance." Third party cookies, and data from DSP's (demand side platform's enabling ad buyers to buy ads across many platforms) are also involved in providing data, those these will be less useful sources of data after google sunset's third party cookies on Chrome.
Two providers - intentdata.io, and intentflow.com are offering contact level intent data. You can imagine why that would be of interest - if the director of sales is interested in your sales SaaS tool, you have a better idea of how qualified that lead is and who to reach out to. Only one of the two providers is specific about what exactly they're collecting - i.e. what "intent" they are capturing and how they're collecting it.
Intentdata.io:
Intentdata.io looks like a tiny company (two employees on LinkedIn). The most specific statement I've found about what their data is was in an Impact+ podcast interview - Ed, the CRO at intentdata.io, mentions that the data is analogous to commenting on a Forbes article or a conversation on LinkedIn. But he's clear - "that's just an analogy." They also say elsewhere that the data they provide mentions specifically what action the contact took that landed them in the provided data.
Ed from intentdata.io is also asked about GDPR compliance in his Impact+ interview - he basically says, some lawyers will disagree but he believes their data to be GDPR compliant, and it is in use by some firms in the EU. He does mention though that some firms have asked them to exclude certain columns from the data, like email addresses.
Edit: Found a bit more on intentdata.io - looks like they build a custom setup to pull "intent" data for each customer - they don't have a database monitoring company interaction with content across social media and b2b sites, instead you provide them with "lists (names and URLs) of customers, competitors, influencers, events, target accounts and key terms that would indicate intent at different stages in the buying journey. Pull together important hashtags, details on your ideal buyer (job titles, functions, seniority) and firmographics (size, industry, location)" - then they create a custom "algorithm" from this info, and they iterate on that "algorithm" a little bit over time.
They also make this statement on their site: "IntentData.io's data is collected from observing public actions that users are taking around the web. That means that first, we observe action (not reading, searching, browsing, being shown an ad, etc.) which we believe is a more concrete manifestation of intent. Second, people are taking these actions publicly for the world to see. We do not use any cookies, bidstream data or reverse IP lookups."
Finally one piece of their sales collateral asks: What ad budget do you have for PPC nurturing ads? So their may be some targeted PPC ads involved in the "algorithm."
Edit 2: Their sales collateral also states that they use "a third-party intent data methodology that uses multi-variable linear regression analysis to correlate observed actions with a specific contact. This is the method that the LeadSift engine of IntentData.io data uses."
Intentflow.com:
Intentflow.com seems like the sketchier of the two providers if I'm honest. They provide a video walkthrough of how they get their data at intentflow.com/thesis - but I'm not following how using "traceable urls" with no cookies involved, could give you contact level information. They also say they lookup what the most popular articles/pages are for 5k to 40k unique keywords or phrases that are related to 10-50 keywords or phrases you give them to target. And they use "traceable urls" to track who visits those sites. Again - no cookies involved. Supposedly fully compliant at least with US laws. They don't provide data for the EU "by design" so presumably they're not GDPR compliant? They also claim they can identify the individuals who are visiting your website, again using "traceable urls" - it seems clear from the pitch that you're asked to reach out to your backlink providers around the web to use this traceable url.
I've seen an interview where a rep from Bombora says they tried for a while to do contact level intent data and it wasn't very useful - and it wasn't really doable in a compliant way. Ed seems to be aware they've said that publicly, and he says "that's just not true."
So what's going on here? How exactly are these two small firms getting contact level intent data? Do you think they're doing it in a compliant way?
Got more information:
Intentdata.io use public comments, likes, shares etc. on blogs, social posts via web crawling and scraping for events, influencers, hashtags, articles etc. that the customer deems worth tracking. They do some work to try and connect the commenters with an identifiable contact. They bill on a quarterly basis for this.
Intentflow.com doesn't seem to use "traceable urls" at all. They take bidstream data, and identify the individual visitors via an "identity graph." They provide a minimum of 5k contacts per month at $2 per contact, making their data very expensive ($120k+ per year). You can't get lower than however many contacts their system spits out per month so it seems like there's not a good firm limit on what you will be charged. They say they can identify ~70% of web traffic, and they only provide data on US site visitors. Each row of their output would include not just the contact, but the site that contact was shown an ad on. Definitely interesting data - but I'm guessing they will be very affected by upcoming changes to third party cookies, privacy laws, etc.
There are two Swiss (.ch) websites, let's call them A and B. A is owned by me and B by a customer.
Because of legal data protection issues B is hosted in Switzerland and not allowed to store any user information abroad. Which means that software like Google Analytics is not available on B. A is a Swiss website but hosted in a (European) cloud.
Now we would like to find out how many common users we both have over the duration of 30 days. In short:
numberOfUsersA ∩ numberOfUsersB
For the sake of simplicity: Instead of users we are perfectly happy to measure common browsers.
What would you suggest is the simplest way to solve this problem?
First off all, best regards from Zurich/Zug :) Swiss people are everywhere...
I don't think you're correct that it's not legal to collect data in Switzerland at all (also abroad). As I'm working in the financial industry I know this topic very well and we also had to do a lot research to use GA at all.
It's always the question what and how you collect data. What you can't do - beside you got in upfront the permission of the user - is storing personal identifiable information. That's anyway not allowed by GA - you can't import/save in custom dimension/metrics for example email addresses.
Please check https://support.google.com/adsense/answer/6156630?hl=en as general basic information about this topic.
If you save the IP addresses via IP anonymization, you shouldn't run into problems if you're declaring this in your data-privacy statements. Take this approach: https://support.google.com/analytics/answer/2763052?hl=en
I'm not a lawyer and also not want to give you legal advises, but ours told us that's fine. If you are real paranoid about sending data to the USA - like we have to be - you can exclude your tracking from very sensitive forms.
To go back to your basic question, if you want to find this out via Google Analytics, your key is "cross domain tracking". Check https://support.google.com/analytics/answer/1034342?hl=en for more information in this direction.
The only work-around I have in my mind beside this, is if you start collecting browser-fingerprints yourself and then connect both collections over the finger prints together (that's not save, as your visitors will use more than one device/configuration). I personally would go for the IP anonimization, exclude very sensitive forms and ensure that your data-privacy declaration contains all necessary parts for and offer an opt-out option then you should be on the safe side.
All the best and TGIF :)
Basically I was looking to use stripe to take online payments for an online lottery website however the application is marked as a prohibited business.
Prohibited Businesses: Gambling
Lotteries; bidding fee auctions; sports forecasting or odds making; fantasy sports leagues with cash prizes; internet gaming; contests; sweepstakes; games of chance
Alternative Options??
I was looking for another option instead of stripe that would take online payments for my application.
It is a startup business so i would like the payment option to handle the merchant bank account side like stripe/paypal.
The project is being developed on asp.net, web forms c#.
Any advice would be greatly appreciated.
Most countries are regulating gambling of any form.
A few examples:
some countries like France have a company dealing with such purpose under the authority of the government.
for US, gambling regulation is different by state, and some don't even allow Lottery at all.
in Ireland, latest laws allows online gambling, prior to acquire a license delivered by the state. Not having this license can cost up to €300,000 as a fine.
There is a good chance that your Lottery application will fall under the same regulation, in which case you have to contact whichever authority in your country to ask them how you can create a gambling application under required law, if permitted (keeping in mind that this could be a pretty tedious and long process).
Bottom line of your question:
Stripe or other online payment systems are not allowing these types of payments because of this regulation.
Even if passing the barrier of regulation, a lot of technical restrictions would have to be applied to verify people residence to avoid legal issues.
UPDATE:
One option as mentioned in comments would be to use Bitcoin (using it with ASP.NET) as an alternative money to circumvent legal issues, but that doesn't mean that this is not regulated yet or going to be in a near future (which falls legally under a Lacuna).
Is it eligible to apply real-time insta-like filters on Google Street View imagery retrieved via the google street view API that will be published online as a part of a slideshow in a web app?
No Google street view Content will be cached on a third party server in the process.
Do you think this would be in alignment with google's terms?
Streetview seems to be under the Google Maps umbrella as far as the api TOS goes. The document isn't that long, but your use case doesn't seem to be in direct violation. I would still be wary of something such as Section 8.3 (a):
Content (including but not limited to map data, traffic, directions,
and places) is provided for planning purposes only. You may find that weather conditions, construction projects, closures, or other events may cause road conditions or directions to differ from the results depicted in the Content. You should exercise judgment in your use of the Content.
Although that seems more like a caveat emptor warning admonishing them of liability if their data is inaccurate and tells you to turn left off of a cliff. I insist that you should really read the actual terms. There are a lot of little things that they seem to be worried about in there and I would definitely recommend having an attorney help you navigate what's going on in there.
I'd hazard to say you'd be fine especially with no caching, but you should really consult with an attorney and read the terms.