電気通信サービスの契約数及びシェアに関する四半期データの公表 (令和6年度第1四半期(6月末))
地方公務員等共済組合法施行規則の一部を改正する省令案に対する意見募集の結果
情報通信審議会 情報通信技術分科会 IPネットワーク設備委員会非常時における事業者間ローミング等に関する検討作業班(第1回)開催案内
郵便貯金資産・簡易生命保険資産の地方公共団体貸付に関する利率見直し後の適用利率
2020年基準 消費者物価指数 東京都区部 2024年(令和6年)9月分(中旬速報値)
9月20日からの大雨に関する被害状況等について(第14報)
令和6年9月20日からの大雨による被害に係る普通交付税(11月定例交付分)の繰上げ交付
【おすすめ本】長井 暁『NHKは誰のものか』―なぜ権力に弱いのか 公共放送に巣食う病理を告発=永田 浩三(武蔵大学教授・元NHKプロデューサー)
FTC Report Confirms: Commercial Surveillance is Out of Control
A new Federal Trade Commission (FTC) report confirms what EFF has been warning about for years: tech giants are widely harvesting and sharing your personal information to fuel their online behavioral advertising businesses. This four-year investigation into the data practices of nine social media and video platforms, including Facebook, YouTube, and X (formerly Twitter), demonstrates how commercial surveillance leaves consumers with little control over their privacy. While not every investigated company committed the same privacy violations, the conclusion is clear: companies prioritized profits over privacy.
While EFF has long warned about these practices, the FTC’s investigation offers detailed evidence of how widespread and invasive commercial surveillance has become. Here are key takeaways from the report:
Companies Collected Personal Data Well Beyond Consumer ExpectationsThe FTC report confirms that companies collect data in ways that far exceed user expectations. They’re not just tracking activity on their platforms, but also monitoring activity on other websites and apps, gathering data on non-users, and buying personal information from third-party data brokers. Some companies could not, or would not, disclose exactly where their user data came from.
The FTC found companies gathering detailed personal information, such as the websites you visit, your location data, your demographic information, and your interests, including sensitive interests like “divorce support” and “beer and spirits.” Some companies could only report high-level descriptions of the user attributes they tracked, while others produced spreadsheets with thousands of attributes.
There’s Unfettered Data Sharing With Third PartiesOnce companies collect your personal information, they don’t always keep it to themselves. Most companies reported sharing your personal information with third parties. Some companies shared so widely that they claimed it was impossible to provide a list of all third-party entities they had shared personal information with. For the companies that could identify recipients, the lists included law enforcement and other companies, both inside and outside the United States.
Alarmingly, most companies had no vetting process for third parties before sharing your data, and none conducted ongoing checks to ensure compliance with data use restrictions. For example, when companies say they’re just sharing your personal information for something that seems unintrusive, like analytics, there's no guarantee your data is only used for the stated purpose. The lack of safeguards around data sharing exposes consumers to significant privacy risks.
Consumers Are Left in the DarkThe FTC report reveals a disturbing lack of transparency surrounding how personal data is collected, shared, and used by these companies. If companies can’t tell the FTC who they share data with, how can you expect them to be honest with you?
Data tracking and sharing happens behind the scenes, leaving users largely unaware of how much privacy they’re giving up on different platforms. These companies don't just collect data from their own platforms—they gather information about non-users and from users' activity across the web. This makes it nearly impossible for individuals to avoid having their personal data swept up into these vast digital surveillance networks. Even when companies offer privacy controls, the controls are often opaque or ineffective. The FTC also found that some companies were not actually deleting user data in response to deletion requests.
The scale and secrecy of commercial surveillance described by the FTC demonstrates why the burden of protecting privacy can’t fall solely on individual consumers.
Surveillance Advertising Business Models Are the Root CauseThe FTC report underscores a fundamental issue: these privacy violations are not just occasional missteps—they’re inherent to the business model of online behavioral advertising. Companies collect vast amounts of data to create detailed user profiles, primarily for targeted advertising. The profits generated from targeting ads based on personal information drive companies to develop increasingly invasive methods of data collection. The FTC found that the business models of most of the companies incentivized privacy violations.
FTC Report Underscores Urgent Need for Legislative ActionWithout federal privacy legislation, companies have been able to collect and share billions of users’ personal data with few safeguards. The FTC report confirms that self-regulation has failed: companies’ internal data privacy policies are inconsistent and inadequate, allowing them to prioritize profits over privacy. In the FTC’s own words, “The report leaves no doubt that without significant action, the commercial surveillance ecosystem will only get worse.”
To address this, the EFF advocates for federal privacy legislation. It should have many components, but these are key:
- Data minimization and user rights: Companies should be prohibited from processing a person’s data beyond what’s necessary to provide them what they asked for. Users should have the right to access their data, port it, correct it, and delete it.
- Ban on Online Behavioral Advertising: We should tackle the root cause of commercial surveillance by banning behavioral advertising. Otherwise, businesses will always find ways to skirt around privacy laws to keep profiting from intrusive data collection.
- Strong Enforcement with Private Right of Action: To give privacy legislation bite, people should have a private right of action to sue companies that violate their privacy. Otherwise, we’ll continue to see widespread violation of privacy laws due to limited government enforcement resources.
Using online services shouldn't mean surrendering your personal information to countless companies to use as they see fit. When you sign up for an account on a website, you shouldn’t need to worry about random third-parties getting your information or every click being monitored to serve you ads. For now, our Privacy Badger extension can help you block some of the tracking technologies detailed in the FTC report. But the scale of commercial surveillance revealed in this investigation requires significant legislative action. Congress must act now and protect our data from corporate exploitation with a strong federal privacy law.
Call for consultant(s) to support gender integration in policy and regulation for community-centred connectivity models
The UN General Assembly and the Fight Against the Cybercrime Treaty
Note on the update: The text has been revised to reflect the updated timeline for the UN General Assembly’s consideration of the convention, which is now expected at the end of this year. The update also emphasizes that states should reject the convention. Additionally, a new section outlines the risks associated with broad evidence-sharing, particularly the lack of robust safeguards needed to act as checks against the misuse of power. While the majority of the investigatory powers in the convention used the shall language in Chapter IV, and therefore, are mandatory, the safeguards are left to each state’s discretion in how they are applied. Please note that our piece in Just Security and this post are based on the latest version of the UNCC.
The final draft text of the United Nations Convention Against Cybercrime, adopted last Thursday by the United Nations Ad Hoc Committee, is now headed to the UN General Assembly for a vote. The last hours of deliberations were marked by drama as Iran repeatedly, though unsuccessfully, attempted to remove almost all human rights protections that survived in the final text, receiving support from dozens of nations. Although Iran’s efforts were defeated, the resulting text is still nothing to celebrate, as it remains riddled with unresolved human rights issues. States should vote No when the UNGA votes on the UN Cybecrime Treaty.
The Fight Moves to the UN General AssemblyStates will likely consider adopting or rejecting the treaty at the UN General Assembly later this year. It is crucial for States to reject the treaty and vote against it. This moment offers a key opportunity to push back and build a strong, coordinated opposition.
Over more than three years of advocacy, we consistently fought for clearer definitions, narrower scope, and stronger human rights protections. Since the start of the process, we made it clear that we didn’t believe the treaty was necessary, and, given the significant variation in privacy and human rights standards among member states, we raised concerns that the investigative powers adopted in the treaty may accommodate the most intrusive police surveillance practices across participating countries. Yet, we engaged in the discussions in good faith to attempt to ensure that the treaty would be narrow in scope and include strong, mandatory human rights safeguards.
However, in the end, the e-evidence sharing chapter remains broad in scope, and the rights section unfortunately falls short. Indeed, instead of merely facilitating cooperation on core cybercrime, this convention authorizes open-ended evidence gathering and sharing for any serious crime that a country chooses to punish with a sentence of at least four years or more, without meaningful limitations. While the convention excludes cooperation requests if there are substantial grounds to believe that the request is for the purpose of prosecuting or punishing someone based on their political beliefs or personal characteristics, it sets an extremely high bar for such exclusions and provides no operational safeguards or mechanisms to ensure that acts of transnational repression or human rights abuses are refused.
The convention requires that these surveillance measures are proportionate, but leaves critical safeguards such as judicial review, the need for grounds of justifying surveillance, and the need for effective redress as optional despite the intrusive nature of the surveillance powers it adopts. Even more concerning, some states have already indicated that in their view the requirements for these critical safeguards is purely a matter of states' domestic law, many of which already fail to meet international human rights standards and lack meaningful judicial oversight or legal accountability.
The convention ended up accommodating the most intrusive practices. For example, blanket, generalized data retention is problematic under human rights law but states that ignore these restrictions, and have such powers under their domestic law, can respond to assistance requests by sharing evidence that was retained through blanket data retention regimes. Similarly, encryption is also protected under international human rights standards but nothing in this convention prevents a state from employing encryption-breaking powers they have under their domestic law when responding to a cross-border request to access data.
The convention’s underlying flaw is the assumption that, in accommodating all countries' practices, states will act in good faith. This assumption is flawed, as it only increases the likelihood that the powerful global cooperation tools established by the convention will be abused.
The Unsettling Concessions in the Treaty NegotiationsThe key function of the Convention, if ratified, will be to create a means of requiring legal assistance between countries that do not already have mutual legal assistance treaties (MLATs) or other cooperation agreements. This would include repressive regimes who may previously have been hindered in their attempts to engage in cross-border surveillance and data sharing, in some cases because their concerning human rights records have excluded them from MLATs. For countries that already have MLATs in place, the new treaty’s cross-border cooperation provisions may provide additional tools for assistance.
A striking pattern throughout the Convention as adopted is the leeway that it gives to states to decide whether or not to require human rights safeguards; almost all of the details of how human rights protections are implemented is left up to national law. For example, the scope and definition of many offenses “may"—or may not—include certain protective elements. In addition, states are not required to decline requests from other states to help investigate acts that are not crimes under their domestic law; they can choose to cooperate with those requests instead. Nor does the treaty obligate states to carefully scrutinize surveillance requests to ensure they are not pretextual attempts at persecution.
This pattern continues. For example, the list of core cybercrimes under the convention—that in the past swept in good faith security research, whistleblowers, and journalistic activities—let states choose whether specific elements must be included before an act will be considered a crime, for example that the offense was done with dishonest intent or that it caused serious harm. Sadly, these elements are optional, not required.
Similarly, provisions on child sexual abuse material (CSAM) allow states to adopt exceptions that would ensure scientific, medical, artistic or educational materials are not wrongfully targeted, and that would exclude consensual, age-appropriate exchanges between minors, in line with international human rights standards. Again, these exceptions are optional, meaning that over-criminalization is not only consistent with the Convention but also qualifies for the Convention's cross-border surveillance and extradition mechanisms.
The broad discretion granted to states under the UN Cybercrime Treaty is a deliberate design intended to secure agreement among countries with varying levels of human rights protections. This flexibility, in certain cases, allows states with strong protections to uphold them, but it also permits those with weaker standards to maintain their lower levels of protection. This pattern was evident in the negotiations, where key human rights safeguards were made optional rather than mandatory, such as in the list of core cybercrimes and provisions on cross-border surveillance.
These numerous options in the convention are also disappointing because they took the place of what would have been preferred: advancing the protections in their national laws as normative globally, and encouraging or requiring other states to adopt them.
Exposing States’ Contempt For RightsIran’s last-ditch attempts to strip human rights protections from the treaty were a clear indicator of the challenges ahead. In the final debate, Iran proposed deleting provisions that would let states refuse international requests for personal data when there’s a risk of persecution based on political opinions, race, ethnicity, or other factors. Despite its disturbing implications, the proposal received 25 votes in support including from India, Cuba, China, Belarus, Korea, Nicaragua, Nigeria, Russia, and Venezuela.
That was just one of a series of proposals by Iran to remove specific human rights or procedural protections from the treaty at the last minute. Iran also requested a vote on deleting Article 6(2) of the treaty, another human rights clause that explicitly states that nothing in the Convention should be interpreted as allowing the suppression of human rights or fundamental freedoms, as well as Article 24, which establishes the conditions and safeguards—the essential checks and balances—for domestic and cross-border surveillance powers.
Twenty-three countries, including Jordan, India, and Sudan, voted to delete Article 6(2), with 26 abstentions from countries like China, Uganda, and Turkey. This means a total of 49 countries either supported or chose not to oppose the removal of this critical clauses, showing a significant divide in the international community's commitment to protecting fundamental freedoms. And 11 countries voted to delete Article 24, with 23 abstentions.
These and other Iranian proposals would have removed nearly every reference to human rights from the convention, stripping the treaty of its substantive human rights protections and impacting both domestic legislation and international cooperation, leaving only the preamble and general clause, which states: "State Parties shall ensure that the implementation of their obligations under this Convention is consistent with their obligations under international human rights law.”
Additional Risks of Treaty AbuseThe risk that treaty powers can be abused to persecute people is real and urgent. It is even more concerning that some states have sought to declare (by announcing a future potential “reservation”) that they may intend to not follow Article 6.2 (general human rights clause), Article 24 (conditions and safeguards for domestic and cross border spying assistance), and Article 40(22) on human-rights-based grounds for refusing mutual legal assistance, despite their integral roles in the treaty.
Such reservations should be prohibited. According to the International Law Commission’s "Guide to Practice on Reservations to Treaties," a reservation is impermissible if it is incompatible with the object and purpose of the treaty. Human-rights safeguards, while not robust enough, are essential elements of the treaty, and reservations that undermine these safeguards could be considered incompatible with the treaty’s object and purpose. Furthermore, the Guide states that reservations should not affect essential elements necessary to the general tenor of the treaty, and if they do, such reservations impair the raison d’être of the treaty itself. Therefore, allowing reservations against human rights safeguards may not only undermine the treaty’s integrity but also challenge its legal and moral foundations.
All of the attacks on safeguards in the treaty process raise particular concerns when foreign governments use the treaty powers to demand information from U.S. companies, who should be able to rely on the strong standards embedded in US law. Where norms and safeguards were made optional, we can presume that many states will choose to forego them.
Cramming Even More Crimes Back In?Throughout the negotiations, several delegations voiced concerns that the scope of the Convention did not cover enough crimes, including many that threaten online content protected by the rights to free expression and peaceful protest. Russia, China, Nigeria, Egypt, Iran, and Pakistan advocated for broader criminalization, including crimes like incitement to violence and desecration of religious values. In contrast, the EU, the U.S., Costa Rica, and others advocated for a treaty that focuses solely on computer-related offenses, like attacks on computer systems, and some cyber-enabled crimes like CSAM and grooming.
Despite significant opposition, Russia, China, and other states successfully advanced the negotiation of a supplementary protocol for additional crimes, even before the core treaty has been ratified and taken effect. This move is particularly troubling as it leaves unresolved the critical issue of consensus on what constitutes core cybercrimes—a ticking time bomb that could lead to further disputes and could retroactively expand application of the Convention's cross-border cooperation regime even further.
Under the final agreement, it will take 40 ratifications for the treaty to enter into force and 60 before any new protocols can be adopted. While consensus remains the goal, if it cannot be reached, a protocol can still be adopted with a two-thirds majority vote of the countries present.
The treaty negotiations are disappointing, but civil society and human rights defenders can unite to urge states to vote against the convention at the next UN General Assembly, ensuring that these flawed provisions do not undermine human rights globally.