In this edition of AdGuard’s Digest: Apple scans nudes to protect children, the EU wages a never-ending war on Big Tech, Zoom pays to the victims of its security holes, Musk takes over Twitter, as Google makes it easier to opt out of cookies and hide from the search.

Apple scales up its nudity-scanning feature, claiming children’s safety is at stake

Apple is gearing up to launch its "communication safety in Messages" feature, which is aimed at protecting children from being exposed to X-rated content, namely, nudes, in the UK, Canada, New Zealand, and Australia. The opt-in feature will scan images, both which a child sends and receives, for any red flags. If the algorithm believes that the image contains nudity, then it will blur the offending picture and show the kid a pop-up message advising them to ask for help or simply block the sendee.

The feature was originally rolled out in the US last year. While some may see the feature as a necessary evil, one cannot but think if it’s not a slippery slope towards more surveillance and less privacy.

This particular tool, however, might seem quite benign, privacy-wise, if we compare it with the original proposal by Apple we covered in August last year. Apple originally presented the nude-detection function as part of the triad of features designed to protect minors. And while two of these three have been implemented, the fate of the third - conspicuously called CSAM (not to be confused with SCAM) — still hangs in the balance after Apple was forced to delay its release due to the massive public backlash. CSAM, which stands for Child Sexual Abuse Material, would have allowed Apple to scan all the photos on your device for potential signs of child abuse before they are uploaded to an iCloud. With no recent updates on CSAM, it’s unclear if Apple dumped the project for good or readying up its release. Meanwhile, you can read more about it here.

EU on the quest to curb tracking-based ads. Fingers crossed

The adoption of the new EU-wide privacy-friendly package is on its way after the European Parliament reconciled a set of rules for social networks, app stores, search engines and other online platforms. The legislation known as the Digital Services Act (DSA) is yet to be approved, but is expected to come into force later this year. However, tech giants can start bracing themselves for its arrival already, since it will target them in particular. The services with over 45 million monthly active users will be subject to a set of particularly stringent restrictions, while micro and small companies will be partially exempt. So what should Google, Meta, Twitter, Amazon, Microsoft and other tech giants expect from the new attempt by Europe to rein them in?

For instance, they will be required to explain to users how their recommender algorithms work and offer them an alternative option not based on profiling. That is not based on the processing of personal data to predict users’ economic situation, health, personal preferences, interests, location etc. In addition, tech giants will also have to subject themselves to annual audits and carry out "risk reduction analysis" giving researchers a glimpse into their inner workings. Perhaps, one of the key proposals in the new act is the total ban on tracking-based advertising for minors along with the ban on targeted ads based on processing of special categories of personal data, such as ethnic origin, political opinions, religious beliefs, trade union memership, health data or sexual orientation. In case of non-compliance with the DSA, tech companies will face steep fines amounting to as much as 6% of their global annual sales. The text of the document is yet to be finalized, but MEP Christel Schaldemose already declared the DSA "a golden global standard."

While it is early to say how the rules will be enforced, and whether the DSA may one day indeed become a global standard. We can only hope.

Zoom forks out millions over 'Zoombombing' plague

Zoom has agreed to pay some $85m to its users that joined a class-action lawsuit, accusing the world's most popular video-conferencing app of lax security. In one particularly egregious case, the plaintiffs claimed that their online bible study class was disrupted by an intruder, who had disabled all their control buttons and "forced" them to watch pornography.

The practice when someone takes part in a video conference to which they are not invited to with a malicious intent has become known as Zoombombing. Since the pandemic began, the practice has become so widespread that it now boasts its own entry in a dictionary.

The lawsuit claims that Zoom shared data with Google and Facebook without permission and misled users about the security of the service’s end-to-end encryption protocol. In addition to the generous payout, Zoom agreed to train employees in privacy and data handling (long overdue, you might think) and alert participants of the meetings whenever third-party apps are being used either by the host or the other participants. Lawyers for the plaintiffs dubbed the settlement "historic", saying that Zoom will have to "implement privacy practices that, going forward, will help ensure that users are safe and protected".

We can only welcome this news, since Zoom is notorious for its hole-ridden security. Numerous cases of Zoombombing have graced international headlines, prompting privacy concerns and public outrage. There have even been FAQs compiled on how to avoid being "zoombombed", which is in itself a tell-tale sign.

Twitter changes hands and course

Our digest wouldn’t be complete without the deal between the world’s richest man, Elon Musk, and the social media behemoth – Twitter. The platform accepted Musk’s $44bn all-cash offer to buy the company, with the news of the buy-out sending ripples across the industry.

In his statement, the billionaire referred to Twitter as the "digital town square" and to free speech as "the bedrock of a functioning democracy". Known as a vocal free speech advocate and an equally vocal critic of Twitter purges, Musk said that he would prefer even his "worst critics" to stay on the platform for the sake of free speech.

In any case, it looks like Musk’s Twitter will become more privacy-cautious and less ad-dependent. The billionaire has already stated Twitter DMs should have "end-to-end encryption" like privacy-savvy Signal messaging app, and declared that all of Twitter’s algorithms should be open source in order to "increase trust". Musk has also hinted that he wants to reduce the platform’s dependence on ad revenue via premium subscriptions, which is somewhat challenging, since about 90% of Twitter's revenue comes from advertising as of now.

AdGuard commends Musk’s intention to make the social network more privacy-oriented, and hopes that it will start actually protecting the privacy of its users.

One click to reject all cookies

Google users in Europe will soon find it far more convenient to opt out of all cookies, which they will be able to do in one click instead of going through the settings manually. The "Reject all" button is being introduced by Google in response to the hefty €150m cookie-related fines issued to the tech giant by the French Data Protection Agency, The CNIL, late last year. The CNIL found Google in violation of the French law, arguing that it was too cumbersome for users to refuse cookies, and demanded that it make rejecting cookies as easy as accepting them. The new feature is being rolled out first on Google-owned video streaming platform, YouTube, and will soon be coming to all Google users based in Europe.

However, there is a catch. The "Reject All" option alongside the "Accept All" option will be shown only to the users who have signed out of their Google accounts or browse in an Incognito Mode. Others will have to still jump through some hoops to finetune their cookie preferences through privacy settings

We at AdGuard believe that user privacy should be protected by default. It means that a user should have an exclusive right to either deny or grant permission to use his or her data.

Google will remove your data if you ask it kindly

Google has announced that it will now allow users to request the removal of additional personal information from its own search results via a special form.
Previously, users could have asked Google to remove sensitive personal data such as their bank card number or contact info, for instance, in cases of doxxing. Doxxing is an act of revealing identifiable personal information, such as home address or phone number publicly without the victim’s consent.

Now, the list of removable info has been expanded, and you can ask Google to pull your home address, phone number, government-issued confidential identification number, images of handwritten signatures and ID docs, email address, log-in credentials, and medical records from search results even if there’s no obvious threat to you.

Welcoming news it may be, one need to bear in mind that Google will not erase the data it knows about you, but rather will hide select information from the search results of its own search engine. Moreover, Google can’t force the website owner to remove content about you. It won’t show up in search results, but still be visible on the website.