BC TECH
Saved by @zmbnski

Recently, the @CNIL issued a decision regarding the GDPR compliance of an unknown French adtech company named "Vectaury". It may seem like small fry, but the decision has potential wide-ranging impacts for Google, the IAB framework, and today's adtech. It's thread time! 👇

 It's all in French, but if you're up for it you can read:
• Their blog post (lacks the most interesting details): https://t.co/PHkDcOT1hy
• Their high-level legal decision: https://t.co/hwpiEvjodt
• The full notification: https://t.co/QQB7rfynha

I've read it so you needn't!
Vectaury was collecting geolocation data in order to create profiles (eg. people who often go to this or that type of shop) so as to power ad targeting. They operate through embedded SDKs and ad bidding, making them invisible to users.
The @CNIL notes that profiling based off of geolocation presents particular risks since it reveals people's movements and habits. As risky, the processing requires consent — this will be the heart of their assessment.
Interesting point: they justify the decision in part because of how many people COULD be targeted in this way (rather than how many have — though they note that too). Because it's on a phone, and many have phones, it is considered large-scale processing no matter what.
Other factor: the technicity and opacity of ad bidding systems is used to justify greater transparency requirements. People cannot expect to consent to what they don't understand (or even know exist), therefore the adtech ecosystem is de facto under *stronger* requirements.
The decision also notes that the @CNIL is openly using this to inform not just the company in question but whole ecosystem, including adtech of course but also app makers who embed ads and marketers who use them. You're all on notice!
Note that there is no fine: if Vectaury remediates by 1) no longer processing geographic data without consent, 2) retroactively wiping the data they have (since consent was invalid), and 3) prove they've done that then they're good to go. Out of business, too, I would guess.
Fun fact: the @CNIL takes privacy seriously, and two years from now the Vectaury decision they have just made will be anonymised so that just the pure legal content remains.
Let's jump into the heart of it. The decision looked at two distinct but related aspects:

1) Consent obtained directly in apps that embed Vectaury as an SDK, using Vectaury's CMP (Consent Management Platform). You can see it in action in this video: https://t.co/LGOjNOD18d
2) Consent collected elsewhere and signalled to Vectaury through use of the @IABEurope Consent Framework.

Both are found to be failing — the second one in very interesting ways. Keep reading!
The CMP fails exactly as you would expect:

1) The consent is not informed;
2) The consent is not specific;
3) The consent is not affirmative.

Given the high-risk nature of the processing and its opacity, this isn't even a very strict interpretation.
Here is the bombshell though: Consent through the @IABEurope framework is inherently invalid. Not because of a technical detail. Not because of an implementation aspect that could be fixed. No.
You cannot pass consent to another controller through a contractual relationship. BOOM
Precisely: a controller has the obligation to demonstrate, for the entirety of the data they are processing under consent, the validity of the consent obtained. Otherwise you're just failing Article 7.

This is huge.
This means that if someone gains consent for you, and you have a contract saying it's their responsibility to do so, you *still* have the obligation to verify that the consent is valid.
This rules the @IABEurope out as an option, but more than that: @Google forced publishers to collect consent on its behalf for advertising profiling. They have said that they will audit that publishers do it right — but will auditing be enough?
The decision very specifically states the need to verify consent for the "entirety" of the data. By definition an auditing approach only does spot checking.

Also, Google has said they won't use a clear definition of valid consent. This shows they will have to.
So, yeah — that happened. It will be interesting to see how this lines up with @johnnyryan and @RaviNa1k's complaint about programmatic in terms of enforcement decision.
The one part that slightly disappoints me is that the decision does not call into question the role of Android and iOS in providing the ad ID and geolocation in the first place, as joint controllers, without proper consent.

That might be a fight for another day 😊🤗

More from Tech

Shaun Russell
Shaun Russell
@_ShaunRussell
"I really want to break into Product Management"

make products.

"If only someone would tell me how I can get a startup to notice me."

Make Products.

"I guess it's impossible and I'll never break into the industry."

MAKE PRODUCTS.

Courtesy of @edbrisson's wonderful thread on breaking into comics – https://t.co/TgNblNSCBj – here is why the same applies to Product Management, too.


There is no better way of learning the craft of product, or proving your potential to employers, than just doing it.

You do not need anybody's permission. We don't have diplomas, nor doctorates. We can barely agree on a single standard of what a Product Manager is supposed to do.

But – there is at least one blindingly obvious industry consensus – a Product Manager makes Products.

And they don't need to be kept at the exact right temperature, given endless resource, or carefully protected in order to do this.

They find their own way.
TECH
Tinker \u274e
Tinker ❎
@TinkerSec
Singing the Blues:
Taking Down an Insider Threat

"I had all of the advantages. I was already inside the network. No one suspected me. But they found my hack, kicked me off the network...

...and physically hunted me down."


Many pentests start from the outside, wanting to see how the perimeter might be breached.

This pentest started from the inside. My client wanted to assume they had already been breached, and, if breached, how far could an attacker go.

Could they stop me once I was inside?

So they snuck me in. Disguised me as a new employee. Gave me a work computer, an ID badge, an account in their system... hell, I even had a cubicle w/my assumed name on it.

The only person who knew who I really was was their CISO. Everyone else thought I was Jeremy in Marketing.

During most of the first morning, I completed onboarding, made introductions, and completed menial tasks.

But I had to act quick. I only had a week onsite. I had to hack their network while not raising suspicion.

So I set about it.

You have to understand... most "Internal Pentests" are straight forward. The hard part is breaching the network, but once you're inside, it's a target rich environment. End of Life computers, default passwords, everyone a Local Administrator...
TECH
Advertisement
Mike Metzler
Mike Metzler
@MTZLER
I’ve been flooded with Snapchat Spotlight questions after posting I’ve qualified for a payout 4 times. Here are the answers to the most common questions I’ve gotten in my DMs. These answers are my own experience and may differ from others .

Q: How will I know if I am getting paid?
A: You will get a message from Team Snapchat that looks like the below message 2-3 weeks after the snap has gone live. At this point it important that you verify your email address.


Q: How long after I’ve been notified I qualify, will I know for how much?
A: my experience is that usually 7-10 days after you get the qualifying message, you get a message with the amount, it will look like this. This message will include a unique access code for HyperWallet.


Q: How do I set up my HyperWallet?
A: Around three weeks after you get the payment amount you will get an email to your verified email from Snapchat Pay. It will look like this and will require you to fill out some tax forms, takes like 10 min.


Q: How long does it take to actually get the money in my account?
A: it took me like 7 days from when I had my HyperWallet approved before I got the money into my HyperWallet account. I recommend you set up auto withdraw. You can send money to PayPal, Venmo or bank account.
TECH
Santiago
Santiago
@svpino
Here is a simple example of a machine learning model.

I put it together a long time ago, and it was very helpful! I sliced it apart a thousand times until things started to make sense.

It's TensorFlow and Keras.

If you are starting out, this may be a good puzzle to solve.


The goal of this model is to learn to multiply one-digit
TECH
Tessa Davis
Tessa Davis
@TessaRDavis
How do you optimise your slides, audio or video when delivering online teaching?

There are many learning theories out there, but Mayer’s Multimedia Learning Theory is epic.

Read this thread + use his theories to improve learning transfer

Non-ideal slide to get started👇

1/17
TECH

You May Also Like

Kate Julian
Kate Julian
@katejulian
1/ Something strange is happening with people’s sex lives. 20-somethings are having sex later and less frequently than previous generations. I spent several months digging into this for @theatlantic. https://t.co/5ehzmWY9wi


2/ This phenomenon—I’m calling it a Sex Recession—really surprised me. It seemed improbable in the age of Tinder, digital porn, and attitudes that are generally permissive and sex-positive.

3/ What’s happening isn’t exclusively American: Similar trends are being observed in other countries, including Japan, Australia, the U.K., Finland, and the Netherlands.


4/ One cause is obvious: Adults under 35 are less likely to be living with a partner than in recent decades, and more likely to be living with their parents—which, it’s safe to say, isn’t great for one’s sex life.

5/ But I also found other explanations, each with profound implications. The first, unsurprisingly, has to do with internet enticements. Netflix and other online entertainment may be substituting for sex.
SOCIETY
John Papa
John Papa
@John_Papa
Choosing the Right JavaScript Framework

Thanks for joining me @pluralsight to talk about javascript frameworks. We had 150+ awesome questions, so I'll try to answer the ones I couldn't get to online right here in a tweet stream

Watch the video -->
https://t.co/G7zeiKhXme


Q. Do arrow functions really make dealing with JavaScript's "this" keywords easier?

A. Yes! When using arrow functions, the scope of "this" is effectively passed in from the outer scope. See here in this REPL

1/n


Q. Where does Polymer fit in? Is it considered a framework like the others?

A. @Polymer is an excellent way to create web components, which are ideal for creating sets of interactivity that can be shared in web apps.

2/n

Q. Have we gone framework crazy?

A. At one time, quite possibly. A few years back we literally had framework overload. I feel it really has solidified into a few very strong choices.

3/n

Q. [Is] there no more need for @polymer?

A. See my previous question on this ... but in general, I think there is a lot of room for Web Components with frameworks.

4/n
ALL
Advertisement
Andrew Chen
Andrew Chen
@andrewchen
👇Thread.

Published a new essay: The red flags and magic numbers that investors look for in your startup’s metrics – 80 slide deck included!


This was a deck that I created on my (longish) interview process with @a16z. It was a long path, starting with meeting folks at the firm 10 years ago. But the purpose of the deck was to explain how I would use my superpower in an investing context

Here's what I explain in the deck. As investors (whether angel or VC) we're often confronted with an up-and-to-the-right graph. Is it going to go up? Or down?


One solution to forecast these growth curves is the Growth Accounting Framework, where you add up New+Reactivated and subtract churned users. In each time period that gives you the difference in monthly actives.


The problem with this is that it's a lagging metric, not a leading one. We need to go one level deeper and look at the underlying loops that drive these numbers, to understand the quality.
STARTUPS
Brian Cates
Brian Cates
@drawandstrike
A lot of people don't understand that Trump & his incoming team didn't face a normal transition period, like it was over a in a matter of a few weeks or months.

The DOJ transition period JUST ENDED when Sessions left. Almost 2 exact years to get it there.

Pompeo at the CIA took over a year before he was done and ready to shift over to the State Department.

All kinds of stuff has been going on behind the scenes nobody leaks or talks about.

We only had the barest mention of the fact the Clinton Email investigation restarted

Nobody leaked in a year that Huber was deep diving into the Clinton Foundation.
Keep that in mind as all the usual suspects continue to INSIST nothing is happening/going to happen.
POLITICS
Jig's Patel
Jig's Patel
@jigspatel1988
What is best way to sell strangle in Banknifty on an intraday basis
Simple
at 9:45 Open Option chain and check In which strike highest OI change in call side and put side

Sell both option with combine SL
Enjoy easy and simple intraday trading strategy
Today 35000CE and 34500PE
OPTIONSLEARNINGS , OPTION LEARNING , OPTIONSELLING