Meta launches subscription service Meta Verified to sell Instagram and Facebook users blue check mark

Meta given weeks to tell EU consumer protection authorities how it'll fix 'pay or consent'

by with No Comment Tech

Meta launches subscription service Meta Verified to sell Instagram and Facebook users blue check mark

Image Credits: Lionel Bonaventure / Getty Images

Meta has been given until September 1 to respond to consumer protection concerns in the European Union.

The Consumer Protection Cooperation (CPC) Network, a network of authorities responsible for the enforcement of EU consumer protection laws, is concerned about a binary choice Meta has forced on regional users of Facebook and Instagram since last November. It required that users accept being tracked and profiled for behavioral ad targeting in order to continue to access its services for free or else they must pay Meta monthly subscriptions to access versions of the services it claims are free of ads.

Meta’s controversial “pay or consent” model has landed the company on multiple regulators’ radars: It’s already under investigation by the European Commission as it suspects Meta is breaching the bloc’s Digital Markets Act (DMA). The EU has also sought more information from Meta about “pay or consent” model’s compliance with the DMA’s sister regulation, the Digital Services Act.

Additionally, Meta’s pay or consent choice remains under review by data protection authorities, including Ireland’s Data Protection Commission (DPC), which oversees its compliance with the bloc’s General Data Protection Regulation (GDPR).

Now, the mechanism is subject to coordinated action by the CPC network, which has been investigating the binary choice Meta’s imposed on EU users since a flurry of complaints were filed last year.

“Meta has until September 1, 2024 to reply to the letter of the CPC network and the Commission and to propose solutions. If Meta does not take the necessary steps to solve the concerns raised, CPC authorities can decide to take enforcement measures, including sanctions,” warned the Commission Monday.

Consumer protection authorities involved in the coordinated action believe several elements of Meta’s consent mechanism could constitute “misleading or aggressive practices,” per a Commission press release — whereas the EU’s legal standard requires consumers to be provided with “upfront with true, clear and sufficient information.”

Their analysis casts doubt on whether the information provided by Meta allows consumers to understand the implications of a decision to pay or to accept tracking on their consumer rights.

The CPC authorities, which are being led in this Commission-coordinated action by the French directorate general for Competition, Consumer Affairs and Fraud Prevention, are also concerned EU consumers may have been exposed to undue pressure to choose rapidly between the two models — i.e. fearing they would instantly lose access to their accounts and their network of contacts.

Misleading

In particular the network highlights concern over Meta’s use of the word “free” in the information it presents users when they are asked to make a choice to either consent or pay. The CPC suspects this could be misleading since Meta requires consumers to accept it can make revenue from using their personal data to show them personalized ads if they choose not to pay for the ad-free versions of the services.

They also take issue with other aspects of Meta’s use of language, accusing it of using imprecise terms, such as “your info” to refer to consumers’ personal data; and suggesting that consumers who pay will not see any ads. The CPC says they assert users might still see ads when engaging with content shared via Facebook or Instagram by other members of the platforms.

The CPC network further accuses Meta of confusing users by requiring them to navigate through different screens in the Facebook/Instagram app or web-version and click on hyperlinks directing them to different parts of the Terms of Service or Privacy Policy in order to find out how their preferences, personal data and user-generated data will be used by Meta to show them personalized ads.

Another issue they have raised in their letter to Meta is the level of pressure it is applying to consumers who have always used its social networking services free of charge until it introduced the “pay or consent” model — and who are suddenly unable to access their accounts until they make a choice.

The CPC argues this does not give consumers pre-warning, sufficient time or a real opportunity to assess how the choice may affect their contractual relationship with Meta.

Almost 20 consumer organizations banded together to file the original consumer protection complaints with the CPC Network last November. Eight consumer groups subsequently also filed privacy complaints against Meta’s consent or pay model in February, arguing it’s breaching the GDPR too.

Responding to the CPC action, Meta spokesman Matthew Pollard emailed a brief statement and referenced a ruling by the EU’s top court from last summer which concerns a separate competition challenge. “Subscriptions as an alternative to advertising are a well-established business model across many industries. Subscription for no ads follows the direction of the highest court in Europe and we are confident it complies with European regulation,” the company claims.

Despite so much regulatory attention on Meta’s “pay or consent” choice in the EU, it’s notable the company is sticking to its guns for now. However, years of glacial GDPR enforcement against earlier Meta business model choices — that were later confirmed to be in breach of EU law — looks to have accustomed it to deploying a strategy of buying time.

The CPC network is not the Irish DPC, though. And the Commission is directly involved in facilitating dialog to get movement on issues of consumer protection concern so it will be interesting to see whether there is any change of heart from Meta on “pay or consent” come fall.

While the CPC network itself cannot impose fines or sanctions itself, if remedies for concerns it’s raising are not forthcoming through the outreach and engagement process then national consumer protection authorities can pursue enforcement in their respective Member States — where they are empowered to impose penalties of up to 4% of global annual turnover. Given how many EU consumer authorities have raised concerns about Meta’s “pay or consent” model, then enforcement action on the issue could get expensive.

Authorities disrupt operations of notorious LockBit ransomware gang

by with No Comment Tech

LockBit takedown screen

Image Credits: TechCrunch (screenshot)

A coalition of international law enforcement agencies, including the U.S. Federal Bureau of Investigation and the U.K.’s National Crime Agency, have disrupted the operations of the notorious LockBit ransomware gang.

LockBit’s dark web leak site — where the group publicly lists its victims and threatens to leak their stolen data unless a ransom demand is paid — was replaced with a law enforcement notice on Monday.

Since it first emerged as a ransomware operation in late 2019, LockBit has become one of the world’s most prolific cybercrime gangs, targeting victims around the world and netting millions of dollars in extorted ransom payments.

Hattie Hafenrichter, a spokesperson for the U.K.’s National Crime Agency, confirmed to TechCrunch that “LockBit services have been disrupted as a result of international law enforcement action.” A message on the downed leak site confirmed that the site is “now under the control of the National Crime Agency of the U.K., working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

At the time of writing, the site now hosts a series of information exposing LockBit’s capability and operations, including back-end leaks and details on LockBit’s alleged ringleader, known as LockBitSupp.

A photo of the now-seized LockBit dark web site. Image Credits: TechCrunch (screenshot)

Operation Chronos is a task force headed by the NCA and coordinated in Europe by law enforcement agencies Europol and Eurojust. The ransomware takedown operation also involved other international police organizations from Australia, Canada, France, Finland, Germany, the Netherlands, Japan, Sweden, Switzerland and the United States.

In its announcement on Tuesday, Europol confirmed that the months-long operation has “resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise.” This includes the takedown of 34 servers across Europe, the U.K. and the United States, along with the seizure of more than 200 cryptocurrency wallets.

It’s not yet known how much cryptocurrency was stored in these wallets, or how much the authorities seized.

Separately, the U.S. Justice Department unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev, for their alleged involvement in launching LockBit cyberattacks.

The DOJ previously charged three other alleged LockBit ransomware members: Mikhail Vasiliev, a dual Russia-Canadian national, is currently in custody in Canada awaiting U.S. extradition; and Russian national Ruslan Magomedovich Astamirov is in custody in the U.S. awaiting trial. A third suspected member, Mikhail Pavlovich Matveev, aka Wazawaka, is believed to live in the Russian enclave of Kaliningrad and remains subject to a $10 million U.S. government bounty for information that leads to his arrest.

Two alleged LockBit actors have also been arrested in Poland and Ukraine at the request of the French judicial authorities.

Prior to Monday’s takedown, LockBit claimed on its dark web leak site that it was “located in the Netherlands, completely apolitical and only interested in money.”

As part of Operation Cronos, law enforcement agencies say they have obtained decryption keys from LockBit’s seized infrastructure to help the ransomware gang’s victims regain access to their data.

Allan Liska, a ransomware expert and threat intelligence analyst at Recorded Future, tells TechCrunch that this action “is absolutely the end of the LockBit operation in its current form.”

“While the main spokesperson for the LockBit operation, LockBitSupp, won’t be arrested, his operation is crippled, and his infrastructure is completely exposed. Based on past takedowns like this, this will have serious impact on his reputation and his ability to attract new affiliates in the future,” Liska said.

According to the DOJ, LockBit has been used in approximately 2,000 ransomware attacks against victim systems in the U.S. and worldwide, and has received more than $120 million in ransom payments.

Matt Hull, head of threat Intelligence at U.K.-based cybersecurity firm NCC Group, told TechCrunch that the company recorded more than a thousand victims of LockBit during 2023 alone, or “22% of all ransomware victims we identified for the whole year.”

LockBit and its affiliates have claimed responsibility for hacking some of the world’s largest organizations. The group last year claimed responsibility for attacks against aerospace giant Boeing, chipmaker TSMC and U.K. postal giant Royal Mail. In recent months, LockBit has claimed responsibility for a ransomware attack on the U.S. state of Georgia’s Fulton County, which has disrupted key county services for weeks, and for cyberattacks targeting India’s state-owned aerospace research lab and one of India’s largest financial giants.

Monday’s takedown is the latest in a series of law enforcement actions targeting ransomware gangs. In December, a group of international law enforcement agencies announced they had seized the dark web leak site of the notorious ransomware gang known as ALPHV, or BlackCat, which claimed a number of high-profile victims, including news-sharing site Reddit, healthcare company Norton and London’s Barts Health NHS Trust.

Read more on TechCrunch:

Why are ransomware gangs making so much money?Why ransomware victims can’t stop paying off hackersDo government sanctions against ransomware groups work?Why extortion is the new ransomware threat

US sanctions LockBit members after ransomware takedown