Privacy Kit

February 16, 2020

"a bunch of cowboys" | The Cat Herder, Volume 3, Issue 5

February 16 · Issue #69
The Cat Herder
Due to an abundance of vote count watching there was no newsletter last week. Apologies for the unscheduled absence.
😼

Shoe tracking. It’s now a thing. Despite the claim that this isn’t personal data, it most certainly is.
Caroline Orr
@RVAwonk
umm excuse me what? https://t.co/fWo6flMuZU
9:43 PM - 2 Feb 2020
Campaigners say such “digital welfare states” – developed often without consultation, and operated secretively and without adequate oversight – amount to spying on the poor, breaching privacy and human rights norms and unfairly penalising the most vulnerable.
Welfare surveillance system violates human rights, Dutch court rules | Technology | The Guardian
www.theguardian.com
Government told to halt use of AI to detect fraud in decision hailed by privacy campaigners
More:
The UN Special Rapporteur on extreme poverty and human rights, Philip Alston, applauded a landmark ruling by the District Court of the Hague in The Netherlands today. The court ordered the immediate halt to a digital benefit fraud detection tool targeted at poor neighborhoods in the Netherlands because it violated human rights norms.
‘Landmark ruling by Dutch court stops government attempts to spy on the poor – UN expert’, United Nations Human Rights, Office of the High Commissioner
‘The SyRI case: a landmark ruling for benefits claimants around the world’, Privacy International
—
Meanwhile parts of the public sector continue to fail to adequately safeguard the personal data with which they’re entrusted. It’s unclear to what extent Hanlon’s Razor might apply in this situation but it doesn’t matter.
Councils let firms track visits to webpages on benefits and disability | Technology | The Guardian
www.theguardian.com
Investigation finds 400-plus councils let at least one third party track use of their sites
On the same day that a data ethics advisor to the UK government has urged action to regulate online targeting a study conducted by pro-privacy browser Brave has highlighted how Brits are being profiled by the behavioral ad industry when they visit their local Council’s website — perhaps seeking info on local services or guidance about benefits including potentially sensitive information related to addiction services or disabilities.
‘UK Council websites are letting citizens be profiled for ads, study shows’, Techcrunch
—
Back in dear old Ireland the Department of Employment Affairs and Social Protection changed its data protection notice within 24 hours of the outgoing minister losing her seat in parliament. The department says the timing is purely coincidental.
‘Facial recognition used in public services card programme, department says’, Irish Times
‘PSC data protection policy updated after Doherty loses seat’, Irish Examiner
It could, it really could.
App used by Netanyahu's Likud leaks Israel's entire voter registry - Israel Election 2020 - Haaretz.com
www.haaretz.com
Names, identification numbers and addresses of over 6 million voters were leaked through the unsecured Elector app
—
WSJ News Exclusive | Federal Agencies Use Cellphone Location Data for Immigration Enforcement
www.wsj.com
The Trump administration has been using a database that maps the movements of millions of cellphones to monitor the Mexican border and make immigration arrests, according to people familiar with the matter.
Phone tracking used to follow movements of Chinese couple with coronavirus in Adelaide - ABC News (Australian Broadcasting Corporation)
www.abc.net.au
A phone-tracking system used to better understand where two people infected with coronavirus roamed in Adelaide is the same system harnessed by SAPOL for criminal investigations, the state’s Police Commissioner says.
Edison is just one of several companies that offer free email apps which then sell anonymized or pseudonymised data derived from users’ inboxes. Another company that mines inboxes called Foxintelligence has data that comes from users of the Cleanfox app, which tidies up users’ inboxes.
How Big Companies Spy on Your Emails - VICE
www.vice.com
Multiple confidential documents obtained by Motherboard show the sort of companies that want to buy data derived from scraping the contents of your email inbox.
The DPC had to send authorised officers around to Facebook’s digs down on Misery Hill to secure some documents relating to the planned rollout of Facebook dating. This might indicate a slight shift in the nature of the engaged approach.
Daragh O Brien of Castlebridge had some thoughts on this which are most definitely worth a few minutes of your time.
—
The previous week the DPC announced investigations into Google and Tinder.
The timeline of the Google complaint is of relevance to the concerns of the Hamburg DPA in the item below.
  • The original complaints were made in November 2018
  • The complainants were told in September 2019 that the DPC was handling their complaints
  • A reminder letter was sent to the DPC in November 2019
  • The investigation was opened in February 2020
“This investigation should be a priority for the Irish data protection authority. As more than 14 months have passed since consumer groups first filed complaints about Google’s malpractice, it would be unacceptable for consumers who trust authorities if there were further delays,” said Monique Goyens, BEUC’s director general, adding that the “credibility” of the EU’s data protection laws, the GDPR, “is at stake.”
‘Ireland launches fresh probes into Google and Tinder’, Politico
—
The Hamburg Commissioner for Data Protection and Freedom of Information issued an English language press release (direct link to PDF) to accompany its annual report. The levels of exasperation with the way the one-stop shop model is working in practice are rising.
“The fact that no legally binding measures have been taken against the majority of the world’s leading Internet service providers and platforms since the GDPR came into force, despite numerous reports of data protection violations in the last two years, and that no draft decisions have even been made, is a bad sign in the second year of the GDPR. Different legal and cultural traditions in enforcement, a lack of corrective action by inactive lead authorities, different national rules on the administrative procedure, and a concentration of companies in a few Member States, all show: As well as the concept of the one-stop shop may be intended, it is not practical.”
—
The Hamburg DPA also revealed in its annual report that it had fined Facebook a symbolic €51,000 for failing to properly appoint a data protection officer.
“This case should be a clear warning to all other companies: naming a data protection officer and telling the regulator about it are duties,” which the data protection authority takes seriously, the watchdog said in the report. “Even smaller violations like these can lead to substantial penalties.”
—
The Italian data protection authority doled out a very hefty fine to TIM, AKA Telecom Italia. €27.8 million and 20 corrective measures for a range of misdeeds mostly relating to unsolicited marketing contacts. Failures in accountability (Article 5.2), data protection by design and default (Article 25), securing valid consent (Article 7) and provision of information (Articles 12-14) are all mentioned in the press release.
—
The Norwegian data protection authority imposed a fine of €120,000 on the municipality of Oslo for failing to implement adequate technical and organisational measures to mitigate the risk to data subjects present in an app used by parents, pupils and school employees to communicate with each other.
—
The European Data Protection Board approved a lot of documents at its seventeenth plenary meeting.
  • Article 64 Opinions on Accreditation Requirements for Codes of Conduct Monitoring Bodies, submitted to the Board by Spain, Belgium and France
  • Guidelines on Connected Vehicles
  • Guidelines on the processing of Personal Data through Video Devices (following public consultation)
  • Article 64 Opinions on Accreditation Requirements for Certification Bodies, submitted to the Board by: The United Kingdom and Luxembourg
  • Article 64 Opinion on the Fujikura Automotive Europe Group’s Controller BCRs
  • Letter on unfair algorithms
  • Letter to the Council of Europe on the Cybercrime Convention
  • Document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification: the European Data Protection Seal
There are links to all of these here.
  • “Most jarringly, he found a photo that I had probably not seen in more than a decade, a picture that ran in a local newspaper in Ireland when I was 15-years-old and in high school. Needless to say, I look a lot different now than I did then; in fact, my producer, who has to spend far more time than she’d like looking at me through a camera, didn’t even recognize me. But the system did.” Donie O'Sullivan for CNN on an unrepentant Hoan Ton-That, CEO of Clearview AI.
  • “Senior NHS figures have told the Observer that patient data compiled from GP surgeries and hospitals – and then sold for huge sums for research – can routinely be linked back to individual patients’ medical records via their GP surgeries. They say there is clear evidence this is already being done by companies and organisations that have bought data from the DHSC, having identified individuals whose medical histories are of particular interest.” Toby Helm in The Observer.
  • “Sophie In’t Veld, a Dutch MEP, told the European Parliament: ‘This is a country that is not a member of Schengen because it doesn’t want to be a member of Schengen. It doesn’t want to be a member of the European Union. Nevertheless, in the kindness of our hearts we have given them access to the Schengen Information System and they behaved like a bunch of cowboys.’” Tony Connelly of RTE looks at the adequacy decision which the UK requires post Brexit and seems increasingly unlikely to get.
  • “In his statement on Monday, Mr. Begor, Equifax’s chief executive, noted that “cybercrime is one of the greatest threats facing our nation today.” But what he ignored was his own company’s role in creating a glaring vulnerability in the system. If we’re to think of cybercrime like an analog counterpart, then Equifax is a bank on Main Street that forgot to lock its vault.” ‘Chinese Hacking Is Alarming. So Are Data Brokers’ writes Charlie Warzel for The New York Times.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
