Privacy Kit

October 28, 2019

Agenda | The Cat Herder, Volume 2, Issue 41

October 28 · Issue #57
The Cat Herder
Bank Holiday edition. The PSC trundles on, directionless, purposeless and always confusing. Has a business case for it been found? Maybe. Maybe not. Who knows. Recording devices keep on recording. ‘Glitches’ keep on occurring.
😼

It's dismayingly easy to make an app that turns a smart-speaker into a password-stealing listening device and sneak it past the manufacturer's security checks
boingboing.net
German security researchers from Security Research Lab created a suite of apps for Google and Amazon smart speakers that did trivial things for their users, appeared to finish and go dormant, but which actually stayed in listening mode, then phished the user for passwords spoken aloud to exfiltrate to a malicious actor; apps were successfully smuggled past the companies’ app store security checks.
Yes they could
Mercedes-Benz app glitch exposed car owners’ information to other users
techcrunch.com
Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information. TechCrunch spoke to two customers who said the Mercedes-Benz’ connected car app was pulling in information from other accounts and not their own, allowing them to see other car […]
After it was pointed out that Ireland’s newest virtual mobile network operator GoMo was asking for a Public Services Card as proof of identity on registration, this was withdrawn. Remember, everyone involved in building this biometric national identity register has repeatedly insisted that it isn’t to be used as an identity card. So how eir (the private company behind GoMo) got the impression that it is an identity card is a mystery, right?
Then it emerged that any organisations using the Garda vetting service were also using the Public Services Card as proof of identity. Bafflingly, the Public Services Card is awarded more points than a passport in the scoring system the vetting service uses.
On Tuesday the Irish Examiner reported that
Public Expenditure and Reform Minister Paschal Donohoe said his department had dramatically ordered that an alternative application method be scrapped because allowing the Department of Children and Youth Affairs to incorporate its own online system would serve to spend “taxpayers’ money on two different systems to do the exact same thing, where one reusable, legal and secure alternative exists”.
Earlier in the month the Public Accounts Committee wrote to the Department of Public Expenditure and Reform asking if they could have a look at the business case for the Public Services Card. The department wrote back to the PAC [direct link to PDF] to say they couldn’t find it down the back of their couch and that perhaps it might be down the back of a couch in the Department of Employment Affairs and Social Protection.
Some readers may remember that a report by the Comptroller and Auditor General in 2016 found that -
the Department of Social Protection had put forward no “single business case” before a contract was awarded, as he would have expected. As a result, there was no high-level plan identifying the resources and scope of the project and no clear identification of who exactly was responsible for its development.
It’s over a month since the Minister for Employment Affairs and Social Protection told Catherine Connolly TD that a business case did exist. The minister didn’t know when it had been carried out -
I do not have a date for when the business case was established but I can come back to the Deputy with it later today.
As part of this exchange the minister also mentioned that her department had presented this business case to the DPC -
The supporting documentation for the project was released to the DPC in December 2018. Not only was there a business case, but the supporting documentation on the questions and answers, transparency, and privacy was laid before the commission as a response to the initial draft report in 2018.
The DPC report makes no mention of this business case, which presumably came into being at some point in time after the C&AG’s report was published and before December 2018. Curious.
—
This week we also learned that the government’s Chief Information Officer - a man who would like to make government like Amazon in some ways that sound very much like detailed profiling - dismissed criticism of the Public Services Card as coming from those “with an agenda against the card”.
The piece Lowry is referring to appears to be this article by Karlin Lillington from January 2018: ‘Wary of the Public Services Card? You have good reason to be’.
There's every chance it will
Under digital surveillance: how American schools spy on millions of kids | The Guardian
www.theguardian.com
Fueled by fears of school shootings, the market has grown rapidly for technologies that monitor students through official school emails and chats
“The European Data Protection Supervisor (EDPS) opened an enquiry into the contractual arrangements between EU institutions and the tech giant this April, following changes to rules governing EU outsourcing. Today it writes [with emphasis]: “Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services.””
‘EU contracts with Microsoft raising ‘serious’ data concerns, says watchdog’, TechCrunch
  • “The footage was held by An Garda Síochána. Somebody recorded the CCTV images off a monitor screen and shared them in a WhatsApp group. The images were posted on Facebook, and it’s estimated that they were shared 125,000 times. Several days later, Dara Quigley took her own life. No organisation or individual has ever been held responsible for their role in the violation of Dara’s rights. The Garda Síochána Ombudsman Commission (GSOC) confirmed to the Irish Times that a garda accused of sharing the footage will not face criminal charges.” Elizabeth Farries in the Dublin InQuirer.
  • “Turning the human face into another object for measurement and categorisation by automated processes controlled by powerful companies and governments touches the right to human dignity - even without the threat of it being used as a tool for oppression by an authoritarian state.” A blog post from the European Data Protection Supervisor Wojciech Wiewiórowski - ‘Facial recognition: A solution in search of a problem?’
  • “Rather than the traditional method of calculating a company’s market share, Smith said regulators should also consider how much consumer data it possesses when determining whether it is a monopoly. That method could spell trouble for the other tech giants, like Google and Facebook, that are currently facing antitrust investigations in the United States. It would likely have a lesser effect on Microsoft itself.” Clare Duffy for CNN, ‘Top Microsoft exec says online privacy has reached ‘a crisis point’’
  • “Labour and the Conservatives buy Experian’s Mosaic database, which uses more than 850 million records, including crime data, GCSE results, gas and electricity consumption and child benefits, to classify people into one of 66 “types”. Until last year, Labour also used an Experian tool called Origin to target voters based on ethnicity, with classifications such as “Black African”, “Black Caribbean”, “Celtic”, “Eastern European” and “Jewish/Armenian”.” Rowland Manthorpe investigates what might be going on, profiling-wise, ahead of an election in the UK.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to, then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
