Privacy Kit

April 3, 2022

An Eye To The Horizon | The Cat Herder, Volume 5, Issue 12

Busy regulators, biometric releases, fake law enforcement requests, the AI Act and more. 😼
 
April 3 · Issue #174

Eva (@evacide)
Who fell for those fake emergency data requests from compromised law enforcement related accounts? Apple and Meta. https://t.co/eKXht4Mm6y
7:21 PM - 30 Mar 2022
Apple, Meta Gave User Data to Hackers With Forged Legal Requests (AAPL, FB) - Bloomberg
www.bloomberg.com
Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.
The home security vendor that wasn’t forthcoming about its own security failings.
I just learned that for the past three years, Wyze has been fully aware of a vulnerability in its home security cameras that could have theoretically let hackers access your video feeds over the internet — but chose to sweep it under the rug. And the security firm that found the vulnerability largely let them do it.
I’m done with Wyze
www.theverge.com
Instead of telling customers that the inexpensive Wyze Cam v1 had an egregious remote access vulnerability, the company decided never to patch it or tell anybody — and Bitdefender apparently played along with it.
“It’s way beyond what someone would need for including someone in a photoshoot or anything like that,” Frederic Jennings, a Brooklyn-based attorney who specializes in privacy and digital rights, told Motherboard. “Between that broad assignment language, and the equally broad waiver on biometric rights and prohibitions, this is a pretty huge rights grab snuck into what should be a simple release.”
You Can Now Sign Away Rights to Your Biometric Data
www.vice.com
Getty Images is now using an ‘Enhanced Release’ form, which prompts photo models to consent to the use of biometrics like facial data.
The Hungarian DPA fined a financial institution ~€700,000 for the illegal use of AI-based speech sentiment analysis technology.
—
The Spanish DPA publicised a number of large fines it had imposed on mobile operators towards the end of last year for not taking adequate measures to prevent SIM-swapping. Telefónica, €900,000; Vodafone, €3,940,000; Orange Virtual, €70,000; Orange €700,000; Xfera Móviles, €200,000.
—
The Dutch DPA fined a publisher €525,000 for “unnecessarily requesting copies of identity documents”, making it “overly complicated for customers to access their data or have their data deleted.”
  • “Major structural change is politically unlikely within the AI Act legislative process at this stage. A great deal of effort has already been sunk into it by the Commission and Council, and shortly the Parliament, which will make fundamental changes in structure or goal implausible. While fundamental changes to the AI Act – such as the addition of a true ex ante fundamental rights impact assessment, discussed in detail below – may be regarded at this point as unrealistic, this is only the start of regulating AI, both in the EU and globally. We feel it is important to have an eye to the horizon, as well as the ground.” From ‘Expert opinion: Regulating AI in Europe’ by Lilian Edwards for the Ada Lovelace Institute.
  • This thread on Twitter by Paolo Balboni on what he describes as “a very consistent trend in fines for requesting IDs as of late.” Something data controllers would be wise to keep an eye on as requesting ID is often seen as a way of deterring people from making Subject Access Requests.
  • “But, regrettably for the Minister, the CJEU has already said that in the legislation just pushing off the definition or determination of what is necessary and proportionate to another lower level isn’t enough. It has to be defined in the legal basis to be a valid basis.” Simon McGarr has a look at the surveillance elements of the Circular Economy Bill (also a Twitter thread).
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
