Privacy Kit

September 23, 2018

"Arduino-powered artificial wrist" | The Cat Herder, Volume 1, Issue 8

September 23 · Issue #8
The Cat Herder
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope.
😼

[Narrator]: They did see it coming. Nobody listened.
It’s been a fairly good year so far for ‘we told you so’ moments for privacy advocates. One of the contributors to this newsletter has been waiting for this one for a while.
Horace Dediu
@asymco
John Hancock, one of the oldest and largest North American life insurers, will stop underwriting traditional life insurance and instead sell only interactive policies that track fitness and health data through wearable devices
3:17 PM - 19 Sep 2018
This announcement came very shortly after Apple announced the latest Apple Watch had received FDA clearance for some advanced heart monitoring features.
Reuters has more, as does the BBC.
If you aren’t presently in possession of a large and active dog, now might be a good time to acquire one. Strapping an Apple Watch or other activity tracking device to such a beast could reduce your premiums. Or, even better:
Alan Cooper
@MrAlanCooper
Billion-Dollar-Startup-Idea: Arduino-powered artificial wrist that wears a Fitbit and tells my insurance company I’m doing fine. https://t.co/7HnLykG6uV
9:37 PM - 20 Sep 2018
Yes it will
In Issue 5 we talked about Tusla’s injudicious and unfortunate use of the phrase “in perpetuity” in relation to the length of time they felt they were entitled to hang on to individuals’ personal data. Presumably they have something like this in mind.
Child abuse algorithms: from science fiction to cost-cutting reality | The Guardian
www.theguardian.com
Councils trying to harness the power of big data also grapple with its ethical implications
“If you only have data for families relying on council resources, like public housing, then the model doesn’t have all the information it needs to make accurate predictions,” said Virginia Eubanks, author of a book called Automating Inequality.
“If there are holes in the system or you’re over-collecting data on one group of people, and none at all on others, then it will not only mirror inequalities, but amplify them.”
The responses to this piece on the Guardian’s letters pages cover pretty much all that needs to be said about this. There are large and unaddressed ethical and functional issues around deploying systems such as this.
Jason Kint
@jason_kint
America is going to owe Europe a pint or two one day when we actually realize all of the important work it’s doing for us on data protection. https://t.co/ZKrDnOUxaR
12:49 AM - 20 Sep 2018
The Information Commissioner’s Office in the UK fined Equifax £500,000, the maximum possible fine available under the old pre-GDPR legal regime. In the notes to editors at the bottom of the press release the ICO notes that:
Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
This does appear to show a willingness on the ICO’s part to impose the full range of fines available under the GDPR.
Credit reference agency Equifax fined for security breach | ICO
ico.org.uk
The eagle-eyed Tim Turner (@tim2040 on Twitter) noticed the ICO had quietly served an Enforcement Notice on a Canadian company called Aggregate IQ Data Services in July. Jon Baines provides a bit more detail and a few thoughts on the Mishcon de Reya website.
First UK enforcement action under GDPR and the new Data Protection Act | Mishcon de Reya
www.mishcon.com
If you’re wondering who Aggregate IQ are and why the ICO issued an order compelling them to ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes’, we can only point you to this notice presently prominently displayed on the homepage of their website:
AggregateIQ is a digital advertising, web and software development company based in Canada. It is and has always been 100% Canadian owned and operated. AggregateIQ has never been and is not a part of Cambridge Analytica or SCL. Aggregate IQ has never entered into a contract with Cambridge Analytica. Chris Wylie has never been employed by AggregateIQ.
AggregateIQ works in full compliance within all legal and regulatory requirements in all jurisdictions where it operates. It has never knowingly been involved in any illegal activity. All work AggregateIQ does for each client is kept separate from every other client.
AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica.
So, uh, those guys who’ve never done nuthin’ guvnor.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? September 22nd 2018 
In one pilot program already in place, each citizen has been assigned a score out of 800. In other programs it’s 900.
Those, like Dandan, with top “citizen scores” get VIP treatment at hotels and airports, cheap loans and a fast track to the best universities and jobs.
Those at the bottom can be locked out of society and banned from travel, or barred from getting credit or government jobs.
That’s from the Australian Broadcasting Corporation’s ‘Leave No Dark Corner’, another examination of the Chinese government’s mass surveillance and social credit programme. Which is very similar to the Black Mirror episode ‘Nosedive’. There’s a video version of the ABC piece on YouTube.
There’s a lot of reading (and an enormous and beautiful diagram) in Kate Crawford and Vladan Joler’s essay ‘Anatomy of an AI System’, an exquisitely detailed unpacking of Amazon’s Echo.
Jennifer Valentino-DeVries, Natasha Singer, Aaron Krolik and Michael H. Kelleher did a very deep dive into the world of data collection and sharing for the New York Times, specifically looking at mobile apps marketed to kids. New Mexico’s Attorney General has just filed a lawsuit accusing an app maker, “Tiny Lab Productions, along with online ad businesses run by Google, Twitter and three other companies, of flouting a law intended to prevent the personal data of children under 13 from falling into the hands of predators, hackers and manipulative marketers.”
The Harvard Business Review is currently running a themed series of pieces called Tracked. Leslie K John’s contribution, ‘Uninformed Consent’, is well worth a read.
—-
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
Privacy Kit, Made with 💚 in Dublin, Ireland
