April 11, 2021
C-19 1GC | The Cat Herder, Volume 4, Issue 13
April 11 · Issue #126
All data leaks eventually. 😼
There’s a not insignificant chance that footage from yer fancy internet-connected security camera is being viewed for entertainment by people like this. Because they can.
Why is it that the folks involved in these kinds of grand, daft and potentially dangerous schemes always feel the need to give them ominous-sounding names which could have leapt straight from the pages of an Ian Fleming novel? And go on to deploy language lifted directly from Doctor Strangelove?
A draft email drawn up by an EY partner and sent to civil servants for distribution to State bodies outlines a plan for the “C-19 One Government Centre (1GC) within the Department of An Taoiseach”.
On a more serious note the Department of the Taoiseach should be clearly stating what personal data - if any - was processed as part of this caper.
Government consultants discussed ‘war room’ for Covid-19 response
Email outlines plan for ‘integrated insight centre’ that could seek data from State bodies
The department is committed to publishing the Independent Expert Review by an external Senior Counsel, that was commissioned after allegations were brought to the attention of the department last year. Due to legal implications, including protocols around publishing a protected disclosure and the department’s desire to protect the rights of the discloser, the department is continuing to engage with legal counsel and aims to publish the report next week.
Perhaps this commitment was a prank because there has been no sign of the publication of the Independent Expert Review in the interim. Nor has there been any further communication from the Department about its “normal practice” of compiling dossiers on autistic children and their families.
To add to the horror on St Vincent, *only vaccinated* evacuees are being accepted on cruise ships or nearby islands. This is worse than my worst nightmares about vaccine segregation.
This has to redouble our determination to NEVER allow covid passes.
https://t.co/Q2Zx73bFkN
Directly related to this, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the European Commission’s proposals for a Digital Green Certificate, a certificate to show vaccination, testing and recovery status which is intended to facilitate free movement.
The EDPB and the EDPS underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.
Meanwhile “India’s National Health Authority has commenced a pilot of facial recognition software as a means of identifying people as they queue in the nation’s COVID-19 vaccine centres.”
India uses controversial Aadhaar facial biometrics to identify COVID vaccination recipients • The Register
Safer than eyeballs or fingerprints, apparently
Well of course everyone saw this coming
An online tool lets customers pay to unmask the phone numbers of Facebook users that liked a specific Page, and the underlying dataset appears to be separate from the 500 million account database that made headlines this week, signifying another data breach or large scale scraping of Facebook users’ data, Motherboard has found.
There's Another Facebook Phone Number Database Online
Analysis by Motherboard and a security researcher indicate the database is separate from the recently reported cache of 500 million accounts.
In Facebook’s response to last week’s revelation of the other data breach there are two unsurprising things: firstly, Facebook’s traditional slippery evasiveness around dates and details of what actually happened, and secondly, Facebook’s total and utter unwillingness to pay any attention to warnings going back years.
Some details of the recent leak’s timeline remain unclear. Facebook says the scraping took place “prior to September 2019,” but it has not clarified exactly when it happened, how many incidents were involved, or when Facebook learned about the malicious activity. Analysis of the data set seems to indicate that it was cobbled together over a number of scraping sessions that began at least in 2018, if not earlier, and apparently went on into June 2019, if not later. The company’s careful word choice, though, likely reflects a concern that it could be investigated for failing to disclose a data breach under various laws and agreements around the world, including by the US Federal Trade Commission. Facebook entered into agreements with the FTC in both 2011 and June 2019 that seemingly would have required the company to disclose the finding to the agency.
Facebook Had Years to Fix the Flaw That Leaked 500M Users’ Data | WIRED
Software makers can’t catch every bug every time, but Facebook had ample warning about the privacy problems with its “contact import” feature.
Over on the other side of town Google has enrolled tens of millions of people in a trial of its ‘solution’ to surveillance advertising. Without telling them.
In Google’s FLoC trial announcement, it gave Google Chrome users no option to opt out before the trial began. Instead, Google silently pushed FLoC technology to Chrome users in the US, Canada, Mexico, Australia, New Zealand, Brazil, India, Japan, Indonesia, and the Philippines. While Google described the trial as affecting a “small percentage of users,” according to EFF, that percentage could be as high as 5 percent. That sounds small at first, but take into account that nearly-ancient estimates (circa 2016) put active Google Chrome users around 2 billion, meaning that the FLoC trial could affect up to 100 million people. That is an enormous number of people to subject to a data analysis experiment without their prior consent.
Millions of Chrome users quietly added to Google’s FLoC pilot - Malwarebytes Labs | Malwarebytes Labs
Google promised that its third-party cookie replacement—called FLoC—will preserve user privacy. Its trial calls that into question.
Continuing this week’s theme the Italian DPA announced a probe into what appears to be a leak of 500 million people’s information from LinkedIn.
- “What the DGCs do create is a new pan-european infrastructure of automated administrative control that will be hard to disentangle from our health system. And the fast roll-out of this solution will only amplify the problems that come with this type of infrastructure … Notably, in the name of urgency, the proposal is being rolled out without a proper impact assessment: there is no good understanding of its risks or what measures might be absolutely necessary to mitigate these risks”. From this Twitter thread about the Digital Green Certificate by Carmela Troncoso.
- “European courts struck down or reduced several multimillion-dollar fines in recent months, raising questions about whether judges and privacy regulators disagree about how to enforce the 2018 General Data Protection Regulation. Companies taking note are more willing to challenge authorities’ rulings, according to privacy lawyers and regulators. Many regulators received small or no budget increases when the GDPR took effect and struggle to deal with new investigations. Appeals are an added challenge.” From ‘Wave of Legal Appeals Challenges How European Regulators Enforce Privacy Rules’ by Catherine Stupp for the Wall Street Journal.
- “The cost is pretty high: Not only can these ad tech companies still collect data about me, but when I use Firefox, they can gather even more than they could before because I dramatically lowered my privacy settings in order to let the opt-out system function. The companies not participating in the opt-out can simply go hog wild. They can track me, load reams of personalized ads wherever I go. The works. Also, if I ever decide to clear all of my cookies, I’m effectively opted back in to personalized advertising because I will have deleted the cookies on my browser that tell the participating companies that I’ve opted out.” Aaron Sankin tries to opt out in a piece for The Markup. It doesn’t go well.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
https://twitter.com/hypervisible/status/1380601317681463301
The story the above quote is taken from is ‘‘Bro Culture’ at Camera Maker Verkada Pushed Profits, Parties’ in Bloomberg.
Back on April Fools’ Day in his second open letter to unspecified “stakeholders” the interim Secretary General of the Department of Health wrote:
Perhaps this commitment was a prank because there has been no sign of the publication of the Independent Expert Review in the interim. Nor has there been any further communication from the Department about its “normal practice” of compiling dossiers on autistic children and their families.
Directly related to this, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the European Commission’s proposals for a Digital Green Certificate, a certificate to show vaccination, testing and recovery status which is intended to facilitate free movement.
+ Press release
+ Full opinion [direct link to PDF]
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.