May 8, 2022
"(census etc)" | The Cat Herder, Volume 5, Issue 17
May 8 · Issue #179
Data brokers and more data brokers and data brokers yet again. Both international and local. The curious case of the Sideshow Bob Rake Department hurriedly deleting a database when the Sideshow Bob Rake Department’s instincts usually lead to it not deleting anything. 😼
The highly unregulated market for personal data in the US collided with the highly partisan and rights-eroding Supreme Court of the US during the week.
If you think that your data showing when you last menstruated isn't of interest to those who are about to outlaw abortion, whew do I have a wakeup call for YOU.
Surveillance technologists from tech companies big and small have delivered amazing support infrastructure for fascism. @ helps you navigate this world. https://t.co/JCHsCIy8gi
Now that we know those pesky regulators aren’t involved, we can talk about the many, many (many) ways your data bleeds from your devices and into the paws of data brokers. Last summer, the analytics firm eMarketer put out a good overview of all the ways this bleed can happen: you probably know how sites can drop a cookie on your browser, or how an app can have a sneaky piece of marketing tech chugging behind the scenes. But you also leak data when you pass by a digital billboard, when you walk through the doors of a grocery store, and when you’re waiting on hold for the umpteenth time because your goddamn pharmacy forgot to send your goddamn refills, again.
“It’s bonkers dangerous to have abortion clinics and then let someone buy the census tracks where people are coming from to visit that abortion clinic,” Zach Edwards, a cybersecurity researcher who closely tracks the data selling marketplace, told Motherboard in an online chat after reviewing the data. “This is how you dox someone traveling across state lines for abortions—how you dox clinics providing this service.”
In sum, Veraset is in the business of selling precise, ping-level location data from the smart phones of millions of people. Safegraph itself was in this business until it spun those services off to Veraset. And after this spin-off, Safegraph continued to acquire data from Veraset and steer business there. But a corporate restructuring does not make anyone safer. Highly invasive data about millions of people is still up for sale, putting vulnerable people at serious risk.
Yes, it’s the Sideshow Bob Rake Department again!
The Data Protection Commission (DPC) is examining the alleged excessive data gathering by the Department “through the use of the travel pass when scanning the card on different modes of transport, as well as any issues surrounding the transparency of these processing activities in this regard”.
Alleged excessive data gathering by Department of Social Protection being examined
Noteworthy investigation reveals the Department had a database of individual free travel journeys until 2020.
There are many more questions raised by this piece than just the ones for the Department of Social Protection and its haste in deleting a database of PSC-related personal data at the same time as it was running an appeal (which was abruptly abandoned) against a direction from the DPC to delete another database of PSC-related personal data.
The Irish Council for Civil Liberties lodged a complaint with the Data Protection Commission over the processing of personal data by a company called GeoDirectory which is jointly owned by An Post and Ordnance Survey Ireland.
The Irish Council for Civil Liberties (ICCL) has revealed that An Post and Ordnance Survey Ireland’s GeoDirectory is selling incredibly personal information, such as social class and family status, about us to companies such as Experian and Aviva. ICCL has been able to buy data about people living in Limerick and Dublin and whether they’re “deprived”, “struggling” or “affluent”. Anyone can buy this data about any household in the country.
A few people drew attention to the An Post database when it emerged years ago. What has now come to light is entirely unsurprising.
Everybody involved remained fairly silent during the week. As a quick reminder, just because personal data is publicly available it doesn’t make it not personal data, and the protections of the GDPR still apply to it.
It’ll be fascinating to see what happens if it turns out a subsidiary of two state bodies (An Post and OSI) has been scraping or acquiring information from another state body (the CSO) without a lawful basis.
The company’s website states that “each dimension” of the dataset for sale “is based on data points from the national Census”. Census data is bound as confidential, and is generally withheld for 100 years. When contacted, GeoDirectory again said it “uses only publicly available information (census etc).”
An Post declines to reveal nature or source of personal information sales
Phil Booth, coordinator of medConfidential, a group campaigning for confidentiality and consent in healthcare, said: “Of course pharma and tech companies will always want more data, but ‘speeding up innovation’ should never mean fewer or weakened protections for patients. “Public trust in use of our health data depends on everyone following the same rules. That means no privileged access, no ‘data VIP lanes’ – and certainly doesn’t mean dropping standards or safeguards just so startups can join in. “If the purpose of something is to make patients’ data available for commercial exploitation, then it doesn’t matter how ‘independent’ it is – many simply won’t trust it.”
Radical plans to transform NHS drawn up at drug firms and No 10 roundtable | NHS | The Guardian
Exclusive: ideas include reducing trial safeguards and allowing startups to harvest patient data
- “The European Data Protection Board (‘EDPB’) recently published draft Guidelines (‘the Guidelines’) on the right of access, bringing some clarity to several operational aspects of responding to access requests. Whilst the Guidelines are informative, they raise the bar in regard to what is expected of controllers. In particular, the EDPB’s rejection of any proportionality limit with regard to the efforts a controller has to take to comply with the data subject’s request is surprising.” From ‘The New Guidelines On Data Access Requests — Is The Bar Now Too High?’ by Davinia Brennan for Matheson. Perhaps our top-tier law firms could advise their clients to reduce the amount of personal data they process and improve their internal systems to facilitate easier responses to subject access requests rather than musing about the height of the bar? Just a thought.
- “With regard to the decision of the Authority, companies planning to use AI solutions for processing personal data must exercise extreme caution. This also means that such solutions should be gradually tested in cooperation with the manufacturer/service provider partner before being introduced by the company. Firstly, non-personal data should be used to feed the solution and personal data should only be used after effective testing in the above referred first phase with respect to the requirements and specificities of the given industry and business. After the introduction of the solution, the company also needs to constantly monitor the efficiency of the solution and its effect on data subjects.” From ‘What we can learn from the case resulting in a record GDPR fine by the Hungarian Data Protection Authority for the unlawful use of artificial intelligence’ by Dániel Necz for DLA Piper.
- “Biometrics imply that the knowledge of the human body reveals something about the human self. These technologies do not just seek to establish the identity of an individual, but they also provide authorities with access to digital files that contain various administrative information about them. Such information can reveal, for example, when and where a migrant applied for asylum, when and where he or she applied for a visa, and so on. Georgios Glouftsios’ work as a postdoctoral researcher at the School of International Studies of the University of Trento has led him to the conclusion that data extracted from bodies and their links with such administrative information are used to make migrants “controllable subjects”.” From ‘Power imbalances and freedom of consent in migration management’ by Georgios Glouftsios, Stefania Milan, and Gianclaudio Malgieri for the European Data Journalism Network.
—
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
Shoshana Wodinsky: ‘How to Get an Abortion in the Age of Surveillance’
VICE: ‘Data Broker Is Selling Location Data of People Who Visit Abortion Clinics’
EFF: ‘SafeGraph’s Disingenuous Claims About Location Data Mask a Dangerous Industry’
ICCL: ‘An Post and Ordnance Survey Ireland are selling intimate personal data about all of us’
Daragh O Brien of Castlebridge wrote a good Twitter thread with more on this.
The EDPB and EDPS published a joint opinion on the EU’s Data Act. Press release | Full Opinion [PDF]
—
The CNIL fined Dedalus Biologie €1.5 million for a personal data breach which exposed the medical information of almost half a million people.
—
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.