Coronopticon | The Cat Herder, Volume 3, Issue 12

Marriott, Zoom, Morrisons, the Coronopticon. 😼   April 5 · Issue #76 · View online Marriott, Zoom, Morrisons, the Coronopticon. 😼 Personal details for the entire country of Georgia published online | ZDNet www.zdnet.com – Share A file containing personal information for 4,934,863 Georgians has been published on a hacker forum over the weekend. What can you say? Perhaps you could say that it’s surprising this doesn’t happen more often. For this section, and the title of this issue of the newsletter, and for the foreseeable future I am appropriating Hal Hodson’s portmanteau coinage of ‘coronopticon’ in The Economist (€) as a catch all term for the multiple competing (and occasionally conflicting and confusing) efforts to deploy surveillance technology to combat Covid-19. In Ireland we can only assume that the Covid-fighting app the HSE is developing is still in progress and due to become available in the next few days. Initially reported in The Sunday Business Post this day last week, there has been barely any official communication about the app. So we’re still in the dark about precisely what it is for, what data it will collect, who the data will be shared with and how long the data will be retained for. If the app is indeed to launch sometime during the coming week then official communications should have started by now. If the app is similar to that deployed in Singapore, as has been reported, and uses Bluetooth on handsets to do proximity tracking then it will require very high usage figures in order to be effective - probably 70% or more of the adult population will have to install the app. The latest press coverage with any concrete detail about the app appears to be an Irish Examiner report of a government briefing held on Tuesday at which Department of the Taoiseach assistant secretary-general Elizabeth Canavan said As part of the national response to Covid-19, work is underway to develop a new mobile Covid-19 app for real-time symptom tracking and digital contact tracing. Intensive work has been underway, between the Department of Health, the Health Service Executive and direct support from the office of the government chief information officer, and other technical expertise across the public service, and elsewhere. The implementation timeline will be determined by the technical progress and results from intensive testing that is currently taking place. In earlier reporting on this system in The Irish Times Paul Connors, HSE head of communications said that “the HSE is working with a number of agencies, including the Data Protection Commissioner, on issues such as compliance with strict data protection and processing rules”. Long time readers may recognise this. There is a tradition of public authorities claiming to be working with the DPC when the DPC has no such role to play prior to the beginning of any data processing. There is a formal prior consultation mechanism in Article 36 of the GDPR which is only engaged when a data protection impact assessment has indicated the processing activities would present a high risk to the rights and freedoms of individuals. So perhaps this is what is being referred to. Questions There are many. Let’s start with the largest one. Who in the caretaker government is making the ultimate decision about how much surveillance technology is used to combat Covid-19? There are many ways to use the surveillance architecture available. Some more intrusive than others. Who is making this decision? “The threshold question is: has the government shown its proposed surveillance tool would effectively and significantly address the crisis?” said Electronic Frontier Foundation attorney Adam Schwartz. “If not, EFF opposes it. If so, we ask: does the benefit of the surveillance outweigh its costs to privacy, speech, and equal opportunity?“ (From ‘Privacy Experts Say Responsible Coronavirus Surveillance Is Possible’, The Intercept) What is the purpose of the app and all its associated systems? So far all we have to go on is “symptom tracking and digital contact tracing”. These are two separate purposes which require access to healthcare and location data. In other jurisdictions highly intrusive technology has been deployed to serve social control purposes. Facial recognition in Russia (📹). A quarantine enforcement function in Poland - apparently now mandatory for “anyone potentially infected”. The public sector in Ireland does not have a good track record in deploying intrusive rights-restricting technology with a clear purpose. Exhibit A being the mostly purposeless Public Services Card, which has proven to be unnecessary during this crisis. Will the data protection impact assessment be published? If one has been done, that is. Which is a legal requirement before any processing of this type can commence. The DPIA should have been the first piece of work completed, since it is intended to inform the decisions taken later in the lifecycle of the project. In the interest of transparency and the impact assessment should be published. What data will be collected and which technologies will be used? Mobile location data is too vague. Is this location data from towers, handset GPS location data, Bluetooth proximity data? Who is the data controller and who will the data be shared with? Both important, both unclear. How long will the data be retained for? In Poland the government intends to retain personal data for six years. At the other end of the scale, the system proposed by Michael Veale et al (link below) has a graceful dismantling mechanism: “The system will organically dismantle itself after the end of the epidemic. Infected patients will stop uploading their data to the central server and people will stop using the app. Data on the server is removed after 14 days.” Will any required legislation be introduced, and how will this be done? Since a Bluetooth proximity monitoring system will require data to be collected from terminal equipment it may follow that amendments have to be made to the ePrivacy Regulations. The Dutch data protection authority thinks emergency legislation is required (Google translate) in order to allow full parliamentary oversight of any surveillance system. Not having a properly constituted government in Ireland makes this difficult. Zoom, its security shortcomings, and what could be charitably described as its sketchy data protection practices were barely out of the news this week. A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles - The New York Times www.nytimes.com – Share After an inquiry from Times reporters, Zoom said it would disable a data-mining feature that could be used to snoop on participants during meetings without their knowledge. Zoom videos exposed online, highlighting privacy risks - The Washington Post www.washingtonpost.com – Share Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes. Zoom is Leaking Peoples' Email Addresses and Photos to Strangers - VICE www.vice.com – Share For at least a few thousand people, Zoom has treated their personal email addresses as if they all belong to the same company, letting them video call each other. New York Attorney General Looks Into Zoom’s Privacy Practices - The New York Times www.nytimes.com – Share As the videoconferencing platform’s popularity has surged, Zoom has scrambled to address a series of data privacy and security problems. Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing theintercept.com – Share The video conferencing service can access conversations on its platform. It is happening here There’s a famous Oscar Wilde quote from The Importance of Being Earnest about losing parents which I shall resist putting in here. Anyway, Marriott did it again. Marriott International hotel chain in second data breach www.computerweekly.com – Share Marriott International notifies customers of a major data breach that unfolded earlier in 2020 – the second it has experienced in the past two years. The DPC published ‘Data Protection Tips for Video-conferencing’. Which coincidentally contains some questions which are worthwhile asking about any app or service, even a Covid-fighting one developed by the HSE. Try to use services which you know and trust, have done some research on, and/or have been vetted and suggested by your employer, etc Take some time to read over the service’s privacy or data protection policy to be sure who your personal data is being shared with, where it will be stored or processed, and what purposes it will be used for, amongst other information. Think twice about what permissions for data or sensors you are being asked for: Do you really need to share your location or your list of contacts for instance? What will that data be used for? — The Polish DPA fined a data controller 20,000 Zloty (~€4,360) for failing to allow the regulator to carry out an inspection. — The EDPB “will prioritise providing guidance on the following issues: use of location data and anonymisation of data; processing of health data for scientific and research purposes and the processing of data by technologies used to enable remote working”, according to a short statement released on Friday. This Twitter thread from Michael Veale on a privacy protecting Bluetooth proximity tracing system, mentioned above. A document with a detailed overview of data protection and security is here. “We often forget, during times of great upheaval, how many of our quality assurances and basic rights protections are embedded in public institutional review. One of the unfortunate outcomes of emergency is that we temporarily suspend many of those systems, making it extremely difficult to determine whether the technology or data systems being proposed actually solve an important problem before we deploy them into vulnerable contexts.” Sean McDonald‘s 'The Digital Response to the Outbreak of COVID-19’ is essential reading as the shape of the Coronopticon begins to appear. The UK Supreme Court judgment (PDF) in the Morrisons case, and this commentary from Stuart Lauchlan on diginomica. CPO Magazine’s ‘Data Protection and Privacy Officer Priorities 2020’ report. “So far, little hard evidence exists that such apps make any significant contribution to limiting the spread of the virus. It’s not that they do not, or will not in future; it’s more that we just do not know.” Karlin Lillington in The Irish Times, ‘Coronavirus: Contact tracing app raises privacy concerns’. —— Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Marriott, Zoom, Morrisons, the Coronopticon.

😼

A file containing personal information for 4,934,863 Georgians has been published on a hacker forum over the weekend.

What can you say? Perhaps you could say that it’s surprising this doesn’t happen more often.

For this section, and the title of this issue of the newsletter, and for the foreseeable future I am appropriating Hal Hodson’s portmanteau coinage of ‘coronopticon’ in The Economist (€) as a catch all term for the multiple competing (and occasionally conflicting and confusing) efforts to deploy surveillance technology to combat Covid-19.

In Ireland we can only assume that the Covid-fighting app the HSE is developing is still in progress and due to become available in the next few days. Initially reported in The Sunday Business Post this day last week, there has been barely any official communication about the app. So we’re still in the dark about precisely what it is for, what data it will collect, who the data will be shared with and how long the data will be retained for.

If the app is indeed to launch sometime during the coming week then official communications should have started by now. If the app is similar to that deployed in Singapore, as has been reported, and uses Bluetooth on handsets to do proximity tracking then it will require very high usage figures in order to be effective - probably 70% or more of the adult population will have to install the app.

The latest press coverage with any concrete detail about the app appears to be an Irish Examiner report of a government briefing held on Tuesday at which Department of the Taoiseach assistant secretary-general Elizabeth Canavan said

In earlier reporting on this system in The Irish Times Paul Connors, HSE head of communications said that “the HSE is working with a number of agencies, including the Data Protection Commissioner, on issues such as compliance with strict data protection and processing rules”.

Long time readers may recognise this. There is a tradition of public authorities claiming to be working with the DPC when the DPC has no such role to play prior to the beginning of any data processing.

There is a formal prior consultation mechanism in Article 36 of the GDPR which is only engaged when a data protection impact assessment has indicated the processing activities would present a high risk to the rights and freedoms of individuals. So perhaps this is what is being referred to.

Questions

There are many. Let’s start with the largest one.

Who in the caretaker government is making the ultimate decision about how much surveillance technology is used to combat Covid-19?

There are many ways to use the surveillance architecture available. Some more intrusive than others. Who is making this decision?

(From ‘Privacy Experts Say Responsible Coronavirus Surveillance Is Possible’, The Intercept)

What is the purpose of the app and all its associated systems?

So far all we have to go on is “symptom tracking and digital contact tracing”. These are two separate purposes which require access to healthcare and location data.

In other jurisdictions highly intrusive technology has been deployed to serve social control purposes. Facial recognition in Russia (📹). A quarantine enforcement function in Poland - apparently now mandatory for “anyone potentially infected”.

The public sector in Ireland does not have a good track record in deploying intrusive rights-restricting technology with a clear purpose. Exhibit A being the mostly purposeless Public Services Card, which has proven to be unnecessary during this crisis.

Will the data protection impact assessment be published?

If one has been done, that is. Which is a legal requirement before any processing of this type can commence. The DPIA should have been the first piece of work completed, since it is intended to inform the decisions taken later in the lifecycle of the project.

In the interest of transparency and the impact assessment should be published.

What data will be collected and which technologies will be used?

Mobile location data is too vague. Is this location data from towers, handset GPS location data, Bluetooth proximity data?

Who is the data controller and who will the data be shared with?

Both important, both unclear.

How long will the data be retained for?

In Poland the government intends to retain personal data for six years. At the other end of the scale, the system proposed by Michael Veale et al (link below) has a graceful dismantling mechanism: “The system will organically dismantle itself after the end of the epidemic. Infected patients will stop uploading their data to the central server and people will stop using the app. Data on the server is removed after 14 days.”

Will any required legislation be introduced, and how will this be done?

Since a Bluetooth proximity monitoring system will require data to be collected from terminal equipment it may follow that amendments have to be made to the ePrivacy Regulations.

The Dutch data protection authority thinks emergency legislation is required (Google translate) in order to allow full parliamentary oversight of any surveillance system.

Not having a properly constituted government in Ireland makes this difficult.

Zoom, its security shortcomings, and what could be charitably described as its sketchy data protection practices were barely out of the news this week.

After an inquiry from Times reporters, Zoom said it would disable a data-mining feature that could be used to snoop on participants during meetings without their knowledge.

Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes.

For at least a few thousand people, Zoom has treated their personal email addresses as if they all belong to the same company, letting them video call each other.

As the videoconferencing platform’s popularity has surged, Zoom has scrambled to address a series of data privacy and security problems.

The video conferencing service can access conversations on its platform.

There’s a famous Oscar Wilde quote from The Importance of Being Earnest about losing parents which I shall resist putting in here. Anyway, Marriott did it again.

Marriott International notifies customers of a major data breach that unfolded earlier in 2020 – the second it has experienced in the past two years.

The DPC published ‘Data Protection Tips for Video-conferencing’. Which coincidentally contains some questions which are worthwhile asking about any app or service, even a Covid-fighting one developed by the HSE.

—

The Polish DPA fined a data controller 20,000 Zloty (~€4,360) for failing to allow the regulator to carry out an inspection.

—

The EDPB “will prioritise providing guidance on the following issues: use of location data and anonymisation of data; processing of health data for scientific and research purposes and the processing of data by technologies used to enable remote working”, according to a short statement released on Friday.

• This Twitter thread from Michael Veale on a privacy protecting Bluetooth proximity tracing system, mentioned above. A document with a detailed overview of data protection and security is here.
• “We often forget, during times of great upheaval, how many of our quality assurances and basic rights protections are embedded in public institutional review. One of the unfortunate outcomes of emergency is that we temporarily suspend many of those systems, making it extremely difficult to determine whether the technology or data systems being proposed actually solve an important problem before we deploy them into vulnerable contexts.” Sean McDonald‘s 'The Digital Response to the Outbreak of COVID-19’ is essential reading as the shape of the Coronopticon begins to appear.
• The UK Supreme Court judgment (PDF) in the Morrisons case, and this commentary from Stuart Lauchlan on diginomica.
• CPO Magazine’s ‘Data Protection and Privacy Officer Priorities 2020’ report.
• “So far, little hard evidence exists that such apps make any significant contribution to limiting the spread of the virus. It’s not that they do not, or will not in future; it’s more that we just do not know.” Karlin Lillington in The Irish Times, ‘Coronavirus: Contact tracing app raises privacy concerns’.

——

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.