Flipchart | The Cat Herder, Volume 3, Issue 31

A showdown with fairness approaches for the department of education, the coronopticon continues expan   August 23 · Issue #96 · View online A showdown with fairness approaches for the department of education, the coronopticon continues expanding. Some regulatory activity and a regulatory bunfight. 😼 A spokesperson from the Home Office has confirmed to PlymouthLive the password, “Passw0rd1,” is indeed used by staff. Home Office responds after password displayed in Plymouth government building window - Plymouth Live www.plymouthherald.co.uk – Share A flipchart with ‘Passw0rd1’ written on it was visible from the street outside HM Passport Office in Ebrington Street Oh yes they have Might as well repeat what was said last week at the start of this section … In Ireland we’re going to find out a lot about the principles of fairness, transparency and accountability in data protection very soon. GDPR, Article 5.1 - “Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)” GDPR, Article 5.2 - “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” Anyway, since last week’s newsletter we’ve had a welcome U-turn by the UK government on the unfair and discriminatory fiasco of calculated grades. In Ireland it appears some lessons have been learned by officials in the department of education. Unfortunately what has been learned has not been about fairness to individuals. In a move of the very deepest self-serving cynicism the department has seen the uproar in Scotland and then England caused by the disparities between the machine-calculated grades and the teachers’ estimated grades, and decided that it wouldn’t like to see a repeat of that here. So the department will not release the teachers’ estimated grades until a week after the machine-calculated grades are issued. In response to queries from the The Irish Times, the department said all Leaving Cert students will get to see their school’s estimated mark in each subject and their class ranking on September 14th – one week after their calculated grades are released on September 7th. September 14th is only two days before the deadline for acceptance of the first round of CAO offers. This does not allow time for any sort of meaningful appeals process after students get to see the difference between the two grades. This is more than just unfair, it shows contempt for the very concepts of fairness and transparency. This timeline was laid out early in the day the Oireachtas Golf Society collected up what shreds and scraps of public trust in the current government still remained and detonated them in an uncontrolled explosion. The blast waves from this show no signs of subsiding. The problems with algorithms - which are nothing more than a series of instructions for a machine to follow - being used to make significant, life-altering decision have been highlighted repeatedly. (ProPublica, ‘Machine Bias’, 2016; TIME, ‘The Police Are Using Computer Algorithms to Tell If You’re a Threat’, 2017; Reuters, ‘Amazon scraps secret AI recruiting tool that showed bias against women’, 2018) To people in Ireland these examples are distant and abstract. Few of us have had dealings with Amazon’s recruitment process or the Chicago Police Department. Practically all of us are familiar with the state examinations process though, the importance of it, the way it can act to insert punctuation marks in a life. If the department continues with its planned use of an algorithm whose workings have not yet been revealed and refuses to release the teachers’ estimated grades until a week later the ensuing scandal could well be the event which delivers the fatal blow to a government which is looking to be very close to mortally wounded already. People know the results process and the subsequent CAO offers, they are accustomed to celebrating and commiserating with friends and relatives over successes and disappointments. One listen to the devastation articulated on Friday’s Liveline programme and the controlled fury that accompanied it should be enough to convince the minister for education that the last thing this country will tolerate is discriminatory unfairness cloaked in tech solutionism and sly bureaucratic attempts to neuter protest and appeal. “It’s kind of a mess,” said Jeffrey Kahn, director of the Johns Hopkins Berman Institute of Bioethics. “So far nothing has been consequential. … We don’t really know if it’s working or not working.” Cellphone apps to track coronavirus infection have received mixed reception - The Washington Post www.washingtonpost.com – Share Widely touted initiatives to introduce privacy-friendly, voluntary smartphone apps to help track the spread of coronavirus have largely foundered. — There are serious risks in allowing unsupervised sharing of personal data across public sector bodies. This is why in Europe we have things such as purpose limitation and no processing of any personal data without a lawful basis. Thunder Bay police accessed the personal health information in the database over 14,800 times — a rate of access that is 10 times higher than the provincial average — even though the area has reported only 100 COVID-19 cases since the outset of the pandemic. CBC: ‘Ontario ends police access to COVID-19 database after legal challenge’ It could, you know In addition to having to install the app, students were told they are not allowed to leave campus for the duration of the semester without permission over fears that contact with the wider community might bring the virus back to campus. If a student leaves campus without permission, the app will alert the school, and the student’s ID card will be locked and access to campus buildings will be revoked, according to an email to students, seen by TechCrunch. We described the app’s vulnerabilities to Will Strafach, a security researcher and chief executive at Guardian Firewall. Strafach said the app sounded like a “rush job,” and that the enumeration bug could be easily caught during a security review. “The fact that they were unaware tells me they did not even bother to do this,” he said. And, the keys left in the source code, said Strafach, suggested “a ‘just-ship-it’ attitude to a worrisome extreme.” Fearing coronavirus, a Michigan college is tracking its students with a flawed app – TechCrunch techcrunch.com – Share Students have no way to opt out of the location tracking. — It is curious that one story can simultaneously contain the two opinions below. Welfare chiefs have yet to address concerns raised more than two weeks ago by Mr Doyle. A spokesperson for the Department of Social Protection said there is ongoing engagement with the Office of the Data Protection Commission. One possible explanation is that the department is using a definition of the word “engagement” known only to itself. A bit like the two years it spent using a definition of “biometric” known only to itself. Irish Examiner: ‘Welfare chiefs face probe over PUP checks at airports’ The letter reads: “Regarding Test and Trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health.” It highlights the ICO’s powers to demand particular changes through enforcement notices, and even fine the government if it fails to comply. The government hadn’t completed a Data Protection Impact Assessment (DPIA) before carrying out the programme, a legally required document for sensitive data-processing scenarios under GDPR. New Statesman: ‘ICO challenged by MPs over failure on “unlawful” Test and Trace programme’ — In a curious parallel to the above, at least as far as failing to complete a DPIA and apparently escaping meaningful sanction is concerned, the DPC doesn’t seem to have taken any action against Wexford County Council for deploying drones without a DPIA. The core of my complaint actually hasn’t been addressed. No DPIA was undertaken in contravention of Article 35. This needed to be an explicit stated finding of the DPC in my view. After all, I handed them a signed confession to that bit. As it stands, the engagement by the DPC appears to have been one of retrospectively determining if a breach of other rights and freedoms arose rather than taking the easy win of a definite enforcement action for a clear cut infringement of the legislation. Daragh O Brien: ‘Wexford County Council – Send in the Drones’ — European Union privacy regulators are clashing over how much—if anything—to fine Twitter Inc. for its handling of a data breach disclosed last year, delaying progress of the most advanced cross-border privacy case involving a U.S. tech company under the EU’s strict new privacy law … The Irish privacy regulator said Thursday that it had triggered a dispute-resolution mechanism among the bloc’s privacy regulators after failing to resolve disagreements over its draft decision in the Twitter case—the first time that process has been started. Wall Street Journal: ‘Twitter Data Case Sparks Dispute, Delay Among EU Privacy Regulators’ (€) — “The DPC has commenced an inquiry into Bank of Ireland, in particular the Banking365 platform,” a DPC spokesperson said. “This own-volition inquiry will focus on a number of breach notifications received by the DPC between January and April this year.” Irish Examiner: ‘Bank of Ireland to be investigated over reported online banking data breach’ — The Baden-Württemberg DPA announced an investigation into tracking technologies on newspaper websites. — NOYB lodged 101 complaints with regulators in all 30 EU and EEA member states about companies still sending personal data to Google and Facebook. — The Belgian DPA fined mobile operator Proximus €20,000 for several data protection infringements, — The Spanish DPA fined mobile operator Vodafone €75,000 for sending marketing information via SMS to an individual who had exercised their right to erasure in 2015. — The Spanish DPA fined mobile operator Xfera Moviles €70,000 for a breach of the confidentiality principle in Article 5(f) of the GDPR. — In a public sector case with a familiar ring to it the Norwegian DPA fined the Rælingen municipality €47,500 for, among other things, failing to complete a Data Protection Impact Assessment. “Most of us might think of Facebook as the social network of choice for suburban moms and conspiracy theorists, but the company hasn’t been shy about branching out to become much more than an app on our phones, even if that’s the last thing we want. Here’s an example: earlier today, Facebook put out a company blog post outlining its latest venture, this time into the wild world of medicine.” From ‘Please Keep Mark Zuckerberg Away From My Bones’ by Shoshana Wodinsky for Gizmodo. “Given that they are in the purported business of prediction, it is natural to assume that Ofqual could have anticipated the level of public outrage that would ensue from the decision to use an algorithm to moderate unstandardised A-level, BTEC and GCSE teacher assessments.” Ada Lovelace Institute researchers Eliot Jones and Cansu Safak ask ‘Can algorithms ever make the grade? “This catalysed student protests in which young people carried banners proclaiming “Stop the postcode lottery”, and “Students not stats”, which pricked consciences about the dehumanising capacity of this algorithm. What followed was a speech by First Minister Nicola Sturgeon who said: “Despite our best intentions, I do acknowledge we did not get this right and I’m sorry for that.” Arguably, this was also one of the first occasions where politicians have acknowledged the discriminatory potential of algorithmically-informed policy regimes.” 'Algorithmic grading is not an answer to the challenges of the pandemic’, Graeme Tiffany for Algorithm Watch. Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

A showdown with fairness approaches for the department of education, the coronopticon continues expanding. Some regulatory activity and a regulatory bunfight.

😼

A flipchart with ‘Passw0rd1’ written on it was visible from the street outside HM Passport Office in Ebrington Street

Might as well repeat what was said last week at the start of this section …

In Ireland we’re going to find out a lot about the principles of fairness, transparency and accountability in data protection very soon.

Anyway, since last week’s newsletter we’ve had a welcome U-turn by the UK government on the unfair and discriminatory fiasco of calculated grades.

In Ireland it appears some lessons have been learned by officials in the department of education. Unfortunately what has been learned has not been about fairness to individuals. In a move of the very deepest self-serving cynicism the department has seen the uproar in Scotland and then England caused by the disparities between the machine-calculated grades and the teachers’ estimated grades, and decided that it wouldn’t like to see a repeat of that here. So the department will not release the teachers’ estimated grades until a week after the machine-calculated grades are issued.

September 14th is only two days before the deadline for acceptance of the first round of CAO offers. This does not allow time for any sort of meaningful appeals process after students get to see the difference between the two grades. This is more than just unfair, it shows contempt for the very concepts of fairness and transparency.

This timeline was laid out early in the day the Oireachtas Golf Society collected up what shreds and scraps of public trust in the current government still remained and detonated them in an uncontrolled explosion. The blast waves from this show no signs of subsiding.

The problems with algorithms - which are nothing more than a series of instructions for a machine to follow - being used to make significant, life-altering decision have been highlighted repeatedly. (ProPublica, ‘Machine Bias’, 2016; TIME, ‘The Police Are Using Computer Algorithms to Tell If You’re a Threat’, 2017; Reuters, ‘Amazon scraps secret AI recruiting tool that showed bias against women’, 2018)

To people in Ireland these examples are distant and abstract. Few of us have had dealings with Amazon’s recruitment process or the Chicago Police Department. Practically all of us are familiar with the state examinations process though, the importance of it, the way it can act to insert punctuation marks in a life.

If the department continues with its planned use of an algorithm whose workings have not yet been revealed and refuses to release the teachers’ estimated grades until a week later the ensuing scandal could well be the event which delivers the fatal blow to a government which is looking to be very close to mortally wounded already.

People know the results process and the subsequent CAO offers, they are accustomed to celebrating and commiserating with friends and relatives over successes and disappointments. One listen to the devastation articulated on Friday’s Liveline programme and the controlled fury that accompanied it should be enough to convince the minister for education that the last thing this country will tolerate is discriminatory unfairness cloaked in tech solutionism and sly bureaucratic attempts to neuter protest and appeal.

Widely touted initiatives to introduce privacy-friendly, voluntary smartphone apps to help track the spread of coronavirus have largely foundered.

—

There are serious risks in allowing unsupervised sharing of personal data across public sector bodies. This is why in Europe we have things such as purpose limitation and no processing of any personal data without a lawful basis.

CBC: ‘Ontario ends police access to COVID-19 database after legal challenge’

Students have no way to opt out of the location tracking.

—

It is curious that one story can simultaneously contain the two opinions below.

One possible explanation is that the department is using a definition of the word “engagement” known only to itself. A bit like the two years it spent using a definition of “biometric” known only to itself.

Irish Examiner: ‘Welfare chiefs face probe over PUP checks at airports’

New Statesman: ‘ICO challenged by MPs over failure on “unlawful” Test and Trace programme’

—

In a curious parallel to the above, at least as far as failing to complete a DPIA and apparently escaping meaningful sanction is concerned, the DPC doesn’t seem to have taken any action against Wexford County Council for deploying drones without a DPIA.

Daragh O Brien: ‘Wexford County Council – Send in the Drones’

—

Wall Street Journal: ‘Twitter Data Case Sparks Dispute, Delay Among EU Privacy Regulators’ (€)

—

Irish Examiner: ‘Bank of Ireland to be investigated over reported online banking data breach’

—

The Baden-Württemberg DPA announced an investigation into tracking technologies on newspaper websites.

—

NOYB lodged 101 complaints with regulators in all 30 EU and EEA member states about companies still sending personal data to Google and Facebook.

—

The Belgian DPA fined mobile operator Proximus €20,000 for several data protection infringements,

—

The Spanish DPA fined mobile operator Vodafone €75,000 for sending marketing information via SMS to an individual who had exercised their right to erasure in 2015.

—

The Spanish DPA fined mobile operator Xfera Moviles €70,000 for a breach of the confidentiality principle in Article 5(f) of the GDPR.

—

In a public sector case with a familiar ring to it the Norwegian DPA fined the Rælingen municipality €47,500 for, among other things, failing to complete a Data Protection Impact Assessment.

• “Most of us might think of Facebook as the social network of choice for suburban moms and conspiracy theorists, but the company hasn’t been shy about branching out to become much more than an app on our phones, even if that’s the last thing we want. Here’s an example: earlier today, Facebook put out a company blog post outlining its latest venture, this time into the wild world of medicine.” From ‘Please Keep Mark Zuckerberg Away From My Bones’ by Shoshana Wodinsky for Gizmodo.
• “Given that they are in the purported business of prediction, it is natural to assume that Ofqual could have anticipated the level of public outrage that would ensue from the decision to use an algorithm to moderate unstandardised A-level, BTEC and GCSE teacher assessments.” Ada Lovelace Institute researchers Eliot Jones and Cansu Safak ask ‘Can algorithms ever make the grade?
• “This catalysed student protests in which young people carried banners proclaiming “Stop the postcode lottery”, and “Students not stats”, which pricked consciences about the dehumanising capacity of this algorithm. What followed was a speech by First Minister Nicola Sturgeon who said: “Despite our best intentions, I do acknowledge we did not get this right and I’m sorry for that.” Arguably, this was also one of the first occasions where politicians have acknowledged the discriminatory potential of algorithmically-informed policy regimes.” 'Algorithmic grading is not an answer to the challenges of the pandemic’, Graeme Tiffany for Algorithm Watch.

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.