Privacy Kit

April 13, 2020

Forced Data Octopus | The Cat Herder, Volume 3, Issue 13

April 13 · Issue #77
The Cat Herder
Bank Holiday edition, for those of you who are still keeping track of which day is which. Two main things this week. The coronopticon abides, it grows, it morphs, it’s inconclusive and quite possibly ineffectual but we’re going to get it anyway. No doubt about that since Apple and Google announced a partnership on Friday. 
Also this week the Data Protection Commission published its report on the use of cookies and other tracking technologies. The Indo called it damning. Techcrunch said the report described a “compliance trash-fire”. Both of these comments made while standing in a lake of tracking technologies wearing a pair of waders.
😼

This week’s title brought to you by machine translation from the German eine Zwangs-Datenkrake.
Ian Brown (@1Br0wn), 6 Apr 2020, 7:14 AM (https://twitter.com/1Br0wn/status/1247044937025282049):
Also true >> "I would like to say to people who see such a data protection-friendly project as negative: the alternative is not an app, but a forced data octopus based on the South Korean model. Some are just waiting for the liberal app to fail ... #corona #COVID19” (GT) https://t.co/CDoAU0WXcu
it is our view that almost all of the sites continue to have compliance issues, ranging from minor to serious. (page 5)
The biggest deal this week was the publication of the DPC’s report on the use of cookies and other tracking technologies (PDF). The report is comprehensive, clear, wide-ranging and does indeed describe a trash-fire of non-compliance. What is more, it very politely says that many data controllers either don’t know what they’re doing or they do know and are deliberately misinterpreting definitions, the applicable laws and their obligations.
It was clear that some controllers may either misunderstand the ‘strictly necessary’ criteria, or that their definitions of what is strictly necessary are rather more expansive than the definitions provided in Regulation 5(5). (page 3)
One controller did not respond to any of the DPC’s correspondence or reminders and the DPC may consider further action in that regard. (page 2)
In some cases, controllers also had tracking technologies such as Facebook pixels embedded in their websites, but they did not list these in their responses to the sweep and limited their list of cookies to http browser cookies only. It was not clear, therefore, whether some controllers were aware of some of the tracking elements deployed on their websites – this was particularly the case where small controllers had outsourced their website management and development to a third-party. (page 3)
The use of dark patterns to confuse and mislead was covered. The judgment in the Planet49 case was explained, although controllers are obliged to be aware of relevant CJEU judgments such as this one themselves.
The sample excerpts from the responses which were received by the DPC make for some entertainingly alarming reading, and even the occasional unexpected glimpse into the past: “Two controllers had social buttons for Google +”
One controller listed the purpose of one Google Analytics cookie as being “used to determine a user’s inclusion in an experiment and the expiry of experiments a user has been included in”. This cookie is set before a user gives consent.
some [controllers] appeared to be of the belief that they had no responsibility for any third-party cookies or tracking on their websites.
The full list of sins of omission and commission is far too long to repeat here.
While no enforcement action is being taken now, the DPC has given controllers six months to get their houses in order and issued new guidance (PDF). While I and many others have been critical of the sometimes glacial speed at which the DPC moves we can at least be hopeful that the methodical approach being taken here will lead to swift and visible enforcement actions for any non-compliance after this six month period expires. Which will be approximately a year since the Planet49 judgment was delivered.
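One check a controller (or the third party that built its site) could run against the findings above is an inventory diff: capture what the site actually sets and loads before the consent banner is answered, then compare that with what was declared to the regulator. The script below is an added example, not code from the newsletter or from the DPC report. The response headers, the landing-page HTML, the first-party domain example.ie, the iframe host widgets.third-party.example and the "declared" inventory are all constructed; the Google Analytics and Facebook pixel hostnames appear only because the report names those tracker types.

```python
"""Pre-consent tracker inventory check (added illustrative example).

Takes the Set-Cookie headers and HTML a site serves *before* any consent
interaction, lists the cookies and third-party resources present, and diffs
that against the inventory the controller declared. Everything below is a
constructed sample; the DECLARED set is hypothetical.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed: the site's own domain.
FIRST_PARTY = "example.ie"

# Constructed: Set-Cookie headers returned on the first, pre-consent request.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "_ga=GA1.2.1234567890.1586700000; Max-Age=63072000; Path=/",
    "_gaexp=GAX1.2.exp1.18; Max-Age=7776000; Path=/",
]

# Constructed: landing page HTML served while the consent banner is still open.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://example.ie/static/app.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=000000&ev=PageView" height="1" width="1"/>
<iframe src="https://widgets.third-party.example/embed"></iframe>
<div id="cookie-banner">We use cookies...</div>
</body></html>
"""

# Hypothetical inventory the controller reported: HTTP cookies only, which is
# the pattern the sweep found at several controllers.
DECLARED = {"cookie:PHPSESSID", "cookie:_ga"}


class ResourceCollector(HTMLParser):
    """Collect (tag, host) pairs for embedded scripts, images and frames."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <img .../> also arrive here.
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:
                self.hosts.add((tag, host))


def is_third_party(host, first_party=FIRST_PARTY):
    """True unless the host is the first-party domain or a subdomain of it."""
    return not (host == first_party or host.endswith("." + first_party))


def observed_trackers(set_cookie_headers, html, first_party=FIRST_PARTY):
    """Return the set of 'kind:name' items actually present before consent."""
    found = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name in jar:
            found.add(f"cookie:{name}")
    collector = ResourceCollector()
    collector.feed(html)
    for tag, host in collector.hosts:
        if is_third_party(host, first_party):
            found.add(f"{tag}:{host}")
    return found


def undeclared(observed, declared):
    """Items present on the live site but absent from the declared inventory."""
    return sorted(observed - declared)


if __name__ == "__main__":
    seen = observed_trackers(SAMPLE_SET_COOKIE_HEADERS, SAMPLE_HTML)
    for item in undeclared(seen, DECLARED):
        print("undeclared before consent:", item)
```

In real use the headers and HTML would come from a fresh browser profile with no consent choice stored; the point of the diff is that anything in the undeclared list is either a tracker the controller did not know about (the outsourcing problem the report describes) or one it chose not to report.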
Coverage
Irish Independent: ‘Irish data watchdog says healthcare companies may be sharing details with Google and Facebook’
Techcrunch: ‘Cookie consent still a compliance trash-fire in latest watchdog peek’
Irish Times: ‘Health websites may be sharing information ‘without lawful basis’’
—
The DPC is liaising with other European data protection authorities over concerns about Zoom (see last week’s Cat Herder, or anywhere news has been reported over the last month or more.)
—
The EDPB adopted a couple of mandates in its twentieth plenary, a Mandate on the processing of health data for research purposes in the context of the COVID-19 outbreak  and a Mandate on geolocation and other tracing tools in the context of the COVID-19 outbreak.
—
The EDPS gave the Apple-Google tracking partnership a cautious welcome, while promising to keep a close eye on it.
A little over two weeks ago the HSE confirmed it was working on an app for “real-time symptom tracking and digital contact tracing” which would be available within the next ten days or so. By providing that much information and no more, it created an information vacuum. Ten days later these scam messages began circulating.
Fergal Bowers (@FergalBowers), 8 Apr 2020, 6:29 PM:
Beware of this dangerous scam: Do not click on the link. If you get such a text, delete the text but also alert family & friends to this - especially the elderly. This is not how the HSE would contact you, if you were a close contact. https://t.co/GmhNwmnOoz
—
Digital Rights Ireland had some correspondence with the HSE about the app.
Antoin O'Lachtnain is quoted by The Irish Times as saying:
“It will, we are told, also collect information about users’ health status. We are told that the app is going to be opt-in [require user consent] at launch, but as time goes on we are concerned that further functions are added to it, and that we will eventually end up with an app to monitor covid-19 status that is ‘mandatory but not compulsory’ for people who deal with the public or work in a shared space,”
The Irish Times goes on to note:
The Government is consulting with the Data Protection Commissioner over the app, and told the group it will publish all associated documents, a Data Protection Impact Assessment, the source code and other documents when it is launched.
As has been said repeatedly, this is not the correct order in which to do things. The DPIA should be published before the app is launched so that it can be examined by experts and non-experts alike. The DPIA should have been carried out before any design and development work started.
This all happened before the big Apple-Google announcement on Friday: ‘Apple and Google launch a joint contact-tracing system for iOS and Android’.
We’ve no way of knowing whether the HSE will plough on down the furrow they’ve already started and ignore the Apple-Google venture or change their plans and timelines, since the APIs are not slated to be available until mid May.
To do the former seems foolish from the point of view of the HSE, especially if it means people have to leave their phone screens on all the time in order for the app to function, as might be the case.
The latest morsel of information about the HSE’s app appeared in the Irish Examiner yesterday. It’s known as CovidTracker Ireland. “The implementation timeline will be determined by the technical progress and the results from the security and product testing that is under way,” a spokesperson said.
So still no information about who is making the product design decisions, what the purpose of the app is, what data will be collected, who the data controller is, who the data will be shared with, how long the data will be retained for and how any required changes to legislation will be made given the lack of a properly constituted government.
It should be blindingly obvious to all of those involved in the development of this app that people are not going to use what is intended to be a population-scale surveillance tool unless they trust it. The continuing secrecy surrounding almost all elements of this project is not helping to foster any trust. The state as a whole has spent several years burning both credibility and trust on the altar of the Public Services Card. Adding a second botched implementation of a large scale digital project to this will do serious damage to future projects for years to come.
—
Coronavirus is not primarily a technological problem, nor one that can be solved by new, experimental and unproven technology, and any attempts to convert it into a technological problem are, well, problematic.
We think it is necessary and overdue to rethink the way technology gets designed and implemented, because contact tracing apps, if implemented, will be scripting the way we will live our lives and not just for a short period. They will be laying out normative conditions for reality, and will contribute to the decisions of who gets to have freedom of choice and freedom to decide … or not. Contact tracing apps will co-define who gets to live and have a life, and the possibilities for perceiving the world itself.
(From ‘The long tail of contact tracing’ by Miriyam Aouragh, Helen Pritchard, and Femke Snelting of The Institute for Technology in the Public Interest.)
ashkan soltani (@ashk4n), 10 Apr 2020, 6:11 PM:
While I suspect these tools will be framed as 'voluntary / opt-in' -- they will eventually become compulsory once policymakers begin to rely on them in order to decide, for example, who can leave the house or who can return to work -- setting an incredibly dangerous precedent.
—
The effectiveness of digital contact tracing tools is questionable, and the shortcomings are laid out comprehensively by Ross Anderson in ‘Contact Tracing in the Real World’, in which he assesses the proliferation of tracing apps as “really just do-something-itis”.
But the real killer is likely to be the interaction between privacy and economics. If the app’s voluntary, nobody has an incentive to use it, except tinkerers and people who religiously comply with whatever the government asks. If uptake remains at 10-15%, as in Singapore, it won’t be much use and we’ll need to hire more contact tracers instead. Apps that involve compulsion, such as those for quarantine geofencing, will face a more adversarial threat model; and the same will be true in spades for any electronic immunity certificate. There the incentive to cheat will be extreme, and we might be better off with paper serology test certificates, like the yellow fever vaccination certificates you needed for the tropics, back in the good old days when you could actually go there.
Expect to hear a lot more about immunity certificates and immunity passports over the coming weeks as various kites are flown about reopening the economy and the cure being worse than the disease.
Bear in mind that if the authorities currently developing a plethora of techno-magical solutions worldwide were honest with themselves they’d admit that what they’re really creating are ‘Apps for the next pandemic’.
Dan Grover | How Chinese Apps Handled Covid-19 (dangrover.com)
Chinese apps launched myriad features in response to Covid 19, directly supporting the most effective tactics the health system employed. What can we do in Silicon Valley?
It probably is happening here
University of Warwick hiding data security risks from students and staff (news.sky.com)
Security systems at the university were so bad that they could neither prevent nor even detect if hackers had broken in.
Reading and watching and listening this week.
  • “This is why data protection is uniquely equipped to let us fight the pandemic using personal data. It has literally been conceived and developed to allow the use of personal data by automated systems in a way that guarantees the rule of law and the respect of all fundamental rights. This might be the golden hour for data protection.” ‘Why data protection law is uniquely equipped to let us fight a pandemic with personal data’ by Gabriela Zanfir-Fortuna is a must read. Remember folks, ‘If you mean Data Protection, don’t say Privacy’.
  • 📹 Wojciech Wiewiórowski, the European Data Protection Supervisor, recorded a short video ‘EU Digital Solidarity: a call for a pan-European approach against pandemic’. There’s a transcript here.
  • If you’re interested in how the location data sausage is made, Charles Levinson has a good piece in Protocol, ‘Phone tracking is having a moment, but gay dating app Scruff wants no part of it’. ‘“It’s like (zero calorie) icing on the cake,” wrote a salesman from the Canadian mobile data company Tutela Technologies last July, touting the effortless revenue that selling users’ location data could yield.’
  • 🎧 New Zealand’s Privacy Commissioner John Edwards on RNZ. ‘Contact tracing technology. What are the privacy pitfalls?’.
  • Council of Europe: ‘Algorithms and automation: new guidelines to prevent human rights breaches’
  • 🎧 The Vergecast: ‘Apple and Google are building a coronavirus tracking system into iOS and Android’.
  • European Commission: ‘Coronavirus: Recommendation for the use of mobile data in response to the pandemic’
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland