Privacy Kit

August 19, 2018

Google, never not at it | The Cat Herder - Volume 1, Issue 3

The Cat Herder
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope 😼

¯\_(ツ)_/¯
Websites had two years to get ready for the GDPR. Rather than comply, about a third of the 100 largest U.S. newspapers have opted to block their sites in Europe. They include the Chicago Tribune, New York Daily News, Dallas Morning News, Newsday and The Virginian-Pilot.
‘More than 1,000 U.S. news sites are still unavailable in Europe, two months after GDPR took effect’, Nieman Lab
[Narrator]: They did see it coming. Nobody else listened.
BrianHonan
@BrianHonan
Reading this with my shocked face https://t.co/iuD4kx9dBQ
10:24 PM - 13 Aug 2018
What Brian is referring to is the investigation by the Associated Press into Google’s practice of tracking you even when “you explicitly tell it not to.”
Three things about this story -
ONE
It’s grubbily, unthinkingly unethical. Google will default to collecting as much personal data as possible because that’s just what Google does. To sell advertising, to train algorithms, Google needs vast amounts of data.
TWO
It has been reported fatalistically in most quarters. Much of the coverage focused on what steps an individual could take to stop Google doing this to them. If a company kept coming around to your house and illegally setting small fires in different rooms the advice offered by commentators should not be which fire extinguisher would be best to use to put out the fires. Yet that is what is being served up in the wake of this surprising-to-nobody-who’s-familiar-with-Google story.
Here’s a small sample: Silicon Republic / Irish Times / Irish Independent / Wired / Quartz / CNET / CNBC / Buzzfeed News / Gizmodo / MIT Technology Review
Ten stories should be more than enough for you to get the gist. Rather than complaining about the practice itself the articles mostly attempt to educate users in defending themselves against Google’s behaviour. This is an unusual position we collectively find ourselves in, no?
Before we move on, there was worse from some corners of the Fourth Estate. 
Dr Karlin Lillington
@klillington
Oh good grief -- cannot believe a tech journalist has just thrown out the 'if you have done nothing wrong you have done nothing to hide' in relation to Google tracking your movements EVEN IF YOU TURNED THE SETTINGS OFF. We do NOT have to trade privacy for services. EVER @TodaySOR
10:34 AM - 14 Aug 2018
The nothing to hide argument is normally trotted out to defend state surveillance. Hearing it being used in defence of a private company by somebody not employed by that company is pretty amazing, and not in a good way. <Insert giant furiously-rolling-eyes emoji here>
THREE
This story has wider ramifications than just Google being Google and everyone shrugging, sucking it up and sharing tips on how to minimise the impact on themselves individually. Although it’s finally sunk in across the wider media coverage of Google and Facebook that these are advertising companies that make their extraordinary revenues through acquiring and processing personal data in questionable ways, and hacks delightedly trot this line out routinely, they are also large software shops which are influential in moulding and shaping the technologies that are used on the web. If Google are shipping software to their billions of users which does not do what any reasonable person could expect it to then how can we trust any software?
Where others lead, Ireland will surely follow.
There:
‘South Korean women aren’t safe in public bathrooms - or their homes - because of spy-cam porn’, Quartz
Here:
‘Dublin man with 16 CCTV cameras convicted of harassment after secretly filming neighbours’, Irish Independent
Anything that happens anywhere else in the world can happen in Ireland because the same technology is available worldwide and human nature is pretty similar across continents and cultures.
The European Data Protection Supervisor published an “Opinion on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents”. [Direct PDF link to Opinion]
In short, the European Commission wants to increase the security of identity documents and achieve a greater level of consistency and interoperability between member states’ ID cards. The Commission published a proposal document in April setting out their preferred options as to how this could be done.
In his Opinion responding to the proposal Giovanni Buttarelli, the current European Data Protection Supervisor, is not convinced that collecting two types of biometric data, facial images and fingerprints, is justified. 
The EDPS understands that using biometric data might be considered as a legitimate anti-fraud measure, but the Proposal does not justify the need to store two types of biometric data for the purposes foreseen in it. One option to consider could be to limit the biometrics used to one (e.g. facial image only). (Executive Summary)
Of particular interest to the Department of Employment Affairs and Social Protection here in Ireland will be the confidence, conviction and aplomb with which the European Data Protection Supervisor refers to facial images as biometric data throughout his Opinion. It gives one the impression of a man untroubled by any doubts about this fact.
In contrast, the Department’s current position still appears to be that facial images are not biometric data. See ‘The Cat Herder’, Volume 1, Issue 1 for more on this continuing ludicrous attempt to dodge reality.  
The authors of the impact assessment prepared by the Council as support for their proposal also seem pretty sure facial images are biometric data. Here are a few quotes from the impact assessment, just in case you were wondering if anyone else on the face of the planet besides the Department of Employment Affairs and Social Protection is claiming facial images used for facial recognition aren’t biometric data. [Direct PDF link to impact assessment]
Following five-year investigation into the operational needs for a biometric identifier which balances effectiveness to achieve this identification purpose with practicality privacy laws, ICAO specified that facial recognition become the globally interoperable biometric technology, accessed contactlessly, with fingerprints or iris recognitions as options in support. (Page 12, Footnote 44)
—
It will require citizens to provide biometric data in the form of a photograph (Page 51)
—
The provisions on ID cards and on uniform format residence cards including biometrics affect the protection of private life and personal data (Article 7 and 8 CFEU), because they involve the collection, storage and processing of personal data, including biometric data (facial image and potentially fingerprints) about the bearer of the card. (Page 59)
We’ll wrap this section up with one more quote from the European Data Protection Supervisor about processing biometric data.
The EDPS would like to emphasise that the processing of biometric data constitutes a limitation on the fundamental rights to privacy and personal data protection and, like any interference with a fundamental right, must comply with the criteria set out in Article 52(1) of the Charter of Fundamental Rights of the European Union (hereinafter “the Charter”). In addition to being provided for by law, any limitation must respect the essence of the right and, subject to the principle of proportionality, be necessary and genuinely meet objectives recognised by the Union or the need to protect the rights and freedoms of others. (Paragraph 13)
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? August 18th 2018 👀
‘On Weaponised Design’ by Cade, part of the Our Data Our Selves series from the Tactical Technology Collective. The European Court of Human Rights Factsheet on new technologies, June 2018 [Direct PDF link]. One Redditor’s privacy journey. This interview with Ann Cavoukian in Forbes, ‘Will Privacy First Be The New Normal?’ This New York Times feature by Nicholas Confessore on the people behind California’s new privacy laws. Giovanni Buttarelli (AKA “Mr. GDPR”, apparently) in the Washington Post on how ‘Big tech is still violating your privacy’. Well yes, indeed. See above.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
Privacy Kit, Made with 💚 in Dublin, Ireland
