Privacy Kit

June 21, 2020

Identifiable | The Cat Herder, Volume 3, Issue 23

June 21 · Issue #87
The Cat Herder
It’s ten weeks since the growth of prospective Covid-related surveillance technologies prompted the addition of the Coronopticon section to this newsletter. The Coronopticon section has now very definitely expanded into the other sections as the Norwegian Data Protection Authority shut down the Norwegian Institute of Public Health’s Covid tracking app.
It should be noted that the response of the Institute of Public Health to the instructions given by the Norwegian DPA stands in stark contrast to the behaviour of the Irish Department of Employment Affairs and Social Protection over the Public Services Card.
😼

Mortgage blunder forces EBS to issue apology - Independent.ie
Leading lender EBS has written to 16,000 mortgage holders to apologise after mistakenly reporting them to the Irish Credit Bureau for missing payments.
This is more than just a blunder. This is a breach of (at the very least) the accuracy principle and has likely caused distress to a significant proportion of the 16,000 data subjects affected.
Health Minister Simon Harris answered a question from Ossian Smyth in the Dáil during the week about “the status of the Covid tracking app”.
There is good progress being made and I hope that I, or possibly my successor, will be in a position soon to seek formal Government approval to roll out the app. I have quite a lot of information here and I can arrange for a further updated briefing. It is about making sure that we get the app entirely right. The data protection impact assessment and the source code have not yet been published but I have given a commitment that they will both be published before the launch of the app because that is very important for public buy-in.
Over in the UK came capitulation and an admission that they absolutely hadn’t got the app entirely right.
Post-mortems appeared in Wired, MIT Technology Review, the BBC and elsewhere.
From the BBC piece by Rory Cellan-Jones:
At the end of March, I got a text from a senior figure in the UK’s technology industry. This person said they were helping the NHS “on a very substantial project that will launch in days and potentially save hundreds of thousands of British lives.”
It is in some ways sad to think we here in Ireland will never make the acquaintance of the first iteration of the HSE app which was also ready to launch “within ten days” back on the 29th March.
Jack Horgan-Jones
@JackHoJo
HSE head of comms confirms @susmitchellSBP scoop on contact tracing app from this morning. Says it is likely to be available in the next ten days or so. Working with @DPCIreland and others on GDPR etc.
11:54 AM - 29 Mar 2020
FBI used Instagram, an Etsy review, and LinkedIn to identify a protestor accused of arson - The Verge
It took an Etsy review, a LinkedIn profile, a handful of Instagram videos, and a few Google searches for FBI agents to identify a masked woman they say set two police vehicles on fire during protests in Philadelphia after the killing of George Floyd by law enforcement.
This could be a useful case study if you ever come across somebody who’s struggling with the European concept of personal data as opposed to the (predominantly) American concept of Personally Identifiable Information (PII).
Anything which is personal data falls within the scope of European data protection law. That definition is extremely broad and has been confirmed as such by several judgements of the CJEU, such as Breyer and Nowak.
There is no list of what constitutes personal data and what does not. What is personal data hinges on identifiability and individuation, the ability to single out a person from a group.
Recital 26 of the GDPR reads:
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
The story above highlights what identifiable can mean in a world with so much personal data being processed by so many data controllers at every second of every day.
Much of this data is then linked together, as is illustrated in this story about a data breach of mind-boggling proportions, ‘Oracle’s BlueKai tracks you across the web. That data spilled online’.
According to the data, Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app.
For those unfamiliar with the brand, Tim Hortons is Canada’s favourite purveyor of coffee and doughnuts. Not an entity that has any pressing need to carry out any surveillance of its customers at all, let alone surveillance this intrusive and on this scale.
“Radar, as described, is turning your phone into a device that’s constantly streaming your location to a remote server,” Atwater said. “It’s unexpected. It’s certainly far more invasive than I would consider acceptable for a coffee shop app. I don’t think any of us want corporations watching every single move we make without any insight into it.”
Double-double tracking: How Tim Hortons knows where you sleep, work and vacation | Financial Post
Tim Hortons is logging detailed location data of customers through its app — and many may not realize it’s happening at all
In the Irish Times Karlin Lillington highlighted some interesting findings from research carried out by the EU’s Agency for Fundamental Rights. When people were asked about sharing an image of their face:
Ireland falls about in the middle, with only about one in 20 willing to share with private companies and one in five with public administrations.
This is interesting, given the widespread rollout of the controversial Public Services Card by the Government, which contains a biometric facial scan that’s even more revealing than a “facial image”.
These findings from more than 1,000 Irish people sit at odds with the Government’s continuing insistence that most people are happy to be issued a PSC. Either the Government’s surveys are wrong, or people do not realise the PSC contains a surveillance-based facial image.
It won’t be all that surprising if DEASP sallies forth brandishing a survey of its own, carried out on its behalf at the beginning of 2019. This has happened on many previous occasions in the intervening period. As was mentioned in Volume 2, Issue 9 of this newsletter in March of last year, the findings of this research have also on occasion been misrepresented.
This piece also states “research commissioned by the Department has found that 96% of those with a Public Services Card (PSC) are either very satisfied or fairly satisfied with them.” The research published on the Department’s website says no such thing. 96% of those surveyed were either very satisfied or fairly satisfied with the SAFE registration process.
As the department’s website has been shifted onto the gov.ie domain since then and the link to the survey no longer works, here it is on archive.org for those interested (direct link to PDF).
The results of a survey do not make for a lawful basis for processing personal data, nor do they meet a data controller’s transparency, information and accountability obligations.
Following a warning from the watchdog Friday, the Norwegian Institute of Public Health (FHI) said today it will stop uploading data from tomorrow — ahead of a June 23 deadline when the DPA had asked for use of the app to be suspended so that changes could be made. It added that it disagrees with the watchdog’s assessment but will nonetheless delete user data “as soon as possible.”
TechCrunch: ‘Norway pulls its coronavirus contacts-tracing app after privacy watchdog’s warning’
—
Helen Dixon said at a (virtual) event during the week that the DPC will “shortly start an enforcement campaign against organizations that have failed to appoint a DPO, or failed to properly notify the appointment of a DPO to the DPC”.
She also said “The GDPR has become the law of everything and the law of everyone”, which is accurate given the scope of the GDPR and its ambition to guarantee protection of all the rights and freedoms of data subjects, not just data protection rights.
  • “So far, the heads of every major app-based contact tracing deployment that has come forward, including Singapore, Iceland, and South Korea — have all said the apps played a small role, if any. Public health officials in Israel have raised concerns about negative effects on response efforts and Australia and the United Kingdom have been beset by a number of stumbling blocks. Said a different way, even if a government does a good job of building and deploying app inside of strong health systems, which isn’t guaranteed, there’s no indication it’s worth the effort or cost.” Sean McDonald and Bianca Wylie in ‘Building a Multi-Step Plan for Canada’s Long Road Ahead’.
  • “But what would happen, instead, if we could occupy digital products and services and start to bend them to our will? Take the fact that our actions and reactions inspire their development, and so behave intentionally — hold space, be thoughtful, do unexpected things —and be benevolent hackers and adapters?” asks Rachel Coldicutt in ‘Let’s occupy technology with love’.
  • “When people are afraid for their own health and that of their family members, we tend not to balance that immediate fear with the long-term harm to our freedoms and rights. That’s precisely the sort of imbalance that many states are counting on right now—that individuals will give up the idea that there is a realm of privacy that is rightly theirs, that individuals will give away the most intimate of their health and biometric data to the government.” Fionnuala Ní Aoláin talks to Esquire as part of a collection of twenty individual stories.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland