In Perpetuity | The Cat Herder, Volume 1, Issue 5
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope.
😼
One user was shown a video titled, ‘Homosexuality Was My Identity.’
Facebook removed these ads when users complained. So perhaps this isn’t Facebook’s fault, strictly speaking, but it does go to show how Facebook’s platform can and will be used in unanticipated and damaging ways. Facebook has a moral and ethical obligation to try and anticipate the ways in which their platform can be used to cause harm and prevent this before it happens.
Richard Purcell was Microsoft’s first Chief Privacy Officer. He once described the difference between security and privacy like this: “Security is protecting companies from the world. Privacy is all about protecting the world from companies.” It’s a good one to remember when things like this happen.
Facebook are also pleading an inability to easily find personal data because they have so much of it as a reason not to fulfil their obligations. Get away out of that. It most definitely is Facebook’s fault if Facebook took some technical decisions which led to the deployment of a storage system that wasn’t designed with the interests and rights of data subjects in mind but rather Facebook’s institutional desire and compulsion to acquire and keep all the data.
GDPR: it means give users their data when they ask for it, and Facebook’s refusal to do so has provoked an inquiry by the Irish DPC.
Child and Family Agency launches €10m childcare database to replace 17 separate systems across the State
We shall probably never know why Fergal Collins of Tusla’s programme management office chose the phrase “in perpetuity” at the launch of the National Childcare Information System. People do strange things at press conferences. A press conference is, after all, frequently a promotional event at which overambitious claims are made in the hope they will be reported. Hyperbole is common. Why say you’re going to keep something for a long time when you can say you’re going to keep it forever? Forever sounds much more impressive.
It would be reasonable to say this phrase may come back to haunt him - and Tusla - over a long period of time but even this stretch will be nowhere near as long as in perpetuity.
Saying out loud that you plan to keep personal data forever rightly sets off huge, clanking alarm bells in the heads of people even slightly versed in the principles of data protection. Because one of these core principles is that personal data should be stored for only as long as is necessary. This would appear to be impossible to achieve if, as Mr Collins has extravagantly claimed, Tusla plans to keep this personal data until the heat death of the universe.
The Irish state has what could be generously described as an inauspicious track record with projects that handle large amounts of personal data.
The Primary Online Database (partially deceased, for the moment) and the biometric register which powers the Public Services Card (still lurching onwards, bending, twisting and crushing reality beneath its digital caterpillar tracks as it goes) are the largest recent examples.
(If you aren’t familiar with the story of the Primary Online Database, start with Rossa McMahon’s podcast where he chats to Simon McGarr about it. If podcasts aren’t your thing there are links to further reading on the same page.)
Since this gleaming new database of Tusla’s has been launched with what seems to be close to no awareness of data protection principles or law, it appears that the Irish state is still determined not to learn any lessons from previous failures.
A company that sells surveillance software to parents and employers left “terabytes of data” including photos, audio recordings, text messages and web history, exposed in a poorly-protected Amazon S3 bucket.
All data leaks eventually. The longer the data is held for the greater the chance it will leak. This is why reasonable people don’t attempt to hold personal data in perpetuity.
With California setting a benchmark for restrictions, companies are lobbying to supersede it with proposals that would give them wide leeway on how they handled personal data.
Having fiercely resisted privacy regulation and legislation up until this year, the large technology companies have performed an adroit u-turn in the face of seeming inevitability in the United States. And now they are bending over backwards to help. But they have concerns that some unfortunates might miss out on discounts. Their lobbyists might even recommend “voluntary standards”. Standards written by them, for them to live up to. Which is self-regulation. Which is no regulation at all. Nobody could have seen that coming, eh?
Pro tip: whenever I T I C enters the room, start laughing. The tech equivalent of the 1950s car manufacturers who said mandatory seatbelts were government infringement on personal freedom. https://t.co/nUo0TdWUKB
— Heather Burns (@WebDevLaw) August 27, 2018
Do you remember that time before May 25th when there was much talk in corners of the business press of the eye-popping fines that would be handed out for non-compliance with the GDPR? Often apparently based on the assumption that traditionally cautious, conservative and enterprise-friendly regulators would suddenly go wild and hit anyone and everyone with the maximum fines available just for the hell of it. That hasn’t happened. As anyone with an ounce of sense predicted.
The International Association of Privacy Professionals (IAPP) has a good piece on what the regulators across Europe are up to when it comes to fines and processing bans. TL;DR: the wheels of enforcement are turning, but slowly.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? September 2nd 2018
Susan Crawford in Wired makes a strong argument for ‘Public Interest Technology’ courses to be taught at third-level. “In an era in which data is everything, the risks to core democratic principles—equity, fairness, support for the most vulnerable, delivery of effective government services—caused by technological illiteracy in policymakers, and policy illiteracy in computer scientists, are staggering.”
“Who owns me (as a site of valuable data), and what happens to the economic value of the data extracted from me?” asks Nicholas Carr in ‘I am a data factory (and so are you)’.
Andrew Smith in the Guardian takes on algorithms and the many (deliberate?) misunderstandings of what they are, how they work and how inscrutable they have become.
In Dark Reading Dana Simberkoff unpicks a few studies to reveal that the only area of technology where a gender gap doesn’t appear to exist is in data protection and privacy. “Tech industry leaders can look to the data privacy industry as an example of what happens when stereotypes, toxic subcultures and pay inequities are taken off the table.”
—
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.