Privacy Kit

September 16, 2018

KARMA POLICE | The Cat Herder, Volume 1, Issue 7

September 16 · Issue #7
The Cat Herder
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope.
😼

¯\_(ツ)_/¯
Google China Prototype Links Searches to Phone Numbers
theintercept.com
Google’s plan for a censored search engine in China also blacklists terms like “Nobel Prize” and “human rights.”
It’s probably for the best if you think up your own “don’t be evil” joke.
[Narrator]: They did see it coming. Nobody listened.
Council urged to make disclosure over Cork data breach
www.rte.ie
A former Lord Mayor of Cork has called on the city council there to make a full disclosure in relation to a data breach which resulted in personal details of more than 5,000 of the council’s Park by Phone customers being accessed.
Privacy by design would have prevented this, as would learning from identical mistakes in similar systems. Public shaming can also be useful.
Troy Hunt: The Effectiveness of Publicly Shaming Bad Security
www.troyhunt.com
Yes it will
The Intercept published an investigation into how LinkNYC free WiFi kiosks in New York City are fully capable of tracking users’ locations. In the surveillance capitalism equivalent of the public-private partnership, the operator of the kiosks, CityBridge, plans to earn back their investment through advertising. So it comes as no surprise to discover that Google are behind this.
The key player in CityBridge is known as Intersection, and one of Intersection’s largest investors is Sidewalk Labs, with whom it also shares the same offices and staff. Sidewalk Labs CEO Daniel Doctoroff is the chair of Intersection’s board. Sidewalk Labs is owned by Google’s holding company, Alphabet Inc.
Adrian Short pointed out on Twitter that a similar corporate structure is being used to somewhat obscure Google’s involvement in the InLink system in the UK.
Adrian Short
@adrianshort
@yashalevine Same as the #InLink system in the UK: just another Google front.

https://t.co/s7mPxqn3Bq #LinkNYC https://t.co/Bcq3CN2vBr
1:11 PM - 10 Sep 2018
Beware free WiFi, wherever you may find it.
This headline speaks for itself. 
GCHQ data collection regime violated human rights, court rules | The Guardian
www.theguardian.com
Surveillance system revealed by Snowden breached right to privacy, Strasbourg judges say
Matthew Ryder
@mryderqc
Today’s judgment is a huge vindication of @Snowden and others.

In June 2013, within a week of @Snowden I was representing @libertyhq, in challenging @GCHQ bulk surveillance powers.

Today the ECtHR agreed with him and with us. The powers were unlawful.

https://t.co/Hi5igTAD1v
10:08 AM - 13 Sep 2018
Graham Smith on Cyberleagle explains why this is significant and of far more than just historical interest: 
The fact that the judgment concerns a largely superseded piece of legislation does not necessarily mean it is of historic interest only. The Court held that both the RIPA bulk interception regime and its provisions for acquiring communications data from telecommunications operators violated Article 8 (privacy) and 10 (freedom of expression) of the European Convention on Human Rights. The interesting question for the future is whether the specific aspects that resulted in the violation have implications for the current Investigatory Powers Act 2016.
Some more detail from BoingBoing which explains the title of this issue: ‘KARMA POLICE: GCHQ’s plan to track every Web user in the world’
Public sector privacy pratfalls.
Is anyone else beginning to feel that maybe, just maybe it’s a bad idea to build a giant biometric database of everyone in a particular country? As far as we’re aware nobody has yet come up with a comprehensive plan for issuing new faces and fingers to everyone in any particular country in the event of a data breach.
UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm
www.huffingtonpost.in
Skilled hackers disabled security features of Aadhaar enrolment software, circulated hack on Whatsapp
In the UK former Home Secretary Amber Rudd, renowned for her spirited battles with encryption, mathematics and hashtags, floated the idea of national ID cards again.
First it was hashtags – now Amber Rudd gives us Brits knowledge on national ID cards • The Register
www.theregister.co.uk
What Rudd is suggesting sounds an awful lot like the Public Services Card / MyGovID system in Ireland, as currently administered by the Sideshow Bob Rake Department. One notable difference is that where the Irish State continues to go to surreal lengths to avoid using the word ‘biometric’ (see The Cat Herder, Issue 1), Rudd is refreshingly upfront about it.
Coincidentally, as reported in The Irish Times, the Sideshow Bob Rake Department “has just signed a €383,000 contract with UK firm Gemalto for the design, development and implementation of upgraded facial recognition software.”
Obviously we’re repeating ourselves here but, once again, it’s not possible to deploy a facial recognition system such as this without processing biometric data.
The company who sold this upgraded facial recognition software to the Department list facial recognition in the Biometrics section of their catalogue. They seem pretty sure that facial recognition software requires the processing of biometric data.
Perhaps the UK’s Information Commissioner shouldn’t have been as surprised that individuals are interested in data privacy as she appeared to be during the week:
ICO
@ICOnews
Elizabeth Denham to the @UKHouseofLords : “Individuals have come to our office to exercise their new GDPR rights way more than we anticipated. We thought it might be a 30 or 40% increase. It has been a 100% increase in the first three months of GDPR.”
4:08 PM - 11 Sep 2018
People like exercising their rights once they’re aware of them and they know how to go about it. The Irish Data Protection Commission has an accessible guide to an individual’s rights available here - scroll down to the bottom of the page for a more detailed PDF.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? September 16th 2018 
It often feels as though these companies took on their pivotal positions so quickly that no one — not even their employees — had a chance to understand how they really worked or how much influence they had.
In a sharp piece in the New York Times Nathaniel Popper explored some of the similarities between where the personal data guzzling tech titans find themselves now and where the banks found themselves a decade ago.
New research from the Pew Research Center (fieldwork May / June 2018) shows that Americans are treating Facebook quite differently in 2018. Around two-thirds of younger people have recently adjusted their privacy settings; almost half of the same cohort have taken a break from checking Facebook entirely for several weeks or more and 44% of the 18-29 age group have deleted the app from their phone.
A team of nine Engadget reporters in London, Paris, New York and San Francisco filed more than 150 subject access requests – in other words, requests for personal data – to more than 30 popular tech companies, ranging from social networks to dating apps to streaming services. We reached out before May 25th – when previous laws for data access existed in the EU – as well as after, to see how procedures might have changed.
Chris Ip’s ‘Who controls your data’ is part of a series on Engadget called ‘Data retrieval: How big tech manages your personal information’. You really should read it all if you have the time.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
Privacy Kit, Made with 💚 in Dublin, Ireland
