Privacy Kit

May 30, 2021

Loose Flashcards Sink Safeguards | The Cat Herder, Volume 4, Issue 20

May 30 · Issue #133
“So there is no way to give a third party app your location and not Google?” The naiveté of those who work for the data slurping monsters can be so charming.
😼

Jason Kint
@jason_kint
Most damning in newly unsealed evidence (1) Google’s employees admitting there's almost no way NOT to provide your location to Google (2) Google designs its ecosystem for location data collection.
“This doesn’t sound like something we would want on the front page of the NYT.” /4 https://t.co/Ke7d8IDDoQ
8:06 PM - 28 May 2021
'Apple is eating our lunch': Google employees admit in lawsuit that the company made it nearly impossible for users to keep their location private
www.businessinsider.com
Google misled phone makers into hiding privacy settings users liked in order to collect more location data, according to newly unredacted documents.
Including some public sector shenanigans from the UK for a change
It would seem that officials in Heather Humphreys’ Department of Justice understand how European Regulations work, based on this written answer to a parliamentary question, supplied on the third anniversary of the GDPR becoming enforceable.
“The Deputy will appreciate that the General Data Protection Regulation (GDPR) is an EU wide instrument and Member States including Ireland cannot deviate from its provisions, nor will guidelines supersede that position.”
Perhaps these officials could have a word with their counterparts in the Department of Children, Equality, Disability, Integration and Youth who have been very publicly struggling to come to terms with this fact since at least last September when they produced the General Scheme of a Preservation and Transfer of Specified Records of the Commission of Investigation (Mother and Baby Homes and certain related Matters) Bill, which attempted to ‘seal’ records for thirty years.
This Bill became the Commission of Investigation (Mother and Baby Homes and certain related Matters) Records, and another Matter, Act 2020 less than six weeks later, with the Minister and his officials still insisting the GDPR didn’t apply for … reasons.
Minister O’Gorman has said that the advice he was given from the Attorney General is that GDPR does not apply to the archive.
Mother and baby homes: Children's Minister says he will meet with survivors and academics over '30-year issue' - Independent.ie
www.independent.ie
After a controversial vote in the Dáil last night on mother-and-baby home legislation which was passed, Children’s Minister Roderic O’Gorman said he will meet with survivor groups.
Nobody outside of the Department ever seems to have clapped eyes on the advice from the AG before the AG said it wasn’t his advice a few days after the Act had been signed into law by the President.
The Department of Children has recently embarked on another legislative adventure in this area with the publication of the Draft Heads and General Scheme of Birth Information and Tracing Bill.
While much detail needs to be added this draft could be read as the Department, rather than simply accepting that all the provisions of the GDPR apply to these records, attempting to create a parallel system by which individuals can access their records, with no supervision by the independent supervisory authority and no timelines for responses from data controllers which must be adhered to.
—
The NHS is continuing with its plan to compel GPs to hand over all patient data - people’s entire medical histories - and store it all in one big ol’ database which will be accessible by third-parties both academic and commercial.
Not only that, the NHS is going about it in just about the most system-wide-dark-patterns-writ-large way imaginable.
This is utterly corrosive to trust.
Axel Heitmueller
@axelheitmueller
A brilliant and well thought through example of nudge in practice:

✅Don’t advertise change other than through a blog
✅Opt out not in
✅Requires finding the right form
✅Requires printing the form
✅Requires posting the form to a GP

All this from a digital agency. https://t.co/p56ObR8glc
7:22 AM - 29 May 2021
The surge in online-proctoring services has launched a wave of complaints … Other anecdotes call attention to the biases that are built into proctoring programs. Students with dark skin described the software’s failure to discern their faces. Low-income students have been flagged for unsteady Wi-Fi, or for taking tests in rooms shared with family members. Transgender students have been outed by Proctorio’s “ID Verification” procedure, which requires that they pose for a photograph with an I.D. that may bear a previous name. In video calls with live proctors from ProctorU, test-takers have been forced to remove bonnets and other non-religious hair coverings—a policy that has prompted online pushback from Black women in particular—and students accessing Wi-Fi in public libraries have been ordered to take off protective masks.
Is Online Test-Monitoring Here to Stay? | The New Yorker
www.newyorker.com
Despite students’ complaints and the coming return to in-person learning, Proctorio and its rivals are betting on a lucrative future.
Perhaps not to this extent ...
This is what happens when you put things on the internet. Which is of course just a series of interconnected and frequently poorly secured someone-else’s-computers.
Like their analogue namesakes, flashcard learning apps are popular digital learning tools that show questions on one side and answers on the other. By simply searching online for terms publicly known to be associated with nuclear weapons, Bellingcat was able to discover cards used by military personnel serving at all six European military bases reported to store nuclear devices.
US Soldiers Expose Nuclear Weapons Secrets Via Flashcard Apps - bellingcat
www.bellingcat.com
Online study aids used by US soldiers contained detailed information about base security and the location of nuclear devices in Europe.
If you use Alexa, Echo, or any other Amazon device, you have only 10 days to opt out of an experiment that leaves your personal privacy and security hanging in the balance.
On June 8, the merchant, Web host, and entertainment behemoth will automatically enroll the devices in Amazon Sidewalk. The new wireless mesh service will share a small slice of your Internet bandwidth with nearby neighbors who don’t have connectivity and help you to their bandwidth when you don’t have a connection.
Amazon devices will soon automatically share your Internet with neighbors | Ars Technica
arstechnica.com
Amazon’s experiment wireless mesh networking turns users into guinea pigs.
The Garante warned the Campania region that the vaccination certification system used in the region was not compliant with the GDPR. On a number of grounds. Including perennial favourite, no DPIA.
—
Privacy International, the Hermes Center for Transparency and Digital Human Rights, Homo Digitalis and noyb filed complaints against Clearview AI with regulators in France, Austria, Italy, Greece and the UK.
  • “The recent renaming of the certificate from a generic ‘Green Digital Certificate’ into ‘EU Digital COVID Certificate’, seemingly limits its scope to the COVID pandemic. But as we know from the USA PATRIOT Act that was introduced short after 9/11 and never fully retracted, or anti-terrorism measures in France that were extended five times, once in place––when dependencies are created, “crisis measures” risk becoming permanent. Although the Regulation has attempted to address this concern by including a clause that deals with rollback by stating that it “should be lifted as soon as the epidemiological situation allows”, this does not guarantee it is just a temporary measure.” The Institute for Technology in the Public Interest submitted a bug report to the. Seda Gürses has an accompanying thread on Twitter setting out some unanswered questions about the project.
  • “It appears the Government has three choices: appeal to the Supreme Court (which takes time) or ask the European Commission for time extension to sort out the data protection adequacy mess (e.g. the Government commits to amending the DPA2018 in the current Parliamentary session to include the missing safeguards). Alternatively, the UK in the guise of the Home Office (Prop. Ms Priti Patel) could decide to state that it is taking back control of its “data protection laws and borders”- in which case, there is no change to UK law and a European Commission adequacy determination becomes a pipe-dream.” From ‘Judgement in immigration exemption case could cause chaos and threaten any adequacy determination for the UK’ on the Hawktalk blog.
  • “Wiewiórowski believes there is a “danger” that a lack of consensus in the decision-making process could lead to DPAs “disowning decisions they don’t like” while the lead supervisory authority is forced to uphold a decision with which it disagrees. He says the one-stop shop is “not practical.” From ‘Three years of GDPR: Many milestones, but calls for change increase’ by Neil Hodge for Compliance Week.
  • “Coming up with laws and policies to stop it from doing so is a vital task for governments. As the Biden administration and Congress contemplate federal privacy legislation they must not succumb to a common fallacy. Laws guarding the privacy of people’s data are not only about protecting individuals. They are also about protecting our rights as members of groups—as part of society as a whole.” From ‘Collective data rights can stop big tech from obliterating privacy’ by Martin Tisne for MIT Technology Review.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
