Megashambles | The Cat Herder, Volume 2, Issue 36

The PSC clowning around intensifies into something even more alarming. 😼   September 22 · Issue #52 · View online The PSC clowning around intensifies into something even more alarming. 😼 Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob. The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across Britain. Visible and highlighted were the cars’ numberplates, though drivers were not visible in the low-res images seen by The Register. Tesco parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images • The Register www.theregister.co.uk – Share Where to start? Presumably most of you will have been feeling that there weren’t too many big surprises left in the absolute shambles that is the Public Services Card project. The next steps seemed somewhat clear. The DPC would issue an enforcement notice and we’d see how the government reacted to that. But no. This morning The Journal published some of the minutes of a meeting in which the most senior civil servants in the country appear to be conspiring to breach Article 8 of the Charter of Fundamental Rights of the European Union and an assortment of provisions of the GDPR. If the circumstances before the publication of this story were unfortunate, this makes the situation genuinely alarming. This meeting of the Civil Service Management Board took place in June of this year. The draft report from the DPC was sitting on the desks of two of the secretaries-general who took part in this meeting (one of whom was also in the news this week for refusing to appear before the Public Accounts Committee to answer questions about the PSC), the most significant data protection law in a generation had been in force for over a year and yet there is a determination at the highest levels of the public service to ignore the law entirely. If this is how decisions relating to the state’s national-scale handling of personal data projects are being made then the mess is far, far larger than simply the sprawling, embarrassing catastrophe of the Public Services Card and its underlying dodgy database. Going back to the start of the week, on Monday it was reported that the Department of Employment Affairs and Social Protection had refused to release the DPC’s report on foot of an FOI request made by TJ McIntyre of Digital Rights Ireland. The department’s reasons were nothing if not dramatic. ‘making the report public would “have a serious adverse effect on the ability of the Government to manage the national economy and the financial interests of the State”.’ On Tuesday the department published the report. Katherine O'Keefe did some fantastic analysis of it, collected in a Twitter Moment here. The report itself is here (direct PDF link) and the department’s response is here (direct PDF link). The department also took the rather unusual step of publishing what it called a ‘Quick Guide to the Final Investigation Report by the Data Protection Commission’ which is not much more than ten pages of spin. You can read that here (direct PDF link). ‘Government 'will not comply’ with findings on Public Services Card’ Irish Times On Wednesday it was reported that the Passport Office would no longer require the PSC to apply for a passport. On Thursday it was reported that applicants for the new National Childcare Scheme would not be required to have a Public Services Card. In an opinion piece in The Irish Times on Saturday TJ McIntyre put the whole thing in the wider context of systematic mismanagement. So who knows now what the next week will bring. Facebook would like you to attach a camera to your TV so your TV can watch you. Facebook launches Portal TV, a $149 video chat set-top box – TechCrunch techcrunch.com – Share Facebook wants to take over your television with a clip-on camera for video calling, AR gaming and content co-watching. If you can get past the creepiness, the new Portal TV lets you hang out with friends on your home’s biggest screen. It’s a fresh product category that could give the social network a unique foothold […] The Polish DPA fined a data controller ~€645,000 for insufficient organisational and technical safeguards which led to the personal data of over 2.2 million people being exposed. — The Berlin DPA fined a food delivery company €195,000 for failure to respond to subject access requests, failure to delete personal data and retaining personal data for an excessive amount of time, among other things. (Direct link to PDF in German) — The Belgian DPA fined a retailer €10,000 for disproportionate use of the Belgian electronic identity card for the purpose of creating a loyalty card. “There is a troubling lack of transparency in these practices. The Times’s privacy policy does not disclose the vast majority of tracking companies (including BlueKai) on its site, requires users to accept cookies to fully use the site and explicitly states that The Times ignores the “do not track” browser setting.” The New York Times allowed Timothy Limbert to write ‘This Article Is Spying on You’. “Two parties — nonprofit watchdog group Housing Rights Initiative and a D.C. woman seeking to lead a class-action group — filed human rights complaints Wednesday with administrative agencies in D.C. and Maryland. They allege that seven housing companies that lease or manage properties in the metropolitan area used Facebook’s advertising system to target specific age groups, excluding others. They also allege Facebook’s algorithms compounded the issue by disproportionately showing the ads to younger users.” writes Marie C. Baca in the Washington Post. “Where did these images come from? Why were the people in the photos labeled this way? What sorts of politics are at work when pictures are paired with labels, and what are the implications when they are used to train technical systems? In short, how did we get here?” Kate Crawford and Trevor Paglen‘s essay 'Excavating AI: The Politics of Images in Machine Learning Training Sets’. “What DRN has built is a nationwide, persistent surveillance database that can potentially track the movements of car owners over long periods of time. In doing so, highly sensitive information about car owners can be made available to anyone who has access to the tool.” Joseph Cox writes in Motherboard about a surveillance database of 9 billion license plate scans accessible by private investigators in the U.S. —— Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. Barring a disaster we’ll be in your inbox again next weekend. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

The PSC clowning around intensifies into something even more alarming.

😼

Where to start? Presumably most of you will have been feeling that there weren’t too many big surprises left in the absolute shambles that is the Public Services Card project. The next steps seemed somewhat clear. The DPC would issue an enforcement notice and we’d see how the government reacted to that.

But no. This morning The Journal published some of the minutes of a meeting in which the most senior civil servants in the country appear to be conspiring to breach Article 8 of the Charter of Fundamental Rights of the European Union and an assortment of provisions of the GDPR.

If the circumstances before the publication of this story were unfortunate, this makes the situation genuinely alarming. This meeting of the Civil Service Management Board took place in June of this year. The draft report from the DPC was sitting on the desks of two of the secretaries-general who took part in this meeting (one of whom was also in the news this week for refusing to appear before the Public Accounts Committee to answer questions about the PSC), the most significant data protection law in a generation had been in force for over a year and yet there is a determination at the highest levels of the public service to ignore the law entirely.

If this is how decisions relating to the state’s national-scale handling of personal data projects are being made then the mess is far, far larger than simply the sprawling, embarrassing catastrophe of the Public Services Card and its underlying dodgy database.

Going back to the start of the week, on Monday it was reported that the Department of Employment Affairs and Social Protection had refused to release the DPC’s report on foot of an FOI request made by TJ McIntyre of Digital Rights Ireland. The department’s reasons were nothing if not dramatic. ‘making the report public would “have a serious adverse effect on the ability of the Government to manage the national economy and the financial interests of the State”.’

On Tuesday the department published the report. Katherine O'Keefe did some fantastic analysis of it, collected in a Twitter Moment here.

The report itself is here (direct PDF link) and the department’s response is here (direct PDF link). The department also took the rather unusual step of publishing what it called a ‘Quick Guide to the Final Investigation Report by the Data Protection Commission’ which is not much more than ten pages of spin. You can read that here (direct PDF link).

‘Government 'will not comply’ with findings on Public Services Card’ Irish Times

On Wednesday it was reported that the Passport Office would no longer require the PSC to apply for a passport.

On Thursday it was reported that applicants for the new National Childcare Scheme would not be required to have a Public Services Card.

In an opinion piece in The Irish Times on Saturday TJ McIntyre put the whole thing in the wider context of systematic mismanagement.

So who knows now what the next week will bring.

Facebook would like you to attach a camera to your TV so your TV can watch you.

Facebook wants to take over your television with a clip-on camera for video calling, AR gaming and content co-watching. If you can get past the creepiness, the new Portal TV lets you hang out with friends on your home’s biggest screen. It’s a fresh product category that could give the social network a unique foothold […]

The Polish DPA fined a data controller ~€645,000 for insufficient organisational and technical safeguards which led to the personal data of over 2.2 million people being exposed.

—

The Berlin DPA fined a food delivery company €195,000 for failure to respond to subject access requests, failure to delete personal data and retaining personal data for an excessive amount of time, among other things. (Direct link to PDF in German)

—

The Belgian DPA fined a retailer €10,000 for disproportionate use of the Belgian electronic identity card for the purpose of creating a loyalty card.

• “There is a troubling lack of transparency in these practices. The Times’s privacy policy does not disclose the vast majority of tracking companies (including BlueKai) on its site, requires users to accept cookies to fully use the site and explicitly states that The Times ignores the “do not track” browser setting.” The New York Times allowed Timothy Limbert to write ‘This Article Is Spying on You’.
• “Two parties — nonprofit watchdog group Housing Rights Initiative and a D.C. woman seeking to lead a class-action group — filed human rights complaints Wednesday with administrative agencies in D.C. and Maryland. They allege that seven housing companies that lease or manage properties in the metropolitan area used Facebook’s advertising system to target specific age groups, excluding others. They also allege Facebook’s algorithms compounded the issue by disproportionately showing the ads to younger users.” writes Marie C. Baca in the Washington Post.
• “Where did these images come from? Why were the people in the photos labeled this way? What sorts of politics are at work when pictures are paired with labels, and what are the implications when they are used to train technical systems? In short, how did we get here?” Kate Crawford and Trevor Paglen‘s essay 'Excavating AI: The Politics of Images in Machine Learning Training Sets’.
• “What DRN has built is a nationwide, persistent surveillance database that can potentially track the movements of car owners over long periods of time. In doing so, highly sensitive information about car owners can be made available to anyone who has access to the tool.” Joseph Cox writes in Motherboard about a surveillance database of 9 billion license plate scans accessible by private investigators in the U.S.

——

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster we’ll be in your inbox again next weekend.

If you know someone who might enjoy this newsletter do please forward it on to them.