"my target was less obvious" | The Cat Herder - Volume 1, Issue 2
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope 😼
As we’re fond of saying in this part of the world, would you look at the state of this. Alexander Hanff explains the problems with the European Data Protection Board website:
As is often the case, we struggle for analogies here. A financial regulator not keeping accounts? An environmental regulator burning oak trees to heat their offices? It illustrates the fundamental interconnectedness of all things when it comes to the amount of tracking cruft that lurks just beneath the surface of the web. The standard toolkit for building websites usually includes trackers from Google, Facebook and many others. Much of the time, we suspect, those involved in planning, building and deploying websites and apps really don’t know what third party surveillance equipment they’re decorating their websites with.
While this issue with the EDPB website was resolved, we shouldn’t have to ask. It’s blindingly obvious that the people in charge of enforcing protection and respectful and appropriate treatment of personal data should be setting an example themselves.
The Irish government has a website which, apparently, will at some point in the future be the one portal to rule them all when it comes to accessing information and services online. Hello gov.ie.
https://twitter.com/ElaineEdwardsIT/status/1027286635984158721
It’s impossible to tell whether this has been done through a misinterpretation of regulations, a blissful unawareness of regulations, a blissful unawareness of how Google Analytics functions or a little of all three. It doesn’t matter. It’s still wrong and is certainly not a thing the State should be doing if it has any interest in treating personal data in a proper, respectful manner. But hey, there’s been precious little evidence of that over the last couple of decades …
There couldn’t possibly be any problem with the government knowing how far you drive every year, could there? There are organisations that would gladly pay for this data and build it into insurance risk models and so on.
‘Motorists may be taxed on distance driven rather than paying excise on fuel’, Irish Times, 07.08.2018
Much as the default when building a website is to include a lot of surveillance capabilities, so it seems is including a lot of cameras in your shopping mall design, deploying some flavour of facial recognition technology on the backend just because you can, and then scanning people’s faces without their consent.
At least this appears to have been the case in the Chinook Mall in Calgary, as reported by multiple media outlets recently.
- Initial reporting was met with a stock response of the form “oh no, we’re not doing the bad kind of facial recognition, ours is the good kind”
- Follow-up questions were met with silence - “Gizmodo was unable to reach Cadillac Fairview for comment.”
- An investigation was announced.
- The facial recognition functionality was turned off.
The president of the Privacy and Access Council of Canada, Sharon Polsky, is quoted in the final piece as saying “If there was nothing wrong with it, what’s there to suspend?”, which is a very good question. It is also a neat inversion of the dull, predictable cry which goes up from the unthinking whenever privacy concerns are raised about anything - “if you’ve nothing to hide you’ve nothing to fear”. If you’re interested, we’ve got a short piece on our site dealing with this dim but dangerous assertion.
We don’t know whether there are shopping centres in Ireland which have deployed similar technology but due to the fundamental interconnectedness of everything mentioned above the odds are pretty good that they’re at the very least thinking about it. It’s already happening in the UK.
For an example of something remarkably similar happening here we must turn to the public sector, always a reliable source for examples of jaw-droppingly irresponsible behaviour with other people’s personal data.
In summary, and borrowing heavily from Rossa McMahon’s dogged work on this which is linked to below:
- Limerick City & County Council has adorned towns across the county with high specification cameras capable of both facial and automatic number plate recognition.
- The Data Protection Commission informed Rossa they did not think the cameras were “in operation”.
- In response to a query from Rossa about the status of the cameras i.e. were the cameras turned on and recording, Limerick City & County Council opted for a new spin on everyone’s favourite secondary school metaphysical brain teaser “if a tree falls in a forest and no one is around to hear it, does it make a sound?”
- To clarify, in as far as is possible when attempting to interpret the ritually baffling responses of public sector bodies to questions about what they’re doing with personal data: Limerick City & County Council said the cameras are turned on and recording footage but because nobody is monitoring the footage this means the cameras are not in operation.
- No matter what the Council says, if the cameras are on and recording then the council is processing personal data. That’s what the law says.
‘Community Surveillance & Limerick’s Smart CCTV scheme’, Rossa McMahon, A Clatter of the Law, 18.06.2018
‘Lights, Camera, Action?’, Rossa McMahon, A Clatter of the Law, 10.07.2018
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? August 12th 2018 👀
Since we started with a story about the ubiquity of trackers on websites, even websites which should really know better, we’ve run the links in this section through a tool which tests the number of cookies a site uses and the number of third-parties it checks in with. This week only, that’s a promise.
‘How America Can Stop Being The Wild West of Data’ by Cathy O'Neil in Bloomberg [139 cookies dropped, 376 third-party requests, 98 third-parties contacted].
Christina Bonington in Slate wonders about the wisdom of making activity tracking apps social [unable to run test; redirects to GDPR consent form]. We can advise. It isn’t wise. The Pentagon agrees with us [14 cookies dropped, 58 third-party requests, 21 third-parties contacted]. Not entirely sure how to feel about that.
This single, beautiful tweet from Wolfie Christl.
Personal data, (non)informed consent, deceptive UIs, dark patterns:
What if services with large user bases would be required to let DPAs or independent auditors survey random samples of users and ask them whether they know what they have 'consented' to?
— Wolfie Christl (@WolfieChristl) August 8, 2018
Speaking of services with large user bases and Data Protection Authorities, the Information Commissioner’s Office in the UK fined Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, £140,000 for illegally collecting and selling personal information [5 cookies dropped, 8 third-party requests, 4 third-parties contacted] belonging to more than one million people.
Harking back to Issue 1 of The Cat Herder and the flailing around over biometrics by the Department of Employment Affairs and Social Protection, this piece by Anne-Marie Slaughter and Stephanie Hare about the change in the nature of the relationship between the individual and the state [27 cookies dropped, 80 third-party requests, 28 third-parties contacted] when biometric data is collected is really worth your time.
—
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.