Privacy Kit

October 7, 2018

Nine Billion Data Points | The Cat Herder, Volume 1, Issue 10

The Cat Herder
Welcome to Issue 10! We’ve reached double figures in our journey down the highways and byways of doing privacy and data protection wrong. Hopefully you’re still enjoying the trip. If you know someone who might enjoy this newsletter do please send it on to them.
😼

New Zealand’s ‘digital strip searches’: Give border agents your passwords or risk a $5,000 fine - The Washington Post
www.washingtonpost.com
Travelers who refuse to surrender passwords, codes and encryption keys could be fined up to $5,000, according to a law that took effect Monday.
We’re highlighting this here because it’s a very silly thing to do if you want tourists to continue coming to your country, it’s a huge civil rights violation, and it prompted this masterful response from Tim Cushing on Twitter:
made in the basement from love
@TimCushing
New Zealand government decides to one-up Sauron.

https://t.co/n3Hp1FMNOK https://t.co/YOT1s0w54y
6:19 PM - 1 Oct 2018
One Big Dumb Data Idea
Police super-database prompts Liberty warning on privacy | UK news | The Guardian
www.theguardian.com
Human rights group boycotts Home Office consultations on vast cloud system, saying they are a sham
The government accepts that large amounts of the data will have nothing to do with crime. 
What indeed could ever go wrong with such a fine idea as this?
Yes it will
Since late 2016, the Transport for London has been running a pilot scheme, providing wifi to passengers while logging and retaining all the wifi traffic coming in and out of its access points, compiling a massive dossier on every tube-rider who had wifi turned on for their devices, whether or not they ever accessed the wifi service.
In a document obtained under a Freedom of Information request, TfL plans to make £322m “over the next eight years by being able to quantify asset value based on the number of eyeballs/impressions and dynamically trade advertising space.”
The London Underground thinks it can sell travelers' attention and wifi data for £322m / Boing Boing
boingboing.net
As we highlight here almost weekly, a bright idea in one country or region can very rapidly spread to a data-hungry organisation near you. So, what are the Irish transport companies up to in this area? Anyone?
Shortcomings in healthcare data system identified in Hiqa report
www.irishtimes.com
A series of shortcomings, including potential privacy issues, have been identified in the main health information system used in Ireland to inform healthcare planning, delivery and funding.
Hiqa makes nine recommendations, including that “necessary arrangements” to meet new legal obligations under European data protection law should be implemented.
It added that, as outlined in the General Data Protection Regulation, the office responsible within the HSE “should clearly outline the circumstances in which it is necessary to seek specific consent for using data beyond the purposes for which the data was collected”.
It said the office should also undertake a review to assess the need for a data protection impact assessment, which was a mandatory requirement, particularly in light of “data sharing practices” and the impact of the forthcoming introduction of individual health identifiers.
The General Data Protection Regulation has been in force since May of this year. The HSE had the two years before that to make these information systems and their own internal processes compliant with the regulation as it was published in May 2016. And yet …
The Data Sharing and Governance Bill is currently making its way through the Houses of the Oireachtas. It was in the Seanad at report stage during the week.
The Irish Council for Civil Liberties wrote a letter to the Irish Times outlining what they term their “grave concerns” with this bill. It’s well worth a read as it highlights the government’s intent to pay only lip service to the principles of data protection.
In addition to the shortcomings around consent and transparency outlined in the letter, the aim of enshrining a “once only” principle relating to data collection across public service policies and procedures, accompanied by widespread sharing of this data between public bodies, conflicts with the long-established key data protection principle of purpose limitation and is entirely incompatible with data protection by design and default as required by the General Data Protection Regulation.
In promoting this approach across the public service, the government is creating an environment where breaches of data protection law will become the norm.
Simon McGarr posted a thread on Twitter last month about the timing of this piece of legislation and how it relates to the continuing reality-defying determination of the Irish State to legitimise their biometric register project.
As Simon mentions at the end of that thread, contact your representatives if you’re not happy with this.
Simon McGarr
@Tupp_Ed
So, may I ask you a favour- if indeed you’re still here.

Please can you let your TDs know that you don’t like the Data Sharing and Governance Bill? Because, believe me, if the people following this account don’t do it, I don’t know who will.

Thanks!

https://t.co/TKwPj2ccoR
11:12 PM - 16 Sep 2018
They might as well open a new wing in DPC towers and call it the Facebook Scrutinisatory Wing or the Zuckerberg Reform Wing or the Surely This Will Make Facebook Change Its Behaviour Wing or the Derek Zoolander School For Multinationals Who Can’t Read Regulations Good or something similar. Ahem.
As expected the Data Protection Commission announced on Wednesday that they were formally opening an investigation into the latest Facebook data breach.
Data Protection Commission Ireland
@DPCIreland
Investigation commenced into Facebook data breach. @DPCIreland statement beneath. #dataprotection #GDPR #eudatap https://t.co/7eHKUigTq5
6:38 PM - 3 Oct 2018
The DPC is also currently looking into Facebook’s refusal to comply with a subject access request because to do so would be just too hard for them.
If it was going to be too difficult for them to retrieve the personal data in response to an access request then they shouldn’t have collected it in the first place. There’s nothing complicated about that, surely?
For some reason the DPC hasn’t published notification of this latest investigation on their website. They did put it on Twitter though. Maybe they put it up on Facebook too ¯\_(ツ)_/¯ 
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? October 7th 2018 
This Twitter thread by Miss IG Geek on the Apollo breach.
(Yes, there was Yet Another Breach (YAB) in which “Sales intelligence firm Apollo left a ‘staggering amount’ of data exposed online, including 125 million email addresses and nine billion data points.”)
We’re watching this short video from Liberty Human Rights. It’s a useful teaching aid should you ever encounter someone who uses the tired old “if you’ve nothing to hide then you’ve nothing to fear” argument. There’s more reading about this on our site if you’re interested.
—-
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
Privacy Kit, Made with 💚 in Dublin, Ireland
