(Not) The Safest Place On The Internet | The Cat Herder, Volume 3, Issue 9

Some truly impressive breaches. The Public Services Card (again). Genomics Medicine Ireland (again).   March 15 · Issue #73 · View online Some truly impressive breaches. The Public Services Card (again). Genomics Medicine Ireland (again). COVID-19 Obviously this overtook everything else in Europe this week. Here are a few data protection flavoured bits and pieces. Regulator advice The Data Protection Commission of Ireland published (and updated) several pieces of guidance relating to Covid-19, as did other data protection authorities. Gabriela Zanfir-Fortuna has a useful roundup of the advice as it stood on March 10th. The DPC has a guide to protecting personal data when working remotely and a COVID-19 note which covers health data and how organisations should handle GDPR requests from individuals, among other things. Cyber risk and scams in unprecedented times Lucasz Olejnik has a very good blog post on this, ‘Cyber risk theme and COVID-19 - why scams or unauthorized access attempts using coronavirus theme is something unwelcome but unprecedentedly risky’ Stay safe all. Watch this if you need a lift. 😼 Drew Harwell @drewharwell New: Whisper, the secret-sharing app billed as "the safest place on the Internet," left hundreds of millions of user confessions exposed on the Web - and tied to detailed location data. Researcher: People could “have their lives ruined" because of this https://t.co/VZvqiUM7K4 https://t.co/ieqENz3pvw 11:37 AM - 10 Mar 2020 Anonymous secret sharing app Whisper left sensitive profile data exposed for years - The Verge www.theverge.com – Share Anonymous secret-sharing app Whisper left sensitive user data exposed online in a public database that was not password protected, The Washington Post reports. The information could reveal users’ age and location in some cases, and some of the app’s millions of users include minors. Of course it could Jeroen Terstegge @PrivaSense Oh boy... Dutch government loses 2 hard disks with 6.9 million records of organ donors. Not encrypted 😭😭 https://t.co/gt3KnZomvg #GDPR #databreach #privacy 7:56 PM - 10 Mar 2020 welfare.ie @welfare_ie #CoronaVirusUpdate - Please see here for information about Jobseeker's payments - https://t.co/P7W9gmceEc Applications can be made online at https://t.co/2qT7sKwvGI. Forms can also be downloaded and posted to your nearest Intreo Centre. #covid19Ireland #Coronavirus https://t.co/M1ZKvZFtTV 6:19 PM - 14 Mar 2020 One of my favourite non-fiction books is Systemantics by John Gall. Gall’s dry application of Le Chatelier’s Principle to systems states that “THE SYSTEM ALWAYS KICKS BACK … or, in slightly more elegant language: SYSTEMS TEND TO OPPOSE THEIR OWN PROPER FUNCTIONS”. If one of the functions of the Public Services Card system was to improve efficiency and effectiveness in the delivery of public services - which we have been repeatedly told it was - then it is clearly not doing so in this situation. People who have been laid off recently can apply to claim jobseeker’s payments online, the department tells us. However, in order to do this online an individual must have a MyGovID account. In order to get a MyGovID account an individual must have a Public Services Card. Which requires making an appointment and having a face-to-face meeting. Which defeats the purpose of applying online and maintaining social distancing. However, another function of the system is to collect people’s biometric data. Intentions don’t matter here, the way the system is currently behaving is what counts. The department may wish to allow anyone who wants to apply online. This would make sense. There’s no way of telling if this is what the department wants. But the rigid processes they’ve built around their bafflingly opaque system don’t allow them to do this. A system that has functioned since its beginnings as a mechanism to drag increasing numbers of people into the state’s high-risk biometric database is unable to adapt to circumstances. But it will continue to perform this function because, whether by accident or design, this is now a primary function of the system. Now picture this: you’ve been told that in order to get your hands on the genetic data of 9,000 people, gathered over thirty years and stored with no discernible lawful basis, you have to run a publicity campaign informing individuals and their relatives of their right to withdraw their data from the study. Imagine you’re an advertising executive, interested in reach and frequency. When would you choose to run this publicity campaign if you wanted the maximum amount of people to become aware of their rights? How many different media channels would you use? How many times would you run the message using each of these channels? Budget constraints aren’t that much of a thing because you’ve got somewhere in the region of €70 million in funding from the Irish government, and twice as much again from other venture capital investors. Would you choose one newspaper ad in one newspaper during a pandemic? Do you think that would grab people’s attention? Brian Daly @brian_daly Here’s an ad from Beaumont Hospital in today’s paper informing living patients and relatives of brain tumour patients who have died that they need to opt out their relatives medical samples out of joint research with @GenomicsMed @PrivacyKit @Tupp_Ed https://t.co/xKxnTAWzVK 1:37 PM - 14 Mar 2020 Killian Woods @killianwoods Interesting to see this advert finally in print. Last year myself and @whytebarry reported on why Genomics Medicine Ireland and the hospital are being made run this publicity campaign https://t.co/efDqmUvrpu https://t.co/fevDCk9f8J 10:46 PM - 14 Mar 2020 The Swedish DPA fined Google ~€7 million for failing to fulfill its obligations in respect of the right to request delisting. Google will appeal the fine. — The Greek DPA issued guidelines on cookies and trackers. — Facebook is being sued by Australia’s Information Commissioner over the Cambridge Analytica scandal. “So far as I can find, there have been eight judgments considering substantive claims for damages pursuant to Article 82 (though there have been other cases in which such compensation was claimed but the substantive issue was not reached).” Eoin O'Dell has an overview of Article 82 claims across Europe so far. Vesela Gladicheva looks at Facebook’s adeptness at delaying and defending mass actions arising out of the Cambridge Analytica scandal. “European consumers suing Facebook in coordinated class actions in Belgium, Italy, Portugal and Spain over the Cambridge Analytica scandal are facing an uphill battle that suggests that litigation over privacy rights might not, as previously hoped, be quicker and more successful than regulatory probes.” “Privacy regulation often seeks to give people more privacy self-management, such as the recent California Consumer Privacy Act. Professor Solove argues that giving individuals more tasks for managing their privacy will not provide effective privacy protection. Instead, regulation should employ a different strategy — focus on regulating the architecture that structures the way information is used, maintained, and transferred.” A new paper by Daniel Solove, ‘The Myth of the Privacy Paradox’. “This information can be viewed in pretty much any image viewing app and can be used to put you at a specific time and place—which depending on your work, relationships or general desire for privacy, you may not want to share with whoever might be looking.” Jon Keegan in The  Markup examines what your digital photos can reveal about you. —— Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Some truly impressive breaches. The Public Services Card (again). Genomics Medicine Ireland (again).

COVID-19

Obviously this overtook everything else in Europe this week. Here are a few data protection flavoured bits and pieces.

Regulator advice

The Data Protection Commission of Ireland published (and updated) several pieces of guidance relating to Covid-19, as did other data protection authorities.

Gabriela Zanfir-Fortuna has a useful roundup of the advice as it stood on March 10th.

The DPC has a guide to protecting personal data when working remotely and a COVID-19 note which covers health data and how organisations should handle GDPR requests from individuals, among other things.

Cyber risk and scams in unprecedented times

Lucasz Olejnik has a very good blog post on this, ‘Cyber risk theme and COVID-19 - why scams or unauthorized access attempts using coronavirus theme is something unwelcome but unprecedentedly risky’

Stay safe all. Watch this if you need a lift.

😼

Anonymous secret-sharing app Whisper left sensitive user data exposed online in a public database that was not password protected, The Washington Post reports. The information could reveal users’ age and location in some cases, and some of the app’s millions of users include minors.

One of my favourite non-fiction books is Systemantics by John Gall.

Gall’s dry application of Le Chatelier’s Principle to systems states that “THE SYSTEM ALWAYS KICKS BACK … or, in slightly more elegant language: SYSTEMS TEND TO OPPOSE THEIR OWN PROPER FUNCTIONS”.

If one of the functions of the Public Services Card system was to improve efficiency and effectiveness in the delivery of public services - which we have been repeatedly told it was - then it is clearly not doing so in this situation.

People who have been laid off recently can apply to claim jobseeker’s payments online, the department tells us. However, in order to do this online an individual must have a MyGovID account. In order to get a MyGovID account an individual must have a Public Services Card. Which requires making an appointment and having a face-to-face meeting. Which defeats the purpose of applying online and maintaining social distancing.

However, another function of the system is to collect people’s biometric data. Intentions don’t matter here, the way the system is currently behaving is what counts.

The department may wish to allow anyone who wants to apply online. This would make sense. There’s no way of telling if this is what the department wants. But the rigid processes they’ve built around their bafflingly opaque system don’t allow them to do this. A system that has functioned since its beginnings as a mechanism to drag increasing numbers of people into the state’s high-risk biometric database is unable to adapt to circumstances. But it will continue to perform this function because, whether by accident or design, this is now a primary function of the system.

Now picture this: you’ve been told that in order to get your hands on the genetic data of 9,000 people, gathered over thirty years and stored with no discernible lawful basis, you have to run a publicity campaign informing individuals and their relatives of their right to withdraw their data from the study.

Imagine you’re an advertising executive, interested in reach and frequency. When would you choose to run this publicity campaign if you wanted the maximum amount of people to become aware of their rights? How many different media channels would you use? How many times would you run the message using each of these channels? Budget constraints aren’t that much of a thing because you’ve got somewhere in the region of €70 million in funding from the Irish government, and twice as much again from other venture capital investors.

Would you choose one newspaper ad in one newspaper during a pandemic? Do you think that would grab people’s attention?

The Swedish DPA fined Google ~€7 million for failing to fulfill its obligations in respect of the right to request delisting. Google will appeal the fine.

—

The Greek DPA issued guidelines on cookies and trackers.

—

Facebook is being sued by Australia’s Information Commissioner over the Cambridge Analytica scandal.

• “So far as I can find, there have been eight judgments considering substantive claims for damages pursuant to Article 82 (though there have been other cases in which such compensation was claimed but the substantive issue was not reached).” Eoin O'Dell has an overview of Article 82 claims across Europe so far.
• Vesela Gladicheva looks at Facebook’s adeptness at delaying and defending mass actions arising out of the Cambridge Analytica scandal. “European consumers suing Facebook in coordinated class actions in Belgium, Italy, Portugal and Spain over the Cambridge Analytica scandal are facing an uphill battle that suggests that litigation over privacy rights might not, as previously hoped, be quicker and more successful than regulatory probes.”
• “Privacy regulation often seeks to give people more privacy self-management, such as the recent California Consumer Privacy Act. Professor Solove argues that giving individuals more tasks for managing their privacy will not provide effective privacy protection. Instead, regulation should employ a different strategy — focus on regulating the architecture that structures the way information is used, maintained, and transferred.” A new paper by Daniel Solove, ‘The Myth of the Privacy Paradox’.
• “This information can be viewed in pretty much any image viewing app and can be used to put you at a specific time and place—which depending on your work, relationships or general desire for privacy, you may not want to share with whoever might be looking.” Jon Keegan in The  Markup examines what your digital photos can reveal about you.

——

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.