Privacy Kit

September 4, 2022

Out Of Curiosity | The Cat Herder, Volume 5, Issue 34

September 4 · Issue #196
The Cat Herder
A bit of this, a bit of that, a bit of the other. Data brokers getting a bit bothered by the prospect of legislation in the US, Hikvision cameras a bit vulnerable, a bit of questionable data collection by the Ministry of Justice in the UK, a bit of machines being trained to recognise swimming pools in France, a bit of the consequences of Brexit, a lot of location data.
😼

Thousands of Hikvision Cameras Vulnerable to a Security Bug
krispitech.com
Analyzing about 285,000 Hikvision web servers online, researchers spotted over 80,000 of them vulnerable to a remote command injection bug.
—
NHS Orkney sorry after records accessed inappropriately - BBC News
www.bbc.com
An investigation confirmed records may have been accessed by a staff member “out of curiosity”.
A UK edition of Mandatory But Not Compulsory this week.
The MoJ denied that Deputy Prime Minister and Justice Secretary Dominic Raab or the MoJ itself requested the names of any barristers. However, information subsequently disclosed to the CBA and shared with the Commissioner shows that – whether or not he requested actual names be given to him personally – Mr Raab did direct the collection in the first place.
Information Commissioner investigates collection of criminal barristers' names
www.mishcon.com
The Information Commissioner has opened an investigation into concerns that the Ministry of Justice was unlawfully processing barristers’ personal data.
Vincent Manancourt (@vmanancourt)
This is significant, and awkward for Britain, which has said that its data protection overhaul will unleash tech investment.

Via my colleague @g_lanktree, how an e-vehicle firm pulled a U.K. project in part because of the reform proposals. https://t.co/oNjLOqoAmT
10:35 AM - 3 Sep 2022
—
In France you can no longer hide your swimming pool from the taxman.
France taxman deploys AI spy to spot hidden swimming pools
www.france24.com
France’s tax authority said Monday that a new artificial intelligence system had found thousands of undeclared swimming pools, allowing it to collect millions of euros from homeowners who failed to report…
What distinguishes Fog Reveal from other cellphone location technologies used by police is that it follows the devices through their advertising IDs, unique numbers assigned to each device. These numbers do not contain the name of the phone’s user, but can be traced to homes and workplaces to help police establish pattern-of-life analyses. “The capability that it had for bringing up just anybody in an area whether they were in public or at home seemed to me to be a very clear violation of the Fourth Amendment,” said Davin Hall, a former crime data analysis supervisor for the Greensboro, North Carolina, Police Department. “I just feel angry and betrayed and lied to.”
Tech tool offers police ‘mass surveillance on a budget’ | AP News
apnews.com
Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails obtained by The Associated Press.
The Italian DPA fined UniCredit €70,000 for “requiring that a data subject submit their access request via a designated form, and for not providing all information required under Article 15 GDPR.”
Data controllers in the public sector in Ireland might want to pay attention to this as their love of trying to force data subjects to use unnecessary forms when making subject access requests is almost boundless.
—
The ICO gave itself a pat on the back for encouraging some platforms to make some mostly cosmetic changes. “Children are better protected online in 2022 than they were in 2021” - ICO marks anniversary of Children’s code
The Information Commissioner himself gave an interview to The Telegraph (€) in which he announced some impending decisions on whether to prosecute for breaches of the Children’s Code, without naming who the companies involved are. Thus continuing a tradition established by recent Tory governments of announcing things in paywalled articles in The Telegraph. Natasha Lomas covers this at length for TechCrunch.
  • “we are concerned that the discussions on the effective enforcement of the GDPR only focus on the lack of harmonised procedures and we invite the EDPB to extend the scope of its work when addressing the shortcomings with the enforcement of the GDPR. We, however, understand that the EDPB cannot solve all the issues regarding the enforcement of the GDPR and has limited competences and powers.” From the EDRi’s response to the European Data Protection Board and its members [PDF]
  • “Even if the bill doesn’t pass, it could still be chalked up as a win for the data broker industry, by maintaining a status quo that privacy advocates say should cease to exist. ‘Just because data brokers have spent the last 20 years making millions of dollars off of our personal data because Congress hasn’t passed a privacy law doesn’t mean it should continue to be legal,’ EPIC’s Fitzgerald said. ‘The bipartisan consensus behind ADPPA is that we need to rein in these abusive data practices, not codify them into law.’” From ‘Privacy bill triggers lobbying surge by data brokers’ by Alfred Ng for Politico.
  • “The kind of data that Fog sells to law enforcement originates from third-party apps on smartphones. Apps that have permission to collect a user’s location can share that data with third-party advertisers or data brokers in exchange for extra ad revenue or direct payouts. Downstream, data brokers collect data from many different apps, then link the different data streams to individual devices using advertising identifiers. Data brokers often sell to other data brokers, obfuscating the sources of their data and the terms on which it was collected. Eventually, huge quantities of data can end up in the hands of actors with the power of state violence: police, intelligence agencies, and the military.” From ‘Inside Fog Data Science, the Secretive Company Selling Mass Surveillance to Local Police’ by Bennett Cyphers for the EFF.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to, then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
