Privacy Kit

May 3, 2021

Relevant Ads Save Lives | The Cat Herder, Volume 4, Issue 16

May 3 · Issue #129
The Cat Herder
Bank Holiday edition. Get the most relevant ads or people could die. Get the most relevant ads or Facebook might no longer be free. Is the Irish government developing a quasi identity management system using the data collected by the HSE’s vaccination booking system?
😼

ashkan soltani
@ashk4n
Well that escalated quickly ;)

"The @weathernetwork helps SAVE LIVES!
Allow us to track your activity across apps?"

(Subtext: people will *die* if you block tracking in @Apple iOS14...) #darkpatterns

(HT @pdolanjski) https://t.co/ELF9GZ0jJ8
7:04 PM - 2 May 2021
This of course relates to the introduction of Apple’s AppTrackingTransparency Framework in iOS 14.5. Facebook has naturally continued its war on Apple’s war on tracking by introducing similar scaremongering language to the notifications on its properties, ominously hinting that if you don’t allow tracking then Facebook will have no option but to charge you for use of its services.
Facebook and Instagram notices in iOS apps tell users tracking helps keep them ‘free of charge’ - The Verge
Facebook has been a vocal critic of Apple’s privacy rules in iOS 14, including the opt-in requirement that lets users decide whether to allow apps to track them across other apps and websites.
Open Rights Group has a good explainer of the issue in ‘Adtech vs. iOS, explained’.
Initial feedback indicates that 96% of people aren’t too keen on allowing apps to track them.
Alex Bauer
@alexdbauer
Today's IDFA Apocalypse hot takes from @branchmetrics platform traffic:

🔹7% of all iOS app sessions are currently from iOS 14.5.
🔹Aggregate ATT opt-in rate (authorized / authorized + denied) = 4%.
7:19 PM - 30 Apr 2021
The Minister for eGovernment told the Sunday Independent that some unspecified state entity (the HSE? the Department of Health? DPER?) has been running a pilot programme for domestic vaccination certificates.
“Our pilot system on digital certificates has been running with a sample group of healthcare workers over the last couple of months,” said Smyth. “Anyone who has been vaccinated will be able to get one of these certs, either digitally or on paper.”
The digital certificate system is being developed and managed separately to the vaccination rollout, he said.
Which is a curious thing for him to say since the data protection notice for the HSE’s vaccination appointment portal says the following, unambiguously bundling the digital vaccination certificate in as part of the purpose of processing the (rather excessive amount of) personal data the portal is collecting.
It is intended that your personal and special category data collected as part of the vaccine programme will be used only for the purposes of programme management and reporting. This will include at a future date your enablement to access a smart digital vaccination certificate as evidence of your COVID-19 vaccination in Ireland. This is in line with on-going coordinated European Council and WHO efforts in this area.
It also seems somewhat at odds with what the Taoiseach told his parliamentary party meeting during the week about any domestic use of the EU Digital Green Certificate.
Gavan Reilly
@gavreilly
At FF PP, Taoiseach also rules out any domestic use of the ‘green cert’ or vaccine bonus to access any services, citing civil liberties issues - its use will be for overseas travel only.

(This is a slight clash with Leo Varadkar who had left the door open for mass gatherings)
8:30 PM - 27 Apr 2021
So what is this domestic vaccination certificate to be used for?
In other online advertising news it seems Google’s plan to reshape what the participants are fond of referring to as the adtech ‘ecosystem’ doesn’t have many fans outside of Google.
Regulators in Germany, France and Belgium are all scrutinising Google’s proposals. At the same time, some of the world’s biggest websites have decided to skip Google’s trials entirely, with a number of companies developing ways for people to dodge the system.
It owns the world’s largest browser, biggest search engine, a huge advertising network, and can collect huge swathes of data. For many people, Google’s services are the internet. Nine of its apps are used by more than a billion people each. That’s an awful lot of data and an awful lot of power. Google’s historic abuse of people’s information has led many not to trust it – and that includes competitors and regulators, as well as consumers.
Wired: ‘Google’s plan to eradicate cookies is crumbling’
9to5 Google: ‘Now EU regulators are worried about Google’s FLoC initiative, too’
Given that the DPC is supposed to have expertise in data protection law, it grates when one hears the DPC say that data protection is very complex. It does not give us confidence that our regulator and adjudicator is fit for purpose when it thinks data protection is complex. It is not that complex, in my view. It is complex because the scales might be tipped back in favour of ordinary people. That is not complexity. It might upset powerful interests, particularly within the State or big business, but that is what the GDPR and the regulator are supposed to do. - Fred Logue
The Oireachtas Joint Committee on Justice held a hearing during the week. The topic was unmanageably broad. “General Data Protection Regulation (GDPR)”. Amidst quite a lot of noise some good points were made. Many salient issues were not addressed.
Unsubtle attempts to score domestic political points were made. Flights of fancy about a discussion draft of a possible draft Bill currently being circulated in Washington somehow crashing the Irish economy were indulged in. The idea that the DPC carries the burden of preventing “a slide towards a dystopia” was floated. The implausible theory that the DPC is sufficiently well funded was aired. In the same week that many of the companies supervised by the DPC reported extraordinary results. For reference, Facebook now has a market cap of approximately $930 billion; Alphabet now has a market cap of approximately $1.6 trillion. The DPC has the power to make decisions which will threaten aspects of the business models of these organisations. Tinkering around the edges by increasing funding and conducting external reviews is unlikely to noticeably change this mismatch in resources.
Of the three witnesses who were not the Data Protection Commissioner only one covered the issue of compliance by data controllers. One committee member raised it but only in the context of the cost of compliance being too high for businesses.
While the DPC’s statutory obligation to seek amicable resolution in cases was discussed there was no mention of its distinctiveness. To the best of my knowledge no other European DPA has such an obligation.
There was no mention of the ongoing grinding war of attrition being conducted against the regulator by State bodies.
Facebook may not have directly learned its ‘appeal against, object to, obfuscate, dissemble, refuse to accept’ approach to the DPC from watching the behaviour of State bodies but there was certainly a well and noisily trodden path to follow.
The transcript of the whole hearing is here [PDF].
—
Counsel for the ICO made a rather extraordinary intervention in the Lloyd v Google case. “If the word ‘damage’ in this regime does not include mere loss of control, it would have to be taken into account in the exercise of those regulatory barriers.”
—
The Dutch DPA fined the city of Enschede €600,000 for WiFi tracking without a lawful basis.
—
The Belgian DPA fined a financial services company €100,000 for allowing unauthorised access by a staff member to the national credit register.
—
The EDPS and the AEPD published a very accessible joint paper on anonymisation myths.
  • This informative Twitter thread by Kirsten Han on how quickly and efficiently Singapore’s tech solutions to the pandemic have morphed into a state-wide always on exclusionary surveillance network.
  • “The app, which initially launched without a privacy policy, leveraged “dark patterns” and algorithmic discoverability tactics to gain access to users’ phone contacts and even required users to grant this access before they could invite friends to the platform. After pushback from users and privacy advocates, Clubhouse made some minor tweaks; it now allows users to manually enter phone numbers to invite their friends and contacts. It is uncertain whether this change actually prevents Clubhouse from harvesting the contacts of its users even when they do not opt-in. These concerns are particularly problematic in Europe, where the law mandates data protection by design and default. Clubhouse’s privacy policy, which is only available in English, does not reference European regulations or provide any way for users to exercise their data protection rights.” More on Clubhouse from Elizabeth Renieris for the Center for International Governance Innovation, ‘The $4 Billion App That Doesn’t Value Privacy, Security or Accessibility’.
  • “But The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers from the privacy analysis firm AppCensus alerted Google to the problem back in February of this year, Google failed to change it. AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company found no similar issues with the iPhone version of the framework. ‘This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn’t impact the program, it doesn’t change how it works,’ said Joel Reardon, co-founder and forensics lead of AppCensus. ‘It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.’” From ‘Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t’ by Alfred Ng for The Markup.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
