Repair Snooping | The Cat Herder, Volume 5, Issue 46
HOUSEKEEPING NOTE: If all goes well this email should land in your inbox. If it ends up in spam you may need to add the sending address (PrivacyKit@buttondown.email) to your whitelist. It’ll probably take a few weeks for me to figure out the capabilities of this new platform compared to the old so please bear with me! Anyway, onwards we go with what is issue two hundred and eight of this newsletter.
A whole lot of Facebook, sandboxing biometrics in the UK, potential trouble ahead in the education sector for Microsoft and Google, be very wary of device repairs.
😼
--------
Futuendi Gratia
The ICO is looking for new projects to join its regulatory sandbox.
🐦 “if your organisation is working on innovative ideas involving biometrics, such as fingerprints or voice recognition then get in touch!” – Tweet, @ICOnews
On following the link in the above tweet we discover the ICO is especially interested in biometric innovation in
- “the public sector;
- the education sector;
- recruitment; or
- employment monitoring.”
It’s hard to imagine many applications which might emerge from this which aren’t discriminatory surveillance-based rights-infringing dumpster fires but we shall see.
It Could Never Happen Here
The French minister of national education and youth has said that free versions of Microsoft Office 365 and Google Workspace should not be used in schools – a position that reflects ongoing European concerns about cloud data sovereignty, competition, and privacy rules.
The Register: ‘France says non to Office 365 and Google Workspace in school’
According to Wolfie Christl similar moves are afoot in Germany.
🐦 “After two years of negotiations with Microsoft, the joint committee of the German federal data protection authority and 17 state regulators (DSK) published a devastating statement that essentially says that organizations currently cannot use MS365 in a lawful way under the GDPR.” – Tweet, @WolfieChristl
—
RCMP officials told the ethics committee that spyware — or on-device investigative tools, in their parlance — had been used in 32 investigations since 2017, targeting 49 devices. They also revealed the agency has been using similar technology as far back as 2002. The RCMP had not alerted the federal privacy watchdog to its use of spyware, and Privacy Commissioner Philippe Dufresne told the committee he was not aware of the agency’s spyware program until POLITICO reached out in June.
Politico: ‘RCMP use of spyware warrants update to Canada’s privacy laws, MPs say’
Nobody Could Have Seen This Coming
If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, not surprisingly with female customers bearing the brunt. Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.
Ars Technica: ‘Thinking about taking your computer to the repair shop? Be very afraid’
Regulators
The DPC intends to fine TikTok, according to TikTok’s accounts filings. This is certainly interesting, but the filings don’t include any detail on what other sanctions may be imposed. Those are frequently far more significant than monetary penalties, which are trivial to large organisations.
—
What We’re Reading
- “Technically, Facebook uses tracking cookies in a misleading way: Facebook pretends that the datr tracking cookie is a strictly necessary cookie. Facebook collects a lot of data about Page visitors’ behaviour, but does not reveal the logic of using those data to show personalised posts, recommended other content and ads. On top of that, there are problems with the transfer of personal data to the United States, a country without an adequate level of data protection. Transparency statistics published by Facebook about disclosure to law enforcement and intelligence services in the US show that there is a real risk that such orders include data from visitors to Dutch Facebook Pages. The DPIA concludes that there are 7 high privacy risks, and 1 low, when a government organisation uses a Facebook Page to communicate with a mass audience.” From a blog post summarising the findings of a Data Protection Impact Assessment on the Dutch government’s use of Facebook Pages carried out by Privacy Company on behalf of the Dutch Ministry of the Interior and Kingdom Relations.
- “When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refund to the nearest hundred. The pixel also sent the names of dependents in an obfuscated, but generally reversible, format.” From ‘Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook’ by Simon Fondrie-Teitler, Angie Waller, and Colin Lecher for The Markup.
- “As well as a declaration that Meta breaches the U.K. GDPR’s right to object, the claimant is seeking to force it to stop processing her data for the purpose of direct marketing — and stop related profiling of her, such as Meta drawing inferences about her to micro target ads or assigning ‘ad interests,’ ‘ad topics’ or ‘your topics’ for marketing purposes. The claim document includes (long) lists of “ad interests” Meta assigned to O’Carroll between 16 June 2021 and 14 October 2022 — including a number of topics containing sensitive interests, despite changes it announced a year ago, when Meta said it would be removing as targeting options “topics that people may perceive as sensitive.”” From ‘Meta’s surveillance biz model targeted in UK ‘right to object’ GDPR lawsuit’ by Natasha Lomas for TechCrunch.