Privacy Kit

July 7, 2019

Spot On | The Cat Herder, Volume 2, Issue 25

Amazon has a surprise for you. As does Sony. 😼
 
July 7 · Issue #41

When You Listen, They Watch: Pre-Saving Albums Can Allow Labels to Track Users on Spotify
www.billboard.com
Users who “pre-save” upcoming releases to their Spotify accounts can hear music as soon as it’s out — but may not realize how much data they’re giving up in order to do so.
The only access labels need to pre-save music to a Spotify account is permission to “add and remove items in your Library.” But the submenus for Sony’s Little Mix campaign asked users for 16 additional permissions, including to “control Spotify on your device” and “stream and control Spotify on your other devices.” In its campaign for Chris Brown’s new single “No Guidance,” featuring Drake, Sony asked to “upload images to personalize your profile or playlist cover” and manage who you follow on Spotify. (Spotify, Sony and the other major labels declined to comment for this story.)
The urge to grab all the personal data that can be grabbed remains strong, clearly. Despite the equally clear data protection principles of data minimisation and purpose limitation.
Some readers may remember previous Sony misadventures like the time they installed rootkits on millions of people’s computers. Not exactly a company that trusts its paying customers a whole lot and therefore probably not one that can be trusted with personal data.
Yes they did.
Surprise! Amazon has a surprise for all you Alexa users out there, and any of you who have been in the same room as an Alexa.
Amazon confirms it keeps your Alexa recordings basically forever | Ars Technica
arstechnica.com
The recordings, and their transcripts, never expire automatically.
The Romanian Authority for the Supervision of Personal Data Processing announced that it had handed out its first fine under the GDPR. The data controller in this case, a bank, was fined circa €130,000 for a personal data breach which affected 337,042 data subjects over 6 months.
Of particular interest here is that the fine was issued for a breach of Article 25, data protection by design and default, rather than breach of the data minimisation principle. Accountability and the ability to demonstrate compliance through documentation of internal processes and procedures is also mentioned.
More:
  • ‘First fine by the Romanian Supervisory Authority’, EDPB
  • ‘In First GDPR Fine, the Romanian DPA mixes the old and the new’, Roxana Ionescu, Nestor Nestor Diculescu Kingston Petersen
—
The Irish Data Protection Commission has opened a third investigation into Apple, apparently related to an inadequate response to a subject access request. This was reported widely (Reuters, CNBC, Irish Times, New York Times, Apple Insider) but is not as of now mentioned on the DPC’s website ¯\_(ツ)_/¯
—
The CNIL launched a design resources site and Slack community. It’s a bit bare bones at the moment but this is a really welcome move because those tasked with developing systems, designing interfaces and writing copy could really do with some support and guidance from regulators in language they understand.
It will. It probably already is.
The Metropolitan Police Service says the facial recognition software it has been (extremely controversially) trialling is 99.9% accurate. An independent report which emerged during the week says the system is 80% inaccurate.
A gentleman named Ken Marsh, the chairman of the Metropolitan Police staff association, decided to get involved in the debate sparked by these competing reports of the accuracy of the system. Rather than merely offer an opinion on the system his own force is chomping at the bit to deploy more widely, Ken decided to go all in. China’s use of facial recognition is the ne plus ultra towards which we should all be working according to Ken. Presumably he hasn’t been reading the news over the last few months.
Facial recognition in China 'spot on', say Metropolitan Police Federation
news.sky.com
The chairman of the Met Police staff association said the “fantastic” technology could be used to catch criminals and terrorists.
  • “It seems that the investment of public funding in GMI was considered as a purely commercial decision – there seems to be limited public benefit from companies such as GMI for patients, doctors, researchers or public institutions.” Writing in The Irish Times, Orla Hardiman and David McConnell had a look at who will benefit from our favourite DNA harvesting operation, Genomics Medicine Ireland.
  • “It’s not that we’ve failed to rein in Facebook and Google. We’ve not even tried” writes Shoshana Zuboff for The Guardian. “In 2013, Google co-founder Larry Page complained that ‘old institutions like the law’ impede the company’s freedom to ‘build really great things’.”
  • Meanwhile, the head of Facebook and Google’s lead European supervisory authority Helen Dixon said some rather alarming things about the law she’s in charge of enforcing at an event in Israel. This earned her a mention in The Phoenix. The keynote speech in question is here.
  • “What makes these examples of abuse more significant than what we’ve seen in the past? They show how Facebook’s strategy has the ability to push its problems into the shadows.” Facebook may be pivoting to something worse says Dave Lee.
  • Sarah Jeong wrote a welcome takedown of the whole notion of data ownership as the solution to current data protection and privacy problems in The New York Times. “A property right is alienable — once you sell your house, it’s gone. But the most fundamental human rights are inalienable, often because the rights become meaningless once they are alienable. What’s the point of life and liberty if you can sell them?”
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
