Privacy Kit

July 5, 2020

Streetlights | The Cat Herder, Volume 3, Issue 25

July 5 · Issue #89
The Cat Herder
The encryption debate which never entirely goes away is back, the HSE gets a C+ and discussions on facial recognition continue.
😼

In the analog world every police officer does not have a special key in their pocket which allows them to open each and every lock in the world. Such a thing does not exist.
Nor does an “electronic key” which breaks encryption, as described in this article in the Irish Examiner headlined ‘Gardaí to get ‘electronic key’ to intercept criminal gangs’ encrypted messages’. If encryption is weakened to allow access for some, it is weakened for all. Which renders insecure everything which is currently (somewhat) secure.
The article in the Examiner discusses the recent infiltration of Encrochat by French and Dutch law enforcement and quotes Europol as saying this had sent “shockwaves through organised crime across Europe”. The article neglects to mention that all this had happened without a magical electronic key, or the introduction of any new laws ¯\_(ツ)_/¯
Back in January 1991 a chap called Senator Joe Biden added a paragraph to a US Senate bill which would have given law enforcement agencies the ability to access the “plaintext contents of voice, data, and other communications”. This didn’t happen then, nor has it happened subsequently.
This tedious debate is now entering its fourth decade and as more and more commerce and human activity comes to rely on encrypted data transit and storage the likelihood of such a law being introduced diminishes. But that has not stopped law enforcement and security authorities from hopefully briefing about the possibility.
—
Maybe, just maybe if you’re the CEO of a large company which sells surveillance services you shouldn’t be doing this.
The chief executive of an exam monitoring software firm that has raised privacy concerns in Australia has apologised for publicly posting a student’s chat logs during an argument on the website Reddit.
Mike Olsen, who is the CEO of the US-based Proctorio, has since deleted the posts and apologised, saying that he and Proctorio “take privacy very seriously”.
Guardian: ‘CEO of exam monitoring software Proctorio apologises for posting student’s chat logs on Reddit’
No sign of the HSE Covid Tracker app in the Apple and Google stores yet, nor have any significant changes been made to the website except a shift of domain, from covidtracker.ie to covidtracker.gov.ie.
The Irish Council for Civil Liberties and Digital Rights Ireland did up a scorecard. The app and its trappings were awarded a C+. The press release is here, the scorecard itself is here (PDF) and some coverage from The Irish Times is here.
A HSE spokeswoman said it welcomed external scrutiny of the app and would review the assessment by the groups.
As mentioned in last week’s newsletter, this attitude towards outside scrutiny from a state body is in itself extremely welcome and hopefully will continue.
—
Over in the UK something close to the exact opposite is happening.
Lawyers working on behalf of privacy and free speech organisation Open Rights Group (ORG) have issued health secretary Matt Hancock and the Department of Health and Social Care (DHSC) with a pre-action legal letter that says they have breached requirements of the Data Protection Act 2018 and GDPR by failing to properly conduct a Data Protection Impact Assessment (DPIA) for the whole Test and Trace system.
Wired: ‘Government faces court over NHS Test and Trace privacy failings’
After a series of protests calling for police reform, the San Diego Police Department accessed the city’s network of streetlight cameras at least 35 times in search of evidence for criminal cases against protesters who police believed vandalized property or threw objects.
Voice of San Diego: ‘Police Used Smart Streetlight Footage to Investigate Protesters’
An overview of what these streetlights are capable of by The San Diego Union Tribune was mentioned in Volume 2, Issue 11 of this newsletter, back in March of last year.
Detroit police have used highly unreliable facial recognition technology almost exclusively against Black people so far in 2020, according to the Detroit Police Department’s own statistics. The department’s use of the technology gained national attention last week after the American Civil Liberties Union and New York Times brought to light the case of Robert Julian-Borchak Williams, a man who was wrongfully arrested because of the technology.
VICE: ‘Detroit Police Chief: Facial Recognition Software Misidentifies 96% of the Time’
—
Back over on this side of the Atlantic the European Data Protection Supervisor has called for a moratorium on the use of facial recognition (and more) in public spaces.
Applications that should be outlawed for a limited period of time not only include facial recognition technologies but also software that captures “gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals,” the European Data Protection Supervisor said on Tuesday (30 June).
Euractiv: ‘EU data watchdog to ‘convince’ Commission to ban automated recognition tech’
EUobserver: ‘Facial-recognition moratorium back on EU agenda’
The DPC opened an inquiry into the collection of personal data concerning child benefit payments by the Department of Employment Affairs and Social Protection.
—
The Baden-Württemberg DPA fined AOK Baden-Württemberg, a sweepstakes provider, €1,240,000 for breaches of Article 32 of the GDPR, security of processing.
Press release (in German)
Google Translate
—
The Berlin DPA published the results of a quick compliance assessment of video conferencing services. “the following services are marked ‘red’: Cisco WebEx; Google Meet; GoToMeeting; Microsoft Teams; Skype; Skype for Business; Zoom”
—
The Danish DPA opened an inquiry into TikTok’s handling of children’s personal data. This came one day after TikTok announced it would be moving its main establishment to Dublin at the end of this month.
—
The Dutch DPA has said it is opposed to legislation which will compel mobile operators to share data with the public health institute RIVM and Statistics Netherlands in order to track the movements of people.
Government plans to force phone firms to hand over anonymised data from their clients to the public health institute RIVM for analysis would seriously compromise privacy, according to watchdog Autoriteit Persoonsgegevens. The AP is recommending the cabinet does not press ahead with the law in its current form, saying that officials have virtually ignored its earlier recommendations on the draft legislation.
—
Finally, in some extremely unsurprising regulator news, all the privacy commissioners in Canada have opened an investigation into the extraordinary levels of surveillance by the Tim Hortons app. This was covered here a couple of weeks back.
  • “It’s commonly said that in the digital world, data is power. This simple view might apply to a company collecting data through an app or a website, such as a supermarket, but doesn’t faithfully capture the source of power of the firms controlling the hardware and software platforms these apps and websites run on. Using privacy technologies, such as “federated” or “edge” computing, Apple and Google can understand and intervene in the world, while truthfully saying they never saw anybody’s personal data.” Michael Veale on the immense power owning the operating systems of our pocket rectangles has granted Apple and Google. Given stark historical context recently by them merely shrugging and saying “fine, do it yourselves and come back to us when it doesn’t work” when hit with demands for special treatment from two of the world’s former imperial powers.
  • “Much of the COVID-19 crisis response, including the disparate impact of the disease on African Americans and people who have been economically and politically abandoned, shows us the limitations, failures and potential harms of Silicon Valley promises. The consequences have been devastating. The inescapable truth is that the fragility and inequality of our social, political and economic systems have been laid bare. We cannot automate the tough decisions, the redistributions of power and the everyday behavior it will take to make just societies. We will not compute our way out of these crises to the better future we want.” Safiya Noble on ‘The Loss Of Public Goods To Big Tech’.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
