Privacy Kit

October 14, 2018

"the campaign makes a little money, too" | The Cat Herder, Volume 1, Issue 11

October 14 · Issue #11
The Cat Herder
Welcome to Issue 11! From the biggest technology platforms in the world to inaccessible and effectively illegible privacy notices erected on roundabouts in Limerick, the indifference, unawareness and incompetence surrounding data privacy never sleeps. Join us on this week’s trudge through some of the worst examples.
If you know someone who might enjoy this newsletter do please send it on to them.
😼

Never forget that every piece of your personal data is worth something to someone, somewhere. This would be illegal here in Europe but that’s not to say someone isn’t thinking about doing it / has already done it / is making a very good living out of doing it.
Excelsior is offering the chance to email Mr. Trump’s supporters at a rate of $35 per 1,000 addresses — or more if the renter also wants to push posts into the Facebook timelines of supporters — according to interviews and marketing emails obtained by The New York Times. The firm has also explored the possibility of clients’ being able to send text messages directly to the phones of Mr. Trump’s supporters, according to the marketing emails and interviews.
Now for Rent: Email Addresses and Phone Numbers for Millions of Trump Supporters | The New York Times
www.nytimes.com
It appears to be the first time that the campaign of a sitting president facing re-election has opted to market its list of voter contacts.
Yes they did.
The more personal data you collect and the longer you store it for, the likelier it becomes that the personal data will leak. Last week Google deigned to let the world know - six months after they’d discovered it themselves and minutes after the Wall Street Journal broke the story - that there’d been a large unnoticed hole in the Google+ API which could have led to personal data being accessed inappropriately.
Disclosure will likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”, Google policy and legal officials wrote in a memo obtained by the Journal. It “almost guarantees Sundar will testify before Congress”, the memo said, referring to the company’s CEO, Sundar Pichai. The disclosure would also invite “immediate regulatory interest”.
Google to shut down Google+ after failing to disclose user data leak | The Guardian
www.theguardian.com
Since there’s no remaining evidence to assess whether any data was exfiltrated we can confidently say that the cover up is certainly worse than the crime in this case.
Google will lose trust among consumers over their lack of transparency and the incident has attracted the attention of at least two European data protection authorities.
One Big Dumb Data Idea
Here’s an idea Amazon had which went very wrong.
Amazon scraps secret AI recruiting tool that showed bias against women | Reuters
www.reuters.com
Amazon.com Inc’s machine-learning specialists uncovered a big problem: their new recruiting engine did not like women.
Shannon Vallor
@ShannonVallor
"Amazon's system taught itself that male candidates were preferable." No. This is not what happened. Amazon taught their system (with their own hiring data they fed it) that *they* prefer male candidates. This is not a small semantic difference in understanding the problem. https://t.co/Vtv8YUNxW5
6:03 PM - 10 Oct 2018
Undaunted, Amazon have applied for a patent for this dumb data idea, which could go very wrong.
Kate Crawford
@katecrawford
Meanwhile, Amazon's latest patent is for Alexa to detect when people are sick, bored or unhappy. "Alexa would listen out for if users are crying and then class them as experiencing an “emotional abnormality.” 🙃 https://t.co/omzZV3PA5b https://t.co/e7RharrCVR
1:54 PM - 10 Oct 2018
Amazon patents new Alexa feature that knows when you're ill and offers you medicine
www.telegraph.co.uk
Ann Cavoukian, Ph.D.
@AnnCavoukian
And who will Alexa share that information with — that you’re experiencing an “emotional abnormality?” And why do we want Alexa to do this? https://t.co/eNFJOTx5O7
11:45 AM - 11 Oct 2018
Limerick City and County Council is working away on the rollout of their CCTV surveillance scheme despite the Data Protection Commission reportedly examining the legality of all of these sorts of systems across the country. At a guess most of them probably aren’t legal. We wrote a bit about this in The Cat Herder, Issue 2.
Rossa McMahon
@rossamcmahon
I wasn’t able to read the #cctv notices that have gone up in Limerick but @DHurleyLL could. Note the range of purposes listed going well beyond “sole or primary purpose”. These are not s38 authorised purposes. https://t.co/ajuCJxSriy
11:25 PM - 11 Oct 2018
The Modernised Convention 108 opened for signature during the week. Convention 108, officially the ‘Convention for the protection of individuals with regard to automatic processing of personal data’ is a Council of Europe Treaty originally opened for signature in 1981. It’s the only legally-binding international instrument in the field of data protection.
Opening for signature of the Protocol amending the Convention 108: here is Convention 108+!
www.coe.int
Strasbourg 10 October 2018
.... Latest news about Council of Europe work in field of data protection
The Council has published a short and accessible list of what’s new in the Modernised Convention, which is available here [direct PDF link].
In a welcome move the Data Protection Commission published guidance for both data subjects and data controllers and processors about the rights of the former and the obligations of the latter, in advance of the presidential election in Ireland.
DPC publishes guidance on data protection and electoral and canvassing activities - Data Protection Commission - Ireland
www.dataprotection.ie
As illustrated at the top of this issue, lists of personal data collected by political campaigns are valuable, and that value extends beyond the duration of any one campaign. Time permitting we’re going to do an analysis of the privacy notices on each of the websites of the candidates in the Irish presidential election. Spoiler: So far it’s looking like a case of the good, the bad, the bizarre, the entirely non-compliant and the totally non-existent.
The DPC also confirmed during the week that they’re looking into Twitter’s unwillingness to fully respond to a subject access request by Michael Veale related to the data gathered by its link shortening service t.co.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? October 14th 2018 
John Battelle takes a look at how well Amazon probably knows you and how the retailer certainly isn’t using this knowledge to find you the best deals.
In the New York Times Kate Conger and Cade Metz talk to some people who worked building systems for the tech giants and became alarmed at the uses these technologies were being put to. Something built for a reasonably harmless purpose can easily be reconfigured and deployed in support of the aims of authoritarian regimes, for example.
In a lengthy and wide-ranging piece Evan Selinger and Woodrow Hartzog don’t think privacy is dead, and even find some reasons to be cautiously optimistic.
—-
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
Privacy Kit, Made with 💚 in Dublin, Ireland
