Privacy Kit

October 17, 2021

The Cat Herder

October 17 · Issue #153
Pay with your face goes live in Moscow’s Metro system, don’t take pictures of the Big Board in the police station, a peculiar draft decision, and yet another unlawful biometric national ID scheme.
😼

Is this what happens when an authority tasked with supervising and enforcing transparency in the processing of personal data spends too much time hanging around with multinational technology companies who have a penchant for throwing NDAs around like confetti?
Michael Veale
@mikarv
The DPC also requested I sign an NDA in relation to complaints re FB & Twitter. It would even require me to delete *all* docs/emails from the DPC 5 days after my complaint is decided. I have asked what the legal basis of this demand is. DPC went quiet, no reply in over a month. https://t.co/hhGYCwuNT8
12:24 PM - 16 Oct 2021
It invites questions about how common this practice is. What is the purpose of it? When did the DPC start doing this? How many other complainants - especially those who aren’t legal academics or who don’t have easy access to legal advice - have been sent demands like this? Are these NDA requests only deployed in complaints involving certain data controllers?
The DPC had made decent progress in terms of transparency in the last couple of years, beginning to publish decisions on its website and making case studies more accessible. It’s unfortunate to see this apparent lurch backwards.
Just by the by …
The new law is the result of hard-fought advocacy work by those in the tech industry who have long spoken out against the restrictive confidentiality arrangements, known as nondisclosure agreements or NDAs, which are intended to protect industry secrets but have also created a culture of silence around wrongdoing.
Guardian, 8th October 2021: ‘California companies can no longer silence workers in victory for tech activists’
The UK’s information commissioner just told a parliamentary subcommittee on online harms and disinformation that a secret arrangement between her office and Facebook prevents her from publicly answering whether or not Facebook contacted the ICO about completing a much-trumpeted ‘app audit’.
Techcrunch, 21st January 2021: ‘Facebook’s secret settlement on Cambridge Analytica gags UK data watchdog’
NDAs have played a central role in a number of recent tech industry controversies, raising new questions about their proliferation and scope. While businesses insist the agreements are necessary, critics say they scare people from talking about the darker sides of the industry.
Fortune, April 29, 2019: ‘Why You Should Be Worried About Tech’s Love Affair With NDAs’
Non-disclosure agreements are already common in corporate real estate, and now that tech firms like Google, Apple, and Facebook are building more data centers and office parks across the US, they have become adept at squeezing tax breaks and other perks from local governments hungry for economic development. Expecting negotiations to be kept hush-hush gives companies an advantage, but it’s risky for cities and suburban towns — especially cash-strapped and job-poor ones — to say no.
Buzzfeed News, November 20, 2018: ‘When Cities Sign Secret Contracts With Big Tech Companies, Citizens Suffer’
—
This one is straight from the Unfathomably Bad Ideas desk.
Electrician leaked pictures of Garda intelligence board containing information on 108 people
www.irishexaminer.com
The court was told that the pictures were captioned with a phrase like: “never let an electrician into a Garda station”.
Governments misusing technology? Surely not. (There’s more on this below in the What We’re Reading section.)
Governments planned to misuse CSAM scanning tech even before Apple's announcement
9to5mac.com
Governments were already discussing how to misuse CSAM scanning technology even before Apple announced its plans, say security researchers …
Pesky activist judges at it again! The Kenyan High Court has declared the Kenyan government’s rollout of Huduma Namba cards illegal and required the government to carry out a Data Protection Impact Assessment before proceeding with the biometric identification programme. Sadly “Huduma Namba” doesn’t translate directly into Hiberno-English as “Public Services Card” but you get the idea.
High Court declares roll out of Huduma Namba cards illegal, calls for data protection impact assessment - HapaKenya
hapakenya.com
The High Court has declared the Huduma Namba roll out illegal on grounds of being in conflict with the Data Protection Act, 2019.
Today it is exactly two years and one month since the then Minister for Employment Affairs and Social Protection said “her department will not comply with any of the directions from the Data Protection Commissioner (DPC) on its Public Services Card project.”
Just because Amazon will sell you a powerful CCTV device off the shelf it doesn’t mean the uses you put it to are going to be compliant with the law.
Man may have to pay £100,000 to neighbour as Ring doorbell 'invades her privacy' - Mirror Online
www.mirror.co.uk
Dr Mary Fairhurst told Oxford County Court how she felt harassed by her neighbour Jon Woodard after he set up four Amazon Ring doorbell devices around his property to deter car thieves.
The full judgment is available here [direct link to PDF] and is an entertaining read.
Face Pay requires metro riders to upload a photo and connect their bank and metro cards to the Mosmetro mobile app. With everything uploaded, all you need to do is look at the camera posted above the turnstiles to make it in time for your next train. Moscow authorities expect 10 to 15 percent of riders to use Face Pay “regularly” in the next two to three years, the hope being less time swiping and paying for rides will translate to shorter lines and waits, and less close contact during the ongoing pandemic.
Moscow adds facial recognition payment system to more than 240 metro stations - The Verge
www.theverge.com
Moscow introduced a new facial recognition payment system called Face Pay to 240 metro stations on Friday. The new system is designed to shorten lines and wait times, but could be a vulnerable hacking target and a privacy risk.
Mark Andrejevic
@MarkAndrejevic
Can't bring myself to retweet RT, but keep an eye on this. The attempt to make checkpoints "frictionless" underwrites the goal of making them ubiquitous.
(admittedly, the evidence that this would actually be frictionless in practice is scant). https://t.co/V2RmR7f0bF
12:27 PM - 16 Oct 2021
NOYB published the DPC’s draft decision ‘In the matter of LB (through NOYB) v Facebook Ireland Limited’ [direct link to PDF].
I haven’t had the opportunity to read the draft decision in detail but the DPC appears to have sidestepped directly dealing with what Schrems terms the “GDPR bypass” by reasoning that people are entering into a non-negotiable contract with Facebook to be profiled for the purpose of being served ads when they agree to Facebook’s terms of service. Therefore the lawful basis Facebook is using for this particular processing operation is performance of a contract rather than consent. The DPC then declares itself not directly competent to make any assessment on the “interpretation and validity of national contract law”. The DPC reckons Facebook didn’t try hard enough to inform people they were entering into this contract and that’s what the proposed fine is for.
The draft decision is with the EDPB, then it’ll go back to the DPC. In the meantime the DPC and NOYB will no doubt continue squabbling over NOYB’s decision to publish the draft decision, providing an entertaining sideshow for anyone who finds that sort of thing amusing.
NOYB: ‘Irish DPC greenlights Facebook’s “GDPR bypass”. Schrems: “Decision undermines key element of GDPR.”’
RTE: ‘DPC proposes €36m fine for Facebook over data complaint’
Euractiv: ‘Irish privacy watchdog endorses Facebook’s approach to data protection’
  • “Haugen, who revealed internal documents showing that the company was aware of its products’ harms, said that she wishes to fix rather than destroy Facebook, but these are not the only two options. The third, regulation, is at its heart not about patching up broken, dangerous companies and their products but is about changing the social, political, and business landscape that allowed them to grow unchecked, operating as rapacious, destructive entities. It ensures not only that the present companies’ harms are stopped but also that new companies cannot take their place and continue the same destructive business models.” From ‘Facebook’s Fall From Grace Looks a Lot Like Ford’s’ by Mar Hicks in Wired.
  • “Now, in Bugs in our Pockets: The Risks of Client-Side Scanning, colleagues and I take a long hard look at the options for mass surveillance via software embedded in people’s devices, as opposed to the current practice of monitoring our communications. Client-side scanning, as the agencies’ new wet dream is called, has a range of possible missions. While Apple and the FBI talked about finding still images of sex abuse, the EU was talking last year about videos and text too, and of targeting terrorism once the argument had been won on child protection. It can also use a number of possible technologies; in addition to the perceptual hash functions in the Apple proposal, there’s talk of machine-learning models. And, as a leaked EU internal report made clear, the preferred outcome for governments may be a mix of client-side and server-side scanning.” From ‘Bugs in our pockets’ by Ross Anderson. The full paper is here.
  • “The research raises fresh questions about potentially harmful uses of Facebook’s ad targeting tools, and — more broadly — questions about the legality of the tech giant’s personal data processing empire given that the information it collects on people can be used to uniquely identify individuals, picking them out of the crowd of others on its platform even purely based on their interests.” From ‘Researchers show Facebook’s ad tools can target a single user’ by Natasha Lomas for Techcrunch.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland