Privacy Kit

September 8, 2019

The Cat Herder

Minister Regina Doherty has "incredibly strong" advice. She won't say what it is though. 😼
 
September 8 · Issue #50

Is this better or worse than “password123”?
600,000 GPS trackers left exposed online with a default password of '123456' | ZDNet
www.zdnet.com
Default password is a danger for customers, but also for the vendor itself.
—
Mugshots from police officer's notebook sold on eBay | BBC News
www.bbc.com
The notebook features pictures and details on criminals and people of interest from the 1950s.
Graham Smith
@cyberleagle
Minister: “My legal advice is incredibly strong,” If it were me, I'd prefer it to be credibly strong. https://t.co/jzUJ81PFP3
10:17 PM - 5 Sep 2019
In last week’s newsletter we went over some of the basics of data protection regarding joint data controllers which the Department of Public Expenditure and Reform and the Department of Employment Affairs and Social Protection appeared to be having some difficulties in grasping. That matter, at least, appears to have been resolved.
So, let’s recap this week’s events.
There was a cabinet meeting on Tuesday. Certain items on the agenda of this cabinet meeting were given to The Irish Times in advance of the meeting, as appears to be now traditional. There was a time when these were called leaks, I think, but as you’re all aware we live in interesting times in which old certainties no longer hold. The Irish Times ran a story headlined ‘Government to challenge order that public services card had no basis in law’ which informed us that
in a Government memo, jointly presented with the Department of Public Expenditure, Ms Doherty will tell Ministers that the Government is to fight the decision
So the two departments would seem to be acknowledging they are joint data controllers with joint responsibilities. The story continues
The Government will challenge the decision in court and defend the continued use of the card. They will also decline to publish the full report of the commissioner’s office.
Further coverage of the cabinet meeting after it had occurred appeared to confirm this account of the government’s approach. It even added the tantalising detail that the ministers had told cabinet that it in fact might be “unlawful” for their departments to stop the processing of personal data which the DPC had ruled to be unlawful.
On Wednesday morning, after an absence of several weeks, Minister Doherty sallied forth to explain what was what on Morning Ireland. She repeated the line about the dangerous potential illegality of stopping the illegal processing. She mentioned her department wanted to meet with Commissioner Dixon for a bit of a chat. Because obviously the minister and her department feel they weren’t afforded enough opportunities to make their case in the almost two years this element of the larger DPC investigation has taken.
Contrary to what was published in Tuesday’s Irish Times it seems the minister and her department will, after all, be publishing the full report of the Data Protection Commission. Sadly the minister was not prepared to say when that might happen.
The minister’s legal advice is “incredibly strong”, we were told. She declined to give the audience even a teaser of what that might be, but it seems her officials have been yet again seeking out what they regard as pleasing phrases and sentences in the Social Welfare Consolidation Act which they imagine could, if you squint really hard, make up a legal basis.
Cianan Brennan of The Irish Examiner got in touch with the Department of Employment Affairs and Social Protection to make further inquiries about its intentions. Curiously, the department appeared far more circumspect than the minister.
However, the Department of Social Protection declined to answer a straight question yesterday — would it be taking the Data Protection Commissioner to court as a plaintiff, that is, as the supposed injured party, regarding her ruling? That would suggest that the State is fully aware of the implications of going the legal route, and of the improbability that it would win.
On Thursday evening the DPC said it was having none of the “let’s have a chat” approach. There will be no meeting. Enforcement action will be taken.
In a comment piece titled ‘Are we the wild west of data protection?’ for the Irish Examiner yesterday Mick Clifford gets close to what some of the possible motivations for the state’s current line are. A small group of senior officials across both departments have a series of increasingly indefensible decisions over the years to explain, which they would clearly prefer not to have to do. A pair of ministers have a problem they dearly wish to defer until after the next election when there might be someone else in charge.
Karlin Lillington wearily pointed out on Thursday in The Irish Times that we’ve been in a very similar situation before and the state appears determined to make the same costly and embarrassing mistakes again.
the State has long-term form in bone-headedly pursuing massive data collection projects that it insists are just fine, despite threats and rulings from the regulator, and despite warnings from people who are more familiar with data protection and privacy law than Ministers, the civil service or the attorney general (numerous international experts also have criticised the card).
Who knows what next week might bring.
Oh yes they did
The phone numbers of 419 million Facebook users turned up on the internet. Just lying around. In its headline The Guardian describes this as a “lapse”. That’s where we are now when it comes to Facebook.
—
The Financial Times (€) reports that
Google is secretly using hidden web pages that feed the personal data of its users to advertisers, undermining its own policies and circumventing EU privacy regulations that require consent and transparency, according to one of its smaller rivals.
Researcher Lukasz Olejnik pointed out on Twitter that this isn’t even a new thing.
Lukasz Olejnik
@lukOlejnik
Apparently Cookie Matching is being discussed. Not new. Rediscovered by Brave. Context (not cited yesterday) from 2014 work where cookie matching potential and privacy risks are pointed out, many of its users and uses are uncovered #GDPR #ePrivacy https://t.co/t6tud0h9jK https://t.co/5yTy6Jon1j
8:01 AM - 5 Sep 2019
Oh yes it could
Police Use of Facial Recognition Is Accepted by British Court - The New York Times
www.nytimes.com
In a closely watched case, a judge ruled that live facial recognition does not violate privacy rights. There has been little legal precedent about its use.
More
‘UK privacy activist to appeal after facial recognition case fails’, Al Jazeera
‘Statement on the High Court judgement on the use of live facial recognition technology by South Wales Police’, Information Commissioner’s Office
Full judgement (direct link to PDF)
The FTC fined YouTube / Google $170 million “to settle allegations that it illegally collected data about children younger than age 13 who watched toy videos and television shows on YouTube, settling a long-running government investigation but leaving some in Washington once again furious that regulators had been outmatched by Silicon Valley.”
Presumably inspired by this settlement, Bloomberg Law asked the Irish Data Protection Commission about the same topic. “The Irish privacy office is “scoping” children’s privacy enforcement actions, Irish Data Protection Commissioner Helen Dixon told Bloomberg Law, without naming specific companies.”
—
The AEPD published an indicative list of types of data processing which do not require a Data Protection Impact Assessment (direct link to PDF, two pages).
—
The ICO announced that the Royal Free NHS Foundation has completed the remedial actions required of it after it was found to be not in compliance with the Data Protection Act 1998.
—
More potential trouble looms for the platform surveillance companies over in the US with antitrust investigations announced in several states.
New York is leading a coalition of states in a wide-ranging investigation of Facebook and the Texas attorney general said Friday that he’ll announce a separate multi-state probe Monday into anti-competitive behavior by large tech companies. Bloomberg reported this week that the investigation is targeting Alphabet Inc.’s Google.
  • “our report shows that many mental health websites don’t take the privacy of their visitors as seriously as they should. Some websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws.” Privacy International published ‘Your mental health for sale: How websites about depression share data with advertisers and leak depression test results’ and it makes for grim reading.
  • The ePrivacy Regulation continues to inch onwards. Not necessarily forwards, but onwards. “Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
