August 22, 2021
The Cat Herder

August 22 · Issue #145

A couple of lessons for the Irish state this week, a week in which we also celebrate the second anniversary of the DPC completing the first part of its investigation into the PSC. Whether the Irish state is in the mood to learn these lessons is, as always, an open question. 😼

What’s the German word for “don’t build security systems that rely on obscurity but then can’t keep the important details confidential for more than two weeks”?

Apple Defends Its Anti-Child Abuse Imagery Tech After Claims of ‘Hash Collisions’
Apple said the version of NeuralHash analyzed by researchers is not the final version that will be used for iCloud Photos CSAM detection.

What data controllers like to characterise as sophisticated attacks frequently are nothing of the sort.

Just to be clear, T-Mobile doesn't get to call this a "sophisticated cyberattack" when it's been hacked at least four other times in as many years — and neither should you. https://t.co/26f9fMDvns

Lesson One

After a number of senior executives at the artists formerly known as Genomics Medicine Ireland quietly jumped ship over the past while, the company was acquired earlier this week by HiberCell in an all-stock deal.

Government investment in DNA-collecting company Genuity Science loses value
The Ireland Strategic Investment Fund had invested €66m in the private genetics company acquired in a deal announced yesterday.

The questionable business model of harvesting DNA from Irish people on exceedingly shaky legal grounds accompanied by the equally questionable decision of the state’s investment vehicle to pour tens of millions into the entity operating said business model demands answers which, sadly, are unlikely to be forthcoming.

Karlin Lillington, Irish Times (subscriber only): ‘Why did State put €66m into a private DNA firm instead of national genomics research?’

Lesson Two

When reading about the Taliban takeover of Afghanistan it is worth remembering that the Department of Social Protection and the Department of Public Expenditure and Reform have created a centralised database which contains the biometric information of somewhere between two-thirds and three-quarters of the people in Ireland.

The purpose of doing this, and especially of doing it in a centralised way which is against all best practice advice, remains maddeningly vague. Identity fraud prevention? Turns out there isn’t anywhere near enough of that to justify the database. Of course, creative timewasting by the Department of Social Protection means the investigation of the biometric database by the DPC remains incomplete and unpublished.

My quote in this article on the biometrics disaster in Afghanistan: this catastrophe was entirely avoidable. It must serve as a watershed moment, prompting immediate review of the very existence and use of biometric databases - and lead to potential deletion pending review. https://t.co/1nbbKVLLzW

As stated above, a full review of the Irish state’s digital identity system (MyGovID and the PSC) should be carried out immediately.

According to investigative reporter Annie Jacobsen, the Pentagon had a goal to gather biometric data on 80 percent of the Afghan population to locate terrorists and criminals.

The Taliban Have Seized U.S. Military Biometrics Devices
Biometric collection and identification devices were seized last week during the Taliban’s offensive.

But there’s nothing you can do about biometric and other personal data that’s held on the kinds of official databases that will be accessible to whatever government that happens to be in power. And what makes the Afghan case so ironic is that many of those databases were created by western advisers as part of an attempt to “modernise” society … anyone who still believes the state can be trusted to respect the privacy of its citizens (or, in the case of the UK, its subjects) simply hasn’t been paying attention to what’s been going on.

Beware state surveillance of your lives – governments can change for the worse | John Naughton | The Guardian
With Afghan citizens’ data now in the hands of the Taliban, assumptions about controls that check misuse of intelligence are wide of the mark

Two years ago this week the DPC issued a statement “on Matters Pertaining to the Public Services Card”.

Following the completion of a detailed and lengthy investigation, the Data Protection Commission (DPC) has today published its findings on certain aspects of the Public Services Card (“PSC”).

As new uses of the card have been identified and rolled out from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses. Instead, the development of the card has proceeded by way of one-off, piece-meal changes to existing social welfare legislation, resulting in a situation where, in our view, the approach to the project from a data protection perspective is lacking in coherence and where, more importantly, there is little or no evidence of any attempt to balance the interests of the State, acting through those public bodies who participate in the scheme, and the interests of those members of the public who are required to obtain and produce the card (and provide their personal information when registering for it). Certainly, there is no evidence of any such balance being re-examined on each occasion when a new form of use is identified for the card. That cannot be considered acceptable in a data protection context where careful calibration is required when considering adjustments to any scheme that, by its very nature, interfaces with established and important legal rights.

This statement, and the report which the then Department of Employment Affairs and Social Protection sulkily published some time later, came after a two-year investigation. So we’re four years down this road, with a horrifying real-time example of why building biometric databases like this is a very bad idea unfolding before us. What next?

The Hamburg Data Protection Authority told authorities to stop using Zoom.

The German state’s data protection agency (DPA) took the step of issuing a public warning yesterday, writing in a press release that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR) since user data is transferred to the US for processing.

Techcrunch: ‘Stop using Zoom, Hamburg’s DPA warns state government’

Comment thread on Twitter by Gabriela Zanfir-Fortuna.

As an aside, having just celebrated the second anniversary of the Irish DPA telling a government department to comply with EU law, does this bit from the Techcrunch story sound in any way familiar (emphasis added)?

In a statement, Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information, dubbed it “incomprehensible” that the regional body was continuing to flout EU law in order to use Zoom — pointing out that a local alternative, provided by the German company Dataport (which supplies software to a number of state, regional and local government bodies) is readily available.

- “We were so disturbed that we took a step we hadn’t seen before in computer science literature: We warned against our own system design, urging further research on how to mitigate the serious downsides. We’d planned to discuss paths forward at an academic conference this month. That dialogue never happened. The week before our presentation, Apple announced it would deploy its nearly identical system on iCloud Photos, which exists on more than 1.5 billion devices. Apple’s motivation, like ours, was to protect children. And its system was technically more efficient and capable than ours. But we were baffled to see that Apple had few answers for the hard questions we’d surfaced.” From ‘We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous’ by Jonathan Mayer and Anunay Kulshrestha for the Washington Post.

- “NHS Digital announced in mid-July that it was abandoning the September deadline, and pausing the scheme, with no new launch date. It will soon start a “listening exercise” and consultation process before launching a public information campaign. In a major concession to critics, patients will now be allowed to opt out at any stage, with their data deleted even if it has already been uploaded. NHS Digital is also pledging to increase the security and privacy of the data, even while researchers are working with it.” From ‘NHS data grab on hold as millions opt out’ by Chaminda Jayanetti for The Observer.

Endnotes & Credits

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.

If you were forwarded this newsletter and you like it, you can subscribe here.

Privacy Kit, Made with 💚 in Dublin, Ireland