The Cat Herder
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope 😼
First, an apology of sorts. This is only the fourth issue of this newsletter and much of it will be devoted to the Department of Employment Affairs and Social Protection. As was much of the first issue and the third issue. We’re wearing out the thesaurus trying to find synonyms for bizarre when describing the ongoing denial of reality that is the Department’s stance on biometric processing of personal data (more on this below in the ‘Mandatory But Not Compulsory’ slot). We’d love to be writing about other organisations and their dazzling missteps, but since the Department are so doggedly relentless in their pursuit of privacy failures we really can’t overlook their latest. So.
They now want a social media monitoring system.
The Sideshow Bob rake department, as it shall henceforth be known, has a request for tender out. The website is a faff to use, and the docs long, so I've put the relevant bits in a PDF here: https://t.co/kIXXnJsS2K 2/
— TJ McIntyre is @tjmcintyre@mastodon social (@tjmcintyre) August 21, 2018
This in itself isn’t at all unusual. Many organisations do this. There are plenty of systems available to purchase off the shelf. Any decent PR agency will offer this as a service to their clients. There’s a whole industry centred around giving consumer brands visibility of conversations about their products and services and the ability to join those conversations. However, a government department is not a consumer brand.
‘Social Media Monitoring and Analysis’ is Lot 3 of a three part tender. Lot 1 is ‘Print and Digital Media Monitoring and Analysis’. Lot 2 is ‘Broadcast Media Monitoring and Analysis’. One of these things is not like the others.
Print, digital and broadcast media are all professionally produced by journalists. Mentions of people and organisations in the media have been monitored for a very long time. The first press clipping service was set up in London in 1852.
Scraping and archiving the opinions members of the public have expressed about the Sideshow Bob Rake Department is new and entirely different to keeping an eye on what the press are saying.
For the avoidance of doubt, collecting these Facebook posts, comments, tweets, blog posts and comments is processing of personal data. In many cases these posts, comments etc. could be interpreted as political opinions which under the GDPR are a special category of data.
If the State collecting, analysing, categorising and storing a very large dataset of political opinions for an unspecified amount of time doesn’t sit well with you then you’re not alone. Social media postings shorn of their context and revisited later can easily be misinterpreted and misused.
Since the ‘It Could Never Happen Here’ slot is already filled this week and there’s a story up next about the University of Limerick purchasing an automated number plate recognition system with all the bells and whistles including a watch list because they want to do some “traffic management” we’ll just have to put this next story here and leave you to consider the possibilities before you read on.
It is probably safe to assume that since the UL spokesperson quoted in the story did not mention a data protection impact assessment one has not yet been carried out. Which is entirely the wrong order in which to do things. The impact assessment may well reveal that the project is one that shouldn’t go ahead in its current form, particularly an indiscriminate mass surveillance project such as this.
Despite it featuring a Secretary General apparently interfering with the activities of a Data Protection Officer for political reasons this story got little traction. Is “political reasons” even the correct term here? Who knows. For reasons known only to itself the Sideshow Bob Rake Department has decided it doesn’t want to say in public that it processes biometric data when it is in fact the largest public sector processor of biometric data in the State. We covered this at length in Issue 1 of this newsletter.
TJ McIntyre, the chair of Digital Rights Ireland, posted a thread on Twitter [unrolled one-page version for convenience] with more detail on what was discovered through Freedom Of Information requests and the full text of their letter of complaint which was sent to the Minister.
Before we wrap up this section, this past week marked the first anniversary of this story about the Sideshow Bob Rake Department cutting a woman’s pension payments after she refused to get a public services card. A reasonable person might assume there had been some re-evaluation of the entire national biometric register that the Department is building behind the card in the intervening twelve months. As you can see for yourself that is absolutely not the case.
The DNA analysis company featured in this story recently failed to distinguish between human DNA and Labrador retriever DNA. ‘Nuff said.
Prognosis: Partnerships such as this will keep happening as long as people keep giving their DNA to websites in exchange for some crude guesswork about their family history. Don’t give your DNA to a website. That website might well share it with an insurer and a whole host of other companies. If the DNA analysis outfit has misidentified you as a Labrador retriever then you’re probably going to have difficulty getting any kind of insurance. (Apologies to any fully-insured Labrador retrievers who may be reading this.)
Also of note in this area, DNA analysis company 23andMe announced it would stop third-party app developers from accessing the DNA it has collected and Irish Health Minister Simon Harris signed regulations into law which will allow your personal data to be shared with third parties without requiring your consent. Decisions about who your health data can be shared with will be taken by the rather ominous-sounding Health Research Consent Declaration Committee.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? August 26th 2018
Christina Larson in the MIT Technology Review asks ‘Who needs democracy when you have data?’, a detailed look at the mechanics and social implications of China’s surveillance state. ‘Privacy in Public Spaces: What Expectations of Privacy Do We Have in Social Media Intelligence’ by Lilian Edwards and Lachlan Urquhart and ‘Data Processing for Social Media Monitoring at the European Central Bank’ [Direct PDF link], a prior checking Opinion of the European Data Protection Supervisor, are both papers someone in the Sideshow Bob Rake Department should probably have read before issuing the tender discussed above. Joseph Turow in the New York Times on how the phrase ‘Privacy Policy’ should be retired. We agree and we’ll be writing an awful lot more about this in the coming months.
—
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.