December 5, 2021
"The international optics here are appalling" | The Cat Herder, Volume 4, Issue 47
December 5 · Issue #160
Predictive modelling. An always-on camera. Crunch time for the one-stop shop? And to wrap up, an editorial from a couple of years back. 😼
nothing makes me trust and want to use software more than it clearly having a manually-written snooping feature that makes it complain I’m looking at other companies’ websites https://t.co/JPQMOZ5LKA
“Your phone’s front camera is always securely looking for your face, even if you don’t touch it or raise to wake it.” That’s how Qualcomm Technologies vice president of product management Judd Heape introduced the company’s new always-on camera capabilities in the Snapdragon 8 Gen 1 processor set to arrive in top-shelf Android phones early next year.
Qualcomm’s new always-on smartphone camera is a potential privacy nightmare - The Verge
Qualcomm is introducing a new, unsettling feature baked into its Snapdragon 8 Gen 1 processor for smartphones arriving next year. It can use the phone’s front camera to always be looking for your face, even when you’re not using the phone. It’s a next-level step in security and privacy concerns.
Some fine administration by the administrators here.
According to the Belgian daily Le Soir, representatives of the Wallonia government failed to appear at a court hearing on Nov. 16 because no one dealt with the file in the public administration for five days due to a combination of a weekend and public holidays. The invitation letter was received on Nov. 10, but the day after was Armistice Day commemorating the end of World War I, a public holiday in Belgium. The holiday fell on a Thursday and was extended to a long weekend by most of the officials. The following Monday – Nov. 15. – was King’s Day, which grants a holiday for the public administration. As a consequence, nobody dealt with the file and the hearing took place in the absence of the Wallonia officials.
Belgian court rules COVID pass illegal in Wallonia
Region’s representatives did not appear in court to argue case due to public holidays - Anadolu Agency
Speaking at a privacy conference this morning, Vera Jourová, the EU’s commissioner for values and transparency, said enforcement of the General Data Protection Regulation (GDPR) at a national level must buck up — and become “effective” — or else it “will have to change”, warning specifically that any “potential changes” will move toward centralized enforcement. “In my view, it does take too long to address the key questions around processing of personal data for big tech,” said Jourová giving a keynote speech to the Forum Europe data protection & privacy conference. “Yes, I understand the lack of resources. I understand there is no pan-European procedural law to help the cross-border cases. I understand that the first cases need to be rock-solid because they will be challenged in court. “But I want to be honest — we are in the crunch time now. Either we will all collectively show that GDPR enforcement is effective or it will have to change. And there is no way back to decentralised model that was there before the GDPR. Any potential changes will go towards more centralisation, bigger role of the EDPB [European Data Protection Board] or Commission.”
Should centralisation of oversight of multinationals such as Facebook go ahead, the money in fines will probably not end up going to the Irish exchequer. Just a thought.
Facebook sets aside €1bn for new Irish data fines as profits soar - Independent.ie
Facebook has set aside over €1bn for data privacy fines it thinks are likely to come from Ireland’s Data Protection Commission, new accounts show.
The UK government has published a transparency standard for algorithms, the series of instructions that a computer follows to complete a task or produce a single outcome. Algorithms have become the focus of increasing controversy, whether through their role in deciding A-level results last year or making decisions about benefit claims. Under the new approach, government departments and public sector bodies will be required to explain where an algorithm was used, why it was used and whether it achieved its aim. There will also be an obligation to reveal the architecture behind the algorithm. It will be tested by several government departments and public sector bodies in the coming months before being reviewed again and formally launched next year.
Working of algorithms used in government decision-making to be revealed | Computing | The Guardian
Cabinet Office announces new standard for tools that influence exam results, housing benefit allocations and pothole repairs
The Department of Social Protection here in Ireland has a ‘Compliance and Anti-Fraud Strategy 2019-2023’ [direct link to PDF] which mentions that the department will “Examine ways of expanding our data matching capabilities and explore new possible data matches to enhance our control activities, consistent with data protection laws” and “Invest in further predictive modelling” which “will improve our capacity to detect more non-compliant cases, improve non-compliance processes and controls and identify trends that will help to develop more effective control policies.”
One can only presume that the department which spent several years denying it was processing biometric data will also deny that the systems used for its “data matching” and “predictive modelling” involve algorithmic processing of personal data.
Speaking of predictive modelling, Gizmodo and The Markup published a big investigation into crime predictions made on behalf of law enforcement agencies across the US by a company called PredPol. Which has recently renamed itself Geolitica because presumably the predictive tag is too much of a stretch based on the system’s actual rather than imagined capabilities.
Between 2018 and 2021, more than one in 33 U.S. residents were potentially subject to police patrol decisions directed by crime-prediction software called PredPol.
For context, one in 33 residents in Ireland would be roughly equivalent to the population of Limerick and Galway cities combined.
As is frequently the case with systems of this nature, it appears to have been used in secret and without oversight, and for categories of crime even the vendor itself advised against.
Advocates in at least six cities we spoke to were unaware the software was being used locally. Even those involved in government-organized social justice committees said they didn’t have a clue about it.
“We provide guidance to agencies at the time we set them up and tell them not to include event types without clear victimization that can include officer discretion, such as drug-related offenses,” he wrote. “If they decide to add other event types later that is up to them.” Thomas Mosier, the police chief in Piscataway, said in an interview that he doesn’t recall receiving any instructions about not predicting certain crime types. The other agencies declined to comment about it or ignored our questions altogether.
Crime Prediction Software Promised to Be Free of Biases. New Data Shows It Perpetuates Them
Millions of crime predictions left on an unsecured server show PredPol mostly avoided Whiter neighborhoods, targeted Black and Latino neighborhoods.
The outgoing Information Commissioner published a “provisional view to fine Clearview AI Inc over £17 million” on her second last day in the position. Which is a bit of an odd thing to land on your successor’s desk. Unless a lot of your time as regulator has been spent regulating by press announcement. Then it’s simply business as usual, right ‘til the end.
A leading Irish privacy advocacy group has “welcomed” reports that the Department of Justice is seeking to expand the number of Data Protection Commissioners from one to three. Digital Rights Ireland has written to the Minister for Justice Helen McEntee to suggest that it is “now time to revisit” how the commission is structured.
- “During four years of research, I found privacy impact assessments reduced to simple box-checking. At one company, for example, the general counsel’s office went so far as to reduce a privacy impact assessment to a chart with “yes” and “no” columns next to questions like, “Will there be collection of personal information from customers?” with a note preceding the chart telling employees to “always check no.” Everyone I spoke to reported using privacy impact assessments to assess litigation risks to the company rather than privacy risks to consumers … What’s even worse is that none of this is illegal. Not only is there no law against check-box privacy, but after decades of neoliberal and anti-regulatory hegemony, performative legal compliance is what passes for public governance.” From ‘How Big Tech Turns Privacy Laws Into Privacy Theater’ by Ari Ezra Waldman for Slate. NB: Most of what is described here is in breach of the GDPR, but compelling controllers to do Data Protection Impact Assessments in the first place, and to do them properly, has proven to be quite a struggle in Europe.
- “The Skolplattform wasn’t meant to be this way. Commissioned in 2013, the system was intended to make the lives of up to 500,000 children, teachers, and parents in Stockholm easier—acting as the technical backbone for all things education, from registering attendance to keeping a record of grades. The platform is a complex system that’s made up of three different parts, containing 18 individual modules that are maintained by five external companies. The sprawling system is used by 600 preschools and 177 schools, with separate logins for every teacher, student, and parent. The only problem? It doesn’t work … The work started at the end of November 2020, just days after Stockholm’s Board of Education was hit with a 4 million SEK GDPR fine for “serious shortcomings” in the Skolplattform. Integritetsskyddsmyndigheten, Sweden’s data regulator, had found serious flaws in the platform that had exposed the data of hundreds of thousands of parents, children, and teachers. In some cases, people’s personal information could be accessed from Google searches. (The flaws have since been fixed and the fine reduced on appeal.)” From ‘These Parents Built a School App. Then the City Called the Cops’ by Matt Burgess for Wired.
- One from the ‘How We Got Here’ files. The Irish State’s eagerness to oppose the DPC’s findings against a DPER project which ballooned into a mostly purposeless, intrusive, rights-infringing and costly mess is not at all unconnected with the enthusiasm with which our multinational guests are appealing the DPC’s findings against them. “While such findings had been released earlier in summary form by the DPC, the full report adds significant heft and leaves little legal wriggle room for the Department. Yet the Government intends to defend the card, in direct defiance of a national regulator, with both the Minister and Taoiseach Leo Varadkar suggesting that the DPC should have met with the Department to “discuss” the findings. The international optics here are appalling. If the State continues with a sensitive data-gathering project in defiance of a regulator who also oversees the Irish-based European operations of many of the largest data-gathering multinational companies, it destabilises international confidence in Ireland.” From a September 2019 Irish Times editorial.
—
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
The Verge: ‘Microsoft’s new Windows prompts try to stop people downloading Chrome’
Techcrunch: ‘EU warns adtech giants over “legal tricks” as it moots changes to centralize privacy oversight’
The ICO fined the Cabinet Office in the UK £500,000 for “mistakenly sharing the postal addresses of more than 1,000 New Year Honours recipients online.”
Irish Examiner: ‘“Time to revisit” structure of watchdog as plans for two more data commissioners reported’
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.