The "They Are One, We Are Many" problem | The Cat Herder, Volume 2, Issue 42

Lots of commentary on facial recognition this week. The usual helping of slow-burning opaque chaos re   November 3 · Issue #58 · View online Lots of commentary on facial recognition this week. The usual helping of slow-burning opaque chaos related to the Public Services Card. Which, lest we forget, sits atop a database of millions of people’s faces. And also millions of people’s utility bills which the Department of Employment Affairs and Social Protection has decided need to be retained on its servers until the end of time. 😼 The publication of the unredacted list came after the BBC successfully managed to convince the tribunal judges to conceal the name of a senior manager from public documents, who Ahmed alleges told her: “The BBC doesn’t do equal pay.” BBC error reveals names of 120 women who sought equal pay | Media | The Guardian www.theguardian.com – Share Female staff were identified in documents submitted to Samira Ahmed’s tribunal pay claim. As mentioned last week, the Garda Vetting Service had been using the Public Services Card as part of its scoring system. The Department of Employment Affairs and Social Protection has asked the Gardaí to stop doing that. Not mentioned anywhere is how long this might have been going on for. — PAC head accused of ‘wholly untrue’ claims about public services card www.irishtimes.com – Share Irish Rail calls for Seán Fleming to correct record over remarks on use of card by company. This response to Seán Fleming’s remarks from Irish Rail prompts a few thoughts. Firstly, the top brass in Irish Rail, or at least the people advising the top brass are clearly aware they shouldn’t be tracking individual journeys. They may not be aware of why they shouldn’t be doing this, but they’re aware it’s a bad thing. Which is heartening to see from a public body because, dear readers, eighteen months after the GDPR came into force the state of data protection among public bodies in Ireland is still shambolic and incoherent at best. In the last week alone The Cat Herder has encountered a government department citing Bunreacht na hÉireann as a lawful basis for processing personal data. So we should take small glimmers of awareness like this one as the victories they are. ‘Tis a long road we have yet to walk. Secondly, the top brass in Irish Rail also appear aware that being drawn unwillingly into the maelstrom of confusion the Public Services Card (aka DPER’s Great Identity Adventure) generates has potentially serious consequences for any public body. Hence the speed and vehemence with which they’re attempting to put some clear water between themselves and the whirlpool. Thirdly, as repeatedly highlighted in the DPC’s report into the lawfulness and transparency of the Public Services Card project, the workings and purposes of the system remain bafflingly opaque to both those who have found themselves within it and to anyone examining it from the outside. There's every chance it will Frankly, it’s surprising something similar hasn’t happened here yet. A confidential Sidewalk Labs document from 2016 lays out the founding vision of the Google-affiliated development company, which included having the power to levy its own property taxes, track and predict people’s movements and control some public services. Sidewalk Labs document reveals company’s early vision for data collection, tax powers, criminal justice - The Globe and Mail www.theglobeandmail.com – Share Known internally as the ‘yellow book,’ 437-page report from 2016 describes life in a Sidewalk neighbourhood such as Toronto’s proposed Quayside site as an experience based, in part, on how much data people are willing to share. — In the eyes of bureaucrats and legislators there is no situation that can’t be improved or even solved entirely by throwing some facial recognition at it. Australia Proposes Face Scans for Watching Online Pornography - The New York Times www.nytimes.com – Share As a government agency seeks approval of a facial recognition system, it says one use for it could be verifying the age of people who want to view pornography online. — Hundreds of applications, big and small, are being used at schools across the country to do everything from track homework to modify behavior. They can collect data about intelligence, disciplinary issues, personalities and schedules. e-Hallpass is one of many apps tracking students' personal data like trips to the bathroom - The Washington Post www.washingtonpost.com – Share A digital hallpass app that tracks bathroom trips is the latest school software to raise privacy concerns. Austrian Post were fined €18 million by the Austrian Data Protection Authority for using customers’ data “such as ages and addresses, to calculate a probability of which political party they might support and sold its findings.” — The Polish DPA fined the mayor of Aleksandrów Kujawski 40,000 PLN (~€9,400) for not having a data processing agreement in place with two data processors, in breach of Articles 28(3), 5(1)(a) and 5(1)(f) of the GDPR. — The Romanian Data Protection Authority publicised a range of fines which have been levied recently, including, among others “Raiffeisen Bank S.A. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, which led to imposing an administrative fine in the amount of 150,000 Euros” “Vreau Credit S.R.L. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, as well as of Article 33 paragraph (1) of the GDPR, which led to imposing an administrative fine in the amount of 20,000 Euros.” “the National Supervisory Authority completed an investigation at INTELIGO MEDIA SA, finding the following:Violation of the provisions of Article 5 paragraph (1) letters a) and b), Article 6 paragraph (1) letter a) and Article 7 of the GDPR, which led to imposing an administrative fine in the amount of 9000 Euros.” — In Ireland the Coming Soon™ horizon has now been apparently stretched out into next year for the outcomes of the first tranche of investigations into multinationals. “Although her investigators recently wrapped up reports on two cases involving Facebook’s WhatsApp platform and Twitter, Dixon says no final decisions are likely this year.” — The ICO and Facebook reached an agreement in which Facebook agreed to drop an appeal and pay a fine of £500,000 in return for no admission of liability in the Cambridge Analytica scandal. Which seems like far more of a win for Facebook than the ICO. — The Norwegian Data Protection Authority ordered the Arendal municipality to stop processing the personal data of school students with an anti-bullying tool known as Spekter. Original (PDF, in Norwegian) Translation (Google Translate) Geoffrey Fowler names some names in The Washington Post and even gets some commitments from large publishers to stop using browser fingerprinting on their websites. “Fingerprinting happens when sites force your browser to hand over innocent-looking but largely unchanging technical information about your computer, such as the resolution of your screen, your operating system or the fonts you have installed. Combined, those details create a picture of your device as unique as the skin on your thumb. The UN Special Rapporteur on the right to privacy, Joe Cannataci, presented a report to the UN General Assembly on how health data should be used and protected. "Health-related data is very sensitive and has high commercial value. There is a largely hidden industry that is already collecting, using, selling and securing health data. This has a major impact on our privacy and is of enormous concern.” Doc Searls on facial recognition - “A predictable pattern for every new technology is that what can be done will be done—until we see how it goes wrong and try to stop doing that. This has been true of every technology from stone tools to nuclear power and beyond. Unlike many other new technologies, however, it is not hard to imagine ways facial recognition by computers can go wrong, especially when it already has.” “any interference in fundamental rights under the Article 52 of the Charter must be demonstrably necessary. The bar for this test becomes higher the deeper the interference. Is there any evidence yet that we need the technology at all? Are there really no other less intrusive means to achieve the same goal? Obviously, ‘efficiency’ and ‘convenience’ could not stand as sufficient.” Wojciech Wiewiórowski, the European Data Protection Supervisor, on facial recognition. “from a regulator’s perspective, I must ensure that everyone working in this developing area stops to take a breath and works to satisfy the full rigour of UK data protection law. Moving too quickly to deploy technologies that can be overly invasive in people’s lawful daily lives risks damaging trust not only in the technology, but in the fundamental model of policing by consent.” Elizabeth Denham, the UK’s Information Commissioner, on facial recognition. “They are one, and we are many”. John Edwards, New Zealand’s Privacy Commissioner, on Addressing the Power Asymmetry of the Big Tech Companies. —— Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. Barring a disaster we’ll be in your inbox again next weekend. If you know someone who might enjoy this newsletter do please forward it on to them. e-Hallpass is one of many apps tracking students' personal data like trips to the bathroom - The Washington Post www.washingtonpost.com – Share A digital hallpass app that tracks bathroom trips is the latest school software to raise privacy concerns. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Lots of commentary on facial recognition this week. The usual helping of slow-burning opaque chaos related to the Public Services Card. Which, lest we forget, sits atop a database of millions of people’s faces. And also millions of people’s utility bills which the Department of Employment Affairs and Social Protection has decided need to be retained on its servers until the end of time.

😼

Female staff were identified in documents submitted to Samira Ahmed’s tribunal pay claim.

As mentioned last week, the Garda Vetting Service had been using the Public Services Card as part of its scoring system. The Department of Employment Affairs and Social Protection has asked the Gardaí to stop doing that. Not mentioned anywhere is how long this might have been going on for.

—

Irish Rail calls for Seán Fleming to correct record over remarks on use of card by company.

This response to Seán Fleming’s remarks from Irish Rail prompts a few thoughts.

Firstly, the top brass in Irish Rail, or at least the people advising the top brass are clearly aware they shouldn’t be tracking individual journeys. They may not be aware of why they shouldn’t be doing this, but they’re aware it’s a bad thing. Which is heartening to see from a public body because, dear readers, eighteen months after the GDPR came into force the state of data protection among public bodies in Ireland is still shambolic and incoherent at best. In the last week alone The Cat Herder has encountered a government department citing Bunreacht na hÉireann as a lawful basis for processing personal data. So we should take small glimmers of awareness like this one as the victories they are. ‘Tis a long road we have yet to walk.

Secondly, the top brass in Irish Rail also appear aware that being drawn unwillingly into the maelstrom of confusion the Public Services Card (aka DPER’s Great Identity Adventure) generates has potentially serious consequences for any public body. Hence the speed and vehemence with which they’re attempting to put some clear water between themselves and the whirlpool.

Thirdly, as repeatedly highlighted in the DPC’s report into the lawfulness and transparency of the Public Services Card project, the workings and purposes of the system remain bafflingly opaque to both those who have found themselves within it and to anyone examining it from the outside.

Frankly, it’s surprising something similar hasn’t happened here yet.

Known internally as the ‘yellow book,’ 437-page report from 2016 describes life in a Sidewalk neighbourhood such as Toronto’s proposed Quayside site as an experience based, in part, on how much data people are willing to share.

—

In the eyes of bureaucrats and legislators there is no situation that can’t be improved or even solved entirely by throwing some facial recognition at it.

As a government agency seeks approval of a facial recognition system, it says one use for it could be verifying the age of people who want to view pornography online.

—

A digital hallpass app that tracks bathroom trips is the latest school software to raise privacy concerns.

Austrian Post were fined €18 million by the Austrian Data Protection Authority for using customers’ data “such as ages and addresses, to calculate a probability of which political party they might support and sold its findings.”

—

The Polish DPA fined the mayor of Aleksandrów Kujawski 40,000 PLN (~€9,400) for not having a data processing agreement in place with two data processors, in breach of Articles 28(3), 5(1)(a) and 5(1)(f) of the GDPR.

—

The Romanian Data Protection Authority publicised a range of fines which have been levied recently, including, among others

• “Raiffeisen Bank S.A. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, which led to imposing an administrative fine in the amount of 150,000 Euros”
• “Vreau Credit S.R.L. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, as well as of Article 33 paragraph (1) of the GDPR, which led to imposing an administrative fine in the amount of 20,000 Euros.”
• “the National Supervisory Authority completed an investigation at INTELIGO MEDIA SA, finding the following:Violation of the provisions of Article 5 paragraph (1) letters a) and b), Article 6 paragraph (1) letter a) and Article 7 of the GDPR, which led to imposing an administrative fine in the amount of 9000 Euros.”

—

In Ireland the Coming Soon™ horizon has now been apparently stretched out into next year for the outcomes of the first tranche of investigations into multinationals. “Although her investigators recently wrapped up reports on two cases involving Facebook’s WhatsApp platform and Twitter, Dixon says no final decisions are likely this year.”

—

The ICO and Facebook reached an agreement in which Facebook agreed to drop an appeal and pay a fine of £500,000 in return for no admission of liability in the Cambridge Analytica scandal. Which seems like far more of a win for Facebook than the ICO.

—

The Norwegian Data Protection Authority ordered the Arendal municipality to stop processing the personal data of school students with an anti-bullying tool known as Spekter.

Original (PDF, in Norwegian)

Translation (Google Translate)

• Geoffrey Fowler names some names in The Washington Post and even gets some commitments from large publishers to stop using browser fingerprinting on their websites. “Fingerprinting happens when sites force your browser to hand over innocent-looking but largely unchanging technical information about your computer, such as the resolution of your screen, your operating system or the fonts you have installed. Combined, those details create a picture of your device as unique as the skin on your thumb.
• The UN Special Rapporteur on the right to privacy, Joe Cannataci, presented a report to the UN General Assembly on how health data should be used and protected. "Health-related data is very sensitive and has high commercial value. There is a largely hidden industry that is already collecting, using, selling and securing health data. This has a major impact on our privacy and is of enormous concern.”
• Doc Searls on facial recognition - “A predictable pattern for every new technology is that what can be done will be done—until we see how it goes wrong and try to stop doing that. This has been true of every technology from stone tools to nuclear power and beyond. Unlike many other new technologies, however, it is not hard to imagine ways facial recognition by computers can go wrong, especially when it already has.”
• “any interference in fundamental rights under the Article 52 of the Charter must be demonstrably necessary. The bar for this test becomes higher the deeper the interference. Is there any evidence yet that we need the technology at all? Are there really no other less intrusive means to achieve the same goal? Obviously, ‘efficiency’ and ‘convenience’ could not stand as sufficient.” Wojciech Wiewiórowski, the European Data Protection Supervisor, on facial recognition.
• “from a regulator’s perspective, I must ensure that everyone working in this developing area stops to take a breath and works to satisfy the full rigour of UK data protection law. Moving too quickly to deploy technologies that can be overly invasive in people’s lawful daily lives risks damaging trust not only in the technology, but in the fundamental model of policing by consent.” Elizabeth Denham, the UK’s Information Commissioner, on facial recognition.
• “They are one, and we are many”. John Edwards, New Zealand’s Privacy Commissioner, on Addressing the Power Asymmetry of the Big Tech Companies.

——

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster we’ll be in your inbox again next weekend.

If you know someone who might enjoy this newsletter do please forward it on to them.

A digital hallpass app that tracks bathroom trips is the latest school software to raise privacy concerns.