Privacy Kit

February 10, 2019

The Vulnerability Of Everything | The Cat Herder, Volume 2, Issue 5

February 10 · Issue #21
Some actual good news this week. Though apologies in advance as it might be a bit geeky and down in the weeds.
The Dutch Justice Ministry, acting as a customer of Microsoft, commissioned a third party (Privacy Company) to carry out a Data Protection Impact Assessment of Microsoft’s Office Pro Plus product and more specifically to examine the diagnostic data this product sends back to Redmond.
You can read the DPIA here. It’s very good and we highly recommend you have at least a quick glance at it. Bear in mind that a DPIA as specified by the GDPR must not only examine possible impacts on the data protection rights of individuals but be an “assessment of the risks to the rights and freedoms of data subjects”.
As a result of the DPIA Microsoft has committed to make changes to the product which it seems will be rolled out to all customers globally. This is an interesting and novel tactical use of one of the GDPR’s accountability tools.
So now we’ve got that good news out of the way, on with the disasters.
😼

It’s a decade since Apple gave the world the iPhone 3G and its accompanying catchphrase “There’s an app for that.”
These days there really is an app for just about anything.
A surveillance system, known as the ‘Absher’ application, has been set up by the Saudi government to control women and prevent them from fleeing the country; it allows the guardians of women (brothers, husbands and fathers) to track their movements.
Saudi Arabia: An app to track women | The Algiers Herald (algiersherald.com)
“It is the height of irony that the very company that faced direct criticism in its role facilitating US immigration authorities’ human rights abuses is now promoting itself as trustworthy of working in humanitarian aid.”
New UN deal with data mining firm Palantir raises protection concerns | IRIN (www.irinnews.org)
The UN’s food relief agency says it can become more efficient and save costs by tying up with the controversial US defense contractor.
Department says Public Services Card has clear legal basis (www.rte.ie)
The Department of Social Protection has said it is confident there is a clear legal basis for the Public Services Card.
“We are also examining if there are appropriate security measures implied in relation to the personal data processed, in relation to the registration of the card and also to evaluate the information that has been made available to the public and whether this information meets the transparency requirement of data protection regulation.” 
Asked if the Commissioner has plans to publish that report, Mr Doyle said a summary of the final findings would be published at an appropriate stage.
It’s unclear why the Public Services Card was covered on Morning Ireland this past week but whatever the reason it seems there may still be a reluctance to publish the full DPC report into the State’s troubled and troubling efforts to build a biometric identity register.
Much of the GDPR isn’t new; it’s just an updated version of its predecessor, the 1995 Data Protection Directive. The accountability principle, however, is new. So let’s have a quick look at that.
  1. Article 5.2 of the GDPR says “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” Paragraph 1 contains the other six fundamental principles of data protection, including the transparency principle referred to by Mr Doyle of the DPC in the quote above.
  2. Article 24 makes it explicitly clear that a data controller (in this case the Department of Employment Affairs and Social Protection, AKA The Sideshow Bob Rake Department) must be able to demonstrate compliance with the entirety of the GDPR.
  3. As the GDPR is all about empowering individuals to take informed decisions about their personal data and what is done with it, this demonstration of compliance must be available for all existing and potential data subjects to view.
If an independent supervisory authority has carried out a lengthy and detailed investigation into a processing operation and the full findings are not published it is difficult to see how the data controller in question would be able to satisfactorily demonstrate compliance with the GDPR.
Spare a thought for Facebook. Just after celebrating its fifteenth birthday, the streams which Facebook really didn’t want to cross have been well and truly crossed (“don’t cross the streams”). In addition to facing multiple investigations from the Data Protection Commission in Ireland, Facebook’s lead data protection supervisory authority under the GDPR, a powerful competition authority has now weighed in.
“Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts,” Andreas Mundt, president of the Federal Cartel Office, the German competition authority, said in a statement on Thursday. “The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power.”
Facebook will appeal this ruling, naturally. A response wafted out from S̶u̶r̶v̶e̶i̶l̶l̶a̶n̶c̶e̶ Silicon Docks and the Bay Area with some plaintive wheedling about all of a sudden wanting to be regulated by data protection authorities and data protection authorities alone.
More
  • ‘Bundeskartellamt prohibits Facebook from combining user data from different sources’, Bundeskartellamt
  • ‘German competition watchdog tells Facebook to stop combining user data without consent’, The Register
EDPS (@EU_EDPS), 8:58 AM, 4 Feb 2019: “.@Buttarelli_G opens event 'Awareness and Responsibility - Ethics, accountability, effectiveness and efficacy: the properties of #GDPR' at the Italian Parliament @Montecitorio #osservatorio679 https://t.co/Ch6KXNjp2U”
This isn’t a question we have an answer to, so sorry about that. What would it take to get the wonderful Mr. Buttarelli to come to Ireland and have a chat with our lawmakers? Because heaven knows they could do with it.
Ladies and gentlemen, the Minister of State for eGovernment. ¯\_(ツ)_/¯
  • This cracking interview with Dr Paul Vixie by Elaine Edwards in The Irish Times. “When it comes to something like genetics, or something like Big Data, big data analytics, de-anonymisation, there is no hope that [the average person] could possibly give informed consent about how their DNA is used. They can’t.”
  • This New York Times editorial on the “legal fiction of consent” employed by the social surveillance platform companies. “Data is powerful and can inform on us in unexpected ways. Companies learn all about you, but also all about your friends who haven’t signed up for these services.”
  • James Griffiths’ piece for CNN on how the Japanese government will start trying to hack its own citizens before the end of the month. The intentions are good, the unforeseen outcomes may not be. “The internet of things has fast become the vulnerability of everything. If there’s ever a choice between convenience and security, it’s usually convenience that wins; especially in the world of consumer electronics.”
—-
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland