The Zuckhole grows larger | The Cat Herder, Volume 1, Issue 9
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated*, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope.
😼
(*) even worse, squared
The Conservatives have sent out a statement to delegates pic.twitter.com/rQmd4zHrIQ
— The Poisonous Euros Atmosphere Fan (@DawnHFoster) September 30, 2018
As the Conservative Party is more than likely the data controller in this situation, releasing a statement saying ‘It’s not our fault!’ is probably not going to satisfy the ICO at all.
Boris Johnson was among those whose details could be accessed through the party’s conference app.
This is why you should not say yes when an app asks for access to your address book. You are breaching the privacy of every one of your contacts. I never gave Facebook my cell phone, but someone I know surely did. Now Facebook lets advertisers find me with that number. https://t.co/6kMYP6daeH
— Barton Gellman (@bartongellman) September 26, 2018
Facebook was already having a bad news week, even by the low, low standards of Facebook’s year to date, when the story of the data breach everybody with an interest in privacy has been waiting for finally broke.
The attack added to the company’s woes as it contends with fallout from its role in a Russian disinformation campaign.
All data leaks eventually. The means by which it leaks is unimportant. The longer the data is held for the greater the likelihood of it leaking becomes.
Facebook chooses the path of maximum advantage for Facebook at every opportunity. This path is also frequently the path of maximum disadvantage for users of the service. Facebook shows no respect for the fundamental privacy rights of individuals. Facebook cannot be trusted with your personal data.
The Australian Defence Department has spent more than a million dollars buying up Australia's social media data. #9Today pic.twitter.com/6oO6ZJlsOk
— The Today Show (@TheTodayShow) September 25, 2018
The Department of Employment Affairs and Social Protection AKA the Sideshow Bob Rake Department issued a tender for a similar service recently, as covered in the Irish Times and discussed in The Cat Herder, Issue 5.
If it happens anywhere else in the world, it can happen here. Bad ideas can become state projects very rapidly. What appears to be a lack of understanding of and disregard for data protection principles is not limited to any one country, region or political persuasion.
Oh look... Indian Supreme Court has made Aadhaar ID “compulsory not mandatory” #psc https://t.co/GA4S4kVU1L
— Daragh O Brien mastodon.ie/@CastlebridgeChief (@CBridge_Chief) September 26, 2018
A long-awaited Indian Supreme Court judgement on the constitutionality of the biggest of all biometric databases finally appeared. In the opinion of the court Aadhaar is constitutional but “private entities including mobile phone operators and banks would no longer have the authority to demand customers’ Aadhaar numbers and instructed the government to ‘bring out a robust data protection law urgently’.”
GDPR consistency in practice: the EDPB has just adopted its opinions establishing common criteria for Data Protection Impact Assessment lists. DPIAs help organisations to build and demonstrate compliance by managing the risks resulting from the processing of personal data. #DPIA pic.twitter.com/XE04B3h4f2
— EDPB (@EU_EDPB) September 25, 2018
This means individual data protection authorities will soon be publishing lists of data processing operations for which a Data Protection Impact Assessment must be carried out.
Taking account of the opinion of the @EU_EDPB we will shortly be publishing our final list of processing operations for which a #GDPR DPIA #DataProtection Impact Assessment will be a mandatory requirement. https://t.co/J7ybcPozxy
— Data Protection Commission Ireland (@DPCIreland) September 25, 2018
A Data Protection Impact Assessment is a process which helps data controllers and data processors identify and minimise the risks a particular project poses to the rights and freedoms of individuals. It’s a legal requirement per Article 35 of the GDPR. The Data Protection Commission has more information about DPIAs on their ‘GDPR And You’ website.
Speaking of the DPC and websites, here’s this week’s question, for the ninth time.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? September 30th 2018
The founder of WhatsApp Brian Acton there, in an interview with Forbes’ Parmy Olson.
This interview goes very well with Privacy International’s Facebook timeline of abuse.
Tim Berners-Lee, taking aim at Facebook and Google, plans to upend his creation. Katrina Brooker has an interview with him in Fast Company.
That quote is from Maciej Ceglowski’s ‘Haunted By Data’, a talk given at the Strata+Hadoop World conference in 2015. There’s a video of it here if you prefer that.
—
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to, then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.