Privacy Kit

September 9, 2018

Three Attachments | The Cat Herder, Volume 1, Issue 6

Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope.
😼

¯\_(ツ)_/¯
Two weeks ago, after a hacking scare, the DCCC sent an urgent email to all campaigns titled “Reminder About Cybersecurity.” That email included three attachments, one of them advising not to send or open email attachments. This is the digital equivalent of getting a ticking package from the FBI to warn you about the danger of letter bombs.
I’m teaching email security to Democratic campaigns. It’s as bad as 2016.
www.washingtonpost.com
Public sector privacy pratfalls.
Last weekend The Sunday Times reported that the Department of Employment Affairs and Social Protection had been given the Data Protection Commission’s report into the operation of the Public Services Card system, and that “the state has been given just weeks to show that there is a legal basis for compelling citizens to have a public services card (PSC) in order to access non-social welfare services”.
(€) Data Protection Commissioner queries legal basis for public services card | Ireland | The Sunday Times
www.thetimes.co.uk
There’s nothing particularly surprising in this. The investigation was announced in October of last year. So it’s taken over ten months to get to this stage. The announcement of the investigation came after the Department had been prodded into reluctantly publishing more information about the workings of the PSC.
This prodding had come in the form of a statement from the Data Protection Commissioner almost two months earlier, on the 25th August 2017. The emphasis below is ours.
We have strongly conveyed our views on numerous occasions to the Department of Social Protection and in a number of other fora that there is a pressing need for updated, clearer and more detailed information to be communicated to the public and services users regarding the mandatory use of the PPSN and PSC for the provision of public services
A fair conclusion would be that the regulator has been attempting for a very long time to get the Department to explain itself, with little success. A further reasonable conclusion would be that we must have reached last chance saloon for the Sideshow Bob Rake Department. There is no legal basis, the Department knows there is no legal basis, the Department knows the Data Protection Commission knows there is no legal basis, the Data Protection Commission knows the Department knows there is no legal basis and the Department knows the Data Protection Commission knows the Department knows there is no legal basis.
There’s probably an elegant Russian word to describe this situation.
[Narrator]: They did see it coming. Nobody else listened.
Boy, have we got a bargain for you in this section. Three for the price of one this week.
ONE
For any organisations minded to not pay too much attention to the GDPR since, as we mentioned last week, not all that much enforcement has happened yet, a quick reminder that the regulators aren’t the only ones who can punish you.
Bart van Buitenen
@BartWhiteWire
GDPR audit as part of a due diligence before buying a company making more and more sense: CEO and CFO sued by shareholder for misleading representation of GDPR compliance (not the same as saying the org is non-compliant!)
https://t.co/0BAjcht6lq
8:47 PM - 4 Sep 2018
https://twitter.com/BartWhiteWire/status/1037064573071880192
TWO
IBM have been working with the New York Police Department over a lengthy period to develop software which allows the police to search by skin colour.
With access to images of thousands of unknowing New Yorkers offered up by NYPD officials, as early as 2012, IBM was creating new search features that allow other police departments to search camera footage for images of people by hair color, facial hair, and skin tone.
IBM was once involved in an infamous collaboration in Europe in the 1930s and 1940s.
Solipsistic and dazzled by its own swirling universe of technical possibilities, IBM was self-gripped by a special amoral corporate mantra: if it can be done, it should be done. To the blind technocrat, the means were more important than the ends. The destruction of the Jewish people became even less important because the invigorating nature of IBM’s technical achievement was only heightened by the fantastical profits to be made at a time when bread lines stretched across the world.
Technology is not neutral. Technological developments have social and human consequences. Left unchecked, unregulated and unsupervised, technology can be deployed to serve any number of wicked purposes. Rigorous ethical considerations of the uses and consequences of any piece of technology must take place before it is developed and put to use.
Before we move on, one other point to note: the video footage was provided to IBM in secret. So nobody who features in the footage was aware that their data was being used for this purpose. This is why we have the principle of purpose limitation in European data protection law and why those who collect and process personal data are obliged to tell you, clearly and unambiguously, what they’re doing with your data.
THREE
Speaking of telling individuals what’s being done with their data, it is incumbent on organisations to also tell people who else they’re passing that data on to. Many of them are not very good at doing that, it seems.
An analysis by University of Toronto researchers found hundreds of Android apps that disclosed the collection of personal information for the app developer’s own purposes — but, at the same time, didn’t disclose the presence of third-party advertising or analytics services that were collecting the personal information, too.
Who has your data? Researchers scrutinize apps for undisclosed ties to advertisers, analytics companies | CBC News
www.cbc.ca
Nearly 60 per cent of apps collected more information than declared in their privacy policies according to a recent study that compared the stated practices of hundreds of apps with how they actually behaved.
In other privacy notice news, Apple will require all apps in the App Store to have a privacy policy by October 3rd. Which is about a decade too late but welcome nonetheless.
It’s 2002. Mark Zuckerberg has only just turned 18. Google is a search engine with a fledgling email service that’s still in beta and invite-only. A couple of clever chaps have an idea. Why not create a professional equivalent to the dating and social networking sites that are attracting lots of investment at the time? A gigantic repository of professional connections and résumés. What could possibly go wrong there?
Exclusive: U.S. accuses China of 'super aggressive' spy campaign on LinkedIn | Reuters
www.reuters.com
The United States’ top spy catcher said Chinese espionage agencies are using fake LinkedIn accounts to try to recruit Americans with access to government and commercial secrets, and the company should shut them down.
Espionage is, after all, just another industry to disrupt.
Research into public trust and confidence around data privacy carried out on behalf of the Information Commissioner’s Office in the UK was published during the week. In their newsletter they conclude:
there is still a long way to go and organisations need to realise that, unless they are trusted to properly look after people’s personal data, they will fail to realise its potential benefits to their business and the wider economy.
The rogues gallery of the very opposite of trust which we’ve assembled above indicates we’ve a long, long way to go.
Information rights research | ICO
ico.org.uk
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? September 9th 2018 
An eye-catching press release about a new biometric technology from Idemia, the company who are part of the consortium which produces the public services card for the Department of Employment Assistance and Social Protection. “This contactless technology recognises not only the fingerprint itself, but also the subcutaneous print and the network of sweat pores.” Quite.
“tech goes a lot deeper than the phones in our hands, and we must understand some fundamental shifts in society if we’re going to make good decisions about the way tech companies shape our lives” says Anil Dash in ‘12 Things Everyone Should Understand About Tech’.
In CPO Magazine Rebecca Herold lists out ‘12 Reasons Why Data Privacy Protection Brings Business Value’.
It’s been a year since the Equifax data breach. Senate Democratic leader Chuck Schumer described it at the time as “one of the most egregious examples of corporate malfeasance since Enron”. In TechCrunch Zach Whittaker looks at what the consequences for Equifax have been. So far, not many.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
Privacy Kit, Made with 💚 in Dublin, Ireland