Unintentionally Uploaded | The Cat Herder, Volume 2, Issue 14

Bank Holiday edition. Facebook has been peerless in its dissembling this week. Also a fair bit about   April 22 · Issue #30 · View online Bank Holiday edition. Facebook has been peerless in its dissembling this week. Also a fair bit about facial recognition. File this issue under FAC. 😼 Facebook’s communications team - 300 strong according to this piece in Wired which is well worth a read - achieved new levels of chicanery this past week. At the start of April researcher e-sushi discovered [thread] that Facebook had been asking for the personal email passwords of some new users, ostensibly as a verification step in their registration process. Following up on this story Business Insider discovered that Facebook appeared to be harvesting the contacts of new users without informing them that it was doing this. On Wednesday evening “Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.” Facebook’s statement said this contact data had been “unintentionally uploaded to Facebook.” This prompted much grim mirth among people who had ever had even a passing acquaintance with software and user interface design. Dan Curtis Johnson @dcurtisj Someone designed that UI. Someone else approved the wording of the request it was making. Someone else had to *test that the data was successfully translated into their system for their use*. Likely many people at all stages. No part of this can have been “unintentional”. https://t.co/b1FBFKX60V 3:07 AM - 18 Apr 2019 Dare Obasanjo @Carnage4Life How do you unintentionally write & ship code that asks users for their email password, scans their address book then uploads their contacts to your server without asking permission? For Facebook "unintentional" always means "we got caught? aw shucks". 🤷🏾‍♂️ https://t.co/Cckgk5jRYM 1:59 PM - 18 Apr 2019 Then on Thursday, the same day the redacted Mueller report (Mueller Lite?) was released … Ryan Mac @RMac18 Facebook went with the ol' update-a-month-old-blog-post-with-new-bad-info-on-a-crazy-news-day technique. It's a bold strategy, Cotton. https://t.co/KcFCqsWKtL https://t.co/3kg82MA76y 6:41 PM - 18 Apr 2019 Naturally opinion was divided as to whether this topped previous episodes of disingenuous Zuckering. There have been so many examples that there’s plenty of space for competing favourites. Donie O'Sullivan @donie I actually think the most cynical thing Facebook has done in this space is releasing its report into its role in a genocide in Myanmar the night before the US midterm elections. https://t.co/IAvCfJVW4w 4:37 PM - 19 Apr 2019 More: ‘Who’s using Mueller Report Day to bury bad news? If you guessed Facebook, you’re right: Millions more passwords stored in plaintext’, The Register ‘Facebook says it 'unintentionally uploaded’ 1.5 million people’s email contacts without their consent’, Business Insider ‘Facebook says it stored millions of Instagram passwords unencrypted on its servers’, Recode ‘Federal investigation of Facebook could hold Mark Zuckerberg accountable on privacy, sources say’, Washington Post In recent weeks Facebook has been putting significant communications effort into evangelising Mark Zuckhole’s sudden conversion to privacy advocate. So you’ll all be shocked to discover that Facebook and its peers have also been investing in think tanks. Silicon Valley-Funded Privacy Think Tanks Fight in D.C. to Unravel State-Level Consumer Privacy Protections theintercept.com – Share Silicon Valley-funded privacy think tanks’ positions on a federal online privacy bill mirror the tech industry’s lobbying priorities. The BBC reports that the Canadian Civil Liberties Association is suing Waterfront Toronto and three levels of government over the Alphabet / Google front Sidewalk Labs and its plans for the smartest of smart cities. “Canada is not Google’s lab rat,” said the association’s executive director and general counsel MJ Bryant. “We can do better. Our freedom from unlawful public surveillance is worth fighting for.” Bianca Wylie has more detail on Sidewalk Lab’s attempts to quantify everything. Here’s the real data play to worry about: this project is a push to privatize every possible type of interaction or event in public space through data collection. To broker and mediate physical spaces through a digital layer. It may be a digital layer of open standards. It may be an interoperable layer. But as long as it’s there, it’s game on.  ‘Sidewalk Toronto: Violating Democracy, Entrenching the Status Quo, Making Markets of the Commons’ — In a related surveillance matter, there’s been an uptick in the amount of press coverage of facial recognition technology. The Financial Times took a detailed look at the murky manner in which images are sourced and the uses to which they are being put in ‘Who’s using your face? The ugly truth about facial recognition’. “We’ve seen facial recognition shifting in purpose,” says Dave Maass, a senior investigative researcher at the EFF, who was shocked to discover that his own colleagues’ faces were in the Iarpa database. “It was originally being used for identification purposes . . . Now somebody’s face is used as a tracking number to watch them as they move across locations on video, which is a huge shift. [Researchers] don’t have to pay people for consent, they don’t have to find models, no firm has to pay to collect it, everyone gets it for free.” The New York Times constructed and deployed a working facial recognition system for the princely sum of $60. “Once the government has the ability to track us and identify us wherever we go, it is impossible to speak and participate in society anonymously,” Ms. Lynch said. All that is required to build such a system are cameras and a database of pictures of people’s faces. Regular readers will be aware of the Public Services Card, which is the visible token aspect of the Department of Employment Affairs and Social Protection’s biometric database. That’s a very large database of pictures of people’s faces. The CCTV schemes which have become beloved by many local authorities around Ireland provide the cameras. In a decision with consequences for many marketing activities that some have come to regard as routine, the Bavarian Data Protection Authority has said that matching contact details which have been acquired from customer interactions with Facebook identities is not legal without explicit consent. As we were talking about the shenanigans of Facebook’s communications operation earlier, it was delightful to see this addition at the bottom of the story. After we published the interview on netzpolitik.org, a PR agency that represents Facebook reached out to us and pointed us towards the following section in the terms and conditions for Facebook’s Custom Audience tool … We’ve asked Facebook’s PR agency to explain how Facebook actually uses custom audience data, and specifically comment on claims that Facebook adds the data it obtains from advertisers to existing user profiles. Facebook declined to answer repeatedly. — The French Data Protection Authority, the CNIL, published their annual report for 2018. “We test and control drugs, so why do we freely allow the spread of potentially harmful products by unregulated entrepreneurs?” ‘Facial recognition is big tech’s latest toxic ‘gateway’ app’ by John Naughton in the Observer. “So, as you can see, the ICO isn’t kidding around here. Every single thing that Bounty did is also what most publishers do, and ICO ruled that all of it was illegal.” Thomas Baekdal unpicks some of the stark implications for all online publishers of the £400,000 fine the ICO handed out to Bounty. “[location] data isn’t useful just for tracking you but also for inferring things about you. What were you doing at a cancer clinic? Why were you leaving the house of a woman who is not your wife at 5 a.m.?” Zeynep Tufekci in The New York Times on inference and how even the most cautious of us are revealing far more than we can know. —— Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. Barring a disaster we’ll be in your inbox again next weekend. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Bank Holiday edition. Facebook has been peerless in its dissembling this week. Also a fair bit about facial recognition. File this issue under FAC.

😼

Facebook’s communications team - 300 strong according to this piece in Wired which is well worth a read - achieved new levels of chicanery this past week.

At the start of April researcher e-sushi discovered [thread] that Facebook had been asking for the personal email passwords of some new users, ostensibly as a verification step in their registration process. Following up on this story Business Insider discovered that Facebook appeared to be harvesting the contacts of new users without informing them that it was doing this.

On Wednesday evening “Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.”

Facebook’s statement said this contact data had been “unintentionally uploaded to Facebook.” This prompted much grim mirth among people who had ever had even a passing acquaintance with software and user interface design.

Then on Thursday, the same day the redacted Mueller report (Mueller Lite?) was released …

Naturally opinion was divided as to whether this topped previous episodes of disingenuous Zuckering. There have been so many examples that there’s plenty of space for competing favourites.

More:

• ‘Who’s using Mueller Report Day to bury bad news? If you guessed Facebook, you’re right: Millions more passwords stored in plaintext’, The Register
• ‘Facebook says it 'unintentionally uploaded’ 1.5 million people’s email contacts without their consent’, Business Insider
• ‘Facebook says it stored millions of Instagram passwords unencrypted on its servers’, Recode
• ‘Federal investigation of Facebook could hold Mark Zuckerberg accountable on privacy, sources say’, Washington Post

In recent weeks Facebook has been putting significant communications effort into evangelising Mark Zuckhole’s sudden conversion to privacy advocate. So you’ll all be shocked to discover that Facebook and its peers have also been investing in think tanks.

Silicon Valley-funded privacy think tanks’ positions on a federal online privacy bill mirror the tech industry’s lobbying priorities.

The BBC reports that the Canadian Civil Liberties Association is suing Waterfront Toronto and three levels of government over the Alphabet / Google front Sidewalk Labs and its plans for the smartest of smart cities.

Bianca Wylie has more detail on Sidewalk Lab’s attempts to quantify everything.

‘Sidewalk Toronto: Violating Democracy, Entrenching the Status Quo, Making Markets of the Commons’

—

In a related surveillance matter, there’s been an uptick in the amount of press coverage of facial recognition technology. The Financial Times took a detailed look at the murky manner in which images are sourced and the uses to which they are being put in ‘Who’s using your face? The ugly truth about facial recognition’.

The New York Times constructed and deployed a working facial recognition system for the princely sum of $60.

All that is required to build such a system are cameras and a database of pictures of people’s faces.

Regular readers will be aware of the Public Services Card, which is the visible token aspect of the Department of Employment Affairs and Social Protection’s biometric database. That’s a very large database of pictures of people’s faces.

The CCTV schemes which have become beloved by many local authorities around Ireland provide the cameras.

In a decision with consequences for many marketing activities that some have come to regard as routine, the Bavarian Data Protection Authority has said that matching contact details which have been acquired from customer interactions with Facebook identities is not legal without explicit consent.

As we were talking about the shenanigans of Facebook’s communications operation earlier, it was delightful to see this addition at the bottom of the story.

—

The French Data Protection Authority, the CNIL, published their annual report for 2018.

• “We test and control drugs, so why do we freely allow the spread of potentially harmful products by unregulated entrepreneurs?” ‘Facial recognition is big tech’s latest toxic ‘gateway’ app’ by John Naughton in the Observer.
• “So, as you can see, the ICO isn’t kidding around here. Every single thing that Bounty did is also what most publishers do, and ICO ruled that all of it was illegal.” Thomas Baekdal unpicks some of the stark implications for all online publishers of the £400,000 fine the ICO handed out to Bounty.
• “[location] data isn’t useful just for tracking you but also for inferring things about you. What were you doing at a cancer clinic? Why were you leaving the house of a woman who is not your wife at 5 a.m.?” Zeynep Tufekci in The New York Times on inference and how even the most cautious of us are revealing far more than we can know.

——

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster we’ll be in your inbox again next weekend.

If you know someone who might enjoy this newsletter do please forward it on to them.