Privacy Kit

March 3, 2019

Vassalage | The Cat Herder, Volume 2, Issue 8

March 3 · Issue #24
The Cat Herder
The wonders of patent-trolling and the mysteries of journalism, the dangers of biometric databases and the risks of algorithmic assessment, and a reminder that typing search terms into a box in Microsoft Outlook can be damned difficult, apparently. It’s all here.
😼

Stupid Patent of the Month: Veripath Patents Following Privacy Laws | Electronic Frontier Foundation
www.eff.org
What if we allowed some people to patent the law and then demand money from the rest of us just for following it? As anyone with a basic understanding of democratic principles can see, that is a terrible idea. In a democracy, elected representatives write laws that apply to everyone, ideally, based…
More:
Patent troll (Wikipedia)
Digital Minds’ email-scanning tool is an example of a growing reliance on automatic-decision-making. Increasingly, we are taking the power out of hands of humans and entrusting it to algorithms that make decisions on criteria we haven’t decided upon. The opacity in exactly how they make those decisions is what poses the biggest risk from these new technologies and approaches.
Resist the robot takeover – POLITICO
www.politico.eu
We must not hand over important decisions to algorithms we don’t understand.
As you can see from the datestamp below, the Irish Independent ran a story about the results of a survey commissioned by the Department of Employment Affairs and Social Protection examining attitudes to the Public Services Card on the 18th February.
The survey, which was published on the Department’s website on the 1st March, was dated 26th February. We may never know how those well-connected chaps in the Indo got their hands on the study a week before that. We probably won’t ever find out why they chose to run a 128-word story which contained the department’s talking points and not much else. It will likely remain a mystery why the 128-word story didn’t mention the ongoing investigation into the whole omnishambles by the Data Protection Commission.
The accompanying press release (PDF) gives some clues as to what the Department feels are the most important findings of the research: sharing identity information with other government departments and agencies; allowing DEASP to retain “their documents”; and use of the card as proof of identity “when dealing with a non-government body”.
It appears from the question asked regarding retention of personal data that the Sideshow Bob Rake Department is not only adding people to the biometric identity register but also keeping scanned copies of documents on their systems, which is news to us.
Q. In order to ensure that your identity is protected, that services can continue to be provided and that you can access new services easily it is necessary to retain the personal information you provided, including scanned copies of documents, on the Department’s secure computer systems. How do you feel about that?
You can read the findings of the research here (PDF).
Measuring sentiment relating to the Public Services Card is a perfectly reasonable thing to do. It won’t conjure up a legal basis for the processing the Department is doing though. Nor will it do much to make the Department’s behaviour as regards the processing of personal data in any way more transparent - and transparency is one of the principles of data protection.
Fred Logue
@FredPLogue
We've entrusted the creation of a massive national biometric database to a bunch of people who don't know how to search Outlook https://t.co/PRG7KgtGDZ
2:58 PM - 24 Feb 2019
On a not entirely unrelated note, the old maxim that all data will eventually leak still holds true.
The data, since secured, is the financial giant’s Watchlist database, which companies use as part of their risk and compliance efforts. Other financial companies, like Thomson Reuters, have their own databases of high-risk clients, politically exposed persons and terrorists — but have also been exposed over the years through separate security lapses.
Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked – TechCrunch
techcrunch.com
The Data Protection Commission’s annual report was published during the week. It covers the period from 25th May last until the end of the year, i.e. the period after the GDPR came into force.
We haven’t had a chance to have a detailed look through it yet, but at-a-glance highlights include:
  • The 1,258 data breaches notified by the public sector, which wants wider sharing of our personal data, including with private sector organisations. If they’re already reporting that number of data breaches then the probable escalation in these numbers in the years to come will be a sight to behold.
  • The Central Statistics Office accidentally sending the personal data of thousands of individuals to three census enumerators who had requested their own P45 information. This is the same Central Statistics Office which has spent a decade attempting to compel mobile network operators to supply it with location data to enable it to track the movements of all visitors to the country. “The data breach originated from actions taken by the CSO in response to three requests over a five-day period from separate former census enumerators seeking their P45 information. Emails with PDF attachments containing their own P45 and P45s of thousands of third parties were sent to the requesting enumerators. The CSO informed us that the data breach had been identified when a member of CSO staff had reviewed the relevant CSO sent-items mailbox, as part of the CSO’s standard due-diligence practices. The CSO confirmed that the disclosed third-party P45 information contained personal data including PPSNs, dates of birth, addresses and details of earnings from employment as census enumerators.”
  • The report says the “typical” examples of the 12 data breach notifications the DPC received under the Law Enforcement Directive included inappropriate handling or disclosure and unauthorised access by an employee. Which is a reminder of past issues with information from the Garda Pulse system being passed to private investigators.
  • The DPC highlights what they perceive as a lack of ongoing staff training in recognising social engineering and phishing attacks contributing to some of the data breaches they were notified of.
The publication of the annual report attracted a reasonable amount of international media attention since the DPC is the lead supervisory authority for a number of large transnational companies which have their main establishment for data protection purposes in Ireland.
The standard of some of the local coverage was bafflingly poor. The Irish Examiner reported an increase in the number of data breaches rather than an increase in the number of data breaches which were notified to the DPC - a mandatory requirement for data controllers which did not exist prior to the period covered in this report. The Irish Times’ reporting didn’t appear to understand the difference between data breaches and breaches of other parts of the GDPR.
Once more, with feeling - data protection is about far, far more than merely securing the integrity and confidentiality of personal data. Since successive Irish governments have hitched the country’s wagon to hosting social surveillance companies (see below) the least we can expect is competent reporting on the topic from national newspapers.
  • “Its leading politicians apparently saw themselves as covert lobbyists for a data monster.” A quote from John Naughton on Facebook’s behind the scenes public affairs work gives us this week’s newsletter title. Carole Cadwalladr and Duncan Campbell have this and much more in ‘Revealed: Facebook’s global lobbying against data privacy laws’.
  • “Although relatively little news gets out of Xinjiang to the rest of the world, we’ve known for over a year that China has been testing facial-recognition tracking and alert systems across Xinjiang and mandating the collection of biometric data—including DNA samples, voice samples, fingerprints, and iris scans—from all residents between the ages of 12 and 65.” In ‘Massive Database Leak Gives Us a Window into China’s Digital Surveillance State’ Danny O'Brien has a look at where biometric population registers such as the one being built by the Sideshow Bob Rake Department can end up.
  • “For these women, the consequences of living in a world built around male data can be deadly.” Caroline Criado-Perez on the severe problems caused by a lack of data, or the wrong data in an edited extract from her new book Invisible Women: Exposing Data Bias in a World Designed for Men.
—-
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
