Privacy Kit

Subscribe
Archives
August 6, 2018

"Zuckhole" | The Cat Herder - Volume 1, Issue 1

Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they're
 
August 6 · Issue #1 · View online
The Cat Herder
Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope 😼

¯\_(ツ)_/¯
¯\_(ツ)_/¯
Normally this section would have a mildly witty remark lamenting the poor understanding of data protection and privacy principles and regulations, then would move on to make an impassioned plea for better education for anyone and everyone who deals with personal data but this week, frankly, let’s just let THE HEADLINES SPEAK FOR THEMSELVES. 
  • New Ross councillors move to reverse ‘criminal’ GDPR
  • Bins not emptied ‘due to data protection laws’
  • Mum reunited with purse she lost in Aldi – only to find staff had cut up all of her credit cards just a few hours later for ‘data protection’
In case it’s unclear, all of these things are entirely deranged. At least as mad as a box of frogs. Possibly even madder than a bag of badgers.
Narrator: They did see it coming. Nobody listened to them.
Narrator: They did see it coming. Nobody listened to them.
Peter Sterne
Peter Sterne
@petersterne
Who could have predicted that surveillance techniques used against foreigners and criminal suspects would eventually be used against random American citizens? https://t.co/WplvpydIkT https://t.co/tKVLBt1EQM
11:16 PM - 29 Jul 2018
The Boston Globe story the tweet above refers to opens as follows
Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency.
The previously undisclosed program, called “Quiet Skies,” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” according to a Transportation Security Administration bulletin in March.
This is
  • a daft waste of resources
  • menacing
  • surveillance and profiling without any purpose
In his 1999 book No Equal Justice Professor David Cole collected a list of things law enforcement officers had cited to support suspicions that an individual might fit “drug-courier profiles”.
Are you perhaps a nervous flier? Does the thought of finding parking and standing in queues snaking back on themselves for conceivably hours fill you with dread? Or perhaps you enjoy the whole experience and look forward to getting through security and picking up some bargains in the duty free?
Is there a part of the cabin you prefer to sit in on a long flight? Do you pride yourself on travelling light or do you always check a bag just in case? Do you make a point of making eye contact with the people running the checks at the security gates?
It turns out you fit the profile. All of you. “Acted too nervous”, “acted too calm”, “made eye contact with officer”, “carried a small bag”, “carried four pieces of luggage”, “carried a medium-sized bag”, “walked quickly through airport”, “walked slowly through airport”, “walked aimlessly through airport”, “one of first to deplane”, “one of last to deplane”, “deplaned in the middle”, “bought coach ticket”, “bought first class ticket”, “made eye contact with officer” and “avoided making eye contact with officer” are all things that raised suspicions according to Cole.
Surveillance systems will grow beyond their initial scope and purpose unless strictly controlled. Today the sheer amount of data gathered, stored, combined, repackaged and bought and sold means that any interaction you have which produces data can be a component of a surveillance system.
Delusional data dreams presented without comment.
Delusional data dreams presented without comment.
“For the latest test, which is in a bar in Paris over summer, Havana Club-branded glasses are equipped with near field communication enabled chips that connect to a web app and allows customers to place their order when scanned by a smartphone. Before an order is made — this is Europe in the GDPR era, remember — a person can consent to their name, email address, country of residence and preferred cocktail being tracked. In exchange for the data, drinkers are promised news about new products as well as invites to exclusive events from Pernod Ricard. If the glass is taken home the web app will use the smartphone’s location to serve them cocktail recipes instead of the re-ordering page they get when in a participating bar.”
Pernod Ricard sees connected cocktail glasses as a valuable data source
Where others lead, Ireland will surely follow.
Where others lead, Ireland will surely follow.
The rollout of electronic health records in Australia is not going well. It won’t go well in Ireland either but the HSE is still beavering away.
The man who was in charge of a similar effort in the UK called care.data, which failed spectacularly, has rather bafflingly ended up in charge of this one in Australia. Tim Kelsey once told a Labour Party Conference in the UK that “The surveillance state is in many circumstances a jolly good thing”. The care.data project was quietly shuttered in July 2016. A review by the Major Projects Authority a year earlier had concluded there were
major issues with project definition, schedule, budget, quality and/or benefits delivery, which at this stage do not appear to be manageable or resolvable
Back to Oz and Tim’s latest great adventure. Here’s a short video from the Guardian explaining what an electronic health record is and some of the concerns folks have with the My Health Record project. It glosses over the most basic problem: a design decision was taken at the very start to make this an opt-out rather than an opt-in system.
What is My Health Record? - YouTube
Critics of the system in its current form include the Human Rights Commissioner, the acting Privacy Commissioner and the Australian Medical Association.
On the 23rd July the Parliamentary Library of Australia published a blog post stating that police would be able to access individuals’ health records without a warrant. After pressure from the health department the post was removed on the 26th. The post was republished later that day with significant changes. Trent Yarwood has an analysis of these changes and more discussion of the problems with the way the system is currently being implemented.
If a system which deals with extremely sensitive personal data is to provide benefits both to individuals and society as a whole then those implementing, deploying, operating and controlling the system should be able to explain these benefits to the people whose data they require. It shouldn’t be a hard sell. Who doesn’t want
Using soft coercion via the opt-out mechanism to compel people to take part is not at all appropriate. The “collect all the data and we’ll figure out the finer points of what we’re going to do with it later” mentality has never worked out well in the past. Just look at Facebook’s current woes.
Here at The Cat Herder we were particularly impressed with the similarities between Australia and Ireland when it came to bureaucratic behaviour in the face of a developing data privacy scandal. The specific issue is different but the reactions and administrative instincts are the same across continents. Silencing critics or denying you’re doing what you’re doing doesn’t make the problems go away, it adds to them.
Kristina Keneally
Kristina Keneally
@KKeneally
This is extraordinary. The federal government is now silencing Parliamentary Library, all because its independent & public advice on the MyHealth record debacle is proving all too embarrassing for Minister Greg Hunt.

But the privacy problems with MyHealth Record still remain. https://t.co/5jCuKqNqEa
6:42 AM - 26 Jul 2018
Only a few weeks ago in Ireland changes were made to the privacy notice on the Department of Employment Affairs and Social Protection’s website concerning the personal data the department processes. This was reported in the The Irish Times
The secretary general of the Department of Employment Affairs and Social Protection ordered changes to the department’s new privacy policy last week which removed a reference to the department processing “biometric” data on individuals.
The department’s policy had been changed in May to reflect new data protection laws, and said that at times it needed to collect “special categories” of personal data, such as health and biometric data.
When questions about the new policy were raised by The Irish Times last week, the department said the reference was an “error” and it was subsequently changed to remove the reference to biometric and special categories of data.
As mentioned in the story, Catherine Murphy TD asked a parliamentary question about this change. The response from Minister Regina Doherty carefully describes the processing of biometric data without using the word biometric.
I wish to be clear however that these photographs are, in addition to being printed on the PSC, processed, in a separate process, via facial imaging software to create an arithmetic template which is used to detect potential identity fraud. This arithmetic template is not stored on the Public Services Card, does not form part of the public service identity set, and is not shared with any other third party. 
The Department of Employment Affairs and Social Protection has a peculiarly splenetic and almost paranoid reaction to anyone using the word biometric within earshot of them. The company which produces the cards for the Department changed its name earlier this year, from Biometric Card Services to Security Card Concepts. For some inscrutable, unfathomable reason this company decided it would continue to do exactly the same thing - provide biometric card services - but no longer needed to include the word biometric in its name.
They haven’t bothered changing their website yet. They’re still Biometric Card Services in cyberspace.
To be clear, it is not possible to run a facial recognition tool such as the one the Department of Employment Affairs and Social Protection has been boasting to the media about for several years without processing biometric data.
  • A website called Biometric Update wrote in January 2013 about a contract the Department had signed with 3M “to deploy facial recognition technology into department workflow in an effort to curb welfare fraud.”
  • In November 2014 Joan Burton, then Minister for Social Protection said in a written answer to a parliamentary question that the registration process for the Public Services Card “involves face-to-face registration and the capture of biometric data to prevent identity abuse”
  • A former Secretary General of the Department told the Public Accounts Committee in May 2015 that the department were processing biometric data.
  • In September 2015 The Irish Times reported the apparent success of the Department’s facial recognition software in preventing welfare fraud.
  • In January 2017 The Irish Examiner reported the success of the Department’s facial recognition software in apparently preventing welfare fraud.
  • In March 2017 the academic journal ‘Biometric Technology Today’ (Volume 2017, Issue 3) published a story about the success of the Department’s facial recognition system.
  • A briefing document explaining the mission and activities of the Department was prepared for Minister Doherty by officials in June 2017. It has this to say about the Public Services Card: “The PSC offers significant protections against welfare fraud as it represents a robust identity registration process involving documentary evidence, background database checks, face-to-face questioning, biometric capture and facial image matching.” 
This document, ‘Ministerial Brief June 2017 - Part A’, is still available on the department’s website. Grab a copy and see for yourself. The piece quoted above is on page 135. The document was last modified on the 10th June 2017.
Then
[dramatic pause]
in August 2017
[deep breath]
this happened
The Minister appears pretty certain of this, no?
The Minister appears pretty certain of this, no?
The confusion and contradictions generated by civil servants and ministers in disarray in both countries would perhaps be amusing if the matter wasn’t so serious. In both cases the state is asking people to entrust their personal data to organisations which are either hopelessly incompetent and unable to explain clearly what they are doing or being deliberately obtuse because they do not want to explain what they are doing.
Is there a new DPC website yet? No
When is it due? Soon
When did the GDPR become enforceable? May 25th 2018
What date is it today? August 6th 2018 👀
John Naughton in the Observer on the dishonesty of Facebook, Google and Microsoft’s application of the GDPR. Cameron Kerry with a reasoned U.S. perspective on the GDPR’s strengths and weaknesses, the need for consumer privacy legislation in the U.S. and what this should look like; the American Civil Liberties Union on the serious problems with Amazon’s facial recognition technology (more - Buzzfeed). James Ball in the Columbia Journalism Review on how media organisations should be covering technology. We wrote a piece on a similar theme last year, focused particularly on some editor’s failure to grasp the wide-ranging nature and importance of reporting on privacy and data protection. This thread by Mar Hicks about the origins of Facebook and the way harm remains baked into its business model.
“Zuckhole” is the swear word we need for these times.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster this newsletter will be in your inbox again next weekend. See you then.
Did you enjoy this issue?
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland

Friends, despite the recent interest generated by the GDPR, data breaches becoming so routine they’re barely newsworthy and Facebook turning out to be an even worse custodian of personal data than most had anticipated, the domain of data privacy is still in a terrible state o’ chassis. Nice as it would be to publish a regular collection of really excellent privacy practices, those are still pretty hard to find. Examples of organisations doing it wrong, however, are plentiful. Decades of misconceptions can’t be unlearned in a hurry. Join us on our quest to learn from the worst. There’ll be some positives too. Eventually. We hope 😼

Normally this section would have a mildly witty remark lamenting the poor understanding of data protection and privacy principles and regulations, then would move on to make an impassioned plea for better education for anyone and everyone who deals with personal data but this week, frankly, let’s just let THE HEADLINES SPEAK FOR THEMSELVES. 

  • New Ross councillors move to reverse ‘criminal’ GDPR
  • Bins not emptied ‘due to data protection laws’
  • Mum reunited with purse she lost in Aldi – only to find staff had cut up all of her credit cards just a few hours later for ‘data protection’

In case it’s unclear, all of these things are entirely deranged. At least as mad as a box of frogs. Possibly even madder than a bag of badgers.

Who could have predicted that surveillance techniques used against foreigners and criminal suspects would eventually be used against random American citizens? https://t.co/WplvpydIkT pic.twitter.com/tKVLBt1EQM

— Peter Sterne (@petersterne) July 29, 2018

The Boston Globe story the tweet above refers to opens as follows

This is

  • a daft waste of resources
  • menacing
  • surveillance and profiling without any purpose

In his 1999 book No Equal Justice Professor David Cole collected a list of things law enforcement officers had cited to support suspicions that an individual might fit “drug-courier profiles”.

Are you perhaps a nervous flier? Does the thought of finding parking and standing in queues snaking back on themselves for conceivably hours fill you with dread? Or perhaps you enjoy the whole experience and look forward to getting through security and picking up some bargains in the duty free?

Is there a part of the cabin you prefer to sit in on a long flight? Do you pride yourself on travelling light or do you always check a bag just in case? Do you make a point of making eye contact with the people running the checks at the security gates?

It turns out you fit the profile. All of you. “Acted too nervous”, “acted too calm”, “made eye contact with officer”, “carried a small bag”, “carried four pieces of luggage”, “carried a medium-sized bag”, “walked quickly through airport”, “walked slowly through airport”, “walked aimlessly through airport”, “one of first to deplane”, “one of last to deplane”, “deplaned in the middle”, “bought coach ticket”, “bought first class ticket”, “made eye contact with officer” and “avoided making eye contact with officer” are all things that raised suspicions according to Cole.

Surveillance systems will grow beyond their initial scope and purpose unless strictly controlled. Today the sheer amount of data gathered, stored, combined, repackaged and bought and sold means that any interaction you have which produces data can be a component of a surveillance system.

Pernod Ricard sees connected cocktail glasses as a valuable data source

The rollout of electronic health records in Australia is not going well. It won’t go well in Ireland either but the HSE is still beavering away.

The man who was in charge of a similar effort in the UK called care.data, which failed spectacularly, has rather bafflingly ended up in charge of this one in Australia. Tim Kelsey once told a Labour Party Conference in the UK that “The surveillance state is in many circumstances a jolly good thing”. The care.data project was quietly shuttered in July 2016. A review by the Major Projects Authority a year earlier had concluded there were

Back to Oz and Tim’s latest great adventure. Here’s a short video from the Guardian explaining what an electronic health record is and some of the concerns folks have with the My Health Record project. It glosses over the most basic problem: a design decision was taken at the very start to make this an opt-out rather than an opt-in system.

Critics of the system in its current form include the Human Rights Commissioner, the acting Privacy Commissioner and the Australian Medical Association.

On the 23rd July the Parliamentary Library of Australia published a blog post stating that police would be able to access individuals’ health records without a warrant. After pressure from the health department the post was removed on the 26th. The post was republished later that day with significant changes. Trent Yarwood has an analysis of these changes and more discussion of the problems with the way the system is currently being implemented.

If a system which deals with extremely sensitive personal data is to provide benefits both to individuals and society as a whole then those implementing, deploying, operating and controlling the system should be able to explain these benefits to the people whose data they require. It shouldn’t be a hard sell. Who doesn’t want

Using soft coercion via the opt-out mechanism to compel people to take part is not at all appropriate. The “collect all the data and we’ll figure out the finer points of what we’re going to do with it later” mentality has never worked out well in the past. Just look at Facebook’s current woes.

Here at The Cat Herder we were particularly impressed with the similarities between Australia and Ireland when it came to bureaucratic behaviour in the face of a developing data privacy scandal. The specific issue is different but the reactions and administrative instincts are the same across continents. Silencing critics or denying you’re doing what you’re doing doesn’t make the problems go away, it adds to them.

https://twitter.com/KKeneally/status/1022356342143500289

Only a few weeks ago in Ireland changes were made to the privacy notice on the Department of Employment Affairs and Social Protection’s website concerning the personal data the department processes. This was reported in the The Irish Times

As mentioned in the story, Catherine Murphy TD asked a parliamentary question about this change. The response from Minister Regina Doherty carefully describes the processing of biometric data without using the word biometric.

The Department of Employment Affairs and Social Protection has a peculiarly splenetic and almost paranoid reaction to anyone using the word biometric within earshot of them. The company which produces the cards for the Department changed its name earlier this year, from Biometric Card Services to Security Card Concepts. For some inscrutable, unfathomable reason this company decided it would continue to do exactly the same thing - provide biometric card services - but no longer needed to include the word biometric in its name.

They haven’t bothered changing their website yet. They’re still Biometric Card Services in cyberspace.

To be clear, it is not possible to run a facial recognition tool such as the one the Department of Employment Affairs and Social Protection has been boasting to the media about for several years without processing biometric data.

  • A website called Biometric Update wrote in January 2013 about a contract the Department had signed with 3M “to deploy facial recognition technology into department workflow in an effort to curb welfare fraud.”
  • In November 2014 Joan Burton, then Minister for Social Protection said in a written answer to a parliamentary question that the registration process for the Public Services Card “involves face-to-face registration and the capture of biometric data to prevent identity abuse”
  • A former Secretary General of the Department told the Public Accounts Committee in May 2015 that the department were processing biometric data.
  • In September 2015 The Irish Times reported the apparent success of the Department’s facial recognition software in preventing welfare fraud.
  • In January 2017 The Irish Examiner reported the success of the Department’s facial recognition software in apparently preventing welfare fraud.
  • In March 2017 the academic journal ‘Biometric Technology Today’ (Volume 2017, Issue 3) published a story about the success of the Department’s facial recognition system.

  • A briefing document explaining the mission and activities of the Department was prepared for Minister Doherty by officials in June 2017. It has this to say about the Public Services Card: “The PSC offers significant protections against welfare fraud as it represents a robust identity registration process involving documentary evidence, background database checks, face-to-face questioning, biometric capture and facial image matching.” 

This document, ‘Ministerial Brief June 2017 - Part A’, is still available on the department’s website. Grab a copy and see for yourself. The piece quoted above is on page 135. The document was last modified on the 10th June 2017.

Then

[dramatic pause]

in August 2017

[deep breath]

this happened

The confusion and contradictions generated by civil servants and ministers in disarray in both countries would perhaps be amusing if the matter wasn’t so serious. In both cases the state is asking people to entrust their personal data to organisations which are either hopelessly incompetent and unable to explain clearly what they are doing or being deliberately obtuse because they do not want to explain what they are doing.

Is there a new DPC website yet? No

When is it due? Soon

When did the GDPR become enforceable? May 25th 2018

What date is it today? August 6th 2018 👀

John Naughton in the Observer on the dishonesty of Facebook, Google and Microsoft’s application of the GDPR. Cameron Kerry with a reasoned U.S. perspective on the GDPR’s strengths and weaknesses, the need for consumer privacy legislation in the U.S. and what this should look like; the American Civil Liberties Union on the serious problems with Amazon’s facial recognition technology (more - Buzzfeed). James Ball in the Columbia Journalism Review on how media organisations should be covering technology. We wrote a piece on a similar theme last year, focused particularly on some editor’s failure to grasp the wide-ranging nature and importance of reporting on privacy and data protection. This thread by Mar Hicks about the origins of Facebook and the way harm remains baked into its business model.

“Zuckhole” is the swear word we need for these times.

—

Endnotes & Credits

  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster this newsletter will be in your inbox again next weekend. See you then.

Don't miss what's next. Subscribe to Privacy Kit:
X
Powered by Buttondown, the easiest way to start and grow your newsletter.