April Roundup

This month brings some revealing peeks behind a few data curtains and an exploration of the soft soothing language of sharing with partners and keeping it all in the family (of companies).

1. Facial Recognition, As It’s Happening

We’re essentially building an IT backbone, which can allow TSA or potentially air carriers or any other partner to tie into our backbone.

Thus spake Larry Panetta of the United States Customs and Border Protection service as he enthused about the possibilities of scanning travellers’ faces in airports as they exited the US.  If the whole notion isn’t alarming to you, the phrase “any other partner” certainly should be. Hold that phrase in your head as you read on.

The police in the UK plan to use facial recognition at the Champions League final in Cardiff in June. Not just in the stadium and its environs but across the city. In Ireland we seem to have received confirmation that some kind of unified facial recognition system is in the works (see below).

Notes for humans

Once you’re flagged in one of these systems the likelihood is that it will be extremely difficult for you to unflag yourself. Since the agencies are all keen to share information with each other there’s a good chance that you will have to contact multiple agencies to remove you from multiple databases. Most of these things are far less accurate than the marketing departments of facial recognition systems vendors would have you believe.

+ ‘Hitachi built an AI security system that follows you through a crowd’, Quartz

+ ‘Facial-recognition software and our fear of ‘Big Brother’’, Irish Times

+ ‘More airports are rolling out facial recognition technology’, The Economist

2. Your Single Customer View May Be More Revealing Than You Think

A not entirely unsurprising sequence of events pratfalls led to a Department of Foreign Affairs and Trade statement revealing more about the Irish state’s data sharing plans than was perhaps intended. The Department launched its online passport renewal process in March. This included the ability to submit your photo online. If you wished to, you could use the services of a third-party company called Photo-Me to take your photo. The process went as follows – you made your way to an approved Photo-Me photo booth, composed yourself and let the booth capture you at your best. A digital copy of this photograph was stored on the company’s servers and you were given a unique token as part of your receipt. When you went through the passport renewal process on the Department’s website all you had to do was input your unique token and the photo was retrieved and attached to your application. So far so good.

A problem arose when the privacy policy was examined by the Irish Times. When the service went live the policy stated that personal data might be transferred to and processed in countries outside the European Economic Area. In short, moving personal data like this outside the EEA is bold. After the almost obligatory fudging and faffing around, the Department got the message and ensured the photo provider fixed their privacy policy.

In clarifying the situation and reassuring us that all was now well with our personal data, the Department gave  a statement to the Irish Times which included this bit of enthusiastic trumpet-blowing –

The service is supported by a sophisticated facial recognition system that can readily spot identity theft. In addition, there are links to a single customer view that provides identity-related information drawn from other government departments within the provisions of data protection legislation.

Simon McGarr provided some commentary on Twitter about this, which we collected on Storify, along with a few comments. Suffice it to say this is also bold and wrong.

Notes for humans

Hanlon’s razor in its most popular form states  that we should never attribute to malice that which is adequately explained by stupidity. It is becoming increasingly difficult to decide whether it is applicable in these data sharing projects. Until the relevant departments and their contractors can manage to

  • abide by EU data protection law on sharing of personal information
  • acquire valid consent from individuals for their personal data to be gathered and processed or point to another legal basis for the processing
  • write coherent privacy policies that don’t have to be rewritten multiple times

you would be well advised to treat any government request for personal information with a healthy dose of skepticism and be prepared to ask them a few questions.

  • Why do they need the data?
  • Is the data being shared with any third parties? Other government and state organisations count as third parties in this case. ‘The government’ is not a monolithic being which can collect and do as it pleases with your personal information, for good reason.
3. An Interview With The Commissioner

The Irish Independent published an interview with Helen Dixon, the Irish Data Protection Commissioner which mostly covered preparations for the introduction of the General Data Protection Regulation next year. Tucked away in the middle was this nugget  –

It looks likely that the Irish State will legislate for a position where pure public sector bodies that don’t have competitors in the private sector will not have administrative fines levied against them. Rather, they would be subject to the equivalent sanctions, including the ability for us as a regulator to highlight any deficiencies that we find and to investigate and to set out why we’re naming and shaming them effectively.

It’s an admirable attempt by the Commissioner to put some positive spin on a rather awkward situation it seems the government plans to put her in. Naming and shaming as a sanction for public bodies has not worked thus far, so there isn’t really any reason to expect that doing a bit more naming and shaming might work in the future. The notion that these are ‘equivalent’ sanctions is not worth entertaining.

Over in the UK the Information Commissioner’s Office routinely hits public bodies with hefty fines. They’re likely to fine them a lot more once the GDPR comes into force.

Notes for humans

Although it’s a highly unlikely scenario for private sector services which have become nigh-on indispensable such as Facebook and Google, it is still a possibility for individuals who are unhappy with the behaviour of these entities when it comes to their personal data to forgo using the services entirely. This is absolutely not the case with services the state provides. As there have been recent attempts by government departments to limit access to services until personal data is handed over, with inadequate reassurances about the future uses to which the data will be put, the removal of financial sanctions from the Commissioner’s arsenal of sanctions for dealing with personal data related misbehaviour is concerning.

4. Halt!

In Hamburg a German court threw out Facebook’s appeal against a ruling by the Hamburg Data Commissioner last September that Facebook stop importing German WhatsApp users’ data. In Facebook’s language it was merely sharing this information between members of the Facebook family of companies. For a quick explanation of just why Facebook wants to share all this personal data within the bosom of its family, watch this talk by Mikko Hypponen‏ from twelve minutes onwards.

This decision may impact on the reported deal Facebook was close to agreeing with the Irish Data Protection Commissioner over WhatsApp user data.

Notes for humans

There appears to be what could be described as something of a cultural struggle going on in Europe between jurisdictions which believe strongly in the sacrosanctness of privacy as a fundamental right and those which are perhaps more positively disposed towards the multinationals headquartered in their jurisdictions. Many German citizens have a very real memory of the impacts of mass surveillance of a population and are understandably opposed to it.

+ ‘Influential German data commissioner prohibits mass data sharing between WhatsApp and Facebook’, VentureBeat

+ ‘Court to Facebook: Stop harvesting users’ WhatsApp personal data without consent’, ZDNet

5. Unroll.me unravels

You may be familiar with Uber, darling of venture capitalists and evangelists of the cosy-sounding sharing economy. There’s that word again. Sharing.  Uber have been in the news a lot over the last few years, initially because even people inside Silicon Valley couldn’t quite believe how much money investors were prepared to throw at what is at its core the world’s largest experiment in predatory pricing to date, with an alluring technology skin carefully grafted on top. More recently Uber has been in the news for other, less abstract unflattering reasons. Chief among these are alleged widespread sexual harassment and possible theft of trade secrets.

The New York Times ran a lengthy profile of Uber founder and CEO Travis Kalanick which caused more than a bit of a stir, mostly for the colourful account of Kalanick’s dressing down by Tim Cook for breaking the rules of the App Store.

There was also a revelation that Uber bought what was described as anonymised data from a company named Slice Intelligence. Uber acquired email receipts issued by its competitor Lyft from Slice. Slice was able to sell these receipts to Uber because it had purchased an email inbox digest service called Unroll.me. Users of Unroll.me provided the service with access to their email inboxes. In addition to doing some email managing tasks, Unroll.me / Slice also pocketed any Lyft receipts that showed up in inboxes and passed them on to Uber. Yes, this is a little similar to someone fishing receipts out of your green bin and selling them to somebody else.

What happened next shouldn’t amaze you.

Jojo Hedaya, co-founder of Unroll.me issued a standard non-apology apology. Any readers who have watched politicians in their natural habitat will be familiar with this. I’m sorry that you’re upset is the usual formula.

Perri Chase, the other co-founder of Unroll.me then took to Medium to defend Hedaya against the accusations of sharp practice and dodgy data dealing. As in the case of the Department of Foreign Affairs above, this defence was more revealing than perhaps intended.

You can’t expect companies such as Uber, Slice Intelligence and Unroll.me to abide by data protection norms, regulations or laws if there is a financial reward for them not to do so.

Notes for humans

Organisations in the private and public sectors have a huge interest in sharing your information and combining databases. These combined databases truly are greater than the sum of their parts. As Ms. Chase somewhat bluntly points out, “if you think this is the worst thing that tech companies do with your data then you have your head in the sand.”

Despite your best efforts it is frequently very difficult to ascertain what someone who’s collecting your data intends to do with it. In this case Unroll.me was acquired by Slice Intelligence. Companies changing hands like this makes keeping track of who has access to your data close to impossible.

Honourable Mentions

[Image credit: Mike Wilson on Unsplash]

Leave a Reply

Your email address will not be published. Required fields are marked *