June Roundup

Unfortunately there was quite an amount of data daftness on display last month.

1. EU Proposes to Mandate end-to-end encryption; UK still trying to break it

In May the US Senate approved the use of encrypted messaging app Signal for staff. A European Parliament committee followed suit in June in a draft proposal “that will enforce end-to-end encryption on all communications to protect European Union citizens’ fundamental privacy rights. The committee also recommended a ban on backdoors.”

The government in the UK is still making noises about creating a backdoor in encryption. This is one of those very silly ideas that refuses to go away.  The argument is almost always made in the name of national security, but in reality crippling encryption in this way would weaken or even entirely nullify the security encryption provides for everyone.

Notes for humans

As well as providing secure messaging channels, encryption makes your online banking more secure. Encryption makes your online shopping more secure. Yes, bad people can use encryption to do bad things. Bad people also use cars, public transport and forks. Nobody is calling for these things to be banned.

While at a cursory glance creating a backdoor available to law enforcement to increase security may seem like a good idea, the world doesn’t work that way. As soon as a form of encryption with a backdoor is created, a mass of skilled people will work diligently to find it and exploit it. A useful way to think of a backdoor is as if the builder of your house kept a copy of your front door key when she handed the house over to you. Changing the lock on your door is not an option. You can’t stop the builder from coming into your house or lending the key to someone else, who can make a copy of it and pass it to yet another person.

+ ‘European Parliament Committee Recommends End-To-End Encryption For All Electronic Communications’, Tom’s Hardware

+ ‘Why We Encrypt’, Bruce Schneier

+ ‘Reason To Encrypt Your Data’, Kaspersky

+ ‘Amber Rudd is Wrong About Encryption’, Hackernoon

2. Data Protection Demotion

There’s an old saying that the longer the (departmental or ministerial) title, the less power the holder actually has. In Leo Varadkar’s reshuffle the data protection portfolio was removed from Dara Murphy,  plucked from its ritzy location in the Department of the Taoiseach, given to Pat Breen in the Department of Social Welfare and bundled in with a bewildering array of other responsibilities. This was a daft move irrespective of the reasons why it was made, as Karlin Lillington eloquently explains.

Shortly before that the Data Protection Commissioner was in with the Oireachtas Justice Committee discussing the general scheme of the 2017 Data Protection Bill. She was opposed to the state’s plan  to broadly exempt public bodies from fines as laid out in the draft bill.

the DPC’s firm position is that all organisations should be treated in the same way without distinction as to whether they are engaged in commercial activity or any other activity, so  that, in principle,all public bodies and authorities are  capable  of being fined where they infringe the GDPR. If this is not the case, the deterrent value of administrative fines in the public sector would be nullified. Based on its experience in regulating the public sector to date,  the DPC’s position is that making all public authorities/ bodies liable to administrative fines is crucial if we are to encourage greater levels of compliance with data protection law amongst public authorities and public bodies than that sector has traditionally demonstrated.

Notes for humans

To an outside observer the Irish state appears to be downgrading the role of data protection within government,  restricting the ability of the Data Protection Commissioner to impose meaningful sanctions on public sector bodies guilty of misbehaviour with personal data while simultaneously forging ahead with multiple questionable population scale identity registries. This is concerning as the state’s record in safeguarding and properly using individuals’ data is frankly poor. A trial collapsed in June after the state was unable to vouch for the accuracy of data from the Pulse system. This casts renewed doubt on the state’s ability to manage any sort of large data register competently.

+ ‘Data protection ministry lost in Pat Breen’s vast portfolio’, Irish Times

+ ‘‘Serious concern’ over exemption of public bodies from data protection fines’, Irish Times

+ ‘Trial collapses after State unable to vouch for accuracy of Pulse data’, Irish Times

+ ‘The Identity Card That Most Assuredly Isn’t An Identity Card’, Privacy Kit

 

3. Facebook doxxes Its own contractors

Facebook inadvertently doxxed some of its own employees. Some of these employees were working in Facebook’s counter-terrorism unit in Dublin. One of them, who was paid just €13 an hour, had to flee the country and has filed a legal claim for compensation.

Notes for humans

Facebook is not a trustworthy actor in many of the areas in which it operates. You’d be better off not using it but, being realistic, that’s probably not going to happen any time soon. If Facebook is this casual in protecting the sensitive information of employees carrying out extremely high risk work how much can you trust it with your information?

+ ‘Revealed: Facebook exposed identities of moderators to suspected terrorists’, Guardian

+ ‘Learn a thing or two about Facebook’, Privacy Kit

 

4. 198 million voter records leaked in the US

Researchers found personal information and profiling data on what is believed to be every registered US voter dating back a decade.

Each record lists a voter’s name, date of birth, home address, phone number, and voter registration details, such as which political party a person is registered with. The data also includes “profiling” information, voter ethnicities and religions, and various other kinds of information pertinent to a voter’s political persuasions and preferences, as modeled by the firms’ data scientists, in order to better target political advertising.

This is what happens when security of data, even massive amounts of data, is not taken seriously. These records were found lying around on an unsecured Amazon server, visible to anyone who went looking for it.

There’s a delicious little shot of irony in the name of one of the companies involved: Data Trust.

Notes for humans

Data leaks are a common news item, fast becoming unremarkable. We check to see if our details may have been compromised, change our passwords if that’s the case, and move on. Only the larger ones such as the US voter database mentioned above attract much media attention. But behind every row in a database there is an individual’s information. Also in June it was reported that the University of East Anglia sent out confidential and highly sensitive student data in a mass email.

Megan Baynes, a 23-year-old American Literature and Creative Writing student, told the BBC that she was granted extensions for her coursework due to an illness suffered by a family member.

“I felt sick at seeing my personal situation written in a spreadsheet, and then seemingly sent to everyone on my course,” she said. “My situation was not the worst on there but there are some on there that are so personal. There are people I know and I feel so awful for them and can’t imagine how they are feeling.”

+ ‘198 million Americans hit by ‘largest ever’ voter records leak’, ZDNet

+ ‘The RNC Files: Inside the Largest US Voter Data Leak’, upguard.com

+ ‘University of East Anglia leaks confidential and highly sensitive student data in mass email’, International Business Times

 

5. Law Enforcement use of familial DNA record searches Approved in New York State

The New York state Commission on Forensic Science voted to allow police to perform what are described as ‘familial DNA searches’ when investigating certain cases. Rather than being limited to looking for specific matches in DNA databases they can now also search for close matches, i.e. your relatives.

“This first level of doing familial searching is a genetic look. And then the information of the relatives is handed over to law enforcement, and then there’s absolutely no guidance as to what they can and can’t do,” she said. She continued, “It’s this really invasive sort of secret government surveillance, that we may not even see, to the point where they could knock on your door, knock on your neighbor’s door, reveal that actually you fathered the boy downstairs, reveal all sorts of private things about the structure of your family.”

Notes for humans

The Data Protection Commissioner told the Irish government’s inaugural Data Summit in June that genetic testing websites still don’t outline the privacy implications for you of sending them your genetic material. There are very large amounts of possible consequences to sharing this information with anyone. The results may be reasonably benign. On the other hand they most certainly may not. Where a database exists it will be put to use. This may well not be accurate or to your benefit so as always, think twice before giving your DNA to someone in exchange for more information about your family tree.

+ ‘Many genetic testing sites ‘fail to outline privacy implications’’, Irish Times

+ ‘State Panel Approves Police Use Of Controversial Familial DNA Records Searches’, Gothamist

 

Honourable mentions

Leave a Reply

Your email address will not be published. Required fields are marked *