Unfortunately there was quite an amount of data daftness on display last month.
1. EU proposes to mandate end-to-end encryption; UK still trying to break it
In May the US Senate approved the use of encrypted messaging app Signal for staff. A European Parliament committee followed suit in June in a draft proposal “that will enforce end-to-end encryption on all communications to protect European Union citizens’ fundamental privacy rights. The committee also recommended a ban on backdoors.”
The government in the UK is still making noises about creating a backdoor in encryption. This is one of those very silly ideas that refuses to go away. The argument is almost always made in the name of national security, but in reality crippling encryption in this way would weaken or even entirely nullify the security encryption provides for everyone.
Notes for humans
As well as providing secure messaging channels, encryption makes your online banking more secure. Encryption makes your online shopping more secure. Yes, bad people can use encryption to do bad things. Bad people also use cars, public transport and forks. Nobody is calling for these things to be banned.
While at a cursory glance creating a backdoor available to law enforcement to increase security may seem like a good idea, the world doesn’t work that way. As soon as a form of encryption with a backdoor is created, a mass of skilled people will work diligently to find it and exploit it. A useful way to think of a backdoor is as if the builder of your house kept a copy of your front door key when she handed the house over to you. Changing the lock on your door is not an option. You can’t stop the builder from coming into your house or lending the key to someone else, who can make a copy of it and pass it to yet another person.
+ ‘Why We Encrypt’, Bruce Schneier
+ ‘Reason To Encrypt Your Data’, Kaspersky
+ ‘Amber Rudd is Wrong About Encryption’, Hackernoon
2. Data Protection Demotion
There’s an old saying that the longer the (departmental or ministerial) title, the less power the holder actually has. In Leo Varadkar’s reshuffle the data protection portfolio was removed from Dara Murphy, plucked from its ritzy location in the Department of the Taoiseach, given to Pat Breen in the Department of Social Welfare and bundled in with a bewildering array of other responsibilities. This was a daft move irrespective of the reasons why it was made, as Karlin Lillington eloquently explains.
Shortly before that the Data Protection Commissioner was in with the Oireachtas Justice Committee discussing the general scheme of the 2017 Data Protection Bill. She was opposed to the state’s plan to broadly exempt public bodies from fines as laid out in the draft bill.
the DPC’s firm position is that all organisations should be treated in the same way without distinction as to whether they are engaged in commercial activity or any other activity, so that, in principle, all public bodies and authorities are capable of being fined where they infringe the GDPR. If this is not the case, the deterrent value of administrative fines in the public sector would be nullified. Based on its experience in regulating the public sector to date, the DPC’s position is that making all public authorities/bodies liable to administrative fines is crucial if we are to encourage greater levels of compliance with data protection law amongst public authorities and public bodies than that sector has traditionally demonstrated.
Notes for humans
To an outside observer the Irish state appears to be downgrading the role of data protection within government and restricting the ability of the Data Protection Commissioner to impose meaningful sanctions on public sector bodies guilty of misbehaviour with personal data, while simultaneously forging ahead with multiple questionable population-scale identity registries. This is concerning, as the state’s record in safeguarding and properly using individuals’ data is frankly poor. A trial collapsed in June after the state was unable to vouch for the accuracy of data from the Pulse system. This casts renewed doubt on the state’s ability to manage any sort of large data register competently.
3. Facebook doxxes its own contractors
Facebook inadvertently doxxed some of its own employees. Some of these employees were working in Facebook’s counter-terrorism unit in Dublin. One of them, who was paid just €13 an hour, had to flee the country and has filed a legal claim for compensation.
Notes for humans
Facebook is not a trustworthy actor in many of the areas in which it operates. You’d be better off not using it but, being realistic, that’s probably not going to happen any time soon. If Facebook is this casual in protecting the sensitive information of employees carrying out extremely high-risk work, how much can you trust it with your information?
+ ‘Learn a thing or two about Facebook’, Privacy Kit
4. 198 million voter records leaked in the US
Researchers found personal information and profiling data on what is believed to be every registered US voter dating back a decade.
Each record lists a voter’s name, date of birth, home address, phone number, and voter registration details, such as which political party a person is registered with. The data also includes “profiling” information, voter ethnicities and religions, and various other kinds of information pertinent to a voter’s political persuasions and preferences, as modeled by the firms’ data scientists, in order to better target political advertising.
This is what happens when security of data, even massive amounts of data, is not taken seriously. These records were found lying around on an unsecured Amazon server, visible to anyone who went looking for them.
There’s a delicious little shot of irony in the name of one of the companies involved: Data Trust.
Notes for humans
Data leaks are a common news item, fast becoming unremarkable. We check to see if our details may have been compromised, change our passwords if that’s the case, and move on. Only the larger ones such as the US voter database mentioned above attract much media attention. But behind every row in a database there is an individual’s information. Also in June it was reported that the University of East Anglia sent out confidential and highly sensitive student data in a mass email.
Megan Baynes, a 23-year-old American Literature and Creative Writing student, told the BBC that she was granted extensions for her coursework due to an illness suffered by a family member.
“I felt sick at seeing my personal situation written in a spreadsheet, and then seemingly sent to everyone on my course,” she said. “My situation was not the worst on there but there are some on there that are so personal. There are people I know and I feel so awful for them and can’t imagine how they are feeling.”
+ ‘The RNC Files: Inside the Largest US Voter Data Leak’, upguard.com
+ ‘University of East Anglia leaks confidential and highly sensitive student data in mass email’, International Business Times
5. Law enforcement use of familial DNA record searches approved in New York State
The New York state Commission on Forensic Science voted to allow police to perform what are described as ‘familial DNA searches’ when investigating certain cases. Rather than being limited to looking for specific matches in DNA databases they can now also search for close matches, i.e. your relatives.
“This first level of doing familial searching is a genetic look. And then the information of the relatives is handed over to law enforcement, and then there’s absolutely no guidance as to what they can and can’t do,” she said. She continued, “It’s this really invasive sort of secret government surveillance, that we may not even see, to the point where they could knock on your door, knock on your neighbor’s door, reveal that actually you fathered the boy downstairs, reveal all sorts of private things about the structure of your family.”
Notes for humans
The Data Protection Commissioner told the Irish government’s inaugural Data Summit in June that genetic testing websites still don’t outline the privacy implications for you of sending them your genetic material. There is a very large number of possible consequences to sharing this information with anyone. The results may be reasonably benign. On the other hand, they most certainly may not. Where a database exists it will be put to use. That use may well not be accurate or to your benefit so, as always, think twice before giving your DNA to someone in exchange for more information about your family tree.
- 7 in 10 smartphone apps share your data with third-party services. It’s nigh on impossible for you to know where your personal data and location information ends up and who is building a profile of you.
- A piece of privacy news which bubbled into the mainstream slightly in June was the announcement that Google is to stop reading the contents of emails sent through Gmail. Google will, however, continue reading and processing the metadata associated with emails – who you email, when you email them, who emails you and so on. This could be interpreted as Google having decided that the message metadata was just as valuable as, if not more valuable than, the message contents for profiling purposes. After all, they’ve had more than a decade to weigh up the benefits of the two. It also heads off some potentially bruising future encounters with regulators.
- Snapchat introduced a new map feature which allows users to track other users’ location in real time. As with all of these services, we’d advise you turn it off unless you have a really good reason to use it.
- Donald Trump’s United States continues to deploy surveillance measures originally designed to track terror suspects to locate and deport immigrants, scanning people’s fingerprints on the street and before they are taken into custody.
- As rapidly as the US is moving to increase surveillance and monitoring of citizens, it’s miles behind China. The road intersections know your face and your name there now. In Mexico the government has been caught using spyware to target journalists, activists and their families.