On and on and on the Public Services Card rolls despite almost all the wheels having fallen off, even the mandatory but not compulsory wheels that have been hastily repaired and reapplied to the shambling mess as it drags itself from pothole to ditch to pothole. The potholes and ditches in this case are rules, laws, international best practice, the independent regulator and other trifling things like that. Facebook continues to show the world why amassing personal data and creating ad targeting tools that work with an accuracy never seen before mightn’t be the best of ideas. In the European Parliament advertisers and adtech lobby groups were rebuffed over the ePrivacy Directive which resulted in sulking and ominous warnings of a future without media. Manufacturers continued to connect things to the internet which really have no business being connected to the internet.
1. Public services card: DPC Announces Investigation
In October the most important news about the Public Services Card and the national biometric identity register behind it was that the Data Protection Commissioner’s patience with the increasingly bizarre communications from various arms of government finally expired and a formal investigation of the whole mess began.
The statement added that in the last week, the Data Protection Commissioner’s office had signalled its intention to the department to use its investigation powers under section 10 of the Irish Data Protection Acts “to examine details of the above matters further with a view to establishing whether there is full compliance with the requirements of the Acts”.
Rather than fix the problems with the entire system, the government’s response to this was to throw money at an advertising campaign. This decision will doubtless come back to haunt the ministers, departments and agencies involved.
The Irish Council of Civil Liberties hosted a public meeting about the project which featured local experts and speakers from the UK, where a similar project was scrapped entirely after severe public concerns about its scope and purposes.
A subsequent opinion piece in the Irish Examiner (registration-walled) curiously did not mention that the Data Protection Commissioner is exercising her investigative powers. This piece featured the head of a childrens’ charity opining that he worked “in a world where we have to safeguard people’s privacy when they ask us to, and that’s absolutely as it should be.” Unfortunately, this is a bad and very wrong interpretation of the legal obligations of a data controller. At the same time it is a wonderful real-life demonstration of why better education for people at all levels in any organisations which handle personal data is urgently needed.
I wrote a piece back in August about the need for far better media understanding and coverage of privacy issues. Nothing has changed here. This is still much needed.
Notes for humans
If the government wants to collect, store and use your personal data the government must be trustworthy. The only way you can accurately gauge that is by the actions of the government. Has the behaviour of the last six months around a radical modification of the relationship between individual and state, granting the State even greater powers in an already unbalanced information relationship, been trustworthy?
+ ‘Data watchdog to open investigation into public services card’, Irish Times
+ ‘Government plans €200,000 public services card campaign’, Irish Times
+ ‘‘Massive privacy issues’ in State’s public services card scheme’, Irish Times
+ ‘Ministers in 2004 saw potential of public services card as ‘national ID’’, Irish Times
2. “One of the worst lobby campaigns I have ever seen”
The European Parliament agreed a text for the ePrivacy Regulation, which is a companion piece to the General Data Protection Regulation and aims to provide stronger rules and guarantees around electronic communications. Without getting too bogged down in the marshes of European Parliament procedures, this vote was a good result for individual privacy rights and protections. Lobbyists were upset.
Notes for humans
This is not a binary choice between privacy protections and commercial interests. Innovation can happen without the infringements of user privacy advertisers and publishers seem to think is necessary. If you examine the votes of the Irish MEPs you’ll see that all the Fine Gael members voted on the side of the advertising industry and against greater privacy controls for individuals.
+ ‘European Parliament Agrees Text For Key ePrivacy Regulation; Online Advertising Industry Hates It’, Techdirt
+ ‘Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)’, Votewatch.eu
3. Facebook, Oh Facebook
In May I wrote that Facebook had a very bad month. I didn’t think then that Facebook would have a worse month this year but they’ve managed it, and in some style.
Dealing only with the bigger stories here, in October Facebook
- got another ‘not so fast now’ reprimand from the Article 29 Working Party (the advisory body composed of all European data protection authorities) over its attempts to combine personal info in the WhatsApp user database with that in the Facebook database. Which Facebook must find quite galling as that’s the only reason they shelled out many billions for WhatsApp a few years ago.
- was accused of facilitating genocide in Myanmar. It’s indicative of what a bad month Facebook had that enabling genocide (and being the catalyst for lynchings in India) seems to be quite a way down the list of priorities for Facebook management right now. Genocide.
- ‘fessed up to being played like a fiddle by the Russians during the 2016 U.S. presidential election campaign. This one certainly isn’t going away.
- ran a quick trial which severely disrupted the media landscape in several countries. Just because they could.
- is facing a court order in Belgium to stop collecting user information for advertising purposes
- was told by the advocate general of the ECJ that in his opinion action could be taken against Facebook by any national data protection authority in any European country if it is suspected Facebook has breached data protection laws in that country. Previously actions had to be taken here in Ireland where Facebook is headquartered. The opinion is non-binding but “opinions from Advocate Generals tend to be followed by the Court’s judges in a majority of cases. A final ruling should follow in the coming months.”
Notes for humans
Facebook continues to behave badly across a number of fronts. If I was feeling more charitable I might have said irresponsibly rather than badly, but all of these problems are of Facebook’s own making. These could be fixed by Facebook. They should have been fixed before now.
Remember, there is a life without Facebook. If you can’t abandon it entirely you can certainly minimise the time you spend on it.
+ ‘WhatsApp? You still don’t get EU privacy laws, that’s WhatsApp’, The Register
+ ‘Data Protection Commissioner’s Statement on the Article 29 Working Party Public Letter to WhatsApp’, Data Protection Commissioner
+ ‘Facebook Is Watching You, Belgian Privacy Agency Warns In Court’, Bloomberg
+ ‘Facebook moving non-promoted posts out of news feed in trial’, Guardian
+ ‘How to Fix Facebook? We Asked 9 Experts’, New York Times
+ ‘Forget Washington. Facebook’s Problems Abroad Are Far More Disturbing.’, New York Times
+ ‘Facebook dealt setback by EU court adviser in privacy dispute’, Reuters
4. Won’t Somebody Think Of The Children?
Children’s toymaker Mattel has been forced to cancel plans to produce an AI-powered babysitter, after a raft of complaints that the product would inflict psychological damage on young children.
There’s a thing called a Privacy Impact Assessment. Anyone planning a project which does anything with the personal data of individuals should do one of these before they start that project. If the impact on individuals’ privacy is deemed too great, the project shouldn’t proceed any further.
Notes for humans
This grotesque idea hits a number of whatever the opposite of sweet spots are. Sour spots? Attempting to apply AI to everything and dramatically overselling the capabilities of the device. Putting microphones, cameras and other sensors into devices that patently do not need them. Leveraging a trusted brand into a space far beyond its area of competency to extend sales . And of course sucking up a treasure trove of data that can be analysed and sold on at a later date.
Will this make adults pay attention to the always-on listening devices they’re installing in their homes? You’d hope so.
+ ”Kids should not be guinea pigs’: Mattel pulls AI babysitter’, Guardian
5. It Says In The Papers
Two columns in the Financial Times caught my eye this October, both by Rana Foroohar. One is titled ‘Privacy is a competitive advantage’ and one headlined ‘Big Tech makes vast gains at our expense’. In the accompanying video in the second piece the author and the FT’s comments editor identify personal data and the issues around it as the biggest business story of the next five years. Some of us have been saying that for quite a while.
Notes for humans
While this isn’t in any way a scientific approach to taking the temperature of the broad debate about personal data and privacy, it’s pretty significant that the paper read by most senior decision makers is making these noises. Couple this with the revelations about the threats posed to democracy tumbling out of the examination of the role data-rich beasts such as Facebook and Google may have played in last year’s U.S. presidential election and you have a scales finally tipping in favour of greater individual control over personal data, however that may be achieved. Add in the new protections, rights and notifications that the GDPR introduces and privacy is indeed becoming a competitive advantage. Public attitudes towards the tech titans, many of whom have built their empires on predominantly unrestrained and ever-increasing intrusion into the personal information of their users, are changing.
+ ‘Privacy is a competitive advantage’, Financial Times
+ ‘Big tech makes vast gains at our expense’, Financial Times
+ ‘The Verge Tech Survey’, The Verge
- The Murray Report into data-retention practices in Ireland was published. Damning is the word. “A report by the former chief justice John Murray has found that current data-retention legislation amounts to mass surveillance of the entire population of the State.”
- Genomics Medicine Ireland announced another data acquisition project during the month, in collaboration with Tallaght and St. Vincent’s hospitals. This follows their announcement in September that in return for a full mini-health check you can have your DNA whisked off to parts unknown for detailed scrutiny by persons unknown.
- Google announced a clever-sounding dinky little camera called Clips which makes its own decisions about when to start recording video. No thank you.
- In the UK the NHS is planning to make questions asked of patients about their sexuality mandatory. This is not a good thing to do.
- Around these parts we’re firm believers in the notion that all stored data will leak eventually whether through accident or design. It’s only a matter of time. This is why data protection principles recommend only storing personal data for the absolute minimum amount of time possible. John Koskinen, Internal Revenue Service Commissioner over in the US agrees. He says you might as well assume your identity has been stolen and work from there. Which is a rather sombre note to end on this month.
[Image credit: Igor Ovsyannykov on Unsplash]