If last month‘s roundup was a bit of a Facebook special, this month is more about that other slavering data monster, Google, and perennial favourites here, eHealth Ireland. However, let’s get started with an update on last month’s story about Facebook’s announcement it would start gently quaffing the delicious personal information it had found on the WhatsApp servers.
1. Not So Fast, Say Some Regulators.
The German Data Protection Authority has told Facebook to stop doing what it’s doing and delete any information it had already acquired from WhatsApp. Facebook, distraught at the thought of not being allowed link all that extra data to the vast amounts of data it already has on all of its German users, is appealing this decision. The UK Information Commissioner has launched an investigation into the data sharing.
The Irish Data Protection Commissioner, meanwhile, has issued a statement reminding us that WhatsApp is an American company.
Notes for humans
Facebook’s European headquarters is in Dublin. The Irish Data Protection Commissioner is responsible for regulating what Facebook does with the data of all it’s European users. WhatsApp and Facebook may be separate companies in name, but, as covered last month, one of the main reasons Facebook acquired WhatsApp was in order to access and combine the information both companies held about their users. That the Irish DPC is currently opting to distance her office from this issue, whilst other authorities across Europe are attempting to stop Facebook’s data sharing plans is concerning, confusing and mysterious, all at the same time.
2. Allo There Google, We See What You’re Doing
Google launched a new messaging app called Allo this month. It will no doubt be very successful, as Google has unparalleled reach to promote any new product. In the months ahead of the launch Google had said it saw the privacy components of this messaging app as being crucial to success and that messages would only be stored transiently. After all, consumers seemed pretty fond of the strong privacy options offered by Signal. Then when Allo hit the Play Store, all the privacy promises had been revoked for performance reasons. So Google will be logging your conversations, and will hand these over to third parties if asked to.
Google’s concerns about user privacy extend so far that it is prepared to spend really rather a lot to support research it likes. There was a big privacy conference in January of this year, at which many talks were given and papers presented.
Authors of a whopping 13 out of 19 papers presented at the conference and 23 out of 41 speakers have financial ties to Google. Only two papers included disclosure of an ongoing or past financial connection to Google.
Other tech companies are also financially linked to speakers at the event. At least two presenters took money from Microsoft, while three others are affiliated with a university center funded by Amazon, Facebook, Google, Microsoft, and Twitter.
If all that makes you a little bit mad, and you feel like sticking it to Google by trying to do something to curtail the amount of information it is able to gather on you you could try turning off some of the location tracking on your Android phone. But the latest version of Android doesn’t want you to do that, and has made it extremely difficult to do so without crippling the usefulness of your phone.
Notes for humans
This is not surprising. Google will keep doing this. Google’s business depends on it being able to tap new sources of data.
3. Keeping Your Data Secure Is Expensive, And We Won’t Pay
This month’s big data breach story was obviously the Yahoo! one. The one that’s more than likely the largest known data breach in the history of data. A likely root cause of the breach is that doing security well is expensive, in terms of both systems and people, and the cost to a company of a data breach is, well, not so expensive at all.
Notes for humans
This, also, will keep happening until the risk of a fine and reputational damage becomes greater than the cost saving that can be made by just not doing security properly. The EU General Data Protection Regulation does not come into effect in Europe until 2018. This regulation allows for substantial fines to be levied against companies which do not secure personal data properly. We may see changes in attitudes towards data stored in Europe in the few months before it comes into effect, but probably not until then.
Of course, that will apply only for the data breaches that are discovered and reported. Since even data controllers as large as Yahoo! are blithely unconcerned with doing data security properly it’s pretty likely that the number of data breaches that occur but remain undetected may be even higher than currently guesstimated. Depending on who you ask, the number of of data breaches that remain undetected could lie anywhere between 40% and 90% of all breaches.
4. Do You Know What Your Internet Enabled Camera Gets Up To At Night?
By day a regular security camera, keeping the streets free of crime. By night a cybercriminal itself. A well known cybersecurity journalist’s website was taken offline by a very large Distributed Denial of Service attack. The first noteworthy aspect of this is the scale of the attack. The second is that this attack is, in effect, censorship of an investigative journalist by actors unknown. What was especially fascinating was the machines that were involved. Not hijacked PCs, as is usually the case. Cameras.
Notes for Humans
Connectivity is cheap, so connectivity is being crammed into all kinds of devices that really don’t need it. As noted above, security, in general, is expensive, so precious little of that is being added into these small connected devices. Unsecured devices attract unscrupulous opportunists looking to recruit them into bot armies, which can then be used for a wide variety of mischief and far, far worse.
5. eHealth Ploughs Ahead
The CIO of the HSE Richard Corbridge and Yvonne Goff, the Chief Clinical Information Officer appeared in front of the Dail Special Committee on the Future of Healthcare on the 14th of this month to chat about eHealth and what they were doing with their rather large budget. Quotes below are from the transcript.
Chairman: What is the total figure over the nine-year programme?
Mr. Richard Corbridge: It is detailed on one of the slides. It is around €840 million over ten years.
We, the somewhat informed public discovered that the Department of Social Protection hasn’t yet quite fully agreed to give the HSE the personal data it would like to use to populate its Individual Health Identifier database.
[Mr. Richard Corbridge:] The Department of Health continues to work with the Department of Social Protection to get agreement on the linkage between datasets, all of which is made clear in legislation. This will allow us to populate many of our current and new information systems with the IHI, ensuring that patient information across a range of systems can be safely connected. The HSE is ready to place the individual health identifier on all electronic referrals as soon as the Department has completed this negotiation.
We also learned that the HSE is relying on ‘help’ from third party technology companies to implement all the wonderful digital things it has planned. Based on past experience, the world’s biggest digital organisations rarely provide help ‘not at cost’ without expecting some quid pro quo.
[Mr. Richard Corbridge:] we see many partners that could help us. The HSE has created something called the eHealth Ireland Ecosystem. That is a group of people, now 300 in number, who come together each quarter to help eHealth Ireland drive forward its agenda. They range from some of the biggest digital organisations globally, which come and provide assistance – not at cost – to make sure we can learn from other jurisdictions and keep driving forward in how we do this.
Furthermore, we found out that this new IHI number will be encoded on the new-ish Public Services Card at some point in the future.
[Mr. Richard Corbridge:] The Deputy also mentioned the public service card. One plan through which the Department of Health is working with the Department of Social Protection is on how the individual health identifier can be on that same card, that is, how in the future that number and code could be part of that same identity and dataset. It is a discussion between the Department of Health and the Department of Social Protection about how to make that happen. It makes complete logical sense to do it;
As an aside, the cost of the Public Services Card is projected to reach €60 million by the end of 2017. A very generous estimate of the savings made so far is in the region of €2.5 million.
Notes for humans
Encoding the IHI information onto the Public Services Card creates a de facto national identification card. If you’re a bit sceptical of this claim, consider that the information to be included in the IHI is as follows
- surname
- forename
- date of birth
- place of birth
- sex
- all former surnames
- mother‘s surname and all former surnames of his or her mother (including mothers surname at mother’s birth)
- address
- nationality
- personal public service number
- date of death in the case of a deceased individual
- signature
- photograph
- and any other particulars as determined by the Minister to be relevant to identifying the individual
This certainly looks like a national identification card.
The HSE says each IHI number will have “no association to any attribute belonging to the person it is generated for” (from IHI privacy impact assessment). Research has repeatedly shown that re-identification of individuals from supposedly de-identified datasets such as this is easily achieved. As recently as last week a publicly available dataset was removed from an Australian government website over concerns that doctors could be identified from the data.
As seen above, there are 300 organisations and individuals involved in the eHealth ecosystem. It doesn’t seem like much of a leap to assume that the vast majority of these are commercial enterprises interested in turning a profit. One of the most prestigious science journals around, Nature, published an editorial in July about the severe risks inherent in the privatisation of health data.
Honourable Mentions
- Don’t ever tweet a picture of your password. If you’re a politician running a campaign, take particular care not to tweet a picture of the URL, username and password needed to access your phone bank system.
- If you’re in the market for some cutting edge surveillance gear, look no further than the Cobham catalogue. This equipment is only currently available at these bargain prices to US police departments, of course. The rest of us will just have to buy our IMSI catchers on Alibaba.
- Snapchat completed a full circle from being a privacy conscious company that allowed users to post images which were automatically deleted after a certain period to a company that sells a video recording device which silently films others without their consent.
- In what’s beginning to feel like a rare victory for common sense and the law in this area, the advocate-general to the Court of Justice of the European Union (CJEU) found that some provisions of a proposed passenger name record sharing agreement between the EU and Canada are “contrary to the EU Charter of Fundamental Rights”.
[Title image credit: London Scout on Unsplash]
2 Comments Add yours