Autumn roared in. The Public Services Card rolled on despite one minister admitting in a roundabout way that there is no legal basis for what’s currently happening and another cooing softly that the thing which should have been done before the project started many years ago will certainly be done “very soon”. Massive amounts of personal information leaked from a company you probably hadn’t ever heard of before. CCTV cameras continue to be deployed casually around the country, and oh my is Facebook having an annus horribilis or what?
1. The Continuing Public Services Card ‘Controversy’
This becomes more and more farcical as time passes. Unfortunately as the treatment of the personal data of millions of people is at issue it is also far less amusing.
Large population-scale data projects which rely on personal data will fail if the state cannot convince the owners of the data it wishes to use – you and me – that it is trustworthy. Failures decrease levels of public trust in the state generally and have a knock-on effect on future large data projects which require trust.
At the end of August the Data Protection Commissioner gave the Department of Employment Affairs and Social Protection a list of questions about the Public Services Card project which were to be published in the form of a Frequently Asked Questions document.
This publication was described as “imminent” on the 30th August in a statement from the DPC. The answers would be published “very soon”, according to Regina Doherty on the 20th September in the Dáil:
Deputy O’Dea: When does the Minister envisage that this information will be published? The Department has got the questions from the Data Protection Commissioner and I presume it envisages issuing answers to those questions. What is the approximate timescale within which that will be done?
Minister Doherty: Very soon. I do not wish to mislead the Deputy. We have been working on it for the past two weeks.
Two weeks’ work eh? Sounds like a fast turnaround until you consider how long this project has been running. It is approaching laughable that five years into the rollout of a national biometric identity register the department which is the data controller for the project is unable to furnish the answers to the independent regulator’s questions. Especially as the independent regulator had been privately raising concerns about the scope and aims of the project over a year ago.
A week later, on the 26th, Róisín Shortall questioned Minister for Public Expenditure and Reform Paschal Donohoe about informing the public what their data would be used for, who could access it and the safeguards around this access.
“For the Government’s strategy to succeed, the public needs to know exactly what their data is being used for, who can access it and what are the penalties for those who abuse that access,” Ms Shortall added.
In response Minister Donohoe cited legislation which does not exist. I’m not joking.
Mr Donohoe said legislation covering data sharing and governance was currently being considered by the Oireachtas.
The Office of the Data Protection Commissioner has some thoughts on this legislation currently being considered, the Data Sharing and Governance Bill. These thoughts are not in any way helpful to Minister Donohoe’s nonsensical argument that a bill which has not yet passed pre-legislative scrutiny will magically and retroactively solve all the problems with the national identity register his department has helped build. This below, as pointed out by Daragh O’Brien on Twitter, is the most salient part of the Office of the Data Protection Commissioner’s opening statement to the Joint Committee on Finance, Public Expenditure and Reform on the general scheme of the Data Sharing and Governance bill. (If you have time, do read the whole thing [PDF]. It’s only five pages long.)
Therefore, it must be clearly understood that the General Scheme of the Bill before the committee cannot create a new legal basis for sharing data in any given case that does not otherwise exist. In itself, this legislation will not be sufficient to validate processing of personal data to the standard required under EU law and it cannot provide a basis for automatically sanctioning public sector authorities to share personal data. Instead, what this bill seeks to do is provide a process for public sector managers to assess whether sharing can lawfully occur in respect of purpose limitation, transparency and with appropriate safeguards. It is the assessment process in the proposed Bill that is key and the outcome of that assessment will dictate if sharing of data can occur and on what basis it can occur.
I also want to emphasise that legislation on its own is not sufficient to prevail over data protection law in light of its status as a fundamental right as set out in Article 8 of the European Charter of Fundamental Rights.
Deputy Shortall also inquired about the answers to the questions from the Office of the Data Protection Commissioner.
Ms Shortall said serious concerns had been raised by the Data Protection Commissioner who was waiting for responses from the Government.
“The public has still not seen those responses,” she added. “If the system is secure, and if it is properly based, then why is there such a delay in providing those responses?”
The Department of Employment and Social Protection’s once gnomically garrulous Twitter account (“Software!” “Photographs ……”) has remained tight-lipped on this issue despite repeated questioning as to when the FAQ, which the department undertook to the regulator in August to publish, might appear.
Notes for humans
Does the continued obfuscation, confusion and inability to explain in plain English what the state is doing currently and plans to do in the future with your personal data inspire trust? If not, get in touch with your elected representatives and ask them to seek further information on your behalf.
2. CCTV Continues Without All That Much Apparent Oversight
In a piece in the Irish Times, TJ McIntyre pointed out that the Gardaí also have plenty of plans that would appear to infringe on individuals’ fundamental privacy rights.
That plan also says that, from 2017, the Garda will start using “face-in-the-crowd and shape-in-the-crowd biometrics” to identify people on CCTV systems. Again, all of this is to take place without any legal basis, in a manner that appears to be contrary to data protection law. It seems the Garda has not learned any institutional lessons from the 2014 scandal around the recording of calls to and from Garda stations, nor from the ongoing concerns about abuse of the Pulse system.
We previously wrote about the rapid creep of CCTV schemes around the country, which it would seem are being deployed as a substitute for more policing resources. As reported in the Irish Examiner during the month, Justice Minister Charlie Flanagan has said there will be extra funding made available for CCTV schemes. Flanagan encouraged community groups around the country to apply for this funding.
Some community groups are also raising money for CCTV schemes from local employers. There seems to be confusion about the legal actors involved – who is the data controller, who is authorised to view the footage, what’s being done with the stored footage and so on.
In the UK concerns have recently been raised about the use of facial recognition technology by police forces going far beyond the scope of what was originally planned. In the Netherlands the Supreme Court recently ruled that number plate data acquired through similar systems to those popping up around Ireland at the moment was acquired illegally by the tax authority.
Notes for humans
Facial recognition and number plate recognition technologies are now advanced and affordable. There is, however, scant evidence to suggest that they act as an effective deterrent to criminals when compared to traditional policing. They do offer impressive whole-population surveillance powers though.
+ ‘Extra funding pledged for rural CCTV’, Irish Examiner
3. Equifax Data Breach
It wasn’t the biggest data breach so far but it was probably the most significant and damaging.
Most people whose data was leaked by Equifax more than likely weren’t aware of the existence of Equifax, let alone the vast, vast amount of their personal information it had hoovered up from every possible source.
From birth to death, the record grows. Decades’ worth of addresses and identifying information, including drivers’ licenses and Social Security numbers. Utility accounts like telephone and cable subscriptions. Criminal records, medical debt, as well as rental and eviction histories.
Equifax’s records on any given individual, scattered throughout dozens of databases, typically stretch across hundreds or thousands of pages.
Notes for humans
Five years ago the Electronic Frontier Foundation were raising concerns about Facebook’s determined and successful efforts to combine your online data and offline data, allowing them to create a more detailed profile of you.
The argument deployed by some people in favour of letting the Public Services Card project continue in its underhand and quite likely illegal manner, namely ‘it’ll be grand because we all share everything with Facebook anyway’, is comprehensively undermined by a very basic awareness of data brokers and the data economy. Facebook collects a lot of data. Facebook also buys in a lot of data and matches these databases to each other.
So too does Equifax. Here’s Bruce Schneier, who’s forgotten more about this stuff than you or I will probably ever know:
The market can’t fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.
This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.
The reason we have data protection rules is to minimise the impact of these inevitable breaches. All data will eventually leak so we must have proper systems in place to ensure the damage done to individuals is minimised. It’s to make sure that data collection and sharing is done for a clearly understood purpose and is proportional to that purpose.
+ ‘As Equifax Amassed Ever More Data, Safety Was a Sales Pitch’, New York Times
+ ‘On the Equifax Data Breach’, Bruce Schneier
+ ‘Equifax blames known web app glitch for hacking’, Financial Times
4. Reach Anyone You Want On Facebook
A ProPublica investigation found that Facebook was selling ads to people who really don’t like Jews.
Until this week, when we asked Facebook about it, the world’s largest social network enabled advertisers to direct their pitches to the news feeds of almost 2,300 people who expressed interest in the topics of “Jew hater,” “How to burn jews,” or, “History of ‘why jews ruin the world.’”
Meanwhile Facebook admitted it had found evidence that accounts connected to Russia had purchased ads on the platform during the 2016 presidential election campaign. The irresistible benefits for Facebook of a largely automated ad sales process meant removing almost all human intervention and scrutiny, as outlined by Zeynep Tufekci in the New York Times. Facebook is now trying to deal with the consequences of this.
But anyone who understands how Facebook works shouldn’t have been surprised. That’s because the same digital platform that offers us social interaction, news, entertainment and shopping all in one place makes its money by making it cheap and easy to send us commercial or political messages, often guided by algorithms. The recent scandal is just a reminder.
Notes for humans
In another incisive piece in the New York Times Kevin Roose speculated that there are far larger problems with Facebook as a system than just these current examples.
If I were a Facebook executive, I might feel a Frankensteinian sense of unease these days. The company has been hit with a series of scandals that have bruised its image, enraged its critics and opened up the possibility that in its quest for global dominance, Facebook may have created something it can’t fully control.
Facebook may well now be both too big to fail and too big for its executive team to manage. In response to the revelations of misuse of Facebook’s advertising platform by foreign actors during the 2016 US presidential election, Gavin Sheridan wrote a piece in the Irish Times about the potential for similar behaviour in upcoming referendums in Ireland. The Irish Times followed this up with an editorial on the same topic. This is a very real concern and a very real threat to transparent democracy in this country and any other where Facebook is the main conduit for information and news.
+ ‘Facebook’s Ad Scandal Isn’t a ‘Fail,’ It’s a Feature’, New York Times
+ ‘Abortion referendum: shadow campaigns’, Irish Times
+ ‘Data power could make 1984 ‘look like a Teddy bear’s picnic’’, Irish Times
+ ‘Facebook’s Frankenstein Moment’, New York Times
+ ‘Zuckerberg’s Preposterous Defense of Facebook’, New York Times
5. Privacy Shield Review
If you only skimmed the headlines and press releases you could be forgiven for assuming that the first review of the Privacy Shield data arrangement between the EU and the US had gone quite well.
Notes for humans
The European Union has stricter privacy rules than the US. The companies that collect the most personal data in order to make money from it are American. For example, the presently troubled Facebook. The EU would like these American companies to abide by EU standards for dealing with personal data. Privacy Shield was a hastily cobbled-together arrangement to allow large American companies to continue their data operations without interruption after a preceding data arrangement, Safe Harbour, was struck down in 2015.
This first review remains mostly mute on the main concern EU officials had, that the US security services will still be able to gain access to the personal data of Europeans.
+ ‘US tests EU patience over Privacy Shield’, EU Observer
+ ‘Trump vacancy raises consternation with Europe’, The Hill
- The continued rollout of the HSE’s Maternal and Newborn Clinical Management System was put on hold. Everyone involved agreed that connecting it to other systems such as those belonging to GPs might be a good idea.
- The Wall Street Journal ran a piece urging caution when buying internet-connected toasters and other favourites of the Internet Of Things That Really Shouldn’t Be Connected To The Internet. Meanwhile, when Apple announced that the latest version of Safari would block cookies which track people across multiple websites, the people who make a living from dropping cookies on your devices and tracking and profiling you using them were understandably upset.
- Scaremongering about the GDPR finally reached the Irish media during September. Behold this terrifying headline – ‘Almost one quarter of Irish firms will be forced to close if subject to GDPR fines – survey’. This isn’t going to happen. The regulator is not in the business of putting other businesses out of business. But these headlines do help drum up business for unscrupulous businesses who are aiming to profit from scaring other businesses into doing business with them. Srs business.
- Kerry County Council served up a nice example of the lack of awareness of both data protection rules and what is acceptable behaviour with other people’s information among our elected representatives. “Listowel Fine Gael councillor Mike Kennelly said he had been contacted by a constituent whom he had represented when she had been allocated a house. In the morning, before Mr Kennelly’s post arrived telling him she had got the house, ‘a certain deputy was on the phone wishing her well’, he said. ‘She asked me how the deputy got her mobile number,’ added Mr Kennelly.”
- Finally, moving up the western seaboard we find Allied Irish Banks losing printouts with customer information. A spreadsheet was somehow “mislaid” between two branches and hasn’t been seen since. ¯\_(ツ)_/¯
Image credit: Gilles Lambert on Unsplash