Stolen millions

More announcements of company data (our data) being stolen. The numbers involved each time are just incredible.

Hackers breach Quora.com and steal password data for 100 million users
Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests and downvotes. […] In a post published late Monday afternoon, Quora officials said they discovered the unauthorized access on Friday. They have since hired a digital forensics and security firm to investigate and have also reported the breach to law enforcement officials.

Whenever these stories are reported, the articles often end with a little summary of other recent snafus. The one above ended with:

Quora’s post is only the latest disclosure of a major breach. On Friday, hotel chain Marriott International said a system breach allowed hackers to steal passport numbers, credit card data, and other details for 500 million customers. In September, Facebook reported an attack on its network allowed hackers to steal personal details for as many as 50 million users. The social network later lowered the number of accounts affected to about 30 million.

A post from The Register, about that massive Marriott breach, concluded with this reminder of previous losses.

Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years
Few hacks of individual firms’ customer data have come close to the scale of this one. The Yahoo! breach in 2013 saw three billion email accounts breached, while Carphone Dixons, the UK electronics retail chain, managed to lose control of 5.9 million sets of payment card data. In the US, the US Government Office for Personnel Management (which handles sensitive files on millions of government workers) had the personal data of 21 million employees breached by hackers.

Searching for digital sovereignty

Have you used Qwant yet?

Qwant – The search engine that respects your privacy
Based and designed in Europe, Qwant is the first search engine which protects its users’ freedoms and ensures that the digital ecosystem remains healthy. Our keywords: privacy and neutrality.

I must admit I had never heard of this search engine before I read this article from Wired. The French National Assembly and the French Army Ministry have announced that they’ll stop using Google as their default search engine, and use Qwant instead.

France is ditching Google to reclaim its online independence
“We have to set the example,” said Florian Bachelier, one of MPs chairing the Assembly’s cybersecurity and digital sovereignty task-force, which was launched in April 2018 to help protect French companies and state agencies from cyberattacks and from the growing dependency on foreign companies. “Security and digital sovereignty are at stake here, which is anything but an issue only for geeks,” Bachelier added. […]

In France, this all started with Edward Snowden. In 2013, when the American whistleblower revealed that the NSA was spying on foreign leaders and had important capability to access data stocked on private companies’ clouds, it was a wake-up call for French politicians. A senate report that same year fretted that France and the European Union were becoming “digital colonies”, a term that since then has been used by French government officials and analysts to alert about the threat posed by the US and China, on issues of economic, political and technological sovereignty. Recent scandals, including the Cambridge Analytica-Facebook imbroglio, further shook French politicians and public opinion.

A European DuckDuckGo, but without the stupid name? Might be something to look further into.

Another day, another data protection issue

We’re generating data all the time, without realising, and without really knowing where it all goes.

Users told to ditch OneDrive and Office 365 to avoid ‘covert’ data harvesting
Microsoft Office and Windows 10 Enterprise use a telemetry data collection mechanism that breaches the EU’s General Data Protection Regulation (GDPR), according to a 91-page report commissioned by the Dutch government, and conducted by firm Privacy Company.

It’s not just Microsoft in the firing line, of course.

With GDPR now several months into play, data watchdogs across Europe are beginning to take their first steps in the new regulatory landscape. Microsoft is the latest in a line of major companies accused of breaching GDPR, with Oracle and Equifax among seven firms reported for violations by a data rights group last week.

And that story about Google’s AI company having access to NHS data is still rumbling on.

Google: Our DeepMind health slurp is completely kosher
DeepMind told The Reg: “It is false to say that Google is ‘absorbing’ data. This data is not DeepMind’s or Google’s – it belongs to our partners, whether the NHS or internationally. We process it according to their instructions.”

That claim, echoed by DeepMind Health chief Dominic King, brought a swift correction from legal experts. “It doesn’t belong to DeepMind’s partners, it belongs to the individuals,” said Serena Tierney, partner at lawyers VWV. “Those ‘partners’ may have limited rights, but it doesn’t belong to them.”

I wonder if we’ll be seeing more of these issues, what with one thing and another.

What the potentially useless draft Brexit agreement means for tech
One of the big questions for Brexit is data protection, and the agreement seeks to hold onto the status quo. Scroll through to Article 71 for the text, which says that EU data protection law will continue to cover the UK before and after the transition period, which runs until the end of 2020. That means personal data can continue to flow between the UK and the EU.

“This issue is critical to the tech sector and to every other industry in a modern digitising economy,” says Tech UK CEO Julian David in a blog post. Data’s the oil that greases tech, and all that.

That doesn’t mean that GDPR will continue to apply in the UK post Brexit. Christopher Knight, privacy lawyer at 11KBW, notes that the UK will become a “third state”. That means the UK won’t be required to apply GDPR and other data laws to “wholly internal situations of processing”.

Update: Well, here’s a thing. I’m still getting used to this new Android phone, with its Google news feed thing, and some time after first drafting this post I was browsing through it and came across the article below. How did it know to surface stories about DeepMind? I’m sure I hadn’t searched for it, but came across it in a newsletter. Is Google reading what I type into WordPress?

Inside DeepMind as the lines with Google blur
Last week, the line between the companies blurred significantly when DeepMind announced that it would transfer control of its health unit to a new Google Health division in California. […]

In March 2017, DeepMind also announced it would build a “data audit” system, as part of its public commitment to transparency. The technology would allow NHS partners to track its use of patient data in real time, with no possibility of falsification, DeepMind said. Google did not comment on whether it will finish the project.

Google+, we hardly knew ye

I admit, I did use this for a while, but I’m as surprised as others to learn that Google+ made it this far. (I still miss Google Reader.)

The death of Google+ is imminent, says Google
Google’s decision follows the Wall Street Journal’s revelation, also published on Oct. 8, that the company exposed hundreds of thousands of Google+ users’ data earlier this year, and opted to keep it a secret:

A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.

That doesn’t make them look good, does it? But then, should we be surprised anymore?

Remember the hacking cough?

More hacking schadenfreude, but with an added GDPR element this time.

First, the hapless Tories.

Major security flaw in Tory conference app reveals users’ data
Commentators said the flaw raised questions over the ability of the government to harness technology to solve issues around the Irish border and customs checks. The app may also have breached data laws. Its privacy policy states that it “complies with … the European Union’s general data protection regulation (GDPR)”.

Boris Johnson’s profile immediately vandalised with hardcore pornography in Tory conference app security blunder
The highly serious blunder allowed anyone to access details of hundreds of MPs including Foreign Secretary Jeremy Hunt and Defence Secretary Gavin Williamson – who have police protection and warn regularly of the hacking threat from Russia. But it also gave pranksters an opportunity to have fun with the profiles of prominent Conservatives.

And then Facebook. Again.

Facebook says at least 50 million users affected by security breach
Facebook said the FBI is now investigating. Because users in Europe are also affected, the company said it has informed data protection authorities in Ireland — where the company’s European headquarters are located. The Irish Data Protection Commission has asked Facebook to clarify the breach “urgently.” If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.

Facebook hack: Here’s what you need to do to secure your account
Critically, for European users, Facebook has been in touch with the Data Protection Commissioner in Ireland – where it is registered – to inform it of the breach. This will be the first data protection incident from one of the major tech companies since the enforcement of Europe’s General Data Protection Regulation (GDPR) in May. GDPR gives regulators the power to issue huge fines but this is yet to be tested. In a statement the Irish Data Protection Commission said Facebook hasn’t given it many details yet. It is “concerned” that despite Facebook discovering the breach on Tuesday, it hasn’t been able to “clarify the nature of the breach and the risk for users at this point”.

Follow the data

I’m hearing more and more about data ethics. It wasn’t ‘a thing’ before, was it? But it certainly is now. Here’s a very interesting take on it: flow.

The ethics of data flow
In Privacy in Context, Helen Nissenbaum connects data’s mobility to privacy and ethics. For Nissenbaum, the important issue isn’t what data should be private or public, but how data and information flow: what happens to your data, and how it is used. Information flows are central to our expectations of privacy, and respecting those expectations is at the heart of data ethics.

It’s not what they’ve got, but what they do with it that matters.

The infamous Target case, in which Target outed a pregnant teenager by sending ad circulars to her home, is a great example. We all buy things, and when we buy things, we know that data is used—to send bills and to manage inventory, if nothing else. In this case, the surprise was that Target used this customer’s purchase history to identify her as pregnant, and send circulars advertising products for pregnant women and new mothers to her house. The problem isn’t the collection of data, or even its use; the problem is that the advertising comes from, and produces, a different and unexpected data flow. The data that’s flowing isn’t just the feed to the marketing contractor. That ad circular, pushed into a mailbox (and read by the girl’s father) is another data flow, and one that’s not expected.

[…]

Everyone who works with data knows that data becomes much more powerful when it is combined with data from other sources. Data that seems innocuous, like a grocery store purchase history, can be combined with geographic data, medical data, and other kinds of data to characterize users and their behavior with great precision. Knowing whether a person purchases cigarettes can be of great interest to an insurance company, as can knowing whether a cardiac patient is buying bacon.

The article is written by and for data developers, primarily, and poses more questions than it can answer, especially around the thorny concept of data deletion. It’s an interesting read, but it left me wondering if those GDPR data protection principles will ever be fully put into practice.

Facebook gets away with it

Facebook fined for data breaches in Cambridge Analytica scandal
Facebook is to be fined £500,000, the maximum amount possible, for its part in the Cambridge Analytica scandal, the information commissioner has announced.

But talk about good timing.

In the first quarter of 2018, Facebook took £500,000 in revenue every five and a half minutes. Because of the timing of the breaches, the ICO said it was unable to levy the penalties introduced by the European General Data Protection Regulation (GDPR), which caps fines at the higher level of €20m (£17m) or 4% of global turnover – in Facebook’s case, $1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.

Elizabeth Denham, the information commissioner, explains her real goal with this fine is to “effect change and restore trust and confidence in our democratic system.”

“Most of us have some understanding of the behavioural targeting that commercial entities have used for quite some time,” Denham said, “to sell us holidays, to sell us trainers, to be able to target us and follow us around the web.”

“But very few people have an awareness of how they can be micro-targeted, persuaded or nudged in a democratic campaign, in an election or a referendum.

“This is a time when people are sitting up and saying ‘we need a pause here, and we need to be sure we are comfortable with the way personal data is used in our democratic process’.”

I think we’re still some way off that; people just seem not to be bothered.

Facebook’s rise in profits, users shows resilience after scandals
Facebook Inc (FB.O) shares rose on Wednesday after the social network reported a surprisingly strong 63 percent rise in profit and an increase in users, with no sign that business was hurt by a scandal over the mishandling of personal data.

But maybe I shouldn’t be so pessimistic.

The digital privacy wins keep coming
Progress can be difficult to measure; it often comes in drips and drops, or not at all for long stretches of time. But in recent weeks, privacy advocates have seen torrential gains, at a rate perhaps not matched since Edward Snowden revealed how the National Security Agency spied on millions of US citizens in 2013. A confluence of factors—generational, judicial, societal—have created momentum where previously there was none. The trick now is to sustain it.

Let’s hope.

Hong Kong librarian has had enough of your tardiness

Librarian Gone Rogue: Impatient bibliophile accused of accessing library members’ accounts to quicken book returns
Patrons were checking out books that she wanted to read, and the woman was just not having it, according to Apple Daily.

The librarian, a 25-year-old contract employee at the Tseung Kwan O Public Library between 2015 and 2018, reported their cards as lost and changed their account passwords so they had to return their books immediately, according to the report.

Well, that’s one way of dealing with overdue library books.

University data breach

With GDPR still getting attention, here’s news that the Information Commissioner has fined the University of Greenwich over a significant data breach that happened in 2016.

Greenwich University fined £120,000 for data breach
The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health problems. It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.

The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as “serious”.

[…]

In a statement, the university said it would not appeal against the decision.

It said it had carried out “an unprecedented overhaul” of its data protection and security systems since the discovery of the breach in 2016, and it had invested in both technology and staff.

So the personal data was added to a website in 2004 and left there for 12 years until the breach was discovered?

The University of Greenwich fined £120,000 by Information Commissioner for “serious” security breach
The investigation centred on a microsite developed by an academic and a student in the then devolved University’s Computing and Mathematics School, to facilitate a training conference in 2004.

After the event, the site was not subsequently closed down or secured and was compromised in 2013. In 2016 multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server.

A timely warning for others, I guess. Under GDPR, these fines could be significantly higher.

Happy GDPR Day!

Remember though, 25 May is just the beginning, not the deadline. Don’t panic.

US sites block users in Europe: Why are they ghosting EU? It’s not you, it’s GDPR
Visitors in the bloc trying to load articles from the Tribune, or stablemates the Los Angeles Times – the fifth-biggest daily – and the Orlando Sentinel are shown the same error message from publisher Tronc.

“Unfortunately, our website is currently unavailable in most European countries,” it reads. “We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”

The finger is pointed at the General Data Protection Regulation, which, although it is only just being enforced today, was adopted on 14 April 2016 – meaning organisations have had more than two years to prepare.

Help, my lightbulbs are dead! How GDPR became bigger than Beyonce
But the potential of huge fines hasn’t been the only reason for GDPR mania. There’s also a growing market of people working in data protection and offering dubious services related to GDPR. In the UK there are more than 100 registered companies with the GDPR acronym in their titles – and the vast majority of these were formed after the regulation was approved in 2016. Their purpose? To offer advice on how companies can get their data in order and create products that can help organise information.

[…]

In a post on LinkedIn, George Parapadakis who formerly worked at IBM, wrote that technology wouldn’t solve GDPR issues. “The nonsense that I read on a daily basis, defies belief,” Parapadakis wrote. Turner adds: “Don’t get me wrong, we’re all in it to pay the mortgage but I think as the panic has increased, there is something of a feeding frenzy of, ’Let’s see how much we can get before the momentum goes out of the market.’” This may have peaked when GDPR became more popular than Beyonce.

Another day, another GDPR e-mail

GDPR finally comes into force on Friday, and there seems to be no let up in the privacy notice update e-mails we’re all getting. This raised a smile though.

Most GDPR emails unnecessary and some illegal, say experts
What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

I wonder if we’ll still receive these e-mails after 25 May. If we do, are the companies that send them admitting they weren’t compliant initially? I’m sure the ICO won’t be too concerned, but it’ll be interesting to see what happens.

Last-minute frenzy of GDPR emails unleashes ‘torrent’ of spam – and memes
The whole process has inspired the internet to rope in everyone from Julian Assange to Donald Trump to Prince William in an attempt to illustrate their frustration at the electronic onslaught.

Photocopiers have long memories

They say elephants never forget, and it seems neither do photocopiers.

In light of all the attention currently on GDPR and data protection generally, here’s an interesting article from 2010 about the dangers hiding within our photocopiers. For some time now, digital copiers have contained hard drives that store an image of everything they copy, scan or e-mail. That’s potentially a lot of valuable personal data that can stay on the machine long after you’ve thrown it away.

Digital photocopiers loaded with secrets
It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan – downloading tens of thousands of documents in less than 12 hours.

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company – that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Something to add to our risk registers, perhaps?

GDPR Day’s getting nearer

The EU’s Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was signed off on 27 April 2016, two years ago. It becomes enforceable from 25 May 2018. Have we been using these last two years to get ready?

This, from a year ago, sums it up, I think.

Concern that schools are not preparing for new rules on personal data
The General Data Protection Regulations are the ‘biggest change in 25 years’ to how organisations must manage personal data, but only a fifth of schools are aware of the May 2018 deadline.

Employers and schools are all certainly busy now, in these last few weeks, reviewing data asset registers and updating privacy notices. The news that the fines for non-compliance could be as high as £17 million is certainly a motivator, although here’s Elizabeth Denham, the Information Commissioner, suggesting they won’t be levying such large fines lightly.

What is GDPR? Data protection law is changing in 2018. Here’s what you need to know
But Denham says speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick”.

[…]

“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.” She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.

As well as some of us acting as data controllers or data processors, we’re all data subjects too. These are new rules designed to protect our data. I’m sure we’ve all been getting e-mails from companies like Twitter, Instagram and Fitbit and so on, about their revised data and privacy policies.

Here’s a great summary from Danny O’Brien of the Electronic Frontier Foundation, on what to look out for.

Why am I getting all these terms of service update emails?
The EU regulators are certainly paying attention to these email updates. A strongly-worded blog post this week by EU’s head enforcer, European Data Protection Supervisor (EDPS) Giovanni Buttarelli, warned the public and his fellow regulators to be “vigilant about attempts to game the system”, adding that some of these new terms of service emails could be “travest[ies] of the spirit of the new regulation”.

[…]

As Buttarelli says, such “legal cover” might well be against the spirit of the GDPR, but it’s going to take a while for companies, regulators, and privacy groups to establish what the law’s sometimes ambiguous statements really mean. One particularly knotty problem is whether the language that many of these emails use (“by using our service, you agree to these terms”) will be acceptable under the GDPR. The regulation is explicit that in many areas, you need to give informed, unambiguous consent by “a statement or clear affirmative action.” Even more significantly, if the data being collected by a company isn’t necessary for the service it is offering, under the GDPR the company should give covered users the option to decline that data collection, but still allow them to use the service.

Bad data protection practices save the day

In reviewing our GDPR readiness at work we’ve been discussing the dangers of leaving important documents lying around our offices. Yes, the offices are locked when we’re not there, but what about the cleaners? They have access to all our rooms and offices.

But there are benefits to having nosey school cleaners, it seems.

Woolwich accountant told to pay back £3m or face 8 years in jail
Judge Nicholas Heathcote Williams said in his new judgment: ‘Over nearly seven years Kayode stole and defrauded over £4million from Haberdashers’ by transferring money from their account to his and his wife Grace’s.’

His boss, chief financial officer Paul Durgan, failed to notice any money was missing. Kayode was caught only when a school cleaner spotted bank account statements in his office.

GDPR and a Digital Protection Agency?

Ok, I know I said that I’d stop reading articles about personal data abuses, but they just keep coming.

Silicon Valley has failed to protect our data. Here’s how to fix it
What’s been unfolding for a while now is a rolling catastrophe so obvious we forget it’s happening. Private data are spilling out of banks, credit-rating providers, email providers, and social networks and ending up everywhere.

[…]

Given that the federal government is currently one angry man with nuclear weapons and a Twitter account, and that it’s futile to expect reform or self-regulation from internet giants, I’d like to propose something that will seem impossible but I would argue isn’t: Let’s make a digital Environmental Protection Agency. Call it the Digital Protection Agency. Its job would be to clean up toxic data spills, educate the public, and calibrate and levy fines.

That sounds like a very sensible, pragmatic and effective approach, so it’s obviously going to be ignored. It was interesting reading that after hearing about another data breach yesterday, this time with a fitness app. It seems the company dealt with it appropriately though. This time.

The MyFitnessPal hack may affect 150 million people. It could’ve been even worse.
Under Armour and MyFitnessPal seem to have some good data practices in place: Payment information was kept separate from general user information, which was stored separately from user-uploaded app data. Under Armour also appears to have reacted swiftly once it learned of the breach and notified users and the public a few days later—a stark comparison to other companies, such as Uber, which hid its 2016 data breach by paying off the hackers. Still, it’s an important reminder that being hacked isn’t a matter of if—it’s when.

What will these companies make of the GDPR, I wonder.

WTF is GDPR?
Last year the company [Facebook] told us it had assembled “the largest cross functional team” in the history of its family of companies to support GDPR compliance — specifying this included “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”.

“Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. It also said it was in the process of hiring a “top quality data protection officer” — a position the company appears to still be taking applications for.

And this.

How Europe’s new privacy rule is reshaping the internet
Much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in two crucial ways. First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. By default, any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person. Users also need a way to revoke that consent, and they can request all the data a company has from them as a way to verify that consent. It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online.

They know everything about us, and that’s ok?

I really need to stop reading articles about how our personal data is being used and abused by seemingly everyone on the internet. Nothing good can come from going over the same bad news. These from The Guardian are the last ones, I promise.

Why have we given up our privacy to Facebook and other sites so willingly?
If you think you’re a passive user of Facebook, minimising the data you provide to the site or refraining from oversharing details of your life, you have probably underestimated the scope of its reach. Facebook doesn’t just learn from the pictures you post, and the comments you leave: the site learns from which posts you read and which you don’t; it learns from when you stop scrolling down your feed and how long it takes you to restart; it learns from your browsing on other websites that have nothing to do with Facebook itself; and it even learns from the messages you type out then delete before sending (the company published an academic paper on this “self-censorship” back in 2013).

[…]

Lukasz Olejnik, an independent security and privacy researcher, agrees: “Years ago, people and organisations used to shift the blame on the users, even in public. This blaming is unfortunate, because expecting users to be subject-matter experts and versed in the obscure technical aspects is misguided.

“Blaming users is an oversimplification, as most do not understand the true implications when data are shared – they cannot. You can’t expect people to fully appreciate the amount of information extracted from aggregated datasets. That said, you can’t expect users to know what is really happening with their data if it’s not clearly communicated in an informed consent prompt, which should in some cases include also the consequences of hitting ‘I agree’.”

So what kind of data are we talking about? What are we sharing? Everything from where we’ve been, what we’ve ever watched or searched for, to even what we’ve deleted.

Are you ready? This is all the data Facebook and Google have on you
This information has millions of nefarious uses. You say you’re not a terrorist. Then how come you were googling Isis? Work at Google and you’re suspicious of your wife? Perfect, just look up her location and search history for the last 10 years. Manage to gain access to someone’s Google account? Perfect, you have a chronological diary of everything that person has done for the last 10 years.

This is one of the craziest things about the modern age. We would never let the government or a corporation put cameras/microphones in our homes or location trackers on us. But we just went ahead and did it ourselves because – to hell with it! – I want to watch cute dog videos.

And texts and calls too.

Facebook logs SMS texts and calls, users find as they delete accounts
Facebook makes it hard for users to delete their accounts, instead pushing them towards “deactivation”, which leaves all personal data on the company’s servers. When users ask to permanently delete their accounts, the company suggests: “You may want to download a copy of your info from Facebook.” It is this data dump that reveals the extent of Facebook’s data harvesting – surprising even for a company known to gather huge quantities of personal information.

So what can be done?

Beware the smart toaster: 18 tips for surviving the surveillance age
Just over a week ago, the Observer broke a story about how Facebook had failed to protect the personal information of tens of millions of its users. The revelations sparked a #DeleteFacebook movement and some people downloaded their Facebook data before removing themselves from the social network. During this process, many of these users were shocked to see just how much intel about them the internet behemoth had accumulated. If you use Facebook apps on Android, for example – and, even inadvertently, gave it permission – it seems the company has been collecting your call and text data for years.

It’s not me, it’s you! So Facebook protested, in the wake of widespread anger about its data-collection practices. You acquiesced to our opaque privacy policies. You agreed to let us mine and monetise the minutiae of your existence. Why are you so upset?

Most of the tips in the article don't really address the issues above: they're about securing your accounts against hackers rather than dealing with Facebook's and Google's intrusions and their opaque consent agreements. But a couple are worth highlighting.

12. Sometimes it’s worth just wiping everything and starting over
Your phone, your tweets, your Facebook account: all of these things are temporary. They will pass. Free yourself from an obsession with digital hoarding. If you wipe your phone every year, you learn which apps you need and which are just sitting in the background hoovering up data. If you wipe your Facebook account every year, you learn which friends you actually like and which are just hanging on to your social life like a barnacle.

[…]

18. Finally, remember your privacy is worth protecting
You might not have anything to hide (except your embarrassing Netflix history) but that doesn’t mean you should be blasé about your privacy. Increasingly, our inner lives are being reduced to a series of data points; every little thing we do is for sale. As we’re starting to see, this nonstop surveillance changes us. It influences the things we buy and the ideas we buy into. Being more mindful of our online behaviour, then, isn’t just important when it comes to protecting our information, it’s essential to protecting our individuality.

Caught out by their own documents #2

Dutch Data Protection Authority accidentally leaked its employees’ data
“When it comes to data leaks, the same procedures apply to all parties, including us,” Gras added. Still, Gras insisted that the blunder in question was relatively mild and did not require any formal notification.

“A data breach must be reported if it leads to serious adverse consequences for the protection of personal data, or if there is a significant chance that this will happen,” she stated.

So it appears that the leak was too insignificant to necessitate reporting it to themselves.

PDF problems again…

Data, data, everywhere – any of it helping?

Data and education. Educating ourselves with data? On data? Improving education by improving data?

We might have the data, but have we got the answers?
Regarding what he calls ‘technical validity’, are we measuring what we are supposed to be measuring? Then, in what he describes as ‘normative validity’, are we measuring what we value, or are we valuing what we measure? Two important questions for us all to ask about the data that our systems are awash with.

Some great points here, refreshingly honest, about the state of data and information in schools. And here’s a response of sorts, albeit from a higher education perspective:

Taking the data conversation to a new level
The publication of this report is a significant moment in our journey to build a better data infrastructure for UK higher education because it is coming from a very different place. The members of the Higher Education Commission are senior, experienced leaders, strategists and politicians, and previous Commission inquiries have addressed topics like the regulation and the financial sustainability of HE. These are not people whose natural habitat is the world of petabytes, XML and FUNDCOMP; they are perhaps the most un-nerd bunch you could ever assemble. Yet their decision to base this inquiry on data in HE is in itself a recognition of the fundamental transformations that data technology is enabling.

Meanwhile, though:

Students hit by University of Greenwich data breach
Students’ names, addresses, dates of birth, mobile phone numbers and signatures were all uploaded to the university’s website. They were posted alongside minutes from the university’s Faculty Research Degrees Committee, which oversees the registrations and progress of its research students. In some cases, mental health and other medical problems were referenced to explain why students had fallen behind with their work.

Protecting library privacy

You are not what you read: librarians purge user data to protect privacy
“I was approached years ago at a different library about users who’d checked out certain astrological books,” said Thistlethwaite. The NYPD officer told her he was looking for the Zodiac killer. “Most police investigations are a little smarter than that, but sometimes they’re just not.”

Seems pretty clear to me: one of the principles in the Data Protection Act is that data should not be kept longer than is necessary. Admittedly this is a news article from the US, where there’s no direct equivalent of the DPA, but still.

Kent Police fined £100K after leaving confidential documents and tapes in disused police station

Kent Police fined £100K after leaving confidential documents and tapes in disused police station
Kent Police must pay a £100,000 fine after a potentially ‘enormous and damaging’ security blunder. It comes after confidential information, including copies of police interview tapes, were left in the basement of the former Gravesend police station.