Tag: privacy

Facebook’s leaky data problem

Vice have seen a leaked document written by Facebook privacy engineers which sounds the alarm on how they deal with users’ data.

Facebook doesn’t know what it does with your data, or where it goes: Leaked documentVice
“We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere,” the document read. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

An interesting analogy. Stop polluting the lake?

Photo by Jenn Wood

The future’s so bright?

What could possibly go wrong?

Ray-Ban StoriesLuxottica
Facebook, Inc. and Ray-Ban releases the next generation of smart glasses, Ray-Ban Stories. The highly anticipated collaboration brings forward a new way to seamlessly capture, share and listen through your most authentic moments. […]

We’re introducing an entirely new way for people to stay connected to the world around them and truly be present in life’s most important moments, and to look good while doing it,” said Andrew Bosworth, Vice President, Facebook Reality Labs.

I wish Ray-Ban’s Stories smart glasses were made by anyone but FacebookYahoo Finance
Whether or not you’re willing to make that investment largely depends on how you feel about Facebook and what you are hoping to get out of a pair of “smart glasses.” At best, they feel like a better, more polished version of Snapchat’s Spectacles. It’s still a novelty, but with decent audio, smart glasses are starting to feel a lot more useful. At worst, the glasses are yet another reminder of Facebook’s dominance.

Facebook announces launch of Ray-Ban Stories smart glassesThe Guardian
The company’s hardest sell might not be privacy, but the glasses themselves. Snapchat’s Spectacles are now in their third generation, with improvements each time, yet they’ve failed to catch the imagination of the target market. The company took a $40m write-down on the value of unsold inventory in 2017.

Facebook and Ray-Ban are rolling out smart glasses that actually look cool. Will anyone buy them?CNN
I couldn’t shake the feeling that I was getting away with something while wearing Ray-Ban Stories in public. As far as I could tell, nobody noticed anything unusual about the glasses while chasing my kids around a busy playground, even when I was taking numerous short videos. (It was impossible for me to tell, but perhaps the bright sunlight made the glasses’ white LED less noticeable.) I walked into stores with them on, took pictures of myself in mirrors, and nobody even blinked. It would have been easy to use these glasses to invade other people’s privacy. Was this accidentally furtive photo- and video-taking turning me into a Facehole?

Facebook’s new camera glasses are dangerously easy to useWIRED
During a dinner with friends last weekend, Peter wore the Ray-Ban Stories the whole time—and it wasn’t until he pointed out the tiny sensors embedded at the temples that friends noticed. Once they did, though, Facebook’s biggest issue didn’t take long to surface: “So, you’ve been recording the whole time?” one friend asked, only half joking. Similarly, Lauren recorded (then deleted) a conversation with an editor while fumbling with the glasses. The editor never noticed.

Smart glasses made Google look dumb. Now Facebook is giving them a try.The New York Times
Many of these privacy concerns are beside the point for technologists who see wearables as inexorable for society. For Mark Zuckerberg, Facebook’s chief executive, the ultimate goal is to eventually release a pair of smart glasses that fully augment reality, which puts a kind of virtual overlay onto the world in front of people.

That idea is yet another step on the road to the metaverse, Mr. Zuckerberg’s term for how parts of the virtual and actual world will eventually meld together and share different parts of each other.

Is it getting a little tiring, now, to keep responding to these type of stories with ‘just because we can, doesn’t mean we should’? I did, however, like the comment about determining someone’s age by their taking-a-photo gestures, at the end of this piece from the BBC’s Chris Fox.

Sending a message to WhatsApp

WhatsApp fined $267 million for breaching EU privacy lawThe Verge
Ireland’s Data Protection Commission (DPC) announced the decision in an 89-page summary (PDF), noting that WhatsApp did not properly inform EU citizens how it handles their personal data, including how it shares that information with its parent company.

WhatsApp hit with €225M privacy finePolitico
Ireland’s data regulator on Thursday fined WhatsApp €225 million for violating Europe’s privacy rules — a more than four-fold increase in the penalty compared to what the watchdog had initially proposed.

Ireland watchdog fines WhatsApp record sum for flouting EU data rulesThe Guardian
Four “very serious” infringements violated the core of GDPR, said Dixon. “They go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.” The violations affected an “extremely high” number of people, said the watchdog.

Adrian Weckler explains WhatsApp’s €225m fineIndependent.ie: YouTube
The Irish Data Protection Commissioner has imposed a €225m fine on Facebook-owned Whatsapp, Europe’s second largest penalty so far under GDPR privacy laws. However, it did so only after being ordered to raise the amount by an EU data oversight board.

WhatsApp fined €225m for not telling users how it shared data with FacebookFinancial Times
The WhatsApp ruling came after Luxembourg fined Amazon a record €746m in July for breaching GDPR and Ireland fined Twitter €450m in December for not informing regulators about a data leak within 72 hours. The Irish Data Protection Commission has more than two dozen ongoing investigations into big tech companies. Amazon has said it will appeal against its fine.

Facebook: Let us tell you WhatsApp – we don’t want to pay that €225m GDPR fineThe Register
It’s reported to be the heftiest fine ever issued by the DPC and the second-largest handed out under EU data protection laws. It’s also small change for WhatsApp’s parent Facebook, which made a $30bn profit in its latest financial year. The fine is about one per cent of the social network’s annual net income. […]

As well as the fine, the DPC has also ordered WhatsApp to take “a range of specified remedial actions” which some sources claim could make privacy policies even less user friendly.

A horrendous failure

Imagine finally summoning up the courage to start therapy, to disclose your scariest thoughts and feelings, and then this happens.

They told their therapists everything. Hackers leaked it allWIRED
“If we receive €200 worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers,” the email said in Finnish. If Jere missed the first deadline, he’d have another 48 hours to fork over €500, or about $600. After that, “your information will be published for all to see.”

It’s a story that WIRED’s UK version had covered in a very similar way back in December.

A dying man, a therapist and the ransom raid that shook the worldWIRED UK
After a handful of sessions, Puro’s therapist moved on to find new work, supposedly saying he couldn’t do anything more to help. Puro has managed alone since then, but his story has taken another dark twist – one that has shaken him to the core. A data breach at Vastaamo led to Puro and thousands of other vulnerable people being extorted by criminals who threatened to expose their highly sensitive data.

Here’s The Guardian’s report from October.

‘Shocking’ hack of psychotherapy records in Finland affects thousandsThe Guardian
Distressed patients flooded victim support services over the weekend as Finnish police revealed that hackers had accessed records belonging to the private company Vastaamo, which runs 25 therapy centres across Finland. Thousands have reportedly filed police complaints over the breach. Many patients reported receiving emails with a demand for €200 (£181) in bitcoin to prevent the contents of their discussions with therapists being made public.

Devastating for the patients affected as well as the therapy company itself, Vastaamo.

Vastaamo fires CEO, saying he knew about hacking for 18 monthsHelsinki Times
The psychotherapy centre has determined that its database was hacked in November 2018. Nixu, a Finnish cybersecurity company, found later in its investigation that the centre was targeted also in another hacking, in March 2019. “It’s very likely that the chief executive has known about the issue at that point,” Kahri stated to Ilta-Sanomat.

Hacked Finnish therapy business collapsesComputer Weekly
Vastaamo, the Finland-based private psychotherapy practice that covered up a cyber attack on its patient record system in 2018 and then saw its patients directly extorted by cyber criminals, has collapsed into bankruptcy with its services to be acquired by medical services firm Verve.

Hacked psychotherapy centre Vastaamo files for bankruptcyYle Uutiset
The firm was placed under liquidation in late January. Lassi Nyyssönen from Fenno Attorneys at Law was appointed as liquidator, but after assessing the situation decided that it was not feasible to carry out liquidation proceedings. “It very quickly became clear that the company’s clear, undisputed debts exceed the amount of its assets. That does not of course include possible damages that it may have to pay due to the data breach,” Nyyssönen told Yle.

A sign of the times?

Vastaamo breach, bankruptcy indicate troubling trendSearchSecurity
Prior to learning of the Vastaamo hack, Hypponen said he believed that most attackers are motivated by financial information. “If you’re trying to make money with your criminal attacks, medical information is not a very good target for you. Well turns out, I might have been wrong,” he said during the webinar. “It might be now the case that we are seeing the beginning of the next trend — a trend where medical information is becoming a prime target for financially motivated criminals. They might not just be blackmailing the organization with the encryption of data, but the patients themselves.”

Everything’s a game

Two simple but fiendish online puzzles.

Cookie Consent Speed.Run
Since GDPR came into our lives, we’ve all had to struggle with obtaining our basic privacy rights. With each cookie banner we have all been honing our skills, learning to navigate ambiguous options and distrust obvious buttons. Now is your chance to show what you have learnt.

Fontemon: World’s first video game in a font!codeRelay
You read that right! It’s a video game in a font! A font as in “Time New Roman”. The entire game is enclosed in fontemon.otf, no javascript, no html, all font.

Tracking uptake

After a considerable false start, the long-awaited new NHS Covid-19 app is now available. Have you downloaded it yet? Even if take-up is as low as some are gloomily predicting, it could still be worthwhile.

Take-up of NHS contact-tracing app could be only 10%The Guardian
Officials at the test and trace programme, however, believe there will be benefits even if few people adopt it. A recent study by the same data team at Oxford University, looking at the experience of Washington state in the US, found that if 15% used an app that notified them of exposure to an infected person, infections were reduced by 8% and deaths by 6%.

But even the best only got up to 40% take-up.

Everything you need to know about the NHS Covid-19 tracking appWired UK
The country with the highest download rate is Singapore, which was the first nation to introduce a contact tracing app. The TraceTogether system has been downloaded 2.4 million times as of September 9. This accounts for around 40 per cent of Singapore’s population. The country has also moved beyond the contact tracing apps by trialling a Bluetooth ’token,’ a wearable device, that people can use for contact tracing purposes.

Update: 28/09/2020

So far, so good.

How is WFH working out for you?

The future has always been uncertain, in an abstract you-never-know-what’s-round-the-corner kind of way. But these days, goodness me — the very near future has never been so completely uncertain, unknown, and unsettled. For instance, what will our workplaces be like, after all this?

The office is deadMarker
“It’s not something I was even thinking about six weeks ago, but it’s definitely something I’ve been talking about now with my investors,” Haynie says. “Overall it’s a win-win.” This is just the tip of the iceberg. From startups and tech giants to more old-school Wall Street firms, businesses are rethinking the role of office space and whether they even need it. If, in the old world, an office was a form of corporate peacocking — a flashy location in some iconic building with a boutique-hotel level of design for clients, employees, customers, and investors— in the new world, it is becoming a very costly line item that could be reduced to the equivalent of a single flagship store.

Your boss is watching you: Work-from-home boom leads to more surveillanceNPR
Her employer has started using software called Time Doctor. It downloads videos of employees’ screens while they work. It also can enable a computer’s webcam to take a picture of the employee every 10 minutes. “If you’re idle for a few minutes, if you go to the bathroom or whatever, a pop-up will come up and it’ll say, ‘You have 60 seconds to start working again or we’re going to pause your time,’ ” the woman said.

Zoom fatigue is something the deaf community knows very wellQuartz
Posts about “Zoom fatigue” mention struggling with non-verbal cues. This frustration is relatable to how hard of hearing individuals have to accurately lipread, view sign language clearly, or get an unobstructed view of faces and body language. Others point out the stress in understanding what is said with choppy audio, time delays, or pixelated video. The deaf community encounters this difficulty in nearly every setting, like they’re piecing together a jigsaw puzzle.

Less TGI Friday, more WFH Monday

WFH = working from home. An abbreviation I hadn’t heard of until recently. It seems we’re all at it. Well, not all of us.

The great Zoom divide: How working from home is a privilegeNew Statesman
Supporting the WFH and self-isolating economy is an army of factory and warehouse workers who are now busier than ever. There is much awareness and respect, rightfully, for medical staff who are at the frontlines of fighting Covid-19 – but what about those on the industrial frontlines? Who is protecting them? How can we keep essential supplies and functions running without exposing these workers to health risks? Is that even possible?

Avoiding Coronavirus may be a luxury some workers can’t affordNew York Times
For many workers, being sick means choosing between staying home and getting paid. One-quarter of workers have no access to paid sick days, according to Labor Department data: two-thirds of the lowest earners but just 6 percent of the highest earners. Just a handful of states and local governments have passed sick leave laws. Only 60 percent of workers in service occupations can take paid time off when they are ill — and they are also more likely than white-collar workers to come in contact with other people’s bodies or food.

But for those of us who are, there’s no end of advice out there, from kit to clothes.

Stykka designs a temporary workstation so you’ll stay the f*** homeDesign Milk
When Denmark ordered people to stay home, Stykka got creative knowing many people had to share workspaces at home with their families or had to use the dining table. They challenged themselves to use only cardboard, zip ties, and a laser cutter, and in less than 24 hours, they not only had a prototype but they were ready to ship the desks out. Once received, the desk takes less than 10 minutes to assemble.

Don’t mute, get a better headsetMatt Mullenweg
When you’re speaking to a muted room, it’s eerie and unnatural — you feel alone even if you can see other people’s faces. You lose all of those spontaneous reactions that keep a conversation flowing. If you ask someone a question, or they want to jump in, they have to wait to unmute. I also don’t love the “unmute to raise your hand” behavior, as it lends itself to meetings where people are just waiting their turn to speak instead of truly listening.

As population works from home, Walmart reports increased sales for tops but not pantsCBS News
Men’s fashion brand Suitsupply is getting in on both sides of the trend. The company recently posted a photo on Instagram of a model wearing a button-down, tie and blazer on top — and nothing but underwear on the bottom. “Working from home doesn’t mean compromising on style. Keep your look professional—from the waist up at least,” the brand wrote. Scrolling through the Instagram post leads to a picture that says, “Off-camera?” before featuring the same model, this time wearing a sweatshirt.

Careful though.

Zoom announces 90-day feature freeze to fix privacy and security issuesThe Verge
Zoom has never shared user numbers before, but Yuan reveals that back in December the company had a maximum of 10 million daily users. “In March this year, we reached more than 200 million daily meeting participants, both free and paid,” says Yuan. That’s a huge increase that has seen people use Zoom for reasons nobody expected before the coronavirus pandemic.

Security and privacy implications of ZoomSchneier on Security
In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations. […] Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it’s in the spotlight, it’s all coming out.

Automated tool can find 100 Zoom meeting IDs per hourThe Verge
In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting’s Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.

Meanwhile.

Leave us alone

Hot on the heels of Robot Day is Data Protection Day, initiated by the Council of Europe  in 2007.

Data Protection DayCouncil of Europe
The Council of Europe is celebrating this year the 14th edition of Data Protection Day. This initiative aims to raise the individuals awareness about good practices in this field, informing them about their rights and how to exercise them.

Joint statement by Vice-President Jourová and Commissioner Reynders ahead of Data Protection DayEuropean Commission
Data is becoming increasingly important for our economy and for our daily lives. With the roll-out of 5G and uptake of the Artificial Intelligence and Internet of Things technologies, personal data will be in abundance and with potential uses we probably can’t imagine. While this offers amazing opportunities, some cases show that robust rules are needed to address clear risks for individuals and for our democracies. In Europe we know that strong data protection rules are not a luxury, but a necessity. […]

20 months after the entry into application of the landmark General Data Protection Regulation, we see that the GDPR has acted as a catalyst to put data protection at the centre of many of the on-going policy debates. It is a cornerstone of the European approach underpinning several political priorities of the new Commission promoting a human centric approach to Artificial Intelligence and other digital technologies. European Data Protection rules will therefore be a foundation and inspiration for the success of key initiatives in artificial intelligence, health or mobility to name just a few.

Part of me wants to find out how our leaving the EU on Friday will affect this, but a larger part of me is too fed up with the whole stupid act of national self-harm to bother.

Happy “Data Privacy Day” – Now read The New York Times privacy project about total surveillanceForbes
The shocking thing about the obvious and growing loss of privacy is how unconcerned everyone is. Technologists started “snooping” around servers, desktops and data bases years ago to understand the status of hardware and software and how they should be managed. Enterprise snooping is still a best practice. But snooping is now central to entire national and global business models, and has emerged with a scary name: surveillance capitalism. No one predicted how pervasive snooping would become. No one predicted just how much profit snooping would generate, and no one predicted how entire populations would essentially shrug their shoulders about how they’re stalked each and every day – to make someone else money!

I’ve shared a number of articles about surveillance before, including one from The New York Times Privacy Project mentioned above, but there are many more to worry over.

Surprisingly (not really), Google doesn’t seem to be celebrating the day with a Google Doodle, although there is a prompt to complete a privacy check-up.

privacy-day

I quite like Protect Internet health and privacy with Mozilla’s internet health initiative, on the other hand.

Data detox: Five ways to reset your relationship with your phoneThe Firefox Frontier
We use our phones for everything from hailing rides to ordering in, and even to track our literal steps. All that convenience at our fingertips comes at a cost: our personal data and our mental health. It’s hard to be present in the moment when push notifications and texts are enticing us to look down. Meanwhile, the amount of personal data we share, many times without even realizing, can be alarming.

But not all hope is lost! Here are five simple steps you can take to protect your data and sanity.

None for me, thanks

Are you annoyed as I am when adverts for things I may or may not be interested in creepily follow you around the entire web, from one website to another? Maybe you aren’t, it’s not an issue for a lot of people. But for some it is, and Firefox is here to help.

The latest version of Firefox shows the wild scale of web tracking
It’s a big issue. According to cookie tracker tool Web Cookies, there are an average of 12.5 third-party cookies on every site, with a monstrous 412 cookies found on one shady site. Mozilla’s own estimates say there are roughly 170 third-party trackers following each user around the web every single day.

With Firefox 70, Mozilla continues with the universal blocking of all third-party cookies and web trackers for all users, which it introduced with Firefox 69, but it has also added the ability for users to see exactly which trackers are attempting to track them, as well as how many have been blocked.

This is a step in the right direction. I guess it’s a matter of choice, but people need to be aware of the scale of this issue first.

“We’re making it so that people don’t have the opportunity to create a profile of you online that they can use to serve you ads or political information,” says Celeste Kinswood, senior product marketing manager at Mozilla. “The volume of the tracker epidemic is super high, and people don’t know.”

A day without Brexit news? Nope.

I thought I had found some interesting news about the government today.

No 10 request for user data from government website sparks alarm
While officials insist the move to share user data from the Gov.uk website is simply intended to improve the service and that no personal details are collected, campaigners raised concern about the urgency of the task, and the personal involvement of Boris Johnson and his chief adviser, Dominic Cummings.

But then something else caught my eye.

Brexit: Scottish judges rule Parliament suspension is unlawful
[T]he Court of Session judges were unanimous in finding that Mr Johnson was motivated by the “improper purpose of stymieing Parliament”, and he had effectively misled the Queen in advising her to suspend Parliament.

Scottish judges decide Boris Johnson misled the Queen
In effect, though not in express terms, the Scottish court has held that Mr Johnson lied to the Queen. Not only was the advice false, but it was known by the prime minister to be false. Mr Johnson acted in bad faith.

‘This is a huge thing’: Labour Brexit chief Keir Starmer reacts to parliament suspension being ruled unlawful after being told of news while live on stage
He told delegates: “It was obvious to everybody that not only was shutting down parliament at this crucial time obviously, the wrong thing to do, we should be sitting each and every day to resolve this crisis.

Brexit latest news: Downing Street criticised for calling into question impartiality of Scottish judges

I wonder if this turn of events has been considered in these already mind-boggling charts.

These Brexit flowcharts show just how messy UK politics is
Overall, these Brexit charts range from professional-looking diagrams by media outlets and commentators, to, in some cases, non-linear cosmoses that move in a mystifying range of directions.

But for most of us, I think, this is all starting to get a little tedious.

Brexit: how the people are using ‘news avoidance’ to escape the post-truth world of politics
The term “news avoidance” suggests that these people are avoiding reality. The underlying principle of public journalism is that readers are also citizens whose actions in the real world are based on the reality they have come to know from the news. While acknowledging that this “reality” is put together by journalists, in line with the Frankfurt School’s concept of the “culture industry”, many academics accept that “not to know” is to retire from reality.

Yet this way of thinking about journalism and its role in society fails to address the recent experience of Harris’ interviewees and millions more. For them, journos and politicos have combined to produce the “unreal”, distant world of the “Westminster Village”, a world that many ordinary people feel disconnected from, the “post-truth” world. Seen from this perspective, avoiding the news may be an attempt to escape the unreality concocted exclusively by residents of that gated community.

Are we all under surveillance?

We’re used to seeing CCTV cameras absolutely everywhere in this country, but this creepy introduction of facial-recognition technology is something I thought only happens in places like authoritarian China.

‘Deeply concerned’ UK privacy watchdog thrusts probe into King’s Cross face-recognizing snoop cam brouhaha
It emerged earlier this week that hundreds of thousands of Britons passing through the 67-acre area were being secretly spied on by face-recognizing systems. King’s Cross includes Google’s UK HQ, Central Saint Martins college, shops and schools, as well as the bustling eponymous railway station.

“I remain deeply concerned about the growing use of facial recognition technology in public spaces, not only by law enforcement agencies but also increasingly by the private sector,” said Information Commissioner Elizabeth Denham in a statement on Thursday.

“We have launched an investigation following concerns reported in the media regarding the use of live facial recognition in the King’s Cross area of central London, which thousands of people pass through every day.”

So, not only is GDPR’s notion of consent being ignored in our online life, but we are being tracked without our consent outside in the real world, too.

It’s good to see some people are fighting back.

Adversarial fashion designed to trick automated license plate readers
When hacker and fashion designer Kate Rose learned – through a conversation with Dave Maass, a researcher with the Electronic Frontier Foundation – that the plate readers kind of suck at their jobs, she got an idea. Her new line “Adversarial Fashion” is the result. Unveiled at the DefCon cybersecurity conference in Las Vegas last week, the garments spell out the words of the fourth amendment of the US constitution, which protects Americans from “unreasonable searches and seizures.”

under-surveillance.jpg

That dystopian future creeps nearer every day. And here’s more evidence that “Years and Years” will end up being a fact-based documentary rather than a far-fetched satire.

Robotic contact lens that allows users to zoom in by blinking eyes revealed by scientists
The lens is made from polymers that expand when electric current is applied. It is controlled using five electrodes surrounding the eye which act like muscles. When the polymer becomes more convex the lens effectively zooms in.

Scientists hope one day this could help create a prosthetic eye or a camera that can be controlled using eyes alone.

Re-thinking supposedly anonymous data

This is a little alarming.

Anonymised data isn’t nearly anonymous enough – here’s how we fix it
We developed a machine learning model to assess the likelihood of reidentifying the right person. We took datasets and we showed that in the US fifteen characteristics, including age, gender, marital status and others, are sufficient to reidentify 99.98 per cent of Americans in virtually any anonymised data set.

Some more examples.

The simple process of re-identifying patients in public health records
In late 2016, doctors’ identities were decrypted in an open dataset of Australian medical billing records. Now patients’ records have also been re-identified – and we should be talking about it.

‘Anonymous’ browsing data can be easily exposed, researchers reveal
A journalist and a data scientist secured data from three million users easily by creating a fake marketing company, and were able to de-anonymise many users …

“What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.”

More data breach fines

Flying off to a nice hotel somewhere?

British Airways gets hammered with a record £183m fine for data breach
The incident came to light last September, when British Airways revealed that a sophisticated hack had led to 380,000 customer accounts being compromised, although that initial figure turned out to be an underestimation, with some 500,000 people actually affected, the ICO reckons.

Those folks had the likes of names, addresses, emails, credit card numbers and expiry dates – as well as the security codes on the rear of cards – stolen over a two-week period beginning on August 21, we were told at the time. Although the ICO claims that the thefts began occurring as early as June 2018.

Marriott to face £99 million GDPR fine from ICO over November 2018 data breach
The breach revealed in November 2018 involved the leak of 500 million customer records from the guest reservation database of Marriott’s Starwood Hotels and Resorts division. The attackers – who are unknown but believed to have links with China’s Ministry of State Security – appear to have had access to the system since 2014.

The organisation only became aware of the compromise in September 2018 following an alert from an internal security tool over an attempt to gain access to the reservation system. The company claims that it “quickly engaged” a group of security experts to investigate the apparent attack and “learned during the investigation that there had been unauthorised access to the Starwood network since 2014”.

Meanwhile.

Facebook’s $5 billion FTC fine is an embarrassing joke
Facebook’s stock went up after news of a record-breaking $5 billion FTC fine for various privacy violations broke today. That, as The New York Times’ Mike Isaac points out, is the real story here: the United States government spent months coming up with a punishment for Facebook’s long list of privacy-related bad behavior, and the best it could do was so weak that Facebook’s stock price went up. […]

From some other perspectives, that $5 billion fine is a big deal, of course: it’s the biggest fine in FTC history, far bigger than the $22 million fine levied against Google in 2012. And $5 billion is a lot of money, to be sure. It’s just that like everything else that comes into contact with Facebook’s scale, it’s still entirely too small: Facebook had $15 billion in revenue last quarter alone, and $22 billion in profit last year. […]

That’s actually the real problem here: fines and punishments are only effective when they provide negative consequences for bad behavior. But Facebook has done nothing but behave badly from inception, and it has only ever been slapped on the wrist by authority figures and rewarded by the market. After all, Facebook was already under a previous FTC consent decree for privacy violations imposed in 2011, and that didn’t seem to stop any of the company’s recent scandals from happening. As Kara Swisher has written, you have to add another zero to this fine to make it mean anything.

MI5’s poor surveillance data handling

It’s not often a data protection or records management news story gets this much press attention.

MI5 accused of unlawful handling of surveillance data
MI5 has been accused of “extraordinary and persistent illegality” for holding on to data obtained from members of the public. The human rights organisation Liberty has taken the security service to court over the way that it gathers and stores information under the Investigatory Powers Act.

MI5 ‘unlawfully’ handled bulk surveillance data, lawsuit reveals
“The documents show extraordinary and persistent illegality in MI5’s operations, apparently for many years,” said civil liberties organisation Liberty, which is bringing the case. “The existence of what MI5 itself calls ‘ungoverned spaces’ in which it holds and uses large volumes of private data is a serious failure of governance and oversight, especially when mass collection of data of innocent citizens is concerned.”

MI5’s use of personal data was ‘unlawful’, says watchdog
The security service MI5 has handled large amounts of personal data in an “undoubtedly unlawful” way, a watchdog has said. The Investigatory Powers Commissioner said information gathered under warrants was kept too long and not stored safely. Civil rights group Liberty said the breaches involved the “mass collection of data of innocent citizens”. The high court heard MI5 knew about the issues in 2016 but kept them secret.

Liberty’s challenge to UK state surveillance powers reveals shocking failures
The challenge, by rights group Liberty, led last month to an initial finding that MI5 had systematically breached safeguards in the UK’s Investigatory Powers Act (IPA) — breaches the Home Secretary, Sajid Javid, euphemistically couched as “compliance risks” in a carefully worded written statement that was quietly released to parliament.

This was first reported last month…

MI5 slapped on the wrist for ‘serious’ surveillance data breach
Home Secretary Sajid Javid has confessed to Parliament that MI5 bungled the security of “certain technology environments used to store and analyse data,” including that of ordinary Britons spied on by the agency. In a lengthy Parliamentary statement made last week, Javid obliquely admitted that spies had allowed more people to help themselves to its treasure troves of data on British citizens than was legally allowed.

Sajid Javid admits MI5 committed serious safeguard breaches
In a written statement to parliament last week that was not widely noticed, Javid said he was notifying MPs of “compliance risks MI5 identified and reported within certain technology environments used to store and analyse data, including material obtained under the Investigatory Powers Act”.

… but now the story has been picked up by everyone, including the Middle East Eye

UK’s MI5 spy agency handled surveillance data unlawfully, court hears
An internal agency review warned more than three years ago that storage systems may have become “ungoverned spaces”, which would mean that they were operating in breach of both UK and European law. Despite this, MI5 continued to build new electronic storage systems which did not allow the agency to review its contents and decide what material should be deleted, as the law requires. The problems were withheld from the official watchdog, the Investigatory Powers Commissioner, until earlier this year, the High Court was told.

… and even Russia Today and Sputnik News are getting in on it.

‘Extraordinary & persistent illegality’: UK’s MI5 accused of mishandling bulk surveillance data
MI5 has no control of its storage of vast volumes of people’s calls, messages, web browsing history, as well as other personal data that the agency has managed to obtain on the basis of surveillance warrants, which were often issued under false pretext, the High Court heard on Tuesday in a legal challenge brought by the human rights organization Liberty.

Outcry as High Court finds MI5 engaged in ‘unlawful’ storage, handling of bulk surveillance
Ten internal documents from senior MI5 officials, including an 11 March letter from director Sir Andrew Parker, revealed significant non-compliance issues in how citizens’ data had been kept and used, including a subsequent cover-up of internal failures and that “data might be being held in ungoverned spaces in contravention of our policies”.

Let’s hope some good comes from all this.

Setting precedents for privacy: the UK legal challenges bringing surveillance into the open
These debates highlight the importance of collective efforts to assert respect for privacy and other rights as a core part of public life. We are on the cusp of a positive shift in power towards open public debate and accountability about data and the way it is used against us.

China’s fear of losing control

This isn’t quite the brave new world we were hoping these new technologies would enable.

Davos: George Soros calls Xi Jinping a “dangerous opponent” of open societies
Soros said he wanted to “call attention to the mortal danger facing open societies from the instruments of control that machine learning and artificial intelligence can put in the hands of repressive regimes.” Echoing recent concerns raised about China’s use of facial-recognition technology, Soros asked: “How can open societies be protected if these new technologies give authoritarian regimes a built-in advantage? That’s the question that preoccupies me. And it should also preoccupy all those who prefer to live in an open society.”

Tracing his critique of authoritarian governments to his own childhood under Nazi occupation in Hungary, Soros, who is now 88, urged the Trump administration to take a harder stance on China. “My present view is that instead of waging a trade war with practically the whole world, the US should focus on China,” he said.

The complicated truth about China’s social credit system
What’s troubling is when those private systems link up to the government rankings — which is already happening with some pilots, she says. “You’ll have sort of memorandum of understanding like arrangements between the city and, say, Alibaba and Tencent about data exchanges and including that in assessments of citizens,” Ohlberg adds. That’s a lot of data being collected with little protection, and no algorithmic transparency about how it’s analysed to spit out a score or ranking. […]

The criteria that go into a social credit ranking depends on where you are, notes Ohlberg. “It’s according to which place you’re in, because they have their own catalogs,” she says. It can range from not paying fines when you’re deemed fully able to, misbehaving on a train, standing up a taxi, or driving through a red light. One city, Rongcheng, gives all residents 1,000 points to start. Authorities make deductions for bad behaviour like traffic violations, and add points for good behaviour such as donating to charity.

Running a red light is one thing, but what if you’re a journalist investigating corruption and misconduct?

Chinese blacklist an early glimpse of sweeping new social-credit control
What it meant for Mr. Liu is that when he tried to buy a plane ticket, the booking system refused his purchase, saying he was “not qualified.” Other restrictions soon became apparent: He has been barred from buying property, taking out a loan or travelling on the country’s top-tier trains.

“There was no file, no police warrant, no official advance notification. They just cut me off from the things I was once entitled to,” he said. “What’s really scary is there’s nothing you can do about it. You can report to no one. You are stuck in the middle of nowhere.”

In China, facial recognition tech is watching you
Megvii, meanwhile, supports the state’s nationwide surveillance program, which China, with troubling inferences, calls Skynet. Launched in 2005, Skynet aims to create a nationwide panopticon by blanketing the country with CCTV. Thanks to Face++, it now incorporates millions of A.I.-enhanced cameras that have been used to apprehend some 2,000 suspects since 2016, according to a Workers’ Daily report. […]

Jeffrey Ding, an Oxford University researcher focused on Chinese A.I., believes there is more pushback in the West against deploying facial recognition technology for security purposes. “There’s more willingness in China to adopt it,” he says, “or at least to trial it.”

But there’s also less freedom to oppose the onslaught. “The intention of these systems is to weave a tighter net of social control that makes it harder for people to plan action or push the government to reform,” explains Maya Wang, senior China researcher at Human Rights Watch.

The line from Soros about the danger from “the instruments of control that machine learning and artificial intelligence can put in the hands of repressive regimes” chimes with what I’m reading in James Bridle’s new book, New Dark Age.

May we live in interesting times.

GDPR is still a thing, right?

Some recent data protection stories that have caught my eye.

French data watchdog dishes out largest GDPR fine yet: Google ordered to hand over €50m
The French agency, CNIL, ruled today that the search giant had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalisation. […] The CNIL concluded that Google had breached the General Data Protection Regulation in two ways: by failing to meet transparency and information requirements, and failing to obtain a legal basis for processing.

Amazon, Apple and Google face data complaints
General Data Protection Regulation (GDPR) rules say EU customers have the right to access a copy of the personal data companies hold about them. However, privacy group noyb said it found that most of the big streaming companies did not fully comply. It has filed formal complaints, which if upheld could result in large fines.

Google accused of GDPR privacy violations by seven countries
Consumer groups across seven European countries have filed GDPR complaints against Google’s location tracking (via Reuters). The European Consumer Organisation (BEUC), of which each of the groups are a member, claims that Google’s “deceptive practices” around location tracking don’t give users a real choice about whether to enable it, and that Google doesn’t properly inform them about what this tracking entails. If upheld, the complaints could mean a hefty fine for the search giant.

The NOYB organisation gets mentioned a number of times there.

Max Schrems: The privacy bubble needs to start ‘getting sh*t done’
After years locked in numerous long, drawn-out and often bitter legal battles, Schrems decided to launch a nonprofit aiming to help people bring their own consumer privacy cases to court.

The plan is for NOYB (None Of Your Business) to take advantage of the incoming European Union General Data Protection Regulation, which offers more options for collective redress across the bloc, and harness the momentum Schrems has built up with various high-profile court cases.

Seems to be working. (Via)

“Hello? Is this thing on?”

I certainly enjoy reading about these voice assistants more than I do using them.

You bought smart speakers over the holidays. Now what are Amazon and Google doing with your data?
Ultimately, the choice to keep a smart speaker around comes down to what you’re getting out of the product. For some people with physical disabilities or intellectual differences, smart speakers can make household tasks easier or provide an engaging presence in daily life. For tech junkies like my friend, the sheer joy of commanding a smart home network might be enough. For Hoffman-Andrews, though, the benefits of a speaker don’t outweigh the costs. He bought a couple of products for testing, but he admits he couldn’t actually bring himself to set them up. Being able to ask a speaker to dim the lights or play a weather forecast just didn’t seem like a good enough tradeoff for giving companies access to his home.

“Is it normal to have cameras and microphones pointed at you and your guests? Currently the answer is mostly no,” he says. “These devices aim to change the answer to yes.”

Facebook’s very relaxed attitude to our data

The Verge breaks down the latest story from the New York Times about Facebook’s data sharing agreements with Microsoft, Amazon Spotify and others.

Facebook gave Spotify and Netflix access to users’ private messages
I find it helpful to read the allegations in the Times’ story chronologically, starting with the integration deals, continuing with the one-off agreements, and ending with instant personalization. Do so and you read a story of a company that, after some early success growing its user base by making broad data-sharing agreements with one set of companies — OEMs — it grew more confident, and proceeded to give away more and more, often with few disclosures to users. By the time “Instant personalization” arrived, it was widely panned, and never met Facebook’s hopes for it. Shortly after it was wound down, Facebook would take action against Cambridge Analytica, and once again began placing meaningful limitations on its API.

Then basically nothing happened for three years!

Whatever is happening, it’s happening … now. It has been only two months since the largest data breach in Facebook’s history. It has been only five days since the last time Facebook announced a significant data leak.

On and on we go. The more we hear about how Facebook treats our data — and us — the more bored and relaxed we seem to be about it all. I can’t see this changing.

Update 20/12/2018

From Facebook: Facts About Facebook’s Messaging Partnerships
From Ars Technica: Facebook “partner” arrangements: Are they as bad as they look?

I still think Facebook has transparency and trust issues though…