
No Longer Normal Practice | The Cat Herder, Volume 4, Issue 12

April 5 · Issue #125
The Cat Herder
Bank Holiday edition. All the old favourites are back. Facebook, the Irish state in the form of the Department of Health, backdoors in encrypted messaging services.

The personal data of 550 million people which leaked from Facebook in 2019 is floating around online. But not to worry, Facebook’s comms shop says it’s “old data”.
Liz Bourgeois
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.
For your own peace of mind you should probably look into changing your phone number, name and date of birth though, just to be sure.
This list of Facebook users is searchable by phone number.
Coincidentally it’s almost exactly two years since Hildegarde Naughton proposed giving Faceberg the entire country’s PPS and passport numbers. A suggestion so outlandish even Mark Zuckerberg, Emperor of All Information, politely demurred.
The story of the Department of Health’s compilation of dossiers on autistic children and their families rumbled along in bizarre fashion in the early part of last week.
The DPC announced it had launched a statutory inquiry on Tuesday morning. The significance of this seemed to be lost on many politicians and commentators, perhaps because other organs of the State have conditioned casual observers to assume the State will without fail object to any and all actions of the supervisory authority and take any opportunity presented to interfere with the regulator’s ability to act. All part of the State’s free provision of UTRAAS (Undermining The Regulator As A Service) to grateful multinationals headquartered here.
On Tuesday afternoon the Disabilities Minister told the AsIAm autism charity that “as many as 400 families may have had dossiers compiled on them by the Department of Health”.
On Wednesday at Leaders’ Questions the Taoiseach claimed the Department of Health “do not accept that assertion [that the Department had sought to breach something the Taoiseach called ‘patient-client confidentiality’], and they’re conducting a very rigorous review of that and as I have said the Government will appoint a multidisciplinary team to assess that situation.”
This was despite the Department of Health describing its behaviour as “normal practice” on several occasions the week before. The only denying the Department had done at that stage was to deny that compiling the dossiers was unlawful. It had invoked a report or review carried out last year by a Senior Counsel as evidence of the lawfulness of what was going on.
Last Thursday four things happened.
  1. RTÉ broadcast a follow-up piece on Morning Ireland, with a companion piece on their website.
  2. The Data Protection Commission sent authorised officers under the supervision of the Deputy Commissioner who heads up its Special Investigations Unit into the Department of Health.
  3. The Department of Health sent Minister Anne Rabbitte into a Dáil debate on this matter without adequate briefing notes.
  4. The interim Secretary General of the Department of Health published a second open letter in less than a week ‘addressing’ the issue.
The RTÉ follow-up story
The key new revelation in the follow-up story was that the senior counsel who prepared the 2020 report had not seen other legal advice given to the Department in 2017 which considered “whether the release of information by the HSE to the Department was permissible under data protection legislation, and as to whether any further legislation could be relied upon to ‘underpin/protect’ the release of such information.”
Excerpts of the report seen by RTÉ Investigates also reveal that the senior counsel had not seen key legal advice relating to whether the HSE could provide information to the Department of Health without the consent of parents.
In a statement to RTÉ Investigates, the Department of Health last week said that the senior counsel who had reviewed the practice found it to be “entirely lawful, proper and appropriate”.
However, in his report, the senior counsel notes that he had not seen any legal advice that may have been furnished to officials in the Department after a medically qualified person in the HSE raised concerns in 2017.
So we have a situation where as-yet-unpublished legal advice (2020 version) accepted unseen legal advice (2017 version). The longer both of these remain concealed the harder it is for the department to argue it’s demonstrating compliance as Article 5.2 GDPR requires, or meeting its transparency obligations under Article 5.1.
There was also some unsavoury colour to the story in the form of an email sent by a senior civil servant which ‘went on to thank a staff member “who sought out, followed up, hunted down, chased up, followed up again and obtained the required updates from HSE units”’. This was raised in the Dáil debate later.
This story was published on the RTÉ website at 8:21am and broadcast on Morning Ireland at around the same time.
The DPC inspection
The Irish Independent reported later in the day that “authorised officers of the DPC, led by deputy commissioner Tony Delaney, conducted an inspection at the Department of Health this morning”. This is not a common occurrence. A decision that it was important to secure information before the Easter holiday period must have been taken.
The Minister and the Dáil debate
A Dáil debate on the situation began at approximately 2pm. The Minister for Disabilities noted in her opening statement that she had not been given additional briefing notes by her department, which she had expected to receive by 2pm.
At around 3:10pm the Minister said “Perhaps I should have started by apologising but I will certainly do so in my concluding remarks.” Presumably by this point she had realised that the promised briefing notes from the Department were not going to materialise, and even if they did they would not contain an apology.
In a remarkable closing statement the Minister abandoned her script and read into the record the questions she had asked the officials in her Department, and the answers or lack thereof.
The second open letter
The second open letter from the interim Secretary General of the Department of Health was published late on Thursday afternoon. It is topped and tailed with news of the appointment of an Independent Support Liaison Officer and some blurb about what the government and the Department are providing in the way of disability services. The latter being material far more suited to a press release, the former containing no detail about what the Independent Support Liaison Officer will actually do.
In between these we get the non-apology apology. In an interesting twist on the usual form these take - ‘I’m sorry if you were upset’ - this lays the blame for any distress caused on the reporting of the behaviour of the Department, not the behaviour itself.
Readers will remember that last week’s newsletter was titled ‘Normal Practice’. This title was taken from the Department of Health’s own description of its behaviour in compiling these dossiers.
In this second letter Mr Watt says he is reiterating something, though he does not specify what. In this reiteration, which is not a reiteration of any of the Department’s earlier statements, it is clear that the denial has now become significantly more narrow than that of the previous week. It only extends to “in the manner portrayed in recent media reports.” The collection of the information may have been done in some other manner, since the Department isn’t denying it has the information.
With a bound Mr Watt fancies himself and the Department free of the shackles imposed by the flurry of statements from the previous week which described the Department’s behaviour as “normal practice”.
It seems the Department’s intention is to drag this problem into the undergrowth of nit-picking, policy reviews, the meaning of “open litigation” and raising the smallest of issues with the reporting, and by doing so avoid addressing any of the larger topics raised.
In another piece of disarming spin Mr Watt welcomes the statutory inquiry by the DPC. In fact, he and his officials are looking forward to the outcome. He then characterises any possible findings of the inquiry as “recommendations”.
The findings of a statutory inquiry are not recommendations.
The timing of this tender issued by the Department of Health is awkward, to say the least.
Brian Daly
@PrivacyKit Meanwhile ... more data please! Anybody buying or selling? @Tupp_Ed
No 10 said it did not want the scheme, which it is describing as “Covid-status certification”, to be used on public transport or in essential shops.
Businesses in England which can reopen in the coming weeks, including pubs, restaurants and non-essential retail will not have to use the system for now.
However, sources say requiring a certificate to access hospitality further down the line - perhaps to reduce the need for social distancing - has not been ruled out.
Covid: Trials to begin for return of England mass events - BBC News
This. Never. Ends.
It seems as long as people are having private conversations then state security organisations will always feel an uncontrollable urge to eavesdrop on those conversations.
Ministers are considering forcing Facebook to implement a backdoor to allow security agencies and police to read the contents of messages sent across its Messenger, WhatsApp and Instagram chat services.
Industry sources say they understand that the Home Office is threatening to use a special legal power called a technical capability notice to compel Facebook to develop a system to allow for the eavesdropping of messages.
UK may force Facebook services to allow backdoor police access | Technology | The Guardian
The Dutch DPA fined €475,000 for a data breach in which the personal data of more than 4,000 people was exposed and wasn’t reported within the mandatory three days.
The CNIL’s grace period for controllers to comply with its guidance on cookies and the general mess of tracking technologies which make up contemporary advertising ended on the last day of March.
  • “The industry itself is hard to define—many companies, including tech giants, make money off of personal data, though the technical details of how they use that data vary. So The Markup relied on companies that self-reported to Vermont and California as members of the industry. The list, 480 companies long, shows just how pervasive it has become for companies to traffic in personal information.” Alfred Ng and Maddy Varner have a look at the amount of money the data broking industry is pouring into lobbying efforts in Washington for The Markup.
  • “The concerns went beyond performance when the EU’s privacy watchdog, the European data protection supervisor, began inspections. Heavily redacted copies of their reports in 2018 and 2019 register the inspectors’ concern that Gotham was not designed to ensure that the Europol analysts made it clear how people’s data had come to be entered into the system. The absence of this “personal implication” meant the system could not be guaranteed to distinguish whether someone was a victim, witness, informant or suspect in a crime. This raises the prospect of people being falsely implicated in criminal investigations or, at the very least, that their data may not have been handled in compliance with data protection laws.” In the Guardian Daniel Howden, Apostolis Fotiadis, Ludek Stavinoha and Ben Holst examine “Palantir’s troubling reach in Europe”.
  • “While this incident was a big story in South Korea, it received very little attention elsewhere. But this incident highlights the general trend of the A.I. industry, where individuals have little control over how their personal information is processed and used once collected. It took almost five years for users to recognize that their personal data were being used to train a chatbot model without their consent. Nor did they know that ScatterLab shared their private conversations on an open-source platform like Github, where anyone can gain access.” From ‘A South Korean Chatbot Shows Just How Sloppy Tech Companies Can Be With User Data’ by Heesoo Jang for Slate.

Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland