PRAM! MOW! ZOW! | The Cat Herder, Volume 3, Issue 46

November 29 · Issue #110
The Cat Herder
The ad lads are at it again, Microsoft wants to score you, Amazon does a callback to an earlier era of robber barons, Tusla remains Tusla.

A document detailing the proposal which had been posted to the public Internet — but was taken down after a privacy researcher drew attention to it — suggests they want to put in place a centralized system for tracking Internet users that’s based on personal data such as an email address or phone number.
However the proposal by the online ad industry to centralize Internet users’ identity by attaching it to hashed pieces of actual personal data — and with a self-regulating “Trusted Ads Ecosystem” slated to be controlling the mapping of PII to UID2 — seems unlikely to assuage the self-same privacy concerns fuelling the demise of tracking cookies in the first place (to put it mildly).
Back in the good ol’ days of maybe a decade ago, advertising and marketing were still concerned with influencing perception and purchasing decisions. Then the Google workshop elves decided to bolt together bits of an online auction system and pieces of a high frequency trading system and lubricate the workings of the whole thing with a gloopy layer of opacity.
Now the online ad lads and other denizens of the bubble-ripe-for-bursting feel entitled - it’s not a wish anymore, it’s a demand - to track everything that everyone does, everywhere, all the time. In order to deliver them more ads and marketing messages. The primary purpose of contemporary digital marketing and advertising appears to be to do more marketing and advertising.
This doesn’t seem ethical or sustainable.
Microsoft would like to “harmonize productivity and well being,” “enhance organizational resiliency,” “transform meeting culture,” and “increase customer focus.” By tracking and scoring you.
Wolfie Christl
Esoteric metrics based on analyzing extensive data about employee activities has been mostly the domain of fringe software vendors. Now it's built into MS 365.

A new feature to calculate 'productivity scores' turns Microsoft 365 into a full-fledged workplace surveillance tool:
Whether any of this tracking and scoring actually offers real insight—rather than obscure metrics that don’t actually measure real-world productivity—is almost secondary to the fact that it’s now embedded in the tools used by millions of people every day. Its presence, and potential profitability as a bountiful source of granular personal data, means that Microsoft is incentivized to sell Workplace Analytics as a work-from-home solution. Whether Microsoft can hone a people-centered, scientific, analytical platform here—or whether it’s so much apophenia, finding patterns and meaning where there may be none—is mostly a matter of salesmanship.
Fionna O'Leary, 🕯🇪🇺
Gulp. “The leak came to light after a GitHub user spotted the spreadsheet containing the passwords on the personal GitHub account of an employee of the Albert Einstein Hospital in the city of Sao Paulo”
The personal and health information of more than 16 million Brazilian COVID-19 patients has been leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub this month.
[Bernard Gloster, Tusla CEO] also warned that Tusla was “some way off reaching a satisfactory level of GDPR compliance” but noted that “no effort had been spared” in rolling out data protection training for frontline workers.
At the risk of going blue in the face from repetition of these dates, the GDPR came into effect in May 2018, over two and a half years ago. The text of the GDPR was finalised and published two years before that. It should not take this long, nor the receipt of three fines and a raft of other sanctions from the DPC, before basic staff training is rolled out.
Despite the wishful thinking from public sector bodies and elected representatives about changing the GDPR or arbitrarily deciding the GDPR mightn’t apply, which have been covered regularly in this newsletter over the last 110 issues, the GDPR is a European Regulation with direct effect. It isn’t going anywhere.
A trove of more than two dozen internal Amazon reports reveal in stark detail the company’s obsessive monitoring of organized labor and social and environmental movements in Europe, particularly during Amazon’s “peak season” between Black Friday and Christmas. The reports, obtained by Motherboard, were written in 2019 by Amazon intelligence analysts who work for the Global Security Operations Center, the company’s security division tasked with protecting Amazon employees, vendors, and assets at Amazon facilities around the world.
If you’re not familiar with Pinkerton, they have plenty of previous form in strike-breaking and subversion of unions stretching back into the 19th century, perhaps most famously on behalf of a man now better known for his libraries, Andrew Carnegie. They achieved a level of notoriety so great that the Sundry Civil Appropriations Act, passed by the US Congress in 1893 in order to prevent the government from hiring mercenaries and private investigators, was more commonly known as the Anti-Pinkerton Act.
The Norwegian DPA fined Østfold HF Hospital 750,000 kronor (~ €71,000) for a data breach and not having sufficient technical and organisational measures in place to secure access to special categories of personal data.
The Spanish DPA fined Telefonica €75,000 for processing personal data without a lawful basis.
The Swedish DPA fined the Stockholm Board of Education 4 million kronor (~€394,000) for failing to ensure that the personal data of students and teachers within the schools administration platform was processed securely.
A Swedish court rejected Google’s appeal against a decision of the Swedish DPA to fine Google 75 million kronor (~ €7 million).
The CNIL imposed fines of €2.25 million on Carrefour France and €800,000 on Carrefour Banque respectively.
  • “The online advertising industry has become toxic. Internet users are tracked, surveilled, and targeted with ads that may exploit their vulnerabilities. Publishers – forced to play by the rules set by large online platforms – must prioritise content that rewards engagement, not truth or civility — and then hand up to 70% of profits over to advertising middlemen. Advertisers lose billions of dollars to bots fabricating clicks. And society at large reckons with the misinformation and polarisation that results from all this. Only big online platforms and the data brokers lurking in the background benefit.” Panoptykon has a new report titled ‘To Track or Not to Track? Towards Privacy-friendly and Sustainable Online Advertising’ written by Karolina Iwańska
  • “This extra cost stems from the additional compliance obligations – such as setting up standard contractual clauses (SCCs) – on companies that want to continue transferring data from the EU to the UK,” they write in the report. “We believe our modelling is a relatively conservative estimate as it is underpinned by moderate assumptions about the firm-level cost and number of companies affected.” From ‘Brexit’s data compliance burden could cost UK firms up to £1.6BN, says think tank’ by Natasha Lomas for Techcrunch.
  • “It is notable that the ICO chose to issue Experian an enforcement notice, rather than a monetary penalty notice, as it has recently issued in a number of high profile cases (e.g. to British Airways, Marriott, and Ticketmaster), on the basis that “this is the most effective and proportionate way to achieve compliance in this case, whilst still having a dissuasive and informative impact”. This perhaps reflects a view on the ICO’s part that concerns regarding systemic processing issues are best addressed via enforcement notices, by contrast to security breaches, which it considers to be better addressed by fines. Of course, in Experian’s case, subject to the Notice being upheld on appeal, the cost of complying with the enforcement notice may well significantly outweigh any fine it may otherwise have received, and may fundamentally challenge its operating model.” From ‘Make the invisible visible: Five key takeaways from the Experian enforcement action’ by Katie Hewson and Ben Sigler for Stephenson Harwood.

Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland