
Still A Problem Six Years Later | The Cat Herder, Volume 4, Issue 7

February 21 · Issue #120
The Cat Herder
Biometric registers, vaccination passports, draft adequacy decisions, TikTok complaints. It’s been a busy week.
😼

Under the plan, America Movil, AT&T Inc and other carriers would be responsible for collecting customers’ data, including fingerprints or eye biometrics, to submit to a registry managed by Mexico’s telecoms regulator.
Many of those countries which do retain biometric data have questionable records on human rights, including China, Saudi Arabia and Pakistan. No Western countries collect biometric data from cellphone users.
Kidnap capital Mexico eyes biometric phone registry, sparking privacy fears | Reuters
“No Western countries collect biometric data from cellphone users.” But the Department of Employment Affairs and Social Protection here in Ireland has a database of the biometric data of around two-thirds of the people in the country which was collected without a clear lawful basis.
El Reg has reviewed evidence showing the firm seemed more concerned with knowledge of the flaws being made public than with remediation, similar to last week’s Footfallcam debacle (where Kao’s fellow Footfallcam Ltd director, Edward Wong, threatened an infosec bod with a police report unless he deleted Twitter criticism of another product’s poor design). While there were no specific threats made, it appeared removing this criticism was of greater importance to the company than fixing its product’s security shortcomings, which seemingly were still a problem six years later.
Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users
Or could they?
European consumer organization BEUC has filed a complaint to the European Commission against TikTok, a Chinese short video sharing platform. National consumer organizations in European countries have also alerted their respective authorities, asking them to investigate the company.
European consumer groups file complaint on TikTok – POLITICO
More:
It’s interesting to note that despite TikTok having its main establishment for data protection purposes in Ireland the Irish Competition and Consumer Protection Commission is not among the national consumer organisations participating in this complaint. Data protection regulation and enforcement is increasingly overlapping with consumer and competition regulation and enforcement so this is a surprising absence.
The repression sold overseas has a habit of returning home sooner or later …
Oracle representatives have marketed the company’s data analytics for use by police and security industry contractors across China, according to dozens of company documents hosted on its website. In at least two cases, the documents imply that provincial departments used the software in their operations.
Exclusive: How Oracle Sells Repression in China
The European Commission put out two draft adequacy decisions for Brexit Britain. At first glance they seem as wonky as the Commission’s chatter around a replacement for Privacy Shield in that they ignore a lot of the recent case law of the CJEU. Which is where this will more than likely end up.
TJ McIntyre
Perhaps the Commission has forgotten about the time when the UK hacked the main Belgian telecoms firm (its own communications provider); was that an example of necessity and proportionality? https://t.co/Z3JZq5pQqJ
The Spanish DPA fined Caixabank a total of €6 million. €4 million for unlawfully processing clients’ personal data (consent was invalid and legitimate interests were not adequately justified), and €2 million for not providing sufficient information about its processing of personal data.
The DPC published a blog post on ‘CCTV, Discovery and Access Requests’, making it clear that the right of access applies regardless of whether the person making the request is involved in litigation.
  • “The Government will need to take a clear position outlining the specific purposes and use cases for which, if any, vaccine passports can be legally and legitimately used. In allowing some uses or actively facilitating vaccine passport apps, governments must address the issues and risks arising from such schemes or the creation of related digital infrastructure, and whether and how these risks could be mitigated.” The Ada Lovelace Institute published a rapid expert deliberation on the place of Covid-19 vaccination passports in society during the week.
  • “TikTok fails to clearly and consistently connect each personal data point with a specific processing operation, with a specific processing purpose, with a specific lawful ground. This is problematic not just from a theoretical perspective, but has very concrete implications for effective and complete protection of data subjects. Notably, because it prevents a proper evaluation of GDPR compliance as well as significantly thwarts the effectiveness of data subject rights.” From ‘Confusing by design - A data protection law analysis of TikTok’s privacy policy’ [PDF], a report by Jef Ausloos and Valerie Verdoodt which accompanies the BEUC complaint about TikTok.
  • “The complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries,” the paper explained. “In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons.” From ‘Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online’ by Matthew Gault for Vice.


Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland