The DOBlog

Author: Daragh

  • TV Licence checks and “Data Protection Principles” [updated]

    This morning’s Irish Times reports this morning that the (current) Irish Communications Minister  is seeking cabinet approval for powers to enable the agency that collects TV Licences (currently An Post, the Irish post office) to access subscriber koi data from subscription TV providers such as Sky or UPC to crack down on TV licence evasion. We are assured by the Minister that the whole thing will be done “ in accordance with strict data protection guidelines”. Ignoring for a moment that “Data Protection” is not a guideline but is a fundamental right of EU citizens enshrined in law and derived from both the TFEU and the European Charter on Fundamental Rights and implemented in Irish law as a result of an EU Directive (ergo… not a guideline but kind of a big thing to keep an eye on), what might those guidelines be?

    [Update] TheJournal.ie are reporting that this proposal has passed the Cabinet. The mechanism that is to be applied is reported as being:

    “An Post will be allowed access the subscription data held by the likes of UPC and Sky to cross-reference their subscriber databases with its own data on TV licence fee payers”

    I address the implications of this below in an update paragraph inserted in the original text. [/update]

    Guidelines

    In general Data Protection terms, once there is a statutory basis for processing (and access to data is processing) then the processing is lawful. What appears to be being proposed here is legislation that will allow subscriber data of one group of companies to be accessed by another company for the purposes of checking if someone is getting moving pictures on a telly box or similar device. So that’s the box ticked and we can move on, right? Oh, so long as we have protocols around the how, when, and why of access to the data right (because they are always followed)? And of course, the legislation will prevent scope creep in terms of  the use of the data and the potential sources of data that might be accessed using the legislation (e.g. telecommunications service providers who might have broadband going into a home or onto a device). Well, since April (and thanks to the great work of Digital Rights Ireland) we actually have some guidance from the Court of Justice of the European Union.

    This is guidance that Minister Rabbitte’s department should be distinctly aware of as it affected legislation that they are responsible for, the Communications Data Retention Directive (from which the Irish Communications Data Retention Act got its authority). In that case, the ECJ was very clear: any processing of personal data needs to be a proportionate for the outcome required. In the Digital Rights Ireland case, the ECJ felt that requiring the retention of call traffic and internet usage data on the off chance it might be useful to authorities to counter terrorism was a disproportionate response. Access to specific data would not be disproportionate, but wholesale data slurping was a breach of fundamental rights to data privacy as enshrined in the EU Charter of Fundamental Rights. This reasoning was followed by Hogan J in the recent case of Schrems vs The Data Protection Commissioner in the High Court where Hogan deftly summarises the constitutional, statutory, and EU Treaty bases for Data Privacy rights in Ireland and the EU.

    The upshot is that, regardless of the existence of a statutory authority to do a particular piece of processing, the processing itself must be a proportionate invasion of an individual’s right to Personal Data Privacy and their right to Privacy – two distinctly separate rights now under EU law. So, what would be a proportionate response in this context? How big is the problem?

    The Proportionality Conundrum

    According to the Minister, 16% of households don’t pay for a TV licence. According to ComReg 73% of households receive TV services via a subscription service. So 27% of people don’t pay for a TV service subscription and 16% don’t have a TV license, so there are more people who don’t have a paid TV subscription then don’t have a TV license? It is not outside the bounds of possibility that the ENTIRETY of the 16% that the Minister seeks to pursue are contained in the 27% that Sky and UPC would also love to separate from their subscriptions. Perhaps these people don’t have a television at all?

    Even assuming that the two groups are unrelated, the question of whether allowing An Post access to the subscriber lists of UPC and Sky is a proportionate response. It’s not. If it is not a proportionate response for serious offences under the now defunct Data Retention Directive to allow law enforcement blanket access to telecommunications call history and internet usage data, it is probably not proportionate for a private company to have access to the subscriber lists of potential competitors (who knows what An Post might want to pivot into, given they are in the telecommunications business ) for the purposes of detecting where people don’t have a TV license.

    [Update] Based on a report on TheJournal.ie, it appears that what is proposed is an en masse cross checking of data between An Post’s TV License database and the databases of Sky and UPC.  This is borders, in effect, on a form of mass surveillance. It is, in my opinion, that this would be unlikely to be seen as a proportionate response to the problem. This is particularly the case where alternatives to the bulk access to data can achieve the same overall objective without the need for the data to be processed in this way. [/update]

    What would be proportionate would be for An Post to be able to make a request, on a case by case basis, for confirmation if a property which does not have a TV license is in receipt of a subscription TV service, once there was a detection that there was someone resident at the address or a business operating at the address which had a receiving device (i.e. a TV). Sky or UPC would simply need to respond with a “Yes they have service” or “No they do not” with no other data being accessed.

    A wrinkle though…

    One wrinkle is that Sky and UPC are not just TV service companies. They are telecommunications service providers as well. They provide home phone and broadband services. So the scope of the potential legislation is to allow a telecommunications company (An Post) access to the subscriber data of other telecommunications companies. This raises significant issues from a Data Protection perspective under SI336 ,where telecommunications providers have very serious security obligations to their subscribers around notifying of potential security issues on their network and also notifying subscribers and the Data Protection Commissioner where there has been a breach of data security.

    It also raises the spectre of other telecommunications companies being required to provide the same data, depending on how the legislation is drafted.

    Almost inevitably, the telecommunications providers would be asked to provide data to An Post about users who were accessing particular types of services or IP addresses (e.g. RTE online services or TV3 Player, or Netflix, or similar). This is EXACTLY the type of data that the ECJ has ruled on in the Digital Rights Ireland case. Proportionality raises its head again, along with the need to avoid information security breaches on the part of the telecommunications companies being asked to provide access to their data.

    The Upshot

    At this remove I can identify a few mechanisms that would be a proportionate interference in personal data privacy rights, and would minimise the risks of unauthorised access to or disclosure of subscriber data by a telecommunications service provider.

    1. An Post would need to make their requests as part of an investigation of a specific instance of an offence with a view to prosecution. Each request would need to relate to the investigation of a specific offence (“Mr X, at address Y, has no TV license but has a receiving apparatus he claims is not connected to any service, please verify he is not a subscriber”). The subscription TV service providers or Telecommunications service providers would simply respond back with a “Yes” or “No” to the specific question. But that answer may not confirm if they use their broadband to access streamed broadcast services. It is very easy to mask internet usage by using VPN tunnelling services, so the net may not catch all the fishes the Minister is trawling for.
    2. Another option would be to simply add the cost of the TV license to the subscription fee for Sky or UPC television services and, potentially, to the cost of broadband services in the State.  This would require zero sharing of data and a single annual transaction between the service providers and the State. It would also avoid entirely the risk of unauthorised access to or disclosure of subscriber data as a result of An Post (or any other entity) having access to subscriber data.

    (Of course, just because you have a broadband connection doesn’t mean you are watching TV programmes on your device. I have a good friend who has a very large computer monitor and watches DVDs streamed from a laptop. They have broadband. For email, internet access, and work stuff. Their TV and movie viewing is entirely DVD boxed set driven.  A mechanism would be required for people in that category to opt-out, unless this is a flat-rate tax on telecommunications services flying under a false flag. That is a matter for a different blog post.)

    What ever approach is ultimately taken it will need to constitute an invasion of data privacy that is proportionate to the problem that presents itself. THAT is the Data Protection requirement that must be met. It is not a guideline. It is the law, and it is a matter of fundamental rights.

    For the Minister to view Data Protection as a “guideline” further evidences the horridly discordant tone at the top in the Irish State about Data Protection (which I’ve written about here and here and here and here).

  • Serendipity

    So, within hours of me blogging about data protection consent issues in the Facebook mood manipulation study, the Register has the EXCLUSIVE that Facebook is being investigated by the irish DPC with specific questions around the consent relied upon. http://www.theregister.co.uk/2014/07/01/uk_and_irish_data_watchdogs_wade_in_on_facebook_messin_with_your_head_scandal/

    I’m not saying anyone in an office above a Centra in Portarlington reads this blog but it is a serendipitous co-incidence.

    And it may turn out that manipulating user timelines to provoke emotional responses could make Facebook management very sad.

  • Facebook, Manipulation, and Data Protection – part 2

    Right. Having gotten some day job work out of the way I return to this topic to tease out the issues further.

    One aspect that I didn’t touch on in the last post was whether or not Data Protection exemptions exist for research and if those exemptions apply in this case. This discussion starts from the premise that EU Data Protection law applies to this Facebook research and that Irish Data Protection law is the relevant legislation.

    The Exemption

    Section 2(5) of the Data Protection Acts 1988 and 2003 provides an exemption for processing for research purposes:

    (a) “do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects.

    And

    (b) “the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained, if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject

    The key elements of the test therefore are:

    1. The data is being processed for statistical or scientific purposes
    2. And the processing of the data complies with requirements that might be prescribed for safeguarding fundamental rights and freedoms

    This means that for research which is being undertaken for scientific purposes with an appropriate ethics review that has identified appropriate controls to safeguard fundamental rights of Data Subjects, which since the enactment of the Charter of Fundamental Rights in the EU includes a distinct right to personal data privacy. This was reaffirmed by the Digital Rights Ireland case earlier this year.

    The question arises: was the Facebook study as scientific purpose? It would appear to be so, and in that context we need to examine if there was any processing requirements set out to safeguard fundamental rights and freedoms of Data Subjects. That is a function of the IRB or Ethics committee overseeing the research. Cornell University are clear that the issues of personal data processing were not considered in this case as their scientists were engaged in a review and analysis of processed data and they did not believe that there was human research being undertaken.

    Whether or not you consider that line of argument to be Jesuitical bullshit or not is secondary to the simple fact that no specific requirements were set out from any entity regarding the controls that needed to be put in place to protect the fundamental rights and freedoms (such as freedom of expression) that the Data Subject should enjoy.

    Legally this means that the two stage test is passed.  Data is being processed for a scientific purpose and there has been no breach of any provision set down for the processing of the data to safeguard fundamental rights, so consent etc. is not required to justify the processing and the standard around fair obtaining is looser.

    Apparently if your review doesn’t consider your research to be human research then you are in the clear.

    Ethically that should be problematic as it suggests that careful parsing of the roles of different participants in research activity can bypass the need to check if you have safeguarded the fundamental rights of your research subjects. That is why ethics reviews are important, and especially so when it comes to the ethics of “Big Data” research. Rather than assessing if a particular research project is human research we should be asking how it isn’t, particularly when the source of the data is identifiable social media profiles.

    A Key Third test…

    The third part of the test is whether or not the data is being used in a way that would cause damage or distress to the data subject. This is a key test in the context of the Facebook project and the design of the study. Consent and fair obtaining requirements can be waived where there is no likelihood of damage or distress being caused to the research subject.

    However, this study specifically set out to create test conditions that would cause distress to data subjects.

    It may be argued that the test is actually whether or not the distress would be measured as an additional level of distress that would be caused over and above the normal level of distress that the subject might suffer. But given that the Facebook study was creating specific instances of distress to measure a causation/correlation relationship between status updates and emotional responses, it’s hard to see how this element of the exemption would actually apply.

    Had Facebook adopted a passive approach to monitoring and classifying the data rather than a directed approach then their processing would not have caused distress (it would have just monitored and reported on it).

    The Upshot?

    It looks like Facebook/Cornell might get off on a technicality under the first two stages of the test. They were conducting scientific research and there was no prerequisite from any Ethics committee to have any controls to protect fundamental rights. However that is simply a technicality and it could be argued that, in the absence of a positive decision that no controls were needed, it may not be sufficient to rely on that to avail of the Section 2(5) exemption.

    However, it may be that the direct nature of the manipulation and the fact that it was intended to cause distress to members of the sample population might negate the ability to rely on this exemption in the first place, which means that consent and all the other requirements of the Data Protection Acts should apply and be considered in the conduct of the research.

    The only saving grace might be that the level of distress detected was not found to be statistically large. But to find that they had to conduct the questionable research in the first place.

    And that brings us back to the “wibbly-wobbly, timey-wimey” issues with the consent relied upon in the published paper.

    Ultimately it highlights the needs for a proactive approach to ethics and data privacy rights in Big Data research activities. Rather than assuming that the data is not human data or identifiable data, Ethics committees should be invoked and required to assess whether the data is and ensure that appropriate controls are defined to protect fundamental rights. Finally, the question of whether distress will be caused to data subjects in the course of data gathering needs to be a key ethical question as it can trigger Data Protection liability in otherwise valuable research activities.

  • Facebook Research, Timeline Manipulation, & EU Data Protection Law

    This is an initial post based on the information I have to hand today (1st July 2014). I’ve written it because I’ve had a number of queries this morning about the Data Protection implications of Facebook’s research activity. I’m writing it here and not on my company’s website because it is a work in progress and is my personal view. I may be wrong on some or all of these questions.

    Question 1: Can (or should) the Data Protection Commissioner in Ireland get involved?

    Facebook operates worldwide. However, for Facebook users outside the US and Canada, the Data Controller is Facebook Ireland, based in Dublin. Therefore EU Data Protection laws, in the form of the Irish Data Protection Acts 1988 and 2003 applies to the processing of personal data by Facebook. As a result, the Irish Data Protection Commissioner is the relevant regulator for all Facebook users outside the US and Canada. The key question then is whether or not Facebook constrained their research population to data subjects (users) within the US and Canada.

    • If yes, then this is not a matter for investigation by EU data protection authorities (i.e. the Data Protection Commissioner).
    • If no, then the Irish Data Protection Commissioner and EU Data Protection laws come into play.

    If Facebook didn’t constrain their population set, it is therefore possible for Facebook users outside of the US and Canada to make a complaint to the DPC about the processing and to have it investigated. However, the DPC does not have to wait for a complaint. Section 10 of the Data Protection Acts empowers the Commissioner to undertake “such investigations as he or she considers appropriate” to ensure compliance with legislation and to “identify any contravention” of the Data Protection Acts 1988 and 2003.

    [update] So, it is clear that the data was obtained from a random sample of facebook users. Which raises the question of the sampling method used – was it stratified random sampling (randomised within a sub-set of the total user base) or random sampling across the entire user base? If the former then the data might have been constrained. If the latter, the data inevitably will contain data subjects from outside the US/Canada region. [/update]

    Answer: If Facebook hasn’t constrained their population to just North America (US/Canada) then… Yes.

    Question 2: If Irish/EU Data Protection Law applies, has Facebook done anything wrong?

    Tricky question, and I wouldn’t want to prejudge any possible investigation by the Data Protection Commissioner (assuming the answer to Question 1 would get them involved).  However, based on the information that is available a number of potential issues arise, most of them centred on the question of consent. Consent is a tricky issue in academic research, market research, or clinical research. The study which was conducted related to the psychological state of data subjects. That is categorised as “Sensitive Personal Data” under the Data Protection Acts. As such, the processing of that data requires explicit consent under Section 2B of the Acts. Beyond the scope of the Data Protection Acts, clinical research is governed by ethical standards such as the Nuremburg Code which also requires a focus on voluntary and informed consent:

    The voluntary consent of the human subject is absolutely essential… and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him to make an understanding and enlightened decision. This latter element requires that before the acceptance of an affirmative decision by the experimental subject there should be made known to him the nature, duration, and purpose of the experiment

    Question 2A: Was Consent Required? Consent is required for processing of sensitive personal data. For that data to be sensitive personal data it needs to be data that is identifiable to an individual and is sensitive in nature. However, if the data being processed was anonymised or pseudonymised then it falls outside the scope of personal data, assuming appropriate controls are in place to prevent re-identification. The Irish Data Protection Commissioner has published guidance in 2007 on Clinical Research in the Healthcare sector which provides some guidance on the question of consent, albeit from the perspective of a pure clinical healthcare perspective. A key point in the guidance is that while anonymising data may remove the Data Protection question around consent, it doesn’t preclude the ethical questions around conducting research using patient data. These kind of questions are the domain of Ethics Committees in Universities or commercial research organisations. Research of this kind are governed by Institutional Review Boards (IRB) (aka Ethics Committees).

    Apparently Cornell University took the view that, as their researchers were not actually looking at the original raw data and were basing their analysis of results produced by the Facebook Data Science team they were not conducting human research and as such the question of whether consent was required for the research wasn’t considered. The specifics of the US rules and regulations on research ethics are too detailed for me to go into here. There is a great post on the topic here which concludes that, in a given set of circumstances, it is possible that an IRB might have been able to approve the research as it was conducted given that Facebook manipulates timelines and algorithms all the time. However, the article concludes that some level of information about the research, over and above the blanket “research” term contained in Facebook’s Data Use policy would likely have been required (but not to the level of biasing the study by putting all cards on the table), and it would have been preferable if the subjects had received a debrief from Facebook rather than the entire user population wondering if it was them who had been manipulated. Interestingly, the authors of the paper point to Facebook’s Data Use Policy as the basis of their “informed consent” for this study:

    As such, it was consistent with Facebook’s Data Use Policy, to which all users agree prior to creating an account on Facebook, constituting informed consent for this research.

    Answer: This is a tricky one. For the analysis of aggregate data no consent is required under DP laws and, it appears, it raises no ethical issues. However, the fact that the researchers felt they needed to clarify that they had consent under Facebook’s Data Use policy to conduct the data gathering experiments suggests that they felt they needed to have consent for the specific experimentation they were undertaking, notwithstanding that they might have been able to clear ethical hurdles over the use of the data once it had been obtained legally.

    Question 2b: If consent exists, is it valid? The only problem with the assertion by the researchers that the research was governed by Facebook’s Data Use policy is that, at the time of the study (January 2012) there was no such specified purpose in Facebook’s Data use policy. This has been highlighted by Forbes writer Kashmir Hill.

    The text covering research purposes was added in May 2012. It may well have been a proposed change that was working its way through internal reviews within Facebook, but it is impossible for someone to give informed consent for a purpose about which they have not been informed. Therefore, if Facebook are relying on a term in their Data Use Policy which hadn’t been introduced at the time of the study, then there is no valid consent in place, even if we can assume that implied consent would be sufficient for the purposes of conducting psychological research. If we enter into a degree of speculation and assume that, through some wibbly-wobbly timey-wimey construct (or Kashmir Hill having made an unlikely error in her analysis), there was a single word in the Data Use Policy for Facebook that permitted “research”, is that sufficient?

    For consent to be valid it must be specific, informed, unambiguous, and freely given. I would argue that “research” is too broad a term and could be interpreted as meaning just internal research about service functionality and operations, particularly in the context in which it appears in the Facebook Data Use Policy where it is lumped in as part of “internal operations”. Is publishing psychological and sociological research part of Facebook’s “internal operations”? Is it part of Facebook’s “internal operations” to try to make their users sad? Interestingly, a review of the Irish Data Protection Commissioner’s Audit of Facebook in 2012 reveals no mention of “Research” as a stated purpose for Facebook to be processing personal data. There is a lot of information about how the Facebook Ireland User Operations team process data such as help-desk queries etc. But there is nothing about conducting psychometric analysis of users through manipulation of their timelines. Perhaps the question was not asked by the DPC?

    So, it could be argued by a Data Protection regulator (or an aggrieved research subject) that the consent was insufficiently specific or unambiguous to be valid. And, lest we forget it, processing of data relating to Sensitive personal data such as psychological health, philosophical opinions etc. requires explicit consent under EU law. The direct manipulation of a data subject’s news feed to test if it made them happier or sadder or had no effect might therefore require a higher level of disclosure and a more positive and direct confirmation/affirmation of consent other than “they read the document and used the service”. There are other reasons people would use Facebook other than to be residents of a petri dish.

    Does this type of research differ from A/B testing in user interface design or copywriting? Arguably no, as it is a tweak to a thing to see if people respond differently. However A/B testing isn’t looking for a profound correlation over a long term between changes to content and how a person feels. A/B testing is simply asking, at a point in time, whether someone liked presentation A of content versus presentation B. It is more functionally driven market research than psychological or sociological analysis.

    Answer: I’d have to come down on the negative here. If consent to the processing of personal data in the manner described was required, it is difficult for me to see how it could be validly given, particularly as the requirement is for EXPLICIT consent. On one hand it appears that the magic words being relied up on by the researchers didn’t exist at the time of the research being conducted. Therefore there can be no consent. Assuming some form of fudged retroactivity of consents given to cover processing in the past, it is still difficult to see how “research” for “internal operations” purposes meets the requirement  of explicit consent necessary for psychological research of this kind. It differs to user experience testing which is more “market research” than psychological and therefore is arguably subject to a higher standard.

    Question 3: Could it have been done differently to avoid Data Protection Risks

    Short answer: yes. A number of things could have been done differently.

    1. Notification of inclusion in a research study to assess user behaviours, with an option to opt-out, would have provided clarity on consent.
    2. Analysis of anonymised data sets without directed manipulation of specific users timelines would not have raised any DP issues.
    3. Ensure validity of consent. Make sure the text includes references to academic research activities and the potential psychological analysis of user responses to changes in Facebook environment. Such text should be clearly highlighted and, ideally, the consent to that element should be by a positive act to either opt-in (preferred) or to opt-out
    4. Anonymise data sets during study.
    5. Restrict population for study to US/Canada only – removes EU Data Protection issues entirely (but is potentially a cynical move).

    Long Answer: It will depend on whether there is any specific finding by a Data Protection Authority against Facebook on this. It does, however, highlight the importance of considering Data Protection compliance concerns as well as ethical issues when designing studies, particularly in the context of Big Data. There have been comparisons between this kind of study and other sociological research such as researchers walking up to random test subjects and asking them to make a decision subject to a particular test condition. Such comparisons have merit, but only if we break them down to assess what is happening. With those studies there is a test subject who is anonymous, about whom data is recorded for research purposes, often in response to a manipulated stimulus to create a test condition. The volume of test subjects will be low. The potential impact will be low. And the opportunity to decline to participate exists (the test subject can walk on by… as I often did when faced with undergrad psychology students in University) With “Big Data” research, the subject is not anonymous, even if they can be anonymised. The volume of test subjects is high. Significantly (particularly in this case) there is no opportunity to decline to participate. By being a participant in the petri-dish system you are part of the experiment without your knowledge. I could choose to go to the University coffee shop without choosing to be surveyed and prodded by trainee brain monkeys. I appear to have no such choice with Data Scientists. The longer answer is that a proper consideration of the ethics and legal positioning of this kind of research is important.

  • Examples of poor Data Protection Practice in Public Sector

    Earlier this week the Data Protection Commissioner bemoaned the lack of attention to detail and the poor culture of Data Protection compliance practices in the Irish Public Service.

    He was right to do so. My experience as both a service user and as a consultant has been that there are excellent people making excellent efforts to swim against a tide of indifference and short-cutting that results in breaches of legislation and puts personal data of citizens at risk.

    In a “brain fart” moment yesterday I googled the words “Election”, “Training” and “Ireland” by accident. It brought back a website called ElectionTrainingIreland.ie. This website announces itself to be the “Official Presiding Officer Online Training “. Apparently Presiding Officers in this year’s Local and European Elections are required to complete this training, which I understand consists of a series of videos. It’s actually a rather good idea.

    However it has been badly implemented from a Data Protection perspective.

    1. It requires a PPS Number to login. This is not a permitted use of the PPS Number. For a start, ElectionTrainingIreland is not registered as a Registered User of the PPSN under the 2005 Social Welfare Consolidation Act.
    2. Using PPS Numbers as a login is not good information security practice.
    3. As I understand it, Presiding Officers receive a letter that contains their PPS Number and a password for this site – which suggests that passwords are stored somewhere in an unencrypted freetext format (again BAD Information Security practice)
    4. There is no information about who Election Training Ireland are. They are NOT an official state body or division of the Department of the Environment. There is no privacy statement on the website that explains the purposes of processing of data, the retention of data, or (for that matter) where Election Training Ireland got the PPSN that they are using in the background to verify your identity.
    5. The website, which asks you to key in your PPS Number, does not have a valid SSL certificate. There is no encrypted transfer of information. Given the value of the PPS Number, that’s simply not good enough from a Data Protection point of view.

    Looking at the process from the outside, armed only with nearly two decades of experience in designing and reviewing information management processes for regulatory compliance, I suspect that this might be the underlying process:

    1. A list of all people who registered to be Presiding officers was provided to Election Training Ireland. This list included PPS Numbers, names, and home addresses. [Issue #1 below]
    2. This list was used to create a database of Presiding Officers which in turn was used to create a list of user logins for the website. These user logins used PPSN as the user id [issue #2 below]
    3. This list was used to generate a mailmerge to each Presiding Officer at the address provided by them for contact (which is almost inevitably a home address) which contained their password [Issue #3 below]
    4. The website is not encrypted. [Issue #4 below]
    5. This list was provided to and processed by Election Training Ireland, who are an external contractor working (one assumes) for the Department of the Environment [See: “Who are ETI?” below]

    Issue #1: Transfer of data about candidate Presiding Officers

    Data constituting a significant portion of what is defined in the 2005 Social Welfare Consolidation Act as the “Public Service Identity” has been transferred to a 3rd party by local authorities and/or the Dept of Environment. What was the lawful basis for this transfer? Was there a statutory basis (which is the DPC’s favoured basis for data transfers in the Public Sector)? What was the protocols regarding security of transfer, retention, security of storage, restrictions on use etc? Is there a Data Processor contract in place (if there is it will be a doozy IMHO because of questions under “Who is ETI” below)?

    As ETI is not registered as a User of the PPSN with the Department of Social Protection, issues potentially arise with the legality of transfer here. And even assuming that ETI has a valid contract etc. with either EVERY local authority or the Dept of Environment, the PPS numbers would have been obtained originally from Presiding Officers for the purposes of processing their payments and making appropriate deductions for taxation and PRSI etc. Not for using them as a unique identifier in a system hosted by a 3rd party.

    Issue #2: Creation of lists and user logins

    As mentioned above, the creation of a central database of presiding officers and the use of their PPS Number as an identifier in that database constitutes a new purpose within the context of the Data Protection Acts. Using PPS Number as a login is just dumb (a proxy could easily have been created). This database has PPS Numbers, names, and addresses of Presiding Officers. Where is it being stored? Under what security protocols? Who has access to it? How long will it be retained for? (Please don’t let them have saved it to Google Docs, otherwise I’ll have to get cross).

    Issue #3 Mail merge and posting out passwords

    Passwords are stored in plaintext if they could be mailed out in a mail merge. Being able to do a mail merge means that who ever sent the letters to Presiding Officers has their PPS Number, name, and addresss. That’s a heck of a lot of personal data. And if they are not thinking of the implications of storing passwords in an encrypted for and not sending them out in unsecured plain text, what’s the level of confidence in back-end security and security of related data transfers?

    Issue #4 No SSL on the site

    Using PPSN as a login is not great. Doing it in a way that could result in the data being intercepted by anyone minded to do so compounds the issue. Some might say it’s overkill for “just a login”, but the PPS Number is a significant identifier for people using public services in Ireland.

    Who are ETI?

    The site is not owned or operated by any Local Authority or Government Department. It is owned and operated by a partnership of three people based in Co. Meath. It took me 90 seconds to find that information on the CRO website, a basic due diligence test. If they are a partnership, each individual member of that partnership is a Data Processor acting on behalf of the Data Controller that engaged them (which might wind up being EVERY local authority or the Dept of the Environment – that is still unclear to me). There is nothing on the website identifying that the holder of the data doing this processing is not a government body.

    So a private sector organization has been given a chunk of the Public Service identifier for a defined population of people, has implemented a solution that is arguably illegal in its design and is certainly not good information security practice. There is a questionable lawful basis for the transfer of data to this 3rd party. (I haven’t looked for the tender for this training solution, I’m assuming it went to tender and there was some specification of information security and data protection standards in that document. But I’ve got a day job to do).

    What could be done better/differently?

    Lots of stuff.

    1. Use a proxy identifier. If the data controller holding the PPSN had created a proxy identifier (an alphanumeric string that was NOT the PPSN) and provided that to ETI to use as a login the PPSN issue would not arise.
    2. Ensure proper contracts in place with the data processor
    3. Use SSL by default.
    4. Use an encrypted (salted and hashed) password that could be generated from a link that a user could follow that would bring them to a page where they set their own password, rather than having a plaintext password sent in the post.
    5. Improve transparency and communication about who the actors are in the process and their role.

    That’ just my first four. Depending on the detail of the processes etc. there could be a LOT more. But none of them would cost a heck of lot of money and would result in a more compliant and less insecure processing of personal data.

  • The Strife of Reilly (Tone at the Top revisited)

    Scanning twitter over my post-breakfast intra-planning pre-work coffee this morning I noticed tweets that were agog at a Minister for Health who is a medical doctor asking non-medical doctor political colleagues for lists of people who should have been given a medical card. The agogness was triggered by this news story on the RTE website.

    Yes. It is a cause for agogness.

    However my gog was a’d by one line in the middle of that story that actually links into a story covered (briefly) by Irish media yesterday. Minister Reilly has also asked for a list of names of people who have given information to the Primary Care Reimbursement Service who have had their information “misplaced”.

    Only yesterday the Data Protection Commissioner was scathing in his comments about the level of “sloppiness” around the handling of personal and sensitive personal data in the Public Sector.

    Today, buried in a story that was likely sourced from the Office of the Minister for Health himself, we find a disclosure that sensitive personal data and potentially personal financial data have been “misplaced” by a unit of the HSE.

    However, the Minister is asking his colleagues for the names of people who might be affected. So that’s OK then.

    No. It’s not.

    If the PCRS has “misplaced” information that was provided to them in either electronic or hard copy form this constitutes a breach of Section 2(d) of the Data Protection Acts 1988 and 2003. Under the Voluntary Code of Practice for Data Security Breach Notification, the HSE is required to notify the Data Protection Commissioner where there is a risk that Personal Data, Sensitive Personal Data, or Personal Financial Data have been lost, or accessed or disclosed without authorization. The affected Data Subjects are supposed to be notified (unless it affects less than 100 people and doesn’t relate to Sensitive Personal Data or Personal Financial Data). The HSE, as Data Controller, is required to maintain a Data Breach Register for any reported incidents where the security of personal data has been put at risk. If the Minister is having to effectively do a ring around his mates in the Dáil to find out what the scale of the problem is, that should be a bit of a worry.

    So. Riddle me this…

    1. Why is the Minister asking for a list of names of people whose data has been “misplaced”?
    2. Why is he asking for this list if the HSE PCRS has been maintaining a Register of incidents of reported loss of data?
    3. Why has the Minister not referred the issue to the Data Protection Commissioner?

    The answer is, as ever, the Tone at the Top in the Public Service in Ireland. Unerringly it is a discordant “BLAAARRRRRRPPPPP” when it comes to matters of Data Protection. Organisation restructurings are undertaken without consideration for effective Data Governance, Information Quality, or Data Protection controls. Training in these things is seen as an overhead not an investment. Kludged manual processes are put in place without documentation and standardization (sure documentation takes AGES), and Ministers give undertakings to do things RIGHT NOW (immediately) rather than doing them RIGHT NOW (error proofed, proper controls, designed for efficiency, consistently executed).

    This problem is not confined to the Public Sector. However the Public Sector is, as Billy Hawkes has pointed out many times, the one actor that processes our personal data who can REQUIRE us to provide information by law and which requires us to provide information to avail of key Public Services and functions.

    “BLLLAAAAARRRRRPPPPP” is an insufficient response from the leadership.

  • Tone at the Top revisited

    I’ve written in the past about the problems with the “tone at the top” around Data Protection and Data Privacy in Irish government and political circles.

    Bluntly, with few exceptions, it seems they don’t get it, don’t like it, and would rather it go away. That attitude cascades down into government departments where it is almost (again with few exceptions) impossible to sack staff members who blatantly breach basic Data Privacy rights of individuals. Whether it is Social Welfare staff providing information to private detectives without authority or snooping on the personal details of lotto winners or celebrities, or formal political policies that presume a panopticon and damn the data privacy implications and risks.

    The icing on the cake for me was Minister for Justice not seeing the problem with disclosing sensitive personal data about a political opponent on national television. I’ve written about that last year.

    But the bum notes at the top are resonating higher and further. Our candidates for the European Parliament, the body which only recently has managed to push back against a wholesale dilution of data privacy rights of over 500 million people, are almost unanimous in their silence on the issue of Data Protection. Even those such as Sean Kelly who were active in European Parliament committees looking at the Draft Data Protection Regulation are silent on the issue. (And remember it was only last year that Sean Kelly won an award from the IAB Europe (an internet advertising representative body) for his work on the Data Protection Regulation, and only a few weeks ago that he was voted “MEP of the Year for the Digital Agenda”)

    Of a total of 37 candidates only THREE have signed up to support a Charter to oppose any measure “that removes the power to make decisions on matters that affect European citizen’s fundamental rights from the judiciary or democratically-elected policy-makers”.

    Three. Out of 37. Less than 10%. 8.1% to be precise. And every single one of them in Dublin.

    But the Charter is not perfect. I would have an issue with item 10 which calls for the promotion of Free/Open Source software in public sector environments if was to be interpreted as a “thou shalt not purchase commercial technologies that have warranties and approvals and proper liability if things go tits up”, but that’s not the interpretation I’d put on it – I read that as a “closed source is not the only fruit” and personally think that individuals pushing an ‘Open Source or bust’ approach to things are often missing the total cost of ownership (risk, compliance, learning curves, stability, longevity etc.). However, as @Treasa pointed out to me on Twitter, FOSS ideologies are often presented and pushed as dogmatic mantras which brook no potential use of closed source or proprietary technologies for any reason. She is right of course. That is a risk. And perhaps it is a barrier to candidates endorsing the Charter, in which case candidates should flag that they can do anything for love (or votes) but they won’t do that.

    (disclosure: my company makes minimal use of some Open Source technologies, but only where the platform is stable, reasonably standardized, and interoperable. We advise clients to consider total cost of operation and governance if putting Open Source in the mix on projects, based in part on personal experience of having to abandon tools that became unsupported or just unworkable)

    And the use of a list (albeit one which is non-exhaustive and not overly prescriptive) might be off putting. But I’m not sure what other mechanism might have been used for the effective presentation of the key points of the charter. Perhaps keeping it focused on privacy issues might have been enough?

    But overall the Charter is a positive statement of position and opinion on a range of fundamental information rights. It doesn’t mandate any other position other than to ensure that the Parliament have a democratic decision making role and that the Judiciary have an oversight function in the development of policy and legislation in this space.

    And only 8.1% of Irish candidates have expressed a preference in favour of their having a role in defending data privacy rights or ensuring oversight on the selection of suppliers to EU projects, and all of them representing Dublin.

    Our political classes don’t appear to care enough – either to sign the charter or explain why they won’t and what their position is on key principles.

    The “tone at the top” drones on it seems.

  • Stand up for Digital Rights, Ireland.

    In the Western world our rights are under attack. In the UK for example the policy of the Tory party is to abolish the Human Rights Act (http://www.bbc.co.uk/news/uk-politics-21726612). In the fast changing world of data and information private companies and governments alike go to great lengths to peer inside our digital lives in a manner often disproportionate to or ineffective for the stated purposes of ‘national security’ or copyright enforcement. The revelations over the summer from Edward Snowden, and a variety of other stories relating to the use, misuse, and abuse of our private personal data by companies and governments alike have resulted in Dictionary.com making “Privacy” its Word of the Year for 2013 (http://blog.dictionary.com/privacy/)

    Last year saw the Irish Government, in its presidency of the European Union, preside over a significant watering down of rights and protections for individual data privacy in the proposed EU Data Protection Regulation. This regulation was subject to 4000 proposed amendments and one of the most intrusive lobbying campaigns by organisations seeking to reduce the protections over personal data privacy afforded to EU citizens. But last year also saw Digital Rights Ireland punch significantly above it’s weight on the European stage, with their appeal to the ECJ on the retention of telephone, sms, and internet usage data by telecoms companies on behalf of governments – precisely the same information that was at the centre of Snowden’s PRISM disclosures.

    Digital Rights Ireland plays a valuable role in the evolution of our personal digital rights, particularly as we struggle to define where we must draw the line between an Information Economy, where the users of services are the means of production, and an Information Society, where powerful tools for communication and interaction allow us to engage, but to wear a mask or withdraw to our personal fortresses of solitude where we can define and redevelop our sense of self as people. Not as products.

    However, DRI had one set back in 2013 which puts their ability to stand up for our rights, your rights, in an Information Society. They were on the losing side in litigation about copyright issues. Their role in the case – to be a counterpoint voice for the people and to bring additional information and perspective to the Court. The impact: the music industry looked for costs of the guts of €30,000 against DRI for one day in Court. This was reduced to €13,000 on appeal to the Taxing Master. No other party to the case is seeking costs against DRI.

    The risk now is that DRI might be liquidated by the music industry representatives. For standing up and suggesting alternative solutions might be needed, for pointing out how web filtering is easily circumvented, and basically being a devil’s advocate on the side of the individuals who make up our society.

    Money must be found. DRI runs on a shoestring, favours, and jellybabies. There is no salary for its directors,  no top ups, no big dinners or extravagant radio adverts. Just people who care and give up time from their day jobs to provide a voice for Digital Rights. That voice will fall silent if they cannot raise the €13,000 needed as soon as possible.

    It is time to stand up for Digital Rights, Ireland. Rather than buying a data slurping tablet in the sales, or downloading another privacy invading smartphone app\tracking device, go to www.digitalrights.ie and check out what they do for you. Then go here (http://www.digitalrights.ie/support-us-in-2014/) to learn more about their problem. Then go here http://www.digitalrights.ie/support/ to donate, either a once off payment or a recurring donation.

    And if you don’t, you risk waking up one day as a just another unit of production in an Orwellian dystopia.

  • My letter to Brendan Howlin re: FOI Fees

    Below is an edited version of the letter I faxed to Brendan Howlin today regarding Freedom of Information Act fees proposed last Friday at the end of legislative drafting before the Committee Stage in the Irish Parliament.

    While I agree that public service resources need to be utilised efficiently, particularly in the current (apparently getting better) economic context, I disagree that putting a paywall up (which is the practical effect of the fees proposed) is the solution. Better results could be achieved by actually managing information as an asset and ensuring appropriate governance and joined up thinking.

    Dear Minister Howlin,

    It was with dismay that I learned of the proposals in the current draft Freedom of Information Bill regarding the charging of fees. Simply put: the proposal regarding fees is dangerously retrograde, belies a failure of customer/citizen-centricity in Public Sector thinking and a missed opportunity to mandate improvements in Data Governance, runs counter to your own initiatives in relation to “Open Data”, and may indeed serve to weaken any strategy to break down ‘silo thinking’ in Public Service organisations to achieve operational efficiencies through better use of data internally.

    · Dangerously Retrograde:

    Creating an uncapped initial application fees structure for simple exercise of Freedom of Information rates is a dangerously retrograde step. Much of the waste in Public Service organisations over the past few years has been uncovered through journalists and others using FOI rights carefully.

    An uncapped application fees structure, particularly the provisions which give rise to additional charges where data requests span multiple “administrative units”, creates a financial disincentive for budget-conscious editors or freelance investigative journalists to seek information which might be in the Public Interest.

    By effectively curtailing the avenues of information access for citizens to only those who have resources to take an unknown punt on the final costs or to the official press releases our FOI regime that was weakened in 2003 will have been replaced with a model for ‘mushroom management’ in which citizens will be kept in the dark and fed what’s good for mushrooms.

    · Failure of Customer/Citizen-centricity and Data Governance:

    The erection of a “paywall” that will inevitably act as a disincentive to exercise of FOI rights belies a failure of Customer/Citizen-centricity in the Irish Public Sector. In tandem it highlights a failure to seize a valuable opportunity to drive strategic change in Data Governance processes, practices, and methodologies in the Public Service.

    Rather than seeing the challenges raised by requests as an issue which must be curtailed through charges, the Irish Government can choose to invest some effort to understand the root causes of the issues that are reported. For example

    o Could it be that multi-part requests being submitted under the current system are likely a function of journalists needing to maximize the ‘bang for their buck’ on each individual request. Removing this may remove the multi-part queries?

    o How many queries relate to ‘standard’ information or reports which might be ‘pre-packaged’, perhaps in formats that require additional analysis by the requestor, but which meet the requirement for access to information?

    o Are FOI access and accessibility a primary consideration in the design of new systems and processes? If not, should the Data Governance structures of departments be addressed to ensure “FOI-by-design” (producing standardized core reports etc), in the same way as “Privacy by Design” will be a requirement under the forthcoming EU Data Protection Regulation?

    I am currently engaged in a project [details of project redacted for publication] where FOI requirements under regulations such as the Aarhus Convention as well as their voluntary compliance with various regulatory standards have been identified as key strategic drivers for precisely this kind of Data Governance change and re-alignment. The project team has identified further substantial benefits arising from the improvements in Data Governance and Information Quality in this organization that go beyond simple Freedom of Information capabilities.

    By opting for a “paywall” that will keep enquiries out the Government is ignoring an internal dissatisfaction with status quo that can be leveraged to trigger and hopefully sustain Data Governance change in the Irish Public Sector. By knowing the cost of everything and the value of nothing, an opportunity to improve is being foregone.

    · Free Information, Open Data: Fees are inconsistent with Open Data Strategy

    Frankly my head is spinning trying to figure out what the strategic position regarding information is from the Government.

    On one hand you are promoting “Open Data”, while on the other you are proposing changes that will make it harder for citizens (not just journalists) to get access to information in accordance with their rights.

    Ultimately, it is my professional view that the very Data Governance and Information Quality benefits that the proposed “paywall” is forgoing in the context of FOI will inevitably emerge as challenges and barriers to producing Open Data that can be relied upon for service planning, development of applications, guiding investment strategies etc.

    The “pre-packed” reporting solutions outlined above (which I believe were raised by Gavin Sheridan during the legislative consultation period) are Open Data. By implementing these and addressing root causes for current issues and inefficiencies in the FOI model in Ireland the Government has an opportunity for a double-win. Instead we are presented with cognitive dissonance where the Government trumpets Open Data with one hand but claws back Information Freedom with the other, while forgoing any operational efficiency benefits which would arise from tackling root causes in Data Governance practices.

    · Breaking Down Silo Thinking in the Public Service

    The Haddington Road Agreement aims to improve efficiency and effectiveness in the Public Sector and to reduce costs. Ultimately it will need to break down the traditional “silo” thinking that exists in all large organisations, and the provisions regarding staff mobility hint to that.

    However the proposed charging structures under the FOI proposals run counter to this strategic vision. If one was cynical it could be described as a “Silos Charter” given that additional charging will be tied to the number of administrative units in which data is being processed.

    What controls are being implemented to ensure that there is no fragmentation of administrative units to split data processing within FOI-able entities? In the absence of controls it is inevitable that fragmentation will exist, particularly in the context of processes, projects, or functions that might be of notable interest to people seeking to exercise their FOI rights.

    On the other hand, improving Data Governance (data standards, meta-data, master data, clarification of data ownership rights, rules and accountabilities) and seeking to identify common methods for developing and delivering standardized reports would inevitably result in a breaking down of silos and the promotion of cross-functional ways of working within the Public Service.

    However, hiding the silos behind a paywall appears to be the easy path which the preferred choice of the Government.

    Conclusion

    There is a significant potential opportunity to drive change in the governance and management of information in the Irish Public Sector. This change aligns with the objectives of Open Data and has potentially far reaching benefits beyond just FOI effectiveness.

    A PayWall, which is what an uncapped open-ended application fee is in practice, removes this driver and allows both current inefficiencies to fester and current efficiencies to remain siloed, and deprives the citizen of their opportunity to find out answers to their questions of Government. Raising the paywall potentially beyond the reach of individuals, freelance journalists, and mainstream media is a dangerous retrograde step for transparent democracy.

    FOI is the Parliamentary Question for the individual – it should not be locked away behind a paywall

  • DPC, Prism, Safe Harbor and stuff

    The Irish DPC has come under fire in the international media on foot of their failure to act on a complaint by Europe v Facebook about US multinationals with bases in Ireland allowing data to be accessed by the NSA.

    The gist of EVF’s complaint is that this access invalidates Safe Harbor and therefore makes the transfer of data by these companies to the US is therefore illegal.

    EVF may indeed be right. The key 2-legged test to be passed is whether the access by law enforcement/national security agencies to the data that is being transferred is necessary for the national security/law enforcement purpose, and whether the access/processing is in turn proportionate to the objective when balanced against the fundamental right to privacy.

    Prism and similar programmes quite probably fail either or both legs of that test. Certainly the ECJ seemed to be very concerned with whether European governments had done enough to demonstrate necessity and proportionality with regard to EU communications data retention (http://www.contentandcarrier.eu/?p=435).

    This is the ECJ case that the Irish DPC refers to in the written response to Europe-v-Facebook.

    Safe Harbor is a scheme entered into by the European Commission and the US Dept of Commerce to facilitate transfers of data to the US. It is decidedly imperfect and had been the subject of criticism since it was introduced in 2000.

    It is one of the mechanisms under which organisations can transfer personal data outside the EEA (28 EU member states plus Norway, Iceland & Liechtenstein) under S11 of the Data Protection Acts

    S11 does give the DPC the power to prohibit such transfers in certain circumstances. The DPC needs to be of the view that data protection rules are likely to be contravened and individuals are likely to be harmed as a result. This power is limited in that it does not apply where the transfer is required or authorised by law.

    And here’s the rub:

    • Safe Harbor is a scheme that authorises the transfer. So the DPC can’t unilaterally prohibit the transfer of data where Safe Harbor is being applied.
    • The Irish DPC does not have statutory authority to second guess the EU Commission on the legality of Safe Harbor
    • PRISM is, at this time, understood to have a statutory basis in the US and no-one court has yet ruled on the necessity and proportionality of its data gathering, so there is no breach of Data Protection rules per se. If the ECJ gives guidance re similar EU laws this could alter things.

    In short, the Irish DPC’s hands are probably tied by the law.

    Billy Hawkes lacks the legal authority to rule on the validity of Safe Harbor, so while transfers under Safe Harbor are valid in the EU Commissions eyes he probably can’t prohibit a transfer that is based on Safe Harbor. That is probably for the EU Commission to do.

    Nor is he empowered to make a finding of fact against the NSA regarding the necessity and proportionality of their processing (that’s for the US courts, or for the EU Commission to adopt as part of their review of Safe Harbor) – but will be bound by whatever principles of proportionality and necessity for communications meta-data processing emerge from the ECJ Data Retention Directive case, which is likely in my view to be more of a steer to the EU Commission regarding controls that would be required in “Son of Safe Harbor” than empowering the DPC to torpedo Safe Harbor himself.

    I suggest that it is this reasoning which the German DPAs have applied in their action which has had the effect of prohibiting transfers in scenarios where they had direct competence but served only to send up a warning flare that Safe Harbor and Model Contract Clauses might be broken – but DPAs lack the statutory competence to actually do anything about it and it must be addressed by the Commission.

    Rather than “regulator fails to enforce law”, this story is more correctly “Regulators hampered by broken law unsuited for modern age”