Tag: privacy

Posted on
by

After California, now the Washington State senate has adopted a data protection and privacy act that takes the EU General Data Protection Regulation (GDPR) as an example to emulate.

This is definitely a hoped for effect of the GDPR when it was launched. European environmental and food safety standards have had similar global norm setting impact. This as for businesses it generally is more expensive to comply with multiple standards, than it is to only comply with the strictest one. We saw it earlier in companies taking GDPR demands and applying them to themselves generally. That the GDPR might have this impact, is an intentional part of how the EC is developing a third proposition in data geopolitics, between the surveillance capitalism of the US data lakes, and the data driven authoritarianism of China.

To me the GDPR is a quality assurance instrument, with its demands increasing over time. So it is encouraging to see other government entities outside the EU taking a cue from the GDPR. California and Washington State now have adopted similar laws. Five other States in the USA have introduced similar laws for debate in the past 2 months: Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.

Service announcement: I regularly lie to data gathering platforms like FB. So any message from FB telling you it’s my birthday today can be safely ignored. It’s not. They wanted to check my age when I created the account. They don’t need a day and month for that, and for that matter any year before 2000 will do. I lied to FB. You should too.

For those of you sending birthday wishes: thank you, I appreciate hearing from you. It’s good to know you

Posted on
by

This is a very interesting article to read. A small French adtech company Vectaury has been ordered to stop using and delete the personal data of tens of millions of Europeans, as it cannot show proper consent as required under the GDPR. Of interest here is that Vectaury tried to show consent using a branche wide template by IAB. A French judge has ruled this is not enough. This is an early sign that as Doc Searls says GDPR is able to, though at the speed of legal proceedings, put a stake through the heart of ad-tech. Provided enforcement goes forward.

A month after the verdict, Vectaury’s website still proudly claims that they’re GDPR compliant because they use the concept of a ‘consent management provider’. Yet that is exactly what has now been ruled as not enough to show actual consent.

This Twitter thread by NYT’s Robin Berjon about the case is also interesting.

Posted on
by

Does the New York Times see the irony? This article talks about how US Congress should look much less at the privacy terms of big tech, and more at the actual business practices.

Yet it calls upon me to disable my ad blocker. The ad blocker that blocks 28 ads in a single article, all served by a Google advertisement tracker. One which one of my browsers flags as working the same way as cross site scripting attacks work.

If as you say adverts are at the core of your business model, making journalism possible, why do you outsource it?
I’m ok with advertising New York Times, but not with adtech. There’s a marked difference between the two. It’s adtech, not advertising, that does the things you write about, like “how companies can use our data to invisibly shunt us in directions” that don’t benefit us. And adtech is the reason that, as you the say, the “problem is unfettered data exploitation and its potential deleterious consequences.” I’m ok with a newspaper running their own ads. I’m not ok with the New York Times behaving like a Trojan horse, pretending to be a newspaper but actually being a vehicle for, your own words, the “surveillance economy”.

Until then my ad blocker stays.


My browser blocking 28 ads (see the address bar) on a single article, all from 1 Google ad tracker.

Got a new phone (after selecting a new plan with some effort). As I don’t allow my phone to back-up everything to the (google) cloud, it took a few hours to get the new one ready: installing apps, and logging into all the associated accounts (using 1password). On the upside, it means a lot of unnecessary stuff accumulated over the last 2 years has been left behind on the old device.

Posted on
by

Some links I thought worth reading the past few days

Posted on
by

To celebrate the launch of the GDPR last week Friday, Jaap-Henk Hoekman released his ‘little blue book’ (pdf)’ on Privacy Design Strategies (with a CC-BY-NC license). Hoekman is an associate professor with the Digital Security group of the ICS department at the Radboud University.

I heard him speak a few months ago at a Tech Solidarity meet-up, and enjoyed his insights and pragmatic approaches (PDF slides here).

Data protection by design (together with a ‘state of the art’ requirement) forms the forward looking part of the GDPR where the minimum requirements are always evolving. The GDPR is designed to have a rising floor that way.
The little blue book has an easy to understand outline, which cuts up doing privacy by design into 8 strategies, each accompanied by a number of tactics, that can all be used in parallel.

Those 8 strategies (shown in the image above) are divided into 2 groups, data oriented strategies and process oriented strategies.

Data oriented strategies:
Minimise (tactics: Select, Exclude, Strip, Destroy)
Separate (tactics: Isolate, Distribute)
Abstract (tactics: Summarise, Group, Perturb)
Hide (tactics: Restrict, Obfuscate, Dissociate, Mix)

Process oriented strategies:
Inform (tactics: Supply, Explain, Notify)
Control (tactics: Consent, Choose, Update, Retract)
Enforce (tactics: Create, Maintain, Uphold)
Demonstrate (tactics: Record, Audit, Report)

All come with examples and the final chapters provide suggestions how to apply them in an organisation.

Posted on
by

At least I think it is…. Personal blogs don’t need to comply with the new European personal data protection regulations (already in force but enforceable from next week May 25th), says Article 2.2.c. However my blog does have a link with my professional activities, as I blog here about professional interests. One of those interests is data protection (the more you’re active in transparency and open data, the more you also start caring about data protection).

In the past few weeks Frank Meeuwsen has been writing about how to get his blog GDPR compliant (GDPR and the IndieWeb 1, 2 and 3, all in Dutch), and Peter Rukavina has been following suit. Like yours, my e-mail inbox is overflowing with GDPR related messages and requests from all the various web services and mailing lists I’m using. I had been thinking about adding a GDPR statement to this blog, but clearly needed a final nudge.

That nudge came this morning as I updated the Jetpack plugin of my WordPress blog. WordPress is the software I use to create this website, and Jetpack is a module for it, made by the same company that makes WordPress itself, Automattic. After the update, I got a pop-up stating that in my settings a new option now exists called “Privacy Policy”, which comes with a guide and suggested texts to be GDPR compliant. I was pleasantly surprised by this step by Automattic.

So I used that to write a data protection policy for this site. It is rather trivial in the sense that this website doesn’t do much, yet it is also surprisingly complicated as there are many different potential rabbit holes to go down. As it concerns not just comments or webmentions but also server logs my web hoster makes, statistics tools (some of which I don’t use but cannot switch off either), third party plugins for WordPress, embedded material from data hungry platforms like Youtube etc. I have a relatively bare bones blog (over the years I made it ever more minimalistic, stripping out things like sharing buttons most recently), and still as I’m asking myself questions that normally only legal departments would ask themselves, there are many aspects to consider. That is of course the whole point, that we ask these types of questions more often, not just of ourselves, but of every service provider we engage with.

The resulting Data Protection Policy is now available from the menu above.

Funny how #datagovernance companies publishing #gdpr compliance guides aren’t compliant themselves when asking personal data for downloads: no explicit opt-ins, hidden opt-ins (such as hitting download also subscribes you to their newsletter), no specific explanations on what data will be used how, asking more personal information than necessary.

Posted on
by

Yesterday my colleague Paul and I visited the annual conference organized by the Flemish government’s information management / IT office. We were there to speak about the open data experiences of the Netherlands.

The upcoming GDPR, Europe’s new privacy regulations, was mentioned and discussed a lot. Such pan-European laws suggest that there is a generic way to approach a topic like privacy, or even an objective one. Nonetheless the actual perception of privacy is strongly culturally determined as well, Toon van Agt remarked during his presentation, and pointing to us Dutchies sitting on the front row. He gave the example of how in the Netherlands real estate transaction prices and mortgages on a house are publicly available (if not yet as open data I must add. Transaction prices are available as open data in the UK, afaik). Where in the Netherlands this is regarded as necessary to be able to determine who you’re dealing with if you buy or sell a house, in Belgium it would be unthinkable. In my own presentation I showed how open data from the license plate register is used in the Netherlands to prevent theft of petrol at gas stations. Again unthinkable in Belgium, mostly because of the fundamental difference that license plates in the Netherlands are connected to a car (and the car to an owner), and in Belgium to the car owner (and the owner to a car). Calvinism was put forward as a determining difference, resulting in Dutch window curtains being open, so everyone can see a) we have nothing to hide and/or b) we have the coolest stuff in the street :). Similarly the tax amounts and incomes of Norwegians are famously public, whereas in the Netherlands asking how much someone earns or even worse touting how much you earn yourself, is frowned upon and not suitable for polite conversation.

It would be interesting to create an overview of socially acceptable and unacceptable forms of transparency across Europe. To learn where further opportunities for open data are to be found, as well as to see where social barriers can be expected.

The wonderful windows open houses on the Dutch( Volendam) 4 2017-09-23_15-15-25_ILCE-6500_DSC03304
The quintessential difference between Belgium (r) and the Netherlands (l): curtains open or closed. Photos by Miguel Discart and magalibobois

Posted on
by

Some disturbing key data points, reported by the Guardian, from a Congressional hearing in the US last week on the usage of facial recognition by the FBI: “Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people.” It makes you wonder how many false positives have ended up in jail because of this.

At GEGF2014
Me, if you look closely, reflected in an anonymous ‘portrait’ (part of an exhibit on Stalinist repression and disappearances in Kazakhstan, 2014)

I am in favor of mandatory radical transparency of government agencies. Not just in terms of releasing data to the public, but also / more importantly specifying exactly what it is they collect, for what purpose, and what amount of data they have in each collection. Such openness I think is key in reducing the ‘data hunger’ of agencies (the habit of just collecting stuff because it’s possible, and ‘well, you never know’), and forces them to more clearly think about information design and the purpose of the collection. If it is clear up-front that either the data itself, or the fact that you collect such data and in which form you hold them, will be public at a predictable point in time, this will likely lead to self-restraint / self-censorship by government agencies. The example above is a case in point: The FBI did not publish a privacy impact assessment, as legally required, and tried to argue it would not need to heed certain provisions of the US Privacy Act.

If you don’t do such up-front mandatory radical transparency you get scope creep and disturbing collections like above. It is also self-defeating as this type of all encompassing data collection is not increasing the amount of needles found, but merely enlarging the haystack.

Using tech to flip facial recognition in video stories from Iran, at SXSWi
image by Sheila Scarborough, CC-BY

Posted on
by

Getting a SSL/TLS-certificate for your website has always been a hassle as well as costly. However increasing the amount of default encrypted web traffic is important both in terms of website safety as well as in terms of privacy (when you submit information to websites). The cost and hassle kept most non-commercial websites from using certificates however. Until now. Because now there is Let’s Encrypt, which makes it very easy to add certificates to your website. For free.

When I started using a VPS two years ago to serve as my cloud and as a Dropbox replacement, I needed a certificate to make sure the traffic to my cloud was encrypted. The VPS originally came with one, but that expired after a year. Since then I’ve added a renewing certificate from Comodo (the largest provider at the moment), which I got for a one-time payment as a lifetime service from my VPS provider. But for a range of other domains I use, both hosted on my VPS as well as in various hosting packages with a Dutch hosting provider, I never bothered getting a https certificate, because it was too much work and too expensive to keep up. There already were free certificates available, such as through the Israeli StartCom which I used for one or two domains, but I never felt certain it was secure as a service (it turns out it’s small buth 7th globally, and has received some serious criticism).

Symantec has a certificate problem...
Arranging and renewing certificates can be a pain, even if you’re Symantec, the world’s second certificate provider. (image Lars K. Jensen, CC-BY)

Let’s Encrypt changes all that. Because they are strongly community driven, amongst other with support by the Electronic Frontier Foundation, and because they are going the route of getting their root certificate independently recognized and be a full certificate authority. Currently they use IdenTrust’s (5th globally) existing trusted root certificates, but the Let’s Encrypt root certificate has now been recognized by Mozilla, and they’re working to get it recognized by Google, Apple, Microsoft, Oracle et al. This would increase the independency of Let’s Encrypt. Let’s Encrypt says the growth rate of https traffic has quadrupled since the end of 2015, in part through their efforts. Their certificates are used at over 8 million websites now.

I’ve added a range of my own sites to those 8 million. For the domains on my own VPS that didn’t have valid certificates yet, they were easy to install. I used SSLforFree to generate the Let’s Encrypt certificates, based on me providing proof I have full control over the domains I seek to protect. Then I added the certificates to the domains using the WHM control panel of my server. Certificates are valid for 90 days, but I can set them to auto-renew, although I haven’t done that yet.

For the domains not hosted on my VPS, such as this one for my blog, I depend on my Dutch hosting provider (as I don’t have root access to install certificates myself, although I have full control over the domains such as its DNS settings.) Luckily recently they have started offering auto-renewing Let’s Encrypt certificates (link in Dutch) as a free service for each of the domains you host with them, because they recognize the importance of secure web traffic. All it took was opening a ticket with them, listing the domains I was requesting certificates for. Within two hours eleven certificates were created and installed.

So, from now on you can get my blogpostings from https://zylstra.org/blog.

this blog now with https

Posted on
by

Wuala alpha
Wuala: From alpha in 2007, acquisition by LaCie in 2009, to being deadpooled 2015
(Image by Chris Messina, CC-BY-NC-SA)

Wuala, the Swiss cloud storage service, is closing down. You need to switch services by 30 September when Wuala will become read-only, and remove all your data by 15 November when Wuala will shut down. If you need to move and want an alternative that is end-to-end encrypted (and you should) then Wuala suggests another Switzerland based company, Tresorit.

Last year I briefly contemplated and tested Wuala when I wanted to get out of Dropbox (which is unencrypted and under US law). At the time I wrote

“Wuala, incorporated in Switzerland, is owned by LaCie (incorporated in France) which in turn is owned by Seagate (incorporated in Ireland). Their data centers are geo-redundant and in France, Switzerland and Germany. Although that looks good on paper Seagate HQ is in the US, placing Seagate under the Patriot Act, and thus Wuala ultimately too. Wuala for the desktop requires Java, which is a bad thing. Their encryption and syncing however are a plus, as is the ability to work in teams.”

Wuala was my first two steps away from Dropbox, as it provided client side encryption removing most of the key privacy concerns:

For now I have started using Wuala, as it is at least two steps up from Dropbox because of its encryption and their data centers in Switzerland, Germany and France. Their service is not ‘patriot act proof’ (and they know it, judging by their consistently vague and indirect answers in support fora), but the encryption helps address that. Of course there is no real way to check their encryption either.

My Wuala use lasted all of 1 week. Then I switched to OwnCloud through an Austrian provider, OwnCube, and a month later I started running my own VPS with OwnCloud on it, removing me from using third party services except for the server itself. (I must say OwnCloud does not support end-to-end encryption yet, and uses server side encryption. Hoping to see that change in the future.)

Posted on
by

Sometimes it is ok if your government wants to store your fingerprints. Like, when they use them as artwork on city hall.

Last weekend Elmine and I strolled an afternoon through Deventer an old Hanseatic city in the eastern part of the Netherlands. We came across a shop window where a group of people were busy making clay moulds, which had us intrigued.

Deventer Raamwerk

The clay moulds, it turned out, were made from finger prints, to be cast in metal and then used on the facade of the new city hall as window covers/decorations. A project by local artist Loes ten Anscher.

Deventer Raamwerk Deventer Raamwerk

The finger prints are from citizens in Deventer themselves. One in every forty-three, from the city and surrounding villages, from every age, has been asked to provide a finger or toe print, to be cast in metal. The 2.300 prints are cast in metal and used on the newly built city hall. Every metal cast has a number, and the person providing the finger print gets a pendant with that number. They will know where their finger print is on the building, but noone else.

I really love this project, making citizens part of the building where those that provide public service work, and involving them up to the level where they have their fingerprints all over local government. One example where I think government storing my finger prints is actually not so bad!