Privacy – Page 6 – Maverisk / Étoiles du Nord

Chasing the GDPR hippo

As I was reminded of the ‘Kill the Hippo’ meme, I realised its application is valid in specific circumstances, too.
Where the Hippo is of course here. And the application that I was thinking of, is here.
Not this one, that may stay where appropriate (which is much less than always)…

No, your Usual Suspect isn’t the CEO or whatever, and suggesting the CISO is just a pun, but … the lawyer(s) involved…
All you have to do, is take a look at their billing rates. And at the hippo-original abbrev meaning (sometimes, even the original meaning outright qua looks but in the most-expensively-dressed-in-the-room version, hopefully?) — pointing at the need to not listen to them as the most effective way to deal with the issue(s) at hand since they may on occasion (50,1%++) have the least useful insights to bring to the table…

Oh well. I’ll leave you with:

[Dead straight, according to your lawyer. Cromhouthuis Ams]

Panoptic business

Recently, I heard the gross error of thinking again “When people use their business IT for private purposes, they have no right to privacy” – rightly countered from the room that standing European law most clearly has the opposite: Employer has zero rights to see anything unless there’s prior evidence of some malfeasance or malfunctioning (e.g., performance problems – of the employee, not of the infra…). So, blanket or categorical surveillance (or blocking, which presupposes monitoring how the heck else would you detect the to-be-blocked URLs..!?): No sir.

What about the recent spat where a bank blocked Netflix because employees’ use of it at home, using company laptops that Citrixed back to the bank and from there onward, overloaded networks of sad (typo not said, intended to characterise the) bank? Well, a. how dumb can you be to Netflix over Citrix etc, or is one so incredibly cheap (hey, works at bank; apart from the exceptions you know, go figure) that bandwidth cost is an issue? Then maybe you’re too scroogy to be allowed to wok at a bank in the first place; monumental failure of ethics wise, b. in this case, clearly there are performance issues – when it’s noticable on the company network level, certainly it goes for a number of individuals, even if only by disturbing the performance (bandwidth availability) of others. c. there’s no absolutes in what employers cannot do.

But clearly, in just about every case considered today where categorical blocking by blacklisting would be attempted because managers sideways involved in HR stuff would understand what the URL is about, i.e., not-business-related entertainment however SFW or N-, skipping the blacklisting of the really to be blacklisted sites (torrents, malware shops and other rogue tooling),
we have again the panopticon argument of “observation changes behaviour” – and in these times of clueless managers (the less they know that of themselves, the worse cases they are!), you need in particular those ‘users’/employees that go beyond monkey typing away to be creative in their work and find new revenu / cost reduction directions. Which means that when you observe, or only log to be able to observe, you squelch productivity and profitability… Way to go!

Oh, and:

[Not the one mentioned above; HypoVereins München on a heat-hazy day]

D-raacdronische maatregelen

Okay, for those of you unable to understand the disastrous (understatement) word-play in the title because it’s in Dutch… It’s about a court case (verdict here) where neighbours were in this vendetta already and now one flew a camera drone over the other’s property succinctly the other shot down the drone.
Qua culpability for the damage to the drone, the Judge ruled that a. the drone pilot was trespassing so put the drone illegally where it was shot down, b. the gunman [an experienced shot, apparently] was not to damage other peoples’ property, both are guitly and should share the damage (and share the legal expense).

Side note: the verdict also states through witnesses, that the damage incurred was to one rotor only (after which the drone made a controlled landing; not such a good shot after all) and it had been flown into a tree before the incident (not such a good pilot in the first place), so the damage amount as reported by an independent expert were doubtful, even more so since the independent expert nowhere indicated in the report how the assessed drone was identified or identifyable, as the drone in question or otherwise.
Stupid amateurs.

Moreover, the Judge stated that a breach of privacy weighed no more of less that a breach of property rights. Now there‘s the Error [should be all-caps] in the assessment of current-day societal ethics which in this case, where the Judge appears to demonstrate a sensibility of the case i.e., the vendetta between the neighbours having dropped to a state where mediation is an option no more, would have called for understanding of the derogation of property rights by the privacy concerns as is prevalent (yes; fact) in society in which the verdict should fit. Apparently, neighbour considered the privacy breach already of more value that the risk to his property otherwise would have abstained from the risk of property damage. And the property rights should be compared with the privacy rights one has when e.g., throwing away printed materials; when discarded in the dumpster, one has surrendered one’s right to privacy-through-property re the dumped information. When voluntarily move into or over another one’s property, certainly without consent and against that other one’s want, does one not surrender one’s [protection of!] property rights to the other one? Of course one can ask one’s property back but what if the other one refuses or uses it as security re exchange for something else?

Legal scholars don’t seem to Always have a “hackers’ mentality” when it comes to finding all the side roads … Most unfortunately!
And:

[From the department of infinitely high control; Ronchamps]

Profiling the politics of the GDPR

When looking up the definition of ‘politics’, no-one can escape the notion that it regards something-choice or in any form the application of power to make decisions applying to all members of a group.
When looking up what leeways for profiling there is in the GDPR, even when so completely fellow-traveller-like as e.g., here [apart from the many, many more errors of logical reasoning, of thought, and of morality and ethics in that piece], the special category of data immediately springs to mind … that is about political opinion – representing the individuals’ autonomy in matters of choice. As any behaviour in public of said individuals is a matter of display of preference qua conduct in social affairs. As hence anything that has to do with profiling [even if only for the mundane making decisions of what ads to show to certain groups or not; abstracting even from the right (…) to have a human in the loop, seriously], has to do with political preferences.

Where is the field of study, by the way [not so much; rather a both parallel and intertwined track], of metadata and inference being special² categories of data, not requiring consent but should’ve been outlawed per se ..?

Plus:

[Artful bars, but suppressing; Brittas Museum London]

Not there yet; an OK Signal but …

But the mere fact that Congress will use ~~strong crypto~~ Signal, can mean many things. Like, “we” won the crypto wars, as Bruce indicated, or the many comments to that post are correct and it’s for them only and will be prohibited for the rest (us), or … nobody cares anymore who uses Signal, it’s broken and those that balked in the past, now have some backdoors or other coercive ways to gain access anyway. [Filed under: Double Secrets]

But hey, at least it’s something, compared to nitwittery elsewhere… And:

[Ode to careless joy; NY]

Generate some positivity, please

Something I believe(d) in for a long time already. Being, that I don’t belong. Nor do you, or anyone, to some dreamt-up category of whatever dimension. Didn’t I refer to this (at 0:30) over and over and over again ..?
To change the tack of the posts of late, let’s take a more positive attitude. E.g., by reading Brian Solis’ story here, and elsewhere: There exists no typical generation of any characterisation. Which leaves you free to pursue your own Happiness, in whatever way you’d want — with the caveat of not inroading of the freedom of others, and respecting the Commons in various directions.

Also, contra profiling, filter bubbles, echo chambers, social isolation, shallows, etc. Contra the dark side, who wouldn’t want that ..?
Pro the eternal fact that any average is, except for rare and particular cases, unequal to about all elements over which you took the avg. Even more so when talking multidimensional elements, and hoomans are possibly infinite in that.

So, be Free(d). And:
[Spread that word! Riga]

Predictable consequences

Dutch police start with ‘predicting’ crime.

For graduation, at kindergarten level:

Can you prevent bias?

What happens to accidental bypassers?

What will be the effect on Free society?

How many years in prison will the police chiefs get for this outright attempt to overthrow (the core principles of freedom of movement, innocent until proven guilty, etc.etc., of) the constitution and the UDHR whilst failing to fulfill the duties, to protect and serve [whatever variation] those?

Remember, this is at kindergarten level. Have fun, kids! Plus:
[Is this still a thing? Yoga at Briant Park, NY]

Having fun with voice synth

In particular, having fun the wrong way.
Remember, we wrote about how voice synth improvements, lately, will destroy non-repudiation? There’s another twist. Not only as noted, contra voice authentication for mere authentication (banks, of all, would they really have been in the lead, here, without back-up-double auth?), but in particular now that your voice has also become much more important again [after voice had dwindled in use for any sorts of comms, giving way to socmed typed even when with pixels posts of ephemeral or persistent kinds; who actually calls anyone anymore ..?], we see all sorts of Problems surfacing.

Like, mail order fraud. When hardly anyone still goes on a shopping spree through dozens of stores before buying something in store but rather orders online, of course Alexa / Home/Assistant / Siri / Echo / Cortana are all the rage. For a while; for a short while as people will find out that there was something more to shopping than getting something — but recognising the equilibrium that’ll turn out, may be in favour of on-line business, with physical delivery either at home, or at the mall.
The big ‘breakthrough’ currently being of course some half-way threshold / innovation speed bump overcome, with the home assistant gadgets that were intended to be much more butler first, (even-more-) mall destructor second. But that second … How about some fun and pranking, by catuyrig just some voice snippets from your target, even when just in line behind ’em at Wallmart, and then synthesizing just about any text? When a break-in on the backside of your home assistant (very doable; the intelligence is too complex and voluminous to sit in the front-end device anyway [Is it …!? Haven’t seen anything on this!] so at least there’s some half-way intelligent link at the back) may be feasible per principle but doing a MiM on the comms to some back-end server would be much more easy even, and much easier to obfuscate (certainly qua location, attribution), a ‘re’play of just any message is feasible.

Like, a ‘re’play of ordering substances that would still be suspicious even when for ‘medicinal purposes’. Or only embarassing, like ordering tools from the sort of fun-tools shop you wouldn’t want to see your parents order from. Of course, the joke is at delivery time [be that couriers, DEA/cops, or just non-plain packages] — oh wait we could just have the goods delivered to / picked up at, any address of our liking and have the felons/embarressed only feel that part plus non-repudiability.

This may be a C-rated-movie plot scenario, hence it will happen somewhere, a couple of times at least. Or become an epidemic. And:
[No mall, but a fun place to shop anyway; Gran Vía Madrid]

Golden Newie Pic of the Day

Hey that’s a new category yes it is; no Throwback Thur but Forward-looking Friday.
With …
your GDPR compliance program in one picture!
[After Wednesday’s post …]

GDPR is just a legal attempt at Y2k

Suddenly I realised, as one who profited handsomely (not in money but in perks’ way), that the whole GDPR compliance thingy is becoming quite similar, all too similar, to the hype that was called The Millennium Problem … too bad we now know how that ended, otherwise an illustrative movie could be made of the latter – now only (?) a documentary review is worthwhile, as history writing. Too bad it isn’t out in the open that despite all efforts then made, actually quite a lot of companies ended up having to hire temps to do all sorts of manual corrections in their administrations due to e.g., spreadsheets [the very things the toughest, most important business decisions hinged, and still hinge on!] going heywire over date fields.

To come back to the Issue … Are you not hit by that, almost sudden, avalanche of GDPR compliance warnings lately, like, the past couple of weeks ..? Is it not a warning that you need to do loads of things now, starting with hiring consultants (call to action; they’re Sales messages of course) this time not of the tech kind – engineers that see a problem, craft a solution and we’re done –, but of the legal kind – profiting only from prolongation of your insecurity.

And ah, there’s the snag! Multifaceted it is;

One: With some deadline suitably near to instill fear of lurking deadlines but suitably far to be able to still write you up with many, many ticks (per 6 or 3 minutes ..!?) at ridiculous rates, will be written;
Two: Unlike the patching that was the core solution (after Inventory – you did keep that in appropriate order in your wide-scope CMDB ever after 31/12/00, right ..? Even with some global outpost in the corner writing that down as 12/31/00. What stupid value loss if you didn’t! We’re only 17 years on! Did you really think legacy problems would have gone away by now …!?), we now see there is no solution but just getting compliant with all sorts of stupidly unprofitable, inefficient (and might we add, ineffective! yes if you are realistic, that’s what it is) good-for-nothing overhead;
Three: The good-for-nothing part — maybe not fully nothing, but oh so limitedly good for anything that you should’ve done already long ago not only for any ‘privacy’ compliance but for effective and efficient IT, -security included.

Following on this Lotus list, indeed there’s a lot of work to be done to become compliant … on the Legal side. On the IT side maybe also, but what needs to be done there, is (re)implementation of sound practices that should have been common daily practice anyway, and when implemented as such, ready; done.

The legal side on the other hand, sees all sorts of enduring challenges, like many cultural changes; no leaning back and await questions for advice to be answered out of hand with “It depends…” / “Come with a proposed solution and I’ll tell you whether it may or may not be permissible”, but for once being actively engaged and delivering definitive answers, and designing, implementing, and carrying out your (Legal) selves reams of procedural stuff. Acting on assessments, acting in communications, acting in control(s), etc.

You get it — the GDPR brings many problems for many organisations, the biggest of the problems being how to manage back the (Legal) consultancy fees… Remember, when data leakage isn’t preventable (as some dunces might still believe, many on the Legal side of GDPR compliance among them – hey they even think pseudonymisation amounts to anything), bad things are bound to happen. When (not if) not already via the avalanche of information requests …

I rest my case now, for you to have time to process the above, get it, and leave you with:

Your GDPR compliance looks much, much worse (this is actually quite good!); Toronto]