Privacy International http://privacyinternational.org/rss.xml en Big Brother says ‘No’: Surveillance and income management of asylum seekers though the ASPEN Card http://privacyinternational.org/long-read/3259/big-brother-says-no-surveillance-and-income-management-asylum-seekers-though-aspen <span class="field field--name-title field--type-string field--label-hidden">Big Brother says ‘No’: Surveillance and income management of asylum seekers though the ASPEN Card</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Wednesday, October 16, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em><span>Photo by <a href="https://unsplash.com/@mikoguz?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Miko Guziuk</a> on <a href="https://unsplash.com/@mikoguz?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></em></p> <p><span><span><em><span>This research is the result of a collaboration between Grace Tillyard, a doctoral researcher in the Media, Communications and Cultural Studies department at Goldsmiths College, London, and Privacy International.</span></em></span></span></p> <p> </p> <h2><strong><span>Social Protection Systems in the Digital Age </span></strong></h2> <p><span><span><span><span>In the digital age, governments across the world are building technologically integrated programmes to allow citizens to access welfare payments. While smart and digital technologies hold the potential to streamline administrative processes and reach millions, they can also have adverse effects on those they should be supporting. Social protection systems around the world are increasingly ‘conditional’, meaning that aspects of state support, usually financial or practical, are dependent on claimants complying with a set of rules or conditions. </span><a href="https://privacyinternational.org/news-analysis/3112/stage-1-applying-social-benefits-facing-exclusion"><span>These processes</span></a><span> are increasingly tied to rigid identification systems and determined by algorithmic and Automated Decision Making (ADM) processes. Those who fail to comply with the rules can find themselves automatically cut-off, have their assistance reduced or are subject to sanctions and fines. </span></span></span></span></p> <p><span><span><span><a href="https://pad.riseup.net/p/reproductive_health_surveillance_blog-keep"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">As Privacy International has argued</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">, the discrimination inherent to certain conditional welfare systems does not affect everyone equally. There is increasing evidence that welfare systems are driven by </span><a href="https://www.thenation.com/article/josh-levin-the-queen-book-review/"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">racialised and gendered assumptions</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"> about people in need that also perpetuate baseless societal tropes that mothers, people of colour and migrants are undeserving abusers of social protection and welfare. </span></span></span></span></p> <h4><span><span><span><strong><span>Private-Public Partnerships and Smart Debit Cards </span></strong></span></span></span></h4> <p><span><span><span><span>The global drive to </span><a href="https://privacyinternational.org/advocacy/2996/privacy-internationals-submission-digital-technology-social-protection-and-human"><span>streamline and automate welfare systems</span></a><span> also lines the pockets of private sector companies. Many government agencies in charge of administrating welfare choose to outsource the design and management of their technological infrastructure to private sector partners or corporations, instead of managing the system internally. The companies which provide tech solutions to governments thus also play a role by supplying services and products that can enable surveillance and the monitoring of those receiving welfare support.</span></span></span></span></p> <p><span><span><span><a href="https://privacyinternational.org/news-analysis/3208/we-read-all-submissions-thematic-report-un-general-assembly-digital-technology"><span>The introduction of Smart (Debit) Cards</span></a><span> is one of many other ways that governments are attempting to streamline the distribution and management of public benefits. These programmes provide social assistance through Smart (Debit) Cards, provided and administrated by corporations. </span></span></span></span></p> <p><span><span><span><span>In 2012 a partnership was formed between the </span><a href="https://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=2&amp;ved=2ahUKEwjplOGuupTlAhWoVBUIHQGsDicQFjABegQIABAC&amp;url=https%3A%2F%2Fwww.ohchr.org%2FDocuments%2FIssues%2FPoverty%2FDigitalTechnology%2FBlackSash.pdf&amp;usg=AOvVaw1GTnZnvObWIjn7gyBicTnG"><span>South African Social Security Agency, Grinrod Bank</span></a> <a href="https://www.mastercard.us/content/dam/mccom/en-us/documents/sassa-case-study.pdf"><span>and MasterCard</span></a><span> aiming to expand access to social protection through a smartcard. The programme was discontinued </span><a href="https://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=12&amp;ved=2ahUKEwjo2NnbvpvlAhWPI1AKHUZGBokQFjALegQIAxAC&amp;url=https%3A%2F%2Fwww.ohchr.org%2FDocuments%2FIssues%2FPoverty%2FDigitalTechnology%2FBlackSash.pdf&amp;usg=AOvVaw1GTnZnvObWIjn7gyBicTnG"><span>after the South African Supreme court argued</span></a><span> there was a fault in the tender process.</span></span></span></span></p> <p><span><span><span><span>In 2017, </span><a href="https://a2i.gov.bd/"><span>the government of Bangladesh</span></a><span>, in cooperation with USAID and the Bill and Melinda Gates Foundation, created a similar programme known as ‘a2i’ (Access to Information) that built a system for citizens to receive social assistance on a pre-paid debit card. Access to the programme<a href="https://govinsider.asia/smart-gov/bangladesh-a2i-mobile-payments/"> requires</a> people to register with their biometric data. </span></span></span></span></p> <p><span><span><span><span>In Australia, a Cashless Debit Card programme in partnership with Indue Ltd. aimed to reduce fraud and streamline welfare administration in the poorest region of the country. However, it soon came to light that the Department of Social Services was </span><a href="https://www.theguardian.com/australia-news/2018/feb/13/cashless-welfare-card-trials-extended-for-a-year-in-sa-and-wa"><span>disproportionately targeting</span></a><span> areas inhabited by indigenous Australians and using cashless debit cards to institute the further surveillance and income management of these communities. </span></span></span></span></p> <h2><span><span><span><span><span><strong><span><span>The ASPEN Card for asylum seekers in the UK</span></span></strong></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span>People seeking asylum in the UK, as in many other countries, </span></span></span></span></span><a href="https://www.migrationwatchuk.org/briefing-paper/4.24"><span>are excluded from claiming support from the welfare state and in most cases they are also not allowed to work</span></a><span><span><span><span><span> whilst their asylum application is being reviewed. But in some countries like the UK </span></span></span></span></span><span>they can access support in the form of housing and also receive a minimal allowance while in the UK through a scheme administered by the Home Office.</span></span></span></span></p> <p><span><span><span><span><span><span><span><span>In the past, asylum seekers collected this small sum of money from a Post Office with their Asylum Registration Card or through a prepaid payment card known as the </span></span></span></span></span><a href="https://www.gov.uk/government/publications/stores-that-accept-azure-cards-for-asylum-section-4-support"><span>AZURE Card</span></a><span><span><span><span><span>. But the process of withdrawing money at a Post Office was sometimes cumbersome, requiring people to travel long distances and tying them to a single Post Office location. The Azure Card was also only accepted in selected stores. </span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span>In May 2017, </span></span></span></span></span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">the </span><a href="https://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;ved=2ahUKEwjpk7rRi5TlAhVTr3EKHWlwCPUQFjAAegQIAhAC&amp;url=https%3A%2F%2Fwww.refugeecouncil.org.uk%2Fwp-content%2Fuploads%2F2019%2F03%2FASPEN_card_brief__August_2018_.pdf&amp;usg=AOvVaw3QYxsYXnbRt9LTIEeQRGcN"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">Asylum Support Enablement (ASPEN) Card was rolled-out nationally</span></a><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"> replacing cash payments previously given to asylum seekers whose application had been refused, and to asylum seekers with an on-going application</span></span></span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">.</span></span></span></span></p> <p><span><span><span><span><span><span><span><span>When </span></span></span></span></span><a href="https://www.parliament.uk/business/publications/written-questions-answers-statements/written-question/Commons/2019-06-04/260049/"><span>asked by a Member of Parliament on 4 June 2019</span></a><span><span><span><span><span> for what reason the Home Department had decided to move the provision of financial support to asylum seekers from post offices to ASPEN cards, the Minister for Immigration responded that: “Primarily, the sub-contractual arrangements were coming to an end, and the Asylum Registration Card (ARC) used for identification and payment purposes was being upgraded. Other factors included improved convenience and accessibility for service users, and a reduction in processing costs associated with reduced cash handling.”</span></span></span></span></span></span></span></span></p> <h4><span><span><span><span><span><span><span><span>Who receives support through the ASPEN card, and how does it work?</span></span></span></span></span></span></span></span></h4> <p><span><span><span><span><span><span><span><span>The ASPEN Card operates differently depending on if the recipient of the assistance is an</span></span></span><strong><span><span><span> </span></span></span></strong></span></span><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">asylum seeker whose application had been refused or an asylum seeker with an on-going application</span></span></span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">.</span></span></span></span></p> <p><span><span><span><a href="https://www.asaproject.org/uploads/Factsheet-2-section-4-support.pdf"><span>Section 4 of the Immigration and Asylum Act 1999</span></a><span> provides for support to asylum seekers whose applications have been refused (known as Section 4 support) and includes provision of accommodation and £35.39 a week via a payment card, which at the moment is the ASPEN card. They can only make chip and pin payments, i.e. no card withdrawals are permitted. </span></span></span></span></p> <p><span><span><span><span>Those whose asylum claims are on-going can apply for </span><a href="https://www.asaproject.org/uploads/Factsheet-1-section-95.pdf"><span>‘section 95 support’</span></a><span> under the Immigration and Asylum Act 1999. The purpose of this support is to assist those who are destitute or about to become destitute, and their dependents whilst their asylum claim is pending. Those seeking assistance under section 95 must demonstrate that they meet ‘the destitution test’ which means that they must provide evidence that they do not have adequate accommodation or enough money to meet living expenses for themselves and any dependants. </span><a href="https://www.gov.uk/asylum-support/what-youll-get"><span>‘Section 95 support’</span></a><span> provides for housing as well as £37.75 per week (current rate) for each person. The subsistence support is provided through a debit card, which is currently the ASPEN Card, which allows the withdrawal of cash and direct card payments.</span></span></span></span></p> <p><span><span><span><span>These situations are far from temporary. Asylum seekers are forced to live off this menial stipend while the Home Office processes their application, which can take years. During this time whole families are left to struggle to make ends meet, unable to work or settle. </span></span></span></span></p> <h2><span><span><span><span><span><strong><span><span>So…what’s the problem?</span></span></strong></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span>In April 2017, The Unity Centre in Glasgow </span></span></span></span></span><a href="https://unitycentreglasgow.org/aspencard/"><span>sounded the alarm</span></a><span><span><span><span><span> that the ASPEN cards were being used by the Home Office to monitor the expenses of cardholders and track the locations where they were used. According to The Unity Centre, the Home Office </span></span></span></span></span><span>explicitly said that they were “analysing card usage data”. <span><span><span><span><span>This surveillance was largely possible because Asylum seekers eligible for Section 4 support were also not able to withdraw cash from ATMs.</span></span></span></span></span> <span><span><span><span><span>This restrictive way of providing support created the conditions of heightened surveillance of Asylum seekers on Section 4 support, whose every purchase are monitored and partial surveillance of asylum seekers on Section 95 </span></span></span></span></span>support<span><span><span><span><span>, who could still withdraw their allowance in cash.  </span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span>In January 2019, reports by </span><a href="https://www.thetimes.co.uk/article/home-office-tracks-debit-card-use-to-spy-on-asylum-seekers-lkgcdm7d7"><span>The Sunday Times</span></a><span> and </span><a href="https://www.independent.co.uk/news/uk/home-news/asylum-seeker-home-office-spying-debit-card-aspen-hostile-environment-a8748781.html"><span>The Independent</span></a><span> provided more evidence that the Home Office was monitoring ASPEN cards. In particular, Home Office officials were reported as monitoring purchases made outside a person’s ‘authorised’ city where they are given temporary housing, in order to make a case that the person was fraudulently living elsewhere or did not qualify as destitute making them ineligible for financial support and shelter. </span></span></span></span></p> <p><span><span><span><span>The Sunday Times, also notes that one leaked letter seen by The Sunday Times  stated, “It is observed from your ASPEN transactions that you have been spending your support out of area . . . you are now required to provide all information and evidence requested within five working days.”</span><span>.</span></span></span></span></p> <p><span><span><span><span>A closer look at </span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">Home Office policy from their “</span><a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/425519/Breach_of_Conditions_v8.pdf"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">Breach of conditions instruction”, addressed to their members of staff, </span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"> reveals that the procedures for establishing whether or not fraud has been committed are vague and seem to be largely at the discretion of the individual caseworker. </span><span>The policy states that if there is a suspicion of fraudulent activity, the person in question will be required to justify to the caseworker</span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"> what happened and “should the explanation lead a caseworker to believe that the breach of condition was unavoidable the explanation may be deemed a ‘Reasonable Excuse’.” If, however, the caseworker finds that there are ‘reasonable grounds’ to believe that the supported person has failed to comply with the conditions, their support will be suspended or discontinued.   </span></span></span></span></p> <p><span><span><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">When asked on 6 February 2019 by a Member of Parliament about </span><span>“ how many asylum seekers have had their asylum support (a) suspended and (b) discontinued as a result of information obtained by the monitoring of the usage of an ASPEN card.”, t</span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">he Minister for Immigration at the time, responded that: “Where evidence comes to light that would suggest a supported asylum applicant has access to alternative accommodation and support, we would invite the applicant to give an account of their activity. Evidence can come from a number of sources, including ASPEN usage data. Suspension and any subsequent discontinuation of support due to a breach of conditions carries a right of appeal. Data is not held in a publishable format.”</span></span></span></span></span></p> <p><span><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">A source at Asylum Matters told Privacy International that caseworkers have access to the card data and it is believed that an automated system flags locations and certain retailers. The source was also told by the Home Office that monitoring through the ASPEN Card is justified on the grounds that patterns of transactions that take place a significant distance away from the person’s address can indicate that the person is not complying with their accommodation agreement or that they may have fallen victim to trafficking. The source also explained that the ASPEN Card program was expanding to include provisions for its use for transport costs of asylum seekers. </span></span></span></span></p> <p><span><span><span><span>Some of the people reported by The Sunday Times as being punished for making trips included </span><a href="https://www.independent.co.uk/news/uk/home-news/asylum-seeker-home-office-spying-debit-card-aspen-hostile-environment-a8748781.html"><span>a teenage schoolgirl</span></a><span> who bought a train ticket using a donation from a local church to attend her father’s wake and a </span><a href="https://www.independent.co.uk/news/uk/home-news/asylum-seeker-home-office-spying-debit-card-aspen-hostile-environment-a8748781.html"><span>Sudanese man living in the Midlands</span></a><span> who had his benefits withdrawn after attending a court hearing in London. </span><span>The Sunday Times reported that the Home Office confirmed that 186 people had their support stopped in 2018 ‘</span><a href="https://www.thetimes.co.uk/article/home-office-uses-debit-cards-to-spy-on-asylum-seekers-3xtxsklcx"><span>as a result of a referral regarding the ASPEN card usage’</span></a></span></span></span></p> <h3><span><span><span><strong><span>The surveillance of asylum seekers: a lucrative business for Sodexo </span></strong></span></span></span></h3> <p><span><span><span><span>But there is more to the ASPEN Card than meets the eye. To date, investigative </span><a href="https://www.thetimes.co.uk/article/home-office-tracks-debit-card-use-to-spy-on-asylum-seekers-lkgcdm7d7"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">reports</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"> have highlighted some of the harrowing effects of Home Office surveillance on asylum seekers but have paid less attention to how and by whom the program is run. </span></span></span></span></p> <p><span><span><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">The administration service around the ASPEN card is provided by Sodexo, </span><a href="https://sodexoengage.com/what-we-do/government-services/payment-solutions/"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">a global outsourcing company</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">, which has a contract with the Home Office for the operation of the system. </span><a href="https://www.livingwage.org.uk/news/sodexo-makes-living-wage-commitment"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">In the UK alone Sodexo employs 34 000 people</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">. The company has a global annual revenue of around </span><a href="https://uk.reuters.com/article/us-sodexo-leisure/sodexos-sport-and-leisure-business-targets-china-in-growth-drive-idUKKCN1Q121U"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">20 Billion Euros</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"> and are the world’s </span><a href="https://www.sodexo.com/home/careers.html"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">19th largest employer</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">. </span><span>The company delivers the </span><a href="https://uk.sodexo.com/home/your-industry/justice/services-in-prisons.html"><span>total operation of five prisons in England and Scotland</span></a><span>, managing over 5,000 prisoners in high and medium security facilities. Sodexo also manage a large number of public facilities including schools, NHS facilities and universities. </span><a href="https://sodexoengage.com/what-we-do/government-services/payment-solutions/"><span>According to the company’s UK website</span></a><span>, Sodexo provides and manages prepaid cards, vouchers and online payment platforms with more than 500,000 users across the UK, with over £1 billion loaded onto the cards or spent using their solutions. </span></span></span></span></span></p> <p><span><span><span><span>Sodexo’s partnership with the Home Office </span><a href="https://sodexoengage.com/our-success-stories/the-home-office/"><span>dates back to the year 2000</span></a><span>, when they first helped to introduce the Azure card – as noted above, the first debit card created for asylum seekers in the UK on Section 4 support and the litmus test for the ASPEN card. This paved the way to roll out pre-paid cards </span><a href="https://www.gov.uk/asylum-support/what-youll-get"><span>to all asylum seekers</span></a><span> and eliminated any other form of paying support. </span><a href="https://sodexoengage.com/our-success-stories/the-home-office/"><span>Sodexo’s website hails</span></a><span> the partnership explaining that the system allows the Home Office to “ring-fence certain funds for specific purposes; for example, to be used only to pay for transport services”, and to configure “whether cards are ATM enabled or not, and if so to set the limit of funds that can be withdrawn”.</span></span></span></span></p> <p><span><span><span><span>On the </span><a href="https://www.parliament.uk/business/publications/written-questions-answers-statements/written-question/Commons/2019-09-24/290395/"><span>3 September 2019, when asked by a Member of Parliament</span></a><span> how much the Home Department paid to Sodexo to provide the Aspen card service in each year for which data is available; and what estimate her Department has made of the future costs of that service, the Government responded that: “The Home Office does not publish data on the costs of the Sodexo contract as it is considered commercially sensitive.”, and “As we [the Home Office] are in the process of retendering for the payment card we are unable to provide any information on future costs”. A <a href="https://www.gov.uk/government/publications/home-office-spending-over-25000-2019">manual informal calculation of reported monthly expenditure</a> provides a rough estimation that the Home Office may have sent around £ 84,000,000 of taxpayer’s money to SODEXO MOTIVATION SOLUTIONS UK LTD for services under the line items,<strong> ‘</strong>Voluntary Assisted Returns’, ‘Asylum Provision &amp; Services and Public Order’, ‘Security &amp; Safety’. </span></span></span></span></p> <p><span><span><span><span>The Home Office website that provides information to asylum seekers, </span><a href="https://www.gov.uk/asylum-support/what-youll-get"><span>refers to the ASPEN Card</span></a><span> as a payment mechanism but as far as we are aware it does not mention who administrates it. <a href="https://www.migranthelpuk.org/news/migrant-help-awarded-new-contract">Migrant Help</a>, an organisation sub-contracted by the Home Office to deal with asylum claims, also appears to have no available information online concerning the ASPEN Card. The Home Office does state <a href="https://privacyinternational.org/sites/default/files/2019-10/Home%20Office_ASPEN%20Letter.pdf">in a letter sent out to ASPEN Card users</a> and obtained by Privacy International, from a source we will refer to as Mishka, that by enrolling in the programme they are agreeing to, “the Home Office and authorised contractors collecting and storing information about card usage for the purposes of fraud prevention and ensuring compliance”. They do not, however, as far as we are aware, provide a way of opting-out of the system, making the allowance conditional on this Home Office monitoring. </span></span></span></span></p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-hidden field__items"> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-10/Letter%20screenshot_Individual%20support%20profile.png" width="918" height="1108" alt=" Letter screenshot_Individual support profile" typeof="foaf:Image" /> </div> <div class="field field--name-field-caption field--type-string field--label-hidden field__item">Letter sent out by UK Home Office to ASPEN Card users and obtained by Privacy International, from a source we will refer to as Mishka.</div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><h2><span><span><span><strong><em><span>A data protection and human rights lens: the ASPEN Card</span></em></strong></span></span></span></h2> <p><span><span><span><span>Digital technology has created what can be described as ‘government-industry complex’ that manages and regulates social protection programmes. Concerning features of this ‘government-industry complex’ around the world include poor governance of <a href="https://www.ohchr.org/Documents/Issues/Poverty/A_74_48037_AdvanceUneditedVersion.docx">social protection policies</a>, a lack of open, inclusive and transparent decision-making processes and limited transparency and accountability of the systems and infrastructure.</span></span></span></span></p> <h4><span><span><span><em><span>The ASPEN Card: A means of exerting control over and limiting autonomy of asylum seekers and their dependents </span></em></span></span></span></h4> <p><span><span><span><span> Information published by the Home Office on the ASPEN Card provides details on what the card can and can’t be used for, and where it can and can’t be used, i.e. selected shops, not abroad, etc. This is an example of how such a programme creates a system which enables the monitoring, tracking and general exertion of control over recipients, which directly undermines asylum seekers’ autonomy and dignity. </span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-10/You%20will%20be%20able%20to%20use%20your%20Aspen%20card%20to_Home%20Office%20document.png" width="1598" height="460" alt="You will be able to use your Aspen card to_Home Office document" typeof="foaf:Image" /> </div> <div class="field field--name-field-caption field--type-string field--label-hidden field__item">Screenshot from &quot;A Home Office Guide to Living in Asylum Accommodation&quot;</div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span><span><span><span>Making surveillance and income management a condition of access to support leaves Asylum Seekers who are unable to work with no choice but to submit to Home Office scrutiny. This means that asylum seekers are currently having to accept a trade-off between accessing support and their fundamental right to privacy but also non-discrimination, amongst others.  Given the time it takes to process an asylum application, entire families seeking refuge from conflict or disaster can be subjected to income management and degrading surveillance for years. </span><span>Considering this invasive monitoring and recording of asylum seekers’ intimate details of their lives, questions remain about the proportionality of such practices , and to how and if safeguards are integrated into the system to ensure compliance with the UK’s national and international human rights obligations, and data protection standards.</span></span></span></span></p> <h4><span><span><span><em><span>Data protection and privacy obligations</span></em></span></span></span></h4> <p><span><span><span><span>Systems such as the ASPEN card highlight some key concerns in relation to the protection, respect and promotion of the right to privacy as protected by the UK’s international human rights commitments, Article 7 of the EU Charter of Fundamental Rights and Article 8 of the European Convention on Human Rights enshrined in national law through the Human Rights Act 1998.</span></span></span></span></p> <p><span><span><span><span><span>Any interference with the right to privacy must meet the following standards: be in accordance with the law, and pursuant to a legitimate aim, in a democratic society. Furthermore, it is essential that social protection systems are not exempt from data protection laws. Rather they must build in and respect safeguards including the principles of transparency, lawfulness, fairness, data minimisation, accuracy, storage limitation, integrity and confidentiality of data and significantly accountability. Each of these principles is extremely pertinent in the context of a social protection system such as the support systems provided to asylum seekers.</span></span></span></span></span></p> <p><span><span><span><span><a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/821324/Pack_A_-_English_-_Web.pdf"><span>Documentation published by the Home Office</span></a><span> on the ASPEN Card, indicates that “the Home Office and our providers will protect and keep your personal information confidential.” </span></span></span></span></span></p> <p><span><span><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">In response to a written question submitted by a Member of Parliament on 6 February 2019 </span><a href="https://www.parliament.uk/business/publications/written-questions-answers-statements/written-question/Commons/2019-02-06/217612/"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">the Government</span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"> claimed that “The terms and conditions relating to Aspen usage received appropriate legal scrutiny prior to being published and make it clear that personal data will be used only for the prevention of fraud and to preserve the integrity of the scheme which includes ensuring the welfare of card user”. </span><span>But it is not clear what safeguards, such as privacy policies, agreements, impact assessments are in place or have been carried out in relation to the processing activities of both the Home Office and partners, i.e. such as Sodexo or agencies with whom the Home Office may share this information.</span></span></span></span></span></p> <p><span><span><span><span><span>In response to </span><a href="https://www.parliament.uk/business/publications/written-questions-answers-statements/written-question/Commons/2019-02-06/217611/"><span>another questioned submitted</span></a><span> by a Member of Parliament which asked whether the Home Officer had undertaken “a Data protection impact assessment (a) or (b) after the introduction of the Aspen card in asylum support arrangements”, the </span><span> Government responded that: “The introduction of Aspen (2016) pre-dates the requirement for a data protection impact assessment (DPIA), which was introduced as part of the General Data Protection Regulation (GDPR). Appropriate legal advice was nevertheless obtained prior to the scheme being launched. In line with good practice, a review of current practice is being conducted to ensure that it is compliant with the GDPR, which will include the completion of a DPIA.” </span></span></span></span></span></p> <p><span><span><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">Whilst undertaking a DPIA is a new obligation under </span><span>GDPR, such assessments (also referred to previously as Privacy Impact Assessments, PIAs) “have been used for many years as a good practice measure to identify and minimise privacy risks associated with new projects” as </span><a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/what-s-new-under-the-gdpr/"><span>noted by the UK Information Commissioner’s Office</span></a><span>. That in spite of such guidance and what is now a legal requirement to carry out a DPIA for this type of processing, it is deeply concerning if no such assessment has been carried out.   Given the rights implications of this programme it is imperative that if not done already a DPIA as well as an Equality and Human Rights Impact Assessment be carried out and made public.</span></span></span></span></span></p> <h4><span><span><span><span><em><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">What does the “immigration enforcement” exemption under DPA 2018 mean for the recipients of support through the ASPEN card?</span></em></span></span></span></span></h4> <p><span><span><span><span>It is unclear how the collection, use and sharing of ASPEN Card data is impacted by the exemption in <a href="http://www.legislation.gov.uk/ukpga/2018/12/schedule/2/enacted">paragraph 4 of Schedule 2 to the Data Protection Act 2018</a>,  which provides broad exemption for “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of immigration control.” </span></span></span></span></p> <p><span><span><span><span>Privacy International together with others <a href="https://privacyinternational.org/blog/2074/uk-data-protection-act-2018-339-pages-still-falls-short-human-rights-protection">raised significant human rights concerns</a> about the inclusion of this exemption during the passage of the Data Protection Act 2018. It is currently the subject of a </span><a href="https://www.openrightsgroup.org/press/releases/2019/open-rights-group-and-the3million-seek-to-appeal-immigration-exemption-judgment"><span>legal challenge</span></a><span><span><span> and <a href="https://privacyinternational.org/news-analysis/3064/privacy-international-joining-migrant-organisations-challenge-uks-immigration">a complaint</a></span></span></span><span>. In the meantime, this exemption renders the use of data, such as through the ASPEN card even more problematic and worrisome for the protection of asylum seekers who already find themselves in vulnerable and precarious situations with limited avenues of redress.</span></span></span></span></p> <h4><span><span><span><em><span>Scrutinising and regulating public-private partnerships</span></em></span></span></span></h4> <p><span><span><span><span>Concerns around the partnership between the Home Office’s ASPEN card programme, and Sodexo are exacerbated by the lack of transparency, as highlighted </span><a href="https://www.parliament.uk/business/publications/written-questions-answers-statements/written-question/Commons/2019-09-24/290395/"><span>by the refusal of the Home Office</span></a><span> to comment on the current and future contract with Sodexo as recently as September 2019. As noted above, it is also unclear what data protection and privacy policies, agreements and impact assessments (if any) govern this partnership between the Home Office and Sodexo.</span></span></span></span></p> <p><span><span><span><span>Inviting corporate partners like Sodexo to manage smart (debit) card systems for welfare management has had consequences in other contexts and Sodexo has been at the centre of a fair few controversies. For example, in 2016, </span><a href="https://www.theguardian.com/world/2016/dec/08/revealedrio-tinto-surveillance-station-plans-to-use-drones-to-monitors-staffs-private-lives"><span>privacy advocates raised concerns</span></a><span> after the Rio Tinto mining company contracted Sodexo to create a surveillance system of staff in mining camps in Western Australia. It was reported that the contract was for ten years of facilities management and included a plan to dramatically increase surveillance of the Rio Tinto assets via a platform that live streamed information to a monitoring station in Perth staffed by 50 people. </span></span></span></span></p> <p><span><span><span><span>In the UK, Sodexo </span><a href="https://www.independent.co.uk/news/business/sodexo-is-ruining-probation-centres-officers-claim-there-is-no-privacy-a6859946.html"><span>came under fierce criticism</span></a><span> back in 2016 for their management of the outsourced probation service, and in particular for the company’s disregard for the privacy and wellbeing of service users. A separate incident surfaced in June 2019, as United Voices of the World (UVW), a trade union which supports precarious, low-paid and predominantly migrant workers in the UK, </span><a href="https://www.uvwunion.org.uk/stmarysworkers?fbclid=IwAR0vrsA0QsU79IFYslYwI8Hu5LxgpfLJHGeCCjE9R7LwXyClRRH4_HchoD8"><span>initiated a campaign</span></a><span> to fight against the poor treatment and unequal pay of Sodexo employees at Saint Mary’s Hospital, London the majority of whom are migrant workers. </span></span></span></span></p> <p><span><span><span><span>Going back to the Aspen Card contract, in response to <a href="https://www.parliament.uk/business/publications/written-questions-answers-statements/written-question/Commons/2019-06-04/260051/">questions submitted by a Member of Parliament in June 2019</a>, the Government responded that “The Home Office’s contract to provide financial support to asylum seekers through an Aspen Card will expire on 27 November 2019 (with the option to extend for a further 6 months to 27 May 2020).” When asked in early September 2019 by a Member of Parliament as to whether the contract between Sodexo and the Home Office would be extended, the answer given by the Government was that “The Home Office intend to extend the contract for three months but reserve the right to extend for a further three months if required.”</span></span></span></span></p> <h2><span><span><span><strong><span>Conclusion</span></strong></span></span></span></h2> <p><span><span><span><span>The imposition of the ASPEN Card on those who are marginalised and unable to resist is no accident. It enables the Home Office and those they work with (in this case Sodexo) to test and develop new forms of surveillance, relying on the general public to turn a blind-eye to deeply concerning practices, because they seemingly only affect people on the margins. The Home Office gathers information about asylum seekers under the pretext of streamlining administrative processes. But as the ASPEN programme gradually expands, it would be short sighted not to wonder whether similar systems may be rolled out to other benefit claimants in the UK in the future.  </span></span></span></span></p> <p><span><span><span><span>Systems designed to support asylum seekers must be designed to protect rights from the onset and where they fail to do so, human rights, data protection and other legal tools should and must be used to scrutinise and where necessary challenge them. “All human rights are universal, indivisible and interdependent and interrelated", and so asylum seekers should not have to trade off their right to privacy to enjoy their right to asylum and to social protection and their ability to live in dignity. Current practices in the UK, as highlighted by the ASPEN Card programme, risk doing just the opposite.</span></span></span></span></p></div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/public-services-recipients" hreflang="en">Public services recipients</a></div> <div class="field__item"><a href="/topics/economic-social-and-cultural-rights" hreflang="en">Economic, social and cultural rights</a></div> <div class="field__item"><a href="/learning-topics/immigration-enforcement" hreflang="en">Immigration Enforcement</a></div> <div class="field__item"><a href="/learning-topics/migrants" hreflang="en">Migrants</a></div> <div class="field__item"><a href="/topics/social-protection-programmes" hreflang="en">Social protection programmes</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/realise-our-rights-live-dignity" hreflang="en">Realise Our Rights to Live with Dignity</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-attachments field--type-file field--label-inline"> <div class="field__label">Attachments</div> <div class="field__items"> <div class="field__item"> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2019-10/Home%20Office_ASPEN%20Letter.pdf" type="application/pdf; length=1358251" title="Home Office_ASPEN Letter.pdf">Home Office_Aspen Letter</a></span> </div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-above"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><a href="/target/government" hreflang="en">Government</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/when-big-brother-pays-your-benefits" hreflang="en">When Big Brother Pays Your Benefits</a></div> </div> </div> <div class="field field--name-field-type-of-abuse field--type-entity-reference field--label-above"> <div class="field__label">Type of abuse</div> <div class="field__items"> <div class="field__item"><a href="/examples/migrants" hreflang="en">Migrants</a></div> <div class="field__item"><a href="/examples/recipients-aid" hreflang="en">Recipients of aid</a></div> </div> </div> <div class="field field--name-field-audience-and-purpose field--type-entity-reference field--label-above"> <div class="field__label">Audiences and Purpose</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/630" hreflang="en">Helping experts with our analyses</a></div> </div> </div> Wed, 16 Oct 2019 19:49:02 +0000 staff 3259 at http://privacyinternational.org #PrivacyWins: EU Border Guards Cancel Plans to Spy on Social Media (for now) http://privacyinternational.org/long-read/3288/privacywins-eu-border-guards-cancel-plans-spy-social-media-now <span class="field field--name-title field--type-string field--label-hidden">#PrivacyWins: EU Border Guards Cancel Plans to Spy on Social Media (for now)</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Tuesday, November 19, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>As any data protection lawyer and privacy activist will attest, there’s nothing like a well-designed and enforced data protection law to keep the totalitarian tendencies of modern Big Brother in check.</p> <p>While the EU’s data protection rules aren’t perfect, they at least provide some limits over how far EU bodies, governments and corporations can go when they decide to spy on people.</p> <p>This is something the bloc’s border control agency, Frontex, learned recently after coming up with a plan to monitor the internet use of migrants and civil society. After publishing a tender inviting surveillance companies to bid for the project, they mysteriously cancelled it less than a month later while facing questions as to whether such spying was even allowed under data protection regulations.</p> <h3 id="Cancelled">#Cancelled</h3> <p><a href="https://etendering.ted.europa.eu/cft/cft-display.html?cftId=5471">Published in September</a>, the agency planned to give up to €400,000 to a surveillance company to track people on social media so that border guards “<em>would have an understanding of the current landscape</em>” as well as “<em>a strategical warning system on changes such as the socio-political, economic or human security environment that could pose challenges to Frontex policies</em>.” (Essentially, they wanted to spy on their social media to see what they were up to).</p> <p>But why stop short at spying on migrants themselves? In addition to gathering “<em>data and analysis of relevant actors using social media: migrants; traffickers/smugglers</em>”, Frontex also wanted to monitor “<em>civil society and diaspora communities in destinations (EU).</em>”</p> <p>To be clear, it makes absolutely no difference if a border authority wants to monitor a migrant abroad or someone residing in Europe. But legally, people in the EU are afforded better legal protections, so in reality this was a particularly problematic thing to try and pull off.</p> <p>At this stage, NGOs such as <a href="https://www.statewatch.org/">Statewatch</a> and journalists at <a href="https://www.mediapart.fr/journal/international/181019/migrants-frontex-veut-detecter-la-menace-grace-aux-reseaux-sociaux">Mediapart</a> had noticed the tender, leading to Frontex having to defend the project by claiming, to the bemusement of some of Privacy International’s data protection experts, that “<em>the required service does not entail collecting, processing, sharing or storing of any personal data by the European Border and Coast Guard Agency</em>”.</p> <h3 id="Hey-Frontex-let-me-ask-you-a-question…">Hey Frontex, let me ask you a question…</h3> <p>So with that in mind, Privacy International set up an account on the procurement website, and asked them some pretty detailed questions to find out how they came to the conclusions they did, and if they had gone through the necessary checks to make sure their plan was legal.</p> <p> </p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-hidden field__items"> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-11/Screenshot%202019-11-19%20at%2011.12.32_1.png" width="634" height="546" alt="PI questions" typeof="foaf:Image" /> </div> <div class="field field--name-field-caption field--type-string field--label-hidden field__item">As Yet Unanswered Questions Submitted by Privacy International on eTendering Website</div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p> </p> <p>These questions were based on a single legal instrument, Regulation 2018/1725, which is the equivalent of the <a href="https://privacyinternational.org/topics/general-data-protection-regulation-gdpr/all">GDPR</a> for EU institutions and is thus meant to regulate how EU bodies like Frontex process personal data. Similar to other questions, the agency would have had to publish the answers on the tender site.</p> <p>Two days later however, they issued this update:</p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-11/Screenshot%202019-11-19%20at%2011.13.52_0.png" width="645" height="198" alt="Cancellation" typeof="foaf:Image" /> </div> <div class="field field--name-field-caption field--type-string field--label-hidden field__item">Notification of Tender Cancellation</div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p> </p> <p>They told the journalist it was because of “<em>the upcoming entry into force of the new European Border and Coast Guard Regulation</em>.” But this doesn’t seem credible, suggesting that the agency has only now become aware of the Regulation which governs its own mandate and <a href="https://www.consilium.europa.eu/en/press/press-releases/2019/04/01/european-border-and-coast-guard-council-confirms-agreement-on-stronger-mandate/">proposed</a> last year.</p> <h3 id="Is-Fortress-Europe-Monitoring-you">Is Fortress Europe Monitoring You?</h3> <p>Contrary to some reporting, the EU isn’t some border-free zone full of refugees – it currently <a href="https://www.unhcr.org/5d08d7ee7.pdf">hosts</a> some 14% of the world’s refugees (if you exclude Turkey, which by itself hosts some 18%). Instead, as authoritarians and populists have come to power “Fortress Europe” has never been more fortified. Frontex is likely to get a budget of €420.6m next year <a href="https://euobserver.com/tickers/145089">according</a> to EUObserver, a 34.6 percent increase compared to 2019. Frontex <a href="https://frontex.europa.eu/faq/key-facts/">started</a> with a budget of €6m in 2005.</p> <p>So what will Frontex use all this money on? Well, hopefully not on spying on <a href="https://privacyinternational.org/what-we-do/protect-people-and-communities-online">people</a> because they’re <a href="https://privacyinternational.org/campaigns/protecting-migrants-borders-and-beyond">migrants</a> or somehow in contact with migrants.</p> <p>If they do, there will be some equally good monitoring by journalists and civil society looking to keep them in check. Watch this space.</p> <p> </p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><div class="video-js vjs-default-skin vjs-big-play-centered" style="width: 100%; height: 0; position: relative; padding-bottom: 56.25%;">Watch our 1 minute video about trying to get answers out of Frontex: <iframe width="560" height="315" sandbox="allow-same-origin allow-scripts" src="https://media.privacyinternational.org/videos/embed/9caa9bfa-ef73-4a38-9ea9-3d6f6e1ccaeb?warningTitle=0" frameborder="0" allowfullscreen=""></iframe> <div> <p> </p> </div> </div> </div> </div> </div> </div> Tue, 19 Nov 2019 11:20:33 +0000 staff 3288 at http://privacyinternational.org Op-ed: The Unequal Application of Advertising Transparency http://privacyinternational.org/news-analysis/3283/op-ed-unequal-application-advertising-transparency <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This op-ed originally <a href="https://disinfoportal.org/the-unequal-application-of-advertising-transparency/">appeared</a> on the Atlantic Council's Disinfo Portal.</p> <p><em>While these concerns are held by societies globally, Privacy International’s (PI) recent analysis shows that in jurisdictions where companies have been under pressure to act—by governments and institutions such as the EU, or civil society—they have adopted self-regulatory practices. But they have failed to apply this heightened transparency elsewhere. </em></p> <p>The role of social media and search engine companies in political campaigning and elections is under scrutiny. Concerns range from the spread of disinformation and profiling users without their knowledge, to micro-targeting users with tailored messages, and foreign election interference. Significant attention has been paid to the transparency of political ads, and more broadly to the transparency of online ads.</p> <p>While these concerns are held by societies globally, Privacy International’s (PI) recent <a href="https://privacyinternational.org/sites/default/files/2019-10/cop-2019_0.pdf">analysis</a> shows that in jurisdictions where companies have been under pressure to act—by governments and institutions such as the EU, or civil society—they have adopted self-regulatory practices. But they have failed to apply this heightened transparency elsewhere.</p> <p>In our analysis, PI examined the steps Facebook, Google, and Twitter have taken to provide advertising transparency to their users globally. We found that the companies have taken a blatantly fragmented approach to providing users with such transparency. Most users around the world lack meaningful insight into how ads are being targeted through these platforms.</p> <p>For example, we found that Facebook requires heightened transparency for political ads in just thirty-five countries—roughly 17 percent. This means that in 83 percent of countries the company does not require political advertisers to become authorized, for political ads to carry disclosures, or for ads to be archived. However, even when Facebook requires political advertisers in a country to become authorized—in advance of the 2019 elections in Argentina and Ukraine, for example—PI <a href="https://privacyinternational.org/long-read/2822/truth-exists-you-have-find-it-fighting-disinformation-facebook-ukraine">has heard from local organizations</a> that the timing of the roll out was far too late to be meaningful, among other problems. PI’s Indonesian partners ELSAM found that the problem was particularly bad in their country, which has a population of 264 million, recently held elections, and where Facebook is the most-used social media platform. There the social media network provides no political ad transparency.</p> <p>Google, on the other hand, provides heightened transparency for political ads in just thirty countries—roughly 15 percent of the countries in the world. The transparency it provides users about who is being targeted with those ads is shockingly lax—it provides only ranges of impressions that an ad made, such as ten thousand to one hundred thousand, instead of exact impression data. This means that, in effect, it is not possible to understand political micro-targeting on Google.</p> <p>Furthermore, Google has not defined what it considers to be political issues, and therefore insight into what issue ads have run or are running, and to whom they are being shown, is impossible. It is telling that Google has in the past <a href="https://www.washingtonpost.com/technology/2019/10/14/what-you-do-internet-is-worth-lot-exactly-how-much-nobody-knows/">earned</a> 32.6 billion US dollars in one quarter from digital ads, but is unwilling to provide users with meaningful transparency about how those ads target them. Google did not respond to PI requests.</p> <p>Twitter recently announced that it would ban political advertising. PI is concerned that such a ban will let the platform off the hook for its invasive and opaque ad-targeting capabilities. Before the announcement, Twitter provided heightened transparency for ads tied to specific elections rather than political ads more generally in only thirty-two countries, roughly 16 percent of the countries in the world.</p> <p>Outside of the United States, Twitter did not treat political ads or political issue ads differently from promoted tweets, meaning that these ads—which are political, but not tied to an election—ran without transparency. For example, within the analysis, PI showed how a United Kingdom Brexit campaign ad was run without being marked as political, and therefore no targeting information was provided. The ad has since been deleted from Twitter’s archive. It’s unclear if and how Twitter’s ban on political ads will also address promoted ads, which are political in nature but do not related to an election.</p> <p>Unfortunately, well-financed political actors will likely be able to work around the bans and find other ways to use the platforms’ advertising systems to reach their desired audiences, and smaller political actors—whose budgets depend on reaching people via these platforms—may be sidelined and silenced.</p> <p>But, simply banning political ads misses the larger picture; Twitter, Facebook, and Google’s business models are dependent on problematic data collection and opaque targeting. PI believes that the ‘back end’ of content—the design choices, algorithms, and data which ultimately drive and shape the content that we see—deserves more attention and consideration for the knock-on role it can have on political campaigns and democratic debate.</p> <p>Facebook, Google, and Twitter’s deliberate decision to provide some users with better transparency and others with nothing, is unacceptable. At present, people using these platforms are not able to understand why they are targeted with any ad, much less a political one. How advertisers target users on social media and search engine platforms is incredibly complex and can involve targeting tools provided by platforms, or data compiled by advertisers and their sources, such as data brokers. Given the granularity with which advertisers are able to target users on these platforms, they ought to provide much more information about how advertisers are targeting users and why users are seeing an ad.</p> <p><em>Sara Nelson works on advertising transparency as a part of <a href="https://www.privacyinternational.org/">Privacy International’s</a> Defending Democracy and Dissent portfolio. She headed up PI’s analysis on shortcomings of online platforms commitments as outlined in European Commission Code of Practice on Disinformation, as well as globally, in relation to online political and issue-based advertising transparency.</em></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/PI_Map_1.gif" width="1024" height="512" alt="The Unequal Application of Advertising Transparency" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/PI_Map_1_0.gif" width="1024" height="512" alt="The Unequal Application of Advertising Transparency" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/PI_Map_1_1.gif" width="1024" height="512" alt="The Unequal Application of Advertising Transparency" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/learning-topics/data-and-elections" hreflang="en">Data and Elections</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/empowering-people-advertising-transparency" hreflang="en">Empowering people with advertising transparency</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/577" hreflang="en">Facebook</a></div> <div class="field__item"><a href="/taxonomy/term/578" hreflang="en">Google</a></div> </div> </div> </div> </div> Mon, 18 Nov 2019 17:07:38 +0000 tech-admin 3283 at http://privacyinternational.org Can the police limit what they extract from your phone? http://privacyinternational.org/news-analysis/3281/can-police-limit-what-they-extract-your-phone <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Photo by <a href="https://unsplash.com/@alexkixa?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Alexandre Debiève</a> on <a href="https://unsplash.com/s/photos/digital?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></p> <p>In the last few months strong concerns have been raised in the UK about how police use of mobile phone extraction dissuades rape survivors from handing over their devices: according to a <a href="https://www.theguardian.com/society/2019/nov/10/half-of-victims-drop-out-of-cases-even-after-suspect-is-identified">Cabinet Office report leaked to the Guardian</a>, almost half of rape victims are dropping out of investigations even when a suspect has been identified. The length of time it takes to conduct extractions (with <a href="https://www.standard.co.uk/news/crime/rape-victims-paying-phone-bills-for-months-while-police-search-mobiles-investigation-finds-a4283391.html">victims paying bills whilst the phone is with the police</a>) and the volume of data obtained by the police are key areas. </p> <blockquote> <p>&gt; Mobile phone extraction involves the collection of vast quantities of data. Read the types of data that can be extracted <a href="https://privacyinternational.org/news-analysis/2840/what-types-data-can-law-enforcement-extract-my-phone">here</a>  </p> </blockquote> <p>To address fears that the police unreasonably grab everything - from your browsing history to all your messages and photos, potentially going back many years, one response is that they should limit what they extract. But is selective extraction possible, the idea that you can reduce what the police obtain from mobile phones? </p> <p><img alt="extracted data" data-entity-type="file" data-entity-uuid="57b2d434-70ff-43a3-8c04-e6846a925515" src="/sites/default/files/inline-images/MPE2_0_1.png" /></p> <p>Israeli company Cellebrite, a lead manufacturer of data extraction devices<a href="https://privacyinternational.org/sites/default/files/2019-11/How%20Selective%20Extraction%20can%20help%20to%20deliver%20a%20better%20justice%20system%20for%20the%20victims%20and%20survivors%20o.pdf"> states that the</a> "Cellebrite Digital Intelligence Platform now supports Selective Extraction, meaning that police investigators need only collect data from a device that is strictly relevant to the case in question."</p> <p>Our <a href="https://privacyinternational.org/report/3202/old-law-new-tech-and-continue-opacity-police-scotlands-use-mobile-phone-extraction">investigation into Police Scotland's Cellebrite</a> 'cyber kiosks' reveals that the reality is perhaps more complicated. Despite stating they can limit what is 'viewed' by police, it is unclear whether the police still extract everything and then apply search parameters. </p> <p>In addition, there are questions about whether it would be technically possible and forensically sound to limit a data type by date and time, given that you are then relying on the accuracy of a phone's time zone settings and how the data is stored. So is the reality, that the police could only limit via type e.g. messages and browsing history, but not by time or date? </p> <p>It is imperative that there is honesty as to the capabilities of extraction devices and clarity on what is taking place at a technical level. This is not only so that victims rights are protected, but to ensure against the potential for abuse and misuse of personal data and to guarantee highly sensitive data is held securely. We've put some key questions that need to be asked in relation to selective extraction below. </p> <h3><strong>What did we find out in Scotland</strong></h3> <p>The Scottish Justice Sub-Committee on policing have conducted a <a href="https://privacyinternational.org/report/3202/old-law-new-tech-and-continue-opacity-police-scotlands-use-mobile-phone-extraction">lengthy inquiry</a> into the proposed deployment of 'cyber kiosks' by Police Scotland. The process is different to how extraction is conducted in the rest of England and Wales - whilst cyber kiosks have the capability to store data, this has not been enabled. Instead the cyber kiosks are used as a 'triage' to identify devices that are of evidential value. If as a consequence of the kiosk triage items of evidential value are identified, then progression would be made for that device to be submitted to one of the Police Scotland Digital Forensic Hubs for detailed examination. </p> <p>The kiosks are only used 'where the evidential relevance of the device is unknown' which may not in fact be the case in relation to a rape survivor who states what evidence is on their phone. Nevertheless, the comments made in relation to the ability to view data in a targeted and focused way may be informative of how selective extraction is purported to work. Unfortunately Police Scotland have refused to provide any information on Digital Forensic Hubs, where they do indeed extract data.</p> <p>Police Scotland's <a href="https://privacyinternational.org/report/3202/old-law-new-tech-and-continue-opacity-police-scotlands-use-mobile-phone-extraction">data protection impact assessment</a> states that cyber kiosks can<em> 'view data on a device in a targeted and focused way i.e. only looking at what is necessary.'</em> This is done via 'selected parameters' which <em>'refer to the areas of the device within which the kiosk has detected the existence of data available to view and to which filters are applied such as Text Messages, Cal Data, Chat (Whatsapp/Snapchat), Multimedia (Audio, Video, Photographs), Internet history, Email, etc - This also includes the ability to limit the search using a date range or keyword search criteria.'</em></p> <p><strong>&gt; What is not clear, is whether using search parameters means that selective extraction is only applied at the viewing stage. But in order to obtain the data for the police officer to view, a broader extraction takes place. This is where clarity is essential. </strong></p> <p>It is further unclear, if the purpose is not simply 'view only' as is the case in Scotland using cyber kiosks, but to copy or extract the data, whether extraction can be limited in the way that may be possible if you are just wanting to view the data. Put simply, we don't know whether selective extraction is possible at the collection stage, what selective means in terms of the level of granularity and whether in fact selective extraction refers to search parameters at the later analysis stage. </p> <p>Whether it is technically possible to limit at the extraction/collection stage relates to the fact that <a href="https://privacyinternational.org/long-read/3256/technical-look-phone-extraction">extracting data is complicated</a>. It can depend on what phone you are using, the operating system and which types of extraction is used. The types of data that Police Scotland state in the data protection assessment that they can obtain, such as deleted data, indicates the use of certain methods of extraction (i.e. physical extraction) where it may not be possible to limit the types of data extracted, simply because of the way this extraction works.</p> <p>In <a href="https://www.youtube.com/watch?v=7B1zf8nFJr8">Cellebrite video on selective extraction using the UFED Ultimate 7.15</a> it instructs that a file system extraction is the method to use. Does this mean that selective extraction only works if you are able to carry out a file system extraction? The video explainer then instructs that you can 'Select the required apps to extract', but does not indicate any further limitation by date and time for example. So if the police inform a victim that they will only use selective extraction, this doesn't mean one or two messages, but all your WhatsApp messages, being communications with numerous individuals, including contact information, shared links, images and going back potentially years. </p> <p><img alt="Cellebrite video" data-entity-type="file" data-entity-uuid="95e01199-3646-4b35-8d45-6f195f2c8c06" src="/sites/default/files/inline-images/Screenshot%202019-11-14%20at%2016.46.06.png" /></p> <p>Even limiting by type still means a lot more data is collected than the owner of the phone may realise or understand. <a href="https://www.youtube.com/watch?v=7B1zf8nFJr8">Cellebrite state in their video</a> that <em>"the extracted app data includes folders and files associated with the app such as databases, APKs, images and keys"</em>. The paucity of information means we just do not know the technical reality. </p> <p><img alt="app data obtained" data-entity-type="file" data-entity-uuid="2e464231-6531-4f43-a07b-42c67905d208" src="/sites/default/files/inline-images/Screenshot%202019-11-14%20at%2016.47.20.png" /></p> <p>Police Scotland have <a href="https://privacyinternational.org/report/3202/old-law-new-tech-and-continue-opacity-police-scotlands-use-mobile-phone-extraction">stated</a> that whilst search parameters can be used, they would not guarantee they would be used on every occasion because<em> 'the data that would potentially be pertinent to an inquiry depends on what is under investigation.'</em> They have also said that<em> "it is possible that much of the data on a device may not be relevant to the investigation, but some of this may be assessed during triage and if irrelevant will be disregarded."</em></p> <p>That it is possible to search without parameteres and to look and then 'disregard' again raises questions about how selective extraction works on a technical level. </p> <p>All these questions not only support the need for clarity, but the complexity of the issue means that strict safeguards and independent audit must be in place. Unfortunately, to date, Privacy International have discovered that for many police forces, information that extractions have taken place, against whom, why and for what (i.e. not the data obtained itself but whether extractions have taken place) is not centrally recorded which makes audit impossible. </p> <p><strong>Detailed questions must be asked if we are to accept, on a technical level that the police really could and will limit what they extract, analyse and retain. </strong>As we have repeatedly said, mobile phone extraction is an area that needs effective scrutiny, clear legislation and public consultation. We are further concerned that a <a href="https://privacyinternational.org/news-analysis/2901/push-button-evidence">failure of the police to understand the tech</a> or a failure to properly explain how it is working, could further undermine individuals' right to privacy.</p> <h3><img alt="MPE extraction flow" data-entity-type="file" data-entity-uuid="f480cd4c-0507-41d5-8512-3c5dbf8fd276" src="/sites/default/files/inline-images/mobile-extraction-graphic-07_1_0.jpg" /></h3> <h3>Ideas for questions to ask</h3> <p>If you are looking at the use of selective extraction, whether you are a lawyer, organisation working with victims or individual seeking to make a Freedom of Information request, we think the follow questions should be considered: </p> <blockquote> <p>1. Does the extraction device work by extracting all data and then limiting what a police officer can view via searches? i.e. the selective extraction is actually selective at the analysis stage rather than the collection stage. <br /> 2. Or can you limit the types of data that are extracted from the phone? <br /> 3. Or can you limit the type and date range of data that is extracted from a phone? <br /> 4. Is it technically possible to apply search parameters to search the phone without conducting extraction?<br /> 5. If you extract all data / all data of a certain type and then limit at the analysis stage, is all the data collected and retained, even if it is not searched or subject to analysis?<br /> 6. What processes and procedures do you have in place to ensure that selective extraction is in fact carried rather than broader search. <br /> 7. Is the system set up to ensure that it possible for independent audit to take place to review whether selective extraction has been misused, abused or officers have collected, analysed or retained more data than was expected / reasonable.</p> </blockquote> <h3>Is selective extraction enough?</h3> <p>Even should selective extraction be achieved, this is insufficient on its own to protect the rights of those subject to mobile phone extraction. </p> <p>Mobile phone extraction technologies present great risks to privacy and we make the following recommendations in relation to use of this technology:</p> <p><strong>1. A search of a person’s phone can be more invasive than a search of their home, not only for the quantity and detail of information but also the historical nature. The state should not have unfettered access to the totality of someone’s life and the use of Mobile Phone Extraction requires the strictest of protections.</strong></p> <p><strong>2. The police must have a warrant issued on the basis of reasonable suspicion by a judge before forensically examining any suspect’s smartphone, or otherwise accessing any content or communications data stored on the phone.</strong></p> <p><strong>3. A clear legal basis must be in place to inspect, collect, store and analyse data from devices. </strong></p> <p><strong>4. Reliance on consent is fundamentally problematic given the power imbalance inherent in the relationship between an individual and the police. Reliance on consent as the sole legal basis falls short of the requirements of the Law Enforcement Directive and there must be a basis in law.</strong></p> <p><strong>5. There must be adequate safeguards to ensure intrusive powers are only used when necessary and proportionate. If law enforcement are to use vulnerabilities that constitute hacking, given the risk to device security, it needs to be considered whether this is ever proportionate.</strong></p> <p><strong>6. The analysis of necessity and proportionality should include any effect the police action may have on the security and integrity of the mobile phone examined, or mobile devices more generally.</strong></p> <p><strong>7. The owner and user(s) of any phone examined should be notified that the examination has taken place.</strong></p> <p><strong>8. Anyone who has had their phone examined should have access to an effective remedy where any concerns regarding lawfulness can be raised.</strong></p> <p><strong>9. There must be independent oversight of the compliance by the police of the lawful use of these powers.</strong></p> <p><strong>10. Cyber security standards should be agreed specifying how data must be stored, when it must be deleted, and who can access. </strong></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/alexandre-debieve-FO7JIlwjOtU-unsplash_0.jpg" width="4608" height="3073" alt="processor board" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/alexandre-debieve-FO7JIlwjOtU-unsplash_2.jpg" width="4608" height="3073" alt="processor board" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/alexandre-debieve-FO7JIlwjOtU-unsplash_4.jpg" width="4608" height="3073" alt="processor board" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/expose-invisible-data-placed-beyond-our-control" hreflang="en">Expose Invisible Data Placed Beyond Our Control</a></div> <div class="field__item"><a href="/our-interventions/protecting-civic-spaces" hreflang="en">Protecting Civic Spaces</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/policing" hreflang="en">Policing</a></div> <div class="field__item"><a href="/topics/policing-and-technology" hreflang="en">Policing and Technology</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> </div> </div> <div class="field field--name-field-attachments field--type-file field--label-hidden field__items"> <div class="field__item"><table data-striping="1"> <thead> <tr> <th>Attachment</th> <th>Size</th> </tr> </thead> <tbody> <tr class="odd"> <td> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2019-11/How%20Selective%20Extraction%20can%20help%20to%20deliver%20a%20better%20justice%20system%20for%20the%20victims%20and%20survivors%20o.pdf" type="application/pdf; length=202772">How Selective Extraction can help to deliver a better justice system for the victims and survivors o.pdf</a></span> </td> <td>198.02 KB</td> </tr> </tbody> </table> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/phone-data-extraction" hreflang="en">Phone Data Extraction</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/584" hreflang="en">Cellebrite</a></div> </div> </div> </div> </div> Thu, 14 Nov 2019 11:59:10 +0000 staff 3281 at http://privacyinternational.org Give Google an inch and they’ll take a mile! http://privacyinternational.org/news-analysis/3280/give-google-inch-and-theyll-take-mile <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Yesterday, we found out that Google has been reported to collect health data records as part of a project it has named “<a href="https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790">Project Nightingale</a>”. In a partnership with Ascension, Google has purportedly been amassing data for about a year on patients in 21 US states in the form of lab results, doctor diagnoses and hospitalization records, among other categories, which amount to a complete health history, including patient names and dates of birth.</p> <p>This comes <strong>just days after the news of <a href="https://privacyinternational.org/news-analysis/3276/google-wants-acquire-fitbit-and-we-shouldnt-let-it">Google's acquisition of FitBit</a></strong>, a fitness tracking and health data company for $2.1 billion.</p> <p>Google is currently <a href="https://www.ft.com/content/abcc5070-f68f-11e9-a79c-bc9acae3b654">under investigation in the US</a>, and has a long track record of mergers and acquisitions, as well as competition law infringements in the EU, including <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1516198535804&amp;uri=CELEX:52018XC0112(01)">violations of competition on the search market</a>, on <a href="https://ec.europa.eu/commission/presscorner/detail/en/IP_18_4581">Google Play Store and Android</a>, and on the market for <a href="https://ec.europa.eu/commission/presscorner/detail/en/IP_19_1770">online advertising intermediation</a>.</p> <p>Even if yesterday’s news comes as no big surprise, here’s why it is deeply disturbing:</p> <ul><li> <p>In 2018 alone, Alphabet, Google’s parent company, generated <a href="https://abc.xyz/investor/static/pdf/20180204_alphabet_10K.pdf?cache=11336e3"><strong>85% of its $136.22 billion in revenue from delivering targeted advertisements</strong></a> to the users of their many user-facing services, which include the Android operating system, Google Search, YouTube, Gmail, and many others.</p> </li> <li> <p>Any <strong>additional data</strong> Google gets to have their hands on will only <strong>make them <a href="https://privacyinternational.org/learning-topics/competition-and-data">more powerful</a></strong><a href="https://privacyinternational.org/learning-topics/competition-and-data"> to the detriment of people</a>.</p> </li> <li> <p>Health data is incredibly <strong>sensitive</strong>.</p> </li> <li> <p>In 2015, already, <strong><a href="https://medconfidential.org/whats-the-story/health-data-ai-and-google-deepmind/">1.6 million records were shared</a> from Royal Free Hospital (RFH) in the UK to Google’s DeepMind AI</strong>.</p> </li> <li> <p>Clearly <strong>what Google wants is to be the provider of the infrastructure of healthcare</strong>. All over the world, we are seeing the emergence of a ‘<a href="https://privacyinternational.org/what-we-do/realise-our-rights-live-dignity">government-industry complex</a>’, which designs, manages and implements access to and delivery of health services, amongst other social protection programmes.</p> </li> <li> <p>The <strong>scope of Google’s <a href="https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension">agreement</a> with Ascension is immense</strong>!</p> </li> <li> <p>Even outside of these contracts and efforts, Google already knows a lot about people’s health through their searches, locations and the <a href="https://privacyinternational.org/campaigns/your-mental-health-sale">website they visit</a>.</p> </li> <li> <p>Google also has a <a href="https://cloud.google.com/blog/topics/customers/how-google-and-mayo-clinic-will-transform-the-future-of-healthcare">research agreement with the Mayo Clinic</a> for use of their Cloud; and Google can access anonymised patient information to train algorithms.</p> </li> <li> <p>The Google Page said in 2014: “We’re not really thinking about the tremendous good that can come from people sharing information with the right people in the right ways.” But <strong>patients are being forgotten in this</strong>.</p> </li> </ul><p>It’s high time we acted on this!</p> <p>We are all wiser since the DeepMind and Royal Free Hospitals case.</p> <p>We cannot accept that such an <strong>intrusive data sharing is taking place without users’ explicit consent</strong>.</p> <p>We should not let governments excited about AI sacrifice dignity over profit that secretly feeds into corporate surveillance and allows Google to manipulate, profile and exploit users, and in particular those having to tackle issues of health and well-being. Our health care needs should not be seen as a new market to exploit.</p> <p>We ask for transparency. Was there a public call for this project? If so were the details made public? Patient, citizens and public society should be able to look at the data processing. Necessity of external oversight is crucial for this type of project.</p> <p>We ask for regulators like <a href="https://privacyinternational.org/advocacy/3101/response-cmas-online-platforms-and-digital-advertising-market-study">competition</a> and <a href="https://privacyinternational.org/advocacy/2426/our-complaints-against-acxiom-criteo-equifax-experian-oracle-quantcast-tapad">data protection authorities</a> to scrutinise Google’s data-greedy appetite. If the FitBit and Ascension events don’t act as wake up call, then we honestly don’t know what will.</p> <p>We wonder whether it is possible to build a world where you and your healthcare professionals are involved in decisions about your data and who has access to it. We hope it’s not too late before we find out.</p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/small-PI-Depression-graphics-woman-1.png" width="2000" height="2000" alt="health_data" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/small-PI-Depression-graphics-woman-1_0.png" width="2000" height="2000" alt="health_data" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/small-PI-Depression-graphics-woman-1_1.png" width="2000" height="2000" alt="health_data" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/expose-data-exploitation-data-profiling-and-decision-making" hreflang="en">Expose Data Exploitation: Data, Profiling, and Decision Making</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/adtech" hreflang="en">AdTech</a></div> <div class="field__item"><a href="/learning-topics/competition-and-data" hreflang="en">Competition and Data</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> <div class="field__item"><a href="/learning-topics/data-protection" hreflang="en">Data Protection</a></div> <div class="field__item"><a href="/topics/profiling" hreflang="en">Profiling</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-legal-proceedings field--type-entity-reference field--label-above"> <div class="field__label">Legal Action</div> <div class="field__items"> <div class="field__item"><a href="/legal-action/challenge-hidden-data-ecosystem" hreflang="en">Challenge to Hidden Data Ecosystem</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/empowering-people-advertising-transparency" hreflang="en">Empowering people with advertising transparency</a></div> <div class="field__item"><a href="/campaigns/enhancing-data-protection-standards" hreflang="en">Enhancing Data Protection Standards</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/578" hreflang="en">Google</a></div> </div> </div> </div> </div> Wed, 13 Nov 2019 18:31:39 +0000 staff 3280 at http://privacyinternational.org Google wants to acquire Fitbit, and we shouldn’t let it! http://privacyinternational.org/news-analysis/3276/google-wants-acquire-fitbit-and-we-shouldnt-let-it <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><span>Photo by Ashstar01  (CC BY-SA 3.0)</span></p> <p><em>The lead author of this piece is Elettra Bietti, a doctoral student at Harvard Law School and volunteer for Privacy International.</em></p> <p>Yesterday, we found out that <span><span><span>Google<em> </em>has been collecting a wide range of health data as part of a project it has named “<a href="https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790">Project Nightingale</a>.” Google has purportedly been amassing data for about a year on patients in 21 U.S. states in the form of lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth. <a>Today’s </a>news adds to our concerns around the Google / FitBit merger.</span></span></span></p> <p><span><span><span><strong>The transaction</strong></span></span></span></p> <p><span><span><span>Just a few days ago, Privacy International learned of <a href="https://blog.google/products/hardware/agreement-with-fitbit">Google’s parent Alphabet’s proposed acquisition of Fitbit</a>. </span></span></span></p> <p><span><span><span><a href="https://abc.xyz/investor/">Alphabet</a> is Google’s parent company. In <a href="https://abc.xyz/investor/static/pdf/20180204_alphabet_10K.pdf?cache=11336e3">2018</a>, it generated 85% of its $136.22 billion in revenue from delivering targeted advertisements to the users of their many user-facing services, which include the Android operating system, Google Search, YouTube, Gmail, and many others. </span></span></span></p> <p><span><span><span>Google has a long track record of competition law infringements in the EU, including violations of competition on the <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1516198535804&amp;uri=CELEX:52018XC0112(01)">search market</a>, on <a href="https://europa.eu/rapid/press-release_IP-18-4581_en.htm">Google Play Store and Android</a> and on the market for <a href="https://europa.eu/rapid/press-release_IP-19-1770_en.htm">online advertising intermediation</a>. The company is also currently under investigation in the <a href="https://www.ft.com/content/abcc5070-f68f-11e9-a79c-bc9acae3b654">United States</a> and has a <a href="https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Alphabet">long track record of mergers and acquisitions</a>.</span></span></span></p> <p><span><span><span><a href="http://www.fitbit.com">Fitbit</a> is a company that produces and sells health tracking technologies and wearables including smartwatches, health trackers, smart scales and other health tracking services including via mobile. Fitbit reported a revenue of $1.51 billion in <a href="http://www.annualreports.com/Click/23901">2018</a> and its revenues have increased in <a href="https://investor.fitbit.com/financials/sec-filings/default.aspx">2019</a>. </span></span></span></p> <p><span><span><span>A big part of Fitbit’s value <a href="https://www.techradar.com/uk/news/5-likely-reasons-why-google-just-bought-fitbit">is said</a> to lie in the quality of the health data it possesses. The company’s technologies can track individuals’ daily steps, distance walked or traveled, calories burned, sleep patterns and heart rate. In the recent past, Fitbit has increased its health-related database and health tracking capabilities by acquiring a number of other actors on the health tracking and wearables market, including FitStar, Pebble, Vector and Twine Health. Some of these acquisitions include <a href="https://www.projectcensored.org/business-partnerships-fitbit-health-insurance-companies/">partnerships with health insurers</a> <a href="https://www.fastcompany.com/40578138/how-fitbit-is-trying-to-transform-healthcare-and-itself">as part of efforts to diversify its revenue stream</a>. </span></span></span></p> <p><span><span><span>The merger between these two companies would effectively allow Google/Alphabet to establish itself as an even stronger player in the markets for health data-related services including health tracking devices. Most significantly perhaps, the merger could potentially allow the company to enrich any large datasets and detailed consumer profiles it may hold with sophisticated real time data about individuals’ health conditions and needs, as well as general information about their daily behaviour and bodily rhythms. <a href="https://www.wired.co.uk/article/google-buying-fitbit-health-data-privacy">Anything</a> Google/Alphabet is planning to do with Fitbit’s data is concerning to us.</span></span></span></p> <h3><span><span><span><strong>Our concerns</strong></span></span></span></h3> <p><span><span><span>A merger between these two companies raises a number of significant competition and privacy concerns, related to the potential uses that Google could make of Fitbit’s valuable health data, to the pooling of data between these two entities, and to the exclusionary potential of Google’s entry on the health tracking market. We are dismayed that sensitive health data such as the data currently controlled by Fitbit could become combined with that of a dominant digital platform such as Google, with the potential to be spread and reused in circumstances likely to impair people’s privacy, <a href="https://privacyinternational.org/long-read/3065/pi-presents-our-strategy-safeguarding-peoples-dignity">dignity</a> and entitlement to <a href="https://privacyinternational.org/campaigns/when-big-brother-pays-your-benefits">equal treatment</a>.</span></span></span></p> <p><span><span><span>Privacy International has already <a href="https://assets.publishing.service.gov.uk/media/5d6e29c3ed915d53adcf51e2/190730_Privacy_International_-_Response_to_Statement_of_Scope_-_non-confidential.pdf">asked the Competition and Markets A</a><span><span>uthority in the UK</span></span> to consider the impact of data concentration on the operation of digital markets, particularly how the use of large amounts of personal data by dominant platforms like Google can lead to various forms of consumer exploitation in the form of microtargeting and discrimination. In this regard, the European Data Protection Board (EDPB) has also noted that the increase in the concentration of digital markets “<a href="https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf"><em>has the potential to threaten the level of data protection and</em> <em>freedom enjoyed by consumers of digital services</em></a>”.</span></span></span></p> <p><span><span><span>While in their Press Release, Fitbit state that their “<a href="https://investor.fitbit.com/press/press-releases/press-release-details/2019/Fitbit-to-Be-Acquired-by-Google/default.aspx">health and wellness data will not be used for Google ads,</a>” in the past similar statements have been made to the European Commission in relation to mergers that have resulted in pervasive and problematic data sharing schemes between the merging entities. Two examples are the <a href="https://ec.europa.eu/competition/mergers/cases/decisions/m4731_20080311_20682_en.pdf">Google / Doubleclick</a> merger and the <a href="https://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf">Facebook / Whatsapp</a> merger, which led to a number of decisions finding that the parties had misled competition regulators (see e.g. <a href="https://europa.eu/rapid/press-release_IP-17-1369_en.htm">here</a>).</span></span></span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span><span> In light of Google’s own efforts to gather health data independently, we are concerned about the effects on individuals of possible combinations of the two merging parties’ already large health databases.</span></span></span></p> <h3><span><span><span><strong>The harms at stake</strong></span></span></span></h3> <p><span><span><span>Google is dominant on the market for online and mobile advertising practices, at least since its acquisition of Doubleclick in 2008, and has been <a href="https://europa.eu/rapid/press-release_IP-19-1770_en.htm">abusing</a> its dominance on that market. If this merger goes through, the merged entity could significantly contribute to creating a state of affairs where individuals are shown online advertisements and are sold products not only – and alarmingly - in connection to their sensitive health conditions, but also in relation to their general bodily sensitivity, including real-time physical reactions, moods and behaviors. We would thus quickly be verging toward an environment in which our moods and physical reactions could be second-guessed before we even have an ability to understand them.</span></span></span></p> <p><span><span><span>Medical data is probably among the most sensitive of data; you would not share them with anyone besides your doctor or close family members, if at all. Last year we learned that <a href="https://www.vox.com/2018/4/2/17189078/grindr-hiv-status-data-sharing-privacy">Grindr, the LGBT dating app, shared its users’ HIV status</a> with third parties. The data Google can gather about individuals’ health-related searches and the data that Fitbit possesses through their tracking devices might be equally sensitive and cause as much concern. </span></span></span></p> <p><span><span><span>Privacy International recently looked into <a href="https://privacyinternational.org/long-read/3196/no-bodys-business-mine-how-menstruation-apps-are-sharing-your-data">menstruation apps’ data practices</a>, discovering that several of these apps seem to disregard the sensitive nature of the data they collect and use, and that some of them in fact are sharing personal data about women’s health, sexual life and mood with Facebook. Similarly, Privacy International previously conducted a <a href="https://privacyinternational.org/report/3193/report-your-mental-health-sale">study on 136 mental depression sites in France, Germany and the UK</a> showing that most of these websites fail to comply with data protection and privacy law and <a href="https://privacyinternational.org/long-read/3194/privacy-international-study-shows-your-mental-health-sale">share sensitive data</a> about website visitors’ depression concerns and symptoms with advertisers, brokers and dominant platforms. The sharing and combination of health data across different websites, apps or services in the digital ecosystem is a cause for scrutiny not only because it largely fails to comply with data protection rules, but also because it leads to a surveillance-as-a-default environment that is harmful to personal <a href="https://privacyinternational.org/long-read/3065/pi-presents-our-strategy-safeguarding-peoples-dignity">dignity</a> and <a href="https://privacyinternational.org/campaigns/demanding-identity-systems-our-terms">identity</a> and leads to <a href="https://privacyinternational.org/campaigns/when-big-brother-pays-your-benefits">discrimination</a> and <a href="https://privacyinternational.org/campaigns/protecting-migrants-borders-and-beyond">exclusion</a>.</span></span></span></p> <p><span><span><span>The location data the merging parties will be combining is also extremely sensitive. Recently on 29 October, Google was <a href="https://www.accc.gov.au/media-release/google-allegedly-misled-consumers-on-collection-and-use-of-location-data">accused by the Australian Competition and Consumer Commission</a><span><span> (ACCC)</span></span> of misleading consumers regarding its collection and use of geolocation data in breach of consumer protection laws. The ACCC’s case is premised on the fact that individuals were not warned that by switching off their “Location History” they would not be stopping Google from continuing to track their location through Android and the web browser. In November 2018, the Norwegian Consumer Council similarly <a href="https://www.forbrukerradet.no/side/google-manipulates-users-into-constant-tracking">found</a> that Google continuously tracks its users through a number of tracking devices including mobile phones, a practices that breaches of European Data Protection, a number of consumer protection organisations across Europe have <a href="https://www.beuc.eu/press-media/news-events/gdpr-complaints-against-google%E2%80%99s-deceptive-practices-track-user-location">complained to data protection authorities</a> about this practice. The <a href="https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html?mtrref=undefined&amp;assetType=PAYWALL">New York Times</a> also conducted extensive reporting on geolocation tracking by Google in December 2018 causing public outrage and demonstrating that we have privacy expectations when it comes to the sharing of our location data. </span></span></span></p> <p><span><span><span>A combination of Google / Alphabet’s potentially extensive and growing databases, user profiles and dominant tracking capabilities with Fitbit’s uniquely sensitive health data could have pervasive effects on individuals’ privacy, dignity and equal treatment across their online and offline existence in future. We therefore strongly urge competition regulators in charge of scrutinizing this merger to not let it go through and err on the side of caution in favoring the fundamental freedoms of the many over the financial profits of the few.</span></span></span></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/fitbit_pic_2.jpg" width="1549" height="1981" alt="fitbit" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/fitbit_pic_3.jpg" width="1549" height="1981" alt="fitbit" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-11/fitbit_pic_4.jpg" width="1549" height="1981" alt="fitbit" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/expose-data-exploitation-data-profiling-and-decision-making" hreflang="en">Expose Data Exploitation: Data, Profiling, and Decision Making</a></div> <div class="field__item"><a href="/what-we-do/expose-invisible-data-placed-beyond-our-control" hreflang="en">Expose Invisible Data Placed Beyond Our Control</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/adtech" hreflang="en">AdTech</a></div> <div class="field__item"><a href="/learning-topics/competition-and-data" hreflang="en">Competition and Data</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-resource-type field--type-entity-reference field--label-above"> <div class="field__label">Web Resource</div> <div class="field__items"> <div class="field__item"><a href="/type-resource/data-exploitation-principles" hreflang="en">Data Exploitation Principles</a></div> </div> </div> <div class="field field--name-field-legal-proceedings field--type-entity-reference field--label-above"> <div class="field__label">Legal Action</div> <div class="field__items"> <div class="field__item"><a href="/legal-action/challenge-hidden-data-ecosystem" hreflang="en">Challenge to Hidden Data Ecosystem</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/enhancing-data-protection-standards" hreflang="en">Enhancing Data Protection Standards</a></div> <div class="field__item"><a href="/campaigns/our-data-not-trade" hreflang="en">Our data is not for trade</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/578" hreflang="en">Google</a></div> </div> </div> </div> </div> Wed, 13 Nov 2019 15:11:31 +0000 staff 3276 at http://privacyinternational.org Submission to the Scottish Parliament’s Justice Sub-Committee on Policing inquiry into facial recognition policing http://privacyinternational.org/advocacy/3274/submission-scottish-parliaments-justice-sub-committee-policing-inquiry-facial <div class="node node--type-advocacy-briefing node--view-mode-token group-one-column ds-2col-stacked-fluid clearfix"> <div class="group-header"> </div> <div class="group-left"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>On November 1, 2019, we submitted evidence to an inquiry carried out by the <a href="https://www.parliament.scot/parliamentarybusiness/CurrentCommittees/113104.aspx">Scottish Parliament into the use of Facial Recognition Technology (FRT) for policing purposes</a>.</p> <p><span><span><span><span>In our submissions, we noted that the rapid advances in the field of artificial intelligence and machine learning, and the deployment of new technologies that seek to analyse, identify, profile and predict, by police, have and will continue to have a seismic impact on the way society is policed. </span></span></span></span></p> <p><span><span><span><span>The implications come not solely from privacy and data protection perspectives, but from the ethical question for a democratic society of permitting the roll out of such intrusive technology. </span></span></span></span></p> <p><span><span><span><span>As the <a href="https://edps.europa.eu/press-publications/press-news/blog/facial-recognition-solution-search-problem_en. ">European Data Protection Supervisor</a> recently confirmed:</span></span></span></span></p> <blockquote> <p><span><span><span><span>A person’s face is a precious and fragile element her identity and sense of uniqueness. It will change in appearance over time and she might choose to obscure or to cosmetically change it – that is her basic freedom. Turning the human face into another object for measurement and categorisation by automated processes controlled by powerful companies and governments touches the right to human dignity – even without the threat of being used as a tool for oppression by an authoritarian state. </span></span></span></span></p> <p><span><span><span><span>Moreover, it tends to be tested on the poorest and most vulnerable in society, ethnic minorities, migrants and children.</span></span></span></span></p> </blockquote> <p><span><span><span><span>We are deeply concerned that the use of FRT by the police, including Police Scotland, raises significant problems for fundamental rights and individual freedoms. So far, this technology has offered law enforcement new opportunities to experiment with or engage in novel forms of surveillance, in an arbitrary or unlawful fashion, which <a href="https://www.privacyinternational.org/advocacy/2835/our-response-westminster-hall-debate-facial-recognition">lacks transparency and proper justification</a>, and fails to satisfy both international and European human rights law standards.</span></span></span></span></p> <p><span><span><span><span>Due to the impermissibly intrusive nature of this technology, Privacy International submits that live or real-time FRT should never be deployed. Moreover, police should not be allowed to make use of this technology without justification that relies on concrete and specific threats to national security or public safety, as well as in absence of legal safeguards, such as publicly available legal frameworks, existence of reasonable suspicion, independent authorisation, ex post notification. Such requirements effectively mean the situations in which such technology can be used in accordance with law are so few so as to render any further testing or expenditure of resources on FRT disproportionate. </span></span></span></span></p> <p><span><span><span><span>It is only at the point the bare minimum actions above are taken that it is possible to take an informed approach as to whether FRT should ever be deployed.  As the <a href="https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-90051%22]}">European Court of Human Rights has underlined</a>:</span></span></span></span></p> <blockquote> <p><span><span><span><span>a state that claims a pioneer role in the development of new technologies bears special responsibility for striking the right balance in this regard.</span></span></span></span></p> </blockquote> <p><span><span><span><span>* </span></span></span></span>The image was provided by our partner organisation <a href="https://elsam.or.id/en/">ELSAM</a> (Indonesia) and is available under Creative Commons terms.</p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-inline"> <div class="field__label">Repeating Image and Text</div> <div class="field__items"> <div class="field__item"><div class="paragraph-formatter"><div class="paragraph-info"></div> <div class="paragraph-summary"></div> </div> </div> </div> </div> </div> <div class="group-footer"> <div class="field field--name-field-target field--type-entity-reference field--label-inline"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><div about="/target/parliament" id="taxonomy-term-149" class="taxonomy-term vocabulary-target"> <h2><a href="/target/parliament"> <div class="field field--name-name field--type-string field--label-hidden field__item">Parliament</div> </a></h2> <div class="content"> </div> </div> </div> </div> </div> <div class="field field--name-field-type-of-intervention field--type-entity-reference field--label-inline"> <div class="field__label">Related work PI does</div> <div class="field__item"><div about="/how-we-fight/advocacy-policy-outreach" id="taxonomy-term-169" class="taxonomy-term vocabulary-intervention-type"> <h2><a href="/how-we-fight/advocacy-policy-outreach"> <div class="field field--name-name field--type-string field--label-hidden field__item">Advocacy, Policy, &amp; Outreach</div> </a></h2> <div class="content"> <div class="field field--name-field-icon field--type-image field--label-above"> <div class="field__label">Icon</div> <div class="field__item"> <img src="/sites/default/files/2017-12/APT_page.png" width="1200" height="1200" alt="APT" typeof="foaf:Image" /> </div> </div> </div> </div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-inline"> <div class="field__label">What PI is campaigning on</div> <div class="field__items"> <div class="field__item"><div about="/campaigns/police-spy-tech-public-places" id="taxonomy-term-435" class="taxonomy-term vocabulary-campaigns"> <h2><a href="/campaigns/police-spy-tech-public-places"> <div class="field field--name-name field--type-string field--label-hidden field__item">Police spy tech in public places</div> </a></h2> <div class="content"> </div> </div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Advances in technology significantly advance the capabilities of police, with few safeguards and no transparency.</p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><div about="/strategic-areas/defending-democracy-and-dissent" id="taxonomy-term-585" class="taxonomy-term vocabulary-programmes"> <h2><a href="/strategic-areas/defending-democracy-and-dissent"> <div class="field field--name-name field--type-string field--label-hidden field__item">Defending Democracy and Dissent</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The seamless way we communicate using some of these technologies has helped many to organise politically and to express dissent online and offline. But the hidden data harvesting on which many of these technologies rely also threatens our ability to challenge power, no matter the type of government.</p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><div about="/our-interventions/protecting-civic-spaces" id="taxonomy-term-716" class="taxonomy-term vocabulary-issue"> <h2><a href="/our-interventions/protecting-civic-spaces"> <div class="field field--name-name field--type-string field--label-hidden field__item">Protecting Civic Spaces</div> </a></h2> <div class="content"> </div> </div> </div> </div> </div> </div> </div> Mon, 11 Nov 2019 15:57:40 +0000 staff 3274 at http://privacyinternational.org Inside Niger's New Biometric Voting System http://privacyinternational.org/long-read/3273/inside-nigers-new-biometric-voting-system <span class="field field--name-title field--type-string field--label-hidden">Inside Niger&#039;s New Biometric Voting System</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">tech-admin</span></span> <span class="field field--name-created field--type-created field--label-hidden">Monday, November 11, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>Photo by Francesco Bellina</em></p> <p><em>The wars on terror and migration have seen international funders sponsoring numerous border control missions across the Sahel region of Africa. Many of these <a href="https://privacyinternational.org/campaigns/challenging-drivers-surveillance">rely on funds supposed to be reserved for development aid</a> and lack vital transparency safeguards. After looking at <a href="https://privacyinternational.org/news-analysis/3223/europes-shady-funds-border-forces-sahel">Europes's shady funds to border forces</a> in the Sahel area, freelance journalist Giacomo Zandonini looks at how Niger has recently joined other countries in creating a biometric database that will be used in the upcoming elections.</em></p> <p dir="ltr"> </p> <p dir="ltr"><span>Sitting on the ground inside an unadorned courtyard in Koira Tegui, one of Niamey’s most popular districts, Halimatou Hamadou shows a copy of what, she’s been told, is a certificate of birth. </span></p> <p dir="ltr"><span>The 33 year old woman, who’s unable to read and write, received it days earlier during a crowded public ceremony at a nearby primary school. </span></p> <p dir="ltr"><span>“It’s my first document ever,'' she says, with surprise. </span></p> <p dir="ltr"><span>Thanks to the paper, she’ll be able to take part in a crucial passage for the future of Niger: the double-turn electoral round scheduled for late 2020 and early 2021, which will mark the end of President Mahamadou Issoufou’s ten year era, and will be a test for the young Nigerien democracy. It will also be a test of a brand-new biometric voting system, based on personal biometric information. </span></p> <p dir="ltr"><span>Niger is the latest of more than 30 nations in Africa that </span><a href="https://www.jeuneafrique.com/275213/politique/carte-interactive-tchad-rejoint-club-de-biometrie-electorale-afrique/"><span>adopted a biometric voting card</span></a><span> over the last decade, creating databases with fingerprints and facial images. A decision that might seem at odds with a country where eighty percent of the population has no regular access to electricity, and malnutrition is a recurrent danger for hundreds of thousands of people each year. </span></p> <p dir="ltr"><span>Indeed, Hamadou’s concerns seem to be far more immediate, and tangible, than the distant election, whose chip-equipped electoral cards will be produced in France. </span></p> <p dir="ltr"><span>“I hope to provide my four kids with enough food and with education, and that we’ll all be in good health,'' says the woman, who settled down in the district as a kid, when her parents migrated from the countryside, and defines the family’s living conditions as “poor and precarious”. </span></p> <h2 dir="ltr"><strong>No plan ‘B’</strong></h2> <p dir="ltr"><span>Hamadou’s document is one out of five million, released since mid-2018 as a part of a huge, country-wide exercise to fill gaps in a weak civil register system, where registration rates reach barely 30 percent of the population of Niger. </span></p> <p dir="ltr"><span>Leaning against an overcrowded desk in his office on the opposite side of town, lawyer Issaka Souna is the man at the centre of this challenging process. At 64, Souna says he could have “earned five times more per month” had he kept his position as a UN top electoral observer but preferred serving his country in a delicate moment. </span></p> <p dir="ltr"><span>When he was nominated at the head of Niger’s Independent Electoral Commission, in late 2017, a new electoral code had just been approved by the Parliament. The use of a </span><a href="http://www.ceniniger.org/conference-de-presse-sur-lelaboration-du-fichier-electoral/"><span>biometric identification system</span></a><span> was included.</span></p> <p dir="ltr"><span>“There was no plan B, we needed to make the new system work,'' says Souna. </span></p> <p dir="ltr"><span>“Biometrics, he explains, have been seen as a panacea by a fragmented and distrustful political class, and supported by both the majority coalition and the opposition, afraid of rigged elections.” </span></p> <p dir="ltr"><span>According to the </span><em>fonctionnaire</em><span>, “biometrics represent an effective tool to avoid that the same person votes twice, a common problem in the region, but they are also expensive and technically complex, in a country with lots of emigrants, nomadic communities and hostile climatic conditions”. </span></p> <p><span>So far, the absence of a reliable civil register has been the main obstacle in building a proper electoral one. </span>Since mid-2018, the electoral commission organises mobile court hearings, known as 'audiences foraines'. These are simplified procedures to release identitity documents in different districts and areas of the country. In this way, millions of Nigeriens, including Halimatou Hamadou, obtained their first identity document ever, a prerequisite to apply for the new voting card.</p> <h2 dir="ltr"><strong>Money for fingerprints</strong></h2> <p dir="ltr"><span>Starting October 15, Nigeriens wanting to obtain a card need to enter their document, signature, facial image, and fingerprints in a database, at one of hundreds of stations set up by the Electoral Commission in the country’s seven regions. Sixty seven hundred agents have been contracted for the process, and aim to release about eight million voting cards in 2019 to a quickly growing population of 23 million citizens.</span></p> <p dir="ltr"><span>Fingerprints won’t be checked at poll stations, but cross-matched by the database’s software to guarantee that nobody is issued more than one card.  Personal information will be stored in the card’s chip and in a centralized database, while “through matching the photo on the card with that in the database, agents at poll stations will have a further option to verify the identity of the voter,'' says Souna. </span></p> <p dir="ltr"><span>“We’re influenced by neighbours such as Mali, Chad, Ivory Coast, Senegal, Nigeria, Togo and Benin, that have already adopted biometric solutions for the vote,'' admits Souna, adding that, differently than in Niger, “most of these countries had a working civil register database, that was used as a source for the electoral one”. </span></p> <p dir="ltr"><span>Souna seems aware of the huge challenge of bringing one of the youngest and poorest countries in the world to vote, but shows the confidence of a seasoned professional. Money, he says, are his only source of preoccupation.</span></p> <p dir="ltr"><span>French company Gemalto was selected as the provider for the biometric system and awarded a 20 million euros contract in early 2019, after a complex selection process, the results of which was questioned by German competitor Dermalog. Still, the sum excludes the salaries of thousands of people employed to make the system work and resist through the long-awaited local elections, a double-turn presidential and legislatives. </span></p> <p dir="ltr"><span>The </span><a href="http://www.ceniniger.org/2eme-rencontre-dinformation-ceni-et-les-partenaires-aux-elections/"><span>overall cost</span></a><span> might bypass 130 million euros, more than five times the cost of the 2016 electoral round, which was based on a traditional register of voters. It’s not a surprise then if, despite the government's announcements that Niger can fund its own elections, its high officials are knocking at donor’s doors. </span></p> <p dir="ltr"><span>Yet Niger’s main partners are not rushing up to open. </span></p> <p dir="ltr"><span>The UN development programme, a </span><a href="https://reliefweb.int/report/niger/nigeriens-vote-new-president-and-parliament-key-vote"><span>traditional contributor</span></a><span> to the electoral process in Niger since the 2011 transition from military rule to an elected government, guaranteed a </span><a href="https://www.niameyetles2jours.com/la-gestion-publique/politique/1607-4114-elections-generales-de-2021-le-pnud-s-engage-a-aider-le-niger-pour-un-scrutin-transparent"><span>2,2 million euros support</span></a><span>. Swiss promised about 260,000 million euros. </span></p> <p dir="ltr"><span>Big donors as the EU and the US, however, seem to be more cautious. Brussels’ contribution, a bloc’s official told us, “will be relevant, but we’re still fine-tuning it and discussing with Nigerien authorities”. </span></p> <p dir="ltr"><span>In principle, over the last decade the EU delegation in Niger had opposed a biometric register of voters, prioritizing civil register reinforcement. But by inserting biometrics into the electoral code, Nigerien authorities “blackmailed their partners: now if we want to support democracy, we need to fund indirectly a biometric system,'' said another official. </span></p> <p dir="ltr"><span>Both France and Germany, he added, had lobbied in favour of electoral biometrics. Paris’ interests seem evident. </span><a href="https://www.biometricupdate.com/201910/thales-details-plans-for-integrating-gemalto-biometrics-and-digital-identity-business"><span>Gemalto’s recent takeover</span></a><span> by their state-controlled security giant Thales, approved by the EU Commission in December 2018, contributes to reinforcing one of the biggest players in the global competition over identity technologies. </span></p> <h2><strong>A vulnerable setting</strong></h2> <p dir="ltr"><span>Niger’s electoral database is just the latest sign of the growing penetration of biometrics in the African continent, in the public administration as well as in banks, the health sector, passports, or humanitarian aid. Its main actors are Western identity giant firms such as Thales, Idemia, Zetes, Accenture, Veridos, that look at Africa as a </span><a href="https://www.crossmatch.com/behind-biometrics-boom/future/"><span>huge market opportunity</span></a><span>. </span></p> <p dir="ltr"><span>According to Oumarou Sanda Kadri, one of Niger’s most renowned lawyers, this process doesn’t come without inconveniences. “Our countries are vulnerable and can fall prey to technological illusions,'' he says in his office in Niamey’s east side. </span></p> <p dir="ltr"><span>An long-time Vice-President of the National Electoral Commission, Kadri was nominated as the Director of a new national authority for the protection of personal data, in compliance with </span><a href="http://www.anp.ne/?q=article/le-gouvernement-du-niger-adopte-une-loi-relative-la-protection-des-donnees-caractere"><span>Niger’s first privacy law</span></a><span>, adopted in 2017. He refused the position. Since then, the authority hasn’t been fully installed. </span></p> <p dir="ltr"><span>“Niger has now several laws protecting personal data, but so far they’re an empty box, there’s no actual control,'' the lawyer says. When creating the new biometric database of electors, he adds, “we need to ensure that the data collected will be used only for the purpose of election, and not others.''</span></p> <p dir="ltr"><span>“The EU has strong guarantees on data protection inside its territory, but when it comes to their partnerships in Africa, is it careful enough?”, wonders Kadri. </span></p> <p dir="ltr"><span>Still, more than from concerns over the protection of personal data, the slow pace of partners’ contribution seems to be due to the tense political atmosphere, where divides between the ruling majority and the opposition appear incurable. </span></p> <h2><strong>Stability at risk</strong></h2> <p dir="ltr"><span>Former foreign affairs minister Ibrahim Yacouba, who left the government in 2017 in protest against the new electoral code, told the author that “the next elections will be the first test for democratic alternance since Niger’s independence, but the president’s party is already manipulating them”. </span></p> <p dir="ltr"><span>Opposition parties, including Yacouba’s MPN, are boycotting the electoral process, denouncing imbalances in the composition of the electoral commission and in the vote’s monitoring process - and occasionally recurring to </span><a href="https://www.actuniger.com/politique/15478-manifestation-du-frddr-l-opposition-denonce-la-mauvaise-gouvernance-et-exige-un-dialogue-inclusif-message.html"><span>street protests</span></a><span>. </span></p> <p dir="ltr"><span>Biometrics, says Yacouba, can be a tool against fraud, but “the transcription of vote remains the most delicate passage, and it will still be done by hand, with no guarantee that opposition watchers can control it”.</span></p> <p dir="ltr"><span>These tensions add to the anxieties of Western countries, that look at Niger’s stability as a key factor in guaranteeing their interests in the Sahel, from security to migration control, to vital mineral resources. </span></p> <p dir="ltr"><span>“We already have external problems - from war in Libya to terrorist groups entering our territory from Nigeria and Mali - and we can’t afford having internal ones: the next elections need to be peaceful,'' stresses Electoral Commission President, Issaka Souna.</span></p> <p dir="ltr"><span>While little debate has accompanied the decision to adopt a biometric register of voters in the country, enrolment operations have already been launched, starting from the northern region of Agadez, where less than a million people are scattered in an immense, hard to reach, barren territory. </span></p> <p dir="ltr"><span>“It’s a huge task,'' says Souna, who has overseen some of the most troubled elections in Africa in the last decade, “but I’m sure we’ll make it”. </span></p> <p dir="ltr"><span>While Nigeriens race against the clock to make elections happen, will Western partners look at the protection of their personal data, or will they prioritie their geopolitical interests?</span></p></div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/learning-topics/biometrics" hreflang="en">Biometrics</a></div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/demand-humane-approach-immigration" hreflang="en">Demand a Humane Approach to Immigration</a></div> <div class="field__item"><a href="/what-we-do/uncover-surveillance-transfer-how-governments-assist-other-governments-develop" hreflang="en">Uncover Surveillance Transfer: How Governments Assist other Governments to Develop Surveillance Powers</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/government-exploitation" hreflang="en">Government Exploitation</a></div> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/challenging-drivers-surveillance" hreflang="en">Challenging the Drivers of Surveillance</a></div> <div class="field__item"><a href="/campaigns/state-sponsors-surveillance-governments-helping-others-spy" hreflang="en">State Sponsors of Surveillance: The Governments Helping Others Spy</a></div> </div> </div> <div class="field field--name-field-principle-or-recommendatio field--type-entity-reference field--label-above"> <div class="field__label">What is PI calling for</div> <div class="field__items"> <div class="field__item"><a href="/recommendation-principle-or-safeguard/security-all" hreflang="en">Security for all</a></div> <div class="field__item"><a href="/recommendation-principle-or-safeguard/identities-under-our-control" hreflang="en">Identities under our control</a></div> </div> </div> Mon, 11 Nov 2019 08:35:20 +0000 tech-admin 3273 at http://privacyinternational.org PI and other rights groups demand political parties come clean on user of voters personal data in the UK general election http://privacyinternational.org/press-release/3268/pi-and-other-rights-groups-demand-political-parties-come-clean-user-voters <span class="field field--name-title field--type-string field--label-hidden">PI and other rights groups demand political parties come clean on user of voters personal data in the UK general election</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Thursday, October 31, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h4>Privacy International, Open Rights Group, the Institute for Strategic Dialogue, Fair Vote, Who Targets Me? and Demos have today <a href="https://privacyinternational.org/sites/default/files/2019-10/Letter-to-Political-Parties.pdf">written</a> to all the main UK political parties, demanding that they are transparent with the public about how they are using voters’ personal data in their electioneering. Twitter's announcement yesterday of their ban on political advertising is just the latest wake up call to politicians about the risks to democracy of personal data driven microtargeting of political messages. </h4> <p>We have today written to The Conservatives, Labour, The Liberal Democrats, the Scottish National Party and others, with 10 concrete steps they should take, to ensure transparency and compliance with the law, including:</p> <ol><li>Publishing how they source voters’ personal data;</li> <li>Ensure political messages, the organisation behind them, and the targeting criteria for them are easily recognisable to the public;</li> <li>Publishing information on the companies they contract with as part of campaigns.</li> </ol><p>Political campaigns have become sophisticated data operations over recent years. The Facebook / Cambridge Analytica data scandal in 2018 highlighted the stark dangers to democracies and elections when voters’ personal data is harvested, enabling political parties and other campaigning groups to build highly detailed profiles about voters, and then using these profiles as the basis for microtargeting messages to them.<br /> As civil society organisations dedicated to defending rights, we are deeply concerned about the exploitation of people’s data in the political sphere and its impact on privacy and democracy. Political parties must shoulder some responsibility.</p> <p>Ailidh Callander, Legal Officer, Privacy International, said:</p> <blockquote> <p>The integrity of our democracy and voter trust is at stake. Our political parties need to reflect on their own practices, reflect on public concern, and reflect on why Twitter has taken the step to ban political advertising altogether. Our elections can't be built on politicians exploiting our personal data. It's a race to the bottom.</p> <p>We are demanding that political parties in the UK stand up for democracy by coming clean about their use of voters’ personal data, publicly committing to total transparency, and complying with data protection law.</p> </blockquote> <p>Pascal Crowe, Data and Democracy Officer at Open Rights Group, said:</p> <blockquote> <p>We are putting all the political parties on notice. Political microtargeting is corroding public debate with an Orwellian ’two minutes hate’, and treating citizens like lab rats in an experiment that they did not sign up to. Trust in our political culture is fragile. These practices damage it further. Politicians have been vocal in their condemnation of Facebook but they bear responsibility too. It is time for them to put their own houses in order.</p> </blockquote> <p>Elliot Jones, Researcher, Demos, said:</p> <blockquote> <p>Current electoral laws are not up to the challenges of the digital age. Until they are comprehensively updated, political parties must hold themselves to a higher standard of transparency and accountability or risk undermining trust in the democratic process even further.</p> </blockquote></div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/united-kingdom" hreflang="en">United Kingdom</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/learning-topics/data-and-elections" hreflang="en">Data and Elections</a></div> </div> </div> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-10/Screenshot%202019-10-31%20at%2014.05.53.png" width="2252" height="800" alt="letterhead" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-attachments field--type-file field--label-above"> <div class="field__label">Attachments</div> <div class="field__items"> <div class="field__item"> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2019-10/Letter-to-Political-Parties.pdf" type="application/pdf; length=74318" title="Letter-to-Political-Parties.pdf">Letter to political parties</a></span> </div> </div> </div> Thu, 31 Oct 2019 14:04:19 +0000 staff 3268 at http://privacyinternational.org Submission to the ICO on Code of Practice for the use of personal data in political campaigning http://privacyinternational.org/advocacy/3267/submission-ico-code-practice-use-personal-data-political-campaigning <div class="node node--type-advocacy-briefing node--view-mode-token group-one-column ds-2col-stacked-fluid clearfix"> <div class="group-header"> </div> <div class="group-left"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>In October 2019, PI <a href="https://privacyinternational.org/sites/default/files/2019-10/ICO Code of Practice Submission.pdf">responded </a>to the UK Information Commissioner’s (ICO) consultation on a draft Code of Practice for the use of personal data in political campaigning.</p> <p>This follows on from <a href="https://privacyinternational.org/advocacy/2838/pi-response-ico-call-views-code-practice-use-personal-information-political-campaigns">PI's submission in December 2018</a>, to the ICO’s Call for Views.</p> <p>PI welcomes the draft Code of Practice as a first step. However, much remains to be done to close the implementation and enforcement gap and strengthen existing regulatory frameworks.  </p> <p>In response to the ICO’s questions, PI’s submission calls for the following.</p> <ul><li>Inclusion of guidance on: <ul><li>Rights of data subjects</li> <li>Sanctions/ Remedies</li> <li>Campaigning outside of an election</li> <li>Digital and experimental campaign techniques<br />  </li> </ul></li> <li>More detail/ clarity on: <ul><li>Transparency</li> <li>Profiling</li> <li>DPIAs and assessments re lawful basis</li> <li>Purpose Limitation</li> <li>Fairness</li> <li>Processors</li> <li>Special category personal data</li> <li>Data from third party sources</li> <li>Electoral register - opt-out</li> <li>Digital/ online campaigning techniques and tools such as Apps and targeted digital advertising on TV</li> <li>Actors other than political parties/ candidates</li> </ul></li> </ul><p> </p> <p> </p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-inline"> <div class="field__label">Repeating Image and Text</div> <div class="field__items"> <div class="field__item"><div class="paragraph-formatter"><div class="paragraph-info"></div> <div class="paragraph-summary"></div> </div> </div> </div> </div> </div> <div class="group-footer"> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Political campaigns around the world have turned into sophisticated data operations. They rely on data- your data- to facilitate a number of decisions: where to hold rallies, which States or constituencies to focus resources on, which campaign messages to focus on in which area, and how to target supporters, undecided voters, and non-supporters.</p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><div about="/strategic-areas/defending-democracy-and-dissent" id="taxonomy-term-585" class="taxonomy-term vocabulary-programmes"> <h2><a href="/strategic-areas/defending-democracy-and-dissent"> <div class="field field--name-name field--type-string field--label-hidden field__item">Defending Democracy and Dissent</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The seamless way we communicate using some of these technologies has helped many to organise politically and to express dissent online and offline. But the hidden data harvesting on which many of these technologies rely also threatens our ability to challenge power, no matter the type of government.</p></div> </div> </div> </div> </div> </div> </div> </div> Tue, 29 Oct 2019 13:26:19 +0000 tech-admin 3267 at http://privacyinternational.org