Privacy International http://privacyinternational.org/rss.xml en Here’s the Surveillance the US Exports to Central America as Aid - And it’s Surviving Trump’s Cuts http://privacyinternational.org/news-analysis/3011/heres-surveillance-us-exports-central-america-aid-and-its-surviving-trumps-cuts <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>Picture Credit: <a href="https://web.archive.org/web/20190716015838/https://www.flickr.com/photos/usaid_images/">US AID</a></em></p> <p>US President Trump has been cutting aid to Central America, including a surprise <a href="https://web.archive.org/web/20190716015838/https://www.devex.com/news/implementers-missions-in-the-dark-about-central-america-assistance-cuts-94914">cut</a> of approximately $500m in aid to the “Northern Triangle” countries of El Salvador, Guatemala, and Honduras, apparently as <a href="https://web.archive.org/web/20190716015838/https://www.economist.com/the-americas/2019/04/04/donald-trump-cuts-off-aid-to-central-america">punishment</a> for “doing absolutely nothing” to prevent emigration to the US. </p> <p>What remains of the funds is <a href="https://web.archive.org/web/20190716015838/https://fas.org/sgp/crs/row/R44812.pdf">largely and deliberately</a> being repurposed for spending on the US’s own security interests: indeed, one area which his attorney general <a href="https://web.archive.org/web/20190716015838/https://www.reuters.com/article/us-usa-immigration-centralamerica/trump-will-not-cut-police-aid-to-central-america-barr-says-idUSKCN1SM2II">claims will be spared</a> from the cuts to the Northern Triangle is police aid - the provision of financial and technical assistance to law enforcement agencies. Today that also means the provision of surveillance capabilities. </p> <p>The use of the aid budget to fund foreign police agencies is <a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/report/2159/teach-em-phish-state-sponsors-surveillance">part of the broader use</a> of military and security assistance provided to countries around the world to further the US’s own security and foreign objectives: in 2001, the US <a href="https://web.archive.org/web/20190716015838/http://securityassistance.org/data/country/military/country/2000/2017/is_all/Global">spent</a> $5.7 billion in security aid – in 2017 it spent over $20 billion. </p> <p>In 2015, military and non-military security assistance <a href="https://web.archive.org/web/20190716015838/https://fas.org/sgp/crs/row/R40213.pdf">amounted</a> to an estimated 35% of entire US foreign aid expenditure: managed by various authorities including the Departments of State and Defense, as well as agencies such as the DHS, DEA, NSA, and FBI, it is <a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/sites/default/files/2018-07/Teach-em-to-Phish-report.pdf">being used</a> to train, fund, and equip surveillance agencies around the world.</p> <p>Not only does this divert aid money away from things like building schools, it spreads invasive and powerful surveillance capabilities around the world. Without the adequate safeguards in legislation and practice, this enforces authoritarianism and human rights abuses – fuelling the very conditions which make people emigrate, while simultaneously cutting the type of aid which gives people opportunities.</p> <p>Below is an overview of how US foreign assistance to El Salvador, Guatemala, and Honduras is spent on surveillance.</p> <p><strong>Surveillance Equipment</strong></p> <p>Trump is diverting his Central American aid budget for security purposes: his 2019 budget request <a href="https://web.archive.org/web/20190716015838/https://fas.org/sgp/crs/row/R44812.pdf">would cut aid</a> to the region by $191 million (30%) compared to 2018, while allocating 58% of the total to the Central America Regional Security Initiative (CARSI) – a broad programme which supplies Central American law enforcement agencies with equipment, training, and technical assistance. </p> <p>Under CARSI, for example, State <a href="https://web.archive.org/web/20190716015838/https://www.foreignassistance.gov/">paid nearly</a> $160,000 in 2018 in aid money to <a href="https://web.archive.org/web/20190716015838/https://www.jsitelecom.com/">JSI Telecom</a>, a surveillance company specialising in data interception and analysis, for implementation in Guatemala. JSI Telecom, which <a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/news-analysis/2995/ice-paying-millions-surveillance-company-spy-peoples-communications">operates</a> ICE’s wiretapping system in the US, describes itself as a “leading provider of communications intercept collection solution”.</p> <figure role="group" class="caption caption-img align-center"><img alt="Brochure from JSI Telecom" data-entity-type="file" data-entity-uuid="597fc0d7-d944-48da-8cfa-6725da1cb96a" src="/sites/default/files/inline-images/Screenshot%202019-06-07%20at%2014.12.01.png" /><figcaption>Brochure from ​​​​​​<a href="https://privacyinternational.org/news-analysis/2995/ice-paying-millions-surveillance-company-spy-peoples-communications">JSI Telecom</a></figcaption></figure><p>Over $17,000 of aid money <a href="https://web.archive.org/web/20190716015838/https://www.foreignassistance.gov/">was also spent</a> on “surveillance vans maintenance” in El Salvador in 2017 under CARSI. The funds went towards a UK-based <a href="https://web.archive.org/web/20190716015838/https://sii.transparencytoolkit.org/search?company_name_facet=Cellxion">CellXion</a>, a surveillance company which sells IMSI Catchers, devices used to indiscriminately identify mobile phones in public areas and intercept calls. The UK government <a href="https://web.archive.org/web/20190716015838/https://www.caat.org.uk/resources/export-licences/count-by-item?use=dual&amp;region=El+Salvador">approved</a> the export of an IMSI catcher to El Salvador in 2015, though it is not known if it was for CellXion.</p> <p>According to <a href="https://www.foreignassistance.gov/">aid transparency data</a>, in 2018, the Department of State also made over $300,000 in payments of aid money to surveillance company <a href="https://web.archive.org/web/20190716015838/https://www.penlink.com/">Pen-Link</a>for counter narcotics projects in El Salvador. Pen-Link sells systems which intercept data from telecommunications networks as well as analysis platforms, empowering law enforcement agencies with the ability to trawl through data from phones, social media, email, and other internet communications.</p> <p>Other <a href="https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">government data</a> shows that the Department of State has provided:</p> <ul><li>Investigative equipment for Honduras’s police at the cost of $782,000, which includes a <a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/taxonomy/term/584">powerful</a> digital forensic analysis system known as UFED used to extract and analyse data from digital devices developed by Israeli company Cellebrite, as well as another $150,000 on three more systems sold by Cellebrite. </li> <li>A drone/surveillance platform for Guatemala’s police at the cost of $75,000.  </li> <li>10 licenses to Honduras’s police worth $70,000 for the use of “I2 intelligence software” – presumably IBM’s I2 intelligence analytics <a href="https://web.archive.org/web/20190716015838/https://www.ibm.com/security/intelligence-analysis/i2">platform</a> used by law enforcement to map and analyse intelligence.</li> </ul><figure role="group" class="caption caption-img"><img alt="Brochure from CellXion" data-entity-type="file" data-entity-uuid="a2ef864e-130e-4156-bdd1-e080fc8d4517" src="/sites/default/files/inline-images/Screenshot%202019-06-07%20at%2013.59.38.png" /><figcaption>Brochure from ​​​​​<a href="https://sii.transparencytoolkit.org/search?utf8=✓&amp;q=cellxion">CellXion</a></figcaption></figure><p><strong>Training</strong></p> <p>Various US security, defense and intelligence agencies train foreign counterparts. <a href="https://www.ice.gov/news/releases/international-students-graduate-elite-federal-law-enforcement-program">In 2015</a>, 94,000 people participated in US-provided police training in more than 100 countries, at a cost of $2 billion. </p> <p>Between 2015 – 2016:</p> <ul><li>El Salvadoran, Honduran, and Guatemalan authorities were all <a href="https://www.foreignassistance.gov/">trained</a> by the DEA on “aspects of conducting a judicial wire intercept investigation. These include undercover operations, advanced operational planning, tactical entries, confidential Source management, and money laundering”.</li> </ul><ul><li>In Guatemala, funds <a href="https://web.archive.org/web/20190716015838/https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">were used</a> for “Training on the use of wiretaps for improved investigations” for regional officers.</li> <li>El Salvador’s police <a href="https://web.archive.org/web/20190716015838/https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">were trained</a> in how to use Cellebrite’s UFED – the <a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/taxonomy/term/584">forensics</a> system used to extract and analyse data from digital devices</li> <li>El Salvador’s police <a href="https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">were trained</a> on how to perform polygraph tests.</li> <li>El Salvador’s and Guatemala’s police were trained on the use of CompStat, a predictive policing platform which <a href="https://7bdd3377-3bcc-4d25-8d83-6d6914fc86ca/%E2%80%A2%09a%20predictive%20policing%20platform%20criticised%20for%20spurring%20police%20targeting%20of%20people%20in%20poorer%20and%20diverse%20neighboiurhoods">has led</a> to abusive police practices in minority communities in the US.</li> <li>Guatemalan police <a href="https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">were funded</a> to visit surveillance centres in Porto Rico.</li> <li>Guatemala’s police <a href="https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">were trained</a> in in computer and network investigations.</li> <li>Honduras’s police <a href="https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">were trained</a> in electronic and communications intelligence, analysis of criminal communications, and how to investigate computer crimes – which inevitably involves digital surveillance techniques. </li> <li>El Salvador’s police were trained on the use of powers under the Communications Assistance for Law Enforcement Act, which obliges telecommunications carriers to provide government agencies with access to their networks.</li> </ul><figure role="group" class="caption caption-img"><img alt="Brochure from Cellebrite" data-entity-type="file" data-entity-uuid="0faa0809-4536-4cb1-ba12-68f0744f6710" src="/sites/default/files/inline-images/Screenshot%202019-06-07%20at%2014.00.53.png" /><figcaption>Brochure from ​​​​​<a href="https://privacyinternational.org/feature/2776/surveillance-company-cellebrite-finds-new-exploit-spying-asylum-seekers">Cellebrite</a></figcaption></figure><p><strong>Intelligence Sharing &amp; Joint Operations</strong></p> <p>Trump’s attorney general’s promise that police aid will not be cut to the Northern Triangle was made during the signing of an agreement in May this year <a href="https://web.archive.org/web/20190716015838/https://www.reuters.com/article/us-usa-immigration-centralamerica/trump-will-not-cut-police-aid-to-central-america-barr-says-idUSKCN1SM2II">establishing</a> “information exchange mechanisms in the fight against human trafficking and other crimes” between US and law enforcement agencies. In February, DHS said such an agreement <a href="https://web.archive.org/web/20190716015838/https://www.dhs.gov/news/2019/02/22/joint-statement-outlines-clear-path-toward-historic-northern-triangle-compact">would include</a> programmes to “Increase the exchange of information related to transnational organized crime”. </p> <p>One such way this information is exchanged is through ICE’s Transnational Criminal Investigative Units (TCIU), <a href="https://web.archive.org/web/20190716015838/https://www.dhs.gov/news/2017/11/28/written-testimony-ice-senate-committee-judiciary-hearing-titled-s1241-modernizing">in which ICE works with foreign officers</a> who “identify targets, collect evidence, share intelligence, and facilitate the prosecution of [transnational criminal groups] both in-country and through the U.S. judicial system.” In 2015, DHS <a href="https://web.archive.org/web/20190716015838/https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">spent</a> over $76m in training members of Honduras’s national police at the Federal Law Enforcement Training Center in Georgia to enable TCIU operations.</p> <p><strong>Biometrics</strong></p> <p>The agreement also aims to “increase the collection of biometric data of individuals who cross borders in the Northern Triangle countries without valid documents” and “Align technology platforms to meet information sharing and operational needs”. </p> <p>One such programme is the Biometric Identification Transnational Migration Alert Program (BITMAP). Passed last year <a href="https://web.archive.org/web/20190716015838/https://www.aclu.org/sites/default/files/field_document/vote_recommendation_on_h.r._6439_the_bitmap_authorization_act_of_2018.pdf">despite failing</a> to require adequate privacy protections, it allows Immigration and Customs Enforcement (ICE) agents to provide biometric training and equipment to foreign agencies. The collected data is then <a href="https://web.archive.org/web/20190716015838/https://www.biometricupdate.com/201809/u-s-house-passes-bill-to-expand-biometric-technology-training-data-sharing-with-foreign-partners">shared</a> with US biometric databases, including a new system known as HART developed by arms company Northrop Grumman, which <a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/blog/648/us-border-cops-set-use-biometrics-build-line-world">according to a DHS presentation</a> seen by Privacy International will scoop up a whopping 180 million new biometric transactions per year by 2022. </p> <p>For example, under BITMAP, the State Department in Costa Rica spent nearly $60,000 last year on <a href="https://web.archive.org/web/20190716015838/https://www.crossmatch.com/wp-content/uploads/2017/06/20160318-DS-En-Guardian-Jump-kit.pdf">Jump Kits</a> for capturing and sharing biometric data, according to US procurement records. As of last year, BITMAP was <a href="https://web.archive.org/web/20190716015838/https://www.govtrack.us/congress/bills/115/hr6439/summary">deployed</a> to 14 countries, “with near-term plans to expand to additional countries.”</p> <p>In addition:</p> <ul><li>In 2015, the State department <a href="https://web.archive.org/web/20190716015838/https://defenseoversight.wola.org/primarydocs/2016_police_aid_report.pdf">provided</a> a fingerprinting system to El Salvador’s police worth $1.4m.</li> <li>In 2016, State <a href="https://web.archive.org/web/20190716015838/http://foreignassistance.gov/">used</a> over $640,000 in aid money to El Salvador to pay 3M Cogent, a biometric company for Automated Fingerprint Identification Systems.</li> <li>In FY2018, State <a href="https://web.archive.org/web/20190716015838/http://foreignassistance.gov/">made</a> payments totalling nearly $500,000 in aid money to Guatemala for a redacted purpose to Gemalto Cogent, a biometrics company. </li> </ul><figure role="group" class="caption caption-img"><img alt="Brochure from Gemalto" data-entity-type="file" data-entity-uuid="c9968ad4-d8f7-41ac-9a7c-e3b0590bdc37" src="/sites/default/files/inline-images/Screenshot%202019-06-07%20at%2016.27.33.png" /><figcaption>Brochure from Gemalto</figcaption></figure><p>The export of biometric data collection, processing and sharing by the US is set to increase: under Trump’s December 2018 <a href="https://web.archive.org/web/20190716015838/https://www.whitehouse.gov/wp-content/uploads/2019/02/NSCTT-Signed.pdf">National Strategy to Combat Terrorist Travel</a>, one of three goals is to “enhance travel security capabilities and capacity of foreign partners” by increasing “efforts by foreign partners to bolster traveler screening, data collection, data analysis, and data sharing, including biometric and other traveler data”. </p> <p><strong>Roving plain clothes US officers</strong></p> <p>The agreement also wants to “Expand Joint Security Program (JSP) operations in El Salvador, Guatemala, and Honduras”. <a href="https://web.archive.org/web/20190716015838/https://www.gao.gov/assets/690/682255.pdf">Under the JSP program</a>, roving plain clothes US officers are deployed abroad and allowed to identify, question, and review documents belonging to travellers and can recommend they be denied the right to travel. </p> <p><em>To find out more some of the sources which can be used to identify surveillance transfers, see Privacy International’s </em><a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/feature/2225/open-source-guide-researching-surveillance-transfers">guide to open source research</a>.</p> <figure role="group" class="caption caption-img align-center"><img alt="For more information, visit Privacy International's campaign page." data-entity-type="file" data-entity-uuid="3f329474-1d0c-44d1-84e9-3d64ebee8402" src="/sites/default/files/inline-images/US-Surveillance-Animation-2019-v2_2.gif" /><figcaption>For more information about how governments around the world train, fund, and equip foreign surveillance agencies, visit Privacy International's <a href="https://web.archive.org/web/20190716015838/https://privacyinternational.org/campaigns/state-sponsors-surveillance-governments-helping-others-spy">campaign page</a>.</figcaption></figure><p> </p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-06/4289249636_61860a7a22_b.jpg" width="1023" height="731" alt="US AID" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-06/4289249636_61860a7a22_b_0.jpg" width="1023" height="731" alt="US AID" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-06/4289249636_61860a7a22_b_1.jpg" width="1023" height="731" alt="US AID" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/investigate-surveillance-powers-and-industry-sustaining-them" hreflang="en">Investigate Surveillance Powers and the Industry Sustaining Them</a></div> <div class="field__item"><a href="/what-we-do/uncover-surveillance-transfer-how-governments-assist-other-governments-develop" hreflang="en">Uncover Surveillance Transfer: How Governments Assist other Governments to Develop Surveillance Powers</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/biometrics" hreflang="en">Biometrics</a></div> <div class="field__item"><a href="/topics/intelligence-sharing" hreflang="en">Intelligence Sharing</a></div> <div class="field__item"><a href="/topics/security-assistance-arrangements-between-governments" hreflang="en">Security Assistance Arrangements Between Governments</a></div> <div class="field__item"><a href="/topics/surveillance-industry" hreflang="en">Surveillance Industry</a></div> </div> </div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/united-states-america" hreflang="en">United States of America</a></div> <div class="field__item"><a href="/location/honduras" hreflang="en">Honduras</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/contesting-government-data-and-system-exploitation" hreflang="en">Contesting Government Data and System Exploitation</a></div> </div> </div> <div class="field field--name-field-type-of-impact field--type-entity-reference field--label-above"> <div class="field__label">Type of Impact</div> <div class="field__items"> <div class="field__item"><a href="/impact/uncovering-big-brother-inc" hreflang="en">Uncovering Big Brother Inc</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/state-sponsors-surveillance-governments-helping-others-spy" hreflang="en">State Sponsors of Surveillance: The Governments Helping Others Spy</a></div> </div> </div> </div> </div> Mon, 29 Jul 2019 10:03:50 +0000 staff 3011 at http://privacyinternational.org Identity schemes and data protection: lessons from Ireland's Public Services Card http://privacyinternational.org/news-analysis/3177/identity-schemes-and-data-protection-lessons-irelands-public-services-card <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>The Irish Data Protection Commissioner has made a ruling on the controversial Public Services Card (PSC) that has described much of what is is done with the card as unlawful. The PSC has proven controversial: introduced in 2012 for welfare claimants, it's use <a href="https://www.independent.ie/regionals/enniscorthyguardian/news/is-the-government-sneaking-national-id-cards-in-through-the-back-door-36596609.html">expanded</a> to more and more uses, including its use to get a driving licence or passport. Now, following campaigns from civil liberties organisations, this expansion of use has now been found to be <a href="//www.irishtimes.com/news/ireland/irish-news/irish-state-told-to-delete-unlawful-data-on-3-2m-citizens-1.3987606">unlawful</a> by Ireland's Data Protection Commissioner.</p> <p>The nature of the findings are highly relevant for how we must look at ID schemes all over the world.</p> <ul><li>It is essential that there is an effective data protection regime <em>prior</em> to the introduction of an identity system. Across the world, we see schemes introduced without these protections, or the data protection regime emerging as almost an afterthought. It is increasingly clear that this is no longer acceptable. International organisations, such as the <a href="http://documents.worldbank.org/curated/en/213581486378184357/pdf/Principles-on-identification-for-sustainable-development-toward-the-digital-age.pdf">World Bank</a>, stand by the principle that a legal and regulatory framework surrounding "data privacy" is essential for an ID system. Rather than emerging later, or in response to court action against a system, we need data protection legislation implemented in an effective regime from the start. To continue to promote and fund ID systems without these protections in place leaves a system open to abusing the rights of individuals and communities.</li> <li> The 'function creep' of ID schemes is a feature we also see all over world, as the uses of a system are put to more and more purposes. But the Irish case highlights the issue that the implications of this function creep are often not considered. As the Data Protection Commissioner <a href="https://www.dataprotection.ie/en/dpc-statement-matters-pertaining-public-services-card-0">said</a>, "As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses." It's essential that a scheme, once implemented, any potential new uses are interrogated and critiqued, for their compatibility with data protection and human rights law but also taking into accounts the risks surrounding exclusion, exploitation, and surveillance. Introducing an ID scheme through the 'back door', like in Ireland, is not acceptable.</li> <li>The Irish scheme also illustrated how ID schemes can also lead to the creation of new ID requirements where, previously, ID was not required. The Data Protection Commissioner <a href="//www.irishtimes.com/news/ireland/irish-news/irish-state-told-to-delete-unlawful-data-on-3-2m-citizens-1.3987606">highlighted</a> the case of its use in the school transport system, for a use which previously did not have any ID requirement at all: “There may be a real artificiality in terms of embedding the requirement for the [card] in processes that heretofore did not require identification to that standard.” Thus the Ireland example is ID used not to empower, but the creation of new barriers.</li> </ul><p>There are valuable lessons to be learnt from the experience of Ireland: for those places looking to adopt ID cards, but also those organisations promoting their use. The lessons from the experience of Ireland must be heeded for there to be a future where ID respects everyone's rights.</p> <p><em>[Image source: <a href="https://www.publicdomainpictures.net/en/view-image.php?image=256956&amp;picture=ireland-flag">George Hodan</a>]</em></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Ireland%20flag.jpg" width="1920" height="1280" alt="Ireland flag" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Ireland%20flag_0.jpg" width="1920" height="1280" alt="Ireland flag" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Ireland%20flag_1.jpg" width="1920" height="1280" alt="Ireland flag" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/id-identity-and-identification" hreflang="en">ID, Identity and Identification</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/id-systems" hreflang="en">ID Systems</a></div> <div class="field__item"><a href="/topics/identity" hreflang="en">Identity</a></div> </div> </div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/ireland" hreflang="en">Ireland</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/demanding-identity-systems-our-terms" hreflang="en">Demanding identity systems on our terms</a></div> </div> </div> </div> </div> Wed, 21 Aug 2019 16:13:28 +0000 staff 3177 at http://privacyinternational.org The "Undeserving Poor:" A framework for researching and challenging aspects of social benefits systems that surveil, control, and punish people http://privacyinternational.org/key-resources/3117/undeserving-poor-framework-researching-and-challenging-aspects-social-benefits <span class="field field--name-title field--type-string field--label-hidden">The &quot;Undeserving Poor:&quot; A framework for researching and challenging aspects of social benefits systems that surveil, control, and punish people</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Wednesday, August 7, 2019</span> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/3730001319_d49bf65255_o_5.jpg" width="2304" height="1728" alt="social benefits" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/3730001319_d49bf65255_o_6.jpg" width="2304" height="1728" alt="social benefits" typeof="foaf:Image" /> </div> </div> Wed, 07 Aug 2019 16:24:58 +0000 staff 3117 at http://privacyinternational.org Twitter may have used your personal data for ads without your permission. Time to fix AdTech! http://privacyinternational.org/news-analysis/3111/twitter-may-have-used-your-personal-data-ads-without-your-permission-time-fix <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>On Tuesday, <a href="https://help.twitter.com/en/ads-settings"><strong><span>Twitter disclosed</span></strong></a> that it may have shared data on users with advertising partners, even if they have opted out from personalised ads, and shown people ads based on inferences made about the devices they use without permission. According to Twitter, the issue was fixed on Monday, even though it is not yet clear how many users have been affected.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>This is not the first time that Twitter had to admit that it leaked user data to advertisers. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>In May 2019, <a href="https://help.twitter.com/en/location-data-collection">the social network disclosed</a> a bug that resulted in an account’s location data being shared with a Twitter ad partner, in certain circumstances. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong><span><span><span>Questions about GDPR compliance</span></span></span></strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Companies like Twitter collect vast amounts of data about user behaviour, both on Twitter and across the web on other websites and apps. This data is used to profile users, infer their interests, and show them highly targeted ads (called "promoted stories" on Twitter).</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> Twitter allows users to decide if they want tracking data from other websites and apps to be used for targeted ads. Now <a href="https://techcrunch.com/2019/08/07/twitter-fesses-up-to-more-adtech-leaks/"><strong><span>the company had to admit</span></strong></a>, that since September 2018, it may have served targeted ads that used inferences made about the user’s interests based on tracking their wider use of the Internet — even when the user had not given permission to be tracked.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>This is hugely concerning. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Twitter has ignored people's choices, thereby raising a number of questions in terms of compliance with Europe's data protection law GDPR, which among other things requires transparency and a legal justification for using and sharing people's data.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong><span><span><span>The online advertising ecosystem is out of control</span></span></span></strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>What sounds like a series of isolated incidences is embedded in a much more systemic problem of targeted online advertising. Twitter <a href="https://help.twitter.com/en/safety-and-security/data-through-partnerships">uses</a> a technique called <a href="https://privacyinternational.org/explainer/2974/why-am-i-really-seeing-ad-answer-might-be-real-time-bidding-rtb"><strong><span>Real Time Bidding (RTB)</span></strong></a> – an opaque system that allows companies, advertisers and political campaigns to buy access to you and your attention. RTB is </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>an automated process that enables advertisers to target very specific groups of people on different websites, videos, apps. RTB is also a privacy nightmare. Through RTB, vast amounts of personal data exchanges hands between a large number of players a billion times a day. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>RTB is subject to <a href="http://fixad.tech/"><strong><span>complaints across Europe</span></strong></a> and <a href="https://privacyinternational.org/advocacy/2426/our-complaints-against-acxiom-criteo-equifax-experian-oracle-quantcast-tapad"><strong><span>PI has complained about the practices of companies involved</span></strong></a>, including Criteo, one of Twitter's RTB partners.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>The UK’s <a href="https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf%C2%A0"><strong><span>privacy regulator has warned</span></strong></a> that AdTech and RTB is out of control, and in many cases unlawful: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p>The creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening. - Information Commissioner's Office</p> </blockquote> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong><span><span><span>Targeted ads need to become much more transparent</span></span></span></strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Twitter's latest disclosures show how urgently the industry needs to change, but until then, </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>there's something that Twitter could already do right now. Privacy International believes that social media platforms like Twitter need to do much more to increase transparency around how ads are targeted at users. At present is very difficult to understand why you are seeing an ad on Twitter. Finding the "Why you're seeing this ad" button on an ad an requires a sharp eye. Once located, you have to click multiple times before finally arriving at the page meant to tell you why you are seeing an ad, only to be presented with very limited information. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>What Twitter provides you about why you're seeing an ad stands in contrast to the granularity with which advertisers are able to target you. There are targeting categories such as location, age, interests, behaviour and gender which are obviously quite personal. Twitter should provide this level of information to users but instead, we've seen that sometimes they provide no information at all about why an ad is shown to a user. The fact that Twitter may have accidentally used your personal data for ads without your permission is completely outrageous.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong><span><span><span>What PI is doing about it</span></span></span></strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>You might be wondering how all of this tracking and data sharing is even legal, especially under the General Data Protection Regulation (GDPR) and other data protection laws around the world. We do too! Privacy International has spent the last few years looking at how our data is exploited, this includes investigating and challenging the hidden online data ecosystem built on tracking, profiling and targeting us. Using the new standards set by GDPR, Privacy International is seeking to prompt regulatory scrutiny of the industry and hold specific actors to account. In November 2018, we complained about seven companies in the hidden data ecosystem to Data Protection Authorities in Ireland, the UK, and France. As a result of our submission, the Irish Data Protection Commission (DPC) has now opened a <a href="https://privacyinternational.org/press-release/2859/breaking-following-pi-investigation-exploitation-data-quantcast-under">formal probe</a> into Quantcast’s data practices and our submissions have contributed to the UK Information Commissioner's focus on <a href="https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf">AdTech</a>. We believe AdTech companies' practices are in breach of GDPR and want to continue to hold these companies to account.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>But this alone is not enough. We believe that people should be able to understand what's at stake. To contribute to this, we have written explainers to simplify concepts and topics related to online advertisement:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <ul><li><span><span><span><span><span><span><a href="https://privacyinternational.org/explainer/2974/why-am-i-really-seeing-ad-answer-might-be-real-time-bidding-rtb"><strong><span>Real Time Bidding</span></strong></a></span></span></span></span></span></span></li> </ul><ul><li><span><span><span><span><span><span><a href="https://privacyinternational.org/explainer/2976/how-do-tracking-companies-know-what-you-did-last-summer"><strong><span>Tracking</span></strong></a>: the reality and mechanism behind AdTech tracking how it turned the internet into a surveillance machine</span></span></span></span></span></span></li> </ul><ul><li><span><span><span><span><span><span><a href="https://privacyinternational.org/explainer/2975/most-cookie-banners-are-annoying-and-deceptive-not-consent"><strong><span>Cookie banners and consent boxes</span></strong></a>: why they are so annoying and deceptive</span></span></span></span></span></span></li> </ul><ul><li><span><span><span><span><span><span><a href="https://privacyinternational.org/explainer/2826/how-minimise-targeted-ads-social-media-google-youtube"><strong><span>How to minimise targeted ads on social media</span></strong></a></span></span></span></span></span></span></li> </ul><p><em>Image: 3 Levels by Panoptykon - Licence: CC BY-SA 4.0 - <a href="http://privacyinternational.org/sites/default/files/flysystem/2019-05/3levels_0.png">Click to see full image</a></em></p> <p> </p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Screen%20Shot%202019-08-07%20at%2014.34.45.png" width="982" height="966" alt="3 Levels by Panoptykon - Licence: CC BY-SA 4.0" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Screen%20Shot%202019-08-07%20at%2014.34.45_0.png" width="982" height="966" alt="3 Levels by Panoptykon - Licence: CC BY-SA 4.0" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Screen%20Shot%202019-08-07%20at%2014.34.45_1.png" width="982" height="966" alt="3 Levels by Panoptykon - Licence: CC BY-SA 4.0" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/adtech" hreflang="en">AdTech</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-above"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><a href="/target/industry" hreflang="en">Industry</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/tell-companies-stop-exploiting-your-data" hreflang="en">Tell companies to stop exploiting your data!</a></div> </div> </div> </div> </div> Wed, 07 Aug 2019 12:37:58 +0000 staff 3111 at http://privacyinternational.org Africa: SIM Card Registration Only Increases Monitoring and Exclusion http://privacyinternational.org/long-read/3109/africa-sim-card-registration-only-increases-monitoring-and-exclusion <span class="field field--name-title field--type-string field--label-hidden">Africa: SIM Card Registration Only Increases Monitoring and Exclusion</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Monday, August 5, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Image credit: <a href="https://www.flickr.com/photos/emilsjoblom/3490240213/">Emil Sjöblom</a> <a href="https://creativecommons.org/licenses/by-sa/2.0/">[<span>ShareAlike 2.0 Generic</span> <span> (CC BY-SA 2.0)]</span></a></p> <h3><em><span><span>Prepaid SIM card use and mandatory SIM card registration laws are especially widespread in countries in Africa: these two factors can allow for a more pervasive system of mass surveillance of people who can access prepaid SIM cards, as well as exclusion from important civic spaces, social networks, and education and health care for people who cannot.</span></span></em></h3> <p><span><span>Mandatory <a href="https://privacyinternational.org/explainer/2654/101-sim-card-registration">SIM card registration</a> laws require that people provide personal information, including a valid ID or even their <a href="https://privacyinternational.org/topics/biometrics">biometrics</a>, before they can purchase or activate a prepaid SIM card for their mobile device. Such laws can allow the state to identify the owner of a SIM card and infer who is likely to be making a call, sending a message, in a particular location at any particular time, or making a particular financial transaction through <a href="https://privacyinternational.org/explainer/2654/101-sim-card-registration">a money transfer app, such as M-Pesa in Kenya</a>. </span></span></p> <p><span><span>Building off our <a href="https://privacyinternational.org/long-read/3018/timeline-sim-card-registration-laws">timeline of mandatory SIM card registration laws</a>, we examine areas of concern in African countries with such laws. As of February 2019 <em>(source:</em> <a href="https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2019/02/ProofofIdentity2019_WebSpreads.pdf">GSMA p.46-47</a></span></span>)<span><span>:</span></span></p> <ul><li><span><span><span><strong>50 countries in Africa had introduced such laws:</strong> Algeria, Angola, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Central African Republic, Chad, Congo, Côte d'Ivoire, Democratic Republic of Congo, Egypt, Equatorial Guinea, Eritrea, Ethiopia, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Kenya, Lesotho, Liberia, Libya, Madagascar, Malawi, Mali, Mauritania, Mauritius, Morocco, Mozambique, Niger, Nigeria, Rwanda, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Africa, South Sudan, Sudan, Swaziland, Tanzania, Togo, Tunisia, Uganda, Zambia, and Zimbabwe.</span></span></span></li> <li><span><span><span><strong>2 countries</strong> had not mandated SIM card registration and were not considering doing so: Cabo Verde and Comoros.</span></span></span></li> <li><span><span><span><strong>Namibia</strong> was considering SIM card registration.</span></span></span></li> <li><span><span><span>The state of SIM card registration in <strong>Djibouti</strong> was inconclusive.</span></span></span></li> </ul><p><span><span>Because fixed, long-term contracts with a specific mobile carrier generally require people to prove their credit worthiness, pre-paid SIM cards offer a more accessible and flexible way for millions of people around the world to connect and communicate. Across Africa, almost all mobile connections are made via prepaid SIM cards (94 percent), more than in Central America (87 percent, Asia (80 percent), South America (70 percent), Europe (52 percent), or North America (21 percent) (<em>source:</em> <a href="https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2019/02/ProofofIdentity2019_WebSpreads.pdf">GSMA p. 9)</a>. Furthermore, between 2017 and 2025, the percentage of the population with access to mobile connections is expected to increase most significantly in Sub-Saharan Africa <em>(source:</em> <a href="https://www.gsmaintelligence.com/research/?file=061ad2d2417d6ed1ab002da0dbc9ce22&amp;download">GSMA p. 12)</a>.</span></span></p> <p><span><span>If almost every mobile device has its SIM card registered to a particular person, and the government can get access to that mobile subscriber information, the people who own and use such devices can be more easily tracked and monitored. Not all people with mobile devices may fall equally under the watchful eye of such surveillance systems: people advocating for change, people who disagree with the government’s policies, religious or ethnic minorities, journalists, and human rights defenders are particularly vulnerable. </span></span></p> <h2><span><span>The absence of legal safeguards to protect against abuse</span></span></h2> <p><span><span>There is an absence of robust and adequately enforced data protection laws in the majority of countries in Africa where mandatory SIM card registration laws have been passed. In fact, <a href="https://poseidon01.ssrn.com/delivery.php?ID=448116089123102082104064121120098081056087054032028010066007099074002103073008125030002122118022114055124103026119087103126077014010033010014101099079091069077019021062065111069072097013071012013086004118022099072006026024011127098099071004102091&amp;EXT=pdf">only 43% of African countries have any data privacy laws</a>. In countries that do have data privacy laws, critics and advocates have raised <a href="https://cipesa.org/2018/04/the-stampede-for-sim-card-registration-a-major-question-for-africa/">concerns</a> about the lack of sufficient protections and safeguards.</span></span></p> <p><span><span>In <a href="https://poseidon01.ssrn.com/delivery.php?ID=448116089123102082104064121120098081056087054032028010066007099074002103073008125030002122118022114055124103026119087103126077014010033010014101099079091069077019021062065111069072097013071012013086004118022099072006026024011127098099071004102091&amp;EXT=pdf">57% of countries in Africa</a>, data processing occurs in a legal void, which means that information collected as part of registration today could be kept for an indefinite amount of time and used for different purposes in the future, as technology, corporate incentives, or governments change. In such contexts, there are a lack of requirements for how data is managed and stored, which is particularly concerning in the case of biometric data.</span></span></p> <p><span><span>According to the <a href="https://undocs.org/A/HRC/39/29">U.N. High Commissioner for Human Rights</a>, biometric data</span></span></p> <blockquote> <p><span><span>is particularly sensitive, as it is by definition inseparably linked to a particular person and that person’s life, and has the potential to be gravely abused. For example, identity theft on the basis of biometrics is extremely difficult to remedy and may seriously affect an individual’s rights. Moreover, biometric data may be used for different purposes from those for which it was collected, including the unlawful tracking and monitoring of individuals.  Given those risks, particular attention should be paid to questions of necessity and proportionality in the collection of biometric data. Against that background, it is worrisome that some States are embarking on vast biometric data-based projects without having adequate legal and procedural safeguards in place.</span></span></p> </blockquote> <p><span><span>There is a need for greater regional cooperation regarding the protection of peoples’ data. Only <a href="https://au.int/sites/default/files/treaties/29560-sl-AFRICAN%20UNION%20CONVENTION%20ON%20CYBER%20SECURITY%20AND%20PERSONAL%20DATA%20PROTECTION.pdf">Ghana, Guinea, Mauritius, Namibia, and Senegal</a> have ratified the <a href="https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf">African Union (AU) Convention on Cyber Security and Personal Data Protection</a>, which was established in June 2014 and requires signatories to establish some legal, regulatory, and institutional frameworks. </span></span></p> <p><span><span>However, <a href="https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf">the Convention</a> will only enter into legal force 30 days from when the fifteenth African Union member state ratifies it, but given the <a href="https://journals.muni.cz/mujlt/article/view/8666/9255">slow pace at which only 5 countries have ratified it so far</a>, it remains unclear when that will happen.</span></span></p> <h2><span><span>Fear of being under surveillance has a chilling effect on people’s rights</span></span></h2> <p><span><span>Even if people are not actually being surveilled by the government, the fact that people may fear they are being tracked has a <a href="https://www.eff.org/deeplinks/2016/05/when-surveillance-chills-speech-new-studies-show-our-rights-free-association">chilling effect on innocent and ordinary behaviour</a>, including what information people look up on the Internet, who they contact, and how they express themselves. People may not feel comfortable visiting certain websites, and thus may not obtain the information they need to form and share opinions. </span></span></p> <p><span><span>Journalists and human rights defenders may feel it is unsafe to communicate with confidential sources. Journalists and human rights defenders may also forgo investigations into certain controversial topics for fear of reprisal from the government and be unable to do their essential job of uncovering and challenging human rights violations.</span></span></p> <h2><span><span>People are excluded from mobile services</span></span></h2> <p><span><span>On top of the fact that many countries have not implemented any legal safeguards for personal data, including identity systems and biometric databases, when registration requires official government documents that many people do not possess or cannot afford to procure (whether due to costs the government charges for people to obtain the documents or because of transportation and time required to do so), people face incentives to try to circumvent SIM card registration laws, or else <a href="https://privacyinternational.org/long-read/2544/exclusion-and-identity-life-without-id">face exclusion</a>. Compared to men, women are <a href="https://blogs.worldbank.org/voices/global-identification-challenge-who-are-1-billion-people-without-proof-identity">more likely to lack access</a> to official government identification and be denied access to prepaid SIM cards. </span></span></p> <p><span><span>People who cannot afford to, are unable to, or do not feel comfortable producing a valid form of government ID, or biometric information such as fingerprints, may be unable to purchase or activate prepaid SIM cards: thus, they can be denied access to places where they get information, communicate and share ideas, access government services, and use mobile banking and other mobile applications. </span></span></p> <p><span><span><a href="https://www.thenational.com.pg/whats-deal-registration/">For example</a>, after governments introduced SIM card registration laws, in South Africa, a major operator lost approximately 1 million subscribers, in Zimbabwe, two major operators lost roughly two million subscribers, and, in Kenya, more than 1.2 million subscribers were lost.</span></span></p> <p><span><span>Another element of exclusion is the fact that governments are <a href="https://edri.org/nine-controversies-about-obligatory-prepaid-registration/">shifting costs to society</a> when they mandate pre-paid SIM card registration. Additional burdens are placed on people in terms of requesting, potentially paying for, collecting, and transmitting documentation needed for registration. Depending on where people live and how accessible registration sites are, people may need to travel to a registration site. Mobile providers and retailers need to administer the registration process. Finally, both ordinary people and providers bear costs when new SIM card requirements are introduced, unregistered SIM cards need to be de-registered, and people whose SIM cards were de-registered seek to re-activate them.</span></span></p> <h2><span><span>The ability to participate in society should not be conditioned on providing personal information</span></span></h2> <p><span><span>Mobile devices and mobile services are increasingly becoming necessities—particularly in areas less served by other forms of information-technology infrastructure—for people to access education and health care information, stay informed about current events, buy and sell goods and services, participate in democracy, and stay in touch with one another. Mobile services provide access to important <a href="https://privacyinternational.org/long-read/2852/protecting-civic-spaces">civic spaces</a> that help promote healthy <a href="https://privacyinternational.org/strategic-areas/defending-democracy-and-dissent">democracy and dissent</a>. Access to such services should not be conditioned on turning over personal information that can be used to track and monitor people.</span></span></p> <h2><span><span>Mandatory SIM card registration laws have not been shown to improve security</span></span></h2> <p><span><span>While governments justify mandatory SIM card registration laws on the grounds that they assist in preventing and detecting crime, “there is no convincing empirical evidence that mandatory registration in fact systematically lowers crime rates,” and “no robust empirical studies that show that such measures make a difference in terms of crime detection.” (<em>source: </em><a href="https://www.academia.edu/23357252/Implications_of_mandatory_registration_of_mobile_phone_users_in_Africa">Jentzsch p. 3-5</a>). Thus, the lack of evidence that SIM card registration helps lower crime rates makes this type of interference with the human right to privacy both unnecessary and disproportionate.</span></span></p> <p><span><span>It is also worth noticing that SIM card registration schemes can be <a href="https://edri.org/nine-controversies-about-obligatory-prepaid-registration/">easily circumvented</a> by people determined to engage in crime, by purchasing phones registered in someone else’s name, trading phones, and using fake forms of identification. The fact that these laws can be easily circumvented renders SIM card registration laws ineffective to reduce crime rates and makes them useful mostly as a mass surveillance tool.</span></span></p> <h2><span><span>Resisting mandatory SIM card registration laws</span></span></h2> <p><span><span>Despite the widespread adoption of mandatory SIM card registration schemes, advocates and community members have been challenging these policies.</span></span></p> <p><span><span>In Uganda, <a href="https://www.unwantedwitness.org/">Unwanted Witness</a> has been raising awareness and campaigning against mandatory SIM card registration, exposing it as a <a href="https://www.unwantedwitness.org/unlawful-sim-card-validation-exercise-is-a-threat-to-anonymity-and-privacy/">threat against anonymity and privacy</a>, and requesting that public authorities be held <a href="https://www.unwantedwitness.org/ucc-must-be-held-liable-for-compromising-citizens-anonymous-communication-leading-to-increasing-sim-card-hacking-in-the-country-says-unwanted-witness/">accountable for its implementation</a>. A <a href="https://www.unwantedwitness.org/unwanted-witness-welcomes-ugandas-data-protection-law-calls-for-enforceable-regulations/">new data protection law enacted earlier this year</a> represents a valuable possible mechanism to limit SIM card registration and implement safeguards against data misuse.</span></span></p> <p><span><span>The <a href="https://www.r2k.org.za/">Right2Know Campaign</a> in South Africa <a href="https://techcentral.co.za/court-battle-to-get-rica-data-from-mobile-operators/84945/">went to court</a> to obtain greater transparency about how the government uses information provided during registration, demanding that mobile operators disclose when and how often they accede to requests from law enforcement and other government agencies.</span></span></p> <p><span><span>Although mandatory SIM card registration laws are increasingly widespread, they are not a foregone conclusion. There is still the opportunity for public discussion about the impacts on peoples’ rights, the disproportionate burdens people who are vulnerable may bear, the mass surveillance effects, room for abuse, and exclusion and suppression of peoples’ rights that can result. </span></span></p> <p><span><span>Privacy International, its <a href="https://privacyinternational.org/partners">partner organisations</a>, and other experts are working to push back against the SIM card registration trend by:</span></span></p> <ul><li><span><span><span>raising awareness about the </span><a href="https://privacyinternational.org/topics/sim-card-registration"><span>risks of SIM card registration, which outweigh any possible benefits</span></a><span>;</span></span></span></li> <li><span><span><span>articulating oversight measures that are consistent with international human rights standards to policy makers; and </span></span></span></li> <li><span><span><span>advocating for better safeguards at the national, regional, and international level.</span></span></span></li> </ul><p><span><span>In particular, Privacy International advises governments to: </span></span></p> <ul><li><span><span><span>establish regulatory frameworks that have clearly defined and limited mandates for retention of communications data, and order judicial oversight in their individual request and delivery. </span></span></span></li> <li><span><span><span>limit the collection and use of personal data for the implementation of public policies and the provision of public services to data that is necessary and proportional to the legitimate purpose pursued, by conducting a human rights impact assessment, and ensuring transparent participatory processes prior its implementation. </span></span></span></li> <li><span><span><span>introduce safeguards to ensure that the rights of mobile telephone subscribers in relation to their personal data are guaranteed.</span></span></span></li> <li><span><span><span>if not in place, adopt and enforce a comprehensive data protection law to ensure the protection of the personal data of its citizens.</span></span></span></li> </ul><p><span><span>If you have any updates on SIM card registration laws or court cases in countries in Africa, please email <strong>research@privacyinternational.org</strong>.</span></span></p></div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/new-forms-identity" hreflang="en">New forms of identity</a></div> <div class="field__item"><a href="/topics/protecting-civic-spaces" hreflang="en">Protecting Civic Spaces</a></div> <div class="field__item"><a href="/topics/anonymity" hreflang="en">Anonymity</a></div> <div class="field__item"><a href="/topics/data-protection" hreflang="en">Data Protection</a></div> <div class="field__item"><a href="/topics/identity" hreflang="en">Identity</a></div> <div class="field__item"><a href="/topics/location-and-geographic-surveillance-technology" hreflang="en">Location and Geographic Surveillance Technology</a></div> <div class="field__item"><a href="/topics/social-media-surveillance-socmint" hreflang="en">Social Media Surveillance (SOCMINT)</a></div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/id-identity-and-identification" hreflang="en">ID, Identity and Identification</a></div> <div class="field__item"><a href="/what-we-do/modernise-data-protection-law" hreflang="en">Modernise Data Protection Law</a></div> <div class="field__item"><a href="/what-we-do/fight-data-retention-law" hreflang="en">Fight Data Retention Law</a></div> <div class="field__item"><a href="/what-we-do/realise-our-rights-live-dignity" hreflang="en">Realise Our Rights to Live with Dignity</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> <div class="field__item"><a href="/strategic-areas/contesting-government-data-and-system-exploitation" hreflang="en">Contesting Government Data and System Exploitation</a></div> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> <div class="field__item"><a href="/strategic-areas/government-exploitation" hreflang="en">Government Exploitation</a></div> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/enhancing-data-protection-standards" hreflang="en">Enhancing Data Protection Standards</a></div> <div class="field__item"><a href="/campaigns/exposing-new-frontiers-identity" hreflang="en">Exposing new frontiers of identity</a></div> </div> </div> <div class="field field--name-field-audience-and-purpose field--type-entity-reference field--label-above"> <div class="field__label">Audiences and Purpose</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/625" hreflang="en">Generalised audience problem articulation</a></div> <div class="field__item"><a href="/taxonomy/term/631" hreflang="en">Helping partners and other NGOs know our stance</a></div> <div class="field__item"><a href="/taxonomy/term/629" hreflang="en">Helping people understand our solutions</a></div> <div class="field__item"><a href="/taxonomy/term/627" hreflang="en">Informing the concerned</a></div> </div> </div> <div class="field field--name-field-principle-or-recommendatio field--type-entity-reference field--label-above"> <div class="field__label">What is PI calling for</div> <div class="field__items"> <div class="field__item"><a href="/recommendation-principle-or-safeguard/data-should-be-protected" hreflang="en">Data should be protected</a></div> <div class="field__item"><a href="/recommendation-principle-or-safeguard/identities-under-our-control" hreflang="en">Identities under our control</a></div> </div> </div> Mon, 05 Aug 2019 15:46:48 +0000 staff 3109 at http://privacyinternational.org Letter to the DCMS Sub-Committee on Disinformation - data brokers need to be investigated http://privacyinternational.org/advocacy/3107/letter-dcms-sub-committee-disinformation-data-brokers-need-be-investigated <div class="node node--type-advocacy-briefing node--view-mode-token group-one-column ds-2col-stacked-fluid clearfix"> <div class="group-header"> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Screen%20Shot%202019-08-02%20at%2015.59.26_0.png" width="636" height="424" alt="DCMS Committee" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/607" hreflang="en">Acxiom</a></div> </div> </div> <div class="field field--name-field-type-of-abuse field--type-entity-reference field--label-above"> <div class="field__label">Type of abuse</div> <div class="field__items"> <div class="field__item"><a href="/examples/voters" hreflang="en">Voters</a></div> </div> </div> </div> <div class="group-left"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Dear Chair and Committee colleagues,</p> <p>Privacy International is an international NGO, based in London, which works with partners around the world to challenge state and corporate surveillance and data exploitation. As part of our work, we have a dedicated programme “<a href="https://privacyinternational.org/strategic-areas/defending-democracy-and-dissent">Defending Democracy and Dissent</a>” where we advocate for <a href="https://privacyinternational.org/long-read/2850/data-exploitation-and-democratic-societies">limits on data exploitation throughout the electoral cycle</a>.</p> <p>We have been closely following the important work of the Committee. Prompted by the<a href="https://www.parliament.uk/business/committees/committees-a-z/commons-select/digital-culture- media-and-sport-committee/news/brittany-kaiser-additional-papers-published/"> additional evidence provided to the Committee by Brittany Kaiser</a>, published on 30 July 2019, we would like to draw your attention to aspects of her submission that stood out to us and related points:</p> <ul><li> <p>The ways in which Cambridge Analytica has used segments and inferences is strikingly similar to the techniques we have observed in the data broker industry.</p> </li> <li> <p>In November 2018, <a href="https://privacyinternational.org/advocacy/2426/our-complaints-against-acxiom-criteo-equifax- experian-oracle-quantcast-tapad">Privacy International complained</a> about seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) to data protection authorities in France, Ireland, and the UK. As evidenced in the documentary “The Great Hack”, Acxiom is one of the companies, as well as Facebook, that Cambridge Analytica used as a data source. Many of these companies are also involved in or linked to the use of data for political purposes.</p> </li> </ul><ul><li> <p>Our complaints show that these companies fail to comply with data protection law and in some cases seem to work under the assumption that derived, inferred and predicted data and behavioural or demographic segments do not count as personal data, even if they are linked to unique identifiers or linked to or used to target individuals.</p> </li> <li> <p>We noted with concern that the final report of the Committee on Disinformation and‘fake news’ stated that “’inferred data’ is not protected” under GDPR. While we very much agree with your recommendation to extend privacy laws to close existing gaps in this regard, we respectfully disagree with your conclusion that ‘inferred data’ is currently not protected. ‘Inferred data’ does not always fall under the definition of personal data,yet inferences that may be linked to identifiable individuals do constitute personal data.</p> </li> <li> <p>A new aspect of GDPR is an explicit definition of profiling in Article 4(4): “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.</p> </li> <li> <p>Data brokers, ad tech companies, and credit referencing agencies amass vast amounts of data from different sources (offline and online) in order to profile individuals, derive, and infer more data about them and place individuals into categories and segments. The law is clear that there must be transparency and limits, including relating to requirements such as legal basis, fairness and purpose limitation. However, our investigation shows that many companies fail to comply with data protectionrequirements with far reaching consequences for people’s rights.</p> </li> <li> <p>The pervasive nature of data brokers is demonstrated by an example related to anotherof the Committee’s inquires, where you have looked at the way reality TV shows have used targeted advertising on Facebook. In this regard it is important to consider how advertising on television is becoming increasingly targeted, and <a href="https://www.engadget.com/2014/01/15/sky-adsmart-targeted-advertising/">the role that data brokers play as data sources</a>.</p> </li> </ul><p>We urge the Committee to look into the profiling practices used by commercial data brokers (including those that also operate as Credit Reference Agencies) and <a href="//privacyinternational.org/video/2937/video-your-vote- sale-political-advertisers-think-so">the role this industry plays in the use of personal data for political purposes and beyond</a>.</p> <p>We look forward to hearing from you in relation to this request. Should you require any further information or have any questions please do let us know.</p> <p>Yours faithfully,</p> <p>Privacy International</p> <p>Image: <em>screenshot from <a href="https://www.netflix.com/title/80117542">The Great Hack</a></em></p></div> </div> <div class="group-footer"> <div class="field field--name-field-target field--type-entity-reference field--label-inline"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><div about="/target/government" id="taxonomy-term-152" class="taxonomy-term vocabulary-target"> <h2><a href="/target/government"> <div class="field field--name-name field--type-string field--label-hidden field__item">Government</div> </a></h2> <div class="content"> </div> </div> </div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-inline"> <div class="field__label">What PI is campaigning on</div> <div class="field__items"> <div class="field__item"><div about="/campaigns/holding-facebook-account-cambridge-analytica" id="taxonomy-term-494" class="taxonomy-term vocabulary-campaigns"> <h2><a href="/campaigns/holding-facebook-account-cambridge-analytica"> <div class="field field--name-name field--type-string field--label-hidden field__item">Holding Facebook to account for Cambridge Analytica</div> </a></h2> <div class="content"> </div> </div> </div> <div class="field__item"><div about="/campaigns/tell-companies-stop-exploiting-your-data" id="taxonomy-term-542" class="taxonomy-term vocabulary-campaigns"> <h2><a href="/campaigns/tell-companies-stop-exploiting-your-data"> <div class="field field--name-name field--type-string field--label-hidden field__item">Tell companies to stop exploiting your data!</div> </a></h2> <div class="content"> </div> </div> </div> <div class="field__item"><div about="/campaigns/when-your-data-becomes-political" id="taxonomy-term-618" class="taxonomy-term vocabulary-campaigns"> <h2><a href="/campaigns/when-your-data-becomes-political"> <div class="field field--name-name field--type-string field--label-hidden field__item">When Your Data Becomes Political</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><strong><span>Have you ever wondered why you're seeing an ad online? In your social media feed, in apps, or while browsing the internet?</span></strong></p> <p><span>What you see is determined in large part by your data.</span><span> The exploitation of data dominates the news these days - and the use of advertising </span><span>in politics</span><span> is front and centre to this exploitation. Advertisers are able to buy access to very personal information about you and</span><span> then</span><span> infer</span><span> even more about you.</span><span> They are able to use this information to target ads at you with heightened precision, and to send you unique messages that are specially created to appeal to you and people like you.</span><span> There are many actors in the business of amassing our data and using it to segment and profile us based on our behaviour - data brokers, ad tech</span><span>,</span><span> and platforms we use.</span></p> <p><span>It's not only </span><span>brands and </span><span>advertisers selling t-shirts who are targeting you. Political parties, political campaigns and those who work for them tap into and further exploit our data  - and it's happening in the dark. <a href="https://privacyinternational.org/long-read/2850/data-exploitation-and-democratic-societies">Privacy International believes that you should be told and understand how your data is being used by companies and by political actors</a>, and that there must be limits - </span><span>your data should not be used against you.</span></p> <p><span>In the <a href="https://privacyinternational.org/topics/data-and-elections">run up to an election</a>, concern at such attempts to influence and manipulate our views are heightened. This is why at PI we are working to challenge such practices.</span></p> <p> </p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Political campaigns around the world have turned into sophisticated data operations. They rely on data- your data- to facilitate a number of decisions: where to hold rallies, which States or constituencies to focus resources on, which campaign messages to focus on in which area, and how to target supporters, undecided voters, and non-supporters.</p> <p> </p></div> </div> </div> </div> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> </div> </div> </div> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Automated decision-making, about people, from people's data, will shape their lives -- what they have access to, what they can do, and what they may become.</p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><div about="/strategic-areas/challenging-corporate-data-exploitation" id="taxonomy-term-1" class="taxonomy-term vocabulary-programmes"> <h2><a href="/strategic-areas/challenging-corporate-data-exploitation"> <div class="field field--name-name field--type-string field--label-hidden field__item">Challenging Corporate Data Exploitation</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><strong>We want to see a world where we are in control of information about us. </strong></p></div> </div> </div> </div> <div class="field__item"><div about="/strategic-areas/defending-democracy-and-dissent" id="taxonomy-term-585" class="taxonomy-term vocabulary-programmes"> <h2><a href="/strategic-areas/defending-democracy-and-dissent"> <div class="field field--name-name field--type-string field--label-hidden field__item">Defending Democracy and Dissent</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The seamless way we communicate using some of these technologies has helped many to organise politically and to express dissent online and offline. But the hidden data harvesting on which many of these technologies rely also threatens our ability to challenge power, no matter the type of government.</p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><div about="/what-we-do/expose-data-exploitation-data-profiling-and-decision-making" id="taxonomy-term-80" class="taxonomy-term vocabulary-issue"> <h2><a href="/what-we-do/expose-data-exploitation-data-profiling-and-decision-making"> <div class="field field--name-name field--type-string field--label-hidden field__item">Expose Data Exploitation: Data, Profiling, and Decision Making</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><em>Exposing companies' generation, collection, and exploitation of people's personal information.</em></p> <p> </p></div> </div> </div> </div> <div class="field__item"><div about="/what-we-do/modernise-data-protection-law" id="taxonomy-term-79" class="taxonomy-term vocabulary-issue"> <h2><a href="/what-we-do/modernise-data-protection-law"> <div class="field field--name-name field--type-string field--label-hidden field__item">Modernise Data Protection Law</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><em>Advocating for strong data protection around the world.</em></p> <p> </p></div> </div> </div> </div> </div> </div> </div> </div> Fri, 02 Aug 2019 14:58:23 +0000 staff 3107 at http://privacyinternational.org Joint letter to new British Home Secretary on the future of the immigration and asylum system http://privacyinternational.org/news-analysis/3102/joint-letter-new-british-home-secretary-future-immigration-and-asylum-system <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Privacy International has joined over 30 organisations working with migrants and refugees to write to the newly appointed <a href="https://www.gov.uk/government/ministers/secretary-of-state-for-the-home-department">British Home Secretary </a>to raise a number of pressing issues, which require action if the immigration and asylum system is to regain the trust of the public.</p> <p>The letter below was sent to the Home Secretary on Wednesday, 30 July 2019.</p> <p>Find out more about PI’s work to demand <a href="https://privacyinternational.org/what-we-do/demand-humane-approach-immigration">a more humane approach to immigration</a> based on the principles of fairness, accessibility, and respect for human rights.</p> <p> </p> <p><span><span><span><span>Rt Hon Priti Patel MP     </span></span></span></span></p> <p><span><span><span><span>Home Secretary                                                           <br /> 2 Marsham Street<br /> London<br /> SW1P 4DF</span></span></span></span></p> <p><span><span><span><span>30th</span><span> July 2019</span></span></span></span><br />  </p> <p><span><span><span><strong><span>Re: The future of the immigration and asylum system</span></strong></span></span></span></p> <p><span><span><span><span>Dear Home Secretary, </span> </span></span></span></p> <p><span><span><span><span>Congratulations on your appointment to one of the great offices of state. You will lead the Home Office through a period of great challenge, but at a moment of great opportunity for reform. We are writing to you as organisations that work with, are led by, or represent people who have moved to the UK and have made it their home. We want to raise a number of pressing issues, which require action if the immigration and asylum system is to regain the trust of the public.</span> </span></span></span></p> <p><span><span><span><strong><span>Allowing people who seek safety in the UK to re-build their lives</span></strong><br /><span>As a global power and as the fifth richest country in the world with a proud history of providing safety to those in need, Britain has an obligation to lead by example and guarantee shelter and safe passage to those who seek asylum or refuge from conflict, persecution and crisis. We can and must build a system where safe, legal routes to asylum are accessible to all who need them. We must build a system where asylum decisions are made quickly and fairly, so that people can rebuild their lives in the UK. Currently, people seeking asylum in the UK are effectively banned from working, meaning that they are at a high risk of destitution and denied the opportunity to provide for their families and contribute to the economy. Funding cuts to ESOL (English for speakers of other languages) classes must be reversed and new long-term funding guaranteed. We need comprehensive support systems which help those who seek asylum to navigate life here and become active members of their local communities by allowing them to work and study.</span></span></span></span></p> <p><span><span><span><strong><span>Keep families together</span></strong><br /><span>All families belong together. Under current rules however, British nationals must demonstrate they earn an income well above the minimum wage in order to live with their partner in the UK. British nationals with parents abroad find it almost impossible to bring them here as they grow older. As a result, tens of thousands of British families live in separation, with children unable to see their parents except through Skype. The UK should make it easier for its citizens to build a life here with the people they love. Refugees in the UK who have lost everything should have the right to be reunited with their close family in the UK so that they can make a fresh start together and integrate in their new community. Reintroducing legal aid is vital for them to navigate the complicated process of being reunited with their families.</span></span></span></span></p> <p><span><span><span><strong><span>Secure the rights of European citizens</span></strong><span> <strong>and their family members and protect vulnerable groups</strong><br /> We welcome the Prime Minister’s announcement to guarantee the rights of European citizens in the UK, but we urge the government to enshrine those rights in UK law. The Home Office must step up its efforts to provide adequate and concrete information about the EU Settlement Scheme to EU citizens and their family members who are often non-EU nationals. This should include targeted outreach activities to vulnerable EU citizens such as elderly people, children in care, disabled people, rough sleepers and victims of domestic violence. These groups are at risk of not being aware of the scheme at all, of being misinformed, of not having access to accurate information and support services to navigate the scheme and of eventually facing the hostile environment if they miss the application deadline.</span></span></span></span></p> <p><span><span><span><strong><span>Stable work and study routes</span></strong><br /><span>Our current immigration system ties workers to employers, distorting the market and creating opportunities for exploitation and short-term visas. Ever-changing requirements make workers’ lives unstable. We need more sensible, more flexible rules that encourage long-term integration and stability for families. Children and young people who grew up in the UK or were born in this country should have equal access to education and work as their British peers regardless of their parents’ immigration status. The Home Office should guarantee easy and affordable access to citizenship for this young generation.</span></span></span></span></p> <p><span><span><span><strong><span>Treat human beings with humanity</span></strong><span> <strong>and end indefinite detention</strong><br /> Our immigration enforcement system treats people brutally: families are woken in the middle of the night by immigration raids and parents are taken away in front of their children. Too many people are detained unlawfully and with no idea when they may be set free. Access to healthcare within detention is often inadequate. The Home Office under your predecessors started to take important steps in reforming immigration detention and pursuing alternatives to detention. There is cross-party support in Parliament for a 28-day time limit on detention. We ask you to pursue these reforms with urgency.  </span></span></span></span></p> <p><span><span><span><strong><span>End the Hostile Environment</span></strong><br /><span>Our communities, our public spaces, our public services and our workplaces should be places open to us all, where no one fears discrimination or persecution. The hostile environment builds a border through our hospitals, homes, schools, police stations and communities. Doctors, landlords, police officers and teachers have been tasked with verifying immigration status and often people who look or sound ‘foreign’ are asked to show their papers in order to see a doctor or go to school. We are also concerned about the collection and processing of increasing amounts of personal data of migrants and the lack of safeguarding in place to regulate its use in the broader immigration process. We must end the hostile environment so that discrimination is effectively challenged and communities can unite, build bridges and prosper. Additionally, the recommendations of Wendy Williams’ Lessons Learned Review must be published immediately. We ask you to commit to ending the Hostile Environment.  </span></span></span></span></p> <p><span><span><span><strong><span>Build a better Home Office</span></strong><br /><span>The Home Office should make timely, correct and fair decisions about people’s status, supporting people to get on with their lives and become active members of their community. It should not price people out of status or citizenship and should be transparent and accountable. Cuts to funding and a lack of investment in training and support mean that caseworkers are overstretched and the department struggles to retain staff. Only a department that works efficiently, values its staff, embraces transparency and uses evidence to make policy can deliver an immigration system that earns public trust. We ask you to invest in that reform as a matter of urgency.</span></span></span></span></p> <p><span><span><span><span>Recent governments have seen scandal after scandal rooted in the failure of the immigration and asylum system to work effectively and fairly. Building a better one will not be easy, but it is more essential than ever. We look forward to working with you and your department to make it happen. </span></span></span></span></p> <p> </p> <p><span><span><span><span>Yours sincerely</span></span></span></span></p> <p> </p> <p><span><span><span><span>Leila Zadeh, Executive Director, UK Lesbian &amp; Gay Immigration Group</span></span></span></span></p> <p><span><span><span><span>Tahmid Chowdhury, Joint-CEO, Here for Good</span></span></span></span></p> <p><span><span><span><span>Kerry Smith, Chief Executive Officer, Helen Bamber Foundation</span></span></span></span></p> <p><span><span><span><span>Emma Harrison, CEO, IMIX</span></span></span></span></p> <p><span><span><span><span>Satbir Singh, </span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US">Chief Executive, the Joint Council for the Welfare of Immigrants (</span><span>JCWI)</span></span></span></span></p> <p><span><span><span><span>Rosario Guimba-Stewart, Chief Executive Officer, Lewisham Refugee and Migrant Network</span></span></span></span></p> <p><span><span><span><span>Josie Naughton, Chief Executive Officer, Help Refugees</span></span></span></span></p> <p><span><span><span><span>Eiri Ohtani, Project Director, The Detention Forum</span></span></span></span></p> <p><span><span><span><span>Arten Llazari, CEO, The Refugee and Migrant Centre (Black Country and Birmingham)</span></span></span></span></p> <p><span><span><span><span>Toni Soni, Centre Director, CRMC, Coventry Refugee and Migrant Centre </span></span></span></span></p> <p><span><span><span><span>Wayne Myslik, Chief Executive, Consonant</span></span></span></span></p> <p><span><span><span><span>Emily Crowley, Chief Executive, Student Action for Refugees </span></span></span></span></p> <p><span><span><span><span>Dr Laura Miller, Interim Director, Solidarity with Refugees</span></span></span></span></p> <p><span><span><span><span>Nazek Ramadan, Director of Migrant Voice, Migrant Voice</span></span></span></span></p> <p><span><span><span><span>Alice Lucas, Advocacy and Policy Manager, Refugee Rights Europe</span></span></span></span></p> <p><span><span><span><span>Maya Mailer, Campaigns Director, Asylum Matters</span></span></span></span></p> <p><span><span><span><span>Kate Smart, Director, Asylum Welcome</span></span></span></span></p> <p><span><span><span><span>Sarah Teather, Director, Jesuit Refugee Service UK</span></span></span></span></p> <p><span><span><span><span>Jo Cobley, Director, Young Roots</span></span></span></span></p> <p><span><span><span><span>Jill Rutter, Director of Strategy and Relationships, British Future.</span></span></span></span></p> <p><span><span><span><span>Dr Edie Friedman, Executive Director, The Jewish Council for Racial Equality (JCORE)</span></span></span></span></p> <p><span><span><span><span>Nicolas Hatton, CEO, the3million</span></span></span></span></p> <p><span><span><span><span>Hazel Williams, National Director, NACCOM Network</span></span></span></span></p> <p><span><span><span><span>Rt Revd Jonathan Clark, Chair, Churches’ Refugee Network</span></span></span></span></p> <p><span><span><span><span>Kat Smithson, Director of Policy and Campaigns, National Aids Trust</span></span></span></span></p> <p><span><span><span><span>Siân Summers-Rees, Chief Officer, City of Sanctuary</span></span></span></span></p> <p><span><span><span><span>Lucy Jones, Director of Programmes, Doctors of the World UK </span></span></span></span></p> <p><span><span><span><span>Clare Moseley, Founder &amp; CEO, Care4Calais</span></span></span></span></p> <p><span><span><span><span>Dr Ruvi Ziegler, Chair, New Europeans</span></span></span></span></p> <p><span><span><span><span>Anna Jones, Co-Founder, RefuAid </span></span></span></span></p> <p><span><span><span><span>Dr Mohamed Nasreldin, Director, North of England Refugee Service</span></span></span></span></p> <p><span><span><span><span>Ali Harris, CEO, Equally Ours</span></span></span></span></p> <p><span><span><span><span>Kush Chottera, Executive Director of Europia </span></span></span></span></p> <p><span><span><span><span>Gus Hosein. Executive Director, Privacy International</span></span></span></span></p> <p><span><span><span><span>Eleanor Harrison, CEO, Safe Passage</span></span></span></span></p> <p><span><span><span><span>James Wilson, Acting Director, Detention Action</span></span></span></span></p> <p><span><span><span><span>Sally Daghlian OBE, CEO, Praxis</span></span></span></span></p> <p><span><span><span><span>Salah Mohamed, Chief Executive, Welsh Refugee Council</span></span></span></span></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-07/HO%20image.jpg" width="1024" height="699" alt="HO building" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-07/HO%20image_0.jpg" width="1024" height="699" alt="HO building" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-07/HO%20image_1.jpg" width="1024" height="699" alt="HO building" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/demand-humane-approach-immigration" hreflang="en">Demand a Humane Approach to Immigration</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/learning-topics/migrants" hreflang="en">Migrants</a></div> <div class="field__item"><a href="/topics/migration-and-borders" hreflang="en">Migration and Borders</a></div> </div> </div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/united-kingdom" hreflang="en">United Kingdom</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-above"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><a href="/target/government" hreflang="en">Government</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/protecting-migrants-borders-and-beyond" hreflang="en">Protecting migrants at borders and beyond</a></div> </div> </div> </div> </div> Tue, 30 Jul 2019 11:14:20 +0000 staff 3102 at http://privacyinternational.org Response to the CMA’s online platforms and digital advertising market study http://privacyinternational.org/advocacy/3101/response-cmas-online-platforms-and-digital-advertising-market-study <div class="node node--type-advocacy-briefing node--view-mode-token group-one-column ds-2col-stacked-fluid clearfix"> <div class="group-header"> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-07/New%20Response%20to%20the%20CMA.png" width="595" height="842" alt="Response to the CMA’s online platforms and digital advertising market study " typeof="foaf:Image" /> </div> </div> </div> <div class="group-left"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><span><span>Today, we have responded to the </span></span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>UK Competition and Markets Authority’s </span></span><span><span><a href="https://www.gov.uk/cma-cases/online-platforms-and-digital-advertising-market-study">online platforms and digital advertising market study</a></span></span></p> <p><span><span>In the last year, Privacy International has conducted research into the ad tech and the data brokers industry <a href="https://privacyinternational.org/long-read/1721/snapshot-corporate-profiling">exposing</a> and <a href="https://privacyinternational.org/advocacy/2426/our-complaints-against-acxiom-criteo-equifax-experian-oracle-quantcast-tapad">complaining</a> about their exploitation of personal data and the lack of transparency of their activities.</span></span></p> <p><span><span>Based on our research and analysis of the current trends, Privacy International provided observations on the three broad potential sources of harm to consumers in connection with the market for digital advertising: dominant position of online platforms; the lack of consumers’ control over how their personal data is used and collected online; and the lack of transparency of the digital advertising market and its effects on competition and on consumers.</span></span></p> <p><span><span>We believe that <strong>the digital advertising market is shrouded in opacity</strong>. The lack of transparency in the online advertising ecosystem, as well as the unlawful personal data-gathering practices, in which online platforms, ad tech companies and data brokers seem to engage, have undermined consumers’ fundamental rights and affected their control over the personal data they surrender to these platforms. Ultimately, this has resulted in a significant loss of consumers’ trust in the online market. </span></span></p> <p><span><span><strong>Privacy International therefore urges the CMA to address the inherent lack of transparency and the consumer detriment in the online advertising market</strong>, by making a market investigation reference, scrutinising the role of dominant or strategic platforms in the digital advertising market, and strengthening the enforcement of consumers’ rights against abusive practices. In carrying out this investigation, <strong>we encourage the CMA to liaise closely with its competition and data protection counterparts both domestically and internationally</strong>.</span></span></p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-inline"> <div class="field__label">Repeating Image and Text</div> <div class="field__items"> <div class="field__item"><div class="paragraph-formatter"><div class="paragraph-info"></div> <div class="paragraph-summary"></div> </div> </div> </div> </div> </div> <div class="group-footer"> <div class="field field--name-field-type-of-intervention field--type-entity-reference field--label-inline"> <div class="field__label">Related work PI does</div> <div class="field__item"><div about="/how-we-fight/advocacy-and-policy" id="taxonomy-term-169" class="taxonomy-term vocabulary-intervention-type"> <h2><a href="/how-we-fight/advocacy-and-policy"> <div class="field field--name-name field--type-string field--label-hidden field__item">Advocacy and Policy</div> </a></h2> <div class="content"> <div class="field field--name-field-icon field--type-image field--label-above"> <div class="field__label">Icon</div> <div class="field__item"> <img src="/sites/default/files/2017-12/APT_page.png" width="1200" height="1200" alt="APT" typeof="foaf:Image" /> </div> </div> </div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><span><span>Effective competition is necessary for privacy and innovation. Increasingly the digital economy is characterised by a few companies in dominant positions. These companies are able to impose terms and conditions onto users that exploit their data, and which are detrimental to users’ privacy.</span></span></p> <p> </p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><div about="/strategic-areas/challenging-corporate-data-exploitation" id="taxonomy-term-1" class="taxonomy-term vocabulary-programmes"> <h2><a href="/strategic-areas/challenging-corporate-data-exploitation"> <div class="field field--name-name field--type-string field--label-hidden field__item">Challenging Corporate Data Exploitation</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><strong>We want to see a world where we are in control of information about us. </strong></p></div> </div> </div> </div> </div> </div> </div> </div> Mon, 29 Jul 2019 17:32:06 +0000 staff 3101 at http://privacyinternational.org Welcome to 5G: Privacy and security in a hyperconnected world (or not?) http://privacyinternational.org/long-read/3100/welcome-5g-privacy-and-security-hyperconnected-world-or-not <span class="field field--name-title field--type-string field--label-hidden">Welcome to 5G: Privacy and security in a hyperconnected world (or not?)</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Tuesday, July 23, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>image from <a href="https://www.flickr.com/photos/135518748@N08/">portal gda</a> (cc)</em></p> <p><span><span><span>Many people are still confused by what is 5G and what it means for them. With cities like London, New York or San Francisco now plastered with ads, talks about national security, and the deployment of 5G protocols being treated like an arms race, what happens to our privacy and security?</span></span></span></p> <p><span><span><span>5G is the next generation of mobile networks, which is meant to be an evolution of the current 4G protocols that mobile providers have deployed over the last decade, and there are already several </span><a href="https://uk.pcmag.com/cell-phone-service-providers/82400/what-is-5g"><span>explainers</span></a><span> that analyse the technology. </span></span></span></p> <p><span><span><span>For the sake of this piece, we will focus on the technology’s main features: 5G will enable higher download and upload rates, lower latency, and more connection density. This means that users will be able to download more megabytes per second, with less delay in the connections, and with more users being connected at the same time in a single geographical point (so mobile data will actually work in crowded places.)</span></span></span></p> <h2><span><span><span>The attack surface is not really being reduced</span></span></span></h2> <p><span><span><span>First of all, we need to clarify what isn’t changing with 5G, and the most important aspect of this is that the underlying physical infrastructure of the Internet will remain the same. In other words, 5G antennas will still need to be connected to the internet through fibre optics cables, which are typically run by internet service providers, which are interconnected with other ISPs and the broader Internet through more fibre optic cables.</span></span></span></p> <p><span><span><span>What does it mean? </span></span></span><span><span><span>In practice, whatever exploitation of our data governments or companies are currently capable of doing will remain possible, including communications surveillance, data retention, information sharing or traffic analysis, amongst many others exploitative techniques.</span></span></span></p> <p><span><span><span>On the security side, 5G protocols have upgraded standards to protect the communication between the devices and the antennas, bringing some improvements that should prevent the abuse of signalling protocols (necessary for roaming) or the deployment of IMSI catchers to gather metadata, bringing some needed improvements.</span></span></span></p> <p><span><span><span>But the story is not that simple, since new protocols like 5G will need to coexist with older ones, such as 4G, 3G or even 2G. Those protocols are still vulnerable, resulting in security risks for devices still operating on older networks. This happens either because of a downgrade attack, where devices are tricked into operating in older protocols, or because of the lack of availability of 5G networks, or finally, because some devices are actually designed to operate on older networks, like payment devices or industrial control systems.</span></span></span></p> <p><span><span><span>On top of that, there is another problem to consider: with 5G, most antennas will have </span><a href="https://www.businessinsider.com/5g-high-speed-internet-cellular-network-issues-switch-2019-4?r=US&amp;IR=T"><span>much shorter distance range</span></a><span>, meaning that pinpointing the geographic location of specific users within a mobile network will be </span><a href="https://www.fastcompany.com/90314058/5g-means-youll-have-to-say-goodbye-to-your-location-privacy"><span>much more precise</span></a><span>, adding significant privacy and security risks to users, particularly those already vulnerable.</span></span></span></p> <h2><span><span><span><span>Your device is out of control (and other security risks)</span></span></span></span></h2> <p><span><span><span><span>The adoption of 5G networks will likely generate risks on its own. Most of them are not exactly fault of the new protocol itself, but rather a consequence of the increased speed and lower latency that 5G affords. This will very likely lead to an expansion of connected devices, such as Internet of Things (IoT) devices, with many of them being directly connected to the network, without any intervention of the user.</span></span></span></span></p> <p><span><span><span><span>As has been well documented by researchers on the privacy and security risks of IoT, a widespread adoption of the Internet of Things under current regulatory frameworks, will likely come at a huge risk for consumers. That means that many devices will be connected by design and by default, without user intervention, like some cars are already today. One of many problems is that many devices will not have the same level of attention and level of technical support that a car manufacturer has, and the widespread adoption of devices connected without user intervention could lead to a security nightmare.</span></span></span></span></p> <p><span><span><span><span>In this security nightmare, we can envision an exponential increase of design flaws, from </span><a href="https://www.beyondtrust.com/blog/entry/hardcoded-and-embedded-credentials-are-an-it-security-hazard-heres-what-you-need-to-know"><span>hardcoded credentials</span></a><span><span><span>,</span></span></span><span> where some devices have a ‘master password’ that anybody can exploit (see: </span><a href="https://en.wikipedia.org/wiki/Mirai_(malware)"><span>Mirai</span></a><span>), to unpatched vulnerabilities that allows skilled attackers to control devices regardless how it is being configured (See: </span><a href="https://en.wikipedia.org/wiki/WannaCry_ransomware_attack"><span>Wannacry</span></a><span>). </span></span></span></span></p> <p><span><span><span><span>All of this would happen with us not being able to control our devices, disconnect them from a wi-fi network, and not even the option to install a firewall to protect them, since the device will be directly connected to the internet.</span></span></span></span></p> <h2><span><span><span>A dream come true for corporate exploitation</span></span></span></h2> <p><span><span><span>On top of all the security risks, another huge issue derived from having connected-by-default devices is the issue of not being in control of them. There is the risk that always-connected devices could translate into powerless users, putting us in risk of abuse.</span></span></span></p> <p><span><span><span>One of the problems has to do with increasing the indiscriminate data collection and transmission that is currently taking place. The ability to have everything directly connected without connection density issues, could lead device manufacturers into negotiating the connectivity of their devices directly with mobile providers, and people would lose even more control over whether their devices are connected and <a href="https://www.cnet.com/news/google-calls-nests-hidden-microphone-an-error/">what they can do</a>.</span></span></span></p> <p><span><span><span>But losing control of devices could also happen in a very literal way: devices will work (or not) outside of the control of a given user. A house appliance we buy using credit instalments, might decide not to work unless we are up to date with its instalments. 5G could be the gateway for new and dystopic future in which the meaning of property has radically changed, leading to an era where we don’t really own our devices, but instead possess a device that works as a service.</span></span></span></p> <p><span><span><span>5G can also make power abuse even worst, with devices controlled by people outside the household, including </span><a href="https://www.ucl.ac.uk/steapp/steapp-news-publication/2018/iot-and-gender-violence"><span>gender and domestic violence</span></a><span> and users - and victims! - not being allowed to disconnect those devices, or maybe not even aware of their existence, since they could be easily be concealed </span></span></span>and remain connected, sending data to somebody else.</p> <h2><span><span><span>Wait... there's more!</span></span></span></h2> <p><span><span><span>Even though it isn't necessarily a privacy or security issues by itself, we need to make clear that 5G might not be able to fulfill the promise for more connectivity. As mentioned before, antennas will have shorter reach, so its main use-case is not to increase connectivity in rural areas that are in need of Internet access: 5G is rather designed for densely populated cities. As a result, rural areas will remain underserved, and probably will still be operating under current 3G-4G protocols, which will remain vulnerable to known attacks.</span></span></span></p> <p><span><span><span>In addition to that, mobile communications do need spectrum to work, which is a limited resource, and each part of the spectrum has different abilities, so every time a new mobile generation is implemented, there is the need to assign that spectrum, which require solid public policies to guarantee a fair distribution of that resource, keeping in mind its impact on community owned networks and even the ability to do reliable </span><a href="https://www.theguardian.com/world/2019/may/04/5g-mobile-networks-threat-to-world-weather-forecasting"><span>weather forecasting</span></a><span>.</span></span></span></p> <p><span><span><span>At Privacy International, we have also compiled a <a href="https://staging.privacyinternational.org/examples?field_type_of_abuse_target_id_4%5B%5D=318">list of examples of abuse related to the Internet of Things</a>. Many of those examples should be of use to demonstrate its risks and how much worse they can become when users have even less control over those devices.</span></span></span></p> <h2><span><span><span>Is there a way forward? (Spoiler: maybe)</span></span></span></h2> <p><span><span><span>In general, the debate around the risks of new communication protocols would be way more productive if we started by focusing more on the actual risks for users and less around geopolitical speculation around countries and companies. </span></span></span></p> <p><span><span><span>In any case, there are some valid concerns about countries with a dubious human rights record taking over the deployment of new protocols. And we are not only talking about China, likely the biggest offender, but also about the </span><a href="https://www.infoworld.com/article/2608141/snowden--the-nsa-planted-backdoors-in-cisco-products.html?page=2"><span>United States</span></a><span><span><span> as well as </span></span></span><span>other countries and companies. In an ideal world, tech companies would be transparent about their governance and practices (ahem, </span><a href="https://www.scmp.com/comment/insight-opinion/article/3011179/win-us-credibility-huawei-needs-be-transparent-and-show-it"><span>Huawei</span></a><span>), and governments should allow and encourage the use of secure communications protocols, including the use of solid encryption standards.</span></span></span></p> <p><span><span><span>But the truth is that poorly designed protocols and software are as risky for users as hypothetical ‘super-secret cyber backdoors’ installed by governments or their companies. And whilst finding those backdoors is like finding a needle in a haystack, implementing measures that empower users and people, especially those at risk, can be a more sensible approach and benefit us all.</span></span></span></p> <p><span><span><span>We also need to keep in mind that despite the focus of this article, many of the risks derived from 5G are not necessarily because the protocols are at fault, but because they need to coexist in a complex ecosystem with multiple fabricants, vendors, governments and users.</span></span></span></p> <p><span><span><span>How to move forward, then? Here are some suggestions:</span></span></span></p> <p><span><span><strong><span>For corporations:</span></strong></span></span></p> <ul><li>Implement a holistic approach to digital security, considering the protection of people, devices and networks.</li> <li><span><span><span>Improve corporate transparency and human rights due diligence in the assessment and adoption of new communication protocols.</span></span></span></li> <li><span><span><span>Conduct privacy and security assessments according to the highest possible standards, minimising the data they collect and retain, and testing their security measures before the launch of their products, monitoring them through their lifecycle.</span></span></span></li> <li><span><span><span>Give users enough information and control over how their devices work, including indicators and interface elements that allow them to know and control their connection status, without regard as to where the devices operate.</span></span></span></li> </ul><p><span><span><strong><span>For governments and policy making bodies:</span></strong></span></span></p> <ul><li>The focus on 5G should start from privacy and security considerations, and national security debates should be conducted from a human rights perspective and based in available evidence and risk assessments.</li> <li><span><span><span>Data Protection Authorities should issue guidelines and conduct investigations on the functionality of connected devices and their data processing activities.</span></span></span></li> <li>Cybersecurity bodies should support the adoption of strong security standards for always-connected devices, and abstain from recommending any measure that could weaken it, such as the establishment of legal requirements for government access or mandated backdoors.</li> <li>Review digital privacy legislation, including provisions that guarantee the security and confidentiality by design and by default of machine-to-machine communications.</li> <li>In case there is any, removing legal and policy barriers for security research, such as cybercrime laws that criminalise ethical hacking.</li> <li><span><span><span>Consumer Authorities should issue guidelines and conduct investigations on the functionality of connected devices, and its potential harms on consumers.</span></span></span></li> <li><span><span><span>Telecommunications regulators should conduct oversight over how companies are providing connectivity to IoT producers, in order to guarantee that minimum standards are in place and that end users have control over their devices.</span></span></span></li> <li>Given its improved accuracy, the sale of location data should be banned, and its access by law enforcement bodies should be restricted solely to judicial authorisation.</li> </ul></div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/connected-cars" hreflang="en">Connected Cars</a></div> <div class="field__item"><a href="/topics/cyber-security" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> <div class="field__item"><a href="/topics/interception-communications" hreflang="en">Interception of Communications</a></div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/protect-people-and-communities-online" hreflang="en">Protect People and Communities Online</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-above"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><a href="/target/industry" hreflang="en">Industry</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/security-should-protect-people-not-exploit-them" hreflang="en">Security should protect people, not exploit them</a></div> </div> </div> <div class="field field--name-field-audience-and-purpose field--type-entity-reference field--label-above"> <div class="field__label">Audiences and Purpose</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/625" hreflang="en">Generalised audience problem articulation</a></div> <div class="field__item"><a href="/taxonomy/term/627" hreflang="en">Informing the concerned</a></div> </div> </div> Tue, 23 Jul 2019 19:24:30 +0000 staff 3100 at http://privacyinternational.org Part 1: how anti-abortion activism is exploiting data http://privacyinternational.org/long-read/3096/part-1-how-anti-abortion-activism-exploiting-data <span class="field field--name-title field--type-string field--label-hidden">Part 1: how anti-abortion activism is exploiting data</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">tech-admin</span></span> <span class="field field--name-created field--type-created field--label-hidden">Monday, July 22, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>Photo by <a href="https://unsplash.com/@bigkids?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">David Werbrouck</a> on <a href="https://unsplash.com/">Unsplash</a></em></p> <p> </p> <p><span><span><em>This is an ongoing series about the ways in which those searching for abortion information and procedures are being traced and tracked online. This work is part of a broader programme of work aimed at </em><a href="https://privacyinternational.org/strategic-areas/safeguarding-peoples-dignity"><em>safeguarding the dignity of people</em></a><em> by challenging current power dynamics, and redefining our relationship with governments, companies, and within our own communities. As an enabling right, privacy plays an important role in supporting the exercise of reproductive rights as </em><a href="https://www.ohchr.org/Documents/Publications/NHRIHandbook.pdf"><em>recognised</em></a><em> in international human rights law.</em></span></span></p> <p> </p> <h3><span><span>Intrusive data collection software and digital marketing systems are being developed and promulgated around the world by powerful and politically connected <a href="https://twitter.com/gavinsblog/status/990582509162418176">US-based</a> anti-abortion organisations. </span></span></h3> <p><span><span>As anti-abortion organisations wake up to the utility of personal data to tailor and target messages online, data-intensive technologies and tools are being specifically developed for crisis pregnancy centres – which reportedly sometimes <a href="https://www.huffingtonpost.co.uk/entry/crisis-pregancy-centers-supreme-court_n_5a09f40ae4b0bc648a0d13a2?guccounter=1&amp;guce_referrer=aHR0cHM6Ly9jb25zZW50LnlhaG9vLmNvbS8&amp;guce_referrer_sig=AQAAAH1adad1LR9ZOIdnAoGKFMFwyRWZl93RF7OPspdlMzIydLj63-EPzNAxr2imx0fswpG5qUEOmMSJCjfJ2ndHvcieAP1b1lmEisgi2UrXu_WPs-DSouu6IKfH8O6DtgzEPEym1pXNiUcpIN83icmMMSLOgYu1OrLNpPMQZdk_o7yk">masquerade</a> as licensed medical facilities and which have been criticised for providing those seeking medical help with <a href="https://www.telegraph.co.uk/women/womens-health/10622816/Abortion-scandal-abortions-increase-breast-cancer-risk-claims-counsellor.html">false</a> and <a href="https://rewire.news/article/2017/12/08/google-removes-misleading-anti-choice-fake-clinic-ads/">misleading</a> information. </span></span></p> <p><span><span>There have been a number of recent examples of data being used to target people seeking information about abortion online – through <a href="https://foreignpolicy.com/2018/06/01/abortion-referendum-how-ireland-resisted-bad-behaviour-online/">advertising</a>, <a href="https://www.maltatoday.com.mt/news/national/95506/antiabortion_groups_using_deception_and_intimidation_tactics_prochoice_coalition_warns?fbclid=IwAR23xTJEVkCsjoPAZFfKUbMutxK45GO23TOqBpKzRZkC4j9-qFiu2YZDil0#.XSiT45NKhxh">misleading information</a>, and <a href="https://www.thetimes.co.uk/article/fake-abortion-website-faces-legal-action-kmbmrl8f0">misleading</a> websites. In this context, as more and more data is collected by and made available to anti-abortion organisations, understanding how they and their political allies are aiming to use this information is crucial. </span></span></p> <p><span><span>Heartbeat International is an international anti-abortion organisation that is <a href="https://www.nextlevelcms.com/about-us">particularly focused</a> on using data to understand the needs and trends of anti-abortion centres. The organisation <a href="https://www.nextlevelcms.com/about-us">powers</a> a data-intensive content management system that was developed <a href="https://www.nextlevelcms.com/better-together">specifically</a> to remove data silos between anti-abortion centres globally. </span></span></p> <p> </p> <blockquote> <p><span><span><em>“While in Washington, Heartbeat was invited to attend an intimate Pro-Life Advocate roundtable with Vice President Mike Pence. Sitting next to the Vice President of the United States of America, Heartbeat President Jor-El Godsey had the opportunity to share the… life-changing work of pregnancy help organisations.” </em></span></span></p> <p><span><span>This quote was featured in <a href="https://www.heartbeatinternational.org/images/AR18.pdf">Heartbeat International’s 2018 annual report</a><span><span>. </span></span><span><span><span><span><span>It illustrates Heartbeat’s close proximity to US political power.</span></span></span></span></span> Such political allies may limit the likelihood that the development and use of data-intensive systems by centres will be regulated or challenged.</span></span></p> </blockquote> <p> </p> <p><span><span>The ability to exercise reproductive rights, as recognised in international human rights law, depends in part on the political will of those in power in a particular country. As an enabling right, privacy plays an important role in supporting the exercise of reproductive rights. In countries where there is opposition to reproductive rights as well as limited data privacy laws, there is a significant risk of people’s data being exploited in an attempt to restrain reproductive rights.  </span></span></p> <p> </p> <h2> </h2> <h2><span><span><em>Heartbeat International</em></span></span></h2> <blockquote> <p><span><span><em>“We believe we’re better together, and so is our data. Knowing the real-time trends of the larger life-affirming community is a crucial, yet untapped gateway to breakthrough success on the local level—until now, that is.”</em></span></span></p> <p><span><span><a href="https://www.heartbeatservices.org/services-home">Source: Heartbeat International website</a></span></span></p> </blockquote> <p> </p> <p><span><span>Heartbeat International is an important player in the global anti-abortion scene. <a href="https://www.heartbeatservices.org/services-home">Self-described</a> as “the largest worldwide network of pregnancy help organizations”, Heartbeat International runs a network of “over 2,700 affiliated pregnancy help organizations worldwide and affiliated pregnancy help organizations in more than 60 countries” – it says it <a href="https://www.heartbeatservices.org/international/international-affiliates">has</a> “700 affiliate locations outside the US”. </span></span></p> <p><span><span>Becoming a an affiliate <a href="https://www.heartbeatservices.org/about-us/why-affiliate/benefits">provides</a> discounted access to Heartbeat’s anti-abortion web design and digital marketing service, Extend Web Services, as well as its helpline, Option Line. Heartbeat <a href="https://www.heartbeatservices.org/services-home/">markets</a> to its network of affiliates its content management system called Next Level, which “harnesses the power of big data” and gives anti-abortion centres “the ability to enter and access information anywhere at any time”.</span></span></p> <p><span><span>Heartbeat also offers its training courses at a discount to its affiliates, which <a href="https://www.heartbeatservices.org/resources/resources-by-topic/networking/8-steps-for-advancing-your-social-media-strategy">include</a> courses such as “<a href="https://www.heartbeatservices.org/resources/resources-by-topic/networking/8-steps-for-advancing-your-social-media-strategy">8 steps for advancing your social media strategy</a>”, “<a href="https://www.heartbeatservices.org/resources/store/hb-conference-recordings/2019-conference-recordings/7-keys-to-google-ad-grants">7 keys to Google Ad Grants</a>”, “<a href="https://www.heartbeatinternational.org/resources/resources-by-topic/networking/search-engine-marketing-101">search engine marketing 101</a>”, and “<a href="https://www.heartbeatinternational.org/resources/store/heartbeat-academy/online-marketing-the-good-the-bad-the-ugly">online marketing</a>”.</span></span></p> <p> </p> <h2><span><span><em>Extend Web Services</em></span></span></h2> <blockquote> <p><span><span><em>“She’s looking online. Be there for her.” </em></span></span></p> <p><span><span>This is the message displayed on the homepage of Extend Web Services’ website, promoted by Heartbeat International, which builds campaign tools and websites for anti-choice pregnancy centres.</span></span></p> <p> </p> </blockquote> <p><span><span>In some cases, those searching for abortion information or procedures are in desperate circumstances. Heartbeat International-supported Extend Web Services, is developing websites that attract “<a href="https://extendwebservices.com/about">abortion-minded</a>” people, make them “<a href="https://extendwebservices.com/about">feel comfortable</a>”, and “<a href="https://extendwebservices.com/services/websites">effectively reach women in crisis online</a>”. This can become problematic when a person searching for abortion information online is targeted with misleading information. For <a href="https://rewire.news/article/2017/12/08/google-removes-misleading-anti-choice-fake-clinic-ads/">example</a>, a person may be delayed in obtaining abortion care if they see an ad for what they think is a medical clinic but is in reality a crisis pregnancy centre.</span></span></p> <p><span><span>Extend Web Services was developed to provide anti-abortion crisis pregnancy centres and other related organisations with websites, campaign optimisation tools, local search tools, and design services. The company’s mission in part <a href="https://extendwebservices.com/about">states</a>: <em>“We are experts at making sure your website is attracting the abortion-minded client and representing your center in a way that will make your clients feel comfortable with the service they will receive.”</em></span></span></p> <p><span><span>The services of Extend are being used by a variety (for example <a href="https://nlpregnancy.org/">here</a>, <a href="https://www.embarazoayuda.org/ser-informado/educacion-sobre-el-aborto">here</a>, <a href="https://www.carenetpcc.org/be-informed/abortion-information">here</a>, <a href="https://natlhousingcoalition.org/">here</a>, <a href="https://www.apcbrevard.com/">here</a>, <a href="https://www.aaapregnancyoptions.org/about-us/who-we-are">here</a>, <a href="https://www.jdwcenter.org/contact">here</a>) of anti-choice  pregnancy centres inside the US and globally, such as <a href="https://www.lifelinemalta.eu/contact-us">in Malta</a>, where abortion remains illegal. </span></span></p> <p><span><span>Extend’s out-of-the-box website templates suggest guarded anti-abortion language for the website homepage, navigation, and elsewhere. In a response to a request to comment from  PI, an Extend representative told PI [emphasis added] that the company restricts the ability for their clients to change the language used on “<strong>5 medical pages</strong>” which are “provided and managed by Extend Web Services/Heartbeat International”. These pages, the representative told PI, include: “<strong>Abortion Information/Education”, “Abortion Recovery”, “Sexual Health”, “Pregnancy”, and “Emergency Contraception</strong>”. The representative further told PI “<em><span><strong>All other pages of the website are able to be fully customized by the client in terms of content, imagery, etc. They are able to request one of the 5 pages listed above to be completely removed from the site if they don't like the content. They can provide their own content to fully replace one of those pages as well - they just aren't allowed to edit the content on those pages that we provided.</strong>”</span></em></span></span></p> <p><span><span><span>The closeness of Extend’s relationship to Heartbeat International, which isn’t immediately made clear on their respective websites, is confirmed in the above exchange.</span></span></span></p> <p><span><span>Extend also <a href="https://extendwebservices.com/services/pay-per-click">offers</a> assistance to anti-abortion centres for obtaining Google’s AdWords Grant for Non-Profits. Earlier in 2019 it was <a href="https://www.theguardian.com/technology/2019/may/12/google-advertising-abortion-obria">reported</a> that another anti-choice network had been given $150,000 worth of free ads by Google. Google has been <a href="https://www.theguardian.com/technology/2019/may/12/google-advertising-abortion-obria">criticised</a> for allowing anti-choice organisations to run misleading advertisements, in violation of Google’s policies.</span></span></p> <p><span><span>Extend’s website design and other tools show a learned understanding of how to communicate to those seeking abortion information online. The increased collection of data from those working at crisis pregnancy centres about people seeking abortion information or procedures could be incredibly valuable to companies like Extend, in honing their targeting techniques and templates online.</span></span></p> <p> </p> <h2><span><span><em>Option Line</em></span></span></h2> <p><span><span>Option Line is a <a href="https://optionline.org/">website</a>, chat service, and call line that was developed by Heartbeat International for deployment on anti-abortion websites. Extend Web Services <a href="https://extendwebservices.com/services/websites">includes</a> Option Line’s chat service, which uses LiveChat software to operate, on the website packages they provide by default and it is visible on many of the anti-choice websites provided to centres by Extend.</span></span></p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-hidden field__items"> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/1.png" width="616" height="960" alt="Image source: Extend Web Services website" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><em><span><span>Source: Extend Web Services <a href="https://extendwebservices.com/services/websites">website</a></span></span></em></p> <p> </p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Picture2.png" width="1085" height="287" alt="Source: screenshots from two crisis pregnancy centre websites." typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><em><span><span>Source: screenshots from two crisis pregnancy centre websites.</span></span></em></p> <p> </p> <p><span><span>Prior to beginning a chat, the Option Line chat interface requires visitors to enter their name, demographic information, location information, as well as if someone is considering an abortion. Only after submitting this personal information does the chat begin. It is unclear where the data submitted prior to the chat beginning, as well as the data generated during the chat ends up, and who has access to it. When this was raised by PI a representative from Extend responded [emphasis added] “<em><span><strong>All information is safe and secure within Heartbeat International and only Heartbeat International has access to this information</strong>” </span></em><span>but it is still not clear who specifically at Heartbeat has access to this data, if this also includes Heartbeat subsidiary programmes such as Next Level Content Management System, how the data is used, stored, and for how long.</span></span></span></p> <p><span><span>This data has the potential to include medical and health data, which is subject to heightened privacy laws in the US and the EU, as well as other countries around the world. Option Line’s <a href="https://optionline.org/terms-of-use/">terms of use</a> state that “all remarks” sent through the website – other than information directly requested – can be used by Option Line “for any and all purposes” that it believes “to be appropriate to the mission and vision of Option Line”. </span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Picture3.png" width="947" height="641" alt="Image source: Option Line website" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><em><span><span>Source: Option Line <a href="https://extendwebservices.com/services/websites">website</a></span></span></em></p> <p> </p> <p><span><span>While it is unclear how the data is used, and by whom, what is said in the chat could be very valuable to Heartbeat and its affiliate anti-choice organisations. For example, representatives from local anti-abortion clinics could be told of the name of someone who is “abortion-minded”, and attempt to reach them by other <a href="https://www.maltatoday.com.mt/news/national/95506/antiabortion_groups_using_deception_and_intimidation_tactics_prochoice_coalition_warns?fbclid=IwAR23xTJEVkCsjoPAZFfKUbMutxK45GO23TOqBpKzRZkC4j9-qFiu2YZDil0#.XSiT45NKhxh">methods</a>.</span></span></p> <p> </p> <blockquote> <p><span><span><em>“The data your organisation collects needs to work not just for you, but for the rest of the pregnancy help movement.” Source: </em><a href="https://www.nextlevelcms.com/better-together"><em>Next Level website</em></a></span></span></p> </blockquote> <p> </p> <h2><span><span><em>Next Level Content Management Solution </em></span></span></h2> <p><span><span>It may not be clear to those visiting crisis pregnancy centres how the health and medical information collected from them will be used and shared. Especially for those desperate for medical help, those in areas with a limited number of abortion clinics, or those visiting a clinic where their first language is not spoken, people are likely to provide whatever information is asked of them during a visit without question.</span></span></p> <p><span><span>In 2017, Heartbeat International <a href="https://pregnancyhelpnews.com/next-level">unveiled</a> the Next Level Content Management Solution (CMS). The system appears to unify what questions people are asked when seeking a centre’s help, and to centralise the information that visitors to anti-abortion centres are asked to provide during their visit. The types of information that is collected, which is visible in a promotional video on Next Level’s website, <a href="https://www.nextlevelcms.com/">includes</a> name, address, email address, ethnicity, marital status, living arrangement, education, income source, alcohol, cigarette, and drug intake, medications and medical history, sexual transmitted disease history, name of the referring person/organisation, pregnancy symptoms, pregnancy history, medical testing information, and eventually even ultrasound photos.</span></span></p> <p><span><span>Next Level <a href="https://www.heartbeatinternational.org/next-level-supporter">market</a><span><span>s</span></span> the software as a system that “[m]akes seamless data collection possible for pregnancy centres”. They say that it “allows information to move from the receptionist to the client, from the client to the coach or mentor, and from the mentor to the nurse’s office”, and visualise the system as data streams flowing from individual pregnancy centres to a centralised cloud.</span></span></p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Picture4.png" width="947" height="664" alt="Image source: Next Level website" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><em><span><span>Source: Next Level <a href="https://www.nextlevelcms.com/better-together">website</a></span></span></em></p> <p> </p> <p><span><span>Next Level’s privacy policy <a href="https://www.nextlevelcms.com/privacy-policy.pdf">states</a> that the company “may share such information with Next Level affiliates, partners, vendors, or contract organizations, or as legally necessary”, but provides no further information about how people’s personal information is shared or analysed within Heartbeat’s network of 2,700 affiliate organisations and partners, or outside of this network.</span></span></p> <p><span><span>It’s also unclear to what degree Next Level personnel have access to centre client information. The company’s FAQ <a href="https://www.nextlevelcms.com/faq">state</a><span><span>s</span></span> that the company does have administrator-level access to client information but that “[a]ccess is granted only to a limited number of Next Level personnel as is necessary to perform the functions of the Next Level Software”. It provides no clarity as to what “a limited number” means or what it considered “necessary to perform the functions”.</span></span></p> <p><span><span>In an email to PI, Heartbeat President Jor-El Godsey said [emphasis added] that “<strong><em>All data of a personal identifying nature captured by Heartbeat International and its subsidiary programs is protected and kept confidential as a matter of our continuing </em><a href="https://www.heartbeatservices.org/about-us/commitment-of-care"><em>commitment</em></a></strong><em><strong> to confidentiality in accordance with applicable laws of the U.S. and relevant nations. To improve our services and understand the changing needs of those we seek to serve Heartbeat uses only aggregated and de-identified information to formulate and analyze trends.</strong>”</em></span></span></p> <p><span><span>It is unclear what Heartbeat’s subsidiary programmes are – these could include Next Level, Extend, and Option Line – as well as what they have access to. In 2018 Heartbeat <a href="https://www.heartbeatinternational.org/images/AR18.pdf">reported</a> that its affiliates had served 1.5 million clients. It’s also unclear how and who “de-identifies” information provided to Heartbeat, and at what point such de-identification occurs. Next Level, as a part of Heartbeat International, may have access to vast amounts of identifiable information and therefore understanding how such de-identification occurs in crucial.</span></span></p> <p><span><span>In addition to the content management system, Next Level also provides centres with a mobile phone application, which gives them access to client information outside the office – specifically <a href="https://www.nextlevelcms.com/overview">saying</a> “Because God often leads you to do “pro-life work” when we’re away from the office, you need a tool that travels with you. Next Level’s native mobility turns an on-the-fly conversation into an open client file, to help you follow up on these divine, “unexpected” appointments”.</span></span></p> <p><span><span>Next Level also provides a client-side version of the app, that <a href="https://www.nextlevelcms.com/">allows</a> clients to “set and change appointments, look at ultrasounds pictures” and also “click in or text her mentor, and talk to someone at Option Line very quickly”. The Next Level website uses similar language to promote the client app, <a href="https://www.nextlevelcms.com/overview">saying </a>“send her home with an app that includes everything from her ultrasound image and baby’s heartbeat to her proof of pregnancy, and vitally connects her to your organization moving forward”.</span></span></p> <p><span><span>PI was unable to test what information is generated by the Next Level mobile application, which requires a centre-given username and password. </span></span></p> <p><span><span>Phone apps are <a href="https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report">notorious</a>, however, for collecting data about users’ activity that most people would not expect. App permissions can reveal information about a user’s <a href="https://www.theguardian.com/technology/2019/jan/04/weather-channel-app-lawsuit-location-data-selling">live location,</a> <a href="https://www.wired.com/story/app-permissions/">access to photos,</a> <a href="https://www.wired.com/story/app-permissions/">contacts</a>, and <a href="https://www.wsj.com/graphics/how-pizza-night-can-cost-more-in-data-than-dollars/">much more</a>. </span></span></p> <p><span><span>Included on the Next Level intake form shown in the promotional video is an “authorisation to release records” disclaimer which states: “In signing this release, I waive any privilege or confidentiality rights that I may have with respect to the specific disclosure authorised herein. I also agree to release Heartbeat International from any and all liability relating to any disclosure made in accordance with this authorisation”.</span></span></p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Picture5.png" width="947" height="597" alt="Source: Screen grab from video available on Next Level’s website shows authorisation to release records field." typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><em><span><span>Source: Screen grab from video available on Next Level’s <a href="https://www.nextlevelcms.com/">website</a> shows authorisation to release records field.</span></span></em></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Picture6.png" width="947" height="597" alt="Source: Screen grab from video available on Next Level’s website shows collection of whether a person is “abortion-minded”." typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><em><span><span>Source: Screen grab from video available on Next Level’s <a href="https://www.nextlevelcms.com/">website</a> shows collection of whether a person is “abortion-minded”.</span></span></em></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Picture7.png" width="947" height="597" alt="Source: Screen grab from video available on Next Level’s website shows other data collected – including “Living Arrangements”." typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><em><span><span>Source: Screen grab from video available on Next Level’s <a href="https://www.nextlevelcms.com/">website</a> shows other data collected – including “Living Arrangements”.</span></span></em></p> <p> </p> <p><span><span>In an email to PI, Heartbeat Director Jor-El Godsey concluded [emphases added], <em>“</em><em><span><strong>Actually, our primary focus is to support and promote alternatives to abortion. It is in service to that effort that data becomes a tool, among others, to help strengthen our services and nurture our network of affiliated locations.</strong>”</span></em></span></span></p> <p> </p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><h2><span><span><em>Looking forward</em></span></span></h2> <p><span><span>Privacy harms are a time-shifted risk. What at one point in our life may seem to be acceptable and harmless information we’re asked to provide, may in the future be used against us in ways we cannot expect or prepare for. It is unclear how information collected from those visiting crisis pregnancy centres is combined, analysed, and shared with other centres, organisations, and networks. People visiting crisis pregnancy centres – intentionally or not – are left unaware of how their personal information is being accessed, analysed, stored, and shared. As people continue their lives after visiting a centre, it remains unclear how the information they provided during their visit will continue to exist and be used.</span></span></p> <p><span><span>Our online-activity – increasingly blurred with our offline-activity – is being <a href="https://privacyinternational.org/long-read/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found">tracked</a> by companies, advertisers, and others, who aim to collect information about our thoughts, fears, desires, and insecurities, and <a href="https://privacyinternational.org/explainer-graphic/2428/have-you-heard-these-companies-because-theyve-likely-heard-you">use these drivers to profile and target us</a>. Some of these companies are already using GPS locations to target advertisements at “abortion-minded women” based on <a href="https://rewire.news/article/2016/05/25/anti-choice-groups-deploy-smartphone-surveillance-target-abortion-minded-women-clinic-visits/">their proximity</a> to abortion clinics. Companies are tailoring online ads to <a href="https://foreignpolicy.com/2018/06/01/abortion-referendum-how-ireland-resisted-bad-behaviour-online/">influence</a> abortion legislation. It is being reported that anti-abortion organisations are pushing <a href="https://www.maltatoday.com.mt/news/national/95506/antiabortion_groups_using_deception_and_intimidation_tactics_prochoice_coalition_warns?fbclid=IwAR23xTJEVkCsjoPAZFfKUbMutxK45GO23TOqBpKzRZkC4j9-qFiu2YZDil0#.XSiT45NKhxh">misinformation</a> through advertising platforms. </span></span></p> <p><span><span>Organisations like Heartbeat International recognise the importance of out-of-the-box anti-abortion websites and templates. They also appear to understand the power of collecting and centralising data. Extend Web Services, Heartbeat, Next Level, and Option Line’s privacy policies and terms of use remain vague in detail as to the extent to which data collected from individual Heartbeat affiliate crisis pregnancy centres is shared within or external to the larger network. This data could be highly valuable in understanding what messaging and which tactics are most effective to furthering Heartbeat’s mission – as well as shaping the larger movement’s political direction.</span></span></p> <p><span><span>The near total lack of transparency around how data is being used and shared by anti-abortion networks such as Heartbeat International is troubling. Such data could be used in ways that those who provide it may not have anticipated or approve of, including to potentially undermine their reproductive rights. Privacy and strong data protection are therefore crucial, in many ways, to ensuring people are able to exercise their reproductive rights. It is important that light continues to shine on the technologies being developed to trace and track those seeking medical help online.</span></span></p></div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> <div class="field__item"><a href="/topics/gender" hreflang="en">Gender</a></div> <div class="field__item"><a href="/topics/health-data" hreflang="en">Health Data</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/free-choose" hreflang="en">Free to Choose?</a></div> </div> </div> Mon, 22 Jul 2019 17:39:14 +0000 tech-admin 3096 at http://privacyinternational.org