Privacy International http://privacyinternational.org/rss.xml en Bulk surveillance is unlawful, says the High Court of South Africa http://privacyinternational.org/news-analysis/3212/bulk-surveillance-unlawful-says-high-court-south-africa <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><span>Today, the High Court of South Africa in Pretoria in <a href="https://amabhungane.org/wp-content/uploads/2019/09/Judgment-AMABHUNGANE-v-MIN-JUSTICE-OTH.pdf">a historic decision</a> declared that bulk interception</span><span> by the South African National Communications Centre</span><span> </span><span>is</span><span> unlawful and invalid.</span></p> <p><span>The judgment is a powerful rejection of years of secret and unchecked surveillance by South African authorities against millions of people - irrespective of whether they reside in South Africa.</span></p> <p><span>The case was brought by two applicants, the amaBhungane Centre for Investigative Journalism and journalist Stephen Patrick Sole, after learning that state spies had been recording journalist Sam Sole’s phone communications for (at least) six months in 2008. The applicants <a href="https://privacyinternational.org/legal-action/amabhungane-and-sole-case-south-africa">challenged</a></span><span> the constitutionality of certain sections of the regulatory framework of South Africa. Specifically, they argued that the Regulation of Interception of Communications Act of 2002 (RICA) and the National Strategic Intelligence </span><span>A</span><span>ct 39 of 1994 (NSIA) violate the right to privacy and the Court should therefore declare them unconstitutional. Privacy International together with the Right2Know <a href="https://privacyinternational.org/legal-action/amabhungane-and-sole-case-south-africa">intervened to the case as </a></span><a href="https://privacyinternational.org/legal-action/amabhungane-and-sole-case-south-africa"><span><em>friends of the court</em></span></a><span>.</span></p> <p><span>Six years ago</span><span>,</span><span> Edward Snowden revealed mass surveillance program</span><span>me</span><span>s in the US and the UK, among other states. Governments' refusal to avow these program</span><span>me</span><span>s beg</span><span>a</span><span>n to crumble then. But</span><span>, <a href="https://privacyinternational.org/long-read/3164/two-states-admit-bulk-interception-practices-why-does-it-matter">as we already highlighted in anticipation of this decision</a></span><span>,</span><span> it still takes significant amount of pressure to shed a light on these practices</span><span>, including taking </span><span>governments to court.</span></p> <p><span>The rule of law prevailed today. The High Court concluded that such intrusive powers could not be read into other provisions or be construed as implied by the law. </span><span>Such powers must be explicitly stated in law so they can be considered and debated. </span><span>The Court was </span><span>not persuaded</span><span> by </span><span>the </span><span>South African intelligence authorities</span><span>'</span><span> plea that other states have similar practices. It stated </span></p> <blockquote> <p><span>Our Law demands such clarity, especially when the claimed power is so demonstrably at odds with the Constitutional norm that guarantees privacy.</span></p> </blockquote> <p><span>The High Court also refuted any claims that </span><span>South African bulk </span><span>interception concerned only communications coming from outside South Africa. </span></p> <blockquote> <p><span>It is common cause that this form of monitoring would also capture communications between two South Africans, both of whom are in South Africa, if the signal passes through a server located outside South Africa.</span></p> </blockquote> <p><span>It was not necessary for the Court to decide whether a law permitting bulk interception would be constitutionally compliant, as it concluded that there was no such law to begin with. However, the Court made it clear that it would not automatically accept</span><span> the consitutionality of</span><span> any such law</span><span>, declaring that the need for clarity was especially acute "when the claimed power is so demonstrably at odds with the Consitutional norm that guarantees privacy."</span></p> <p><span>Beyond the bulk interception practices, the High Court sided with the applicants </span><span>o</span><span>n all six counts. The High Court concluded that "in several respects RICA is deficient in meeting the threshold required by section 36 of the Constitution to justify the subtraction of the rights" protected by the Constitution, including the right to privacy. </span><span>It continued, </span><span>"</span><span>[l]</span><span>ess restrictive means than those in force are feasible and ought to be enacted." </span></p> <p><span>Specifically, the Court declared that RICA 1) did not provide a notification procedure for subjects of interception; 2) did not ensure </span><span>sufficient judicial independence for authorising authorities</span><span>; 3) failed to provide appropriate safeguards when an order was granted </span><span><em>ex parte</em></span><span>; 4) lacked appropriate procedures to be followed when state officials examine, copy, share, sort through, use, destroy and/store data obtained from interceptions; and finally, 5) failed to prescribe special procedures for cases when the subject of surveillance was either a practicing lawyer or a journalist.</span></p> <p><span>In short, t</span><span>oday the South African High Court found that secret, unregulated mass surveillance is unlawful. </span></p> <p><span>In Europe, we are still waiting for the Grand Chamber of the European Court of Human Rights to pronounce <a href="https://privacyinternational.org/legal-action/10-human-rights-organisations-v-united-kingdom">on the legality of </a></span><a href="https://privacyinternational.org/legal-action/10-human-rights-organisations-v-united-kingdom"><span>bulk</span></a><span><a href="https://privacyinternational.org/legal-action/10-human-rights-organisations-v-united-kingdom"> interception in the United Kingdom</a></span><span> and for the European Court of Justice to respond to <a href="https://privacyinternational.org/legal-action/cjeu-bulk-challenge">three cases challenging </a></span><a href="https://privacyinternational.org/legal-action/cjeu-bulk-challenge"><span>bulk </span><span>data retention</span><span> and collection</span></a><span>.</span></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/Screenshot%202019-09-16%20at%2016.37.53.png" width="897" height="507" alt="screenshot of decision" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/Screenshot%202019-09-16%20at%2016.37.53_0.png" width="897" height="507" alt="screenshot of decision" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/Screenshot%202019-09-16%20at%2016.37.53_1.png" width="897" height="507" alt="screenshot of decision" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/investigate-surveillance-powers-and-industry-sustaining-them" hreflang="en">Investigate Surveillance Powers and the Industry Sustaining Them</a></div> <div class="field__item"><a href="/what-we-do/modernise-rule-law-and-strengthen-surveillance-safeguards" hreflang="en">Modernise the Rule of Law and Strengthen Surveillance Safeguards</a></div> <div class="field__item"><a href="/what-we-do/fight-data-retention-law" hreflang="en">Fight Data Retention Law</a></div> <div class="field__item"><a href="/our-interventions/protecting-civic-spaces" hreflang="en">Protecting Civic Spaces</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/communications-surveillance" hreflang="en">Communications Surveillance</a></div> <div class="field__item"><a href="/topics/interception-communications" hreflang="en">Interception of Communications</a></div> <div class="field__item"><a href="/topics/mass-surveillance" hreflang="en">Mass Surveillance</a></div> </div> </div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/south-africa" hreflang="en">South Africa</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> </div> </div> <div class="field field--name-field-resource-type field--type-entity-reference field--label-above"> <div class="field__label">Web Resource</div> <div class="field__items"> <div class="field__item"><a href="/type-resource/legal-cases" hreflang="en">Legal Cases</a></div> </div> </div> <div class="field field--name-field-partner field--type-entity-reference field--label-above"> <div class="field__label">Our Partner organisation</div> <div class="field__items"> <div class="field__item"><a href="/partners/right2know-campaign" hreflang="en">Right2Know Campaign</a></div> </div> </div> <div class="field field--name-field-type-of-intervention field--type-entity-reference field--label-above"> <div class="field__label">Related work PI does</div> <div class="field__item"><a href="/how-we-fight/court-case" hreflang="en">Court Case</a></div> </div> <div class="field field--name-field-type-of-impact field--type-entity-reference field--label-above"> <div class="field__label">Type of Impact</div> <div class="field__items"> <div class="field__item"><a href="/impact/communications-data-surveillance-restrained" hreflang="en">Communications Data Surveillance Restrained</a></div> </div> </div> <div class="field field--name-field-legal-proceedings field--type-entity-reference field--label-above"> <div class="field__label">Legal Action</div> <div class="field__items"> <div class="field__item"><a href="/legal-action/amabhungane-and-sole-case-south-africa" hreflang="en">amaBhungane and Sole case (South Africa)</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/secret-surveillance-networks" hreflang="en">Secret surveillance networks</a></div> </div> </div> <div class="field field--name-field-education-course field--type-entity-reference field--label-above"> <div class="field__label">Education material</div> <div class="field__items"> <div class="field__item"><a href="/education/data-and-surveillance" hreflang="en">Data and Surveillance</a></div> </div> </div> </div> </div> Mon, 16 Sep 2019 15:28:27 +0000 staff 3212 at http://privacyinternational.org How difficult is it to understand why you’re seeing a political ad on social media? http://privacyinternational.org/long-read/3207/how-difficult-it-understand-why-youre-seeing-political-ad-social-media <span class="field field--name-title field--type-string field--label-hidden">How difficult is it to understand why you’re seeing a political ad on social media? </span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">tech-admin</span></span> <span class="field field--name-created field--type-created field--label-hidden">Friday, September 13, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>We found this image <a href="https://www.flickr.com/photos/bjornmeansbear/4495318473">here</a>.</em></p> <p><span><span><span><span><span>Using Facebook, Google, and Twitter’s ad libraries, PI has tried to understand how political ads are targeted in the UK. This information – which should be very clear on political ads – is instead being squirreled away under multiple clicks and confusing headings. </span></span></span></span></span></p> <p><span><span><span><span><span>Importantly, in most countries around the world, users cannot understand why they’re being targeted with political ads on these platforms at all. This is because Facebook, Google, and Twitter have taken the deliberate decision to provide some of their users with increased transparency and some of their users with zilch. PI is advocating for 1) platforms to give all users heightened ad transparency and 2) for transparency into targeting and funding of ads to be <em>meaningful</em>.</span></span></span></span></span></p> <p><span><span><span><span><span>Here’s a few examples of ads that have run or are running in the UK at the moment. We’ve aimed to provide examples from across the political spectrum.</span></span></span></span></span></p> <p> </p> <h3><span><span><strong><span><span><span>Facebook</span></span></span></strong></span></span></h3> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Facebook’s Ad Library provides little information about how political and political issue ads are targeted. It takes navigating to two pages to finally land on the page with targeting information, which is very basic and includes only the ad’s actual audience (instead of the advertiser’s intended audience), a general break down by gender and location, a range of how many impressions the ad made, and a range of how much was spent on the ad.</span></span></span></span></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Step 1: You see an ad. </span></span><a href="https://www.facebook.com/ads/library/?active_status=all&amp;ad_type=all&amp;country=GB&amp;q=UNN&amp;view_all_page_id=432832003805922"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Click</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> “See ad details”.</span></span></span></span></p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-hidden field__items"> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%201_0.png" width="479" height="610" alt="1" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Step 2: This takes you to an information </span></span><a href="https://www.facebook.com/ads/library/?active_status=all&amp;ad_type=all&amp;country=GB&amp;q=UNN&amp;view_all_page_id=432832003805922"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>page</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> about the ad and advertiser, with the general targeting information. </span></span></span></span></p> <p> </p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%202.png" width="939" height="670" alt="2" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span><span><strong><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Google</span></span></strong></span></span></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Google’s Ad Library provides less targeting information than Facebook’s Library. Google archives election ads, which are </span></span><a href="https://support.google.com/adspolicy/answer/6014595?hl=en-GB"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>ads</span></span></a> <span><span>for political organisations, political parties, political issue advocacy or fundraising, and individual candidates and politicians, in India, EU member states including the UK, and the US.</span></span></span></span></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>When searching ads from 31 August – 12 September 2019, ads appear from the UK's Labour Party,  the Partidul National Liberal party in Romania, and the Irish Fianna Fail party. The ads state that they were “Paid for by” Partidul National Liberal, the Labour Party, or Fianna Fail respectively.</span></span></span></span></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Step 1: You see an </span></span><a href="https://transparencyreport.google.com/political-ads/region/GB?creative_by_advertiser=region:GB;q:;start:1567209600000;end:1568332800000;spend:;impressions:;type:;sort:3&amp;lu=creative_by_advertiser"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>ad</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>. Click on the ad.</span></span></span></span></p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%203_0.png" width="939" height="331" alt="3" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Step 2: Here is the </span></span><a href="https://transparencyreport.google.com/political-ads/advertiser/AR338691087918956544/creative/CR35683275489935360"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>information</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> Google makes available. </span></span><span><span>In the EU, India, and US, Google provide broad range data about ad spend [for example &lt;$10K] – for other countries it appears that Google does not even provide this level of transparency.</span></span> <span><span>Google does not </span></span><a href="https://transparencyreport.google.com/political-ads/advertiser/AR488306308034854912/creative/CR247585554441437184"><span><span>appear</span></span></a><span><span> to provide sponsor contact information.</span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%204_0.png" width="939" height="414" alt="4" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>There are other </span></span><a href="https://transparencyreport.google.com/political-ads/advertiser/AR302539695353495552/creative/CR246474497941569536"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>examples</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> in the archive with amount spent ranges such as 500€ to 25,000€ and the impression data ranges from 1 million to 10 million people, which provides no meaningful transparency into the intended or actual audience of the ad.</span></span></span></span></p> <p> </p> <h3><span><span><strong><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Twitter</span></span></strong></span></span></h3> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Twitter’s Ad Transparency Centre archives election-related ads (ads related to and</span></span><span><span> that advocate for or against a candidate or political party, ads that appeal directly for votes in an election, referendum, or ballot measure, or ads that solicit financial support for an election, referendum, or ballot measure – although this definition differs by country!)</span></span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> and promoted tweets (commercial ads). Within Promoted tweets are ads that by normal standards would be considered “political” but because they are not tied to an election, they seem to not be considered political ads by Twitter. Promoted tweets are archived for seven days only, which is problematic because it becomes impossible to track political issue ads over time or to understand what political actors are buying ads and how they are targeting users. It’s not clear how long election-related ads are archived. </span></span></span></span></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Twitter does not seem to provide any targeting information for Promoted ads in its Ad Library, including ads that by normal standards would be considered political. The election Ad Library provides some information about this.</span></span></span></span></p> <p> </p> <p><strong><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Election Ad Library</span></span></span></span></strong></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Step 1: You see an </span></span><a href="https://ads.twitter.com/transparency/Andrews4Europe"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>ad</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> and click “Ad details”.</span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%205_0.png" width="870" height="668" alt="5" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Click 2: You </span></span><a href="https://ads.twitter.com/transparency/Andrews4Europe/tweet/1131626055301771264"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>click</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> on the dates the ads run under “Targeting”.</span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%206_0.png" width="485" height="814" alt="6" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>On this page you can see information about the advertiser’s target audience and actual audience.</span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%207_0.png" width="541" height="727" alt="7" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Promoted tweets</span></span></span></span></strong></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>Click 1: Via Twitter’s Ad Library, it does not seem possible to view any information beyond what is seen in the screenshot below. For example, the <a>below </a></span></span><a href="https://ads.twitter.com/transparency/brexitparty_uk"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>ad</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span> [accessed 13 September 2019] is being run by a political party but it appears it will only be archived for a limited time and provides very little insight into how it was targeted. Overtime ads like this will be deleted and lost.</span></span></span></span></p> <p> </p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-09/Picture%208_0.png" width="733" height="560" alt="8" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><h3><span><span><strong><span><span>What should be done?</span></span></strong></span></span></h3> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>It is problematic that companies do not provide users with complete information about why they are targeted with ads, particularly political ads. Given the granularity with which advertisers are able to target users on Facebook, Google, and Twitter, the companies must provide much more information about why users are seeing an ad.</span></span></span></span></p> <p><span><span><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>This information should include at least: 1) the source of the data used to target ads, 2) the target audience of the advertiser and actual audience of the advertiser, 3) information about if the ad was micro-targeted [more details on the kind of information needed to make transparency meaningful </span></span><a href="https://blog.mozilla.org/blog/2019/03/27/facebook-and-google-this-is-what-an-effective-ad-archive-api-looks-like/"><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>here</span></span></a><span lang="EN-US" xml:lang="EN-US" xml:lang="EN-US"><span>]. </span></span></span></span></p></div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/data-and-elections" hreflang="en">Data and Elections</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/develop-protections-against-data-intensive-systems-global-south" hreflang="en">Develop Protections Against Data Intensive Systems in the Global South</a></div> <div class="field__item"><a href="/what-we-do/expose-data-exploitation-data-profiling-and-decision-making" hreflang="en">Expose Data Exploitation: Data, Profiling, and Decision Making</a></div> <div class="field__item"><a href="/what-we-do/modernise-data-protection-law" hreflang="en">Modernise Data Protection Law</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/when-your-data-becomes-political" hreflang="en">When Your Data Becomes Political</a></div> </div> </div> Fri, 13 Sep 2019 16:20:16 +0000 tech-admin 3207 at http://privacyinternational.org No Body's Business But Mine - What You Can Do If You Are A Menstruation App User http://privacyinternational.org/news-analysis/3199/no-bodys-business-mine-what-you-can-do-if-you-are-menstruation-app-user <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em><span>Photo by <a href="https://unsplash.com/@jakehills?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Jake Hills</a> on <a href="https://unsplash.com/collections/4402110/period?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></em></p> <p> </p> <p><span><span><a href="https://privacyinternational.org/long-read/3196/no-bodys-business-mine-how-menstruation-apps-are-sharing-your-data">Our research has shown </a>how some apps like Maya by Plackal Tech and MIA by Mobbap Development Limited were – at the time of the research – sharing your most intimate data about your sexual life and medical history with Facebook.</span></span></p> <p><span><span>Other apps like Mi Calendario, Ovulation Calculator by Pinkbird and Linchpin Health were letting Facebook know every time you open the app. </span></span></p> <p><span><span>We think companies like theses should do better and we are pleased to see some of them have already started changing their practices. But there are a few things you can do. </span></span></p> <p> </p> <p><span><span><strong>Not having a Facebook account does not spare you   </strong></span></span></p> <p> </p> <p><span><span>We wish we could tell you that not having a Facebook account protects you from Facebook tracking you. Unfortunately, it doesn’t. Our report shows that your data is shared with Facebook before you even get to agree to the privacy policy of the app you are using. The data is shared with your unique advertiser ID so Facebook knows who you are, even if you don’t have an account or use a different name. </span></span></p> <p><span><span>Last month, Facebook launched a tool for its users to allow them to stop Facebook from tracking them on other apps. That is a good first step, but it only protects Facebook users. </span></span></p> <p> </p> <p><span><span><strong>But there are steps you can take to limit tracking </strong></span></span></p> <p> </p> <p><span><span>These steps may not affect the kind of tracking we have described in our report, but they will help to protect your privacy by limiting how much your data can be used for profiling and advertising. </span></span></p> <p><span><span>If you are an Android user:</span></span></p> <p> </p> <ul><li><span><span>Reset your advertising ID regularly – this won’t stop you from being tracked and profiled, but it can temporarily limit the invasiveness of your profile. This can be found on most Android devices under: Settings &gt; Google &gt; Ads &gt; Reset Advertising ID. </span></span></li> </ul><p> </p> <ul><li><span><span><span><span>Limit ad personalization by opting out in the Android settings. This can be found on most Android devices under: Settings &gt; Google &gt; Ads &gt; Opt out of personalized advertising. </span></span></span></span></li> </ul><p> </p> <ul><li><span><span><span><span>Regularly review the permissions that you have given to different apps and limit them to what it strictly necessary. Permissions can be found on most Android devices under: Settings &gt; Apps or Application Manager (depending on your device, this may look different) &gt; tap the app you want to review &gt; Permissions. For example, setting apps that collect location information, to collect this information not “always” but only “when in use” etc. </span></span></span></span></li> </ul><p> </p> <p><span><span><span>In the meantime, we will carry on campaigning for apps to do a lot better and protect your privacy. Check out our social media accounts if you want to join us, and make sure app developers listen!  </span></span></span></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/jake-hills-0hgiQQEi4ic-unsplash_2.jpg" width="1920" height="1280" alt="menstruation" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/jake-hills-0hgiQQEi4ic-unsplash_3.jpg" width="1920" height="1280" alt="menstruation" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/jake-hills-0hgiQQEi4ic-unsplash_4.jpg" width="1920" height="1280" alt="menstruation" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/sexual-and-reproductive-health" hreflang="en">Sexual and reproductive health</a></div> <div class="field__item"><a href="/topics/gender" hreflang="en">Gender</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-above"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><a href="/target/industry" hreflang="en">Industry</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/no-bodys-business-mine" hreflang="en">No Body’s Business But Mine</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/577" hreflang="en">Facebook</a></div> </div> </div> </div> </div> Wed, 11 Sep 2019 13:37:00 +0000 staff 3199 at http://privacyinternational.org No Body’s Business But Mine http://privacyinternational.org/node/3044 <span class="field field--name-title field--type-string field--label-hidden">No Body’s Business But Mine</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Saturday, September 7, 2019</span> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">Campaign name</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/no-bodys-business-mine" hreflang="en">No Body’s Business But Mine</a></div> </div> </div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-07/Josefin%20from%20unsplash%20-%20no%20body_2.jpg" width="3899" height="2315" alt="Josefin from unspash" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-07/Josefin%20from%20unsplash%20-%20no%20body_3.jpg" width="3899" height="2315" alt="Josefin from unspash" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-07/Josefin%20from%20unsplash%20-%20no%20body_4.jpg" width="3899" height="2315" alt="Josefin from unspash" typeof="foaf:Image" /> </div> </div> Sat, 07 Sep 2019 17:59:48 +0000 staff 3044 at http://privacyinternational.org Privacy International study shows your mental health is for sale http://privacyinternational.org/long-read/3194/privacy-international-study-shows-your-mental-health-sale <span class="field field--name-title field--type-string field--label-hidden">Privacy International study shows your mental health is for sale</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">tech-admin</span></span> <span class="field field--name-created field--type-created field--label-hidden">Tuesday, September 3, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><strong>A new study by Privacy International reveals how popular websites about depression in France, Germany and the UK share user data with advertisers, data brokers and large tech companies, while some depression test websites leak answers and test results with third parties. The findings raise serious concerns about compliance with European data protection and privacy laws.</strong></p> <p><em>This article is part of a research led by Privacy International on mental health websites and tracking. <a href="/node/3193">Read our full report</a>.</em></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>According to the <a href="http://www.euro.who.int/en/health-topics/noncommunicable-diseases/mental-health/news/news/2012/10/depression-in-europe/depression-in-europe-facts-and-figures">World Health Organisation (WHO)</a>, 25% of the population in Europe experience depression or anxiety each year, yet about 50% of people with major depression remain untreated. Opening up about depression to friends, family, colleagues and medical professionals can be crucial for getting help and support. But when data brokers, advertisers and online tracking companies collect data about our mental health without our knowledge or consent, this is highly intrusive. Information that reveals when exactly someone is feeling low or anxious - especially if combined with other data about their interests and habits - can be misused to target people when they are at their most vulnerable. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>This is not the world we want to live in. Privacy International fights for a world in which people are in control of their data and the technology they use, and in which governments and companies are no longer able to use technology to monitor, track, analyse, profile, and ultimately manipulate and control us. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>To understand how data relating to mental health is currently protected, <strong>Privacy International analysed 136 popular mental health web pages in France, Germany and the UK</strong> related to depression using the open-source tool <a href="https://webxray.org/">webxray</a>.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Our findings show that many mental health websites don’t take the privacy of their visitors as seriously as they should. This research also shows that some mental health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws (see our full legal analysis in the report).</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>We found that:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><strong>97.78% of all web pages we analysed contained a third-party element</strong><span>, such as third-party cookies, third-party JavaScript or an image hosted on a third-party server. We understand and acknowledge that some third-party elements provide useful features, such as fonts or visual effects and are not primarily designed to collect data from the users visiting the page that load these resources. That said, </span><strong>integrating third-party services comes with an inherent privacy risk for users</strong><span>. Websites that contact third parties typically communicate the fact that a particular browser has opened a specific URL (often, in combination with more data related to the operating system, browsers, language settings etc.). Mental health websites often reveal lots of information, simply because it is contained in the URL (i.e. /symptoms/depression/help)</span></p> <ul><li><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>While third parties can provide useful services, our research shows that the predominant motivation to include third-party elements on mental health websites seems to be tracking for advertising and marketing purposes.</strong> According to webxray’s classification, 76.04% of web pages contained third-party trackers for marketing purposes. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></li> <li><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Google, Facebook and Amazon trackers were present on many of the web pages we scanned</strong>, <strong>which shows how hard it is to escape these companies.</strong> Google’s advertising services DoubleClick and AdSense, for instance, were used by the vast majority of web pages we analysed. 70.39% of all web pages we analysed use trackers by DoubleClick. <strong>Facebook is the second most common third-party tracker </strong>after Google<strong> and</strong> <strong>Amazon Marketing Services is also one of the most common third parties </strong>present on the web pages analysed.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></li> <li><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Depression-related web pages also used a large number of third-party tracking cookies, which were placed before users were able to express (or deny) consent. </strong>On average, mental health web pages placed 44.49 cookies in France, 7.82 for Germany and 12.24 for the UK. <strong>This raises serious questions about compliance</strong> with EU data protection (General Data Protection Regulation) and ePrivacy law (the ePrivacy Directive 2002/58/EC, as implemented by Member State laws).</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></li> <li><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Numerous mental health websites include trackers from known data brokers, and AdTech companies, some of which engage in programmatic advertising, </strong>a practice that is under increasing scrutiny by European regulators and which raises specific privacy concerns when used on health-related websites.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></li> </ul><p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>To further understand which data is exchanged between websites and third parties, we selected a small sub-set of depression-related websites for additional analysis. We chose the first three Google search results for “depression test” in France, Germany and the UK and inspected and examined traffic, as well as cookies, on websites that offer free depression tests.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>We found that:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <ul><li><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Some depression test websites (netdoktor.de, passeportsante.net and doctissimo.fr) use programmatic advertising with Real-Time Bidding (RTB). </strong>RTB is <a href="https://privacyinternational.org/adtech-complaints-timeline">subject to complaints across Europe</a> and Privacy International has complained about the practices of companies involved in RTB. That is because websites that use programmatic advertising with RTB risk sharing data relating to health with hundreds of companies in the RTB ecosystem. Typically, this includes information about the device used, or where a user is located. We found that in the case of some depression test websites we analysed this also included granular information about the exact web page people visited, and, as a result, what health conditions they been looking at. For example, as part of an RTB prebid request, the French website Doctissimo.fr sends content keywords (such as ‘dépression’, ‘déprimé’ (depressed), or ‘quizz’), the page URL (psychologie/tests-psycho/tests-psychologiques/coup-de-blues-ou-depression), as well as information about the page content (‘psychologie’, ‘test psychologiques’, ‘coup de blues ou dépression ?’) to the page <a href="https://europe-west1-realtime-logging-228816.cloudfunctions.net/realtime-logs">https://europe-west1-realtime-logging-228816.cloudfunctions.net/realtime-logs</a>(a cloud function hosted by Google that will process the request). </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></li> <li><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>A number of depression test websites store user’s answers to the test as variables (e.g. 1 = yes, and 0 = no) and share answers, as well as test results with third parties in the URL</strong>. Two websites (PasseportSanté and depression.org.nz<em>) </em>stored test results as variables in the URL, which is being shared with all third parties that the website contacts.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></li> <li><strong>Doctissimo.fr shares data with a third party directly.</strong> The website sends test answers, together with a unique identifier, to player.qualifio.com. Because Qualifio provides the test form, the company knows the test’s questions and answers. As a result, the company knows how uniquely identifiable individuals have responded to each question of the depression test. Because the request is sent in HTTP, instead of HTTPS, the request is potentially susceptible to interception.</li> <li>Finally, we observed that two depression test websites (the NHS mood test and depression.org.nz) use Hotjar, a company that, among other services, provides “session replay scripts” that could be used to log (and then playback) everything users typed or clicked on a website. In response to a query by Privacy International, a spokesperson for the NHS DIGITAL explained: "We do not record the session using Hotjars ‘session replay scripts’ when a user starts to complete the ‘mood self assessment quiz’.” (see our report for the full statement)</li> </ul><p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>The findings of this study are part of a broader, much more systemic problem: the ways in which companies exploit people's data to target ads with ever more precision is fundamentally broken. It is exceedingly difficult for people to seek mental health information and for example take a “depression test” without countless of third parties watching. All website providers have a responsibility to protect the privacy of their users and comply with existing laws, but this is particularly the case for websites that share unusually granular or sensitive data with third parties. Such is the case for mental health websites.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>We're hopeful that the UK regulator is currently probing the AdTech industry and the many ways it uses special category data in ways that are neither transparent nor fair and often lack a clear legal basis.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><a href="/node/3193">Download the full report here</a> to learn more about the methodology we used, our full legal analysis, as well as company responses.</span></span></span></p></div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/adtech" hreflang="en">AdTech</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> <div class="field__item"><a href="/topics/e-privacy" hreflang="en">e-privacy</a></div> <div class="field__item"><a href="/topics/general-data-protection-regulation-gdpr" hreflang="en">General Data Protection Regulation (GDPR)</a></div> <div class="field__item"><a href="/topics/health-data" hreflang="en">Health Data</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/your-mental-health-sale" hreflang="en">Your mental health for sale</a></div> </div> </div> <div class="field field--name-field-date field--type-datetime field--label-above"> <div class="field__label">Date</div> <div class="field__item"><time datetime="2019-09-04T12:00:00Z" class="datetime">Wednesday, September 4, 2019</time> </div> </div> Tue, 03 Sep 2019 12:53:31 +0000 tech-admin 3194 at http://privacyinternational.org Your mental health for sale http://privacyinternational.org/node/3192 <span class="field field--name-title field--type-string field--label-hidden">Your mental health for sale</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">tech-admin</span></span> <span class="field field--name-created field--type-created field--label-hidden">Tuesday, September 3, 2019</span> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">Campaign name</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/your-mental-health-sale" hreflang="en">Your mental health for sale</a></div> </div> </div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/small-PI-Depression-graphics-man-1_4.png" width="1600" height="1263" alt="depression graphic man" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/small-PI-Depression-graphics-man-1_5.png" width="1600" height="1263" alt="depression graphic man" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/small-PI-Depression-graphics-man-1_6.png" width="1600" height="1263" alt="depression graphic man" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learning Topic</div> <div class="field__items"> <div class="field__item"><a href="/topics/adtech" hreflang="en">AdTech</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> <div class="field__item"><a href="/topics/e-privacy" hreflang="en">e-privacy</a></div> <div class="field__item"><a href="/topics/general-data-protection-regulation-gdpr" hreflang="en">General Data Protection Regulation (GDPR)</a></div> <div class="field__item"><a href="/topics/health-data" hreflang="en">Health Data</a></div> </div> </div> <div class="field field--name-field-type-of-intervention field--type-entity-reference field--label-above"> <div class="field__label">Type of Intervention</div> <div class="field__item"><a href="/how-we-fight/public-campaigns" hreflang="en">Public Campaigns</a></div> </div> <div class="field field--name-field-date field--type-datetime field--label-above"> <div class="field__label">Date</div> <div class="field__item"><time datetime="2019-09-04T12:00:00Z" class="datetime">Wednesday, September 4, 2019</time> </div> </div> Tue, 03 Sep 2019 09:48:09 +0000 tech-admin 3192 at http://privacyinternational.org Taking a depression test online? Go ahead, they're listening http://privacyinternational.org/news-analysis/3188/taking-depression-test-online-go-ahead-theyre-listening <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>This article is part of a research led by Privacy International on mental health websites and tracking. <a href="/node/3193">Read our full report</a>.</em></p> <p><span><span><a href="http://www.euro.who.int/en/health-topics/noncommunicable-diseases/mental-health/news/news/2012/10/depression-in-europe/depression-in-europe-facts-and-figures"><span><span>According to the World Health Organisation (WHO</span></span></a><span><span>)</span>, 25 percent of the European population suffers from depression or anxiety each year, yet about 50% of major depressions remain untreated. This means that everyday thousands of people are looking for information about depression online. They take tests to find out how serious their symptoms are, they try to access resources, or seek information on how best to support a loved one. </span></span></span></p> <p><span><span><span>Given that the </span><a href="https://privacyinternational.org/long-read/2967/ad-supported-internet-broken-inefficient-and-privacy-nightmare-lets-fix-it"><span><span>internet is plagued with trackers</span></span></a><span><span>,</span></span><span> whose sole purpose is to collect data to target people with ads, we wondered whether online depression tests are also sharing information about their visitors with others. Privacy International decided to take an in-depth look at the top three depression tests websites in France, Germany and the UK to find out whether the information you provide to these websites are processed securely. Spoiler alert: they are not. </span></span></span></p> <p><em><span><span><span>Disclaimer: </span></span></span>Our findings of this report show that many mental health websites don’t take the privacy of their visitors as seriously as they should. But shame and silence around mental health problems can be as bad as the problem itself and Privacy International supports campaigns that aim to change the way we all think and act about mental health. <span>Don’t refrain from searching for information about mental health online, or from taking a qualified depression test.</span></em></p> <h2><span><span><strong><span><span>Trackers, trackers everywhere</span></span></strong></span></span></h2> <p><span><span><span>The first thing we noticed is that the web pages analysed contain a shocking number of third-party trackers. In the case of the French website <a href="http://www.doctissimo.fr">doctissimo.fr</a>, for instance, the depression test page contacted <span>48</span> third parties the moment we opened it. Another example is the depression test of the German site <a href="https://www.netdoktor.de">netdoktor.de</a>, which contacted <span>30</span> trackers. </span></span></span></p> <p><span><span><span>Third parties offer additional features that are not necessarily nefarious, such as fonts or analytics. However, our research shows that most trackers are used to collect data about people to target ads at them ever more granular levels. We found trackers from all the large tech companies - Google, Facebook, and Amazon - but also from data brokers, and AdTech companies, such as the native advertising companies Outbrain or Taboola. This is a pattern we have observed at a much larger scale in <a href="/node/3194">our research on 136 depression-related web pages</a>. </span></span></span></p> <p><span><span><span>The key point is this: when a website integrates a third party service or tracker, this third party receives a certain number of information about the user. Typically, this includes the URL of the website they are currently visiting, which in the case of depression test websites almost always includes the words "depression" and "test", as well as information about their browser and device. In many cases, this data is also shared with a unique identifier, which can be stored in a cookie, allowing third parties to track people across the web (and often even across devices) to profile people according to their interests and behaviours.</span></span></span></p> <p><span><span><span>In practice, this means that <strong>countless of third parties know that you are taking a depression test right now.</strong></span></span></span></p> <h2>Online "behavioral" advertising on depression test websites</h2> <p>The fact that depression test websites include marketing trackers is already problematic but we also observed a number of websites that use a particularly invasive technology to serve ads. <span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Netdoktor.de, passeportsante.net and doctissimo.fr seem to use programmatic advertising with Real-Time Bidding (RTB), a practice <a href="https://fixad.tech/about/">subject to complaints across Europe</a> and <a href="https://privacyinternational.org/adtech-complaints-timeline">examined in Privacy International complaints against AdTech companies</a>.Through RTB, vast amounts of personal data exchange hands between a large number of players a billion times a day. Any mental health websites that uses RTB could potentially share personal data with thousands of third parties.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>For example, Doctissimo.fr share content keyword such as ‘dépression’, ‘déprimé’ (depressed), or ‘quizz’, the page URL (psychologie/tests-psycho/tests-pstchologiques/coup-de-blues-ou-depression), as well as information about the page content (‘psychologie’, ‘test psychologiques’, ‘coup de blues ou dépression ?' with<a> </a><a href="https://europe-west1-realtime-logging-228816.cloudfunctions.net/realtime-logs">https://europe-west1-realtime-logging-228816.cloudfunctions.net/realtime-logs</a>. These keywords clearly communicate that a user is looking for information about depression and is very likely taking a depression test.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><strong><span><span>Some online depression tests share your answers with third parties</span></span></strong></span></span></h2> <p><span><span><span>Among the nine websites we scanned, four shared test answers with at least one third party.</span></span></span></p> <p>Most notable is t<span><span><span>he French website </span><span><a href="http://www.doctissimo.fr/psychologie/tests-psycho/tests-psychologiques/coup-de-blues-ou-depression">doctissimo.fr</a>, which</span><span> shares </span></span></span>test answers as variables and in clear text with a third party. When taking a depression test on doctissimo.fr, answers to the test’s questions are sent to a company called <span><span><span>Qualifio. <span><span><span><span><span><span><span><span><span><span><span><span><span>Because <a>Qualifio provides the test form, the company knows the test’s questions, as well as which answer is associated with the response value</a>. Qualifio places a cookie in the user’s browser, which contains a unique identifier.  As a result, the answers to the depression test questions that Doctissimo sends to Qualifio, can be linked to a uniquely identifiable individual.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span>Here is what the POST queries look like:</span></span></span></p> <img alt="screenshot doctissimo sending data to qualifio" data-entity-type="file" data-entity-uuid="17869f29-c876-42ce-bad2-ac768ba351a4" src="/sites/default/files/inline-images/doctissimo-qualifio%20post%20answer.png" class="align-center" /><p><span><span><em><span>Note: "reponse" mean "answer" in French.</span></em></span></span></p> <p><span><span><span>Another example is the GET response that Qualifio sends back to Doctissimo where we can clearly see the question and the answer the user gave. </span></span></span></p> <img alt="Screenshot GET request to qualifio including answers to test" data-entity-type="file" data-entity-uuid="7882a13d-bb96-44dc-9920-79954dba2c31" src="/sites/default/files/inline-images/doctissimo-qualifio%20get%20body%20answer.png" class="align-center" /><p>We also noted that the <a href="https://www.nhs.uk/conditions/stress-anxiety-depression/mood-self-assessment/">NHS's mood assessment test</a> shares its URL, the test name ‘Mood self-assessment quiz’, as well as the final test score with Adobe. Adobe’s documentation page for tracking servers suggests that the purpose of this tracking is measurement or analytics, rather than advertising or marketing, even though this is a service that Adobe also offers. When we shared key findings with the NHS, we received the following clarification via e-mail:</p> <p><em>“It is not possible to identify any individual from the data collected in the mood self-assessment quiz and no data is shared with any third parties. All analytics data and test scores are linked to a unique, anoymised user ID which cannot be traced back to an individual - it is not linked to an IP address and is randomly generated. In order to ensure privacy of visitors to our website, IP addresses are anonymised.”</em></p> <p><span><span><span>The two other websites (</span><a href="https://www.passeportsante.net/fr/VivreEnSante/Test/faites-vous-une-depression-48"><span>passeportsante.net</span></a><span> and </span><a href="https://depression.org.nz/is-it-depression-anxiety/self-test/depression-test/"><span>depression.org.nz</span></a><span>) engage in a different kind of data sharing. Instead of sharing the answers to the test with a specific third party directly, test results and test answers are stored as a variable (e.g.: yes = 1, no = 0) in the URL. Given that the URL is part of the default header sent to all third parties (in the <em>referer</em> field), this means that all third parties that are loaded when visiting the page receive all answers to each test question (and in the case of depression.org.nz, the final score of users taking the test). <span><span><span><span><span><span><span><span><span><span><span><span><span>PasseportSanté contacts 41 third-party services when taking the test.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span>Here's what the URL looks like for depression.org.nz:</span></span></span></p> <blockquote> <p><span><span><a href="https://depression.org.nz/is-it-depression-anxiety/self-test/depression-test/result"><span><span>https://depression.org.nz/is-it-depression-anxiety/self-test/depression-test/result</span></span></a><span><span>?<strong>q[1]=3&amp;q[2]=0&amp;q[3]=2&amp;q[4]=1&amp;q[5]=3&amp;q[6]=3&amp;q[7]=1&amp;q[8]=2&amp;q[9]=3&amp;priority=16&amp;score=18</strong></span></span></span></span></p> </blockquote> <p><br /><span><span><span>We can see the answer to each question ranging from 0 ("not at all") to 3 ("nearly every day"), as well as the final score. In the case of depression.org.nz, this URL is shared with Surveygizmo, Youtube, Google DoubleClick, Cloudfront, Hotjar, Facebook, hap.org.nz and Crazyegg. </span></span></span></p> <p><span><span><span>We also noticed that the NHS and depression.org.nz test page place a Hotjar cookie associated with a unique identifier. This company provides heatmaps and “session replay scripts” that can be used to log (and then playback) everything you did on a page (scroll, clicks, text typed…). </span></span></span>In response to a query by Privacy International, a spokesperson for the NHS DIGITAL explained: "We do not record the session using Hotjars ‘session replay scripts’ when a user starts to complete the ‘mood self assessment quiz’.” (see our report for the full statement)</p> <h2><span><span><strong><span><span>You often don’t have a choice</span></span></strong></span></span></h2> <p><span><span><span>Given that health websites can reveal such sensitive data about us we would expect that they are 100% transparent about what happens to your data and give people a genuine choice. Unfortunately, that’s not what we found. We found many websites that don’t ask for user consent before placing a cookie on their browser. We also found websites that ask for consent, but don’t offer a straightforward option to reject consent. The French website doctissimo.fr is a negative example in this regard. The website does not offer a clear option to reject consent and the consent box disappears the moment the user takes any action on the site (such as scrolling). This is interpreted as consent to data sharing with 448 advertising partners, all of which may all process the user’s personal data. </span></span></span><span><span><span> </span></span></span></p> <h2><span><span><span>Where things went wrong and how to fix</span></span></span></h2> <p><span><span><span>Our findings show that many mental health websites don’t take the privacy of their visitors as seriously as they should. This research also shows that some mental health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws (read our report for an in-depth legal analysis).</span></span></span></p> <p><span><span>Our analysis teaches us three things:</span></span></p> <ol><li><span><span>Consent is optional for many of the websites we analysed, while they should be giving users clear information and a real choice</span></span></li> <li><span><span>There are way too many trackers for advertising purposes on websites about mental health</span></span></li> <li><span><span>Websites sometimes unknowingly share more that they should</span></span></li> </ol><p><span><span>Our suggestion to fix this</span></span>:</p> <ul><li><span><span><span>Websites should be transparent about third-party tracking, limit third-party tracking to what is strictly necessary, and obtain valid and informed consent from users by offering them a genuine choice. You should respect their preferences and browser settings, such as DO NOT TRACK, instead of nudging them to consent with annoying and deceptive cookie banners.</span></span></span></li> <li><span><span><span>For websites that want to use a select number of third parties, we recommend that they remove the <em>referer </em>header to avoid sharing the webpage currently visited.</span></span></span></li> <li><span>We also recommend that websites that cover potentially sensitive issues, such as mental health, refrain from using programmatic advertising, especially involving RTB, on health-related websites. </span></li> <li><span>Websites sometimes unknowingly share a lot more data than visitors can reasonably expect. We recommend that websites that offer tests should change the way the results are stored so that they are not shared with any third parties. </span></li> </ul><p><em><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>As it is our strong desire to present as accurate an assessment as possible prior to the publication of our <span>reports, we reached out to Netdoctor.de, doctissimo.fr, the NHS and PasseportSanté and the the Health Promotion Agency of New Zealand via email. So far, we have only received a response from the NHS. Please read our report Your Mental Health For Sale for a full legal analysis, further evidence and an explanation of the tools and methodology used.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></em></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/small-PI-Depression-graphics-woman-1.png" width="2000" height="2000" alt="depression-graphic-woman" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/small-PI-Depression-graphics-woman-1_0.png" width="2000" height="2000" alt="depression-graphic-woman" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-09/small-PI-Depression-graphics-woman-1_1.png" width="2000" height="2000" alt="depression-graphic-woman" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/adtech" hreflang="en">AdTech</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> <div class="field__item"><a href="/topics/e-privacy" hreflang="en">e-privacy</a></div> <div class="field__item"><a href="/topics/general-data-protection-regulation-gdpr" hreflang="en">General Data Protection Regulation (GDPR)</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/your-mental-health-sale" hreflang="en">Your mental health for sale</a></div> </div> </div> </div> </div> Mon, 02 Sep 2019 09:29:05 +0000 tech-admin 3188 at http://privacyinternational.org Facebook, Google, Twitter: Upgrade Your Ad Archive API! http://privacyinternational.org/advocacy/3183/facebook-google-twitter-upgrade-your-ad-archive-api <div class="node node--type-advocacy-briefing node--view-mode-token group-one-column ds-2col-stacked-fluid clearfix"> <div class="group-header"> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Screen%20Shot%202019-02-19%20at%2010.19.33_1.png" width="780" height="610" alt="Facebook, Google, Twitter: Upgrade Your Ad Archive API!" typeof="foaf:Image" /> </div> </div> </div> <div class="group-left"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>On 28 August 2019 PI joined <a href="https://privacyinternational.org/partners">International Privacy Network</a> partner <span><a href="https://adc.org.ar/">Asociación por los Derechos Civiles</a> and others in writing to the </span><span lang="en" xml:lang="en" xml:lang="en">Directors of Public Policy for Latin America at Facebook, Google, and Twitter. The letters outline what steps are needed to make the social media giants' ad archives effective. Earlier this year organisations across Europe, led by the Mozilla, <a href="https://blog.mozilla.org/blog/2019/03/27/facebook-and-google-this-is-what-an-effective-ad-archive-api-looks-like/">wrote</a> to the companies with similar guidelines - the letters sent today say that </span>equivalent<span lang="en" xml:lang="en" xml:lang="en"> steps should be taken for ad archive API in <span>Latin America and the Caribbean. Full letters are linked below.</span></span></p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-inline"> <div class="field__label">Repeating Image and Text</div> <div class="field__items"> <div class="field__item"><div class="paragraph-formatter"><div class="paragraph-info"></div> <div class="paragraph-summary"></div> </div> </div> </div> </div> </div> <div class="group-footer"> <div class="field field--name-field-partner field--type-entity-reference field--label-inline"> <div class="field__label">Our Partner organisation</div> <div class="field__items"> <div class="field__item"><div about="/partners/asociacion-por-los-derechos-civiles" id="taxonomy-term-131" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/asociacion-por-los-derechos-civiles"> <div class="field field--name-name field--type-string field--label-hidden field__item">Asociación por los Derechos Civiles</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The Association for Civil Rights (ADC) is a non-governmental organisation based in Buenos Aires that promotes civil and social rights in Argentina and other Latin American countries. It was founded in 1995 with the aim of fostering a legal and institutional culture to guarantee fundamental rights, based on respect for the constitution and democratic values.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/argentina" hreflang="en">Argentina</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="http://adc.org.ar/">http://adc.org.ar/</a></div> <div class="field__item"><a href="https://adcdigital.org.ar/acerca-de/">https://adcdigital.org.ar/acerca-de/</a></div> </div> </div> </div> </div> </div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-inline"> <div class="field__label">What PI is campaigning on</div> <div class="field__items"> <div class="field__item"><div about="/campaigns/when-your-data-becomes-political" id="taxonomy-term-618" class="taxonomy-term vocabulary-campaigns"> <h2><a href="/campaigns/when-your-data-becomes-political"> <div class="field field--name-name field--type-string field--label-hidden field__item">When Your Data Becomes Political</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><strong><span>Have you ever wondered why you're seeing an ad online? In your social media feed, in apps, or while browsing the internet?</span></strong></p> <p><span>What you see is determined in large part by your data.</span><span> The exploitation of data dominates the news these days - and the use of advertising </span><span>in politics</span><span> is front and centre to this exploitation. Advertisers are able to buy access to very personal information about you and</span><span> then</span><span> infer</span><span> even more about you.</span><span> They are able to use this information to target ads at you with heightened precision, and to send you unique messages that are specially created to appeal to you and people like you.</span><span> There are many actors in the business of amassing our data and using it to segment and profile us based on our behaviour - data brokers, ad tech</span><span>,</span><span> and platforms we use.</span></p> <p><span>It's not only </span><span>brands and </span><span>advertisers selling t-shirts who are targeting you. Political parties, political campaigns and those who work for them tap into and further exploit our data  - and it's happening in the dark. <a href="https://privacyinternational.org/long-read/2850/data-exploitation-and-democratic-societies">Privacy International believes that you should be told and understand how your data is being used by companies and by political actors</a>, and that there must be limits - </span><span>your data should not be used against you.</span></p> <p><span>In the <a href="https://privacyinternational.org/topics/data-and-elections">run up to an election</a>, concern at such attempts to influence and manipulate our views are heightened. This is why at PI we are working to challenge such practices.</span></p> <p> </p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Political campaigns around the world have turned into sophisticated data operations. They rely on data- your data- to facilitate a number of decisions: where to hold rallies, which States or constituencies to focus resources on, which campaign messages to focus on in which area, and how to target supporters, undecided voters, and non-supporters.</p> <p> </p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><div about="/programmes/building-global-privacy-movement" id="taxonomy-term-2" class="taxonomy-term vocabulary-programmes"> <h2><a href="/programmes/building-global-privacy-movement"> <div class="field field--name-name field--type-string field--label-hidden field__item">Building the Global Privacy Movement</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><strong>We are building the global movement for the protection of privacy. </strong></p></div> </div> </div> </div> <div class="field__item"><div about="/strategic-areas/defending-democracy-and-dissent" id="taxonomy-term-585" class="taxonomy-term vocabulary-programmes"> <h2><a href="/strategic-areas/defending-democracy-and-dissent"> <div class="field field--name-name field--type-string field--label-hidden field__item">Defending Democracy and Dissent</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The seamless way we communicate using some of these technologies has helped many to organise politically and to express dissent online and offline. But the hidden data harvesting on which many of these technologies rely also threatens our ability to challenge power, no matter the type of government.</p></div> </div> </div> </div> </div> </div> </div> </div> Thu, 29 Aug 2019 11:17:33 +0000 tech-admin 3183 at http://privacyinternational.org Identity schemes and data protection: lessons from Ireland's Public Services Card http://privacyinternational.org/news-analysis/3177/identity-schemes-and-data-protection-lessons-irelands-public-services-card <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>The Irish Data Protection Commissioner has made a ruling on the controversial Public Services Card (PSC) that has described much of what is is done with the card as unlawful. The PSC has proven controversial: introduced in 2012 for welfare claimants, it's use <a href="https://www.independent.ie/regionals/enniscorthyguardian/news/is-the-government-sneaking-national-id-cards-in-through-the-back-door-36596609.html">expanded</a> to more and more uses, including its use to get a driving licence or passport. Now, following campaigns from civil liberties organisations, this expansion of use has now been found to be <a href="//www.irishtimes.com/news/ireland/irish-news/irish-state-told-to-delete-unlawful-data-on-3-2m-citizens-1.3987606">unlawful</a> by Ireland's Data Protection Commissioner.</p> <p>The nature of the findings are highly relevant for how we must look at ID schemes all over the world.</p> <ul><li>It is essential that there is an effective data protection regime <em>prior</em> to the introduction of an identity system. Across the world, we see schemes introduced without these protections, or the data protection regime emerging as almost an afterthought. It is increasingly clear that this is no longer acceptable. International organisations, such as the <a href="http://documents.worldbank.org/curated/en/213581486378184357/pdf/Principles-on-identification-for-sustainable-development-toward-the-digital-age.pdf">World Bank</a>, stand by the principle that a legal and regulatory framework surrounding "data privacy" is essential for an ID system. Rather than emerging later, or in response to court action against a system, we need data protection legislation implemented in an effective regime from the start. To continue to promote and fund ID systems without these protections in place leaves a system open to abusing the rights of individuals and communities.</li> <li> The 'function creep' of ID schemes is a feature we also see all over world, as the uses of a system are put to more and more purposes. But the Irish case highlights the issue that the implications of this function creep are often not considered. As the Data Protection Commissioner <a href="https://www.dataprotection.ie/en/dpc-statement-matters-pertaining-public-services-card-0">said</a>, "As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses." It's essential that a scheme, once implemented, any potential new uses are interrogated and critiqued, for their compatibility with data protection and human rights law but also taking into accounts the risks surrounding exclusion, exploitation, and surveillance. Introducing an ID scheme through the 'back door', like in Ireland, is not acceptable.</li> <li>The Irish scheme also illustrated how ID schemes can also lead to the creation of new ID requirements where, previously, ID was not required. The Data Protection Commissioner <a href="//www.irishtimes.com/news/ireland/irish-news/irish-state-told-to-delete-unlawful-data-on-3-2m-citizens-1.3987606">highlighted</a> the case of its use in the school transport system, for a use which previously did not have any ID requirement at all: “There may be a real artificiality in terms of embedding the requirement for the [card] in processes that heretofore did not require identification to that standard.” Thus the Ireland example is ID used not to empower, but the creation of new barriers.</li> </ul><p>There are valuable lessons to be learnt from the experience of Ireland: for those places looking to adopt ID cards, but also those organisations promoting their use. The lessons from the experience of Ireland must be heeded for there to be a future where ID respects everyone's rights.</p> <p><em>[Image source: <a href="https://www.publicdomainpictures.net/en/view-image.php?image=256956&amp;picture=ireland-flag">George Hodan</a>]</em></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Ireland%20flag.jpg" width="1920" height="1280" alt="Ireland flag" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Ireland%20flag_0.jpg" width="1920" height="1280" alt="Ireland flag" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2019-08/Ireland%20flag_1.jpg" width="1920" height="1280" alt="Ireland flag" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/id-identity-and-identification" hreflang="en">ID, Identity and Identification</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/id-systems" hreflang="en">ID Systems</a></div> <div class="field__item"><a href="/topics/identity" hreflang="en">Identity</a></div> </div> </div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/ireland" hreflang="en">Ireland</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/demanding-identity-systems-our-terms" hreflang="en">Demanding identity systems on our terms</a></div> </div> </div> </div> </div> Wed, 21 Aug 2019 16:13:28 +0000 staff 3177 at http://privacyinternational.org Your adversary has a face http://privacyinternational.org/long-read/3030/your-adversary-has-face <span class="field field--name-title field--type-string field--label-hidden">Your adversary has a face</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/45" typeof="schema:Person" property="schema:name" datatype="">harmitk</span></span> <span class="field field--name-created field--type-created field--label-hidden">Tuesday, August 20, 2019</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><span><em>This blog is about our new Twitter bot, called <a href="https://twitter.com/adversarybot">@adversarybot</a>. If you want to follow the account, please do watch the pinned 'Privacy Policy' tweet before you do so.</em></span></p> <p> </p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-hidden field__items"> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span>Everyday at PI we campaign against adversaries to your privacy. Whether it's the <a href="https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report">social media platforms that you use - or indeed don’t use</a> - trying to learn, deduce and predict everything they can about you; smartphones manufacturers that make <a href="https://privacyinternational.org/examples-abuse/850/cheap-phones-leave-poorer-users-vulnerable">cheap handsets bundled with ‘free’ apps</a> that spew your data out to other companies for purposes you don’t know about; the companies and state bodies that <a href="https://privacyinternational.org/long-read/2776/surveillance-company-cellebrite-finds-new-exploit-spying-asylum-seekers">investigate asylum seekers’ claims at borders</a> by extracting all of their personal data from their phones; the list goes on and on. </span></p> <p><span>There’s a great irony within all this. While our identities, personalities, political opinions, sexuality and even our moods are available to our adversaries, in turn we know nothing little or nothing about them. Those adversaries that we have actually heard of often obscure their true identities and intentions behind slick PR campaigns</span>.</p> <p><span>While Mark Zuckerberg, Founder and CEO of Facebook assures us that the '<a href="https://www.theverge.com/2019/4/30/18524188/facebook-f8-keynote-mark-zuckerberg-privacy-future-2019">future is private</a>', let's not forget that in 2010 he told us that <a href="https://archive.nytimes.com/www.nytimes.com/external/readwriteweb/2010/01/10/10readwriteweb-facebooks-zuckerberg-says-the-age-of-privac-82963.html?em=&amp;pagewanted=all">privacy is no longer a 'social norm'</a>. Which is the true 'face' of Facebook?</span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/privacy-is-no-longer-a-social-norm-colours_0.gif" width="1920" height="1080" alt="Privacy is no longer a social norm" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span>So, we are giving those that want to know your identity an identity of their own. We are giving the faceless a face. The face of the ‘Adversary’. </span></p> <p><span>As part of our work in showing the true face(s) of our adversaries, we have created a Twitter bot (<a href="https://twitter.com/adversarybot">@adversarybot</a>). If you follow the bot, it will follow you back and analyse your tweets and give you regular feedback reports with a simple ’<a href="https://en.wikipedia.org/wiki/Sentiment_analysis">sentiment analysis</a>’. It gives a taste of what ‘<a href="https://privacyinternational.org/topics/social-media-surveillance-socmint">social media intelligence</a>’ is, as well as hopefully providing a wider warning that while our adversaries take great interest in who we are, it is not necessarily with our interests in mind. </span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Screen%20Shot%202019-07-08%20at%2013.52.302_0.png" width="943" height="443" alt="Adversary bot screenshot" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span>The idea that '<a href="https://www.ted.com/talks/glenn_greenwald_why_privacy_matters?language=en">if you have nothing to hide, you have nothing to fear</a>' is in danger of becoming axiomatic. It has permeated into our cultural psyche and emboldened governments to develop ever more sophisticated apparatus to <a href="https://privacyinternational.org/topics/mass-surveillance">intercept and hack our personal data</a> on a massive scale. But all we really tend to see of GCHQ, NSA and other state surveillance agencies are impressive yet anonymous looking buildings or patriotic emblems. We rarely see the faces of the people who want to know everything about us.  </span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/Screen%20Shot%202019-07-08%20at%2014.52.13_0.png" width="952" height="368" alt="GCHQ building and NSA logo" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span>And while we're on the subject of government surveillance, below we reveal the world's most famous spy's real face.</span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2019-07/normal%20speed_1.gif" width="1000" height="625" alt="James Bond gif" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><span>You will see the Adversary from time to time in <a href="https://privacyinternational.org/explainer-graphic/140/how-bulk-interception-works">our communications</a>. Whenever you do see his face, we hope it will act as  a reminder that while our adversaries want to remain in the shadows, we are facing them down.</span></p> <p><span> </span></p></div> </div> </div> </div> Mon, 19 Aug 2019 23:01:40 +0000 harmitk 3030 at http://privacyinternational.org