Tag Archives: General Data Protection Regulation

London Bridge had fallen

This is not some event involving Mike Banning as the never failing US Secret Agent, it is also not a movie involving Gerard Butler in command of a Nuclear Submarine (Cool movie though). No this is reality!

In 2017, on June 3rd, an attack took place; the inquest is still going on 2 years later. 3 people rammed pedestrians and after that ran into the public in the Borough Market area and stabbed a whole lot more people. They were wearing fake explosives and carrying knives. That pretty much sums it up. In the end 8 died and 48 were wounded, and the three ‘terrorists’ were killed in the process.

According to all sources these three were ‘inspired’ by ISIS.

I took notice of it initially, but it was not high on my radar. It got my attention again last week, but I was looking into the Strait of Hormuz issue. It stayed at the back of my mind. So let’s start with last week: ‘MI5 admin errors meant attackers link ‘was missed’’. It got to me as MI-5 does a whole lot of things, errors are actually quite rare and anyone stating that there should not be any errors is an idiot. Anything involving intelligence gathering is prone to issues. The right stage, the right interpretation, the right connections and the right actions. These are all matters that influence the stage. You can check this for yourself: go to any recruiter and apply for a job, what are the chances that he/she places you wrong or gives you less useful advice, or considers you not to be the ‘right’ person for the job? That chance is rather high.

So when I see the BBC article (at https://www.bbc.com/news/uk-48626134) giving me: “Youssef Zaghba was stopped at Bologna airport in 2016 after telling staff he was going to Turkey to be a terrorist”, so in the clear setting of a first, a terrorist does not tell anyone he/she is one. The more verbose version is: “Asked why he was going to Turkey, he said to be “a terrorist” before quickly changing his answer to “tourist”, the court heard”, so now we get a person who is basically an idiot and customs has to deal with hundreds if not thousands on a daily basis. This part is already numb and done for. So at best we have a video game wannabe, at worst we have a person with mental health issues. At present neither of the two scores high on the list, at most a police chat would have been warranted.

Regarding Zaghba we also see (at https://www.bbc.com/news/uk-40169985) that in 2016, Zaghba was stopped at Bologna Guglielmo Marconi Airport by Italian officers who found ISIS-related materials on his mobile phone. So what materials were they? He apparently was placed on a watch list, which is shared with many countries including the UK, as such is he merely watched when he travelled or 24/7? There is a difference and one does not warrant the other.

Yet now there is a clarity of optional failure that is increased with: “Witness L, who is head of policy, strategy and capability for MI5’s international counter-terrorism branch, told the court MI6 did not translate the Italian request for two months – and then sent it to the wrong person in MI5”, which gives me these questions:

  1. How could this be sent to the wrong person, and why was there no return/response on wrongly sent information?
  2. Then we get: the optional escalation had 1 year to find corrections and an optional change in surveillance. Why was this not done?
  3. How often is the shared list vetted and checked for additional information on whether the watch list is still accurate and, more importantly, useful?

Three direct questions that now put MI-5 on the radar for a few failings. In addition we also need to enlarge the scope, if SIGINT is GCHQ, how was this optionally missed twice over?

There are also serious questions regarding the lawyer of the 6 victims. When we see that he had: ‘previously told the court there had been missed opportunities to prevent the attack’, it is important to see this part. In another story we get: “Gareth Patterson, the lawyer representing several victims’ families, said there was evidence the attackers had been in contact since January 2017”, here I disagree to some degree, and with “‘any reasonably competent investigation’ had the chance to detect the planning that was going on between the three men” I disagree even further.

You see, when we look at the elements. The fake explosives mean that they could have been made in any way; for the most part stuff from a toy store might have sufficed, at most a stroll through B&Q or Wickes would have sufficed. Then there is the stage of interpreting the Zaghba part, a terrorist claiming to be one is not one. I would have been able to do all the needed parts without setting off any flags or alarms. The biggest risk I run is getting a lorry; they did not get one either, for mere payment issues. That one element also shows that they commenced a terrorist act, but were not terrorists (or almost the worst prepared ones). The absence of planning, the absence of dotting the ‘i’ and crossing the ‘t’ is what sets them apart. Merely three men with water bottles, pretending them to be explosives, knives that one can buy at IKEA, and when we learn from the Guardian (at https://www.theguardian.com/uk-news/2017/jun/10/worse-terror-attack-on-london-bridge-foiled-by-chance-police-say) that the van had “13 wine bottles containing flammable liquid with rags stuffed in them, essentially Molotov cocktails” that were either forgotten, or just ignored by these three, we see wannabe terrorists who forgot that they had options to increase the death count by a lot. These are all elements that count, because MI-5 is there for serious threats and these three were seemingly ignoring all their options even during the event. Going back to the lorry, that one might be easy when I stalk the right bars and mickey the right person, with him tied up in the back of the van I could start my spree, no flag raised at all. In my case I would have been able to get the stuff that goes boom; I merely needed to change perspective on the how. All issues that would never raise a flag; that is what MI-5 has to deal with and they have the one additional benefit that they are on an island.

We agree that steps were missed on Zaghba, but none of this is evidence that it would have prevented the attack. The higher part is Khuram Shazad Butt, he has enough flags that warrant consideration, his presence is a real issue, yet how many flags did he raise before the attack? We seem to blame after the effect, yet in the UK we see more whingers and whiners on freedom and privacy than in most other places in the world, well, congratulations! If MI-5 had that data this might have been prevented, they did not. You wanted the Data Protection Act 2018, you got it, you wanted General Data Protection Regulation (GDPR) and it was handed to you, you also face additional dangers because of it, so stop crying!

Back to the attack! I see Rachid Redouane as the actual fuse here. An illegal immigrant, a failed asylum seeker and he remained under the radar, also implying he could get a lot of stuff done whilst not being noticed, not getting noticed and working as a pastry chef, so how did he get that job? He was the part that Butt needed, and as such MI-5 had optionally even less to work with.

You see, when we look after the event, we might see issues to blame MI-5 (optionally GCHQ) with, but there are a lot more markers making at least 1 out of the three a dud from the start. And in all this, no one seems to realise that a failed Asylum seeker was hopping back and forth between the UK and Ireland, there is a larger failing in all this, yet I am stating that MI-5 was not it.

Yesterday

The Guardian yesterday (at https://www.theguardian.com/uk-news/2019/jun/17/communication-issues-left-london-bridge-attack-casualties-without-first-aid) gives us the larger failing, but not in regards to the attack. When we see: ‘police waited for help that wasn’t coming‘ we feel anger and frustration, yet in which direction?

The first is seen with: “police and members of the public being left to treat victims of the London Bridge terror attacks and not knowing why paramedics were not coming to their aid”, as well as “when paramedics were told to evacuate the area, the officers in the courtyard were left treating the casualties on their own awaiting help that did not arrive” we get the first gist of it. You cannot send paramedics into a dangerous situation, we get it, we understand it and we accept it. I believe that an alteration to the armed response unit is required. I believe that any armed response unit requires a trained medic to give first aid like in a metropolitan war zone. Yes, it would be great to send in the paramedics, but let’s be honest, how would you feel when a police officer tells you: “Look, there are three terrorists over there somewhere, can you go into that place and see if you can treat some of the wounded people?” I get it, plenty of them medics would, but it is optionally super reckless and highly irresponsible. The fact that the police were not properly warned on the spot could have been for several reasons, all unintentional. This is a situation that is not merely fluid, it involves a lot of people thinking on their feet, whilst running, trying to scope the size of the issue in absence of reliable information. These are not mistakes made, they are to some extent coming from experience and actual successful attacks have been really rare, besides that at some point you cannot just call for boy scouts (SAS) at any point, time is a factor.
So when I see: “Five people died in or around the courtyard, one of whom, Sebastian Belanger, 36, a French chef, could possibly have been saved if he had received swifter, higher-quality medical attention“, I accept the stage and I accept the premise, but the score on getting ‘higher-quality medical attention‘ is optionally not a realistic one, not in a location of armed conflict and so there we see the stage of time versus location versus available intelligence. We can jump high and low, but reality is a factor and I feel that the after the fact Monday morning quarterbacks are now feeding an inquest of what ‘might have been done’, and I accept I am in this view a Monday morning quarterback as well.

For the larger view we need to go to the actual inquest and I noticed something in day 20 (at https://londonbridgeinquests.independent.gov.uk/wp-content/uploads/2019/06/LBI-Day-20.pdf). The transcript gives us a side that was not part of the actual attack, yet it does involve Khuram Butt, it is actually a lot more important than you think for two reasons on opposite sides of the scale. The transcript gives us:

Witness M, you will appreciate that the investigation that you are here to help us with lasted for something in the region of two years, so I’ve got a fair amount to cover but I’ll try to be as concise as I can be.

You were asked questions by Mr Hough about the Transport for London employment and you told us that there came a time when you and your team learnt about this job that Khuram Butt obtained working at Westminster underground station.

A: That is correct, yes.

Q: So can I be clear: you learnt about this after he had begun working at that station?

A: I cannot recall at what stage we learnt about him either seeking out employment or having that employment.

Q: Was that something that you --

A: But we were aware of the fact that he was working at London Underground.

Q: So it wasn’t something that you learned at the application stage before the decision had been made as to whether they should give him the job?

A: I cannot answer that.

Q: Were arrangements in place at the time for the counter terrorism police to be notified by Transport for London of the names of people applying to be employed by Transport for London in vulnerable locations?

A: I’m not aware of any such arrangement. That’s not to say it doesn’t exist, but it’s not something I’m aware of.

Q: So to this day can Transport for London receive applications by people who might be terrorist suspects, the subject of ongoing investigations, and then a decision made to employ them without you or your partner agency being notified?

A: So, again, I can’t categorically say whether that process exists. That sounds to me that it’s something, if it did exist, would be more in the “protect” side of our business.

It is important, and let us look at both sides of this equation. On the one hand if there was stronger vetting there was a chance that Khuram Butt might have been stronger on the radar, yet the attack would not have been prevented as the London Underground was not a stage and was not used to set the stage, more importantly there was a chance to set off alarms within Khuram Butt making him a lot more cautious, optionally resorting to a different style of attack. On the other hand, we see that this path would have given MI-5 up to 1500% more work, so a lot less resources to deal with optional more serious threats.

We see more in Day 20 (on page 4, paragraph 9, 10). Here we see the flags issue I raised earlier and the questioning party who is seemingly not all up to date on intelligence, more on finding a part to blame. When we see:

Q: In September 2016 the categorisation was downgraded to P2M, so the risk is now a medium risk, you told us?

A: That is correct. Yes, it was categorised down to a P2M.

Q: And when you dealt with this in your report at paragraph 5.9, you linked this decision to the fact that there had been no indications of actual steps to plan an attack.

A: That’s correct, that is in my report.

Q: But as you’ve accepted a number of times, from the very start, this is somebody who had, throughout, exhibited a degree of operational security.

A: We see that across the entire range of individuals we investigate.

Q: Yes. But an ordinary member of the public with nothing to hide is unlikely to be taking steps to avoid surveillance or to hide their activities; would you agree?

A: He’s not an ordinary member — he was not an ordinary member of the public; he was under investigation.

Q: But that of itself rings alarm bells, doesn’t it, if he is positively taking steps to disguise what his activities are?

A: It’s concerning, but it becomes more concerning when it is attached to other intelligence around other activity. And that will elevate the risk and elevate our posture and our response.

Q: After that decision to recategorise as medium risk, he then re-engaged, you told us, with ALM in the autumn of 2016.

A: So that -- that’s correct, that was the assessment at the time that he started to re-engage with other ALM individuals.

Q: He was also identified as having an inflammatory presence around other extremists, wasn’t he?

A: How do we know that?

Q: Well, you confirmed yesterday that you were aware of that and that’s information that reached you via MI5. We see it in the report of Witness L at paragraph 116.

A: Okay. So I can’t say with any certainty I was aware of that before that time, but just the mere presence — the mere fact that he was associating with other ALM individuals or becoming further engaged is of concern

I see this as an issue. The issue is not the interview, the issue is the available resources and the questioning party seems to live in la la land as there is the consideration that at any time all resources are available. That one clear failure makes the inquest a problem to some extent and that is merely looking at one day, merely Day 20. On the focus on Khuram Butt being an ‘inflammatory presence’, we could argue that this is a good thing, we could argue that pushing other extremists before they are ready is one clear sign to botch attacks (MI-5 will be pleased). The two parts in the transcript give rise to a larger failing: in part the inquest is set to a stage it does not comprehend, it does not facilitate a stage of comprehension where it concerns lone wolves and wannabes. In the second degree we see the push regarding re-engagement and the consideration of a medium risk person, even as there is no valid intelligence giving us that direct action was called for (implied at least). So when I see ‘there had been no indications of actual steps to plan an attack’, my less diplomatic view towards the barrister would be ‘move the fuck onwards barrister’, if there is no indication of actual steps, there is no indication for acceleration of increasing profile surveillance, the resources are just not there.

It is the largest failing, not merely the fact that there is no SIGINT working on data that could have been worked on, the stretch on resources, what is available, its definition and the stage of recognising on how to use resources are in the wind and that failing matters, because that recognition is essential to stop attacks by an actual terrorist, a lone wolf or a wannabe, and as long as that part is not clearly in play, there will be more successful attacks and here I regard the premise of a successful attack any attack where more than 5 lives were lost.

We need to accept that choices have impact, we need to see that the attacks will continue and until we find a better way to register dangers this is how it will be and we need to see that the failing was larger, but there is no one to actually blame.

Consider blaming customs for allowing a failed asylum seeker (Rachid Redouane) going back and forth between the UK and Ireland, getting other places to live, is that landlord to blame? There are cogs that are not working for numerous reasons and when we realise that ‘the machine‘ is off its mark by a decent amount, we do not get to blame MI-5 (or GCHQ for that matter). When we consider that Youssef Zaghba might have made a claim and if GCHQ had a right at that point to capture all data regarding that person, there might have been a chance that together with the Khuram Butt data there was a decent chance that this could have been stopped (in theory), but that was not an option was it? Here the Data Protection Act 2018, as well as the application of the General Data Protection Regulation (GDPR) stopped GCHQ from getting essential results to report to MI-5, you wanted this so from my point of view you have to accept the dead people too. You cannot get it both ways, it is just not on.

There is, as I personally see it a larger failure in play, it is not MI-5, it is not GCHQ, it is not the police, it is us and the bullshit setting of privacy whilst we hand over all of our private lives to Facebook and mobile game data collectors, we are doing this too, we ourselves. We can optionally argue that there needs to be a better direct action armed response unit with a trained medic in these teams, but that is an optional investigation for another day, one that is far far away.


Want a cake? Buy a bakery!

There was a man (not me) who loved cakes so much (definitely me) that he decided to buy a bakery (not on my income), so he spent £1,475,000 and now he has a cake every day until he dies, and that was the happy ending, or was it?

Consider that at the Cake Store, an outlandishly super cake (birthdays) from £45 onwards (up to £850) which will give you colour choice for inscription, 4 levels of cake (the 4th being a Rubik cube cake), choice of filling and selections of candles and sparklers. So it does not get any better than that. Yet we all agree that the most expensive cake is not a daily choice, anything below that tends to be around £100, so a fair cake and there plenty of cakes are 16″ and a mere £69. So at that stage we see that the man paid upfront for 19,666 cakes, implying that he will have a daily cake for 53 years; and that is when we ignore the interest he could have gotten on the £1,475,000 which in an optimum stage is interest that pays for 983 daily cakes a year, we call that a bad choice when the goal is to have cake every day. Now when it is about government policy it is not that simple.

And this gets us to the actual story, the fact that the Guardian gives us: ‘Government spends almost £100m on Brexit consultants’ (at https://www.theguardian.com/politics/2019/may/29/government-spends-almost-100m-brexit-consultants). I get that consultants might be needed to some degree, but Brexit is something new, so how would they know? Yes, I very much understand that one of Deloitte, PricewaterhouseCoopers (PwC), or Ernst & Young was needed, but all three? Even if that was the case, for example manpower, the issue is not merely the £100 million; it is the stage of what knowledge did these civil servants not have?

Before we go bashing civil servants left, right and centre, we need to acknowledge that you want consultancy to some degree on international tax issues, on international legislation, yet is that knowledge not available within the government? We apparently have Law lords, we apparently have treasury and tax experts and the fact that they came up short by £100 million in knowledge is a much larger issue than I am happy about.

The fact that the end of this is not near, a premise we see with: “Marked “official sensitive”, the investigation warns Whitehall spending on Brexit consultancy work could hit £240m by 2020, as officials scramble to plan for departure from the EU” should be a larger concern. Then I notice a name which I have stumbled upon. With the mention of the Boston Consulting Group (BCG), I go back to ‘The Repetitive Misrepresentation’, a May 2016 story (at https://lawlordtobe.com/2016/05/28/the-repetitive-misrepresentation/) where I stated: “The quote in the Business Insider gives you “I got the analyst who wrote one of the reports on the phone and asked how he got his projections. He must have been about 24. He said, literally, I sh*t you not, “well, my report was due and I didn’t have much time. My boss told me to look at the growth rate average over the past 3 years and increase it by 2% because mobile penetration is increasing.” There you go. As scientific as that”, this was at the core of the issue I had with PwC earlier. The final Gem the Business Insider offered was “They took the data from the analysts. So did the super bright consultants at McKinsey, Bain and BCG. We all took that data as the basis for our reports. Then the data got amplified. The bankers and consultants weren’t paid to do too much primary research. So they took 3 reports, read them, put them into their own spreadsheet, made fancier graphs, had professional PowerPoint departments make killer pages and then at the bottom of the graph they typed, “Research Company Data and Consulting Company Analysis” (fill in brand names) or some derivative. But you couldn’t just publish exactly what Gartner Group had said so these reports ended up slightly amplified in message; even more so with journalists. I’m not picking on them. They were as hoodwinked as everybody was. They got the data feed either from the research company or from the investment bank”. This all from an article in The Business Insider from February 18th 2010! (Yes, more than 6 years ago).” I am not stating that BCG did anything wrong, illegal or immoral, I merely wonder how they got their numbers. Brexit is an unseen event and there are no scenarios that fit the bill, so how were their results gotten (or is that begotten?); these are questions that reside with Bain & Company, as well as the BCG. PwC is not out of that firing line, it is for the most only Deloitte who gets a pass (based on previous work), as well as some of the people I know (from) there.

If there is one part I get then it is the entire Defra mess (mess still an optional word). The Department for Environment, Food and Rural Affairs has to deal with all kinds of legal and policy issues that have never been transparent, I would be surprised if there is not a whole range of other issues floating up from there in regards to food matters from all over Europe (France being an obvious first). An example that was seen last year when those reading Wine magazines were introduced to: “It’s made from outlawed jacquez and herbemont grapes, he explains, and is produced by a coop of rebellious vignerons in the Ardéche region of southern France.” Wine that is banned by the EU, so that is one part that Defra might not have been prepared for at present and that is merely a top line result I looked at, when we start looking at the Romanian Equine Beef Burgers the matter becomes truly adventurous. None of it is the fault of Defra mind you, merely the stage in which they find themselves at.

That also raises the issue seen with: “Whitehall report criticises departments for lack of transparency”, at that point, what are the chances that the Border Delivery Group with £10.2m and Defra with £8m have been doubling up on data and reports? More important, if they are from different sources, the data will not match and cannot be compared, or better stated, until the questions and data are rigorously inspected, there will never be a way to tell on a few levels how valid and optionally how replicated the issues are. There is clear overlap between the two, yet the lack of transparency implies that they were not aware of each other’s work until the final report was handed to all the players.

In addition when I see: the DHSC employed Deloitte for “management support … in ensuring the supply of medical devices in case the UK leaves the EU without a deal”, questions are shaped in my mind. I get it; there are questions, very valid questions. Yet in all this, Philips Healthcare has 6 locations in the UK, the same for Siemens Healthineers UK. So suddenly they would not be able to provide? They had their tax breaks for decades; as such they are responsible for delivery. It is time to look at these places and see just what tax breaks they got and hold them accountable (to some degree). I am merely mentioning two elements, there are many more where they had the deductibles and now they would walk away? Did the Department of Health and Social Care ever look at that part of the equation? Because if these people ‘walk away’ we can undo these tax breaks immediately, for the next decade or two.

It could be my version of ‘the sun also rises’.

It all comes to blows when we see: “But the report says it has taken an average of 161 days for basic details of Brexit consultancy contracts to be published, compared with 83 days for all consultancy contracts”, the fact that details are withheld for almost 6 months raises the question, was that before or after the contract was signed? In addition to this, when we look at “In February, analysis found government and public sector bodies had awarded contracts worth £107m for “professional services” in relation to Brexit planning. Tussell, a private firm that analyses public contracts, said the figure included 28 consultancy contracts worth nearly £92m.” it gives me the questions on how much Tussell costs to check all this and are these contracts checked for doubling up, or are they merely checked for validity, hours versus billed, as well as how the contract was set up and what was required to be delivered? Merely the basic stuff and as such, as these contracts are compared, will I find a doubling of data as similar questions are to be answered?

Even as I partially agree with the government spokesperson giving us: “It is often more cost-efficient to draw upon the advice of external specialists for short-term projects requiring specialist skills. These include EU exit priorities such as ensuring the uninterrupted supply of medical products and food to the UK.” I do end up with questions on the arrangement of short term contracts and the fact that the treasury coffer is now out of £100 million. The fact that we see ‘such as’ is also a problem. The people were so over the moon on being a member of the EU, the fact that the government never looked at contingency issues within any government since the UK became a member of the EU is also a failure on several levels, especially when we consider the fact that this looks like an impairment of national security (or is that on levels of national security) whilst we see unproven Huawei accusations left, right and centre, an issue that does matter as you are about to find out.

The Washington Post gave us two days ago (at https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking) ‘It’s the middle of the night. Do you know who your iPhone is talking to?’ with the added: “Our privacy experiment showed 5,400 hidden app trackers guzzled our data — in a single week”. It relates in a simple way, we accuse Huawei whilst, according to the Washington Post: “On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with. And all night long, there was some startling behavior by a household name: Yelp. It was receiving a message that included my IP address — once every five minutes.”

It seems that there is a flaw, not merely in transparency and regarding the consultancy groups; there is a flaw in the way we think. The government is set to a stage of ‘what would we have to do?’, whilst the tax breaks have been ignored to the stage where companies have a responsibility to deliver. Which of these reports takes a look at that part? And when we see that Apple did not do enough, when we are told that the user should not have installed a certain app, the fact that the app should not have been allowed in the Apple store (or Android store) is equally a setting to look at; the lack of transparency implies that this was not done, not once.

So when we divert (for a moment) to: “According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.” I made a similar mention in January 2017 (at https://lawlordtobe.com/2017/01/30/taking-xbox-to-court/) in ‘Taking Xbox to Court?’, where Microsoft uploaded almost 6 GB in a fortnight whilst I was playing single-player games. The fact that Microsoft hid behind: “we have no influence on uploads, that is the responsibility of your ISP!”, as the response that the Xbox helpdesk (read: party line) gave me when I called, still makes me angry. But now it is not merely consoles, it is happening all over the place and the government either does not care, or has no clue, so when we see ‘privacy’ driven issues, I wonder who they are trying to fool. Especially when I was confronted with ‘possible civil contingency need’, there are optionally so many contingency needs transgressed upon (as I personally see it). How about recognising that in all the elements clear transparency was an essential first? With the fact that the large players are not willing to be transparent, we see a much larger issue all over the place.

Even as part of one of the DHSC reports gives us: “It is difficult to prepare detailed predictions or plans for such unpredictable concerns”, so if we see the impact of ‘unpredictable concerns’, at what point do we ask more serious questions on where the foundation of £100 million came from? And it is not merely the spending, those who asked the questions and the exact questions themselves would also need to be scrutinised, because the private firms merely facilitated and they did nothing wrong, the other side needs to be looked at, to a much higher degree than ever before.

Now consider a paper by DLA Piper (at https://www.dlapiper.com/en/uk/insights/publications/2019/04/no-deal-brexit/data-protection/) only a month ago where we see: “UK data protection law is governed by the General Data Protection Regulation (GDPR), which came into effect across all EU member states (including the UK) on 25 May 2018, and creates a harmonised legal framework regulating the way in which personal data is collected, used and shared throughout the EU. Should the UK leave the EU, the GDPR will cease to have direct effect in the UK. However, as the UK is committed to maintaining an equivalent data protection regime, a UK version of the GDPR will effectively apply following the departure date (exit-day)”. This is fair enough, yet as the Washington Post showed two days ago and I was able to show (850 days ago), the collection of personal data is already off the wall, so at what point will we see recognition that the point of no return was passed a few hundred days ago?

So at what point are there questions on DLA Piper (who did nothing wrong) regarding: “The GDPR imposes restrictions on the transfer of personal data to a ‘third country’”? And as the Washington Post gives us an iPhone example, we see that Huawei is clearly 0% guilty in that part, so how is the entire: ‘President Trump is clueless on true national security in the first place‘ not directly on the mind of all, especially when the transgressions are seemingly global? Perhaps when we realise that these are American apps there is optionally no national security infringement and privacy is merely a concept for all the players of that issue in town. At what point will the UK realise that they have much larger issues?

Even as there is complete acceptance of: “It is important to be aware that SCCs cannot be used to safeguard all transfers – for example SCCs do not exist for transfers between an EU-based processor and a UK-based controller (ie where a UK controller hosts personal data with an EU processor). This is a known area of risk to regulators, which impacted organisations may decide to ‘risk manage’ where data repatriation is not a realistic options“, I am willing to state that not only is ‘data repatriation is not realistic‘, it was not an option well over two years ago and the loss of data (read: data copy transfer) under 5G will merely increase by a speculated 500%.

It is the realisation of these elements where we need to revisit: ‘those who asked the questions and the exact questions themselves would also need to be scrutinised‘.

I wonder if that was done and, more importantly, to what degree. We can agree that investigation of what might happen might have a steep price, I get that, yet overall there are larger issues regarding the exact question that was asked, the model, the data, the collection and the integrity of data regarding the question that needed to get answered. I wonder (because I actually do not know), how far did Tussel go regarding that part of the equation?

So how did this get from a bakery cake to 4G and 5G privacy?

It is about the cost of doing business, not merely the stage of being prepared for what comes next, and I feel that in light of what we are shown by the Guardian, the ‘cost of doing business’ and the ‘next stage of enterprising’ are not aligned. When we realise that there is a large non-alignment of issues, how large is the gap in these reports, not merely on legislation and policy, but on operational levels that will get hit first? The DLA Piper part makes perfect sense, yet when you realise that the mobile application status is already nowhere near where it needs to be, how useful is the DLA Piper part, which is technically speaking flawless? When we see that part of non-alignment, how many reports costing £100 million have an operational discrepancy when tested against the actuality of the events?

In equal measure we get the additional question: would transparency have solved that? That is likely to give an answer that requires us to take a hard look at those phrasing the questions. One led to the other, and I merely looked at the digital part. When we look at actual shipping (and ships), we see the realisation that the UK is still an island, and one tunnel does not solve that. How do we see the filling of the prospect of the danger that a lot more contingency plans are missing, not because of Brexit, but because they already should have been there? The iOS data tracking part is evidence of that.


Grand Determination to Public Relation

It was given yesterday, but it started earlier, it has been going on for a little while now and some people are just not happy about it all. We see this (at https://www.theguardian.com/technology/2018/may/25/facebook-google-gdpr-complaints-eu-consumer-rights), with the setting ‘Facebook and Google targeted as first GDPR complaints filed‘, they would be among the initial companies. It is a surprise that Microsoft didn’t make the first two in all this, so they will likely get a legal awakening coming Monday. When we see “Users have been forced into agreeing new terms of service, says EU consumer rights body”, under such a setting it is even more surprising that Microsoft did not make the cut (for now). So when we see: “the companies have forced users into agreeing to new terms of service; in breach of the requirement in the law that such consent should be freely given. Max Schrems, the chair of Noyb, said: “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the agree button – that’s not a free choice, it more reminds of a North Korean election process.”“, which is one way of putting it. The GDPR is a monster comprised of well over 55,000 words, roughly 90 pages. The New York Times (at https://www.nytimes.com/2018/05/15/opinion/gdpr-europe-data-protection.html) stated it best almost two weeks ago when they gave us “The G.D.P.R. will give Europeans the right to data portability (allowing people, for example, to take their data from one social network to another) and the right not to be subject to decisions based on automated data processing (prohibiting, for example, the use of an algorithm to reject applicants for jobs or loans). Advocates seem to believe that the new law could replace a corporate-controlled internet with a digital democracy. There’s just one problem: No one understands the G.D.P.R.”

That is not a good setting, it tends to allow for ambiguity on a much higher level and in light of privacy that has never been a good thing. So when we see “I learned that many scientists and data managers who will be subject to the law find it incomprehensible. They doubted that absolute compliance was even possible” we are introduced to the notion that our goose is truly cooked. The info is at https://www.eugdpr.org/key-changes.html, and when we dig deeper we get small issues like “GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not“, and when we see “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it” we tend to expect progress and a positive wave, so when we consider Article 21 paragraph 6, where we see: “Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest“, it reflects on Article 89 paragraph 1, now we have ourselves a ballgame. 
You see, there is plenty of media that fall in that category, there is plenty of ‘Public Interest‘, yet when we take a look at that article 89, we see: “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject.“, so what exactly are ‘appropriate safeguards‘ and who monitors them, or who decided on what is an appropriate safeguard? We also see “those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation“, you merely have to look at market research and data manipulation to see that not happening any day soon. Merely setting out demographics and their statistics makes minimisation an issue often enough. We get a partial answer in the final setting “Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.” Yet pseudonymisation is not all it is cracked up to be. When we consider the image (at http://theconversation.com/gdpr-ground-zero-for-a-more-trusted-secure-internet-95951), consider the simple example of the NHS: as a patient is admitted to more than one hospital over a time period, that research is no longer reliable as the same person would end up with multiple pseudonym numbers, making the process a lot less accurate. OK, I admit ‘a lot less‘ is overstated in this case, yet is that still the case when it is on another subject, like office home travel analyses? What happens when we see loyalty cards, membership cards and student card issues?
At that point, their anonymity is a lot less guaranteed. More importantly, we can accept that those firms will bend over backward to do the right thing, yet at what stage is anonymisation expected and what is the minimum degree here? Certainly not before the final reports are done, and at that point, what happens when the computer gets hacked? What exactly was an adequate safeguard at that point?
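The multi-hospital case described above, worked through as an added example that is not part of the original post: per-site pseudonym numbers inflate the count of distinct patients, while a keyed pseudonym from one shared service keeps linkage and a per-study key limits joining across datasets. The hospital names, identifiers, study labels and the single pseudonymisation service holding the key are assumptions made for illustration, and the keyed variant goes beyond what the text describes.

```python
import hashlib
import hmac

# Constructed sample admissions (hospital, patient identifier); not real data.
ADMISSIONS = [
    ("hospital_a", "100 000 0001"),
    ("hospital_b", "1000000001"),    # same patient, different formatting
    ("hospital_a", "100 000 0002"),
    ("hospital_c", "100-000-0001"),  # same patient again, third site
    ("hospital_b", "100 000 0002"),
    ("hospital_c", "100 000 0003"),
]


def normalise(identifier):
    """Strip formatting so one person always yields the same byte string."""
    return "".join(ch for ch in identifier if ch.isdigit()).encode()


def per_site_pseudonyms(admissions):
    """Each hospital hands out its own running pseudonym numbers."""
    counters, table, out = {}, {}, []
    for site, ident in admissions:
        key = (site, normalise(ident))
        if key not in table:
            counters[site] = counters.get(site, 0) + 1
            table[key] = f"{site}-{counters[site]:04d}"
        out.append(table[key])
    return out


def study_key(master_secret, study_id):
    """Derive a separate key per study so two studies cannot be joined."""
    return hmac.new(master_secret, b"study:" + study_id.encode(),
                    hashlib.sha256).digest()


def keyed_pseudonyms(admissions, key):
    """HMAC-SHA256 of the normalised identifier under one shared key."""
    return [hmac.new(key, normalise(ident), hashlib.sha256).hexdigest()
            for _, ident in admissions]


def distinct_subjects(pseudonyms):
    """Number of 'different people' a researcher would count."""
    return len(set(pseudonyms))


if __name__ == "__main__":
    master = b"constructed-demo-secret"  # assumption: held only by the service
    print("per-site :", distinct_subjects(per_site_pseudonyms(ADMISSIONS)))
    print("keyed    :", distinct_subjects(
        keyed_pseudonyms(ADMISSIONS, study_key(master, "study-1"))))
```

The keyed pseudonyms are only as safe as the key: anyone holding it can recompute the mapping from a list of candidate identifiers, which is the "what happens when the computer gets hacked" question in concrete form.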

Article 22 is even more fun to consider in light of banks. So when we see: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her“, when a person applies for a bank loan, a person interacts and enters the data, when that banker gets the results and we no longer see an approved/denied, but a scale and the banker states ‘Under these conditions I do not see a loan to be a viable option for you, I am so sorry to give you this bad news‘, so at what point was it a solely automated decision? Telling the story, or giving the story based on a credit score, where is it automated and can that be proven?

But fear not, paragraph 2 gives us “is necessary for entering into, or performance of, a contract between the data subject and a data controller;” like applying for a bank loan for example. So when is it an issue, when you are being profiled for a job? When exactly can it be proven that this is done to yourself? And at what point will we see all companies reverting to the Apple approach? You no longer get a rejection, no! You merely are not the best fit at the present time.

Paragraph 2c of that article is even funnier. So when I see the exception “is based on the data subject’s explicit consent“, we get: ‘We cannot offer you the job until you have passed certain requirements that force us to make a few checks; to proceed in the job application, you will have to give your explicit consent. Are you willing to do that at this time?‘ When it is about a job, how many people will say no? I reckon the one extreme case is dopey the dwarf not explicitly consenting to drug testing for all the imaginable reasons.

And in all this, the NY Times is on my side, as we see “the regulation is intentionally ambiguous, representing a series of compromises. It promises to ease restrictions on data flows while allowing citizens to control their personal data, and to spur European economic growth while protecting the right to privacy. It skirts over possible differences between current and future technologies by using broad principles“, I do see a positive point, when this collapses (read: falls over might be a better term), when we see the EU having more and more issues trying to get a global growth the data restrictions could potentially set a level of discrimination for those inside and outside the EU, making it no longer an issue. What do you think happens when EU people get a massive boost of options under LinkedIn and this setting is not allowed on a global scale, how long until we see another channel that remains open and non-ambiguous? I do not know the answer; I am merely posing the question. I don’t think that the GDPR is a bad thing; I merely think that clarity should have been at the core of it all and that is the part that is missing. In the end the NY Times gives us a golden setting, with “we need more research that looks carefully at how personal data is collected and by whom, and how those people make decisions about data protection. Policymakers should use such studies as a basis for developing empirically grounded, practical rules“, that makes perfect sense and in that, we could see the start, there is every chance that we will see a GDPRv2 no later than early 2019, before 5G hits the ground, at that point the GDPR could end up being a charter that is globally accepted, which makes up for all the flaws we see, or the flaws we think we see, at present.

The final part we see in Fortune (at http://fortune.com/2018/05/25/ai-machine-learning-privacy-gdpr/), you see, even as we think we have cornered it with ‘AI Has a Big Privacy Problem and Europe’s New Data Protection Law Is About to Expose It‘, we need to take one step back, it is not about the AI, it is about machine learning, which is not the same thing. With machine learning it is about big data, see when we realise that “Big data challenges purpose limitation, data minimization and data retention–most people never get rid of it with big data,” said Edwards. “It challenges transparency and the notion of consent, since you can’t consent lawfully without knowing to what purposes you’re consenting… Algorithmic transparency means you can see how the decision is reached, but you can’t with [machine-learning] systems because it’s not rule-based software“, we get the first whiff of “When they collect personal data, companies have to say what it will be used for, and not use it for anything else“, so the criminal will not allow us to keep their personal data, so the system cannot act to create a profile to trap the fraud-driven individual as there is no data to learn when fraud is being committed, a real win for organised crime, even if I say so myself. In addition, there is the statement “If personal data is used to make automated decisions about people, companies must be able to explain the logic behind the decision-making process“, which comes close to a near impossibility. In the age of developing AI and using machine learning to get there, the EU just pushed themselves out of the race as they will not have any data to progress with, how is that for a Monday morning wakeup call?
