Posts by Adam 52

Re: GDPR

No it doesn't.

Re: GDPR

So much misunderstanding about GDPR. So much ignorance about Strava.

This is going to be the "I heard it from a friend who read it on an Internet forum" level of proof. Possibly based on the dubious syllogism issued by the Welsh police - "There are more bike thefts. More cyclists are using Strava therefore Strava causes bike thefts".

It might be true, and possibly is in a few cases. Being seen wheeling an expensive bike into your shed is a much more likely explanation.

Re: It's not the first time it's been said

Fantastically obvious to my girlfriend too. And me. Can't honestly remember if it was obvious because it's mentioned on the site when you set one up.

"Well they get paid a lot more than I do. A little common sense isnt too much to ask surely?"

The only cases that make the headlines are the ones where common sense went missing. The other x thousand get no press attention at all.

However the specific problem is that *if* Bloggs goes on to do something naughty then the Daily Mail, Guardian and El Reg readers will all go "why was he allowed out at all when the computer said he should be arrested". And the PC will then go on trial for misconduct in a public office. Or manslaughter if the naughty thing involved someone dying.

So much, much less risk to just make the arrest.

Whilst we don't have Police false positive stats we do have research papers from Facebook, Google and university researchers and they show false positive rates on a par with humans (although not trained ones). So it's reasonable to assume the Police face recognition will be as accurate as a human spotter.

Nobody much complains about human Police spotters identifying trouble makers at football matches. So is this just luddite objections? Or are we concerned about effective enforcement of rules we're unhappy with and picking on the wrong target?

Re: I like this guy

"He seems to actually know what he's talking about."

He's one of the finest legal minds currently alive. And, as a barrister, is very good at appearing convincing!

"So I fully expect uk.gov to try and discredit him and ignore every word he says."

Quite the reverse. He claims, and the evidence backs him up, to be the inspiration for large quantities of the Investigatory Powers Act, including the mass surveillance provisions.

Re: GMC regulates health professionals

And also NHS England:

"GPs or GP Practices are “data controllers” and have a legal duty to ensure all processing of personal data of their registered patients complies with all eight data protection principles of the Data Protection Act, Failure to do so carries significant risks.

"A data controller may assign some or all of the responsibility for data processing to another person, but their overall legal responsibility cannot be delegated or contracted out."

Re: GMC regulates health professionals

The BMA disagrees with you:

"GP practices are data controllers for the information they hold about their patients. Most practices will have 'data processing' arrangements with third parties, for example IT system suppliers carry out a wide range of clinical and administrative processes within the practice, but it is the data controller who retains responsibility for compliance under the Act."

Re: Free

"worsen the health of illegal immigrants."

Disease (mostly) doesn't respect national or Daily Mail prejudices, so it will worsen the health of everyone.

c.f. government abolishing the absolute privacy in sexual health clinics and the rise in gonorrea.

Re: GMC regulates health professionals

"If those doctors record confidential patient data into a system then they cannot be held responsible by the GMC for it being shared in bulk at an organisational IT level."

Absolutely they can. Any Data Controller who uploads sensitive data into any system is responsible for having adequate contractual clauses in place to protect that data.

If doctors don't have those clauses in place with the NHS then they shouldn't be uploading data.

Otherwise doctors could upload sensitive data to Facebook, and then claim innocence when Facebook share it with the world.

Re: glad I moved

Why would anyone pay Heart £15/month when you can get something better from AWS for $10/month?

Scotland has completely different trespass law so it was impossible for the dodgy parking firms to operate in the first place, hence no need for the botched Cameron era regulation.

A long time ago I tried to sell a dataset giving the demographics and rough volume of people passing particular sites (advertising billboards and retail sites, but it could have been anywhere). I had a few people interested but nobody actually bought it.

Re: Collect all the data, ignore users privacy...

"This amounts to an offence under GDPR"

I'm almost certain it won't.

It's a cool thing, just as a work of art.

It's a nice little way to boast about the scope of their services.

It's handy for traffic planners to see how runners/cyclists move about a city.

I tend to use it when going somewhere new to find out where the good cycling is, and I've used it to get off the bog of a bridleway I was on onto something decent.

I really doubt that the chain of command encourage Strava use anywhere really sensitive. El Reg's Pine Gap example, for instance, has its own Wikipedia page so its location isn't exactly secret and nor is the fact that people work there.

Re: Fail!

"By 'like', We're well into serious BDSM style stalker levels of 'like'."

What? Care to describe how stalking is a BDSM activity?

Re: "consider consequences on multiple levels prior to publishing private data"

"And, no, opt-out is not enough - people should at least have to opt-in to any data collection"

Strava is a data-collection site. That's what it does. You opt-in by uploading your stuff to jt, it doesn't magically track you without consent.

When I signed up the privacy zone was in the initial setup wizard, so it's a little deceptive for the article to call it off by default. It has to be off as far as it is, because Strava doesn't know where to put it unless you tell it.

Heatmap is just another example of it being really hard to anonymise through aggregation.

Re: "github provides many workflow features"

"If you're incompetent enough to post your keys to github"

When it comes to posting keys to source control, there are those who have and those who have yet to.

When you do it yourself, remember who you called incompetent.

(no, I haven't, but members of my team have and so have the people who laughed at them).

Re: Personal information

B2B was/is different under the current regulations. What was permitted under the rules (marketing to business email domains without consent) won't be any more.

Unless you have an ongoing relationship with them, where it's reasonable to assume implied consent.

Organisations have no additional rights under the new rules but the people within those organisations are now treated as people in their own right, not as parts of the organisation. Does that makes sense?

That's how the lawyers explained it to me this morning when I asked!

We are taking advantage of the current rules to ask for consent now - before we aren't allowed to even ask.

Re: Reminds me of PCI Compliance

I think they are likely to argue that you're wrong. The right to object to processing isn't absolute so they can refuse your request if there are compelling grounds.

The headline fines are maximums. Initially fines are unlikely to be anywhere near the maximums.

Sigh.

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/