We call App Britain
I thought this was Peter Mannion?
Move over, Zuckerberg, there's a new social media overlord in town: grime aficionado and Tory MP Matt Hancock. In his new role as the UK government's digital secretary, Matt Hancock has decided to up his tech game by launching his very own app – but reports have emerged that it doesn't adhere to the data protection policies he …
No! If he wanted to try, then surely he could get a lot better advice on how to go about it, though consultancy rates in this area are not cheap. Now, of course, he has crapped all over what little reputation he may have had. Perhaps a decent web security consultant might have been a better investment?
"Perhaps a decent web security consultant might have been a better investment?"
I think an "app" security consultant would be better as apps also store data on the phone and synchronise between devices, which doesn't feature in web security.
I have trained so many web developers over the years in iOS programming and they are blown away about how much more complicated it is dealing with a device that can hold data and process it locally (plus synchronise through a cloud that they have no control over).
Web security is a very centralised view of the world, app development is far more distributed and can catch you out.
He probably had a web security consultant, which might be where he went wrong in the first place.
:)
My guess is that whoever of his assistants was in charge of coming up with this application did not know any better and/or couldn't care less about the finer points of online communication and publishing, neither at a technical (somewhat understandable) nor at a legal (less understandable) level.
Ok Boff, I am now Digital Secretary and I'm promoting you to "my assistant". First things first, as Digital Secretary I should make my mark by having my own "app" to engage with my public on issues of Digital security, privacy, industry, digital security, ICT developments etc....
So nip down the market and get the cheapest / first one you see.
> apps also store data on the phone and synchronise between devices, which doesn't feature in web security.
I don't really agree. Both local storage, whether transient or persistent, and multiple end-point synchronisation are features of web development also.
> My guess is that whoever of his assistants was in charge of coming up with this application did not know any better and/or couldn't care less about the finer points of online communication and publishing, neither at a technical (somewhat understandable) nor at a legal (less understandable) level.
Even if you are concerned about costs, as you legitimately should, and end up choosing a made-to-measure application rather than going fully bespoke, you would still want to make sure that it meets both your requirements and regulatory ones. Especially if you are the one making the law.
Says data will be shared with third parties but cannot specify, and may provide them with unspecifiable information about what I do with the set microphone data etc. It, in essence says, anything we capture or infer from your presence here can be shared with anyone, in any way, and we can't tell you about it.
I haven't been brave enough to accept that one, with the loss of the "suggested content" feature being the only obvious casualty.
I am not a lawyer/solicitor but the policy wording is so vague as to make it not worth writing all the words they wasted below with details.
Question is, is there anyone to complain to (that may care?)
@ AC: It, in essence says, anything we capture or infer from your presence here can be shared with anyone, in any way, and we can't tell you about it.
You mentioned a "policy"; what "policy" is it, and did you find out about it before or (more likely IMHO) after you had paid for it?
The expression "unfair contract terms" springs to mind.
WTF is the world coming to when you buy what is essentially a domestic appliance and it comes with a "privacy policy"?
In reverse order:
"Question is, is there anyone to complain to (that may care?)"
Yes (if they don't tell you about that in advance of 25 May, they're in breach anyway). Any or all of the relevant Supervisory Authorities, for a start. Choose from the 46-odd regulators, for a start (28 Member State data protection agencies, see http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm, plus the EDPS, plus the German Länder authorities).
Then there's the Article 80-promoted non-profit class action companies, such as Max Schrems' http://noyb.eu.
Then there's the Member State Courts. If you can't work out which of your rights have been breached, just plead in respect of the "washup" Article 79. A small claim is sufficient (if your jurisdiction supports that) and is recommended as they are likely to eliminate all legal costs beyond the (usually recoverable if you win) dozen-beers money the Court charges you to file the claim. Post-GDPR the legal burden of proof is now on the defendant, so you arguably don't have to prove a thing beyond providing factual context, it's for them to prove their own compliance. (In England the standard thing is to add a claim, alongside the basic DPA 1998 or now the GDPR/DP Bill, in the new worldwide English tort of misuse of private information, but that uses tort rules so you'd have to prove stuff to Court standards of proof so don't try that in DIY litigation).
"I am not a lawyer/solicitor but the policy wording is so vague as to make it not worth writing all the words they wasted below with details."
If that is right, then it might be inferred that their "privacy policies" already clearly breach Article 12 GDPR, despite it being enacted into all Member States' laws since 2016. To detect breach you're not required to be a lawyer any more, that's the whole point.
Article 12(1) of the GDPR (see p39 http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN), specifying the modalities of information to be provided to data subjects, requires that information be provided in, inter alia, "... concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child...". Ambiguity, or failure to address any material point of the Articles 13/14 Notification requirements, arguably equals non-compliance. In turn non-compliance might equal fines (from any of the 46 empowered regulators in the EU) plus criminal prosecution of directors (conceivably including overseas following extradition). Even the CPS in England has prosecuted data protection offences using anti-racketeering law (POCA) to confiscate profits. Plus private injunctive relief (money for old rope), and compensation/class actions, including tort in or from common law jurisdictions.
Some other fun stuff controllers must get right in advance: see for example https://www.gdpr360.com/gdpr-what-are-the-lawful-bases-under-which-data-can-be-processed
Pro tip: avoid complaining until 1st July 2018 if you can resist. For technical reasons, waiting five weeks may "improve" evidence against defendants, both qualitatively and quantitatively.
HTH
Nothing communicated or referenced above is legal advice.
> Question is, is there anyone to complain to (that may care?)
Even if this app is entirely above board (and the apparent lack of a data protection registration makes me wonder if it is), then what is the point?
Yes, in theory, it enables us to approach the MPs more easily, but what about in practice? In practice, it'll probably go the same way as other dedicated social networks (such as Microsoft's Yammer), in that it'll become a place where we can get a little valuable information and a lot of noise. It is likely to ultimately become just one thing on a long list of things we need to check for messages, and another app we can leak data to.
At the very least, if the MPs aren't responding to existing methods of communication (email, fax, phone, snail mail, twitter and facebook), then adding one more to the list isn't going to make them more likely to respond.
> then what is the point?
Being from the US, I don't know who this guy is and don't really care. But if the problem is nobody is listening to you, the solution isn't a new platform.
More likely, he rarely says anything worth listening to.
Anyone who can fix that with an app wins the internet.
He's my local MP. All I can say about him is he's very good at being the very important Matt Hancock and getting his face in the local papers.
A whole f'n page about him, his likes and dislikes, how he likes walking, big picture... like bloody Hello magazine or something. I'm giving them a few weeks to see if they have a right-to-reply page for the other local politicians... all in the name of fairness (no chance in hell!)
I don't really object to him... he doesn't really do anything to object to, or applaud. Just another stuffed suit with the appropriate vocab.
If the app uses UIImagePickerController then the app asks the OS to ask the user to choose a photo, and if one is chosen then the app is given access to that one photo.
This is different from the app going through the gallery and opening as many photos as it likes with possibly no warning given to the user, which is what the photos permission covers.
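A Swift sketch of the distinction drawn in the comment above, added here as an illustration; it is not code from the thread or from the app under discussion. The class and method names are invented, and it assumes iOS 11 or later (where the system picker no longer needs the photo-library permission) and an NSPhotoLibraryUsageDescription entry in Info.plist for the second route. The point for a reviewer is the second route: enumerating the library is only valid inside the `.authorized` branch, and a denied answer must not be worked around by another path.

```swift
import UIKit
import Photos

// Added illustration, not from the thread or the app in question: the two
// iOS routes to a user's photos and which one the "photos" permission covers.
final class PhotoAccessDemo: NSObject, UIImagePickerControllerDelegate, UINavigationControllerDelegate {

    // Route 1: the system picker. The OS presents its own UI, the user taps
    // one photo, and only that image is handed back to the app. On iOS 11 and
    // later no photo-library permission prompt is involved.
    func presentSystemPicker(from host: UIViewController) {
        let picker = UIImagePickerController()
        picker.sourceType = .photoLibrary
        picker.delegate = self
        host.present(picker, animated: true)
    }

    func imagePickerController(_ picker: UIImagePickerController,
                               didFinishPickingMediaWithInfo info: [UIImagePickerController.InfoKey: Any]) {
        picker.dismiss(animated: true)
        guard let image = info[.originalImage] as? UIImage else { return }
        // Exactly one user-chosen image; the app never touched the library itself.
        print("received one image of size \(image.size)")
    }

    func imagePickerControllerDidCancel(_ picker: UIImagePickerController) {
        picker.dismiss(animated: true)
    }

    // Route 2: reading the library directly. This is what the "photos"
    // permission covers, so the call is gated on the user's actual answer.
    // Requires NSPhotoLibraryUsageDescription in Info.plist (assumed here).
    func countLibraryImagesIfPermitted(completion: @escaping (Int?) -> Void) {
        PHPhotoLibrary.requestAuthorization { status in
            switch status {
            case .authorized:
                // Only here may the app enumerate assets without user selection.
                let count = PHAsset.fetchAssets(with: .image, options: nil).count
                completion(count)
            default:
                // Denied, restricted, not determined, or (iOS 14+) limited:
                // anything short of full authorization is treated as no access,
                // and the app does not fall back to another route.
                completion(nil)
            }
        }
    }
}
```

When auditing an app for the behaviour described in the thread, the thing to look for is a library read (`PHAsset.fetchAssets`, `PHImageManager` requests) that is not enclosed in an `.authorized` check, or that runs regardless of what `PHPhotoLibrary.authorizationStatus()` returns; the picker route is expected to work with the permission denied, and is not by itself evidence of a problem.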
By an amazing coincidence, Sharon Brittan (a director of Disciple Media Ltd) is on same school (Michaela) governors board as Tory MP Suella Fernandes.
But being minister for "digital" & taking his job seriously there's obviously no way Hancock would have gone for friend of one of his fellow Tory MPs approach in picking app designers, no he would have rigorously researched this and ensured a best practice solution was created, and he decided Disciple Media met that brief
Cronyism or incompetence?
Or both..
Agreed, and I can't stand the Tories.
One of Hancock's 316 fellow MPs is one of the 12 officers of a school, and one of the other directors of that school is also one of four directors of a media company (in addition to being an officer of about 20 other companies), and that media company did an app for Hancock...and this shows it's some kind of procurement stitch-up? Tenuous indeed.
It has also been pointed out that the developer, Disciple Media Ltd, which pinches off dime-a-dozen apps for anyone who will pay them, does not appear on the data protection registry of the Information Commissioner's Office.
Why would an app developer necessarily need an ICO registration? Is this a cloudy "App as a Service" thing rather than actual software development?
I'm assuming Disciple Media store lots of backend data (be it directly, or they themselves using cloud providers).
Though there are lots of loosely worded "get outs" that allow you to not need to register with the ICO, depending what services you provide and how data is processed - people could just use ICOs own "do I need to register" tool and see what hoops to jump through to avoid need to register.
"Our registration was renewed recently but this has not been reflected on the ICO registry yet," a spokesperson said.
Didn't you follow that up with a query to the ICO? Indeed, didn't you ask the ICO about any of the other interesting aspects of the app? Go on, you know you want to.
Maybe there's also scope for some questions next time it's his turn in the barrel in the HoC. A nice general question about privacy of apps in general followed up by asking how that applies to his own. Are there any MPs with sufficient technical knowledge to make a decent job of it?
...He is a complete and utter $%)*&!"
The classic example of the totally insincere career politician who lives in London, never visits his constituency except for a photo op, and who has hung onto Osborne's coat tails in the hope of political advancement.
I cannot think of anyone less likely to be effective in the position he now occupies, except possibly Diane Abbott.
"Other users and news outlets have also reported a bug in the iOS version that seems to allow the app to access to pictures even when permission is denied."
Whaaat? Aside from this idiot MP making a mockery of our system of government by clearly demonstrating he is driving the bus as efficiently as a muppet baby , the bigger issue for me is:
How come Apple have developed their iOS in such a way that it's up to the programmers of a 3rd party app whether they comply with the answers to the "This app wants to ..." questions? I mean why even have the questions if the results are optional?
What the fuck* is a "deet"?
(Apparently, according to Urban Dictionary, it's a "detail".)
There's another journalist who writes for The Register who insists on using "peeps".
For fucks* sake, you're professional journalists, not children. Use proper language.
*Apologies for the swearing, but this pointless neo-millennial abbreviation drives me up the wall...