From top: Johnny Ryan, of the Irish Council for Civil Liberties; Helen Dixon, Ireland’s Data Protection Commissioner: A video explaining Real-Time Bidding (RTB) and ‘the biggest data breach in history’
Google and several data brokers are violating the EU’s privacy rules by harvesting people’s personal information to build highly detailed online profiles, including some firms’ collection of information on sexual orientation, health status and religious beliefs, according to a report published today.
The accusations — from Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, an NGO — come 18 months after Ireland’s privacy regulator began a probe into how Google collects and shares people’s online information for its advertising business.
Several other European data protection authorities subsequently received separate complaints into so-called real-time bidding (RTB), a system by which advertisers use data to target people with paid-for messages when they surf the web.
Ryan said the real-time bidding system, which broadcasted web users’ online behavior and habits to multiple advertising companies and data brokers, infringed on the region’s privacy rules that required data to be kept secure and used proportionately.
“The [Irish Data Protection] Commission has failed to stop that ongoing biggest data breach in history and as a consequence people across Europe and in Ireland are exposed to intimate profiling including of health conditions and political views and location over time, because the RTB system leaks that data into the data broker market,” he told POLITICO.
From top (from left): former chairman of INM Leslie Buckley; INM’s largest shareholder Denis O’Brien; IT expert Derek Mizak; former INM CEO Robert Pitt
There were a number of developments in the INM data breach story over the weekend.
Earlier this year, the Office of the Director of Corporate Enforcement (ODCE) asked the High Court to appoint inspectors to investigate Independent News and Media (INM), the largest shareholder of which is Denis O’Brien, following protected disclosures made to it by former Group CEO of INM Robert Pitt and former Group CFO Ryan Preston.
This was granted by Mr Justice Peter Kelly in the High Court in September with Justice Kelly appointing Richard Fleck and Seán Gillane to investigate the claims.
An affidavit filed by ODCE director Ian Drennan claimed data involving 19 listed people was removed from the company’s premises in October 2014, taken out of the jurisdiction and “interrogated” by at least six companies external to INM.
IT expert and director of the information security and digital forensics firm DMZ IT Derek Mizak was allegedly involved in this interrogation, along with Trusted Data Solutions (TDS), an American company based in Wales.
The list included Jerry Healy SC and Jacqueline O’Brien SC (both of whom acted as counsel for the Moriarty Tribunal) as well as former INM board members and employees Karl Brophy, Mandy Scott, Vincent Crowley, Donal Buggy, Joe Webb and James Osborne; journalists Sam Smyth, Maeve Sheehan, Brendan O’Connor; and public relations executive Rory Godson.
Approximately €60,000 was paid by Blaydon Limited, an Isle of Man company owned by Denis O’Brien, to Trusted Data Solutions, according to Ian Drennan, the Director of the Office of Corporate Enforcement, in relation to this alleged interrogation.
Separately, the Office of the Data Protection Commissioner (ODPC) announced earlier this year that it would also investigate the alleged data breach at INM.
Yesterday, in the Sunday Business Post, Tom Lyons reported that the ODPC will now widen its investigation into INM to include matters beyond the timespan of the alleged breach.
Mr Lyons reported the ODPC will specifically look at why, in 2015, hard drives of up to six editors in INM were allegedly taken by INM in the middle of the night, copied, and returned to the journalists’ desks before they got into work, with software used to hide the fact that data had been copied.
Mr Mizak was also involved in this alleged action.
Mr Lyons reported:
“The decision to search the six computers was requested by INM’s then chief executive Robert Pitt, who was trying to identify who had leaked a memo that his personal assistant had sent to editors. The memo ended up being reprinted verbatim in the Phoenix magazine.
“Pitt is understood to have asked that all data be kept on site in INM, and that only the memo be looked for. However, Derek Mizak, a computer expert who carried out the operation with the aid of INM’s own IT team, gives a different version of events. He describes various interactions with Pitt, which INM’s former chief executive is believed not to recall.”
Mr Lyons added:
“Pitt is one of two whistleblowers relied on by the ODCE when it successfully argued that High Court inspectors should be appointed to INM. Why the 2015 incident has not emerged in any affidavit to date is unclear.”
In addition, back in 2013 (before Pitt was INM’s CEO), INM’s then chairman Leslie Buckley asked Mizak for a report on emails that were allegedly being sent by a number of INM members – including former head of corporate affairs at INM Karl Brophy and former CEO of INM Gavin O’Reilly – to their private email addresses.
Mr Lyons noted:
“There is no suggestion of wrongdoing in anyone forwarding INM emails to their private addresses, and the media group never took any action as a result.”
Of this work allegedly carried out by Mr Mizak, Mr Lyons reported:
“INM did not ask for an invoice from DMZ. Neither did DMZ bill the listed media company. No written instruction setting out what work DMZ was to do was ever produced. Notes were taken, but these were destroyed afterwards by DMZ as was its practice when jobs concluded.”
Mr Lyons reported that INM declined to respond to questions as to why “it had not told the High Court so far about all of its interactions with Mizak”.
He also reported:
“INM is on notice from a number of parties who wish to find out what happened to their data, including Brophy, [Joe] Webb, Gavin O’Reilly and the journalist Sam Smyth.
“A number of former staff, including various journalists, have also written to the company to try and find out if their data was looked at. Much remains to unravel as the ever more disturbing investigation rumbles on.”
Almost 62,000 applications for access to landline, mobile phone and internet data were made to companies providing services to the Irish public by State authorities in a five-year period.
An Garda Síochána made almost all of the requests, security sources have told The Irish Times.
…The information received for the five-year period to the end of 2012 has been made available by the Irish authorities to the European Commission. Between 2008 and 2012 the number of applications for data reached 61,823; a rate of more than 1,000 a month. Of those, 98.7 per cent were granted.
… In 2012, half of the requests made by the Garda and other agencies such as GSOC, Defence Forces and Revenue Commissioners related to mobile phone records. The remaining applications for data were split roughly evenly between landlines and internet services.