10 petitions

Started 2 days ago

Petition to UK Parliament, Theresa May MP

NHS should respect privacy online

For a noticeable amount of the NHS websites, when you use it, you get tracked. Not the nice kind of a nurse or doctor checking your bed notes, but the kind where advertising companies and business analytics companies get to spy on you instead. This is not just unethical, it is illegal and those responsible for the NHS website should be facing criminal investigations. Now this campaign is a little technical in the details, but fundamentally it is about who has access to your usage of an NHS online services and who is explicitly sent data on what you do: if you think that the only services that should get your data are the NHS and the company operating its servers, then sign up. I've been complaining privately to the NHS and Public Health England about this since October, but the complaints date back for years. Tom Watson MP raised these concerns in Houses of Parliament in 2010, this issue is not new and someone needs to answer for why Facebook got 7 years of tracking data and they're likely not the only ones. Since October, my complaints demonstrated that multiple social media, advertising and analytics companies were getting identifiable information on what users were looking at on the site. My complaints weren't completely in vain, some of the trackers got removed... quite quickly after I showcased how NHS Choices had given Facebook access to NHS Choices accounts. However, much still remains and Public Health England believes it has consent to include tracking, read their privacy policy: who are the companies mentioned? AppNexus? RadiumOne? Facebook still gets data, like if you're interested in donating blood or organs the privacy policy explain this? It is not just what they are sent... this is the most worrying concern to start with, but the companies executing scripts in the NHS websites, to do tracking, typically have a lot more access. This was showcased earlier this year by another company executing scripts ( and whether they get hacked or maliciously try to gain more data than they should, these third party companies have the access to act as you and steal your data. You don't leave reception open for Facebook to walk in, so they shouldn't leave the website open to them either: only appropriate medical and administrative personal please: get rid of advertisers access. Look for yourself If you work in IT you know what to do: Developer console, check cookies and referers. If you don't try a trusted privacy tool to identify what trackers are turned on. Two not for profit tools: Firefox Lightbeam will tell you who is being contacted. Privacy Badger can spot trackers (beware, it learns what tracks you, so browse around for a bit so it can identify what tracks you before you goto the nhs site). What should the solution be?As soon as possible, let's just get them removed. The NHS doesn't need trackers from analytics, advertisers or social media on it's own site. There are open source analytics suites: free software that the NHS can self host and avoid Google, WebTrends, etc getting data on you Social Media campaigns can remain on Social Media Audience data can be captured in consensual manners: explicit opt ins, questionnaires/surveys, paid user groups - in most cases, I don't mind sharing this data in a form to the NHS, do you? Better than WebTrends and Google Analytics. NHS doesn't need any third party site to host analytics to maintain their site technically,metrics are essentially a table of data, storage is a Time Series Database and Visualisation is a graphing engine. In the tech industry there are multiple solutions that can be used for this like ELK, Grafana/Graphite, InfluxDB, Matomo, ... and they're used on large sites. Further ahead, I hope criminal investigations do start and a public enquiry looks into why so many foreign companies, outside of healthcare, with a history of invading privacy, were handed so much data about our browsing habits when seeking medical advice online. The video This video was from not too long ago and showcases the extent to which third parties have had access to your usage of the site. NHS Choices site was sharing medical condition data with WebTrends and WebTrends gets identifiable data. (if you want details, I can send them, but they use global ids and when third parties like Virgin East Coast leaking email addresses into their system, it identifies the users of the NHS that have had tracking data sent on them). If you know how to get to this panel, then look at  - referer headers - cookies - query parameters - who executes JavaScript and can do whatever they like. An example

Mark Richards
31 supporters
Started 3 weeks ago

Petition to European Parliament, European Commission

Save street photography from the threat of EU's GDPR

Street photography is at risk with the new EU’s GDPR, in force starting from the 25th May 2018.Your dreamy picture of that girl in the sunflower field is the “collection and sharing of personal data” in the eyes of a data protection officer and eurocrats. Many things in a photo are personal data: her face, the location, the time and date and everything that is tied to her identity. The legal consequence is that  you need to provide some kind of justification to take that picture and to save it on your hard disk or — much worse — to share it on Instagram or elsewhere. If you’re a professional photographer, you are supposed to have a model release. If you’re just a friend, it’s out of the scope of the GDPR (it is considered “personal or household activity”). But if you are a photo enthusiast, you are sitting uncomfortably in the middle. Street photography especially becomes a legal nightmare with GDPR. You cannot get consent before you take the shot because that would usually destroy the moment. According to the data protection law, you’re not allowed to only ask for it afterward. If you take a picture as an event photographer, you might argue that taking pictures of visitors at a conference is “necessary for the purposes of the legitimate interests” (Art. 6 lit f GDPR). You don’t need consent then. But can you do that if you shoot that amazing shot of an elegant business guy in a light cone on the street? Probably not. And you certainly cannot do it when a child is in your picture. That “legitimate interests”-argument does not apply “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. Over the years, our courts had found an acceptable balance between privacy rights and photography freedom. Very recently, the German Constitutional Court even ruled that street photography is protected by the constitution because it is “art”!  That fair balance is at peril with the GDPR. The nature of an EU regulation is brutal and relentless (like many of the crazy EU regulations and directives): these laws come into force in every country and the courts have to ignore all national laws that contravene. There is some hope though: some lawyers argue that Member States need “to reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information” — also for “artistic expression”, read: street photography. However, the current situation remains tragic. The EU has traditionally had a thing for data protection. No wonder it was a German guy from the Green Party who pushed for the GDPR… Not a surprise considering that Germany does not even allow Google Street View differently than other countries. Let’s keep privacy-freaks away from policy-making. Their obsession with privacy is killing art and freedom of expression and business. We need to ask the EU institutions to make an exception for street photography as it has always been. Otherwise we would not have anymore great artists such as Henri Cartier-Bresson, Robert Doisneau, Gianni Berengo-Gardin and more.[ Text adapted from PetaPixel: ]

Paolo Margari
17 supporters