Privacy Kit

Subscribe
Archives
April 19, 2020

Demanding Transparency Requirements | The Cat Herder, Volume 3, Issue 14

A weird standards war rages; the HSE coughs up a couple of sentences describing its contact tracing a
 
April 19 · Issue #78 · View online
The Cat Herder
A weird standards war rages; the HSE coughs up a couple of sentences describing its contact tracing app, though these sentences are buried in an EU document; sewage surveillance.
😼

TJ McIntyre
TJ McIntyre
@tjmcintyre
That didn’t take long. https://t.co/nD167DHq1C https://t.co/mFrM7STyNP
1:21 PM - 18 Apr 2020
The Australian Prime Minister aired similar sentiments earlier in the week.
The Guardian reported at the start of the week that the ability to “de-anonymise” users of the NHS app had been discussed in a memo.
Some more crumbs of information about the Irish contact tracing and symptom tracking app called CovidTracker Ireland emerged, though precious little of it came directly from the HSE.
To quote last week’s newsletter, there is “still no information about who is making the product design decisions, what the purpose of the app is, what data will be collected, who the data controller is, who the data will be shared with, how long the data will be retained for and how any required changes to legislation will be made given the lack of a properly constituted government.”
At a briefing on Friday we discovered the app is “still being tested”, that the HSE “are working through some of the privacy and data issues” and that it might be available next month.
If they’re testing an app which is due to be deployed within a few weeks and encountering “privacy and data issues” then it’s hard to see how this process could possibly fit with Article 25 of the GDPR, which specifies that data protection by design and default must be baked into all processing of personal data from “the time of the determination of the means for processing” onward.
A quick recap before we go any further. It is three weeks since the HSE told us an app for “real-time symptom tracking and digital contact tracing” would be launched within ten days.
That didn’t happen. Since then some far larger entities than the HSE have rumbled into action. Most significantly Apple, Google and the institutions of the EU.
The EU’s eHealth Network published version 1 of a ‘Common EU Toolbox for Member States’ relating to ‘Mobile applications to support contact tracing in the EU’s fight against COVID-19’. (direct link to PDF)
This document includes a summary of apps currently available and in development. The Irish entry (on page 11) is as follows
Provides citizens with a way to check their Covid-19 symptoms and receive reliable advice. This data can be submitted to inform national heat maps. Contact tracing app also informs national heat maps and modelling of the spread of the disease. Currently in test. Will launch in advance of the lifting of restrictions on movement of citizens (or just before)
Of interest here is that, with the exception of Portugal, Ireland is the only member state in the list attempting to do symptom checking as well as contact tracing.
The European Data Protection Board wrote a letter to the Commission (direct link to PDF) on the subject of the toolbox, stressing that source code should be made available, a Data Protection Impact Assessment must be carried out, that the preferred lawful basis should be necessity for the performance of a task for public interest and not user consent, and that individuals should be “free to install and uninstall the app at will”.
The European Commission published the ‘Joint European Roadmap towards lifting COVID-19 containment measures’. (direct link to PDF). Some quotes below, emphasis added -
When using tracing apps, users should remain in control of their data. National health authorities should be involved in the design of the system. Tracing close proximity between mobile devices should be allowed only on an anonymous and aggregated basis, without any tracking of citizens, and names of possibly infected persons should not be disclosed to other users. Mobile tracing and warning applications should be subject to demanding transparency requirements, be deactivated as soon as the COVID-19 crisis is over and any remaining data erased.
Confidence in these applications and their respect of privacy and data protection are paramount to their success and effectiveness.
The European Parliament adopted a resolution (direct link to PDF) on Friday, the relevant parts of which are worth quoting in full, emphasis added -
51. Takes note of the Commission’s plan to call on telecoms providers to hand over anonymised and aggregated data in order to limit the spread of COVID-19, of national tracking programmes already in force, and of the introduction of apps allowing authorities to monitor movements, contacts and health data;
52. Takes note of the emergence of contact-tracing applications on mobile devices in order to warn people if they were close to an infected person, and the Commission’s recommendation to develop a common EU approach for the use of such applications; points out that any use of applications developed by national and EU authorities may not be obligatory and that the generated data are not to be stored in centralised databases, which are prone to potential risk of abuse and loss of trust and may endanger uptake throughout the Union; demands that all storage of data be decentralised, full transparency be given on (non-EU) commercial interests of developers of these applications, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, in combination with specific other measures, will lead to a significantly lower number of infected people; demands that the Commission and Member States are fully transparent on the functioning of contact-tracing apps, so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities are claiming; recommends that sunset clauses are set and the principles of data protection by design and data minimisation are fully observed;
53. Calls on the Commission and the Member States to publish the details of these schemes and allow for public scrutiny and full oversight by data protection authorities (DPA); notes that mobile location data can only be processed in compliance with the ePrivacy Directive and the GDPR; stresses that national and EU authorities must fully comply with data protection and privacy legislation, and national DPA oversight and guidance;
So this gives us yet more questions about the HSE app to add to those which are as yet unresolved.
  • Will the generated and collected data be decentralised?
  • Are there sunset clauses?
  • What guarantees are there that the use of this app will not be made obligatory?
In summary, the mystifying secrecy about the HSE’s app continues despite all external prodding to steer them in the direction of a bare minimum of transparency.
This quote from David Davis seems apt. The virus can’t hear ye lads, it’s alright to talk about what you’re doing. In fact it’s both mandatory and compulsory.
David Anderson
David Anderson
@bricksilk
Rather a good point from ⁦@DavidDavisMP⁩ ... https://t.co/lNf6v9S1md
9:53 AM - 18 Apr 2020
Standoff
There is a thoroughly peculiar and probably ultimately pointless row going on over the standards framework to be used for contact tracing apps. This row is covered in a far more comprehensive and concise way than I could manage in Simon McGarr’s The Gist newsletter from yesterday - ‘Whats with the Covid Apps?’. I say pointless because as Simon points out, when you’re up against the proprietors of the two dominant mobile operating systems it is overwhelmingly likely you’re going to end up having to play by their rules.
Since Simon’s newsletter went out there have been a couple of further developments.
Yes, the HSE does appear to be involved, or at least involved enough to have their logo displayed on the PEPP-PT website. As the PEPP-PT body keeps losing members (three at the latest count) and therefore credibility the HSE would be well advised to back away from this promptly.
Some documents were published on GitHub describing a system which sounds very centralised despite the claims of decentralisation from the group.
Nighat Dad
Nighat Dad
@nighatdad
Thank you everyone who is posting their pictures under #MeAt20 , it will greatly help big and small tech giants and eventually governments, their biometric databases to track and monitor you via artificial intelligence in future. You just made their work easy. #RespectYourPrivacy
8:53 PM - 18 Apr 2020
It might
It might
All front-line workers in Liechtenstein who come into contact with vulnerable and high-risk people are to receive weekly coronavirus tests, while this week equipment was installed to monitor the country’s entire sewage output for coronavirus signifiers, in order to alert authorities to the presence of infected persons within the country’s borders.
‘Liechtenstein rolls out radical Covid-19 bracelet programme’, Financial Times
The ICO issued an Opinion on the Apple-Google initiative. (direct link to PDF)
  • There was some commentary on the DPC’s cookies and tracking report. ‘Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon’ from Norton Rose Fulbright and ‘DPC Publishes Guidance on Cookies and Report on Cookie Sweep’ from Arthur Cox.
  • “While decisions such as Vectaury and Planet49 indicate a hardening of attitudes towards the notification and consent thresholds necessary for the data collection practices [of] AdTech, there has not been, as yet any consideration of the need for stricter regulation of the AdTech market or the practices it operates in light of the privacy harms which its operation facilitates.” ‘The Impacts of AdTech on Privacy Rights and the Rule of Law’ by Róisín Costello.
  • “Some of the promises of what are sometimes called proximity tracing [tools] may be a little bit over the top,” Tom Frieden, a former director of the CDC, told STAT when asked about such efforts. He added that it’s not yet clear whether digital surveillance methods used in several Asian countries truly helped to control the spread of infections. “What we’ve seen from various countries is information that this was done, but not information that it was effective”. ‘5 burning questions about tech efforts to track Covid-19 cases’ by Casey Ross in STAT.
  • “When I asked a Singaporean friend about the TraceTogether App, he told me, “It’s a pain to use,” because it needs Bluetooth to be running all the time. But because Bluetooth is a digital blabbermouth, dishing out your data to any local device that wants to know, Apple devices don’t allow it to run in the background while you’re doing anything else, or while your phone is locked. Google’s newer Android systems run along the same lines.” Timandra Harkness asks ‘Can your smartphone crack Covid?’
  • “There’s a strong argument that much of what we build for this pandemic should have a sunset clause—in particular when it comes to the private, intimate, and community data we might collect. The decisions we make to opt in to data collection and analysis now might not resemble the decisions we would make at other times. Creating frameworks that allow a change in values and trade-off calculations feels important too.” Genevieve Bell for the MIT Technology Review - ‘We need mass surveillance to fight covid-19—but it doesn’t have to be creepy’.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Did you enjoy this issue?
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland

A weird standards war rages; the HSE coughs up a couple of sentences describing its contact tracing app, though these sentences are buried in an EU document; sewage surveillance.

😼

That didn’t take long. https://t.co/nD167DHq1C pic.twitter.com/mFrM7STyNP

— TJ McIntyre is @tjmcintyre@mastodon social (@tjmcintyre) April 18, 2020

The Australian Prime Minister aired similar sentiments earlier in the week.

The Guardian reported at the start of the week that the ability to “de-anonymise” users of the NHS app had been discussed in a memo.

Some more crumbs of information about the Irish contact tracing and symptom tracking app called CovidTracker Ireland emerged, though precious little of it came directly from the HSE.

To quote last week’s newsletter, there is “still no information about who is making the product design decisions, what the purpose of the app is, what data will be collected, who the data controller is, who the data will be shared with, how long the data will be retained for and how any required changes to legislation will be made given the lack of a properly constituted government.”

At a briefing on Friday we discovered the app is “still being tested”, that the HSE “are working through some of the privacy and data issues” and that it might be available next month.

If they’re testing an app which is due to be deployed within a few weeks and encountering “privacy and data issues” then it’s hard to see how this process could possibly fit with Article 25 of the GDPR, which specifies that data protection by design and default must be baked into all processing of personal data from “the time of the determination of the means for processing” onward.

A quick recap before we go any further. It is three weeks since the HSE told us an app for “real-time symptom tracking and digital contact tracing” would be launched within ten days.

That didn’t happen. Since then some far larger entities than the HSE have rumbled into action. Most significantly Apple, Google and the institutions of the EU.

The EU’s eHealth Network published version 1 of a ‘Common EU Toolbox for Member States’ relating to ‘Mobile applications to support contact tracing in the EU’s fight against COVID-19’. (direct link to PDF)

This document includes a summary of apps currently available and in development. The Irish entry (on page 11) is as follows

Of interest here is that, with the exception of Portugal, Ireland is the only member state in the list attempting to do symptom checking as well as contact tracing.

The European Data Protection Board wrote a letter to the Commission (direct link to PDF) on the subject of the toolbox, stressing that source code should be made available, a Data Protection Impact Assessment must be carried out, that the preferred lawful basis should be necessity for the performance of a task for public interest and not user consent, and that individuals should be “free to install and uninstall the app at will”.

The European Commission published the ‘Joint European Roadmap towards lifting COVID-19 containment measures’. (direct link to PDF). Some quotes below, emphasis added -

The European Parliament adopted a resolution (direct link to PDF) on Friday, the relevant parts of which are worth quoting in full, emphasis added -

So this gives us yet more questions about the HSE app to add to those which are as yet unresolved.

  • Will the generated and collected data be decentralised?
  • Are there sunset clauses?
  • What guarantees are there that the use of this app will not be made obligatory?

In summary, the mystifying secrecy about the HSE’s app continues despite all external prodding to steer them in the direction of a bare minimum of transparency.

This quote from David Davis seems apt. The virus can’t hear ye lads, it’s alright to talk about what you’re doing. In fact it’s both mandatory and compulsory.

Rather a good point from ⁦@DavidDavisMP⁩ ... pic.twitter.com/lNf6v9S1md

— David Anderson (@bricksilk) April 18, 2020

Standoff

There is a thoroughly peculiar and probably ultimately pointless row going on over the standards framework to be used for contact tracing apps. This row is covered in a far more comprehensive and concise way than I could manage in Simon McGarr’s The Gist newsletter from yesterday - ‘Whats with the Covid Apps?’. I say pointless because as Simon points out, when you’re up against the proprietors of the two dominant mobile operating systems it is overwhelmingly likely you’re going to end up having to play by their rules.

Since Simon’s newsletter went out there have been a couple of further developments.

Yes, the HSE does appear to be involved, or at least involved enough to have their logo displayed on the PEPP-PT website. As the PEPP-PT body keeps losing members (three at the latest count) and therefore credibility the HSE would be well advised to back away from this promptly.

Some documents were published on GitHub describing a system which sounds very centralised despite the claims of decentralisation from the group.

Thank you everyone who is posting their pictures under #MeAt20 , it will greatly help big and small tech giants and eventually governments, their biometric databases to track and monitor you via artificial intelligence in future. You just made their work easy. #RespectYourPrivacy

— Nighat Dad (@nighatdad) April 18, 2020

‘Liechtenstein rolls out radical Covid-19 bracelet programme’, Financial Times

The ICO issued an Opinion on the Apple-Google initiative. (direct link to PDF)

  • There was some commentary on the DPC’s cookies and tracking report. ‘Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon’ from Norton Rose Fulbright and ‘DPC Publishes Guidance on Cookies and Report on Cookie Sweep’ from Arthur Cox.
  • “While decisions such as Vectaury and Planet49 indicate a hardening of attitudes towards the notification and consent thresholds necessary for the data collection practices [of] AdTech, there has not been, as yet any consideration of the need for stricter regulation of the AdTech market or the practices it operates in light of the privacy harms which its operation facilitates.” ‘The Impacts of AdTech on Privacy Rights and the Rule of Law’ by Róisín Costello.
  • “Some of the promises of what are sometimes called proximity tracing [tools] may be a little bit over the top,” Tom Frieden, a former director of the CDC, told STAT when asked about such efforts. He added that it’s not yet clear whether digital surveillance methods used in several Asian countries truly helped to control the spread of infections. “What we’ve seen from various countries is information that this was done, but not information that it was effective”. ‘5 burning questions about tech efforts to track Covid-19 cases’ by Casey Ross in STAT.
  • “When I asked a Singaporean friend about the TraceTogether App, he told me, “It’s a pain to use,” because it needs Bluetooth to be running all the time. But because Bluetooth is a digital blabbermouth, dishing out your data to any local device that wants to know, Apple devices don’t allow it to run in the background while you’re doing anything else, or while your phone is locked. Google’s newer Android systems run along the same lines.” Timandra Harkness asks ‘Can your smartphone crack Covid?’
  • “There’s a strong argument that much of what we build for this pandemic should have a sunset clause—in particular when it comes to the private, intimate, and community data we might collect. The decisions we make to opt in to data collection and analysis now might not resemble the decisions we would make at other times. Creating frameworks that allow a change in values and trade-off calculations feels important too.” Genevieve Bell for the MIT Technology Review - ‘We need mass surveillance to fight covid-19—but it doesn’t have to be creepy’.

Endnotes & Credits

  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.

Don't miss what's next. Subscribe to Privacy Kit:
X
Powered by Buttondown, the easiest way to start and grow your newsletter.