Privacy Kit

May 10, 2020

"I dunno, werewolves?" | The Cat Herder, Volume 3, Issue 17

May 10 · Issue #81
The Cat Herder
Latest on the HSE app: Government tight-lipped. So no change from the default setting there. Elsewhere things have not gone smoothly. A regulator throws its hands up and exclaims “Don’t wanna!”
😼

Tesla Data Leak: Old Components With Personal Info Find Their Way On eBay
insideevs.com
If you want to upgrade the computers in your Tesla, know that the company may not erase your data from it, as white hat hacker GreenTheOnly discovered.
This week we didn’t find out very much more about the Irish contact tracing (and other extraneous functionality of unclear purpose) app. There were developments in other parts of the world though.
In Australia it seems the app was live for ten days and people were being exhorted to download it as a precondition for the lifting of lockdown restrictions while no useful data was being provided to contact tracers.
Australia’s “COVIDSafe” contact-tracing app was rushed to market in the knowledge it would perform poorly on some devices and without agreements in place to let actual contact-tracers use the data it collects. As a result, no collected data has been used in at least 10 days since its launch. Meanwhile, security researchers have alleged the app has serious flaws – one of which can broadcast the names of devices running the app - and one has criticised Australia’s government for not offering a formal method to point out such problems.
The Register: ‘Australian contact-tracing app sent no data to contact-tracers for at least ten days after hurried launch’
Australian politicians have stated that 40% of the population will need to download and use the app properly for it to be effective. Nobody seems to know where that figure came from.
It’s unclear where that figure comes from. Acting Secretary for Health Caroline Edwards on Wednesday told a Senate committee investigating the COVID-19 pandemic response there is no uptake modelling or goal within the department.
ABC News: ‘Can Australia’s coronavirus contact tracing app COVIDSafe lift the country out of lockdown?’
The most commonly cited figure worldwide is 60% of a population. This comes from a model developed by researchers at Oxford University.
In Ireland the folks responsible for writing the minister for health’s briefing notes have settled for an extremely low figure of 25%. This comes from what the briefing note describes as a “recent and robust modelling study of a comparable app in the US”. No further detail on this study is provided.
The Australian app is now switching to the Apple-Google model.
In the UK a trial of the NHSX app went live on the Isle of Wight. This version of the app is a centralised one and does not use the Apple-Google APIs, which are available in beta to developers.
The decision to go it alone and use the centralised model was not well received.
Levy also glossed over the fact that as soon as someone agrees to share their information with UK government – by claiming to feel unwell and hitting a big green button – 28 days of data from the app is given to a central server from where it can never be recovered. That data, featuring all the unique IDs you’ve encountered in that period and when and how far apart you were, becomes the property of NCSC – as its chief exec Matthew Gould was forced to admit to MPs on Monday. Gould also admitted that the data will not be deleted, UK citizens will not have the right to demand it is deleted, and it can or will be used for “research” in future.
The Register: ‘UK finds itself almost alone with centralized virus contact-tracing app that probably won’t work well, asks for your location, may be illegal’
While privacy questions were raised, it was the issue of trust that appeared to be the recurring theme behind much of the parliamentary discussion. Will, and should, the public trust, and therefore use, the technology? Gould commented that, in order to achieve significant levels of download, ‘the message needs to be, if you want to keep your family and yourselves safe … the app is going to be … an essential part of the strategy for doing that … it will require us to earn and keep the trust of the people’.
So this implies that trust is still to be achieved. In my view, the use of a contact tracing app has not yet been demonstrated to be trustworthy. By this, I mean a whole system including the people within it – not just the technological element – that can be relied upon to do what it is supposed to do, and to show that it has done so, while doing nothing it should not. All elements of this definition are currently contested. Only by addressing trustworthiness can NHSX hope to earn the trust that it seeks.
Marion Oswald, Royal United Services Institute: ‘Towards a Trustworthy Coronavirus Contact Tracing App’
By Friday it became clear that a climbdown of sorts had begun and a second NHSX app was in development, this one using the decentralised Apple-Google system.
Financial Times: ‘UK starts to build second contact tracing app’
Guardian: ‘UK may ditch NHS contact-tracing app for Apple and Google model’
The Data Protection Impact Assessment for the trial running on the Isle of Wight was also published on Friday (direct link to PDF). It is incomplete, incorrect in parts, evasive in others, contradicts itself on several points, avoids covering necessity and proportionality, and the entire risk assessment section is inaccessible.
Michael Veale has a comprehensive legal analysis of it here, and an accompanying Twitter thread with the main points of this analysis here.
Last week this section of the Cat Herder wrapped up with the still unresolved question - do any of these apps actually work effectively enough to make a difference? There is still no evidence they do.
New research has cast doubts over the accuracy of contact tracing apps that use a phone’s Bluetooth technology which will be a core feature of the version being worked on by the Irish Government.
The study, by scientists at Trinity College Dublin, found that it is “likely to be challenging to use Bluetooth to reliably detect when people using contact tracing apps are within 2m of one another.”
Irish Times: ‘Covid-19: Precision of tracing apps in doubt after TCD study’
Even the inventors of Bluetooth have their doubts.
“If Bluetooth can play a role in stopping something like the present coronavirus pandemic, that is of course extremely gratifying,” Mattisson told The Intercept. “But, it is smart use of a good technology, not just the technology itself that may see this happen.” The trouble with looking to the technology sector to save the world is that their solution will, of course, be more technology. Even if that technology has trouble getting through bushes and trees.
The Intercept: ‘The Inventors of Bluetooth Say There Could Be Problems Using Their Tech for Coronavirus Contact Tracing’
This week Wired ran a piece which provided a good overview of the use of digital contact tracing solutions across North America.
So far at least, the pandemic response has become a bitter lesson in everything technology can’t do and an example of Silicon Valley’s legendary myopia. States like New York, California, and Massachusetts, and cities like Baltimore and San Francisco, have looked carefully at cutting-edge contact-tracing solutions and largely said, “No thanks,” or “Not now.”
Instead, public health officials in hard-hit states are moving ahead to deploy armies of people, with limited assistance from technology. Massachusetts has budgeted $44 million to hire 1,000 contact tracers. New York State, with funding from Bloomberg Philanthropies, said last week it plans to hire as many as 17,000. California is soon expected to announce plans to hire as many as 20,000 contact tracers.
Wired: ‘Health Officials Say ‘No Thanks’ to Contact-Tracing Tech’
In Ireland it seems the people responsible for manual contact tracing are using Microsoft Word (first released 1983) and Microsoft Excel (first released 1987).
Dr Marie Casey (@marietcasey)
11. Our records about our outbreaks and cases are unfortunately held in word documents, excel etc.

Just before COVID-19 hit we had approval from DPER to purchase a national outbreak control system from @PublicHealthW . This will hopefully still happen.
10:44 AM - 9 May 2020
There’s little glamour in building and deploying robust systems to support manual effort. Very few people see those. A little bit like the entire discipline of public healthcare - when it works properly nobody notices it’s there. And that’s how it should be, until someone forgets to invest in it.
On the other hand there’s the allure of creating a widely distributed literal ‘brand in hand’ system - “a government app on every phone!” - which serves as a constant reminder that something is being done. Sales case studies can be written by management consultancies outlining their crucial contributions.
It’s the difference between B2B and B2C systems. The last fifteen years of frantic smartphone-fuelled development of high profile (and highly profitable) B2C software means that the thoughts of officials have naturally turned to solutions in this realm.
I’ve no way of knowing whether the development effort being put into the (second or third iteration of the?) HSE app is drawing resources away from building systems to support manual contact tracing but the nature of finite resources would indicate it might well be.
As ever, lots of things could go wrong
Coronavirus France: Cameras to monitor masks and social distancing - BBC News
www.bbc.com
New surveillance software will help French police enforce mask-wearing and social distancing.
It could.
Always-on webcams, virtual “water coolers,” constant monitoring: Is the tech industry’s new dream for remote work actually a nightmare? With nearly half of office employees working from home to avoid COVID-19 exposure, management tracks their work using: digital avatars in virtual offices; always-on webcams/microphones; productivity stats; monitored web browsing and active work hours; multiple daily check-ins (via email, calls, text messages and Zoom video calls); not-so-optional company happy hours, game nights and lunchtime chats; hidden screen captures; logging of apps used and websites visited; key word flagging; keyboard/mouse usage; unscheduled video conferences; and endless online meetings, meetings, meetings.
Managers turn to surveillance software, always-on webcams to ensure employees are (really) working from home
www.washingtonpost.com
The EDPB published an updated version of its guidelines on consent (direct link to PDF).
Natasha Lomas wrote about the guidelines for Techcrunch.
—
The ICO has decided not to do any regulating of adtech for the foreseeable future. This is despite the very same ICO finding many of the practices under investigation to be in breach of data protection law last year.
¯\_(ツ)_/¯
—
The Belgian DPA fined a data controller €50,000 for appointing a DPO who had a conflict of interest and was therefore not independent.
  • It was poor timing for the ICO to announce it wouldn’t be doing anything about adtech in the same week that a report by PwC, the Incorporated Society of British Advertisers (ISBA) and the Association of Online Publishers (AOP) confirmed the existence of the very large adtech black hole. “for publishers, the mere fact that half of the cash vanishes before it reaches them — 15 percent of it to, I dunno, werewolves? — should be enough to prompt some evening brown liquor. Google and Facebook have built giant businesses serving as middlemen between publisher and audience. But don’t forget about the anonymous ad tech firms who profit as middlemen between publisher and advertiser.” Financial Times (€): ‘Half of online ad spending goes to industry middlemen’.
  • “it is important to note that all applications (e.g. centralised or decentralised) are vulnerable to abuses of power, for instance, irrespective of the particular application used individuals may be compelled to produce their device by employers; immigration officers, or even private service providers such as restaurants. These problems are inherent to any system that provides individuals, centrally or locally, with a risk score.” Orla Lynskey and Michael Veale’s ‘Supplementary Written Evidence on COVID-19 Tracing Apps to the Joint Committee on Human Rights’.
  • “a centralised approach requires complete trust in our legislators not to legislate for function creep. By contrast, a decentralised model based on each user’s phone would make it far more difficult to get the technology to work for such function creep purposes.” A good legal analysis of how the GDPR applies to the NHSX app from Hawktalk.
  • “Provisos for a Contact Tracing App argues that – while NHSX is right to undertake research and testing to consider whether this technology could be a valid part of any measures to transition from lockdown – if the Government launches an ineffective app or untrustworthy app, it will not be adopted, is unlikely to be effective and could even be actively harmful to people’s health and trust.” The Ada Lovelace Institute updated its ‘Provisos for a Contact Tracing App’.
  • “To facilitate buy-in, a communications campaign is forming to make it as easy as possible for people to use the app. However, this approach puts the horse before the cart for an app which is very much under testing and development. It is true that the public needs to further consider production of an app solution. Covid apps have many technical limitations which, together with their extremely invasive potential for generalised surveillance, demand more public consideration of their usefulness before release.” Elizabeth Farries of the Irish Council for Civil Liberties in The Irish Times.
  • “It has taken some time to gel, but something resembling a coherent Pandemic Shock Doctrine is beginning to emerge. Call it the “Screen New Deal.” Far more high-tech than anything we have seen during previous disasters, the future that is being rushed into being as the bodies still pile up treats our past weeks of physical isolation not as a painful necessity to save lives, but as a living laboratory for a permanent — and highly profitable — no-touch future.” On Google and smart cities, as one door closes, another larger one swings open writes Naomi Klein.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
