Sorcerer's Apprentices | The Cat Herder, Volume 3, Issue 16

Bank Holiday edition, if anyone is still keeping track of such things. This week's title is courtesy   May 4 · Issue #80 · View online Bank Holiday edition, if anyone is still keeping track of such things. This week’s title is courtesy of La Quadrature du Net. 😼 Next up for coronavirus tech: A corporate back-to-work app - Protocol www.protocol.com – Share ​As the coronavirus crisis drags on, Appian is the latest to roll out a product that aims to help companies cope. Some concrete details about the Irish contact tracing app emerged via a briefing note prepared for Simon Harris which was subsequently distributed to TDs. This is a good thing. The Irish app will use the decentralised model of Bluetooth proximity monitoring. This is also a good thing and was practically an inevitability since Apple and Google announced that the API they are making available would allow for this model but not the centralised model. They are the owners of the operating systems and means of distribution after all. (As an aside, the HSE should consider the reasons Apple and Google are making an API available now and subsequently promising changes at the OS level to facilitate contact tracing apps using Bluetooth Low Energy, but are not building their own apps. One of these, as reported by Buzzfeed, is that they are “fearful of losing public trust by overstepping privacy, according to sources at Apple.” In other words they’ve done their reputational risk assessment.) There are also not-so-good things contained in the briefing note. The Irish app will also come with a symptom reporting function and the ability to share location data with as yet unspecified entities. This is an entirely separate purpose which will require a distinct lawful basis. It will engage data subject rights in a far more extensive manner than the Bluetooth proximity monitoring purpose. It will require a separate DPIA. It will require significantly more commitment from users and interaction with the app. It unnecessarily introduces far more points of failure for the overall project. It seems foolish to take the Bluetooth proximity monitoring system which is itself entirely unproven then bolt on additional entirely unproven systems and attempt to deliver them all in one package. Effectiveness: evidence? An editorial in Nature raises a number of issues. As does a piece for Brookings by Ashkan Soltani, Ryan Calo and Carl Bergstrom. As does a piece in Wired by Matt Burgess. Quoted in the Buzzfeed piece linked to above, Bruce Schneier went so far as to clarify his thoughts on his own site - “The end result is an app that doesn’t work. People will post their bad experiences on social media, and people will read those posts and realize that the app is not to be trusted. That loss of trust is even worse than having no app at all.” All of them come to the same conclusions. There is no evidence this works. The potential is being oversold by governments. The possibility of it working may well not be adequate justification for deploying invasive surveillance technology across entire populations. If it doesn’t work then it could quite possibly do far more harm than good. The DPIA still needs to be published in advance of the system going live. A commitment to publishing the source code for all releases of the app must be made. A list of all entities from both public and private sectors with which data will be shared must be published and updated. A description of how the system will be shut down must be published. Continuing the coronopticon theme into this section, the scope of the Indian contact tracing app Aarogya Setu has rapidly expanded so that it now appears to be mandatory (and compulsory) for all. This is closer to scope gallop than scope creep. In Australia prime minister Scott Morrison has stated - within a week of the launch of the app and before the Australian health authorities are actually able to use any of the data from the app - that numbers of downloads of the app are explicitly linked to the possible easing of lockdown restrictions. So one of the purposes of the COVIDSafe app in Australia is now unambiguously to “open up the economy”. As ever, lots of things could go wrong There are reports from Australia that the COVIDSafe contact tracing app “may interfere with medical devices such as those used by people with diabetes”. In the UK, which is determined to go ahead with a centralised model for the app being developed by NHSX, an entirely predictable feedback loop which will limit user willingness to download and use the app has sprung into life. If you have a centralised store of sensitive and valuable information, that store becomes an attractive target for hackers. In order to defend your centralised store from hacking attempts you need to call in the heavy gang. The heavy gang in this case being GCHQ. When people get wind of the involvement of actual spies in the project they become less willing to use the app. Which makes the app less useful to public health authorities. A large number of academics signed a joint statement sent to the NHS and NHSX expressing concerns over plans for the app. We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application. We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a “nice to have”, given the dangers involved and invasive nature of the technology. It could. Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard | The Register www.theregister.co.uk – Share The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network. No word yet whether Simon Coveney has responded to Philip Alston’s request that he point out the factual errors alleged, as covered here last week. The Swedish DPA fined the National Government Service Centre ~€18,700 for failing to notify affected individuals and the supervisory authority of a data breach. The Belgian DPA published an opinion on contact tracing apps. Yves-Alexandre de Montjoye summarises the key points in a Twitter thread here. The CNIL published an opinion on the proposed French contact tracing app StopCovid. An English translation is available here (direct link to PDF). The Sunday Times reports that “Three European consumer rights bodies have launched a legal action in Dublin against the Data Protection Commission (DPC) over how it is investigating Google’s tracking of smartphone users.” The DPC published a podcast episode going into more detail on their recently published report on the use of cookies and other tracking technologies - see issue 13 for more on this. “As we discuss digital solutions to manage the pandemic, and we subject them to public and democratic debate, we shall keep sight of the endemic problems of the digital ecosystem and have them subject to democratic oversight and deliberations.” A blog post from the European Data Protection Supervisor Wojciech Wiewiórowski. Johnny Ryan of Brave published a report on the severe shortfalls in funding for national data protection authorities - ‘Europe’s governments are failing the GDPR’. The New York Times covered this in ‘Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates’. Gabriela Zanfir-Fortuna has a very detailed review of all the recommendations from many, many bodies (the EDPB, the EDPS, the European Commission, the European Parliament, sub-groups and committees etc.) with a table setting out which guidance came out when. European Union’s Data-Based Policy Against the Pandemic, Explained Ali Alkhatib‘s 'We Need to Talk About Digital Contact Tracing’ has a great explanation of how the Bluetooth Low Energy system is supposed to function, then goes on to point out how many vulnerable groups in society will be excluded. In ‘The boring side of tech, transparency and contact tracing’ Richard Pope sets out eight things that the NHS should do to make sure the process enables a healthy and open public debate. The HSE should do the same. Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Bank Holiday edition, if anyone is still keeping track of such things. This week’s title is courtesy of La Quadrature du Net.

😼

​As the coronavirus crisis drags on, Appian is the latest to roll out a product that aims to help companies cope.

Some concrete details about the Irish contact tracing app emerged via a briefing note prepared for Simon Harris which was subsequently distributed to TDs. This is a good thing.

The Irish app will use the decentralised model of Bluetooth proximity monitoring. This is also a good thing and was practically an inevitability since Apple and Google announced that the API they are making available would allow for this model but not the centralised model. They are the owners of the operating systems and means of distribution after all.

(As an aside, the HSE should consider the reasons Apple and Google are making an API available now and subsequently promising changes at the OS level to facilitate contact tracing apps using Bluetooth Low Energy, but are not building their own apps. One of these, as reported by Buzzfeed, is that they are “fearful of losing public trust by overstepping privacy, according to sources at Apple.” In other words they’ve done their reputational risk assessment.)

There are also not-so-good things contained in the briefing note. The Irish app will also come with a symptom reporting function and the ability to share location data with as yet unspecified entities.

This is an entirely separate purpose which will require a distinct lawful basis. It will engage data subject rights in a far more extensive manner than the Bluetooth proximity monitoring purpose. It will require a separate DPIA. It will require significantly more commitment from users and interaction with the app. It unnecessarily introduces far more points of failure for the overall project.

It seems foolish to take the Bluetooth proximity monitoring system which is itself entirely unproven then bolt on additional entirely unproven systems and attempt to deliver them all in one package.

Effectiveness: evidence?

An editorial in Nature raises a number of issues. As does a piece for Brookings by Ashkan Soltani, Ryan Calo and Carl Bergstrom. As does a piece in Wired by Matt Burgess. Quoted in the Buzzfeed piece linked to above, Bruce Schneier went so far as to clarify his thoughts on his own site - “The end result is an app that doesn’t work. People will post their bad experiences on social media, and people will read those posts and realize that the app is not to be trusted. That loss of trust is even worse than having no app at all.”

All of them come to the same conclusions. There is no evidence this works. The potential is being oversold by governments. The possibility of it working may well not be adequate justification for deploying invasive surveillance technology across entire populations. If it doesn’t work then it could quite possibly do far more harm than good.

The DPIA still needs to be published in advance of the system going live. A commitment to publishing the source code for all releases of the app must be made. A list of all entities from both public and private sectors with which data will be shared must be published and updated. A description of how the system will be shut down must be published.

Continuing the coronopticon theme into this section, the scope of the Indian contact tracing app Aarogya Setu has rapidly expanded so that it now appears to be mandatory (and compulsory) for all. This is closer to scope gallop than scope creep.

In Australia prime minister Scott Morrison has stated - within a week of the launch of the app and before the Australian health authorities are actually able to use any of the data from the app - that numbers of downloads of the app are explicitly linked to the possible easing of lockdown restrictions. So one of the purposes of the COVIDSafe app in Australia is now unambiguously to “open up the economy”.

There are reports from Australia that the COVIDSafe contact tracing app “may interfere with medical devices such as those used by people with diabetes”.

In the UK, which is determined to go ahead with a centralised model for the app being developed by NHSX, an entirely predictable feedback loop which will limit user willingness to download and use the app has sprung into life.

If you have a centralised store of sensitive and valuable information, that store becomes an attractive target for hackers. In order to defend your centralised store from hacking attempts you need to call in the heavy gang. The heavy gang in this case being GCHQ. When people get wind of the involvement of actual spies in the project they become less willing to use the app. Which makes the app less useful to public health authorities.

A large number of academics signed a joint statement sent to the NHS and NHSX expressing concerns over plans for the app.

The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

No word yet whether Simon Coveney has responded to Philip Alston’s request that he point out the factual errors alleged, as covered here last week.

The Swedish DPA fined the National Government Service Centre ~€18,700 for failing to notify affected individuals and the supervisory authority of a data breach.

The Belgian DPA published an opinion on contact tracing apps. Yves-Alexandre de Montjoye summarises the key points in a Twitter thread here.

The CNIL published an opinion on the proposed French contact tracing app StopCovid. An English translation is available here (direct link to PDF).

The Sunday Times reports that “Three European consumer rights bodies have launched a legal action in Dublin against the Data Protection Commission (DPC) over how it is investigating Google’s tracking of smartphone users.”

The DPC published a podcast episode going into more detail on their recently published report on the use of cookies and other tracking technologies - see issue 13 for more on this.

• “As we discuss digital solutions to manage the pandemic, and we subject them to public and democratic debate, we shall keep sight of the endemic problems of the digital ecosystem and have them subject to democratic oversight and deliberations.” A blog post from the European Data Protection Supervisor Wojciech Wiewiórowski.
• Johnny Ryan of Brave published a report on the severe shortfalls in funding for national data protection authorities - ‘Europe’s governments are failing the GDPR’. The New York Times covered this in ‘Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates’.
• Gabriela Zanfir-Fortuna has a very detailed review of all the recommendations from many, many bodies (the EDPB, the EDPS, the European Commission, the European Parliament, sub-groups and committees etc.) with a table setting out which guidance came out when. European Union’s Data-Based Policy Against the Pandemic, Explained
• Ali Alkhatib‘s 'We Need to Talk About Digital Contact Tracing’ has a great explanation of how the Bluetooth Low Energy system is supposed to function, then goes on to point out how many vulnerable groups in society will be excluded.
• In ‘The boring side of tech, transparency and contact tracing’ Richard Pope sets out eight things that the NHS should do to make sure the process enables a healthy and open public debate. The HSE should do the same.

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.