Privacy Kit

May 17, 2020

What Does It Do? How Does It Work? | The Cat Herder, Volume 3, Issue 18

May 17 · Issue #82
The Cat Herder
Latest on the HSE app: not much more detail. We still don’t know what it will and won’t do, nor do we know who the data controller is. But it may be moving to a live test with 2,000 participants in as little as two weeks. Anonymous testing proves successful in South Korea.
😼

Sam Bright
@Scram_Sam
I see the coronavirus app test is going well on the Isle of Wight https://t.co/4J0uF2ZeIU
4:08 PM - 15 May 2020
We found out a bit more about the Irish contact tracing (and unspecified other things) app on RTE’s Prime Time on Tuesday 12th May. The app is discussed from about 11.35 onwards.
Dr Sarah Doyle, the HSE Clinical Lead for the Contact Management Programme says a test with about 2,000 participants will begin in early June.
The app appears to be called COVID Care Tracker.
Dr Stephen Farrell of TCD, one of the authors of the study mentioned in last week’s Cat Herder, expressed doubts about the ability of the app as described to be effective in doing what it’s supposed to do.
Dr Katherine O'Keefe of Castlebridge stressed the importance of transparency.
Dr TJ McIntyre of Digital Rights Ireland wanted to know what safeguards will be in place: for example, will people be penalised for not installing the app?
Sarah Doyle agreed with “the concern around privacy” and went on to say “it’s really important that there’s a data protection impact assessment, and that is being done at the moment.”
At the risk of going blue in the face from unnecessary repetition, the DPIA should absolutely not be being done “at the moment”.
The HSE told Prime Time that it will publish the source code prior to the launch, while the app is in its trial period.
Minister Harris said in the Dáil on Thursday “I reiterate that it is my intention to publish the source code and data protection impact assessment, DPIA, for the app before it is launched.”
It’s of concern that the people in charge of developing and deploying the app now seem to think that publishing the source code and the DPIA at the same time is the Goldilocks level of transparency.
The DPIA should have been completed before a line of code was written. When you consider that this app, or an ancestral relative of this app, was apparently ready to launch “within ten days” at the end of March, it does not seem that the people in charge of this were even aware of their legal obligations seven weeks ago.
Even now that they are aware of their obligations they’re determined to commence processing personal data as part of the test phase before anyone has seen the DPIA. Which does not inspire confidence.
What Does It Do? How Does It Work?
On Prime Time the last word was given to TJ McIntyre. Who repeated the basic question which still hasn’t been answered despite weeks of parliamentary questions, newspaper commentary, correspondence with the HSE from civil society groups and evidence of shortcomings and rights infringements from other jurisdictions: “We haven’t had any clear indication of what the app is going to do, how exactly it’s going to work.”
In the UK it emerged that there were more ambitious and risky options being considered for the NHSX app.
The NHS Covid-19 contact tracing app could soon show people’s coronavirus health “status” and ask individuals to share precise location data, internal NHS documents seen by WIRED reveal.
Elsewhere, notes attached to the bottom of one slide reveal that a “Covid-19 status” feature could be introduced in a future version of the app. This lists five options: quarantine, self-isolating, social distancing, shielding and none. It adds that a user would update their status. Such a system has echoes of China’s post-lockdown measures, where apps assign people with a health code. Different health codes in China afford people different freedoms, such as the ability to travel outside their apartment or more widely within China.
Wired: ‘Secret NHS files reveal plans for coronavirus contact tracing app’
The version of the app being tested on the Isle of Wight came with embedded third party trackers, as Gus Hosein of Privacy International explains in this Twitter thread.
Gus
@GusHosein
Coming out of my contact tracing app-free weekend to note that the privacy impact assessment has been published. It says the app doesn’t have trackers in it. Except we found it does.
11:01 AM - 9 May 2020
Attempts at linguistic sleight of hand around anonymity were exposed.
But under data protection laws the app isn’t anonymous. GDPR and the UK’s data protection rules define ‘personal data’ as something that can identify an individual. Under GDPR, an identifier assigned to a phone can be considered personal data. (In the past a person’s IP address has been ruled to be personal data). While the Bluetooth logging system in the NHS app doesn’t collect location information, or other types of data, it does create an identifier (known as InstallationID) for every phone that uses the app. This counts as something that could lead to the identification of an individual.
Wired: ‘Just how anonymous is the NHS Covid-19 contact tracing app?’
As always, lots of things could go wrong
Thermal cameras are terrible at exposing COVID-19. Here’s why companies are buying them anyway
www.fastcompany.com
Companies are increasingly turning to tech to help mitigate the spread of COVID-19 among their workers. Individually, these technologies provide limited help, but together they may keep workers vigilant about their health.
India’s Aarogya Setu Covid app continues its rapid progress from voluntary to mandatory and compulsory. There’s a hack for that.
Jay started work at 9 a.m. on a Saturday. He chopped away at the app’s code to bypass the registration page that required people to sign up with their cellphone numbers. More pruning let him bypass a page that requested personal information like name, age, gender, travel history, and COVID-19 symptoms. Then, he carved away the permissions that he viewed as invasive: those requiring access to the phone’s Bluetooth and GPS at all times.
By 1 p.m., the app had become a harmless shell, collecting no data but still flashing a green badge declaring that the user was at low risk of infection.
Buzzfeed: ‘India’s Contact Tracing App Is All But Mandatory. So This Programmer Hacked It So That He Always Appears Safe.’
—
On the 8th May Vice reported from South Korea that
While the government’s intention is to nip this new cluster in the bud, its contact tracing processes may have unintended social consequences. Some say that by urging those who visited the prominent gay clubs and bars to come forward, they are actually being forced to come out.
Vice: ‘Reports on South Korea’s Second Wave of Coronavirus Cases Are Further Stigmatising the LGBTQ Community’
Less than a week later …
Coronavirus screening has surged in South Korea since authorities introduced anonymous testing, officials said Wednesday, as they scrambled to tackle a nightclub cluster amid concerns anti-gay prejudice could impede the response.
Capital News: ‘Seoul sees virus tests surge after promising anonymity’
It certainly could.
Auckland woman 'creeped out' after restaurant worker uses her contact tracing details to hit on her | Newshub
www.newshub.co.nz
“I felt pretty gross, he made me feel really uncomfortable.”
The Sunday Times reports (€) that Tusla is the first body to be fined by the Data Protection Commission. €75,000 for three separate breaches.
—
In the Dáil Green Party TD Patrick Costello raised concerns (video) about the government’s lack of funding for the Data Protection Commission. Minister Flanagan made some reassuring noises about preparing a note in response.
The European Commission has accepted and is considering at least two formal complaints against the Irish government in this matter.
No matter what the motivations were for drastically underfunding the DPC in the last budget, this is a problem of the state’s own making and one which will not go away on the promise of the delivery of some notes from the minister.
—
NOYB filed a complaint about Google’s Android Advertising ID with the Austrian DPA.
—
The CNIL issued updated data protection guidance for employers as lockdown restrictions begin to be lifted.
  • “By focusing on the quality of the technology over the equity of impact it has on people, the developers of the many different technological interventions currently under discussion are likely to find that the tech itself won’t help containment. In societies with strong institutional trust and public health systems, COVID-19 has claimed relatively few lives. By contrast, in countries with weaker public health systems and wider socioeconomic disparities, the impact has been far worse.” ‘Contact-tracing apps are political’ writes Sean MacDonald for Brookings.
  • “To make sense of what agreements people across the world are entering into with governments for health alerts, Tortoise Intelligence studied the privacy policies of 48 contact-tracing apps, spanning 26 different countries, based on a list compiled by research site Top10VPN.” ‘Tracking the tracers. We read the privacy policies of 48 contact-tracing apps for Covid-19. They’re often opaque, incomplete and impenetrable to the average reader’
  • In ‘COVIDSafe and Identity: Governance Beyond Privacy’ Kate Galloway and Melissa Castan argue that the “nature of the COVIDSafe app and its purpose have created a novel type of status that lies beyond mere data protection, or privacy. In its desire to ‘encourage public acceptance and uptake’ of a data collection technology, the [Australian] government is creating a new form of identifying feature to distinguish between individuals, based on their data choices or their ability to enter into the data arrangements.”
  • doteveryone’s 2020 Digital Attitudes Report, ‘People, Power and Technology’. “it finds most people (58%) think the industry is under-regulated. They identify government (53%) and independent regulators (48%) as having most responsibility for directing the impacts of technology on people and society.”
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
