This is one of my series of lists of opinionated, high-signal but low-noise links on topics I care about.
If you like my advocacy, my point-of-view, and my writing, as well as my travel to support local communities, my talks for those communities, and my work with organizations such as Blockchain Commons, Rebooting the Web of Trust, and the W3C Credentials CG, I invite you to sponsor me.
Plus, it’s a way to plug into an advocacy network that’s not focused on the “big guys”. Most of the large corporations have full-time people representing their desires in the various standards orgs, making it hard for small companies and lone developers to fully participate. I work to represent smaller developers in a vendor-neutral, platform-neutral way, helping us all to work together.
You can become a monthly patron on my GitHub Sponsor Page for as little as $5 a month; and your contributions will be multiplied, as GitHub is matching the first $5,000! Alternatively, you can support my efforts by sponsoring Blockchain Commons and our vision of the open web via a monthly GitHub Sponsorship or with Bitcoin via our BTCPay contribution page, Bitcoin contribution.
But please don’t think of this as a transaction. It’s an opportunity to advance the open web, digital civil liberties, and human rights together. You get to plug into my various projects, and hopefully will find a way to actively contribute to the digital commons yourself. Let’s collaborate!
– Christopher Allen <ChristopherA@LifeWithAlacrity.com>, GitHub: @ChristopherA, Twitter: @ChristopherA
For information on this versioning scheme, see Status & Versioning.
Copyright ©2020 by Christopher Allen; shared under the CC-BY-SA open-source license. See this repo’s README.md for more details.
This is my most recent presentation explaining why I’m involved in the Self-Sovereign Identity movement, as part of a #Foremembrance this March during an SSI Meetup virtual event. I talk about some important historical context from WWII in the Netherlands and how it is relevant to the impact and risk of COVID-19 for privacy and identity systems:
KEYQUOTE: Some of these things we’ve been fighting for a long time…in this crisis there is the opportunity to identify some best practices that are do-able now, and put some appropriate energy into better solutions that we can implement for maybe not this crisis, but for the next one.
I am co-chair of this World-Wide-Web Consortium (#W3C) community group, where a number of important credentials and identity specifications were nurtured to the point where they could be formalized into international standards. Most notably, the Verifiable Credentials specification is now a full standard, and the Decentralized Identity specification is well on its way.
We meet online weekly via voice and IRC on Tuesdays at 12 noon ET, 9am PT, and 5pm CET. At several recent meetings we have had discussion on #COVID19 related privacy topics, and it looks like some standards around #ImmunityCredentials in particular will become official work items. Our meetings are open to the public and are announced on our public mailing list.
Both of these standards are key architectures toward privacy design, in particular in the short term for #ImmunityCertificates (see my other High Signal Low Noise list on #VerifiableClaims #ImmunityCredentials).
Excerpt of one particular email from me to the W3C-CCG list on March 29th 2020, about why we must work on this privacy tech despite the challenges:
KEYQUOTE: Although I agree with those who say a key part of the problem is that the task of #LocationPrivacy and anonymity is extremely difficult, I do believe that in the short term we can be pragmatic & not suffer “the perfect is the enemy of the good”. We can share best practices, salute those doing the right thing, shame those who do not, and demonstrate our commitment to both the common good as well as to preventing individual harm. An effective Honor System is not the worst short-term outcome.
We also need to set the stage so that in the long term we can invest in the much more difficult problems of solving these problems more idealistically correctly. We need to fund things like deep requirements engineering, great user centric design including nudge/incentive/mechanism approaches, as well as implementing the latest secure code practices, privacy protocols, zk-proofs and other modern cryptographic security approaches, etc.
For if we are not somewhat pragmatic now, and set a stage to be able to invest in a more ideal future, we risk that everything we are currently doing on the privacy front now will fail because in the end, everyone will be tracked at another layer.
The #LocationPrivacy #ContactTracing #PublicHealthVsPrivacy #COVID19 topics are substantial, and rapidly evolving. In this section I intend to highlight the most interesting content and regularly update it.
1/10: Some governments will, and have already begun to, exploit the crisis. History suggests this is the precursor to something more dangerous for individuals and society.
KEY QUOTE: There are also alarming historical precedents in which governments have used an emergency to claim dictatorial powers, which are then left unrepealed. A classic case was Hitler’s use of the Reichstag fire in 1933 to establish the power to rule by decree…An expansion of state-surveillance, once rolled out, could be hard to reverse and will be a potent tool for would-be dictators.
2/10: I am quoted here sharing my concerns specifically with respect to COVID-19 response technology, and digital identity.
KEY QUOTE: …well-intentioned national identity system can be abused if the political winds shift.
3/10: Contact Tracing Technology aims to accelerate the manual, laborious process of Contact Tracing. One of the best things I’ve read recently on the topic is this article that argues that we should call it “Exposure Alerting” and that many of our design problems come from naming it incorrectly:
KEY QUOTE: Digital contact tracing should be called Exposure Alerting. That is what it does. It doesn’t “trace contacts” from an epidemiological perspective. Exposure Alerting could tie in with contact tracing, but we should not conflate these separate technologies. Manual Contact Tracing is essential and is very different than Exposure Alerting. Exposure Alerting should be decentralized. Manual contact tracing is centralized. Exposure Alerting has very specific privacy concerns that are very different than Manual Contact Tracing.
4/10: This is the best technical overview of the Apple/Google protocol, which is likely the dominant implementation of #ContactTracing technology:
KEY QUOTE: In the first stage, Apple and Google will make private APIs (application programming interfaces) available in mid-May 2020 strictly limited to health agencies. These APIs will work identically across both iOS and Android and let public-health authorities modify existing apps or build new ones that leverage the tracing features. The companies will also build simple model apps that governments could either put their own logos on or substantially modify. A second stage will appear “in the coming months,” and will build the tracing approach into Android and iOS at the operating system level. Enabling tracing and receiving a basic notification can happen without even installing an app, company representatives said in the briefing. An app will be required for someone to register a diagnosis of COVID-19.
5/10: This is a comprehensive summary of #ContactTracing implementations in the US and in 40+ countries around the world, from USC:
KEYQUOTE: Based on news stories and other online sources, with a focus on February 2020 to present.
6/10: Excellent questionnaire for people designing or evaluating #ContactTracing implementations.
KEYQUOTE: In-depth formal analysis of the protocol is necessary before deployment and should be published. Protecting privacy should rely on mathematical proofs of correctness, with mitigation strategies considered only when necessary. Our questions focus on privacy aspects, but ensuring security is similarly crucial. This means, for example, supervising the integrity and authenticity of the crowdsourced data, evaluating how mobile malware could affect the app’s behavior, or assessing the resilience of the authority’s servers against intrusions. Building a contact tracing app that allows all of us to participate in the fight against COVID19 is possible, but it will require us to go beyond shallow reassurances that privacy is protected.
7/10: A good reply from W3C Credentials CG (where I am co-chair) to the de Montjoye questionnaire in 6/10:
KEYQUOTE: That document raises excellent questions, but I think the range of protocols (designs) for consideration should be broadened even more. All three of the toy protocols that they discuss involved a central authority – presumably a public health agency – that would receive information about infected or exposed individuals. I think it would be good to also consider (list follows)
8/10: Important consideration of equity in #ContactTracing implementations.
KEY QUOTE: As policymakers coalesce around contact tracing as a means to stabilize the coronavirus outbreak while loosening harsh movement restrictions, the main worry has been about privacy qua privacy. But privacy is not the only, or even primary, concern. We must first think carefully about whether a contact-tracing app can be effective in the United States. And if such a technology is to be developed, it must be built on a foundation of fairness. We cannot ethically accept any solution that will systematically work less well for, or disproportionately harm, some communities—especially the groups that are already the hardest hit by this pandemic.
9/10: Some interesting risk modeling approaches to COVID-19 response technology, specifically apps:
KEY QUOTE: What do you need to know so you can confidently trust a piece of technology, such as an app supposedly helping fight COVID-19? That question is at the heart of Project App Assay. It applies to all technology, but is particularly important for the COVID-19 apps, because many of them collect so much information about our health, our friends, our locations and activities around the clock.
10/10: Lastly, this highlights some important data on large COVID-19 infection clusters—or “superspreading events” (SSEs), as they are sometimes referred to in the scientific literature. If we know how it spreads, we know what to control for.
KEY QUOTE: When do COVID-19 SSEs happen? Based on the list I’ve assembled, the short answer is: Wherever and whenever people are up in each other’s faces, laughing, shouting, cheering, sobbing, singing, greeting, and praying. You don’t have to be a 19th-century German bacteriologist or MIT expert in mucosalivary ballistics to understand what this tells us about the most likely mode of transmission.
Contact tracing is one of the main methods being proposed to curb the spread of the virus. This is a good explainer:
KEYQUOTE: Contact tracing has been used for decades to control the spread of infectious diseases. The basic idea is simple: track down infected people, then find everyone who has been near them and encourage those people to stay home until it is clear they are not sick.
When we talk about CTT, there are actually 3 approaches/designs. This is a good summary of each: Bluetooth Contact Tracing, Redacted Location Tracing, and Hashing Servers and Mix Nets:
KEYQUOTE: Users may appreciate privacy, but health care workers and governments don’t necessarily want to build a system that prevents them from, say, proactively notifying users who have been potentially exposed to Covid-19, or even actively tracking the location of infected or potentially exposed people.
This is a simple way to understand bluetooth contact tracing, via a comic!
KEYQUOTE via @mikarv: How exactly can #DP3T privacy-preserving Bluetooth COVID-19 alerts work if identifiable personal data never leaves your device? It’s actually not so complicated, and even less so now @ncasenmare has made a fantastic, public domain, comic explaining it.
This explains some of the technical flaws with respect to CTT privacy:
KEYQUOTE: The whole discussion on user and contact tracing opens up a whole lot of questions, and the most fundamental of these is that we don’t actually have any real infrastructure to implement privacy-preserving methods. It is likely that a COVID-19 app would be a pin-point app, and where the data gathered for location and contact tracking could be easily abused, and would have limited scope outside a country’s borders. Our core problem is that we have built data infrastructures that mirror those from the 1980s, and where we care little about the core rights of the data we gather. Once captured, the owner becomes the entity who captured the data, and without the trustworthiness of the transactions involved, we leave it open to abuse for malicious activities.
A real problem in the current crop of #ContactTracing approaches is not precisely the technology, but instead social incentive design and adversarial resistance to attacks:
ABSTRACT: Here are some problems with private contact tracing. We should not give policymakers the false hope that they can avoid hard choices
KEYQUOTE: The performance art people will tie a phone to a dog and let it run around the park; the Russians will use the app to run service-denial attacks and spread panic; & little Johnny will self-report symptoms to get the whole school sent home.
More on adversaries here:
KEY QUOTE: And finally, the issue of malicious use is paramount—particularly given this current climate of disinformation, astroturfing, and political manipulation. Imagine an unscrupulous political operative who wanted to dampen voting participation in a given district, or a desperate business owner who wanted to stifle competition. Either could falsely report incidences of coronavirus without much fear of repercussion. Trolls could sow chaos for the malicious pleasure of it. Protesters could trigger panic as a form of civil disobedience. A foreign intelligence operation could shut down an entire city by falsely reporting COVID-19 infections in every neighborhood. There are a great many vulnerabilities underlying this platform that have still yet to be explored.
This Harvard white-paper also expands on these concerns about #PublicHealthVsPrivacy:
ABSTRACT: There is a growing consensus that we must use a combined strategy of medical and technological tools to provide us with response at a scale that can outpace the speed and proliferation of the SARS-CoV-2 virus. A process of identifying exposed individuals who have come into contact with diagnosed individuals, called “contact tracing,” has been shown to effectively enable suppression of new cases of SARS-CoV-2 (COVID-19). Important concerns around protecting patients’ confidentiality and civil liberties, and lack of familiarity with available privacy-protecting technologies, have both led to suboptimal privacy implementations and hindered adoption. This paper reviews the trade-offs of these methods, their techniques, the necessary rate of adoption, and critical security and privacy controls and concerns for an information system that can accelerate medical response. Proactive use of intentionally designed technology can support voluntary participation from the public toward the goals of smart testing, effective resource allocation, and relaxing some physical distancing measures, but only when it guarantees and assures an individual’s complete control over disclosure, and use of data in the way that protects individual rights.
A key concern of #ContactTracing apps is the huge adoption required for them to be effective. Other than coercive use in China, Singapore has the largest % acceptance of these apps (16-17% maybe), but many question the efficacy:
KEY QUOTE: In the weeks since Singapore released its contact tracing app, the government has seen technology’s shortcomings for tracking COVID-19. Despite the government’s public campaign to the country to download the app, only about one in six people in Singapore have actually done it, Singapore’s national development minister Lawrence Wong said on April 1.
Bay also noted several issues with an overreliance on mobile contact tracing, pointing out that the apps would not have flagged cases where the coronavirus spread, including an incident in Washington where 45 members of a choir were diagnosed with COVID-19.
“If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, no,” Bay said in the post.
Former FDA Commissioner Dr. Scott Gottlieb (@ScottGottliebMD) calls for far greater public health surveillance to help stem COVID, but is skeptical of #ContactTracing apps:
KEYQUOTE: Cell phone-based apps recording proximity events between individuals are unlikely to have adequate discriminating ability or adoption to achieve public health utility, while introducing serious privacy, security, and logistical concerns. Instead, timely contact tracing can be achieved through strengthened public health case investigation augmented by technology and community-level collaborations.
Criticism isn’t always about the implementation of these technologies, but also the concerns about the parties doing the implementations and the persistence of the implementations:
KEY QUOTE: Surveillance companies, better known for providing spyware to governments, argue they are better placed to track and check the spread of the coronavirus. Using the same technology they already use to monitor dissidents and terrorists, governments can track the entire population.
But privacy issues loom. Civil liberties advocates fear that anti-virus tracking efforts could open the door to the kind of ubiquitous government surveillance efforts they have fought for decades. Some are especially alarmed by the potential role of spyware firms, arguing that their involvement could undermine the public trust governments need to restrain the spread of the virus.
Some governments will misuse new surveillance technology; my concerns about this continue to be justified:
KEYQUOTE: But, as events wear on, strongman leaders might find that the new environment is even more hospitable to their style of politics. Economic despair and desperation are often the enemies of calm debate and a friend to the conspiracy theories that help populism to flourish. An expansion of state-surveillance, once rolled out, could be hard to reverse and will be a potent tool for would-be dictators.
The NYT Editorial Board makes a key argument that any technology measures implemented today need to end once the threat passes:
KEY QUOTE: In a large self-governing society, civil liberties exist as part of a delicate balance. That balance is being sorely tested right now, and there is often no good solution that does not infringe on at least some liberty. At the same time, the coronavirus provides Americans with an opportunity to reimagine the scope and nature of our civil liberties and our social contract. Yes, Americans are entitled to freedom from government intrusion. But they also have an obligation not to unnecessarily expose their fellow citizens to a deadly pathogen. Protecting Americans from the pandemic while also preserving our economy and our civil liberties is not easy. But it’s essential.
Digital privacy expert, anonymity researcher, and author of the book “Queer Privacy” @SarahJamieLewis’s Twitter thread on the perils of #LocationPrivacy is a must read:
KEYQUOTE: There is no such thing as a robust privacy preserving contact tracing tool because social graphs and location graphs are impossible to anonymize, because anonymity is fundamentally about removing social and location context - once you do that all that is left is the honour system.
My Twitter RT about her thread:
KEYQUOTE: Despite that I agree with those like @SarahJamieLewis that a key problem is that the task of #LocationPrivacy & real anonymity is extremely difficult, I do believe that in the short term we can be pragmatic & not suffer “the perfect is the enemy of the good… An effective Honor System is not the worst short-term outcome. We also need to set the stage to invest in the much more difficult problems of solving these problems long-term.
Important academic paper on how easy it is to be able to de-anonymize supposedly anonymized location data:
KEYQUOTE: Moving forward, they question whether current de-identification practices satisfy the anonymization standards of modern data protection laws such as GDPR and CCPA and emphasize the need to move, from a legal and regulatory perspective, beyond the de-identification release-and-forget model.
Even before the pandemic, concerns were raised on the telecom side of #LocationPrivacy. It does have me concerned that work on privacy enhanced bluetooth #ContactTracing (and other such approaches) is moot given what information a cell phone already allows to be correlated:
ABSTRACT/KEYQUOTE: The companies that collect all this information on your movements justify their business on the basis of three claims: People consent to be tracked, the data is anonymous and the data is secure. None of those claims hold up, based on the file we’ve obtained and our review of company practices. Yes, the location data contains billions of data points with no identifiable information like names or email addresses. But it’s child’s play to connect real names to the dots that appear on the maps.
Despite these reservations, governments and private sector players across the world have started developing or deploying a dizzying array of contact tracing apps; with limited/no interoperability:
KEY QUOTE: The proliferation of coronavirus apps has trailed the spread of the pandemic around the globe. Often, the differences among apps are technical ones but can create vast differences in their security, privacy and effectiveness.
For example, it looks like there are twelve regional pandemic-tracking apps in China and one national one. Interestingly, the patchwork of tracking apps across China seems to show that there is actually very little coordination between localities and the central government.
KEYQUOTE: Pandemic-tracking apps are now proliferating as local governments have started trying to gain access to phone GPS location data through the apps, which are more accurate than carrier location data. The test version of the national government’s online services platform links to at least 12 provincial- or major city-level governments’ own health code apps, as well as providing a national-level app.
As is often the case when multiple bureaucracies collide, the health apps have overlapping coverage. On arriving back in Beijing from a trip out of the city, one FT reporter was told by their district authority to ignore the Beijing municipal government’s app and register on another health app used by the district. “One person, six codes”, ran the headline of a local media feature lamenting the multiplication of district- and municipal-level apps.
This is a high-level review of CTT implementations by country:
KEYQUOTE: In an attempt to stem the tide of the coronavirus pandemic, at least 30 governments around the world have instituted temporary or indefinite efforts to single out infected individuals or maintain quarantines. Many of these efforts, in turn, undermine personal privacy.
This is a comprehensive crowdsourced list of projects related to COVID-19 contact tracing:
KEYQUOTE: This site is a crowdsourced list of projects related to COVID-19 contact tracing using smartphones. The goal of contact tracing is to identify the contacts of people who have tested positive for COVID-19 and to advise them to self-quarantine. Large scale, highly accurate contact tracing could control the spread of epidemics and reduce the need for societal lockdowns.
Europe’s data watchdog also pitched a pan-Europe app, but many European countries are all pursuing their own projects or relying on Apple-Google technology (see below).
Early privacy analysis of Apple and Google’s partnership is positive, but it still has potential centralization issues (see Implementations & Analysis section below for more details).
KEYQUOTE: However any decentralised scheme can be turned into a centralised scheme by forcing the phone to report to the authorities that it was at some point in time close to the phone of an infected person. In other words, certain governments or companies — using the decentralised framework developed by Apple and Google — can create an app that (without users being able to prevent this) report the fact that they have been close to a person of interest in the last few weeks. The platform itself may be decentralised. But the app developed on top of it breaks this protective shield and collects the contact information centrally regardless. This effectively turns our smartphones into a global mass surveillance tool.
Despite good practices by others, governments (in this case France, and the UK’s NHS) will demand more than what is safe, to meet their own political desires or for efficiency of connection to their existing legacy systems. This means often they don’t look at the big picture. France/UK should be moving slower, not faster, especially given questions about efficacy of current approaches.
KEY QUOTE: The UK government’s homegrown app is also likely to come under public scrutiny as a result of privacy concerns. The new tool follows a centralized model, which means that when a user reports symptoms of the coronavirus, the warning is sent to a central computer server, which then works out who to send an alert to among the contacts that the infected person’s phone has registered.
KEY QUOTE: The Google-Apple system relies on smartphones’ Bluetooth connections and will allow users to keep their data on their handsets. However, France and the European Union want to feed the data to a central server, managed by state health services, which would alert users if they come into contact with a person infected by Covid-19. Any system that sends data to a centralized location is inherently less secure and is vulnerable to “mission creep,” enabling a form of surveillance on users, according to a letter on Monday from 300 academics in more than two dozen countries, which endorsed Google and Apple’s approach.
Germany has thankfully u-turned and is adopting the Google-Apple model without centralization:
KEY QUOTE: Germany as recently as Friday backed a centralised standard called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), which would have needed Apple in particular to change the settings on its iPhones. When Apple refused to budge there was no alternative but to change course, said a senior government source. In their joint statement, Braun and Spahn said Germany would now adopt a “strongly decentralised” approach.
Elsewhere in the world, this solution proposed in New Zealand feels quite implausible to me. I’ve looked at credit card sized Bluetooth before, and the battery tech isn’t quite there for always on devices.
KEY QUOTE: For those who do own a smartphone and do download apps, there will be “too much friction” preventing people from doing so. Users may be afraid of Google having their data, of the Government knowing what they are up to. They may forget their password or turn off the app because it interferes with their Bluetooth headphones. With some back-of-the-napkin math, the presentation estimates just 20 percent uptake in New Zealand - meaning just 4 percent of contacts would be traced. That’s where CovidCard comes in. Built using the same underlying technology as Tile Bluetooth trackers, the tool would be the size of a credit card and distributed to every New Zealander.
Some commentary on Australia, where high expectations early on have become more muted:
KEY QUOTE: Yet nearly a month since launch, the contact tracing app has barely been used – just one person has been reported to have been identified using data from it. And the language from public officials has been toned down. No longer is it the key to freedoms, but an add-on to existing contact tracing methods, to work in concert with social distancing rules and continued testing to keep a lid on outbreaks.
KEY QUOTE: The COVIDSafe app records digital handshakes between smartphones via Bluetooth, and if someone catches the virus, health authorities can track who has been within 1.5 meters of the person for 15 minutes or more.
KEY QUOTE: Australia’s upcoming contact tracing app would put data into an encrypted national store that is only accessible by the states and territories’ “health detectives”. “The Commonwealth can’t access the data. No government agency at the Commonwealth level, not the tax office, not government services, not Centrelink, not Home Affairs, not Department of Education, not childcare – the Commonwealth will have no access to that data,” Morrison said.
Two early reviews of Singapore’s Trace Together app and the BlueTrace protocol:
It’s not just national or regional governments, but also the private sector that is exploring contact tracing for their own internal purposes:
KEY QUOTE: Companies including PwC, the global consultancy, are racing to build surveillance tools that will monitor the spread of coronavirus inside offices and workplaces…While governments and tech companies are working on voluntary tools that send similar alerts, these may not be widely adopted. By contrast, PwC said companies could make its tool mandatory.
I’m pleased that the Netherlands government had their attorney general take a serious look at several contact tracing proposals, given these concerns:
KEY QUOTE: The government’s problems became even more acute last weekend when attorney general Reimer Veldhuis was asked to assess the final seven contenders for compliance with privacy laws – and found all seven lacking.
Also Israel’s Supreme Court banned the current invasive methods of contact tracing:
KEY QUOTE: The country’s Supreme Court has ruled that the government can’t keep tracking residents’ phones unless it drafts legislation covering the practice. It has to start work on the new law by April 30th and complete it within a few weeks. Officials raised “great difficulties” by using a “preventative security service” for tracking peaceful people without their permission, the court said, and journalists were within their rights to get injunctions to protect their sources.
Human Rights, Privacy Law, and GDPR expert Elizabeth Renieris (Twitter @hackylawyer) regularly has great insights on the intersection of privacy technology and the law; they stated:
KEYQUOTE: So, where does this leave us as a privacy community and what is our role in the time of Corona? It means that before we debate the particulars of a specific technology or application, before we tweak certain features or functionality to better protect individual privacy, or before we impose certain transparency or accountability measures, we take a step back.
Before we concede that a measure is necessary and begin to assess its proportionality, we question that underlying assumption — especially when it’s coming from private companies who stand to gain from it or governments who fear being perceived as lacking control over the situation. We apply the age-old tests of legality, necessity, and proportionality — in that order. We require concrete evidence that a measure will further specific aims or achieve certain measurable outcomes. If privacy advocates don’t step up and do this, who will?
KEY QUOTE: The pandemic is driving home the vast & dangerous divide between technologists who view “privacy” as a technical exercise in approaching anonymity vs. law & policy folks who understand “privacy” as a broad concept necessary to protect the rights & interests of people in practice.
This lays out a few compelling pros and cons to consider when balancing privacy and public health:
KEY QUOTE: …the ultimate decision to track and unleash information regarding COVID-19 will not be made by us, the people. It will be made by government authorities who may or may not understand the full implications of the precedent they are setting in using surveillance in the name of public health. In this case, the cat is already out of the bag. But that happened long before any global health crisis began. The priority now should be for us as a society to understand what data is being captured, how it is being used and what, if anything will change when the health crisis is over.
EFF provides a helpful list of safeguards for technologists to consider when building contact tracing technology (CTT) solutions:
KEY QUOTE: We urge app developers to provide, and users to require, the following necessary safeguards: Consent, Minimization, Information Security, Transparency, Addressing Bias and Expiration.
KEY QUOTE: In general, our advice to organizations that consider sharing aggregate location data: Get consent from the users who supply the data. Be cautious about the details. Aggregate on the highest level of generality that will be useful. Share your plans with the public before you release the data. And avoid sharing “deidentified” or “anonymized” location data that is not aggregated—it doesn’t work.
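EFF's last point ("deidentified" location data that is not aggregated doesn't work) is easy to demonstrate. The following is an added example written for this page, not code from EFF or from any of the projects linked here; the traces, coordinates and directories are constructed. It shows that a per-user location log with pseudonyms in place of names is re-identified from each user's inferred home and work points, while a coarse grid count with a minimum-users threshold releases only aggregates:

```python
"""
Added example (not from EFF or this page): why pseudonymous, unaggregated
location traces re-identify people, and what an aggregate release looks like.
All data below is constructed for the demo.
"""
from collections import Counter, defaultdict

# Constructed "deidentified" traces: (pseudonym, hour_of_day, lat, lon).
# The pseudonym carries no name, but each user's night-time and day-time
# locations are stable, which is enough to re-identify them.
TRACES = [
    ("u1", 2, 37.77, -122.43), ("u1", 3, 37.77, -122.43),
    ("u1", 10, 37.79, -122.40), ("u1", 14, 37.79, -122.40),
    ("u2", 1, 37.80, -122.42), ("u2", 4, 37.80, -122.42),
    ("u2", 11, 37.79, -122.40), ("u2", 15, 37.79, -122.40),
    ("u3", 2, 37.74, -122.46), ("u3", 9, 37.76, -122.41),
]

# Constructed auxiliary data an attacker can plausibly obtain: residents by
# home coordinates (e.g. property records) and employers by work address.
HOME_DIRECTORY = {(37.77, -122.43): "Alice", (37.80, -122.42): "Bob",
                  (37.74, -122.46): "Carol"}
WORK_DIRECTORY = {(37.79, -122.40): "Acme HQ", (37.76, -122.41): "Clinic"}


def infer_home_and_work(traces, night=(0, 6), day=(9, 17)):
    """Most frequent night-time location ~ home, most frequent day-time ~ work."""
    night_counts = defaultdict(Counter)
    day_counts = defaultdict(Counter)
    for pseudonym, hour, lat, lon in traces:
        if night[0] <= hour < night[1]:
            night_counts[pseudonym][(lat, lon)] += 1
        elif day[0] <= hour < day[1]:
            day_counts[pseudonym][(lat, lon)] += 1
    result = {}
    for pseudonym in night_counts.keys() | day_counts.keys():
        home = night_counts[pseudonym].most_common(1)[0][0] if night_counts[pseudonym] else None
        work = day_counts[pseudonym].most_common(1)[0][0] if day_counts[pseudonym] else None
        result[pseudonym] = (home, work)
    return result


def reidentify(traces):
    """Join the inferred home/work points against the auxiliary directories.
    Two stable points per person are enough to put a name on a pseudonym."""
    return {pseudonym: (HOME_DIRECTORY.get(home), WORK_DIRECTORY.get(work))
            for pseudonym, (home, work) in infer_home_and_work(traces).items()}


def aggregate_release(traces, k=3):
    """Aggregate release: count distinct users per coarse (~0.1 degree) grid
    cell and suppress cells seen by fewer than k users. Coarse cells plus a
    threshold is what 'aggregate on the highest level of generality that
    will be useful' looks like in practice; no per-user row is released."""
    users_per_cell = defaultdict(set)
    for pseudonym, _hour, lat, lon in traces:
        cell = (int(round(lat * 10)), int(round(lon * 10)))
        users_per_cell[cell].add(pseudonym)
    return {cell: len(users) for cell, users in users_per_cell.items() if len(users) >= k}


if __name__ == "__main__":
    print("re-identified:", reidentify(TRACES))
    print("aggregate (k=3):", aggregate_release(TRACES))
```

Note that the threshold alone is not a complete defence: releasing the same aggregate repeatedly over time, or at several granularities, lets an observer difference the releases and recover small groups. Pick the coarsest useful cell, one release cadence, and publish the method before the data, as the EFF advice says.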
This highlights the importance of community support for any technological response to COVID-19:
KEY QUOTE: There are hundreds of groups around the world developing contact tracing, symptom reporting and immunity status apps. They range from state actors to hobbyists to private finance. Many of them introduce new privacy technology based on cryptography, blockchain-based decentralized identifiers, and digital credentials. Apple and Google are planning to update their mobile phone operating systems to launch a decentralized contact tracing platform, an attempt to improve privacy that all the while gives them surveillance power that will impact society long after the pandemic is over. A shift in power from the state to private multinational corporations in the name of privacy seems unwarranted. Can we do better?
Specific to Decentralised Privacy-Preserving Proximity Tracing (DP-3T), a voluntary data protection impact assessment with a helpful focus on risks and mitigations:
KEY QUOTE: The DP-3T system is designed for national (or regional) deployments, but its protocol is scalable internationally. The requirement for a data protection impact assessment (“DPIA”) will therefore have to be analysed on a country-by-country (or regional) basis. DP^3T is currently intended to be deployed in Switzerland. Pursuant to the Swiss Federal Data Protection Act (“FDPA”), there is no mandatory obligation to carry out a DPIA. This DPIA is therefore carried out on a voluntary basis, following best practices. In case of deployment in countries that are subject to the GDPR, the need of a DPIA must be assessed in accordance with Articles 35 and 36 GDPR, which require that a DPIA be carried out before the implementation in case the processing is likely to result in a high risk to the rights and freedoms of natural persons.
Superb analysis of Bluetooth-related bugs in #CovidSafeApp (Australia’s app, but relevant to all BLE implementations) that, if fixed, would substantially improve both privacy and effectiveness:
ABSTRACT: The COVIDSafe app has a number of issues which may allow a malicious person to track any user for an indefinite period of time. Some of these are unintentional implementation errors, some are deviations from the specification, and some are issues with the specification.
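The property those bugs violate is general: a proximity identifier broadcast over BLE must rotate on a schedule and be unlinkable across rotations, otherwise a passive observer with a few receivers can follow one device from place to place. The toy model below is an added example written for this page; it does not reproduce the specific COVIDSafe findings and is not code from that analysis or from any tracing project. The identifier derivation is loosely modelled on DP-3T's daily-key design (the simplified HMAC-per-epoch derivation, device names, places and keys are assumptions for the demo). It contrasts a device that rotates its identifier every epoch with one that never rotates, and shows which of the two an observer can link across two locations:

```python
"""
Added example (not from the COVIDSafe analysis or this page): a toy model of
what lets a passive Bluetooth observer track a device. Constructed data only.
"""
import hashlib
import hmac
from collections import defaultdict

EPOCH_MINUTES = 15
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES  # 96 identifiers per day


def ephemeral_ids(day_key: bytes, epochs: int = EPOCHS_PER_DAY):
    """Derive one 16-byte identifier per epoch from a daily key (simplified
    DP-3T-style derivation). Without day_key the outputs are unlinkable,
    since HMAC-SHA256 is a PRF; with it, a health authority can republish
    the day's identifiers after a positive test."""
    return [hmac.new(day_key, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for epoch in range(epochs)]


def next_day_key(day_key: bytes) -> bytes:
    """Ratchet the daily key forward: yesterday's key is not recoverable from
    today's, so a seized phone does not expose earlier days."""
    return hashlib.sha256(day_key).digest()


class Device:
    def __init__(self, name: str, day_key: bytes, rotate: bool):
        self.name, self.rotate = name, rotate
        self.ids = ephemeral_ids(day_key)

    def advertisement(self, minute: int) -> bytes:
        """Identifier broadcast at a given minute of the day. The bug class
        modelled here: rotate=False keeps the same identifier all day."""
        epoch = (minute // EPOCH_MINUTES) % EPOCHS_PER_DAY if self.rotate else 0
        return self.ids[epoch]


def sniff(schedule):
    """Passive observer with a receiver at each place: records
    (place, minute, advertised id). schedule lists (device, place, minute)."""
    return [(place, minute, dev.advertisement(minute)) for dev, place, minute in schedule]


def link_places(observations):
    """Attacker view: group places by identifier. Any identifier seen at more
    than one place has tracked its device between those places."""
    places_by_id = defaultdict(set)
    for place, _minute, adv_id in observations:
        places_by_id[adv_id].add(place)
    return {adv_id: places for adv_id, places in places_by_id.items() if len(places) > 1}


def demo():
    """Two devices visit the same cafe at 09:00 and the same clinic at 14:00."""
    rotating = Device("rotating", b"\x01" * 32, rotate=True)
    static = Device("static", b"\x02" * 32, rotate=False)
    schedule = [(rotating, "cafe", 9 * 60), (rotating, "clinic", 14 * 60),
                (static, "cafe", 9 * 60), (static, "clinic", 14 * 60)]
    return link_places(sniff(schedule))


if __name__ == "__main__":
    print("linkable identifiers:", demo())
```

Rotating the application-layer identifier is necessary but not sufficient: the BLE advertising (MAC) address, any static fields in the advertisement payload, and the timing of rotations must all change together, otherwise the unchanged field links the epochs just as the static identifier does above. That is why a review of a tracing app has to look at the whole advertisement, not just the identifier the specification describes.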
Governments today are taking legitimate emergency measures to track and manage public health, in particular in the #COVID19 crisis. We need to balance this public good vs. risks of loss of human rights in the future. We can do this!
This is one of the best explainers on the legal considerations around contact tracing apps in the US:
KEY QUOTE: Notably, it is not clear that such legislation could be enacted at the federal level, as a constitutional matter. It likely would generate a Sebelius-style challenge, with litigants contending that it amounts to the mandatory use of a product akin to the mandatory purchase of health insurance under the Affordable Care Act. The Supreme Court held in Sebelius that Congress cannot rely on its Interstate Commerce authority to command individuals to engage in a commercial purchase when they would otherwise do no such thing, and even rejected the idea that such an authority can be derived from the Necessary and Proper Clause due to the critical role such purchases played in support of the larger, otherwise-constitutional insurance rules established by the statute. Might the same be true here? True, the requirement to download and use an app for public-health data-collection purposes is not in itself necessarily best viewed as a commercial activity. But then again neither was the must-eat-broccoli hypothetical that Chief Justice John Roberts used to illustrate the dangers of empowering Congress to make us take affirmative actions. Sebelius might best be read as a broad rule against federal legislative authority to compel affirmative activity, not just one barring statutory obligations to buy things.
Recommendations for US states from CAP (the Center for American Progress):
KEY QUOTE: Digital contact tracing recommendations for state leaders: In coordination with mass testing, manual contact tracing, significant investments in public health and health care infrastructure, and sufficient social and financial support for all Americans, voluntary and privacy-protected digital contact tracing may play a role in helping state authorities prevent new outbreaks and more safely reopen society. [1] Embrace distributed technology by default. [2] Voluntary systems are more ethical, useful, and likely to be downloaded. [3] Minimize data for secure and trustworthy systems. [4] Build trust by limiting scope creep. [5] Lead and partner with transparency. [6] Design with public health workers and residents to provide clear benefits for both. [7] States should appoint an independent privacy and civil rights advisory board. [8] Governors must be at the helm. [9] Pursue regional collaboration and national standards.
Again US-centric: on the need for a federal privacy law, some senators have started with a proposal:
KEY QUOTE: New federal protections could also improve public trust in apps and devices that require users to opt in to share data with health authorities, said Graham Dufault, senior director for public policy at ACT The App Association, a trade group. “The absence of a federal privacy framework has left us less prepared to respond to the crisis with a coordinated, data-driven, and trusted effort,” Mr. Dufault wrote.
KEY QUOTE: U.S. Sens. Roger Wicker, R-Miss., chairman of the Senate Committee on Commerce, Science, and Transportation, John Thune, R-S.D, chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet, Jerry Moran, R-Kan., chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, and Marsha Blackburn, R-Tenn., today announced plans to introduce the COVID-19 Consumer Data Protection Act. The legislation would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data. The bill would also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.
Canada’s Privacy Impact Assessment recommendations are a helpful framework for governments:
KEY QUOTE: Privacy protection isn’t just a set of technical rules and regulations, but rather represents a continuing imperative to preserve fundamental human rights and democratic values, even in exceptional circumstances…Government institutions should still apply the principles of necessity and proportionality, whether in applying existing measures or in deciding on new actions to address the current crisis.
Pandemic responses designed for the Western world may not be suitable for developing nations. Here are some useful general guidelines for policymakers, with India as the worked example:
KEY QUOTE: India needs to find local solutions suited to its unique context to effectively deal with the pandemic. We have collated 10 recommendations for the Indian context, many of which will also apply to other developing countries.
(Most recent first)
In this section, I try to highlight some key articles I found interesting on the topics of #LocationPrivacy #ContactTracing #PublicHealthvsPrivacy #COVID19. There’s a lot of material published daily, so this will update on a rolling basis:
KEY QUOTE: “I’m rebelling against the mandatory nature of this app,” he said. “I don’t want to share my location 24/7 with the government.” He said the Indian app fared poorly against what Google and Apple were helping to build, plans that do not store personal information on centralized servers. “If I was coding this app, I would have chosen to keep data points to a minimum,” he said. “If I have your location information for a month, I can gauge a lot of things about your life.”
KEY QUOTE: In the short run, the most technologically aggressive government plans will only offer software to extract location data from a patient’s smartphone, making it easier to reconstruct timelines. Most smartphones automatically record where they’ve been, unless a user disables the feature. Some states are considering apps that would make it easy to access this data, examine it, and potentially send it to a contact tracer. Knowing where we’ve been can help us remember whom we’ve been with.
KEY QUOTE: A de-centralised smartphone contact tracing system – the type contemplated … by governments across Europe and also Apple and Google – would be likely to comply with both human rights and data protection laws. In contrast, a centralised smartphone system – which is the current UK Government proposal – is a greater interference with fundamental rights and would require significantly greater justification to be lawful. That justification has not yet been forthcoming.
KEY QUOTE: Provisos for a Contact Tracing App argues that – while NHSX is right to undertake research and testing to consider whether this technology could be a valid part of any measures to transition from lockdown – if the Government launches an ineffective app or untrustworthy app, it will not be adopted, is unlikely to be effective and could even be actively harmful to people’s health and trust.
KEY QUOTE: The use of a coronavirus contact tracing app has not yet been demonstrated to be trustworthy, in terms of its purpose, reliability, effectiveness or potential harmfulness. Furthermore, the binary nature of its output must be addressed if trustworthiness is to be achieved.
KEY QUOTE: The Indian government’s covid-19 tracking app may soon be installed on smartphones by default, two sources from the smartphone industry — one a smartphone maker and the other from the Manufacturers Association for Information Technology (MAIT) — confirmed.
KEY QUOTE: Nearly 3 in 5 Americans say they are either unable or unwilling to use the infection-alert system under development by Google and Apple, suggesting that it will be difficult to persuade enough people to use the app to make it effective against the coronavirus pandemic, a Washington Post-University of Maryland poll finds.
KEY QUOTE: The project, known by the codename “Bubble” at Apple, was pushed forward by a handful of employees in the space of a month…The two companies couldn’t formally announce plans to work together until they got a green-light from their CEOs. So Apple CEO Tim Cook and Alphabet CEO Sundar Pichai hashed it out on a virtual meeting several days ahead of the official announcement on April 10th.
The editors of @TheEconomist have clearly not learned the #Foremembrance story of how 75% of Dutch Jews lost their lives in the Holocaust, nor connected it to the rise of the right today. This is why Northern Europe has a privacy “religion”. After 75 years it is becoming forgotten:
KEY QUOTE: If the EU had an official religion, it would be privacy. A devout priesthood of EU officials and politicians preach that only their privacy laws can lead to salvation. Holy texts, such as the General Data Protection Regulation or the ePrivacy Directive, are held up as wisdom the whole world would be better off following.
KEY QUOTE: Since 9/11, for example, information acquired via surveillance on national-security grounds has been used to prosecute drug crimes, food-stamp and mortgage fraud, and lying on bank statements. Conversations recorded by an Amazon Echo and heart-rate data tracked by a Fitbit have been used in criminal investigations. “There really is such a thing as surveillance creep, and surveillance programs do tend to increase beyond their initial scope,” Rozenshtein said. “Pandemics, like other emergencies, have often been these catalyst moments for the permanent expansion of the government. And the government does not tend to shrink after the moment has passed.”
KEY QUOTE: Any such use of digital tools should continue to raise legal and ethical questions around privacy to avoid unintended consequences for the people being helped. The conversation about the privacy risks should lend itself to a broader conversation on inequality, especially racial and ethnic profiling and the digital divide.
KEY QUOTE: A technical document by the Broadcast Engineering Consultant India Limited (BECIL) described the band as an “Intelligence investigation platform & tactical tool to detect, prevent and investigate threats to national security using CDR, IPDR, Tower, Mobile Phone Forensics Data.” The idea is to pair this hardware solution with the Aarogya Setu app, and get information about patients and people under quarantine including their location data and people they’re in contact with.
KEY QUOTE: The survey, commissioned by the Financial Times, suggests that concern over public health is trumping privacy worries as ministers look to technology as a way of managing the outbreak and easing lockdown restrictions. When asked, 65 per cent of people said they agreed with using smartphones to identify people who had been diagnosed with the virus and establish who they had come into close contact with. Support for the idea rose to 73 per cent among 55 to 75-year-olds and fell to 59 per cent in those aged 18 to 34.
KEY QUOTE: While the rest of India, along with countries such as the UK and the US, wouldn’t take stringent steps to limit movement for another two months, Shailaja had ordered Kerala’s four international airports to start screening passengers in January. All those with symptoms were taken to a government facility, where they were tested and isolated; their samples were flown to the National Institute of Virology 700 miles away. By February, she had a 24-member state response team coordinating with the police and public officials across Kerala.
KEY QUOTE: The idea that contact tracing can be done with an app, and not human health professionals, is just plain dumb.
KEY QUOTE: With the creation of such systems, come new risks of institutionalisation of mass surveillance.
https://howtosavetheworld.ca/2020/05/01/how-many-dead-whos-social-distancing/
https://translate.google.com/translate?depth=1&nv=1&pto=aue&rurl=translate.google.com&sl=auto&sp=nmt4&tl=en&u=https://www.cnil.fr/fr/publication-de-lavis-de-la-cnil-sur-le-projet-dapplication-mobile-stopcovid
My Twitter list of technologists, advocates, policymakers, lawyers, regulators, etc. with a particular focus on privacy.
I worked on some #LocationPrivacy approaches after year one of the iPhone. The target advocacy was not about health care, but personal safety while travelling. Here they are for the record:
A Deep Dive Brought to You by the COVID Tech Task Force, Harvard’s Berkman Klein Center, NYU’s Alliance for Public Interest Technology, TechCrunch, Betaworks Studios, and Hangar.
Three-hour mini-conference (the first in a series of mini-conferences to foster a public dialogue on private automated contact tracing technology) to provide technologists, privacy experts, and public health officials with a forum to discuss how contact tracing can be used to slow the spread of COVID-19, and how privacy-preserving automated contact tracing can augment manual contact tracing.
W3C Credentials CG (where I am co-chair) regularly discusses identity & privacy, and more recently #LocationPrivacy:
I have been hosting Rebooting the Web of Trust, a twice-a-year design workshop that brings together experts in the decentralized digital identity and privacy community in a collaborative “design workshop” that has published 50+ collaborative white papers. It is where the W3C Decentralized Identifier specification, which is on its way to becoming an international standard, was originally incubated.
Unfortunately our last event in Buenos Aires, where we planned to discuss #LocationPrivacy and other related COVID-19 privacy topics, was cancelled. We are now working on plans for an event in the Fall in the EU, and expect many privacy tech, policy, and regulatory experts to come specifically to work on the next generation of these technologies.
Reminder: You can become a monthly patron on my GitHub Sponsor Page for as little as $5 a month; and your contributions will be multiplied, as GitHub is matching the first $5,000! Alternatively, you can support my efforts by sponsoring Blockchain Commons and our vision of the open web via a monthly GitHub Sponsorship or with Bitcoin via our BTCPay contribution page, Bitcoin contribution.
– Christopher Allen <ChristopherA@LifeWithAlacrity.com>, Github: @ChristopherA, Twitter: @ChristopherA