-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential privacy issue of new Exposure Notifications Express? #337
Comments
Data exchange between countries was always going to be a problem for SwissCovid, especially given DP-3T's rather cavalier approach to what legally constitutes "personal data". It seems - but it is hard to pin down - that SwissCovid operates on the pretense that all those identifiers circulating and then stored in the clear do not constitute "personal data", which flies against existing Swiss case law. This also is opposite to what other European countries have sensibly decided (some walked backwards into this decision, but indeed they had to agree as there was a level-up effect if they wanted to interoperate between them). Your concerns are valid, but I would address them elsewhere if you want to effect true change. Switzerland has managed to sideline itself completely on issues of legal interoperability, and it has been a few months now anyways since the DP-3T team has had any impact on decisions taken by Google and Apple (if there was ever a time where that was the case). |
A Note to Those Who Believe that This Discussion Does Not Belong Here I believe you are confused. Where exactly (i.e., on which device(s)) is "what legally constitutes 'personal data'" being stored in the manner that you describe, and why do you put quotes around personal data? Is it, or is it not, personal data, and by what criteria and whose legal system? If you wish to continue this discussion, please refer to the components of the system as outlined in DP3T -Data Protection and Security when justifying your objections. Please be aware that some features of the system described in the document have not in fact been implemented. You might also wish to peruse DP-3T White Paper to inform yourself about the three designs for decentralized proximity tracing that DP-3T provides. I believe I read somewhere that GAEN doesn't "do" all designs, just the simplest, which would be the one that provides the least elaborate privacy, but I can't find the reference right now. What is the case, is that GAEN is evidently handling the generation and broadcasting of the EphId's, the logging of received EphId's, the pulling of the possible infections from the backend and even some steps in the calculation of the exposure risk score. Therefore, whatever objections you have to SwissCovid might well extend to all or some other national Covid-19 apps based on GAEN. If you have been following the discussion about interoperability of various regional versions of the app, you will be familiar with DP3T -Interoperability Decentralized Proximity Tracing Specification (Preview). It is plain and evident that interoperability was designed into the system. Furthermore, Sang-Il Kim, Director Digital Transformation, FOPH, confirmed in one of his first press conferences that interoperability is not a technical problem, but a political one, in this case, having to do with the EU's insistence on a Framework Agreement before discussing any cooperation with Switzerland, in this case, in the area of public health. Neither my nor your view on this political issue is germane to this technical discussion. |
@r-r-liu I was trying to respond to your valid remark. You mentioned privacy and ENE interoperability, with a technical lens. I added a legal layer to your argument, and explained why you are barking at the wrong tree here, talking to the DP-3T collaboration. I had the poor idea of putting "personal data" in quote because I was referring to the legal definition of what constitutes personal data: "data about an identified or identifiable individual". The legal systems are either EU Member States' (following case law from Court of Justice of the European Union) or the Swiss legal system (following case law such as Google Street View). The data that I claim are personal data are:
You mention that GAEN is handling a bunch of stuff, and that "whatever objections [I] have to SwissCovid might well extend to all or some other national Covid-19 apps based on GAEN." It is true that GAEN is handling a bunch of stuff. Nevertheless the party legally responsible for this is the national health authority (see Section 4 of the Exposure Notification APIs Addendum). As you will read there,
My beef is thus with countries who took shortcuts with that last bit, and this is my basis for telling you those countries might not care very much about the issue you raise, or have put themselves in such a position that they can't do anything about it. |
I just installed iOS 13.7 and read about the Exposure Notifications Express (https://developer.apple.com/documentation/exposurenotification/supporting_exposure_notifications_express). This seems to be merely a configurable general purpose app that (a) doesn't need to be installed, but (b) mediates between the user and his PHA's Test verification server and Key server. I see a possible privacy issue here.
Although these servers presumably are under the control of the PHA, on the user side there seems to be nothing but Apple/Google code, and I suppose that Apple and Google are no more likely to submit their code to an audit now than they were when it consisted only of the GAEN api. Yet it might be necessary in the future for a PHA that now decides to the use Exposure Notifications Express to enable certain functionality in the Key server that requires input from the user. That, I suppose, would have to be done in the ENE. That would be the case, for example, if a PHA using ENE decided to support the exchange of exposure notifications with other PHA's. For example, preliminary designs to support, say, users of the Swiss Covid app in Germany, or of the German Covid Warn app in Switzerland, indicate that users might have to specify to their respective backends when they were in the other country, so that each server could pull exposures from the other's backend. Now suppose in this example that one of the countries has no app of its own but is relying on the ENE, and that Apple and Google agree at some point to pass such information through the ENE to the Key server. When that happens, Apple/Google code is effectively handling location information, and absent an audit, nobody knows that it isn't being misused.
I think DP-3T has a vested interest in ensuring that countries, resp. PHA's, that do not wish or cannot afford to develop their own GAEN apps nevertheless enjoy the same level of privacy and security as those that do, and I would encourage you to increase the pressure on Apple/Google to permit a code audit, this independent of any plans that the Swiss FOPH might or might not have to replace SwissCovid by the Exposure Notifications Express.
The text was updated successfully, but these errors were encountered: