Privacy activists prep legal challenge against UK plan to keep coronavirus contact-tracing data for two decades Privacy rights campaigners are to legally challenge the British government's decision to retain for two decades the data of people that test positive for COVID-19 under the test-and-trace system. The Open Rights Group (ORG) asked data privacy lawyer Ravi Naik to draft a letter outlining its concerns following the policy of …
I've been locked down with two vulnerable octogenarian parents for five months now, would love a tech balm to this - just can't trust Westminster/Cheltenham an inch.
The very fact they are insisting on keeping the data for beyond the pandemic is just expletively untrustworthy and self-defeating.
Pre-lockdown, I found myself at a reunion weekend with a few pals from my university days, and got into a conversation about this very topic. It transpired that he lived and worked in Cheltenham, and looked at the floor as he said that we have nothing to fear if we've got nothing to hide. I pointed out that while I was able to accept their intentions, they have given full access to far too many careless people who routinely leave disks, keys and laptops laying about. Eyes look up; "Hmmm. There is that"
They think they'll actually have any data?
I'm not getting the app.
I'm assuming all texts and calls are frauds. (Statistically it's almost a slam dunk that people will get far more fake texts and calls than real ones).
And the people they really need, tend to be elderly, no mobiles and landlines that reject calls from unknown numbers.
"They think they'll actually have any data?"
If somebody who's tested positive names you as a contact then they'll have data on you. You didn't give it to them but they'll have it. A bit like Facebook and the rest rifling through subscribers' devices' contacts and grabbing data about 3rd parties.
It drives a coach and horses through data protection legislation. About the one hope is that the EU turns round and denies equivalence to GDPR unless it's changed. Just about every aspect of this has a red flag flying over it. It would help if someone in charge had a really solid reputation for safeguarding PII. What we have instead is Dido Harding.
Unfortunately it doesn't. Article 9.2(i) allows unspecified processing of sensitive personal data for reasons of "public health". What it does drive the coach and horses through is the principle of data protection by virtue of the proposed retention time. However if they provide a "justification" for this that will satisfy the ICO (and almost any justification will probably do that as this is a "crisis") it remains entirely lawful.
However, unless they plan to "repurpose" the data later (which could indeed be unlawful) it will still be pointless as the data will become useless very quickly for the expressed purpose of tracing COVID contacts - in fact within a year or so of the pandemic ending - because people move around.
I suspect that they want to keep it around for some time so that they can refine models for the virus spread. It's perfectly normal when refining a model to define a start position, then run the existing data through and compare the results of the model against the actual data. You then see where the differences lay, refine the model, rewind the data and try again.
Of course, you can't just rely on one set of the data, it will be sliced up in various different ways to try to make sure that the model is not just modeling one situation.
This means that they need as much data as they can get. It also means that the personal aspect of the data becomes irrelevant, and indeed it should not matter if it was as completely anonymized as possible.
But that is just for creating the transmission model. They may also want to analyze the ethenic differences, the regional differences and any number of things that I've not yet thought of.
The question is not that the information is useful, but whether it is possible that it could be retrospectively misused to identify individuals behavior after the fact. This is the most worrying thing. In theory it should not be allowed, but who will police the use of the data at a later time.
Imagine if they impose a lockdown again, and then decide at a later date after the lockdown to issue fines to increase the government coffers by mining the location and movement data contained in the dataset to people who could be proved to have violated the lockdown rules.
Or imagine if it had been running, and the press got the actual movement information through a leak of a certain Mr. Cummings, or indeed any of the members of the government or their extended team who have had to apologize (or not) for having a different interpretation of the requirements of the lockdown·
I am a septuagenarian. I have absolutely no intention of participating in contact tracing or antigen testing.
My understanding of infectious disease epidemiology far surpasses that of any member of government and that of most of the so-called experts it has called upon for (sometimes self-serving) advice. Whilst some of those consulted have sound credentials in 'science' (at least by present day standards) the impression is of them ploughing narrow furrows.
What sorely is lacking is advice, this either not sought or not heeded, on risk assessment, weighing one risk against another, and balancing consequences of not taking an action against anticipated deleterious results of that action.
What appears on offer is a patchwork of understanding but with nobody capable of sewing the patches into a tapestry and thereby grasping the big picture. The whole sorry process being overlain by tacky political considerations. It is no consolation to be aware that clowns drawn from any other party at Westminster would have been unlikely to fare better though perhaps their leader might have displayed less hubris than Johnson.
We now have a spooked population with many fearful to emerge from their homes. There are cretinous individuals, sadly including some police officers, who worry over outdoor separation, almost to the inch, whilst not understanding the extreme unlikelihood of contracting infection in that setting. Technological solutions to contact tracing and testing for infection are an utter waste of resources and give false reassurance to the nervous.
Meanwhile, the general public, now very confused, is distracted from deploying the one measure which above all slows spread of the virus: hand hygiene. Somehow all the 'experts' failed to consider the relatively low-cost expedient of issuing, free of charge, hand cleansing gel for people to carry on their persons; its mass manufacture is simple and quickly organised by refocusing breweries and distilleries.
-----
Released under the Creative Commons Attribution 4.0 international license.
Contributions to the author's wine and general comfort fund to the Bitcoin address below please.
1Kz9AteVKnt3xb4wfDtAZH2DhnU3dy1Wkt
The 20 year retention period is so ostentatiously excessive that it might be deliberately provocative. For one thing it is a dead cat that most people are focusing on at the expense of all the other stuff in there - which will consequently get waved through without comment.
And perhaps the Government actually wanted five years. After that time the data is probably too stale to be useful for identifying the friends of people deemed troublemakers. It's still vastly excessive for the infection control purposes stated, so there would still be the firestorm of criticism if they demanded that up front. So they stick 20 years in and then will eventually begrudgingly compromise on ten years. The Government gets everything they want and more, and at the same time fool the plebs into feeling that the Government has listened to criticism, bowed to public opinion etc. It will look like democracy in action.
>The 20 year retention period is so ostentatiously excessive
Is it?
Remember your medical records are retained for circa 30 years - which at times isn't actually long enough when it come to hereditary conditions or as I discovered my adverse reaction to certain strains of penicillin had been deleted from my file....
So if you've tested positive your medical records should contain a note to that effect; also both PHE and the NHS come under the Department of Health...
The incubation period for this disease is well established. It is less than twenty years. It is less than ten years. It is less than one year. It is, by all measurements, much less than one month. As there might be a little doubt, we could compromise on one month. No higher.
In addition, there has not been a valid argument thus far as to why the data for people who have not tested positive needs to be available to the government at all, nor was there a valid argument for why the information has to be connected to identities. Contact tracing would function equally well* with anonymized details which are released publicly and to health authorities only on a positive test and identifiable only by contacting devices using privately-stored information.
*In fact, it would work better. Many people would be willing to use such an app if it worked in this anonymous and private way, but would refuse if it did not. With more uptake, the results would be better.
>The incubation period for this disease is well established. It is less than twenty years. It is less than ten years. It is less than one year. It is, by all measurements, much less than one month.
Oh dear, letting your emotion think rather than use your head...
It doesn't matter what the incubation period is, it is most certainly shorter than the length of time the social networking data contained in the data set will be useful to researchers.
For clarity, I use the term "social network" in the sense used by researchers such as Nickolas A. Christakis and James H. Fowler.
I anticipate very little research of any real value will come out of the data collected by the Apple/Google app.
It does matter what the incubation period is. The stated purpose of the app is to track contacts. You don't need years of data collection to do that. It is not to provide a bunch of unverifiable and possibly polluted data to researchers, and it wouldn't. The data only concerns who is near to whom, and has a lot of noise they couldn't filter out, such as the possibility of barriers between people that the app couldn't detect. It wouldn't be of much use to researchers, and even if it would, nobody ever agreed to turn their lives over to researchers.
I would use an anonymized, secure app. I would use it because I think it has the potential to save lives. I would not use it in order to provide raw data for researchers. It wouldn't help, and it was never part of the stated purpose.
> The stated purpose of the app is to track contacts. You don't need years of data collection to do that.
This is about "data retention", which is different to "data collection"...
Although it is clear that CoViD19 is likely to be doing the rounds for some years to come... So there is no obvious end date when people might delete a tracking app from their phone.
It is about both retention and collection. But primarily, it is about collection. People who intend this as a data stream for research purposes will want to collect and retain more. Neither are needed for contact tracing, and thus neither are justified. Even collecting the unneeded information (contact information for people who have not tested positive, for example) without retaining it for long periods would not be acceptable. Don't fight about retention just yet--fight about collection first and then we can decide about retention of the much smaller set of allowable data.
Oh dear, letting your emotion think rather than use your head...It doesn't matter what the incubation period is, it is most certainly shorter than the length of time the social networking data contained in the data set will be useful to researchers.
If they want to use data about individuals for research then they should be seeking informed consent from the participants. See the Helsinki Declaration and the European Convention on Human Rights etc.
From a practical perspective, the success of the test and trace project is dependent upon public trust, and anything that further erodes that trust will lead to more death.
"Mandating" is very difficult without mandating ownership of a) smartphones* and b) those with certain operating systems. With no difficulty at all my main Android phone could become a home-based terminal whilst any one of my Sailfish or Nokia/Sony Eriksson chocolate bar phones become my everyday carry (perhaps a different one on a cycle only I understand!) I won't be the only one El Reg reader, let alone UK citizen, that does something similar. As I've said many times, if government wants my identifiable data, it should ask for permission. Make it an advantage to me, not solely to them, and persuade me it is going to handled properly, and then we'll begin to talk.
*I know India has developed a system for some feature phones, but only some.
With much fanfare the misleadingly named CovidSafe app was rush-released in Australia. It is subject to the usual dud programming and data slurp overreach
It was downloaded by about 30% of the mobile phone users but has sunk without trace. As far as is known it identified ONE possible case.
Australia's success in containing Covid 19 is not dependent on this bullshit "app"
FYI a few entitled individuals, including politicians, demonstrated their belief that the social isolation and other measures were only for the "little people" - it did not end well.
So... You're not "doing the three" for the greater good? :D
Whenever someone tells me to download some app, my automatic reply is "no" - give me a website or nothing.
It is an interesting exercise to plot the number of covid fines and dollar value of each fine against the percentage of left wing party seats in each Australian state parliament.
From a philosophical point of view, it is also interesting how the "public good" over-rides the good of the individual. The problem with this approach is that it automatically discards all data-points regarding the good of the individual and only measuring the one data point you want for "the public good." I think this is dangerous as it disconnects policy from criticism and thus insulates the policy-makers being answerable to the public, because the state machinery is employed only to collect the data the policy-makers want. We saw this in the changes in ways covid deaths were recorded.
Given that the NHS appears to destroy your health records if they are older than 10 years, regardless of whether there is anything relevant for future treatment I don't understand why they consider 20 years for this.
Having gone through needing an MRI scan but knowing I had an implant from 1998 we needed to establish that it was safe as you have to declare it on the safety form.
There was no record of this ever being fitted. This lead to a stupid back and forth argument as they only had my understanding of what was done.
What was really stupid is the implant was not metallic or had any possibility of being affected by a magnet.
I requested my hospital records to see what there was and everything older than 10 year had been destroyed. This was a mix of paper and digital.
The reasoning is pretty clear. A huge dataset of who is in proximity to who? Brilliant.
Until, of course, twenty years down the line when some men in expensive suits haul you over the coals over your association with a person known to not have the state's best interests in mind. How were you to know that the person at the table behind you (separated by a screen and stairway) was a Guardian journalist...
Still, it's recorded right there. You both spent forty minutes together.
Explain.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
