ONGOING RESEARCH INTO CONCERNS RELATING TO DATA REGARDING TRUST, PRIVACY, AND AGENCY
THAT CRYSTALLIZED AROUND THE CONTACT TRACING APPS
Data brokers are selling mental-health data online, according to a new report from the Duke Cyber Policy Program. The researcher asked 37 data brokers for mental-health information, and 11 replied willingly. The report details how these select data brokers offered to sell information on depression, ADHD, and insomnia with little restriction. Some of the data was tied to people’s names and addresses.
In an interview with PBS, project lead Justin Sherman explained, “There are a range of companies who are not covered by the narrow health privacy regulations we have. And so they are free legally to collect and even share and sell this kind of health data, which enables a range of companies who can’t get at this normally—advertising firms, Big Pharma, even health insurance companies—to buy up this data and to do things like run ads, profile consumers, make determinations potentially about health plan pricing. And the data brokers enable these companies to get around health regulations.”
On March 3, the FTC announced a ban preventing the online mental health company BetterHelp from sharing people’s data with other companies.
This article is from The Technocrat, MIT Technology Review's weekly tech policy newsletter about power, politics, and Silicon Valley.
If you use Google, Instagram, Wikipedia, or YouTube, you're going to start noticing changes to content moderation, transparency, and safety features on those sites over the next six months.
Why? It’s down to some major tech legislation that was passed in the EU last year but hasn’t received enough attention (IMO), especially in the US. I’m referring to a pair of bills called the Digital Services Act (DSA) and the Digital Markets Act (DMA), and this is your sign, as they say, to get familiar.
The acts are actually quite revolutionary, setting a global gold standard for tech regulation when it comes to user-generated content. The DSA deals with digital safety and transparency from tech companies, while the DMA addresses antitrust and competition in the industry. Let me explain.
A couple of weeks ago, the DSA reached a major milestone. By February 17, 2023, all major tech platforms in Europe were required to self-report their size, which was used to group the companies in different tiers. The largest companies, with over 45 million active monthly users in the EU (or roughly 10% of EU population), are creatively called “Very Large Online Platforms” (or VLOPs) or “Very Large Online Search Engines” (or VLOSEs) and will be held to the strictest standards of transparency and regulation. The smaller online platforms have far fewer obligations, which was part of a policy designed to encourage competition and innovation while still holding Big Tech to account.
https://www.technologyreview.com/2023/03/06/1069391/safer-internet-dsa-dma-eu/?
2022 marked an important year for digital rights across the European Union as the landmark Digital Services Act (DSA) came into force on 16 November seeking to foster a safer and more competitive digital space.
The DSA overhauls the EU’s core platform regulation, the e-Commerce Directive, and is intended to be an important tool in making the internet a fairer place by setting out new legal responsibilities for online platforms and educating users on why content is removed and what they can do about it. The powers of Big Tech are also reined in as the DSA subjects “very large online platforms (VLOPs)” to comply with far-reaching obligations and responsibly tackle systemic risks and abuse on their platform. These risks cover a variety of aspects, including the dissemination of illegal content, disinformation, and negative impact on fundamental rights. VLOPs also face oversight through independent audits, which will assess whether platforms respect the obligations under the DSA.
Health data and the destruction of GDPR
OpenRightsGroup
154 views Nov 11, 2021
Watch this urgent briefing about the current “Data A new direction” proposal, which aims to make it easier to reuse NHS health data for commercial purposes. Learn how patients’ rights will be impacted, and what you can do to fight back. https://www.openrightsgroup.org/campa... SPEAKERS Phil Booth is coordinator medConfidential, an independent, non-partisan organisation working with patients and health care professionals to campaign for confidentiality and consent in health and social care. Martin Blanchard is a retired doctor/academic and a medical campaigner with Keep our NHS Public, a non-party-political organisation campaigning against the privatisation and underfunding of the NHS. Mariano Delli Santi is Open Rights Group’s legal and policy officer. He works on promoting privacy in the online advertising sector, and supports ORG strategic litigation and political advocacy efforts.
INVASIVE APPROACH
The EISS was jointly developed by the KCDC and the Ministry of Land, Infrastructure and Transport, with the help of the Korea Electronics Technology Institute (KETI). Many details of how the system works and some limitations of the programme have not previously been reported. A scientific paper on the system was published in a public health journal only on Wednesday.
Authorities’ power to get information was established by a 2015 law called the Infectious Disease Prevention and Control Act, introduced after the country was hit by Middle East Respiratory Syndrome (MERS).
The law allows South Korean health officials to access a wide range of personal data, including cellphone location information and credit card transactions, without a court order.
While many countries are scrambling to develop smartphone apps that can trace the contacts of patients without revealing detailed personal information, South Korea has forged ahead with a more invasive approach.
Contact tracers turned to the country’s Epidemic Investigation Support System, a digital platform introduced in South Korea amid the pandemic that allows investigators to access cellphone location information and credit card data of infected individuals in as little as 10 minutes.
Cellphone GPS data revealed that the student had briefly overlapped with another known coronavirus patient from a different city and province altogether, a door-to-door saleswoman who had visited Jeonju. Their connection was a first-floor restaurant on the afternoon of June 12 — for just five minutes.
The big lesson from South Korea's coronavirus response
Testing and tracing were the key to slowing the spread of coronavirus.
--------------------------------------------------------------------------------------------
Revellers dance at a nightclub almost a year after the global outbreak of coronavirus in Wuhan, China (Reuters)
In a crowded Wuhan beer hall, Zhang Qiong wipes birthday cake from her face after a food fight with her friends.
“After experiencing the first wave of epidemic in Wuhan, and then the liberation, I feel like I’m living a second life,” says Zhang, 29, who works in a textiles shop in the central Chinese city that was the original epicentre of Covid-19.
For Singaporeans, the covid-19 pandemic has been closely intertwined with technology: two technologies, to be specific. The first is the QR code, whose little black-and-white squares have been ubiquitous all over the country as part of the SafeEntry contact tracing system rolled out in April and May.
Under SafeEntry, anyone entering a public venue—restaurants, stores, malls—must scan a code and register with a name, ID or passport number, and phone number. If somebody tests positive for covid-19, contact tracers use it to track down those who got close enough to be potentially infected.
There’s also TraceTogether, an app that launched in March 2020. It uses Bluetooth to ping close contacts; if two users are in proximity, their devices trade anonymized and encrypted user IDs that can be decrypted by the Ministry of Health should one person test positive for covid-19.
For those who can’t or don’t want to use a smartphone app, the government also offers TraceTogether tokens, small digital fobs that serve the same purpose. And while TraceTogether is currently voluntary, the government has announced that it is going to merge the two systems, which would make it mandatory to either download the app or collect a token.
When the two systems were launched, there wasn’t much space for the public to discuss apprehensions: they were seen as necessary to fight the pandemic, and the Singaporean government acted in typical top-down fashion. It did seek to assuage fears, however, by repeatedly assuring Singaporeans that the data collected with such technology would be used only for contact tracing during the pandemic.
And that’s where things went wrong.
Private data being used by police
Earlier this month, it emerged that the government’s claim was false. The Ministry of Home Affairs confirmed that data could actually be accessed by the police for criminal investigations; the day after this admission, a minister revealed that such data had, in fact, already been used in a murder investigation. It rapidly became clear that despite what ministers had previously said, Singaporean law meant it had been possible for law enforcement to use TraceTogether data all along.
These revelations triggered public anger and criticism, not necessarily because Singaporeans are particularly privacy conscious—in fact, state surveillance is largely normalized in the country—but because people felt they’d been subjected to a bait-and-switch. Many people had reservations about TraceTogether when it was first launched, and only began using it in large numbers after the government indicated that it would soon become mandatory. (According to the cochair of the task force on covid-19, nearly 80% of Singapore’s residents have adopted TraceTogether.)
The government has since announced that it will introduce new legislation to limit law enforcement’s use of contact tracing data to probes into seven specific categories of offense, including terrorism, murder, kidnapping, and the most serious drug trafficking cases. (The MIT Technology Review Covid Tracing Tracker, which monitors the policies around exposure notification apps worldwide, is being updated to reflect this shift.)
“We acknowledge our error in not stating that data from TraceTogether is not exempt from the Criminal Procedure Code,” said the Smart Nation and Digital Governance Office in its statement. The new law, it said, “will specify that personal data collected through digital contact tracing solutions … can only be used for the specific purpose of contact tracing, except where there is a clear and pressing need to use that data for criminal investigation of serious offences.”
Not in the original spirit
There is no timeline yet as to when the proposed legislation will be brought before parliament, and details are scant.
“In Singapore, where laws grant sweeping executive and legislative powers to state actors, I think any commitment to accountability and restraint is welcome,” says digital rights activist Lee Yi Ting. “But it remains to be seen if the bill will make substantive commitment to these proposed limitations. For example, if state actors flout these regulations, what investigative bodies will come into play, and what consequences will state actors be held to?”
Some doubt how useful such data can really be to police investigations and are concerned that even the proposed limits still formally expand its use beyond contact tracing.
“We like to reiterate that extending police powers to [TraceTogether] data is not aligned to the original spirit of what the dataset was intended for,” said the opposition Progress Singapore Party in a statement. “Covid tracing data must solely and strictly be used for fighting the pandemic and nothing else.”
Related Story
Trust is on the line
The confusion could not come at a more difficult time. Concerns that governments could abuse contact tracing systems have been raised around the world. Many of these worries have been misplaced, especially in countries that use Google and Apple’s exposure notification technology, which does not allow centralized collection by local authorities. The Singapore government had previously rejected Apple and Google’s system, saying that it would be “less effective” in the Singaporean context.
But while digital systems could speed up contact tracing and aid in the fight against the virus—one that could be more vital over time, not less—most countries have struggled with adoption. One major issue: trust.
Lee worries that even if legislation is enough to placate many Singaporeans, the implications outside the country could be serious. Singapore’s early move to build digital contact tracing put it in a global leadership position, and TraceTogether’s underlying systems have been used by other nations—though there is no suggestion that the same legislative mistakes were made elsewhere.
Still, “Singaporeans do care about the extent to which the state intrudes into their private lives,” says Lee. And, she adds, the country is setting an international precedent “for repressive governments to likewise normalize the use of contact tracing data for the purposes they define.”
https://medium.com/wintoncentre/coronavirus-and-public-trust-e156c89be5d4
The Winton Centre For Risk and Evidence Communication wanted to find out what it could about how the public is actually reacting, not how it might in theory, which is mostly what the government reasoning goes into.
What does the public think of the information we’re getting? Do people trust it? Do we trust the government? Do we think they’re getting the strategy right? How worried are we?
So, we ran a fast survey, collated overnight, to get a sample of opinion in both the UK and the US. The same survey is now running in Australia with Spain, Germany, Mexico and Italy planned over the weekend, and we’ll run it again soon in the UK to look for changes.
Imperial College London
Real-time Assessment of Community Transmission (REACT) Study
Imperial College London is leading a major programme of home testing for COVID-19 to track the progress of the infection across England. Called REACT, the programme was commissioned by the Department of Health and Social Care, and is being carried out in partnership with Imperial College Healthcare NHS Trust and Ipsos MORI.
Find out more about REACT and read findings from the programme here.
Trackntracer twitter bot
https://twitter.com/trackntracer
Drawing on several previous works, the new work: Pandemonium takes the NHSCovid19 app as it’s focus, with @trackntracer twitter bot (recently followed by Richard Eudes Director of Deloitte*) deployed as a research assistant, taking the temperature of public debate, rt’ing mentions of track and trace since November 2020.
The track and trace apps quite naturally exceed all previous anxieties regarding surveillance, reaching across bio-medical practice to behavioural analysis, and, at the same time, hold the promise of a pragmatic approach, which, seemingly, when used in combination with measures such as mask wearing, social distancing protocols and an effective vaccination programme, could mean the possibility of a return to being able to co-mingle, once again – as can be seen in several countries success in controlling the pandemic, the world over.
A volatile feed where concerns crystallize around biomedical data, privacy, personal freedoms, and a wild variety of conspiritualities, as conspiracy meets the wellness industry.
Many of which relate to practices of data management and analysis, that raise security and privacy concerns, with worries about mission creep made possible by the financial underpinnings of the app, and the expectations of those investing, and contributing. That the app is in any way discussed as the entry point to vaccine passports, confirms the worst fears of a particularly b-movie bio-political sort, whilst the need for mass medical data to provide deep insights into the behaviour of new variants of the virus, doesn’t diminish with our lack of appetite for what seems like surveillance by the back door.
* one of the private companies invested in the app
see further writing on this whilst on the residency on Risk, at Radar, Loughborough University during the pandemic
DATADATADATADATADATADATADATADATADATADATADATADATADATA
DATADATADATADATADATADATADATADATADATADATADATADATADATA
DATADATADATADATADATADATADATADATADATADATADATADATADATA
DATADATADATADATADATADATADATADATADATADATADATADATADATA
DATADATADATADATADATADATADATADATADATADATADATADATADATA