Comments (3)

pdehaye commented on September 4, 2024

Data exchange between countries was always going to be a problem for SwissCovid, especially given DP-3T's rather cavalier approach to what legally constitutes "personal data". It seems - but it is hard to pin down - that SwissCovid operates on the pretense that all those identifiers circulating and then stored in the clear do not constitute "personal data", which flies against existing Swiss case law. This also is opposite to what other European countries have sensibly decided (some walked backwards into this decision, but indeed they had to agree as there was a level-up effect if they wanted to interoperate between them).

Your concerns are valid, but I would address them elsewhere if you want to effect true change. Switzerland has managed to sideline itself completely on issues of legal interoperability, and it has been a few months now anyways since the DP-3T team has had any impact on decisions taken by Google and Apple (if there was ever a time where that was the case).

from documents.

pdehaye commented on September 4, 2024

@r-r-liu I was trying to respond to your valid remark. You mentioned privacy and ENE interoperability, with a technical lens. I added a legal layer to your argument, and explained why you are barking up the wrong tree here, talking to the DP-3T collaboration.

I had the poor idea of putting "personal data" in quotes because I was referring to the legal definition of what constitutes personal data: "data about an identified or identifiable individual". The legal systems are either EU Member States' (following case law from Court of Justice of the European Union) or the Swiss legal system (following case law such as Google Street View).

The data that I claim are personal data are:

  1. Rolling Proximity Identifiers (also called EphIDs) when in flight (because they can be intercepted by others, this data is made public) - as well as the Associated Encrypted Metadata;
  2. RPIs once stored on someone else's device - as well as the AEM;
  3. Temporary Exposure Keys once stored on the server;
  4. Temporary Exposure Keys once downloaded back to the apps.

You mention that GAEN is handling a bunch of stuff, and that "whatever objections [I] have to SwissCovid might well extend to all or some other national Covid-19 apps based on GAEN." It is true that GAEN is handling a bunch of stuff. Nevertheless the party legally responsible for this is the national health authority (see Section 4 of the Exposure Notification APIs Addendum). As you will read there,

> You acknowledge and agree that You are, in Your capacity as the legal entity responsible for any user data processed in connection with the use of Your Contact Tracing App, solely responsible for complying with applicable data protection and privacy laws and regulations.

My beef is thus with countries who took shortcuts with that last bit, and this is my basis for telling you those countries might not care very much about the issue you raise, or have put themselves in such a position that they can't do anything about it.

r-r-liu commented on September 4, 2024

A Note to Those Who Believe that This Discussion Does Not Belong Here
Please suggest where it does belong. Admittedly, @pdehaye seems to be taking it in a direction that I had not intended. Interoperability is not the issue that I have with ENE, it was just an example of that issue, based on information in DP3T - Interoperability Decentralized Proximity Tracing Specification (Preview) that suggested that, if DP-3T compatible apps are allowed to take advantage of the designed-in compatibility, the user would have to tell his app the foreign region in which he is operating it so that his regional backend could exchange exposure lists with the other region's. If his region chooses not to develop its own app but to use ENE instead, presumably he would have to communicate that information to the backend through ENE, in which case Apple/Google code would be able to connect the mobile phone's operator to a region that he visits.

@pdehaye:

I believe you are confused. Where exactly (i.e., on which device(s)) is "what legally constitutes 'personal data'" being stored in the manner that you describe, and why do you put quotes around personal data? Is it, or is it not, personal data, and by what criteria and whose legal system? If you wish to continue this discussion, please refer to the components of the system as outlined in DP3T - Data Protection and Security when justifying your objections. Please be aware that some features of the system described in the document have not in fact been implemented. You might also wish to peruse DP-3T White Paper to inform yourself about the three designs for decentralized proximity tracing that DP-3T provides. I believe I read somewhere that GAEN doesn't "do" all designs, just the simplest, which would be the one that provides the least elaborate privacy, but I can't find the reference right now. What is the case is that GAEN is evidently handling the generation and broadcasting of the EphIds, the logging of received EphIds, the pulling of the possible infections from the backend and even some steps in the calculation of the exposure risk score. Therefore, whatever objections you have to SwissCovid might well extend to all or some other national Covid-19 apps based on GAEN.

If you have been following the discussion about interoperability of various regional versions of the app, you will be familiar with DP3T - Interoperability Decentralized Proximity Tracing Specification (Preview). It is plain and evident that interoperability was designed into the system. Furthermore, Sang-Il Kim, Director Digital Transformation, FOPH, confirmed in one of his first press conferences that interoperability is not a technical problem, but a political one, in this case, having to do with the EU's insistence on a Framework Agreement before discussing any cooperation with Switzerland, in this case, in the area of public health. Neither my nor your view on this political issue is germane to this technical discussion.
