Let’s go through Matt Hancock’s letter to @HarrietHarman @HumanRightsCtte on the NHSX app and take a closer look at some of these statements 1/
While any data collected *by* the user’s smartphone will not be shared, in centralised systems, other people share your identifiable data. All your broadcasts look like the same single device ID to the Gov. Other people upload their contacts with you, without consent.
In a decentralised system, data observed about others NEVER leaves ANYONE’S phone, ever. The reason Hancock can say data never leaves your device without your consent is because it doesn’t need to — it leaves the phone of people who have seen you, without your consent instead!
Publishing the protocol and source code of a centralised system (hasn’t happened yet) is of little use unless significantly BEFORE an app is rolled out, and it includes the source code of the back-end server, because that’s where everything happens in a centralised system.
In the #DP3T project, upon which the decentralised Apple-Google approach is based, we published our full v1 protocol on 3 April and iOS/Android/Backend code on 13 April. Lots of scrutiny since then which has helped us improve. UK: it’s already in the app store, and nothing yet.
The Information Commissioner has also said in evidence they had not yet seen the DPIA, and their head of technical policy said under two weeks ago that they had not yet seen technical documentation.
It is not possible to use the app without centralising personal data under data protection law. All identifiers decrypt to a unique device ID. All data on the central server is personal data within the meaning of UK law, not anonymous, and which can single a user out.
(Note in the last message Hancock uses the term ‘personally identifiable data’, or PII. This is a US law concept which refers to things like names, passport numbers, which doesn’t exist in UK law and which is much, MUCH narrower than the definitions in the rest of the world)
This sentence is a bit of a sleight of hand. Of course data stored on the phone is deleted when you delete the app. You can also burn the phone. Matthew Gould, CEO of NHSX, said to @HumanRightsCtte that they would not permit users to delete data on the server, in the social graph
There are many reasons why you need to legislate. This app makes automated, significant decisions (or measures) which tell people to fundamentally change their lives. Article 22 of the GDPR and the DPA s 14 make it clear this requires a basis in law. See osf.io/preprints/lawa…
(clarity: there is a high level overview doc released a few days ago by NCSC that could count as a protocol, although it certainly does not cover everything. but better than nothing)
Keep Current with Michael Veale