Updates announced to England and Wales presence tracing (QR checkin) app functionality. (short thread translating what these things mean)
1st point isn't actually a change to the app or regulations. The regulations have always required everyone individually to scan in if they used the app, but allowed a 'lead member' to represent a group of up to six. This would abolish the latter. More: michae.lv/law-of-qr/
Venue history upload is controversial. The DPIA has not yet been updated to show the privacy-preserving method that the press release claims to use. May also make people wary to upload venue data. Cannot analyse without further information.
The third point makes it seem like the gov are moving to automatic testing (not quarantining) alerts for presence tracing or check-in. Less extreme than automatic quarantining (w/o public health sense check of whether the index case was in the venue in a way that posed a risk)
Unclear what the 'New QR Code Posters' means, although this could be because the original app used a proprietary and inefficient encoding (taken from New Zealand's NZ Diary app) which didn't work well from distances or on screens. (see revk.uk/2020/09/how-no… from @TheRealRevK)
Presumably the 'New QR Codes' are not about changing the data within the QR code to facilitate a new protocol, else every venue has to reprint. Have to assume they just encode the same data. @TheRealRevK's blog has helpful comparison between what they are and could be with same data
The England/Wales QR system made some good design choices from start - but still residual abuse risk, needs oversight of use. The Scotland system 'Check In Scotland' (launched after lockdown so no-one knows it) needs a LOT more scrutiny. Appears to be central database of visits.
(I missed the word manually there – somebody could only represent group of up to 6 if providing their details manually, but those who use the app could not represent others, largely as they wouldn’t be notified about where they were at risk so couldn’t tell their friends)
So weirdly the first point in that new release says there will be a change of law, but it only affects people who are signing in manually and puts more of an obligation on them.
Anyway all the details and references are in the blog post for that aspect
We outline current approaches to accessing enclosed data, and argue that GDPR transparency, access, portability rights can be a powerful bottom-up, adversarial data access tool, if used well.
We outline the nature of those transparency provisions for those unfamiliar, and show how they can be used, elaborating on legal, ethical and methodological challenges — a bit like a mini-manual. A lot more could be said — but we hope this helps researchers make a good start.
Core to the DMA is the idea of "core platform services" and providers thereof, listed here and defined either within the reg or in previous regs. Big and powerful providers of these are in scope, basically.
The juicy parts of the DMA are Articles 5 and 6. These contain obligations for gatekeepers in relation to core services. Art 6 obligations can be further specified by the EC through implementing acts.
Today's Online Harms consultation response is perhaps the first major UK divergence from a big principle of EU law not tied to Brexit directly: it explicitly proposes a measure ignoring the prohibition on requiring intermediaries like platforms to generally monitor content.
The e-Commerce Directive art 15 prohibits member states from requiring internet intermediaries to actively look for illegal content; this is because the awareness would make them liable.
The Online Harms White Paper roughly kept with this, indicating that automatic detection systems were an approach platforms could use, but they would not be required to. Consultation responses (unsurprisingly) agreed.
After a long, unnecessary saga, England/Wales launches a decentralised contact tracing app based on the DP-3T work led by @carmelatroncoso, following other regions of the UK.
The original was a triple whammy of hubris: wouldn’t work abroad, wouldn’t work technologically on platforms, centralisation open for abuse and function creep.
This version has much better foundations.
I understand mistrust that may linger — but please do try this new one.
We’ve also learned plenty about platforms. If governments want the citizens to be able to run arbitrary code on mobile devices, making use of all sensors, they’ll need the law to crack open walled gardens. theguardian.com/commentisfree/…
I suspect students in England will make a very large number of subject access requests under the GDPR to schools from tomorrow for their teacher-estimated grade as well as rank-order in the class — information which will likely have determined their university entrance. 1/
There is a relevant exemption/delay provision in the Data Protection Act 2018 sch 2 para 25 for exam scripts, but this only pushes the deadline to a minimum of 22 September 2020. The ICO has confirmed this. ico.org.uk/global/data-pr…
The only time I can see a plausible ground for this grade to be refused is where the rank order reveals data about others, such as in classes of 2 or 3 (wow). Even then, no presumption against disclosure (see DB v General Medical Council [2018] EWCA Civ 1497).