The Luca QR code Covid app (a for-profit system flogged to 🇩🇪 Länder) has been compromised (in a way that the official CoronaWarnApp’s QR system can’t be), through a website that lets you check in any phone number to wherever you want—even regional prime ministers! 🧵 on the saga:
While hard to believe, Luca was adopted by Länder after huge lobbying from the hospitality sector, who convinced them that a hasty app with a 6-month free trial for venues & a big cost for health authorities would i) allow reopening, ii) help Länder win upcoming 🗳 by making the national gov look slow
Luca’s slick PR campaign, where they became mostly known to health authorities by aggressive marketing with celebrities, meant that no-one discussed or scrutinised the technical details. Politicians have even admitted this, and DPAs accepted statements of ‘encryption’ as secure.
Despite it being an infrastructure they had no control or say over, local governments were already shelling out money which, in practice, was just subsidising Luca’s attempt to make a platform. It had even partnered with ticket companies! netzpolitik.org/2021/digitale-…
Luca was also careful to never mention the pandemic, coronavirus or COVID in its app description on app stores, so as not to trigger extra checks (and in line with its platform dreams). Not that app stores should govern the world, but it betrays the firm’s mentality.
@thsStadler led an analysis of how misleading the app’s security claims were, even when you gave its under-specified schematic (belatedly published) every benefit of the doubt arxiv.org/abs/2103.11958. A letter from hundreds of IT experts was published here digikoletter.github.io
If you speak 🇩🇪 or don’t mind translating, there’s an extensive and surreal thread on the Luca saga here from MP @anked
More on some of the political and technical absurdity around Luca zeit.de/digital/datens…
There’s a legal angle too. Unlike in England, where the law states that those using the official QR code that permits notification do not need to manually provide details, in Germany regional laws (eg Bavaria GVB 562 (23 June 2020) s 3 verkuendung-bayern.de/baymbl/2020-56…) do not permit this
(I’ve written on the English QR code legal regime here michae.lv/law-of-qr/)