Pro Huawei (and all national security technology providers)

Passed to manage national security problems caused by the use of Chinese technology, a Prime Minister Decree dictates new and problematic rules for contract negotiation in the Italian telco market
by Andrea Monti – published initially in Italian by Infosec.News

This article analyses the issues related to the practical application of the Conte-Huawei Decree issued last August 7, 2020, which sets out the conditions under which TIM S.p.a. can use Huawei’s 5G technology, reducing to an acceptable level the national security risk also feared by the Italian Parliamentary Committee on Secret Services (COPASIR), after the alarms launched by the USA. The article highlights the critical issues arising from a legally incorrect approach and concludes that the solution adopted by the Italian Government is worse than the problem it tried to fix.

Before going ahead, however, it would be preferable to read another article that analyses the strategic problems affecting the Decree.

Data transfer in the USA, restrictions from the German Data Protection Authority

Unbreakable cryptographic systems requested, but technical requirements are missing
by Andrea Monti – initially published in Italian by IlSole24Ore-Norme e Tributi

On 24 August 2020, the data protection authority of Baden-Württemberg (one of the sixteen federal states of Germany) issued guidelines for the international transfer of personal data, which impose strict rules on interaction with third countries and in particular with the USA. The guidelines, which are only valid within the German state, became necessary following the “Schrems II” ruling issued on 16 July 2020 by which the European Court of Justice annulled the European Commission’s “privacy shield” which allowed the exchange of data with the USA.

The TIM-Huawei Decree and the Chinese knot untangling

The Italian Presidency of the Council sets the conditions to include Huawei’s technology in the Italian 5G network and might help overcome the tensions between the USA and China
by Andrea Monti

The Prime Ministerial Decree of August 7, 2020, allows TIM (the former Italian telco monopolist) to use Huawei’s 5G technology, having identified adequate measures to prevent the risks of using Chinese equipment for Italy’s new generation network. This news follows, and contradicts, the exclusion of Huawei from the tender to provide TIM with the same 5G devices because of the need for “diversification of partners” (a requirement lately imposed by the Conte-Huawei Decree). Originally published in Italian by Formiche.net

COVID-19: the fear of a Police State created a State of policemen

Originally published in Italian by Formiche.net

The Italian controversies on contact-tracing highlight a cultural failure: the misunderstanding of privacy and how to protect it. In short: for fear of an abstract danger of a Police State, we have accepted the concrete fact of having transformed Italy into a State of policemen. A State where the concrete and immediate application of the law protecting public order and (health) safety is entrusted with confusing rules applied arbitrarily.

COVID-19: Contact-Tracing in Italy between Science and Religion

The public debate in Italy on contact tracing is rightly focused on the “obscurity” of how the Government has chosen the software, how the software works and on concerns – more than about “privacy” – about the way citizens’ data are selected, collected and managed.

There are, however, two issues that would have needed a preemptive consideration.

Firstly, about the technological solution identified – or rather, “blessed” by the Italian Government: Bluetooth.

For days and days, the more or less technically competent narrative had crowned the Bluetooth as the only tool capable of achieving effective contact tracing. Then, some Jiminy Cricket (in English, and therefore unfortunately not intelligible in Italy where the “no spik inglisc” is a boast and not a shame) advanced some doubts about the fact that, for example, the range of the Bluetooth is excessive and therefore can generate unreliable results. The thing is so evident that Google has included the possibility to attenuate the signal strength among the features that can be managed via API by third-party programmers.

class MatchingOptions {
  /**
   * The signal strength attenuation value that must be reached within the exposure
   * duration before the match is returned to the client. Attenuation is defined
   * as the advertiser's TX power minus the scanner's RSSI.
   *
   * This value must have range 0-255.
   */
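
An added example (not from the original article and not Google's code) of how such an attenuation threshold filters out devices that are in Bluetooth range but too far away to count as a contact. The names Sighting, is_match, max_attenuation and min_minutes, the sample readings, and the rule that a sighting counts only when its attenuation is at or below the threshold are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Sighting:
    """One received Bluetooth advertisement (constructed sample data)."""
    minute: int        # minute of the scan window in which it was heard
    tx_power_dbm: int  # advertiser's TX power
    rssi_dbm: int      # signal strength measured by the scanner


def attenuation(s: Sighting) -> int:
    """Advertiser's TX power minus scanner's RSSI, kept in the 0-255 range."""
    return max(0, min(255, s.tx_power_dbm - s.rssi_dbm))


def is_match(sightings, max_attenuation: int, min_minutes: int) -> bool:
    """Assumed semantics: report a contact only if sightings whose attenuation
    is at or below max_attenuation cover at least min_minutes distinct minutes."""
    if not 0 <= max_attenuation <= 255:
        raise ValueError("attenuation threshold must be in 0-255")
    close_minutes = {s.minute for s in sightings
                     if attenuation(s) <= max_attenuation}
    return len(close_minutes) >= min_minutes


# Constructed readings: same TX power, different received signal strength.
NEARBY = [Sighting(m, -20, -65) for m in range(10)]  # attenuation 45, 10 min
FAR = [Sighting(m, -20, -95) for m in range(10)]     # attenuation 75, 10 min
BRIEF = [Sighting(m, -20, -60) for m in range(2)]    # attenuation 40, 2 min

if __name__ == "__main__":
    for name, data in (("nearby", NEARBY), ("far", FAR), ("brief", BRIEF)):
        # 255 = no effective attenuation filter; 50 = only strong signals count.
        print(name, is_match(data, 255, 5), is_match(data, 50, 5))
```

With no effective threshold (255) the far device is reported as a contact merely because it was in radio range; with a threshold of 50 only the nearby, sustained contact is reported.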

If using Bluetooth has issues, and mitigating them was not possible before Google provided a way to do so, how did the Government decide that software A was better than software B?

How did the Government decide that this particular software was fit for the job?

Which brings us to the second issue, which is related to providing answers without knowing questions.

In theory, contact-tracing software could:

  • allow one to understand ex-post, once one was infected, whom they came into contact with,
  • warn in real-time if somebody is close to an infected person,
  • enable people to avoid dangerous places due to the presence of infected people, crowds or both,
  • inform the authorities if someone is violating the mandatory quarantine,
  • allow everything, nothing or maybe anything else – like sharing data with medical-scientific research.

Deciding which options to pursue is not a technical or “privacy” issue but a matter of public policy, i.e. of the definition of public health protection objectives. But since there is no trace of this debate – at least publicly – it is difficult to disagree with the aforementioned Jiminy Cricket when he concludes:

All that said, I suspect the tracing apps are really just do-something-itis. Most countries now seem past the point where contact tracing is a high priority; even Singapore has had to go into lockdown. If it becomes a priority during the second wave, we will need a lot more contact tracers: last week, 999 calls in Cambridge had a 40-minute wait and it took ambulances six hours to arrive. We cannot field an app that will cause more worried well people to phone 999.

Which brings us directly to another important and neglected issue: the relationship between science, technology and the ability of the policymaker to understand in order to decide. As I write in an (I hope) forthcoming article,

In principle, looking at science as a constituent element of a political choice poses four orders of problems:
– not everything that is called “science” is science;
– science offers explanations and not certainties with limited validity;
– being a good scientist does not imply also having political sensitivity;
– a political decision can diverge from a scientific evaluation by way of opportunity – or ignorance.

In the case of the Italian contact tracing software (which, in yet another application of nudging, Google renamed to the less threatening “Exposure Notification”) there are no elements to understand how the software was selected.

This happens not only, and not so much, because nobody knows how it works or because there is no evidence of what data it collects and how it manages them, but precisely because those who decide continue to give answers to questions that are not there.