Geoffrey Goodell on Sat, 5 Feb 2022 17:25:30 +0100 (CET)
Re: <nettime> CfP: Critical reflections on pandemic politics:, left-wing, feminist and anti-racist critiques
Hi Carlo

On Sat, 05 Feb 2022 at 04:23:59PM +0100, carlo von lynX wrote:
> Politicians and even the technicians and cryptographers involved in developing
> this technology are assuming the proprietary operating systems provided with
> our devices will not spy on such data. Snowden has shown us, that this is not
> a realistic assumption, but we failed to take the drastic measures that need
> to be taken since 2013, so now we are walking this slippery line by which some
> entities on the planet have a totalitarian knowledge about us - but it's the
> same entities that also digest all of our emails and automatically transcribe
> all of our phone calls, so a vaccination document is not going to enhance that
> database all that much. Also, recent attacks on democracy have not originated
> from the powers in place, but from players who learned to aggregate gullible
> human beings. Still, I chose not to scan that QR code into my phone so that
> there's a ghost of a chance left that my identifying data isn't aggregated
> with the communications I do over the phone.
> It's nothing compared to having Facebook or Whatsapp installed, which I also
> don't have. But most users do - it isn't even illegal to ship phones with
> such spyware preinstalled in many parts of the world. We have much bigger
> issues in technological madness than CoViD-19 measures.

Part of what makes the 'vaccine passport' scheme so worrisome is the extent to which it makes the decision to not carry a mobile phone less tenable and more difficult. Speaking personally, I do not use a mobile phone, largely for the reasons you rightly describe.

> > (Also, the argument about counterfeit documentation has often been combined
> > with distrust of human document verifiers to promote the use of digital
> > identity proofing, e.g. via biometrics, thus raising even more human rights
> > concerns along with the question of whose security we are protecting.)
>
> I only see such kind of promotion on covid anti-science channels.

I sincerely hope you're right about that. My experience suggests otherwise. Admittedly this is a bit off-topic, but consider how prominent digital identity system providers tout their solutions.

> That's why it isn't considered a privacy issue, that the QR code contains all
> of your identification data, because within the architecture of the solution,
> that data never leaves the phone neither of the citizen nor of the venue.

This is too much to trust without the ability to verify. To be clear, data subjects are not only being forced to trust that the intentions of the software developers are purely benign and that the software is free of security bugs, but also that the devices that read QR codes (and, depending upon implementation, possibly share what they read with the network) are not compromised. So data subjects are also trusting the intentions and security practices of the venue operators, their service providers, and the owners of the devices that read the QR codes as well.

> If that were the case, the CCC or other privacy groups that have a very
> strong media presence would have brought this aspect to public attention.
> I also doubt such an approach is legal within the EU privacy framework.

Absence of evidence is not evidence of absence. I'd like to see a detailed analysis by CCC or Privacy International on these schemes.

> > (3) Even if we assume that the governments issuing 'vaccine passports' are
> > truly benign, the data subject is expected to present the same barcode
> > every time, meaning that the venues doing the scanning can pool their
> > knowledge of the barcodes they have seen to build profiles of data
> > subjects. We could
>
> If they make a custom modified version of the app, they could potentially
> abuse the data. It would be a felony, like any other illegal collection of
> data, too.

Suggesting that a relying party or issuer would go to jail, if it is proven that they abused the data to which their systems had access, is little solace to someone whose information had already been collected.

The fact is that governments are forcing users to trust the intentions and security of all of the actors, including technology developers and platform service providers, who potentially have access to sensitive data. This is a bridge too far.

The only solution is privacy by design, wherein the data subject knows that he or she is not providing information to a computer, either via a device or via a sheet of paper, that could be used to construct a profile. This is technically possible as long as we avoid computer-mediated identity proofing, but to my knowledge, it has not yet been done with 'vaccine passports'.

> Smart cryptographers could probably come up with improvements to the system,
> yes.

Until they do, we are exposed.

Best wishes -- Geoff

# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime@kein.org
# @nettime_bot tweets mail w/ sender unless #ANON is in Subject: