Covid Tracking App - Now Live

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
Why is a state entity using processing facilities outside the EU for this service? Particularly in the US, given what we know from Snowden about data monitoring there.

Not only is an SMS service from Twilio in the US being used, but it looks like some of the AWS services are provided from its US-east-1 region (that's Virginia, close to the home of many of those nice three letter agencies).
 


greencharade

Well-known member
Joined
May 10, 2019
Messages
764
Why is a state entity using processing facilities outside the EU for this service? Particularly in the US, given what we know from Snowden about data monitoring there.

Not only is an SMS service from Twilio in the US being used, but it looks like some of the AWS services are provided from its US-east-1 region (that's Virginia, close to the home of many of those nice three letter agencies).
Now, some of that AWS US access may be related to AWS account set-up and billing - but you might expect the HSE to have some way of having such information asked and answered.
 

alaimacerc

Well-known member
Joined
Dec 9, 2010
Messages
5,175
Why is a state entity using processing facilities outside the EU for this service? Particularly in the US, given what we know from Snowden about data monitoring there.

Not only is an SMS service from Twilio in the US being used, but it looks like some of the AWS services are provided from its US-east-1 region (that's Virginia, close to the home of many of those nice three letter agencies).
They are? Source?

I dunno where they're being processed -- but I'm pretty confident that Irish and EU data law is applicable nonetheless. Amazon have, after all, a large corporate footprint here, they're not just beaming in data from across the Atlantic beyond any legal recourse.

What I'm especially sure of, though, is that wherever it is, you'd be scandalised. In Ireland? Crony capitalism, featherbedding, and undue expense to the taxpayer! Elsewhere in the EU? OMGEUSUPERSTATE. The US? See above.

Start with the outrage, work backwards to premises. Swerve around any inconvenient facts in the way.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
They are? Source?

I dunno where they're being processed -- but I'm pretty confident that Irish and EU data law is applicable nonetheless. Amazon have, after all, a large corporate footprint here, they're not just beaming in data from across the Atlantic beyond any legal recourse.

What I'm especially sure of, though, is that wherever it is, you'd be scandalised. In Ireland? Crony capitalism, featherbedding, and undue expense to the taxpayer! Elsewhere in the EU? OMGEUSUPERSTATE. The US? See above.

Start with the outrage, work backwards to premises. Swerve around any inconvenient facts in the way.
Your view is not held by the CJEU, which today found against the type of Standard Contractual Clauses typically involved.

 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
Your view is not held by the CJEU, which today found against the type of Standard Contractual Clauses typically involved.

More detail here


TLDR: US Privacy Shield is invalid. Standard contractual clauses can still be used, but must demonstrate that EU data protection can be complied with. Hard to see how this can be done for the US (maybe if everything is encrypted and the key has been thrown away.)
 

jmcc

Well-known member
Joined
Jun 12, 2004
Messages
46,239
Are you complaining that the (publicly released) source code of this project is hosted on github.com?
I think that the point being made was that the configuration was set for Amazon's US East servers.
 

alaimacerc

Well-known member
Joined
Dec 9, 2010
Messages
5,175
Your view is not held by the CJEU, which today found against the type of Standard Contractual Clauses typically involved.
Some key work being done here by 'typically'. There's indeed some 'typicality' going on here all right...

What 'view' are you here attempting to attribute to me that the ECJ has just ruled on? That an EU court has just ruled on this argues against my statement that Irish and EU law pertain here? Counterintuitive!

Game attempt at topicality, though -- however botched and disingenuous it might actually be.
 

alaimacerc

Well-known member
Joined
Dec 9, 2010
Messages
5,175
Here you go

An infrastructure configuration script. As opposed to the backend code, for example. Perhaps your first clue that user data may not be involved...

It's setting up four AWS providers, and the US ones only appear to be being used here:
covid-tracker-infra/dns.tf said:
resource "aws_acm_certificate" "wildcard_cert_us" {
  count             = local.enable_certificates_count
  provider          = aws.us
  domain_name       = var.wildcard_domain
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}
[...]
resource "aws_acm_certificate_validation" "wildcard_cert_us" {
  count                   = local.enable_certificates_count
  provider                = aws.us
  certificate_arn         = aws_acm_certificate.wildcard_cert_us[0].arn
  validation_record_fqdns = [aws_route53_record.wildcard_cert_validation_us[0].fqdn]

  lifecycle {
    create_before_destroy = true
  }
}
Now, some of that AWS US access may be related to AWS account set-up and billing - but you might expect the HSE to have some way of having such information asked and answered.
Like say... by publishing a detailed data privacy statement -- which says the following, inter alia:
https://covidtracker.gov.ie/privacy-and-data/data-protection/ said:
The following companies provide services to the HSE but do not have access to your data.
[...]
  • Amazon Web Services (AWS) provide cloud storage and cloud services for the data uploaded from your phone. This is processed in Ireland
... and publishing all the source code? Oh wait, you disbelieve the first, and can't follow the second. So they should have set up a 24h hotline to talk you through it, perhaps? Weren't you complaining just a while ago on them spending too much money on this already?
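The question argued over in the posts above (which resources a Terraform configuration creates through a US provider alias) can be checked mechanically. The following is an added example, not part of the thread or of the covid-tracker-infra repository: it maps each resource to the region of the provider it uses. The provider blocks, the `eu-west-1` default, the `aws_s3_bucket` resource and all function names are assumptions made for illustration.

```python
import re
# Constructed input: the two resources quoted above (abridged), an assumed pair
# of provider blocks, and one hypothetical resource on the default provider.
SAMPLE_TF = '''
provider "aws" {
  region = "eu-west-1"
}
provider "aws" {
  alias  = "us"
  region = "us-east-1"
}
resource "aws_acm_certificate" "wildcard_cert_us" {
  provider = aws.us
  lifecycle {
    create_before_destroy = true
  }
}
resource "aws_acm_certificate_validation" "wildcard_cert_us" {
  provider = aws.us
}
resource "aws_s3_bucket" "example_data" {}
'''

HEADER = re.compile(r'^(provider|resource)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)

def blocks(tf):
    """Yield (kind, type, name, body) for each top-level provider/resource block."""
    for m in HEADER.finditer(tf):
        depth, i = 1, m.end()
        while depth and i < len(tf):          # brace-count past nested blocks
            depth += {"{": 1, "}": -1}.get(tf[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), tf[m.end():i - 1]

def attr(body, key):
    m = re.search(rf'^\s*{key}\s*=\s*"?([\w.\-]+)"?', body, re.M)
    return m.group(1) if m else None

def regions_by_resource(tf):
    providers = {attr(b, "alias"): attr(b, "region")   # key None = default provider
                 for kind, typ, _, b in blocks(tf) if kind == "provider" and typ == "aws"}
    out = {}
    for kind, typ, name, body in blocks(tf):
        if kind == "resource":
            ref = attr(body, "provider") or ""          # e.g. "aws.us"
            out[f"{typ}.{name}"] = providers.get(ref.partition(".")[2] or None, "unknown")
    return out

def outside_eu(tf):
    return sorted(r for r, reg in regions_by_resource(tf).items() if not str(reg).startswith("eu-"))
```

A hit only shows where a resource is created; whether any user data reaches it depends on the resource type, so the list is a starting point for review rather than a finding.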
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
An infrastructure configuration script. As opposed to the backend code, for example. Perhaps your first clue that user data may not be involved...

It's setting up four AWS providers, and the US ones only appear to be being used here:



Like say... by publishing a detailed data privacy statement -- which says the following, inter alia:

... and publishing all the source code? Oh wait, you disbelieve the first, and can't follow the second. So they should have set up a 24h hotline to talk you through it, perhaps? Weren't you complaining just a while ago on them spending too much money on this already?
It's great that you can act as the guarantor for the HSE, which has shown itself quite capable of being deceitful to pursue its own purposes.

How do you know what activities are being carried out in the background by AWS, once those permissions have been established? My first thought when I saw this was some form of inter-region fail-over facility, which would involve data processing in the US. But as you are now the HSE's expert, tell us why this is not possible.
 

jmcc

Well-known member
Joined
Jun 12, 2004
Messages
46,239
How do you know what activities are being carried out in the background by AWS, once those permissions have been established?
In terms of security, most people think that the little padlock symbol in their browser's address bar means that their data is secure. A lot of that is down to relying on clueless "technology" journalists who really haven't a clue about Technology and wouldn't know which end of a soldering iron to hold. As for security, it would be better to rely on people with a clue about the field.

The padlock only means that the data is encrypted. Think of it like A, B, C where A is the user, B is the front of the website and C is what happens behind the website. The data is only secure between A and B. Beyond that, it is in the hands of the operator of the site and only as good as the security measures taken.

The HSE documentation does mention that the IP address data is deleted. IP addresses are a relatively crude method of identifying people. For example, there are (01 July 2020 figures), 146,657,717 .com domain names and of these, 131,322,544 have websites. There are 4,294,967,296 IPv4 (aaa.bbb.ccc.ddd) IP addresses. It is possible to determine who owns these IP addresses. Determining the country of an IP address is actually quite simple. Determining ownership is a bit more complex. The problem is that the ownership changes. Most of the non-business users on ISPs don't have fixed IP addresses and the only data available from a simple lookup is the ISP ownership data. There are other methods where the location of a user on an ISP can be narrowed down but that means that a network map of each ISP would have to be maintained.

The Covid app is an opt-in system and people effectively choose to make their data available. This is quite different to passive tracking where people have no idea of what is being tracked. The SMS aspect might be an issue given the ruling but there are a lot more safeguards for this app than there are for the average Google/Apple app.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
The Covid app is an opt-in system and people effectively choose to make their data available. This is quite different to passive tracking where people have no idea of what is being tracked. The SMS aspect might be an issue given the ruling but there are a lot more safeguards for this app than there are for the average Google/Apple app.
That may be so. The issue is whether people are capable of making an informed choice, given the level and quality/nature of information that is provided. And indeed, whether people are being/have been misled.
 

Orbit v2

Well-known member
Joined
Dec 8, 2010
Messages
12,494
To be honest, you have no idea whether the source code that is published bears any relationship to the app on your phone or running on the server. You could however, check where your phone is connecting back to: ie whether it is Amazon in the US or in Ireland. If someone really cared about this stuff (rather than talking about it on the internet) they'd probably do that. Personally, I trust the app does what they say (leaving aside the possibility for unintentional bugs, of which there are some). Might be better also to encourage people to make sure their phone is fully up to date with security patches as that is a more likely area for something nasty to happen, rather than the HSE slurping information they aren't entitled to.
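The check suggested in the post above (seeing whether the endpoints a phone connects to sit in Amazon's US or Irish ranges) can be done by matching observed addresses against the prefix list AWS publishes as ip-ranges.json. The following is an added example, not part of the thread: the prefix excerpt and the observed addresses are constructed (documentation ranges, not real AWS allocations) and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed excerpt in the layout of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The prefixes are
# RFC 5737 documentation ranges, not real AWS allocations.
SAMPLE_RANGES = json.loads('''
{"prefixes": [
  {"ip_prefix": "192.0.2.0/24",    "region": "eu-west-1", "service": "AMAZON"},
  {"ip_prefix": "192.0.2.128/25",  "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/24",  "region": "GLOBAL",    "service": "CLOUDFRONT"}
]}''')

# Constructed list of remote addresses, as might be noted from a packet
# capture taken while the app is in use.
OBSERVED = ["192.0.2.200", "198.51.100.7", "203.0.113.9", "10.1.2.3"]

def build_index(ranges):
    """Parse each published prefix once into (network, region, service)."""
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in ranges["prefixes"]]

def locate(ip, index):
    """Return (region, services) using the most specific matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, region, svc) for net, region, svc in index if addr in net]
    if not hits:
        return None
    best = max(net.prefixlen for net, _, _ in hits)
    region = next(r for net, r, _ in hits if net.prefixlen == best)
    return region, sorted({s for _, _, s in hits})

def summarize(ips, ranges):
    """Map each observed address to 'region (services)' or a non-AWS marker."""
    index = build_index(ranges)
    report = {}
    for ip in ips:
        hit = locate(ip, index)
        report[ip] = "not an AWS range" if hit is None else f"{hit[0]} ({', '.join(hit[1])})"
    return report
```

An address that resolves to a `GLOBAL` CloudFront prefix identifies only the CDN edge the phone reached, not the region where the origin behind it stores or processes the data.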
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
That is just a few lines of code??
Here again is the need for explanation - as I understand it, they have automated the infrastructure set-up, which is actually quite impressive if you think about it. But broad permissions can be used broadly.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
To be honest, you have no idea whether the source code that is published bears any relationship to the app on your phone or running on the server. You could however, check where your phone is connecting back to: ie whether it is Amazon in the US or in Ireland. If someone really cared about this stuff (rather than talking about it on the internet) they'd probably do that. Personally, I trust the app does what they say (leaving aside the possibility for unintentional bugs, of which there are some). Might be better also to encourage people to make sure their phone is fully up to date with security patches as that is a more likely area for something nasty to happen, rather than the HSE slurping information they aren't entitled to.
So the HSE want us to adhere to government "guidelines" on this, that and the other, but when it comes to legal compliance regarding personal data processing, well that is for others to be concerned with.
 

jmcc

Well-known member
Joined
Jun 12, 2004
Messages
46,239
Might be better also to encourage people to make sure their phone is fully up to date with security patches as that is a more likely area for something nasty to happen, rather than the HSE slurping information they aren't entitled to.
The cutoff for older versions (ensuring that the app only runs on more recent phones) of the phone OSes might help with that.
 

Orbit v2

Well-known member
Joined
Dec 8, 2010
Messages
12,494
The cutoff for older versions (ensuring that the app only runs on more recent phones) of the phone OSes might help with that.
The app runs on Android 6 or higher and some phones running those versions are no longer receiving updates. It's hard to know exactly how many though. And of course any issues are not specific to the Covid app.

So the HSE want us to adhere to government "guidelines" on this, that and the other, but when it comes to legal compliance regarding personal data processing, well that is for others to be concerned with.
Are you saying they are not legally compliant as a result of this recent EU court decision? It's a bit soon to be pointing the finger as a result of that. The Data Protection Commissioner seems to be happy enough.
 

