Uh, btw - better not get a Corona test, if you dont have to - because data will be shared with local town mayors. Bistdudeppat! (What?)
https://www.derstandard.at/story/20...zeiten-wenn-daten-an-big-buergermeister-gehen (german)
It - hurts - it hurts... Stupidity hurts so much.
Effing green party in the government playacting liberal values...
-
Oh and in case you'd want to use the voluntary Red Cross app - data will be shared with:
Accenture, Google and Microsoft, can be stored and processed outside the EU (USA is specifically mentioned) - and funding was provided by a UNIQUA endowment fund (owned by Raiffeisen).
See AGB:
https://www.roteskreuz.at/fileadmin…0_V1.1.pdf
For stuff like this, the derstandard comments section is still invaluable..
edit: Read it: Server infrastructure is hosted in the Azure cloud, transmitted data is 'encrypted' (ssl?
), google services are used to be able to send push notifications, data processing for that stuff can also happen in the US.
Now reading the rest.
Apps that were discussed for germany just stored contact data locally, I've not read up on how the Austrian app handles this.
-
Personal data stored serverside: Unique identifier (ok), has covid 19 diagnosis flag (ok), since when (ok) telephone number (WHAT!!!??!!??!). As soon as you download the app, the app store provider also gets your email address (you know, with your name in it), but thats ok - because thats just automated, on part of the app stores... They say they have no direct access to email addresses, app store provider would act as an intermediary.
Handshake data only is stored locally on your phone at first. (good)
Telephone number is first queried, if you have corona and want to transmit that fact to the world. (ok+)
In that case people in your movement history (locally stored) are read out for the past three days, and transmitted serverside (?????), because they have to contact them - which will not happen trough SMS - but through an internal messaging tool, so the individual users never see your phone number.
Aehem???
Lets say 70% of people in Austria get Covid 19. When they hit button 'i have it' - contact logs for tree days will be sent serverside (based on unique IDs), so personal networks are mappable (data quality isnt the best), linked to unique ids - that then is also linked to a phone number each - which can be used to deanonymize people.
Just so you know.
At least it doesnt automatically jump ('seven degrees of Kevin Bacon') degrees, only when people hit the button 'I want to report that I have Covid 19'.
So its the same issue as within our 3 days google maps example - just that you cant map movement patterns based on geolocation, but only based on 'other telephone numbers that were within a meter in proximity to you'. (More potential deniability I guess..)
Anyone that gets their hands on that dataset, and has an extensive set of phonenumbers to name records (= phonebook), can start deanonymizing.
Dataset will be more valuable at the end of the pandemic (when many people have hit the button 'I want to share my 3 day proximity history and phone number'). Microsoft has access to it - for sure, but apparently its 'encrypted'.
Problem: No words on weither just transport encrypted or not. No words on how swarm notification is done once that information reaches servers and 'I want to tell everyone I have it' intent is declared. (Via google messaging services? So now google gets 3 days worth of your proximity contact data? And they can identify everyone of the contacted users using their accounts email addresses and names? And credit card info, and...)
Data should be deleted (from Azure) 30 days after you hit the 'i have it' button.
edit: HAHA! The app doesnt automatically exchange handshakes, that has to be an active act. On part of both parties. Haha. Very funny. Which means data set is now VERY HIGH QUALITY in terms of connection quality. Value and abuse risk just increased manyfold.
HAHAHAH! Prank potential!
I've mistakenly sent out that I've been infected with Covid-19 - how can I change that?
Currently you cant deactivate that message. Please uninstall and reinstall the app again. If you already had stored contacts within your contact logs, please inform them personally, that the alert is not valid.
src:
https://www.roteskreuz.at/site/faq-app-stopp-corona/ (german)
Also - what happens if the same phone number registers I'm now infected at a later point?
edit: It gets better and better....
Automatic handshake will be added as an update on thursday, as an opt in.
Developed by Accenture (what?). (One of the worlds biggest consulting agencies.)
Our chancelor also thinks of people without smartphones - they should be able to be tracked with keychains!
https://futurezone.at/netzpolitik/s...acking-auch-per-schluesselanhaenger/400803626 (german)
(No joke.)
But sadly someone saved him making sure - none of it will become compulsory...
How technologically illiterate can a millennial college dropout/chancellor be? How fiscally illiterate. (What does a used smarphone cost?) Now 'we'll order a bunch of luggage trackers in bulk on aliexpress, and then people should use them on themselves and then hrow them away, once the battery runs out?'.
India ships smartphones to africa, the Austrian chancelor ships tracking keychains from china to austria. What an absolute...
