Spend a vision with me: June 2020

Wednesday, 24 June 2020

Covid-19, how safe is your DNA

I am into sports, football mainly with some recent interest in indoor cricket, and I do use some data analysis to illustrate some points on data (1)(2)(3). So, I was surprised to see who the EPL is partnering with to come up with a covid19-passport that would allow people back in stadia: Prenetics (4)(5). And for those who are not aware, Prenetics is behind circledna, offered all over at Watsons (6).

I blogged about Prenetics two years ago (7) where they collaborated with Prudential to offer an insurance product that offers personalised advice based on your dna. While prudential assured users they did not keep the DNA, guess who did… Prenetics.

So what does that have to do with Covid-19?

I am running a small poll on linked-in. Some countries are going into relaxing their “lock-downs” by introducing/further enforcing contact-tracing. What this means is that some data created by people will be made available, usually to authorities. The 2 major methods are via location (GPS) or proximity (blue-tooth), and the poll is about which of these 2 are people less uncomfortable with (8). The third idea is a health passport.

GPS tracing

Your location is captured 24/7. In order for the system to be effective, the data is transferred back to a central database. So technically, if someone is tested positive, the list of people who were at the same place and time with that person can be extracted and contacted.

Bluetooth tracing

Your device captures data from people close to you (and your data is captured by the devices of people close to you). If someone is tested positive, the device is surrendered to the authorities and the people who data was captured are contacted.

Health Passport

A third idea, which is what the premier league is using, is the idea of health passports. “According to Lasarow, the web-based system would require fans to scan their health passport information, by way of a QR code, upon access to a venue in order to prove their Covid-19 test is valid and has also produced a negative result.” (4)

First of all, as I pointed out (9), the tests are designed to test whether there is enough evidence that someone is covid-19 positive; if there is not enough evidence, the person is not deemed covid-19 positive; not positive does not mean negative. It simply means there is not enough evidence to say the person has been infected with the virus.

Secondly, a test is valid at a point in time. You extract samples from me now for the test. Let’s assume I am isolated until the results come out. The results will indicate whether, when the test was carried out, there was enough evidence to say I was covid-19 positive. This test is valid for a point in time in the past. Since I have isolated myself, then chances are the same status is valid since I isolated myself (unless for example I was at too early a stage to be detected, and even if I am not further exposed, the virus replicates in my body and becomes detectable).

Now I carry this result on my “health passport”, and go to the stadium and “prove” I can be safely allowed in. The key points are

how much time has passed from the test to me entering the stadium
what have I been up to, where have I been, who have I been in close proximity with in the time between the test and me entering the stadium.

This is not as risk-free as many would like. All the passport says is that: at a point in time in the past (I am sure there will be a time-based validity), my test did not indicate that I was covid-19 positive. And this applies to everyone else in the stadium.

To me, the health passport, used in isolation, is insufficient, especially since we know so little about the virus, the incubation period, the contagious period, what factors affect these (diet, temperature, activities, behaviour…).

A health passport would be good if it indicated immunity to covid-19. At this point, it does not.

So, the EPL’s current health passport offers some cover, anywhere from a blanket that keeps your feet uncovered, to a fig leaf. This is because all your activities, all the places you have been and the people in whose proximity you have been in, are all not recorded by this “health passport”. That’s precisely why there are trac(k)ing approaches.

Now, if you add to that the Peltzman effect (10), that is people who now think they are safe tend to take more risks than earlier, this makes going to stadia to watch the EPL a bit scary (fortunately I am a plastic fan from Singapore).

However this is not what this blog is actually about.

What truly scares me is that it is Prenetics behind the initiative.

The covid19 tests are not done by Prenetics, they are done by a third-party lab, the doctors’ laboratory (11). Prenetics simply allows the person to confirm his/her identity, matching the person who took the test to the person entering the stadium. Basically, that’s an IT integration job, not that of a company that deals in DNA.

So what does Prenetics gain from this? If it was only the US$4.8m deal with the EPL (5), I wouldn’t be bothered, but what is left is. Prenetics is in the business of collecting DNA samples. Once the tests are done, who owns the samples? What happens to them? Is the DNA extracted? What is done with it?

It is not unheard of for medical samples to be used for purposes other than the main one they were collected for. In fact, donated blood that is not used (blood doesn’t have that long shelf-life) (12). The unused blood may be used for research purposes.

My fear is that our data (remember, the way the health passport works is that your identity is ties to the sample and to the results) would be used to extract DNA and this can be used somehow – for example insurance companies would love to get their hands on your DNA, and even learn your genetic predisposition to some illnesses even when you don’t. When someone gives a sample for covid-19 testing, I would assume that’s all they’d like the labs to do with the sample.

Ok, so if the health passport is so bad, what is the solution?

There are many solutions, many countries have their own tracing apps, apple/google have their own, a flexible and useful one is goPassport (different from the health passport used by the EPL). GoPassport works across international borders and combines a few methods, including interfacing with local apps, and provides a comprehensive risk assessment from various sources such as tests, other measurements, movements…

If you want to know more about goPassport, please contact Francesca.goh@alphazetta.ai or Alec.gardner@alphazetta.ai , do mention me so I can claim a few drinks from them if they get a deal out of it 😊

Wednesday, 10 June 2020

The Singapore wearable trac(k)er debate, ahum…

A few days ago, I saw the news that Singapore was developing a wearable contact tracing device; this would make it easier to inform people if they were in proximity to someone who turned out to be covid19 positive (1).

The main reasons for a wearable stated are that the current app (tracetogether) does not play well with apple devices (for the Bluetooth on which the app relies to work, it cannot be running in the background, blocking the user from other uses of the phone), and the battery consumption of the app (your bluetooth is on ‘all the time’).

Note that, today, downloading the app is not compulsory, unless you are someone on a work permit, living in a dorm; for these guys who are sadly bearing the brunt of the infection, the government has made it compulsory, 24/7 trac(k)ing.

2 days ago, the minister for smart nation declared contact tracing “absolutely essential”. Mr Balakrishnan specifically highlighted:

This is not a tracking device because it has no GPS component
There is no internet connection hence the data cannot be uploaded
The “data” never leaves the device unless you are found to be covid19 positive
“only a very limited restricted team of contact tracers” would have access to the data

Within the next couple of days, a petition was created on change.org (3) “Singapore says 'No' to wearable devices for Covid-19 contact tracing“. Over 40,000 people have signed.

The author of this petition, Mr Wilson Goh wrote a lengthy explanation that I will try to summarise below:

The device cannot be switched off and the user will have no choice.

“This will be done regardless of whether the person has a phone or not; regardless whether their phone is switched off or on; whether that person is within reception of a cell tower or not; and regardless whether their phone has wifi or Bluetooth switched off or on.”

Having a permanent ‘tracker’ is the final step to the police state
Tracing/tracking infringes on the rights, privacy and freedom of movement of people of Singapore

“We - as free, independent, and lawful members of the public of Singapore - condemn the device's implementation as blatant infringements upon our rights to privacy, personal space, and freedom of movement.”

(4)

“Are you pondering what I am pondering?” Do you think I agree more with the minister or the petitioner?

My answer is:

This is a red herring dragged by a horse that has bolted before someone can close the door.

The question is not whether the phone should be used, or a wearable device used. You most likely are already showing a lot of people your location and more 24/7 via a device you hold dear, so why the fuss now?

That device is called a mobile phone. Many organisations have access to your location. Do you use some map? Is your GPS on? How do you think you can be connected so quickly when calling a mobile phone, do you think the telco searches for the recipient of your call on demand, or do they roughly know where to look (which tower(s))? How do you think you get “relevant” advertising, sometimes even locally (contextual messages)?

If you don’t believe me, while on your phone, just try clicking on myactivity.google.com . I could never afford an iPhone so I don’t really know if there is an equivalent.

(4)

Hmmm, confused? Am I not supposed to be someone who values privacy and who believes that each individual’s data (s)he produces should belong to him/her?

At this stage, we are in a crisis, or trying to manage one, as a society. There may be a call to balance individual privacy against everyone’s safety.

The government is arguing that the data on ‘your’ wearable will only be read if you test positive. Then anyone is the list of people in close proximity to you will be contacted. On top of the proximity, there is a time limit, a maximum data retention period of 25 days.

Sounds reasonable, right?

But what about accusations of police state?

One of the keys here is compulsion, when people are compelled to do anything, they are likely to question. Now the tracetogether app is voluntary (around 20% of people have downloaded it), but it is compulsory for people living in dorms, leading to comparisons to animals being microchipped. Will the wearable device be compulsory?

A second question is that of enforcement. Even if the device is made compulsory, how will the government check if I am wearing one? Will there be Bluetooth scanners and you will be approached if you don’t have one? Will people be stopped and asked to show their thing?

A third question is for how long would people be required to carry the device? At the moment there doesn’t seem to be an end point, and the worry is that, even if covid19 treatment is found the tracing will continue, or one way out will be to take a potential vaccine.

A fourth question is, does that mean that all other systems such as logging visitors to a supermarket for example will be stopped? Or is this a supplementary measure? While the device may not keep location data, if it is added to location specific data (entries to buildings, onto modes of transport…) the journey of people can easily be reconstituted.

The stand of the organisation supposed to protect individual privacy on the safe-entry app is enlightening “In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.” And “Collection of personal data for Government’s contact tracing purposes should only be done through the use of SafeEntry. The data collected will only be stored in Government’s servers”(5) (highlights are mine)

While the wearable itself may not be what the petitioners deem a police state, adding it to the safe entry app, where all log-ins are captured, is likely to be.

A fifth question is what happens to the data captured. The proliferation of databases today has increased the chances of loss of privacy. A single database may not have enough data to identify people, but if matched with another database, the combined data may be sufficient to identify people. Furthermore, I believe that when people consent to give their data, it is done for a purpose, and data should be used purely for that purpose. This should apply in all cases.

The thing is, despite the PDPA and the PDPC (Personal Data Protection Act and Council respectively), data is being used for purposes other that what it was collected for. In fact, for the Covid19 case, the PDPC is vague “In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures” (5) (highlights are mine)

In the same line of thought, OCBC bank, while arguing that data sharing is safe as long as you are in charge of your data (6) (full business times article (7)) actually shows an example of how data from telcos is being used to plan transport(8); unless telcos are now in the transportation business, this looks like misuse of data to me, PDPC or not. This practice has to stop, especially when extremely granular data is being captured centrally.

A sixth question is, how secure is the data on the device? While the government stresses that only in cases of positive tests would individuals be asked to give the data captured, can individuals look into the data captured by their devices? Even if I can’t tell which device and its related information belongs to you when I am in a crowd, if I bump into you often enough (may be 4 times), I could easily figure out your identity and the related captured information.

(4)

So, what is my conclusion?

Basically, if you are worried about the wearable, it is perfectly understandable. However, you need to realise that you have been leaking this information, or this information already culled from you for a long while.

I actually think that, if it is made compulsory to have such a piece of software, I would prefer a standalone device and no other tracing mechanism. However the questions above (and probably more) should be addressed to build trust. At the same time, since the government is looking into this area, it would be fantastic if they made data ownership in all cases to the people who generate it, and force permission, even retroactively, to be required from the owners/creators of the data by other parties who want to have access to the data, including stating the usage of the data.

I think that would be a nice compromise that could meet the aims of most people.

Only after we as individuals are in control of the data we generate, thereby having the right to choose who, for what purpose, and for how long to share it with, and the right to have the data deleted, will there possibly be enough trust to move away from the “police state” idea, and from abuses by corporations (‘cambridge analytica’ is a classic case of data being misused (9)).