# "SARS-CoV-2-privacy?" paper ORGA BUFFER ###### tags: `work` `scientific` `buffer` > :wave: Welcome! This Buffer's purpose is to document everything related to the "SARS-CoV-2, a threat to privacy" project. To understand how to work with this and similar documents, check out [>> the Buffer Standard <<](https://hackmd.io/u9ViiQ7PR9a0_Fb1fbKGEg) for an introduction. [ToC] ## Introduction Hello, great that you're interest in helping. A great way to get started is to read the [minutes of past meetings](#Meeting-Buffer). Feel free to ask us how to contribute. See the [communication](#Communication) section of this document to see how you can reach us. ## Goal It's our goal to ask ourselves the question if SARS-CoV-2 is a threat to all of our privacy. For that reason, we've written [a position paper at the wirvsvirus hackathon](#Latest-paper-draft). It was submitted. Now we're looking to publish this paper on Arxiv and to conferences. We're now working in overleaf.com (LaTex). To contribute, see [this section](#Contributing). ## Communication: - We use the English language - [WirVsVirus Slack](https://wirvsvirushackathon.org/) channel "1_xxx_critical-infra-covid-19" - We use jitsi for video calls - We use overleaf.com to write papers - We use hackmd to organize ## Contributing - Ask in our Slack channel #1_xxx_critical-infra-covid-19 how you can contribute. - Read our [current paper](#Latest-paper-draft) If you don't know exactly how to contribute, please reach out to: - Tim Daubenschütz: <tim@daubenschuetz.de> - (please add yourself if you have admin privileges) ## Resources ### Collected after hackathon (up-to-date) - Google is making location data public: https://www.welt.de/wirtschaft/article207002161/Corona-Krise-Berliner-nutzen-laut-Google-Daten-Parks-weniger-als-Hamburger.html (via Oksana) - Overtone window as political phenomenon observed in crisis: https://aboutintel.eu/covid-surveillance-china-europe/ (via Oksana) :::info Oksana comments on Overtone article: [...] It is also relevant in light of the Nissenbaum framework. The framework basically relies on cultural norms as a measure on whether something is privacy-violating or not, and an open question remains, what if these norms change (and how can we take into account whether this change is good or bad). And this is kind of what the Overton window concept touches upon. ::: - chaos computer club discusses corona tracking apps: https://www.ccc.de/de/updates/2020/contact-tracing-requirements (via Tim) - Contract tracing without surveilance: https://github.com/vteague/contactTracing (via Oksana) - Social networks and contextual integrity: https://dl.acm.org/doi/pdf/10.1145/2207676.2207727 (via Oksana) - Prospect theory: https://en.wikipedia.org/wiki/Prospect_theory (via Tim) - RKI releases app: https://twitter.com/piracybydesign/status/1247521169252560899?s=21 (via Oksana) - "Also relevant (a pre-covid article): cell data is of limited help when fighting the pandemic: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6175342/. I think this is something we can note - in all our scenarios handing RKI/Telekom case we assume that data is needed or at least helpful for fighting the epidemic, but we might as well articulate this assumption and mention that it remains an open question yet" (Oksana) - https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Data%20Protection%20and%20Security.pdf (Oksana) - https://www.aclu.org/aclu-white-paper-limits-location-tracking-epidemic (Oksana) ### Collected during hackathon (potentially outdated) - https://media.ccc.de/v/36c3-11008-server_infrastructure_for_global_rebellion - https://en.wikipedia.org/wiki/Conway%27s_law - https://criticalengineering.org/de - https://en.wikipedia.org/wiki/Bus_factor - https://avc.com/2018/04/are-we-decentralized-yet/ (website down unfortunately) - https://twitter.com/WirvsVirusHack/status/1241045228829753349 - http://www.european-big-data-value-forum.eu/wp-content/uploads/2017/12/Signe-Horn-Rosted-Energinet-EBDVF17.pdf (via clemensv) - https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en (via Daniel Klemm) - https://de.wikipedia.org/wiki/DE-CIX#Inlandsspionage_am_DE-CIX_durch_den_Bundesnachrichtendienst (via Volker Neff) - Example of a position paper: https://web.cs.ucdavis.edu/~rogaway/papers/moral.pdf - https://www.eff.org/deeplinks/2020/03/protecting-civil-liberties-during-public-health-crisis (via Paula and Oksana) - https://futurezone.at/netzpolitik/ausgangsbeschraenkung-a1-liefert-bewegungsprofile-an-regierung/400783565 (via Isabella) - https://www.bloomberg.com/news/articles/2020-03-19/wristband-trackers-jail-used-to-control-virus-travelers-in-asia (via Tim) - http://theconversation.com/coronavirus-south-koreas-success-in-controlling-disease-is-due-to-its-acceptance-of-surveillance-134068 (via Flosch) https://www.theguardian.com/world/2020/mar/17/israel-to-track-mobile-phones-of-suspected-coronavirus-cases (via Flosch) - https://www.bfdi.bund.de/DE/Datenschutz/Themen/Gesundheit_Soziales/GesundheitSozialesArtikel/Datenschutz-in-Corona-Pandemie.html?nn=5217154 (via Flosch) - https://academic.oup.com/jtm/advance-article/doi/10.1093/jtm/taaa039/5804843 (via Flosch) ## Ideas & Topics ### Brainstorming by Paula  ## Meeting Buffer ### Thu, April 16 2020 4pm Attendees: Oksana, Tim, Flosch, Carmen Minute takers: Tim, - T: Publish the paper? - F: Abstract puts focus on critical infrastructure? Or leaving to privacy. - O: Abstract is fine. - T: - F: Technical papers, you keep it really close to what you've done. Don't think it's bad. - O: Sentence on by one. Abstract should summarize what we've done. We should say what we've done. We discuss privacy issues, we know previous research and we discuss in context of pandemic. - T: What do you not like about the term "critical infrastructure". - O: What's the definition of "critical infrastructure" - T: https://criticalengineering.org/de - O: Tools like jitsi and zoom become critical infrastructure. - T: Add sentence to abstract: "We're discussing evaluating past research and apply it in the crisis." I send it to two of you. - T: Next steps? - F: Last paper we discussed lockdown vs loss of privacy. We can further stress this point. Is it truly like this? Are ppl willing to give data if their movement is restricted. We can do survey. We look at different locations. Different measures of locations. What is the change in the emotions? Idea was to find connection between e.g. twitter, facebook insta, check the amount emotions or keywords and find correlation. If it's possible to find correlation between sentiment and survey, we can use it as time stamp to see if sentiment changes. - O: With survey what do you mean? Existing data? - F: Not sure. Do we need a control group? Carmen is more into that? - O: If you track it through time. But it's difficult to track through time with surveys. - F: My point was to use different locations so that we can cleanly correlate. - O: Use surveys in different countries. Paper asks questions if people are willing to give up human rights if you pressure them. I'll look for the paper and send it. We could repeat the study. - T: facebook.tracking.exposed - F: We should find a way to connect these two aspects. - O: I don't have much experience with AI stuff. - T: We don't have to do much work? - C: What's your research question? - T: "SARS-CoV-2, a Threat to Privacy?" - O: 2 ways of submitting we can do both, the current version: - arxiv - submit to conference (no changes required) - O: Survey takes time. Interesting stuff. - T: I thought we're gonna write another paper. Maybe I've read the room incorrectly. - F: For new paper, research paper: Measures of countries affect different people. - O: Any kind of survey requires some work. It takes more time than you expect. I'd not do any survey if there's time pressure. - T: It's urgent. - O: - contact tracking: If there's one person, who did this person potentially infected? - Location tracking: Are ppl staying at home? Can be used fairly authoritarian - Where are geographical hotspots. What about individual liberty - O: We can take these cases of applying contextual integrity there. Which data should be public? If someone gets tested positive, who should get notified (neighbors, friends, family). There are guidelines from epidemologists. - O: One way, we look at different applications of location data. - O: Another way is to look at different solutions. China, Denmark. Denmark they're going to collect all location data. - Discussion voluntary + forcable usage of an app. - Centralized and decentralized solutions. - Israeli solution: "Supermarket warning" - Norway: Centralized tracking. App sending all data to government. Norway government can tell who can be infected. - T: [App idea about birthdays.] - F: https://www.zeit.de/digital/datenschutz/2020-04/corona-app-tracking-handydaten-bluetooth-datenschutz Apps that are not using GPS location. Not sure if we should discuss solutions or failures. - O: We shouldn't give guidelines on how an app should look like. We can analyze apps. We can use the contextual framework to analyze apps. - F: Homework: Think about existing article about submitting to conference. What's the point of further research? More emotional topic? Is trust exploited right now, should apps be made. - O: - 2 next steps: - short term: submit paper - long term: What do we want to do after publishing? App, trust, exploitation, emotional T: ### Tue, April 7 2020, 4pm O: Read through the paper. Did some small changes. I: Someone reformatted. Looks much better. Affiliations are at the top. Good T: I removed website from affiliation. No affiliation but Oksana. OK? O: I can ask Stephan if he wants affiliation. Ask others if they want to be included on paper (Flo, Carmen, Paula, etc.). T: OK I ask. Are we allowing any new authors too? O: Let's focus on authors from hackathon. T: I checked the spelling using Grammarly. O: Similar tools. Careful with these tools when they want to replace specific words. T: OK. I: Hypothesis full stops? I can check them. T: Also, seems like we've resolved all comments? I: Correct. Which section of arXiv do we want to publish the paper? Computer Science? OK: Social Sciences? I: Economics? O: There's this one https://arxiv.org/list/cs.CY/recent T: Can you submit into more than 1 track? I: It's about target communities. For now, one track is enough.. O: Cryptography and Security might fit too. T: Are we OK with authors and order of the paper? I: CS primary is author and last one indicates something? All: OK with order. T: What will happen after we publish to Arxiv? Are we interested in promoting? O: I just do Twitter. T: I'll submit to hacker news and check if we get some eyes on it. I: Share on my home page. O: Google Scholar will index it too. T: Conference is coming up. What about it? O: 15 April, we can try to submit. Conference is quite competitive. Workshops, end of April/May 1. Workshops are receptive to position papers + we have more time to prepare. We still have to make some decisions on where we wanna go for the paper? T: So what we have right now is not enough? O: I'm not sure. I: Given situation, not many people will be traveling to the workshop location. O: paper will be presented remotely. I: Delaying submission deadlines. Everyone is delaying September. T: What's worth most to be discussed in our paper? How can we optimize for success? O: Original content and what hasn't been discussed is usually quite well received. E.g. we could talk about what's culturally appropriate to a society and how are norms changing currently, e.g. Overtone window (https://aboutintel.eu/covid-surveillance-china-europe/) T: Is there resources that we can use to argue O: Idea: PPL are using context of social media. What would I say to a person in the real world, this I can also post to social media (current cultural norm "what I tell my parents"). But cultural norms are rapidly changing today, e.g. today we post much more than we tell our parents. Paper: https://dl.acm.org/doi/pdf/10.1145/2207676.2207727 O: But there's much more arguments we've made and could make: (1) Privacy Paradox: People care about privacy but then they post about social media. How it's explained: People care about privacy but they make choice e.g. "I'm on Facebook because all of my friends are on it and that's really valuable and I'm fine giving up some privacy for that." (https://www.bornoe.org/papers/CSCW2011-Collaborative-Privacy-Workshop-bornoe.pdf) (2) People are scared of virus, so they give up rights more easily. (3) Trading lockdown right vs. privacy right (4) Promises to the future "Give up privacy but life without Covid-19". Does it really work? Look at Singapore. Apparently giving up privacy doesn't help that much, because Singapore is now in lockdown. T: Also there's this whole angle that maybe we don't have to limit any fundamental rights if we had good health systems, e.g. Extremely wide-spread testing could also help the population without allowing anyone to collect meta data. O: We should put a section of solutions and mention different nation states. Island e.g. is extremely testing right now. Germany, Israel. Catalogue solutions. This allows us to more easily reason about emerging patterns. T: We could build a portal to catalogue all solutions and extract patterns. Can be similar to privacypatterns.eu. T: I can upload the paper to arXiv. O: Additional stuff we could do: We could still conduct a survey. Or check comment sections of articles or social media. Or sentiment analysis. Google search trends. Check Twitter posts. Sentiment analysis. To get a better picture of people's opinion. And then reason about it. T & O: I will think about this. O: We can use Slack for now. I: Slack will be running for 2-3 more months. O: I suggest we keep Slack open. T: What about this Solution Enabler email the organizers sent? I: Phase already ended. You could apply until Friday. T: Should I send emails to hackathon organizors? I think I'll just try my luck. O: We can use money for surveys. Would be opportunity to ask for money. T: OK, I'll try. I: Surveymonkey is useful for surveys. O: Conducting normal survey see all questions etc. We've been using SocialSurvey. We pay people to participate in the survey. clickworker.com. Idea is to pay people for participation. More quickly if you want to collect data. T: Still OK with regular calls? O: Yes, let's schedulde a call for after Easter. O: I'll think about what we can do until next time. T: I'll post paper on arxiv + share link in Slack chat. O: Can we also make our Slack channel private? T: I'll try to do that. All: See you next week. ### Fri, April 3 2020 1pm Attendees: Oksana, Isabella, Tim O: What about apps in Germany? T: Bluetooth app is being developed by Frauenhofer Institute. O: Is Darmstadt Frauenhofer doing this? Because they have good ppl O: Israel citizens can download an app. They map cases to locations. Citizens can check e.g. a supermarket if there was a case O: Not following China because what they do is not privacy-friendly. I: Did u read through the text? O: I didn't but Stephan left a few comments. Last week there have been lots of questions about practically allow for privacy preserving apps. How can we notify people in a privacy-preserving way. I: Yes, on-going discussions. And we can participate. But we'll have to have a clean line how far we discuss. Privacy harms: Hungarian government issue. We could take it in there. Study from RKI, I'd summarize it in a table at end of chapter. O: We can make a bridge, e.g. what if the data was hacked. We can also talk about data anonymization. We can say the RKI used the data for good intentions but we should focus on risk of third-party entrance from hackers. And then we build a bridge to app idea solutions. Topic is developing really quickly. But I'd be super difficult to keep up with the development. T: Is our message sufficient? O & I: It's good that many ppl talk about coronavirus + privacy. We don't say anything new or novel. But it's still worth saying. Contextual framework hasn't been applied to this concrete case yet. It's useful that we apply it in our paper. O: For publishing at conference, we need something more. T: After the paper, we can think about solution I & T: What about interoperability between apps? T: A standard or protocol privacy-preserving would be best for corona app. O: https://www.pepp-pt.org/ They're a research group and they're trying interoperability. You can register on the website. Pan-european. I agree there should be a protocol. Question is how is protocol is governed and by who it is governed. I: Interoperability, I have also interest. But my interest is more on autonomous driving. EU is asking for interoperability of autonomous driving. T: My professor from Ulm University ad-hoc autonomous driving networks. There must be cool projects that already do this in a privacy-preserving manner. I: Additional interesting chase: Data market Austria. Distributed service cloud for data exchange. Here interoperability also big question. I: One more thing: Establishment of trust. Interested, I work with it in deep-enforcement learning. Trust very complex topic. O: Trust is crucial here. E.g. in RKI case we have to trust them. But still in cryptography you have to put trust in the system e.g. "where do you store your keys", etc.? Also point of view of user is relevant. O: I'm working on an empirical study/survey. We asked if people believe if companies are able to protect a user's privacy in a smart home. I: Already we were looking at a complex system O: We looked at Alexa, etc. This is project with red cross. We want to understand why people are trusting these systems. Might be interesting to make a similar survey in relation to corona virus + app. Would be interesting to see if people trust this and understand what the app is doing with their data etc. I: What was the idea about the "arxiv paper"? O: Deadline is in 14 days. We can look at more cases + apps that are more privacy preserving. We could look at the app that they're using in Israel. Israel is publishing the locations. So as a user I can look at the map and see who was in the supermarket and had corona virus. Unclear how the accuracy is affected by mapping cases to locations. O: Singapore has published the code. Experts are saying it's reasonable + privacy preserving. I: Austrian app is also tracking and notifying people with an app. App asks users for consent. It's by a big Austrian insurance company. Would be interesting to compare apps. O: Not sure we can find information about Israel. System was developed to track terrorists. Paper will be political. But shouldn't be too political. Would be good if we compared some European countries. In the RKI case, we can check more scenarios that haven't been covered. T: What about Cambridge Analytica and that data that is innocent rn, can be powerful in the future. O: We can find papers that can support this claim. Location data is reveal lots of information (address, etc.). Data might be misused. T: Fingerprinting of location data. O: Combined data can be used to identify. T: App needs to be really careful with collecting data because everything could be used to identified the user. I: How was experience in hackathon? O: Frustrating in terms of privacy. I talked to them as a mentor. They want to implement MVPs. We can leave privacy or security as problems for later. Made me little bit concerned. But people were quite interested. Germans are concerned about their data vs. other countries. T: Why are Germans so aware? O: Did study about privacy aware. Germans were most aware. Asked colleagues, they didn't know. I: As an example of a previous experience: Austrians would start working. Germans would start discussing about privacy. Typical for Germany. T: History e.g. Stasi in GDR? O: Yes, but other countries had intelligence services too. O: - Arxiv, proof reading really really basic - and then submit to conference I: But which track do you want to go for the conference? We should try to find where it fits. O: We could submit to the workshop for the conference. O: Might help to have another case. Let's try this. We only have 10 days. T: How are we working together All: Overleaf works well. I: 15 April is deadline. T: Should we have a call? OK: Arxiv should be prepared for next week. Maybe we can still communicate in Slack. Ares, we'll look at Austrian case and write more in the discussion. O: Call on April 7, Tues? T: I can upload to arxiv. O: We might need fix the authors and affiliations and styling errors. Minor issues that we should fix. It's fine rewriting but not huge rewrites. Stay active in Slack. All: 4pm april 7. We can use jitsi. ### Sun, March 22 2020 11am Notes of HM before meeting: - Purpose: We want to finish our position paper "COVID-19, a threat to privacy?" - Context: - We've worked really hard and smart so far and we almost have smth to publish! - German media picked up our topic: https://www.tagesschau.de/inland/coronavirus-forschung-bab-101.html - We'll have to find the common thread and review the paper - We'll have to convert to LaTex - Paper submission stops at: 12pm - Video submission stops at: 6pm - Today: - Let's make commitments and manage expectations Attendees: HerrMüller, Florian Scheible, Isabella Hinterleitner, Oksana Kulyk, Paula Ramos - O: Are we going to say smth about other countries? I think it will take too much time. Maybe a short overview is nice! - I: I can do the summary. - O: Maybe the paper structure can be: - 1 what is privacy and why is it important? - 2: current state in countries - 3: Details into germany - F: Maybe we can expand mass surveillance vs lockdown. Maybe we can expand this section. - O: Maybe that's more of a intro section. Two approaches: China (lockdown) vs. South Korea (surveillance). We should mention it. - HM: Maybe put this stuff into outlook - F: I saw it more as a current situation. Maybe mass surveillance is becoming a "tool" for virus fighting - O: Most countries are doing both rn, e.g. Israel. They surveil their citizens and have lockdown. Does Germany have lockdown? - HM: Not yet. - I: There's specific rules "Infektionsgesetz" - P: Parties are suggesting lockdowns for 3 days - F: Lockdown is just buying time. It's lockdown + surveillance that's gonna win against the virus. - O & F: We shouldn't give recommendations to the government. We can give a description of what has been done and analyze the situation - O: - Overview of sitation - General discussions about privacy: What it is, violation, etc., considerations - Overview what's happening in different countries - Focus on German chase - End: Information security. I'll move into chapter of privacy. - Recommendations? - HM: Maybe we don't give recommendations - O: How far my loss of privacy may be accepted? Scare tactics can help get consent. PPL are not making informed decision with fear today. Giving voluntary data might a nice solution using contextual integrity framework (transparency, informed consent, measures to prevent the data) - O: Many projects in the hackathon rely on private data. - O: We need to stress: It's OK to collect data, but do it responsibly. - O & F: It'd be good to have a recommendation section. - HM: Framing should be that we're analyzing the situation. - O: We're not saying smth groundbreaking. We're just reminded that there's tools and research that can be applied to collect data responsibly. - HM: Is the outline OK? - HM: Focus on analyzing German situation for now. - O: Information security in preamble. Would be nice to have section on technical details e.g. for anonymization - HM & O: Paper is a starting point. Cut scope - O: We need a recommendations section (not much details) - P: Already written some recommendations. Maybe we can share notes. - O: I'll read through the recommendation section. - HM: Benevolent Dictator - O: HM you should do it. - I: One person is fine. If it's OK for you, you do it. - P: Will u have the time. - HM: I'm not super experienced. And tired. Oksana? - O: I can do it! - I: We have content for other country section, Italy, France. Could go further up - O: We mention other countries, but we talk about Germans in detail - O: It'd be nice to have GDPR somewhere - HM: I have lawyer friend but didn't respond - F: I have GDPR friend - I: What would you like to write in GDRP field. I have some experience - HM: Would be nice to understand what's the EU's stance on COVID-19+DATA+GDPR - I: I'd like to write about it. - O: Put it into introduction. Mass surveillance vs. lockdown + here's what the EU is saying and then we look at the situation and what Germany is doing - O: Taiwan delete - O: Organize the references. Or are we moving to LaTeX? - I: Are we going to switch the document? - F: What style are we going for? Overleaf is limited to three people. - F: I can organize the references. But how? What standard. - O: Do whatever you want... - F & I: IEEE is fine - O: Do you need the links? - F: I take them for the bibliography and delete them. - O & P & F: What about generational map? - I: Project where we had problem with privacy of data. Should go somewhere and we should mention that this problem in the past already. I can mingle the problem into the EU statements. - O: Privacy in times of crisis. Put the map stuff there. - I: OK! - O to all: Write me a short message in the Slack when you're done with your section then I'll have a look - F & I: If there's a link to a references, what do I do? - I: You mean what the syntax should look like? - F: Not talking about syntax. - I: Most ppl put links in the text. Another option is to have a separate section where we put all the references. You can find the syntax for markdown of hackmd when you click on the "?" on top of the page - HM: What about mini lecture and video? - I: Unclear if we have to submit until 6pm. - HM: Priority 1 is paper, second is video. - P: I don't know what to do. I have done all my stuff. I have time to do a Prezi. Unsure about sound. German? - HM & O: We should use English - HM & P: Let's do the German situation together - O: Someone should read the whole paper. Someone that didn't write much - I: I can do that. - O: Add your names to the paper (authors) - HM: I can convert markdown to PDF: https://www.markdowntopdf.com/ - I: How can we upload. - HM: I shared a contact from the ORGA with you. Ask him. - HM: Anything else? - O: We all keep in touch in Slack. Please write a message in Slack so that we know the status. I'll let you know when I'm done with organizing the paper. - O: Also write me a message if u have questions. - I: We can have individual calls. Big call might not be necessary anymore. - HM: Has been a pleasure to working with you - O: really impressed too - D: read the whole paper. impressive. Thanks Great job - F: As well, let's keep in touch - O: Keep in touch in Slack - All: Bye! ### Sat, March 21 2020 9pm Notes of HM before meeting: - Purpose: We want to write a position paper named "COVID-19, a threat to privacy?" - What happened so far: - Friday night, we weren't exactly sure what we were supposed to write a paper about - Saturday morning, we had an interesting meeting where we discussed specific ideas about a paper on privacy in critical infrastructure - Saturday evening, we have an Abstract, Preamble and already some section filled with content. This is going well! - Going ahead: - How do we establish a common thread throughout the paper? **Minutes start here:** Attendees: HerrMüller, Volker Neff, Isabella Hinterleitner, Paula Ramos, Florian Scheible, Oksana - I: Common thread. Everyone needs to go through the document and start reviewing the sections. Reviewing the claims, to make sure that we don't have peaks in there that won't argue against earlier claims. It might be good if we meet tomorrow morning. Tomorrow, we can split the reviewing tasks too. E.g. a small table to distribute work among team members. - P: OK with reviewing. I think everyone should go through the whole paper when reviewing. In the end we're all authors. - I: Agreed, everyone should read it through. - V: Can't work tomorrow on the paper. I'm busy. I'll read some stuff tonight and write comments in the Slack Channel. - P: Some bullet points are still supposed to be written. How is it handled? - O: Regarding bullet points on information security. A friend of mine added them. Either I or he will extend it. - HM: I'll formulate out my bullet points too. - P: O, are we going to do that survey on how much privacy loss is acceptable? - O: Maybe after we've submitted the paper. Not now. - I: Are there constraints on the survey? - O: Contact out mailing group or some groups on Facebook. We take people that we know. Most of you are based in German-speaking countries. Cross-cultural comparison might be interesting too. But let's come back to this discussion after finishing the paper. - V: How are we going to present our paper in the end? - O: I have no idea how to make a video. - T: Video is not totally necessary. - I: Maybe we can do a sketch. Still needs some time. - V & O & I: Another idea would be a nice power point presentation. We can upload it to the web. Or a mini lecture! Someone could record themselves and then upload the video. - O: Who wants to prepare the power point? - I: PPT can only be done after text. - O: 6pm is video submission deadline. - P: "Prezi" (?), similar to PPT but looks much nicer. - F & I: Can we work together on the presentation. We can use "Prezi" or Google Slides. That is probably the fastest way. - P: Prezi allows us all to modify stuff in the presentation. - I: Let's go for that. - O: Migration to LaTex? - F: Regarding references, you can just add them in "squared". There's not automatic numeration. - O: We don't have too many references. But let's be careful for when we need to migrate to LaTeX. - I: Send me your email addresses so that I can add you to devpost.com so that you're listed as contributor to the hackathon submission. - F: Are we thinking about submitting paper to a journal? - O: We can submit it. But let's discuss after hackathon. Before publishing, we should revisit it without extreme time-constraints. - HM: I'm gonna schedule a meeting for tomorrow morning roughly 11am. ### Sat, March 21 2020 11am Attendees: HerrMüller, Daniel Klemm, Isabella Hinterleitner, Volker Neff, Sindhu, Paula Ramos, Oksana, Wucke - HM: How can we get started on the paper today? I want people to be able to write their thoughts down! - I: From Austria, Medical computer science + ML + Computer vision. Works for Bosch. Trying to connect technicians to lawyers. - D: Distributed systems and cloud computing. Scalable and reliable platforms - O: Assistant professor uni for Copenhagen. Background Crypto + IT security. Now more interdisciplinary. Privacy is close to my heart. - P: Spain, living in Germany. PHD in medical imaging + post-processing. I'd like to learn how I can contribute. - S: Currently in Berlin, living in Munich. From India. Product manager in Startup. Are we talking about IT infrastructure or how software should be designed? - V: Hamburg. Bachelor student in computer science. Interested in many topics. Not sure how to contribute. I hope I can help with ideas or that I can learn something. - S: Can u explain what you mean by critical software infrastructure? Do you mean the cloud? - W: Master Student Computer Science. Dependable Systems, Embedded, Rust, Drones & aeronautical informatics/avionic. Mostly interested in how to make fire & forget software which actually works. - HM: Explains last meeting points. - S: Power grid infrastructure. Privacy. Everyone might not be covered by privacy. But maybe ppl wanna know who's infected. So maybe privacy is a bad thing to have? - O: No. There's different definitions about privacy. You can argue that we need less privacy to track COVID-19 cases. But we need to be careful of the government tracking the location of citizens. Currently there's notifications sent to all peers of a COVID-19 infected. It's good because it lessens the impact of COVID-19 spread. But the contact data, they shouldn't be using. - O: Also note: Governments can collect this network data right now but they can abuse it once COVID-19 is over. Privacy is contextual integrity. It's ok for my doctor to know my health data but not for my boss. In case of an epidemic, network data can be used now to fight COVID-19 but we need to make sure that this data is not misused in the future! - S: Position paper should be: "Data is used now, but should be deleted later?" - O: Lemme give you a link to an article: https://www.eff.org/deeplinks/2020/03/protecting-civil-liberties-during-public-health-crisis - O: There's another aspect of privacy. All comms are digital right now. Before comms were also physical and private. It's not only governments that are collecting data but also by companies. Many companies are based in the US right now. What are they gonna do to our data? - W: There is plenty solutions towards companies and governenments collecting data. The problem is not the availability, but the convenience. Convenience is key to adoption, everything else is unimportant for consumers. - O: Yes, this is what my research is about. Students are saying they have to use facebook because otherwise they're missing out on a social circle. We're often forced into a tool that has bad privacy. In this crisis we even have less options of tools as we e.g. can't talk to friends/family/colleagues f2f. - D: We need to raise awareness about privacy. - W: Have you checked out deltachat? I honestly think it could be a solution for it, as there is few reason to not use it an the passive userbase is basically everyone. - O: Don't understand Wucke. - W: It's an instant messenger which uses your existing mail account. Everyone has email, and with it you can use your email for instant messenging. Supports PGP e2e encryption as well. Most other fine messenger have the problem of adoption, but not this one - everyone who has an email address can be contacted. - HM: How can we start writing? - O: We're not gonna do original research. We can write a position paper. "The current infrastructure is not suitable". Can be more open ended: "Here are the problems right now". "This is what the problems are gonna be in the future". - S: We don't propose regulation? - O: We can propose ideas, but we don't have much time. Maybe topics for future collaboration. - I: Should we start with a section explaining terms that we agree on? Should be for a big audience right. - O: Yes - D: I'd love to start with a problem statement. Are we on the same page. What do we want to focus on. - HM: It's OK to focus on privacy. - O: We also have experts in medicine. Maybe we can leverage them somehow. We list the problems and then we contribute. - D: [minutes taker: not sure what was said here] - O: Focus on what are the problems we have with corona virus crisis. - D: It'd be great if engineers could look at our paper and make decisions. We already had first data leaks in Austria. We need privacy by design. - HM: We need to focus on raising awareness on the problems of privacy. - S: Let's discuss problems that could happen in the future. - O: Paper shouldn't about privacy. There's other problems in other fields too. - HM: Should we write this as one paper or many? - S: As a product manager I see problems from a product-manager-perspective. - I: My sister is working in a hospital in Vienna. Patients that are not highly critical are not allowed to enter the hospital. Can lead to disasters. If u have a stroke, that's considered critical. But if you had an operation a few weeks ago and have minor issues you might not be allowed in. So hospital critical infrastructure is vital! - P: My parents are nurses in Spain. Plan is to limit that people go to the hospital for anything non-necessary. Home-visits from doctors. I'm sceptical. - I: Very bad cases are prioritized. Everything else is queued backwards. - P: Unfortunately, we need more ventilators. - I: There's other critical infrastructure as you can see. Ventilators, hospital infrastructure. - D: We shouldn't spread the theme too much. We should narrow it down. - O: Capacity of hospitals is important. - P: Hospitals should anonymize network data of COVID-19 patients. Right now, they're just rushing to cure people. So they don't care about the data gathering. - HM: Why don't we write a paper about this problem that Paula has described! - O: Suggestion Tim prepare structure of data. And then we fill in the blanks. And then tomorrow we prove-read. - I: Later everyone can take a look at the other sections. - HM: Privacy in hospitals is specialized. We should open it up. - P, O & W: Scalability is important. - D: I have experience. Any questions I can answer. - O: Think about problems that might touch scalability. - I: We can put the hospital case in the outlook. - W: I think, privacy should be _a_ topic, but not _the_ topic. I'm not sure one paper will make it out of this process, I do prefer not lowering the chances even more. - HM: OK, I'll share a outline of the paper at 2pm. ### Fri, March 20 2020 9pm Attendees: HerrMüller, Oksana, clemensv - C: Outline is interesting. Open Source is not equal to critical infrastructure. - O: Open source is better audited - HM: Software needs to be built with different assumptions today - O: Let's intro ourselves. - HM: I work as freelancer in crypto currency space - C: I work in MS Azure. We've seen three-fold surge in our cloud. Expert in critical infrastructure. - O: Academia, Professor in Copenhagen. Security and privacy. Data protection on social networks - HM: Should I lead this? - C: Yes, you should lead this! - HM: What if zoom stops functioning? - C: What if the power grid goes down? Then everything stops working. It's really critical infrastructure. EnergyNet (danish power grid) needs information from smart meters. They need weather forecast. And other data. And if the smart meters don't work anymore, we have a problem! - C: We have thousands of energy producers. And we need to keep the grid alive. Data flow towards energy producers equals working power grid. We need to automate lots of stuff in the power grid. - HM: Can you please send us resources that you have. - HM: I thought you cannot overload the internet because TCP is throttles itself. - C: Once TCP drops packages, things can go bad. Netflix and Youtube are doing a good job in limiting quality. - HM: Can p2p help reduce stress on big nodes on the internet? Think IPFS or Bittorrent when it comes to video streaming. Seems like p2p has geo-preference because a peer looks for locally-close nodes. - C: Problem with p2p is that nobody gives you an assurance that it's gonna work in the end. All systems are susceptible to bad actors. Central control cannot be be asserted. p2p networks are susceptible to network attacks. There was an attack on Bittorrent from ISP through traffic analysis. E.g. Bitcoin traffic might be detected super easily. - HM: What if the state goes away? - C: There's always a dial-tone of civilization. - HM: What if states isolate their internet? So e.g. US cuts internet connection and then all websites in the world that have a Google Analytics link included will fail? - C: Yes, that's a good point. Especially, the inward-focus of US is problematic. MS is committed to fight around this inward-focus. It's a shame that Europe hasn't invested in infrastructure projects/companies. If US shuts-off EU, then Europe has a big problem in terms of data infrastructure? - O: It's not just about building good software. Policy, politics. Data collection is happening currently, it's a big problem. All of our communications today are digital and they're gonna get mined. Transparency and policy is key here. - C: Interesting on the policy point. When there's gonna be legal obligations being put on internet companies e.g. Facebook. There's a law that can tame companies: GDPR. Because penalties are so steep. - C: MS killed some products because they couldn't make GDPR compliant. - O: GDPR isn't always enforced e.g. cookie banner. PPL are often not aware of the data that is collected from them. GDPR is only enforced for companies that are in the spotlight (like MS), but not for companies that are acting in the background. - C: GDPR is more going after big fish than small fish. MS consent with regard to IE. MS was told to create window. - HM: Sorry to interrupt, but the zoom call is gonna kick us out soon. Do you guys have more time to talk today? - C & O: No, but we're gonna read the messages on the channel. - HM: OK. I'll try to organize another meeting for tomorrow morning. - O: Good. Just to set expectations, I don't think we're gonna be able to write a paper in 2 days. Also there were other people that wanted to join the channel but couldn't. ## Appendix ### Latest paper draft - [download](https://timdaub.github.io/assets/sars-cov-2-privacy.pdf) ## Deprecated Sections ### Timeline and Submission - [Submission closes Sun, March 22 2020 11:59pm](https://docs.google.com/document/d/1O1ewO6vhR-CDLPSm7kScPt8-xjsb-hKI2rXISRN8LI4/preview) - Submission is done through a tool called https://devpost.com/. If you want to co-submit, you'll have to create an account. - Videos can be submitted too. [In the meeting on Saturday evening](https://hackmd.io/0dHCPANOQ7ec0L1ju4mXig?both#Sat-March-21-2020-9pm), we concluded that a power point presentation or mini lecture might nicely fit here. - The orga team has shared a [guide](https://docs.google.com/document/d/1O1ewO6vhR-CDLPSm7kScPt8-xjsb-hKI2rXISRN8LI4/preview) on how to submit via devpost (it's in German though) - Isabella suggested we could also submit the paper to arxiv.org :+1: (HM), however it's not time critical - To invite members to devpost, Isabella is collecting email addresses in [Slack](https://wirvsvirus.slack.com/archives/C010G2H7T7F/p1584808065064800) ### Problems + steep increase in usage of services + increased CPU load + increased IO load (namely network) + scaling can be tricky + issues with maintenance of existing software + homeoffice -> breaks communication habits + economic recession -> less money to pay developers + security + Technical security: lack of secure connection/intranet, vulnerabilities of remote communication tools + Human factors: psychological vulnerabilities (people are stressed because of the crisis, hence, more prone to deception/social engineering), having to learn how to use new tools (again, potential for human error), lack of alternative communication channels (i.e. hard to come by to the IT helpdesk or a colleague and ask whether a suspicious email is a phish)... + privacy + data collection on an even larger scale (no face-to-face interaction due to social isolation, all is digital) + unknown/obscure privacy policies of remote communication/collaboration tools + lack of choice, e.g. if everyone uses a particular tool, there is no way for a particular user to refuse and communicate in a different way + as with security, user errors due to unfamiliar tools leading to unintended data disclosure e.g. via wrong privacy settings ### Fortunes + More people at home -> potential contributors ### Solutions + decentralisation + Personal Communication + [fediverse](https://fediverse.party/) + [matrix](https://matrix.org/) + [jitsi](https://jitsi.org/) + [deltachat](https://delta.chat/en/) (nice as almost everybody has email already) + maintainability of code + good documentation + + scalability + container + "cloud" whatever it means to you :) + + runtime efficiency + languages + C/C++ + Go + Rust + + environments + container instead of vms + lightweight containers `systemd-nspawn` + + development efficiency + digital communication + git + slack + trello + + maintenance cost + languages with high safety + high test coverage + tighly integrated CI/CD + effective documentation +