Case study: how the use of Progressive Web Apps may trigger data protection

Category: IT Technology · Published: 4 years ago


I was hesitant to speak about contact tracing apps because so many people speak on the subject and the ratio of repeating the same clichés over and over is also high. Few insightful things are left to be said about this rather simple problem. But recently it emerged that a particular contact-tracing app is using an approach that triggers a potentially controversial issue.

Covid-19 contact tracing is a sensitive area. It not only concerns the health data of millions of users; it is also about tracking proximity and contacts between those people, and about installing state-supplied apps. The topic is so big that Google/Apple updated their operating systems to deliver a special API. Until now most controversies in contact tracing revolved around the collection of geolocation data, or the architectural approach: centralized or decentralized. Now there is another case in point.

A particular contact tracing app, ProtegoSafe (developed for Poland as an official state-supported app), dynamically loads some of its operating logic from the internet using the Progressive Web Application approach (documented here: 1, 2).

Progressive Web Applications (PWA) is a design method for building rich web applications that, from the user's point of view, behave (look and feel) just like native apps. PWA allows a simple way of updating the app. When used in mobile apps, PWA could provide faster updates than the official Android or iPhone app stores.

The way it works is that when an application uses the PWA model, some of its parts must be downloaded from remote servers. In the case of a web browser this is typically about downloading a file called Manifest, with definitions describing the app configuration (see also my privacy analysis of Progressive Web Applications here). This happens, for example, when the app is first installed or when the PWA is updated dynamically. In practice, this is an HTTP(S) request to the site, meaning that the IP address of the application user is communicated to a server controlled by the authorities (in the case of this particular app, the Ministry of Digital Affairs).

But because the Ministry is a public institution, and so has authority over resolving the IP address to the actual identity of the user, IP addresses in this context may potentially be regarded as personal data, singling out individuals.

This means that the already sensitive data processed in a contact tracing app would be even more sensitive because they would, if this happens, be the data of identified persons. This would make the system even more sensitive and forms a fascinating GDPR case study. In line with the EDPB opinion, this should of course be reconciled in the privacy impact assessment (which is advised to be made public; as of this day this has not happened).

But this is also a much broader and so more interesting issue.

Is the use of Progressive Web Applications by public institutions in line with data protection, or does it violate users' privacy? The Court of Justice of the European Union has ruled that IP addresses are indeed in some cases personal data. It's the influential Breyer case:

IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.

One could imagine that this may also apply to the particular situation of public institutions using Progressive Web Applications in general.

But if in some contexts the use of PWAs brings consequences that differ from those of native standalone applications, the issues must be tackled. In general, systems (and so apps) should always ensure that the right grounds for data processing exist. The particular point described in this note may in certain cases need to be taken into consideration by development teams.
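To make the exposure concrete for a development team, the following added example (not part of the original article and not code from the app discussed) audits a web server access log for the manifest and app-shell fetches that a PWA makes on install or update, and shows each record as logged next to a minimized form. The log format, the asset paths and the truncation prefixes (/24 for IPv4, /48 for IPv6) are assumptions, and IP truncation is a common data-minimization technique that the article itself does not discuss.

```python
import ipaddress
import re

# Constructed access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.57 - - [01/Jun/2020:08:14:02 +0000] "GET /manifest.json HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 10)"
203.0.113.57 - - [01/Jun/2020:08:14:03 +0000] "GET /service-worker.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Linux; Android 10)"
2001:db8:85a3:1f::8a2e - - [01/Jun/2020:09:30:41 +0000] "GET /static/js/main.4f2a.js HTTP/1.1" 200 90211 "-" "Mozilla/5.0 (iPhone)"
198.51.100.9 - - [01/Jun/2020:10:02:17 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "probe"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Hypothetical paths an app shell would fetch on install or update (assumption).
PWA_ASSET_RE = re.compile(r'(manifest\.json|\.webmanifest|service-worker\.js|/static/)')


def truncate_ip(addr):
    """Zero the host part of an address: keep /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def audit(log_text):
    """Return (exposed, minimized): PWA fetch records as logged vs. truncated."""
    exposed, minimized = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip
        ip, ts, _method, path, _status = m.groups()
        if not PWA_ASSET_RE.search(path):
            continue  # not an app-shell fetch
        exposed.append((ip, ts, path))
        minimized.append((truncate_ip(ip), ts, path))
    return exposed, minimized


if __name__ == "__main__":
    exposed, minimized = audit(SAMPLE_LOG)
    for before, after in zip(exposed, minimized):
        print(f"{before[0]:>24} -> {after[0]:<16} {after[2]}")
```

Truncation only limits what is retained in logs; the full address is still visible to the server at request time, which is the point the privacy impact assessment has to address.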

Did you like the assessment and analysis? Any questions, comments, complaints or offers? Feel free to reach out: me@lukaszolejnik.com

