User blogs

More details have emerged today about the European Commission’s legislative proposal for a pan-EU ‘digital green pass’ to show verified COVID-19 status. The plan is controversial from a human rights and civil liberties perspective, given the clear risk of discrimination. But privacy and security experts are also raising concerns about the technology architecture that will underpin the system — which has yet to detailed in full.

“The proposal does not yet meet the requirements of data protection and protection against discrimination,” said German Pirate MEP Patrick Breyer in a statement today. “It does not ensure that the digital variant of the certificate is stored decentrally on devices of the person concerned and not in a central vaccination register.”

The European Union’s intention for COVID-19 vaccine passports — or rather what it’s branded a “digital green pass” or a “digital COVID-19 certificate” — will show whether the holder has been vaccinated against COVID-19 or had a recent negative test or if they have recovered from the disease and have antibodies, Commission president, Ursula von der Leyen, said today during a press briefing to give more details of its legislative proposal for the “common instrument”.

“The certificate will make sure that the results of what it shows — the minimum set of data — are mutually recognized in every Member State,” she also said, adding that the aim for the system is to help Member States reinstate freedom of movement “in a safe, responsible and trusted manner”.

Justice commissioner Didier Reynders said the intention is for every EU citizen to be able to receive the certificate free of charge and ask other Member States to accept it. He said the Commission will largely not be regulating use of the pass. Rather it will be up to Member States to set specific requirements related to the common instrument.

He gave the example of a European country being able to specify that they would accept a vaccination status of a person who has had a vaccine that’s not yet been approved for use in the EU, for example. But Reynders said the Commission will be obliging Member States to accept pass holders who have been vaccinated with an EMA approved vaccine.

The Commission wants the system to be ready to use “before the summer”, he also said. However that timeline looks incredibly ambitious for what is a complex technical project that involves sensitive personal data being used for a purpose which is inherently controversial, given the clear risk of COVID-19 status being used to discriminate or unfairly infringe on individuals’ civil liberties.

The digital certificates being ready means not only the Commission implementing/procuring any central components and ensuring Member States implement the necessary technical pieces at a national level for the system to work as intended but also getting the required legislation approved by the EU Council and Parliament — and doing all that “maybe” as early as June, per Reynders.

Asked during the press briefing if there was a ‘plan b’, given how ambitious the questioner suggested the Commission’s plan is, he said there is no other plan — as the only plan is to avoid fragmentation by implementing a common instrument to prevent Member States making unilateral choices over COVID-19 at their borders.

Still, the proposal currently leaves room for European countries to apply different rules, according to Breyer — who has also warned it could lead to discrimination by allowing freedom of travel to be linked purely to vaccination if Member States choose not allow negative tests to be accepted as an alternative, for example. “This needs to be improved,” the MEP suggested today.

“On the other hand, I welcome the fact that the retention of medical information after showing the certificate is excluded,” he added.

EU lawmakers avoided too much discussion of what Member States might do with the common tool but they confirmed the digital pass would be available in both a paper and digital form (although, again, Breyer expressed concern counties may choose not to implement the paper form, thereby discriminating against those who do not have access to a smartphone).

Reynders also confirmed the digital pass would incorporate a QR code to verify what’s on the certificate and check if it’s validated.

The Commission scheme shares at least one component with a system that was recently reported by Spiegel as under procurement in Germany — which it said involves QR codes but also blockchain technology (with IBM and a local company called Ubirch winning the tender) — and which is intended to be compatible with the EU’s digital pass requirements.

There was no mention of blockchain during today’s Commission press briefing. Internal market commissioner Thierry Breton said only that the technical solution “is also part of trust”.

“That’s why we have worked with Member States so that we are now all together on the same page. We share exactly the same technology,” he went on, adding: “We keep of course the GDPR at very high level. We will not exchange data and the good news is that all Member States have shared this view now. And this is extremely important because of course trust is also when you will move from one country to the other one that everybody will know just with a QR code you will know what is on your certificate and if it is validated.”

Asked after the briefing whether or not the pan-EU system will incorporate blockchain components a Commission spokesman sidestepped the question, saying only: “The gateway will link the national public key directories for the signature keys.”

“We cannot yet tell you who will implement this technically,” he added.

The spokesman went on to say that the “trust framework” (provided for by article 4 of the draft regulation) will be developed by the Commission “based on the outline on which Member States agreed in the eHealth Network on Friday” — referring to the voluntary network of Member State representatives which was established by EU directive in 2011 to facilitate cross-border data sharing for an e-health purpose.

On a related webpage the Commission also writes: “The eHealth Network has published an outline of the trust framework needed for [e]stablishing the Digital Green Certificate infrastructure, and continues to develop mechanisms for the mutual recognition and interoperability of vaccination, test and recovery certificates.”

“Further work is being conducted by the eHealth Network in collaboration with EU agencies, the Health Security Committee, the World Health Organization and other institutions,” it adds there.

The eHealth Network’s current outline for the “trust framework for the interoperability of health certificates” is available here — as a 16-page PDF (v.1.0, dating from March 12, 2021).

The document discusses some design choices and intended outcomes but does not provide details of the chosen technical solutions as decisions appear to have not yet been taken — despite the Commission’s goal of the whole thing being wrapped up and ready to run in a little over two months’ time.

Pressure from southern European nations worried about the impact of the coronavirus on heavily tourism-dependent economies is one driving force for the Commission to scramble to roll out a common approach for mutual recognition of vaccination documentation. Although fear of fragmentation of the bloc’s Single Market is likely the bigger accelerant for the Commission. (It’s notable, for instance, that other Member States, including France and Germany, have previously expressed concerns over linking the right to travel to a pass. So how ‘on the same page’ European countries are on this issue looks debatable.)

Also questionable is how trusted the technical underpinnings of the digital pass will be — as plenty of detail is still to be confirmed.

In the eHealth Network’s outline, a section on “data security by design and default”, for example, asserts that the trust framework “should by design and default ensure the security and the privacy of data in the compliant implementations of digital vaccination certificate systems, ensuring both security and privacy” — but it does not explain how this will be achieved.

“The design should prevent the collection of identifiers or other similar data which might be cross-referenced with other data and re-used for tracking (‘Unlinkability’),” it goes on before adding: “Further discussions are needed as to the technological aspects and timeline for the incorporation of these features in the trust framework.”

Another section offering an “overall description” notes that the EU trust framework is designed to be “largely decentralised”. However it confirms there will be “some centralised elements”: Namely “roots of trust” stored in a common directory/gateway (aka “EU Public Key Directory/Gateway”), and the “Governance model” — raising core questions of trust over those key elements. 

On the EU Public Key Directory the document envisages the gateway “shall be provided by a public sector body, such as the European Commission”. But evidently there’s still room for alternative bodies to take on that role.

Elsewhere, the outline confirms that offline verification will involve the use of 2D barcodes containing a digital signature used in conjunction with dedicated verification software that will periodically fetch verified public keys. While it states that online verification “will rely on the UVCI [Unique Vaccination Certificate/assertion Identifier] and it will be incorporated in the next version of the specifications (V2)”.

A section on presentation formats confirms that 2D barcodes will be used — but also raises the possibility of “W3C Verifiable Credentials” being utilized, stating only that a decision “will be made later”.

Harry Halpin, a CEO and research scientist (and formerly a staff member at the W3C) — who has been critical of the lack of openness around the technical design of the Commission’s digital green pass, and who presented a paper last year critiquing immunity passport schemes that involved what he describes as “a stack of little-known standards, such as Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) from the World Wide Web Consortium (W3C)” — is concerned the Commission is considering incorporating what his paper describes as “questionable use of blockchain technology” into the digital green pass.

He argues that use of W3C Verifiable Credentials in immunity passports would be dangerous to privacy and security.

“Technologically there’s ways to prove test results digitally without involving any global identity at all,” he told us. “If you really just want to prove with medical authenticity that I have ‘A attribute’ — where this attribute is I have negative COVID-19 test in the last 72 hours or I’ve been immunized with a vaccine in the last year, whatever it is that you want to prove, there’s another form of identity… called attribute-based credentials. Which is a perfectly fine way to do it. Attribute-based credentials just prove attributes without revealing identity. You don’t need a global identity for any of these use-cases.”

“Maybe the metaphysical angle is that because of corona all my previously private health data should now be public but then just come out and say that — don’t hide it behind some blockchain nonsense,” he added.

Discussing the eHealth Network’s outline, security and privacy researcher Dr Lukasz Olejnik — who has also written about the privacy risks and wider ramifications of vaccine passports — said the document raises some questions such as who will be the source of trust and whether there’s a risk of function creep related to the proposed design.

“This technical document confirms that the user’s ID will be bound to the certificate. This may mean that the passport would mediate a proof of ID,” he told TechCrunch. “Considering today’s proposal of a regulation it is pertinent to wonder whether a function-creep-like expansion couldn’t lead to these passports becoming actual proofs of identity in the future.

“Other than that, the eHealth document is descriptive but contains no details as to the future solution. The source of trust in this system will be the key problem of interest,” Olejnik added. “It seems that we will need to wait longer for the details.”

During today’s briefing Reynders raised the spectre of future expansion from another angle — saying that while the digital pass would be a “temporary” instrument, and the legislation would provide for the system to be “suspended” at the end of the pandemic, it would also bake in the possibility of re-activation at a later point if necessary, such as in the event of another pandemic.

“We have the possibility to suspend the certificate when the WHO declares the pandemic over. So this is dedicated to COVID-19,” he said. “I’m saying ‘suspend’ but through a delegated act and with the European Parliament we could use this instrument if there were another pandemic. But basically we’re talking about a temporary solution with the Member States and with the European Parliament.”

“We don’t want to prolong that,” he added. “When it will be possible for the World Health Organization to say that we are at the end of the pandemic we’ll stop with such an instrument. And of course we are just thinking about the possibility to reactivate the instrument later — but I’m not hoping that — if we have a new pandemic in the future. But that will be with a dedicated act — always with the Parliament involved in the process.”

On the issue of function creep, Reynders conceded that European countries might seek to use the digital pass for other purposes, i.e. outside the Commission’s target of facilitating the free movement of EU people.

But he suggested it’s no different to Member States requiring masks be worn or a rapid test taken as they may already do in certain situations — while emphasizing any such uses would need to comply with wider EU laws and fundamental rights.  

“If there are other uses well it’s already the case you can perhaps use other things like masks that are also imposed. There are also test, self tests which are used by people. But if we go into using the certificate in other ways we have to see if that use is necessary proportional and non discriminatory and also compatible with EU legislation,” he said.

“Of course we will examine the situation on a case by case basis but I don’t think we necessarily need to draw a distinction between the certificate and other measures for example rapid antigen tests, masks and so forth. These are other tools that have been used… We need to make sure that any further use is proportional and non-discriminatory and obviously in line with the rules on free movement.” 

The EU’s digital COVID-19 pass has been in the active mix since January when the Commission said it was pushing for “an appropriate trust framework” to be agreed upon by the end of the month “to allow member states’ certificates to be rapidly useable in health systems across the EU and beyond.”

It followed up earlier this month when it announced it was coming with a legislative plan for the pass, emphasizing its hopes of facilitating safe cross-border travel this summer. Albeit, those hopes look more fragile now — given the slow pace of the EU’s vaccine rollout in the first quarter.

The Commission president also warned today that some Member States are on the cusp of a third wave of COVID-19.

The EU executive’s plan to speed full-steam ahead with a digital pass to verify COVID-19 status remains controversial — not least in light of the still highly limited access to vaccinations across the bloc which only underlines the risks of the tool being unfairly applied.

Civil liberties concerns can’t be disconnected from ‘vaccine passports’. Nor will they be swept away by an anodyne rebranding to a ‘digital pass’. But there are now additional questions stacking up around the Commission’s technology choices for the common instrument — and whether the architecture of the system will live up to Von der Leyen’s tweeted promise that the EU digital green pass “will respect data protection, security and privacy”.

For EU citizens to trust in that claim full transparency is essential. 

Uber changes driver classification following a legal defeat in the U.K., Facebook says it will crack down on rule-breaking Groups and Snap makes an e-commerce acquisition. This is your Daily Crunch for March 17, 2021.

The big story: Uber to classify UK drivers as workers

Following a Supreme Court ruling, Uber said it will classify all drivers in the United Kingdom as workers — a category between self-employed and employed that entitles those designated to a minimum wage and holiday pay.

That doesn’t mean the dispute is fully resolved, however. Uber said that it will calculate working time starting when drivers accept a trip, excluding the time after they’ve signed into the app and are waiting for a ride. A statement by the App Drivers and Couriers Union described the company’s new approach as “a day late and a dollar short, literally.”

The tech giants

In expanded crackdown, Facebook increases penalties for rule-breaking groups and their members — The changes follow what has been a steady, but slow and sometimes ineffective crackdown on Facebook Groups that produce and share harmful, polarizing or even dangerous content.

Snap acquires Fit Analytics, a fitting technology startup, to double down on fashion and e-commerce — Fit Analytics has built technology to help shoppers find the right-sized apparel and footwear from online retailers.

Apple Maps updated with COVID-19 vaccination locations in the US — To access this information through a voice command, users can ask Siri something like “where can I get a COVID vaccination?” which will direct them to Maps.

Startups, funding and venture capital

Incredibuild gets $140M to speed up games and other software development with distributed processing tech — Incredibuild is a private tech company, but it has been around since 2000, and it counts Epic, Microsoft and Nintendo as clients.

SoftBank-backed Indian insurance platform Policybazaar raises $75M — Policybazaar is among a handful of startups that is attempting to upend India’s insurance market, which is largely commanded by state and bank-backed insurers.

The Robinhood competitor landscape intensifies as Invstr raises $20M — Via social gamification, Invstr has set out to make the financial educational process fun.

Advice and analysis from Extra Crunch

Dear Sophie: What type of visa should we get to fundraise in Silicon Valley? — The latest edition of “Dear Sophie,” the advice column that answers immigration-related questions about working at technology companies.

How to recruit data scientists without paying top dollar — When it comes to building a data science team, many companies fail at the first step: creating a job posting.

Olo prices IPO sharply above its target, valuing company as high as $4.6B — We’re checking in on the price investors paid for a block of Olo shares before it began trading.

(Extra Crunch is our membership program, which helps founders and startup teams get ahead. You can sign up here.)

Everything else

The Voter Formation Project puts an experimental spin on reaching Black and brown first-time voters — This new group is a 501(c)3 laser-focused on reaching Black and brown first-time voters using every trick in the digital toolbox.

On Friday the EU will put startup-friendly legislation to member states — will they sign up? — The EU Startup Nations Standard aims to make the European Union the most attractive place to create a startup.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

When it comes to building a data science team, many companies fail at the first step — creating a job posting. These mistakes have been amplified in the age of COVID-19.

The increasing demand for AI and data science experts, driven in part by the pandemic’s economic impact, is showing no sign of abating. Many employers are failing to identify viable job candidates, much less interviewing or hiring them.

What’s the biggest obstacle holding them back? In our experience, it is often a poorly drafted job posting. And with the pandemic completely stopping all in-person recruiting events, hiring success hinges on an effective job rec. Previously tolerable mistakes are now fatal.

At The Data Incubator, a data science training and placement firm, we’ve helped hundreds of companies successfully hire data science teams. Honestly, it pains me to see amazing companies undersell themselves in this area.

Companies inevitably gravitate toward the same generic buzzwords, promoting themselves as “cutting edge,” “creative,” “collaborative,” “data driven,” “passionate” or “insightful” (just peruse Indeed for examples of these lackluster postings). Or they delve into industry jargon, which may be lost on candidates who are not familiar with the industry.

To streamline the writing process, we recommend that clients break down their competitive advantage into three buckets: compensation, mission and tech. Only by understanding where their strength lies can they successfully market their job openings.

Compensation

Compensation is an important component of making a position competitive. Managers certainly need to fight to ensure their remuneration range is appropriate for their data science roles. However, budget constraints are difficult to overcome, especially given the ability of tech and finance to pay top dollar for these sought-after skills. How to combat this when you don’t have the same budget? Consider listing compensation in job ads.

If you’re one of (the majority of) employers who cannot afford to compete on salary, this will help job seekers understand what to expect. Neither you, nor a potential candidate, wants to spend hours interviewing just to discover that it would have never worked out because of compensation. Save yourself the time and frustration by listing remuneration upfront.

What if you are one of the few employers able to pay major-league salaries? Congratulations, but don’t throw away your hard-won budget! Companies develop reputations for compensation. Unless you are one of the select firms with a reputation for paying top dollar, you will need to signal that to top talent. Otherwise, strong candidates may assume the remuneration is low and not apply, defeating the purpose of paying a high salary in the first place.

Obviously, listing salaries is controversial and there are plenty of reasons why employers are weary of listing salary ranges. However, a recent survey by SHRM found that 70% of professionals want to hear about salary upfront and Glassdoor.com reports that salary is the No. 1 consideration for 67% of job seekers. With all these benefits, employers should seriously consider being more upfront and transparent about what they are able to pay, if only to save themselves time and frustration.

Mission

In the COVID-19 workplace, employees are finding themselves increasingly isolated. With work from home poised to stay even after the virus has dissipated, the risk of isolation will continue. Companies need to double down on articulating their mission and galvanizing employees around that. This doesn’t just start with employment but the very first step of the hiring process: the job posting. Emphasizing mission in the job posting will attract employees.

BMW plans to have 25 electrified cars in its lineup by 2025 and it’s taking a few more steps in this direction this year with the launch of the all-electric iX SUV and the i4 sedan. Today, for the first time, the German automaker shared a few more details of what we can expect from the i4, its first fully-electric sedan, in addition to sharing the first exterior shots of the new model.

At the top end, the i4 will have a power output of 390kW / 530HP. Going from zero to 100km/h will take four seconds.

BMW promises up to a 300 miles range, according to its own preliminary tests based on the EPA’s test procedures. Enough to go from L.A. to Las Vegas. That’s the same range as the iX will be able to cover on a single charge and a slight increase in horsepower compared to BMW’s new SUV. And while that range is less than what Tesla and some other competitors can offer, it’s still more than what’s possible with comparable all-electric Porsche and Audi models like the eTaycan and e-tron GT, which are in the lower 200s.

Image Credits: BMW

“With its sporty looks, best in class driving dynamics and zero local emissions, the BMW i4 is a true BMW. It makes the heart of the BMW brand now beat fully electric,” said Pieter Nota, member of the Board of Management of BMW AG responsible for Customer, Brands, Sales.

For now, we don’t have any pricing details or additional specs for the i4. It will become available later this year, so we’ll likely see more details in the summer.

“The iX is purpose-built, it’s spectacular and it’s a completely new BMW X product,” Frank Weber, BMW’s head of development, said at a press event earlier this week. “But what people are longing for is to see that we have a sport sedan that is fully electric. […] And the i4 has everything it takes to have a real sporty sedan from BMW that is fully electric.”

And indeed, unlike the somewhat quirky i3, BMW’s first all-electric car, the i4 is a standard, four-door sedan (with real passenger doors, unlike the i3) — something that buyers in the market for a sporty yet roomy electric car from BMW in the spirit of the existing 4-series will likely appreciate.

Earlier this week, BMW also announced version 8 of its iDrive operating system, which will feature a new dashboard layout and visual design, with two curved screens. It will make its debut in the i4 and iX.

Amazon is apparently pleased with how its Amazon Care pilot in Seattle has gone, since it announced this morning that it will be expanding the offering across the U.S. this summer, and opening it up to companies of all sizes, in addition to its own employees. The Amazon Care model combines on-demand and in-person care, and is meant as a solution from the search giant to address shortfalls in current offering for employer-sponsored healthcare offerings.

In a blog post announcing the expansion, Amazon touted the speed of access to care made possible for its employees and their families via the remote, chat and video-based features of Amazon Care. These are facilitated via a dedicated Amazon Care app, which provides direct, live chats via a nurse or doctor. Issues that then require in-person care is then handled via a house call, so a medical professional is actually sent to your home to take care of things like administering blood tests or doing a chest exam, and prescriptions are delivered to your door as well.

The expansion is being handled differently across both in-person and remote variants of care; remote services will be available starting this summer to both Amazon’s own employees, as well as other companies who sign on as customers, starting this summer. The in-person side will be rolling out more slowly, starting with availability in Washington, D.C., Baltimore, and “other cities in the coming months” according to the company.

As of today, Amazon Care is expanding in its home state of Washington to begin serving other companies. The idea is that others will sing on to make Amazon Care part of its overall benefits package for employees. Amazon is touting the speed advantages of testing services, including results delivery, for things including COVID-19 as a major strength of the service.

The Amazon Care model has a surprisingly Amazon twist, too – when using the in-person care option, the app will provide an updating ETA for when to expect your physician or medical technician, which is eerily similar to how its primary app treats package delivery.

While the Amazon Care pilot in Washington only launched a year-and-a-half ago, the company has had its collective mind set on upending the corporate healthcare industry for some time now. It announced a partnership with Berkshire Hathaway and JPMorgan back at the very beginning of 2018 to form a joint venture specifically to address the gaps they saw in the private corporate healthcare provider market.

That deep pocketed all-star team ended up officially disbanding at the outset of this year, after having done a whole lot of not very much in the three years in between. One of the stated reasons that Amazon and its partners gave for unpartnering was that each had made a lot of progress on its own in addressing the problems it had faced anyway. While Berkshire Hathaway and JPMorgan’s work in that regard might be less obvious, Amazon was clearly referring to Amazon Care.

It’s not unusual for large tech companies with lots of cash on the balance sheet and a need to attract and retain top-flight talent to spin up their own healthcare benefits for their workforces. Apple and Google both have their own on-campus wellness centers staffed by medical professionals, for instance. But Amazon’s ambitious have clearly exceeded those of its peers, and it looks intent on making a business line out of the work it did to improve its own employee care services — a strategy that isn’t too dissimilar from what happened with AWS, by the way.