Apple and Google should have included the chart in their announcements, IMO. It illustrates the process in a way that's easier to understand than text alone.
The problem with doing any sort of effective contact tracing requires special APIs for iOS and Android because newer versions of both OS disallow background communication and location gathering
I'm not a security expert. However, this part looks worrying:
> alice can also hide messages from times she wants to keep private
If there's a need for this, doesn't that imply that the scheme does not actually keep Alice's privacy in all situations?
Furthermore:
> the random messages give the hospital NO INFO on where Alice was
This seems to assume that the hospital (or anyone with access to the data, such as governments) didn't capture the broadcast messages together with their location. With enough Bluetooth receptors in busy areas, a government could easily find out where Alice had been by looking up each of her messages in their list of message/location pairs?
Experts can probably come up with nastier and/or easier exploits...
Agreed, whenever you divulge any info, you're always losing bits of randomness (obviously, more or less depending on how good the protocol is!).
In particular, given an adversary who has several points (receiving these codes) and knows the receiving location of each of these points can de-anonymize a person "A" who is COVID positive if they know, e.g., a minimal amount of A's usual daily movements (from cellphone tower location, for example).
That being said, the government probably has better ways of knowing who has COVID-19 and other infectious diseases :)
it is just shockingly important that we come out of this _without_ a dystopian nightmare of a surveillance state.
That apple's involved in this is hopeful -- their earlier work on anonymizing Maps.app directions is well worth thinking about here. tl;dr your route is broken up into n chunks, each chunk gets a uuid that isn't tied to your handset, and so serverside nobody knows where Bob's Iphone just asked to go. [0]
Doing this kind of "differential privacy" or whatever we want to call it today properly is very hard, but it is also very, very important to get right.
I am hoping that Apple being involved will keep this as privacy respecting as it reasonably can be given what it is doing.
I am generally someone that takes privacy very seriously, I mostly avoid Google products and others for this reason.
But... this may be a time that the privacy concerns are worth loosening a bit for the good of this. But that comes with the caveat that I hope this is disabled when this is all done, and preferably the code removed completely. I trust Apple to do this, not sure if I would trust google too.
> But... this may be a time that the privacy concerns are worth loosening a bit for the good of this. But that comes with the caveat that I hope this is disabled when this is all done, and preferably the code removed completely.
Any right you're willing to give up now, you've demonstrated a willingness to give up. You won't get it back. Either it'll remain lost forever, or it'll be used as evidence for a future proposal to take it away permanently (rhetoric: you agreed to it for X, and clearly any person who isn't morally bankrupt values Y over merely X; you're not morally bankrupt are you? And the need for Y will never go away...).
By all means, let's carefully give people tools to supplement their memory, to help people voluntarily notify others who need to be tested. Let's not, however, make that information available to anyone other than the owner of the device.
The problem is, what's the better option right now. Clearly the measures that are being taken are not actually working, people are still being infected and the ability to track the person you happen to walk past or stand next to waiting for your pickup.
I am conflicted about this... but as of right now I also feel like its necessary.
I don't understand this absolutist mindset. It doesn't have to work this way. We can have, say, the draft - an absolutely whopping restriction on civil liberties - during WWII but get rid of it when it's no longer needed.
(From a UK perspective, though I now live in the USA):
Can anyone think of a recent situation where the UK government has given back a power it has temporarily taken? This is a genuine question - I cannot. The closest was a stand taken by David Davis against 90-day detention without charge during the Blair administration (though he has since proved rather more illiberal than this position would suggest).
In the UK at least, while it might not _have_ to work that way, in practice it does.
We haven't gotten rid of it, it still exists. It just isn't being used right now. Getting rid of it would be to abolish it entirely, and instead require people to voluntarily consent in the future. (And if you can't get people to agree to it, perhaps that should tell you something.) "needed" isn't even a factor here.
An involuntary mechanism for contact or location tracing that's accessible to governmental authorities without the consent of the user is a civil rights violation, whether it's being actively used at the moment or not.
The American public exercised their power to elect politicians who'd end the draft as the Vietnam War got progressively more unpopular. It's well within our powers, if we care enough.
Is it, in fact, "well within our powers", or do you just believe it is? I don't, in general, believe "we could take this power away from government if we wanted to" is true without an existence proof.
It just takes one erroneous logging call in the wrong place and all this niceness goes away. Hopefully we don't get a headline in the future of "Bug found with contact tracing app, we actually had access to everything but we're sorry and we'll fix it". Not entirely against this work, it will provide benefit but let's hope for the best.
This is why it'd be nice for the APK/installable file to have a hash that can be verified against an open source version. In theory someone should spot anything that doesn't look right.
But that can't/won't undo the effects of something being called "private" being exposed not to be afterall...
> Looks like it was inspired by the TraceTogether app built by the Singapore Government and recently Opensourced.
Not really. This is based on the TCN approaches by Covid-Watch, Co-Epi and DP-3T (submission to PEPP-PT). TraceTogether fundamentally functions very differently.
> would allow more individuals to participate, if they choose to opt in
I don't see how this can work unless it gets very high distribution. I wonder if local governments might do something where the shelter-in-place orders are lifted for some categories of people conditional on running the app?
Not sure I agree. This only works if both ends of a contact have a conforming app. As such, the proportion of contacts you can trace is not linear, but quadratic in adoption.
(If 20% of people adopt it, you’d catch only 4% of contacts).
Given the number of people wearing masks, I think this would have a decent opt-in rate. Especially since, for most people, this is much easier than wearing a mask.
I’m sorry, I might be misunderstanding how loyalty cards work... do they detect each other and report back to home with what other cards they have been in proximity to?
They're a scenario where people have willingly given away privacy to corporations in exchange for pretty minor benefits (largely, discounts that just bring the prices back to where they'd have originally been).
The cards themselves detect each other without me knowing it?
Checking into to JimmyJohns with a loyalty card is not the same as the guy I passed on the street's phone checking my phone and both letting JimmyJohns HQ that we passed each other at 12:53 on at 643 West Main St.
I bet there'll be a few different ways to 'prove' yourself to public places, and people who decide to tell them to 'go fuck off' - well they'll become social pariahs.
After all - the first amendment allows for the freedom of assembly, and the freedom of assembling with whom they wish. Property rights also and all of that.
Is it a matter of losing freedom for safety? Yeah. There's been a lot of 'reasonable' losses of freedom in various things. For example, isn't it a loss of freedom to require a drivers license and insurance (or proof of financial responsibility for California)? Or security at airports? And so on. This may become yet another loss of freedom, maybe temporary maybe not.
The interest in "privacy" around contact tracing seems like a ship that sailed a long time ago to me. Verizon etc all already have this data, and it isn't "private", and so does uber, lyft, and every other overly-aggressive-permission-askning-app that anybody has ever installed.
Privacy is really important: but we lost it all a long long time ago. Maybe saying "well now we can do a good job of contact tracing" is at least some good coming out of that loss of privacy. I just hope we don't end up wasting time trying to make the contact tracing "private" as if by doing otherwise we'd be giving something up that we didn't already give up long ago.
Right. But it's not like they're going to "just" announce that.
"Hey everyone - so yeah, we're using all your data you're willingly providing all these apps on your phone, like location, contacts, camera...So thanks for helping...Okay, bye!".
But you're right. Every day there is so much information from the spies we carry around with us as they communicate that it'd be unfathomable they're just "ignoring" all of this information.
The chances are in some privacy policy it says they can share that data with their "partners" which silently gets back to the government.
Just use what you already have, what we already know you have, and if it saves lives then at least it was put to good use.
I would think that for contact tracing, you need more than Uber/Lyft/Verizon-level GPS/WiFi triangulation/cell tower triangulation accuracy inside cities. With contact tracing, a proximity of 1 or 20 meters probably makes a large difference. Hence these apps will also have to use Bluetooth Low Energy continuously.
That's too defeatist: these contact tracing tools will be gathering data that isn't available any other way - otherwise, they'd just be going straight to Verizon etc for what they need.
Presumably the bluetooth recording will give much better fidelity/precision about who is close to who, in all conditions (in buildings, in the subway, etc), where simple phone triangulation or GPS won't be accurate enough.
That's far more data than the phone companies have on us right now, so it is a good thing that people are considering the privacy issues. Just saying "we've already lost" only makes things worse.
US public institutions seem frankly sclerotic. The fact that the government has or has not done something provides almost no signal on whether something is possible or not.
I downvoted you because this is false. This is enhanced individual tracing and will only get worse over time. We should fight tooth and nail against all new anti-privacy schemes like this.
In this context I think you can distinguish between three different kinds of location-related data:
* cell tower data
* phone GPS data
* Bluetooth data about proximity to specific other people
For most purposes these are increasing in precision and sensitivity. But also, governments can demand that carriers turn over the first kind, but the second two are generally under some kind of user control according to mobile OS designs. There is no single place that automatically gets this data about every smartphone user.
Some of the discussions about privacy for the kind of technology that Apple and Google are working on here are based on observations like
* there actually is no existing way that health authorities could get detailed Bluetooth proximity information about all smartphone users
* this information is potentially more useful for epidemiological purposes, and also more privacy-sensitive, than just GPS sensor data, because it may more reliably map individual people's interactions with one another (for example, potentially confirming that people were likely in the same room rather than just in the same building)
* there are cryptographic concepts that could potentially make this data useful for contact tracing, if users cooperate to a certain extent, in a way that would still make it difficult to obtain or use the data for a different purpose
Another way of putting it is that many people looking at this question think that there is an incremental privacy harm from disclosing Bluetooth proximity data (compared to data that is already available), and an incremental benefit to epidemiology from finding a way to process this data for contact tracing purposes (compared to data that is already available).
Does this then allow us to run this in the background on iphone. The Danish and Norwegian governments are looking at using a GPS+Bluetooth based version because iPhone is so common and not able to work with Bluetooth when the app is not active is their argument. Also based on a centralized server. My hope was apple would in this circumstance allow Bluetooth to work differently so avoid unnecessary location data.
Why is this API even necessary? Isn't every individual with a smart phone already tracked de facto?
Why add a technological fig-leaf to what is by now a deplorable privacy situation? Just roll with it, change whatever laws need to be changed, and be done with it. The data collection capabilities already exist to do contact tracing, it seems.
The tl;dr is that without a huge, nigh-omniscient program to trace individual cases, we have no choice but to go on and off Covid lockdown for a year or more, with potentially devastating economic consequences.
Having Apple and Google develop a built-in tracing program to their phones with firm privacy guarantees is not good, but it might be the least-bad solution we have right now.
> Only an official effort, led by Apple+Google or maybe FB and then forced upon users, can reach the critical mass needed to make contact tracing viable.
This may be right, but how will said vendors "force it" on users? A system update? That still takes voluntary cooperation.
For the last 4 years I've read a constant stream of articles about how "This will be the end of our democracy", "Democracy is under threat!", etc.
If we as a society agree to ubiquitous, mandatory location tracking and a complete suspension of the right to assembly in response to this virus then we never deserved a democracy in the first place.
What part? Deriving location from contact tracing is trivial. The fact that its being discussed as opt-in? If participating in society requires that you "opt-in" then what about it is really opt-in?
For starters, I would assume that most people's daily rotating keys could easily be fingerprinted based on identifiable patterns of movement that could be picked up by any number of municipal devices people come into contact with throughout the day.
In order for contact tracing to work as advertised, each person's device has to keep a log of daily ids that they contacted that has a TTL of at least a few weeks. That means that whenever a law breaker gets arrested, law enforcement would be able to confiscate their device and be able to construct a list of everyone that they've been in contact with in the last few weeks.
The Daily Tracing Key cannot be "easily fingerprinted" since it does not leave the device (see page 5). Your LE threat model seems like grasping at straws, the majority of users already have location services enabled anyway, people breaking the law would have to change exactly nothing from the common practice of not bringing your phone when committing crimes.
I miss-spoke. I meant to say the rolling proximity identifier could be tracked and fingerprinted.
Furthermore, it's not the same as a phone's location implicating you in a crime. It's a persistent log of your in-person social network that can be reverse engineered every time you get arrested or go through customs at the airport.
The rolling proximity identifier is short-lived and put through a non reversible cryptographic hash function to prevent exactly that, same page. You're not going through airports in a pandemic, after which you can uninstall whatever app you're using in this crisis.
I know on HN we are not supposed to allege that someone hasn’t read TFA, but please, could you read the spec and then give some details on how to (“trivially”) derive location from the contact tracing as described?
Close contact detection and alerts at the mobile OS level
We need to get better and faster at stopping the spread of infectious diseases. Covid is already catastrophic. Next time R could be 5, and mortality could be 5, 10 or 20%.
I believe we can use mobile technology to track close contact between individuals, and alert at-risk individuals to potential infections. I believe this could drastically reduce R and the impact of infections diseases could be substantially mitigated. Simulations should be able to determine the effective reduction of R.
Apple and Google should work together to implement a worldwide close contact logging framework. It will use bluetooth to track close contact encounters. The architecture will be anonymised and encrypted to make it somewhat privacy centric.
Obviously privacy zealots will make noises, but to save millions of lives and economic disaster the general population could be convinced it's acceptable.
iOS and Android should have an always-on bluetooth scanner that logs the bluetooth ID of nearby devices. If a device stays nearby for a certain amount of time, a close contact is triggered. The severity of the close contact is determined by the amount of time the devices were close together for, and other bluetooth data. This is anonymised, encrypted and logged.
When an individual is diagnosed with an infectious disease, they activate a feature in their phone which displays a QR code. The health professional has an app that scans the QR code. The health professional will enter details about the disease, and how far into the past the person was estimated to be contagious.
Alternatively if the individual hasn't been tested or is unable to reach a health professional, they can answer a set of questions about their symptoms that will determine how likely they are to be infected. Obviously this method of self diagnosis is less reliable so the framework will take this into account when deciding who to deliver alerts to.
The system alerts people that have had close contact with the infected individual, giving advice about local testing centers or self quarantine. The system will be tuned to only notify the more severe close contacts as needed. Data about available local testing capacity could be used to further refine this tuning.
Problems:
* Privacy: how to make the data private / anonymous.
Communication: how to convince the public that their data is private / anonymous?
* Power: Bluetooth on all the time - battery drain?
* Health professionals: how to make sure only health professionals can use the alert app, but also deploy worldwide without delays.
* Deployment: how to get this system onto all Android phones with such a fragmented ecosystem.
* Detection: how to most effectively determine infection risk from available bluetooth data.
* Tuning: too many alerts for low risk encounters and people will ignore them - tuning is needed.
> Power: Bluetooth on all the time - battery drain?
I doubt this is an issue anymore for modern devices. Things like smartwatches connect via Bluetooth but still manage to keep the phone’s almost-all-day battery life.
The easiest way to convince the public is to lie to them, because that data is not going to be private. There is no chance that this won't be misused. NSA employees misused their power to spy on their neighbors and partners. There is virtually no chance that this won't be abused.
Every single authoritarian regime is salivating over something like this.
An interesting Twitter thread on why the stand-alone contact tracing apps that many others are building won't work, and why integrated platform solutions like this are necessary: https://twitter.com/zainy/status/1248482486524379137 (but of course, necessary does not mean sufficient)
Also, efficiency depends on how many persons can be tested. If it's 10000 a day, in my country, it's about 1/500 th of the population a day... If it's enough to test say 1/10 of the population to have some results, this will take 1-2 months...
I have the impression that all of this is forced upon us as to make us believe that it is safe to get back to work ASAP. Wouldn't it be better to just wait ? (I'm not interested in the economical debate : this will invariably lead to compromises such as how many victims can we afford to keep the economy going ? (nobody will tell it that way, but in the end that's the truth behind those arguments))
FWIW, I’ll “tell it that way”. I think it’s a interesting topic. And a real one manifest in our actions all the time. There is a real cost to life and trade offs.
The argument is OK, but fails to mention fact that Singapore's TraceTogether and Stanford's Covid Watch are pursuing a common Bluetooth covid tracing standard that everyone can adopt. So you don't need mass adoption of a single app.
Sort of, but not really: both of their apps were unable to track in the background due to privacy restrictions. This partnership enables that at the OS level, and will remove the need to download an additional app
Not really. For contact tracing, S.Korea is using a much more aggressive approach built upon a framework to join cellphone location from mobile providers, credit card usages and potentially CCTV.
And living with the erosion of Constitutional protections that seem all too easy to push through in times like these, but impossible to roll back afterward.
And this is why it's done during a crisis: it works. All the education and talk about how the last time the government overstepped their bounds goes out the window the moment a crisis hits. Then it's all about "why isn't the government doing more?"
Except that in this case Google are trying to produce a new contact tracing dataset rather than just giving the government access to the location data they already have.
Some ideas as to why:
- lots of people have iPhones and Apple have made efforts to make them less trackable so maybe there isn’t enough data about enough people
- google are scared that this would lead to their data collection/retention being more regulated
- The location data google collect just isn’t granular enough
- google don’t want to give the government access to their location data because they believe strongly that it should be private between google and the people being tracked/they’re scared that people will react badly as they begin to realise how much data google collects about them
My guess (hope) is a group of reasonable adults talking about this collaboration (remotely) decided that the order of logos was of far less importance than them working together.
Someone probably said — “how about this?” and scribbled something. May have even been a Googler.
Personally, I would choose to put the Apple logo first on aesthetic grounds.
Not because I like that logo better but because it is smaller. Since English reads left to right, if the short thing comes after the long thing, it looks lopsided.
Also, since the Google logo is larger, it is going to be more prominent no matter what, so putting the Apple logo first balances that out a bit. Seems fair to me.
Many years ago I was at a black market in Beijing filled with every possible fashion counterfeit, and I found one black leather belt that had both Gucci and Calvin Klein logos on it.
It similarly seemed natural for a second ("even more fashion, right") until my brain did a double-take.
If I understand correctly, it's up to every infected person to manually click "upload" (edit: here was "who I was close to", but it's not correct, see note 1 here) once he gets diagnosed, i.e. completely voluntary.
That is so that once one is diagnosed others can check if they were close to that one (and when?). And even these lists aren't supposed to be any typical metadata but something that stays local and the third parties can't reconstruct.
The idea is, again if I understood, that those who remain negative never have to upload anything that gives any traceable information about them.
See my other post here with other relevant quotes from the specification.
----
Edit:
1) Actually what is uploaded is: "the Daily Tracing Keys for days where the user could have been affected"
"Upon a positive test of a user for COVID-19, their Diagnosis Keys and associated DayNumbers are
uploaded to the Diagnosis Server. A Diagnosis Server is a server that aggregates the Diagnosis Keys
from the users who tested positive and distributes them to all the user clients who are using contact
tracing."
The matching is done locally on every device:
"In order to identify any exposures, each client frequently fetches the list of Diagnosis Keys. Since
Diagnosis Keys are sets of Daily Tracing Keys with their associated Day Numbers, each of the clients
are able to re-derive the sequence of Rolling Proximity Identifiers that were advertised over Bluetooth
from the users who tested positive. In order to do so, they use each of the Diagnosis Keys with the
function defined to derive the Rolling Proximity Identifier. For each of the derived identifiers, they
match it against the sequence they have found through Bluetooth scanning."
You can’t upload who you were close to because you only have a set of pieces of data that can’t be traced back to people without their key. Only if infected, you upload your key to the server which distributes it to the others who can then tell if they’ve been close to you.
> Only if infected, you upload your key to the server
You are more right than I was initially, thanks!
Actually, to be even more precise: only if infected, you upload the set of your own derived keys, and apparently only for the days you could have transmitted the virus to other people.
From the documentation:
"Upon a user testing positive, the Daily Tracing Keys for days where the user could have been affected
are derived on the device from the Tracing Key. We refer to that subset of keys as the Diagnosis Keys.
If a user remains healthy and never tests positive, these Daily Tracing Keys never leave the device."
As I read it, the specification doesn't enforce whether upload is voluntary. local custom and laws can be implemented to vary degrees of freedom on this aspect.
The idea is that nobody ever shares who they were close to. Think of it as walking around in a mask, then if you were sick you opt in to being on a list so everyone knows they may have been exposed if they saw someone in "a pink fox mask."
Your identity is pseudorandomly generated and cycles every 15 minutes, so you won't be identifiable/trackable - until you choose to share you were sick, and release the inputs to the KDF publicly. A third party app determines who can share they were sick, but the OS appears to require user consent before your information can be shared.
Even then, the people who did see you haven't shared any information.
The biggest vector of privacy abuse IMHO is that once you have opted in to letting an app check whether you had contact with an affected person, the app is responsible for behavior - informing you, helping you schedule testing, or potentially more abusive behavior like informing you and the state of a mandatory quarantine.
• The key schedule is fixed and defined by operating system components, preventing applications
from including static or predictable information that could be used for tracking.
• A user’s Rolling Proximity Identifiers cannot be correlated without having the Daily Tracing Key. This
reduces the risk of privacy loss from advertising them.
• A server operator implementing this protocol does not learn who users have been in proximity with
or users’ location unless it also has the unlikely capability to scan advertisements from users who
recently reported Diagnosis Keys.
• Without the release of the Daily Tracing Keys, it is not computationally feasible for an attacker to
find a collision on a Rolling Proximity Identifier. This prevents a wide-range of replay and
impersonation attacks.
• When reporting Diagnosis Keys, the correlation of Rolling Proximity Identifiers by others is limited to
24h periods due to the use of Daily Tracing Keys. The server must not retain metadata from clients
uploading Diagnosis Keys after including them into the aggregated list of Diagnosis Keys per day."
It doesn't look bad, at least, at the first sight.
A detail: I hope the "day begin" for the "Daily Tracing Key" is the same for all users? I.e. not a local day but e.g. GMT+0 day or something.
483 comments
[ 3.0 ms ] story [ 321 ms ] threadGreat!
https://covid19-static.cdn-apple.com/applications/covid19/cu... Cryptographic Specification
https://www.blog.google/documents/55/Android_Contact_Tracing... Android API
https://blog.google/documents/57/Overview_of_COVID-19_Contac...
Apple and Google should have included the chart in their announcements, IMO. It illustrates the process in a way that's easier to understand than text alone.
Not sure whether that's what this implementation would look like.
> alice can also hide messages from times she wants to keep private
If there's a need for this, doesn't that imply that the scheme does not actually keep Alice's privacy in all situations?
Furthermore:
> the random messages give the hospital NO INFO on where Alice was
This seems to assume that the hospital (or anyone with access to the data, such as governments) didn't capture the broadcast messages together with their location. With enough Bluetooth receptors in busy areas, a government could easily find out where Alice had been by looking up each of her messages in their list of message/location pairs?
Experts can probably come up with nastier and/or easier exploits...
In particular, given an adversary who has several points (receiving these codes) and knows the receiving location of each of these points can de-anonymize a person "A" who is COVID positive if they know, e.g., a minimal amount of A's usual daily movements (from cellphone tower location, for example).
That being said, the government probably has better ways of knowing who has COVID-19 and other infectious diseases :)
Once the crisis is over, they'll continue to use such "safe" apps, for other purposes ...
That apple's involved in this is hopeful -- their earlier work on anonymizing Maps.app directions is well worth thinking about here. tl;dr your route is broken up into n chunks, each chunk gets a uuid that isn't tied to your handset, and so serverside nobody knows where Bob's Iphone just asked to go. [0]
Doing this kind of "differential privacy" or whatever we want to call it today properly is very hard, but it is also very, very important to get right.
[0] https://www.idownloadblog.com/2019/03/13/apple-maps-navigati...
I am generally someone that takes privacy very seriously, I mostly avoid Google products and others for this reason.
But... this may be a time that the privacy concerns are worth loosening a bit for the good of this. But that comes with the caveat that I hope this is disabled when this is all done, and preferably the code removed completely. I trust Apple to do this, not sure if I would trust google too.
Any right you're willing to give up now, you've demonstrated a willingness to give up. You won't get it back. Either it'll remain lost forever, or it'll be used as evidence for a future proposal to take it away permanently (rhetoric: you agreed to it for X, and clearly any person who isn't morally bankrupt values Y over merely X; you're not morally bankrupt are you? And the need for Y will never go away...).
By all means, let's carefully give people tools to supplement their memory, to help people voluntarily notify others who need to be tested. Let's not, however, make that information available to anyone other than the owner of the device.
The problem is, what's the better option right now. Clearly the measures that are being taken are not actually working, people are still being infected and the ability to track the person you happen to walk past or stand next to waiting for your pickup.
I am conflicted about this... but as of right now I also feel like its necessary.
Can anyone think of a recent situation where the UK government has given back a power it has temporarily taken? This is a genuine question - I cannot. The closest was a stand taken by David Davis against 90-day detention without charge during the Blair administration (though he has since proved rather more illiberal than this position would suggest).
In the UK at least, while it might not _have_ to work that way, in practice it does.
An involuntary mechanism for contact or location tracing that's accessible to governmental authorities without the consent of the user is a civil rights violation, whether it's being actively used at the moment or not.
The American public exercised their power to elect politicians who'd end the draft as the Vietnam War got progressively more unpopular. It's well within our powers, if we care enough.
Public opposition ended the Vietnam War and the draft. It would be political suicide to reactivate it barring a full-scale world war.
This is something covert, like secret courts, unconstitutional data collection, manipulating the stock market for the 1%.
You won't get people to care once a new, barely visible leash is entrenched.
https://twitter.com/MikaelThalen/status/1243281598037913600
Look how fancy the UI is!
But that can't/won't undo the effects of something being called "private" being exposed not to be afterall...
https://www.gov.sg/article/help-speed-up-contact-tracing-wit...
https://github.com/OpenTrace-community
Not really. This is based on the TCN approaches by Covid-Watch, Co-Epi and DP-3T (submission to PEPP-PT). TraceTogether fundamentally functions very differently.
I am one of the developers working on Co-Epi, and am very happy to see that Apple and Google are improving their APIs to support our work.
I don't see how this can work unless it gets very high distribution. I wonder if local governments might do something where the shelter-in-place orders are lifted for some categories of people conditional on running the app?
To get to 0 you need very high participation.
Even modest adoption will have some impact on the rate of spread.
(If 20% of people adopt it, you’d catch only 4% of contacts).
Hell, vast numbers of people have been doing it voluntarily already with loyalty cards.
Checking into to JimmyJohns with a loyalty card is not the same as the guy I passed on the street's phone checking my phone and both letting JimmyJohns HQ that we passed each other at 12:53 on at 643 West Main St.
After all - the first amendment allows for the freedom of assembly, and the freedom of assembling with whom they wish. Property rights also and all of that.
Is it a matter of losing freedom for safety? Yeah. There's been a lot of 'reasonable' losses of freedom in various things. For example, isn't it a loss of freedom to require a drivers license and insurance (or proof of financial responsibility for California)? Or security at airports? And so on. This may become yet another loss of freedom, maybe temporary maybe not.
Privacy is really important: but we lost it all a long long time ago. Maybe saying "well now we can do a good job of contact tracing" is at least some good coming out of that loss of privacy. I just hope we don't end up wasting time trying to make the contact tracing "private" as if by doing otherwise we'd be giving something up that we didn't already give up long ago.
"Hey everyone - so yeah, we're using all your data you're willingly providing all these apps on your phone, like location, contacts, camera...So thanks for helping...Okay, bye!".
But you're right. Every day there is so much information from the spies we carry around with us as they communicate that it'd be unfathomable they're just "ignoring" all of this information.
The chances are in some privacy policy it says they can share that data with their "partners" which silently gets back to the government.
Just use what you already have, what we already know you have, and if it saves lives then at least it was put to good use.
your fatalism is not Truth
https://www.imec-int.com/en/articles/imec-sets-new-benchmark...
Presumably the bluetooth recording will give much better fidelity/precision about who is close to who, in all conditions (in buildings, in the subway, etc), where simple phone triangulation or GPS won't be accurate enough.
That's far more data than the phone companies have on us right now, so it is a good thing that people are considering the privacy issues. Just saying "we've already lost" only makes things worse.
US public institutions seem frankly sclerotic. The fact that the government has or has not done something provides almost no signal on whether something is possible or not.
* cell tower data
* phone GPS data
* Bluetooth data about proximity to specific other people
For most purposes these are increasing in precision and sensitivity. But also, governments can demand that carriers turn over the first kind, but the second two are generally under some kind of user control according to mobile OS designs. There is no single place that automatically gets this data about every smartphone user.
Some of the discussions about privacy for the kind of technology that Apple and Google are working on here are based on observations like
* there actually is no existing way that health authorities could get detailed Bluetooth proximity information about all smartphone users
* this information is potentially more useful for epidemiological purposes, and also more privacy-sensitive, than just GPS sensor data, because it may more reliably map individual people's interactions with one another (for example, potentially confirming that people were likely in the same room rather than just in the same building)
* there are cryptographic concepts that could potentially make this data useful for contact tracing, if users cooperate to a certain extent, in a way that would still make it difficult to obtain or use the data for a different purpose
Another way of putting it is that many people looking at this question think that there is an incremental privacy harm from disclosing Bluetooth proximity data (compared to data that is already available), and an incremental benefit to epidemiology from finding a way to process this data for contact tracing purposes (compared to data that is already available).
Why add a technological fig-leaf to what is by now a deplorable privacy situation? Just roll with it, change whatever laws need to be changed, and be done with it. The data collection capabilities already exist to do contact tracing, it seems.
The tl;dr is that without a huge, nigh-omniscient program to trace individual cases, we have no choice but to go on and off Covid lockdown for a year or more, with potentially devastating economic consequences.
Having Apple and Google develop a built-in tracing program to their phones with firm privacy guarantees is not good, but it might be the least-bad solution we have right now.
This may be right, but how will said vendors "force it" on users? A system update? That still takes voluntary cooperation.
If we as a society agree to ubiquitous, mandatory location tracking and a complete suspension of the right to assembly in response to this virus then we never deserved a democracy in the first place.
In order for contact tracing to work as advertised, each person's device has to keep a log of daily ids that they contacted that has a TTL of at least a few weeks. That means that whenever a law breaker gets arrested, law enforcement would be able to confiscate their device and be able to construct a list of everyone that they've been in contact with in the last few weeks.
Furthermore, it's not the same as a phone's location implicating you in a crime. It's a persistent log of your in-person social network that can be reverse engineered every time you get arrested or go through customs at the airport.
https://twitter.com/dbrophy/status/1241434641250299905
Close contact detection and alerts at the mobile OS level
We need to get better and faster at stopping the spread of infectious diseases. Covid is already catastrophic. Next time R could be 5, and mortality could be 5, 10 or 20%.
I believe we can use mobile technology to track close contact between individuals, and alert at-risk individuals to potential infections. I believe this could drastically reduce R and the impact of infections diseases could be substantially mitigated. Simulations should be able to determine the effective reduction of R.
Apple and Google should work together to implement a worldwide close contact logging framework. It will use bluetooth to track close contact encounters. The architecture will be anonymised and encrypted to make it somewhat privacy centric.
Obviously privacy zealots will make noises, but to save millions of lives and economic disaster the general population could be convinced it's acceptable.
iOS and Android should have an always-on bluetooth scanner that logs the bluetooth ID of nearby devices. If a device stays nearby for a certain amount of time, a close contact is triggered. The severity of the close contact is determined by the amount of time the devices were close together for, and other bluetooth data. This is anonymised, encrypted and logged.
When an individual is diagnosed with an infectious disease, they activate a feature in their phone which displays a QR code. The health professional has an app that scans the QR code. The health professional will enter details about the disease, and how far into the past the person was estimated to be contagious.
Alternatively if the individual hasn't been tested or is unable to reach a health professional, they can answer a set of questions about their symptoms that will determine how likely they are to be infected. Obviously this method of self diagnosis is less reliable so the framework will take this into account when deciding who to deliver alerts to.
The system alerts people that have had close contact with the infected individual, giving advice about local testing centers or self quarantine. The system will be tuned to only notify the more severe close contacts as needed. Data about available local testing capacity could be used to further refine this tuning.
Problems:
* Privacy: how to make the data private / anonymous. Communication: how to convince the public that their data is private / anonymous?
* Power: Bluetooth on all the time - battery drain?
* Health professionals: how to make sure only health professionals can use the alert app, but also deploy worldwide without delays.
* Deployment: how to get this system onto all Android phones with such a fragmented ecosystem.
* Detection: how to most effectively determine infection risk from available bluetooth data.
* Tuning: too many alerts for low risk encounters and people will ignore them - tuning is needed.
I doubt this is an issue anymore for modern devices. Things like smartwatches connect via Bluetooth but still manage to keep the phone’s almost-all-day battery life.
Every single authoritarian regime is salivating over something like this.
I have the impression that all of this is forced upon us as to make us believe that it is safe to get back to work ASAP. Wouldn't it be better to just wait ? (I'm not interested in the economical debate : this will invariably lead to compromises such as how many victims can we afford to keep the economy going ? (nobody will tell it that way, but in the end that's the truth behind those arguments))
We're literally still fighting the wars that arose out of the last time we acted in a moment where we were "united by fear."
Some ideas as to why:
- lots of people have iPhones and Apple have made efforts to make them less trackable so maybe there isn’t enough data about enough people
- google are scared that this would lead to their data collection/retention being more regulated
- The location data google collect just isn’t granular enough
- google don’t want to give the government access to their location data because they believe strongly that it should be private between google and the people being tracked/they’re scared that people will react badly as they begin to realise how much data google collects about them
https://blog.google/inside-google/company-announcements/appl...
Also, the Apple logo is first. I wonder how this was decided?
Someone probably said — “how about this?” and scribbled something. May have even been a Googler.
Then everyone else just said “sure”.
At least, that’s how I’d like to think it went.
This. It would look weird if the order were the other way around.
Not because I like that logo better but because it is smaller. Since English reads left to right, if the short thing comes after the long thing, it looks lopsided.
Also, since the Google logo is larger, it is going to be more prominent no matter what, so putting the Apple logo first balances that out a bit. Seems fair to me.
Many years ago I was at a black market in Beijing filled with every possible fashion counterfeit, and I found one black leather belt that had both Gucci and Calvin Klein logos on it.
It similarly seemed natural for a second ("even more fashion, right") until my brain did a double-take.
That is so that once one is diagnosed others can check if they were close to that one (and when?). And even these lists aren't supposed to be any typical metadata but something that stays local and the third parties can't reconstruct.
The idea is, again if I understood, that those who remain negative never have to upload anything that gives any traceable information about them.
See my other post here with other relevant quotes from the specification.
----
Edit:
1) Actually what is uploaded is: "the Daily Tracing Keys for days where the user could have been affected"
"Upon a positive test of a user for COVID-19, their Diagnosis Keys and associated DayNumbers are uploaded to the Diagnosis Server. A Diagnosis Server is a server that aggregates the Diagnosis Keys from the users who tested positive and distributes them to all the user clients who are using contact tracing."
The matching is done locally on every device:
"In order to identify any exposures, each client frequently fetches the list of Diagnosis Keys. Since Diagnosis Keys are sets of Daily Tracing Keys with their associated Day Numbers, each of the clients are able to re-derive the sequence of Rolling Proximity Identifiers that were advertised over Bluetooth from the users who tested positive. In order to do so, they use each of the Diagnosis Keys with the function defined to derive the Rolling Proximity Identifier. For each of the derived identifiers, they match it against the sequence they have found through Bluetooth scanning."
You are more right than I was initially, thanks!
Actually, to be even more precise: only if infected, you upload the set of your own derived keys, and apparently only for the days you could have transmitted the virus to other people.
From the documentation:
"Upon a user testing positive, the Daily Tracing Keys for days where the user could have been affected are derived on the device from the Tracing Key. We refer to that subset of keys as the Diagnosis Keys. If a user remains healthy and never tests positive, these Daily Tracing Keys never leave the device."
Your identity is pseudorandomly generated and cycles every 15 minutes, so you won't be identifiable/trackable - until you choose to share you were sick, and release the inputs to the KDF publicly. A third party app determines who can share they were sick, but the OS appears to require user consent before your information can be shared.
Even then, the people who did see you haven't shared any information.
The biggest vector of privacy abuse IMHO is that once you have opted in to letting an app check whether you had contact with an affected person, the app is responsible for behavior - informing you, helping you schedule testing, or potentially more abusive behavior like informing you and the state of a mandatory quarantine.
https://covid19-static.cdn-apple.com/applications/covid19/cu...
"Privacy Considerations
• The key schedule is fixed and defined by operating system components, preventing applications from including static or predictable information that could be used for tracking.
• A user’s Rolling Proximity Identifiers cannot be correlated without having the Daily Tracing Key. This reduces the risk of privacy loss from advertising them.
• A server operator implementing this protocol does not learn who users have been in proximity with or users’ location unless it also has the unlikely capability to scan advertisements from users who recently reported Diagnosis Keys.
• Without the release of the Daily Tracing Keys, it is not computationally feasible for an attacker to find a collision on a Rolling Proximity Identifier. This prevents a wide-range of replay and impersonation attacks.
• When reporting Diagnosis Keys, the correlation of Rolling Proximity Identifiers by others is limited to 24h periods due to the use of Daily Tracing Keys. The server must not retain metadata from clients uploading Diagnosis Keys after including them into the aggregated list of Diagnosis Keys per day."
It doesn't look bad, at least, at the first sight.
A detail: I hope the "day begin" for the "Daily Tracing Key" is the same for all users? I.e. not a local day but e.g. GMT+0 day or something.
What is the solution now? Find a new planet to start fresh? Away from government and Apple and Microsoft?
Are there people on this planet who oppose such measures and looking to be voted?