I wouldn't think it is excessive - if you're cycling and pass someone then the contact period would be very brief (but if you're passing through their sneeze cloud then it could be critical).
Not a dupe. This article explains in detail how the contact tracing API can work while preserving privacy.
Random identifiers not linked to you or your device, identifiers change every 10 minutes so third parties can't track you over time, processing locally on the device instead of by Apple or Google or the government, etc.
>>how the contact tracing API can work while preserving privacy.
It cant, and any claims it can is sheer arrogance on the part of the developers.
you can not simultaneously assign an identifier to everyone, and maintain privacy, they are mutually exclusive. If you can ID someone, and trace that ID back then it is not private
It absolutely does, and broadcasts it via BlueTooth, then other phones track which ID's you have been near.
The idea that can not be used for something other than COVID is moronic, this type of system has been done in Marketing for a long time, Google knows this very well.
This is not a new or novel idea, nor it is private
Except for people that Test Positive, which then it uploads each of the Daily Tracing keys to a central server for each of the day you were positive, this is reversible, and has to be in order to identify all of the contacts the person came in contact with
you can not have an anonymous system that also provides aways to trace back to individuals you came in contact with
it is impossible
and their complex Hash of hashes is just a way to make it seems private for people that do not understand what is really going on, it sounds good on the surface, but that is all it is surface level
that is with out getting into the ways to compromise the device to get the original Tracking key that all of the other tracking keys are generated from
Really you are going to come back at me with a Privacy vs Safety fallacy.
If that is all the justification you have, you have already lost the debate. That kind of justification can be used for all manner of dystopian programs. Authoritarians have been limiting privacy and freedom for centuries on the basis of safety.
Right now in congress the EARNIT act is attempting to use that very argument for the "safety of children" we all need to give up E2E encryption
No I completely reject your premise that because of safety I need to give up my privacy
No, there is no fallacy. There really isn't. You privacy is NOT more important than a human life, which is exactly what is at stake here. Claiming otherwise is utterly sociopathic.
No, it does not mean that. It means you would rather let OTHER people die with your privacy. You are literally valuing your privacy higher than the life of other people. And yes, that is sociopathic.
So do you draw any line on this, or should all privacy be void as long as it saves 1 life?
For example should I have my every moment monitored because I might hurt someone? Should everyone have to have a BAC monitor on their cars so save people from drunk driving?
Just trying to see if there is any limits in your Authoritarian world
Of course I draw lines. Any sane person draws lines. And the current situation is far, far beyond that line, as should be blatantly obvious to anyone with a functioning sense of empathy.
Voluntary compliance for public health today; mandatory compliance by government edict tomorrow -- or we flag your account and you're prohibited from buying anything. And what if I chose to stop using a smart phone and just use a flip phone that doesn't have Bluetooth? Am I a de facto enemy of public health (or just public enemy)?
Anyone else see this as a MASSIVE slippery slope with too much potential for exploitation?
That's what makes no sense at all: the CIA and NSA have been running social network graph systems for years; they know who talks to whom and what the social circles are. The only thing this does is answer who gets within proximity of another... something the NSA and others can probably do already with pervasive video surveillance and biometric identification. This project seems like a massive overreach and I won't be taking part, even if it means pulling the SIM from my iPhone and using a flip phone until sanity returns (or for the rest of my life).
I have several wrenches in my toolbox. But if someone is going to give me a new one, I'm gonna accept it.
That's the same idea here; sure, maybe the CIA and NSA already have the capability. But what's the harm in having it twice? There's actually benefits from the aspect of checking one against the other, not to mention one may reveal something the other doesn't.
I'm not saying this is what will happen. I'm simply saying that power seeks more power.
Absolutely. "Anti-tracers" will be called the "new anti-vaxxers" and it will likely happen very soon, too (within a few short years) or when the next pandemic happens (which would also be in a few short years).
_This_ particular version of the system does, yes. But the next iteration may slightly weaken the privacy for some "legitimate" reason. And the next version slightly more. Then just a bit more. All for seemingly legitimate reasons. That's the slippery slope.
Great. Then we should keep an eye out for the actual thing that's down the slope. Forgoing useful technologies because a slope exists is like refusing to mine coal because the uranium nearby could some day be used to build atomic bombs.
But we can agree there's a world of difference. There isn't a massive international storage and handling agreement for coal and its waste products, and no country has ever been preemptively bombed over mining too much coal.
Why not just ask telecom companies for all their data? Quicker, stealthier and much easier.
There is not NEED to use this scheme in such a convoluted way. There are far better ways to spy, and the way to protect against it is through politics and laws.
Exactly. People worrying about what their smartphones could be leaking via a convoluted point-to-point aggregation process while every telephone conversation and email is routed through dozens of third-party machines with unaccountable auditing going on.
The authors of DP-3T have already explained the privacy holes in their scheme. It's in the trade-offs section of the paper; eavesdroppers, savvy hackers and governments can identify and track infected users (to varying extents) without much trouble.
A tech-savvy person could drive by your house and find out your IDs for that day. If you reveal them later on (as you would if infected), that person would know you're infected. In small towns a single person could in practice publish a database of all infected households.
A government can install Bluetooth receivers throughout a city and find out where an infected user passed by.
It will compliment CCTV quite nicely... and since the former can do biometric identification then cross referencing that ID# 04d07402e5a502fb7ae0a7847853f1ac5d2a280729901a29738fb3b017135934 is really Bob Smith who lives at 1234 Main Street will be easy enough.
I recommend actually reading the specification before imagine how to abuse it. There is no fixed, per-user ID being broadcast.
Or if you don't want to, a tl;dr is:
1. Your phone broadcasts a message via BLE every X milliseconds with a "random" ID. The ID is only predictable with a secret key which never leaves user device before "voluntarily revealing" (I agree this can be shaddy). The "random" ID is rotated every Y minutes.
2. The secret key will be rotated daily. The user device only reveals last 14 keys if user voluntarily do so.
3. Note that every BLE advertisement already contains a hardware address and your phone does this regularly. Guess how they mitigate this privacy issue? Rotating the hardware address every Y minutes. So no additional entropy being leaked here, unless you have the user's secret key.
I think that was the point. This is useful for coronavirus patient tacking, yes, but it's also useful for people tracking in general, and malcontent (whomever defines that) tracking in particular.
But it's not. There are far better ways to do that, if that is the path you're going down. This is specifically designed to make that kind of thing much harder.
"OMG! We know ID 04d07402e5a502fb7ae0a7847853f1ac5d2a280729901a29738fb3b017135934 is infected and not quarantining but we have no idea who they are! If only this system weren't built for security we could save the elderly! Won't someone please think of grandma?"
You really think that won't be the predicate for abandoning security and anonymity?
But wait, with this system the infected ones have to voluntarily reveal their ID, otherwise nobody knows what their ID are. So how is "We know ID .... is infected but we have no idea who they are" possible?
edit: and no, the observable "ID" is not fixed, so you can't link two unknown IDs.
"Slippery Slope" is a logical fallacy. It's right there alongside "appeal to authority" and "confirmation bias", to name two examples people somehow tend to remember far easier. It's a fallacy because it applies to everything: "Now, they're just requiring cars to emit less CO2[0]. Next, they'll prohibit breathing!"
This program goes out of its way to achieve provable anonymity. That is, in fact, the only reason Google and Apple are needs to implement this. Google Maps has actual location data, with similar precision at least in cities. That data has been there for sliding/skating governments to grab for years now. It's on servers, where it's easier to get to than data on your phone, legally. And location data is far more valuable than "X and Y came within 5 minutes at least once in the three days beginning April 15th".
If all that doesn't convince, rest assured it will convince the public. As would anything, really, because they already see this pretty clearly. With that in mind, consider that going to the barricades for privacy now means certain failure on this issue, and possibly lasting repetitional damage for the cause.
In the US at least, I think you just argued exactly how the slippery slope isn't a slippery slope. The US government is never going to spring for getting every American a smartphone.
The government requires auto insurance for every driver without paying a cent. They just make it mandatory and leave you to figure out how to pay for it.
America almost had a Constitutional crisis over whether making people who don't have health insurance pay more taxes is allowed. I don't think the Fed will have the authority to mandate purchase of a particular class of phone when another class does the job just as well.
Oh, I definitely do. That's a huge improvement over the current status quo where I contracted COVID-19 from passing a stranger in a park, have no idea I've done so because I thought that I was doing a good job of self isolation and never even saw that person, and two weeks later I'm wildly ill and have already infected everyone in my household.
More information gives me more tools to protect myself and those I love.
You say that as if avoiding having a driver's license and credit card for privacy reasons doesn't already cause huge complications in an American's day-to-day life.
Don't forget the third option: ignore high-consensus advice from health experts, contract a novel deadly disease, and spread it, become seriously ill, or die.
I don’t understand why we go through all this trouble? If we’re talking about Apple and Google they already have all information about where the majority of people have been (everyone that didn’t explicitly turn off their location tracking services).
It also doesn’t require anyone to install an app...
Maybe the world is more then the USA, so if in country X a doctor finds a person with something and he wants to warn all the people this person had contact with, this doctor would have to ask nicely Google and Apple to grep trough logs and find who meet who and where? Would Google and Apple respond to a doctor in a small country?
You can have a national app that is under the control of the health department and doctors ,t hat only does things like "send a notification to all users that were in contact with person with this ID to come to hospital and get a test".
I understand that this could be potentially abused for evil or that evil people already do this using WiFi or cell towers, I am thinking that we should also think at the good that could come of this.
No they don’t. Nobody has data that granular and fit for purpose.
If my purpose-built wirst watch shows me veering dozens of meters of course even if I explicitly tell it to precisely track my location then that’s not fit for purpose.
Privacy issues aside, if the 10 minute key is only 16bits, and this is being used by hundreds of millions of people, wouldn't there be a lot of false positives?
The size of the graph doesn't matter, only the average vertex degree, which should be pretty low if you are social distant, because you only share identifiers with nearby people.
But wouldn't that mean the list of infected keys would have to be location-indicated in some way? I guess I was under the impression it would be one list for the country.
It's going to be a problem to get rid of it later .. but right now we can barely go outside! It's not a simple tradeoff between tracking and no tracking, it's a tradeoff between tracking and lockdown.
US deaths just passed 22k, over seven times 9/11 and over four times the total Iraq war death toll. It is likely we will see five to ten times that total number before the pandemic is ended.
People have been happily arguing to let the old die as a means to end the lockdown. How about cellphone tracking instead?
(And remember that every cellphone knows your approximate location by necessity of which cell you're connected to.)
Framing this as an either/or choice (surrender some privacy or the elderly die) is a reductio ad absurdum.
There are easier and less blatantly intrusive ways of achieving 80% or 90% of the mitigation, like for example a combination of nonstop education of the public and issuing tickets for breaking social distancing rules as is being done in some places.
After the 9/11 attacks, Americans passively accepted huge intrusions on privacy that have still not been rolled back, 19 years later.
We should be very careful what we wish for. This tracking thing is a very slippery slope.
Won't this cause false positives from people, for example, walking in front of my house while I'm inside, and also while for example, stopped at a stoplight next to other cars?
The tl;dr is that at least in the context of a pandemic like this one, lack of access to a smartphone and lack of willingness to enable tracking puts a person in the new second-class-citizen category. It's not the stick that government would use to restrict freedom; it's the carrot of granting more freedom to those who are more trusting of authority.
Not only do I personally not see much of a way around that scenario, the Vox article notes it's entirely possible that Americans' general mistrust of authority means the country may recover more slowly and painfully than nations that are willing to let the government data-tag and monitor everyone.
At what point does the value of participating in society and the economy outweigh the value of one's privacy? It seems this question is going to rapidly become even more non-academic than it already is.
80 comments
[ 3.6 ms ] story [ 58.0 ms ] threadhttps://news.ycombinator.com/item?id=22834959 (805 points, 459 comments)
Random identifiers not linked to you or your device, identifiers change every 10 minutes so third parties can't track you over time, processing locally on the device instead of by Apple or Google or the government, etc.
It cant, and any claims it can is sheer arrogance on the part of the developers.
you can not simultaneously assign an identifier to everyone, and maintain privacy, they are mutually exclusive. If you can ID someone, and trace that ID back then it is not private
The idea that can not be used for something other than COVID is moronic, this type of system has been done in Marketing for a long time, Google knows this very well.
This is not a new or novel idea, nor it is private
you can not have an anonymous system that also provides aways to trace back to individuals you came in contact with
it is impossible
and their complex Hash of hashes is just a way to make it seems private for people that do not understand what is really going on, it sounds good on the surface, but that is all it is surface level
that is with out getting into the ways to compromise the device to get the original Tracking key that all of the other tracking keys are generated from
You can afford to give up a few days of your privacy for that. Really, you can.
If that is all the justification you have, you have already lost the debate. That kind of justification can be used for all manner of dystopian programs. Authoritarians have been limiting privacy and freedom for centuries on the basis of safety.
Right now in congress the EARNIT act is attempting to use that very argument for the "safety of children" we all need to give up E2E encryption
No I completely reject your premise that because of safety I need to give up my privacy
it is not sociopathic to put an extremely high value on privacy and liberty
For example should I have my every moment monitored because I might hurt someone? Should everyone have to have a BAC monitor on their cars so save people from drunk driving?
Just trying to see if there is any limits in your Authoritarian world
I thought having a third party track everyone over time was the entire point of contact tracing?
Anyone else see this as a MASSIVE slippery slope with too much potential for exploitation?
That's the same idea here; sure, maybe the CIA and NSA already have the capability. But what's the harm in having it twice? There's actually benefits from the aspect of checking one against the other, not to mention one may reveal something the other doesn't.
I'm not saying this is what will happen. I'm simply saying that power seeks more power.
https://amp.reddit.com/r/AskReddit/comments/fhkcw8/what_are_...
If you are going to attack it, you need to actually address what it does and explain why you don't think that is sufficient.
If this system goes to some lengths to preserve privacy, slippery slope argument doesn't really apply.
There is not NEED to use this scheme in such a convoluted way. There are far better ways to spy, and the way to protect against it is through politics and laws.
A tech-savvy person could drive by your house and find out your IDs for that day. If you reveal them later on (as you would if infected), that person would know you're infected. In small towns a single person could in practice publish a database of all infected households.
A government can install Bluetooth receivers throughout a city and find out where an infected user passed by.
Or if you don't want to, a tl;dr is:
1. Your phone broadcasts a message via BLE every X milliseconds with a "random" ID. The ID is only predictable with a secret key which never leaves user device before "voluntarily revealing" (I agree this can be shaddy). The "random" ID is rotated every Y minutes.
2. The secret key will be rotated daily. The user device only reveals last 14 keys if user voluntarily do so.
3. Note that every BLE advertisement already contains a hardware address and your phone does this regularly. Guess how they mitigate this privacy issue? Rotating the hardware address every Y minutes. So no additional entropy being leaked here, unless you have the user's secret key.
A government can do much more with less effort using other means. And it's hard to see the value of making that kind of attack as an individual.
You really think that won't be the predicate for abandoning security and anonymity?
edit: and no, the observable "ID" is not fixed, so you can't link two unknown IDs.
This program goes out of its way to achieve provable anonymity. That is, in fact, the only reason Google and Apple are needs to implement this. Google Maps has actual location data, with similar precision at least in cities. That data has been there for sliding/skating governments to grab for years now. It's on servers, where it's easier to get to than data on your phone, legally. And location data is far more valuable than "X and Y came within 5 minutes at least once in the three days beginning April 15th".
If all that doesn't convince, rest assured it will convince the public. As would anything, really, because they already see this pretty clearly. With that in mind, consider that going to the barricades for privacy now means certain failure on this issue, and possibly lasting repetitional damage for the cause.
[0]: One wishes...
Also: that central server has got to be pretty powerful.
More information gives me more tools to protect myself and those I love.
Might be possible with iOS devices as it's pretty easy to test each of them. Harder to do with the 1000s of Android devices that exist.
I knew crap like this was going to happen. Hello Big Brother.
Nothing. Except a slightly elevated chance of getting infected.
Remember: The goal is not to (make your Grandmother) die for your cause, but to make the virus die for their ill-calibrated conspiracy theory.
It also doesn’t require anyone to install an app...
You can have a national app that is under the control of the health department and doctors ,t hat only does things like "send a notification to all users that were in contact with person with this ID to come to hospital and get a test".
I understand that this could be potentially abused for evil or that evil people already do this using WiFi or cell towers, I am thinking that we should also think at the good that could come of this.
If my purpose-built wirst watch shows me veering dozens of meters of course even if I explicitly tell it to precisely track my location then that’s not fit for purpose.
BLE only has a range of 20 meters or so indoors.
US deaths just passed 22k, over seven times 9/11 and over four times the total Iraq war death toll. It is likely we will see five to ten times that total number before the pandemic is ended.
People have been happily arguing to let the old die as a means to end the lockdown. How about cellphone tracking instead?
(And remember that every cellphone knows your approximate location by necessity of which cell you're connected to.)
There are easier and less blatantly intrusive ways of achieving 80% or 90% of the mitigation, like for example a combination of nonstop education of the public and issuing tickets for breaking social distancing rules as is being done in some places.
After the 9/11 attacks, Americans passively accepted huge intrusions on privacy that have still not been rolled back, 19 years later.
We should be very careful what we wish for. This tracking thing is a very slippery slope.
https://en.wikipedia.org/wiki/Casualties_of_the_Iraq_War
The tl;dr is that at least in the context of a pandemic like this one, lack of access to a smartphone and lack of willingness to enable tracking puts a person in the new second-class-citizen category. It's not the stick that government would use to restrict freedom; it's the carrot of granting more freedom to those who are more trusting of authority.
Not only do I personally not see much of a way around that scenario, the Vox article notes it's entirely possible that Americans' general mistrust of authority means the country may recover more slowly and painfully than nations that are willing to let the government data-tag and monitor everyone.
At what point does the value of participating in society and the economy outweigh the value of one's privacy? It seems this question is going to rapidly become even more non-academic than it already is.