80 comments

[ 3.6 ms ] story [ 58.0 ms ] thread
5 times a second? That seems excessive, and a waste of power.
I wouldn't think it is excessive - if you're cycling and pass someone then the contact period would be very brief (but if you're passing through their sneeze cloud then it could be critical).
Huge discussion about this topic one-two days ago:

https://news.ycombinator.com/item?id=22834959 (805 points, 459 comments)

Not a dupe. This article explains in detail how the contact tracing API can work while preserving privacy.

Random identifiers not linked to you or your device, identifiers change every 10 minutes so third parties can't track you over time, processing locally on the device instead of by Apple or Google or the government, etc.

>>how the contact tracing API can work while preserving privacy.

It cant, and any claims it can is sheer arrogance on the part of the developers.

you can not simultaneously assign an identifier to everyone, and maintain privacy, they are mutually exclusive. If you can ID someone, and trace that ID back then it is not private

Well good news: This system does not assign an identifier to everyone, so it works.
Private until someone flags someone or everyone as infected.
It absolutely does, and broadcasts it via BlueTooth, then other phones track which ID's you have been near.

The idea that can not be used for something other than COVID is moronic, this type of system has been done in Marketing for a long time, Google knows this very well.

This is not a new or novel idea, nor it is private

It does not transmit "an ID". It transmits random IDs, that cycle often.
Except for people that Test Positive, which then it uploads each of the Daily Tracing keys to a central server for each of the day you were positive, this is reversible, and has to be in order to identify all of the contacts the person came in contact with

you can not have an anonymous system that also provides aways to trace back to individuals you came in contact with

it is impossible

and their complex Hash of hashes is just a way to make it seems private for people that do not understand what is really going on, it sounds good on the surface, but that is all it is surface level

that is with out getting into the ways to compromise the device to get the original Tracking key that all of the other tracking keys are generated from

Yes, that is the tradeoff you are making to keep actual human beings from dying painfully.

You can afford to give up a few days of your privacy for that. Really, you can.

Really you are going to come back at me with a Privacy vs Safety fallacy.

If that is all the justification you have, you have already lost the debate. That kind of justification can be used for all manner of dystopian programs. Authoritarians have been limiting privacy and freedom for centuries on the basis of safety.

Right now in congress the EARNIT act is attempting to use that very argument for the "safety of children" we all need to give up E2E encryption

No I completely reject your premise that because of safety I need to give up my privacy

No, there is no fallacy. There really isn't. You privacy is NOT more important than a human life, which is exactly what is at stake here. Claiming otherwise is utterly sociopathic.
No it means I would rather die with privacy and liberty than to live in an Authoritarian Dystopia with no liberty or privacy

it is not sociopathic to put an extremely high value on privacy and liberty

No, it does not mean that. It means you would rather let OTHER people die with your privacy. You are literally valuing your privacy higher than the life of other people. And yes, that is sociopathic.
So do you draw any line on this, or should all privacy be void as long as it saves 1 life?

For example should I have my every moment monitored because I might hurt someone? Should everyone have to have a BAC monitor on their cars so save people from drunk driving?

Just trying to see if there is any limits in your Authoritarian world

Of course I draw lines. Any sane person draws lines. And the current situation is far, far beyond that line, as should be blatantly obvious to anyone with a functioning sense of empathy.
If you haven’t already, you should read the linked article. It does a great job explaining the features of the system in easy language.
> third parties can't track you over time

I thought having a third party track everyone over time was the entire point of contact tracing?

Voluntary compliance for public health today; mandatory compliance by government edict tomorrow -- or we flag your account and you're prohibited from buying anything. And what if I chose to stop using a smart phone and just use a flip phone that doesn't have Bluetooth? Am I a de facto enemy of public health (or just public enemy)?

Anyone else see this as a MASSIVE slippery slope with too much potential for exploitation?

This was my first thought. Feels like an NSA goal, to build a web of association for everyone in the country.
That's what makes no sense at all: the CIA and NSA have been running social network graph systems for years; they know who talks to whom and what the social circles are. The only thing this does is answer who gets within proximity of another... something the NSA and others can probably do already with pervasive video surveillance and biometric identification. This project seems like a massive overreach and I won't be taking part, even if it means pulling the SIM from my iPhone and using a flip phone until sanity returns (or for the rest of my life).
I have several wrenches in my toolbox. But if someone is going to give me a new one, I'm gonna accept it.

That's the same idea here; sure, maybe the CIA and NSA already have the capability. But what's the harm in having it twice? There's actually benefits from the aspect of checking one against the other, not to mention one may reveal something the other doesn't.

I'm not saying this is what will happen. I'm simply saying that power seeks more power.

Absolutely. "Anti-tracers" will be called the "new anti-vaxxers" and it will likely happen very soon, too (within a few short years) or when the next pandemic happens (which would also be in a few short years).
This system goes to quite some lengths to preserve privacy.

If you are going to attack it, you need to actually address what it does and explain why you don't think that is sufficient.

_This_ particular version of the system does, yes. But the next iteration may slightly weaken the privacy for some "legitimate" reason. And the next version slightly more. Then just a bit more. All for seemingly legitimate reasons. That's the slippery slope.
That's not a very impressive slippery slope if we've just concluded that the first step of it is horizontal.

If this system goes to some lengths to preserve privacy, slippery slope argument doesn't really apply.

That's a false sense of security. Change often starts with a lateral move, but one closer to the slope being acceptable.
Great. Then we should keep an eye out for the actual thing that's down the slope. Forgoing useful technologies because a slope exists is like refusing to mine coal because the uranium nearby could some day be used to build atomic bombs.
Neither of your example minerals are particularly healthy for humans, nor can they be made so without extreme efforts.
But we can agree there's a world of difference. There isn't a massive international storage and handling agreement for coal and its waste products, and no country has ever been preemptively bombed over mining too much coal.
Why not just ask telecom companies for all their data? Quicker, stealthier and much easier.

There is not NEED to use this scheme in such a convoluted way. There are far better ways to spy, and the way to protect against it is through politics and laws.

Exactly. People worrying about what their smartphones could be leaking via a convoluted point-to-point aggregation process while every telephone conversation and email is routed through dozens of third-party machines with unaccountable auditing going on.
The authors of DP-3T have already explained the privacy holes in their scheme. It's in the trade-offs section of the paper; eavesdroppers, savvy hackers and governments can identify and track infected users (to varying extents) without much trouble.

A tech-savvy person could drive by your house and find out your IDs for that day. If you reveal them later on (as you would if infected), that person would know you're infected. In small towns a single person could in practice publish a database of all infected households.

A government can install Bluetooth receivers throughout a city and find out where an infected user passed by.

Installing bluetooth receivers throughout a city is only feasible if you plan to use it for way more than just coronapatient tracking.
It will compliment CCTV quite nicely... and since the former can do biometric identification then cross referencing that ID# 04d07402e5a502fb7ae0a7847853f1ac5d2a280729901a29738fb3b017135934 is really Bob Smith who lives at 1234 Main Street will be easy enough.
I recommend actually reading the specification before imagine how to abuse it. There is no fixed, per-user ID being broadcast.

Or if you don't want to, a tl;dr is:

1. Your phone broadcasts a message via BLE every X milliseconds with a "random" ID. The ID is only predictable with a secret key which never leaves user device before "voluntarily revealing" (I agree this can be shaddy). The "random" ID is rotated every Y minutes.

2. The secret key will be rotated daily. The user device only reveals last 14 keys if user voluntarily do so.

3. Note that every BLE advertisement already contains a hardware address and your phone does this regularly. Guess how they mitigate this privacy issue? Rotating the hardware address every Y minutes. So no additional entropy being leaked here, unless you have the user's secret key.

I think that was the point. This is useful for coronavirus patient tacking, yes, but it's also useful for people tracking in general, and malcontent (whomever defines that) tracking in particular.
But it's not. There are far better ways to do that, if that is the path you're going down. This is specifically designed to make that kind of thing much harder.
But are any of those at all realistic attack scenarios?

A government can do much more with less effort using other means. And it's hard to see the value of making that kind of attack as an individual.

"OMG! We know ID 04d07402e5a502fb7ae0a7847853f1ac5d2a280729901a29738fb3b017135934 is infected and not quarantining but we have no idea who they are! If only this system weren't built for security we could save the elderly! Won't someone please think of grandma?"

You really think that won't be the predicate for abandoning security and anonymity?

But wait, with this system the infected ones have to voluntarily reveal their ID, otherwise nobody knows what their ID are. So how is "We know ID .... is infected but we have no idea who they are" possible?

edit: and no, the observable "ID" is not fixed, so you can't link two unknown IDs.

"Slippery Slope" is a logical fallacy. It's right there alongside "appeal to authority" and "confirmation bias", to name two examples people somehow tend to remember far easier. It's a fallacy because it applies to everything: "Now, they're just requiring cars to emit less CO2[0]. Next, they'll prohibit breathing!"

This program goes out of its way to achieve provable anonymity. That is, in fact, the only reason Google and Apple are needs to implement this. Google Maps has actual location data, with similar precision at least in cities. That data has been there for sliding/skating governments to grab for years now. It's on servers, where it's easier to get to than data on your phone, legally. And location data is far more valuable than "X and Y came within 5 minutes at least once in the three days beginning April 15th".

If all that doesn't convince, rest assured it will convince the public. As would anything, really, because they already see this pretty clearly. With that in mind, consider that going to the barricades for privacy now means certain failure on this issue, and possibly lasting repetitional damage for the cause.

[0]: One wishes...

In the US at least, I think you just argued exactly how the slippery slope isn't a slippery slope. The US government is never going to spring for getting every American a smartphone.
The government requires auto insurance for every driver without paying a cent. They just make it mandatory and leave you to figure out how to pay for it.
America almost had a Constitutional crisis over whether making people who don't have health insurance pay more taxes is allowed. I don't think the Fed will have the authority to mandate purchase of a particular class of phone when another class does the job just as well.
Seems better than what I came up with, but one of my issues with Bluetooth is: how would you determine distance? Power?

Also: that central server has got to be pretty powerful.

Yeah I don't want to be commanded to self-isolate because I was 25 feet away from a stranger in a park...
Oh, I definitely do. That's a huge improvement over the current status quo where I contracted COVID-19 from passing a stranger in a park, have no idea I've done so because I thought that I was doing a good job of self isolation and never even saw that person, and two weeks later I'm wildly ill and have already infected everyone in my household.

More information gives me more tools to protect myself and those I love.

I wonder if they could reduce the power to the Bluetooth chipset to artificially reduce the range?

Might be possible with iOS devices as it's pretty easy to test each of them. Harder to do with the 1000s of Android devices that exist.

I keep Bluetooth disabled when I'm not using it. What happens then?

I knew crap like this was going to happen. Hello Big Brother.

Maybe using the system is optional, but it gets you into the high priority group when you're waiting in line for hospital access
This is precisely what worries me. Submit to big brother, or you’re a second class citizen.
You say that as if avoiding having a driver's license and credit card for privacy reasons doesn't already cause huge complications in an American's day-to-day life.
Don't forget the third option: ignore high-consensus advice from health experts, contract a novel deadly disease, and spread it, become seriously ill, or die.
If a pandemic doesn't strike you as the appropriate time to temporarily cede some personal rights then what situation does, exactly?
> What happens then?

Nothing. Except a slightly elevated chance of getting infected.

Remember: The goal is not to (make your Grandmother) die for your cause, but to make the virus die for their ill-calibrated conspiracy theory.

(comment deleted)
I don’t understand why we go through all this trouble? If we’re talking about Apple and Google they already have all information about where the majority of people have been (everyone that didn’t explicitly turn off their location tracking services).

It also doesn’t require anyone to install an app...

How do Google and apple access each others' data?
Maybe the world is more then the USA, so if in country X a doctor finds a person with something and he wants to warn all the people this person had contact with, this doctor would have to ask nicely Google and Apple to grep trough logs and find who meet who and where? Would Google and Apple respond to a doctor in a small country?

You can have a national app that is under the control of the health department and doctors ,t hat only does things like "send a notification to all users that were in contact with person with this ID to come to hospital and get a test".

I understand that this could be potentially abused for evil or that evil people already do this using WiFi or cell towers, I am thinking that we should also think at the good that could come of this.

No they don’t. Nobody has data that granular and fit for purpose.

If my purpose-built wirst watch shows me veering dozens of meters of course even if I explicitly tell it to precisely track my location then that’s not fit for purpose.

GPS isn't very accurate indoors.

BLE only has a range of 20 meters or so indoors.

How about letting nature take it's course? They didn't have Google Apple and Facebook before and we survived plagues that make Covid look like a joke.
Privacy issues aside, if the 10 minute key is only 16bits, and this is being used by hundreds of millions of people, wouldn't there be a lot of false positives?
The size of the graph doesn't matter, only the average vertex degree, which should be pretty low if you are social distant, because you only share identifiers with nearby people.
But wouldn't that mean the list of infected keys would have to be location-indicated in some way? I guess I was under the impression it would be one list for the country.
I see, that's a good point. The article implies the "infected" list is global, not location specific.
It's 16 bytes, not 16 bits.
Ah I misread. That definitely fixes the problem!
It's going to be a problem to get rid of it later .. but right now we can barely go outside! It's not a simple tradeoff between tracking and no tracking, it's a tradeoff between tracking and lockdown.

US deaths just passed 22k, over seven times 9/11 and over four times the total Iraq war death toll. It is likely we will see five to ten times that total number before the pandemic is ended.

People have been happily arguing to let the old die as a means to end the lockdown. How about cellphone tracking instead?

(And remember that every cellphone knows your approximate location by necessity of which cell you're connected to.)

Framing this as an either/or choice (surrender some privacy or the elderly die) is a reductio ad absurdum.

There are easier and less blatantly intrusive ways of achieving 80% or 90% of the mitigation, like for example a combination of nonstop education of the public and issuing tickets for breaking social distancing rules as is being done in some places.

After the 9/11 attacks, Americans passively accepted huge intrusions on privacy that have still not been rolled back, 19 years later.

We should be very careful what we wish for. This tracking thing is a very slippery slope.

What are your sources on nonstop education plus tickets being sufficient to get to 80% / 90% mitigation?
Won't this cause false positives from people, for example, walking in front of my house while I'm inside, and also while for example, stopped at a stoplight next to other cars?
Likely yes. The system will need some fine-tuning to achieve its goals.
What a vast understatement
There's an interesting article on Vox regarding how this all fits into a larger plan for getting Americans out of their homes (https://www.vox.com/platform/amp/2020/4/10/21215494/coronavi...).

The tl;dr is that at least in the context of a pandemic like this one, lack of access to a smartphone and lack of willingness to enable tracking puts a person in the new second-class-citizen category. It's not the stick that government would use to restrict freedom; it's the carrot of granting more freedom to those who are more trusting of authority.

Not only do I personally not see much of a way around that scenario, the Vox article notes it's entirely possible that Americans' general mistrust of authority means the country may recover more slowly and painfully than nations that are willing to let the government data-tag and monitor everyone.

At what point does the value of participating in society and the economy outweigh the value of one's privacy? It seems this question is going to rapidly become even more non-academic than it already is.