28 comments

[ 3.1 ms ] story [ 73.3 ms ] thread
The market for this product is governments who stubbornly refuse to use the exposure notifications framework because they think they know better. It’s a pile of trash that drains the battery, particularly on older phones.

https://github.com/AU-COVIDSafe/mobile-ios/issues?q=is%3Aiss...

is Herald the one Covid-safe in Australia uses?

That thing utterly murders the battery on new phones as well.

I have a Note 10 + 5G and my wife has the S20 Plus and running that means having to recharge the battery multiple times a day or risk running around without any phone.

Sometimes my wife has noticed that the battery will go DOWN while being charged. so we uninstalled the app and the problem has gone.

I was an advocate for it when they were talking about releasing it... but as usual the Australian Gov is technically incompetent.

Yes, Australia’s COVIDSafe app uses Herald.
On iOS it only switched to Herald in v2.0 which - according to my phone - was installed 2 days ago.
After a first app failure (stopcovid19), France uses the ROBERT protocol in its second app TousAntiCOVID (which is just a rebrand+slight pivot into focused news); apparently the protocol is joint-developed between Fraunhofer (Germany) and INRIA (France).

The irony is that Germany uses iOS contact tracing, so as I live near the border I miss detection of a high vector.

Scratch that, I -would miss-, it I used the app, which I don’t because it has to be opened, manually toggled on, and stay in the foreground to do any contact tracing.

Even if it were not for the battery use, the power of defaults means that the app is rarely activated by people, (when it’s installed at all since it’s not listed in the initial iOS alert you get and pick France).

Desperate posters “here I activate TousAntiCOVID” are being placated in shopping malls and stuff.

It’s ridiculous.

https://gitlab.inria.fr/stopcovid19/accueil

But France showed repeatedly that they don't understand science, do want to listen to it, and don't want to learn from it. From the masks to the current christmas holidays who will create a 3rd wave, they proved they don't handle this virus very well.

Add to that a bit of science nationalism from the De Gaulle era, and we ended up with that app.

ROBERT was used in the first app too.
Very interesting how they made this work on iOS, given so many failed (before the Apple/Google protocol was released). A lot of the design documentation references the UK market, I wonder if VMWare were asked/volunteered to help with the NHSX app that tried to ignore the Apple/Google "blessed" approach.

> Provides a number of approaches to workaround the ‘iOS detection in the background’ bug in iOS to a point where detection and continuity is superior to existing protocols

The technical details on the protocol (seperate from the "payload" which is contact tracing specific data) are here[1], and the iOS library here[2]. I would be interested if anyone else has verified these claims.

[1] https://vmware.github.io/herald/specs/protocol [2] https://github.com/vmware/herald-for-ios

Yes. VMWare were one of the lead contractors on the original UK app, but are no longer on the project.
I used the Australian COVIDSafe ios app today which uses herald. The only way it can keep the app receiving Bluetooth while in the background is to request location permissions and show the blue ios bar at the top that says “COVIDSafe is using your location”.

It’s a hack. Nobody seems to spell that out in the media coverage about it. Yes it works some of the time, but only under very specific circumstances.

Someone needs to tell it straight. It doesn’t work, we should just use the platform provided apis and be done with it.

Edit: this is an excellent summary of what’s wrong with the Australian app:

https://github.com/AU-COVIDSafe/mobile-android/issues/30

I was so pleased to see the NZ govt integrate the native ENF from iOS and Android into our Covid app. It took longer than I would have liked, and there were some misguided investigations into alternatives (like the Bluetooth "covid card" that would dangle around people's necks on lanyards) but it's a great result for us.
I'm in awe of the effort Jim Mussared (https://twitter.com/jim_mussared), Vanessa Teague (https://twitter.com/VTeagueAus) and a few others have put into identifying serious issues with the COVIDSafe app (and making sensible, well-informed recommendations).

That ticket is incredibly damning of the Australian Government.

Highly-skilled technologists and cryptographers volunteer significant amounts of time in the hope critical digital infrastructure can be improved and everything is basically dismissed.

Sadly it's the exact same situation as with the German covid app. The limitations of what can be done without the iOS/Android APIs are too high to make the app useful, as can be seen in the official documentation: https://github.com/corona-warn-app/cwa-documentation/blob/ma...
It’s not the exact same situation. It’s a completely different situation.

These apps need to use the OS APIs, otherwise there is no hope for them. The German app uses those APIs, the Australian one does not. While there are obviously trade-offs involved with the OS APIs, it's not hopeless like this clusterfuck.

Why not use the OS APIs when available and provide a hack/fallback for old Phones which don't have those APIs?
Why would that be worth the effort? Support is pretty far-reaching and picking up marginal old phones isn’t that important.
I have no statistics at hand but the Android ecosystem is known for having a lot of old phones. Since the corona apps are not about reaching the wealthiest, but about reaching as many people as possible it might be worth the effort.
The interesting thing about the German covid app is that it is actually pretty good considering the solution space available to its creators. It features a decentralized "privacy first" architecture and utilizes the platform APIs which _should_ be the best implementation for handling the actual contact tracing.

Since it is open source and uses a very common tech stack, it is easy to check and understand for as many people as possible that it is well-crafted and does not contain any obvious security vulnerabilities or backdoors. This makes it very trustworthy from an IT-persons point of view, and should in minimize the number of unsettled people who don't install the application on their handsets since they mistrust the government.

Well-known public instances like the CCC (German IT-Security NGO) did a review on the app and gave it a good testimonial - even on mass media like public television. The government and the involved third-parties like Deutsche Telekom and SAP did a lot to emphasize that there is no harm to be expected from the app and the worst thing that could happen is that it doesn't work - which would be the exact same outcome as if you just didn't use it.

Still, Germans' are hard to convince, once they made up their mind about something. The public image of the government, as well as Deutsche Telekom and SAP is often disconnected from their actual performance. The same people often disregard these instances' and companies' ideas, products and services with the same persistence they welcome or defend equaly debatable innovations and decisions from actors they look favorably upon, like Apple.

It's sad to see that the good work of many smart people is so easily disregarded. The government and the involved companies actually listened to privacy and security experts and made a lot of right choices. That's something I'd like to see more of in the future. A little bit of appreciation could go a long way for shaping such decisions for the years to come.

> The limitations of what can be done without the iOS/Android APIs are too high to make the app useful, as can be seen in the official documentation: https://github.com/corona-warn-app/cwa-documentation/blob/ma...

This is the core reason I'm so against these duopolies. I have a startup idea that I want to implement. I've done it on windows, and it's flawless. Should work on macOS too. But these mobile OS's don't provide the right API's to do it. Android offers access to do it in a half assed way, and the way to do it right is to do it the correct way, flawlessly. So I'm stuck in a limbo, I want to be the first and last to market, prepared for when these companies break up, the OS offers access to some API's I want, and capture the market. There may be little network effects to the idea. But it's going to be a big market for everyone, with plenty of competition if idiots offer the right API's. [edited it gave away a bit too revealing info]. Enough that I don't ever connect my development machine to the internet to make sure no source code ever leaves.

My test users have asked me when will I offer a mobile app? The app needs mobile integration to make it work the way the idea was supposed to be. All OS's that the user uses, together.

And, I have no response to their questions and the mails end up collecting dust.

These fuckers ruin innovation for everyone and it makes me mad.

If these companies don't get broken up with a competitive mobile OS landscape again, don't get mad when I jump ship and go with some OS Huawei makes if it offers the right way and gains adoption.

If America wants competitiveness, innovation and a technological lead, it has work to do at home: Trust busting needs to happen fast.

(comment deleted)
Does IOS normally not need location permissions to enable Bluetooth Low Energy? Because android does.
New York has a bluetooth based app as well. I keep bluetooth off because it drains the battery. So after a while I deleted the app because I couldn't remember to keep turning bluetooth on.
Is there a short summary of what this purports to provide that the Apple/Google APIs do not?
Their claims change depending on the day, but they include:

* Better long tail of older device support

(meaningless if the app doesn't work, and completely debunked now that ENF supports iOS 12)

* They want to control contact tracing, rather than have the app directly notify the user

(this isn't a requirement of ENF, but the Govt falsely claims it is. In fact, ENF can still notify authorities so a contact tracing phone interview can take place. The only difference is that with ENF, you can't force a user to enter their phone number to start using the app)

* They want a better picture of the entire social graph, since ENF gives more vague / anonymous data.

This is the only partially valid claim they make, however, this is predicated on the current app actually working and providing that information, which is does not.