| |
Promising opt-in is a bit disingenuous. These tech giants are creating a technological capability. Whether or not it is opt-in, opt-out or mandatory is then decided by governments, now and in the future.This is of course nothing new. But it's worth noting considering how high the tolerance for extremely intrusive government action currently is and how extremely weak any resistance is bound to be. I'm not saying I'm against contact tracing in the current situation. But that shiny new button that governments get to press will never go away. Edit: Reading the spec, I found a piece of information that may be of interest: This technology allows contact tracing without necessarily revealing the location where that contact has taken place. So that could indeed be a privacy benefit over alternative approaches. https://covid19-static.cdn-apple.com/applications/covid19/cu...
|
|
| |
They already have the shiny button. They can compel cell phone companies to give this data to the government already, without you knowing about it.At least this way you will get some control of the info and you'll know what was collected and have control of it's disclosure (for now). In other words, this is no worse than what the government is already capable of, it just makes it easier for you to share the data with health care providers. The government already has all these abilities.
|
|
| |
> They can compel cell phone companies to give this data to the government alreadyBluetooth has a quite small range, which may give higher tracking precision (to anyone receiving the signal) than the data cell phone companies have.
|
|
| |
Bluetooth 5.1 devices can do both distance and direction, so if you have a bunch of beacons you can determine your location to sub-meter accuracy.
|
|
| |
I'm pretty sure he was referring to cell tower location data, not bluetooth. Though cell tower location data has low resolution, in the order of a few 100 feet to several miles. Not useful for contact tracing.
|
|
| |
Currently, yes, but "numerical results with a system operating at 39 GHz show that sub-meter 3D positioning accuracy is achievable in future mmW 5G networks" :)https://arxiv.org/abs/1803.09478
|
|
| |
There is also another idea floating - let the phones emit an ultrasound - then the other phone can estimate proximity, by the volume or delays.
|
|
| |
The capability of using the Bluetooth stack for tracking is not new, this proposal limits the way that data can be used. See the cryptographic specification linked below.
|
|
| |
The alternative would be GPS which some governments are looking at now. It might give higher precision with a grid of location data to enhance it, but I would assume the protocol prevents this eg by some randomization of ids?
|
|
| |
GPS is completely unidirectional from satellites to receivers and thus the satellites cannot be used to track the receivers
|
|
|
| |
The receivers can be made to report their GPS data back for tracking purposes.
|
|
| |
They can compel, but also what they typically do is to purchase from them the data. That way they don't even need warrants. We tally need stronger regulations about sensitive information like that.
|
|
| |
It's much worse because it won't have judicial oversight.
|
|
| |
Unfortunately neither does existing location data collecting.
|
|
| |
> At least this way you will get some controldoubt it.
|
|
| |
that isn't a reason to be complacent about furthering governmental/corporate surveillance capabilities.in fact, it should remind us to take away those prior surveillance capabilities, and demand any contact tracing system to give control to users and be fully off-limits to large power structures (e.g., only shared between users and researchers). and being hard to do so is no excuse. we have millions of people we can work on the problem if it's so important to warrant such massive effort.
|
|
| |
People are working on contact tracing, this takes care of one of the harder parts without dictating central control in a pretty sensible manner. Being wary of privacy adverse interests in this context is good but in this context makes little sense. This specification only touches the question of data leaving the device in ways that restrict what the outside party, in an RFC manner MUST wording, can do with the data.It's pretty clear that we will get contact tracing applications in many parts of the world, regardless of any action Apple or Google might have taken. Might as well base it on something that does not compromise the user base wholesale.
|
|
| |
how high the tolerance for extremely intrusive government actionYou could also view it as high demand for government functionality, with an accompanying commandeering of the governmental power by the public, which has leverage of its own. Consider, for example, that 1/3 of the country is on a rent strike right now, a proportion which will likely grow. That part of the polity is learning to flex its political muscle for the first time in a while, because the economic and political establishment suddenly finds itself at a severe disadvantage. Of course, the government commands asymmetrical strength through police and (less directly) military force, but that's only effective insofar as disparate groups rarely have broad common interests that transcend regional, economic, or social boundaries. Since the internet provides many of the tools to facilitate collective action and COVID-19 has provided a sufficiently broad incentive, political incumbents are discovering that their powers are only as extensive as the willingness of people to cooperate and that they do in fact require the consent of the governed.
|
|
| |
After a quit scan of the protocol and API outlined by Apple and Google: it looks privacy & technically sound to me.I would remove the Android FAILED_REJECTED_OPT_IN status code (https://www.blog.google/documents/55/Android_Contact_Tracing...). I cannot find it in the Apple API specs, but maybe it's not defined in there yet.
|
|
| |
If it's a shiny button users get to press I have no problem with it, even if govs make it mandatory in the short term for things like public transport use or non-essential shops.This should be an app users can install and uninstall, not a feature governments control. PS Governments are already accessing your phone records and tracking behaviour without your permission, along with recording everything you do online for at least 30 days. O Tempora, o mores! https://news.sky.com/story/coronavirus-government-using-mobi... https://en.m.wikipedia.org/wiki/Tempora
|
|
| |
This functionality is already live in Find My iPhone. iPhones are performing these associations already. The bigger change is Android joining and sharing the data with researchers.
|
|
| |
The proposed technology is quite different from a service that located located devices. Rather, it would track what devices have been in proximity of each other, and not necessarily where.
|
|
| |
I was speaking to the question of whether governments would then demand access to the data. They could force Apple and the Telcos to turn over the data they are already collecting pre-corona. I was just saying that that risk isn't new.
|
|
| |
You do know that there also is a Find My Device service for Android that runs on all Android phones?
|
|
|
| |
Do you really think that this feature has drawn a line in the sand where previously they couldn't track you and now they can?
|
|
| |
No, it was already terrible before.But it was labelled as terrible. I was for the secret service. Now it's going to be culturally accepted, and in the hand regular administrators. This is on order or magnitude worse, for something that was awful.
|
|
| |
Because it's being used to fight something even more awful.There are no good choices in a pandemic.
|
|
| |
I wish I could share your optimism
|
|
| |
> But that shiny new button that governments get to press will never go away.I think that framing is slightly counterproductive to be honest. The alternative are efforts that, from what I see so far, seem to fall on one of two sides: a) sensible privacy defaults like the proposal by Google/Apple, open development, limited traction in the community and not well connected to political decision makers b) company initiatives, closed developments and promises of openness while working on centralized solutions I feel like your scenario would be more worrying in terms of privacy if Google/Apple didn't introduce this protocol extension. They are essentially forcing the b) group to adapt something sensible. Another positive is that this seems limited to the OS level, whereas both have more extensive infrastructure they could have pushed for but intentionally did not. tl;dr: I think it is a beneficial proposal and well placed, the alternative would likely be worse for the user base.
|
|
| |
There is surprisingly little discussion about the actual spec here. It looks really good to me!- Advertisements change every 15 minutes, are not trackable unless keys are shared. - The only central bit is a repository of "infected" daily keys. - No knowledge about contacts is shared with a central authority. Nothing is shared unless you are infected and decide to share your keys, which are only valid for one day. I don't see how you could have a real argument against this unless you are a privacy extremist. It also seems more privacy friendly than the Singapore or German apps.
|
|
| |
> I don't see how you could have a real argument against this unless you are a privacy extremist.The authors of DP-3T (which seems quite similar to this spec) have a huge list of privacy caveats in their whitepaper [1], in section "5.4 Summary of centralised/decentralised design trade-offs". I haven't seen any analysis on how the Apple/Google spec prevents those problems. [1] https://github.com/DP-3T/documents/raw/master/DP3T%20White%2...
|
|
| |
The Apple/Google design drops this DP-3T requirement:2) Enable epidemiologists to analyse the spread of SARS-CoV-2 So anything in that table with epidemiologists is gone. The remaining caveats are pretty boring: To do so, the attacker uses strategically placed Bluetooth receivers
and recording devices to receive EphIDs. The app’s Bluetooth broadcasts of non-infected
people and infected people outside the infectious window remain unlinkable. ... On the other end, a proactive tech-savvy person can abuse any proximity tracing
mechanism to narrow down the group of individuals they have been in contact with to
infected individuals. To do so they must, 1) they keep a detailed log of who they saw when.
2) they register many accounts in the proximity tracing system, and use each account for
proximity tracing during a short time window. When one of these accounts is notified, the
attacker can link the account identifier back to the time-window in which the contact with an
infected individual occurred. So, yeah, these vulnerabilities still exist and have been pointed out on this thread... but I find it hard to care about these at all.
|
|
| |
> The app’s Bluetooth broadcasts of non-infected people and infected people outside the infectious window remain unlinkable.The group of non-infected people is getting smaller and smaller. The infectious window is presumably weeks long (times the number of diseases this system will track). These risks don't seem that easy to downplay, even before we get into the "security concerns" section.
|
|
| |
In widely distributed and important spec like this it may be useful to look for what is conspicuously absent or unstated, rather than simply reading the precise positive language.To my mind this phrase under 'Privacy Considerations' in the Cryptography Specification stands out: "A server operator implementing this protocol does not learn who users have been in proximity with or users’ location unless it also has the unlikely capability to scan advertisements from users who recently reported Diagnosis Keys." That phrase explicitly mentions that server operators cannot learn about user proximities. What I reckon may be unstated there is that it could be possible for adversaries with sidechannel / network monitoring capability to learn those kind of details about users (i.e. internet, cell data, and other data network operators). If such a side door did exist, it would seem in the public interest to be aware of the scope of the availability of that data, especially given the potential (physical, social) vulnerability and risk of those users. I'd also like to be proven wrong about the possibility of such sidechannel attacks by anyone who understands the spec in more detail. [1] - https://covid19-static.cdn-apple.com/applications/covid19/cu...
|
|
| |
This is huge. A limiting factor has been iOS not being able to (on purpose, for privacy, and battery life) do BLE scanning (edit: or advertising, thanks Slartie) in the background. I imagine this will enable that for specific apps, and I have high confidence privacy will be well-implemented by Apple's involvement (edit: see tastroder's comment for technical docs). Having a single, well-designed spec for Bluetooth advertisement will prevent a world where there are different contact tracing apps, none of which can see each other. Doing this at the platform level will enable enough density of installs to make this effective at scale.
|
|
| |
You can, in fact, do BLE scans in the background on iOS. It's tricky and requires some workarounds, like basically everything related to background tasks in iOS.Source: Providing apps with that functionality.
|
|
| |
The even bigger obstacle was apps not being able to broadcast beacon signals while they are in background. You could devise workarounds for the scanning problems, but this particular problem of having to be able to continuously advertise your beacon signals did not have a workaround AFAIK. The "workaround" was requiring people to have the tracing app active in foreground all the time, which obviously sucks from a UX perspective and means nobody will do it.That's why this involvement is really huge and welcome! And besides clearing out existing arbitrary API limitations, Apple's involvement in potential protocol design for such tracing technology is a welcome addition in my view as well, because in contrast to Google, Apple at least earned a modicum of trust when it comes to putting the privacy interests of their customers first.
|
|
| |
Also excited because they can likely push both advertisement and scanning into the BLE chips themselves, letting the rest of the system (CPU, etc) sleep. Big win for battery life.
|
|
| |
Exactly, this is an important narrative. I've read the spec and I'm really positive (hmm). This could be a game-changer for dealing with the pandemic in a systematic way.
|
|
| |
While background scanning is limited you can key off iBeacon devices via the location framework. This allows your app to wake up when certain devices are near.
|
|
| |
Thinking this might be different. I've been curious what the BLE packet structure might look like. Looks like there's 16 bytes of unique id needed for the "Rolling Proximity Identifier" in the spec. Typically iBeacon would have 16 bytes of unchanging UUID, and 4 bytes that can change: https://support.kontakt.io/hc/en-gb/articles/201492492-iBeac....Could probably flip it to be a 4 byte prefix (to identify this packet for contact tracing), followed by 16 bytes of the Rolling Proximity Identifier, but not sure if the underlying hardware (the BLE chips) can do low-power matching on a pattern like that. Something only Apple and Google could make work, so this is exciting. (Or, it could be iBeacon to wake, then making a connection to fetch the Rolling Proximity Identifier. Though, in my experience, not requiring a connection will be more reliable in practice, especially for Android.)
|
|
| |
Am i the only one who thinks it's mindblowing that people use Facebook, Instagram, Linkedin, etc. however now that Apple + Google release a tool to prevent thousands of people from dying in a pandemic they start thinking/complaining about the possible privacy implications? (without even having read the specs or knowing the details...)
|
|
| |
Agreed. Majority of people have their location history, chats, emails, browsing history, etc. saved on the cloud. This Bluetooth tracker is a complete privacy nothingburger.
|
|
| |
Most people probably uploaded their contact list to WhatsApp without thinking about it twice.
|
|
| |
This is dangerously close to Feinstein's "think of the children" argument.If people complain about EARN IT, they should investigate privacy implications of this "enhanced" tracking technology.
|
|
| |
Yes, they should investigate. But they should investigate before reaching a conclusion.
|
|
| |
It's more than reasonable to be suspicious of big tech companies, especially the ones residing in Silicon Valley. They haven't earned people's trust and that is the outcome. Just like you would be skeptical of Chinese communist party releasing app promising to help the world with covid19.
|
|
| |
People aren't forcefully sharing their health status. Imagine if Facebook published if you had an STD to your friends.
|
|
| |
Given the number of deaths caused by STDs, it is perhaps justifiable for such data to be shared in the same fashion as one's Covid-19 status, assuming the sharing of the latter is justified.
|
|
| |
1) Covid19 was largely dangerous for old people cumulatting other comorbidities, mostly retired people. 2) Old people don't move that much and don't meet that many other people.It leads me to believe that the proposed loss of privacy isn't the best way to fight a virus such as a flu
|
|
| |
1. It's old people AND people with comorbidities, which is a ton of people.2. Lots of old people, which for Covid is about 65, still work full time jobs. Some of them fly every week. These aren't 95+ year olds. 3. I'm sure people of all ages think their life is very valuable, and very few people consider themselves candidates for sacrifice. Certainly not for privacy concerns. 4. 10x deadlier than the flu.
|
|
| |
It could only work if everyone wear a phone. And then what's next? Forcing everyone by law to always wear a phone at all time?I would rather see new phone sensors that scan the air, the breath and the body for diseases than a new tracking technology. We could also develop new medicines, etc. Not tracking. Edit : we also don't have much knowledge about why the virus is more lethal for some people than others. We should focus effort at predicting who will be asymptomatic and who will develop complications, rather than trying to stop the virus from spreading by isolating people
|
|
|
| |
They're not the same and I think Google/Apple's is a bit better. In DP3T the infected person shares a single daily key from which all future daily keys can be derived. In Google/Apple's each daily key is HKDF derived from a master key and they are not linkable. Infected people share the relevant daily keys from their infection period. THat's more data to push around, but it is better for privacy.It means that contacts with infected persons can't be linked across days, and it means that I can't build an app that alerts me that someone who was previously infected just walked by.
|
|
|
| |
GP is correct, but it doesn’t matter much. They were referring to daily key, not the EphID (RPI in the Apple/google spec).DP3T specifies that SK _t = H( SK _{t-1} ). In that design, you share the daily key when from when you started to become infectious, and then the subsequent ones can be computed. Then you go into quarantine, stop being infectious, and (see spec) create a new random daily key going forward (or delete the app). In the A/G proposal, daily keys can’t be correlated, and you share the daily key for each day you were infectious. The end result seems pretty much the same for me.
|
|
| |
The difference is that you can continue tracking a person indefinitely, even after they are no longer infectious. It requires explicit user action to avoid that (opt-out vs opt-in).
|
|
| |
I see: SK_(t) = H(SK_(t-1)), where SK_(t) is the secret key for day t.This seems to align with the statement that knowing the key for one day (i.e. once it is uploaded following diagnosis) allows one to derive all future keys. Is there another section I am missing? Edit: clarified that daily keys are shared post-diagnosis, to trace prior contact.
|
|
| |
An interesting Twitter thread on why the stand-alone contact tracing apps that many others are building won't work, and why integrated platform solutions like this are necessary: https://twitter.com/zainy/status/1248482486524379137 (but of course, necessary does not mean sufficient)
|
|
| |
Yes. If ever there was the necessity for one standard that almost everyone uses, and not 20 competing incompatible ones, then here.
|
|
| |
Also, efficiency depends on how many persons can be tested. If it's 10000 a day, in my country, it's about 1/500 th of the population a day... If it's enough to test say 1/10 of the population to have some results, this will take 1-2 months...I have the impression that all of this is forced upon us as to make us believe that it is safe to get back to work ASAP. Wouldn't it be better to just wait ? (I'm not interested in the economical debate : this will invariably lead to compromises such as how many victims can we afford to keep the economy going ? (nobody will tell it that way, but in the end that's the truth behind those arguments))
|
|
| |
I've spent the last 3 weeks with my team building exactly this - contact tracing apps for both android and ios that use bluetooth tech[1]. This will probably require us to redo the app completely to fit into their API plans, but I'm glad they are, in a way, acknowledging our idea.The troubling thing is, bluetooth-based contact tracing is in no way easy. Different android phones handle background bluetooth scanning / advertising differently and some tend to require additional config changes - such as disabling battery saving features - to even make it work.
And iOS bluetooth advertising in background is just bad. Since u can't add custom UUIDs to the advertisement package, just advertising data is often not enough, so u have to connect too, which creates a range of other problems.
I suspect they will release OS upgrades to solve some of these issues, but not all devices will be fixable (eg, older Android devices). This, combined with the fact that they will start rolling out this feature in May, makes me think it will not help us much for the latest wave of COVID-19 infections. Might come in handy for the next epidemic, though. [1] - https://github.com/cryptekio/corridorapp-android
|
|
| |
Thanks for that. One path to greater longevity is to explore the idea of what else you could do with it besides contact tracing for disease that users might find useful. For example, what if users with a common interest had the ability to identify themselves to each other but not those who don't share that interest? If it's useful for something else besides coronavirus mitigation, you'll have the rare opportunity to reach almost everyone at once.
|
|
| |
Do you think that GPS coordinates will be exposable with the API so that there can be public tracing maps online? Obviously a big privacy issue where the actual bluetooth ID and the person's identity have to be fully anonymized but if GPS coordinates of contact points can be exposed publicly, there can be good public tracing maps that can show where contact events are happening and in what numbers so that people can avoid certain areas (and on the other end where other areas are safe where there's no contact). This can publicly also be used to display R0 counts in different zip codes and geographic areas.
|
|
| |
Just to clarify, the Apple/Google proposal discussed here does not require geo location (and I’d assume that you don’t have to give it access to location data).
|
|
| |
I dont see any mention of it in the current context of bluetooth device proximity tracing. It is possible, however, that apps that will build up on this API will also fetch location history separately from already established mechanisms on each OS.As a matter of fact I see this as a very likely scenario as this is precisely what South Korea has already done.[1] [1] - https://www.youtube.com/watch?v=BE-cA4UK07c
|
|
| |
Pretty good illustration of how private and secure contact tracing can work here: https://ncase.me/contact-tracing/Not sure whether that's what this implementation would look like.
|
|
| |
I'm not a security expert. However, this part looks worrying:> alice can also hide messages from times she wants to keep private If there's a need for this, doesn't that imply that the scheme does not actually keep Alice's privacy in all situations? Furthermore: > the random messages give the hospital NO INFO on where Alice was This seems to assume that the hospital (or anyone with access to the data, such as governments) didn't capture the broadcast messages together with their location. With enough Bluetooth receptors in busy areas, a government could easily find out where Alice had been by looking up each of her messages in their list of message/location pairs? Experts can probably come up with nastier and/or easier exploits...
|
|
| |
This definitely isn't "private". It's just obfuscated.
|
|
| |
Agreed, whenever you divulge any info, you're always losing bits of randomness (obviously, more or less depending on how good the protocol is!).In particular, given an adversary who has several points (receiving these codes) and knows the receiving location of each of these points can de-anonymize a person "A" who is COVID positive if they know, e.g., a minimal amount of A's usual daily movements (from cellphone tower location, for example). That being said, the government probably has better ways of knowing who has COVID-19 and other infectious diseases :)
|
|
| |
"The phone warns Bob to self-quarantine". So the app knows, and the crisis will indoctrinate people to trust such apps.Once the crisis is over, they'll continue to use such "safe" apps, for other purposes ...
|
|
| |
The problem with doing any sort of effective contact tracing requires special APIs for iOS and Android because newer versions of both OS disallow background communication and location gathering
|
|
| |
You don’t need location gathering for this. All you do is store anonymous identifiers from people in the vicinity.
|
|
| |
That combination Apple-Google logogram is scary! It’s like an image from some corporate future dystopian sci-fi.
|
|
| |
It's like you don't trust Weyland-Yutani at all.
|
|
| |
I only trust Tyrell Corporation for my off-world needs.
|
|
| |
I just re-watched Blade Runner. Eerie.
|
|
| |
"Building better worlds."
|
|
|
| |
A comes before G? Logo designs typically have a logo followed by text. Seems to apply here too. It might not be anything about who can pee further.
|
|
| |
> Logo designs typically have a logo followed by textThis. It would look weird if the order were the other way around.
|
|
| |
My guess (hope) is a group of reasonable adults talking about this collaboration (remotely) decided that the order of logos was of far less importance than them working together.Someone probably said — "how about this?" and scribbled something. May have even been a Googler. Then everyone else just said "sure". At least, that’s how I’d like to think it went.
|
|
| |
While we're on topic: Apple forgot the anti-aliasing on their joint logo. Not that it matters though.
|
|
| |
Alphabetically and/or birthdate
|
|
|
| |
Line crossed. Prepare for trouble.
|
|
|
|
|
| |
There's a presentation linked at the bottom which explains in brief how contact tracing will work:https://blog.google/documents/57/Overview_of_COVID-19_Contac... Apple and Google should have included the chart in their announcements, IMO. It illustrates the process in a way that's easier to understand than text alone.
|
|
|
| |
> Looks like it was inspired by the TraceTogether app built by the Singapore Government and recently Opensourced.Not really. This is based on the TCN approaches by Covid-Watch, Co-Epi and DP-3T (submission to PEPP-PT). TraceTogether fundamentally functions very differently.
|
|
| |
I know it is about APIs - but no mention of any Free or at least Open Source Software example implementations makes me worry.I was expecting that people would organize around git repos - but no, just one of the many COVID tracing initiatives published their code. It is https://github.com/tripleblindmarket/covid-safe-paths by the way.
|
|
| |
https://covid19-static.cdn-apple.com/applications/covid19/cu...> Upon a positive test of a user for COVID-19, their Diagnosis Keys and associated DayNumbers are uploaded to the Diagnosis Server. A Diagnosis Server is a server that aggregates the Diagnosis Keys from the users who tested positive and distributes them to all the user clients who are using contact tracing. Is this scalable? Earlier in the document they mentioned that the tracing keys are 16 bytes long. Let's assume that there are 3 million patients in a country. That'd be 48 megabytes each user has to download and process per day to check whether they've been in contact with an infected person (processing involves calculation of 144 HMACs per tracing key). I don't think this is feasible at scale and one can't avoid thinking about area recognizing diagnosis servers. E.g. Smartphones of patients would upload not just the diagnosis keys, but also the areas (county, district, something like that) they've been inside during that day. Then smartphones querying the diagnosis servers would have to send the areas they are interested in. But it's easy to see that this approach is then quite privacy invading. On the bright side, this info is already available to carriers so it's already a sunken cost so to speak.
|
|
| |
3 million is way too high. Old infections aren't interesting for this; users only need to download newly reported infections since yesterday. Limiting to broad geographic regions would also help reduce scope and not be especially privacy invasive.
|
|
| |
> Old infections aren't interesting for thisYes, healed patients who don't produce viruses any more aren't important, but anyone still infectious is still a danger. Even if you are supposed, often even legally required, to stay at home while being infected, there is no guarantee you aren't. I'd bet that most of these people also take their phones with them, after all far more serious criminals like actual murderers are often taking their phones to sites of crimes as well. The IDs of those devices are still relevant. Quarantine after diagnosis may last up to 14 days, so your phone should be uploading IDs for 14 days to the diagnosis server. Given continuation of exponential spread, we aren't far from having 3 million new patients within a span of two weeks in populous countries like the US.
|
|
| |
It’s new patients only, but for each day they might have been infectious. So, if it’s 100k new cases a day, and each uploads 5 days of keys, then it’s 8 MB.Seems doable, especially considering that you’d want to have fully blown lockdown during the exponential growth, and only then switch over to this contact tracing phase once the initial wave has abated.
|
|
|
| |
48MB per day just isn't that much these days.
|
|
|
| |
Is your calculation correct? You only need to download the Diagnosis Keys. How would that be 48MB?
|
|
| |
I used the definition 1 MB == 1 000 000 bytes (there are several definitions for what a megabyte is). Each diagnosis key has 16 bytes. 16 bytes * 3 million patients = 48 million bytes = 48 MB. Note that not just the diagnosis are uploaded but also day numbers. Those follow strict power laws and compress pretty well with even the simplest entropy coding schemes to a sub byte size.
|
|
| |
There wouldn't be 3 million new patients per day. Wouldn't each phone just need to download the newly-discovered cases since the last time they checked?
|
|
| |
Each patient creates a new key per day. Only those keys are uploaded. So everyone who is positive in the app needs their keys to be uploaded. At least this would be a reasonable design choice of the app. Maybe the designers of the app assume you actually follow the quarantine that infected people should do and don't leave your home. In that case, the app can stop uploading of those daily keys.
|
|
| |
Say a newly identified case is assumed to have been infectious for the preceding week. My reading of the spec is that they’d upload 7 diagnosis keys (which all devices would have to download).
|
|
| |
I think this would be a good solution for essential workers to track their personal health while social distancing is in effect.I can foresee a large second wave due to this falling short if we relax social distancing measures. There have been cases where people test positive then test negative and then positive again. It would require redundant testing per individual on a schedule. There are a lot of people who will not be tested, there are a lot of people without smartphones. This virus has spread so far at this point we’d need to test every US citizen to know the blast radius. I understand people are hopeful and want things to return to ‘normal’ but I can’t imagine it without a vaccine in the US.
|
|
| |
Contact tracing has a time and place, and it's early in isolated outbreaks. The cat is out of the bag at this point and thinking we're going to contact trace our way to safety is a false promise. You'd have to be naive and short-sighted to accept their pinky-promise of privacy-first in this context.
|
|
| |
If you assume the goal of contact tracing is to literally find every infection, yes, this isn't going to work. If you assume the point of this is to reduce R0, then this will work just fine at any stage of the pandemic.There's obviously a question of what you should do when you find out you have been in contact, and that will differ depending on the stage. We probably want to be in a position where everyone who has come into contact with an infected person can get a test asap and if necessary then go into full isolation, not just going out less.
|
|
| |
That's literally what both Iceland and South Korea rely on. Neither country has SIPs (Iceland even has primary schools open) and the peak is behind them.(Iceland's outbreak is at about the same infection rate as the Bay Area if you estimate with hospitalizations/deaths. Daegu was significantly worse than the Bay Area per capita).
|
|
| |
> Contact tracing has a time and place, and it's early in isolated outbreaks. The cat is out of the bag at this point and thinking we're going to contact trace our way to safety is a false promise.It’s quite obvious that more intrusive measures (lockdowns) are needed now, but what do you do once they’ve Had their effect? You can’t just abolish all measures, as you’d be back to square one. That’s where this comes in handy. > You'd have to be naive and short-sighted to accept their pinky-promise of privacy-first in this context. Or, more constructively, you could examine the spec and see whether it’s privacy preserving as promised, and ensure that the deployed software confirms to the spec. How about that?
|
|
| |
It just takes one erroneous logging call in the wrong place and all this niceness goes away. Hopefully we don't get a headline in the future of "Bug found with contact tracing app, we actually had access to everything but we're sorry and we'll fix it". Not entirely against this work, it will provide benefit but let's hope for the best.
|
|
| |
This is why it'd be nice for the APK/installable file to have a hash that can be verified against an open source version. In theory someone should spot anything that doesn't look right.But that can't/won't undo the effects of something being called "private" being exposed not to be afterall...
|
|
| |
This is a good thing, and I think in the absence of this solution we would see intrusive solutions backed by governments and mandated by law. I do have two questions:Is there a plan to verify test results?
Are public health authorities in small countries/regions expected to build and maintain an app and a server from scratch?
|
|
| |
Two major OS platforms covering majority of the population working together in an attempt to better track current populations at behest of the government. How could anyone even begin to feel a wee bit cynical? To question this effort it worse than wanting PATRIOT ACT to expire. It is downright unamerican.I hate the fact that I definitely see a good reason for it and the goverment is more than happy to accommodate this power grab.
|
|
| |
Have you even read the spec before dumping your thoughts? They address the privacy concerns explicitly. A short summary:- Doesn't collect personally identifiable information or user location data - People who test positive are not identified to other users, Google or Apple - List of people you’ve been in contact with never leaves your phone https://blog.google/documents/57/Overview_of_COVID-19_Contac...
|
|
| |
I will admit that I did not, but having seen trends over the past few decades taught me to be rather skeptical. In other words, today's specs are little more to me than promises. I am ok with being downvoted for this.edit: I just "read" it ( it is not even a spec - it is not even a powerpoint presentation ). You are down voting me for questioning a couple of pictograms?
|
|
|
| |
Thank you for this. It may take me a little longer to digest.
|
|
| |
There is nothing wrong with being skeptical, I just think your objections are out of place. If you are really concerned then it's probably best not to use Android or iOS at all, who knows what data might be shared with the government without your knowing? This spec (or any app built on top of this spec) doesn't really change anything about that.Edit: I wasn't downvoting you, and the link was the source for the summary for the privacy considerations. The details are in the actual spec.
|
|
| |
I disagree. You base your opinion on nothing more than a couple of icons. Having now read it, I cannot in good faith even call it specs. It is a step above infomercial. Hardly something trustworthy.
|
|
|
| |
No worries. I apologize for jumping to conclusions like this. I will be going over these soon.
|
|
| |
This doesn't appear to be a way for the government or tech companies to track people. Looking through the API docs I think it's designed just to alert people who may have been exposed.It lets someone identify as Covid-19 positive and then if people have come into contact with them, you can be alerted. Most of the processing happens on device and it doesn't use location data. It looks like it would be very hard to abuse by governments or businesses, but I'm not an expert on these kind of things.
|
|
| |
Indeed, if I understand correct, the device locally stores a bunch of keys of people you've been in contact to, and there is no way of working backward from the keys to who it was, and these keys also change daily. Then when someone marks themselves as infected for days A through Z, their keys for those days is sent to devices, where the devices check locally if they have the given person-day keys stored.Do I understand this correctly? It's almost all done locally, there's nothing about location, and almost nothing is send up until you mark yourself as infected, right? EDIT: This is the best high level explained I've found: https://blog.google/documents/57/Overview_of_COVID-19_Contac...
|
|
| |
It is possible I am not expressing myself clearly. The API may not directly access location data ( though I have a hard time believing that either ). Processing may be local, but I just find it very difficult to believe that the information gleamed from that common platform would not be used. And if it can be used, it will be used. And then it will correlated with information that was previously gathered via regular means. I am not sure how that is not a concern? To Trump's credit, he seems hesitant to go all in on this front.edit: There is something that occurred to me after writing this. FB had an API at the beginning of their game when they were shooting to get developers' attention. They did. As the leaked documents show what really end up happening, API evolved in ways that benefited big boys. I guess my rambling point is that whatever current specs say, may quickly become rather distant past.
|
|
| |
Is this at the behest of the government? Seems privately driven?
|
|
| |
Sure. DPA was not invoked only few days ago. Companies were not already threatened openly ( and not so openly ) to obey or else. Companies are effectively expected to volunteer their services or risk consequences from government( and potential bad PR ).
|
|
|
| |
The interest in "privacy" around contact tracing seems like a ship that sailed a long time ago to me. Verizon etc all already have this data, and it isn't "private", and so does uber, lyft, and every other overly-aggressive-permission-askning-app that anybody has ever installed.Privacy is really important: but we lost it all a long long time ago. Maybe saying "well now we can do a good job of contact tracing" is at least some good coming out of that loss of privacy. I just hope we don't end up wasting time trying to make the contact tracing "private" as if by doing otherwise we'd be giving something up that we didn't already give up long ago.
|
|
| |
That's too defeatist: these contact tracing tools will be gathering data that isn't available any other way - otherwise, they'd just be going straight to Verizon etc for what they need.Presumably the bluetooth recording will give much better fidelity/precision about who is close to who, in all conditions (in buildings, in the subway, etc), where simple phone triangulation or GPS won't be accurate enough. That's far more data than the phone companies have on us right now, so it is a good thing that people are considering the privacy issues. Just saying "we've already lost" only makes things worse.
|
|
|
| |
In this context I think you can distinguish between three different kinds of location-related data:* cell tower data * phone GPS data * Bluetooth data about proximity to specific other people For most purposes these are increasing in precision and sensitivity. But also, governments can demand that carriers turn over the first kind, but the second two are generally under some kind of user control according to mobile OS designs. There is no single place that automatically gets this data about every smartphone user. Some of the discussions about privacy for the kind of technology that Apple and Google are working on here are based on observations like * there actually is no existing way that health authorities could get detailed Bluetooth proximity information about all smartphone users * this information is potentially more useful for epidemiological purposes, and also more privacy-sensitive, than just GPS sensor data, because it may more reliably map individual people's interactions with one another (for example, potentially confirming that people were likely in the same room rather than just in the same building) * there are cryptographic concepts that could potentially make this data useful for contact tracing, if users cooperate to a certain extent, in a way that would still make it difficult to obtain or use the data for a different purpose Another way of putting it is that many people looking at this question think that there is an incremental privacy harm from disclosing Bluetooth proximity data (compared to data that is already available), and an incremental benefit to epidemiology from finding a way to process this data for contact tracing purposes (compared to data that is already available).
|
|
| |
I would think that for contact tracing, you need more than Uber/Lyft/Verizon-level GPS/WiFi triangulation/cell tower triangulation accuracy inside cities. With contact tracing, a proximity of 1 or 20 meters probably makes a large difference. Hence these apps will also have to use Bluetooth Low Energy continuously.https://www.imec-int.com/en/articles/imec-sets-new-benchmark...
|
|
| |
Since so many companies have it, why not take it back and make it a public commons?
|
|
| |
This would have a lot more detailed data than Verizon since BLE can calculate distance relatively well. Verizon just knows which tower you are on.
|
|
| |
I downvoted you because this is false. This is enhanced individual tracing and will only get worse over time. We should fight tooth and nail against all new anti-privacy schemes like this.
|
|
| |
Right. But it's not like they're going to "just" announce that."Hey everyone - so yeah, we're using all your data you're willingly providing all these apps on your phone, like location, contacts, camera...So thanks for helping...Okay, bye!". But you're right. Every day there is so much information from the spies we carry around with us as they communicate that it'd be unfathomable they're just "ignoring" all of this information. The chances are in some privacy policy it says they can share that data with their "partners" which silently gets back to the government. Just use what you already have, what we already know you have, and if it saves lives then at least it was put to good use.
|
|
| |
I'm worried about security implications of this technology.First of all how reliable this technology will be since its results will or can be used in courts. Secondly how contact tracing logs will be secured since they can be stolen or sniffed in a real time. I didn't read technology documentation drafts and I used Bluetooth last time on old generation of phones way before smart phones and I'm interested for how long this tracing sessions will last since you can map devices that have turned on bluetooth in any given area(Tran stations,libraries etc.)
You can do something similar to Wardriving (en.wikipedia.org/wiki/Wardriving).
|
|
| |
This project may be necessary to enable fair elections in the United States and other democratic countries through November. On the other hand if built improperly it could usher in a 1984-style future with gerrymandering, vote-rigging, and huge increases in surveillance based government suppression. When the government is granted emergency powers it almost never gives them back.Please do not fuck this up.
|
|
| |
How would this contact tracing technology help with vote-rigging?
|
|
| |
If you can track the detailed movements of voters and connect that to party affiliation you would have complete visibility into meetings, social networks, and up-and-coming politicians, such that you can prioritize suppression efforts on those regions. Similar as a whole to gerrymandering, but imagine key political opponents being shut down "as the data shows a cluster of CV-19 may appear here at this exact date and time".
|
|
| |
I feel like Facebook is basically already doing this?
|
|
| |
It's mentioned elsewhere on this thread, but this project likely will take things further to more accurately measure the distance between individuals in small spaces in order to better track the contagion. This project may also have more liberal visualization tools, search tools, etc., geared for a task other then advertising.No doubt much of this data is already collected in one form or another. But it is a big step from collecting data, to analyzing it in new contexts, to visualizing it well, to making it highly accessible to federal non-technical agencies.
|
|
|
| |
Thinking big, if this works against covid: could it later be used to severely limit or eliminate diseases such as the common cold and the flu?That would be an incredible win for humanity.
|
|
| |
Nobody does contact tracing for flu, let alone common cold (which is caused by a bunch of different viruses)Also, common cold mortality is extremely low.
|
|
| |
We could, though, It's not practical today, but it's definitely something that humanity could achieve, especially with technology like this.Even if it's not the most important thing we could do, eliminating influenza and the common cold would be pretty fricking awesome.
|
|
| |
Could the cons be as incredible as the pros?
|
|
| |
Can we put the genie back in the bottle after this is over? I feel like once there's a precedent to do this, it becomes a slippery slope to less palatable things, even if not the worst possible things.
|
|
| |
It says this is opt-in - is this just the sending of covid information, or is it the entire contact-tracing key-exchange enterprise?
|
|
| |
If I understand correctly, it's up to every infected person to manually click "upload" (edit: here was "who I was close to", but it's not correct, see note 1 here) once he gets diagnosed, i.e. completely voluntary.That is so that once one is diagnosed others can check if they were close to that one (and when?). And even these lists aren't supposed to be any typical metadata but something that stays local and the third parties can't reconstruct. The idea is, again if I understood, that those who remain negative never have to upload anything that gives any traceable information about them. See my other post here with other relevant quotes from the specification. ---- Edit: 1) Actually what is uploaded is: "the Daily Tracing Keys for days where the user could have been affected" "Upon a positive test of a user for COVID-19, their Diagnosis Keys and associated DayNumbers are
uploaded to the Diagnosis Server. A Diagnosis Server is a server that aggregates the Diagnosis Keys
from the users who tested positive and distributes them to all the user clients who are using contact
tracing." The matching is done locally on every device: "In order to identify any exposures, each client frequently fetches the list of Diagnosis Keys. Since
Diagnosis Keys are sets of Daily Tracing Keys with their associated Day Numbers, each of the clients
are able to re-derive the sequence of Rolling Proximity Identifiers that were advertised over Bluetooth
from the users who tested positive. In order to do so, they use each of the Diagnosis Keys with the
function defined to derive the Rolling Proximity Identifier. For each of the derived identifiers, they
match it against the sequence they have found through Bluetooth scanning."
|
|
| |
You can’t upload who you were close to because you only have a set of pieces of data that can’t be traced back to people without their key. Only if infected, you upload your key to the server which distributes it to the others who can then tell if they’ve been close to you.
|
|
| |
> Only if infected, you upload your key to the serverYou are more right than I was initially, thanks! Actually, to be even more precise: only if infected, you upload the set of your own derived keys, and apparently only for the days you could have transmitted the virus to other people. From the documentation: "Upon a user testing positive, the Daily Tracing Keys for days where the user could have been affected
are derived on the device from the Tracing Key. We refer to that subset of keys as the Diagnosis Keys.
If a user remains healthy and never tests positive, these Daily Tracing Keys never leave the device."
|
|
| |
As I read it, the specification doesn't enforce whether upload is voluntary. local custom and laws can be implemented to vary degrees of freedom on this aspect.
|
|
| |
This is really hard to keep private and anonymous, but I'm glad that the world's to biggest mobile OS makers are working on this.If this does really work, it could trace millions of people and give this pandemic some sort of order. Identify hotspots and show a heat map of spread. Definitely a step in the right direction, hopefully it's executed well too. I'm pretty sure Microsoft be jealous they didn't win the Mobile OS market.
|
|
| |
The Indian Government launched a contact tracing app that has more than 10m+ downloads: https://www.mygov.in/aarogya-setu-app/Not sure how ubiquitous it is. Nevertheless, given that Android is 90 percent of the market in India, may be this can help overcome the iPhone OS-level constraints that makes it necessary for both platforms to work together in markets like the US.
|
|
|
| |
This has a very serious potential to be misused to target an individual for nefarious purposes.
|
|
|
| |
How? Or is this just some non specific idea about any contact tracing concept?
|
|
| |
By "apps from public health authorities", that you have to install yourself?
|
|
| |
We could be discriminated (by public and private actors) for not having this app installed. We should be able to convincingly deny the opt out...
|
|
| |
> would allow more individuals to participate, if they choose to opt inI don't see how this can work unless it gets very high distribution. I wonder if local governments might do something where the shelter-in-place orders are lifted for some categories of people conditional on running the app?
|
|
| |
Given the number of people wearing masks, I think this would have a decent opt-in rate. Especially since, for most people, this is much easier than wearing a mask.
|
|
| |
How many of those people are wearing masks for selfish reasons , ie. they don't want to get infected themselves?
|
|
| |
People can easily tell whether you're wearing a mask, so social "norm building" factors work.
|
|
| |
I wouldn't be shocked if some businesses - movie theaters, malls, etc. - asked people to show their contract tracing status for entry.
|
|
| |
Well, I would think that would be met with a you-can-fuck-right-off by most people.
|
|
| |
I really doubt that.Hell, vast numbers of people have been doing it voluntarily already with loyalty cards.
|
|
| |
I’m sorry, I might be misunderstanding how loyalty cards work... do they detect each other and report back to home with what other cards they have been in proximity to?
|
|
| |
They're a scenario where people have willingly given away privacy to corporations in exchange for pretty minor benefits (largely, discounts that just bring the prices back to where they'd have originally been).
|
|
| |
Depends on how you define "work".To get to 0 you need very high participation. Even modest adoption will have some impact on the rate of spread.
|
|
| |
Not sure I agree. This only works if both ends of a contact have a conforming app. As such, the proportion of contacts you can trace is not linear, but quadratic in adoption.(If 20% of people adopt it, you’d catch only 4% of contacts).
|
|
| |
I’d be ok with this as long is it doesn’t require one of those awful nose swabs.
|
|
| |
That is absolutely the last thing you should want. Are you seriously saying you support invasive government tracking under the guise of this?
|
|
|
| |
> But for the moment, we are united by fear and have some latitude to act.We're literally still fighting the wars that arose out of the last time we acted in a moment where we were "united by fear."
|
|
| |
And living with the erosion of Constitutional protections that seem all too easy to push through in times like these, but impossible to roll back afterward.
|
|
| |
And this is why it's done during a crisis: it works. All the education and talk about how the last time the government overstepped their bounds goes out the window the moment a crisis hits. Then it's all about "why isn't the government doing more?"
|
|
| |
This is wonderful news for any surveillance state. As the three-page brief on DP-3T [1] says:"A tech-savvy adversary could reidentify identifiers of infected people that they have
been physically close to in the past by i) actively modifying the app to record more
specific identifier data and ii) collecting extra information about identities through
additional means, such as a surveillance camera to record and identify the
individuals. This would generally be illegal, would be spatially limited, and high effort." If I read this correctly, this means that a government could collect identifier data on a per-location basis and later link this to someone's identity (for example with cameras or by tracking the IP address of uploaded identifiers). Unfortunately I can think of quite a few entities (e.g. governments) who are not too worried about doing high effort, spatially limited things in order to track people's locations. Saying that this is "illegal" (which is probably not even true in all countries) does not give me confidence it wouldn't happen either. [1] https://github.com/DP-3T/documents/raw/master/DP3T%20-%20Sim...
|
|
| |
I was under the impression that the NSA already was tracking most people anyway?
|
|
| |
GPS / phone network tracking probably has lower precision than short-range bluetooth. Bluetooth receivers can be present even in places without network reception or GPS, and receive signal passively and without a trace.
|
|
| |
I guess I'm not clear to that extent the NSA hacks people phones. I would imagine for most users they would have good access to our GPS data, e.g. via Google Maps?Edit: I'm assuming that GPS level precision is sufficient to start the dystopia
|
|
|
| |
I am much happier Apple is in the mix here, versus say Google x Amazon. Will that be enough to reign in the privacy concerns though, who knows
|
|
| |
They have to, as they ship a mobile OS that a large portion of the country uses.
|
|
| |
Yes. The point was (I think) that Apple respects user privacy, having a very different business model from the data-slurping advertisement firm that ships the other OS. As such, having Apple’s participation can be seen as guaranteeing some decent privacy standards (as seems borne out by the spec).
|
|
| |
Does this then allow us to run this in the background on iphone. The Danish and Norwegian governments are looking at using a GPS+Bluetooth based version because iPhone is so common and not able to work with Bluetooth when the app is not active is their argument. Also based on a centralized server. My hope was apple would in this circumstance allow Bluetooth to work differently so avoid unnecessary location data.
|
|
| |
Of course you can use Bluetooth in the background. You just have to enable Background Location Access permission as a user.
|
|
| |
> We will openly publish information about our work for others to analyze.Great!
|
|
| |
The relevant privacy details:https://covid19-static.cdn-apple.com/applications/covid19/cu... "Privacy Considerations • The key schedule is fixed and defined by operating system components, preventing applications
from including static or predictable information that could be used for tracking. • A user’s Rolling Proximity Identifiers cannot be correlated without having the Daily Tracing Key. This
reduces the risk of privacy loss from advertising them. • A server operator implementing this protocol does not learn who users have been in proximity with
or users’ location unless it also has the unlikely capability to scan advertisements from users who
recently reported Diagnosis Keys. • Without the release of the Daily Tracing Keys, it is not computationally feasible for an attacker to
find a collision on a Rolling Proximity Identifier. This prevents a wide-range of replay and
impersonation attacks. • When reporting Diagnosis Keys, the correlation of Rolling Proximity Identifiers by others is limited to
24h periods due to the use of Daily Tracing Keys. The server must not retain metadata from clients
uploading Diagnosis Keys after including them into the aggregated list of Diagnosis Keys per day." It doesn't look bad, at least, at the first sight. A detail: I hope the "day begin" for the "Daily Tracing Key" is the same for all users? I.e. not a local day but e.g. GMT+0 day or something.
|
|
| |
Good. I always thought if we really want to implement this the two mobile giants need to propose a standard and implement it on the OS level. It of course needs to be opt-in and the privacy and security needs to be provable and auditable.
|
|
| |
Does this all depend on people's opt-in and self-report? What is the minimum opt-in percentage to keep the system functional?
|
|
|
| |
Ok so looks like the key to understand is flow diagram from ContactTracing-BluetoothSpecification.pdf page 6 scanning:
CFUserNotification "App would like to access time and duration of your %d contacts. Approve?"What it looks like it's application framework based on system service I hope they won't start advertising ios bluetooth all the time and only allow application to do it. In that case application can be safely removed. I am also concerned about cloud Diagnosis_Keys
|
|
| |
That logo at the bottom gives me chills.
|
|
|
| |
I wish we’d just stick with flatten the curve and get in with our lives :-(
|
|
| |
OK, that's me putting the smartphone in a drawer and picking up a Nokia 3310.
|
|
| |
Is contact tracing technology categorically different from mass surveillance technology?
|
|
| |
Yes. This has an identifier (RPI) that changes every 10 minutes (in a way that can’t feasibly be tied back together, unless you declare yourself infected and upload your diagnosis key), and it does not share or upload any location data whatsoever.All it does is store the RPIs it sees, downloads diagnosis keys, and checks whether any of the RPIs it has stored "belongs" to one of the diagnosis keys it has downloaded.
|
|
| |
If the individuals can’t be personally identified, yes.
|
|
|
| |
You could work with rotating anonymous uuids.
1. You log which uuids you see.
2. When someone is tested positively, you add the list of uuids you used to a public list (run e.g. by the government)
3. Clients fetch updates to the list and compare it to the logged uuids and alert the user if there is a match.This way the government could not identify individuals, and individuals would be in control.
|
|
| |
Yeah thats pretty much how the spec works. But with key pairs instead of UUIDs.
|
|
| |
I said if they can’t be personally identified. Note the qualifier.
|
|
| |
we need to collectively take a step back and put this pandemic into proper perspective so we don't fall for privacy and liberty erosions like this. the panic is unproductive and dangerous to our civil rights.for context, roughly 8000 people die per day in the US. the virus has killed 2 days worth of people in the US in the 80 days of known infection, and probably ~100 days of undiagnosed infection. so covid has killed 2% of the expected number of dead. it's serious, but it's not the black plague, or even the 1918 flu. and we're already seeing transmissions curb. the virus overwhelmingly infects others in close and closed proximity with a lot of cross-breathing going on. random airborne infections or surface infections are likely small, certainly less than 10%, probably less than 1% of infections. so, you don't need to social distance outside unless the other person is actively coughing/sneezing (or maybe singing/talking extra forcefully) in your direction within 6 feet. you don't need a mask unless you are in close proximity (less than 6 feet) to random other people for more than a couple minutes at a time. grocery clerks, and other service workers in close proximity to strangers, on the other hand, should wear non-n95 masks (but probably not gloves) during work. same with those who are often near folks with comorbidities like age, auto-immune disease, diabetes, etc. medical providers should wear n95 masks, gloves, gowns, and take many other precautions that make no sense for the general public. you are not lowering your risks in any percepitble way by doing so. allay your anxieties with those basics, rather than looking to buy more toilet paper. it's enough, really. the overwhelmingly most effective way to prevent transmission is to not breath in a sick person's exhaust. that's it. that's all we need to do. and yes, we don't know everyone who's carrying the virus, so it makes sense to reasonably physically distance in enclosed places like grocery stores. but not more than that as you've already reduced risk to background noise with these basic distancing rules. contact tracing only makes sense when groups of strangers come into close proximity. it doesn't need to track every single person you brush past on the street. so for instance, you could just provide "contact tracing" with beacons in stores rather than always-on phone tracing. let's not lose our heads, and our rights, over this.
|
|
| |
> contact tracing only makes sense when groups of strangers come into close proximity. it doesn't need to track every single person you brush past on the street. so for instance, you could just provide "contact tracing" with beacons in stores rather than always-on phone tracing.The part of this comment that actually addresses contact tracing proposes a method (beacons in stores that would have to rely on fixed identifiers, known geolocation, and central storage) that would not only be worse for privacy than what is proposed here, it is also the likely outcome without employing a technique that at least considers privacy concerns. The other paragraphs read like a compilation of Facebook-based science, where not simply factually incorrect, all points made are debatable and by no means as clear as you make it out to be. This is a opt-in API and a technical protocol specification which we can discuss on technical grounds. Nothing proposed and discussed here even affects data leaving the end user device, or your rights for that manner, yet.
|
|
|
| |
My thoughts at the time:Close contact detection and alerts at the mobile OS level We need to get better and faster at stopping the spread of infectious diseases. Covid is already catastrophic. Next time R could be 5, and mortality could be 5, 10 or 20%. I believe we can use mobile technology to track close contact between individuals, and alert at-risk individuals to potential infections. I believe this could drastically reduce R and the impact of infections diseases could be substantially mitigated. Simulations should be able to determine the effective reduction of R. Apple and Google should work together to implement a worldwide close contact logging framework. It will use bluetooth to track close contact encounters. The architecture will be anonymised and encrypted to make it somewhat privacy centric. Obviously privacy zealots will make noises, but to save millions of lives and economic disaster the general population could be convinced it's acceptable. iOS and Android should have an always-on bluetooth scanner that logs the bluetooth ID of nearby devices. If a device stays nearby for a certain amount of time, a close contact is triggered. The severity of the close contact is determined by the amount of time the devices were close together for, and other bluetooth data. This is anonymised, encrypted and logged. When an individual is diagnosed with an infectious disease, they activate a feature in their phone which displays a QR code. The health professional has an app that scans the QR code. The health professional will enter details about the disease, and how far into the past the person was estimated to be contagious. Alternatively if the individual hasn't been tested or is unable to reach a health professional, they can answer a set of questions about their symptoms that will determine how likely they are to be infected. Obviously this method of self diagnosis is less reliable so the framework will take this into account when deciding who to deliver alerts to. The system alerts people that have had close contact with the infected individual, giving advice about local testing centers or self quarantine. The system will be tuned to only notify the more severe close contacts as needed. Data about available local testing capacity could be used to further refine this tuning. Problems: * Privacy: how to make the data private / anonymous.
Communication: how to convince the public that their data is private / anonymous? * Power: Bluetooth on all the time - battery drain? * Health professionals: how to make sure only health professionals can use the alert app, but also deploy worldwide without delays. * Deployment: how to get this system onto all Android phones with such a fragmented ecosystem. * Detection: how to most effectively determine infection risk from available bluetooth data. * Tuning: too many alerts for low risk encounters and people will ignore them - tuning is needed.
|
|
| |
> Power: Bluetooth on all the time - battery drain?I doubt this is an issue anymore for modern devices. Things like smartwatches connect via Bluetooth but still manage to keep the phone’s almost-all-day battery life.
|
|
| |
The easiest way to convince the public is to lie to them, because that data is not going to be private. There is no chance that this won't be misused. NSA employees misused their power to spy on their neighbors and partners. There is virtually no chance that this won't be abused.Every single authoritarian regime is salivating over something like this.
|
|
| |
Is this the approach that South Korea and Singapore used?
|
|
| |
Not really. For contact tracing, S.Korea is using a much more aggressive approach built upon a framework to join cellphone location from mobile providers, credit card usages and potentially CCTV.
|
|
| |
Sort of, but not really: both of their apps were unable to track in the background due to privacy restrictions. This partnership enables that at the OS level, and will remove the need to download an additional app
|
|
| |
About time, we need it now!
|
|
| |
Wait what.. apple and google devices can ping over bluetooth? Clearly an apocalipse sign
|
|
| |
BLE works between IOS and Android, why wouldn’t it? It’s a standard 2.4Ghz radio protocol.The thing created here is a standard BLE characteristic that says I’M PERSON X and your phone is always looking for PEOPLE and recording when it sees them... then uploading that to Google and Apple. You can decide for yourself if a contact recording system could ever be abused.
|
|
| |
Sorry for that but sharing files in between iOS or Android wasn’t possible, that is my point
|
|
| |
This contact tracing has nothing to do with "sharing files".
|
|
| |
it is just shockingly important that we come out of this _without_ a dystopian nightmare of a surveillance state.That apple's involved in this is hopeful -- their earlier work on anonymizing Maps.app directions is well worth thinking about here. tl;dr your route is broken up into n chunks, each chunk gets a uuid that isn't tied to your handset, and so serverside nobody knows where Bob's Iphone just asked to go. [0] Doing this kind of "differential privacy" or whatever we want to call it today properly is very hard, but it is also very, very important to get right. [0] https://www.idownloadblog.com/2019/03/13/apple-maps-navigati...
|
|
|
| |
I am hoping that Apple being involved will keep this as privacy respecting as it reasonably can be given what it is doing.I am generally someone that takes privacy very seriously, I mostly avoid Google products and others for this reason. But... this may be a time that the privacy concerns are worth loosening a bit for the good of this. But that comes with the caveat that I hope this is disabled when this is all done, and preferably the code removed completely. I trust Apple to do this, not sure if I would trust google too.
|
|
| |
> But... this may be a time that the privacy concerns are worth loosening a bit for the good of this. But that comes with the caveat that I hope this is disabled when this is all done, and preferably the code removed completely.Any right you're willing to give up now, you've demonstrated a willingness to give up. You won't get it back. Either it'll remain lost forever, or it'll be used as evidence for a future proposal to take it away permanently (rhetoric: you agreed to it for X, and clearly any person who isn't morally bankrupt values Y over merely X; you're not morally bankrupt are you? And the need for Y will never go away...). By all means, let's carefully give people tools to supplement their memory, to help people voluntarily notify others who need to be tested. Let's not, however, make that information available to anyone other than the owner of the device.
|
|
| |
I mean, I agree to a point.The problem is, what's the better option right now. Clearly the measures that are being taken are not actually working, people are still being infected and the ability to track the person you happen to walk past or stand next to waiting for your pickup. I am conflicted about this... but as of right now I also feel like its necessary.
|
|
| |
I don't understand this absolutist mindset. It doesn't have to work this way. We can have, say, the draft - an absolutely whopping restriction on civil liberties - during WWII but get rid of it when it's no longer needed.
|
|
| |
(From a UK perspective, though I now live in the USA):Can anyone think of a recent situation where the UK government has given back a power it has temporarily taken? This is a genuine question - I cannot. The closest was a stand taken by David Davis against 90-day detention without charge during the Blair administration (though he has since proved rather more illiberal than this position would suggest). In the UK at least, while it might not _have_ to work that way, in practice it does.
|
|
| |
We haven't gotten rid of it, it still exists. It just isn't being used right now. Getting rid of it would be to abolish it entirely, and instead require people to voluntarily consent in the future. (And if you can't get people to agree to it, perhaps that should tell you something.) "needed" isn't even a factor here.An involuntary mechanism for contact or location tracing that's accessible to governmental authorities without the consent of the user is a civil rights violation, whether it's being actively used at the moment or not.
|
|
| |
> It just isn't being used right now.The American public exercised their power to elect politicians who'd end the draft as the Vietnam War got progressively more unpopular. It's well within our powers, if we care enough.
|
|
| |
If you care enough, sure. But a draft during war times is something very concrete and threatening.This is something covert, like secret courts, unconstitutional data collection, manipulating the stock market for the 1%. You won't get people to care once a new, barely visible leash is entrenched.
|
|
| |
Is it, in fact, "well within our powers", or do you just believe it is? I don't, in general, believe "we could take this power away from government if we wanted to" is true without an existence proof.
|
|
| |
> Is it, in fact, "well within our powers", or do you just believe it is?Public opposition ended the Vietnam War and the draft. It would be political suicide to reactivate it barring a full-scale world war.
|
|
|
| |
And now it will be up to the carriers to push out the Android update to the end users. And we all know how well that's going to go.
|
|
|
| |
For context, start with https://www.vox.com/2020/4/10/21215494/coronavirus-plans-soc...The tl;dr is that without a huge, nigh-omniscient program to trace individual cases, we have no choice but to go on and off Covid lockdown for a year or more, with potentially devastating economic consequences. Having Apple and Google develop a built-in tracing program to their phones with firm privacy guarantees is not good, but it might be the least-bad solution we have right now.
|
|
| |
> Only an official effort, led by Apple+Google or maybe FB and then forced upon users, can reach the critical mass needed to make contact tracing viable.This may be right, but how will said vendors "force it" on users? A system update? That still takes voluntary cooperation.
|
|
|
| |
Why is this needed? and why would i sign up for it , esp. knowing how much they both know about me already? The text doesn't tell us why contact tracing is important- Did contact tracing apps really save anything in singapore/taiwan/israel? - Is sweden really doing that bad without this kind of surveillance? - What is tracing going to help anyway? it will warn people to go to the hospital early ? To do what? there is no cure and they 'd better stay away from infection nests like hospitals anyway. It's not like people don't get symptoms days before they need hospitalization - Is tracing really going to be workable? this is a highly infectious virus, and people networks have very short path length, which means that, without social distancing, 100% of the people will get notified that they might have been infected in any day - This data does not need to reach anyone's servers. Infected people could just publicly and anonymously upload their location in a public server for other users to crosscheck. The less data are hidden behind walls, the less chance of abuse. Even if tracing might slow down the curve, this slowdown shouldnt last forever and it should be targetted, not anonymous. It is important that the spread speeds up in the parts of the population that carry less risk (children, women). There is really no good way to do that other than specific , local measures of SD. It would be very different if these phones had a thermometer, but i think some regulator removed them.
|
|
| |
It's quite horrible if it becomes a standard API. What a gold mine it is for ad business to be able to tell which groups of people are together. It can be used to track 'idea spreading' as well.
|
|
| |
Sounds like this will only be available for approved public organizations.> First, in May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores.
|
|
| |
Of course it’s potentially rife with abusive power. And we need to make sure that this is a very temporary thing (admittedly it’s hard to put the genie back in the bottle). That said, you can’t advertise to the dead. There’s a very real need here, and some governments are off doing this on their own anyway. I do believe that at least Apple and Google combined can come up with a solution that has some amount of privacy protection that a state actor would never bother with themselves.
|
|
| |
> admittedly it’s hard to put the genie back in the bottleOn iOS, entitlements?
|
|
| |
I meant that once this capability is out there, people will point to it and say "see it can be done. Now do this, it’s law."
|
|
|
| |
We learned so little after 9/11, we still live with TSA security-theater nightmare to this day (ironically now spreading covid19 with their groping and concentrating crowds into small spaces)So now this nightmare is going to give historical tracking data to government entities without warrants forever. And Barr is going to get encryption backdoors with his theater. How about just making a test that costs a few cents in million quantities that you can take at home. It won't be the last time we need that tech for a virus.
|
|
| |
I just can't wait to see this being turned against us.
|
|
| |
I have never carried a cell phone (smart of otherwise) in my life. I leave my dumb phone at home or take the battery out. I hope that these tracking bracelets which others voluntarily carry will not be forced and required in the future.
|
|
|
|