The Case For Contact Tracing Apps Built On Apple And Google's Exposure Notification System

from the tradeoffs dept

Apple and Google have now released their update to their mobile operating systems to include a new capability for COVID-19 exposure notification. This new technology, which will support contact tracing apps developed by public health agencies, is technically impressive: it enables notifications of possible contact with COVID-positive individuals without leaking any sensitive personal data. The only data exchanged by users are rotating random keys (i.e., a random 128-bit value, a unique string of 128 0s and 1s) and encrypted metadata (i.e., the protocol version in use and transmitted power levels). Upon a positive test, and with the approval of a government-sanctioned public health app, the keys of infected individuals are shared with the network, but never their identities or their locations.

Despite being a useful tool in the pandemic arsenal and adopting state-of-the-art techniques to protect privacy, the Apple-Google system has drawn criticism from several quarters. Privacy advocates are dreaming up ways the system could be abused. Anti-tech campaigners are decrying “tech solutionism.” None of these critiques stands up to scrutiny.

How the exposure notification API works

To get a sense for how the Apple-Google exposure notification system works, it is useful to consider a hypothetical system involving raffle tickets instead of Bluetooth beacons. Imagine you were given a roll of two-part raffle tickets to carry around with you wherever you go. Each ticket has two copies of a randomly-generated 128-digit number (with no relationship to your identity, your location, or any other ticket; there is no central record of ticket numbers). As you go about your normal life, if you happen to come within six feet of another person, you exchange a raffle ticket, keeping both the ticket they gave you and the copy of the one you gave them. You do this regularly and keep all the tickets you’ve exchanged for the most recent two weeks.

If you get infected with the virus, you notify the public health authority and share only the copies of the tickets you’ve given out—the public health officials never see the raffle tickets you’ve received. Each night, on every TV and radio station, a public health official reads the numbers of the raffle tickets it has collected from infected patients (it is a very long broadcast). Everyone listening to the broadcast checks the tickets they’ve received in the last two weeks to see if they’ve “won.” Upon confirming a match, an individual has the choice of doing nothing or seeking out a diagnostic test. If they test positive, then the copies of the tickets they’ve given out are announced in the broadcast the next night. The more people who collect and hand out raffle tickets everywhere they go, and the more people who voluntarily announce themselves after hearing a match in the broadcast, the better the system works for tracking, tracing, and isolating the virus.

The Apple-Google exposure notification system works similarly, but instead of raffle tickets, it uses low-power Bluetooth signals. Every modern phone comes with a Bluetooth radio that is capable of transmitting and receiving data over short distances, typically up to around 30 feet. Under the design agreed to by Apple and Google, iOS and Android phones updated to the new OS, that have their Bluetooth radios on, and that have a public health contact tracing app installed will broadcast a randomized number that changes every 10 minutes. In addition, phones with contact tracing apps installed on them will record any keys they encounter that meet criteria set by app developers (public health agencies) on exposure time and signal strength (say, a signal strength correlating with a distance up to around six feet away). These parameters can change with new versions of the app to reflect growing understanding of COVID-19 and the levels of exposure that will generate the most value to the network. All of the keys that are broadcast or received and retained are stored on the device in a secure database.

When an individual receives a positive COVID-19 diagnosis, she can alert the network to her positive status. Using the app provided by the public health authority, and with the authority’s approval, she broadcasts her recent keys to the network. Phones download the list of positive keys and check to see if they have any of them in their on-device databases. If so, they display a notification to the user of possible COVID-19 exposure, reported in five-minute intervals up to 30 minutes. The notified user, who still does not know the name or any other data about the person who may have exposed her to COVID-19, can then decide whether or not to get tested or self-isolate. No data about the notified user leaves the phone, and authorities are unable to force her to take any follow-up action.
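The flow described in the last three paragraphs, as an added simulation written for this page (it is not Apple's or Google's code, and the real API derives its rotating identifiers from a per-day key rather than drawing each one at random, a detail outside the article and not modeled here). The rotation period, two-week retention, five-minute reporting intervals and 30-minute cap come from the article; the RSSI threshold standing in for "about six feet", the rounding-down rule, and the three-phone scenario are this example's own assumptions:

```python
import os
from collections import defaultdict

# Parameters taken from the article's description of the API
ROTATION_MINUTES = 10              # the broadcast number changes every 10 minutes
RETENTION_MINUTES = 14 * 24 * 60   # keep what you heard for the most recent two weeks
REPORT_INTERVAL = 5                # exposure is reported in five-minute intervals ...
REPORT_CAP = 30                    # ... up to 30 minutes
RSSI_NEAR = -65                    # assumed dBm floor standing in for "about six feet away"


def report_bucket(contact_minutes):
    """Round raw contact minutes down to whole five-minute intervals, capped at 30."""
    return min(REPORT_CAP, contact_minutes - contact_minutes % REPORT_INTERVAL)


class Phone:
    """One handset: mints its own random identifiers and records nearby ones."""

    def __init__(self, name):
        self.name = name
        self.own_keys = []              # (rotation_slot, 16-byte key) this phone broadcast
        self.heard = defaultdict(set)   # key heard nearby -> set of minutes it was heard

    def current_key(self, now):
        """Identifier broadcast at minute `now`; a fresh one is minted each 10-minute slot."""
        slot = now // ROTATION_MINUTES
        if not self.own_keys or self.own_keys[-1][0] != slot:
            self.own_keys.append((slot, os.urandom(16)))   # 128 random bits, tied to nothing
        return self.own_keys[-1][1]

    def hear(self, key, rssi, now):
        """Record a beacon only if it was strong enough to count as close contact."""
        if rssi >= RSSI_NEAR:
            self.heard[key].add(now)

    def purge(self, now):
        """Drop everything older than the two-week retention window."""
        cutoff = now - RETENTION_MINUTES
        self.own_keys = [(s, k) for s, k in self.own_keys if s * ROTATION_MINUTES >= cutoff]
        for key in list(self.heard):
            self.heard[key] = {m for m in self.heard[key] if m >= cutoff}
            if not self.heard[key]:
                del self.heard[key]

    def keys_to_share(self):
        """What a diagnosed user uploads: only identifiers she broadcast, never what she heard."""
        return [k for _, k in self.own_keys]

    def exposure_minutes(self, positive_keys):
        """Local match against the published list; nothing about this phone leaves it."""
        minutes = set()
        for key in positive_keys:
            minutes |= self.heard.get(key, set())
        return report_bucket(len(minutes))


def simulate():
    """Constructed scenario: Alice and Bob chat for 23 minutes; Carol is across the room."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for minute in range(23):
        a, b, c = (p.current_key(minute) for p in (alice, bob, carol))
        alice.hear(b, -55, minute); bob.hear(a, -55, minute)     # close contact, strong signal
        alice.hear(c, -85, minute); carol.hear(a, -85, minute)   # too weak: not recorded
    # Bob tests positive and, with the health authority's approval, shares his own keys only.
    published = set(bob.keys_to_share())
    result = {
        "bob_keys_published": len(published),                    # 3 ten-minute slots
        "bob_leaks_what_he_heard": any(k in published for k in bob.heard),  # False
        "alice_exposure": alice.exposure_minutes(published),     # 23 min -> reported as 20
        "carol_exposure": carol.exposure_minutes(published),     # never close enough -> 0
    }
    # Two weeks later the record has aged out, so the same published keys match nothing.
    alice.purge(RETENTION_MINUTES + 30)
    result["alice_after_two_weeks"] = alice.exposure_minutes(published)
    return result


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The two properties worth checking are visible in the result: the published list is made only of keys Bob himself broadcast (so it says nothing about whom he met), and the match is computed on Alice's phone from data that never left it.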

Risks to privacy and abuse are extremely low

As global companies, Google and Apple have to operate in nearly every country around the world, and they need to set policies that are robust to the worst civil liberties environments. This decentralized notification system is exactly what you would design if you needed to implement a contact tracing system but were concerned about adversarial behavior from authoritarian governments. No sensitive data ever leaves the phone without the user’s express permission. The broadcast keys themselves are worthless, and cannot be tied back to a user’s identity or location unless the user declares herself COVID-positive through the public health app.

Some European governments think Apple and Google’s approach goes too far in preserving user privacy, saying they need more data and control. For example, France has indicated that it will not use Apple and Google’s API and has asked Apple to disable other OS-level privacy protections to let the French contact tracing app be more invasive (Apple has refused). The UK has also said it will not use Apple and Google’s exposure notification solution. The French and British approach creates a single point of failure ripe for exploitation by bad actors. Furthermore, when the government has access to all that data, it is much more likely to be tempted to use it for law enforcement or other non-public health-related purposes, risking civil liberties and uptake of the app.

Despite the tremendous effort the tech companies exerted to bake privacy into their API as a fundamental value, it is not enough for some privacy advocates. At Wired, Ashkan Soltani speculates about a hypothetical avenue for abuse. Suppose someone set up a video camera to record the faces of people who passed by, while also running a rooted phone—one where the user has circumvented controls installed by the manufacturer—that gave the perpetrator direct access to the keys involved. Then, argues Soltani, when a COVID-positive key was broadcast over the network, the snoop could be able to correlate it with the face of a person captured on camera and use that to identify the COVID-positive individual.

While it is appropriate for security researchers like Soltani to think about such hypothetical attacks, the real-world damage from such an inefficient possible exploit seems dubious. Is a privacy attacker going to place cameras and rooted iPhones every 30 feet? And how accurate would this attack even be in crowded areas? In a piece for the Brookings Institution with Ryan Calo and Carl Bergstrom, Soltani doubles down, pointing out that “this ‘decentralized’ architecture isn’t completely free of privacy and security concerns” and “opens apps based on these APIs to new and different classes of privacy and security vulnerabilities.”

Yet if “completely free of privacy and security concerns” is the standard, then any form of contact tracing is impossible. Traditional physical contact tracing involves public health officials interviewing infected patients and their recent contacts, collecting that information in centralized government databases, and connecting real identities to contacts. The Google-Apple exposure notification system clearly outperforms traditional approaches on privacy grounds. Soltani and his collaborators raise specious problems and offer no solution other than privacy fundamentalism.

Skeptics of the Apple-Google exposure notification system point to a recent poll by the Washington Post that found “nearly 3 in 5 Americans say they are either unable or unwilling to use the infection-alert system.” About 20% of Americans don’t own a smartphone, and of those who do, around 50% said they definitely or probably would not use the system. While it’s too early to know how much each component of coronavirus response contributes to suppression, evidence from Singapore and South Korea suggests that technology can augment the traditional public health toolbox (even with low adoption rates). In addition, there are other surveys with contradictory results. According to a survey by Harris Poll, “71% of Americans would be willing to share their own mobile location data with authorities to receive alerts about their potential exposure to the virus.” Notably, cell phone location data is much more sensitive than the encrypted Bluetooth tokens in the Apple-Google exposure notification system.

Any reasonable assessment of the tradeoff between privacy and effectiveness for contact tracing apps will conclude that if the apps are at all effective, they are overwhelmingly beneficial. For cost-benefit analysis of regulations, the Environmental Protection Agency has established a benchmark of about $9.5 million per life saved (other government agencies use similar values). By comparison, the value of privacy varies depending on context, but the range is orders of magnitude lower than the value of saving a life, according to a literature review by Will Rinehart.

If we have any privacy-related criticism of the tech companies’ exposure notification API, it is that it requires the user to opt in by downloading a public health contact tracing app before it starts exchanging keys with other users. This is a mistake for two reasons. First, it signals that there is a privacy cost to the mere exchange of keys, which there is not. Even the wildest scenarios concocted by security researchers entail privacy risks from the API only when a user declares herself COVID-positive. Second, it means that the value of the entire contact tracing system is dependent on uptake of the app at all points in time. If the keys were exchanged all along, then even gradual uptake of the app would unlock value in the network that had built up even before users installed the app.

The exposure notification API is part of a portfolio of responses to the pandemic

Soltani, Calo, and Bergstrom raise other problems with contact tracing apps. They will result in false positives (notifications about exposures that didn’t result in transmission of the disease) and false negatives (failures to notify about exposure because not everyone has a phone or will install the app). If poorly designed (without verification from the public health authority), apps could allow individuals who are not COVID-positive to “cry wolf” and frighten a bunch of innocent people, a practice known in the security community as “griefing.” They want their readers to understand that the rollout of a contact tracing app using this API will not magically solve the coronavirus crisis.
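The "cry wolf" failure mode above comes down to whether the server that publishes positive keys checks that the uploader really was diagnosed. The following added example (written for this page, not code from Apple, Google or any health authority) puts a deliberately weak server that accepts any upload beside one that requires a single-use, HMAC-protected verification code issued only after a confirmed test. The code format, the 24-hour validity and the HMAC-SHA256 construction are this example's own assumptions:

```python
import hashlib
import hmac
import secrets


class HealthAuthority:
    """Issues single-use verification codes to people with a confirmed positive test.
    The 'id.expiry.tag' format and the HMAC scheme are assumptions of this example."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)   # server-side key, never sent to phones
        self._live = {}                          # code_id -> expiry (unix seconds); removed on use

    def _tag(self, code_id, expiry):
        msg = f"{code_id}:{expiry}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_code(self, now, ttl_seconds=24 * 3600):
        """Called only after a lab result is confirmed; returns 'id.expiry.tag'."""
        code_id = secrets.token_hex(8)
        expiry = int(now) + ttl_seconds
        self._live[code_id] = expiry
        return f"{code_id}.{expiry}.{self._tag(code_id, expiry)}"

    def redeem(self, code, now):
        """True exactly once for a genuine, unexpired code; False for anything else."""
        try:
            code_id, expiry_text, tag = code.split(".")
            expiry = int(expiry_text)
        except ValueError:
            return False                         # malformed
        if not hmac.compare_digest(self._tag(code_id, expiry), tag):
            return False                         # forged or tampered
        if self._live.pop(code_id, None) is None:
            return False                         # unknown, or already used (replay)
        return now <= expiry


class UnverifiedKeyServer:
    """The 'poorly designed' variant: publishes whatever keys a client sends."""

    def __init__(self):
        self.published = []

    def upload(self, keys, code=None, now=None):
        self.published.extend(keys)
        return True


class VerifiedKeyServer:
    """Publishes keys only when the upload carries a valid one-time code."""

    def __init__(self, authority):
        self.authority = authority
        self.published = []

    def upload(self, keys, code, now):
        if not self.authority.redeem(code, now):
            return False
        self.published.extend(keys)
        return True


def demo(now=1_600_000_000):
    """Constructed scenario: a prankster with no diagnosis and a real patient with one."""
    authority = HealthAuthority()
    weak, strong = UnverifiedKeyServer(), VerifiedKeyServer(authority)
    prank_keys = [secrets.token_bytes(16) for _ in range(3)]
    patient_keys = [secrets.token_bytes(16) for _ in range(3)]
    patient_code = authority.issue_code(now)
    spare_code = authority.issue_code(now)
    head, expiry, tag = spare_code.split(".")
    tampered = f"{head}.{int(expiry) + 999_999}.{tag}"   # expiry changed without the secret
    return {
        "weak_accepts_prank": weak.upload(prank_keys),                           # True: cry wolf
        "strong_rejects_prank": strong.upload(prank_keys, "no.code.here", now),  # False
        "strong_rejects_tampered": strong.upload(prank_keys, tampered, now),     # False
        "strong_accepts_patient": strong.upload(patient_keys, patient_code, now),  # True
        "strong_rejects_replay": strong.upload(patient_keys, patient_code, now),   # False
        "strong_rejects_expired": strong.upload(patient_keys, spare_code, now + 3 * 24 * 3600),  # False
        "strong_published": len(strong.published),                               # 3
    }
```

The verified server still learns nothing about whom the patient met: the code proves only that a health authority approved this upload, which is the one check the article says a well-designed app must have.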

Well, no shit. No one is claiming that these apps are a panacea. Rather, the apps are part of a portfolio of responses that can together reduce the spread of COVID and potentially avoid the need for rolling lockdowns until a cure or vaccine is found (think of how many more false negatives there would be in a world without any contact tracing apps). We will still need to wear masks, supplement phone-based tracing methods with traditional contact tracing, and continue some level of distancing until the virus is brought fully under control. (For a point-by-point rebuttal of the Brookings article, see here from Joshua B. Miller).

The exposure notification API developed by Google and Apple is a genuine achievement: it will enable the most privacy-respecting approach to contact tracing in history. It was developed astonishingly quickly at a time when the world is in desperate need of additional tools to address a rapidly spreading disease. The engineers at Google and Apple who developed this API deserve our applause, not armchair second-guessing from unpleasable privacy activists.

Under ordinary circumstances, we might have the luxury of interminable debates as developers and engineers tweaked the system to respond to every objection. However, in a pandemic, the tradeoff between speed and perfection shifts radically. In a viral video in March, Dr. Michael J. Ryan, the executive director of the WHO Health Emergencies Programme, was asked what he’s learned from previous epidemics and he left no doubt with his answer:

Be fast, have no regrets. You must be the first mover. The virus will always get you if you don’t move quickly. [...] If you need to be right before you move, you will never win. Perfection is the enemy of the good when it comes to emergency management. Speed trumps perfection. And the problem in society we have at the moment is that everyone is afraid of making a mistake. Everyone is afraid of the consequence of error. But the greatest error is not to move. The greatest error is to be paralysed by the fear of failure.

We must move forward. We should not be paralyzed by the fear that somewhere someone might lose an iota of privacy.

Filed Under: apis, contact tracing, privacy
Companies: apple, google


Reader Comments


  • This comment has been flagged by the community.
    tz1 (profile), 20 May 2020 @ 4:12pm

    Don't minimize the problems

    So you get a notification that you were "near" someone. What is the probability it is a false positive? That the contact was on the other side of a shield, wearing PPE, etc? The app detects NONE of that, but assumes proximity=positive. Now what? An EXPENSIVE test you have to pay for yourself to see if you test positive? And again when the app goes off next week? Rinse, lather, repeat? Isolate yourself and use DoorDash for 2 weeks? Oh, and you are in your 20's where you are more likely to die of a flu infection than a covid infection. But keep forcing the nursing homes with octogenarians to accept the covid positive patients - app or not. So what if half die? We can virtue signal using spread spectrum and feel good we are doing our part.


    • Mike Masnick (profile), 20 May 2020 @ 4:26pm

      Re: Don't minimize the problems

      This is quite an odd criticism, given that basic contact tracing has the same issue, and yet multiple experts have noted that it is key to stopping the spread of COVID.

      And yet you call it "virtue signalling" which says pretty much all we need to know about your credibility here.


      • Anonymous Coward, 21 May 2020 @ 4:41am

        Re: Re: Don't minimize the problems

        It is highly insulting that the most truthful and insightful comment is branded as hate speech.


    • Anonymous Coward, 20 May 2020 @ 4:45pm

      Re: Don't minimize the problems

      The contact tracing API is not a policy forcing sick people into nursing homes. Any contact tracing of any form has zero to do with bad policies wherever that is happening.


    • PaulT (profile), 21 May 2020 @ 12:17am

      Re: Don't minimize the problems

      "Now what? An EXPENSIVE test you have to pay for yourself to see if you test positive?"

      Only if you live in a country whose healthcare system is built around profiting from rather than helping the sick. If you do, then you have a larger problem than how people are to be protected from this specific pandemic.

      "Oh, and you are in your 20's where you are more likely to die of a flu infection than a covid infection"

      ...and you can also be a Typhoid Mary needlessly infecting those who aren't so lucky, regardless of age. Maybe when you've grown up a bit you might understand that a lot of things here are not about you, even if your claim is correct (and people who still compare this to the flu are rarely correct).

      "virtue signal"

      It's generally my experience that anyone using this term seriously is either an idiot or getting their news from places that assume they're an idiot.


    • rozinator (profile), 21 May 2020 @ 11:03am

      Re: Don't minimize the problems

      It's a hassle to get more tests but it means that people can go on with their lives and the disease is controlled - that's awesome. That saves a lot of people terrible pain and trouble.

      The point is that we need to make testing easy to get and then if you get an alert, retest. That's it.

      As time goes on, we get fewer and fewer alerts, with data we solved the pandemic and grandma doesn't have to die for a hug.


      • urza9814 (profile), 21 May 2020 @ 11:52am

        Re: Re: Don't minimize the problems

        We can't manufacture tests fast enough for that. And the tests that we CAN manufacture are currently showing false negative rates as high as 50%. We do NOT want people going back outside right now just because one test said they were OK. Even if this system was working perfectly right now, if you get an alert, you need to quarantine, even after you test negative.


        • rozinator (profile), 22 May 2020 @ 4:49pm

          Re: Re: Re: Don't minimize the problems

          You might be right on both points, in practice. I tried to look up the virus test accuracy and with a known virus sample it is 85-95% but I have also heard that in practice the virus is not always immediately detected and a test might need to be repeated which supports your point.
          In terms of the test availability, if we don't have enough, the best investment we can make is in that capacity. I hope we do it. I don't think we should undermine good efforts because other things are not happening well. We need to address the defects and move forward on all fronts.


    • Scary Devil Monastery (profile), 25 May 2020 @ 4:54am

      Re: Don't minimize the problems

      "Oh, and you are in your 20's where you are more likely to die of a flu infection than a covid infection."

      Either you're unaware that an asymptomatic covid-carrier is a far greater threat than the visibly ill senior citizen...or you simply don't give a rat's ass that every healthy young infected person moving around will be infecting hundreds of others every week, many of whom will NOT be as lucky.

      As a few have implied, you need to go google "typhoid mary" before you start railing about how young people should force everyone else into playing russian roulette.


  • Anonymous Coward, 20 May 2020 @ 4:27pm

    So, in short, this thing is nearly perfectly safe when compared to preinstalled apps on existing smartphones.

    What were they thinking. After years of megaslurp and centuries of "truth in advertising" no one will ever believe it.


  • Anonymous Coward, 20 May 2020 @ 4:27pm

    So, in short, this thing is nearly perfectly safe when compared to preinstalled apps on existing smartphones.

    What were they thinking. After years of megaslurp and centuries of "truth in advertising" no one will ever believe it.


  • Anonymous Coward, 20 May 2020 @ 4:28pm

    It seems a double click results in a duplicate post. Mea culpa.


  • mvario (profile), 20 May 2020 @ 5:40pm

    Contact tracing

    Security Now did their assessment and agreed that the Google/Microsoft API was well done for preserving privacy. On the other hand I wonder what you think about Bruce Schneier's take on it...
    https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html
    ...which appears to consider contact tracing apps as theatre.


    • Anonymous Anonymous Coward (profile), 20 May 2020 @ 5:59pm

      Re: Contact tracing

      I have a tendency to agree with Bruce. False positives and false negatives are a big issue. Additionally, as pointed out above, not everyone has a cell phone. I don't, though I do have some tablets; I don't carry them with me everywhere, and both Bluetooth and WiFi are turned off, unless I have a personal need for them, after which they are turned off again. Then there are the issues with testing, which include cost, accuracy, and availability and maybe some I haven't thought of.

      On the other hand, knowing that you have had contact with a person suspected of being a Covid-19 carrier is better than not knowing. I have some doubts about how many will sit through some TV program where they read out numbers for you to see if you're a winner. I don't have TV, so it wouldn't work for me. They might be better off with a website where you could look up to see if you 'won'. But not much better. How many times will any individual check, or how often?

      Contact tracing would be better if it was comprehensive (included everybody) and easier, but that is not actually practical. And given Bruce's issues, as well as the above, not likely to become comprehensive.

      The most practical solution I see is to test everyone, weekly, for several weeks. But then again that isn't actually practical either.


      • reticulator (profile), 20 May 2020 @ 7:43pm

        Re: Re: Contact tracing

        There's a wee bit of confusion in your comment. May I try to clear it up?

        AAC: I have some doubts about how many will sit through some TV program where they read out numbers for you to see if your a winner. I don't have TV, so it wouldn't work for me.

        The "radio program" is part of the introductory analogy using raffle tickets, not part of any actual implementation. Apps implementing tracing using the facility provided by Apple and Google would download lists from the public health agency providing the app [the agencies might confederate the data so the app would work as the phone travels from one jurisdiction to another]:

        Article: Phones download the list of positive keys and check to see if they have any of them in their on-device databases.

        As for

        AAC: How many times will any individual check, or how often?

        Again, there's an app. The app does the checking. Perhaps the implementer provides a default frequency, and the user may have a preference to modify it.


      • PaulT (profile), 21 May 2020 @ 12:31am

        Re: Re: Contact tracing

        "False positives and false negatives are a big issue."

        It really depends on what happens to someone who gets those. False positives are an issue, but if all that happens to people who are tagged as positive is that they have to stay home while everyone else gets back to normal faster, and/or they have to be tested to confirm, it's a low price to pay compared to what's happening right now. Similarly, false negatives are also a real issue, but the question is does it catch more people than operating without the app does? If the answer to that is yes, then it's silly to let perfection be the enemy of the good.

        "Additionally, as pointed out above, not everyone has a cell phone"

        The idea of these apps to anyone sensible is not to catch 100% of everything without fail or error. It's to get better information than is available without the apps, and use that information to better target the response to the pandemic while getting things back to normal. There will always be mistakes, people who slip through the net and people who cannot be tracked. But, is it a better tool than not having it?

        "The most practical solution I see is to test everyone, weekly, for several weeks"

        No, that's not at all practical. Most effective in theory, but definitely not practical. But, even then there will be a non-zero error rate due to faulty tests, tests that are not run correctly due to overworked and undertrained staff, and so on.

        I think the main thing here is that since most people are already carrying devices on them and most people will accept installing the app as the price for returning to a normal life, then it possibly represents a better option than not having it.


    • reticulator (profile), 20 May 2020 @ 8:38pm

      Re: Contact tracing

      Thank you for the link. Schneier usually says something sensible to think about. In this case, though I can't name it, I believe there's an informal fallacy in his argument:

      Schneier: And without ubiquitous, cheap, fast, and accurate testing, you can't confirm the app's diagnosis. So the alert is useless.
      [There's a straw man hiding there -- the app doesn't claim to provide diagnosis -- but it's not the fallacy I'm concerned with.]

      Testing is an essential predicate for control until we have a vaccine or "herd immunity" (don't hold your breath for that). The general plan for control of the pandemic before a vaccine is available is

      A(testing) + B(knowledge of contacts) => C(hope of control through isolation measures)

      Schneier says without A, an app to help with contact tracing is useless. I agree. But then, "without ubiquitous, cheap, fast, and accurate testing" you can't do effective contact tracing (neither with nor without an app, especially if there's asymptomatic spreading).

      But that doesn't mean an app to help with contact tracing is useless under all circumstances, does it?

      That doesn't mean that an app to provide some help with contact tracing is useless. It seems more accurate to say it may be premature. Testing capability varies from place to place, and may improve with time.


      • PaulT (profile), 21 May 2020 @ 12:37am

        Re: Re: Contact tracing

        "And without ubiquitous, cheap, fast, and accurate testing, you can't confirm the app's diagnosis. So the alert is useless."

        I wouldn't say useless, unless there are a lot of false positives. The question is, what's the real alternative? With a for-profit medical system and a bunch of idiots who are convinced that tests and vaccines are some secret plot to imbed chips into everyone in a way that magically can't happen with normal medical interactions, is there really anything easier, cheaper and more effective than an app download, whatever the problems that has?

        "It seems more accurate to say it may be premature."

        I'd call it a stop-gap measure. The idea of the app is not to provide a full permanent fix. It's to provide better intelligence to better target limited resources until the pandemic is over and everyone can be tested/vaccinated as required.


  • Code Monkey (profile), 20 May 2020 @ 6:37pm

    Not 100% convinced.

    "The notified user, who still does not know the name or any other data about the person who may have exposed her to COVID-19, "(..as of TODAY...)
    "can then decide whether or not to get tested or self-isolate" (.. as of TODAY....)
    "No data about the notified user leaves the phone" (.. as of TODAY...)
    "and authorities are unable to force her to take any follow-up action." (.. as of TODAY...)

    For those who believe this tech is safe and secure, or can't or won't be abused: Here's a list of things you'll probably need to stock your shelves

    Ascorbic acid
    Artificial color
    BHA
    Calcium phosphate
    Citric acid
    Maltodextrin
    Natural flavor
    Salt

    Let's hope the tech is as advertised, and is safe and secure. Like Zoom. And Facebook......


  • urza9814 (profile), 20 May 2020 @ 8:20pm

    Verification?

    That all sounds...actually pretty decent.

    But here's the question -- who has verified that this is exactly how it works in practice? Because the last reports I saw (in Wired) indicated that Google wasn't even willing to state that on the record, let alone any kind of independent verification. Keep in mind that this is the same company that said they weren't and didn't intend to be snooping on a bunch of people's wifi...and then three years later we found out that they actually were when they lost a lawsuit and were ordered to stop...and then six years after that they lost another lawsuit over the same issue and had to be ordered to stop AGAIN. And that was only a couple months ago so who knows if they even bothered to comply this time, since they apparently didn't before. So yeah, I'm not exactly going to take their word for it when they swear that THIS product is different and THIS time they're really truly honestly not spying.

    I'll consider believing it when someone like the EFF analyzes some packet captures over at least a couple days...but even that seems pretty difficult to do in a realistic scenario (the average Android user sends so much data to Goog, it'd be a needle in a haystack...)

    Not that it matters to me...given that my newest phone is an LG V20 with no play services, and a Librem 5 is on my wishlist, there's a good chance I'll never actually own a device capable of running this stuff... :)


    • urza9814 (profile), 20 May 2020 @ 9:00pm

      Re: Verification?

      Here is one other more practical problem...this is part of the operating system. How many Android manufacturers basically never release updated roms after the first couple months? Best case you get two years, worst case you get nothing. And often they're significantly delayed, although I'd hope that at least the updates that do ship will rush to include this. Still, I wonder how long it's going to take before a significant portion of Android users even have this feature...?

      Google has said before that they want to pull more control away from the manufacturers...soon they might be able to claim that doing so is a critical public health issue...


      • urza9814 (profile), 20 May 2020 @ 9:29pm

        Re: Re: Verification?

        I really need to stop talking to myself and get to sleep...but one more thought... :)

        But...the ID number is a 128 bit value that changes every 10 minutes? With 1.5 million active cases right now in the US, that certainly would be a long broadcast...
        (1,500,000(624)*128)/8 = 3456000000 bytes per day. Three and a half gigs if I'm understanding this right....

        Sure, we aren't gonna get 100% market saturation, but we want as much as possible, right? And this might not be only for the USA? And we can't just broadcast today's numbers...you might have been infected two weeks ago and just now installed the update...so that count is going to be a bit larger than just the current active cases too. And the number of cases is still rising. So what, everyone downloads a couple gigs on their cellphone every night? I feel like that could be a problem for a lot of people...and sure, you can save the list and only download updates, but a couple gigs of storage space could also be a problem for a lot of people.

        But I guess it'll be alright...I'm sure if that's a problem then someone can figure out a way to do all of that processing in the cloud instead... :)


        • Anonymous Coward, 20 May 2020 @ 11:09pm

          Re: Re: Re: Verification?

          The download volume might be a problem where data caps exist, but the phone does not need to store that data, only compare it with its own much smaller list of contacts. Also, so long as a download timestamp is used, it need only download numbers added since its last download.

          The phone only stores those numbers it obtained in the last two weeks, or whatever time frame is decided on as relevant. The app also assumes social distancing, and going clubbing every night could cause a data storage problem, as well as helping the virus spread.


          • urza9814 (profile), 21 May 2020 @ 10:12am

            Re: Re: Re: Re: Verification?

            So...the phone doesn't need to store the data, and it can reduce the volume transmitted by...storing the data? You need either a few gigs transmitted or a few gigs stored, you can do one or the other and not both, but you need at least one. Probably you want to have ways of doing both, because neither option is going to work for everyone.

            I don't think it really matters if you're going clubbing every night. You need to transmit the IDs of everyone infected, not the IDs of people they were in contact with. Of course going clubbing every night might increase the transmission rate, but it's not directly increasing the number of IDs to be transmitted. Now, if you manage to isolate yourself pretty well, there's a possibility you can reduce the volume by not transmitting keys that you were using when nobody was around -- this assumes that the key exchange is an exchange rather than a broadcast though, if it's a broadcast you have no way of knowing who received it or when. And broadcast would seem to be more reliable. But if it is an exchange, you can distribute only the keys which were actually exchanged with someone. However...people who live with family or a spouse or roommates, or even some people who live alone in apartments and things, are going to be recording contacts all the time. And it's a random number, so your phone shouldn't have any way of knowing that this is the same contact over and over again. So for some reasonably large percentage of the people, I think you will have to broadcast nearly every single one of those codes, for every day that they might be contagious.


            • Anonymous Coward, 21 May 2020 @ 11:49am

              Re: Re: Re: Re: Re: Verification?

              "You need either a few gigs transmitted or a few gigs stored,"

              You store your contacts for the past two weeks, which should not be a vast amount of data. When somebody is confirmed infected, their store of contacts, for the past two weeks, is transmitted, and you compare those numbers to the ones you have stored, and if one matches, you are notified by your phone. Note you do not need to store the numbers that are transmitted because they are historic, and you only need to see each number once to make a comparison.

              A bit of time information allows the central database to know what numbers you have seen. A bit of time data for the time of the last number you have seen, and maybe geographic fencing, i.e. a US citizen only needs to check against European numbers if they have visited Europe in the preceding fortnight, and the volume of the download is reduced. As a practical matter, the time data can be treated as imprecise, and numbers repeated to you, rather than miss one due to time data jitter.

              The principle is that you need to see the numbers from an infected person once to make the comparison with your store of contacts, and it can be disposed of once the comparison has been made. You were either within six feet of them during the past fortnight, or you weren't, and that won't change after you have seen their numbers. Your phone only needs to store the numbers it is given for a fortnight on a rolling basis, presumably in a hash based store for fast lookup against transmitted numbers, and those numbers are kept for the full fortnight.


              • urza9814 (profile), 21 May 2020 @ 12:17pm

                Re: Re: Re: Re: Re: Re: Verification?

                Sure you could do geofencing or time boundaries or other methods to cut down that data...but it's not mentioned exactly what that would be and how it would work. You could also just upload the GPS coordinates of everywhere you've been. Those are all different systems than what is described above, which all sacrifice privacy and security for convenience. Can you get away with a bit of that without any real harm? Probably. But that's a different system, and we have no data on how that would be implemented.

                And I do need to see each number more than once to make a comparison, unless I'm telling the server exactly which numbers I've seen and when. If I don't store the data, then someone I met today might have been in last week's list, so I need the full two weeks of data every night. If I do store the data, then that's potentially a gig or two per day for two weeks that I've gotta store. Also, two weeks is an average. I've seen some doctors stating that the incubation period can in some cases be as long as a month. So we probably don't want to limit tracing efforts to only two weeks.

                Storing hashes might help a little, you can maybe reduce the memory requirements by half...but if you go much further than that I think you're going to start having collisions, so you'll have to start checking in with the server to see if those matches are actually valid, and once again you've started sending a bunch of data back to the server beyond the specifications given above.

                So the given plan is potentially infeasible for a lot of users, and there are no plans to address that, so nobody can say what kind of system we might end up with if they have to start hacking in solutions to these issues...but it won't be what they've described so far.


                • Anonymous Coward, 21 May 2020 @ 3:24pm

                  Re: Re: Re: Re: Re: Re: Re: Verification?

                  "And I do need to see each number more than once to make a comparison, unless I'm telling the server exactly which numbers I've seen and when."

                  No, you only need to see a number once, and compare it with your local list once, as it is either in that list and you are notified, or it is not in that list and will not appear in that list. Don't forget that the numbers being sent over Bluetooth are random and changing on something like a 10-minute interval. All the phone needs to store is those numbers you have received over Bluetooth, and for a period of a fortnight.

                  "Sure you could do geofencing or time boundaries or other methods to cut down that data..."

                  A time boundary is easy, just cut a little slack to ensure all data is received. And geofencing can be wide area, probably by country. Also note the time is the timestamp of the last time you downloaded the list, and bears no relation to when you were close to someone who was infected.

                  The system has been carefully designed to protect privacy, in that the only data given to the server is the list of numbers from the infected person, and those are raw, without time stamp, or location data. All a match does is tell you you were close to an infected person, but not when or where. The system specifically does not identify who the stored numbers belong to, or where they were collected, or who has matches to those numbers.

                  The system is specifically designed to tell the phone owner, or someone with access to the phone, that the phone was close to somebody who was infected. That is why some countries are rejecting the system: it does not identify contacts to the government, so could not be used to identify contacts, or be used, for instance, for finding out who you were near to during the past fortnight.

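The match-locally scheme this sub-thread argues over, as an added example (constructed for this page, not Apple/Google code): the phone keeps only the beacons it heard, for a rolling window; it fetches only entries published since its last cursor, with a little slack for jitter; and it compares each downloaded batch once without keeping it. The class names, the scenario and the 16-byte random beacons standing in for the 128-bit identifiers are assumptions made for illustration.

```python
import os

WINDOW_DAYS = 14
BEACON_BYTES = 16  # a 128-bit random value, as the article describes

class ContactStore:
    """What the phone keeps: beacons heard over Bluetooth, with the day heard."""
    def __init__(self, window_days=WINDOW_DAYS):
        self.window_days = window_days
        self.seen = {}  # beacon -> day first heard; dict gives O(1) membership tests

    def record(self, beacon, day):
        self.seen.setdefault(beacon, day)
        self.expire(day)

    def expire(self, today):
        cutoff = today - self.window_days  # drop anything older than the window
        self.seen = {b: d for b, d in self.seen.items() if d >= cutoff}

    def match(self, batch):
        """One pass over a downloaded batch; the batch itself is never stored."""
        return [b for b in batch if b in self.seen]

class DiagnosisServer:
    """Append-only list of beacons from diagnosed users; clients fetch deltas."""
    def __init__(self):
        self.entries = []

    def publish(self, beacons):
        self.entries.extend(beacons)

    def fetch_since(self, cursor, slack=0):
        start = max(0, cursor - slack)  # re-send a few entries to tolerate cursor jitter
        return self.entries[start:], len(self.entries)

def run_scenario():
    """Constructed scenario: Alice hears Bob on day 3; Bob is diagnosed on day 16."""
    alice, server = ContactStore(), DiagnosisServer()
    bob = [os.urandom(BEACON_BYTES) for _ in range(3)]  # Bob's rotating beacons
    alice.record(os.urandom(BEACON_BYTES), day=1)  # a stranger on day 1
    alice.record(bob[1], day=3)
    alice.record(os.urandom(BEACON_BYTES), day=16)  # day-1 contact now expires
    server.publish([os.urandom(BEACON_BYTES) for _ in range(5)])  # other cases
    batch, cursor = server.fetch_since(0)
    first = alice.match(batch)  # nothing matches yet
    server.publish(bob)  # Bob tests positive; only his beacons are published
    batch, cursor = server.fetch_since(cursor, slack=2)  # 3 new + 2 repeated
    return {"first": first, "second": alice.match(batch), "bob": bob,
            "stored": len(alice.seen), "cursor": cursor}
```

The real Exposure Notification API publishes one daily key per diagnosed user and derives the 10-minute identifiers from it on the phone, so the published list is far smaller than one entry per broadcast interval.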

  • Anonymous Coward, 20 May 2020 @ 9:27pm

    Privacy advocates are dreaming up ways the system could be abused. Anti-tech campaigners are decrying “tech solutionism.” None of these critiques stands up to scrutiny.

    The authors did not define "tech solutionism", so I can't be sure what precisely they're arguing against, but I can't help but notice the post lacks even the most basic statistical analysis. Saying "no shit, it won't magically solve the crisis" is just lazy, casting aspersions on detractors based on nothing—nobody said Apple and Google were claiming a magic solution.

    This seems like talking heads arguing back and forth. For a bunch of academics, I'd have expected better from Soltani et al. too. Where are the numbers and the simulations that would estimate how much safer this could make someone, how many lives it could save, given various levels of penetration and compliance?

    Of course the public will base their opinions of this on their perceptions of the companies. They don't have the expertise to analyze the code and protocols or run the statistics, and nobody seems to be giving them any real information—just "trust us, you're overreacting" or "maybe it could help". And they've seen how "trust us, it's anonymous" often goes with tech companies.


  • sehlat (profile), 20 May 2020 @ 11:12pm

    Dr. Ryan's Video Doesn't Work

    I've tried both Firefox and Chrome and all I get in the video the "viral video" link provides is an endless circle. However, I was able to find it on YouTube:

    https://www.youtube.com/watch?v=GJwaeynSkFY


  • 127.0.0.1 (profile), 21 May 2020 @ 4:17am

    I can't fathom the six foot rule.


  • Anonymous Coward, 21 May 2020 @ 4:56am

    "No sensitive data ever leaves the phone without the user’s express permission"

    Google can't give any such guarantee. Even if the API itself is secure, it feeds into a third-party app with internet access that can send out anything the developers want it to.


  • Anonymous Coward, 21 May 2020 @ 5:35am

    What if I lie? Can I shut down my competitors by hiring somebody to walk past all their employees and then claim to be infected?


  • Jesse, 21 May 2020 @ 9:40am

    An iota of privacy

    Re: “We should not be paralyzed by the fear that somewhere someone might lose an iota of privacy.” Ben Franklin argued, “Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.”


  • ECA (profile), 21 May 2020 @ 12:15pm

    Voluntary..or not?

    Does it test you??
    nope.
    Can it do anything if you turn it off or erase it, NOPE.
    Who will use it? Paranoid persons with problems about Virus and dirt..
    So you run around with an open BT channel that scans looking to hook up with other SIMILAR programs running, so it bypasses our BT and probably Wifi, to check or warn others, that we have or Don't have a virus.

    LOGS that data and sends it the next time we are near our Own wifi, or send it via cellphone to the same location.

    How many of you have figured out What causes your phone to BLEEEEDD power? While out doing things it's nice to Cut the wifi off, Turn off the GPS, and turn down the Brightness on the phone, so that you can get 1-3 days of use on the phone.. And if you use it for Video, you know you have taken off at least 4-10 times the amount of time used to watch the video.


  • Covid per Capitas, 21 May 2020 @ 3:06pm

    I can imagine the phone scams we will soon be subjected to.

    Hello, (insert name here)
    Were you at Joe's Bar & Grill last weekend? Well if you were .......


  • @b, 23 May 2020 @ 4:50am

    Pseudoscience 101

    1. Pretend it works
    2. Side effects were listed, before downloads began
    3. When a phone app gets an update, it's now a different app
    4. The users are not in a position to use such a tool properly
    5. Governments aren't trusted to resist coercing user adoption
    6. None of the players here are trustworthy at any step.


