This is silly. There’s a clearly demonstrable reason why Germany switched tack, and why the UK should too. All of this contact tracing can be done in a privacy preserving way. However, the NHSX development of these tools is led by such industry partners as Palantir... We aren’t going to see much regard for privacy from them.
Edit: Google and Apple need to get their act together though, and just provide a contact tracing framework as part of the OS that is compatible, and can have data housed in each country where they see fit. It should be optional for people, but it should be part of the OS, and it should just be presented to the countries as ready to go with just a little bit of integration. That way we can force everyone to respect user privacy and not do sketchy contact tracing apps.
>Google and Apple need to get their act together though, and just provide a contact tracing framework as part of the OS that is compatible, and can have data housed in each country where they see fit.
No. They already have their act together by providing only an API that cannot be abused by authoritarian regimes to do whatever, and keep stupid/badly advised politicians such as my own German government at bay. I hope they keep that line.
The reason Germany switched the approach finally was the public pressure by a) having Google/Apple stay course and b) the German public - learning from journalists and other experts - that there in fact was a less privacy-invasive approach that according to many if not most epidemiologists wasn't any worse either for tracking the pandemic.
I will never touch / install contact tracing if it can be backdoored into global surveillance. Apple has built a reputation for at least trying to preserve some user privacy. Their current proposal keeps it simple, your privacy is preserved and benefits for exposure notification (FAR beyond current horrendous govt efforts in terms of speed of notification etc) are there.
They need to get their act together, and ignore folks trying to backdoor their systems.
It should be noted that your privacy is not preserved if you test positive and need to upload your Daily Tracing Keys to a server. Your broadcast IDs for an entire day can be linked together, making it easier to de-anonymize you. I understand that they use Daily Tracing Keys to reduce the demand of the backend server, but I think it would be better for user privacy if they either reduced the linkable period from a day to say an hour, or used an unlinkable design.
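The linkability point above, worked through as an added example (this is not code from the Apple/Google specification or from any app): a simplified model of the v1.0 key schedule in which one 16-byte daily key derives all 144 ten-minute identifiers of a day, compared with a constructed variant that rotates keys hourly. The HMAC label, the byte layout and the observer's log of sightings are assumptions of the example, not spec values.

```python
"""What a passive observer can link once a daily key is published.

Model (assumption, simplified from the v1.0 design): an identifier for
interval i is HMAC-SHA256(period_key, "CT-RPI" || i) truncated to 16 bytes.
"""
import hashlib
import hmac

RPI_LEN = 16                      # bytes per broadcast identifier
INTERVAL_MIN = 10                 # one identifier per 10-minute interval
PER_HOUR = 60 // INTERVAL_MIN     # 6 intervals per hour
PER_DAY = 24 * PER_HOUR           # 144 intervals per day

# Constructed keys for the demonstration (a real device draws these at random).
DAILY_KEY = bytes(range(16))
HOUR_KEYS = [hashlib.sha256(b"hour-key-" + bytes([h])).digest()[:16] for h in range(24)]

# Constructed observer log: interval index -> place where the device was heard.
# 48 = 08:00, 60 = 10:00, 78 = 13:00, 120 = 20:00.
SIGHTINGS = {48: "station", 60: "office", 78: "clinic", 120: "home"}


def derive_rpi(period_key, interval):
    """Broadcast identifier for one interval under a given period key."""
    info = b"CT-RPI" + interval.to_bytes(4, "little")
    return hmac.new(period_key, info, hashlib.sha256).digest()[:RPI_LEN]


def observer_log(rpis_by_interval, sightings):
    """The observer only ever stores (identifier, place); it never sees keys."""
    return [(rpis_by_interval[i], place) for i, place in sightings.items()]


def link(log, key, intervals):
    """Given a published key, regenerate its identifiers and pull every matching
    sighting out of the log. Returns sorted (interval, place) pairs."""
    known = {derive_rpi(key, i): i for i in intervals}
    return sorted((known[rpi], place) for rpi, place in log if rpi in known)


def daily_scheme():
    """One key per day: publishing it links every sighting of that day."""
    rpis = {i: derive_rpi(DAILY_KEY, i) for i in range(PER_DAY)}
    log = observer_log(rpis, SIGHTINGS)
    return link(log, DAILY_KEY, range(PER_DAY))


def hourly_scheme(withhold_hours):
    """Constructed alternative: one key per hour, and the user may withhold
    individual hours. Only the published hours become linkable."""
    rpis = {i: derive_rpi(HOUR_KEYS[i // PER_HOUR], i) for i in range(PER_DAY)}
    log = observer_log(rpis, SIGHTINGS)
    linked = []
    for h, key in enumerate(HOUR_KEYS):
        if h in withhold_hours:
            continue
        linked += link(log, key, range(h * PER_HOUR, (h + 1) * PER_HOUR))
    return sorted(linked)


if __name__ == "__main__":
    print("daily key published :", daily_scheme())
    print("hourly, hour 13 kept:", hourly_scheme({13}))
```

With the daily key published, the observer recovers all four sightings including the clinic visit at 13:00; with hourly keys and hour 13 withheld, the commute, office and home sightings are still shared for exposure notification while the clinic interval stays unlinkable. The cost is that the user uploads 24 keys instead of one, and the server stores and distributes proportionally more.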
In case you test positive, and we actually have the resources to trace your contacts, your privacy will be gone in today's system for sure.
As you'll have to provide information about your recent contacts to the authorities performing the contact tracing. At least that's how I understand our local law (Germany).
So I don't think it's necessarily worse doing it with an App than doing it the old fashioned way. Sure digital traces are always easier to abuse, but then on the other hand, because things get automated, actually fewer people might get access to your data. Which would be a privacy win.
I believe what's even more important than how we design the app, is how we design the legal framework around it. We do need rock solid laws, having enforceable data retention periods, and that limit access to the bare minimum needed.
Unfortunately, our track record for the design of such laws has not been too good over the last years.
I'm not sure if you intended that to be positive (ie tracing might be more complete in some cases) or negative (ie concerns about not wanting to reveal certain data). I'm going to go ahead and respond to the negative interpretation in case any future readers interpret it that way.
This is true, but I think a DP-3T like protocol (ex the Apple-Google spec) doesn't actually pose much risk here. The hypothetical drug dealer or other illicit contact can receive a notification that they were potentially exposed to someone that was infected, but in general no one else (a police officer, a spouse, etc) will be able to determine who was in contact with who.
In order to link someone to a particular location, you would need to observe their broadcast identifier while they were there and also link their diagnosis key back to them (this is likely to be quite difficult for most actors to accomplish).
In order to reveal a contact between two people, you would either need to do the above for both of them or to observe at least one of them at that location and time in some other manner.
I’m sure the protocol is fully privacy preserving, now. But if we give an inch, the government will take a mile. This is about normalizing self-surveillance and isolating ourselves in response to notifications on our phone. Sure, the tech is privacy-preserving now. But who’s to say an emphasis will remain on privacy in future iterations of the technology?
Personally, I will not opt-in to this technology, and if forced to use it, I will leave my phone at home. It’s a small act of civil disobedience but it’s a necessary one IMO.
It’s alarming to me how so many in tech seem welcoming of, even excited for, this technology. I say this as someone who wrote my senior thesis on a subject related to privacy enhancing technology, so I’m familiar with the ideas.
> It’s alarming to me how so many in tech seem welcoming of, even excited for, this technology.
It gets contact tracing right by accomplishing the goal while yielding almost no ground on privacy and remaining almost entirely offline. In an ideal world, all new technologies would be implemented in such a focused manner without regard for turning a profit.
I'm puzzled by your concern about normalization of self-surveillance; everyone I know has already voluntarily made drastic alterations to their behaviors due to current circumstances. I really don't see what introduction of this technology changes.
> who’s to say an emphasis will remain on privacy in future iterations of the technology?
If people don't object to widespread state surveillance later, would they have objected now? I don't see why a decentralized technology specifically built to prevent surveillance should lead to an increase in acceptance of it.
The difference is that the old system relied on human memory which is fallible, not to mention you can omit details which would lead to further trouble (infidelities for one). In this system the only control a user has is to turn off bluetooth, or leave their phone at home if Apple/Google override the users ability to turn this off.
The protocol states that it will upload the Diagnosis Keys, a set of Daily Tracing Keys relevant to your exposure. So in short, if this is the case it forces the user to either upload all their keys or none.
I would like to note that a v1.1 has recently been released, my information is about v1.0.
The specification (at least v1.1) contains nothing about uploading keys. The API appears to provide only the minimum required for protocol implementation.
The ENSelfExposureInfoRequest class can be used by an app to obtain diagnosis keys for the previous 14 days. What an app does with those keys is up to whoever implements it.
Under what circumstances do you think it would be okay for an infected person to hide their contacts? Surely you’re not valuing your marriage over the lives that will be lost in the resulting spread?
If a user is in close confinement with someone they fear will lash out at them if they test positive, for one. Off the top of my head, let's say you take an Uber home and the driver now has your home address, you don't know if they will try and attack you.
This is an example off the top of my head, as other comments in this thread have explained, violence against people who have the virus is happening around the world and is something that must be accounted for in these protocols.
If you have a Bluetooth receiver logging the different IDs you've come in proximity with and when, it's easy to deduce who the positive user is by who you were in proximity of at that time.
Well, let's keep in mind it is decentralised, so only people who have been in contact with you can correlate it with your location at a given time in the past. Not the whole world nor a central authority.
And even if someone goes to that extent to track your identity down, I am not sure that local de-anonymisation is a problem. This is not something like HIV. I don't think there is any social stigma to catching the coronavirus. If you catch it you should self-isolate, and it will be obvious to the people around you that you got it. And if you don't want to self-isolate and want to hide it, what is the point to self declare that you got contaminated on the app in the first place?
> I don't think there is any social stigma to catching the coronavirus.
"In Mexico, Colombia, India, the Philippines, Australia and other countries, people terrified by the highly infectious virus are lashing out at medical professionals — kicking them off buses, evicting them from apartments, even dousing them with water mixed with chlorine."
...and these are cases where the victims don't even have the virus.
Disease has always carried stigma. We tend to lash out at things we don't understand. History has seen everything from leper colonies to menstruating women herded into tents.
You or I may be able to rationalize it and say "well, shit, the test was positive-- time to self-isolate" but plenty of plebes will use it as cause to incite a witch hunt, especially if a loved one dies from it and transmission is attributable to you.
OK, that's a fair point, but it would take someone uneducated that believes in the stigma to also be a tech wiz to collect and correlate the data. Presumably the app won't tell you when and where the contact happened (and if so, no implementation of contact tracing is anonymous since the app won't know that you were in a busy bus full of strangers or in a small office with a single colleague).
> it would take someone uneducated that believes in the stigma to also be a tech wiz to collect and correlate the data
Not quite. It takes a wiz to collect and correlate the data, yes. What happens to that data after that? For it to be useful, it's going to get stored somewhere. All it takes is an uneducated clerk or bored intern with access to go snooping around the de-anonymized data to compromise anybody implicated.
And this does happen routinely.
* Facebook, Uber and Google have all had problems with plebes (and tech wizzes!) with god-tier access doing inappropriate things with sensitive data.
* Bored data entry clerks with access to the credit reporting database routinely snoop on neighbors', exes' and celebrities' credit reports in spite of federal law.
* Revenge porn is such a thing that rule 34(a) ought to be that if you produce nudes, your confidant or Geek Squad/iRepair technician will post them on the internet.
* Look at how often people get doxxed by employees leaking customer PII onto reddit and 4chan, then look at how fast the mob descends on people innocent of any actual wrongdoing.
* We've seen a secretary get her hands on the Pepsi formula and try to sell it to Coca-Cola.
* The people living in the geographic center of America continue to receive death threats and harassment because of a flaw in outdated MaxMind databases that attributes ungeolocatable IPs to their location.
* There are people who refuse to participate in the census because of what certain cults of personality have done with such data.
Any chain of confidentiality is only as strong as its weakest link. You presume far too much intelligence and rationality on the part of humanity. Never forget that half of Americans wanted a belligerent narcissist to be "leader of the free world," and he still has supporters despite publicly recommending anti-parasitics and Lysol douches as solutions for a global viral pandemic.
Sensitive data is not created and left to decay in an underground bunker in Yuma. Despite its practical uses, at some level it will be exposed to individuals who lack discretion and will be exploited to malevolent ends.
Not once in human history has it worked out any other way!
It's a bit more complicated than that. What's being suggested here is that it would be possible for a bad actor to observe all Bluetooth activity over a large area. They could then use a diagnosis key to reconstruct someone's path through this monitored area, and then deanonymize that person by combining their path with other data sources. Later, an uneducated and hostile individual might somehow gain access to this deanonymized data and abuse it.
Couldn't they do that for anyone with bluetooth on, whether or not they're using the app? I get that knowing they have Coronavirus might make them a bigger target, though
If you enable the framework but never test positive (and thus never publish any of your keys), it's no different than if you had just kept Bluetooth on all the time.
If you enable the framework, later test positive, and choose to publish your diagnosis keys, each key can be used to link all your rolling identifiers together for the corresponding time period (nominally 24 hours). Contrast this with a randomizing Bluetooth implementation, which never intentionally reveals anything that would allow the different MAC addresses to be linked.
Of course, Bluetooth MAC address randomization itself is trivial to defeat for a reasonably capable and motivated adversary. If they can plant a bunch of radios for the purpose of tracking you, why can't they also use cameras?
That would work if there's just 1 person who is crossing the path, and you're able to physically identify them. If it's a crowd of people, you won't know who was what device unless their device is immediately next to the evil antenna. This isn't very realistic in practice, and is very unlikely to become common place world-wide. However, the virus IS already world-wide, and is a giant threat to many.
> If it's a crowd of people, you won't know who was what device unless their device is immediately next to the evil antenna.
Actually that's not true for the situation I described.
The bad actor would be able to connect any of your broadcast identifiers they observed back to each other via the diagnosis key that you published. Assuming they have a number of nodes monitoring Bluetooth traffic over a broad area that you passed through, they will be able to reconstruct the path you traveled over time.
For a naive implementation, the resolution of this reconstruction would depend on the spacing of the nodes. For a more advanced implementation, other data could be integrated to drastically improve it. Remember, your Bluetooth device is a broadcasting radio at the end of the day.
As to the likelihood of such things becoming commonplace worldwide, do bear in mind that many devices now periodically randomize their Bluetooth MAC addresses due to real world examples of tracking. Thankfully in this case it would only be possible to compromise the privacy of those who tested positive, and only within a single 24 hour period (ie the daily tracing key rotation time frame) at that.
Yes, I agree this is true if someone was to go to extreme efforts. It seems to me personally quite unlikely, especially since the governments are already the ones who distribute the apps, and at least it seems in the initial implementation, are the ones who confirm your status.
I'm much more concerned about reducing COVID-19 to save millions of lives.
People who are educated tech wizards can also have the same stigma. There are many factors at play in places that have more diversity and existing problems between communities (like race, religion, class, etc.). Hopefully, like you said, the app won’t tell you when and where the contact happened. But we still need to make sure that we have as much privacy protection as possible while making this useful.
> I don't think there is any social stigma to catching the coronavirus.
Sadly, this is not true in India. Infected people have been threatened by their neighbors and friends with death. Infected people have also been harmed. Doctors, nurses and healthcare workers who have been caring for COVID-19 patients have been evicted from their houses or physically harmed (the latter forced the government to bring an emergency law providing for stringent punishment for those who attack healthcare workers).
I’m guessing that there will be a social stigma depending on the culture as well as other factors like the mortality rate (if your area has a higher mortality rate, then you’d likely hate infected people and take matters into your own hands).
Humans can very quickly develop irrational fears and react on that.
So there is a huge need to preserve the privacy of those infected.
So all of the tokens are being put on a central server. Today, governments use WiFi and Bluetooth to track traffic. It is not far fetched to see that your commute from point A to B could be tracked using Bluetooth receivers in transit stations.
This technology is currently being used to track people today. The use of Bluetooth address randomization does not do a sufficient job to prevent this, the only option is to not use Bluetooth.
It is important that people are aware of these risks. I am fortunate to live in a place where I can live my life without scrutiny from the government, but not all are afforded such a luxury.
Even if they do that, they can only track the people who self report as contaminated for the period during which the self reporting applies (i.e. n days before testing positive). Not before, not after.
But I just can't think of a system that achieves contact tracing while no one having any idea of the whereabouts of a person who self declares as contaminated. At one point the person who self declares has to volunteer to disclose some information.
I think it's important to give the power to the people by allowing them to omit tokens from sensitive time points. In the current protocol, that means losing a whole day's worth of contacts. If you reduce the period to an hour, you still allow people to share the contacts made on their commute or their lunch break without divulging or tracing them back to more sensitive time periods they don't want to be traced back to.
That’s one side of the ethical question, but what about the other side, what about the people who have been in contact during the period where the infected person would rather not have its location disclosed?
And it is a bit theoretical, as the authorities who have the capability to track your Bluetooth across the city have many other ways to track you (starting by calling your phone service).
What I object here with the NHS is the creation of one more tracking database with the explicit intention to let some researcher roam through it to find something interesting.
I appreciate you looking at the other side. To explain my viewpoint, in this system it seems like all of the risk is put on the infected party who reports themselves. By decreasing the level of control they have, I believe you will see a decrease in the number of adoptions. It is valid to think about the non-infected user wanting to have this information, but today they don't even have this information so to even know they were exposed on their commute is above and beyond what is in place today.
I guess my original comment is a bit vague. When I look at these protocols I am interested in how large scale adversaries (Nation State) would use this technology, but also small scale adversaries (day-to-day person you are not friendly with). I think it's also important to note as others have, that being outed as having the virus does put people at risk of violence in some places.
Telling people when they've been exposed is not a kindness we might extend from the goodness of our hearts when convenient. It's something we must get right, every time, or the conditions that require lockdown today persist until vaccination. We cannot afford people out and about making untraceable contacts three weeks from now, any more than we could three weeks ago.
Every person is a danger to society until this is over. Release is out of the question. The choices here are continued incarceration, or parole.
I can sort of imagine a libertarian solution here, with truth in labeling: as long as I can tell before I get within six feet of you whether you share a connected component with any conscientious objectors, then I can make my own decision about risk. But I cannot imagine that many public places would permit entry to such people.
> I don't think there is any social stigma to catching the coronavirus.
Maybe not. But there is definitely a social stigma about certain activities, like meeting your drug dealer or cheating on your spouse, which would be revealed through automated contact tracing.
And to the authorities, who then promise to not violate that promise.
Except they refuse to be limited by cryptographic means to that.
Why? Because they demand the ability to change their promise in the future ... exact details to be specified. Perhaps “solving drugs” with contact tracing. At which point they have your data, you have zero control, and “your honour we can prove he lied: he was close to that drug dealer 5 times. Further details (such as that this happened in the train station and 5000 other people were also close) cannot be confirmed because that would violate privacy”.
This is the government that got caught letting police officers stalk their ex for 2+ years and then initially arrested the victim for more than 2 weeks when caught. Let’s not pretend they’re above doing this, especially since it’s become increasingly clear this contact tracing is the police’s wet dream.
This is almost never actually the case. Your daily keys are random, so the only way to know it's you is for someone to monitor bluetooth devices near by, and associate those keys with a physical identity... which becomes very difficult unless there's only one other person you come into contact with. In practice, it provides about the best anonymity you could ask for.
Valid point. DP3T (in one configuration) addresses this and lets you filter out certain parts that you do not wish to disclose. Thus, this then requires you to upload all broadcast identities used in the relevant timeframe, but because of space-related issues is then "compressed" using a Cuckoo-Filter. This, however, yields false-positives. To eliminate those to a manageable amount, it further requires more space.
So, this has a tradeoff.
Personally I don't think that linking multiple IDs in a day is a big intrusion of your privacy (and remember, it's only disclosed to anyone for the timeframe that is epidemiologically relevant) - full de-anonymization still requires some second channel, such as cameras or the like - which can be linked together without those Broadcast IDs anyways.
The thing with Bloom/Cuckoo filters is that you can play around with the parameters and, for example, provide a set of filters for a day in such a way that the app users can do a binary search.
It never provides a false negative so all positives can download their set-up filters until they're satisfied.
The filter that DP3T are describing isn't that much bigger than the DTK set anyway.
The unlinked DP-3T is one extreme, there is a happy medium if developers don't want to use Cuckoo Filters or Bloom Filters due to false positives, which is to decrease the linkable period. If the period was an hour, people could freely share legitimate tokens for their commute, but hide the ones where they had an hour long 1-1 with their manager.
It's hard to test positive given the extremely limited supply of tests and all the effort you'd have to go through to get tested. I really can't imagine anybody willingly testing -more so with new invasive tracking- unless they are really ill and in need of medical attention.
The issue is, if you're putting the risk on infected users, what is the benefit to them to release their tokens? They are already at risk, this just makes them bigger targets.
The recorded broadcast IDs can be linked together, but only if they are somehow gathered from all of the devices that have been near you. As far as I can tell, the spec doesn't include recorded broadcast IDs ever leaving the device.
> Google and Apple need to get their act together though, and just provide a contact tracing framework as part of the OS that is compatible, and can have data housed in each country where they see fit. It should be optional for people, but it should be part of the OS, and it should just be presented to the countries as ready to go with just a little bit of integration. That way we can force everyone to respect user privacy and not do sketchy contact tracing apps.
I think that's a terrible idea. Think about how somebody can mark themselves as being infected. Normally you'd want this to be authorized by a doctor or similar, or maybe just by reporting symptoms if the situation is dire.
Google and Apple rightfully did not want to be involved with these decisions, they just want to provide a way to detect contacts via bluetooth while still mandating preservation of their users privacy.
Parent said a framework. Technically, the framework could be designed in such a way that they whitelist apps or agencies that can do that. Or you’d be given a code to authenticate the results and so on.
Sure, but look at how much governments resent the current limitations already. If they started mandating how doctors authenticate against the app and other processes that are wildly different between countries, they might end up with no countries using their framework.
My advice to the NHS developers would be: don’t let perfect be the enemy of good.
The effectiveness of a contact tracing app scales with adoption. A sketchy, battery-draining implementation with questionable privacy may not see widespread adoption.
>can have data housed in each country where they see fit
Hadn't thought of this until you mentioned it, but having it only work within a country could significantly hinder the ability to trace imported cases (ie, cases from travelers).
If the data is housed in country-of-citizenship, then travelers would not notify people they contact while abroad.
If the data is housed in country-of-current-location, then people who test positive while abroad might not notify people in their home country whom they contacted before leaving. There might also be failure cases when they return home, but those could probably be solved with careful implementation.
Regardless, this seems like a case where a single international, globally-accessible registry is useful. And therefore privacy becomes a very important concern.
Residents of a country where they are not a citizen, like me (American living in Germany). A year from now, I might decide to visit my home country, and even be allowed back in, and if I stood in the customs line in Amsterdam near a Frenchman who hung out with someone in Montreal who turned up positive, it would be in everyone's interest for me to know I was exposed.
Even traveling between Munich and Nuremberg, a one hour trip, I might be on a train near an Austrian who saw no reason to leave Munich during all this heading up to Berlin to finish a consulting contract, but a week ago had been in a meeting with a German who turned up positive. Our Austrian consultant would have been allowed to stay this past "shelter-in-place" month if she had a lease on an apartment and had registered it as her primary residence - no residence permit required, as she's an EU citizen. Again, it would be in everyone's interest for the three of us (and everyone we had much time around) to know about when the exposure took place and that we might need to self-quarantine/be tested.
Fair point right now, but that's not going to be the case forever. And once things start to open up again and cases are less common, this kind of contact tracing will become even more important to track down new outbreaks.
Note that DP-3T and PEPP-PT are both privacy "preserving" protocols. They make different trade-offs between threat models and ultimate levels of privacy, but these are both vast improvements over the pervasive centralised geolocation data collection used in China and South Korea.
I think DP-3T is the better choice, and Germany has clearly come to that decision as well (helped, no doubt, by the fact that this is the protocol that will receive API support) but I think it is reasonable to come to the conclusion that PEPP-PT is better.
Depends from who you want to be kept private. I've a hard time describing PEPP-PT "privacy preserving" the same way as DP-3T, especially as far as the central server is concerned and the blind trust I must put in it, but I admit this is still better than China like solutions. As for the trade-offs concerning privacy, it is true that DP-3T is not perfectly more private than PEPP-PT from a theoretical point of view (and nor the inverse), but this concern seems weird from a practical point of view and I have a hard time figuring out practical attacks doable against the public with DP-3T but not with PEPP-PT that would not be the sign of far worse problems...
> Google and Apple need to get their act together though, and just provide a contact tracing framework as part of the OS that is compatible, and can have data housed in each country where they see fit.
Absolutely not. That has way too much temptation for any government to utterly abuse. Simply creating it is opening a pandora's box and should not be done.
Apparently you just need to trust GCHQ, who advised them. There isn't another agency privacy minded people would rather trust (apart perhaps its US and Chinese equivalents).
>All of this contact tracing can be done in a privacy preserving way.
Explain how having every person you're in contact with being tracked by governments and corporations can be done in a 'privacy preserving way'. The very concept of contact tracing is probably the greatest violation of privacy I've seen proposed yet.
Read the spec, but in a nutshell you only report your tokens if you test positive. Then other people check to see if they have seen any reported tokens using a clever algorithm that doesn't involve them reporting all the tokens they have seen.
The central authority just has a list of tokens from infected people. A corrupt central authority could also massively deploy token recorders across an area and then see when and where the infected people were seen, but governments already have that capability just from the cellular systems.
Simple. The system doesn't track every person you're in contact with.
A simple method is to have phones directly exchange random numbers over bluetooth. If and only if someone tests positive, they publish their phone's recent random number transmissions. All phones download all published random numbers (just random numbers, no personal info) and see whether they've received any of them via bluetooth.
This way the phone knows whether it's been in contact with someone who tested positive, but nobody else knows. Since the user has a strong incentive to get a covid test at that point, that's fine.
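The matching step described in this post, together with the filter trade-off raised further up the thread (upload all identifiers, ship a compressed filter, accept some false positives but never a false negative), as an added example that is not code from DP-3T, the Apple/Google framework or any app. Tokens are constructed 16-byte random strings, the filter is a textbook Bloom filter built on SHA-256, and the sizes and counts are assumptions chosen for the demonstration.

```python
"""Decentralised matching of published tokens, exact versus Bloom-filtered.

Constructed scenario: 200 tokens have been published by people who reported
positive; this phone heard 5 of them plus 2000 tokens that were never published.
"""
import hashlib
import random


def make_tokens(rng, n):
    """Constructed stand-in for broadcast identifiers: 16 random bytes each."""
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n)]


class BloomFilter:
    """Minimal Bloom filter: m bits, k hash positions per item, no deletions."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # k independent positions from SHA-256 with a one-byte hash index prefix
        for j in range(self.k):
            digest = hashlib.sha256(bytes([j]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self):
        return len(self.bits)


def exact_match(published, seen):
    """Plain scheme: download every published token and intersect locally."""
    pub = set(published)
    return sorted(t for t in seen if t in pub)


def filter_match(published, seen, m_bits, k_hashes):
    """Compressed scheme: the server ships a Bloom filter of published tokens
    and the phone tests each token it has heard. Returns (hits, filter bytes)."""
    bf = BloomFilter(m_bits, k_hashes)
    for t in published:
        bf.add(t)
    return [t for t in seen if t in bf], bf.size_bytes()


def run_scenario(seed=7, m_bits=512, k_hashes=3):
    """Compare exact and filtered matching on the constructed data set."""
    rng = random.Random(seed)
    published = make_tokens(rng, 200)        # tokens of users who reported positive
    true_contacts = published[:5]            # this phone genuinely heard these five
    strangers = make_tokens(rng, 2000)       # heard but never published
    seen = true_contacts + strangers
    pub = set(published)

    exact = exact_match(published, seen)
    hits, filter_bytes = filter_match(published, seen, m_bits, k_hashes)
    return {
        "exact": len(exact),
        "hits": len(hits),
        "false_negatives": sum(1 for t in true_contacts if t not in hits),
        "false_positives": sum(1 for t in hits if t not in pub),
        "filter_bytes": filter_bytes,
        "list_bytes": 16 * len(published),   # size of the uncompressed download
    }


if __name__ == "__main__":
    for m in (512, 8192):
        print(m, "bits:", run_scenario(m_bits=m))
```

The exact scheme finds the five real contacts and nothing else, at the cost of downloading every published token. A 512-bit filter is a fraction of that size but flags hundreds of the stranger tokens; an 8192-bit filter brings the false positives down to a handful while still being smaller than the plain list. In neither case is a real contact missed, which is the property the thread relies on: a phone that sees no hit can trust that answer, and a phone that sees hits can fetch a larger filter or the plain list to confirm.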
It's totally possible to create an anonymous and decentralised contact tracing app that does not share private data. That is what Apple-Google are working on, and what projects such as DP-3T, or my hobby contact tracing app [1] are trying to achieve.
The point is to get a list of close contacts, if needed (someone has tested positive), for a limited period of time (until the epidemic has ended).
The privacy issue is minimal, certainly compared to the situation we are in.
Do you really think that the government will go over these data to find out that you tend to have close contacts with your neighbour's wife very often? Let's keep a sense of proportion and let's calm down. This is getting very irrational.
Anyway, since they do not seem to be willing to make contact tracing mandatory, these apps will remain a curiosity until this is over. Then historians will be able to debate whether this was all a distraction or a costly lack of political courage.
This is insane. Why would they risk people not adopting the app due to privacy concerns while it's only effective if a majority of the population uses it?
What's the benefit if they can gather better stats with a central approach if it doesn't work because a lot of people aren't installing the app?
Of all the western world, the population of the UK seems to me the least concerned about privacy.
Given the ubiquity of (and willingness to leverage) the UK's camera and social-media surveillance across all levels of law enforcement in the country, I've come under the impression that they've collectively decided that they'll tolerate just about anything in exchange for an orderly and secure society.
Mandatory app installation really doesn't seem out of the question.
> Of all the western world, the population of the UK seems to me the least concerned about privacy.
We have a strangely inconsistent pattern on this issue. Up to a point, people here seem willing to trust the government and the police and security services, and therefore to tolerate more intrusion than in many places. On the other hand, if you go too far, you get a situation like No2ID, and any hope the government has of introducing anything even vaguely resembling a sufficiently controversial measure dies for a generation (or probably more, since our younger generations are, as in most places, much more tech savvy and aware of these issues).
Given that people here are already somewhat sceptical of the government's handling of the coronavirus situation in general and of the lockdown measures specifically, but for now people are mostly following the guidance anyway, rocking that boat is probably not a wise move politically.
Not British, but from what I read, don't the British people trust the NHS even more than government and police, and so any pushback against an NHS recommended app or approach might be minor.
The NHS is generally very well-respected, but it's important to remember that "the NHS" is really a large collection of distinct organisations and a huge number of people working within them, and to some extent the shared culture within that community. The professional ethics of those working in the NHS are generally respected, but that mostly refers to clinical staff and to some extent support staff. The management and bean-counters are not necessarily accorded the same trust and respect, nor should they be on the basis of past performance. The NHS has done some shady things with sensitive personal data on their watch, and we absolutely should be cautious of any cavalier attitude towards privacy if the NHS leadership and their political masters try to push out this sort of contact tracing app.
FWIW, I wouldn't install such an app if I didn't consider it to have sufficient safeguards, but then I'm a strong advocate of privacy and civil liberties who is also willing to give up various other "normal" parts of life to avoid compromising those principles in ways that make me uncomfortable. What should concern the powers that be in this case isn't me, but rather the number of my friends and family who typically do tolerate more intrusion into their privacy (for example, being willing to share a lot of personal information on major social networks) but have expressed concern about this app.
I think it's actually that of all the western world, Americans are the most obsessed about government conspiracies.
Which is so weird because despite all this rugged "fight for your rights", Americans have some of the weakest labour and health rights. But I guess you do have the right to say you have very weak rights!
I'd wager that the UK is a little more extreme than most European nations with respect to privacy, at least as described by German and Dutch friends of mine.
I believe that the American conception of rights is quite distinct from the European one. In the US, the rights outlined in the constitution are independent of the state, which was engineered as their guarantor. These rights restrain the state, and ought ostensibly to be universally applied, but offer no guarantee of service beyond the securement of those rights, and provision for the common defense.
Conversely, European rights seem to be hard-earned privileges or guarantees on quality of life that have been extended to the people by the state. These rights can directly impose duties on either the state, or certain members of the population (i.e. employers).
Functionally, they're pretty similar day to day. European-style rights benefit from flexibility, but are also much more likely to be subject to provisions or restrictions such as laws around speech, in part because they're closer to a negotiable agreement between the people and their government, as opposed to some inviolate universal law which requires extreme measures to actually amend.
Europeans generally seem to have a higher quality of life, and are afforded better care and services by more broadly competent governments.
They have superior labor protections. I wish we had some of them. I'm not convinced they have more rights, as I would define them.
The US also has a weird dichotomy between rights against the state, which are plentiful (i.e. Bill of Rights) and broadly stronger than anywhere else in the world, and a lack of rights against other citizens or corporations, where they are weaker than the rest of the West.
So you get obnoxious Home-Owner Association rules when you buy a house, you get unions (your right to freely associate and organise with others) curtailed and destroyed, you get no meaningful privacy protection against scummy companies vacuuming up data (e.g. Equifax)
That's true. The US has a lot to work on, and there are trade-offs to be made before we achieve a proper balance. I'm personally quite happy to be in America, and it would take a lot to get me to consider living in a more paternalistic European society, even if it left me better off. Others wouldn't make that exchange, because they have little use for the more absolute liberties we have stateside.
Europeans have the right to free speech, to protest, to assemble (covid excepted), etc.
What they don't have is an army of low paid people, who have no choice but to deliver services cheaply to those who can afford it. I suspect many in America like this part of "capitalism".
-----
reply to effie below as I've talked about something that the HN police don't like and have the fake "you're submitting too fast".
-----
It's a reasonable point, but as you say they have some protections, and this enables them to refuse low pay and bad working conditions, up to a point.
Also although all human life has great value, we are comparing immigrants (and agreeing they have better protection) to citizens in the USA, who have weaker protection.
Actually we have those! Cheap migrant workers from eastern Europe make lots of things move here but their choices are limited. We have protections for them at least on paper, and together with low pay that's still better for them than staying home. Most importantly, (I think) they can (with ordinary medical insurance) go to a doctor for an exam or medicine without getting charged thousands of dollars.
The real difference is how the citizens are protected. In Europe, a citizen is treated as a human regardless of how much money they have. In the U.S. this doesn't seem to be so. Money is more important.
That last can be framed in the opposite direction: America has stronger company rights.
American companies are more free to not pay a worker who is delivering no work on sick or parental leave, and to end employment of a worker they no longer want to employ. American health providers have more right to gain profits from their services. American companies are generally less burdened by things like VAT tracking and customs enforcement and silly cookie disclosures.
There's a reason that the FAANG industry dominators all came from American origins, as well as those of yesteryear like IBM and Intel, or in other industries like Ford or Disney or Visa.
The USA has one of the most insane systems on the planet. There's 50 states plus DC. Each with their own laws which apply to anybody selling in that state, so if a business is selling in 50 states then they need to follow 50 sets of laws, and that's before we get to smaller jurisdictions. The tax system is byzantine and nightmarish even by the standards of tax systems.
What the USA has going for it is that it was very far away from its enemies during WW2, and so while European countries had to rebuild everything, the US economy went into overdrive. Plus it's the 3rd most populous country in the world and that has advantages.
It's certainly nothing to do with simplicity of doing business.
American companies in general have a lot of visible and objectionable protections, that is true. But your example, except for maybe Amazon, doesn't really exemplify this - these companies are successful for various other reasons such as the U.S. winning both WWII and the cold war, American market size and world power status, huge government investments into semiconductors in the '50s, embargoes on technology exports, lots of wealthy investors willing to invest in American companies. All this and other things helped in various proportions. Maybe Amazon got so big and starved the competition partly because the management treats the workers like serfs and is able to push prices down, but the others I do not really see how they benefit from weak employee rights.
Companies are not people, so this amounts to weak rights for people. The beloved constitution was about the rights of people, yet they have weak rights in practice.
I know you are kind of agreeing, but from a diff perspective.
They may have considered this trade-off. Privacy-minded folk who are unaware of the technicalities will be similarly suspicious of an app whether it is made by the government or a private company. Sure, the centralised/decentralised difference is a major technical difference, but if people aren't aware, or don't understand, or don't care, but are concerned about privacy, they may not install the app regardless of whether it's made by the government or a private company.
Then the cost (a few less people who would have got the decentralised Apple/Google app, but not a government-made one) might be smaller than the benefit (richer data).
What's important now is that we raise awareness of this so we can pressure NHSX to change their plan. If enough people refuse to use a centralized system they'll change track.
> Why would they risk people not adopting the app due to privacy concerns
UKGov has fairly well demonstrated their ambivalence to the well being of the UK population over the past few years. I imagine they're hoping to sneak in new surveillance apparatus with the power of societal pressure - after all, if you don't install the app, You're Riding With Corona. If not enough people install it to make it effective, eh, they'll try a different tack later.
> Why would they risk people not adopting the app due to privacy concerns
Because they could require people to use it; they may have to anyhow. Also, most people are not at all concerned that the NHS can track them during a pandemic; after all, Google and FB track them all day.
If it's opt-in, masses of people will be too lazy, won't care, will forget, will have 'good intentions' but won't use it, will let their battery die, forget their phone.
At least with a 'face mask' policy, it becomes apparently clear that someone is 'not wearing a mask if they are supposed to'.
With contact tracing ... there's no way to flag people.
Without extended contact tracing and 'almost everyone on board' it's simply too dangerous for people to be out and about.
People are going to have to use it to go outside, it's as simple as that.
That's assuming perfect compliance rates, right? I cannot estimate what the compliance rate for self-quarantine will be, but if we look at a few rates we get different numbers:
50% compliance? We've already lost; too many people will ignore the app and we can't get to 2/3 even if 100% of the population installs.
These are... not great numbers for trying to deviate from what Apple and Google will push as a built-in app. Even assuming >= 90% of the country has a smartphone, you need a huge fraction of the population to participate.
You are assuming only a single input, which is this app. R_t can be - and is - reduced through a multitude of methods, including but not limited to, closing of large public gatherings, high compliance of mask-wearing, increased disinfecting protocols, etc.
That's a really good point! If we can reduce R_t with widespread social distancing, wearing masks, washing hands etc. down to <= 2 we are in much better place and this app could seal the deal and we could just about eradicate the disease.
And even if we "only" drive R_t to almost 1 we can at least buy a lot of time for our healthcare workers, which is valuable.
Either way, I didn't mean to be that pessimistic. I think an ensemble approach is necessary. For now, general (easy to follow) shelter in place rules, followed by test and trace using these apps, and then targeted relaxation of the rules as we discover what we can reopen without causing a spike in R_t.
But do the best estimates? As far as I can tell estimates vary a lot, but an R0 of 6 would be a significant outlier.
But the current R value in the UK under the lockdown is estimated to be somewhere between 0.5 and 1. A contact-tracing app doesn't need to be perfect; any reduction in R would allow for either a swifter reduction in cases or a liberalisation of lockdown measures.
The virus is still spreading in every location in spite of the lockdowns. Don't believe R is below 1 even with the lockdown.
The virus is extremely infectious. Random sampling in NYC was hinting there were 1-2 million people infected, and that's not the only city like that.
> The virus is still spreading in every location in spite of the lockdowns. Don't believe R is below 1 even with the lockdown.
The virus still spreads as long as R is over 0; you still get new infections if there's any spread. However, an R of 1 is the boundary for exponential spread. If infections are not spreading exponentially it has to be below 1 by definition (as I understand it).
In the UK death rates and hospital admissions have been falling for some time, indicating R is currently well below 1. Neil Ferguson, one of the UK's top infectious disease modellers estimated the current R value at between 0.6 and 0.7 a couple of days ago: https://unherd.com/thepost/imperials-prof-neil-ferguson-resp... .
Is the existence of a log that you came close to someone you probably don't know to be potentially used for a critical public health purpose, for a limited time, any issue?
It feels like refusing to tell your blood type when you're having a massive hemorrhage in order to "protect your privacy"...
Yeah, the government knowing who was close to whom for how long on a whole-population scale is a huge issue. I personally wouldn't mind if there wasn't an alternative that preserves privacy and is just as effective.
Well it isn't a huge issue (let's be honest, they don't care much, and it's hard to imagine why they would care), and it is actually a once-in-a-lifetime opportunity to see the actual spread of a virus in real time, which would keep researchers busy for years.
This shows the limit of individualism, the belief that I am all (this is what the privacy issue is about). An epidemic is when the group must prevail over the individual and cultures that are more group-orientated react much more effectively (China/Taiwan, Korea).
It is a huge issue; there have been plenty of regimes that practically wished for this type of technology. What if Nazi Germany had access to all this tech? Perhaps this is a stereotypical example, I would agree, but what makes you so confident there will never be bad actors to abuse systems we put up?
You don't fail to see how it would keep researchers busy for years, but why would only researchers be interested?
Collective benefit over individual rights is not a novel discussion. I see people trying to make a case for individual rights be construed as anti-collective benefit. These people however are also just people, trying to speak for what they think is right, but often times get criticized for it. A lot of times people consider starkly different cost-balance calculations and arrive at different conclusions but this is rarely made explicit. What if you set the time scale a little differently? Corona might be ravaging the world today, but how about in 50 years? 15? Laws to combat terrorism passed during times of crisis that were supposed to be temporary are still here (not a US resident, I might be misinformed, but I hope my point is evident).
I'd be happy to install it for the duration of the outbreak. It's not as if I'm doing anything terribly interesting.
It doesn't sound like it would collect anywhere near as much personal data as Google, or the government, already does.
For the sake of protecting lives and getting out of lockdown quicker to rebuild the economy I'm prepared to sacrifice a little privacy.
Edit: I don't particularly care, but there seems to be a systematic approach from some users to voting down posts for expressing honestly held beliefs that a balanced approach can be taken with respect to privacy.
The question is why they didn't implement it in a decentralized way that works together with OS primitives implemented by Google and Apple. I would also install it for the duration of the outbreak, if there wasn't any effective alternative. My gripe is that there is an alternative that works 100% as well and they chose to ignore it in favor of universal population surveillance.
It's a fair question; the answer to that doesn't seem to have been communicated yet.
We can speculate as to reasons why: one could be that the authors feel that the decentralised approach is lacking some important feature that could save lives, such as insufficient feedback about how it is being used.
Another could be that they feel that they can implement a solution faster than waiting for Google/Apple to finish their platform and then building something on top of it. This leaves open the possibility of changing tack if the new API is superior.
Or maybe they're just hedging their bets in case the Google/Apple approach doesn't work or gets pulled.
(I'm assuming none of this is a nefarious plot by the government to add to their general surveillance powers. I personally don't think they'd care given the considerable abilities they already reputedly have to track mobiles).
That's very bad. Anonymous and (mostly) decentralized contact tracing is definitively possible, and is exactly what the DP-3T and Apple/Google protocols are trying to achieve.
Developing a reasonably anonymous contact-tracing app is not that complex at all. I wrote a very simple (but working) app that also implements contact-tracing in a way similar to DP-3T or Apple/Google, and it only took me a few days: https://github.com/RaphaelJ/covid-tracer/blob/master/README....
Users will also never opt-in for such apps if they don't at least try to slightly protect privacy.
Could someone with a little more understanding of the frameworks and restrictions please explain what this means for locking iPhones while the app is tracking, and using Bluetooth devices like AirPods? Does it prevent them from working and stop you locking your device?
Also not a good look (edit: for the uk) on the day Germany swapped from using this style app to a Google-Apple backed system.
If the true reason for the centralised matching is that they want to have a better oversight of the spread could they not do that with the Google-Apple system by having it (optionally) phone home to a server when there is a match?
On the contrary, it's a very good look for Germany and a terrible blow for privacy-conscious UK denizens. I hope this is reversed somehow. The Apple/Google system is zero-knowledge. The NHS system sounds like a privacy disaster.
>The tech giants believe their effort provides more privacy, as it limits the ability of either the authorities or a hacker to use the computer server logs to track specific individuals and identify their social interactions.
>But NHSX believes a centralised system will give it more insight into Covid-19's spread, and therefore how to evolve the app accordingly.
I certainly prefer the Apple/Google/DP-3T approaches but they are certainly not "zero-knowledge". They are not even strictly "less-knowledge" than PEPP-PT if you trust the central server (but arguably not in ways that can have strong practical consequences, at least not more than the situation in the other direction).
Bluetooth allows 7 devices connected at once, but actually the spec uses bluetooth low energy which is a special low-bandwidth, low-energy mode. You can lock your device. [1]
It sounds to me like NHS wants location data logs of everyone in the country. You can measure contacts and spread that way but it's a privacy disaster. The decentralized approach tells authorities and users if they've been near someone who later on marked themselves as infected. The data is much more limited but still accomplishes the main purpose.
There is no BLE hard limit to device connections here at all.
This whole system works on advertising packets. Beacons are non-connectable, aptly named.
Your phone can be connected to n BLE devices and also appear as n peripherals itself. No hard limit that I can think of, usually just depends on the stack.
But this isn’t that. This is your phone pumping out <CONTACT: I am 7733> and listening for other people’s phones to say <CONTACT: I am xxxx>.
I can think of no stack that has a connection limit and after that stops allowing for reception of advertising packets.
Nitpicky clarification: at least for the Apple/Google spec it's advertising something more like "my key for the current 15-minute timespan is 7733". ie, not your identity, just a temporary key.
I believe that Bluetooth units are limited to 1 central (master/server/upstream) and 7 peripheral (slave/client/downstream) connections. Mesh networks can be made up of up to 255 units.
Advertising is different, and not limited, but it is not classified as a 'connection'. My understanding is that advertisements are simply broadcast, so there is no bidirectional communication.
I thought I had seen multi-master stacks. For peripherals I know I've seen 20 concurrent on the Nordic S132, definitely not 8 as any BLE spec limitation.
Yes. That's what I said, beacons are advertising packets with the connectable flag cleared.
You misunderstood, there is no bidirectional in my post. Just two transmitters and two receivers.
Yeah this doesn't actually connect to devices so the limit of 7 doesn't apply. Your phone just broadcasts an advertising beacon (exactly the same as iBeacon or Eddystone) and other phones listen for it.
It's easy to do on Android (though somewhat unreliable because the Android Bluetooth stack is utter shite).
On iOS it is more tricky, but as I recall it is possible if your app has a widget on the home screen. This is what Chrome has to do for the physical web:
> It sounds to me like NHS wants location data logs of everyone in the country.
How are they going to get that with either model being discussed? There is no location data being transmitted. In fact there is no data at all leaving the phone until you get ill. And if they could deduce it from some sophisticated analysis of codes sent and matched, it would be far, far easier from the geolocation data users happily donate to Google/Apple free-of-charge 24/7.
Location is not the really interesting thing - the social graph is. Location is interesting because it reveals the social graph, not the other way around.
> In fact there is no data at all leaving the phone until you get ill.
Source? Everything I found that could be interpreted as a statement in that direction sounded like it was part of a description of the Apple-Google approach.
In particular, I wonder if the APIs exposed to non-system apps let them rotate the Bluetooth identifiers, or if this will cause the phones to beacon their non-randomized Bluetooth equivalent of a MAC address nonstop. (The Apple-Google proposal covered this by randomizing that address too.)
> What is worth noting is why Germany changed their approach:
> > Germany as recently as Friday backed a centralized standard called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), which would have needed Apple in particular to change the settings on its iPhones. When Apple refused to budge there was no alternative but to change course, said a senior government source.
> This is exactly what I was driving at in Coronavirus Clarity: tech companies are the ones setting the rules, not governments.
I can't read that article without an account but the quotes imply that only Apple was standing in the way of the centralized approach. Did Germany have a centralized contact tracing solution through Android?
Is there more context that might imply that Google wasn't playing ball?
iOS has more restrictions than Android regarding Bluetooth use by applications in the background. Germany may have needed Apple to change those restrictions while Android already provided the access they needed.
I ask an uncomfortable question for debate about this:
Many of us probably think ridiculous the people who are jumping to reopen businesses (and states) in the interest of economic activity, at the cost of putting people's lives at risk.
Why, on the other hand, is privacy so important versus saving lives if a more effective (but slightly less private) information gathering mechanism could be implemented?
How do we judge one not worth the risk, while the other is?
You can't put it back in the box. Once an abusable capability exists, it will be abused.
The most effective time to try to create a pervasive surveillance system is when people are afraid.
Also, there's no evidence that a more invasive system is "more effective". If a privacy-preserving system is equally effective, there's no valid argument. And in any case, if a privacy-preserving system is effective enough to get community transmission under control (bringing R below 1), that may suffice.
If my memory serves, we are talking about a government that would love to kill or backdoor crypto - all in the name of "stop the terrorists" and "protect the children", arguments that are also about saving lives.
People worry about their own privacy, but they should worry about the protection of people engaged in politics - not (only) political activists but (also) "professional" politicians.
These data are an absolutely fabulous weapon to ruin the public credibility of, say, a competitor for the next poll. Or you can use them for blackmail. If you can't blackmail your opponent directly you can always look at what their family members are doing.
The possibilities are so numerous that it's hilarious. The irony is that the MPs who vote those laws seem not to be aware they are shooting themselves in the foot.
Privacy is a human right. Before given up on it, you have to make sure that a) it is temporary and b) the benefits are real (is it an effective way of preventing something bad etc.)
I'm not sure how any of these are not already searchable / discoverable by someone abusing the cellular system that already knows phone locations all the time?
That's utterly broken logic. If you are doing well with a missing finger on your right hand, certainly it won't bother you if we chop the same finger off your left hand?
Agreed. A lot of the privacy hullaballoo I read on HN feels like tin-foil-hattery. Who cares what kind of app you have tracking your GPS on your phone, when every surveillance camera in London knows exactly where you have been?
If you want real privacy, it has to come from getting the right privacy-aware, privacy-understanding people in power. Anything short of that won't make a whit of difference.
So, given the existence of a privacy-preserving option, it is extremely dubious to be pushing a privacy-destroying option for the sake of a small amount of extra data and flexibility.
The harm that a developed surveillance state can do is incredible. See China. We need to balance saving lives from corona with potentially saving lives or quality of lives from privacy abuse. It's a slippery slope argument and those are always hard to discuss as we're discussing potential future abuse.
In this case however it's a reasonably safe and effective system vs a pretty unsafe but slightly more efficient system. To my mind there's a clear winner there.
I think you can look at it another way, in terms of what can be achieved. Whether or not I think it's good that every pub I want to go to is shut, it's obvious that the government have the ability to compel them to do so. If the government want social distancing they have lots of tools to make it happen.
They have far fewer tools to make a contact tracing app happen, when that app needs to be voluntarily installed by everyone. So doing things like turning it into a surveillance system (even if it's just because they want better Covid data) when other countries aren't, is just increasing the risk that the public turn it down and the whole thing fails.
And "this app is bad and you shouldn't install it" can spread really, really fast. A few weeks ago my extended family wanted to do a video call and someone suggested everyone install House Party. The day we were going to do our first call some weird tweets went viral saying that app was hacking people's banking apps and other accounts. I'm not sure what came of that, the accusation makes no sense, but our use of House Party was cancelled because there was something on Facebook saying don't download it and how are non-technical people meant to distinguish it really when basically everything you can click through to on Facebook is a scam?
If something like that happens then you really need credible people to be able to push the messaging that this app is vetted, people can trust it, it's safe. If all the background noise is about privacy and similar concerns, then negative messaging can get a lot of cut through with nothing pushing back. I'm pretty certain nobody in that family chat who saw those Facebook posts will ever install House Party, and I'm pretty sure a few well placed Facebook posts going viral with no credible voice telling them otherwise could stop them installing any contact tracing app as well.
> They have far fewer tools to make a contact tracing app happen
They can get businesses to enforce the requirement for them. Want to enter the grocery store? Be prepared to show a QR code from the tracking app, or you can’t go inside.
Governments have a difficult time giving up powers once they have them. So even if it is morally right to give the government extra privacy infringing powers to save lives today, it is not morally right to compromise the privacy that generations of citizens who come after us will need in order to exercise their right to self governance later.
The best of all worlds is where the government says, "look, our responsibility is to look out for your health AND your other fundamental rights, and so we need this, but we want it to respect your privacy too". Which is what governments who choose DP-3T are saying.
It's a great question, but over the last couple weeks, it's clear (from a number of topics) that 95% of HN would rather have completely perfect privacy more than safety. It seems that counter to things like freedom of speech, there are no qualms about infringing upon other humans when it comes to the right to privacy.
Yes, that's correct. I can do things like isolate myself and my family to protect ourselves (and others) from things like covid 19, but I can't reach out and make governments and business respect my privacy. In the longer scale, I think you and I are more at risk from loss of privacy than I am from a virus that, while nasty right now, is likely to be over soon.
There's no evidence that it's likely to be over soon, in fact, most suggests the opposite. Also, it's either completely ignorant or just highly asinine to suggest anyone besides yourself is at more risk from loss of privacy than the virus.
> How do we judge one not worth the risk, while the other is?
Individually: you can sell your privacy for some temporary security. But you can't sell mine.
Governments will abuse anything, and will never let a good crisis go to waste. It's not a question of if, but when. We still have the "temporary" Patriot Act in the US, while countries like France still live in a "temporary" permanent state of emergency years after it was "temporarily" instituted.
I do not trust google - but I trust government even less, because when caught with their hand in the cookie jar, at least companies have to clean up their act, or face loss of customers.
Governments, not so - due to the rigidities preventing immigration.
The Apple-Google protocol is designed to reasonably protect their users even in less-free countries.
Consider every Middle Eastern country; China (Xinjiang, Tibet etc); India (Kashmir etc); Latin American countries that have cozy relationships with gangs and cartels; Russia; even the USA with ICE and other agencies.
Do you really think Apple and Google should be giving information on their users to those governments? They can't possibly say "stronger contact tracing for Canadians, but not for Mexicans" - it has to be one global standard.
> [Apple and Google] can't possibly say "stronger contact tracing for Canadians, but not for Mexicans" - it has to be one global standard.
Why not? Apple and Google could just as easily say, "Only countries that meet the standards we set get access to more data."
On one hand, it seems like the HN community seems okay with giving Apple and Google the power to set norms on technology policy that apply worldwide (e.g., what level of potential privacy loss is acceptable to combat a pandemic), but on the other hand we don't trust Apple and Google to know how to distinguish a totalitarian regime from a government that respects its citizens' rights?
It's very hard to make such a distinction in practice, because it comes off as Apple saying that some of their customers' lives are worth more than others.
It's worth highlighting the differences between the UK and the rest of the world. The NHS is embedded into the UK's culture. Since the start of lockdown, drawings of rainbows are commonly seen in windows with captions like 'Thank you NHS and key workers' and on Thursdays at 8pm, people stand on doorsteps and clap for the NHS. The NHS is very well trusted and this app, if viewed as a creation of NHS (or NHSX) and not 'the government', could still remain successful despite privacy concerns.
Unlike other countries, the UK has the opportunity to frame this as an NHS-created app, rather than a state-created app. If they're able to do that, then it wouldn't surprise me that the UK's population takes up the app.
Additionally, few people consider data privacy concerns at the best of times. Given the circumstances, I think more people are willing to prioritise public health over privacy concerns.[1] So, they seem to have judged that the richer data trumps the slight reduction in usage.
The combination of these factors could be the rationale behind this judgment call.
I don't think so. They can use a decentralized approach, the Google/Apple APIs, and still call it the NHS app. They can even put additional random opt-in features in their app if they really want to, why could they not?
Plus it won't be practical at all to use a centralized solution on iPhone and it may be less practical to use it on Android, so this won't be just a slight reduction in usage, this risks being a major one.
This is quite the generalization, equivalent to saying that Americans love the Democratic Party. A poll in 2019 found that satisfaction with the NHS hit an eleven year low, with 53% of respondents satisfied with services in the year prior.
There's a difference between being satisfied with the healthcare it provides and loving the NHS. People in the UK love the NHS as a concept and an institution, even if we're still often critical of the quality of service provided. Additionally most people lay the blame for that quality on underfunding from the government. The NHS is largely believed to be doing a decent job with the resources it has and has been screwed over by austerity again and again.
As far as I know it was a genuinely grassroots initiative, started by a Dutch Londoner, after a similar phenomenon in the Netherlands (which I think followed from Italy).
Centralized or not, app-based contact tracing has not worked anywhere. The countries that do successful tracing do it manually, and when personal data is used, it's only infected people's data. Taiwan's minister explains here: https://www.youtube.com/watch?v=ScIVe6STVxI . No need to bug the entire population for this.
As long as new cases are very low, manual tracing by trained personnel is superior (because of all the edge cases) and sustainable. If you have too many cases (>100s per million) you're better off shutting down anyway.
What are all these apps other than a new kind of surveillance toys, which we know will be force-installed in many countries and will most likely be abused? Maybe it's solutionism that appeals to world leaders for safety theater.
If I take a subway next to you, and you get Covid from my cough, no amount of probing from manual tracing can reveal our link when we're strangers. You can't categorically say "manual tracing by trained personnel is superior".
The apple / google proposal is designed to minimize the ability for abuse from surveillance states.
Doesn't bluetooth give too many false positives anyway (with its range that is far greater than the required 6ft, and its ability to pierce walls?) And how will the general public respond to these false positives? I fear that the effect of a covid app will be somewhere between chaotic and useless.
The protocols I've seen involve using the signal strength, including knowing the transmission strength, which will probably allow treating people on the other side of any semi-solid wall as "not in contact".
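The attenuation approach the comment above describes, as an added worked example that is not code from the thread or from any contact-tracing project: the receiver subtracts the measured RSSI from the transmit power the other phone advertises, buckets contact time by attenuation, and only notifies when enough weighted minutes accumulate. The 50/60 dB thresholds, the bucket weights, the 15-minute bar and the path-loss constants are assumptions made for this example, not a published calibration, and the scan logs are constructed.

```python
"""Attenuation-based proximity scoring (added illustration; thresholds, weights
and path-loss constants are assumptions, not a calibration)."""


def attenuation_db(tx_power_dbm: int, rssi_dbm: int) -> int:
    """Attenuation = advertised TX power minus received signal strength.
    Knowing the TX power is what makes RSSI comparable across phone models."""
    return tx_power_dbm - rssi_dbm


def estimate_distance_m(atten_db: float, atten_at_1m: float = 41.0,
                        path_loss_exp: float = 2.5) -> float:
    """Log-distance path-loss model: d = 10 ** ((A - A_1m) / (10 * n)).
    Both constants are assumed values; walls and bodies add attenuation that
    this model reads as extra distance, which is the desired failure mode."""
    return 10 ** ((atten_db - atten_at_1m) / (10 * path_loss_exp))


def bucket_minutes(samples, near_max_db=50, mid_max_db=60):
    """Split contact time into near/mid/far minutes by attenuation.
    samples: iterable of (tx_power_dbm, rssi_dbm, seconds) scan records."""
    near = mid = far = 0.0
    for tx, rssi, seconds in samples:
        a = attenuation_db(tx, rssi)
        if a < near_max_db:
            near += seconds
        elif a < mid_max_db:
            mid += seconds
        else:
            far += seconds
    return near / 60, mid / 60, far / 60


def risk_score(samples, weights=(1.0, 0.5, 0.0), min_minutes=15.0):
    """Weighted exposure minutes and whether they cross the notification bar."""
    near, mid, far = bucket_minutes(samples)
    weighted = near * weights[0] + mid * weights[1] + far * weights[2]
    return round(weighted, 2), weighted >= min_minutes


# Constructed scan logs: four 5-minute windows each, same phone model (-20 dBm).
SAME_ROOM = [(-20, -65, 300)] * 4      # 45 dB attenuation: across a desk
THROUGH_WALL = [(-20, -85, 300)] * 4   # 65 dB: a wall in between, same duration
BRIEF_PASS = [(-20, -60, 90)]          # 40 dB but only 90 seconds of contact

if __name__ == "__main__":
    for name, log in (("same room", SAME_ROOM), ("through wall", THROUGH_WALL),
                      ("brief pass", BRIEF_PASS)):
        a = attenuation_db(*log[0][:2])
        print(name, "attenuation", a, "dB ~", round(estimate_distance_m(a), 1),
              "m ->", risk_score(log))
```

The point of the bucketing is that a neighbour through a wall and a colleague across a desk can sit at the same raw distance; the wall shows up as 20 dB of extra attenuation, which lands in the "far" bucket and contributes nothing. The weak link is the TX power term: phones advertise it, but real radiated power varies per model and case, so a production scorer needs a per-device calibration table rather than the single constant assumed here.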
It would be nice if we could have a serious discussion, rather than assuming that this must certainly be the wrong decision, made by nefarious spies acting behind the scenes.
First, it is important to understand that there are two protocols, both of them based on the work done by the Oxford epi group and others over the years on minimally disclosive electronic contact tracing.
Both of these are a massive privacy improvement on the pervasive surveillance used in South Korea and China. I don't know enough about the Singapore app to comment on that but I would guess this is also an improvement on what they have.
These protocols are DP-3T, on which Google/Apple have based their API and PEPP-PT which many countries including the UK have been building their solution. Until very recently, Germany was also using PEPP-PT but they have switched to DP-3T.
Both protocols make trade-offs between the amount of information which leaks and the usefulness of the tool. That's important. Installing an app based on either will strictly reduce your current privacy.
It is also important, in understanding the privacy trade-off made, to understand the degree of new privacy loss from either framework. We are already pervasively geolocated based on our phone position, this just adds a possible layer of precision to that data. If GCHQ wants to track your movements, they do have tools which can do that relatively effectively already.
Both frameworks use pseudo-random rotating keys which are exchanged over Bluetooth.
In PEPP-PT a central server manages a rotating private key which is used to generate a set of time-gated ephemeral IDs for each device. Devices exchange and log these IDs.
When a health authority determines that someone is infected, they issue them a key which allows them to upload all their logged IDs to the central server. The server is able to determine who the infected person's phone has logged a contact with and notify those people. A random sample of additional people also receive notification messages which their phones are able to discard as invalid decoy messages.
In DP-3T, the keys are generated on the devices and IDs are stored only on the devices. If a central server authorises you to do so (based on a confirmed diagnosed infection), you broadcast the IDs of all the devices you have been in proximity to. All devices regularly download a list of IDs and check the list for one of their own rotating ID numbers. If they match, the user is notified and is able to pre-emptively isolate.
The second approach reduces the consequences of a nefarious central operator but at the cost of sharing more information with more people (since everyone sees the list of possibly-infected IDs). In other words, even in privacy terms, this is not a perfect approach either. That information can be used to carry out re-identification attacks and reveal infected users if certain conditions are met.
From a privacy point of view, I think many people would prefer the latter (possibly allow malicious attacker, if they are able to do certain not-so-easy things to determine that they were infected) since most people in the UK will not consider that deeply private and secret information about themselves. Many of my friends who got it have posted about it on FB, twitter, etc. The former, which gives a state actor more information seems like a greater breach of privacy.
However, it is worth considering why the NHSX team has made this decision, there are epidemiological reasons to significantly prefer PEPP-PT.
First, it allows tweaking of the notification algorithm over time. DP-3T only allows notification of everyone in the contact with no risk indication, it's binary.
Second, the greater information on the infection graph available to the central authority allows for better aggregate contact measuring which may shape increasing or decreasing distancing measures much more quickly than is currently possible since we currently have to use measures that lag considerably.
DP-3T requires more data exchange and on-phone calculation but I'm not convinced that is a convincing argument against it.
I tend towards selecting the solution with greater protection against state data collection and the fact that it will have API support and will therefore likely be able to run with a lower power requirement means that I would select DP-3T over PEPP-PT but I'm not the one who has to make that decision and I would love to see the internal decision making document. I do not think it is so obvious as many people are making it out to be.
Very good summary. I still think DP-3T is far preferable due to privacy and the ability to more easily implement it. It'll also get more data as more people will actually use it.
One thing I don't see mentioned and may have missed: if this is all (at least allegedly) anonymous and infection status is self-reported, what is to stop trolls and pranksters from marking themselves as "infected" and then going about their day in public/crowded spaces?
Seems like false connections could be spread more easily than the actual virus, no? I would hope this has been addressed somehow but if not, have you ever met people? People will always figure out a way to break stuff given the opportunity.
Infection status is not self-reported without some kind of authorization from the authority that provides the actual app used for tracing - which is probably some local government entity. That app is built on top of Apple/Google API which does all the BT broadcasting and scanning and key generation stuff, but the government still retains the capability of setting up a system for authorizing app users to flag themselves as infected and thus upload their daily keys to some server (which is probably also operated by the provider of the app, I suppose).
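The decentralised flow sketched in the long summary above (DP-3T keys generated on the device, a published list everyone downloads and checks locally) and the authorisation step in the reply just above, as one added worked example that is not code from the thread, from the DP-3T reference implementation or from any app. The key schedule follows the published DP-3T low-cost design: SK_t = SHA-256(SK_{t-1}), and a day's EphIDs are derived from PRF(SK_t, "broadcast key") expanded by a PRG. Assumptions made here: HMAC-SHA256 in counter mode stands in for the spec's AES-CTR PRG, the upload token is a hypothetical HMAC issued by the health authority (the protocol leaves that mechanism to the deploying authority), and the three-device contact pattern is constructed.

```python
"""Toy DP-3T-style exposure notification (added illustration, not reference
code). Key chain per the DP-3T low-cost design; the PRG (HMAC counter mode)
and the authority token are assumptions for this example."""
import hashlib
import hmac
import os

EPHID_LEN = 16        # bytes per ephemeral ID
EPOCHS_PER_DAY = 96   # one EphID per 15-minute epoch


def next_day_key(sk: bytes) -> bytes:
    """SK_{t+1} = H(SK_t): knowing SK_t reveals later keys, never earlier ones."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes) -> list:
    """Derive the day's EphIDs from SK_t. Anyone holding SK_t can recompute them."""
    k = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    stream, counter = b"", 0
    while len(stream) < EPHID_LEN * EPOCHS_PER_DAY:
        stream += hmac.new(k, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return [stream[i:i + EPHID_LEN]
            for i in range(0, EPHID_LEN * EPOCHS_PER_DAY, EPHID_LEN)]


class Device:
    """A phone: its own key chain plus a log of EphIDs heard over Bluetooth."""

    def __init__(self):
        self.keys = [os.urandom(32)]   # SK_0, SK_1, ... never leave the device
        self.seen = set()

    def advance_day(self):
        self.keys.append(next_day_key(self.keys[-1]))

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephids_for_day(self.keys[day])[epoch]

    def hear(self, ephid: bytes):
        self.seen.add(ephid)

    def exposure_count(self, published) -> int:
        """Re-derive EphIDs from each published (SK_t, t, last_day) and count
        matches against the local log. This runs on the phone, never the server."""
        hits = 0
        for sk, day, last_day in published:
            for _ in range(day, last_day + 1):
                hits += sum(1 for e in ephids_for_day(sk) if e in self.seen)
                sk = next_day_key(sk)
        return hits


class HealthAuthority:
    """Hypothetical: issues an upload token only for a confirmed case."""

    def __init__(self):
        self.secret = os.urandom(32)

    def token(self, case_id: str) -> bytes:
        return hmac.new(self.secret, case_id.encode(), hashlib.sha256).digest()

    def valid(self, case_id: str, token: bytes) -> bool:
        return hmac.compare_digest(self.token(case_id), token)


class Backend:
    """Holds only keys of confirmed cases; it never sees who met whom."""

    def __init__(self, authority: HealthAuthority):
        self.authority, self.published = authority, []

    def upload(self, case_id, token, sk_t, day_t, last_day) -> bool:
        if not self.authority.valid(case_id, token):
            return False          # a self-declared "infection" is rejected
        self.published.append((sk_t, day_t, last_day))
        return True


def simulate() -> dict:
    """Alice and Bob share a commute on days 0-2; Carol meets nobody."""
    authority = HealthAuthority()
    backend = Backend(authority)
    alice, bob, carol = Device(), Device(), Device()
    for day in range(3):
        if day:
            for d in (alice, bob, carol):
                d.advance_day()
        bob.hear(alice.broadcast(day, 32))
        alice.hear(bob.broadcast(day, 32))
    # Alice is diagnosed and releases her key from day 1 (assumed infectious window).
    accepted = backend.upload("case-42", authority.token("case-42"),
                              alice.keys[1], 1, 2)
    # A prankster without a token tries to publish Bob's key.
    forged = backend.upload("case-99", os.urandom(32), bob.keys[0], 0, 2)
    return {"accepted": accepted, "forged": forged,
            "bob": bob.exposure_count(backend.published),
            "carol": carol.exposure_count(backend.published),
            "alice": alice.exposure_count(backend.published)}


if __name__ == "__main__":
    print(simulate())
```

Two things the toy makes concrete. The backend's entire data set is a list of (key, day) pairs for confirmed cases, so a compromised or coerced operator learns nothing about contacts between uninfected people; the matching happens on Bob's phone against a log that never leaves it. The cost is the one the summary flags: once SK_t is published, every EphID Alice broadcast from day t onwards is linkable by anyone who logged EphIDs with time and place, which is the re-identification exposure of the decentralised design. Without the authority token, the "mark yourself infected" prank from the thread works; with it, the unauthenticated upload is dropped.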
Will iOS - iOS Bluetooth communication be ok with these new APIs? Wasn't a major problem with other frameworks the iOS Bluetooth turning off for battery capacity?
It can work in a limited fashion using iBeacons. These have special status on iPhones allowing them to be received by an app even in the background. But even these are rate limited and each iBeacon can only wake up the app once when it comes into range.
Weren't Google and Apple going to release an official app alongside their API? It may be that if the NHS app gets enough bad press (which apparently it should), people naturally use Google and Apple's implementation. Even people who are happy to go along with the NHS will likely also want to have the Apple/Google app running as well, as they don't know which of the two "networks" the notification will come from.
No, Google and Apple announced they are creating APIs and tools for governments to build apps - they are not releasing an App themselves.
"8. Who will create the apps and where do I find them?
Public health authorities will update or create apps which users may install if they choose to participate. Google and Apple will make available, as normal, the public health authority apps for each region in the Play Store and App Store."
This makes no sense, so there will be a consultant firm behind this poor decision. It's sure to play out just like the direction the UK took over the lockdown.
The app take up will be poor and they'll start using the goog/appl data 'alongside' the centralised app, eventually sidelining the centralised app altogether.
But the contractors will have been paid and will continue to be paid.
Seems Like Carole Cadwalladr has already joined the dots...
@carolecadwalla
Let’s add another data point. Faculty won this contract back in August, we now know. That’s when NHSX new £250m lab announced. Yet Faculty decided to divulge this news on March 13. Day after SAGE meeting Cummings attended with Ben Warner - brother of Faculty founder, Marc
Apple and Google could force otherwise if they just ban the app from their stores. Especially considering that they seem to be using some questionable workarounds to run in the background on iOS, they could chalk it down to policy, but it probably wouldn't be in their best interests since "Apple blocks NHS from releasing contact tracing app" would not be a good headline.
Forgive my ignorance, but is it possible to create two competing apps? I know this is not at all ideal (kind of defeats the purpose), but I believe people could be steered to the better choice over a little bit of time.
Is the NHSX planning to try and force Google / Apple to change their plan and build the app the way that they want or are they proposing that they will develop a different app?
It’s not often I dare to disagree with Ross Anderson, but most of these objections don’t make a lot of sense to me. There’s nothing to stop the app from phoning home once a contact is identified, so all of the human-in-the-loop stuff is still possible.
The only difference between a centralised and decentralised solution so far as I can tell is whether or not we end up with massive centralised databases of every social contact between people who are not infected. Collecting that data seems completely unjustifiable to me, given that it is by definition unnecessary.
I don't trust Apple and Google but I trust my government even less. And I also do (cynically) think that Google and Apple already have most of this contact tracing information anyway... I mean I would even trust Facebook more than my govt.
> I don't trust Apple and Google but I trust my government even less.
That's a really interesting statement. Could you elaborate on your thinking? Under what form of government do you live? Why do you feel Apple or Google is more trustworthy than your government?
In addition Google and Apple are US companies, and the US has worse privacy law than Europe. The future may be each person or entity will self host their own data on a Raspberry Pi (or better yet BeagleBoard).
I've watched some German TV recently and heard politicians claim that Apple/Google demanded access to the contact tracing data if the government were to get it as well.
It's voluntary, and designed to be anonymous (apple/google proposal). You don't have to install it, but then you'd be a jerk by putting the health of strangers and loved ones in further jeopardy. World-wide problems require world-wide responses. This isn't the time to bury your head in the sand and hope it goes away.
First off, having a cell phone or having friends over with cell phones means, technologically speaking, you can be tracked and overheard by a sufficiently advanced adversary, given reason. That said, I think this is making waves precisely because it is centralized. If you trust Apple, and their decentralized approach, you can opt in. If you live in a country which forces you to scan QR codes, you either need a lot of friends or you can’t easily escape the surveillance. That said, given the ubiquity of police cameras in London and the way they are spreading to other areas currently for automated speed ticketing, it seems likely that we’re on a path to significantly more surveillance digitally in the future. But... let’s not fool ourselves, what your carrier or ISP knows, your government is one court order away, at best, from knowing...
Yes, your phone could be used to get information on you.
That does not mean there is then no issue with phones doing contact scanning and recording.
You can own a phone, acknowledge the risk, and not want to see that risk expanded recklessly.
The privacy systems “SEEM” ok, but any hesitation is rightfully earned. These companies and governments have abused trust and have not earned it back.
This system is a road paved with best intentions and should absolutely not be implemented until covid19 is over and people can think clearly. The hard push right now for it is clearly not wanting to "let a crisis go to waste".
I’m not making an argument that there’s no issue with phones doing contact scanning. Rather, I trust Apple, and maybe Google, to do what they say they will do, and I trust that they will be very closely inspected from a security perspective by third-parties to confirm that. I’m not saying that phones should always report your location, but I am saying that they already have that capability. It’s like complaining about cookies when your phone already has a perfectly unique fingerprint due to Chrome’s origin trials, say.
Those who have control in government set the rules up as they see fit. If Apple and Google don’t support a method to do this, they will be pushed by law to do it differently. If your problem is that something will be made mandatory, either change the law or find a loophole, as anyone else would have to. The current implementation, at least for Apple, is 100% optional, even if you have an app installed allowed to read this data, you can still turn it off in settings. If the point you’re making is that PRISM existed, and therefore SV can’t be trusted, outside of abolishing the NSA, what would actually fix this? The problem is one of legislation, not technology. And it’s worth pointing out that if you’re this afraid of tracking, you should probably set your phone to voicemail and turn on airplane mode on a regular basis. Your ISP knows what devices you have, and where they are. This doesn’t change that. Besides, even without Apple and Google, governments are inventing apps. So I fail to see how tech companies proposing a less-privacy-invading-option is harmful? Would you prefer tech companies outright lied, were caught lying and then had to implement a worse solution anyway? The law is the law... tech companies don’t themselves make it, they just propose the rules for their walled garden within what the law allows.
I think that a few terms appeared that describe superstitious beliefs. These terms are (not a complete list):
* tracking app
* social distancing
* self quarantine
* lockdown
Life is not a video game. There are no game designers able to decide that tracking apps somehow work, for instance.
Can you please not downvote my post?
As the Apple/Google system shows, it's possible to do contact tracing without sacrificing privacy. The blame is entirely with the UK government, not anybody who takes the reasonable step of refusing to support unnecessarily harmful technology.
Why not take measures that don't impact individual rights, like requiring essential jobs to provide their employees with PPE? Where's the accountability for Amazon and Walmart, that continue to allow sick employees to work?
I wonder how many people think they are reasonably healthy and they are unaware of some pre-existing condition that makes them more vulnerable than acceptable.
Do you know? Are you willing to gamble with other people's lives based on incomplete information?
I know there is a tradeoff, and wrecking the economy and imposing draconian isolation rules can have disastrous consequences on the very same people it is designed to protect, but your oneliner sounds so confident I wonder whether you've really paused to ponder all the tradeoffs
> [people who might be more vulnerable] should isolate.
and now you appear to be saying:
> [they should] acquire [the virus] and sit around until it's over
That's incredibly bad advice. Now, notice that I'm not going in too hard on you because I'm hoping I've misunderstood what you're saying, but can you clarify it to avoid such confusion, please?
This is more a reflection of the poor reputation towards privacy of Google rather than a rational response to the joint contact tracing specification issued by Google/Apple. The specification was clearly engineered to be as privacy conscious as possible and it would be very difficult to extract PII from stored data, but it looks like the well of trust is unrecoverably poisoned.
An app is not the answer to this. Contact tracing is not necessary as a solution to this. Indeed it is nearly worthless.
People here who make proverbial hammers are liable to want to hit nails, without considering if it is necessary. Especially considering the lockdown and that you can't get tested.
Contact tracing is a known strategy for dealing with epidemics, and has demonstrated effectiveness not only in past epidemics, but is working very well today (manually) in South Korea. This helps it scale and makes it possible to know about exposures to strangers.
The Apple/Google plan just exposes an API to on-device data. There still needs to be an app that retrieves that data and uploads it somewhere (supposed to be implemented by the governments / health officials).
In that way it's similar to how e.g. location APIs work - the device handles the resolution and data processing for you, but there still needs to be an app to retrieve it and do something with it.
Hence your original question isn't applicable in context of APIs they've designed.
And further, I don't think Apple/Google intend to provide the database that infected people push their data into - my understanding was that would be per-app and in this case controlled by NHSX.