Hacker News
Ireland's Health Service Open Sources Official Covid-19 Tracking App (github.com/hseireland)
94 points by pauldelany on July 7, 2020 | 43 comments



Here's the "report card" (PDF) on the app's data-gathering and privacy features, prepared by the Irish Council for Civil Liberties: https://www.iccl.ie/wp-content/uploads/2020/07/ICCL-DRI-HSE-...

The report is thorough, informative, and technically competent, IMO.


A "C+ grade", but the report seems a little nitpicky.

It loses marks for not being a "single-purpose app" as the same app also provides you a way to track your own symptoms.

It loses a lot of marks for "necessity and proportionality" on the grounds of not providing documents that prove or support such an app as being useful for contact tracing, even if it works. Surely they could give the benefit of the doubt here. And in a separate section they give it a D for "effectiveness" citing studies that it probably just won't work and will have too many false positives.

More marks lost for relying on closed Google/Apple APIs, using Twilio to send text messages, not having a Github issue tracker...

I think they make a lot of good points but when I think about what it would take for an app to move from a C+ to an A under this framework, it looks like 80% box ticking and 20% addressing serious privacy concerns.


To continue, when they actually address the privacy and security implications of the design, they call out the possibility of a replay attack "when an outsider intercepts a communication and fraudulently delays or resends it...there is no known significant mitigation for replay attacks and yet they are not identified in the DPIA."

Firstly, surely there's a known mitigation here - replay attacks involving a delay can be mitigated by including a cryptographically signed timestamp in your beacon messages. Secondly, the damage from an attacker sending false negatives and false positives seems small compared to the privacy implications of deanonymization attacks (e.g. attacker listens for the beacons in several buses, offices or shopping centres, later identifies which ones were reported covid-positive, groups those into clusters each likely associated with an individual, and cross-references the location data with identifying data from another source). Why call out one but not the other?


There isn't enough space in Bluetooth IDs to include a cryptographically signed timestamp, there isn't even really enough space to include a cryptographic signature for everything ... in the Apple/Google design the Bluetooth power level is left unsigned due to space constraints. It really is a very very small amount of space.

An alternative design involved bluetooth IDs broadcasting small 63-bit ECDH shares and devices performing pair-wise key agreement. This would raise the difficulty level of replay attacks; they'd need to be bi-directional and roughly time synchronized (within a ~15 minute window) but it had other trade-offs including reducing the efficacy of the app due to bi-directional message receipt being required, and ballooning the amount of data that needs to be distributed to detect infection risk. So it wasn't taken.
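
Added example, not part of the thread and not the HSE app's or the Apple/Google framework's code: it assembles the 31-byte legacy advertising payload laid out in the published Exposure Notification Bluetooth specification to show the byte budget discussed above, plus a match-time check in which time is bound only through the interval number. HMAC-SHA256 stands in for the AES-128 derivation, and the key, timestamps and `tolerance` value are constructed for illustration.

```python
import hashlib
import hmac
import struct

LEGACY_ADV_MAX = 31      # bytes available in a legacy BLE advertising payload
INTERVAL_SECONDS = 600   # identifiers are bound to 10-minute interval numbers
EN_UUID = b"\x6f\xfd"    # 16-bit service UUID 0xFD6F, little-endian


def ad(ad_type: int, data: bytes) -> bytes:
    """One advertising-data structure: length byte, type byte, data."""
    return bytes([len(data) + 1, ad_type]) + data


def rolling_id(day_key: bytes, interval: int) -> bytes:
    # Stand-in PRF (assumption): the real design uses AES-128 here. Time
    # enters only as the interval number, so nothing extra is transmitted.
    msg = b"EN-RPI" + bytes(6) + struct.pack("<I", interval)
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


def build_payload(rpi: bytes, metadata: bytes) -> bytes:
    return (ad(0x01, b"\x1a")                      # flags
            + ad(0x03, EN_UUID)                    # service UUID list
            + ad(0x16, EN_UUID + rpi + metadata))  # 16-byte ID + 4-byte metadata


def free_bytes(payload: bytes) -> int:
    return LEGACY_ADV_MAX - len(payload)


def matches(day_key, first_interval, seen_rpi, seen_at, tolerance=1):
    """Match-time check: is seen_rpi one of the key's 144 identifiers, and was
    it observed within `tolerance` intervals (assumed value) of its own?"""
    seen_interval = seen_at // INTERVAL_SECONDS
    for i in range(first_interval, first_interval + 144):
        if hmac.compare_digest(rolling_id(day_key, i), seen_rpi):
            return abs(seen_interval - i) <= tolerance
    return False


if __name__ == "__main__":
    key, start = bytes(range(16)), 2656800   # constructed key and interval
    rpi = rolling_id(key, start + 5)
    print("free bytes:", free_bytes(build_payload(rpi, bytes(4))))
    print("replay, same interval:", matches(key, start, rpi, (start + 5) * 600 + 300))
    print("replay, one hour late:", matches(key, start, rpi, (start + 11) * 600))
```

With zero bytes free, a 64-byte Ed25519 or ECDSA P-256 signature cannot be appended, and a rebroadcast inside the tolerance window passes the same check as the original observation.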


I'm an advocate that where possible all code paid for by the Irish Government should have to be open sourced under an MIT licence. It's bonkers this is not more widespread practice.


At a minimum it should be free to the people of Ireland in some legalese way. Much simpler just to go full open source.


Instead of MIT license, I would open it under Trinity license.


Sell it to the UK who insisted on _not_ using ExposureFramework because they knew better.

Except they didn't.


The FT reported last week that the new UK app will be based on this code, apparently.

I personally find this hilarious, but good as compatibility between the apps is really important given the existence of the Common Travel Area between Ireland and the UK.


It will be, just a shame it cost them many millions of pounds, wasted time and lives to arrive at the same conclusion that the technology industry has been repeatedly shouting at them for months now.

British exceptionalism at its finest: "Why would we do this easy thing when we can do it worse ourselves?"


Except of course, they had reasonable reasons for not wanting to go the Apple/Google route.

That route is designed for applications to alert users that they may have come in contact with someone else who was infected.

But its privacy focus means that it doesn't help health authorities trying to spot geographical clusters early.

The UK government want to use the app as part of its track and trace system to identify the need for local lockdowns.


Yeah, and Singapore - which originally inspired all these Covid-19 tracing apps - is still refusing to go the Apple/Google route for the same reason. There's also a chronological issue, with the original app being well into development when Google and Apple released their approach. But fundamentally, this isn't about facts - it's about the British press having turned Covid-19 into a cynical, Brexit-related partisan football. Somehow starting development early and co-operating with countries like France and Germany on a shared approach turns into letting people die through "British exceptionalism", merely through the media carefully omitting the details that contradict that narrative and letting readers fill them back in differently in their heads.


The trust in MSM in the UK is currently very low. You've expressed exactly why this is the case.


My trust in those who blame the "MSM" for everything is even lower.


reasonable reasons: also known as plausible deniability for shoveling good money after bad in no-bid contracts to their cronies.

If a government wants to monitor infection clusters, maybe they should work with the carriers and inject that code into the baseband?


Errr, they could do that. Or they could commission an app.


Sure. That's true. Except _everyone_ told them that it wasn't possible.

It isn't possible, and it never was. At least not using something that's smart-phone based.


I think smartphone based contact tracing and notification that uses actual geolocation might well work, but the whole advantage of the minimally disclosive smartphone apps based on BT radio was that they didn't share your every movement with big brother.

There seem to broadly have been three schools of thought:

1) Because of how radio propagation works, BT based contact tracing simply will not work.

2) BT based contact tracing will work but if Apple/Google don't support it through special permissions / an API then it will not work in practice.

3a) BT based contact tracing will work and workarounds can be designed even without phone OEM special treatment.

3b) Phone OEMs can be pressured to support our app.

NHSX was either in camp 3a or 3b, their view was that without certain characteristics that neither Apple nor Google were willing to support, it wouldn't be particularly useful. We don't know whether they genuinely thought they might be able to change the OEMs' minds about this or whether they thought they could get their (admittedly very clever) system of ping pong keepalive signals to work. Incidentally, in lab and controlled conditions, it did work. If you switch on the app on your iPhone and then walk into a crowd, it works. That's because there will be enough Android devices around to ping your app into life. The problem is that if you switch the app on at home, walk down an empty street to your train station, and then get on the train, the app will have backgrounded already by the time you're back in BT range of an Android device. This is the kind of thing where it is really easy to say ahead of time that it isn't likely to work but impossible to know for sure.

Many others here on HN were in camp 2. They believed that BT contact notification was possible and useful but that in practice, it would not be possible to make it work on iPhones without special treatment from Apple. That has proved correct.

However it may be the case that in everyone's collective excitement, not enough people listened to RF engineers in camp 1. I think it was easy for people without much RF experience to think that while this would be an obstacle, it was still much better than nothing.

It now looks like they were indeed right, in a very wide class of enclosed space situations like buses, it just doesn't work at all. Once you remove public transport (I assume trains will have the same issue) as a use class, why does this even add anything to human contact tracing? Since in many places we are already requiring all restaurants and bars to keep contact details for every person in a party, that seems well covered. Most other interactions will be subject to traditional contact tracing.

Additionally it seems (and this may be UK specific, but I bet not) that one of the outcomes of the Isle of Wight trial was that people really did not like finding out that they would have to self isolate for 14 days from an app notification. It just doesn't have the gravitas of a human being calling and asking you to do it. I have to admit that I would not have guessed that. I suspect I share some personality traits with other HN users in that I would not in fact mind receiving that information from an app.


> just a shame it cost them many millions of pounds

It's not wasted if it goes to your mates as a kickback.


I think it may be Gibraltar's app that is based on this code:

'Mr Johnson claimed on Wednesday that “no country in the world has a working contact-tracing app”. But the German app has been downloaded 13m times and Gibraltar’s has had good initial take-up.

The British territory started working on a tracing app based on open source code developed by the Irish government and the Google-Apple platform in early May. As the UK was taking the decision to scrap its £12m app effort on June 18, Gibraltar launched its version.

Officials estimate a fifth of the population has downloaded it so far, at a cost of less than £100,000.'

Not sure (from a quick read) if the rest of the UK is going to go with the same/similar codebase.

https://www.ft.com/content/9446192a-aff1-4e95-93fb-a5adfbc7b...


That's the article I read, so apparently I'm wrong. I do know Northern Ireland is using the same app though, which is good.


Swiss app is also getting good download traffic.


They are planning to use the same Google Play Services APIs. The code base is likely to be separate.

https://www.bbc.com/news/amp/technology-53095336


Got a link? That's truly hilarious. As an Irishman I hope Dominic Cummings reads this, as he looks for things on HN reference so he may keep up appearances as an "intellectual".


Given that the UK already has an ExposureFramework based app (albeit unreleased) and that the German implementation has been open sourced for weeks, I'm not sure why they would buy it.


Any reason for me not to use this? As someone living in Ireland who uses a smartphone and whose security model doesn't include worrying about targeted attacks by nation-level actors, but would like to avoid everything else.

From skimming respectable non-technical sources it's apparently not very invasive of my privacy, and won't kill my battery. But this is likely copied from the HSE press release, I'd like to hear the same from an independent reviewer.


There is absolutely no reason not to use this.

In fact, using this app will be helpful, as long as enough people do it. So you should definitely use it.


To answer my own question, the top comment from urschrei links to an analysis from the Irish Council for Civil Liberties and Digital Rights Ireland, giving it a "C+ grade" on its adherence to "experts' best practice principles regarding government surveillance technologies".


Yeah and that "analysis" is more nitpicking and cheap criticism rather than actual issues

Because complaining that a Covid contact tracing app includes symptom tracing is just ridiculous


I like their molecules, atoms, organisms approach to component organization. I hadn't seen that terminology used in an app before but it was immediately intuitive.

https://github.com/HSEIreland/covid-tracker-app/tree/master/...


This is from Atomic Design[0], but are you commenting on the right article?

[0] https://bradfrost.com/blog/post/atomic-web-design/



Right you are, thank you!


We'll move it. You can edit the 'wrong thread' bit out if you want.


On a related note, anything that pushes OSS for government is IMO a Good Thing - forgive my usual self promotion here - http://oss4gov.org/manifesto


Timely reminder for everyone that there is as of yet no evidence that Apple/Google/DP3T/ExposureFramework based apps deployed in the wild actually work effectively. They've been deployed in a number of countries but there is currently insufficient available data to show that they actually work.

(of course we also know that limited disclosure apps not based on this framework developed in Australia, the UK, and France definitely don't work because of bluetooth issues)

(edited to add

See this paper out of Ireland: https://www.scss.tcd.ie/Doug.Leith/pubs/bus.pdf

One of the best use cases for apps like this is public transport, except that it doesn't seem to work on buses. Hopefully it works better on trains but given the similarly complex metal environment, I wouldn't hold out much hope.)


It partially works as in it gives people who live in a technological society (like ours) the illusion and hope that technology can solve problems that don't have immediate technology-related solutions (if at all).

Tracker apps are partially what the massive TSA-implementation programme was in the States post 9/11, i.e. security theater combined with the illusion that the dominant paradigm of that time (force/projecting power in the early 2000s, technology in our present times) is a silver bullet.


Have any US-based health authorities deployed contact tracing apps? Back in May, they were going to be coming soon, and I've not heard anything since.


I think North Dakota has something.



Honestly, to me I feel the entire concept of 'apps' has been an abysmal failure. There's no evidence to suggest they've helped in any capacity. I think any contact tracing system is far more effective than using BT which was never designed to be used in such a capacity and feels more of a best-case 'hack' with current smartphone technology.

History will look at these 'apps' and will make conclusions based on their effectiveness, and the ones that are more privacy preserving will likely not rate highly on impact or usefulness.

If anything, this pandemic has enabled authoritarian regimes the capability of monitoring their populace 24/7 with wearable gadgets and apps that collect location/contact and other information.

To me, it highlights the importance of not using apps where possible and further highlighting how smartphones are spies for the governments around the world.


This data is intended to be used in concert with manual contact tracing, not instead of it. The problem with contact tracing, as people get more mobile, is that while you can say "I was in contact with my friend X" you probably can't tell the contact tracer the name of the person sitting behind you in the restaurant. This will help with that, potentially.


The problem is that they are currently not mandatory (at least in most countries).

I think Apple and Google should make contact tracing built-in and on by default, plus ideally there should be enforcement of activation by all places that require to pass a thermal scanner to enter.

The Apple/Google protocol is privacy preserving, so there is no "spy" concern.



