
NHS open-sources contact tracing iOS and Android apps - orangepanda
https://github.com/NHSX
======
stephenheron
Some quite interesting stuff around how they might be getting around the
background iOS restrictions[1] can be found in the Android source.

Looking at the Apple documentation on background peripheral bluetooth, they
state "All service UUIDs contained in the value of the
CBAdvertisementDataServiceUUIDsKey advertisement key are placed in a special
“overflow” area; they can be discovered only by an iOS device that is
explicitly scanning for them"[2]

I wonder if they have managed to reverse engineer this overflow area so it is
accessible via Android.

Someone did some looking into this and it seems at least feasible[3]

[1]: [https://github.com/nhsx/COVID-19-app-Android-BETA/blob/maste...](https://github.com/nhsx/COVID-19-app-Android-BETA/blob/master/app/src/main/java/uk/nhs/nhsx/sonar/android/app/ble/Scanner.kt#L58)

[2]: [https://developer.apple.com/library/archive/documentation/Ne...](https://developer.apple.com/library/archive/documentation/NetworkingInternetWeb/Conceptual/CoreBluetooth_concepts/CoreBluetoothBackgroundProcessingForIOSApps/PerformingTasksWhileYourAppIsInTheBackground.html)

[3]: [https://crownstone.rocks/2018/06/27/ios-advertisements-in-th...](https://crownstone.rocks/2018/06/27/ios-advertisements-in-the-background)
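To make the overflow-area point concrete, here is an added example (my own, not code from the NHSX repositories or from the Crownstone post): a minimal parser for the advertising-data (AD) structures a BLE scanner receives, run over two constructed advertisements. In the first the 128-bit service UUID is an ordinary AD field that a UUID-filtered scan can match; in the second, as Apple's documentation describes for a backgrounded peripheral, there is no service-UUID field at all, only Apple manufacturer-specific data. The service UUID, flags bytes and the contents of the manufacturer data are constructed; the real overflow-area encoding is not decoded here.

```python
# Added example (not from the NHSX repositories or the thread): a minimal
# parser for the advertising-data (AD) structures a BLE scanner receives.
# It shows what a scanner sees when a service UUID is an ordinary AD field
# versus when iOS has moved it into the Apple manufacturer-specific
# "overflow" area (whose internal layout is deliberately not decoded here).
import uuid

AD_FLAGS = 0x01
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_COMPLETE_128BIT_UUIDS = 0x07
AD_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C  # Bluetooth SIG company identifier assigned to Apple

# Constructed service UUID standing in for whatever a real app advertises.
SERVICE_UUID = uuid.UUID("c1f5983e-6d2a-4e0b-9b1d-0123456789ab")


def encode_ad(ad_type: int, data: bytes) -> bytes:
    """One AD structure: [length][type][data]; length counts type + data."""
    return bytes([len(data) + 1, ad_type]) + data


def parse_ad_structures(payload: bytes):
    """Split raw advertising data into (ad_type, data) tuples."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:            # zero-length padding ends the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def service_uuids(payload: bytes):
    """Service UUIDs an ordinary UUID-filtered scan can match on."""
    found = []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (0x02, AD_COMPLETE_16BIT_UUIDS):     # 16-bit UUIDs, little-endian
            for j in range(0, len(data) - 1, 2):
                short = int.from_bytes(data[j:j + 2], "little")
                found.append(uuid.UUID(f"0000{short:04x}-0000-1000-8000-00805f9b34fb"))
        elif ad_type in (0x06, AD_COMPLETE_128BIT_UUIDS):  # 128-bit UUIDs, little-endian
            for j in range(0, len(data) - 15, 16):
                found.append(uuid.UUID(bytes=bytes(reversed(data[j:j + 16]))))
    return found


def apple_manufacturer_data(payload: bytes):
    """Raw Apple manufacturer-specific bytes, or None if absent."""
    for ad_type, data in parse_ad_structures(payload):
        if (ad_type == AD_MANUFACTURER_SPECIFIC and len(data) >= 2
                and int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID):
            return data[2:]
    return None


# Foreground-style advertisement: the service UUID is an ordinary AD field.
FOREGROUND_ADVERT = (encode_ad(AD_FLAGS, b"\x06")
                     + encode_ad(AD_COMPLETE_128BIT_UUIDS, SERVICE_UUID.bytes[::-1]))

# Background-style advertisement: no service-UUID field at all, only Apple
# manufacturer data (contents constructed; not a real overflow-area encoding).
BACKGROUND_ADVERT = (encode_ad(AD_FLAGS, b"\x1a")
                     + encode_ad(AD_MANUFACTURER_SPECIFIC,
                                 APPLE_COMPANY_ID.to_bytes(2, "little") + b"\x01" + bytes(16)))

if __name__ == "__main__":
    print("foreground:", service_uuids(FOREGROUND_ADVERT))
    print("background:", service_uuids(BACKGROUND_ADVERT), apple_manufacturer_data(BACKGROUND_ADVERT))
```

The practical consequence for a scanner on the other platform is visible in the output: a filter on the service UUID matches the first advertisement and not the second, so anything that wants to find backgrounded iOS peers has to look at the manufacturer-specific field instead.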

~~~
crushthecurve
It's interesting to consider that Bluetooth cannot be used to estimate
distance between two devices in any meaningful way in real-world environments.

A recent article [1] confirmed this in interviewing the inventors of
Bluetooth.

The environmental factors were explored in a recent conference on contact
tracing [2] with leading researchers.

So in a UK context, what is the plan in dealing with the huge number of false
positives captured by this system, which in reality cannot estimate a 2 metre
distance?

The Australian COVIDSafe app sends all contacts in Bluetooth distance, which
obviously includes people in other rooms, and on entirely different levels of
a building - because there's no directional information.

Separate to the issue of proximity is the issue that this system cannot really
work unless it's mandatory, as others have outlined.

Do any purported health benefits have to be modelled, proved and measured
against the issues of shifting Western society to one which requires mandatory
install and carry of a mobile phone which records all nearby devices?

It gets us closer to a society where political actors will be tempted to
provide a rationale which justifies permanent extreme surveillance of
citizens.

The limited analysis of the particular client implementations appears to miss
this wider geopolitical point, and responsible technologists might want to
consider these more carefully.

In the Australian situation all we are currently told is that if the app
registers you as a close contact then it is used for 'usual contact tracing'
and that contact tracing involves determining whether you are a 'close
contact' and have to self-isolate for 14 days - a huge cost in a re-opened
society if it is an unnecessary false positive.

It's been quite strange to see leading technologists such as Mike Cannon
Brookes of Atlassian and Troy Hunt of HaveIBeenPwned strongly urge Australians
to download it as an 'unequivocally safe app' when the most important part -
the server-side algorithm to 'guesstimate' proximity - has not been shared by
the Australian Government [3].

How can a technologist give the thumbs up to a proximity app when there is no
evidence of it reliably estimating proximity in the real-world scenarios it is
meant to operate in?

[1] [https://theintercept.com/2020/05/05/coronavirus-bluetooth-co...](https://theintercept.com/2020/05/05/coronavirus-bluetooth-contact-tracing/)

[2] [https://www.youtube.com/watch?v=KgKbllhgESc&feature=youtu.be...](https://www.youtube.com/watch?v=KgKbllhgESc&feature=youtu.be&t=2988)

[3] [https://www.abc.net.au/news/science/2020-05-06/coronavirus-c...](https://www.abc.net.au/news/science/2020-05-06/coronavirus-contact-tracing-app-covid-safe-lockdown-lift/12217146)

~~~
g_p
Interestingly, and purely anecdotally (so not designed to replace the study
itself), I've been experimenting with the RSSI being reported by the NHSx app
through the debug menu. At least based on what I've seen so far on my devices
(and noting the NHSx model considers device model ID to allow for antenna
variations going forwards), there was a ~25 dBm change in signal strength
(from -32 to around -57) between phones being sat together, and through a wall
yet still close.

Clearly this is going to vary depending on building construction, but I
suspect the most relevant factor will be determining whether a contact event
takes place through a wall or not. The real question is whether or not this
can be modelled into the app and it proves reproducible.

My understanding is there's no claimed intention to measure the 2m distance,
and this is accepted as a known factor, at least for now. I suspect in an
indoor setting the initial challenge will be preventing spurious triggers from
indoor use (although arguably if people are that close they might live in an
apartment block, and they could have been exposed through contact with door
handles or lift buttons etc). But once people are outside more and returning
to normality, all bets seem to be off - I imagine a lot of false positives.

My instinct would be that contact exposure duration will become more of a
factor than the RSSI, or that a min/max/median/standard deviation might be
captured in addition to a "raw" RSSI, to perhaps get a better idea. If the
RSSI never goes "above" -60 (noting it's a negative number) then that's not
likely to be a hugely close contact event.
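As an added illustration of the per-contact statistics suggested above (my own example, not code from the NHSX app), this summarises the RSSI samples of one contact event into min/max/median/standard deviation and duration, and applies a constructed rule that uses the median rather than the peak so that a single strong reflection does not make a through-the-wall neighbour look like a close contact. The three sample logs and the one-minute duration threshold are constructed; the -60 dBm figure is the one from the comment.

```python
# Added example, not code from the NHSX app: summarise the RSSI samples of
# one contact event into the min/max/median/standard-deviation figures the
# comment suggests, then apply a constructed rule that weighs signal
# strength together with contact duration.
import statistics

# Constructed sample logs: (seconds since first sighting, RSSI in dBm)
SAME_ROOM = [(0, -35), (30, -32), (60, -40), (90, -38), (120, -33), (150, -37)]
THROUGH_WALL = [(0, -58), (30, -63), (60, -61), (90, -66), (120, -60), (150, -64)]
BRIEF_PASS = [(0, -34), (5, -36)]

CLOSE_RSSI_DBM = -60   # "never goes above -60" threshold from the comment
MIN_DURATION_S = 60    # constructed; a real model would calibrate this


def summarise(samples):
    """Per-contact statistics; population std-dev is 0 for a single sample."""
    rssi = [r for _, r in samples]
    times = [t for t, _ in samples]
    return {
        "samples": len(rssi),
        "duration_s": times[-1] - times[0],
        "min": min(rssi),
        "max": max(rssi),
        "median": statistics.median(rssi),
        "stdev": statistics.pstdev(rssi) if len(rssi) > 1 else 0.0,
    }


def classify(samples):
    """Median rather than peak RSSI, so one reflection does not promote a
    through-the-wall neighbour to a close contact."""
    s = summarise(samples)
    if s["median"] < CLOSE_RSSI_DBM:       # weaker than -60 dBm for most of the event
        return "not close"
    if s["duration_s"] < MIN_DURATION_S:   # strong but too short to matter
        return "close but brief"
    return "close and sustained"


if __name__ == "__main__":
    for name, log in [("same room", SAME_ROOM), ("through wall", THROUGH_WALL),
                      ("brief pass", BRIEF_PASS)]:
        print(f"{name:13s} {classify(log):20s} {summarise(log)}")
```

Keeping the summary rather than the raw sample stream is also the privacy-friendlier choice: a handful of numbers per contact says far less about where two phones were than a timestamped RSSI trace does.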

~~~
7952
I wonder if WiFi connection information could help. Being on different
networks would suggest greater social distance.

~~~
g_p
During current "distance under all circumstances, stay at home", that is
likely going to be true (modulo people using multi-AP setups that aren't
meshed under one SSID, assuming you use SSID, or who use 2.4 and 5 GHz SSIDs).

Going forward though, I imagine that as restrictions loosen, the usefulness of
WiFi connections would drop significantly, as people aren't always at home. It
would also not really help in the workplace, assuming a large campus WiFi
setup, since everyone would probably be joined to the same network anyway.

The challenge would be privacy - you'd have to send some kind of information
(or unique derivative) of the BSSID/SSID, which would introduce some privacy
impact too. At that point, assuming you got access to the hashed SSID/BSSIDs,
someone like Google with a street view dataset of AP MAC addresses could
"enrich" the anonymised dataset with "ordinary location".

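The "enrichment" worry above is easy to show with a few lines, so here is an added example (mine, not from the thread or any app): a bare hash of a BSSID is only as private as the set of BSSIDs a third party can enumerate, because whoever holds a catalogue of access-point MAC addresses can rehash the catalogue with the same public function and join it against uploaded values. A keyed hash under a secret the catalogue holder does not have removes that join. The catalogue, addresses and place names are constructed.

```python
# Added example (not from the thread or any app): why an unkeyed hash of a
# BSSID is not an anonymisation against a party holding an AP catalogue,
# and how a keyed hash under a secret that party lacks closes the gap.
import hashlib
import hmac
import secrets

# Constructed catalogue standing in for a street-level AP survey dataset.
AP_CATALOGUE = {
    "00:11:22:33:44:55": "Example Street 1",
    "66:77:88:99:aa:bb": "Example Street 2",
    "cc:dd:ee:ff:00:11": "Example Office Campus",
}


def plain_hash(bssid: str) -> str:
    """Public, unkeyed function: anyone can recompute it for any BSSID."""
    return hashlib.sha256(bssid.lower().encode()).hexdigest()


def keyed_hash(bssid: str, key: bytes) -> str:
    """HMAC under a deployment secret; cannot be recomputed without the key."""
    return hmac.new(key, bssid.lower().encode(), hashlib.sha256).hexdigest()


def enrich(uploaded: list, catalogue: dict, hasher) -> dict:
    """What a catalogue holder can recover: hash every known BSSID with the
    public function and look the uploaded values up."""
    lookup = {hasher(b): place for b, place in catalogue.items()}
    return {h: lookup[h] for h in uploaded if h in lookup}


def demo():
    seen = ["66:77:88:99:aa:bb"]          # one AP a user's phone reported (constructed)

    # Scheme 1: unkeyed hash. The catalogue holder rehashes and joins.
    plain_upload = [plain_hash(b) for b in seen]
    plain_result = enrich(plain_upload, AP_CATALOGUE, plain_hash)

    # Scheme 2: keyed hash. The catalogue holder only knows the public function.
    key = secrets.token_bytes(32)          # held by the health service only (constructed)
    keyed_upload = [keyed_hash(b, key) for b in seen]
    keyed_result = enrich(keyed_upload, AP_CATALOGUE, plain_hash)
    return plain_result, keyed_result


if __name__ == "__main__":
    print(demo())
```

The keyed variant only moves the trust: whoever holds the key can still rehash a catalogue, and two users under the same key still upload the same value for the same network, so the real question the comment raises is whether network identifiers should leave the phone at all.
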
------
jamieweb
I'm delighted to see that they have a vulnerability disclosure program for the
app too [1].

That's fairly rare for the public sector - the UK Gov and NCSC are really
leading on this sort of stuff.

[1] [https://github.com/nhsx/COVID-19-app-iOS-BETA/blob/master/SE...](https://github.com/nhsx/COVID-19-app-iOS-BETA/blob/master/SECURITY.md)

~~~
IshKebab
Agreed. I think the decision to go it on their own and not use Google/Apple's
API is completely bone-headed and won't work at all. But given that they made
that decision, everything else they've done seems pretty good.

------
tomduncalf
There’s some good initial investigation into this at
[https://reincubate.com/blog/staying-alive-covid-19-backgroun...](https://reincubate.com/blog/staying-alive-covid-19-background-tracing/),
which I posted to
[https://news.ycombinator.com/item?id=23108867](https://news.ycombinator.com/item?id=23108867)
in case it warrants a separate discussion.

Sounds like their approach is fairly privacy conscious and clever in terms of
taking advantage of how each platform works - whether it works well enough and
whether people will use it despite “not using the Apple/Google way” I guess we
will see

~~~
danieltillett
Tom do you know if anyone has told the developers of the useless Australian
app about this?

~~~
tomduncalf
I’d be amazed if they weren’t aware of it. It does sound like they’ve found
ways round some of the issues.

Whether it is worth the trade-offs vs the Google/Apple system remains to be
seen, but the fact that they’ve released the source already and people smarter
than me seem impressed is a better situation than I expected it to be in. Also
good to hear they may be open to switching to the Apple/Google way if needed.

Hopefully contact tracing apps prove to be helpful given the amount of hope
being put in them!

~~~
danieltillett
Yes. There seems to be a huge amount of hope invested in these apps with
little evidence they will make much difference.

~~~
chimprich
Given the human and economic cost of this virus, "not much" difference in R
could still make it worth it. It's supposed to complement human tracing and
social distancing, not control the virus spread on its own.

If it allows you to reopen some business sectors, say, half a week earlier, I
can't imagine that wouldn't pay for the resources invested in the app.

There has been some modelling carried out that suggests use of the app would
be worth it, but even with a level of uncertainty it seems like it's worth
trying.

~~~
g_p
There's one other angle too here - a future version of the UK app will give
people feedback on their level of distancing via a "social mixing score",
which is basically the number of unique people they were recorded as being in
contact with per day. This looks like it will give people an idea of "You were
close to X people today, and really close to Y people".

"Close" will be locally determined, probably based on the RSSI model and
duration of contact. This will give people feedback on how well they are
distancing.

There's a lot of research which shows people struggle to know if they are
doing well without feedback, and that people's perception of how well they can
do it will influence if they try.

Couple this with a differential privacy daily voluntary "upload" (add a
random, zero-mean number sampled from a normal distribution to their daily
number) and people can find out if they're doing well, or if others are
reducing contact more. NHS also gets an idea of average number of contacts and
close contacts, and nobody actually needs to reveal their own number.
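The noisy-upload idea is worth seeing in numbers, so here is an added simulation (mine, not code from the NHS app): every phone adds zero-mean Gaussian noise to its daily contact count before uploading, and the server averages what it receives. Over many users the population mean survives almost untouched while any single report is dominated by its noise. The user counts, the noise standard deviation and the user population are constructed; a real deployment would pick the noise scale from a privacy budget, clamp counts to a fixed range, and account for the same user uploading on many days.

```python
# Added example, not from the NHS app: the "add a zero-mean Gaussian sample
# to your daily count before upload" idea, simulated for many users to show
# that the population average survives while each individual report is
# dominated by noise. NOISE_SIGMA and the daily counts are constructed.
import random
import statistics

NOISE_SIGMA = 5.0   # constructed; a real deployment derives it from a privacy budget


def noisy_report(true_count: int, rng: random.Random, sigma: float = NOISE_SIGMA) -> float:
    """What one phone uploads: its count plus N(0, sigma^2) noise."""
    return true_count + rng.gauss(0.0, sigma)


def simulate(n_users: int, seed: int, sigma: float = NOISE_SIGMA) -> dict:
    """Simulate one day's voluntary uploads and the server-side average."""
    rng = random.Random(seed)
    true_counts = [rng.randint(0, 20) for _ in range(n_users)]     # constructed daily counts
    reports = [noisy_report(c, rng, sigma) for c in true_counts]
    return {
        "true_mean": statistics.mean(true_counts),
        "reported_mean": statistics.mean(reports),               # what the server learns
        # Average distance of one upload from the count it came from: the
        # server cannot read an individual's count back out of their report.
        "per_report_error": statistics.mean(abs(r - c) for r, c in zip(reports, true_counts)),
    }


def feedback(my_count: int, population_mean: float) -> str:
    """The on-device comparison a user could be shown; the true count never leaves the phone."""
    return "below average" if my_count < population_mean else "at or above average"


if __name__ == "__main__":
    result = simulate(n_users=20_000, seed=7)
    print(result)
    print(feedback(my_count=4, population_mean=result["reported_mean"]))
```

Averaging over N reports shrinks the noise on the mean by a factor of roughly the square root of N, which is why the aggregate is usable even though each upload is deliberately wrong by several contacts.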

------
londons_explore
> Each two hours, we merge any changes from master into internal

Not hiding the fact the published source code isn't that built into the app
then...

~~~
m0xte
Yes indeed. I'm not buying it isn't patched in some way before it's pushed to
any app stores. Especially with all the noise beforehand about how it operates
and the involvement of GCHQ/NCSC in development.

Edit: some digging. NHSX is run by Matthew Gould. Former Israel diplomat and
tied via UK-Israel technology hub to NICE (Neptune Intelligence Computer
Engineering) Ltd which is a former Israeli army surveillance and data security
company among other functions.

So basically a hotpot of reasons not to install this thing.

~~~
sixstringtheory
It's the same story as with Signal for iOS. How do we know the version
downloaded from the App Store is the same code hosted on GitHub? I'd like to
have the option to sideload it. Clearly that would involve some work on their
backend, but I think that's fairer than the stuff described in this Signal
GitHub issue [0] and Telegram's website [1] regarding the same thing.

EDIT: if I'm wrong please leave some details for myself and others to learn
more. I've worked on iOS apps for several years, and as far as I know there's
no way to verify if an app downloaded from the App Store was compiled from a
particular code revision. Even the same code compiled on separate machines can
produce different unique binary IDs. And on the scale of difficulty, I'd say
that sideloading is less difficult than jailbreaking, if that method even
really works for this problem.

[0]: [https://github.com/signalapp/Signal-iOS/issues/641](https://github.com/signalapp/Signal-iOS/issues/641)

[1]: [https://core.telegram.org/reproducible-builds#reproducible-b...](https://core.telegram.org/reproducible-builds#reproducible-builds-for-ios)

~~~
withzombies
It's not possible to side-load iOS apps and still get push notifications.
Also, Apple doesn't allow you to distribute applications outside of the app
store (unless you violate the terms of your enterprise developer account).

~~~
saagarjha
While I'm not an expert on push notifications, shouldn't you be able to
receive push notifications if you entitle your application for them and create
the right certificate online?

~~~
sixstringtheory
This is my understanding. You would have to register your device in ADP and
create an ad-hoc certificate for the app. If people are doing this on their
own ADP accounts, then they're just testing their own builds, not receiving an
enterprise deployment from some single developer.

------
aboringusername
From [1]:

// TODO: We need a real device to test Bluetooth scanning if
isMultipleAdvertisementSupported == false

// TODO: We need analytics to identify number of devices that fall into this
bucket

I don't know whether to laugh or cry reading those comments, the fact that
this is a "to do" whilst the app is in "testing" and the fact they've decided
the appropriate procedure is to reinvent the work Google and Apple have
already done.

Google already published their code/APIs in [2]. I'm sure these considerations
are taken care of by the framework the OS vendors have published themselves.
It's absolute pure arrogance that anyone would even attempt to re-create the
work that is being done at the OS level and not 'fall in line'. Germany back
tracked, Australia back tracked, and the UK too, will back track and implement
Google's APIs.

In a time where the message is "saving lives", those TODOs are not living up
to that motto. This app is a complete waste of time, resources and money. Use
the official APIs and be done with it, anything else is putting people in
harm's way because you think you "know best". The UK government claimed they
reached 100k tests, fudged the numbers, and haven't hit that target since. But
it's okay, they'll hit 200k by the end of this month too!

Pure 100% incompetence.

[1]: [https://github.com/nhsx/COVID-19-app-Android-BETA/blob/maste...](https://github.com/nhsx/COVID-19-app-Android-BETA/blob/master/app/src/main/java/uk/nhs/nhsx/sonar/android/app/DeviceDetection.kt)

[2]: [https://github.com/google/exposure-notifications-android](https://github.com/google/exposure-notifications-android)

~~~
ealexhudson
This app is many things, but it does not reimplement the Google/Apple scheme,
and works very differently. If you believe knowing contacts who tested
positive is enough, the Google/Apple scheme is fine. If you need to know
earlier and/or risk assess based on exposure, only the NHSX approach works. It's
not a clear cut Central v Not Central decision.

~~~
aboringusername
Yet, reading a recent report in [1]:

"The NHS contact-tracing app must not be rolled out across the UK until the
government has increased privacy and data protections, an influential
parliamentary committee has said".

The app requests location permission on Android, something that Google doesn't
allow when using their implementation.

I suspect this app, in this form, is DOA and will be quickly replaced. Even if
they do somehow roll it out widely, there are concerns in [2] about its
effectiveness working in the background. This app is a complete disaster, and
will be unviable for the mass tracing they will want to conduct. They've
pushed and pushed for "why" a centralized approach is the "right" one, made
blog posts, issued justifications.

Yet the app isn't likely to see mass adoption and isn't going to work due to
restrictions within the OS. This app represents the disastrous approach the
government took to this virus. Flip flopping around, shutting down way too
late, no clear guidelines or approach, and a high death rate to solidify their
failure. Then, they decide the official approach is "wrong" or "not good
enough".

Heads should roll over this.

[1]: [https://www.theguardian.com/world/2020/may/07/uk-coronavirus...](https://www.theguardian.com/world/2020/may/07/uk-coronavirus-contract-tracing-app-could-fall-foul-of-privacy-law-government-told)

[2]: [https://github.com/nhsx/COVID-19-app-iOS-BETA/issues/2](https://github.com/nhsx/COVID-19-app-iOS-BETA/issues/2)

~~~
ealexhudson
Location permission is a technical requirement for using Bluetooth in this way
because of beacons.

Lots of people keep saying the app can't work due to restrictions. Maybe, I'm
not sure that has really been shown yet. A lot of the criticism doesn't really
withstand the light of day.

~~~
aboringusername
The problem is, there's no way to disassociate the two flaws with this:

1: people see "government app wants your location"

2: the government possibly using that location access at a later time

I don't want to accept location on a government app, and the UK has some
history with facial recognition cameras and other privacy invasive laws. So
there's no way for me to know this location is _only_ for them to use BT LE
and they won't make an API call to getLocation and uploadLocationToServer. I
assume once you grant location permission even for BT LE purposes it can be
(ab)used in some other way.

They've made their own bed with their actions, public confidence might not
trust an app like this with a permission like that.

~~~
jka
It's probably exactly your concern about the ability for apps with network
access to upload user data that led the Android team to introduce the
locations permissions for BLE identifier scanning.

Without a location requirement, an app could claim to use only Wi-Fi and BLE
permissions, yet it could combine beacon scanning and data access to de-
anonymize user locations.

This permission requirement was introduced in Android 6.0 (see the release
notes[1]) in October 2015, so it's been around for a while.

If you have some suggestions around how to improve the tracking of permission
usage (static analysis? run-time requests (preferably avoiding times when
users are under duress and likely to click 'OK' by default)?) then you may
wish to file some requests with them and/or contribute to other projects that
you feel are taking a better approach.

Your concerns around trust in app developers -- regardless of whether they are
a government or any other entity -- are best handled by two means:

- Open sourcing the code (which NHSX have done)

- Enabling reproducible builds[2] so that users can confirm they have an
authentic binary build of the source code

[1] - [https://developer.android.com/about/versions/marshmallow/and...](https://developer.android.com/about/versions/marshmallow/android-6.0-changes#behavior-hardware-id)

[2] - [https://reproducible-builds.org/](https://reproducible-builds.org/)

~~~
antpls
I may be misunderstanding this thread, but what the parent is saying is that
the BLE permission in Android was _never_ meant for privacy focused contact
tracing, and you are saying this is not a secret.

This is why Google and Apple developed the Exposure API, which is more private
because it doesn't save as much metadata as the classical BLE permission,
and at least Google does _not_ allow apps to declare both the Exposure API and
the location permission at the same time.

This gives more guarantees to the users than just trusting the app developers.

In other words, any serious privacy-focused contact tracing app should use
the Google/Apple Exposure API, and not a custom-made solution on top of the
older BLE permissions.

However, I still think digital contact tracing, even private, is a bad idea.

------
azinman2
I’m shocked to see all the Firebase and Google analytics in there. I‘m quite
surprised that a gov built app would include this. Disappointing from the UK
(along with the fact that they really just should use the Apple/Google
framework to begin with, which will in the end better integrate with the
device and thus will perform better from a technical perspective).

~~~
RandallBrown
I assume they want to know if people are actually using this app and I don't
know if building an analytics platform is the best way for them to spend their
time right now.

It does undermine any privacy claims they might make.

~~~
AJRF
I agree around usage of Firebase here because no one really knows what data is
being sucked up there but it looks like the intent of usage here is pretty
clean;

If you look at the code Firebase is in there because the push notifications to
notify of infection are sent via Firebase Cloud Messaging.

I also grabbed the Google plist out of the IPA from the app store and it has
analytics turned off.

~~~
Sephiroth87
Then why is the Analytics SDK even there? It’s not required for messaging

~~~
RandallBrown
The directions for integrating SDKs are usually something along the lines of
"Add Firebase to your Podfile", which often adds way more than you need.

Given that these devs were likely in a hurry, it wouldn't surprise me if they
forgot to go back and clean this up after getting it working.

------
tomduncalf
One mildly interesting thing I noticed is that some of the files date back to
12th March (possibly earlier, I’m on my mobile so can’t search properly) -
back before the UK was taking this particularly seriously in public, if I
remember correctly (restaurants and pubs weren’t closed until 20th). Suggests
at least someone realised the gravity of the situation!

------
aclelland
As someone from the UK, I'm really appreciative of all of the people who are
actively looking into the app and highlighting privacy, security and other
concerns.

My main concern with all of the contact tracing apps is that I live near a
very busy road, hundreds of people per day walk past my house and they're
going to be about 3 meters away from my phone, albeit through a brick wall and
a 6' hedge. My concern is that the apps will pick up the random passers-by and
I'll be forced to isolate my family based on a false detection.

Maybe this isn't an issue and these apps will have protection against this
sort of false positive. I've yet to hear either way.

edit: Thanks for all the answers! Definitely helped calm the concerns about
this sort of false-positive.

~~~
chimprich
> I'll be forced to isolate my family based on a false detection.

Installation of the app is voluntary, and there's no sign that's going to
change. Forced installation would probably be politically and logistically
impossible.

If this was a problem, workarounds include deciding that the app wasn't usable
in your situation, or turning off bluetooth on your phone while at home.

------
sschueller
Here is the approach Switzerland is taking [2]. All open source and
decentralised privacy-preserving. Available for any other state to use.

It is the responsibility of the app user to get tested or quarantine
themselves if the app shows you have been in contact. No central authority
knows who you have been in contact with or who you are.

The installation of the App will also most likely be voluntary.

[1] [https://github.com/DP-3T/documents](https://github.com/DP-3T/documents)

[2] [https://github.com/DP-3T/dp3t-app-android-ch](https://github.com/DP-3T/dp3t-app-android-ch)

------
davb
Interesting to see from the docs that it seems to have been built by VMware
Pivotal, rather than an internal NHS(X) team.

~~~
darrenf
This was mentioned by the media some days ago, eg
[https://www.bbc.co.uk/news/technology-52551273](https://www.bbc.co.uk/news/technology-52551273)

------
filleokus
This is again one of those cases where, even though it's nice to see the
source code, it's very hard to verify what's actually running on our devices.
The same case with Signal and other secure messaging apps.

How would a scheme work, that (within the confines of the current App Store
regime) allowed users to verify the source code look? Could Apple/Google maybe
hash every file as part of the compilation/linking process, and then
concatenate that in some way and include it in the signed binary and expose it
in the App Store?

It would be really neat with some process where I can clone a repo on my
machine, run some script and get an identifier, and verify that it is the same
as what is being shown in the App Store on my device.
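The "clone a repo, run a script, get an identifier" half of this is straightforward, so here is an added example of it (mine, not part of any App Store or Play process): a source manifest computed as a digest over (content hash, relative path) pairs in sorted order, which depends only on file names and contents and not on directory walk order, timestamps or ownership. The file tree it writes is constructed. What it does not do is the hard half the comment asks about, namely tying that digest to the binary actually installed, which needs the build itself to be reproducible.

```python
# Added example, not part of any app-store process: a deterministic digest
# over a source tree, built from (content hash, relative path) pairs in sorted
# order so that two independent checkouts of the same sources agree on it.
import hashlib
import os
import tempfile


def manifest_digest(files: dict) -> str:
    """files maps a POSIX-style relative path to its bytes."""
    h = hashlib.sha256()
    for path in sorted(files):                       # order-independent by construction
        h.update(hashlib.sha256(files[path]).hexdigest().encode())
        h.update(b"  ")
        h.update(path.encode())
        h.update(b"\n")
    return h.hexdigest()


def manifest_for_tree(root: str, ignore=(".git",)) -> str:
    """Walk a checkout, normalise paths to POSIX form, hash contents only."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ignore]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return manifest_digest(files)


def demo() -> dict:
    """Write a constructed tree, compare its digest with the in-memory one,
    then flip one byte and check the digest moves."""
    sources = {"app/main.kt": b"fun main() {}\n", "README.md": b"# demo\n"}   # constructed
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sources.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        tree_digest = manifest_for_tree(root)
    changed = dict(sources, **{"README.md": b"# demo!\n"})
    reordered = dict(reversed(list(sources.items())))
    return {
        "matches": tree_digest == manifest_digest(sources),
        "changed_differs": manifest_digest(changed) != manifest_digest(sources),
        "order_independent": manifest_digest(reordered) == manifest_digest(sources),
    }


if __name__ == "__main__":
    print(demo())
```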

~~~
emdowling
It’s pretty simple to reverse engineer an Android binary. While most Android
apps ship with code obfuscation, it’s relatively easy to get around. Using
that method, one could determine if the publicly available app came from the
same source code (it would at least allow you to determine no extra nasty bits
had been added).

iOS is a little harder. If you have the dSYM files it’s pretty trivial to do
the same exercise as Android. NHSX could choose to release them so people could
again verify it more or less matches.

~~~
g_p
There's no obfuscation that I could see on the Android app, which should help
with this. Certainly when looking across to the source release, it was a
familiar codebase (modulo the fact the reversed version was in pseudo-Java,
and the original codebase is in Kotlin).

------
noodlesUK
This is a big step. I’ve previously been pretty against the NHS’s approach
(being mostly centralised etc), but I’m very happy to see that they’ve open
sourced it. Does this also contain the server side that does the matching?

~~~
spzb
No it doesn't. Neither does it include some of the configuration values you
need to build the mobile apps. It looks like this was a last minute political
decision to open source the code in the face of growing public disquiet rather
than a co-ordinated effort.

~~~
g_p
It takes about 5 minutes to obtain the API keys from the Android app to be
able to build it. It was also a pretty well-documented process to get the
Android app to build (unlike some Android "open source" projects that seem to
be designed to be impossible to actually build!)

Open sourcing the app was actually planned all along - when Matt Hancock
announced the app several weeks ago [1], he said it would be open sourced at
the time.

[1] [https://www.theguardian.com/politics/2020/apr/12/uk-app-to-t...](https://www.theguardian.com/politics/2020/apr/12/uk-app-to-track-coronavirus-spread-to-be-launched)

------
Mvandenbergh
Very interesting. We probably won't need it fully up and running for another
week or two so hopefully bugs will be out by then.

For context, there are two ways of doing digital contact tracing.

A centralised system which tracks everyone all the time and runs a central
algorithm for deciding whether someone is at risk on all that data. This is
what China, South Korea, and Taiwan have done. Advantage: it seems to work.
Disadvantage: government has a database of literally everyone's movements. In
SK they also use CCTV and other data, it's a nightmarish panopticon.

"Minimally disclosive" contact tracing. This keeps as much data as possible on
the device and only shares some of it with other devices or central servers.
Obviously, designing these protocols is a balancing act between privacy and
functionality. Different groups have designed protocols that make different
choices there.

The two main competing protocols are DP-3T, on which Google/Apple have based
their API, and PEPP-PT / ROBERT, on which some countries including the UK have
been building their solution. Until very recently, Germany was also using
PEPP-PT but they have switched to DP-3T.

Both protocols make trade-offs between the amount of information which leaks
and the usefulness of the tool. That's important. Installing an app based on
either will strictly reduce your current privacy.

Both frameworks use pseudo-random rotating keys which are exchanged over
Bluetooth. In PEPP-PT a central server manages a rotating private key which is
used to generate a set of time-gated ephemeral IDs for each device. Devices
exchange and log these IDs. When a health authority determines that someone is
infected, they issue them a key which allows them to upload all their logged
IDs to the central server. (Optionally, they can just allow them to
self-report, which NHSX seems to be doing.) The server is able to determine who the
infected person's phone has logged a contact with and notify those people. A
random sample of additional people also receive notification messages which
their phones are able to discard as invalid decoy messages. Because relatively
rich data goes to the server, real time data on interaction patterns of the
infected is available and notification algorithms can be tested and tweaked.
Since we don't know exactly how Bluetooth propagation and covid infection map
to each other, this may end up being an important step.

In DP-3T, the keys are generated on the devices and IDs are stored only on the
devices. If a central server authorises you to do so (based on a confirmed
diagnosed infection), you broadcast the IDs of all the devices you have been
in proximity to. All devices regularly download a list of IDs and check the
list for one of their own rotating ID numbers. If they match, the user is
notified and is able to pre-emptively isolate.

The second approach reduces the consequences of a nefarious central operator
but at the cost of sharing more information with more people (since everyone
sees the list of possibly-infected IDs). In other words, even in privacy
terms, this is not a perfect approach either. That information can be used to
carry out re-identification attacks and reveal infected users if certain
conditions are met.

From a privacy point of view, I think many people would prefer the latter
(possibly allow malicious attacker, if they are able to do certain not-so-easy
things to determine that they were infected) since most people in the UK will
not consider that deeply private and secret information about themselves. Many
of my friends who got it have posted about it on FB, twitter, etc. The former,
which gives a state actor more information seems like a greater breach of
privacy.

A final point which I think is super important: we don't know if either of
these minimally disclosive options work in practice. No-one has used them in
the wild yet. If they both worked then we could say - DP-3T has fewer privacy
implications, they both work, therefore it is strictly superior.

Since we don't know whether they both work (or even if either one works), we
are instead left with a balancing act between privacy and usefulness which is
not an easy one.

Of course, if due to API support reasons, only the OEM supported protocol can
be made to work then regardless of any theoretical arguments, that is the one
that we will need to use. I suspect we will know by the end of the weekend if
their implementation works in practice.

I would like to see statutory safeguards put in place for this data. If they
really need it then I get that, but it is important that if we do not have the
technical safeguard we have legal ones.

(Also, Google/Apple had a difficult choice to make here because they operate
everywhere. They had to pick something that they feel comfortable rolling out
to their devices in every country.)
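For readers who want the decentralised mechanics in runnable form, here is an added toy implementation (mine, not code from DP-3T, PEPP-PT, Google/Apple or NHSX), modelled on the published DP-3T "low-cost" design: each device derives a chain of daily seed keys, expands each into rotating ephemeral IDs that it broadcasts, and logs the IDs it hears. In that design the diagnosed device releases its own seed keys for the infectious window, and every other device regenerates the IDs those keys produce and checks them against its local log. The epoch count, the three-day window, the device names and seeds are constructed, and the PRF-with-counter expansion stands in for the spec's PRG/PRF construction. The last value returned shows the re-identification cost the comment mentions: one released day key regenerates every ID that device broadcast that day.

```python
# Added toy implementation (not code from DP-3T, PEPP-PT or NHSX) of the
# decentralised key-and-ephemeral-ID matching, modelled on the published
# DP-3T "low-cost" design. Epoch count, window, names and seeds are constructed.
import hashlib
import hmac

EPOCHS_PER_DAY = 96          # constructed: one EphID per 15 minutes
INFECTIOUS_WINDOW_DAYS = 3   # constructed: how many days' keys are released


def next_day_key(sk: bytes) -> bytes:
    """Day-key chain SK(t+1) = H(SK(t)): releasing today's key reveals later days, not earlier ones."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes):
    """Expand a day key into its rotating EphIDs (PRF + counter; stands in for PRG(PRF(SK, "broadcast key")))."""
    return [hmac.new(sk, b"broadcast key" + i.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for i in range(EPOCHS_PER_DAY)]


class Device:
    def __init__(self, name: str, seed: bytes, days: int):
        self.name = name
        self.day_keys = [seed]
        for _ in range(days - 1):
            self.day_keys.append(next_day_key(self.day_keys[-1]))
        self.observed = set()   # (day, ephid) pairs heard over BLE; never leave the device

    def ephid(self, day: int, epoch: int) -> bytes:
        return ephids_for_day(self.day_keys[day])[epoch]

    def hear(self, day: int, ephid: bytes) -> None:
        self.observed.add((day, ephid))

    def release_keys(self, from_day: int, to_day: int) -> dict:
        """On diagnosis: publish this device's own keys for the window, not its contact log."""
        return {d: self.day_keys[d] for d in range(from_day, to_day + 1)}

    def exposed_to(self, published: dict) -> bool:
        """Regenerate the diagnosed device's EphIDs and look for them in the local log."""
        for day, key in published.items():
            if any((day, e) in self.observed for e in ephids_for_day(key)):
                return True
        return False


def encounter(a: Device, b: Device, day: int, epoch: int) -> None:
    """Both phones in range: each logs what the other is broadcasting right now."""
    a.hear(day, b.ephid(day, epoch))
    b.hear(day, a.ephid(day, epoch))


def run_scenario() -> dict:
    days = 6
    alice = Device("alice", hashlib.sha256(b"constructed seed alice").digest(), days)
    bob = Device("bob", hashlib.sha256(b"constructed seed bob").digest(), days)
    carol = Device("carol", hashlib.sha256(b"constructed seed carol").digest(), days)
    encounter(alice, bob, day=2, epoch=40)    # alice and bob share a bus ride
    encounter(bob, carol, day=3, epoch=10)    # bob meets carol; carol never meets alice
    # Alice is diagnosed on day 4 and releases her keys for days 1..3.
    published = alice.release_keys(4 - INFECTIOUS_WINDOW_DAYS, 3)
    return {
        "bob_exposed": bob.exposed_to(published),
        "carol_exposed": carol.exposed_to(published),
        # Privacy cost: one released day key regenerates every EphID alice
        # broadcast that day, so all her sightings that day become linkable.
        "linkable_ephids_per_day": len(set(ephids_for_day(published[2]))),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note what the server never sees in this scheme: the `observed` sets stay on the phones, and the only thing uploaded is the diagnosed device's own keys, which is exactly the information the comment says becomes visible to everyone who downloads the list.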

~~~
nfg
Thanks for the explanation - very helpful. I was wondering if you might have
time to go into more detail on this:

> A random sample of additional people also receive notification messages
> which their phones are able to discard as invalid decoy messages

~~~
Mvandenbergh
Basically, if you didn't do this, then people could snoop on your message
traffic and even though the payload was encrypted, they would be able to tell
that you received a warning message about having been in contact with an
infected person.

By sending decoys, everyone gets the occasional such message as far as any
attacker is concerned, and no information is disclosed.
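The decoy idea is simple enough to simulate, so here is an added example (mine, not code from PEPP-PT, ROBERT or the NHS app): every device holds a key the server knows; real alerts are encrypted and authenticated under it, decoys are random bytes of the same length, and only the holder of the right key can tell the two apart. The fleet, the keys and the decoy count are constructed, and the cipher is a toy built from an HMAC-derived keystream plus an HMAC tag, used only so the example runs stand-alone.

```python
# Added example (not code from PEPP-PT, ROBERT or the NHS app): a central
# notifier that pads alerts to a fixed size and sends indistinguishable
# decoys, so an observer who sees that a message arrived learns nothing.
# The cipher is a toy (HMAC-derived keystream + HMAC tag), constructed here.
import hashlib
import hmac
import random
import secrets

PAYLOAD_LEN = 32    # every alert padded to a fixed size so length leaks nothing
NONCE_LEN = 16
TAG_LEN = 32
ALERT = b"exposure: please self-isolate".ljust(PAYLOAD_LEN, b"\x00")


def _keystream(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()[:PAYLOAD_LEN]


def seal(key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC a fixed-length payload: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce)))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decoy() -> bytes:
    """Random bytes with exactly the shape of a real message."""
    return secrets.token_bytes(NONCE_LEN + PAYLOAD_LEN + TAG_LEN)


def open_message(key: bytes, msg: bytes):
    """The alert, or None for anything this key does not authenticate (decoys)."""
    if len(msg) != NONCE_LEN + PAYLOAD_LEN + TAG_LEN:
        return None
    nonce, body, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(b ^ k for b, k in zip(body, _keystream(key, nonce)))


def notify(device_keys: dict, contacts: set, n_decoys: int, rng: random.Random) -> dict:
    """Server side: real alerts to contacts, decoys to a random sample of the rest."""
    out = {d: seal(device_keys[d], ALERT) for d in contacts}
    others = [d for d in device_keys if d not in contacts]
    for d in rng.sample(others, min(n_decoys, len(others))):
        out[d] = decoy()
    return out


def run_scenario(seed: int = 1) -> dict:
    rng = random.Random(seed)
    keys = {f"dev{i}": secrets.token_bytes(32) for i in range(10)}   # constructed fleet
    contacts = {"dev1", "dev4"}                                        # constructed
    msgs = notify(keys, contacts, n_decoys=3, rng=rng)
    delivered = {d: open_message(keys[d], m) for d, m in msgs.items()}
    return {
        "alerted": {d for d, p in delivered.items() if p == ALERT},
        "recipients": set(msgs),
        "observer_sees_one_length": len({len(m) for m in msgs.values()}) == 1,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The decoy rate is a tuning knob: too few decoys and receiving a message is still a strong signal, too many and battery and bandwidth are wasted on nothing, which is the same sort of trade-off as the RSSI thresholds discussed earlier in the thread.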

------
seanwilson
Did the NHS have any good reasons why they weren't going to work with Google
and Apple (who surely have more expertise for this)?

Why not work on a single open source iOS + Android app that is shared and used
in all countries so we can get cross border tracing?

If governments are concerned about Google and Apple getting access to data,
what's the argument against the above where each country uses their own
servers to store tracing data?

~~~
g_p
The NHS wanted the ability to model "risk-from" a contact, rather than only
"risk-to". In the decentralised approach, infected users upload a list of
their own identifiers, these are broadcast, and everyone checks if they've
been near one. There needs to be a threshold picked that will trigger to alert
you - probably "contact-minutes" with an infected person.

The NHS approach is less binary, as they believe based on the rate of spread
that it's necessary to request people report symptoms and share their own
anonymous contact log. Based on the level of exposure the "suspected
individual" had with other known/suspected infected people, combined with the
number of other known/suspected infected people you were near, your advice can
be tailored. You might be told to isolate, but then you're asked to report
symptoms regularly. Others in the same position as you will be doing so as
well - there is potential here to actually tell people they no longer need to
self isolate if the "group" don't have any symptoms emerging, based on the
epidemiology and the rate people are believed to develop symptoms in the
population.

There's a good write-up of this actually in the NCSC security report and post
- [https://www.ncsc.gov.uk/files/NHS-app-security-paper%20V0.1.pdf](https://www.ncsc.gov.uk/files/NHS-app-security-paper%20V0.1.pdf)
and [https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app](https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app).
It explains a lot about the rationale, and not only for security, also in
terms of the approach and how the app is designed to work when people have
symptoms etc.

~~~
seanwilson
Thanks for that I'll have a read.

Is there any discussion about other countries using this NHS app (the repo
says MIT license)?

Each country could customise the alert heuristic but it seems like a waste of
resources for each country to code their own app for a global problem.

~~~
g_p
> Thanks for that I'll have a read.

> Is there any discussion about other countries using this NHS app (the repo
> says MIT license)?

> Each country could customise the alert heuristic but it seems like a waste
> of resources for each country to code their own app for a global problem.

Not seen any other country talking about this yet although it only came out
today in source form, and still is technically in limited beta. I imagine
Australia and Singapore will be interested in the iOS Bluetooth in sleep
workaround method, as that does appear to be novel and not really done before.

If you implement the same basic API, it would be easy for another country to
implement. The nice aspect of this design is that you can have an MVP (like UK
has right now) while you evolve the more complex heuristics and models on the
backend, and add those as you develop them. I'd agree it's a waste to build
multiple apps, and I imagine countries will be looking at this approach now,
and the value of an app with real working code, versus trying to build
something.

The Bluetooth protocol itself is designed to support multiple countries using
it - the outer message contains a country code flag so you know which
country's health system you'd need to communicate with in order to exchange
info of a proximity event.

~~~
seanwilson
> the iOS Bluetooth in sleep workaround method

Why do they need to find a workaround? Can't Apple tell them the best way or
push an iOS patch to help?

~~~
g_p
> > the iOS Bluetooth in sleep workaround method

> Why do they need to find a workaround? Can't Apple tell them the best way or
> push an iOS patch to help?

Apple seem to take the view governments should use their decentralised
approach, or not do it, and don't seem to have been willing to help
governments do this without using their "joint approach" with Google.

I am normally the first to back anything decentralised. But in this case, the
stated goals of the app (from a very good NCSC writeup I've linked elsewhere
in these comments) simply don't work with a decentralised approach (namely
being able to do risk-from calculation, not just risk-to, and being able to
gather and model from symptoms whether others should keep isolating or can go
back to normal).

Given Apple said it wouldn't help anyone not wanting to go "their" way, it's
quite reassuring to see that engineers do what they do best, finding a new
workaround, and making details of it available for any other devs... Perhaps
Australia can use this in their app now to fix their issues with Bluetooth and
iOS.

------
holri
For reference, Austria's Red Cross app is here:
[https://github.com/austrianredcross](https://github.com/austrianredcross)

~~~
g_p
Interesting - it looks like they've gone down the route of having a way for
people to do a "digital handshake" (both press the button, and have devices
within a short distance of each other) to create their contact pairings.

I do wonder how many people will use this feature, or remember to use it. This
would seem to reduce false positives, but make it much less useful at scale
(i.e. it won't help trace people who were on a train or bus).

------
ngcc_hk
Contact not contract in the title?

------
flattone
Twitter user probing for safety & security issues ‘india now NHS next’

[https://mobile.twitter.com/fs0c131y/status/12584360338400215...](https://mobile.twitter.com/fs0c131y/status/1258436033840021504)

------
eternalban
Any contact tracing system that is not time limited and disposable by design
is a surveillance system being introduced in the guise of contact tracing.

My ideal tracing system would include disposable components, such as time-
boxed smart cards, that are disposed of when an epidemic wave (cycle) ends. If
the pandemic has multiple waves, each wave will entail producing a new series
of disposable components.

Another important aspect of a genuine tracing system would be that it does not
hook into infrastructure of surveillance capitalism behemoths.

The regrettable fact is that this contact tracing app will definitely become a
requirement for getting a job, and very likely at some point a de facto
identity and civil passport for being able to access modern infrastructure and
urban areas.

~~~
ryeights
> The regrettable fact is that this contact tracing app will definitely become
> a requirement for getting a job, and very likely at some point a de facto
> identity and civil passport for being able to access modern infrastructure and
> urban areas.

Should be an easy fix now that the app is open-sourced: just build a version
of the app with all the tracking code stripped out, leaving a mock UI that
always says "no contact detected".

~~~
eternalban
The issue is not that. This is raising private corporate infrastructure
(Google, Apple, etc.) to a quasi-governmental role. Something so tightly bound
with fundamental civil and human rights concerns, should not depend on these
giants. Think China's Baidu.

And here is a deliciously ironic title and article:

_China's Dystopian Tech Could Be Contagious_

[https://www.theatlantic.com/technology/archive/2018/02/chinas-dangerous-dream-of-urban-control/553097/](https://www.theatlantic.com/technology/archive/2018/02/chinas-dangerous-dream-of-urban-control/553097/)

------
scared2
Contact not contract

------
gurjeet
s/contract/contact/

------
3fe9a03ccd14ca5
Whelp, we've sure entered into the twilight zone of digital privacy quickly. A
month ago we were saying "15 days to flatten the curve", today we have MRAPS
busting up protests and digital privacy continuing to circle the drain... and
THE PEOPLE LIKE IT THIS WAY?

------
cs02rm0
There's a code review, of sorts, (from an ex-Googler) here:

[https://lockdownsceptics.org/code-review-of-fergusons-model/](https://lockdownsceptics.org/code-review-of-fergusons-model/)

~~~
zimpenfish
I'm not entirely convinced a site called "lockdownsceptics" where almost every
article is about how the lockdown is stupid, unconstitutional, fascist, etc.
and uncritically reposting articles by people like Toby Young is going to be
even slightly unbiased about that model.

~~~
chimprich
From the article:

> On a personal level, I’d go further and suggest that all academic
> epidemiology be defunded.

That's a hell of an extremist position to take.

It's also an anonymous report, not a code review, with the evidence presented
being some graphs produced with no idea the author had any idea they knew what
they were doing.

Pretty ironic that the author says "this situation has come about due to
rampant credentialism and I'm tired of it" - but implies they know what
they're talking about because they used to work at Google.

------
ck2
Can we stop pretending that if half the population refuses to wear masks
and/or stay-at-home to spare others that they are going to be open and honest
and assist contact tracing when there is no obligation to do so? Why would
they bother?

~~~
flattone
I'm pretty opposite to those folks. Still, I'm not installing anything.

