
Leakage paths for the Apple / Google Bluetooth tracing system - awinter-py
https://abe-winter.github.io/2020/04/10/leaky.html
======
the_mitsuhiko
I recommend everybody to look at the whitepaper which discusses this type of
protocol extensively:
[https://github.com/DP-3T/documents/blob/master/DP3T%20White%...](https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf)

A lot of the arguments against this were rehashed the last few weeks over and
over. As a passive participant in such discussions I can't express how tiring
it is to see new people drop into these conversations without reading up on
what already has been discussed beforehand.

~~~
FartyMcFarter
I agree that people should be reading the paper. Crucially, the whitepaper
explains why it doesn't preserve privacy.

For example, section 5.4 (design trade-offs) says that individuals who have
declared themselves as infected can be retroactively tracked and identified.
Tracking only requires a bluetooth receiver which is aware of its own location
- government agencies could easily do this.

~~~
sudosysgen
Obviously. I think having your location tracked for a few days, _if you are
infected_, is not a serious concern.

In fact, there is absolutely no way I can see that can get around that.

~~~
SlowRobotAhead
Where is the “few days” coming from?

Once a system like this exists, you can plan on it being a feature that
doesn’t disable at some point. Great intentions, but no thanks.

~~~
sudosysgen
Because the keys, from my understanding, change every day. So if someone is
infected, you can only track them for the relevant days because those are the
keys they would give you.

You could simply set it up to delete your own keys after 14 days, for example.

~~~
SlowRobotAhead
This is obviously just all obfuscation. The entire plan is that you are
uniquely identifiable, you are being pinged by every person you walk near,
there is protection from Target, Bestbuy, “Ze Russians” but not Apple, Google,
Gov.

You can put as many crypto or “random” or key derivation layers you want in
there, you just also need to admit they are surface deep and really “just for
show”.

This is constant person tracking, that’s the whole point.

~~~
joshuamorton
Well no, the point, as the whitepapers explain, is that there is provable
cryptographic protection from Apple or Google tracking you.

------
TechBro8615
Anyone who thinks this will “go away” eventually is naive. We don’t even have
a definition for what the end of the pandemic looks like, nevermind an exit
strategy for social distancing or these draconian tracking measures.

It’s optional until it’s not, and it’s anonymous until it’s not. I don’t like
this one bit.

~~~
dirtyid
This "going away" is more likely in some places than others depending on
legislation and entrenched interests. That said, it's probably going to stick
around in the US, if anything pandemic watch is going to be the next TSA where
unfathomable resources will be diverted. The only rival to US security lobby
is the US medical lobby. Though it'll probably be more useful than security
theater in the long run.

~~~
KKKKkkkk1
_The only rival to US security lobby is the US medical lobby. Though it'll
probably be more useful than security theater in the long run._

Given how big pharma's previous big win gave us the opioid crisis, I wouldn't
count on it.

------
alkonaut
Lots of comments on these topics seem to revolve around fear that democratic
governments have an interest in making tracking permanent and mandatory. From
the more nuanced “I don’t trust that they don’t abuse the data” to the
downright dystopian paranoia “you will be chipped”.

I don’t get it. We should worry about privacy issues of course, but isn’t this
nearly as good as it could be and still be effective?

Which democratic government could mandate the use of this type of tracking
forever yet _not_ be able to impose it against people’s will?

The privacy fears feel somewhat rational but the fear that governments act
with some interest that is separate from the voters’ interests seems
irrational to me. Maybe I’m used to governments that people trust and that are
simply doing what voters want, rather than having an agenda.

~~~
dingaling
> Which democratic government could mandate the use of this type of tracking
> forever yet not be able to impose it against people’s will?

First they'd have to coerce two US-based companies to implement the
technology. For example, imagine UK.gov (pop 60 million) telling Apple (250
million annual iPhone sales) to do so.

Secondly they'd have to coerce their population into using the feature.
Without a clear public benefit I suspect there would be workarounds and hacks
within days to dilute its effectiveness.

However, implement it under global public health reasons and coercion is much
easier. Protect the NHS, keep your tracking app active! Don't turn your phone
off when out exercising! Keep your phone with you at all times... for the
public good.

> Maybe I’m used to governments that people trust and that are simply doing
> what voters want

Any such governments come to mind?

~~~
alkonaut
> Without a clear public benefit I suspect there would be workarounds and
> hacks within days to dilute its effectiveness.

Exactly. Governments can easily do this, because they already have the bigger
tool at their disposal: lockdowns.

People in prisons choose to wear an electronic tracker to spend the last year
of a sentence at home. Their freedom was already taken, and the monitoring is
a way to get some of it _back_. No one turns that down out of fear the
government won’t remove the tracking thing around their ankle. “No thanks I
don’t trust them to take it off after a year so I’m staying in the cell”, said
no one ever. If you don’t trust them to take it off after a year why would you
trust them to unlock your cell door?

Of course the public will choose to use this tech if the alternative is less
freedom.

So yes people will voluntarily use this because of peer pressure and because
the alternative is worse. At least they will do so in countries with high
trust in government, the public healthcare system and a strong sense of
community in crisis (this is where I would have thought the UK would be the
obvious example!). “For the public good” is _very_ persuasive to me - while
“for your own good” might work better in other places.

> Any such governments come to mind?

Most Western European governments I would have thought? I (Scandinavian)
always considered the government to be “me”, not “them”.

~~~
lern_too_spel
And the way governments would take advantage of this is by having devices
everywhere exchanging IDs so that when somebody has a disease, those devices
will let the government figure out some of the places they've been? This
sounds too roundabout to make any sense. The government can already request
location history from cell phone providers and Google if it has a warrant. Why
go through all that trouble to get lower quality data?

------
judge2020
didn't see any info on how the "download list of infected people's keys" would
work in the documents, but it seems like k-anonymity[0][1] would be a good
choice for saving data on peoples' phones and mitigating the potential DOS
threat.

Another way the DOS attack could be prevented is perhaps requiring you to get
a QR code from a government or testing facility before you can report your
keys as being infected.

0: [https://blog.cloudflare.com/validating-leaked-passwords-with...](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/)

1: [https://developers.google.com/safe-browsing/v4#update-api-v4](https://developers.google.com/safe-browsing/v4#update-api-v4)
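
Added example (not code from the linked post, nor from Apple/Google or the
Cloudflare/Safe Browsing APIs cited above) showing the k-anonymity range-query
pattern judge2020 refers to, with both sides simulated: the server indexes the
published identifiers by a short hash prefix, the phone sends only that prefix
for each identifier it overheard, receives the whole bucket, and finishes the
comparison locally. The 12-bit prefix, the constructed identifiers and the
choice to publish identifiers rather than daily keys are this example's
assumptions.

```python
import hashlib
from collections import defaultdict

PREFIX_HEX = 3   # hex digits disclosed to the server: 12 bits, 4096 buckets (assumption)


def digest(ident: bytes) -> str:
    return hashlib.sha256(ident).hexdigest()


class KeyServer:
    """Serves the published identifiers of diagnosed users, indexed by hash prefix.

    The published items are identifiers themselves in this toy; whether a real
    deployment would publish daily keys or expanded identifiers is left open."""

    def __init__(self, published: list):
        self.buckets = defaultdict(list)
        for ident in published:
            d = digest(ident)
            self.buckets[d[:PREFIX_HEX]].append(d[PREFIX_HEX:])
        self.queries_seen = []   # everything the server ever learns about a client

    def range_query(self, prefix: str) -> list:
        self.queries_seen.append(prefix)
        return sorted(self.buckets.get(prefix, []))

    def bucket_sizes(self) -> tuple:
        sizes = [len(v) for v in self.buckets.values()]
        return min(sizes), max(sizes)


def client_check(server: KeyServer, observed: list) -> list:
    """Client side: fetch the bucket sharing each observed identifier's prefix,
    then compare the remaining hash suffix locally so the full hash never leaves
    the phone."""
    matches, cache = [], {}
    for ident in observed:
        d = digest(ident)
        prefix, suffix = d[:PREFIX_HEX], d[PREFIX_HEX:]
        if prefix not in cache:                  # one round trip per distinct prefix
            cache[prefix] = set(server.range_query(prefix))
        if suffix in cache[prefix]:
            matches.append(ident)
    return matches


def demo() -> dict:
    # Constructed data: 20,000 published identifiers plus two the phone actually heard.
    published = [b"published-%d" % i for i in range(20000)]
    seen_sick = [b"contact-A", b"contact-B"]
    server = KeyServer(published + seen_sick)
    observed = seen_sick + [b"stranger-%d" % i for i in range(3)]
    matches = client_check(server, observed)
    return {
        "matches": matches,                              # the two planted contacts
        "prefixes_disclosed": server.queries_seen,       # 3 hex chars each, nothing more
        "bucket_size_range": server.bucket_sizes(),      # roughly 20002 / 4096 per query
    }


if __name__ == "__main__":
    print(demo())
```

The prefix length sets the trade-off: with P published items and a 12-bit
prefix each query returns about P/4096 entries, so the phone downloads a few
entries per overheard identifier instead of the whole list, and the server
learns only which 1-in-4096 bucket each query fell into. Comparison on the full
hash keeps matching exact. Note that this saves bandwidth and limits what the
server sees; it does nothing about someone reporting keys they are not entitled
to report, which is the separate verification step (a code from the testing
facility) discussed in the post.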

~~~
donarb
This technology is meant to be used by local health agencies like city or
county. If you have the app provided by the county and you are tested positive
by them, they would then ask you if you would like to share that information
with others. So the chance of DOS is nil since you actually have to test
positive to broadcast the keys.

------
sowbug
DTKs are derived rather than random so that the device doesn't have to store
its own keys or identifiers, saving both space and flash wear. It can start
with the initial seed and re-derive all the rest as needed.
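
Added example (not code from the linked post or from Apple/Google) modelling
the derived-key scheme sudosysgen and sowbug describe above: the phone keeps a
single seed, derives a daily key and 144 ten-minute identifiers from it on
demand instead of storing them, and a fixed receiver can link the identifiers
it overheard only for the days whose daily keys were published. The derivation
follows the shape of the Apple/Google v1 draft (an HKDF step for the daily key,
an HMAC for each rolling identifier), but the labels, 16-byte lengths and
interval count are this example's assumptions rather than the specification.

```python
import hashlib
import hmac
import os
from collections import defaultdict

KEY_LEN = 16               # bytes per key and per identifier (assumption)
INTERVALS_PER_DAY = 144    # 24 h of 10-minute rotation slots (assumption)


def daily_key(seed: bytes, day: int) -> bytes:
    """Daily tracing key for day number `day`, derived from the device seed.

    Single-block HKDF-expand (RFC 5869) with the seed used directly as the PRK;
    the label is a constructed demo value. The device stores only `seed`."""
    info = b"DEMO-DTK" + day.to_bytes(4, "little")
    return hmac.new(seed, info + b"\x01", hashlib.sha256).digest()[:KEY_LEN]


def rolling_id(dtk: bytes, interval: int) -> bytes:
    """Identifier broadcast during one 10-minute slot of the day."""
    msg = b"DEMO-RPI" + interval.to_bytes(4, "little")
    return hmac.new(dtk, msg, hashlib.sha256).digest()[:KEY_LEN]


def broadcasts_for_day(seed: bytes, day: int) -> list:
    """All 144 identifiers the device sends on `day`, recomputed on demand."""
    dtk = daily_key(seed, day)
    return [rolling_id(dtk, i) for i in range(INTERVALS_PER_DAY)]


def link_observations(observed: list, released_keys: dict) -> dict:
    """What a fixed receiver can reconstruct once daily keys are published.

    observed:      (day, interval, identifier) tuples the receiver logged.
    released_keys: {day: daily_key} published for the infectious days.
    Returns {day: [matched intervals]}; days without a released key never match.
    """
    table = {}
    for day, dtk in released_keys.items():
        for i in range(INTERVALS_PER_DAY):
            table[rolling_id(dtk, i)] = (day, i)
    linked = defaultdict(list)
    for _, _, ident in observed:
        if ident in table:
            day, i = table[ident]
            linked[day].append(i)
    return dict(linked)


def demo(seed: bytes = None) -> dict:
    seed = seed or os.urandom(32)          # the only secret the phone keeps
    observed = []                           # log of a receiver at one fixed spot
    for day in (3, 4, 5):
        ids = broadcasts_for_day(seed, day)
        for interval in (10, 11, 12):       # it heard the phone in three slots
            observed.append((day, interval, ids[interval]))
    released = {d: daily_key(seed, d) for d in (4, 5)}   # diagnosed: days 4-5 published
    return link_observations(observed, released)


if __name__ == "__main__":
    print(demo())   # {4: [10, 11, 12], 5: [10, 11, 12]}; day 3 stays unlinkable
```

Run as written, the receiver recovers which slots on days 4 and 5 belonged to
one phone, and nothing about day 3, which is the "tracked for the relevant
days only" property described above. The flip side is also visible: every
identifier overheard on a published day becomes linkable to every other one on
that day, so the daily key is the unit of both storage saving and location
leakage, which is what the later suggestion of a shorter key period is about.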

~~~
tehlike
Your phone already stores lots of data every 10 minutes, I am not sure if flash
wear is a problem. Same with storage space.

A guid is 16 bytes per key * 6 keys per hour * 24 hours per day * 365 days makes
less than a megabyte. Even accounting for additional data stored where guid is
the key it feels not a big concern.

I imagine data stored like: Key: guid Contacts made: <timestamp, guid>[]

~~~
gorgoiler
Because you want to use the same protocol for 89¢ devices?

------
shireboy
Armchair prognosticator here, but is there not a zero-knowledge proof way of
doing this? A way so that neither side (or intermediate) can learn the
identity of the other?

------
saagarjha
Aside: you look like you might be the author, so I thought I'd mention that
the link for "one-way hash" seems to be empty.

~~~
awinter-py
eek fixed thanks

------
snovv_crash
Since they generate the keys anyways, why not just make a new one every 30
seconds? This would address the main concern IMO.

~~~
riedel
Although I think the approach is correct, I think the DTK period is far too
long. 1 day may reveal too much information regarding movement patterns if
someone has enough distributed trackers at critical spots. Also if everyone
uses it I see a slight chance of bruteforcing in often visited spaces (didn't
do the math). Adding more hierarchies would allow people to share
information more fine-granularly. Putting RPIs into a bloom filter and releasing
them might be another idea. Critical contact would mean multiple bloom filter
matches anyways.
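
Added example (not code from the linked post or from any of the projects
discussed) working through riedel's suggestion above: a diagnosed user releases
a Bloom filter of one day's rolling identifiers instead of the daily key, a
phone tests the identifiers it logged against it, and exposure is flagged only
when several 10-minute slots match. The sizing formulas are the standard ones;
the 144 constructed identifiers, the 0.1% target false-positive rate and the
two-slot threshold are this example's assumptions.

```python
import hashlib
import math


class BloomFilter:
    """Minimal Bloom filter sized for n items at a target false-positive rate."""

    def __init__(self, n_items: int, fp_rate: float):
        # m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hash functions
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes) -> list:
        # Kirsch-Mitzenmacher double hashing: k positions from one SHA-256 call.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def publish_day(rpis: list, fp_rate: float = 1e-3) -> BloomFilter:
    """What a diagnosed user would release for one day instead of the daily key."""
    bf = BloomFilter(len(rpis), fp_rate)
    for r in rpis:
        bf.add(r)
    return bf


def exposure(bf: BloomFilter, observed: list, threshold: int) -> tuple:
    """Count logged identifiers the filter claims to contain and flag exposure
    only when at least `threshold` slots match, which absorbs the occasional
    false positive of a single probe."""
    hits = sum(1 for r in observed if r in bf)
    return hits, hits >= threshold


def false_positive_count(bf: BloomFilter, trials: int) -> int:
    """Probe the filter with identifiers that were never inserted."""
    probes = (hashlib.sha256(b"never-inserted-%d" % i).digest()[:16] for i in range(trials))
    return sum(1 for p in probes if p in bf)


def demo() -> dict:
    # Constructed data: 144 identifiers for one day, one per 10-minute slot.
    rpis = [hashlib.sha256(b"rpi-%d" % i).digest()[:16] for i in range(144)]
    bf = publish_day(rpis)
    return {
        "filter_bytes": bf.size_bytes(),                     # vs 16 bytes for a daily key
        "contact_30min": exposure(bf, rpis[40:43], threshold=2),
        "false_positives_per_10k": false_positive_count(bf, 10000),
    }


if __name__ == "__main__":
    print(demo())
```

For 144 identifiers at a 0.1% false-positive rate the filter is about 260
bytes, against 16 bytes for the daily key it replaces, so the download grows
by roughly 16x per published day. What changes is what a recipient can do with
the release: it can test identifiers it already overheard, but it cannot
enumerate the day's other 141 identifiers the way holding the daily key
allows. A receiver that overheard a phone all day still links those slots, so
this narrows what the release reveals rather than who can test against it.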

~~~
tinus_hn
I guess you are not aware what contact tracing is. If you get a disease like
this most governments have the right to ask you where you have been and who
you have seen and the need for society to be protected from your disease is
seen as trumping your privacy rights. This is just another mechanical way to
get the same information, except privacy gets much more protection here.

~~~
Someone
But most people won’t know very well who they have seen. For example, I went
shopping this morning and probably saw around 50 people. I would recognize
less than 10 of them, if I were to meet them again. I know the names of none
of them.

Since most governments can’t ask their entire population “were you in the
neighborhood of this walking path”, there’s no simple way for them to find
those people (t.v. broadcasts and canvassing in the neighborhood would work,
but are labor-intensive and slow)

That’s where this will help. The people who came into close contact will get
informed, and, hopefully, will self-isolate. The government doesn’t have to
know who they are, where they were, etc.

It will require a significant part of the population to opt-in on this,
though. That’s challenging. In Singapore, only 20% of people did. That’s why
privacy is so important for this for many countries.

~~~
tinus_hn
This is true in general but the stated issue is that this system would make it
possible for governments to find out where an infected person has been. Manual
contact tracing is the same thing, but manual. You can always opt to not tell
them about something, you can always opt to leave your phone at home or turn
it off.

------
PeterStuer
Gamification:

In countries with a working social security system, getting into proximity of
a known infected person can be rather easily achieved.

In countries without a working social security system, staying 'clear' is
easily achieved by turning off your BT or phone or even just lining your pocket
with tin foil.

~~~
dogma1138
South Korea and Israel both have working social security systems, universal
health care, mandatory national IDs, no devolution of administrative or
legislative powers to local authorities, a single police force and both are
relatively small countries geographically with a relatively dense population
and both had to use mobile data to do contact tracing effectively.

~~~
PeterStuer
No, both used it, they didn't 'have to'. There is strong doubt in both cases
as to whether the app had any effect at all.

~~~
awinter-py
If you have links about the efficacy of the tracing programs, please post --
I'm trying to educate myself about this

------
softwarejosh
crazy to think where this tech is going after the epidemic

------
user_50123890
Why does it have to be anonymous? The coronavirus is not HIV, there is no
social stigma in knowing someone was infected.

The biggest problem is exactly the fact that since it spreads so easily, it's
impossible to reach all who have been exposed.

~~~
DanBC
> Why does it have to be anonymous? The coronavirus is not HIV, there is no
> social stigma in knowing someone was infected.

Fear of contagion is strong and not always rational.

Healthcare workers in the UK have been attacked. Sometimes that was to get
hold of their NHS ID badge, but at least once it was because the attacker
didn't want covid-19 to be spread.

[https://www.thesun.co.uk/news/11347158/nurses-scrubs-superma...](https://www.thesun.co.uk/news/11347158/nurses-scrubs-supermarket-coronavirus/)

[https://abc13.com/nurse-attacked-as-man-accuses-her-of-tryin...](https://abc13.com/nurse-attacked-as-man-accuses-her-of-trying-to-spread-covid-19/6076346/)

[https://wwmt.com/news/coronavirus/nurse-attacked-on-her-way-...](https://wwmt.com/news/coronavirus/nurse-attacked-on-her-way-to-work-suspect-believed-she-was-spreading-covid-19)

[https://www.bbc.co.uk/news/world-asia-india-52151141](https://www.bbc.co.uk/news/world-asia-india-52151141)

~~~
gruez
> Sometimes that was to get hold of their NHS ID badge

What's the point of that?

~~~
DanBC
I don't know, but people think it's to get access to "key worker" shopping
times.

Supermarkets over here are opening for an hour or so in the morning and
leaving that hour for only key workers.

But I don't know if that's why.

------
narrator
Good thing I have a removable battery on my phone.

~~~
DagAgren
What, so you can more effectively spread a dangerous infectious disease?

~~~
narrator
Do you see where this is going? The end game is treating every individual in
the world as a convict and potential murderer that requires 24/7 mandatory
surveillance and an injected digital ID that they can't remove. Heck, we
should add an immobilization capsule so we can just knock out anyone with
remotely electronically released drugs who isn't obeying quarantine.

~~~
DagAgren
Are you really expecting any sane person to take you seriously when you say
shit like that.

~~~
narrator
Yes. Bill Gates' ID 2020 program is an under-skin implant that holds a vaccine
record that he is proposing that all will have to get to do just about
anything in the future. You probably think this is a good thing and will love
getting scanned everywhere and getting your regular lightly tested compulsory
vaccines. It's basically parolee ankle bracelets for everyone.

None other than the Attorney General recently commented on this and said it's
a "slippery slope."[1] Slippery slope privacy arguments used to be totally
normal on Hacker News. Now everyone's demanding their rights and privacy be
taken away!

[1] [https://www.dailywire.com/news/ag-barr-on-bill-gates-wanting...](https://www.dailywire.com/news/ag-barr-on-bill-gates-wanting-digital-vaccine-certificates-im-very-concerned-about-slippery-slope)

~~~
DagAgren
> Bill Gates' ID 2020 program is an under-skin implant that holds a vaccine
> record that he is proposing that all will have to get to do just about
> anything in the future.

This is complete and utter nonsense. It is a fantasy made up by conspiracy
theorists.

~~~
narrator
I really hope you're right, but there's quantum dot technology, which is more
like a smart phone readable tattoo that's delivered with a vaccine that the
Gates foundation sponsored [1].

"By selectively loading microparticles into microneedles, the patches deliver
a pattern in the skin that is invisible to the naked eye but can be scanned
with a smartphone that has the infrared filter removed. The patch can be
customized to imprint different patterns that correspond to the type of
vaccine delivered."

"The research was funded by the Bill and Melinda Gates Foundation"

Gates has also been funding implantable microchips that are remote controlled
to deliver birth control medicine.[2]

[1] [http://news.mit.edu/2019/storing-vaccine-history-skin-1218](http://news.mit.edu/2019/storing-vaccine-history-skin-1218)

[2] [https://nationalpost.com/news/bill-gates-funds-birth-control...](https://nationalpost.com/news/bill-gates-funds-birth-control-microchip-that-lasts-16-years-inside-the-body-and-can-be-turned-on-or-off-with-remote-control)

~~~
DagAgren
None of which is anything like the utter nonsense you just spouted.

Time to get off the conspiracy theory addiction, dude.

~~~
narrator
The 2nd link, to the implant that contains a small computer and injects drugs
via remote control feels like the kind of technology that could be misused.

------
tastroder
> Given all those unknowns, I shouldn’t express an opinion on ‘do we need
> this’ and so I won’t.

A blog post is a form of expression / opinion, isn't it?

The technique is limited in time, after the pandemic I'm hoping usage will
drop to zero. Coming from the two major OS vendors, we now have a point where
we can get it to be shut off after the threat is contained. The proposal by
Google / Apple does not touch upon the serverside other than recommending
restrictions on usage of the data that is gathered and shared.

> Find out if someone specific is sick

Many countries already have mandatory reporting paths for infectious diseases,
if you operate an office building it is likely that you will find out if
somebody using that building has to quarantine themselves for a few weeks
already.

You will want to know if someone specific that you have been in contact with
is sick. This reads like you are pointing out the main reason for why we do
contact tracing in the first place as a negative leakage path.

> I won’t know who they are, but I can at least grab aggregate information
> about where coronavirus getters travel.

You do not know who they are, you can track an infected person's movement
(assuming 100% coverage) at most over a single day. Existing tracking using
Bluetooth and other signals a typical smartphone puts out already allows you
to do more. The problem in this scenario is a lack of customer protection
rights, not one of the proposal being bad.

> Increased hit rate of stationary / marketing beacons

Again, that's a policy issue more than a technical one and pretty US centric.
As you correctly point out it also isn't new. The data they gather now will
likely be less useful than what they can get with the broken MAC randomization
stuff phones put out before.

> Leakage of information when someone isn’t sick

The alternative to the first bullet point is running around infected. The
second point seems unrelated to the method of contact tracing. With existing
manual contact tracing, the health authority could also tell you that you're
infected and get your DNA.

> Fraud resistance

Most civilized countries have central reporting for positive test results,
making the fraud resistance argument moot. This supplements existing, manual,
contact tracing. The proposal itself has nothing to do with that part of the
workflow, it merely helps app developers to take care of a crucial and
previously hard part of the stack and suggests a well designed crypto scheme
to ensure privacy in the scope of the exchanged data itself.

The only realistic scenario in here seems like that of existing stationary
marketing beacons, which I'd propose to look at in terms of realism and the
tradeoff between the status quo of manual contact tracing (which is
inefficient, labor intensive, and error prone). In the realism aspect,
marketing firms are hardly on the edge of technology. How likely is it for a
major player to upgrade their systems with this tracking capability in the
timeframe of the pandemic? What insight do they gather on those infected? If
you're infected you would have to realistically share a few days worth of
keys.

~~~
jka
> The technique is limited in time, after the pandemic I'm hoping usage will
> drop to zero.

Do you think it's likely that, if successful, this same technique would be
proposed to reduce the negative economic impact from the traditional seasonal
flu in future?

~~~
tastroder
I'm not a doctor but it is my understanding that the traditional flu is an
impractical target for this type of contact tracing due to various reasons and
would not make much sense. At any rate, this is a huge measure even if the
privacy impact is limited. As a German I don't particularly like tracking of
any kind and am relatively certain that extending the measure beyond the
scenario of a pandemic wouldn't go over well with the population where I live.

~~~
SlowRobotAhead
> I'm hoping usage will drop to zero

>impractical target

It seems like you might not be empathizing with how governments or bad actors
or opportunistic companies think.

