
Corona App – 10 requirements for the evaluation of “Contact Tracing” apps - errnesto
https://www.ccc.de/en/updates/2020/contact-tracing-requirements
======
chimprich
This is one of those rare cases where you have to directly balance lives
against privacy.

My feeling is that while privacy is important, it's being taken a bit too
seriously given the severity of the crisis.

Google and Facebook et al. carry out far more involved and intimate
surveillance of people's lives than would be required for an app as described
in the article.

~~~
majewsky
This is one of the few cases where more privacy might literally save lives,
because people will be more inclined to install the app if the privacy is
taken more seriously. There was a poll where Germans were asked if they would
install a contact tracing app. Some 40% said yes outright. Another 40% said
"only if privacy concerns are addressed". So you're looking at a potential 40%
market penetration without proper privacy and 80% with, which greatly changes
the impact the app can have on reducing the spread of the virus.

(Disclosure: I'm a member of CCC and chairman of a local chapter.)

~~~
jklhwtoy
This is one of the few cases where mandatory installation of apps will save
lives, as seen in China/SK.

For those "40% only if privacy concerns are addressed" there is a gradient of
privacy. How many of them will still have concerns no matter what? And how
many will not install anything out of laziness/comfort?

Meanwhile, Google and Facebook are installed in 90%+ of phones and happily
scoop up location data every day.

~~~
Freak_NL
Mandatory how? How will you address people without suitable devices? Not
everyone has a (suitable) smartphone.

Making owning _and_ carrying a smartphone with the required app mandatory won't
fly in any healthy democracy.

~~~
shmel
Really? 6 months ago I'd have said that putting the entire nation under house
arrest won't fly in any healthy democracy, but here we are. Turns out no
country is more democratic than China.

~~~
Freak_NL
In increasing degrees of difficulty, how does a government get:

* people who own an Android or iOS smartphone to install a required app? (Might work if Google or Apple pushes the software, but does this outlaw non-stock-Android and iOS operating systems on a smartphone? Will Apple/Google do this for every country with an app?)

* people who don't own a smartphone to buy one? (Subsidized? Black-box devices that only need to be charged at home as an alternative for this group? How do you deal with people who don't want one for valid reasons besides privacy? E.g., people who got rid of them because they are vulnerable to the addictive properties of smartphone apps? And of course people who can't afford them.)

* people who can't use a smartphone to carry one around? (The digitally or otherwise illiterate or mentally incapable, and people with physical limitations won't just disappear overnight. This includes many elderly; exactly the weakest group with this virus.)

~~~
shmel
Gradually. It will be used to provide your freedom back. Lockdown is still in
place, but if you agree to use the app, you can go outside and chill in a
park, maybe even meet up with family members (groups fewer than N). Then you
can introduce checkpoints in public places (just like China did btw): wanna go
to malls, cinemas or airports? Install the app. But no, you are not forced to
do this. You can just sit at home if you'd like until the lockdown is fully
lifted. But we can't tell you when it happens, nobody knows. Perhaps after
everybody is vaccinated.

Surely, they can also add a smartphone-free version that is a huge pain in the
ass to use. It checks the box "you can survive without smartphone", but makes
it practically unreasonable.

It will be the same situation as with CCTV and bag searches nowadays. The vast
majority of people will accept this as reality and perhaps even support this.
London is full of CCTV and mostly people are okay with this because they
believe it is for their own safety. Sure, you are not forced into this, feel
free to live in mountains off-grid.

The bottom line is you just wait until the lockdown is normalized in people's
minds and then reward them with freedoms if they agree to use the app. And 99%
will be okay with this.

------
robjan
TraceTogether[1] by the Singapore government meets most of these requirements
and is/will be open sourced soon.

1: [https://www.tracetogether.gov.sg](https://www.tracetogether.gov.sg)

~~~
A4ET8a8uTh0
In this case, even if it only does exactly what it says it does, the data
gathered is more valuable than anything else. Complete movement profiles of an
entire nation. Can you put a price tag on that?

From that perspective whether it is open source is a secondary consideration.

~~~
robjan
Everyone generates an anonymous ID, if they come within Bluetooth proximity
the devices trade these anonymous IDs. No location data is collected and none
of the data is sent over the internet.

If you become infected you have the option of broadcasting your ID as being
infected and others can compare the infected list against the IDs collected on
their phones.

None of the data you mentioned is being collected.

~~~
A4ET8a8uTh0
Hmm, does that anonymous ID change? If not, it is not going to stay anonymous
for very long as patterns will remain largely unchanged. People do tend to be
creatures of habit.

I mentioned location data and if there is one thing we have learned over the
past decade or so, it is that location is not gathered just from GPS ( which
is the argument I assume you were making ).

edit: As for the claim, no data is sent over the internet.. I just plainly do
not believe that statement. I do not understand how anyone would.

------
thinkingemote
To those saying "it's a real urgent emergency" you might be too young to
remember the immediate response after 9/11, but you might be old enough to
remember the fallout, Manning, Snowden etc. which continues almost twenty
years later.

This time around shouldn't we aim for a better response and no fallout that
will last decades on our responses?

------
the_mitsuhiko
> Even if the transmission of a message is observed in the system (e.g. via
> communication metadata), it must not be possible to conclude that a person
> is infected himself or herself or has had contact with infected persons.
> This must be ensured both with regard to other users and to infrastructure
> and network operators or attackers who gain insight into these systems.

I don't think this is doable. All protocols that we currently have have the
ability to reveal this information in one way or another.

There are two fundamental approaches at the moment: something like DP-3T which
uses TCNs (temporary contact numbers) where contacts exchange temporary
numbers. On infection you download the list of infected people and compare on
your device for matches. This fundamentally reveals who was infected. Then you
have centralized approaches where you hand out encrypted IDs which a central
authority can decrypt. In the latter case you can just create new device IDs
which again lets you easily figure out which of your contacts was infected.

In the latter case you have the theoretical possibility to detect such
behavior due to the sheer amount of IDs generated by participants.

Generally the attack vector would be someone putting a beacon to a super
market and making pictures of people going in and out and capture their IDs.
Then they could figure out later which of the people got infected.
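A worked simulation of the decentralized scheme robjan and the_mitsuhiko describe (rotating anonymous IDs exchanged over Bluetooth, a seed published on diagnosis, matching done on the device), added here as an illustration and not code from the thread, TraceTogether or DP-3T. The one-way seed ratchet, HMAC derivation and epoch count are simplified assumptions; the example shows why a fixed ID would be linkable across days, and also that once a seed is published anyone holding recorded broadcasts can recognise them, which is the limitation the_mitsuhiko points out.

```python
import hashlib
import hmac
EPOCHS_PER_DAY = 4   # constructed value; real schemes rotate IDs every few minutes

def next_day_seed(seed: bytes) -> bytes:
    """Ratchet the daily seed one-way: a published seed reveals nothing about earlier days."""
    return hashlib.sha256(seed).digest()

def ephemeral_ids(day_seed: bytes) -> list:
    """Short-lived IDs broadcast over Bluetooth during one day, derived from that day's seed."""
    return [hmac.new(day_seed, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for epoch in range(EPOCHS_PER_DAY)]

class Device:
    """A phone: keeps its own seed chain and the IDs it has heard; nothing leaves the device."""
    def __init__(self, seed0: bytes):
        self.seed0 = seed0
        self.heard = set()

    def day_seed(self, day: int) -> bytes:
        seed = self.seed0
        for _ in range(day):
            seed = next_day_seed(seed)
        return seed

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_ids(self.day_seed(day))[epoch]

    def hear(self, eph_id: bytes) -> None:
        self.heard.add(eph_id)

    def publish_on_diagnosis(self, first_day: int) -> bytes:
        """The only upload: the seed of the first contagious day (later days derive from it)."""
        return self.day_seed(first_day)

    def match_locally(self, published_seed: bytes, days: int) -> int:
        """Re-derive the infected device's IDs and count those found in the local contact store."""
        seed, hits = published_seed, 0
        for _ in range(days):
            hits += sum(1 for e in ephemeral_ids(seed) if e in self.heard)
            seed = next_day_seed(seed)
        return hits

def simulate() -> tuple:
    # Constructed seeds; a real device would draw its seed from os.urandom.
    alice, bob, carol = (Device(bytes([i]) * 32) for i in (1, 2, 3))
    bob.hear(alice.broadcast(day=3, epoch=1))            # Alice and Bob were near each other on day 3
    carol.hear(bob.broadcast(day=3, epoch=2))            # Carol only ever met Bob
    published = alice.publish_on_diagnosis(first_day=2)  # Alice reports; only day 2's seed is uploaded
    return bob.match_locally(published, days=5), carol.match_locally(published, days=5)
```

Bob's phone finds one matching contact and Carol's none, while no server ever saw who met whom; the same re-derivation is what lets a third party who logged Alice's broadcasts recognise them after publication.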

------
asaddhamani
I installed the contact tracing app from the Indian government on my phone. It
won't let me use it without giving location access, not even just to see the
app.

The Indian government does not have a great track record when it comes to
privacy and information security.
([https://www.firstpost.com/india/aadhaar-data-leak-details-of...](https://www.firstpost.com/india/aadhaar-data-leak-details-of-7-82-cr-indians-from-ap-and-telangana-found-on-it-grids-database-6448961.html))
Aadhaar is the Indian equivalent of the US SSN.

While the cause is noble, there is always the problem with setting precedents,
and as governments are known to use Riders
([https://en.wikipedia.org/wiki/Rider_(legislation)](https://en.wikipedia.org/wiki/Rider_\(legislation\))),
I don't trust that they won't use Covid-19 to further their agenda either.

This is what happens when you erode people's trust. I for one will not be using
these apps.

~~~
raphaelj
As a side note, Android requires an app to get location access when using
Bluetooth (not sure about iOS). So any Bluetooth contact tracing app will
request location access.

------
alex_young
San Francisco has demonstrated that just asking people to social distance and
observe some shelter in place rules works for the most part.

Why do we need to implement a surveillance state on top of that?

~~~
troydavis
> Why do we need to implement a surveillance state on top of that?

Most contact tracing comes up as part of re-opening businesses (and schools,
though in the US that will probably be in the fall), not as much for the
current complete shutdown.

[https://www.aei.org/research-products/report/national-corona...](https://www.aei.org/research-products/report/national-coronavirus-response-a-road-map-to-reopening/)
has a good explanation of why contact tracing is an important part of
re-opening. The gist is that any amount of re-opening is likely to bring R0
much closer to 1 than it is during the current complete shutdown. The question
then becomes how (well, how else) to minimize spread when new cases do occur.

Think of contact tracing as one way to replace the impact that’s currently
provided by shutting everything down.

------
mantap
Entire countries are under house arrest. I don't trust the government but I
also want my parents to be able to go to store or hospital without risking
their lives. Pretty much everybody is either in at-risk group themselves or
has a close relative or friend who is at-risk.

Maybe this isn't the dystopia we deserve, but it's the dystopia we need.

~~~
eivarv
From a technical perspective, you don't need to trust the government in these
cases - provided that they implement the solutions with built-in privacy.

~~~
A4ET8a8uTh0
I don't want to be snarky, so instead let me ask what solutions would you
recommend for it?

~~~
eivarv
I just meant that there are technical approaches that don't necessarily
involve centralized storage of everyone's movements and contacts, but achieve
the same goals.

Singapore (and others, for that matter) has allegedly solved some of these
issues in their soon-to-be open source contact tracing app [0].

They basically let every device keep track of itself and its encounters -
until a diagnosis is made.

Can't remember the details from there off the top of my head, but you'd either
do a lookup via a central authority, or notify peer-to-peer, depending on what
other mechanisms are in play (ephemeral/co-signed IDs, etc.)

[0]: [https://www.tracetogether.gov.sg/](https://www.tracetogether.gov.sg/)

------
A4ET8a8uTh0
I was listening in to yesterday's WH briefing and surveillance and contact
tracing were mentioned multiple times with none of the media reps asking for
details. I do know it is a genuine emergency, but I just don't trust government
that much.

------
buboard
Sure, we can write 10 page bioethics essays, but when contact tracing is
implemented it won't even be an app, governments will access data directly
from carriers. And people will be ok because they're scared.

