
Apple and Google partner on Covid-19 contact tracing technology - ikarandeep
https://www.apple.com/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/
======
fauigerzigerk
Promising opt-in is a bit disingenuous. These tech giants are creating a
technological capability. Whether or not it is opt-in, opt-out or mandatory is
then decided by governments, now and in the future.

This is of course nothing new. But it's worth noting considering how high the
tolerance for extremely intrusive government action currently is and how
extremely weak any resistance is bound to be.

I'm not saying I'm against contact tracing in the current situation. But that
shiny new button that governments get to press will never go away.

Edit: Reading the spec, I found a piece of information that may be of
interest: This technology allows contact tracing without necessarily revealing
the location where that contact has taken place. So that could indeed be a
privacy benefit over alternative approaches.

[https://covid19-static.cdn-apple.com/applications/covid19/cu...](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-BluetoothSpecification.pdf)

~~~
jedberg
They already have the shiny button. They can compel cell phone companies to
give this data to the government already, without you knowing about it.

At least this way you will get some control of the info and you'll know what
was collected and have control of its disclosure (for now).

In other words, this is no worse than what the government is already capable
of, it just makes it easier for _you_ to share the data with health care
providers.

The government already has all these abilities.

~~~
FartyMcFarter
> They can compel cell phone companies to give this data to the government
> already

Bluetooth has a quite small range, which may give higher tracking precision
(to anyone receiving the signal) than the data cell phone companies have.

~~~
jschwartzi
Bluetooth 5.1 devices can do both distance and direction, so if you have a
bunch of beacons you can determine your location to sub-meter accuracy.

~~~
lwf
Realistically, what does sub-metre accuracy help with "evil" (catch-all for
all non-disease-related) surveillance that, say, a 5-10m is insufficient for?

~~~
akiselev
Hyper localized association. Like, for example, a dissident organizing a local
chapter of some organization who disperses information via in person hand offs
of handwritten papers every. In this example, their hand off point, in a small
town of tens of thousands, is the Saturday farmers' market that runs from 8
until 5 or so. They and their conspirators all went to the farmers' market
regularly before so it's completely natural for them to appear within 5-10
meters of each other a few Saturdays a month (usually because the three most
popular food trucks have long lines right next to each other). Except now
"evil" can roll up the ringleader and see a pattern of who passed within an
arm's reach every time the ringleader got a message from the head organization
without actually spending the resources to surveil anyone in person.

"Evil" usually doesn't care enough about most people to spend significant
resources surveilling them. The danger in dropping that threshold is that
"evil" invents new ways to exploit any efficiency.

------
The_Double
There is surprisingly little discussion about the actual spec here. It looks
really good to me!

- Advertisements change every 15 minutes, are not trackable unless keys are
shared.

- The only central bit is a repository of "infected" daily keys.

- No knowledge about contacts is shared with a central authority.

Nothing is shared unless you are infected and decide to share your keys, which
are only valid for one day. I don't see how you could have a real argument
against this unless you are a privacy extremist. It also seems more privacy
friendly than the Singapore or German apps.

~~~
lultimouomo
One issue I see is that when I query the central repository of infected IDs I
expose to the central server the IDs I've been in contact with (unless I
always download all of them, but that doesn't seem feasible).

It seems like this could be solved by providing a K-anonymous query interface
like the one exposed by Have I Been Pwned. I wrote to the contact email
address of PEPP-PT, which is a European initiative to develop a system that
seems pretty much the same as this, suggesting this, but I got no answer (not
that I was really expecting one).

~~~
joshuamorton
Ah, you mentioned the HIBP example, although for this search space you may be
able to get by with just a download of all of them. If you stick to, say,
state by state sharding, you get around 30 MB of hashes for the worst case
(NYC).

If you further reduce that by only providing new confirmed hashes since a
timestamp, the client can track when they last downloaded the data and pull
only the delta, you end up with a few MB a day, which compares quite well to
say, a video call.

~~~
lultimouomo
Geographical based sharding seems to break down once people travel though.
Just a single visit to a hub airport might have gotten you in contact with
people from all around the world (I assume that the objective of this
initiative is to try and get us at least part way back to normal). Even if you
don't travel, but other people are, you will be in contact with people who are
registered as infected in a different region.

Also I don't think NYC is at all the worst case in the world, there are a lot
of megacities that dwarf it in size...

~~~
chispamed
You could still have geo sharding if the device also saved the location
locally and shared the diagnosis for every zone it’s been in / downloaded the
data for all zones. Ofc that would mean more data to process for travelers but
it should still be way less than the data of the entire globe.

------
petedoyle
This is huge. A limiting factor has been iOS not being able to (on purpose,
for privacy, and battery life) do BLE scanning (edit: or advertising, thanks
Slartie) in the background. I imagine this will enable that for specific apps,
and I have high confidence privacy will be well-implemented by Apple's
involvement (edit: see tastroder's comment for technical docs). Having a
single, well-designed spec for Bluetooth advertisement will prevent a world
where there are different contact tracing apps, none of which can see each
other. Doing this at the platform level will enable enough density of installs
to make this effective at scale.

~~~
Slartie
The even bigger obstacle was apps not being able to broadcast beacon signals
while they are in background. You could devise workarounds for the scanning
problems, but this particular problem of having to be able to continuously
advertise your beacon signals did not have a workaround AFAIK. The
"workaround" was requiring people to have the tracing app active in foreground
all the time, which obviously sucks from a UX perspective and means nobody
will do it.

That's why this involvement is really huge and welcome! And besides clearing
out existing arbitrary API limitations, Apple's involvement in potential
protocol design for such tracing technology is a welcome addition in my view
as well, because in contrast to Google, Apple at least earned a modicum of
trust when it comes to putting the privacy interests of their customers first.

~~~
petedoyle
Also excited because they can likely push both advertisement and scanning into
the BLE chips themselves, letting the rest of the system (CPU, etc) sleep. Big
win for battery life.

------
DavideNL
Am I the only one who thinks it's mindblowing that people use Facebook,
Instagram, Linkedin, etc. however now that Apple + Google release a tool to
prevent thousands of people from dying in a pandemic they start
thinking/complaining about the _possible_ privacy implications? (without even
having read the specs or knowing the details...)

~~~
alyz
This is dangerously close to Feinstein's "think of the children" argument.

If people complain about EARN IT, they _should_ investigate privacy
implications of this "enhanced" tracking technology.

~~~
cbsks
Yes, they should investigate. But they should investigate _before_ reaching a
conclusion.

------
soamv
The spec pdf looks a lot like the DP-3T protocol. The DP-3T docs have more
explanation and a good discussion of privacy aspects.

[https://github.com/DP-3T/documents](https://github.com/DP-3T/documents)

paper:
[https://github.com/DP-3T/documents/blob/master/DP3T%20White%...](https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf)

data protection aspects:
[https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Da...](https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Data%20Protection%20and%20Security.pdf)

Here's an overview comparing that approach to some others (such as Singapore's
tracetogether):
[https://github.com/vteague/contactTracing](https://github.com/vteague/contactTracing)

~~~
colmmacc
They're not the same and I think Google/Apple's is a bit better. In DP3T the
infected person shares a single daily key from which all future daily keys can
be derived. In Google/Apple's each daily key is HKDF derived from a master key
and they are not linkable. Infected people share the relevant daily keys from
their infection period. That's more data to push around, but it is better for
privacy.

It means that contacts with infected persons can't be linked across days, and
it means that I can't build an app that alerts me that someone who was
previously infected just walked by.

~~~
Confiks
> It means that contacts with infected persons can't be linked across days,
> and it means that I can't build an app that alerts me that someone who was
> previously infected just walked by.

Edit: This actually turns out to be correct, but your conclusion:

> It means that contacts with infected persons can't be linked across days,
> and it means that I can't build an app that alerts me that someone who was
> previously infected just walked by.

Is not possible, because every time secrets are made public, the secret key is
reset.

[1]
[https://github.com/DP-3T/documents/blob/master/DP3T%20White%...](https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf)

~~~
sratner
I see: SK_(t) = H(SK_(t-1)), where SK_(t) is the secret key for day t.

This seems to align with the statement that knowing the key for one day (i.e.
once it is uploaded following diagnosis) allows one to derive all future keys.
Is there another section I am missing?

Edit: clarified that daily keys are shared post-diagnosis, to trace prior
contact.

~~~
Confiks
Indeed, sorry. I was under the impression that every daily ratchet-key was
independent, and only the inter-day keys were linked. The conclusion of your
post still is not possible however. I edited my post.

------
pimterry
An interesting Twitter thread on why the stand-alone contact tracing apps that
many others are building won't work, and why integrated platform solutions
like this are necessary:
[https://twitter.com/zainy/status/1248482486524379137](https://twitter.com/zainy/status/1248482486524379137)
(but of course, necessary does not mean sufficient)

~~~
wiz21c
Also, efficiency depends on how many persons can be tested. If it's 10000 a
day, in my country, it's about 1/500th of the population a day... If it's
enough to test say 1/10 of the population to have some results, this will take
1-2 months...

I have the impression that all of this is forced upon us as to make us believe
that it is safe to get back to work ASAP. Wouldn't it be better to just wait ?
(I'm not interested in the economical debate : this will invariably lead to
compromises such as how many victims can we afford to keep the economy going ?
(nobody will tell it that way, but in the end that's the truth behind those
arguments))

~~~
therealdrag0
FWIW, I’ll “tell it that way”. I think it’s an interesting topic. And a real
one manifest in our actions all the time. There is a real cost to life and
trade offs.

~~~
wiz21c
I'd say that's the pragmatist versus idealist debate. I'm on the latter side
:-)

~~~
therealdrag0
Well if we were hanging out in person it’d be fun to hash this out :)

------
crypt1d
I've spent the last 3 weeks with my team building exactly this - contact
tracing apps for both android and ios that use bluetooth tech[1]. This will
probably require us to redo the app completely to fit into their API plans,
but I'm glad they are, in a way, acknowledging our idea.

The troubling thing is, bluetooth-based contact tracing is in no way easy.
Different android phones handle background bluetooth scanning / advertising
differently and some tend to require additional config changes - such as
disabling battery saving features - to even make it work. And iOS bluetooth
advertising in background is just bad. Since u can't add custom UUIDs to the
advertisement package, just advertising data is often not enough, so u have to
connect too, which creates a range of other problems. I suspect they will
release OS upgrades to solve some of these issues, but not all devices will be
fixable (eg, older Android devices). This, combined with the fact that they
will start rolling out this feature in May, makes me think it will not help us
much for the latest wave of COVID-19 infections. Might come in handy for the
next epidemic, though.

[1] - [https://github.com/cryptekio/corridorapp-android](https://github.com/cryptekio/corridorapp-android)

~~~
WikipediasBad
Do you think that GPS coordinates will be exposable with the API so that there
can be public tracing maps online? Obviously a big privacy issue where the
actual bluetooth ID and the person's identity have to be fully anonymized but
if GPS coordinates of contact points can be exposed publicly, there can be
good public tracing maps that can show where contact events are happening and
in what numbers so that people can avoid certain areas (and on the other end
where other areas are safe where there's no contact). This can publicly also
be used to display R0 counts in different zip codes and geographic areas.

~~~
crypt1d
I don't see any mention of it in the current context of bluetooth device
proximity tracing. It is possible, however, that apps that will build up on
this API will also fetch location history separately from already established
mechanisms on each OS.

As a matter of fact I see this as a very likely scenario as this is precisely
what South Korea has already done.[1]

[1] - [https://www.youtube.com/watch?v=BE-cA4UK07c](https://www.youtube.com/watch?v=BE-cA4UK07c)

~~~
WikipediasBad
I think the real interesting private sector utility will come from
implementations of the contact-tracing map instead of just the bluetooth app
(which there will likely be "official" ones or ones being worked on directly
by Google/Apple themselves).

------
justusthane
Pretty good illustration of how private and secure contact tracing can work
here: [https://ncase.me/contact-tracing/](https://ncase.me/contact-tracing/)

Not sure whether that's what this implementation would look like.

~~~
FartyMcFarter
I'm not a security expert. However, this part looks worrying:

> alice can also hide messages from times she wants to keep private

If there's a need for this, doesn't that imply that the scheme does not
actually keep Alice's privacy in all situations?

Furthermore:

> the random messages give the hospital NO INFO on where Alice was

This seems to assume that the hospital (or anyone with access to the data,
such as governments) didn't capture the broadcast messages together with their
location. With enough Bluetooth receptors in busy areas, a government could
easily find out where Alice had been by looking up each of her messages in
their list of message/location pairs?

Experts can probably come up with nastier and/or easier exploits...

~~~
charlesju
This definitely isn't "private". It's just obfuscated.

~~~
LolWolf
Agreed, whenever you divulge any info, you're always losing bits of randomness
(obviously, more or less depending on how good the protocol is!).

In particular, given an adversary who has several points (receiving these
codes) and knows the receiving location of each of these points can de-
anonymize a person "A" who is COVID positive if they know, _e.g._ , a minimal
amount of A's usual daily movements (from cellphone tower location, for
example).

That being said, the government probably has better ways of knowing who has
COVID-19 and other infectious diseases :)

------
acqq
The relevant privacy details:

[https://covid19-static.cdn-apple.com/applications/covid19/cu...](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-CryptographySpecification.pdf)

"Privacy Considerations

• The key schedule is fixed and defined by operating system components,
preventing applications from including static or predictable information that
could be used for tracking.

• A user’s Rolling Proximity Identifiers cannot be correlated without having
the Daily Tracing Key. This reduces the risk of privacy loss from advertising
them.

• A server operator implementing this protocol does not learn who users have
been in proximity with or users’ location unless it also has the unlikely
capability to scan advertisements from users who recently reported Diagnosis
Keys.

• Without the release of the Daily Tracing Keys, it is not computationally
feasible for an attacker to find a collision on a Rolling Proximity
Identifier. This prevents a wide-range of replay and impersonation attacks.

• When reporting Diagnosis Keys, the correlation of Rolling Proximity
Identifiers by others is limited to 24h periods due to the use of Daily
Tracing Keys. The server must not retain metadata from clients uploading
Diagnosis Keys after including them into the aggregated list of Diagnosis Keys
per day."

It doesn't look bad, at least, at the first sight.

A detail: I hope the "day begin" for the "Daily Tracing Key" is the same for
all users? I.e. not a local day but e.g. GMT+0 day or something.

------
Reason077
That combination Apple-Google logogram is scary! It’s like an image from some
corporate future dystopian sci-fi.

~~~
mturmon
The logogram in OP suppresses Google’s four colors, and so did the one on
Google’s blog:

[https://blog.google/inside-google/company-announcements/appl...](https://blog.google/inside-google/company-announcements/apple-and-google-partner-covid-19-contact-tracing-technology)

Also, the Apple logo is first. I wonder how this was decided?

~~~
dylan604
A comes before G? Logo designs typically have a logo followed by text. Seems
to apply here too. It might not be anything about who can pee further.

~~~
ummonk
> Logo designs typically have a logo followed by text

This. It would look weird if the order were the other way around.

------
olgs
Looks like it was inspired by the TraceTogether app built by the Singapore
Government and recently open-sourced.

[https://www.gov.sg/article/help-speed-up-contact-tracing-wit...](https://www.gov.sg/article/help-speed-up-contact-tracing-with-tracetogether)

[https://github.com/OpenTrace-community](https://github.com/OpenTrace-community)

~~~
the_mitsuhiko
> Looks like it was inspired by the TraceTogether app built by the Singapore
> Government and recently open-sourced.

Not really. This is based on the TCN approaches by Covid-Watch, Co-Epi and
DP-3T (submission to PEPP-PT). TraceTogether fundamentally functions very
differently.

~~~
ericlavigne
Link to the TCN Coalition: [https://tcn-coalition.org/](https://tcn-coalition.org/)

I am one of the developers working on Co-Epi, and am very happy to see that
Apple and Google are improving their APIs to support our work.

------
kccqzy
Google announcement: [https://www.blog.google/inside-google/company-announcements/...](https://www.blog.google/inside-google/company-announcements/apple-and-google-partner-covid-19-contact-tracing-technology/)

~~~
tastroder
Further deep links to the technical side:

[https://covid19-static.cdn-apple.com/applications/covid19/cu...](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-CryptographySpecification.pdf) Cryptographic Specification

[https://www.blog.google/documents/55/Android_Contact_Tracing...](https://www.blog.google/documents/55/Android_Contact_Tracing_API.pdf)
Android API

------
blhack
The interest in "privacy" around contact tracing seems like a ship that sailed
a long time ago to me. Verizon etc all already have this data, and it isn't
"private", and so does uber, lyft, and every other overly-aggressive-
permission-asking app that anybody has ever installed.

Privacy is really important: but we lost it all a long long time ago. Maybe
saying "well now we can do a good job of contact tracing" is at least _some_
good coming out of that loss of privacy. I just hope we don't end up wasting
time trying to make the contact tracing "private" as if by doing otherwise
we'd be giving something up that we didn't already give up long ago.

~~~
joosters
That's too defeatist: these contact tracing tools will be gathering data that
isn't available any other way - otherwise, they'd just be going straight to
Verizon etc for what they need.

Presumably the bluetooth recording will give much better fidelity/precision
about who is close to who, in all conditions (in buildings, in the subway,
etc), where simple phone triangulation or GPS won't be accurate enough.

That's far more data than the phone companies have on us right now, so it is a
good thing that people are considering the privacy issues. Just saying "we've
already lost" only makes things worse.

~~~
Eridrus
I don't know how effective this was, but Israel did exactly this:
[https://techcrunch.com/2020/03/18/israel-passes-emergency-la...](https://techcrunch.com/2020/03/18/israel-passes-emergency-law-to-use-mobile-data-for-covid-19-contact-tracing/)

US public institutions seem frankly sclerotic. The fact that the government
has or has not done something provides almost no signal on whether something
is possible or not.

------
A4ET8a8uTh0
Two major OS platforms covering majority of the population working together in
an attempt to better track current populations at behest of the government.
How could anyone even begin to feel a wee bit cynical? To question this effort
is worse than wanting PATRIOT ACT to expire. It is downright un-American.

I hate the fact that I definitely see a good reason for it and the government
is more than happy to accommodate this power grab.

~~~
RandallBrown
This doesn't appear to be a way for the government or tech companies to track
people. Looking through the API docs I _think_ it's designed just to alert
people who may have been exposed.

It lets someone identify as Covid-19 positive and then if people have come
into contact with them, you can be alerted. Most of the processing happens on
device and it doesn't use location data.

It looks like it would be very hard to abuse by governments or businesses, but
I'm not an expert on these kind of things.

~~~
ehsankia
Indeed, if I understand correctly, the device locally stores a bunch of keys of
people you've been in contact with, and there is no way of working backward
from the keys to who it was, and these keys also change daily. Then when
someone marks themselves as infected for days A through Z, their keys for
those days are sent to devices, where the devices check locally if they have
the given person-day keys stored.

Do I understand this correctly? It's almost all done locally, there's nothing
about location, and almost nothing is sent up until you mark yourself as
infected, right?

EDIT: This is the best high-level explanation I've found:
[https://blog.google/documents/57/Overview_of_COVID-19_Contac...](https://blog.google/documents/57/Overview_of_COVID-19_Contact_Tracing_Using_BLE.pdf)

------
nixpulvis
The key in all this is the user's ability to _choose_ to disclose when they
were tested as infected. If this choice isn't baked deep into the protocol, it
will be far too easy for things to go horribly wrong down the road as this
technology is adapted for other roles.

As an obvious (and not all that impossible) example, consider a Bluetooth
device owning person who is, in fact, physically isolated. No amount of
"privacy preserving" anything will fix the issue if they know they've only
been within range of 2 other people in the last <insert time window here>.

The paranoid user would want to change their disclosure settings upon entering
the domain of this isolated individual, since they can be sure they would be
able to be identified.

Sadly, not all users will know who was and who was not isolated, so the notion
of privacy is simply impossible as far as I can tell. You are weighing the
social good vs the potential personal harm based on your unique environment.
Nothing fundamentally changes this.

------
lalos
It just takes one erroneous logging call in the wrong place and all this
niceness goes away. Hopefully we don't get a headline in the future of "Bug
found with contact tracing app, we actually had access to everything but we're
sorry and we'll fix it". Not entirely against this work, it will provide
benefit but let's hope for the best.

~~~
tcd
This is why it'd be nice for the APK/installable file to have a hash that can
be verified against an open source version. In theory someone should spot
anything that doesn't look right.

But that can't/won't undo the effects of something being called "private"
being exposed not to be after all...

------
est31
[https://covid19-static.cdn-apple.com/applications/covid19/cu...](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-CryptographySpecification.pdf)

> Upon a positive test of a user for COVID-19, their Diagnosis Keys and
> associated DayNumbers are uploaded to the Diagnosis Server. A Diagnosis
> Server is a server that aggregates the Diagnosis Keys from the users who
> tested positive and distributes them to all the user clients who are using
> contact tracing.

Is this scalable? Earlier in the document they mentioned that the tracing keys
are 16 bytes long. Let's assume that there are 3 million patients in a
country. That'd be 48 megabytes each user has to download and process _per
day_ to check whether they've been in contact with an infected person
(processing involves calculation of 144 HMACs per tracing key). I don't think
this is feasible at scale and one can't avoid thinking about area recognizing
diagnosis servers.

E.g. Smartphones of patients would upload not just the diagnosis keys, but
also the areas (county, district, something like that) they've been inside
during that day. Then smartphones querying the diagnosis servers would have to
send the areas they are interested in. But it's easy to see that this approach
is then quite privacy invading. On the bright side, this info is already
available to carriers so it's already a sunken cost so to speak.

~~~
nkohari
There wouldn't be 3 million new patients per day. Wouldn't each phone just
need to download the newly-discovered cases since the last time they checked?

~~~
est31
Each patient creates a new key per day. Only those keys are uploaded. So
everyone who is positive in the app needs their keys to be uploaded. At least
this would be a reasonable design choice of the app. Maybe the designers of
the app assume you actually follow the quarantine that infected people should
do and don't leave your home. In that case, the app can stop uploading of
those daily keys.

------
divbzero
This is the best news I’ve heard all week.

I had thought that Apple and Google are in the best position to distribute
contact tracing widely [1] but couldn’t figure out if they were working on it.
It turns out they were.

[1]:
[https://news.ycombinator.com/item?id=22704460](https://news.ycombinator.com/item?id=22704460)

Big tech can do good and we should applaud their efforts when they do it
right.

------
tlrobinson
Moxie's analysis:
[https://twitter.com/moxie/status/1248707315626201088](https://twitter.com/moxie/status/1248707315626201088)

------
fareesh
Can we put the genie back in the bottle after this is over? I feel like once
there's a precedent to do this, it becomes a slippery slope to less palatable
things, even if not the worst possible things.

------
graeme
Thinking big, if this works against covid: could it later be used to severely
limit or eliminate diseases such as the common cold and the flu?

That would be an incredible win for humanity.

~~~
hdjrork
Nobody does contact tracing for flu, let alone common cold (which is caused by
a bunch of different viruses)

Also, common cold mortality is extremely low.

~~~
disgruntledphd2
We could, though. It's not practical today, but it's definitely something that
humanity could achieve, especially with technology like this.

Even if it's not the most important thing we could do, eliminating influenza
and the common cold would be pretty fricking awesome.

------
jefftk
See
[https://idlewords.com/2020/03/we_need_a_massive_surveillance...](https://idlewords.com/2020/03/we_need_a_massive_surveillance_program.htm)
for why this is really important

~~~
tengbretson
> But for the moment, we are united by fear and have some latitude to act.

We're literally still fighting the wars that arose out of the last time we
acted in a moment where we were "united by fear."

~~~
34679
And living with the erosion of Constitutional protections that seem all too
easy to push through in times like these, but impossible to roll back
afterward.

~~~
Mirioron
And this is why it's done during a crisis: it works. All the education and
talk about how the last time the government overstepped their bounds goes out
the window the moment a crisis hits. Then it's all about "why isn't the
government doing more?"

------
almost_usual
I think this would be a good solution for essential workers to track their
personal health while social distancing is in effect.

I can foresee a large second wave due to this falling short if we relax social
distancing measures. There have been cases where people test positive then
test negative and then positive again. It would require redundant testing per
individual on a schedule.

There are a lot of people who will not be tested, there are a lot of people
without smartphones. This virus has spread so far at this point we’d need to
test every US citizen to know the blast radius.

I understand people are hopeful and want things to return to ‘normal’ but I
can’t imagine it without a vaccine in the US.

------
kian
It says this is opt-in - is this just the sending of covid information, or is
it the entire contact-tracing key-exchange enterprise?

~~~
acqq
If I understand correctly, it's up to every infected person to manually click
"upload" (edit: here was "who I was close to", but it's not correct, see note
1 here) once he gets diagnosed, i.e. completely voluntary.

That is so that once one is diagnosed others can check if they were close to
that one (and when?). And even these lists aren't supposed to be any typical
metadata but something that stays local and the third parties can't
reconstruct.

The idea is, again if I understood, that those who remain negative never have
to upload anything that gives any traceable information about them.

See my other post here with other relevant quotes from the specification.

----

Edit:

1) Actually what is uploaded is: "the Daily Tracing Keys for days where the
user could have been affected"

"Upon a positive test of a user for COVID-19, their Diagnosis Keys and
associated DayNumbers are uploaded to the Diagnosis Server. A Diagnosis Server
is a server that aggregates the Diagnosis Keys from the users who tested
positive and distributes them to all the user clients who are using contact
tracing."

The matching is done locally on every device:

"In order to identify any exposures, each client frequently fetches the list
of Diagnosis Keys. Since Diagnosis Keys are sets of Daily Tracing Keys with
their associated Day Numbers, each of the clients are able to re-derive the
sequence of Rolling Proximity Identifiers that were advertised over Bluetooth
from the users who tested positive. In order to do so, they use each of the
Diagnosis Keys with the function defined to derive the Rolling Proximity
Identifier. For each of the derived identifiers, they match it against the
sequence they have found through Bluetooth scanning."

~~~
tinus_hn
You can’t upload who you were close to because you only have a set of pieces
of data that can’t be traced back to people without their key. Only if
infected, you upload your key to the server which distributes it to the others
who can then tell if they’ve been close to you.

~~~
acqq
> Only if infected, you upload your key to the server

You are more right than I was initially, thanks!

Actually, to be even more precise: only if infected, you upload _the set of
your own derived keys_ , and apparently only for the days you could have
transmitted the virus to other people.

From the documentation:

"Upon a user testing positive, the Daily Tracing Keys for days where the user
could have been affected are derived on the device from the Tracing Key. We
refer to that subset of keys as the Diagnosis Keys. If a user remains healthy
and never tests positive, these Daily Tracing Keys never leave the device."
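Added example, not from the thread or from the Apple/Google spec: a Python simulation of the key hierarchy and local matching the quoted passages describe (Tracing Key stays on the device, Daily Tracing Keys are derived per DayNumber, Rolling Proximity Identifiers are advertised, only a positive user's Diagnosis Keys are uploaded, and every client matches locally). The derivation functions are HKDF/HMAC stand-ins rather than the spec's exact definitions, key lengths, the 96 fifteen-minute intervals per day and all Tracing Keys are constructed assumptions; it also sizes the Diagnosis Key download that rburhum and y7 discuss further down.

```python
import hashlib
import hmac
import os

DTK_LEN = 16            # bytes per Daily Tracing Key (assumed, not from the spec)
RPI_LEN = 16            # bytes per Rolling Proximity Identifier (assumed)
INTERVALS_PER_DAY = 96  # identifier rotates every 15 minutes, as the thread says
DAY_NUMBER_LEN = 4      # bytes used to encode a DayNumber in the upload (assumed)


def hkdf_sha256(key, info, length):
    """Minimal HKDF (RFC 5869) with an empty salt; stand-in for the spec's KDF."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def daily_tracing_key(tracing_key, day_number):
    """Daily Tracing Key for one DayNumber, derived from the device's Tracing Key."""
    info = b"CT-DTK" + day_number.to_bytes(DAY_NUMBER_LEN, "little")
    return hkdf_sha256(tracing_key, info, DTK_LEN)


def rolling_proximity_identifier(dtk, interval):
    """Identifier advertised over BLE during one 15-minute interval of the day."""
    mac = hmac.new(dtk, b"CT-RPI" + bytes([interval]), hashlib.sha256).digest()
    return mac[:RPI_LEN]


class Device:
    """One phone: holds its Tracing Key and the identifiers it has scanned."""

    def __init__(self, tracing_key=None):
        self.tracing_key = tracing_key or os.urandom(32)  # never leaves the device
        self.observed = set()  # scanned RPIs: no identity, no location attached

    def advertise(self, day, interval):
        return rolling_proximity_identifier(
            daily_tracing_key(self.tracing_key, day), interval)

    def observe(self, rpi):
        self.observed.add(rpi)

    def diagnosis_keys(self, contagious_days):
        """Diagnosis Keys: the DTKs for the contagious days only, with their
        DayNumbers. This is the only thing a positive user uploads."""
        return [(d, daily_tracing_key(self.tracing_key, d)) for d in contagious_days]

    def find_exposures(self, published):
        """Local matching: re-derive every RPI of each published Diagnosis Key
        and compare against what this device actually scanned."""
        hits = []
        for day, dtk in published:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_proximity_identifier(dtk, interval) in self.observed:
                    hits.append((day, interval))
        return hits


def download_size_bytes(num_cases, days_per_case):
    """Size of the Diagnosis Key list every client fetches (DayNumber + DTK per day)."""
    return num_cases * days_per_case * (DAY_NUMBER_LEN + DTK_LEN)


def simulate():
    """Alice, Bob and Carol with constructed fixed Tracing Keys; Alice tests positive."""
    alice = Device(bytes(range(32)))
    bob = Device(bytes(range(32, 64)))
    carol = Device(bytes(range(64, 96)))
    # Day 100: Bob scans Alice's identifier in interval 40, Carol in interval 41,
    # and Alice scans Bob's. Nobody was near anyone on day 99.
    bob.observe(alice.advertise(100, 40))
    carol.observe(alice.advertise(100, 41))
    alice.observe(bob.advertise(100, 40))
    # Alice is diagnosed and uploads Diagnosis Keys for days 99 and 100 only;
    # Bob's and Carol's keys never leave their phones.
    server_list = alice.diagnosis_keys([99, 100])
    return (bob.find_exposures(server_list),
            carol.find_exposures(server_list),
            alice.find_exposures(server_list))


if __name__ == "__main__":
    print(simulate())                        # ([(100, 40)], [(100, 41)], [])
    print(download_size_bytes(15_000, 14))   # 4200000
```

Alice's own scan of Bob's identifier never produces a match against her own published keys, and a device that only observed identifiers it cannot re-derive learns nothing about who advertised them.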

------
freakynit
This has a very serious potential to be misused to target an individual for
nefarious purposes.

~~~
tpmx
By "apps from public health authorities", that you have to install yourself?

~~~
kmetan
We could be discriminated against (by public and private actors) for not having
this app installed. We should be able to convincingly deny the opt out...

------
zby
I know it is about APIs - but no mention of any Free or at least Open Source
Software example implementations makes me worry.

I was expecting that people would organize around git repos - but no, just one
of the many COVID tracing initiatives published their code.

It is [https://github.com/tripleblindmarket/covid-safe-paths](https://github.com/tripleblindmarket/covid-safe-paths) by the way.

~~~
tastroder
This specific one came out a few hours ago and is pretty auditable even if
those two don't disclose their implementation for this tiny part.

Other than that many, in fact most of those I know to be active, tracing
efforts are pretty open, the one you linked is definitely not the only one
that currently publishes their source or plans to do so in the near future.
There's even been others in this thread.

~~~
gideon_b
Agreed, most of them are completely open. Here's the best effort I have seen
to document all the parallel efforts:

[https://docs.google.com/document/d/16Kh4_Q_tmyRh0-v452wiul9o...](https://docs.google.com/document/d/16Kh4_Q_tmyRh0-v452wiul9oQAiTRj8AdZ5vcOJum9Y/edit)

------
rburhum
Went over the docs (Google and Apple's), but there are a few things that are
not clear to me.

This is my summary of how I interpreted it works:

- A [Tracing Key] is stored locally in every device.

- A [Rolling Key] gets regenerated every day based on the [Tracing Key]

- A [Proximity Identifier] gets regenerated every 15 minutes and broadcasted
to other bluetooth devices.

- The Contact Tracing Bluetooth Specification does not require the user’s
location; any use of location is completely optional to the schema.

- Other devices save the [Proximity Identifier] locally.

- History is stored for a couple of weeks

Some questions about how I interpreted the rest:

- The device wakes up once a day and downloads the list of identifiers that
have been known/reported to have COVID. It compares on device whether you are on
that list. Q: Wouldn't this list be insanely long? More so if it doesn't have
any concept of location?

- If you have COVID-19, you can report to the servers that you were found to
have it. Your rolling identifiers get uploaded to the "cloud server". Q:
Which "cloud server"? Whose cloud server?

Any clarifications are strongly welcomed :)

- If diagnosed with COVID-19, users consent to sharing Diagnosis Keys with
the server.

~~~
y7
> Q: Wouldn't this list be insanely long? More so if it doesn't have any
> concept of location?

I don't think such a list would be that long:

1. It's not unreasonable to have some approximate concept of location (e.g.
"New York City and surroundings")

2. A contact tracing app is only useful when the number of new infections is
low enough, such that all possible contacts can be tested.

3. For a tracing key 32 bytes would suffice. Even for 15,000 relevant
infections you're only looking at 0.5 MB of data.

~~~
rburhum
Thanks for the answer. Now, I am not sure your tracing key gets updated, as far
as I understood. Isn't it the individual 15-minute-long identifiers that get
updated?

Also, not sure you can limit to surroundings just yet... people are still
moving too much.

------
sneak
PDF of spec draft: [https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-CryptographySpecification.pdf](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-CryptographySpecification.pdf)

------
rojobuffalo
Contact tracing has a time and place, and it's early in isolated outbreaks.
The cat is out of the bag at this point and thinking we're going to contact
trace our way to safety is a false promise. You'd have to be naive and short-
sighted to accept their pinky-promise of privacy-first in this context.

~~~
Eridrus
If you assume the goal of contact tracing is to literally find every
infection, yes, this isn't going to work. If you assume the point of this is
to reduce R0, then this will work just fine at any stage of the pandemic.

There's obviously a question of what you should do when you find out you have
been in contact, and that will differ depending on the stage. We probably want
to be in a position where everyone who has come into contact with an infected
person can get a test asap and if necessary then go into full isolation, not
just going out less.

~~~
arcticbull
How much more can you reduce the R0 below "nobody's allowed within 6 feet of
each other"?

~~~
2019-nCoV
It's about maintaining an R0 < 1 after social distancing is relaxed. Without
contact tracing we're destined for a cycling of lockdowns until we have a
vaccine.

~~~
buboard
if you're not social distancing there's no way you can stop this virus with an
app. it's a highly highly infectious airborne virus. you can ease the lockdown
and keep distancing rules. not sure if the app will help in that case

------
devonproctor
I'm surprised that there isn't more discussion of leveraging the extensive
location data that Google already routinely collects via Android and Google
Maps mobile apps.

I'd love any feedback on this simple proposal for a way to enable individuals
to contribute their Google location history data to health care organizations:
[http://covidcontacttracing.com](http://covidcontacttracing.com).

This uses public Google APIs and Google Takeout to get raw gps data and
inferred semantic locations from Google to COVID-19 response organizations.
I've got a prototype that's essentially ready to deploy if anyone has
suggestions for potential partners.

I think the Google/Apple proposal is very promising, but I don't see any
reason not to also put existing data to work on this problem.

------
jefftk
_> would allow more individuals to participate, if they choose to opt in_

I don't see how this can work unless it gets very high distribution. I wonder
if local governments might do something where the shelter-in-place orders are
lifted for some categories of people conditional on running the app?

~~~
CubsFan1060
Given the number of people wearing masks, I think this would have a decent
opt-in rate. Especially since, for most people, this is much easier than
wearing a mask.

~~~
jefftk
People can easily tell whether you're wearing a mask, so social "norm
building" factors work.

~~~
ceejayoz
I wouldn't be shocked if some businesses - movie theaters, malls, etc. - asked
people to show their contact tracing status for entry.

~~~
SlowRobotAhead
Well, I would think that would be met with a you-can-fuck-right-off by most
people.

~~~
ceejayoz
I really doubt that.

Hell, vast numbers of people have been doing it voluntarily already with
loyalty cards.

~~~
SlowRobotAhead
I’m sorry, I might be misunderstanding how loyalty cards work... do they
detect each other and report back to home with what other cards they have been
in proximity to?

~~~
ryanobjc
Kinda at the cash register, right?

~~~
SlowRobotAhead
The cards themselves detect each other without me knowing it?

Checking into to JimmyJohns with a loyalty card is not the same as the guy I
passed on the street's phone checking my phone and both letting JimmyJohns HQ
that we passed each other at 12:53 on at 643 West Main St.

------
bogomipz
Interesting, although it seems as though Singapore's "TraceTogether" app was
able to work successfully without any of these APIs, no?

Tangentially related - Singapore plans to open source their app. There's a few
details about how it works here:

[https://www.theregister.co.uk/2020/03/26/singapore_tracetoge...](https://www.theregister.co.uk/2020/03/26/singapore_tracetogether_coronavirus_encounter_tracing_app_lessons/)

Also interesting to read some of the reviews of the app here:

[https://play.google.com/store/apps/details?id=sg.gov.tech.bl...](https://play.google.com/store/apps/details?id=sg.gov.tech.bluetrace)

~~~
rct42
They've released their open-source version of the app, OpenTrace

[https://github.com/opentrace-community/](https://github.com/opentrace-community/)

Interestingly, in the Android version they request ACCESS_FINE_LOCATION (i.e.,
access to GPS) instead of ACCESS_COARSE_LOCATION (i.e., access to BLE). They
have also included Firebase analytics (which captures city-level location data)
in the app as well.

~~~
bogomipz
Wouldn't bluetooth be preferable to GPS since GPS requires a direct line of
sight? And Singapore being an urban area with underground mass transit and
lots of shopping malls, I would have thought that bluetooth would provide better
accuracy of contact/proximity.

------
samizdis
OK, that's me putting the smartphone in a drawer and picking up a Nokia 3310.

------
champtar
The spec seems nice, but we need a unique app with a unique set of "diagnosis
servers". When you take an international flight with one or multiple
connections you are in contact with people from many different countries;
should you install all the contact tracing apps available on the app
store?

If you have one app per country, you could have the "diagnosis servers" of all
the countries federate and exchange data, but in the end it's easier and more
effective to have 1 official open-source app from say the WHO.

------
ericlavigne
This is excellent news. Many open source projects have been working on this
contact tracing approach for a while now and have been asking Apple and Google
to provide this kind of support.

TCN Coalition is an umbrella group for open source projects who have agreed on
a common protocol, which Apple and Google are also following fairly closely. I
am one of the developers for CoEpi, a member of the TCN Coalition.

[https://tcn-coalition.org/](https://tcn-coalition.org/)

------
pzumk
> We will openly publish information about our work for others to analyze.

Great!

------
kncvetko
As far as I understand the actual risk assessment is done by the Contact
Tracing Framework.

I wonder why this design decision was made. The risk assessment will change
and the apps done by health organization have the expertise on that subject
and shall do the assessment and not the CT framework. It will require an
update of the OS to get latest findings published.

Privacy and other technical decisions are sound and legit.

Has somebody some background information on the reasoning driving that design
decision?

------
santhoshr
The Indian Government launched a contact tracing app that has more than 10m+
downloads: [https://www.mygov.in/aarogya-setu-app/](https://www.mygov.in/aarogya-setu-app/)

Not sure how ubiquitous it is. Nevertheless, given that Android is 90 percent
of the market in India, maybe this can help overcome the iPhone OS-level
constraints that make it necessary for both platforms to work together in
markets like the US.

------
paul7986
Oh those 5G conspiracy theories are now an inch less crazy..still crazy but
contact tracing is indeed big brother. Though for now it's only opt in until
there's an outbreak in a city or state then the government will recommend then
mandate it in those areas. Then as time goes on it becomes the norm and the
majority are fine with being monitored and watched by the government. Public
health vs. human rights/privacy.

------
nojvek
This is really hard to keep private and anonymous, but I'm glad that the
world's two biggest mobile OS makers are working on this.

If this does really work, it could trace millions of people and give this
pandemic some sort of order. Identify hotspots and show a heat map of spread.

Definitely a step in the right direction, hopefully it's executed well too.
I'm pretty sure Microsoft will be jealous they didn't win the Mobile OS market.

------
simonsaidit
Does this then allow us to run this in the background on iPhone? The Danish
and Norwegian governments are looking at using a GPS+Bluetooth based version
because iPhone is so common and not able to work with Bluetooth when the app
is not active, is their argument. Also based on a centralized server. My hope
was Apple would in this circumstance allow Bluetooth to work differently to
avoid unnecessary location data.

~~~
xenospn
Of course you can use Bluetooth in the background. You just have to enable
Background Location Access permission as a user.

------
im3w1l
You can troll by falsely claiming to be infected. With strategically placed
beacons you could scare a lot of people. If the system is as private as they
claim it will be hard to filter out serial trolls.

I suspect they will try to join whatever data is present in your "I'm
infected" report (at least IP, idk if there will be other stuff. advertiser
id?) with their other databases, using trolls as a justification.

~~~
3minus1
In the comic someone posted above they talk about how you must have a code
given to you by a doctor to upload your identifiers. That seems pretty
effective. Similar to prescriptions preventing people from abusing harmful
drugs (yes I know prescription abuse still happens)

------
tmpz22
This project may be necessary to enable fair elections in the United States
and other democratic countries through November. On the other hand if built
improperly it could usher in a 1984-style future with gerrymandering, vote-
rigging, and huge increases in surveillance based government suppression. When
the government is granted emergency powers it almost never gives them back.

Please do not fuck this up.

~~~
rosywoozlechan
How would this contact tracing technology help with vote-rigging?

~~~
tmpz22
If you can track the detailed movements of voters and connect that to party
affiliation you would have complete visibility into meetings, social networks,
and up-and-coming politicians, such that you can prioritize suppression
efforts on those regions. Similar as a whole to gerrymandering, but imagine
key political opponents being shut down "as the data shows a cluster of CV-19
may appear here at this exact date and time".

~~~
dmarchand90
I feel like Facebook is basically already doing this?

~~~
tmpz22
It's mentioned elsewhere on this thread, but this project likely will take
things further to more accurately measure the distance between individuals in
small spaces in order to better track the contagion. This project may also
have more liberal visualization tools, search tools, etc., geared for a task
other than advertising.

No doubt much of this data is already collected in one form or another. But it
is a big step from collecting data, to analyzing it in new contexts, to
visualizing it well, to making it highly accessible to federal non-technical
agencies.

------
jborichevskiy
I am much happier Apple is in the mix here, versus say Google x Amazon. Will
that be enough to rein in the privacy concerns though, who knows

~~~
saagarjha
They have to, as they ship a mobile OS that a large portion of the country
uses.

~~~
FabHK
Yes. The point was (I think) that Apple respects user privacy, having a very
different business model from the data-slurping advertisement firm that ships
the other OS. As such, having Apple’s participation can be seen as
guaranteeing some decent privacy standards (as seems borne out by the spec).

------
Analemma_
For context, start with [https://www.vox.com/2020/4/10/21215494/coronavirus-plans-social-distancing-economy-recession-depression-unemployment](https://www.vox.com/2020/4/10/21215494/coronavirus-plans-social-distancing-economy-recession-depression-unemployment)

The tl;dr is that without a _huge_ , nigh-omniscient program to trace
individual cases, we have no choice but to go on and off Covid lockdown for a
year or more, with potentially devastating economic consequences.

Having Apple and Google develop a built-in tracing program to their phones
with firm privacy guarantees is not good, but it might be the least-bad
solution we have right now.

~~~
mmm_grayons
> Only an official effort, led by Apple+Google or maybe FB and then forced
> upon users, can reach the critical mass needed to make contact tracing
> viable.

This may be right, but how will said vendors "force it" on users? A system
update? That still takes voluntary cooperation.

------
zajio1am
Cannot devices be tracked just by their Bluetooth MAC addresses, or does this
technology use some special frames that do not use these?

------
FartyMcFarter
This is wonderful news for any surveillance state. As the three-page brief on
DP-3T [1] says:

"A tech-savvy adversary could reidentify identifiers of infected people that
they have been physically close to in the past by

i) actively modifying the app to record more specific identifier data and

ii) collecting extra information about identities through additional means,
such as a surveillance camera to record and identify the individuals. This
would generally be illegal, would be spatially limited, and high effort."

If I read this correctly, this means that a government could collect
identifier data on a per-location basis and later link this to someone's
identity (for example with cameras or by tracking the IP address of uploaded
identifiers).

Unfortunately I can think of quite a few entities (e.g. governments) who are
not too worried about doing high effort, spatially limited things in order to
track people's locations. Saying that this is "illegal" (which is probably not
even true in all countries) does not give me confidence it wouldn't happen
either.

[1]
[https://github.com/DP-3T/documents/raw/master/DP3T%20-%20Sim...](https://github.com/DP-3T/documents/raw/master/DP3T%20-%20Simplified%20Three%20Page%20Brief.pdf)

~~~
dmarchand90
I was under the impression that the NSA already was tracking most people
anyway?

~~~
FartyMcFarter
GPS / phone network tracking probably has lower precision than short-range
bluetooth. Bluetooth receivers can be present even in places without network
reception or GPS, and receive signal passively and without a trace.

~~~
dmarchand90
I guess I'm not clear to what extent the NSA hacks people's phones. I would
imagine for most users they would have good access to our GPS data, e.g. via
Google Maps?

Edit: I'm assuming that GPS level precision is sufficient to start the
dystopia

------
zajio1am
I guess court order could be used to get daily tracking keys from you
regardless of covid-19 status, so it could be used for tracking for other
cases.

While it does not directly encode position, with a sufficiently large network of
bluetooth trackers in key places (like mass transit stations) one can be
tracked sufficiently well by that.

------
gideon_b
This is a good thing, and I think in the absence of this solution we would see
intrusive solutions backed by governments and mandated by law. I do have two
questions:

Is there a plan to verify test results? Are public health authorities in small
countries/regions expected to build and maintain an app and a server from
scratch?

------
amitnme
Check out the Indian version of the technology, out there since a couple of
weeks.

[http://jan-sampark.nic.in/campaigns/2020/04-Apr/Arogya/index.html](http://jan-sampark.nic.in/campaigns/2020/04-Apr/Arogya/index.html)

------
TomMckenny
As an aside, I'm not clear why tech startups and VC panicked over this
catastrophe. Given their extreme flexibility, I would think this is the most
promising sector to do some good stuff at the moment and do well after in any
disrupted future environment.

------
ThePhysicist
Good. I always thought if we really want to implement this the two mobile
giants need to propose a standard and implement it on the OS level. It of
course needs to be opt-in and the privacy and security need to be provable
and auditable.

------
Jeija
I've been pondering over the idea of offering the option to use a physical
device, like e.g. a Bluetooth bracelet, for contact tracing in addition to
apps.

For contact tracing to have an impact at all, we need a quite large percentage
of the population to use one of these apps. Even if 60% of the population had
some kind of app installed and this app worked properly, we would still only
detect just 36% of all new infections, since both parties (infected person and
person to be infected) need to use the app. There is a significant portion of
the population that does not want to or cannot use such an app, e.g. the
elderly, kids too young to have their own smartphone, people with certain
disabilities, people that can't carry their phone with them all the time (e.g.
while doing sports / working) etc. This population can still be relevant in
spreading the virus - for instance, when loosening lockdowns, young children
attending kindergarten / school can bridge the gap between families.

Moreover, even among those that own a smartphone and that want to use the app,
I just can't see it all work flawlessly. Outside of the tech bubble, I see
many people with older Android / iOS versions that don't receive updates
(which might be crucial for contact tracing to function without having to keep
the app open at all times) or people simply failing to install updates. We
also don't want the app to be too sensitive (an infected person that happens
to be at the opposite end of the same subway car shouldn't trigger quarantine
for you), but also not too insensitive (people might put their phone in
handbags or attenuate BLE radio waves with their body).

I think that these problems could be solved by offering something like a
standalone Bluetooth bracelet, compatible with whatever App becomes the
standard. It should be possible to mass-produce these relatively cheaply (<5$,
which a BLE beacon currently costs). They would use a Bluetooth chip with known
characteristics and are worn at a defined location (wrist), so it's going to
be much easier to correctly tune their sensitivity. The time-to-market will of
course be longer than that of a potential app, but it currently seems like
we're going to have to live with the virus for a couple of months to come.

The only technical problem I see is that the physical bracelet would need to
receive a (trusted) "list of infected IDs" somehow. Maybe a mesh network of
bracelets with smartphones as information providers could work? Maybe
bracelets could connect to public WiFi? Or maybe we could leverage some
existing low-tech data broadcast infrastructure such as RBDS/RDS (Radio Data
System)?

~~~
jedieaston
Apple's press release seemed to say that much of the functionality will be
pushed in the coming months via iOS updates (since the iPhone to iPhone
communication isn't exposed normally except for Find my iPhone). It's unlikely
that you'll need to install an app except to say you are infected.

Google could do a similar thing via a Google Play Services update (or, you
know, use this as the kick-in-the-pants to get manufacturers to start updating
Android to protect the public from COVID-19).

------
mrkramer
I'm worried about security implications of this technology.

First of all, how reliable will this technology be, since its results will or
can be used in courts?

Secondly, how will contact tracing logs be secured, since they can be stolen or
sniffed in real time?

I didn't read the technology documentation drafts, and I last used Bluetooth
on an old generation of phones way before smart phones, and I'm interested in how
long these tracing sessions will last, since you can map devices that have
bluetooth turned on in any given area (train stations, libraries etc.). You can do
something similar to Wardriving (en.wikipedia.org/wiki/Wardriving).

------
intrd
Lots of privacy issues... on the other hand, they've always done it under the
hood for decades, now doing for a greater good with opt-in/out looks ok.

~~~
eddieoz
Since it is verifiable (proof-of-consent) seems to be better.

------
xenospn
And now it will be up to the carriers to push out the Android update to the
end users. And we all know how well that's going to go.

~~~
nhf
It'll roll out through Google Play Services, not an OS update for Android.
[https://twitter.com/markgurman/status/1248667196722573312](https://twitter.com/markgurman/status/1248667196722573312)

------
haoc
Does this all depend on people's opt-in and self-report? What is the minimum
opt-in percentage to keep the system functional?

~~~
tastroder
That kind of depends, there is not a "this many or it fails / succeeds"
number. I believe Figure 3 in
[https://science.sciencemag.org/content/early/2020/04/09/scie...](https://science.sciencemag.org/content/early/2020/04/09/science.abb6936)
suggests a minimum of about 60%

------
szczepano
Ok, so it looks like the key to understanding is the flow diagram from ContactTracing-
BluetoothSpecification.pdf page 6, scanning: CFUserNotification "App would like
to access time and duration of your %d contacts. Approve?"

What it looks like is an application framework based on a system service. I hope
they won't start advertising iOS bluetooth all the time and only allow the
application to do it. In that case the application can be safely removed.

I am also concerned about cloud Diagnosis_Keys

------
briefcomment
That logo at the bottom gives me chills.

~~~
g4nt1
Imagine the merge

------
KCUOJJQJ
I don't want this functionality/software on my phone. Will it be possible not
to get it?

~~~
cmoscoso
I’m sure it will not work on my feature phone.

------
alexbanks
Is contact tracing technology categorically different from mass surveillance
technology?

~~~
mygo
If the individuals can’t be personally identified, yes.

~~~
dependenttypes
They always can.

~~~
nielsole
You could work with rotating anonymous uuids.

1. You log which uuids you see.

2. When someone is tested positively, you add the list of uuids you used to a
public list (run e.g. by the government)

3. Clients fetch updates to the list and compare it to the logged uuids and
alert the user if there is a match.

This way the government could not identify individuals, and individuals would
be in control.

~~~
pat2man
Yeah, that's pretty much how the spec works. But with key pairs instead of
UUIDs.

------
davelondon
I tweeted about exactly this last month. Great news!

[https://twitter.com/dbrophy/status/1241434641250299905](https://twitter.com/dbrophy/status/1241434641250299905)

~~~
davelondon
My thoughts at the time:

Close contact detection and alerts at the mobile OS level

We need to get better and faster at stopping the spread of infectious
diseases. Covid is already catastrophic. Next time R could be 5, and mortality
could be 5, 10 or 20%.

I believe we can use mobile technology to track close contact between
individuals, and alert at-risk individuals to potential infections. I believe
this could drastically reduce R and the impact of infectious diseases could be
substantially mitigated. Simulations should be able to determine the effective
reduction of R.

Apple and Google should work together to implement a worldwide close contact
logging framework. It will use bluetooth to track close contact encounters.
The architecture will be anonymised and encrypted to make it somewhat privacy
centric.

Obviously privacy zealots will make noises, but to save millions of lives and
economic disaster the general population could be convinced it's acceptable.

iOS and Android should have an always-on bluetooth scanner that logs the
bluetooth ID of nearby devices. If a device stays nearby for a certain amount
of time, a close contact is triggered. The severity of the close contact is
determined by the amount of time the devices were close together for, and
other bluetooth data. This is anonymised, encrypted and logged.

When an individual is diagnosed with an infectious disease, they activate a
feature in their phone which displays a QR code. The health professional has
an app that scans the QR code. The health professional will enter details
about the disease, and how far into the past the person was estimated to be
contagious.

Alternatively if the individual hasn't been tested or is unable to reach a
health professional, they can answer a set of questions about their symptoms
that will determine how likely they are to be infected. Obviously this method
of self diagnosis is less reliable so the framework will take this into
account when deciding who to deliver alerts to.

The system alerts people that have had close contact with the infected
individual, giving advice about local testing centers or self quarantine. The
system will be tuned to only notify the more severe close contacts as needed.
Data about available local testing capacity could be used to further refine
this tuning.

Problems:

* Privacy: how to make the data private / anonymous. Communication: how to convince the public that their data is private / anonymous?

* Power: Bluetooth on all the time - battery drain?

* Health professionals: how to make sure only health professionals can use the alert app, but also deploy worldwide without delays.

* Deployment: how to get this system onto all Android phones with such a fragmented ecosystem.

* Detection: how to most effectively determine infection risk from available bluetooth data.

* Tuning: too many alerts for low risk encounters and people will ignore them - tuning is needed.

~~~
applecrazy
> Power: Bluetooth on all the time - battery drain?

I doubt this is an issue anymore for modern devices. Things like smartwatches
connect via Bluetooth but still manage to keep the phone’s almost-all-day
battery life.

------
pkaye
Is this the approach that South Korea and Singapore used?

~~~
owenwil
Sort of, but not really: both of their apps were unable to track in the
background due to privacy restrictions. This partnership enables that at the
OS level, and will remove the need to download an additional app

------
foobarbazetc
[https://twitter.com/moxie/status/1248707315626201088?s=21](https://twitter.com/moxie/status/1248707315626201088?s=21)

------
clairity
we need to collectively take a step back and put this pandemic into proper
perspective so we don't fall for privacy and liberty erosions like this. the
panic is unproductive and dangerous to our civil rights.

for context, roughly 8000 people die per day in the US. the virus has killed 2
days worth of people in the US in the 80 days of _known_ infection, and
probably ~100 days of undiagnosed infection. so covid has killed 2% of the
expected number of dead. it's serious, but it's not the black plague, or even
the 1918 flu. and we're already seeing transmissions curb.

the virus overwhelmingly infects others in close and closed proximity with a
lot of cross-breathing going on. random airborne infections or surface
infections are likely small, certainly less than 10%, probably less than 1% of
infections.

so, you don't need to social distance outside unless the other person is
actively coughing/sneezing (or maybe singing/talking extra forcefully) in your
direction within 6 feet. you don't need a mask unless you are in close
proximity (less than 6 feet) to random other people for more than a couple
minutes at a time. grocery clerks, and other service workers in close
proximity to strangers, on the other hand, _should_ wear non-n95 masks (but
probably not gloves) during work. same with those who are often near folks
with comorbidities like age, auto-immune disease, diabetes, etc. medical
providers should wear n95 masks, gloves, gowns, and take many other
precautions that make no sense for the general public. you are not lowering
your risks in any perceptible way by doing so. allay your anxieties with those
basics, rather than looking to buy more toilet paper. it's enough, really.

the overwhelmingly most effective way to prevent transmission is to not breathe
in a sick person's exhaust. that's it. that's all we need to do. and yes, we
don't know everyone who's carrying the virus, so it makes sense to reasonably
physically distance in enclosed places like grocery stores. but not more than
that as you've already reduced risk to background noise with these basic
distancing rules.

contact tracing only makes sense when groups of strangers come into close
proximity. it doesn't need to track every single person you brush past on the
street. so for instance, you could just provide "contact tracing" with beacons
in stores rather than always-on phone tracing.

let's not lose our heads, and our rights, over this.

~~~
pow_ext
How can you know the names of the people with beacons in the stores?

~~~
clairity
you don't need to know the names, just that two bluetooth-enabled devices were
in close proximity in a given time window. you'd do all the processing on the
device to maximize privacy.

each device would record beacons (which could be fixed, active bluetooth
devices rather than just passive beacons) on entry and exit for relevant
locations (like grocery stores). you'd tell your device when you got symptoms
and give permission to upload the relevant location/time pairs (but no
personal id) in the last N days to a research database ( _not_ hosted by
google, amazon, ibm, and the like).

with user permission, other devices would subscribe to such data for a given
region(s), which would be downloaded periodically to the device. the device
would then determine if you've had any crossings with known location/time pairs
and alert the user.

no need to share extraneous personally identifying info with giant third-
parties and potentially with (hidden) state actors. this cuts apple and google
out of the data collection game, especially from making it part of the
underlying OS, which is particularly dangerous.

------
tanilama
About time, we need it now!

------
hprotagonist
it is just shockingly important that we come out of this _without_ a dystopian
nightmare of a surveillance state.

That Apple's involved in this is hopeful -- their earlier work on anonymizing
Maps.app directions is well worth thinking about here. tl;dr your route is
broken up into n chunks, each chunk gets a uuid that isn't tied to your
handset, and so serverside nobody knows where Bob's iPhone just asked to go.
[0]

Doing this kind of "differential privacy" or whatever we want to call it today
_properly_ is very hard, but it is also very, very important to get right.

[0] [https://www.idownloadblog.com/2019/03/13/apple-maps-navigati...](https://www.idownloadblog.com/2019/03/13/apple-maps-navigation-privacy/)

~~~
nerdjon
I am hoping that Apple being involved will keep this as privacy respecting as
it reasonably can be given what it is doing.

I am generally someone that takes privacy very seriously, I mostly avoid
Google products and others for this reason.

But... this may be a time that the privacy concerns are worth loosening a bit
for the good of this. But that comes with the caveat that I hope this is
disabled when this is all done, and preferably the code removed completely. I
trust Apple to do this, not sure if I would trust Google too.

~~~
JoshTriplett
> But... this may be a time that the privacy concerns are worth loosening a
> bit for the good of this. But that comes with the caveat that I hope this is
> disabled when this is all done, and preferably the code removed completely.

Any right you're willing to give up now, you've demonstrated a willingness to
give up. You won't get it back. Either it'll remain lost forever, or it'll be
used as evidence for a future proposal to take it away permanently (rhetoric:
you agreed to it for X, and _clearly_ any person who isn't morally bankrupt
values Y over merely X; you're not morally bankrupt are you? And the need for
Y will never go away...).

By all means, let's carefully give people tools to supplement their memory, to
help people voluntarily notify others who need to be tested. Let's not,
however, make that information available to anyone other than the owner of the
device.

~~~
ceejayoz
I don't understand this absolutist mindset. It doesn't _have_ to work this
way. We can have, say, the draft - an absolutely _whopping_ restriction on
civil liberties - during WWII but get rid of it when it's no longer needed.

~~~
JoshTriplett
We haven't gotten rid of it, it still exists. It just isn't being used right
now. Getting rid of it would be to abolish it entirely, and instead require
people to voluntarily consent in the future. (And if you can't get people to
agree to it, perhaps that should tell you something.) "needed" isn't even a
factor here.

An involuntary mechanism for contact or location tracing that's accessible to
governmental authorities without the consent of the user is a civil rights
violation, whether it's being actively used at the moment or not.

~~~
ceejayoz
> It just isn't being used right now.

The American public exercised their power to elect politicians who'd end the
draft as the Vietnam War got progressively more unpopular. It's well within
our powers, if we care enough.

~~~
JoshTriplett
Is it, in fact, "well within our powers", or do you just believe it is? I
don't, in general, believe "we could take this power away from government if
we wanted to" is true without an existence proof.

~~~
ceejayoz
> Is it, in fact, "well within our powers", or do you just believe it is?

Public opposition ended the Vietnam War and the draft. It would be political
suicide to reactivate it barring a full-scale world war.

------
mrfusion
I wish we’d just stick with flatten the curve and get on with our lives :-(

~~~
astrange
Won't work. Lockdowns are like trying to hold your breath for a year. You have
to give it up once most of the country is unemployed, or everyone will starve,
and eventually infections will be flattened but still not zero.

------
droithomme
So those of us without cell phones or with cell phones that we don't activate,
we can definitely opt out of the tracking and this will be respected forever
without exception through a constitutional privacy amendment, right?

Also we're all going to continue to be "allowed" to turn off bluetooth to save
on battery right? (Spoiler: no, the system only works if it's bluetooth on all
the time for everyone no exceptions even though bluetooth is absolute low
quality poorly engineered garbage as a technology.)

And those of us who are brainless and perfectly compliant sheeple obeying
everything the government and media tells us without questioning or rational
thought will be allowed to keep our old cell phones with the previous obsolete
bluetooth standards correct and not be forced to buy a very expensive brand
new phone we don't really need and can't afford, even though that severely
damages the ability of the powers that be to mitigate the latest crisis they
have intentionally created, right? (Ha ha ha.)

------
Geee
It's quite horrible if it becomes a standard API. What a gold mine it is for
ad business to be able to tell which groups of people are together. It can be
used to track 'idea spreading' as well.

~~~
azinman2
Of course it’s potentially rife with abusive power. And we need to make sure
that this is a very temporary thing (admittedly it’s hard to put the genie
back in the bottle). That said, you can’t advertise to the dead. There’s a
very real need here, and some governments are off doing this on their own
anyway. I do believe that at least Apple and Google combined can come up with
a solution that has some amount of privacy protection that a state actor would
never bother with themselves.

~~~
saagarjha
> admittedly it’s hard to put the genie back in the bottle

On iOS, entitlements?

~~~
azinman2
I meant that once this capability is out there, people will point to it and
say “see it can be done. Now do this, it’s law.”

------
ddmma
Wait what.. apple and google devices can ping over bluetooth? Clearly an
apocalypse sign

~~~
SlowRobotAhead
BLE works between iOS and Android, why wouldn’t it? It’s a standard 2.4GHz
radio protocol.

The thing created here is a standard BLE characteristic that says I’M PERSON X
and your phone is always looking for PEOPLE and recording when it sees them...
then uploading that to Google and Apple.

You can decide for yourself if a contact recording system could ever be
abused.

~~~
ddmma
Sorry for that but sharing files in between iOS or Android wasn’t possible,
that is my point

~~~
SlowRobotAhead
This contact tracing has nothing to do with “sharing files”.

~~~
ddmma
Please refer to the BlueTrace and iOS bluetooth issues, now Apple is willing
to open up .. [https://abe-winter.github.io/2020/04/10/leaky.html](https://abe-winter.github.io/2020/04/10/leaky.html)

~~~
SlowRobotAhead
Again... you seem to be confusing BLE and beacons (non-connectable advertising
packets) with “file transfer”.

------
riffic
I just can't _wait_ to see this being turned against us.

------
maxdo
All those actions look unprofessional and chaotic, why not use cellphone data,
surveillance needs to use their power, to track down cases and contacts. They're
doing that anyway, why not leverage that. Call it emergency whatever.

~~~
arrrg
Cellphone data is not precise enough.

------
superkuh
I have never carried a cell phone (smart or otherwise) in my life. I leave my
dumb phone at home or take the battery out. I hope that these tracking
bracelets which others voluntarily carry will not be forced and required in
the future.

------
guscost
It’s odd that the folks picking this apart looking for surveillance risks
don’t seem to be one-tenth as bothered by Facebook censoring wackos (and
indeed anyone determined to be guilty of wrong-thinking), or you know, _the
government literally arresting people for leaving their houses_.

~~~
nielsole
This is a fallacy. You don't know how people commenting on this thread think
about other topics. Just because there are worse (apparently to you) things
happening, doesn't mean you can't be critical of contact tracing.

~~~
guscost
I guess so, but you gotta pick your battles!

------
ck2
We learned so little after 9/11, we still live with TSA security-theater
nightmare to this day (ironically now spreading covid19 with their groping and
concentrating crowds into small spaces)

So now this nightmare is going to give historical tracking data to government
entities without warrants forever.

And Barr is going to get encryption backdoors with his theater.

How about just making a test that costs a few cents in million quantities that
you can take at home. It won't be the last time we need that tech for a virus.

------
billions
I built
[https://sneezemap.com/?zone=eyJjZW50ZXIiOlszNi4zODU5MTI3NzI4...](https://sneezemap.com/?zone=eyJjZW50ZXIiOlszNi4zODU5MTI3NzI4..).
- a crowdsourced Covid-19 symptoms tracker & forecasting system with over
15000 participants. 100% anonymous from day 1.

------
tengbretson
For the last 4 years I've read a constant stream of articles about how "This
will be the end of our democracy", "Democracy is under threat!", etc.

If we as a society agree to ubiquitous, mandatory location tracking and a
complete suspension of the right to assembly in response to this virus then we
never deserved a democracy in the first place.

~~~
CubsFan1060
Did you read about it? This isn't that.

~~~
tengbretson
What part? Deriving location from contact tracing is trivial. The fact that
it's being discussed as opt-in? If participating in society requires that you
"opt-in" then what about it is _really_ opt-in?

~~~
CubsFan1060
The part about how it works. Once you've read that (here's a link:
[https://covid19-static.cdn-apple.com/applications/covid19/cu...](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ContactTracing-CryptographySpecification.pdf)) Can you describe to
me how you'd track individuals with it?

~~~
tengbretson
For starters, I would assume that most people's daily rotating keys could
easily be fingerprinted based on identifiable patterns of movement that could
be picked up by any number of municipal devices people come into contact with
throughout the day.

In order for contact tracing to work as advertised, each person's device has
to keep a log of daily ids that they contacted that has a TTL of at least a
few weeks. That means that whenever a law breaker gets arrested, law
enforcement would be able to confiscate their device and be able to construct
a list of everyone that they've been in contact with in the last few weeks.

~~~
tastroder
The Daily Tracing Key cannot be "easily fingerprinted" since it does not leave
the device (see page 5). Your LE threat model seems like grasping at straws,
the majority of users already have location services enabled anyway, people
breaking the law would have to change exactly nothing from the common practice
of not bringing your phone when committing crimes.

~~~
tengbretson
I misspoke. I meant to say the rolling proximity identifier could be tracked
and fingerprinted.

Furthermore, it's _not_ the same as a phone's location implicating you in a
crime. It's a persistent log of your in-person social network that can be
reverse engineered every time you get arrested or go through customs at the
airport.

~~~
tastroder
The rolling proximity identifier is short-lived and put through a
non-reversible cryptographic hash function to prevent exactly that, same page.
You're not going through airports in a pandemic, after which you can uninstall
whatever app you're using in this crisis.
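The key schedule the two commenters above are arguing over, as an added example that is not code from this thread or from Apple/Google: a toy re-implementation of the v1.0 Contact Tracing derivation as I read the linked spec (Tracing Key -> Daily Tracing Key via HKDF -> Rolling Proximity Identifier via truncated HMAC-SHA256), with on-device matching against a published DTK. The labels "CT-DTK"/"CT-RPI", the 16-byte truncation and the little-endian encoding of the day number and time-interval number are assumptions of this example, and the scenario data is constructed.

```python
import hashlib
import hmac
import secrets

DAY = 24 * 60 * 60
TIN_WINDOW = 10 * 60  # a fresh Rolling Proximity Identifier every 10 minutes


def hkdf_sha256(ikm, info, length, salt=b""):
    """RFC 5869 HKDF-SHA256 (extract + expand), enough for 16-byte outputs."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def daily_tracing_key(tracing_key, day_number):
    """dtk_i = HKDF(tk, NULL, "CT-DTK" || D_i, 16). Encoding D_i as 4-byte LE is an assumption."""
    return hkdf_sha256(tracing_key, b"CT-DTK" + day_number.to_bytes(4, "little"), 16)


def rolling_proximity_id(dtk, tin):
    """RPI_{i,j} = Truncate(HMAC-SHA256(dtk_i, "CT-RPI" || TIN_j), 16): the value broadcast over BLE."""
    mac = hmac.new(dtk, b"CT-RPI" + tin.to_bytes(4, "little"), hashlib.sha256).digest()
    return mac[:16]


def rpis_for_day(dtk):
    """All 144 identifiers one device broadcasts in a day, regenerable from the DTK alone."""
    return {rolling_proximity_id(dtk, tin) for tin in range(DAY // TIN_WINDOW)}


def matches(observed_log, published_dtks):
    """On-device matching: a published (day, DTK) pair hits only if one of its RPIs
    is in the local log of RPIs heard over the air. Returns the matching day numbers."""
    return [day for day, dtk in published_dtks if rpis_for_day(dtk) & observed_log]


def demo():
    """Constructed scenario: Alice broadcasts, Bob logs; Alice later reports positive."""
    alice_tk = secrets.token_bytes(32)                 # 32-byte Tracing Key, never leaves Alice's phone
    day = 18362                                        # constructed day number
    alice_dtk = daily_tracing_key(alice_tk, day)
    bob_log = {rolling_proximity_id(alice_dtk, 50)}    # one 10-minute window in range of Alice
    bob_log |= {secrets.token_bytes(16) for _ in range(20)}   # unrelated passers-by, constructed
    published = [(d, daily_tracing_key(alice_tk, d)) for d in (day - 1, day)]
    return {
        "matched_days": matches(bob_log, published),
        "rpis_per_day": len(rpis_for_day(alice_dtk)),
        "days_unlinkable": daily_tracing_key(alice_tk, day + 1) != alice_dtk,
    }
```

Bob's log holds only 16-byte MAC outputs, so nothing in it links to Alice until she chooses to publish a DTK, and then only that day's 144 RPIs become matchable.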

------
aazaa
Why is this API even necessary? Isn't every individual with a smart phone
already tracked de facto?

Why add a technological fig-leaf to what is by now a deplorable privacy
situation? Just roll with it, change whatever laws need to be changed, and be
done with it. The data collection capabilities already exist to do contact
tracing, it seems.

------
buboard
Why is this needed? and why would i sign up for it, esp. knowing how much
they both know about me already? The text doesn't tell us why contact tracing
is important.

- Did contact tracing apps really save anything in singapore/taiwan/israel?

- Is sweden really doing that bad without this kind of surveillance?

- What is tracing going to help anyway? it will warn people to go to the
hospital early? To do what? there is no cure and they'd better stay away
from infection nests like hospitals anyway. It's not like people don't get
symptoms days before they need hospitalization

- Is tracing really going to be workable? this is a highly infectious virus,
and people networks have very short path length, which means that, without
social distancing, 100% of the people will get notified that they might have
been infected in any day

- This data does not need to reach anyone's servers. Infected people could
just publicly and anonymously upload their location in a public server for
other users to crosscheck. The less data are hidden behind walls, the less
chance of abuse.

Even if tracing might slow down the curve, this slowdown shouldn't last forever
and it should be targeted, not anonymous. It is important that the spread
speeds up in the parts of the population that carry less risk (children,
women). There is really no good way to do that other than specific, local
measures of SD.

It would be very different if these phones had a thermometer, but i think some
regulator removed them.

