
The Italian Covid contact-tracing app is now developed in open source - giovannibajo1
https://github.com/immuni-app/immuni-documentation
======
giovannibajo1
This shows the application and gives an overview of how the product works for
the citizen: [https://github.com/immuni-app/immuni-
documentation/blob/mast...](https://github.com/immuni-app/immuni-
documentation/blob/master/Product%20Description.md)

This the main technical documentation document: [https://github.com/immuni-
app/immuni-documentation/blob/mast...](https://github.com/immuni-app/immuni-
documentation/blob/master/Technology%20Description.md)

All the documentation is here: [https://github.com/immuni-app/immuni-
documentation](https://github.com/immuni-app/immuni-documentation)

~~~
lultimouomo
I have looked a bit at the documentation (not the code yet) and I have to say
that I am pleasantly surprised.

They seem to be doing this right, including an attention to the
reproducibility of the builds, which IMO is of utter importance in such a
sensitive app:

[https://github.com/immuni-app/immuni-
documentation/blob/mast...](https://github.com/immuni-app/immuni-
documentation/blob/master/Technology%20Description.md#reproducible-builds)

(long story short: Android builds are substantially reproducible, iOS are not
because there doesn't seem to be a way to achieve that. They are doing the
best they can.)

~~~
NSMyself
Bending Spoons are top notch. Super glad they're the ones handling this

------
bwblabs
Summary of all European (EU+) apps initiatives: [https://github.com/ct-
report/summary](https://github.com/ct-report/summary)

~~~
contravariant
Maybe a bit of a weird question, but does anyone know why there isn't just a
single EU-wide effort? Or is it just politics as usual?

~~~
riffraff
there was an attempt at initial coordination around the DP-3T and PEPP-PT
working groups to get a single shared protocol, but that fell apart, while at
the same time many countries decided to go different ways.

Timing was relevant, plus different countries also have different regulations
that make specific implementations possible or not.

In the middle of this Google and Apple announced their contract tracing
framework so some switched once more.

This can be seen clearly in the documents that the italian governmental task
force submitted when evaluating the various apps: proponents suggested home
grown protocols, reusing existing apps, or deferred to PEPP-PT or DP-3T.

Even the Immuni app which won the selection was supposed to use PEPP-PT, but
then switched to the Google/Apple CTF.

------
Mvandenbergh
Interesting. I am curious to see how well it works. The UK (which is
developing two apps in parallel, one based on the Google/Apple API and one
based on a proprietary protocol similar to PEPP-PT) has found in a large scale
trial that though the technology worked relatively well, people did not
respond well to being told to isolate by an app.

It would be ironic if after weeks of passionate arguments on HN and other
places about the technology and about finding the right balance between
efficacy and privacy, the whole thing fails because people don't like the
principle.

~~~
mcintyre1994
Where are you getting information about the UK trial? I don't think I've heard
the finding you said from ministers, they just seem to say it's all great and
refuse to engage on it. I don't think they've even admitted developing the
second app actually.

~~~
Mvandenbergh
The second app we know because there was a work-order modification posted
publicly a while ago instructing their app developers to develop a second app
as well. You're right that ministers have never formally acknowledged that
they are doing it. I do not understand this but then I am from the: people
will accept 100x as much incompetence as deceit school of communication and
they are not.

The other information comes from Lord Bethel's house of lords testimony and
also from this blog: [https://www.ncsc.gov.uk/blog-post/nhs-covid-19-app-
security-...](https://www.ncsc.gov.uk/blog-post/nhs-covid-19-app-security-two-
weeks-on) and things linked to from it.

------
nautical
Some other countries recently took same path, relevant discussion here :

1) Singapore :
[https://news.ycombinator.com/item?id=22702701](https://news.ycombinator.com/item?id=22702701)

2) India :
[https://news.ycombinator.com/item?id=23311298](https://news.ycombinator.com/item?id=23311298)

3) Germany :
[https://news.ycombinator.com/item?id=23376682](https://news.ycombinator.com/item?id=23376682)
( no discussion, link to repository )

4) France :
[https://news.ycombinator.com/item?id=23321137](https://news.ycombinator.com/item?id=23321137)

~~~
fomine3
Japan: An open source community built a contact tracing app but the government
doesn't adopt the app and building different app. I expect the app won't be
open sourced.

[https://github.com/mamori-i-japan/mamori-i-japan-
ios](https://github.com/mamori-i-japan/mamori-i-japan-ios)

~~~
glandium
It's not entirely clear what's going to happen with the source of that
governmental app, but at least, it's mentioned in
[https://cio.go.jp/sites/default/files/uploads/documents/tech...](https://cio.go.jp/sites/default/files/uploads/documents/techteam_20200526_01.pdf)
(last page)

~~~
fomine3
Oh, I haven't read the sentence. thanks.

------
etqwzutewzu
Switzerland's app is opensource.

[https://github.com/DP-3T](https://github.com/DP-3T)

~~~
ubanholzer
All Repositories:

Android repository: [https://github.com/DP-3T/dp3t-app-android-
ch](https://github.com/DP-3T/dp3t-app-android-ch)

iOS repository: [https://github.com/DP-3T/dp3t-app-ios-
ch](https://github.com/DP-3T/dp3t-app-ios-ch)

Covidcode Frontend: [https://github.com/admin-ch/CovidCode-
UI](https://github.com/admin-ch/CovidCode-UI)

App backend: [https://github.com/DP-3T/dp3t-sdk-
backend](https://github.com/DP-3T/dp3t-sdk-backend)

App config backend: [https://github.com/DP-3T/dp3t-config-backend-
ch](https://github.com/DP-3T/dp3t-config-backend-ch)

Covidcode backend: [https://github.com/admin-ch/CovidCode-
Service](https://github.com/admin-ch/CovidCode-Service)

------
isseu
What happened to the US Apple/Google app?

~~~
rootusrootus
The API is supposed to be available once 13.5 goes live (and it is available
in public beta now, I believe). Here is a list of states who are participating
with compatible apps: [https://9to5mac.com/2020/05/21/covid-19-exposure-
notificatio...](https://9to5mac.com/2020/05/21/covid-19-exposure-notification-
api-states/)

TL;DR: Hardly any.

Edit: Whoops, I am out of date, I thought 13.5 was not out yet! Apparently it
is, and then some.

~~~
Nas808
13.5 went live on May 20. They just released 13.5.1 yesterday to patch the
unc0ver jailbreak.

[https://support.apple.com/en-us/HT211214](https://support.apple.com/en-
us/HT211214)

~~~
rootusrootus
Ah my bad, thanks for the correction. I'm still at 13.4 and I haven't been
overtly refusing upgrade notifications, so I thought it hadn't been released
yet.

------
flurdy
> and it is released under a GNU Affero General Public License version 3.

AGPL for these apps is probably a good match.

------
jlokier
Last I read the UK intends to centrally retain proximity-contact data for 20
years. Rather than deleting when it is decided it's no longer needed to deal
with the pandemic.

The UK has also refused to legally commit to not sharing the data with other
government departments such as the Home Office (immigration and policing) and
DWP (benefits).

So much for data protection and obtaining data for a designated purpose.
Whatever happened to the GDPR.

I know enough people that will be inappropriately harmed by this sort of data,
whether it is used against them directly or not (it's still a miserable life
living in constant fear of "doing something wrong", which now includes "being
somewhere you shouldn't be" or "being near someone you shouldn't be"), that
I'm firmly against this sort of surveillance state expansion, and firmly in
favour of data protection.

As it stands currently I will not install the UK app, and I advise all my
friends to steer well clear of it as well.

-

(If they meaningfully improve data protection then I'll change my mind and be
all in. E.g. the Google-Apple approach and zero-knowledge methods are enough
for me. If epidemiologists and public health would find data useful, let's use
some differential privacy. I'm not against data collection done properly in
such a way that actually protects people.)

~~~
fatline
> Last I read the UK intends to centrally retain proximity-contact data for 20
> years. Rather than deleting when it is decided it's no longer needed to deal
> with the pandemic. The UK has also refused to legally commit to not sharing
> the data with other government departments such as the Home Office
> (immigration and policing) and DWP (benefits).

that's scary..

any chance you can share the references for these?

~~~
mattsouth
One reference: [https://www.theguardian.com/world/2020/may/31/privacy-
campai...](https://www.theguardian.com/world/2020/may/31/privacy-campaigners-
prepare-legal-challenge-to-uks-test-and-trace-scheme)

------
zubairq
Finland has an open source fever tracking system too Fevermap at
[https://fevermap.net/](https://fevermap.net/)

------
MrDresden
Iceland:
[https://github.com/aranja/rakning-c19-app](https://github.com/aranja/rakning-c19-app)

------
tomatocracy
Good to see they have open sourced the full backend/server code (including
analytics code) as well as the client.

The UK has open sourced only the clients source code from what I can tell.
This comes on top of the initial refusal to use the Google/Apple API and some
downright awful data retention and privacy control policies. What a contrast.

------
Fire-Dragon-DoL
I'm surprised and pleased to see this app being developed properly.

When I was working in Italy, the state of software development was terrible.
It looks like now there are great developers too.

------
slynn12
This is a great tool for Italy. It's too bad the US government can't step up
their game with contact tracing -- we could really use something like this
right now.

------
evolve2k
Has anyone done an analysis of the various open source government contract
tracing app? I’d love to read some tear down/code review articles on what each
country has released.

~~~
evolve2k
Australia’s code is also open source.

[https://github.com/AU-COVIDSafe](https://github.com/AU-COVIDSafe)

~~~
giovannibajo1
It's not under an open source license, though. Any idea why?

~~~
askvictor
Because lawyers and a secretive, untrusting government.

Interestingly, much of the code is forked from Singapore's OpenTrace
initiative, which is GPL3, so Australia's app is most likely a copyright
violation. Whether anyone will take action is another story.

~~~
ShinTakuya
As far as I'm aware, the Australian government got permission from Singapore
to make the fork in that way, so as long Singapore didn't accept external
contributions (or if they did, under a contributor's agreement) then they're
in the clear. GPL doesn't automatically make it impossible to copy code under
other licenses. You can license code out in multiple ways. GPL is just the
default license that can be used without explicit permission.

~~~
askvictor
Thanks for the info, though I would have imagined that the government, which
already has a trust deficit, might have mentioned this somewhere.

~~~
ShinTakuya
I feel like they did, but a quick Google can't turn it up - strange. But I
agree they could have been more clear about it. Just one of many issues with
how they've handled this situation.

------
unstatusthequo
These will fail. 1) Not accurate enough; 2) Don’t account for walls/floors; 3)
Will have low adoption where anything less than full adoption means fail; 4)
can’t account for actually having a virus.

False positives and false negatives combined with lack of rapid result testing
will also make this useless. This is why Google and Apple looked around the
room and slowly tiptoed away.

Then we have the GDPR. Beat of luck making sure you’re compliant.

Just don’t. Humans do a better job with contact tracing. Not everything needs
to be hit over the head with a technology cudgel.

~~~
Fragoel2
I don't think these apps will be a success either but Immuni (the Italian
contact tracing app) had more than 500k downloads in a single day on iOS and
it's still in testing regime, available only in 4 regions out of 20

~~~
grabball
Is available for download in the whole country, not only the 4 testing regions

~~~
riffraff
just for completeness: it's even available abroad, though that probably
doesn't impact the numbers much.

------
riffic
Stop building tools to enable fascists. Has anyone not learned the lessons of
history?

~~~
scarlac
I would encourage you to read up on the technology behind it. It was intended
to be anonymous to such an extend that some governments went out and said they
wouldn't use it because of the lack of tracking. The methodology has also been
laid out quite extensively, and it's an opt-in approach.

~~~
riffic
It's not about tracking locations, it's about tracking social connections. I'm
a skeptic it won't see abuses.

~~~
devilmoon
How can it track social connections when the codes are anonymous by default
and can be deanonymized only with an OTP code you generate yourself?

~~~
jlokier
If lots of people are pressured to deanonymize, which they are in this case
(it's your civic duty!), that's not a very strong system because a lot can be
inferred from "gaps" between people that you are linked to in other contexts.

Just like I can avoid using Facebook but they can still, in principle, keep a
shadow profile with lots of details about my life, inferred by putting
together knowledge from other people. Just like when I joined LinkedIn it
already knew who I knew, without me entering anything except my name and email
address (that was spooky, I didn't give it contacts or anything). Just like
Google knows your personal interests, even if you delete all cookies at the
end of every browsing session.

------
ed25519FUUU
Honestly Covid tracing seems fairly moot at this point. With tens of thousands
of people marching in the streets every night, aren’t we all basically exposed
if we’re part of _any_ network?

~~~
gregwebs
Contact tracing is exactly the kind of tool that would help track outbreaks
from protests. Unfortunately in the US we have almost no contact tracing going
on.

It is unclear how bad the spread from protests will be since protesters are
outside and often wear masks, and the density of protesters can vary greatly.
I haven't read of documented super spreader events that occurred exclusively
outdoors, it would be great science to track the spread due to protests.

~~~
usaar333
* no mobile contact tracing - lots of actual.

I'm not sure how much the mobile protocols would even help in protests. Don't
you need proximity with someone for 30 minutes or so to be tagged a contact?

~~~
crushthecurve
If there was a mobile contact tracing app that used AGPS with accuracy down to
~1m _maybe_ it would be useful?

Existing contact tracing apps use Bluetooth which can't be used to determine
proximity with any reliability - solid objects (particularly human bodies)
absorb significant signal.

Unless all protestors were holding their phones up high for unimpeded line-of-
site connections then even protestors next to each other could 'appear' 20-30m
away.

In most cases (especially in a protest situation) all Bluetooth-based contact
tracing apps can tell you is that two devices are in Bluetooth range (so
accuracy of ~30m?).

