
Review of New Apple and Google Contact Tracing Protocol - evger
https://medium.com/@OpenTrace/review-of-new-apple-and-google-contact-tracing-protocol-7696c9203967
======
acqq
Documentation on the Apple site:

[https://developer.apple.com/documentation/exposurenotificati...](https://developer.apple.com/documentation/exposurenotification)

[https://www.apple.com/covid19/contacttracing/](https://www.apple.com/covid19/contacttracing/)

Exposure Notification - Cryptography Specification v1.2:

[https://covid19-static.cdn-apple.com/applications/covid19/cu...](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotification-CryptographySpecificationv1.2.pdf)

The revision history of Cryptography Specification:

v1.2 - April 29, 2020

• Renamed EKRollingPeriod to TEKRollingPeriod.

• Renamed Associated Metadata Encryption Keys to Associated Encrypted Metadata
Keys.

• Made grammatical corrections.

v1.1 - April 23, 2020

• Renamed “Contact Tracing” to “Exposure Notification” throughout the
document.

• Temporary Exposure Keys (previously known as Daily Tracing Keys) are now
randomly generated and no longer derived.

• AES is now used instead of HMAC<SHA256> for improved performance.

• Encryption of associated metadata is now provided.

• Reformatted the title page and table of contents for consistency across
documents.

------
nexuist
One of the interesting side effects of this is what happens after the pandemic
is over but the technology is still implemented. What other things could be
worth tracking?

I once did a hackathon where we used ShotSpotter to generate an array of house
addresses that should be prioritized after a shooting occurs. The idea was to
connect students and parents who witnessed gun violence with community
resources (i.e. not just the cops) that could provide guidance and therapy.
This same protocol could be adapted to notify everyone "exposed" to the
shooter's phone and provide those resources on the fly.

One other semi-dystopian possibility is using the protocol to apprehend
criminals. Most people would not accept real-time location tracking by the
government, and so such functionality is out of the question (or at least not
publicly available to the majority of citizens, local LEO included). However,
what if the police could go to Apple and Google and ask them to "blacklist"
your phone, so that everyone around you gets a notification with your
description, alleged crime, and cash reward? Your phone becomes a walking
WANTED poster. And of course, they'd start with AMBER alerts first, and maybe
work their way down to trespassing and petty theft. Which is not to say that
this world would be far worse off than it is now, but it will be different.

~~~
mikro2nd
In the semi-dystopian scenario: Supposing I'd committed some crime likely to
attract that level of tracking/response... How long do you think I'd actually
walk around with that phone? Or would I be more likely to dump it/leave it in
some random taxi?

Going further, how many ways can we come up with to use this as a way of
swatting someone else?

nth-order consequences matter.

~~~
nexuist
> How long do you think I'd actually walk around with that phone?

Sure, you could also just turn the phone off completely. The problem is that
you'll need a phone eventually, and buying a new one would be a no-no if the
Feds are watching your bank account (which is more or less accepted practice
at this point). Even if you manage to secretly get a new phone, all it takes
is one person to report you to burn that one too. Having a cyber-warrant out
for your arrest effectively bans you from owning any smartphone ever again.

~~~
mikro2nd
I'm more entertained by the notion of having the LE chase after some car
performing a random-walk around the countryside... :)

------
evger
On April 24th 2020 Apple & Google announced a new version of the Apple &
Google Contact Tracing Protocol which they programmed in a joint effort. Now
it’s to be called “Exposure Notification Technology”, since this name better
describes the nature of the protocol. On 29th of April Apple released the
first iOS 13.5 beta implementation of the protocol. This beta version targets
developers for API testing and collecting feedback. The access to the API will
be limited to apps authorised by public health authorities. This update is a
reaction to the criticism (most of which was baseless) as well as several
technical changes implemented in versions 1.1 and 1.2 of this protocol. We are
going to discuss these changes in this article.

------
anon946
One possible deficiency is that the time of the possible exposure is not
revealed, which may make it hard for manual vetting. Only the date is
revealed.

Regardless, the fact that no location is revealed will make it hard for manual
resolution of false positives. On the other hand, if location was revealed,
likely fewer people would opt-in, so there are both advantages and
disadvantages of not using location at all.

~~~
rubatuga
I'm not sure if you understand, but your phone keeps a record of when it
encountered other users who were infected, and the time of contact as well.
If another user becomes sick, we can assume they were contagious for the whole
day.

~~~
anon946
I mean when the exposure occurred. I reviewed the API, and it seems that it
only gives the date. So, if we want to try to manually vet false positives,
such as through drywall, etc., it may be harder.

------
jedberg
It seems to me one attack vector that they aren't accounting for is the person
who maliciously uploads a fake positive diagnosis, causing unnecessary panic
and possibly wasteful extra testing.

I guess it's possible to mitigate this attack through controls in the app that
reports, but that doesn't stop a rogue developer using a test app, unless even
they are prevented from accessing the APIs without approval.

~~~
m3kw9
That is why this protocol is only allowed to be used by local official
governments where they would have access to test data; each person needs to
add an id to declare themselves pos and is matched against the Covid test db.

~~~
jedberg
I think people are missing my point.

Sure you can't publish an app that does this, but unless I'm mistaken, you can
access any API you want in your own dev setup, or on a jailbroken phone.

What stops a malicious actor from triggering the API in a dev or jailbroken
environment?

~~~
varenc
> What stops a malicious actor from triggering the API in a dev or jailbroken
> environment?

Server side authentication stops this.

Sure a jailbroken device can call whatever local APIs they want, but to have a
non-local effect you have to update some centralized server where the list of
infected keys/users is stored for downloading by other devices. Given that,
it's straightforward for the server to require some admin-level credential
specific to their service.

The source of truth for covid-19 positive devices/keys is still centralized
and gatekept by each state/national agency's contact tracing service. (But
identity/location info isn't centralized)
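
A minimal sketch of the server-side gate described in this reply, added here as an illustration and not taken from the thread or from any real key server. The `KeyServer` class, `issue_code` helper, code format and secret are hypothetical; the point is that keys reach the published list only with a credential the health authority issued, and only once.

```python
import hashlib
import hmac


def issue_code(authority_secret, test_id):
    """Hypothetical lab-side step: issue a code after a confirmed positive."""
    code = f"case-{test_id}"
    tag = hmac.new(authority_secret, code.encode(), hashlib.sha256).hexdigest()
    return code, tag


class KeyServer:
    """Hypothetical diagnosis-key server run by a health authority."""

    def __init__(self, authority_secret):
        self._secret = authority_secret   # never shipped inside the app
        self._used_codes = set()
        self.published_keys = []          # the list other devices download

    def upload(self, code, tag, daily_keys):
        """Publish keys only for a valid, unused verification code."""
        expected = hmac.new(self._secret, code.encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison of the presented tag with the expected one.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "rejected: bad verification code"
        if code in self._used_codes:
            return "rejected: code already used"
        self._used_codes.add(code)
        self.published_keys.extend(daily_keys)
        return "accepted"


def demo():
    # Constructed sample values throughout.
    secret = b"constructed-authority-secret"
    server = KeyServer(secret)
    code, tag = issue_code(secret, 4711)
    # A client that can call any local API still lacks a valid tag.
    forged = server.upload("case-9999", "00" * 32, [b"fake-key"])
    genuine = server.upload(code, tag, [b"k" * 16])
    replay = server.upload(code, tag, [b"other-key"])
    return forged, genuine, replay, server.published_keys
```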

------
andrewgleave
I can easily see specific hardware being included in future devices to support
improved contact tracing – especially if COVID-19 becomes endemic. That could
be new low-power proximity detection hardware, or extensions to BTLE protocol
and hardware.

Also likely this gets baked-in with a vendor app (like Apple's Health) and not
rely on 3rd parties if it's going to be part of life for the foreseeable. Maybe
opt-in like the "Emergency Alerts" notification functionality?

------
starik36
Is this API opt in or opt out by the user of the device? Or does the app
installed by the user determine that?

It's not clear at all from the write up.

~~~
comex
> Each user will have to make an explicit choice to turn on the technology. It
> can also be turned off by the user at any time.

[https://covid19-static.cdn-apple.com/applications/covid19/cu...](https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotification-FAQv1.1.pdf)

------
snoopt
Would it be available for the public testing or just developers?

~~~
RandallBrown
Apple and Google aren't making an app, just a framework apps can use to do
contact tracing and exposure notifications.

You'll need to wait for your local health jurisdiction to make their official
app.

I also remember reading something about Apple and Google only allowing 1 app
per country (or more with special permission, I'm guessing 1 app per US state
or something like that)

~~~
dhosek
Yes, in the US, it will be one per state (assuming that there isn't some state
that thinks that this sort of thing should be handled by county or municipal
health departments). One hopes that there won't actually be fifty separately
developed codebases, but that states will pool resources and share the cost
and effort of developing apps. If only there were some sort of governmental
entity at a level above the states to coordinate these things.

~~~
jedberg
My guess is that the western compact states will share an app, and the eastern
compact will share an app, or possibly even coordinate on a single app.

At that point one app will cover 1/2 the US population, and there is a good
chance many other states would just adopt that one app.

But you're right, it would be nice if there were some authority one level up
that could coordinate this.

~~~
selectodude
The US has turned into a broken version of the EU.

------
ngz00
Am I misunderstanding this? My phone would broadcast a daily unique key that
could theoretically be used to track my location?

~~~
aiiane
No, the daily key is not broadcast; instead it's used to generate a series of
rolling identifiers to broadcast. The rolling identifiers change much more
frequently. The daily keys don't leave the device until/unless filing a
positive diagnosis report.
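
An added sketch of the scheme described in this reply (not code from the thread, Apple or Google): the daily key stays on the device, a fresh identifier is derived for each 10-minute interval number, and an observer can link identifiers only after the daily key is published. The derivation labels follow the v1.2 specification, but its final AES-128 step is replaced here by truncated HMAC-SHA256 so the example needs only the standard library; the keys and times are constructed.

```python
import hashlib
import hmac
import os
import struct

INTERVAL_SECONDS = 600      # identifiers are numbered in 10-minute intervals
ROLLING_PERIOD = 144        # TEKRollingPeriod: 144 intervals = one day


def interval_number(unix_time):
    """ENIntervalNumber: count of 10-minute windows since the Unix epoch."""
    return unix_time // INTERVAL_SECONDS


def hkdf_sha256(key, info, length=16):
    """Single-block HKDF (RFC 5869) with an all-zero salt, length <= 32."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def rolling_identifier(daily_key, interval):
    """16-byte identifier broadcast during one interval.

    Stand-in: the v1.2 spec encrypts the padded block with AES-128 under
    the derived key; HMAC-SHA256 truncated to 16 bytes is used here so the
    example needs only the standard library.
    """
    rpik = hkdf_sha256(daily_key, b"EN-RPIK")
    padded = b"EN-RPI" + b"\x00" * 6 + struct.pack("<I", interval)
    return hmac.new(rpik, padded, hashlib.sha256).digest()[:16]


def match_exposures(published, heard):
    """Re-derive every identifier for each published (key, start_interval)
    pair and return the intervals at which one was heard locally."""
    hits = []
    for daily_key, start in published:
        for interval in range(start, start + ROLLING_PERIOD):
            if rolling_identifier(daily_key, interval) in heard:
                hits.append(interval)
    return hits


def demo():
    # Constructed sample: one diagnosed device, one bystander, one observer.
    day_start = interval_number(1588291200)          # 2020-05-01 00:00 UTC
    alice_key, bob_key = os.urandom(16), os.urandom(16)
    heard = {rolling_identifier(alice_key, day_start + 50),
             rolling_identifier(alice_key, day_start + 51),
             rolling_identifier(bob_key, day_start + 50)}
    # Only Alice reports, so only her daily key is published.
    return match_exposures([(alice_key, day_start)], heard), day_start
```

The observer learns which intervals matched Alice's key; Bob's identifier stays an unlinkable 16-byte value because his daily key was never published.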

~~~
xiphias2
As we know from the Bitcoin wallet problems, generating a random private key and
verifying that it's random is an extremely hard problem. For this reason I
wouldn't use any contact tracing app that is not open source.

~~~
rubatuga
You should be happy to know that it's opt in

------
cwhiz
This has absolutely no chance of working in the US.

Imagine you go into an average grocery store with 100 average Americans. What
percentage of people in that store have this app on a phone in their pocket?

20% of Americans don’t even own a smartphone. Some non-zero percentage have
old phones that won’t work, keep their phones at home, don’t use Bluetooth,
don’t know what Bluetooth is, don’t want to use this, don’t trust this, and on
and on and on.

In Singapore that grocery store would have had approximately 20 contact
tracing app users and 80 non users.

The end result of this will be....

1. No confidence that when you receive an alert that you were actually in
contact with someone who had Covid. Could have been a troll, someone in a car
next to you, a neighboring apartment, etc.

2. No confidence that you weren’t in contact with someone who had Covid.

The end result for every user will be the same ambiguity we live with now.

We need human contact tracing with real, trained, people making phone calls to
other real people based on actual diagnoses of Covid. Not some Silicon Valley
pipe dream waste of time that unnecessarily gives people a false sense of
hope. This contact tracing app idea will NEVER work in the US.

~~~
bhupy
> 20% of Americans don’t even own a smartphone.

20% of Americans are children. According to most recent estimates, there are
270.66 MM smartphone users in the US — roughly 82%[1]. Assuming that literal
toddlers and poor teenagers do not have smartphones, the vast majority (easily
90+%) of American adults are smartphone users.

You also only need ~60% of contacts for contact tracing to be effective [2].

[1] [https://internetinnovation.org/general/research-peek-of-the-...](https://internetinnovation.org/general/research-peek-of-the-week-smartphone-users-in-the-us-expected-to-reach-over-270-million-by-2020/)

[2]
[https://science.sciencemag.org/content/368/6491/eabb6936](https://science.sciencemag.org/content/368/6491/eabb6936)

~~~
cwhiz
You used the 2022 number for your calculation. The estimated number for 2020
is 257 million and we can assume that is an EOY number so the actual number
would be somewhere between 248M and 257M. If we assume absolute linear growth
from 2019 the number as of today would be around 251 million.

That's out of ~330 million US citizens for a rate of ~76%. Toddlers, children,
and poor teenagers are people that also exist and can be in a grocery store as
asymptomatic carriers of coronavirus. I was generous and went with 80%.

Your second link is just a study that suggests contact tracing COULD work. But
the fact that something could work in theory doesn't mean it will work in
practice. I don't know where you got your 60% number from because that number
isn't mentioned in that study. I don't think it matters anyway because we
won't get anywhere near 60%.

Singapore tried this idea and they made it voluntary just like it is being
made voluntary in the US. 20-25% of people used it. Now they are trying to
make it involuntary by forcing businesses to scan phones at entrances to
businesses, schools, and healthcare facilities. Do you really think Americans
will accept this? No way. I doubt the legality of this approach in the first
place.

It would take Donald Trump signing a law to get to 60%. People want this to
work because it makes them feel better. Reality has other ideas.

~~~
bhupy
> That's out of ~330 million US citizens for a rate of ~76%. Toddlers,
> children, and poor teenagers are people that also exist and can be in a
> grocery store as asymptomatic carriers of coronavirus. I was generous and
> went with 80%.

Okay sure, but nit-picking that number doesn't change the core argument: you
only need 60% for contact tracing to work, according to the most recent
research. Remember that the goal here isn't to ensure that NOBODY gets COVID,
it's to drive R0 down to < 1. People in grocery stores will still be exposed,
but if R0 < 1, then the disease will eventually die out.

> Your second link is just a study that suggests contact tracing COULD work.
> But the fact that something could work in theory doesn't mean it will work
> in practice. I don't know where you got your 60% number from because that
> number isn't mentioned in that study. I don't think it matters anyway
> because we won't get anywhere near 60%.

You need to read the full article before attempting to refute it, but I'll
help you out.

"The efficacy of contact tracing (the y axis of Fig. 3) is the square of the
proportion of the population using the app, multiplied by the probability of
the app detecting infectious contacts, multiplied by the fractional reduction
in infectiousness resulting from being notified as a contact."

I've taken a screenshot of the diagram for you:
[https://imgur.com/ZXPLLxk](https://imgur.com/ZXPLLxk)

The solid black line shows the threshold for epidemic control.

While you're right that the paper doesn't claim that it is CERTAIN to work,
nobody is sure. In fact, it's odd to me that you are so positive that it WON'T
work. "This has absolutely no chance of working in the US." Even scientists
don't make claims like this with that level of comical confidence.

> Singapore tried this idea and they made it voluntary just like it is being
> made voluntary in the US. 20-25% of people used it. Now they are trying to
> make it involuntary by forcing businesses to scan phones at entrances to
> businesses, schools, and healthcare facilities. Do you really think
> Americans will accept this? No way. I doubt the legality of this approach in
> the first place.

> It would take Donald Trump signing a law to get to 60%. People want this to
> work because it makes them feel better. Reality has other ideas.

Okay but what happens when Apple and Google build this into the operating
system, and contact tracing is always on, like the bluetooth radio, the push
notification service, or OS-level location services?

~~~
cwhiz
Hate to say I told you so, but...

[https://www.axios.com/axios-ipsos-coronavirus-week-9-contact...](https://www.axios.com/axios-ipsos-coronavirus-week-9-contact-tracing-bd747eaa-8fa1-4822-89bc-4e214c44a44d.html)

66% of respondents said they would not use a contact tracing app developed by
a tech company. The remaining 33% may give it a go before they find out how
worthless it is and then it will likely settle into the same levels of
adoption as Singapore.

This is obvious to I guess everyone outside of HN and Silicon Valley.

~~~
bhupy
I'm not really sure what this proves. All it tells us is that the majority of
Americans will not download a contact tracing app.

There is nothing stopping Apple and Google from rolling this out in the OS,
and they've both confirmed that they intend to do this[1]

"Later this year, Apple and Google will include the tool in software updates,
meaning users can log contacts without having to download an app."

They have every right to make it involuntary if they want to, and the only
recourse users have is to decide to stop using iPhones or Androids. I'm sure
there will be some people that choose to do that, but not nearly enough to
keep adoption below the necessary 60%.

[1] [https://www.reuters.com/article/us-health-coronavirus-apps-f...](https://www.reuters.com/article/us-health-coronavirus-apps-factbox/factbox-the-race-to-deploy-covid-19-contact-tracing-apps-idUSKBN22Q2KU)

------
smithza
I ponder whether Google and Apple (aka Big Brother) should have given this
work to another group and promised implementation/integration. I appreciate
that your group is working on making it open source but as you pointed out:

> It is not clarified what [the metadata] will contain and who will have
> access to it, so let’s try to guess.

At the least, I would want Apple/Google to fully disclose these technical
details before I would accept its terms & conditions. If they even put their
logic in an open source format (i.e. GitHub), I would feel more comfortable.
Google is a much worse player in the game of "making money from users by
tracing their every move" than Apple.

~~~
nl
Google and Apple have collaborated in the open on this, publicly shared specs
and taken feedback.

The framework itself has to be implemented by them because it is part of iOS
(in Apple's case) or Android Services (in Google's).

The apps themselves are being implemented by 3rd parties.

There will always be critics but it's hard to see how they could have rapidly
developed this much better.

