
Ireland's Health Service Open Sources Official Covid-19 Tracking App - pauldelany
https://github.com/HSEIreland
======
urschrei
Here's the "report card" (PDF) on the app's data-gathering and privacy
features, prepared by the Irish Council for Civil Liberties:
[https://www.iccl.ie/wp-content/uploads/2020/07/ICCL-DRI-HSE-...](https://www.iccl.ie/wp-content/uploads/2020/07/ICCL-DRI-HSE-App-Pre-Release-Report-Card.pdf)

The report is thorough, informative, and technically competent, IMO.

~~~
dmurray
A "C+ grade", but the report seems a little nitpicky.

It loses marks for not being a "single-purpose app" as the same app also
provides you a way to track your own symptoms.

It loses a lot of marks for "necessity and proportionality" on the grounds of
not providing documents that prove or support such an app as being useful for
contact tracing, even if it works. Surely they could give the benefit of the
doubt here. And in a separate section they give it a D for "effectiveness"
citing studies that it probably just won't work and will have too many false
positives.

More marks lost for relying on closed Google/Apple APIs, using Twilio to send
text messages, not having a Github issue tracker...

I think they make a lot of good points but when I think about what it would
take for an app to move from a C+ to an A under this framework, it looks like
80% box ticking and 20% addressing serious privacy concerns.

~~~
dmurray
To continue, when they actually address the privacy and security implications
of the design, they call out the possibility of a replay attack "when an
outsider intercepts a communication and fraudulently delays or resends
it...there is no known significant mitigation for replay attacks and yet they
are not identified in the DPIA."

Firstly, surely there's a known mitigation here - replay attacks involving a
delay can be mitigated by including a cryptographically signed timestamp in
your beacon messages. Secondly, the damage from an attacker sending false
negatives and false positives seems small compared to the privacy implications
of deanonymization attacks (e.g. attacker listens for the beacons in several
buses, offices or shopping centres, later identifies which ones were reported
covid-positive, groups those into clusters each likely associated with an
individual, and cross-references the location data with identifying data from
another source). Why call out one but not the other?

~~~
colmmacc
There isn't enough space in bluetooth IDs to include a cryptographically
signed timestamp, there isn't even really enough space to include a
cryptographic signature for everything ... in the Apple/Google design the
Bluetooth power level is left unsigned due to space constraints. It really is
a very very small amount of space.

An alternative design involved bluetooth IDs broadcasting small 63-bit ECDH
shares and devices performing pair-wise key agreement. This would raise the
difficulty level of replay attacks; they'd need to be bi-directional and
roughly time synchronized (within a ~15 minute window) but it had other
trade-offs including reducing the efficacy of the app due to bi-directional message
receipt being required, and ballooning the amount of data that needs to be
distributed to detect infection risk. So it wasn't taken.
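
An added example, not part of the thread and not HSE or Apple/Google code: when a beacon has no room for a signed timestamp, the identifier itself can be derived from the time interval and the receiver can check, at matching time, when it was heard. The HMAC-SHA256 derivation, the constants and the sample log are assumptions for illustration; the check flags a delayed replay but not one resent inside the same window.

```python
import hashlib
import hmac
import struct

INTERVAL_SECONDS = 600    # assumption: identifier rolls every 10 minutes
ID_BYTES = 16             # assumption: size of the broadcast identifier
TOLERANCE_INTERVALS = 1   # assumption: clock skew accepted when matching


def interval_number(unix_time):
    return unix_time // INTERVAL_SECONDS


def rolling_id(daily_key, interval):
    """Truncated HMAC over the interval number; the time costs no beacon bytes."""
    msg = b"ROLLING-ID" + struct.pack("<I", interval)
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:ID_BYTES]


def match_sightings(daily_key, first_interval, count, sightings):
    """Return (receive_time, verdict) for each identifier derived from daily_key:
    "match" if heard within tolerance of its own interval, otherwise "stale"."""
    valid = {rolling_id(daily_key, i): i
             for i in range(first_interval, first_interval + count)}
    results = []
    for ident, heard_at in sightings:
        issued = valid.get(ident)
        if issued is None:
            continue  # not derived from this key at all
        skew = abs(interval_number(heard_at) - issued)
        verdict = "match" if skew <= TOLERANCE_INTERVALS else "stale"
        results.append((heard_at, verdict))
    return results


def demo():
    key = bytes(range(16))                  # constructed sample key
    start = interval_number(1_594_000_000)  # constructed start of key validity
    beacon = rolling_id(key, start + 3)
    t_live = (start + 3) * INTERVAL_SECONDS + 120
    sightings = [                           # constructed receiver log
        (beacon, t_live),                   # heard when broadcast
        (beacon, t_live + 30),              # resent in same window: time cannot tell
        (beacon, t_live + 6 * 3600),        # resent six hours later
        (bytes(ID_BYTES), t_live),          # unrelated identifier
    ]
    return match_sightings(key, start, 144, sightings)
```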

------
secfirstmd
I'm an advocate that where possible all code paid for by the Irish Government
should have to be open sourced under an MIT licence. It's bonkers this is not
more widespread practice.

~~~
chapium
At a minimum it should be free to the people of Ireland in some legalese way.
Much simpler just to go full open source.

------
dmurray
Any reason for me not to use this? As someone living in Ireland who uses a
smartphone and whose security model doesn't include worrying about targeted
attacks by nation-level actors, but would like to avoid everything else.

From skimming respectable non-technical sources it's apparently not very
invasive of my privacy, and won't kill my battery. But this is likely copied
from the HSE press release, I'd like to hear the same from an independent
reviewer.

~~~
disgruntledphd2
There is absolutely no reason not to use this.

In fact, using this app will be helpful, as long as enough people do it. So
you should definitely use it.

~~~
dmurray
To answer my own question, the top comment from urschrei links to an analysis
from the Irish Council for Civil Liberties and Digital Rights Ireland, giving
it a "C+ grade" on its adherence to "experts' best practice principles
regarding government surveillance technologies".

~~~
raverbashing
Yeah and that "analysis" is more nitpicking and cheap criticism rather than
actual issues

Because complaining that a Covid contact tracing app includes symptom tracing
is just ridiculous

------
maxehmookau
Sell it to the UK who insisted on _not_ using ExposureFramework because they
knew better.

Except they didn't.

~~~
disgruntledphd2
The FT reported last week that the new UK app will be based on this code,
apparently.

I personally find this hilarious, but good as compatibility between the apps
is really important given the existence of the Common Travel Area between
Ireland and the UK.

~~~
maxehmookau
It will be, just a shame it cost them many millions of pounds, wasted time and
lives to arrive at the same conclusion that the technology industry has been
repeatedly shouting at them for months now.

British exceptionalism at its finest: "Why would we do this easy thing when we
can do it worse ourselves?"

~~~
Angostura
Except of course, they had _reasonable_ reasons for not wanting to go the
Apple/Google route.

That route is designed for applications to alert users that they may have come
in contact with someone else who was infected.

But its privacy focus means that it doesn't help health authorities trying
to spot geographical clusters early.

The UK government want to use the app as part of its track and trace system to
identify the need for local lockdowns.

~~~
makomk
Yeah, and Singapore - which originally inspired all these Covid-19 tracing
apps - is still refusing to go the Apple/Google route for the same reason.
There's also a chronological issue, with the original app being well into
development when Google and Apple released their approach. But fundamentally,
this isn't about facts - it's about the British press having turned Covid-19
into a cynical, Brexit-related partisan football. Somehow starting development
early and co-operating with countries like France and Germany on a shared
approach turns into letting people die through "British exceptionalism",
merely through the media carefully omitting the details that contradict that
narrative and letting readers fill them back in differently in their heads.

~~~
CodeGlitch
The trust in MSM in the UK is currently very low. You've expressed exactly why
this is the case.

~~~
maxehmookau
My trust in those who blame the "MSM" for everything is even lower.

------
ARandomerDude
I like their molecules, atoms, organisms approach to component organization. I
hadn't seen that terminology used in an app before but it was immediately
intuitive.

[https://github.com/HSEIreland/covid-tracker-app/tree/master/...](https://github.com/HSEIreland/covid-tracker-app/tree/master/components)

~~~
liminal
Think you meant to reply to
[https://news.ycombinator.com/item?id=23758335](https://news.ycombinator.com/item?id=23758335)

~~~
ARandomerDude
Right you are, thank you!

~~~
dang
We'll move it. You can edit the 'wrong thread' bit out if you want.

------
lifeisstillgood
On a related note, anything that pushes OSS for government is IMO a Good Thing
- forgive my usual self promotion here -
[http://oss4gov.org/manifesto](http://oss4gov.org/manifesto)

------
Mvandenbergh
Timely reminder for everyone that there is as of yet no evidence that
Apple/Google/DP3T/ExposureFramework based apps deployed in the wild actually
work effectively. They've been deployed in a number of countries but there is
currently insufficient available data to show that they actually work.

(of course we also know that limited disclosure apps not based on this
framework developed in Australia, the UK, and France definitely don't work
because of bluetooth issues)

(edited to add

See this paper out of Ireland:
[https://www.scss.tcd.ie/Doug.Leith/pubs/bus.pdf](https://www.scss.tcd.ie/Doug.Leith/pubs/bus.pdf)

One of the best use cases for apps like this is public transport, except that
it doesn't seem to work on buses. Hopefully it works better on trains but
given the similarly complex metal environment, I wouldn't hold out much hope.)

~~~
paganel
It partially works as in it gives people who live in a technological society
(like ours) the illusion and hope that technology can solve problems that
don't have immediate technology-related solutions (if at all).

Tracker apps are partially what the massive TSA-implementation programme was
in the States post 9/11, i.e. security theater combined with the illusion that
the dominant paradigm of that time (force/projecting power in the early 2000s,
technology in our present times) is a silver bullet.

------
dhosek
Have any US-based health authorities deployed contact tracing apps? Back in
May, they were going to be coming soon, and I've not heard anything since.

~~~
catawbasam
I think North Dakota has something.

------
secfirstmd
A decent technical overview here:
[https://petertanham.com/the-hses-new-covid-19-tracking-app/](https://petertanham.com/the-hses-new-covid-19-tracking-app/)

------
aboringusername
Honestly, to me I feel the entire concept of 'apps' has been an abysmal
failure. There's no evidence to suggest they've helped in _any_ capacity. I
think any contact tracing system is _far_ more effective than using BT which
was never designed to be used in such a capacity and feels more of a best-case
'hack' with current smartphone technology.

History will look at these 'apps' and will make conclusions based on their
effectiveness, and the ones that are more privacy preserving will likely not
rate highly on impact or usefulness.

If anything, this pandemic has enabled authoritarian regimes the capability of
monitoring their populace 24/7 with wearable gadgets and apps that collect
location/contact and other information.

To me, it highlights the importance of _not_ using apps where possible and
further highlighting how smartphones are _spies_ for the governments around
the world.

~~~
rsynnott
This data is intended to be used in concert with manual contact tracing, not
instead of it. The problem with contact tracing, as people get more mobile, is
that while you can say "I was in contact with my friend X" you probably can't
tell the contact tracer the name of the person sitting behind you in the
restaurant. This will help with that, potentially.

