
The security behind the NHS contact tracing app - merrvk
https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app
======
aaron695
"The system then takes that the contact events were 'authentic' and then takes
the transmit power and received signal strengths that each proximity event
produced (remember, these are broadly representative of physical distance),
and runs those through a _sophisticated risk model_ to work out the encounters
that are high risk from a virus transmission point of view. "

This is not possible.

Other countries use humans (Contact Tracers) to do this, working with the
person infected.

Contact Tracer: On this day looks like blah happened, Infected: Yes I forgot.

Infected: On this day I talked to this person for ages but I don't know them.
Contact Tracer: I see, we will contact them.

Fine, fine, move quick and break stuff. Don't think about it.

In Australia-

The App is not anonymous! It reuses the ID, they don't roll. 3rd Parties track
away.

iOS does not work at all. You have to have the phone unlocked and on the
front. If you want to pretend that works, you'll make a great government
consultant like the Australians used.

------
waterishail
The Information Commissioner needs to sign off on this.

It would be entirely possible for someone like Google or Facebook with tons of
location data to turn those anonymous ids into real people.

------
szc
Ugh. This is dreadful. Chock full of fallacious arguments. This is a very
nuanced problem, but as described this approach is deeply flawed...

I cannot determine who is supposed to be the target audience for this
"messaging". The narrative starts out trying to build credibility by telling
stories from history, trying to build support for being able to track the
source of a problem. I should note right here, that electronic surveillance
did not exist in either the Middle Ages or the early 1900s when Typhoid Mary
was alive -- so tracking the source of infection did not really incur other
costs or "side effects".

There is then a middle fluff section, pontificating on the two models:
decentralized, centralized. Yup, there is an agenda here...

The first kicker is "stopping the spread" -- there is an unjustified
statement that the "decentralized" model doesn't work -- no explanation. There
is an appeal to the non-relevant stories. Then an appeal to "balance" with the
public health authorities having the minimum information necessary to manage
the spread of the virus.

Then there is a "dive" into the Crypto... Partial postcode (so "rough"
geographic location data)... the model of your phone. Seriously -- WTF --
Covid-19 doesn't care what the model of your phone is, this is irrelevant,
unless you want to profile and track individuals -- period. The system also
ends up agreeing a few cryptographic keys, including a key used to
authenticate your installation... and some system parameters. Sorry, this
creates _highly_ identifying information. Covid-19 doesn't care about these.
Why are these items important or relevant?

There is a fabulously contradictory paragraph that starts with "now let's say
you wake up with a cough". I should note that the previous paragraph ends with
"At this point, nothing has been sent back to the NHS". In this paragraph it
explains that analysis will result in a list of (ahem, centrally recorded)
installation IDs that have been in your proximity. Congratulations -- by
reporting yourself as sick, you've filled in part of a social graph by
identifying other people you came into contact with.

There is a paragraph about downsides, but it is fallaciously incorrect. If you
identify as being sick you are no longer anonymous. You reveal your contact
graph.

There are perspectives / options that a very large number of people will
eventually get Covid-19 -- large % numbers of the population in every country.
This type / style of app will leave behind a non-anonymous, persistent and
connectable social graph.

In summary, the pitch and story were based on and contained fallacious
arguments. The crypto "measures" irrelevant things. There is an appeal that
this is the best that can be done.

Could this all have been developed with advisors that "helped" with the design
and how it should be sold? If not, then this suggests that the developers are
naive and need additional assistance regarding privacy, anonymity and forward
secrecy.

~~~
ananom
"The system also ends up agreeing a few cryptographic keys, including a key
used to authenticate your installation... and some system parameters. Sorry,
this creates highly identifying information. Covid-19 doesn't care about
these. Why are these items important or relevant?"

Thanks for this. Almost had me believing that the unique Bluetooth bla bla
didn't reveal too much - not that I would have installed it.

------
pcdoodle
Contact snitches

