
Stop the Apple and Google contact tracing platform - jrepinc
https://blog.xot.nl/2020/04/11/stop-the-apple-and-google-contact-tracing-platform-or-be-ready-to-ditch-your-smartphone/
======
jmull
This guy is wrong about the Apple/Google contact tracing program.

As created, it’s opt-in only and does not report matches to a central
authority.

This guy says, yeah, but the gubment could _abuse_ the tracing mechanism for
things besides an epidemic, _force_ your phone to report matches centrally,
and _force_ the removal of the opt-in part of it.

...except, if a government can pull those off, they don’t need this new
contact tracing platform. These assume the government already has deep
control of the details of the operating system.

In other words, this contact tracing platform has nothing to do with his
privacy concerns.

There are always people who see a tragic pandemic and just see a chance to use
the concern and attention to highlight their own cause. And then there are the
ones who fight against the efforts to mitigate the suffering to promote their
cause, like this guy. Whew.

~~~
donohoe
First, you make some good points but you could have made them without rudely
characterizing the author ("...but the gubment could.." etc.)

Second, the author is not wrong - when you build in tracking at such a
deep-level it is open to abuse. Read the author's bio, he is not a naive techie.
This is an area he has strong background in and deep technical knowledge.

Maybe this is the path forward, but Apple and Google appear to be rushing into
this without considering the larger picture.

~~~
jmull
It’s exactly because of the Author’s bio that I come down hard on him.

He _knows_ what he’s saying is wrong, and he _knows_ that if the FUD he’s
spreading catches on, a lot of suffering will happen that otherwise would not
have.

> when you build in tracking at such a deep-level it is open to abuse.

True, which is why he should do an analysis of this system rather than this.
He _could_ be using his platform as an authority and presumed skills as a
teacher to explain the system rather than spread misinformation.

~~~
donohoe
No, what he is saying is very plausible and very likely correct. It is not
misinformation. It is a well-founded concern. I've been in tech long enough
to know that what he is proposing is very possible.

Other commenters here go into better detail than I.

~~~
jmull
Please do read comments by others. There are some good ones that go through,
point by point, places where the author is wrong.

------
throw0101a
Wait until this fellow hears about Apple's "Find My" feature:

> _In upcoming versions of iOS and macOS, the new Find My feature will
> broadcast Bluetooth signals from Apple devices even when they're offline,
> allowing nearby Apple devices to relay their location to the cloud. That
> should help you locate your stolen laptop even when it's sleeping in a
> thief's bag. And it turns out that Apple's elaborate encryption scheme is
> also designed not only to prevent interlopers from identifying or tracking
> an iDevice from its Bluetooth signal, but also to keep Apple itself from
> learning device locations, even as it allows you to pinpoint yours._

* [https://arstechnica.com/information-technology/2019/06/the-c...](https://arstechnica.com/information-technology/2019/06/the-clever-cryptography-behind-apples-find-my-feature/)

* [https://blog.cryptographyengineering.com/2019/06/05/how-does...](https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/)

------
epistasis
> However any decentralised scheme can be turned into a centralised scheme by
> forcing the phone to report to the authorities that it was at some point in
> time close to the phone of an infected person.

If the system was different, it would be bad?

This is a slippery-slope argument that I do not find compelling. The amount of
surveillance that this is supposedly guarding against--govt tracking of an
individual's location--is already possible with no changes to any system.

It is no more slippery a slope for raw unscrambled BTLE identifiers to be
reported to a centralized system. I don't think that the encrypted system
makes it any easier in the least.

These devices that we carry everywhere are huge privacy concerns, but I don't
think this author is even warning about the right things. Does the author even
know the amount of location tracking going on in stores, currently? The amount
of data that is sold back and forth with no user knowledge or understanding?

The concerns raised here ignore the much worse reality that already exists!!

~~~
twhitmore
Generally I agree that location tracking is already relatively widely done,
and the Apple/Google protocol makes reasonable efforts to preserve privacy.

I do share some caution, however -- tracing 'personal contacts' by BTLE is
likely much more personally specific, and hence significantly more intrusive,
than just location.

If such mechanisms became more generally available they would likely become
used as part of the machinery of repression in states such as China. Or
everywhere (depending on our future).

Location is fairly imprecise as to social contact, but I guess the concern
would be that this will be accurate enough to track dissenters, find their
contacts, and accuse/imprison you.

------
yuy7878
This seems to misunderstand or dismiss a lot of important details about the
proposal.

> The current specifications allow phones to learn when and where they were in
> contact with another device.

That's oversimplifying it massively. First the spec clearly states that no
location data is recorded, since the location is not necessary for the
application of contact tracing.

> By pushing a button on one phone, by reporting it as infected, all other
> phones that were recently in close proximity reveal themselves to the
> central server

This is not true, they clearly state that matches with a Diagnosis key are not
uploaded to the diagnosis server.

> The current specifications allow phones to learn when and where they were in
> contact with another device. It is unclear whether the actual identity of
> that device is also revealed.

This is just not true, they make it abundantly clear in their specifications,
that the identity of the device is never revealed.

> A company could install Bluetooth beacons equipped with this software at
> locations of interest (e.g. shopping malls). By reporting a particular
> beacon as ‘infected’ all phones (that have been lured into installing a
> loyalty app or that somehow have the SDK of the company embedded in some of
> the apps they use) will report that they were in the area.

This is not how this works, this is not how any of this works! It is highly
speculative and extremely unlikely that any random APP will have access to the
tracing key to make that even remotely plausible.

This criticism is obviously written by somebody who has not read the
specification[1] or did not understand key aspects of it.

[1]
[https://www.apple.com/covid19/contacttracing/](https://www.apple.com/covid19/contacttracing/)

~~~
stjohnswarts
You trust them to not log that information when it is all clearly available to
them? You are trusting Apple, Google, and the US government to not do the
wrong thing? Or to not use this as a stepping stone to a permanent and more
invasive "feature" to ensure your safety?

~~~
yuy7878
You can argue this without having to misrepresent or lie about what their
proposal says. It hurts your credibility if you do even if you were to have a
perfectly valid argument.

------
01CGAT
The technology used for this is the same as for locating your lost device and
takes care of privacy in a very smart way, more info:
[https://www.wired.com/story/apple-find-my-cryptography-bluet...](https://www.wired.com/story/apple-find-my-cryptography-bluetooth/)

"Apple says an elaborate rotating key scheme will soon let you track down your
stolen laptop, but not let anyone track you. Not even Apple."

------
avra
I'm afraid someone has to tell the author that what is already possible is
worse than the concerns raised here. This technology is actually an effort to
not use the available methods that would ignore privacy.

~~~
nickysielicki
Ding ding ding. It’s sad how quickly we forget that we live under dragnet
digital surveillance. We haven’t even really internalized it.

~~~
cinquemb
Yet, still there is a conscious effort on the part of these
companies/orgs/governments to slang the "we're protecting your privacy™"
narrative because it's always easier to leverage these tools against others
when they don't see it as a threat and aren't willing to mitigate against it
to any degree.

------
FabHK
Disagree.

The argument seems to be: the spec is fine and presents little danger, but if
an app went rogue, or a government mandated an app with further capabilities,
then it would be problematic. Yeah, sure. But that also describes the status
quo, and everyone still carries their smartphone around.

------
flixic
I don’t find this convincing at all. Proposed system is incredibly privacy-
conscious, with all the control of self-reporting left to the user.

Let’s not stop this initiative that protects health and safety of societies
that can trust their health authorities— and there are many.

We should be vigilant and try to stop autocratical implementations or misuses
of the system. But it seems that even that will be difficult considering how
the system is designed. And if governments can compel you to install some app
on your phone, no amount of stopping Apple / Google will help.

------
qwerty123457
??? I don't think anybody who catches the coronavirus wants to be anonymous.
There is no social stigma.

The problem is exactly the reverse: infected people would gladly tell
everybody exposed, but they can't reach them since the virus spreads so easily
and the exposed could be delivery drivers, people in the grocery store, etc

~~~
drno123
Unfortunately in my country - Croatia - the social stigma exists. While we
have a very good situation (total of 1500 cases on population of 4M, with 20
deaths), and we are geographically very close to Italy, there were multiple
reports of patients’ families being harassed.

~~~
sischoel
In that case, the number of cases might be much higher, as people try to hide
their sickness in order to protect themselves or their relatives.

------
bronzeage
They are trying to prevent both millions of deaths and the worst economic
collapse in modern age. Privacy isn't as important. Fight this thing when
corona-virus is over.

~~~
jchristian-
This is exactly the kind of dumb mentality the government wants, and you fell
right into the trap. They always use situations like that to push bad stuff
that won't be easy to ditch later...

~~~
bronzeage
People can't literally exit their houses right now. Much more basic freedoms
are taken. If you think ditching that later will be hard, ditching it now when
it's desperately needed is impossible.

~~~
xvector
That is no excuse to tell people to give up their privacy. Some people value
their freedoms more than you, it seems.

------
thinkingemote
Note: In China it's private businesses, not the government, that force people
to install the tracing apps on their phones before being let into their
establishments. The same thing can and probably will happen here: get tracked
or be denied service.

The government doesn't have to do anything.

~~~
agustif
Wait a minute, aren't all private businesses owned or controlled by the CCP?

------
xupybd
I'm for this. I'll opt into anything that can give us a chance to slow this
thing without crippling the global economy.

You can stay safe by putting your phone in a Faraday cage if you must.

------
fancyfredbot
Too late. If governments ever want to make a Bluetooth contact tracking app
mandatory, they can already do so, and could have done so before this platform
was created. All Google and Apple are doing is making it very marginally
easier.

~~~
ChrisMarshallNY
I read somewhere that there are beacon detectors throughout many retail stores
that track people throughout the store.

That’s been in place for some time.

~~~
viraptor
That's been also done via cameras in the past:
[https://augustcapital.typepad.com/news/2012/08/e-commerce-st...](https://augustcapital.typepad.com/news/2012/08/e-commerce-style-big-data-analytics-meet-brick-and-mortar-retailers.html)

But it's likely wifi pings and bluetooth details would be added to the mix
these days.

------
monkeydust
It seems well thought out from privacy side but I acknowledge there could be
unintended consequences and bad actors that take advantage - but - I feel this
is a price worth paying given the magnitude of the situation we are all in.

------
josefresco
These hand waving, overly dismissive, FUD articles need to stop. Propose an
alternative or shut up and sit down. Complaining about a tactic to combat a
pandemic without a solution of your own is the lowest form of civic
participation.

~~~
jjgreen
I'm sure they'll become illegal soon.

------
andy_ppp
I mean surely mobile phone operators already have this information? I never
hear about them being subpoenaed or attempting to deny requests, makes me
think they make this information fully available.

~~~
g_p
Operators currently have handset location data, based on cell tower
triangulation. I imagine many will store this, but this may vary by network.
The absolute minimum you need, in order to run a network, is to know the
current location of the handset, so you can route calls to it. Historical data
isn't required for delivery of the service. I imagine in countries with weaker
privacy laws, data like this can be used like we saw with the "tracking spring
break beach-goers heading home".

Triangulated location data is far from precise however. It would let you
determine roughly where someone is, but nothing like accurately enough to do
contact tracing or infection monitoring. You'd also need to start storing
historical location data on a huge scale, but it would be accurate to a few
hundred metres typically. Not ideal for contact tracing.

~~~
andy_ppp
DNS + WiFi + Mobile phone masts etc. You could probably get some real location
data by augmentation with coopted social networks add in some AI for expected
locations and regular appointments. Do iPhone photos include location data in
the exif data? I think the information exists but it’s just used by spooks
right now is all.

------
halixand
Moxie Marlinspike has an interesting analysis on this:
[https://twitter.com/moxie/status/1248707315626201088](https://twitter.com/moxie/status/1248707315626201088)

~~~
FabHK
He objects to two things:

1. Doing it globally would require download of too much data, thus (contra
promise of the spec) location data will have to enter. However, from what I
can tell, that could be very coarse data, on the level of country and/or time
zone (thus, not even necessitating access to GPS location data). I don’t see
it as a major problem.

2. The “prank” danger: someone just pressing “I’m infected” for fun. One
could introduce a tiered system where “I’m infected” requires some sort of
authentication from a hospital/lab (a QR code on positive test results for
example). There would also need to be a tier for “I have symptoms”, and yes,
that could be abused/“pranked”.

Would be interesting to see a deeper analysis on both points. I don’t think
they’re deal breakers.

~~~
Slartie
His argument No. 1 is self-defeating. If you have rapid exponential growth and
would have to publish hundreds of megabytes of keys per day (and phones only
need to download the delta to the previous day), this approach of contact
tracing is useless and you must instead get the entire population under
lockdown. If everybody is sheltering at home, nobody needs notifications of
possible contacts, because everybody is doing what would be the response to
such a notification already. So you can simply disable the app in a certain
country or don't accept submissions to the diagnosis server during that time.

This approach, just like the manual approach of tracking potential contacts
via paper and phone, is only of use in a scenario with a very limited number
of transmissions and an R (reproduction rate) of around or below 1. Its
purpose is not to reach such a situation, but to aid in keeping that situation
in effect without severe measures. But severe lockdowns must first suppress
the infection counts to such levels before any contact tracing may work at
all.

~~~
cameronbrown
I think the point with this is when the curve starts to flatten, we can
_safely_ reopen the economy. Contact tracing and rapid response can end this.

------
tareqak
If governments and cellular service providers already have the capability to
track cell phones users and generate lists of people in close proximity, then
why do Apple and Google need to create this contact tracing platform? Why
are governments and cellular service providers not using this existing
capability if they possess it?

I am not trying to imply that they do not have this capability. It just seems
odd.

I also have a question: can this feature be disabled simply via disabling
Bluetooth?

------
kostarelo
> The police could quickly see who has been close to a murder victim: simply
> report the victims phone as being ‘infected’.

> A company could install Bluetooth beacons equipped with this software at
> locations of interest (e.g. shopping malls). By reporting a particular
> beacon as ‘infected’ all phones (that have been lured into installing a
> loyalty app or that somehow have the SDK of the company embedded in some of
> the apps they use) will report that they were in the area.

I see these as possible exploits indeed. But the points are a bit confusing. I
would love for the police to be able to stop a serial killer from killing more
people. But they will do so by exploiting a COVID-19 contact tracing app? And we
will be mad at them?

> Some might say this is not a bug but a feature, but the same mechanism could
> be used to find whistleblowers, or the sources of a journalist.

It's been some time since I read Snowden's Permanent Record, but I don't
remember him getting in close contact with journalists to hand over
information.

> If you have Google Home at home, Google could use this mechanism to identify
> all people that have visited your place.

That's the reality already.

> Jealous partners could secretly install an app on the phone of their
> significant other, to allow them to monitor who they have been in contact
> with. Overzealous parents could use this spy on their children.

Maybe drill down a bit into your relationship and figure out the core issue.

~~~
kostarelo
Correction: Snowden did indeed meet with journalists when he was in Hong Kong
and first disclosed the story.

------
panchtatvam
App based on this technology has started working here at Bharat (a.k.a. India)
(population 1.3 billion). I hope the government uses it wisely.
[https://play.google.com/store/apps/details?id=nic.goi.aarogy...](https://play.google.com/store/apps/details?id=nic.goi.aarogyasetu)

------
mattlondon
> In other words, certain governments or companies ... can create an app that
> report the fact that they have been close to a person of interest in the
> last few weeks.

So this assumes that any random app installed by a user will have open access
to the contact database? That seems unlikely to me, but I have not read the
full spec.

~~~
posnet
Governments don't need it. The model suggested links nearby bluetooth mac
addresses which get linked to the phone's IMEI, and governments already have
multitudes of legal ways to link names to IMEIs.

~~~
pdkl95
Cell tower based contact tracking is already used to infer someone's social
graph and pattern-of-life. Bluetooth association data - even with opaque
tokens - can easily be correlated with cell tower movement to refine
CO-TRAVELER style analysis.

Cell-tower-resolution analysis is already very powerful - it can trivially
reveal someone's associations and overall behavior. When correlated with
short-range proximity data, I suspect the same analysis might reveal
behavioral details _within_ an organization ("which meetings you attend"
instead of merely "what address you work at").

[https://www.washingtonpost.com/world/national-security/nsa-t...](https://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html)

[https://www.eff.org/deeplinks/2013/12/meet-co-traveler-nsas-...](https://www.eff.org/deeplinks/2013/12/meet-co-traveler-nsas-cell-phone-location-tracking-program)

~~~
pinkfoot
In a previous life we were also able to identify the owners of anonymous
(burner) SIM cards.

Even crooks and anarchists lead very predictable lives.

------
DangerousPie
If the authors come up with a better spec that achieves the same thing with
improved privacy then sure, let's not use the Apple/Google one. But until
then, this is the best we have.

~~~
iso947
You are starting from the premise “we must implement this feature”

------
sschueller
Why do we need apple and google to do this and not support an open project
like [https://www.pepp-pt.org/](https://www.pepp-pt.org/) ?

------
kujaomega
In my humble opinion, this platform aims to track if people had got contact by
bluetooth with other people that might have the virus.

The virus can remain on surfaces up to 3 days
([https://www.immedicohospitalario.es/noticia/18729/new-corona...](https://www.immedicohospitalario.es/noticia/18729/new-coronavirus-stable-for-hours-on-surfaces)).

With bluetooth you can not track the surfaces, so the ratio of false positives
and false negatives will be high.

The best way to stop possible infections remains in individual measures anyone
can take. For this reason, I think that the objective of this platform is to
track people, not stop the virus.

~~~
chispamed
That's a logical fallacy. This app not being able to prevent all possible
infections and having false positives / false negatives does not automatically
mean that its sole purpose is to track users.

There are multiple scientific studies that support the use of an app as _one
of many measures_ for ending the lockdown which already takes away many basic
rights at the moment. Even though viral RNA can be found on surfaces after
hours this does not mean that surfaces are an important vector for
transmission and all studies so far point in the opposite direction. What is
very concerning however is that close to 50% of all transmissions happen during
the first few days of infection when the host is not experiencing any
symptoms. In the absence of symptoms and given the many limitations of
personal follow-up through the authorities (which gives them much more data on
your person than this app ever could btw) an automatic notification system is
the only way short of a complete shutdown to quarantine infected but currently
asymptomatic patients and halt the spread of the virus.

Privacy-wise you would be worse off in any other situation as well. Do you want
the shutdown to continue and police to be able to control you at any time when
you leave your apartment? Do you want government workers asking the infected
who they have been in contact with during the last weeks and them to give your
name, address and contact details to the government? Do you want the
economical crisis to continue and people to have to share all possible details
with the government in order to get unemployment benefits? Also, Apple and
Google already control your operating system and have much more data on you
than this app could provide them with through their OSs and all their apps.
What they could gain would at most be the knowledge of whether you could have
been in contact with an infected person. Leaving aside that their system as
outlined atm would not even allow them to do that, what would they gain? For
most people there won't be any lasting effects so there are no characteristics
inherent to the group that can be targeted. It will also affect a huge chunk
of the world's population, chances are that most people will have to
quarantine at some point and then that data will be almost worthless.

~~~
kujaomega
> all studies so far point in the opposite direction

Do you have any source of this information?

> close to 50% of all transmissions happen during the first few days

What's the source of this information?

~~~
chispamed
For the second point, take a look at these studies:

Ferretti et al. (2020). Quantifying dynamics of SARS-CoV-2 transmission
suggests that epidemic control and avoidance is feasible through instantaneous
digital contact tracing. Science.
[https://science.sciencemag.org/content/early/2020/04/09/scie...](https://science.sciencemag.org/content/early/2020/04/09/science.abb6936.abstract)

Ganyani, Tapiwa, et al. "Estimating the generation interval for COVID-19 based
on symptom onset data." medRxiv (2020).
[https://www.medrxiv.org/content/10.1101/2020.03.05.20031815v...](https://www.medrxiv.org/content/10.1101/2020.03.05.20031815v1)

The first study also touches on the point of transmission through surfaces
which they argue should be at the very most 10% of all cases but probably less
and a German virologist who's one of the leading experts in coronaviruses,
Prof. Dr. Drosten, said that he and many others believe that surface
transmission is almost negligible:
[https://www.ndr.de/nachrichten/info/coronaskript162.pdf](https://www.ndr.de/nachrichten/info/coronaskript162.pdf)
(in German).

------
dirtyid
> Or be ready to ditch your smartphone and get yourself a dumbphone.

Isn't this the standard prescription for the extreme privacy conscious
individuals anyways? For the rest of us, we can always turn off bluetooth.
Maybe this will bring back headphone jacks or replace the standards
altogether. In the meantime, some of us want security over privacy. Many of us
never valued the latter much in the first place.

------
cletus
Maybe the best thing to come out of this crisis is a chip in the armor for the
privacy-over-everything crowd.

This is a particular problem in the US where in the name of "freedom" people
feel entitled to do whatever they want. I've come around to thinking that this
is little more than a mass rationalization for selfishness and cruelty.

I think back to things like the Trump administration separating children from
parents in detention facilities, a measure so cruel that it was one of the few
times such a policy of this government has been reversed. This has long term
harm on children (seriously, google it) but yet it's justified by some out of
a sense of fear that somehow these immigrants are criminals or just "stealing
their jobs" or "jumping the queue" when most are just trying to escape pretty
terrible situations.

Honestly, I see more outrage over animal cruelty than I did from removing
three year olds from their parents.

In years past, we as a society endured a lot when required. In the World
Wars, there was rationing and a lot of sacrifice to support the war effort.

But we've somehow transitioned into a society where we don't want to do
anything for anyone. And we want to call that "liberty".

What we have here is something that may help tracking contacts for a disease
we need to fight. That seems like a good thing to me. I don't give an F that
some privacy nut may think "but the government might use this to track us".

Not every surface is a slippery slope.

Just like we had curfews, rations, shortages, blackout blinds and so forth in
WW2 and now we don't. Not everything has to get worse.

~~~
cameronbrown
> But we've somehow transitioned into a society where we don't want to do
> anything for anyone. And we want to call that "liberty".

Agreed - rights without responsibilities are just privileges.

> Not every surface is a slippery slope.

Maybe, maybe not. The whole point of the slippery slope metaphor is that it's
hard to know when to stop. I think this is a better trade-off than the economy
sinking though.

------
chvid
Would you rather be forced to stay at home for all foreseeable future?

------
trasz
It’s opt-in.

------
jka
Improving healthcare outcomes is crucially important at the moment, and
technology can help with that.

That said, there's risk in globally deploying platform-level technology
changes which could be difficult to roll back and are not held democratically
accountable.

It may be worth considering time-limits on rapidly-introduced technology
changes like this. We cannot always anticipate all the side-effects of
technology, and if we do need to introduce them suddenly, we should be
thoughtful and deliberate about evaluating their effect as we do.

It seems apparent that Apple and Google are the entities holding the reins on
this particular implementation. Yes the technology is opt-in; but that could
be seen as a way to make a potentially bitter pill palatable for both citizens
and their governments.

After a global recovery, imagine what the world might be like if nearly all
daily interactions between people with Android or Apple smart devices have to
be assumed known to their local authorities (including in locations with
repressive regimes).

Perhaps that would appear acceptable, under some circumstances, to some people
in some cultures. I think it'd be hard for almost anyone to quantify.

I'd suspect that an environment like this would lead to a significant loss of
privacy and a resulting chilling effect in the types of activities and
relationships that people build.

Even if that's a pessimistic outlook, it may be worth questioning whether two
corporations from a single country should have the power to effect such large
changes without at least constraining their effect to the duration of the
COVID-19 crisis.

