Hacker News new | past | comments | ask | show | jobs | submit login
Apple and Google partner on Covid-19 contact tracing technology (apple.com)
823 points by ikarandeep 45 days ago | hide | past | web | favorite | 456 comments



Promising opt-in is a bit disingenuous. These tech giants are creating a technological capability. Whether or not it is opt-in, opt-out or mandatory is then decided by governments, now and in the future.

This is of course nothing new. But it's worth noting considering how high the tolerance for extremely intrusive government action currently is and how extremely weak any resistance is bound to be.

I'm not saying I'm against contact tracing in the current situation. But that shiny new button that governments get to press will never go away.

Edit: Reading the spec, I found a piece of information that may be of interest: This technology allows contact tracing without necessarily revealing the location where that contact has taken place. So that could indeed be a privacy benefit over alternative approaches.

https://covid19-static.cdn-apple.com/applications/covid19/cu...


They already have the shiny button. They can compel cell phone companies to give this data to the government already, without you knowing about it.

At least this way you will get some control of the info and you'll know what was collected and have control of it's disclosure (for now).

In other words, this is no worse than what the government is already capable of, it just makes it easier for you to share the data with health care providers.

The government already has all these abilities.


> They can compel cell phone companies to give this data to the government already

Bluetooth has a quite small range, which may give higher tracking precision (to anyone receiving the signal) than the data cell phone companies have.


Bluetooth 5.1 devices can do both distance and direction, so if you have a bunch of beacons you can determine your location to sub-meter accuracy.


Realistically, what does sub-metre accuracy help with "evil" (catch-all for all non-disease-related) surveillance that, say, a 5-10m is insufficient for?


Hyper localized association. Like, for example, a dissident organizing a local chapter of some organization who disperses information via in person hand offs of handwritten papers every. In this example, their hand off point, in a small town of tens of thousands, is the Saturday farmers' market that runs from 8 until 5 or so. They and their conspirators all went to the farmers' market regularly before so it's completely natural for them to appear within 5-10 meters of each other a few Saturdays a month (usually because the three most popular food trucks have long lines right next to each other). Except now "evil" can roll up the ringleader and see a pattern of who passed within an arm's reach every time the ringleader got a message from the head organization without actually spending the resources to surveil anyone in person.

"Evil" usually doesn't care enough about most people to spend significant resources surveiling them. The danger in dropping that threshold is that "evil" invents new ways to exploit any efficiency.


"Evil" is a bit loaded, but what that level of accuracy does is let you say "this person was in front of the shelves for products X, Y and Z" as opposed to "this person was probably in the store".


This app appears to use peer to peer Bluetooth between phones, not beacons. The intention is to determine relative proximity between users, not absolute position.


Tracking isn't just by connection. Their point is that bluetooth tracking (by beacon or otherwise) is already a thing - many major retailers and franchises already do it.


It's ridiculously easy to turn any Bluetooth device into a beacon. All you have to do is configure the BLE advertising frame for the device and then set the device to advertise. I can turn my laptop into a beacon in about 5 minutes(some web searching to remember exact commands and formats).


iPhones don't have Bluetooth 5.1 yet, and I'm assuming no Android phones either.


Qualcomm's latest flagship soc (865) with 5G has Bluetooth 5.1 support as far as I know.


Currently, yes, but "numerical results with a system operating at 39 GHz show that sub-meter 3D positioning accuracy is achievable in future mmW 5G networks" :)

https://arxiv.org/abs/1803.09478


Little did we know, 5G didn't cause Covid but Covid will cause 5G...


I'm pretty sure he was referring to cell tower location data, not bluetooth. Though cell tower location data has low resolution, in the order of a few 100 feet to several miles. Not useful for contact tracing.


5g, I have heard, allows more fine-grained positioning.


The capability of using the Bluetooth stack for tracking is not new, this proposal limits the way that data can be used. See the cryptographic specification linked below.


The alternative would be GPS which some governments are looking at now. It might give higher precision with a grid of location data to enhance it, but I would assume the protocol prevents this eg by some randomization of ids?


GPS is completely unidirectional from satellites to receivers and thus the satellites cannot be used to track the receivers


What skuhn said. That is what the solution the Norwegian and Danish government is implementing is supposedly doing. Reporting the GPS data back to a central server. If you’re using iPhone.

https://www.simula.no/news/digital-contact-tracing-qa#How%20...?


The receivers can be made to report their GPS data back for tracking purposes.


There is also another idea floating - let the phones emit an ultrasound - then the other phone can estimate proximity, by the volume or delays.


Thanks. I wasn’t using my battery anyways.


none of the proposed tracking methods are without additional battery consumption, as far as I can tell..


Just have everyone wear QR code name tags


that isn't a reason to be complacent about furthering governmental/corporate surveillance capabilities.

in fact, it should remind us to take away those prior surveillance capabilities, and demand any contact tracing system to give control to users and be fully off-limits to large power structures (e.g., only shared between users and researchers).

and being hard to do so is no excuse. we have millions of people we can work on the problem if it's so important to warrant such massive effort.


People are working on contact tracing, this takes care of one of the harder parts without dictating central control in a pretty sensible manner. Being wary of privacy adverse interests in this context is good but in this context makes little sense. This specification only touches the question of data leaving the device in ways that restrict what the outside party, in an RFC manner MUST wording, can do with the data.

It's pretty clear that we will get contact tracing applications in many parts of the world, regardless of any action Apple or Google might have taken. Might as well base it on something that does not compromise the user base wholesale.


The protocol is explicitly designed to not share information - the data does not contain location information, and the only thing that someone can do with that data is verify if they have seen some of the identifiers that were published by someone else.


They can compel, but also what they typically do is to purchase from them the data. That way they don't even need warrants. We tally need stronger regulations about sensitive information like that.


It's much worse because it won't have judicial oversight.


Unfortunately neither does existing location data collecting.


> At least this way you will get some control

doubt it.


> it just makes it easier for you to share the data with health care providers

I don't want to share any more information with these corporate heath care providers based on real world experience with them. Is that "allowed".


how high the tolerance for extremely intrusive government action

You could also view it as high demand for government functionality, with an accompanying commandeering of the governmental power by the public, which has leverage of its own. Consider, for example, that 1/3 of the country is on a rent strike right now, a proportion which will likely grow. That part of the polity is learning to flex its political muscle for the first time in a while, because the economic and political establishment suddenly finds itself at a severe disadvantage.

Of course, the government commands asymmetrical strength through police and (less directly) military force, but that's only effective insofar as disparate groups rarely have broad common interests that transcend regional, economic, or social boundaries. Since the internet provides many of the tools to facilitate collective action and COVID-19 has provided a sufficiently broad incentive, political incumbents are discovering that their powers are only as extensive as the willingness of people to cooperate and that they do in fact require the consent of the governed.


> Consider, for example, that 1/3 of the country is on a rent strike right now

Errr - no, no they aren’t. This month had approximately 12% more people miss their rent payment than last April.

That’s high - and bad news for people like my retired aunt and uncle, or father in law, who rely on the income from their rental property - but it’s hardly a national rent strike.


Not sure if the 1/3 is correct or not but consider this- that's the rise for April. Even people who live paycheck to paycheck can often find a way to scrounge together that money if they just lost their job. I'd say reserve judgement until we see how many people pay their rent in May.


Not paying your rent because you can’t afford it != joining a rent strike.

The rent strike movement is a political one, and has little to do with wether or not one can afford rent.


After a quit scan of the protocol and API outlined by Apple and Google: it looks privacy & technically sound to me.

I would remove the Android FAILED_REJECTED_OPT_IN status code (https://www.blog.google/documents/55/Android_Contact_Tracing...).

I cannot find it in the Apple API specs, but maybe it's not defined in there yet.


If it's a shiny button users get to press I have no problem with it, even if govs make it mandatory in the short term for things like public transport use or non-essential shops.

This should be an app users can install and uninstall, not a feature governments control.

PS Governments are already accessing your phone records and tracking behaviour without your permission, along with recording everything you do online for at least 30 days. O Tempora, o mores!

https://news.sky.com/story/coronavirus-government-using-mobi...

https://en.m.wikipedia.org/wiki/Tempora


Both Apple and Google have the exact location for all users for all time. Both can tell you right now, who you have been in contact with and how many folks they in turn have been in contact with.

They aren't building anything new, in fact, this is much less than they already have.


> Both Apple and Google have the exact location for all users for all time.

This is a false statement. With location services off, the providers only get coarse location via tower strengths and also via IP geolocation (everything phones home and leaks your IP constantly). It’s not exact, not by a long stretch.


Don’t forget WiFi router Mac address triangulation.


With location services off, I don’t believe that occurs.


Depends on the platform. Ultimately all you need is a list of the routers around you; SSID is often sufficient, but mac adddress is optimal since it can be sent to Google API [0] or similar for geolocation. I'm not sure about Android permissions. With iOS, it used to be (like 2 years ago) that any app could get the list of nearby access points, without permission. But AFAIK that was recently changed to be behind a prompt. Not sure if it's the same permission as location services or a different one.

[0] https://developers.google.com/maps/documentation/geolocation...


I am done helping either company. What a breach of trust to hop on the 1984 bandwagon and we haven't even been trough a full cycle of this.


Do you really think that this feature has drawn a line in the sand where previously they couldn't track you and now they can?


No, it was already terrible before.

But it was labelled as terrible. I was for the secret service.

Now it's going to be culturally accepted, and in the hand regular administrators.

This is on order or magnitude worse, for something that was awful.


Because it's being used to fight something even more awful.

There are no good choices in a pandemic.


This is a false dichotomy and assumes there are only two choices:

- not handling the pandemic

- tracking the population

You can get information about people assembling in other ways:

- helicopters

- intel gathering

- cops and army patrolling dressed as civilian

- create groups of citizen in town responsible to patrolling

And probably many I don't know about.

Then you add to that: keeping to communicate with the public, testing a lot, providing masks, etc.

The fact you are using this argument shows how much powerful the culture about "the end justify the mean" and "trusts the authority to deal with this" is.

I remember the first time I saw Jack Bauer on TV decapitating a terrorist in 24 to get an information. I though, "wow, they are really creating a new normal here".

That's what it is about: creating a new normal. And pretending there is no other choice, while nobody is trying to provide any.


There's no pretending there is no other choice, this already is a proposal for that "other choice". Contact tracing certainly isn't new, it's a required step in tackling many infectious diseases and will happen whether or not it is assisted by digital means. The technical alternatives to the tiny part proposed here are coarse and many of them more invasive in terms of privacy. This proposal is specifically designed to prevent tracking populations, it also limits the number of necessary off switches to the two OS vendors. What exactly is the part of the "new normal" you are worried about here? I hope it's not people walking around with tracking beacons in their pocket, they already do that without giving it a single thought.


It’s not about “people assembling” at all. It’s about individual prolonged contacts, possibly accidental (mass transit), with an infected person, allowing much more targeted (as opposed to current blunt tools like shelter at home orders) suppression of the disease.


I wish I could share your optimism


In a pandemic, I think it’s fair to value public safety over privacy. What comes after the pandemic is a separate concern and discussion.


Public safety is not a human right, while privacy is.

If we abandon our commitments to human rights in times of crisis, how important are they to us, really?


> Public safety is not a human right, while privacy is.

Seriously? “Everyone has the right to life, liberty and security of person” is literally Article 3 of The Universal Declaration of Human Rights - and 1&2 are “this applies to everyone; yes, we mean it”. Privacy is all the way down in Article 12.

I’ll take my life, health and freedom, for which targeted suppression of this disease is essential, over my privacy any time, thank you very much.


You can't really have no privacy and freedom. Isn't that obvious?


Life and “security of person” are not the same thing as safety.


> Edit: Reading the spec, I found a piece of information that may be of interest

Shouldn't you read the spec before commenting?


there's no button the government can press - the broadcast data is short term identifiers that can't be linked without know the day key. The identifiers are literally just a random 16 byte number derived sequentially from the day key.

The day key is only known if the user elects to publish those keys.

If you have a collection of day keys you don't know who published them as there's no device information in that.


> But that shiny new button that governments get to press will never go away.

I think that framing is slightly counterproductive to be honest. The alternative are efforts that, from what I see so far, seem to fall on one of two sides:

a) sensible privacy defaults like the proposal by Google/Apple, open development, limited traction in the community and not well connected to political decision makers

b) company initiatives, closed developments and promises of openness while working on centralized solutions

I feel like your scenario would be more worrying in terms of privacy if Google/Apple didn't introduce this protocol extension. They are essentially forcing the b) group to adapt something sensible. Another positive is that this seems limited to the OS level, whereas both have more extensive infrastructure they could have pushed for but intentionally did not.

tl;dr: I think it is a beneficial proposal and well placed, the alternative would likely be worse for the user base.


This functionality is already live in Find My iPhone. iPhones are performing these associations already. The bigger change is Android joining and sharing the data with researchers.


The proposed technology is quite different from a service that located located devices. Rather, it would track what devices have been in proximity of each other, and not necessarily where.


I was speaking to the question of whether governments would then demand access to the data. They could force Apple and the Telcos to turn over the data they are already collecting pre-corona. I was just saying that that risk isn't new.


>I was just saying that that risk isn't new.

every new method of geo-tracking is a new risk because it provides yet another hole for politicians to legally exploit into a privacy concern.

Speaking about the US -- GPS and tower-tracking pose many of the same risks, but since the legal mandates were discussed at different parts in history, their legal allowed uses are different from one another.

If yet another geo-tracking capability comes online that just allows legislators to put forward legislation that will allow them to abuse that specific technology rather than the previous ones that allow them the same access, but were mandated more responsibly.

In other words : each new law has to be inspected from so many angles that eventually the angles will exceed the inspection ability, and our privacy will dwindle without much argument as we'll be unable to modify legislation quickly enough to keep up with tracking technologies; this seems to be on purpose and being abused actively in the United States.


it doesn't track which phones are next to each other, just identifiers it has seen. Those identifiers roll frequently, and the material to find contact only occurs if a person chooses to publish that information, and all that information does is say what their keys were.

Determining if you were in the vicinity is also done on device - you get a list of all the day keys from a person who has chosen to share that information, then from that you can create all the keys they would have used in that period, and see if your device has ever seen one of those keys. Presumably if it finds a match the device/app would post a "you should get tested" message.


You do know that there also is a Find My Device service for Android that runs on all Android phones?


This is very different than what you think when you hear "find my iPhone|Android". Iirc the find my iPhone tech does phone to phone association to identify the location.

See: https://www.wired.com/story/apple-find-my-cryptography-bluet...


This technology which has been announced but not released would, as your link states, ‘let you track down your stolen laptop, but not let anyone track you. Not even Apple.’ What issue do you have with that?


I have nothing against it :-) I was stating that what they were describing is nothing like what was implemented.


It'll be opt-in until an HN headline says it's not and then there are subsequent "post mortem" articles from Google with a bunch of PR gibberish saying "whoops it was an engineering mistake", by which point everyone's become acclimated to their technological presence.


There is surprisingly little discussion about the actual spec here. It looks really good to me!

- Advertisements change every 15 minutes, are not trackable unless keys are shared.

- The only central bit is a repository of "infected" daily keys.

- No knowledge about contacts is shared with a central authority.

Nothing is shared unless you are infected and decide to share your keys, which are only valid for one day. I don't see how you could have a real argument against this unless you are a privacy extremist. It also seems more privacy friendly than the Singapore or German apps.


In widely distributed and important spec like this it may be useful to look for what is conspicuously absent or unstated, rather than simply reading the precise positive language.

To my mind this phrase under 'Privacy Considerations' in the Cryptography Specification stands out:

"A server operator implementing this protocol does not learn who users have been in proximity with or users’ location unless it also has the unlikely capability to scan advertisements from users who recently reported Diagnosis Keys."

That phrase explicitly mentions that server operators cannot learn about user proximities.

What I reckon may be unstated there is that it could be possible for adversaries with sidechannel / network monitoring capability to learn those kind of details about users (i.e. internet, cell data, and other data network operators).

If such a side door did exist, it would seem in the public interest to be aware of the scope of the availability of that data, especially given the potential (physical, social) vulnerability and risk of those users.

I'd also like to be proven wrong about the possibility of such sidechannel attacks by anyone who understands the spec in more detail.

[1] - https://covid19-static.cdn-apple.com/applications/covid19/cu...


The approach outlined by Apple and Google is very similar to, and likely based on, the TCN protocol developed by a coalition of open source projects. If you'd like to discuss possible vulnerabilities and propose further improvements, there's an active community already doing that who would be happy to have one more contributor. :-)

https://tcn-coalition.org/


Thank you, I'll take a look into TCN and the protocol.

Do you know whether TCN have worked with and/or compared notes with OpenTrace[1]?

[1] - https://github.com/OpenTrace-Community


I’m part of the CoEpi project, one of the member projects of the TCN Coalition. I see that some of my teammates are searching through the OpenTrace code to see if anything there is worth taking, such as their device-specific bluetooth range calibrations. I don’t think there’s been any two-way communication between these teams.


The projects I've seen inside of TCN seem aware of OpenTrace and the code / data they put out over the last few days, not sure if direct contacts exist yet.


> I don't see how you could have a real argument against this unless you are a privacy extremist.

The authors of DP-3T (which seems quite similar to this spec) have a huge list of privacy caveats in their whitepaper [1], in section "5.4 Summary of centralised/decentralised design trade-offs".

I haven't seen any analysis on how the Apple/Google spec prevents those problems.

[1] https://github.com/DP-3T/documents/raw/master/DP3T%20White%2...


The Apple/Google design drops this DP-3T requirement:

2) Enable epidemiologists to analyse the spread of SARS-CoV-2

So anything in that table with epidemiologists is gone.

The remaining caveats are pretty boring:

To do so, the attacker uses strategically placed Bluetooth receivers and recording devices to receive EphIDs. The app’s Bluetooth broadcasts of non-infected people and infected people outside the infectious window remain unlinkable.

...

On the other end, a proactive tech-savvy person can abuse any proximity tracing mechanism to narrow down the group of individuals they have been in contact with to infected individuals. To do so they must, 1) they keep a detailed log of who they saw when. 2) they register many accounts in the proximity tracing system, and use each account for proximity tracing during a short time window. When one of these accounts is notified, the attacker can link the account identifier back to the time-window in which the contact with an infected individual occurred.

So, yeah, these vulnerabilities still exist and have been pointed out on this thread... but I find it hard to care about these at all.


> The app’s Bluetooth broadcasts of non-infected people and infected people outside the infectious window remain unlinkable.

The group of non-infected people is getting smaller and smaller. The infectious window is presumably weeks long (times the number of diseases this system will track). These risks don't seem that easy to downplay, even before we get into the "security concerns" section.


One issue I see is that when I query the central repository of infected IDs I expose to the central server the IDs I've been in contact with (unless I always download all of them, but that doesn't seem feasible).

It seems like this could be solved by providing a K-anonymous query interface like the one exposed by Have I Been Pwned. I wrote to the contact email address of Pepp-Py, which is a European initiative do develop a system that seems pretty much the same as this, suggesting this, but I got no answer (not that I was really expecting one).


Ah you mentioned the HIBP example, although for this search space you may be able to get by with just a download of all of them. If you stick to, say, state by state sharding, you get around 30 MB of hashes for the worst case (NYC).

If you further reduce that by only providing new confirmed hashes since a timestamp, the client can track when they last downloaded the data and pull only the delta, you end up with a few MB a day, which compares quite well to say, a video call.


Geographical based sharding seems to break down once people travel though. Just a single visit to a hub airport might have gotten you in contact with people form all around the world (I assume that the objective of this initiative is to try and get us at least part way back to normal). Even if you don't travel, but other people are, you will be in contact with people who are registered as infected in a different region.

Also I don't think NYC is at all the worst case in the world, there are a lot of megacities that dwarf it in size...


You could still have geo sharding if the device also saved the location locally and shared the diagnosis for every zone it’s been in / downloaded the data for all zones. Ofc that would mean more data to process for travelers but it should still be way less than the data of the entire globe.


You have to download the entire database. The check is done inside the framework, recorded ids are not exposed to the frontend apps.


I think it has a flaw: if you find out you are infected mid-day, then if you reveal your key for the day others can impersonate you for the rest of the day, and if you don't those who you had contact with in the first part of the day won't be notified.

So my suggestion for a minimal fix would be to also reveal all advertised rolling IDs for the current day in addition to the keys for the past days.

A better fix would be to generate ID in a hierarchical fashion from the daily keys with power-of-two-length time slots, so that you only need to share O(d + log(n)) values where d is the number of days and n is the number of subdivisions in a day.

Another potential fix is to use public-key cryptography and only reveal the daily public keys; however, this requires twice as large IDs and matching requires to try to decrypt/signature-check all received IDs instead of being able to generate and lookup.


Your suggestions don't seem different from what the spec already describes. Tests are not immediate and the incubation period of the disease dictates that you have to share multiple diagnosis keys (days) of infected persons anyway. You don't have to share timeslots within a day, they can be derived from the daily key. Impersonation risk is unlikely, whatever health authority applies can just invalidate all newly identified keys from generating new contacts, preventing replay attacks derived from known infected with simple and coarse timestamps.


A simple solution using virus properties would be to just delay the release of the last id. It takes a while before the viral load inside someone becomes high enough to be infectious, so there is no significant harm in the last id being delayed by 24h in the worst case.


Now people who simply care about privacy are “extremist”

Perfect way to begin marginalizing people who care for privacy


Which part of the spec do you think people who care about privacy will object to? I agree with you that this is a poor choice of wording but I think your interpretation is uncharitable.

I think this is a very innovative solution that enables contact reporting without knowing location or personal details at all, and its exclusively opt-in.

I see some people arguing that "yes but it could be subverted" but this isn't a really good place to begin if you just want to monitor people and know who is talking to who, there are much better ways to do that already available.


Could someone smarter than me ELI5 how devices are able to "re-derive the sequence of Rolling Proximity Identifiers" of the infected?

I know that the RPI is derived from the daily key + TimeIntervalNumber. But these devices should only be receiving the daily keys + the current day.

Everything else about the spec is pretty easy to follow and gets my a-okay.


Think of the daily key as the seed to a random number generator. If two people pass the same seed into the same random number generator, they can generate the same list of 500 random numbers. This provides a compact way for someone to say: "I just learned that I was infected. These are the 500 identifiers I broadcast on that day. If you recognize one of them, then you might also be infected."

https://tcn-coalition.org/


I understand that aspect of it; I'm just confused as to how only having the daily key is enough to generate the identifiers. Wouldn't they also need the TimeIntervalNumber, according to the function?


If each phone generated 500 numbers per day, then TimeIntervalNumber is a number in the range of 1...500. So generate 500 codes using all of the numbers in that range. If any of those 500 codes match one of the codes that you actually saw in the wild, then you were near that person.


Thanks! I actually brainstormed with a friend later that day on how it'd work and we finally came to a similar conclusion.

According to the spec, the phone only generates a new identifier when the MAC address changes or on a new day. But since it's generated in accordance to a 10-minute time window, that means you'd try to derive their key with all 144 possible time windows for that day. And if you find one of those ID's in your list of contacts, then you know you were in contact with someone infected.


This is huge. A limiting factor has been iOS not being able to (on purpose, for privacy, and battery life) do BLE scanning (edit: or advertising, thanks Slartie) in the background. I imagine this will enable that for specific apps, and I have high confidence privacy will be well-implemented by Apple's involvement (edit: see tastroder's comment for technical docs). Having a single, well-designed spec for Bluetooth advertisement will prevent a world where there are different contact tracing apps, none of which can see each other. Doing this at the platform level will enable enough density of installs to make this effective at scale.


The even bigger obstacle was apps not being able to broadcast beacon signals while they are in background. You could devise workarounds for the scanning problems, but this particular problem of having to be able to continuously advertise your beacon signals did not have a workaround AFAIK. The "workaround" was requiring people to have the tracing app active in foreground all the time, which obviously sucks from a UX perspective and means nobody will do it.

That's why this involvement is really huge and welcome! And besides clearing out existing arbitrary API limitations, Apple's involvement in potential protocol design for such tracing technology is a welcome addition in my view as well, because in contrast to Google, Apple at least earned a modicum of trust when it comes to putting the privacy interests of their customers first.


Also excited because they can likely push both advertisement and scanning into the BLE chips themselves, letting the rest of the system (CPU, etc) sleep. Big win for battery life.


You can, in fact, do BLE scans in the background on iOS. It's tricky and requires some workarounds, like basically everything related to background tasks in iOS.

Source: Providing apps with that functionality.


Which workaround you use?


While background scanning is limited you can key off iBeacon devices via the location framework. This allows your app to wake up when certain devices are near.


Thinking this might be different. I've been curious what the BLE packet structure might look like. Looks like there's 16 bytes of unique id needed for the "Rolling Proximity Identifier" in the spec. Typically iBeacon would have 16 bytes of unchanging UUID, and 4 bytes that can change: https://support.kontakt.io/hc/en-gb/articles/201492492-iBeac....

Could probably flip it to be a 4 byte prefix (to identify this packet for contact tracing), followed by 16 bytes of the Rolling Proximity Identifier, but not sure if the underlying hardware (the BLE chips) can do low-power matching on a pattern like that. Something only Apple and Google could make work, so this is exciting.

(Or, it could be iBeacon to wake, then making a connection to fetch the Rolling Proximity Identifier. Though, in my experience, not requiring a connection will be more reliable in practice, especially for Android.)


Exactly, this is an important narrative. I've read the spec and I'm really positive (hmm). This could be a game-changer for dealing with the pandemic in a systematic way.


Of course you can do BLE scanning in the background on iOS. It works much better than Android and is very reliable.


they're short term ids, setup to explicitly prevent linking to any other hardware characteristics, etc


Am i the only one who thinks it's mindblowing that people use Facebook, Instagram, Linkedin, etc. however now that Apple + Google release a tool to prevent thousands of people from dying in a pandemic they start thinking/complaining about the possible privacy implications? (without even having read the specs or knowing the details...)


How many people complaining in this thread use or don't use Facebook, Instagram and Linkedin? Unless you actually know then it seems like you've contrived a group of hypothetical hypocrite 'complainers' to complain against.


I only use LinkedIn and when I do, I use it in a container so it can't spread its cookies.

LinkedIn is pretty mild anyway in contrary to anything Facebook with their tracking pixels. And unfortunately you can't really do without LinkedIn if you want a job in IT.


And Whatsapp.

And how many people not having already their various metadata collected by Google and not having anything on the Apple servers?


> Am i the only one who thinks it's mindblowing that people use Facebook, Instagram, Linkedin, etc. however now that Apple + Google release a tool to prevent thousands of people from dying in a pandemic they start thinking/complaining about the possible privacy implications?

No. Where have you been? People complain about facebook, instagram, linkedin, etc all the time and encourage others to stop using it all the time.

What is mindblowing is the amount of worship for Apple here and the amount of support this has. And preventing "thousands of people from dying" is no excuse for this because we know this has nothing to do with preventing deaths.

The amount of love that Apple, Microsoft, etc has on every apple/microsoft thread is a tad bit suspect in my opinion.

> (without even having read the specs or knowing the details...)

Why would the specs or details matter? It's a matter of principle.

"People might die" so we need to spy/monitor/track you is a very north korean mindset. But then again, they also use an existential fear ( US invasion ) to enforce complaince amongst their population.


Agreed. Majority of people have their location history, chats, emails, browsing history, etc. saved on the cloud. This Bluetooth tracker is a complete privacy nothingburger.


This is dangerously close to Feinstein's "think of the children" argument.

If people complain about EARN IT, they should investigate privacy implications of this "enhanced" tracking technology.


Yes, they should investigate. But they should investigate before reaching a conclusion.


it's explicitly not a tracking technology.


I for one use neither Facebook Instagram not LinkedIn.

The reason why I worry so much about privacy details is because it can be implemented in a way that respects privacy. If it doesn't, then that is highly suspicious and doubly unfortunate given the circumstances.

But if it is implemented right then I will use it. And thankfully, it seems to be implemented right, so if that holds I will use it and try to convince other people to do so as well.


Most people probably uploaded their contact list to WhatsApp without thinking about it twice.


People aren't being forcefully sharing their health status via FB, IG, etc. Imagine if Facebook published if you had an STD to your friends.


Given the number of deaths caused by STDs, it is perhaps justifiable for such data to be shared in the same fashion as one's Covid-19 status, assuming the sharing of the latter is justified.


COVID is unlikely dramatically more deadly than the flu, so the question is, if you're okay sharing your health data over COVID, why not the flu? It kills 650,000 people (60,000 Americans) every single year. The reality is widespread panic moments are when we lose our civil rights.

Remember 9/11? That year more people died slipping and falling in the shower than died in the twin towers. More people died because they chose to drive short distances instead of flying than died in the twin towers. And we got the Patriot act and a trillion dollar war. Humans have a way of overreacting.


> It kills 650,000 people (60,000 Americans) every single year.

That's over a ~6 month season. If you average that out it's 10k per month. We'll have 20k dead tomorrow from covid and it hasn't even peaked yet. This is with extreme lockdown measures implemented. How much worse would those numbers be if everyone was going about their business as usual the way they do the flu?


Well, a study of a German town showed 15% are already immune/have had it and a mortality rate of 0.37% vs the flu at 0.1%. [1] If you run the numbers and project that onto the US population we'd see an incremental 600K deaths this year. Unlike the flu, which mutates aggressively and recurs, we haven't seen much mutation of COVID. That means, unlike the flu which will kill 60K next year, and the following and so on, this will kill 600K once. [2]

So, my answer to your question, is an incremental 600K once. Although given those numbers are averaged and the impact is 100X worse for the elderly than the young, I question whether these would be incremental deaths at all.

In Italy the average dead its 80.5 years old with 3 underlying conditions. If COVID hadn't taken them, the flu may well have. One study showed a case fatality rate of 10% in the over-75s for H1N1.

Ideally, we'd isolate them, and let everyone else out like the Swedes.

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...

[2] https://www.washingtonpost.com/health/the-coronavirus-isnt-m...


> Well, a study of a German town showed 15% are already immune/have had it and a mortality rate of 0.37% vs the flu at 0.1%

You are comparing apples to oranges and calling it grapes.

It is 0.37% infection fatality rate (including clinically non-significant cases) vs flu 0.1% case fatality rate (from clinically significant cases). case fatality rate for covid-19 is much higher (say 2 % in Germany). Note that these are fatality rates, not mortality rates.

Second factor is that population has no imunity to SARS-CoV-2, while has some immunity to flu strains. Which means much more infected and therefore higher mortality rate even with the same fatality rates.

Overall, it seems to me that without any precautions it would be 10x-25x higher overal mortality (say 0.2 %) than seasonal influenza (say 0.01-0.02 %). Not great, not terrible.


Influenza's 0.1% isn't from clinically significant cases.

Influenza is 0.1% from estimated total cases.

Here's the CDC's preliminary in-season influenza report for this year, showing 39,000,000 - 56,000,000 estimated cases, 18,000,000 - 26,000,000 medical visits, and ultimately 24,000-62-000 deaths (0.061% - 0.1107%)

https://www.cdc.gov/flu/about/burden/preliminary-in-season-e...

These preliminary estimates are roughly in line with recent years.


Well, the link says 39-56 M illnesses, which means symptomatic infections (although some of them may be not diagnosed by doctor), while the 0.37% for covid-19 is just number of seroconversions (including asymptomatic infections, which are not considered illness), so not a comparable number.

With 39M-56M estimated cases, 24k-62k deaths and 330M population, you have 0.06%-0.11% fatality rate and 0.007%-0.018% mortality rate.


Less than 40% of cases result in any visit to a medical professional (# medical visits is about 0.4-0.5 of # cases, but some people will need >1 medical visit)


Your citation says nothing about mutations, yet it’s placement seems to indicate that is included.


@deanBlunt my bad, updated.


I'm not sure where you get the source the covid19 is no deadlier than the flu as that seems to be thoroughly debunked at this point


It's worse, about 3.7X worse according to the latest data, with impact massively skewed towards the older (100X more lethal to them than to a 20-40 year old).


It's more than reasonable to be suspicious of big tech companies, especially the ones residing in Silicon Valley. They haven't earned people's trust and that is the outcome. Just like you would be skeptical of Chinese communist party releasing app promising to help the world with covid19.


1) Covid19 was largely dangerous for old people cumulatting other comorbidities, mostly retired people. 2) Old people don't move that much and don't meet that many other people.

It leads me to believe that the proposed loss of privacy isn't the best way to fight a virus such as a flu


1. It's old people AND people with comorbidities, which is a ton of people.

2. Lots of old people, which for Covid is about 65, still work full time jobs. Some of them fly every week. These aren't 95+ year olds.

3. I'm sure people of all ages think their life is very valuable, and very few people consider themselves candidates for sacrifice. Certainly not for privacy concerns.

4. 10x deadlier than the flu.


> 3. I'm sure people of all ages think their life is very valuable, and very few people consider themselves candidates for sacrifice. Certainly not for privacy concerns.

This guy also brought us, “childfuckers bad, no crypto for you”.

And don’t forget, “Arab scary, we track your emails”


4. And there's no preexisting immunity, unlike with the seasonal flu. Left unchecked, CoVID-19 will infect a much larger share of the population than flu.


That's not actually true. The seasonal flu affects 45,000,000 americans every year, and in part because it (a) mutates and (b) there's a huge number of strains, and different ones are dominant in different years. The flu shot is not particularly effective for those reasons (19-60% depending on the year).

COVID however, does not mutate, or has not yet. This means herd immunity is on the table, and so is a ~100% reliable vaccine -- like MMR, not like flu shot.


It is true. A substantial fraction of the population is immune to the circulating seasonal flu, both through vaccination and previous infection with closely related strains.

Only 5-20% of the population gets the flu each year. 60-70% of the population would have to get CoVID-19 before herd immunity brought the reproductive number below 1.


That doesn't make what I'm saying un-true. 20% of the population getting it is enourmous and demonstrates that the effect of herd immunity on the flu is negligible. At 20% infection rate annually after a few years, everyone's had it. But due to the virus propensity to mutate, we don't see herd immunity for the flu. Each new strain resets the counters.

We would see it for COVID. And chances are 15% of us have already had it according to the Gangelt survey.


Without pre-existing immunity, a much larger fraction of the population would get flu each year. That's one of the primary reasons why people worry about pandemic flu, as opposed to the regular seasonal flu. An entirely new strain has the potential to infect a much larger share of the population than the regular seasonal flu, precisely because there's no pre-existing immunity.

> chances are 15% of us have already had it according to the Gangelt survey.

No, that's a completely unfounded conclusion to draw from that study. Gangelt was chosen precisely because it was an extremely hard-hit town. Researchers wanted wanted good statistics, so they went to the place that has the largest case density. There was an early superspreading event in Gangelt, during Carnival celebrations back in February. Hundreds of people came into close contact with a known infected person. The population of the town is only 12,000 to begin with.


1. It's old people AND people with comorbidities, which is a ton of people.

Yep, and they should shelter in place. Nobody else should.

2. Lots of old people, which for Covid is about 65, still work full time jobs. Some of them fly every week. These aren't 95+ year olds.

Yep, and they should shelter in place, because they're in a risk category.

3. I'm sure people of all ages think their life is very valuable, and very few people consider themselves candidates for sacrifice. Certainly not for privacy concerns.

That's an unfortunate way of looking at this. The reality is everything we do in life involves risk. There's risk of harm in shutting down the economy, and there's risk of harm in opening the doors. The lifetime risk of death being involved in a car accident is 1%. The lifetime risk of dying of an opioid overdose is 2%. COVID is much lower than both. Locked inside domestic violence is up, alcoholism is up -- liquor stores are considered essential so alcoholics won't come in to hospital due to withdrawal.

What we do know is if we lock things down, then one person flies in from a foreign country with the disease the whole thing starts over. Hiding inside is not a sustainable strategy.

Which is why Sweden remains open for business. And you know what? They're doing just fine [1].

4. 10x deadlier than the flu.

It is not. We do not know how deadly it is, all we know is that of people who go to the hospital (implying that they're showing serious symptoms) between 0% and 9% of people, depending on their age and comorbidities, die.

That's adverse selection sampling bias. Studies show there's huge, huge quantities of people who either show no symptoms at all (which is the thing that makes this disease a challenge) or exhibit mild flu-like symptoms.

The numbers we're seeing are an upper-bound, by an order of magnitude. It's likely in line with the flu, although we should consider in line with the flu is bad -- it kills 650,000 people each and every year we've been alive.

It's also much harder to immunize against the flu (19-60% effective) due to its propensity to mutate and the huge number of strains that show up each season, with different ones being dominant each year.

On the other hand, COVID does not mutate -- or has not yet.

[1] https://www.forbes.com/sites/jamesasquith/2020/04/04/no-lock...


1. A healthy 30 something has an IFR of something like 0.1%. Doesn't justify a lockdown for a year; does for a couple months.

3. Sweden has experienced over 500 covid deaths in a week. That's a 30% excess death rate. Hardly "fine".

4. I see little evidence it is in line with the flu, unless you are talking about historically deadly flus, not seasonal ones. Flu would not have killed 1.5% of the Diamond Princess population that was infected. 0.7% IFR seems about right (Diamond Princess, Iceland, etc. suggest around this) and that's >7x bad seasonal flu years.


> A healthy 30 something has an IFR of something like 0.1%. Doesn't justify a lockdown for a year; does for a couple months.

It's not 0.1% for a 30-something. The Gangelt survey showed a total population fatality rate of 0.37%, and so far the CFR has ranged from 0% in children to 0.1% for 30-somethings to 15% for 85 year olds.

The Gangelt survey showed 0.37% actual vs. a CFR of 2% overall in Germany so we can divide the CFR for each age group likely by 10. It's probably close to 0.01% for a healthy 30-something.

> Sweden has experienced over 500 covid deaths in a week. That's a 30% excess death rate. Hardly "fine".

It ... is fine, when you take into account that they're never going to get it again, whereas every other country in the world is vulnerable to a single person showing up and re-starting the entire process for everyone. It's not this lockdown I'm worried about it's the next one, when a single person shows up in downtown NYC and we're right back at it again.

Hiding inside is not solving the problem because it's an incredibly infectious disease. Unless you can lock down every single person in the entire world for the entire duration, it will fail.

> I see little evidence it is in line with the flu, unless you are talking about historically deadly flus, not seasonal ones. Flu would not have killed 1.5% of the Diamond Princess population that was infected. 0.7% IFR seems about right (Diamond Princess, Iceland, etc. suggest around this) and that's >7x bad seasonal flu years.

The Gangelt survey showed 0.37% vs the flu at 0.1%. It's worse, I've long maintained it's worse, but it's not massively worse. Certainly not stop-the-world worse. [1]

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...


(It's currently (among other points) debated how well the tests used for the Gangelt survey can tell SARS-CoV-2 from other coronaviruses, and given how little they've published unclear how they corrected for that. Hopefully they'll release more info soon, but lots of experts are skeptical of this specific study, they might very well have classified a bunch of folks that had a cold as "corona")


We have to be pretty careful about demographic adjustments. Does the town surveyed have any nursing homes or hospitals? If not, that'll drastically drop the death rate.

By my napkin math, you get to about a 2-fold difference which explains the 0.37% vs. 0.7% numbers. But remember the flu 0.1% also includes those highly susceptible people.


Heh, the delta is likely because: (1) Iceland has had 6 deaths so it's way, way too early to draw any conclusions from Iceland and (2) everyone onboard the Diamond Princess was onboard a cruise ship, and cruises tend to skew old. The median age of passengers was 69. That age group is affected ~100X harder than young folks (9% CFR vs 0.1% CFR) [1]. If you've got more data to back 0.7% please do share but I've found none compelling so far.

Although for what it's worth Iceland is showing 6 deaths and 1600 confirmed cases for a fatality rate of --- wait for it --- 0.35%.

[1] https://www.cdc.gov/mmwr/volumes/69/wr/mm6912e3.htm#T1_down


My numbers generally comes from https://www.thelancet.com/journals/laninf/article/PIIS1473-3....

That paper would give about 3% for a 70 year old. But remember that cruise passengers are healthy enough to be on cruises. 1.5% death rate seems about reasonable when you correct for that (again, this is where you might see that 2x difference).

Iceland has a considerable number of unresovled cases. Whether you use 7 deaths out of 751 recovered, or 20% hospitalization death rate, you get somewhere on the order of 0.9% CFR.


This is all case data, not population studies. The Gangelt study is different because they tested the entire population and not just people walking into hospitals. They found the CFR in Germany (2%) was roughly 10X higher than the actual mortality rate in town.

The CFR is always going to suffer from adverse selection bias at this stage because they're only including people sick enough to walk into a hospital, and not folks who were asymptomatic, and not folks who got mild symptoms and didn't tell anyone. That's going to be basically every young person. Only the old end up in hospital and they're dramatically worse hit.

Population studies are not directly comparable. A global CFR of 1.5-2.5% sounds right, but that doesn't mean that's a mortality rate. The mortality rate is closer to 0.37% based on the population study I cited.

You seem to be arbitrarily multiplying and dividing CFR by 2 to fit a narrative. I'd love to see other population data but I think this was the first and only study, which is why the numbers are much different than you're citing.


Does the town have any nursing homes? Those are accounting for a large percent of deaths in the United States. (Around 20% in California). If a small town has already shipped its least healthy population away, its IFR will look lower.


The ratio of asymptomatic to symptomatic people has been measured, and it's not nearly as high as you're saying. China has been quarantining and testing every single person entering the country, and they find that 2/3rds of cases are asymptomatic.

Moreover, Germany has conducted a randomized serological survey of the population of one town where there was a large outbreak, and determined that the true mortality rate was about 0.4%, which is an order of magnitude higher than mortality due to the flu. That's the mortality if there's excellent healthcare and the system isn't overwhelmed. Mortality will also depend on the age structure of the population, rates of obesity and smoking, etc.

Because a large fraction of the population is immune to the seasonal flu (both through vaccination and previous infection), far fewer people contract it than would contract CoVID-19 in an uncontrolled epidemic.

The combination of a much larger rate of infection than the flu and far higher mortality means that CoVID-19 would kill orders of magnitude more people in one year.


> Moreover, Germany has conducted a randomized serological survey of the population of one town where there was a large outbreak...

1. Results showed 0.37% mortality rate, which is an order of magnitude lower than the fatality rates being published, which is what I claimed -- so I re-iterate: "The numbers we're seeing are an upper-bound, by an order of magnitude." [1]

2. 14% of their town has had it already. [1]

3. That 0.37% rate includes all the old and at-risk folks which I was already suggesting we isolate. Since we know the fatality rate for them is 9% in hospital vs 0.1%, I'd suggest that the actual mortality rate of my plan would be incredibly low. [1] We don't know the demographic distribution of the town, and we do know that the disease is incredibly age-dependent so it's hard to project that onto the population.

Either way the flu is 0.1% so this isn't 10X worse, it's 3.7X worse. At most.

4. The study shows 15% of them are already immune to COVID.

[edit] I found the data [2]. Out of a population of 12,000, 6500 of them are in a risk group (over 45). So 55% of town. This needs to be projected onto the world population factoring into account non-linear risk response.

> Because a large fraction of the population is immune to the seasonal flu (both through vaccination and previous infection), far fewer people contract it than would contract CoVID-19 in an uncontrolled epidemic.

I don't think they are. The flu mutates regularly, and there's a ton of strains. Vaccinations are only 19-60% effective depending on the year. This is evidenced by the 650,000 worldwide deaths (60,000 US) and the 45,000,000 US cases of the flu each year.

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...

[2] https://www.citypopulation.de/en/germany/nordrheinwestfalen/...


> The flu mutates regularly, and there's a ton of strains.

... which a substantial fraction of the population is immune to. Only 5-20% of the population gets the flu each year. CoVID-19 will infect 60-70% of the population, at a minimum, unless measures are taken to contain its spread.

> Results showed 0.37% mortality rate, which is an order of magnitude lower than the fatality rates being published

I've seen most people assuming a mortality around 1%, which is not that far off from these results. In Italy, 1% may well be correct, given how the healthcare system was overwhelmed there.

> I'd suggest that the actual mortality rate of my plan would be incredibly low.

If you can successfully shield the entire at-risk population, which easily approaches half the population of many countries. Once you add up old people, obese people, people with diabetes, smokers, people with heart conditions, and all the other at-risk groups, you come to a sizeable fraction of the total population. Trying to shield those people while the virus infects most of the rest of the population sounds incredibly risky to me. It's not even obvious that you can achieve natural herd immunity without at-risk people getting sick, because you need 60-70% of the population to get sick.

Overall, I don't understand the motivation behind such a risky plan. Why not just go through a 6-week period of lockdown, and then control the epidemic afterwards with extensive testing, good contact tracing and social distancing measures? Countries other than the US appear to be successfully implementing this strategy. Some, such as South Korea, were acted competently enough that they didn't even require the lockdown phase.


> Only 5-20% of the population gets the flu each year.

Only 20% of America is 70,000,000 people. That's staggering. The economic impact of the flu is enormous.

> I've seen most people assuming a mortality around 1%, which is not that far off from these results. In Italy, 1% may well be correct, given how the healthcare system was overwhelmed there.

It may be 1% in Italy because the population of Lombardy was overwhelmingly old, and overwhelmingly sick. The average age of death in Italy was 80.5 and the average number of underlying medical conditions was three.


> may be 1% in Italy because the population of Lombardy was overwhelmingly old

Multiple official sources in Italy estimate that the real number of infected is 10 times the reported one. This explains the high dead rate.


> Only 20% of America is 70,000,000 people. That's staggering.

So imagine 4x as many people getting infected with a virus that is many times as lethal.

> It may be 1% in Italy because the population of Lombardy was overwhelmingly old, and overwhelmingly sick.

And the US has other problems, such as obesity. But the mortality will be much higher wherever the virus overwhelms healthcare systems. As we've seen, that can happen very quickly.


If we, again, assume that 15% of the US has already had it (as in Gangelt), and that herd immunity kicks in at 60-70%, that means we'd expect to see another 45-55% of the population -- 147-179 million cases. If we actually isolate the vulnerable, basically nobody would die.


That would be an incorrect assumption. The Gangelt study is about one small town in Germany where there was a known superspreading event at the Carnival festival.

If 15% of the US had already been infected, then based on the Gangelt study, there would be 200 thousand deaths, and millions hospitalized with severe illness.

You're completely misreading the Gangelt study.


> The lifetime risk of death being involved in a car accident is 1%.

You're off by a factor of 100. It's .01%.

> The lifetime risk of dying of an opioid overdose is 2%.

For who? Someone who uses opioids? Maybe, on average, again you're off by a factor of 100 or more.

> We do not know how deadly it is, all we know is that of people who go to the hospital

No, of people who test positive, which includes people with relatively mild symptoms that don't go to the hospital, but had reason or ability to get tested.

South Korea is probably the best current testbed here, they had very widespread testing and they've had very, very slow growth recently so the CFR numbers are probably relatively accurate. They see a 3% CFR.

> Which is why Sweden remains open for business. And you know what? They're doing just fine [1].

Normalized by population, Sweden has seen more deaths and more infections than California, by about 50%, and it will likely continue to grow at a similar rate. The problem with exponential growth is that things look like they're doing just fine until suddenly they aren't and there's no way to fix things.


> You're off by a factor of 100. It's .01%.

> For who? Someone who uses opioids? Maybe, on average, again you're off by a factor of 100 or more.

No, lol, it's not. Those are averages across the US population. Your lifetime odds in the US of dying in an automotive accident is 1:103 [1].

I should have said accidental poisoning which is 1:64 [2] but half of that is actually opioids (1:96) so you're still more likely to die of an opioid overdose than being a party to a car accident. Most people don't set out to get hooked on Oxy, they get hurt or undergo surgery, are prescribed them, and that's that.

There's 40,000 deaths per year related to car accidents, which if you multiply out by the average lifetime (78.69 years) is right around 3.2 million, or 1%.

This is fair to compare against COVID because due to its extremely limited propensity for mutation, the COVID mortality rate does represent what approximates lifetime risk. (i.e. unlike the flu, you won't get it again).

> South Korea is probably the best current testbed here...

I argue the best testbed is the German study I cited where they actually tested... everyone. CFR is not mortality rate, its about an order of magnitude higher, again, I cited my data. And in my intuitive explanation that you're not factoring out adverse selection risk of only very sick people going to the hospital in the first place.

> Normalized by population, Sweden has seen more deaths and more infections than California.

Because everyone in California is inside. I'm sure they've seen an order of magnitude more flu deaths too because nothing spreads when you're inside. They're probably seeing infinitely more car accident deaths, too. Life's risky, and you're not comparing honestly.

[1] https://www.iii.org/fact-statistic/facts-statistics-mortalit...


> Your lifetime odds in the US of dying in an automotive accident is 1:103 [1].

No they're not. The lifetime odds for the average American are. For opioids as an example, as someone who doesn't use opioids, my lifetime odds of dying from an overdose are essentially nil. The distribution is bimodal.

> This is fair to compare against COVID because due to its extremely limited propensity for mutation, the COVID mortality rate does represent what approximates lifetime risk. (i.e. unlike the flu, you won't get it again).

You claim this with great certainty, but it hasn't been around long enough to know that it won't mutate in annoying ways.

Further, it's still not fair to compare that way. In the past 2 decades, we've had 4 or more dangerous flus that aren't seasonal (SARS, MERS, H1N1, H5N1, COVID-19). Of these, most weren't infectious enough to be super dangerous, but two were (H1N1, COVID-19), each of which killed at least 100K people worldwide, and COVID-19 is on the path to claim a million lives worldwide this year.

That's not a once-in-a-lifetime event, it's once a decade or even once every few years.

> I argue the best testbed is the German study I cited where they actually tested... everyone.

And the flaws in that study have been noted elsewhere. SK is a better testbed since they also tested huge swaths of people, even those not showing symptoms, and

> CFR is not mortality rate

The CFR of the flu is .1%, which would make COVID more contagious, and 30x more deadly. I'm not sure why the mortality rate matters since given the higher infection rate, COVID would have an even higher mortality rate.

> Life's risky, and you're not comparing honestly.

And the risk from COVID goes up if everyone catches it simultaneously. The CFR goes up even further if hospitals are overwhelmed.


> No they're not. The lifetime odds for the average American are. For opioids as an example, as someone who doesn't use opioids, my lifetime odds of dying from an overdose are essentially nil. The distribution is bimodal.

So now you accept that I wasn't off by 2 orders of magnitude, but are pedantically calling out that I wrote "your" even though I specifically wrote "Your lifetime odds in the US" -- which, if we're going to be entirely pedantic, applies to everyone on earth. Maybe look up your numbers and share them?

You're ignoring how people end up addicted to opioids. The shape of the distribution is both entirely irrelevant and you haven't cited your source.

This makes me think your goal is to win an argument instead of having a genuine discussion.

> You claim this with great certainty, but it hasn't been around long enough to know that it won't mutate in annoying ways.

I'm citing data from experts [1].

> ...we've had 4 or more dangerous flus that aren't seasonal (SARS, MERS, H1N1, H5N1, COVID-19).

SARS, MERS and COVID are not flu viruses, they're coronaviridae. H1N1 and H5N1 are mutations/subtypes of the Influenza A virus. The coronaviridae are different.

> And the flaws in that study have been noted elsewhere. SK is a better testbed since they also tested huge swaths of people, even those not showing symptoms...

SK has not tested huge swaths of the population, they've tested around 1%. [2] They may have tested more than most people, but that's not what you claimed. They've tested some not showing symptoms. Huge difference as compared to testing 100% of the population.

> The CFR of the flu is .1%, which would make COVID more contagious, and 30x more deadly.

The study I referenced mentioned 0.1% for the flu vs 0.37% for COVID. Feel free to read it. That would make it 3.7X not 30X. Because the flu has been around so long the fatality rates are largely determined by mathematical modeling, and are very close to the actual fatality rate. On the other hand, we're still figuring it out for COVID.

Yes, its is more contagious. Nobody's argued that.

> And the risk from COVID goes up if everyone catches it simultaneously. The CFR goes up even further if hospitals are overwhelmed.

Which is why, scroll back up, we isolate the vulnerable.

[1] https://www.washingtonpost.com/health/the-coronavirus-isnt-m...

[2] https://www.barrons.com/articles/south-korea-coronavirus-cov...


> So now you accept that I wasn't off by 2 orders of magnitude.

You're right, but it doesn't make the numbers you're citing any more relevant.

> SARS, MERS and COVID are not flu viruses, they're coronaviridae. H1N1 and H5N1 are mutations/subtypes of the Influenza A virus. The coronaviridae are different.

Who is being pedantic now? The point is that novel viruses are not a once in a lifetime occurrence, so you can't compare the risk of "COVID-19" to "lifetime death rate", since a new novel virus will come along in a few years. The danger is not covid-19 in particular, but novel viruses in general, and doing nothing would lead to a 1-year fatality rate for a novel virus on par with the lifetime danger of driving. Which means the lifetime danger of the virus is 20x or more the danger of driving. That's

> The study I referenced mentioned 0.1% for the flu vs 0.37% for COVID. Feel free to read it. That would make it 3.7X not 30X. Because the flu has been around so long the fatality rates are largely determined by mathematical modeling, and are very close to the actual fatality rate. On the other hand, we're still figuring it out for COVID.

Yes, but the CFR of the flu is well understood. The CFR of COVID-19 is not, and your entire argument is based on one study which is not conclusive, has had some flaws pointed out elsewhere in this thread, and generally doesn't match observed CFR elsewhere.

> Which is why, scroll back up, we isolate the vulnerable.

Which, ask any epidemiologist, doesn't work, since hospitals get overwhelmed anyway. The hospitalization rate of young people is still pretty high (maybe not quite 20% as it is for the overall population, but still more than 10%), they just don't die with reasonable care. There's a fair number of cases of healthy 20-something year olds who end up hospitalized for a week due or more due to COVID and need ventilators. Not to mention healthy something 40 year olds.

Even if you manage to perfectly isolate every at risk person, there's still a nontrivial risk of overwhelming ICUs anyway. And then the fatality rate among young people would go up as they couldn't get good care. And you're not going to perfectly isolate every at risk person. So the you have more young people hospitalized, more old people hospitalized, and well you're in a bad spot.

Or you end up expanding the definition of "at risk" to include "obese, heart disease, diabetes, or high blood pressure", and you've ended up essentially where we are now, with the majority of the US population in an "at risk" group.

> SK has not tested huge swaths of the population, they've tested around 1%

You realize that for population level statistics, that's fine. That means that 490000 tests have returned negative. If, as the Italians think, 10x as many people are infected, somehow there would need to exist 100K+ infected people, showing no symptoms, basically none of whom appeared in the 490000 negative samples. Such a probability is negligible. The sample sizes are large enough to remove the possibility.


Well, in the US for seasonal flu the deaths estimation [1] for this season are 24k-60k deaths, for covid19 is 60k-240k, where 60k is applying lockdown, not "everybody work normally". And obviously they are on top of the typical deaths.

[1] https://www.statnews.com/2020/04/09/its-difficult-to-grasp-t...


The German survey showed an actual fatality rate of 0.37% vs the flu at 0.1%. We know herd immunity is in the cards due to the lack of mutation of COVID, and that kicks in at 60-70% of the population.

The German study also suggested up to 15% of people may already have it, so we can further reduce this number (an incremental 45-55% of the population getting infected) -- So, if we run some simple arithmetic, we'll see the number of fatalities will be approximately 60-70K.

This is in line with the number of fatalities in a difficult flu season. The difference is because COVID does not mutate (or has not yet), this will be a one-off, one-time, one-year issue. The flu kills 60,000 each and every year. The Swedes have it right.

We can mitigate this by isolating the vulnerable.

So yes, we are, in fact, overreacting.

[EDIT] I wonder if this is in fact in excess of deaths we'd see anyways. I'd imagine an 80.5 year old with 3 underlying medical conditions (average in Italy of the dead) isn't just as vulnerable to a bad flu as they are to COVID, so if COVID takes them, the flu won't.

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...


Firstly, the German study analysed one small particularly hard hit town, so how you are extrapolating this to "people" in general is puzzling.

Secondly, there is a very wide range of reported fatality rates, with myriad factors known and unknown, so why you've chosen the lowest one globally (which, by the by, has always been an outlier and in any case is edging up past 1%) as the "actual" rate is, again, puzzling.

Finally, you are making a giant but unfortunately common logical error in using these already questionable death counts to make the case for an overreaction without attending to the obvious fact that without this "overreaction" every town, village and city on Earth would be Bergamo, where army lorries are conscripted to transport the dead from overwhelmed mortuaries, or worse.

Do better friendo.


> Finally, you are making a giant but unfortunately common logical error in using these already questionable death counts to make the case for an overreaction without attending to the obvious fact that without this "overreaction" every town, village and city on Earth would be Bergamo, where army lorries are conscripted to transport the dead from overwhelmed mortuaries, or worse.

Italy has the highest average age in Europe, and we know the virus is about 100X worse for people over 65 than it is for a 20 year old. Lombardy is the oldest region in the oldest country in Europe. The average age of the dead in Italy is 80.5 and has 3 underlying medical conditions. That's why it's so high there. I specifically called that out in the [EDIT].

I'd suggest doing some more reading.

The demographics in Gangelt skew older too, but otherwise they appear thoroughly average, and a totally reasonable representative sample. Especially as you yourself call out they were "particularly hard hit."


You don't see me claiming that the global death rate is 10% though, do you?


This actually isn't entirely on top of the typical deaths, as many of the folks dying of COVID are folks that were very likely to have died from their other underlying conditions anyway this year.

Especially now that we are counting all deaths in COVID-positive or presumed-positive individuals as COVID deaths regardless of cause of mortality.


The spike in mortality across northern Italy contradicts your claim that these people would have died anyways this year.


The estimate for the "no mitigation" scenario by the Imperial College is 2.2 million deaths [1] in the US. There is a large range of estimates that have come out since then to take into account the mitigation that has happened and how effective they have been. Lately things have been looking better but without some comprehensive contact tracing and isolation system we cannot "reopen" and drop those mitigations without moving back into the range of hundreds of thousands of casualties.

https://cleantechnica.com/2020/03/18/imperial-college-epidem...


That write-up was based on extremely early CFR data, with no population studies having been conducted at the time. Latest data is pointing to, as I called out, a fatality rate of 1/10th the CFR. This is especially true as we're counting anyone who tested positive for COVID as a COVID death, even if they were hit by a truck.


With a CFR of 0.4%, 1 million Americans would die.

Of course, if more than 200 million Americans came down with CoVID-19 in a short span of time, the health system would collapse.


Is that why they are digging mass graves in New York?


It could only work if everyone wear a phone. And then what's next? Forcing everyone by law to always wear a phone at all time?

I would rather see new phone sensors that scan the air, the breath and the body for diseases than a new tracking technology. We could also develop new medicines, etc. Not tracking.

Edit : we also don't have much knowledge about why the virus is more lethal for some people than others. We should focus effort at predicting who will be asymptomatic and who will develop complications, rather than trying to stop the virus from spreading by isolating people


The spec pdf looks a lot like the DP-3T protocol. The DP-3T docs have more explanation and a good discussion of privacy aspects.

https://github.com/DP-3T/documents

paper: https://github.com/DP-3T/documents/blob/master/DP3T%20White%...

data protection aspects: https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Da...

Here's an overview comparing that approach to some others (such as Singapore's tracetogether): https://github.com/vteague/contactTracing


They're not the same and I think Google/Apple's is a bit better. In DP3T the infected person shares a single daily key from which all future daily keys can be derived. In Google/Apple's each daily key is HKDF derived from a master key and they are not linkable. Infected people share the relevant daily keys from their infection period. THat's more data to push around, but it is better for privacy.

It means that contacts with infected persons can't be linked across days, and it means that I can't build an app that alerts me that someone who was previously infected just walked by.


> It means that contacts with infected persons can't be linked across days, and it means that I can't build an app that alerts me that someone who was previously infected just walked by.

Edit: This actually turns out to be correct, but your conclusion:

> It means that contacts with infected persons can't be linked across days, and it means that I can't build an app that alerts me that someone who was previously infected just walked by.

Is not possible, because every time secrets are made public, the secret key is reset.

[1] https://github.com/DP-3T/documents/blob/master/DP3T%20White%...


I see: SK_(t) = H(SK_(t-1)), where SK_(t) is the secret key for day t.

This seems to align with the statement that knowing the key for one day (i.e. once it is uploaded following diagnosis) allows one to derive all future keys. Is there another section I am missing?

Edit: clarified that daily keys are shared post-diagnosis, to trace prior contact.


Indeed, sorry. I was under the impression that every daily ratchet-key was independent, and only the inter-day keys were linked. The conclusion of your post still is not possible however. I edited my post.


GP is correct, but it doesn’t matter much. They were referring to daily key, not the EphID (RPI in the Apple/google spec).

DP3T specifies that SK _t = H( SK _{t-1} ). In that design, you share the daily key from when you started to become infectious, and then the subsequent ones can be computed. Then you go into quarantine, stop being infectious, and (see spec) create a new random daily key going forward (or delete the app).

In the A/G proposal, daily keys can’t be correlated, and you share the daily key for each day you were infectious.

The end result seems pretty much the same for me.


The difference is that you can continue tracking a person indefinitely, even after they are no longer infectious. It requires explicit user action to avoid that (opt-out vs opt-in).


If the DP3T app is implemented to spec and creates a new random daily key after the infectious period ends, no.

If the A/G app is not implemented to spec and keeps uploading daily keys even after the infectious period is over, yes.

So, dunno. A/G has a bit more privacy (maybe) for 5x more data volume than DP3T.


With the DP3T derivable day keys, you could identify that you were actually in contact with the same infected person multiple days.

If the server ships 14 * (# of people infected) every day to every user, instead of just (# of people infected) and have the client generate the 14 keys for each infected person, you would only be able to identify that you were in contact with an infected person. With the DP3T proposal, it looks like you can identify that you were around the same infected user multiple days, which might be slightly worse for privacy (in the sense that it would help you identify who you got it from).

But in either case, because the secret key is reset after being made public, it would not help you identify who was previously infected.


Check the second half of the DP3T white paper - the 'high cost' version does not do that, and unlike the Apple/Google version, allows you to redact more specific times of day you do not want to upload, for whatever reason. It is important to also weigh up these issues against daily bandwidth concerns for usability.


An interesting Twitter thread on why the stand-alone contact tracing apps that many others are building won't work, and why integrated platform solutions like this are necessary: https://twitter.com/zainy/status/1248482486524379137 (but of course, necessary does not mean sufficient)


Also, efficiency depends on how many persons can be tested. If it's 10000 a day, in my country, it's about 1/500 th of the population a day... If it's enough to test say 1/10 of the population to have some results, this will take 1-2 months...

I have the impression that all of this is forced upon us as to make us believe that it is safe to get back to work ASAP. Wouldn't it be better to just wait ? (I'm not interested in the economical debate : this will invariably lead to compromises such as how many victims can we afford to keep the economy going ? (nobody will tell it that way, but in the end that's the truth behind those arguments))


FWIW, I’ll “tell it that way”. I think it’s a interesting topic. And a real one manifest in our actions all the time. There is a real cost to life and trade offs.


I'd say that's the pragmatist versus idealist debate. I'm on the latter side :-)


Well if we were hanging out in person it’d be fun to hash this out :)


Yes. If ever there was the necessity for one standard that almost everyone uses, and not 20 competing incompatible ones, then here.


The argument is OK, but fails to mention fact that Singapore's TraceTogether and Stanford's Covid Watch are pursuing a common Bluetooth covid tracing standard that everyone can adopt. So you don't need mass adoption of a single app.


We worked on a project relating to TraceTogether. We could not get Android<>iOS interoperability to work well.


I've spent the last 3 weeks with my team building exactly this - contact tracing apps for both android and ios that use bluetooth tech[1]. This will probably require us to redo the app completely to fit into their API plans, but I'm glad they are, in a way, acknowledging our idea.

The troubling thing is, bluetooth-based contact tracing is in no way easy. Different android phones handle background bluetooth scanning / advertising differently and some tend to require additional config changes - such as disabling battery saving features - to even make it work. And iOS bluetooth advertising in background is just bad. Since u can't add custom UUIDs to the advertisement package, just advertising data is often not enough, so u have to connect too, which creates a range of other problems. I suspect they will release OS upgrades to solve some of these issues, but not all devices will be fixable (eg, older Android devices). This, combined with the fact that they will start rolling out this feature in May, makes me think it will not help us much for the latest wave of COVID-19 infections. Might come in handy for the next epidemic, though.

[1] - https://github.com/cryptekio/corridorapp-android


Do you think that GPS coordinates will be exposable with the API so that there can be public tracing maps online? Obviously a big privacy issue where the actual bluetooth ID and the person's identity have to be fully anonymized but if GPS coordinates of contact points can be exposed publicly, there can be good public tracing maps that can show where contact events are happening and in what numbers so that people can avoid certain areas (and on the other end where other areas are safe where there's no contact). This can publicly also be used to display R0 counts in different zip codes and geographic areas.


I dont see any mention of it in the current context of bluetooth device proximity tracing. It is possible, however, that apps that will build up on this API will also fetch location history separately from already established mechanisms on each OS.

As a matter of fact I see this as a very likely scenario as this is precisely what South Korea has already done.[1]

[1] - https://www.youtube.com/watch?v=BE-cA4UK07c


I think the real interesting private sector utility will come from implementations of the contact-tracing map instead of just the bluetooth app (which there will likely be "official" ones or ones being worked on directly by Google/Apple themselves).


Just to clarify, the Apple/Google proposal discussed here does not require geo location (and I’d assume that you don’t have to give it access to location data).


Thanks for that. One path to greater longevity is to explore the idea of what else you could do with it besides contact tracing for disease that users might find useful. For example, what if users with a common interest had the ability to identify themselves to each other but not those who don't share that interest? If it's useful for something else besides coronavirus mitigation, you'll have the rare opportunity to reach almost everyone at once.


Pretty good illustration of how private and secure contact tracing can work here: https://ncase.me/contact-tracing/

Not sure whether that's what this implementation would look like.


I'm not a security expert. However, this part looks worrying:

> alice can also hide messages from times she wants to keep private

If there's a need for this, doesn't that imply that the scheme does not actually keep Alice's privacy in all situations?

Furthermore:

> the random messages give the hospital NO INFO on where Alice was

This seems to assume that the hospital (or anyone with access to the data, such as governments) didn't capture the broadcast messages together with their location. With enough Bluetooth receptors in busy areas, a government could easily find out where Alice had been by looking up each of her messages in their list of message/location pairs?

Experts can probably come up with nastier and/or easier exploits...


This definitely isn't "private". It's just obfuscated.


Agreed, whenever you divulge any info, you're always losing bits of randomness (obviously, more or less depending on how good the protocol is!).

In particular, given an adversary who has several points (receiving these codes) and knows the receiving location of each of these points can de-anonymize a person "A" who is COVID positive if they know, e.g., a minimal amount of A's usual daily movements (from cellphone tower location, for example).

That being said, the government probably has better ways of knowing who has COVID-19 and other infectious diseases :)


"The phone warns Bob to self-quarantine". So the app knows, and the crisis will indoctrinate people to trust such apps.

Once the crisis is over, they'll continue to use such "safe" apps, for other purposes ...


The problem with doing any sort of effective contact tracing requires special APIs for iOS and Android because newer versions of both OS disallow background communication and location gathering


You don’t need location gathering for this. All you do is store anonymous identifiers from people in the vicinity.


The relevant privacy details:

https://covid19-static.cdn-apple.com/applications/covid19/cu...

"Privacy Considerations

• The key schedule is fixed and defined by operating system components, preventing applications from including static or predictable information that could be used for tracking.

• A user’s Rolling Proximity Identifiers cannot be correlated without having the Daily Tracing Key. This reduces the risk of privacy loss from advertising them.

• A server operator implementing this protocol does not learn who users have been in proximity with or users’ location unless it also has the unlikely capability to scan advertisements from users who recently reported Diagnosis Keys.

• Without the release of the Daily Tracing Keys, it is not computationally feasible for an attacker to find a collision on a Rolling Proximity Identifier. This prevents a wide-range of replay and impersonation attacks.

• When reporting Diagnosis Keys, the correlation of Rolling Proximity Identifiers by others is limited to 24h periods due to the use of Daily Tracing Keys. The server must not retain metadata from clients uploading Diagnosis Keys after including them into the aggregated list of Diagnosis Keys per day."

It doesn't look bad, at least, at the first sight.

A detail: I hope the "day begin" for the "Daily Tracing Key" is the same for all users? I.e. not a local day but e.g. GMT+0 day or something.


That combination Apple-Google logogram is scary! It’s like an image from some corporate future dystopian sci-fi.


It's like you don't trust Weyland-Yutani at all.


I only trust Tyrell Corporation for my off-world needs.


I just re-watched Blade Runner. Eerie.


"Building better worlds."


It's oddly natural to see them together.

Many years ago I was at a black market in Beijing filled with every possible fashion counterfeit, and I found one black leather belt that had both Gucci and Calvin Klein logos on it.

It similarly seemed natural for a second ("even more fashion, right") until my brain did a double-take.


The logogram in OP suppresses Google’s four colors, and so did the one on Google’s blog:

https://blog.google/inside-google/company-announcements/appl...

Also, the Apple logo is first. I wonder how this was decided?


Personally, I would choose to put the Apple logo first on aesthetic grounds.

Not because I like that logo better but because it is smaller. Since English reads left to right, if the short thing comes after the long thing, it looks lopsided.

Also, since the Google logo is larger, it is going to be more prominent no matter what, so putting the Apple logo first balances that out a bit. Seems fair to me.


A comes before G? Logo designs typically have a logo followed by text. Seems to apply here too. It might not be anything about who can pee further.


> Logo designs typically have a logo followed by text

This. It would look weird if the order were the other way around.


My guess (hope) is a group of reasonable adults talking about this collaboration (remotely) decided that the order of logos was of far less importance than them working together.

Someone probably said — “how about this?” and scribbled something. May have even been a Googler.

Then everyone else just said “sure”.

At least, that’s how I’d like to think it went.


Alphabetically and/or birthdate


Alphabetically maybe.


Line crossed. Prepare for trouble.


And make it double?


The less scary and comfort version is CIA/NSA rolling out such a service in minutes. How about that?


Looks like it was inspired by the TraceTogether app built by the Singapore Government and recently Opensourced.

https://www.gov.sg/article/help-speed-up-contact-tracing-wit...

https://github.com/OpenTrace-community


> Looks like it was inspired by the TraceTogether app built by the Singapore Government and recently Opensourced.

Not really. This is based on the TCN approaches by Covid-Watch, Co-Epi and DP-3T (submission to PEPP-PT). TraceTogether fundamentally functions very differently.


Link to the TCN Coalition: https://tcn-coalition.org/

I am one of the developers working on Co-Epi, and am very happy to see that Apple and Google are improving their APIs to support our work.




There's a presentation linked at the bottom which explains in brief how contact tracing will work:

https://blog.google/documents/57/Overview_of_COVID-19_Contac...

Apple and Google should have included the chart in their announcements, IMO. It illustrates the process in a way that's easier to understand than text alone.


The interest in "privacy" around contact tracing seems like a ship that sailed a long time ago to me. Verizon etc all already have this data, and it isn't "private", and so does uber, lyft, and every other overly-aggressive-permission-askning-app that anybody has ever installed.

Privacy is really important: but we lost it all a long long time ago. Maybe saying "well now we can do a good job of contact tracing" is at least some good coming out of that loss of privacy. I just hope we don't end up wasting time trying to make the contact tracing "private" as if by doing otherwise we'd be giving something up that we didn't already give up long ago.


That's too defeatist: these contact tracing tools will be gathering data that isn't available any other way - otherwise, they'd just be going straight to Verizon etc for what they need.

Presumably the bluetooth recording will give much better fidelity/precision about who is close to who, in all conditions (in buildings, in the subway, etc), where simple phone triangulation or GPS won't be accurate enough.

That's far more data than the phone companies have on us right now, so it is a good thing that people are considering the privacy issues. Just saying "we've already lost" only makes things worse.


I don't know how effective this was, but Israel did exactly this: https://techcrunch.com/2020/03/18/israel-passes-emergency-la...

US public institutions seem frankly sclerotic. The fact that the government has or has not done something provides almost no signal on whether something is possible or not.


In this context I think you can distinguish between three different kinds of location-related data:

* cell tower data

* phone GPS data

* Bluetooth data about proximity to specific other people

For most purposes these are increasing in precision and sensitivity. But also, governments can demand that carriers turn over the first kind, but the second two are generally under some kind of user control according to mobile OS designs. There is no single place that automatically gets this data about every smartphone user.

Some of the discussions about privacy for the kind of technology that Apple and Google are working on here are based on observations like

* there actually is no existing way that health authorities could get detailed Bluetooth proximity information about all smartphone users

* this information is potentially more useful for epidemiological purposes, and also more privacy-sensitive, than just GPS sensor data, because it may more reliably map individual people's interactions with one another (for example, potentially confirming that people were likely in the same room rather than just in the same building)

* there are cryptographic concepts that could potentially make this data useful for contact tracing, if users cooperate to a certain extent, in a way that would still make it difficult to obtain or use the data for a different purpose

Another way of putting it is that many people looking at this question think that there is an incremental privacy harm from disclosing Bluetooth proximity data (compared to data that is already available), and an incremental benefit to epidemiology from finding a way to process this data for contact tracing purposes (compared to data that is already available).


I would think that for contact tracing, you need more than Uber/Lyft/Verizon-level GPS/WiFi triangulation/cell tower triangulation accuracy inside cities. With contact tracing, a proximity of 1 or 20 meters probably makes a large difference. Hence these apps will also have to use Bluetooth Low Energy continuously.

https://www.imec-int.com/en/articles/imec-sets-new-benchmark...


I downvoted you because this is false. This is enhanced individual tracing and will only get worse over time. We should fight tooth and nail against all new anti-privacy schemes like this.


This would have a lot more detailed data than Verizon since BLE can calculate distance relatively well. Verizon just knows which tower you are on.


Right. But it's not like they're going to "just" announce that.

"Hey everyone - so yeah, we're using all your data you're willingly providing all these apps on your phone, like location, contacts, camera...So thanks for helping...Okay, bye!".

But you're right. Every day there is so much information from the spies we carry around with us as they communicate that it'd be unfathomable they're just "ignoring" all of this information.

The chances are in some privacy policy it says they can share that data with their "partners" which silently gets back to the government.

Just use what you already have, what we already know you have, and if it saves lives then at least it was put to good use.


Since so many companies have it, why not take it back and make it a public commons?


Two major OS platforms covering majority of the population working together in an attempt to better track current populations at behest of the government. How could anyone even begin to feel a wee bit cynical? To question this effort it worse than wanting PATRIOT ACT to expire. It is downright unamerican.

I hate the fact that I definitely see a good reason for it and the goverment is more than happy to accommodate this power grab.


Have you even read the spec before dumping your thoughts? They address the privacy concerns explicitly. A short summary:

- Doesn't collect personally identifiable information or user location data

- People who test positive are not identified to other users, Google or Apple

- List of people you’ve been in contact with never leaves your phone

https://blog.google/documents/57/Overview_of_COVID-19_Contac...


I will admit that I did not, but having seen trends over the past few decades taught me to be rather skeptical. In other words, today's specs are little more to me than promises. I am ok with being downvoted for this.

edit: I just "read" it ( it is not even a spec - it is not even a powerpoint presentation ). You are down voting me for questioning a couple of pictograms?


A technical outline is here: https://covid19-static.cdn-apple.com/applications/covid19/cu... also linked elsewhere in this thread.


Thank you for this. It may take me a little longer to digest.


There is nothing wrong with being skeptical, I just think your objections are out of place. If you are really concerned then it's probably best not to use Android or iOS at all, who knows what data might be shared with the government without your knowing? This spec (or any app built on top of this spec) doesn't really change anything about that.

Edit: I wasn't downvoting you, and the link was the source for the summary for the privacy considerations. The details are in the actual spec.


I disagree. You base your opinion on nothing more than a couple of icons. Having now read it, I cannot in good faith even call it specs. It is a step above infomercial. Hardly something trustworthy.


I mistakenly gave you the impression that I was linking to the spec. I was in fact linking to the infomercial that had a summary of the privacy considerations. The actual spec can be found here:

1. Bluetooth: https://covid19-static.cdn-apple.com/applications/covid19/cu...

2. Cryptography: https://covid19-static.cdn-apple.com/applications/covid19/cu...

3. Framework: https://covid19-static.cdn-apple.com/applications/covid19/cu...


No worries. I apologize for jumping to conclusions like this. I will be going over these soon.


This doesn't appear to be a way for the government or tech companies to track people. Looking through the API docs I think it's designed just to alert people who may have been exposed.

It lets someone identify as Covid-19 positive and then if people have come into contact with them, you can be alerted. Most of the processing happens on device and it doesn't use location data.

It looks like it would be very hard to abuse by governments or businesses, but I'm not an expert on these kind of things.


Indeed, if I understand correct, the device locally stores a bunch of keys of people you've been in contact to, and there is no way of working backward from the keys to who it was, and these keys also change daily. Then when someone marks themselves as infected for days A through Z, their keys for those days is sent to devices, where the devices check locally if they have the given person-day keys stored.

Do I understand this correctly? It's almost all done locally, there's nothing about location, and almost nothing is send up until you mark yourself as infected, right?

EDIT: This is the best high level explained I've found: https://blog.google/documents/57/Overview_of_COVID-19_Contac...


It is possible I am not expressing myself clearly. The API may not directly access location data ( though I have a hard time believing that either ). Processing may be local, but I just find it very difficult to believe that the information gleamed from that common platform would not be used. And if it can be used, it will be used. And then it will correlated with information that was previously gathered via regular means. I am not sure how that is not a concern? To Trump's credit, he seems hesitant to go all in on this front.

edit: There is something that occurred to me after writing this. FB had an API at the beginning of their game when they were shooting to get developers' attention. They did. As the leaked documents show what really end up happening, API evolved in ways that benefited big boys. I guess my rambling point is that whatever current specs say, may quickly become rather distant past.


Is this at the behest of the government? Seems privately driven?


Sure. DPA was not invoked only few days ago. Companies were not already threatened openly ( and not so openly ) to obey or else. Companies are effectively expected to volunteer their services or risk consequences from government( and potential bad PR ).


None of those facts indicate directly that this wasn't privately driven. They suggest reasons to be skeptical but, at the same time, it's highly unlikely they developed this spec since the DPA was invoked. These companies have been threatened by the Trump White House for years and did nothing to show they succumbed to them. The risk of bad PR hasn't stopped companies from committing sins.

Sometimes, especially in crises, people like actually want to help other people.


The key in all this is the users ability to choose to disclose when they were tested as infected. If this choice isn't baked deep into the protocol, it will be far to easy for things to go horribly wrong down the road as this technology is adapted for other roles.

As an obvious (and not all that impossible) example, consider a Bluetooth device owning person who is, in fact, physically isolated. No amount of "privacy preserving" anything will fix the issue if they know they've only been within range of 2 other people in the last <insert time window here>.

The paranoid user would want to change their disclosure settings upon entering the domain of this isolated individual, since they can be sure they would be able to identified.

Sadly, not all users will know who was and who was not isolated, so the notion of privacy is simply impossible as far as I can tell. You are weighing the social good vs the potential personal harm based on your unique environment. Nothing fundamentally changes this.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: