Apple and Google partner on Covid-19 contact tracing technology (apple.com)
823 points by ikarandeep on April 10, 2020 | 456 comments



Promising opt-in is a bit disingenuous. These tech giants are creating a technological capability. Whether or not it is opt-in, opt-out or mandatory is then decided by governments, now and in the future.

This is of course nothing new. But it's worth noting considering how high the tolerance for extremely intrusive government action currently is and how extremely weak any resistance is bound to be.

I'm not saying I'm against contact tracing in the current situation. But that shiny new button that governments get to press will never go away.

Edit: Reading the spec, I found a piece of information that may be of interest: This technology allows contact tracing without necessarily revealing the location where that contact has taken place. So that could indeed be a privacy benefit over alternative approaches.

https://covid19-static.cdn-apple.com/applications/covid19/cu...


They already have the shiny button. They can compel cell phone companies to give this data to the government already, without you knowing about it.

At least this way you will get some control of the info and you'll know what was collected and have control of its disclosure (for now).

In other words, this is no worse than what the government is already capable of, it just makes it easier for you to share the data with health care providers.

The government already has all these abilities.


> They can compel cell phone companies to give this data to the government already

Bluetooth has a quite small range, which may give higher tracking precision (to anyone receiving the signal) than the data cell phone companies have.


Bluetooth 5.1 devices can do both distance and direction, so if you have a bunch of beacons you can determine your location to sub-meter accuracy.


Realistically, what does sub-metre accuracy help with "evil" (catch-all for all non-disease-related) surveillance that, say, a 5-10m is insufficient for?


Hyper localized association. Like, for example, a dissident organizing a local chapter of some organization who disperses information via in person hand offs of handwritten papers every. In this example, their hand off point, in a small town of tens of thousands, is the Saturday farmers' market that runs from 8 until 5 or so. They and their conspirators all went to the farmers' market regularly before so it's completely natural for them to appear within 5-10 meters of each other a few Saturdays a month (usually because the three most popular food trucks have long lines right next to each other). Except now "evil" can roll up the ringleader and see a pattern of who passed within an arm's reach every time the ringleader got a message from the head organization without actually spending the resources to surveil anyone in person.

"Evil" usually doesn't care enough about most people to spend significant resources surveilling them. The danger in dropping that threshold is that "evil" invents new ways to exploit any efficiency.


"Evil" is a bit loaded, but what that level of accuracy does is let you say "this person was in front of the shelves for products X, Y and Z" as opposed to "this person was probably in the store".


This app appears to use peer to peer Bluetooth between phones, not beacons. The intention is to determine relative proximity between users, not absolute position.


Tracking isn't just by connection. Their point is that bluetooth tracking (by beacon or otherwise) is already a thing - many major retailers and franchises already do it.


It's ridiculously easy to turn any Bluetooth device into a beacon. All you have to do is configure the BLE advertising frame for the device and then set the device to advertise. I can turn my laptop into a beacon in about 5 minutes (some web searching to remember exact commands and formats).


iPhones don't have Bluetooth 5.1 yet, and I'm assuming no Android phones either.


Qualcomm's latest flagship SoC (865) with 5G has Bluetooth 5.1 support as far as I know.


Currently, yes, but "numerical results with a system operating at 39 GHz show that sub-meter 3D positioning accuracy is achievable in future mmW 5G networks" :)

https://arxiv.org/abs/1803.09478


Little did we know, 5G didn't cause Covid but Covid will cause 5G...


I'm pretty sure he was referring to cell tower location data, not bluetooth. Though cell tower location data has low resolution, in the order of a few 100 feet to several miles. Not useful for contact tracing.


5G, I have heard, allows more fine-grained positioning.


The capability of using the Bluetooth stack for tracking is not new, this proposal limits the way that data can be used. See the cryptographic specification linked below.


The alternative would be GPS, which some governments are looking at now. It might give higher precision with a grid of location data to enhance it, but I would assume the protocol prevents this, e.g. by some randomization of IDs?


GPS is completely unidirectional from satellites to receivers and thus the satellites cannot be used to track the receivers


What skuhn said. That is what the solution the Norwegian and Danish government is implementing is supposedly doing. Reporting the GPS data back to a central server. If you’re using iPhone.

https://www.simula.no/news/digital-contact-tracing-qa#How%20...?


The receivers can be made to report their GPS data back for tracking purposes.


There is also another idea floating - let the phones emit an ultrasound - then the other phone can estimate proximity, by the volume or delays.


Thanks. I wasn’t using my battery anyways.


none of the proposed tracking methods are without additional battery consumption, as far as I can tell.


Just have everyone wear QR code name tags


that isn't a reason to be complacent about furthering governmental/corporate surveillance capabilities.

in fact, it should remind us to take away those prior surveillance capabilities, and demand any contact tracing system to give control to users and be fully off-limits to large power structures (e.g., only shared between users and researchers).

and being hard to do so is no excuse. we have millions of people we can work on the problem if it's so important to warrant such massive effort.


People are working on contact tracing, this takes care of one of the harder parts without dictating central control in a pretty sensible manner. Being wary of privacy adverse interests in this context is good but in this context makes little sense. This specification only touches the question of data leaving the device in ways that restrict what the outside party, in an RFC manner MUST wording, can do with the data.

It's pretty clear that we will get contact tracing applications in many parts of the world, regardless of any action Apple or Google might have taken. Might as well base it on something that does not compromise the user base wholesale.


The protocol is explicitly designed to not share information - the data does not contain location information, and the only thing that someone can do with that data is verify if they have seen some of the identifiers that were published by someone else.


They can compel, but also what they typically do is to purchase from them the data. That way they don't even need warrants. We totally need stronger regulations about sensitive information like that.


It's much worse because it won't have judicial oversight.


Unfortunately neither does existing location data collecting.


> At least this way you will get some control

doubt it.


> it just makes it easier for you to share the data with health care providers

I don't want to share any more information with these corporate health care providers based on real world experience with them. Is that "allowed"?


> how high the tolerance for extremely intrusive government action

You could also view it as high demand for government functionality, with an accompanying commandeering of the governmental power by the public, which has leverage of its own. Consider, for example, that 1/3 of the country is on a rent strike right now, a proportion which will likely grow. That part of the polity is learning to flex its political muscle for the first time in a while, because the economic and political establishment suddenly finds itself at a severe disadvantage.

Of course, the government commands asymmetrical strength through police and (less directly) military force, but that's only effective insofar as disparate groups rarely have broad common interests that transcend regional, economic, or social boundaries. Since the internet provides many of the tools to facilitate collective action and COVID-19 has provided a sufficiently broad incentive, political incumbents are discovering that their powers are only as extensive as the willingness of people to cooperate and that they do in fact require the consent of the governed.


> Consider, for example, that 1/3 of the country is on a rent strike right now

Errr - no, no they aren’t. This month had approximately 12% more people miss their rent payment than last April.

That’s high - and bad news for people like my retired aunt and uncle, or father in law, who rely on the income from their rental property - but it’s hardly a national rent strike.


Not sure if the 1/3 is correct or not but consider this- that's the rise for April. Even people who live paycheck to paycheck can often find a way to scrounge together that money if they just lost their job. I'd say reserve judgement until we see how many people pay their rent in May.


Not paying your rent because you can’t afford it != joining a rent strike.

The rent strike movement is a political one, and has little to do with whether or not one can afford rent.


After a quick scan of the protocol and API outlined by Apple and Google: it looks privacy & technically sound to me.

I would remove the Android FAILED_REJECTED_OPT_IN status code (https://www.blog.google/documents/55/Android_Contact_Tracing...).

I cannot find it in the Apple API specs, but maybe it's not defined in there yet.


If it's a shiny button users get to press I have no problem with it, even if govs make it mandatory in the short term for things like public transport use or non-essential shops.

This should be an app users can install and uninstall, not a feature governments control.

PS Governments are already accessing your phone records and tracking behaviour without your permission, along with recording everything you do online for at least 30 days. O Tempora, o mores!

https://news.sky.com/story/coronavirus-government-using-mobi...

https://en.m.wikipedia.org/wiki/Tempora


Both Apple and Google have the exact location for all users for all time. Both can tell you right now, who you have been in contact with and how many folks they in turn have been in contact with.

They aren't building anything new, in fact, this is much less than they already have.


> Both Apple and Google have the exact location for all users for all time.

This is a false statement. With location services off, the providers only get coarse location via tower strengths and also via IP geolocation (everything phones home and leaks your IP constantly). It’s not exact, not by a long stretch.


Don’t forget WiFi router Mac address triangulation.


With location services off, I don’t believe that occurs.


Depends on the platform. Ultimately all you need is a list of the routers around you; SSID is often sufficient, but MAC address is optimal since it can be sent to Google API [0] or similar for geolocation. I'm not sure about Android permissions. With iOS, it used to be (like 2 years ago) that any app could get the list of nearby access points, without permission. But AFAIK that was recently changed to be behind a prompt. Not sure if it's the same permission as location services or a different one.

[0] https://developers.google.com/maps/documentation/geolocation...


I am done helping either company. What a breach of trust to hop on the 1984 bandwagon and we haven't even been through a full cycle of this.


Do you really think that this feature has drawn a line in the sand where previously they couldn't track you and now they can?


No, it was already terrible before.

But it was labelled as terrible. It was for the secret service.

Now it's going to be culturally accepted, and in the hands of regular administrators.

This is an order of magnitude worse, for something that was awful.


Because it's being used to fight something even more awful.

There are no good choices in a pandemic.


This is a false dichotomy and assumes there are only two choices:

- not handling the pandemic

- tracking the population

You can get information about people assembling in other ways:

- helicopters

- intel gathering

- cops and army patrolling dressed as civilians

- create groups of citizens in town responsible for patrolling

And probably many I don't know about.

Then you add to that: keeping to communicate with the public, testing a lot, providing masks, etc.

The fact you are using this argument shows how powerful the culture of "the end justifies the means" and "trust the authority to deal with this" is.

I remember the first time I saw Jack Bauer on TV decapitating a terrorist in 24 to get information. I thought, "wow, they are really creating a new normal here".

That's what it is about: creating a new normal. And pretending there is no other choice, while nobody is trying to provide any.


There's no pretending there is no other choice, this already is a proposal for that "other choice". Contact tracing certainly isn't new, it's a required step in tackling many infectious diseases and will happen whether or not it is assisted by digital means. The technical alternatives to the tiny part proposed here are coarse and many of them more invasive in terms of privacy. This proposal is specifically designed to prevent tracking populations, it also limits the number of necessary off switches to the two OS vendors. What exactly is the part of the "new normal" you are worried about here? I hope it's not people walking around with tracking beacons in their pocket, they already do that without giving it a single thought.


It’s not about “people assembling” at all. It’s about individual prolonged contacts, possibly accidental (mass transit), with an infected person, allowing much more targeted (as opposed to current blunt tools like shelter at home orders) suppression of the disease.


I wish I could share your optimism


In a pandemic, I think it’s fair to value public safety over privacy. What comes after the pandemic is a separate concern and discussion.


Public safety is not a human right, while privacy is.

If we abandon our commitments to human rights in times of crisis, how important are they to us, really?


> Public safety is not a human right, while privacy is.

Seriously? “Everyone has the right to life, liberty and security of person” is literally Article 3 of The Universal Declaration of Human Rights - and 1&2 are “this applies to everyone; yes, we mean it”. Privacy is all the way down in Article 12.

I’ll take my life, health and freedom, for which targeted suppression of this disease is essential, over my privacy any time, thank you very much.


You can't really have no privacy and freedom. Isn't that obvious?


Life and “security of person” are not the same thing as safety.


> Edit: Reading the spec, I found a piece of information that may be of interest

Shouldn't you read the spec before commenting?


there's no button the government can press - the broadcast data is short term identifiers that can't be linked without knowing the day key. The identifiers are literally just a random 16 byte number derived sequentially from the day key.

The day key is only known if the user elects to publish those keys.

If you have a collection of day keys you don't know who published them as there's no device information in that.


> But that shiny new button that governments get to press will never go away.

I think that framing is slightly counterproductive to be honest. The alternatives are efforts that, from what I see so far, seem to fall on one of two sides:

a) sensible privacy defaults like the proposal by Google/Apple, open development, limited traction in the community and not well connected to political decision makers

b) company initiatives, closed developments and promises of openness while working on centralized solutions

I feel like your scenario would be more worrying in terms of privacy if Google/Apple didn't introduce this protocol extension. They are essentially forcing the b) group to adapt something sensible. Another positive is that this seems limited to the OS level, whereas both have more extensive infrastructure they could have pushed for but intentionally did not.

tl;dr: I think it is a beneficial proposal and well placed, the alternative would likely be worse for the user base.


This functionality is already live in Find My iPhone. iPhones are performing these associations already. The bigger change is Android joining and sharing the data with researchers.


The proposed technology is quite different from a service that located devices. Rather, it would track what devices have been in proximity of each other, and not necessarily where.


I was speaking to the question of whether governments would then demand access to the data. They could force Apple and the Telcos to turn over the data they are already collecting pre-corona. I was just saying that that risk isn't new.


>I was just saying that that risk isn't new.

every new method of geo-tracking is a new risk because it provides yet another hole for politicians to legally exploit into a privacy concern.

Speaking about the US -- GPS and tower-tracking pose many of the same risks, but since the legal mandates were discussed at different parts in history, their legal allowed uses are different from one another.

If yet another geo-tracking capability comes online that just allows legislators to put forward legislation that will allow them to abuse that specific technology rather than the previous ones that allow them the same access, but were mandated more responsibly.

In other words : each new law has to be inspected from so many angles that eventually the angles will exceed the inspection ability, and our privacy will dwindle without much argument as we'll be unable to modify legislation quickly enough to keep up with tracking technologies; this seems to be on purpose and being abused actively in the United States.


it doesn't track which phones are next to each other, just identifiers it has seen. Those identifiers roll frequently, and the material to find contact only occurs if a person chooses to publish that information, and all that information does is say what their keys were.

Determining if you were in the vicinity is also done on device - you get a list of all the day keys from a person who has chosen to share that information, then from that you can create all the keys they would have used in that period, and see if your device has ever seen one of those keys. Presumably if it finds a match the device/app would post a "you should get tested" message.


You do know that there also is a Find My Device service for Android that runs on all Android phones?


This is very different than what you think when you hear "find my iPhone|Android". Iirc the find my iPhone tech does phone to phone association to identify the location.

See: https://www.wired.com/story/apple-find-my-cryptography-bluet...


This technology which has been announced but not released would, as your link states, ‘let you track down your stolen laptop, but not let anyone track you. Not even Apple.’ What issue do you have with that?


I have nothing against it :-) I was stating that what they were describing is nothing like what was implemented.


It'll be opt-in until an HN headline says it's not and then there are subsequent "post mortem" articles from Google with a bunch of PR gibberish saying "whoops it was an engineering mistake", by which point everyone's become acclimated to their technological presence.


There is surprisingly little discussion about the actual spec here. It looks really good to me!

- Advertisements change every 15 minutes, are not trackable unless keys are shared.

- The only central bit is a repository of "infected" daily keys.

- No knowledge about contacts is shared with a central authority.

Nothing is shared unless you are infected and decide to share your keys, which are only valid for one day. I don't see how you could have a real argument against this unless you are a privacy extremist. It also seems more privacy friendly than the Singapore or German apps.


In a widely distributed and important spec like this it may be useful to look for what is conspicuously absent or unstated, rather than simply reading the precise positive language.

To my mind this phrase under 'Privacy Considerations' in the Cryptography Specification stands out:

"A server operator implementing this protocol does not learn who users have been in proximity with or users’ location unless it also has the unlikely capability to scan advertisements from users who recently reported Diagnosis Keys."

That phrase explicitly mentions that server operators cannot learn about user proximities.

What I reckon may be unstated there is that it could be possible for adversaries with sidechannel / network monitoring capability to learn those kind of details about users (i.e. internet, cell data, and other data network operators).

If such a side door did exist, it would seem in the public interest to be aware of the scope of the availability of that data, especially given the potential (physical, social) vulnerability and risk of those users.

I'd also like to be proven wrong about the possibility of such sidechannel attacks by anyone who understands the spec in more detail.

[1] - https://covid19-static.cdn-apple.com/applications/covid19/cu...


The approach outlined by Apple and Google is very similar to, and likely based on, the TCN protocol developed by a coalition of open source projects. If you'd like to discuss possible vulnerabilities and propose further improvements, there's an active community already doing that who would be happy to have one more contributor. :-)

https://tcn-coalition.org/


Thank you, I'll take a look into TCN and the protocol.

Do you know whether TCN have worked with and/or compared notes with OpenTrace[1]?

[1] - https://github.com/OpenTrace-Community


I’m part of the CoEpi project, one of the member projects of the TCN Coalition. I see that some of my teammates are searching through the OpenTrace code to see if anything there is worth taking, such as their device-specific bluetooth range calibrations. I don’t think there’s been any two-way communication between these teams.


The projects I've seen inside of TCN seem aware of OpenTrace and the code / data they put out over the last few days, not sure if direct contacts exist yet.


> I don't see how you could have a real argument against this unless you are a privacy extremist.

The authors of DP-3T (which seems quite similar to this spec) have a huge list of privacy caveats in their whitepaper [1], in section "5.4 Summary of centralised/decentralised design trade-offs".

I haven't seen any analysis on how the Apple/Google spec prevents those problems.

[1] https://github.com/DP-3T/documents/raw/master/DP3T%20White%2...


The Apple/Google design drops this DP-3T requirement:

2) Enable epidemiologists to analyse the spread of SARS-CoV-2

So anything in that table with epidemiologists is gone.

The remaining caveats are pretty boring:

To do so, the attacker uses strategically placed Bluetooth receivers and recording devices to receive EphIDs. The app’s Bluetooth broadcasts of non-infected people and infected people outside the infectious window remain unlinkable.

...

On the other end, a proactive tech-savvy person can abuse any proximity tracing mechanism to narrow down the group of individuals they have been in contact with to infected individuals. To do so they must, 1) they keep a detailed log of who they saw when. 2) they register many accounts in the proximity tracing system, and use each account for proximity tracing during a short time window. When one of these accounts is notified, the attacker can link the account identifier back to the time-window in which the contact with an infected individual occurred.

So, yeah, these vulnerabilities still exist and have been pointed out on this thread... but I find it hard to care about these at all.


> The app’s Bluetooth broadcasts of non-infected people and infected people outside the infectious window remain unlinkable.

The group of non-infected people is getting smaller and smaller. The infectious window is presumably weeks long (times the number of diseases this system will track). These risks don't seem that easy to downplay, even before we get into the "security concerns" section.


One issue I see is that when I query the central repository of infected IDs I expose to the central server the IDs I've been in contact with (unless I always download all of them, but that doesn't seem feasible).

It seems like this could be solved by providing a K-anonymous query interface like the one exposed by Have I Been Pwned. I wrote to the contact email address of PEPP-PT, which is a European initiative to develop a system that seems pretty much the same as this, suggesting this, but I got no answer (not that I was really expecting one).


Ah you mentioned the HIBP example, although for this search space you may be able to get by with just a download of all of them. If you stick to, say, state by state sharding, you get around 30 MB of hashes for the worst case (NYC).

If you further reduce that by only providing new confirmed hashes since a timestamp, the client can track when they last downloaded the data and pull only the delta, you end up with a few MB a day, which compares quite well to say, a video call.


Geographical based sharding seems to break down once people travel though. Just a single visit to a hub airport might have gotten you in contact with people from all around the world (I assume that the objective of this initiative is to try and get us at least part way back to normal). Even if you don't travel, but other people are, you will be in contact with people who are registered as infected in a different region.

Also I don't think NYC is at all the worst case in the world, there are a lot of megacities that dwarf it in size...


You could still have geo sharding if the device also saved the location locally and shared the diagnosis for every zone it’s been in / downloaded the data for all zones. Ofc that would mean more data to process for travelers but it should still be way less than the data of the entire globe.


You have to download the entire database. The check is done inside the framework, recorded ids are not exposed to the frontend apps.


I think it has a flaw: if you find out you are infected mid-day, then if you reveal your key for the day others can impersonate you for the rest of the day, and if you don't those who you had contact with in the first part of the day won't be notified.

So my suggestion for a minimal fix would be to also reveal all advertised rolling IDs for the current day in addition to the keys for the past days.

A better fix would be to generate ID in a hierarchical fashion from the daily keys with power-of-two-length time slots, so that you only need to share O(d + log(n)) values where d is the number of days and n is the number of subdivisions in a day.

Another potential fix is to use public-key cryptography and only reveal the daily public keys; however, this requires twice as large IDs and matching requires to try to decrypt/signature-check all received IDs instead of being able to generate and lookup.
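One way to realise the hierarchical derivation proposed in the comment above, as an added example that comes neither from the thread nor from the Apple/Google specification: a binary tree of HMAC-SHA256 derivations under the day key, where disclosing the slots already used today takes at most 8 node values and later slots stay underivable. The tree depth, the `CT-TREE` label and all function names are assumptions of this example.

```python
import hashlib
import hmac

DEPTH = 8      # 2**8 = 256 leaves, enough for 144 ten-minute slots (assumed)
ID_LEN = 16    # broadcast identifiers are 16 bytes


def child(node_key: bytes, bit: int) -> bytes:
    """One-way step from a tree node to its left (0) or right (1) child."""
    return hmac.new(node_key, b"CT-TREE" + bytes([bit]), hashlib.sha256).digest()


def subtree_leaf(node_key: bytes, height: int, offset: int) -> bytes:
    """Walk `height` levels down from a node to leaf `offset` of its subtree."""
    for level in range(height - 1, -1, -1):
        node_key = child(node_key, (offset >> level) & 1)
    return node_key[:ID_LEN]


def slot_id(day_key: bytes, slot: int) -> bytes:
    """Identifier the phone broadcasts in a given slot of the day."""
    if not 0 <= slot < (1 << DEPTH):
        raise ValueError("slot out of range")
    return subtree_leaf(day_key, DEPTH, slot)


def reveal_prefix(day_key: bytes, used: int):
    """Nodes that cover exactly slots [0, used) and nothing later.

    Returns a list of (first_slot, height, node_key). The list has one
    entry per set bit of `used`, so at most DEPTH entries for a partial day.
    """
    if not 0 <= used <= (1 << DEPTH):
        raise ValueError("used out of range")
    nodes = []
    node, start, height = day_key, 0, DEPTH
    while used > start:
        size = 1 << height
        if used - start >= size:          # whole subtree is in the past
            nodes.append((start, height, node))
            break
        half = size >> 1
        left = child(node, 0)
        if used - start >= half:          # left half fully used: disclose it
            nodes.append((start, height - 1, left))
            node, start = child(node, 1), start + half
        else:                             # boundary lies inside the left half
            node = left
        height -= 1
    return nodes


def ids_from_reveal(nodes):
    """What a recipient can derive: a mapping slot -> identifier."""
    out = {}
    for start, height, key in nodes:
        for offset in range(1 << height):
            out[start + offset] = subtree_leaf(key, height, offset)
    return out


if __name__ == "__main__":
    key = bytes(range(32))                # constructed day key
    disclosed = reveal_prefix(key, 57)    # diagnosed after 57 slots
    print(len(disclosed), "nodes cover", len(ids_from_reveal(disclosed)), "slots")
```

Past days are still disclosed as one key each, so a report of d full days plus the current partial day costs d keys and at most 8 nodes.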


Your suggestions don't seem different from what the spec already describes. Tests are not immediate and the incubation period of the disease dictates that you have to share multiple diagnosis keys (days) of infected persons anyway. You don't have to share timeslots within a day, they can be derived from the daily key. Impersonation risk is unlikely, whatever health authority applies can just invalidate all newly identified keys from generating new contacts, preventing replay attacks derived from known infected with simple and coarse timestamps.


A simple solution using virus properties would be to just delay the release of the last id. It takes a while before the viral load inside someone becomes high enough to be infectious, so there is no significant harm in the last id being delayed by 24h in the worst case.


Now people who simply care about privacy are “extremist”

Perfect way to begin marginalizing people who care for privacy


Which part of the spec do you think people who care about privacy will object to? I agree with you that this is a poor choice of wording but I think your interpretation is uncharitable.

I think this is a very innovative solution that enables contact reporting without knowing location or personal details at all, and its exclusively opt-in.

I see some people arguing that "yes but it could be subverted" but this isn't a really good place to begin if you just want to monitor people and know who is talking to who, there are much better ways to do that already available.


Could someone smarter than me ELI5 how devices are able to "re-derive the sequence of Rolling Proximity Identifiers" of the infected?

I know that the RPI is derived from the daily key + TimeIntervalNumber. But these devices should only be receiving the daily keys + the current day.

Everything else about the spec is pretty easy to follow and gets my a-okay.


Think of the daily key as the seed to a random number generator. If two people pass the same seed into the same random number generator, they can generate the same list of 500 random numbers. This provides a compact way for someone to say: "I just learned that I was infected. These are the 500 identifiers I broadcast on that day. If you recognize one of them, then you might also be infected."

https://tcn-coalition.org/


I understand that aspect of it; I'm just confused as to how only having the daily key is enough to generate the identifiers. Wouldn't they also need the TimeIntervalNumber, according to the function?


If each phone generated 500 numbers per day, then TimeIntervalNumber is a number in the range of 1...500. So generate 500 codes using all of the numbers in that range. If any of those 500 codes match one of the codes that you actually saw in the wild, then you were near that person.


Thanks! I actually brainstormed with a friend later that day on how it'd work and we finally came to a similar conclusion.

According to the spec, the phone only generates a new identifier when the MAC address changes or on a new day. But since it's generated in accordance to a 10-minute time window, that means you'd try to derive their key with all 144 possible time windows for that day. And if you find one of those IDs in your list of contacts, then you know you were in contact with someone infected.
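The on-device matching worked out in the comments above, as an added example that is not part of the thread and is not Apple's or Google's code: each published daily key is expanded into its 144 interval identifiers and compared with what the phone heard, and a hit is dropped when it was heard at the wrong time of day, which is the coarse-timestamp replay check mentioned earlier in the thread. The HMAC-SHA256 construction with a `CT-RPI` label, the tolerance of one interval, and all keys, day numbers and sightings are assumptions constructed for this example.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144   # ten-minute windows per day, as worked out in the thread
RPI_LEN = 16              # identifiers are 16 bytes, per the thread


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval of the day.

    Assumed construction: HMAC-SHA256(daily_key, "CT-RPI" || interval),
    truncated to 16 bytes.
    """
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval out of range")
    mac = hmac.new(daily_key, b"CT-RPI" + bytes([interval]), hashlib.sha256)
    return mac.digest()[:RPI_LEN]


def expand_day(daily_key: bytes):
    """All identifiers a phone holding this daily key would have broadcast."""
    return [rolling_id(daily_key, j) for j in range(INTERVALS_PER_DAY)]


def find_exposures(diagnosis_keys, sightings, tolerance=1):
    """Match published keys against identifiers heard locally.

    diagnosis_keys: iterable of (day_number, daily_key) published by reporters.
    sightings:      iterable of (identifier, day_number, interval) heard locally.
    A match counts only if it was heard on the key's day and within
    `tolerance` intervals of the slot the identifier belongs to.
    Returns a sorted list of (day_number, interval) exposures.
    """
    heard = {}
    for rpi, day, interval in sightings:
        heard.setdefault(rpi, []).append((day, interval))

    hits = set()
    for day, key in diagnosis_keys:
        for j, rpi in enumerate(expand_day(key)):
            for seen_day, seen_interval in heard.get(rpi, []):
                if seen_day == day and abs(seen_interval - j) <= tolerance:
                    hits.add((day, j))
    return sorted(hits)


def demo_exposures(tolerance=1):
    """Constructed scenario: one real contact, one replay, one silent peer."""
    day = 18362                      # constructed day number
    alice = bytes(range(16))         # constructed daily keys
    bob = bytes(range(16, 32))
    carol = bytes(range(32, 48))
    sightings = [
        (rolling_id(alice, 57), day, 57),    # genuine encounter
        (rolling_id(alice, 10), day, 130),   # old identifier re-broadcast later
        (rolling_id(carol, 80), day, 80),    # carol never publishes her key
    ]
    published = [(day, alice), (day, bob)]   # bob reported but was never nearby
    return find_exposures(published, sightings, tolerance)


if __name__ == "__main__":
    print(demo_exposures())
```

Only the local sightings are ever compared, so nothing about who the phone heard leaves the device; the server sees a download of the full key list.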


This is huge. A limiting factor has been iOS not being able to (on purpose, for privacy, and battery life) do BLE scanning (edit: or advertising, thanks Slartie) in the background. I imagine this will enable that for specific apps, and I have high confidence privacy will be well-implemented by Apple's involvement (edit: see tastroder's comment for technical docs). Having a single, well-designed spec for Bluetooth advertisement will prevent a world where there are different contact tracing apps, none of which can see each other. Doing this at the platform level will enable enough density of installs to make this effective at scale.


The even bigger obstacle was apps not being able to broadcast beacon signals while they are in background. You could devise workarounds for the scanning problems, but this particular problem of having to be able to continuously advertise your beacon signals did not have a workaround AFAIK. The "workaround" was requiring people to have the tracing app active in foreground all the time, which obviously sucks from a UX perspective and means nobody will do it.

That's why this involvement is really huge and welcome! And besides clearing out existing arbitrary API limitations, Apple's involvement in potential protocol design for such tracing technology is a welcome addition in my view as well, because in contrast to Google, Apple at least earned a modicum of trust when it comes to putting the privacy interests of their customers first.


Also excited because they can likely push both advertisement and scanning into the BLE chips themselves, letting the rest of the system (CPU, etc) sleep. Big win for battery life.


You can, in fact, do BLE scans in the background on iOS. It's tricky and requires some workarounds, like basically everything related to background tasks in iOS.

Source: Providing apps with that functionality.


Which workaround do you use?


While background scanning is limited you can key off iBeacon devices via the location framework. This allows your app to wake up when certain devices are near.


Thinking this might be different. I've been curious what the BLE packet structure might look like. Looks like there's 16 bytes of unique id needed for the "Rolling Proximity Identifier" in the spec. Typically iBeacon would have 16 bytes of unchanging UUID, and 4 bytes that can change: https://support.kontakt.io/hc/en-gb/articles/201492492-iBeac....

Could probably flip it to be a 4 byte prefix (to identify this packet for contact tracing), followed by 16 bytes of the Rolling Proximity Identifier, but not sure if the underlying hardware (the BLE chips) can do low-power matching on a pattern like that. Something only Apple and Google could make work, so this is exciting.

(Or, it could be iBeacon to wake, then making a connection to fetch the Rolling Proximity Identifier. Though, in my experience, not requiring a connection will be more reliable in practice, especially for Android.)


Exactly, this is an important narrative. I've read the spec and I'm really positive (hmm). This could be a game-changer for dealing with the pandemic in a systematic way.


Of course you can do BLE scanning in the background on iOS. It works much better than Android and is very reliable.


They're short-term IDs, set up to explicitly prevent linking to any other hardware characteristics, etc.


Am I the only one who thinks it's mindblowing that people use Facebook, Instagram, LinkedIn, etc. however now that Apple + Google release a tool to prevent thousands of people from dying in a pandemic they start thinking/complaining about the possible privacy implications? (without even having read the specs or knowing the details...)


How many people complaining in this thread use or don't use Facebook, Instagram and LinkedIn? Unless you actually know then it seems like you've contrived a group of hypothetical hypocrite 'complainers' to complain against.


I only use LinkedIn and when I do, I use it in a container so it can't spread its cookies.

LinkedIn is pretty mild anyway in contrast to anything Facebook with their tracking pixels. And unfortunately you can't really do without LinkedIn if you want a job in IT.


And Whatsapp.

And how many people not having already their various metadata collected by Google and not having anything on the Apple servers?


> Am i the only one who thinks it's mindblowing that people use Facebook, Instagram, Linkedin, etc. however now that Apple + Google release a tool to prevent thousands of people from dying in a pandemic they start thinking/complaining about the possible privacy implications?

No. Where have you been? People complain about Facebook, Instagram, LinkedIn, etc. all the time and encourage others to stop using it all the time.

What is mindblowing is the amount of worship for Apple here and the amount of support this has. And preventing "thousands of people from dying" is no excuse for this because we know this has nothing to do with preventing deaths.

The amount of love that Apple, Microsoft, etc. have on every Apple/Microsoft thread is a tad bit suspect in my opinion.

> (without even having read the specs or knowing the details...)

Why would the specs or details matter? It's a matter of principle.

"People might die" so we need to spy/monitor/track you is a very North Korean mindset. But then again, they also use an existential fear (US invasion) to enforce compliance amongst their population.


Agreed. The majority of people have their location history, chats, emails, browsing history, etc. saved on the cloud. This Bluetooth tracker is a complete privacy nothingburger.


This is dangerously close to Feinstein's "think of the children" argument.

If people complain about EARN IT, they should investigate privacy implications of this "enhanced" tracking technology.


Yes, they should investigate. But they should investigate before reaching a conclusion.


It's explicitly not a tracking technology.


I for one use neither Facebook, Instagram nor LinkedIn.

The reason why I worry so much about privacy details is because it can be implemented in a way that respects privacy. If it doesn't, then that is highly suspicious and doubly unfortunate given the circumstances.

But if it is implemented right then I will use it. And thankfully, it seems to be implemented right, so if that holds I will use it and try to convince other people to do so as well.


Most people probably uploaded their contact list to WhatsApp without thinking about it twice.


People aren't being forced to share their health status via FB, IG, etc. Imagine if Facebook published if you had an STD to your friends.


Given the number of deaths caused by STDs, it is perhaps justifiable for such data to be shared in the same fashion as one's Covid-19 status, assuming the sharing of the latter is justified.


COVID is unlikely to be dramatically more deadly than the flu, so the question is, if you're okay sharing your health data over COVID, why not the flu? It kills 650,000 people (60,000 Americans) every single year. The reality is widespread panic moments are when we lose our civil rights.

Remember 9/11? That year more people died slipping and falling in the shower than died in the twin towers. More people died because they chose to drive short distances instead of flying than died in the twin towers. And we got the Patriot act and a trillion dollar war. Humans have a way of overreacting.


> It kills 650,000 people (60,000 Americans) every single year.

That's over a ~6 month season. If you average that out it's 10k per month. We'll have 20k dead tomorrow from covid and it hasn't even peaked yet. This is with extreme lockdown measures implemented. How much worse would those numbers be if everyone was going about their business as usual the way they do the flu?


Well, a study of a German town showed 15% are already immune/have had it and a mortality rate of 0.37% vs the flu at 0.1%. [1] If you run the numbers and project that onto the US population we'd see an incremental 600K deaths this year. Unlike the flu, which mutates aggressively and recurs, we haven't seen much mutation of COVID. That means, unlike the flu which will kill 60K next year, and the following and so on, this will kill 600K once. [2]

So, my answer to your question, is an incremental 600K once. Although given those numbers are averaged and the impact is 100X worse for the elderly than the young, I question whether these would be incremental deaths at all.

In Italy the average dead is 80.5 years old with 3 underlying conditions. If COVID hadn't taken them, the flu may well have. One study showed a case fatality rate of 10% in the over-75s for H1N1.

Ideally, we'd isolate them, and let everyone else out like the Swedes.

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...

[2] https://www.washingtonpost.com/health/the-coronavirus-isnt-m...


> Well, a study of a German town showed 15% are already immune/have had it and a mortality rate of 0.37% vs the flu at 0.1%

You are comparing apples to oranges and calling it grapes.

It is a 0.37% infection fatality rate (including clinically non-significant cases) vs the flu's 0.1% case fatality rate (from clinically significant cases). The case fatality rate for COVID-19 is much higher (say 2% in Germany). Note that these are fatality rates, not mortality rates.

The second factor is that the population has no immunity to SARS-CoV-2, while it has some immunity to flu strains, which means many more infected and therefore a higher mortality rate even with the same fatality rates.

Overall, it seems to me that without any precautions it would be 10x-25x higher overall mortality (say 0.2%) than seasonal influenza (say 0.01-0.02%). Not great, not terrible.


Influenza's 0.1% isn't from clinically significant cases.

Influenza is 0.1% from estimated total cases.

Here's the CDC's preliminary in-season influenza report for this year, showing 39,000,000 - 56,000,000 estimated cases, 18,000,000 - 26,000,000 medical visits, and ultimately 24,000-62,000 deaths (0.061% - 0.1107%)

https://www.cdc.gov/flu/about/burden/preliminary-in-season-e...

These preliminary estimates are roughly in line with recent years.


Well, the link says 39-56 M illnesses, which means symptomatic infections (although some of them may not be diagnosed by a doctor), while the 0.37% for COVID-19 is just the number of seroconversions (including asymptomatic infections, which are not considered illness), so not a comparable number.

With 39M-56M estimated cases, 24k-62k deaths and 330M population, you have 0.06%-0.11% fatality rate and 0.007%-0.018% mortality rate.


Less than 40% of cases result in any visit to a medical professional (# medical visits is about 0.4-0.5 of # cases, but some people will need >1 medical visit)


Your citation says nothing about mutations, yet its placement seems to indicate that is included.


@deanBlunt my bad, updated.


I'm not sure where you get the source that covid19 is no deadlier than the flu, as that seems to be thoroughly debunked at this point.


It's worse, about 3.7X worse according to the latest data, with impact massively skewed towards the older (100X more lethal to them than to a 20-40 year old).


It's more than reasonable to be suspicious of big tech companies, especially the ones residing in Silicon Valley. They haven't earned people's trust and that is the outcome. Just like you would be skeptical of the Chinese Communist Party releasing an app promising to help the world with covid19.


1) Covid19 was largely dangerous for old people cumulating other comorbidities, mostly retired people.

2) Old people don't move that much and don't meet that many other people.

It leads me to believe that the proposed loss of privacy isn't the best way to fight a virus such as a flu.


1. It's old people AND people with comorbidities, which is a ton of people.

2. Lots of old people, which for Covid is about 65, still work full time jobs. Some of them fly every week. These aren't 95+ year olds.

3. I'm sure people of all ages think their life is very valuable, and very few people consider themselves candidates for sacrifice. Certainly not for privacy concerns.

4. 10x deadlier than the flu.


> 3. I'm sure people of all ages think their life is very valuable, and very few people consider themselves candidates for sacrifice. Certainly not for privacy concerns.

This guy also brought us, “childfuckers bad, no crypto for you”.

And don’t forget, “Arab scary, we track your emails”


4. And there's no preexisting immunity, unlike with the seasonal flu. Left unchecked, CoVID-19 will infect a much larger share of the population than flu.


That's not actually true. The seasonal flu affects 45,000,000 Americans every year, and in part because it (a) mutates and (b) there's a huge number of strains, and different ones are dominant in different years. The flu shot is not particularly effective for those reasons (19-60% depending on the year).

COVID however, does not mutate, or has not yet. This means herd immunity is on the table, and so is a ~100% reliable vaccine -- like MMR, not like flu shot.


It is true. A substantial fraction of the population is immune to the circulating seasonal flu, both through vaccination and previous infection with closely related strains.

Only 5-20% of the population gets the flu each year. 60-70% of the population would have to get CoVID-19 before herd immunity brought the reproductive number below 1.


That doesn't make what I'm saying un-true. 20% of the population getting it is enormous and demonstrates that the effect of herd immunity on the flu is negligible. At 20% infection rate annually after a few years, everyone's had it. But due to the virus' propensity to mutate, we don't see herd immunity for the flu. Each new strain resets the counters.

We would see it for COVID. And chances are 15% of us have already had it according to the Gangelt survey.


Without pre-existing immunity, a much larger fraction of the population would get flu each year. That's one of the primary reasons why people worry about pandemic flu, as opposed to the regular seasonal flu. An entirely new strain has the potential to infect a much larger share of the population than the regular seasonal flu, precisely because there's no pre-existing immunity.

> chances are 15% of us have already had it according to the Gangelt survey.

No, that's a completely unfounded conclusion to draw from that study. Gangelt was chosen precisely because it was an extremely hard-hit town. Researchers wanted good statistics, so they went to the place that has the largest case density. There was an early superspreading event in Gangelt, during Carnival celebrations back in February. Hundreds of people came into close contact with a known infected person. The population of the town is only 12,000 to begin with.


> 1. It's old people AND people with comorbidities, which is a ton of people.

Yep, and they should shelter in place. Nobody else should.

> 2. Lots of old people, which for Covid is about 65, still work full time jobs. Some of them fly every week. These aren't 95+ year olds.

Yep, and they should shelter in place, because they're in a risk category.

> 3. I'm sure people of all ages think their life is very valuable, and very few people consider themselves candidates for sacrifice. Certainly not for privacy concerns.

That's an unfortunate way of looking at this. The reality is everything we do in life involves risk. There's risk of harm in shutting down the economy, and there's risk of harm in opening the doors. The lifetime risk of death being involved in a car accident is 1%. The lifetime risk of dying of an opioid overdose is 2%. COVID is much lower than both. Locked inside, domestic violence is up, alcoholism is up -- liquor stores are considered essential so alcoholics won't come in to hospital due to withdrawal.

What we do know is if we lock things down, then one person flies in from a foreign country with the disease the whole thing starts over. Hiding inside is not a sustainable strategy.

Which is why Sweden remains open for business. And you know what? They're doing just fine [1].

> 4. 10x deadlier than the flu.

It is not. We do not know how deadly it is, all we know is that of people who go to the hospital (implying that they're showing serious symptoms) between 0% and 9% of people, depending on their age and comorbidities, die.

That's adverse selection sampling bias. Studies show there's huge, huge quantities of people who either show no symptoms at all (which is the thing that makes this disease a challenge) or exhibit mild flu-like symptoms.

The numbers we're seeing are an upper-bound, by an order of magnitude. It's likely in line with the flu, although we should consider in line with the flu is bad -- it kills 650,000 people each and every year we've been alive.

It's also much harder to immunize against the flu (19-60% effective) due to its propensity to mutate and the huge number of strains that show up each season, with different ones being dominant each year.

On the other hand, COVID does not mutate -- or has not yet.

[1] https://www.forbes.com/sites/jamesasquith/2020/04/04/no-lock...


1. A healthy 30 something has an IFR of something like 0.1%. Doesn't justify a lockdown for a year; does for a couple months.

3. Sweden has experienced over 500 covid deaths in a week. That's a 30% excess death rate. Hardly "fine".

4. I see little evidence it is in line with the flu, unless you are talking about historically deadly flus, not seasonal ones. Flu would not have killed 1.5% of the Diamond Princess population that was infected. 0.7% IFR seems about right (Diamond Princess, Iceland, etc. suggest around this) and that's >7x bad seasonal flu years.


> A healthy 30 something has an IFR of something like 0.1%. Doesn't justify a lockdown for a year; does for a couple months.

It's not 0.1% for a 30-something. The Gangelt survey showed a total population fatality rate of 0.37%, and so far the CFR has ranged from 0% in children to 0.1% for 30-somethings to 15% for 85 year olds.

The Gangelt survey showed 0.37% actual vs. a CFR of 2% overall in Germany so we can divide the CFR for each age group likely by 10. It's probably close to 0.01% for a healthy 30-something.

> Sweden has experienced over 500 covid deaths in a week. That's a 30% excess death rate. Hardly "fine".

It ... is fine, when you take into account that they're never going to get it again, whereas every other country in the world is vulnerable to a single person showing up and re-starting the entire process for everyone. It's not this lockdown I'm worried about it's the next one, when a single person shows up in downtown NYC and we're right back at it again.

Hiding inside is not solving the problem because it's an incredibly infectious disease. Unless you can lock down every single person in the entire world for the entire duration, it will fail.

> I see little evidence it is in line with the flu, unless you are talking about historically deadly flus, not seasonal ones. Flu would not have killed 1.5% of the Diamond Princess population that was infected. 0.7% IFR seems about right (Diamond Princess, Iceland, etc. suggest around this) and that's >7x bad seasonal flu years.

The Gangelt survey showed 0.37% vs the flu at 0.1%. It's worse, I've long maintained it's worse, but it's not massively worse. Certainly not stop-the-world worse. [1]

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...


(It's currently (among other points) debated how well the tests used for the Gangelt survey can tell SARS-CoV-2 from other coronaviruses, and given how little they've published unclear how they corrected for that. Hopefully they'll release more info soon, but lots of experts are skeptical of this specific study, they might very well have classified a bunch of folks that had a cold as "corona")


We have to be pretty careful about demographic adjustments. Does the town surveyed have any nursing homes or hospitals? If not, that'll drastically drop the death rate.

By my napkin math, you get to about a 2-fold difference which explains the 0.37% vs. 0.7% numbers. But remember the flu 0.1% also includes those highly susceptible people.


Heh, the delta is likely because: (1) Iceland has had 6 deaths so it's way, way too early to draw any conclusions from Iceland and (2) everyone onboard the Diamond Princess was onboard a cruise ship, and cruises tend to skew old. The median age of passengers was 69. That age group is affected ~100X harder than young folks (9% CFR vs 0.1% CFR) [1]. If you've got more data to back 0.7% please do share but I've found none compelling so far.

Although for what it's worth Iceland is showing 6 deaths and 1600 confirmed cases for a fatality rate of --- wait for it --- 0.35%.

[1] https://www.cdc.gov/mmwr/volumes/69/wr/mm6912e3.htm#T1_down


My numbers generally come from https://www.thelancet.com/journals/laninf/article/PIIS1473-3....

That paper would give about 3% for a 70 year old. But remember that cruise passengers are healthy enough to be on cruises. 1.5% death rate seems about reasonable when you correct for that (again, this is where you might see that 2x difference).

Iceland has a considerable number of unresolved cases. Whether you use 7 deaths out of 751 recovered, or 20% hospitalization death rate, you get somewhere on the order of 0.9% CFR.


This is all case data, not population studies. The Gangelt study is different because they tested the entire population and not just people walking into hospitals. They found the CFR in Germany (2%) was roughly 10X higher than the actual mortality rate in town.

The CFR is always going to suffer from adverse selection bias at this stage because they're only including people sick enough to walk into a hospital, and not folks who were asymptomatic, and not folks who got mild symptoms and didn't tell anyone. That's going to be basically every young person. Only the old end up in hospital and they're dramatically worse hit.

Population studies are not directly comparable. A global CFR of 1.5-2.5% sounds right, but that doesn't mean that's a mortality rate. The mortality rate is closer to 0.37% based on the population study I cited.

You seem to be arbitrarily multiplying and dividing CFR by 2 to fit a narrative. I'd love to see other population data but I think this was the first and only study, which is why the numbers are much different than you're citing.


Does the town have any nursing homes? Those are accounting for a large percent of deaths in the United States. (Around 20% in California). If a small town has already shipped its least healthy population away, its IFR will look lower.


The ratio of asymptomatic to symptomatic people has been measured, and it's not nearly as high as you're saying. China has been quarantining and testing every single person entering the country, and they find that 2/3rds of cases are asymptomatic.

Moreover, Germany has conducted a randomized serological survey of the population of one town where there was a large outbreak, and determined that the true mortality rate was about 0.4%, which is an order of magnitude higher than mortality due to the flu. That's the mortality if there's excellent healthcare and the system isn't overwhelmed. Mortality will also depend on the age structure of the population, rates of obesity and smoking, etc.

Because a large fraction of the population is immune to the seasonal flu (both through vaccination and previous infection), far fewer people contract it than would contract CoVID-19 in an uncontrolled epidemic.

The combination of a much larger rate of infection than the flu and far higher mortality means that CoVID-19 would kill orders of magnitude more people in one year.


> Moreover, Germany has conducted a randomized serological survey of the population of one town where there was a large outbreak...

1. Results showed 0.37% mortality rate, which is an order of magnitude lower than the fatality rates being published, which is what I claimed -- so I re-iterate: "The numbers we're seeing are an upper-bound, by an order of magnitude." [1]

2. 14% of their town has had it already. [1]

3. That 0.37% rate includes all the old and at-risk folks which I was already suggesting we isolate. Since we know the fatality rate for them is 9% in hospital vs 0.1%, I'd suggest that the actual mortality rate of my plan would be incredibly low. [1] We don't know the demographic distribution of the town, and we do know that the disease is incredibly age-dependent so it's hard to project that onto the population.

Either way the flu is 0.1% so this isn't 10X worse, it's 3.7X worse. At most.

4. The study shows 15% of them are already immune to COVID.

[edit] I found the data [2]. Out of a population of 12,000, 6500 of them are in a risk group (over 45). So 55% of town. This needs to be projected onto the world population factoring into account non-linear risk response.

> Because a large fraction of the population is immune to the seasonal flu (both through vaccination and previous infection), far fewer people contract it than would contract CoVID-19 in an uncontrolled epidemic.

I don't think they are. The flu mutates regularly, and there's a ton of strains. Vaccinations are only 19-60% effective depending on the year. This is evidenced by the 650,000 worldwide deaths (60,000 US) and the 45,000,000 US cases of the flu each year.

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...

[2] https://www.citypopulation.de/en/germany/nordrheinwestfalen/...


> The flu mutates regularly, and there's a ton of strains.

... which a substantial fraction of the population is immune to. Only 5-20% of the population gets the flu each year. CoVID-19 will infect 60-70% of the population, at a minimum, unless measures are taken to contain its spread.

> Results showed 0.37% mortality rate, which is an order of magnitude lower than the fatality rates being published

I've seen most people assuming a mortality around 1%, which is not that far off from these results. In Italy, 1% may well be correct, given how the healthcare system was overwhelmed there.

> I'd suggest that the actual mortality rate of my plan would be incredibly low.

If you can successfully shield the entire at-risk population, which easily approaches half the population of many countries. Once you add up old people, obese people, people with diabetes, smokers, people with heart conditions, and all the other at-risk groups, you come to a sizeable fraction of the total population. Trying to shield those people while the virus infects most of the rest of the population sounds incredibly risky to me. It's not even obvious that you can achieve natural herd immunity without at-risk people getting sick, because you need 60-70% of the population to get sick.

Overall, I don't understand the motivation behind such a risky plan. Why not just go through a 6-week period of lockdown, and then control the epidemic afterwards with extensive testing, good contact tracing and social distancing measures? Countries other than the US appear to be successfully implementing this strategy. Some, such as South Korea, acted competently enough that they didn't even require the lockdown phase.


> Only 5-20% of the population gets the flu each year.

Only 20% of America is 70,000,000 people. That's staggering. The economic impact of the flu is enormous.

> I've seen most people assuming a mortality around 1%, which is not that far off from these results. In Italy, 1% may well be correct, given how the healthcare system was overwhelmed there.

It may be 1% in Italy because the population of Lombardy was overwhelmingly old, and overwhelmingly sick. The average age of death in Italy was 80.5 and the average number of underlying medical conditions was three.


> may be 1% in Italy because the population of Lombardy was overwhelmingly old

Multiple official sources in Italy estimate that the real number of infected is 10 times the reported one. This explains the high death rate.


> Only 20% of America is 70,000,000 people. That's staggering.

So imagine 4x as many people getting infected with a virus that is many times as lethal.

> It may be 1% in Italy because the population of Lombardy was overwhelmingly old, and overwhelmingly sick.

And the US has other problems, such as obesity. But the mortality will be much higher wherever the virus overwhelms healthcare systems. As we've seen, that can happen very quickly.


If we, again, assume that 15% of the US has already had it (as in Gangelt), and that herd immunity kicks in at 60-70%, that means we'd expect to see another 45-55% of the population -- 147-179 million cases. If we actually isolate the vulnerable, basically nobody would die.


That would be an incorrect assumption. The Gangelt study is about one small town in Germany where there was a known superspreading event at the Carnival festival.

If 15% of the US had already been infected, then based on the Gangelt study, there would be 200 thousand deaths, and millions hospitalized with severe illness.

You're completely misreading the Gangelt study.


> The lifetime risk of death being involved in a car accident is 1%.

You're off by a factor of 100. It's .01%.

> The lifetime risk of dying of an opioid overdose is 2%.

For who? Someone who uses opioids? Maybe, on average, again you're off by a factor of 100 or more.

> We do not know how deadly it is, all we know is that of people who go to the hospital

No, of people who test positive, which includes people with relatively mild symptoms that don't go to the hospital, but had reason or ability to get tested.

South Korea is probably the best current testbed here, they had very widespread testing and they've had very, very slow growth recently so the CFR numbers are probably relatively accurate. They see a 3% CFR.

> Which is why Sweden remains open for business. And you know what? They're doing just fine [1].

Normalized by population, Sweden has seen more deaths and more infections than California, by about 50%, and it will likely continue to grow at a similar rate. The problem with exponential growth is that things look like they're doing just fine until suddenly they aren't and there's no way to fix things.


> You're off by a factor of 100. It's .01%.

> For who? Someone who uses opioids? Maybe, on average, again you're off by a factor of 100 or more.

No, lol, it's not. Those are averages across the US population. Your lifetime odds in the US of dying in an automotive accident is 1:103 [1].

I should have said accidental poisoning which is 1:64 [2] but half of that is actually opioids (1:96) so you're still more likely to die of an opioid overdose than being a party to a car accident. Most people don't set out to get hooked on Oxy, they get hurt or undergo surgery, are prescribed them, and that's that.

There's 40,000 deaths per year related to car accidents, which if you multiply out by the average lifetime (78.69 years) is right around 3.2 million, or 1%.

This is fair to compare against COVID because due to its extremely limited propensity for mutation, the COVID mortality rate does represent what approximates lifetime risk. (i.e. unlike the flu, you won't get it again).

> South Korea is probably the best current testbed here...

I argue the best testbed is the German study I cited where they actually tested... everyone. CFR is not mortality rate, it's about an order of magnitude higher, again, I cited my data. And in my intuitive explanation that you're not factoring out adverse selection risk of only very sick people going to the hospital in the first place.

> Normalized by population, Sweden has seen more deaths and more infections than California.

Because everyone in California is inside. I'm sure they've seen an order of magnitude more flu deaths too because nothing spreads when you're inside. They're probably seeing infinitely more car accident deaths, too. Life's risky, and you're not comparing honestly.

[1] https://www.iii.org/fact-statistic/facts-statistics-mortalit...


> Your lifetime odds in the US of dying in an automotive accident is 1:103 [1].

No they're not. The lifetime odds for the average American are. For opioids as an example, as someone who doesn't use opioids, my lifetime odds of dying from an overdose are essentially nil. The distribution is bimodal.

> This is fair to compare against COVID because due to its extremely limited propensity for mutation, the COVID mortality rate does represent what approximates lifetime risk. (i.e. unlike the flu, you won't get it again).

You claim this with great certainty, but it hasn't been around long enough to know that it won't mutate in annoying ways.

Further, it's still not fair to compare that way. In the past 2 decades, we've had 4 or more dangerous flus that aren't seasonal (SARS, MERS, H1N1, H5N1, COVID-19). Of these, most weren't infectious enough to be super dangerous, but two were (H1N1, COVID-19), each of which killed at least 100K people worldwide, and COVID-19 is on the path to claim a million lives worldwide this year.

That's not a once-in-a-lifetime event, it's once a decade or even once every few years.

> I argue the best testbed is the German study I cited where they actually tested... everyone.

And the flaws in that study have been noted elsewhere. SK is a better testbed since they also tested huge swaths of people, even those not showing symptoms, and

> CFR is not mortality rate

The CFR of the flu is .1%, which would make COVID more contagious, and 30x more deadly. I'm not sure why the mortality rate matters since given the higher infection rate, COVID would have an even higher mortality rate.

> Life's risky, and you're not comparing honestly.

And the risk from COVID goes up if everyone catches it simultaneously. The CFR goes up even further if hospitals are overwhelmed.


> No they're not. The lifetime odds for the average American are. For opioids as an example, as someone who doesn't use opioids, my lifetime odds of dying from an overdose are essentially nil. The distribution is bimodal.

So now you accept that I wasn't off by 2 orders of magnitude, but are pedantically calling out that I wrote "your" even though I specifically wrote "Your lifetime odds in the US" -- which, if we're going to be entirely pedantic, applies to everyone on earth. Maybe look up your numbers and share them?

You're ignoring how people end up addicted to opioids. The shape of the distribution is both entirely irrelevant and you haven't cited your source.

This makes me think your goal is to win an argument instead of having a genuine discussion.

> You claim this with great certainty, but it hasn't been around long enough to know that it won't mutate in annoying ways.

I'm citing data from experts [1].

> ...we've had 4 or more dangerous flus that aren't seasonal (SARS, MERS, H1N1, H5N1, COVID-19).

SARS, MERS and COVID are not flu viruses, they're coronaviridae. H1N1 and H5N1 are mutations/subtypes of the Influenza A virus. The coronaviridae are different.

> And the flaws in that study have been noted elsewhere. SK is a better testbed since they also tested huge swaths of people, even those not showing symptoms...

SK has not tested huge swaths of the population, they've tested around 1%. [2] They may have tested more than most people, but that's not what you claimed. They've tested some not showing symptoms. Huge difference as compared to testing 100% of the population.

> The CFR of the flu is .1%, which would make COVID more contagious, and 30x more deadly.

The study I referenced mentioned 0.1% for the flu vs 0.37% for COVID. Feel free to read it. That would make it 3.7X not 30X. Because the flu has been around so long the fatality rates are largely determined by mathematical modeling, and are very close to the actual fatality rate. On the other hand, we're still figuring it out for COVID.

Yes, it is more contagious. Nobody's argued that.

> And the risk from COVID goes up if everyone catches it simultaneously. The CFR goes up even further if hospitals are overwhelmed.

Which is why, scroll back up, we isolate the vulnerable.

[1] https://www.washingtonpost.com/health/the-coronavirus-isnt-m...

[2] https://www.barrons.com/articles/south-korea-coronavirus-cov...


> So now you accept that I wasn't off by 2 orders of magnitude.

You're right, but it doesn't make the numbers you're citing any more relevant.

> SARS, MERS and COVID are not flu viruses, they're coronaviridae. H1N1 and H5N1 are mutations/subtypes of the Influenza A virus. The coronaviridae are different.

Who is being pedantic now? The point is that novel viruses are not a once in a lifetime occurrence, so you can't compare the risk of "COVID-19" to "lifetime death rate", since a new novel virus will come along in a few years. The danger is not covid-19 in particular, but novel viruses in general, and doing nothing would lead to a 1-year fatality rate for a novel virus on par with the lifetime danger of driving. Which means the lifetime danger of the virus is 20x or more the danger of driving. That's

> The study I referenced mentioned 0.1% for the flu vs 0.37% for COVID. Feel free to read it. That would make it 3.7X not 30X. Because the flu has been around so long the fatality rates are largely determined by mathematical modeling, and are very close to the actual fatality rate. On the other hand, we're still figuring it out for COVID.

Yes, but the CFR of the flu is well understood. The CFR of COVID-19 is not, and your entire argument is based on one study which is not conclusive, has had some flaws pointed out elsewhere in this thread, and generally doesn't match observed CFR elsewhere.

> Which is why, scroll back up, we isolate the vulnerable.

Which, ask any epidemiologist, doesn't work, since hospitals get overwhelmed anyway. The hospitalization rate of young people is still pretty high (maybe not quite 20% as it is for the overall population, but still more than 10%), they just don't die with reasonable care. There's a fair number of cases of healthy 20-something year olds who end up hospitalized for a week or more due to COVID and need ventilators. Not to mention healthy 40-something year olds.

Even if you manage to perfectly isolate every at risk person, there's still a nontrivial risk of overwhelming ICUs anyway. And then the fatality rate among young people would go up as they couldn't get good care. And you're not going to perfectly isolate every at risk person. So then you have more young people hospitalized, more old people hospitalized, and well you're in a bad spot.

Or you end up expanding the definition of "at risk" to include "obese, heart disease, diabetes, or high blood pressure", and you've ended up essentially where we are now, with the majority of the US population in an "at risk" group.

> SK has not tested huge swaths of the population, they've tested around 1%

You realize that for population level statistics, that's fine. That means that 490000 tests have returned negative. If, as the Italians think, 10x as many people are infected, somehow there would need to exist 100K+ infected people, showing no symptoms, basically none of whom appeared in the 490000 negative samples. Such a probability is negligible. The sample sizes are large enough to remove the possibility.


Well, in the US for seasonal flu the deaths estimation [1] for this season are 24k-60k deaths, for covid19 is 60k-240k, where 60k is applying lockdown, not "everybody work normally". And obviously they are on top of the typical deaths.

[1] https://www.statnews.com/2020/04/09/its-difficult-to-grasp-t...


The German survey showed an actual fatality rate of 0.37% vs the flu at 0.1%. We know herd immunity is in the cards due to the lack of mutation of COVID, and that kicks in at 60-70% of the population.

The German study also suggested up to 15% of people may already have it, so we can further reduce this number (an incremental 45-55% of the population getting infected) -- So, if we run some simple arithmetic, we'll see the number of fatalities will be approximately 60-70K.

This is in line with the number of fatalities in a difficult flu season. The difference is because COVID does not mutate (or has not yet), this will be a one-off, one-time, one-year issue. The flu kills 60,000 each and every year. The Swedes have it right.

We can mitigate this by isolating the vulnerable.

So yes, we are, in fact, overreacting.

[EDIT] I wonder if this is in fact in excess of deaths we'd see anyways. I'd imagine an 80.5 year old with 3 underlying medical conditions (average in Italy of the dead) isn't just as vulnerable to a bad flu as they are to COVID, so if COVID takes them, the flu won't.

[1] https://www.technologyreview.com/2020/04/09/999015/blood-tes...


Firstly, the German study analysed one small particularly hard hit town, so how you are extrapolating this to "people" in general is puzzling.

Secondly, there is a very wide range of reported fatality rates, with myriad factors known and unknown, so why you've chosen the lowest one globally (which, by the by, has always been an outlier and in any case is edging up past 1%) as the "actual" rate is, again, puzzling.

Finally, you are making a giant but unfortunately common logical error in using these already questionable death counts to make the case for an overreaction without attending to the obvious fact that without this "overreaction" every town, village and city on Earth would be Bergamo, where army lorries are conscripted to transport the dead from overwhelmed mortuaries, or worse.

Do better friendo.


> Finally, you are making a giant but unfortunately common logical error in using these already questionable death counts to make the case for an overreaction without attending to the obvious fact that without this "overreaction" every town, village and city on Earth would be Bergamo, where army lorries are conscripted to transport the dead from overwhelmed mortuaries, or worse.

Italy has the highest average age in Europe, and we know the virus is about 100X worse for people over 65 than it is for a 20 year old. Lombardy is the oldest region in the oldest country in Europe. The average age of the dead in Italy is 80.5 and has 3 underlying medical conditions. That's why it's so high there. I specifically called that out in the [EDIT].

I'd suggest doing some more reading.

The demographics in Gangelt skew older too, but otherwise they appear thoroughly average, and a totally reasonable representative sample. Especially as you yourself call out they were "particularly hard hit."


You don't see me claiming that the global death rate is 10% though, do you?


This actually isn't entirely on top of the typical deaths, as many of the folks dying of COVID are folks that were very likely to have died from their other underlying conditions anyway this year.

Especially now that we are counting all deaths in COVID-positive or presumed-positive individuals as COVID deaths regardless of cause of mortality.


The spike in mortality across northern Italy contradicts your claim that these people would have died anyways this year.


The estimate for the "no mitigation" scenario by the Imperial College is 2.2 million deaths [1] in the US. There is a large range of estimates that have come out since then to take into account the mitigation that has happened and how effective they have been. Lately things have been looking better but without some comprehensive contact tracing and isolation system we cannot "reopen" and drop those mitigations without moving back into the range of hundreds of thousands of casualties.

https://cleantechnica.com/2020/03/18/imperial-college-epidem...


That write-up was based on extremely early CFR data, with no population studies having been conducted at the time. Latest data is pointing to, as I called out, a fatality rate of 1/10th the CFR. This is especially true as we're counting anyone who tested positive for COVID as a COVID death, even if they were hit by a truck.


With a CFR of 0.4%, 1 million Americans would die.

Of course, if more than 200 million Americans came down with CoVID-19 in a short span of time, the health system would collapse.


Is that why they are digging mass graves in New York?


It could only work if everyone wears a phone. And then what's next? Forcing everyone by law to always wear a phone at all times?

I would rather see new phone sensors that scan the air, the breath and the body for diseases than a new tracking technology. We could also develop new medicines, etc. Not tracking.

Edit : we also don't have much knowledge about why the virus is more lethal for some people than others. We should focus effort at predicting who will be asymptomatic and who will develop complications, rather than trying to stop the virus from spreading by isolating people


The spec pdf looks a lot like the DP-3T protocol. The DP-3T docs have more explanation and a good discussion of privacy aspects.

https://github.com/DP-3T/documents

paper: https://github.com/DP-3T/documents/blob/master/DP3T%20White%...

data protection aspects: https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Da...

Here's an overview comparing that approach to some others (such as Singapore's tracetogether): https://github.com/vteague/contactTracing


They're not the same and I think Google/Apple's is a bit better. In DP3T the infected person shares a single daily key from which all future daily keys can be derived. In Google/Apple's each daily key is HKDF derived from a master key and they are not linkable. Infected people share the relevant daily keys from their infection period. That's more data to push around, but it is better for privacy.

It means that contacts with infected persons can't be linked across days, and it means that I can't build an app that alerts me that someone who was previously infected just walked by.


> It means that contacts with infected persons can't be linked across days, and it means that I can't build an app that alerts me that someone who was previously infected just walked by.

Edit: This actually turns out to be correct, but your conclusion:

> It means that contacts with infected persons can't be linked across days, and it means that I can't build an app that alerts me that someone who was previously infected just walked by.

Is not possible, because every time secrets are made public, the secret key is reset.

[1] https://github.com/DP-3T/documents/blob/master/DP3T%20White%...


I see: SK_(t) = H(SK_(t-1)), where SK_(t) is the secret key for day t.

This seems to align with the statement that knowing the key for one day (i.e. once it is uploaded following diagnosis) allows one to derive all future keys. Is there another section I am missing?

Edit: clarified that daily keys are shared post-diagnosis, to trace prior contact.


Indeed, sorry. I was under the impression that every daily ratchet-key was independent, and only the inter-day keys were linked. The conclusion of your post still is not possible however. I edited my post.


GP is correct, but it doesn’t matter much. They were referring to daily key, not the EphID (RPI in the Apple/google spec).

DP3T specifies that SK_t = H(SK_{t-1}). In that design, you share the daily key from when you started to become infectious, and then the subsequent ones can be computed. Then you go into quarantine, stop being infectious, and (see spec) create a new random daily key going forward (or delete the app).

In the A/G proposal, daily keys can’t be correlated, and you share the daily key for each day you were infectious.

The end result seems pretty much the same for me.


The difference is that you can continue tracking a person indefinitely, even after they are no longer infectious. It requires explicit user action to avoid that (opt-out vs opt-in).


If the DP3T app is implemented to spec and creates a new random daily key after the infectious period ends, no.

If the A/G app is not implemented to spec and keeps uploading daily keys even after the infectious period is over, yes.

So, dunno. A/G has a bit more privacy (maybe) for 5x more data volume than DP3T.


With the DP3T derivable day keys, you could identify that you were actually in contact with the same infected person multiple days.

If the server ships 14 * (# of people infected) every day to every user, instead of just (# of people infected) and have the client generate the 14 keys for each infected person, you would only be able to identify that you were in contact with an infected person. With the DP3T proposal, it looks like you can identify that you were around the same infected user multiple days, which might be slightly worse for privacy (in the sense that it would help you identify who you got it from).

But in either case, because the secret key is reset after being made public, it would not help you identify who was previously infected.
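
Added example, not part of any comment in this thread and not code from DP-3T or Apple/Google: a Python sketch of the two key schedules argued over above, showing which days a passive observer can match and link from what an infected user publishes. Only SK_t = H(SK_{t-1}) and "daily keys are HKDF-derived from a master key" come from the thread; the ephemeral-ID derivation, the HKDF info label, the key lengths and all seeds are simplified or constructed assumptions.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, info, length, salt=b""):
    """HKDF per RFC 5869 with SHA-256 (extract, then expand)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def ephemeral_ids(day_key, per_day=4):
    """Broadcast IDs for one day. Simplified assumption: truncated HMAC over
    an interval counter; the real specs define their own derivations."""
    return {hmac.new(day_key, b"EPHID" + bytes([j]), hashlib.sha256).digest()[:16]
            for j in range(per_day)}


# --- DP-3T style chain: SK_t = H(SK_{t-1}) -------------------------------
def dp3t_next_key(sk):
    return hashlib.sha256(sk).digest()


def dp3t_device_keys(seed, days, rotate_on=None, fresh_seed=None):
    """Daily keys held by a device. If rotate_on is set, the device replaces
    the chain with a fresh key on that day (the post-upload reset the thread
    describes)."""
    keys, sk = {}, seed
    for day in range(days):
        if day > 0:
            sk = fresh_seed if day == rotate_on else dp3t_next_key(sk)
        keys[day] = sk
    return keys


def dp3t_match(published_sk, start_day, observed):
    """Observer walks the hash chain forward from ONE published key."""
    hits, sk = [], published_sk
    for day in range(start_day, max(observed) + 1):
        if ephemeral_ids(sk) & observed.get(day, set()):
            hits.append(day)
        sk = dp3t_next_key(sk)
    return hits


# --- Apple/Google style: independent daily keys from a master key --------
def ag_daily_key(tracing_key, day):
    # Info label and 16-byte output length are assumptions for this sketch.
    return hkdf_sha256(tracing_key, b"CT-DTK" + day.to_bytes(4, "little"), 16)


def ag_match(published, observed):
    """published: list of (day, daily_key). Each key is tested on its own."""
    return [[day] if ephemeral_ids(key) & observed.get(day, set()) else []
            for day, key in published]


def observe(device_keys):
    """Constructed worst case: the observer hears every ID on every day."""
    return {day: ephemeral_ids(key) for day, key in device_keys.items()}


def demo():
    days, first, last = 10, 3, 5  # constructed: infectious on days 3..5
    seed = hashlib.sha256(b"constructed: alice").digest()
    fresh = hashlib.sha256(b"constructed: alice after upload").digest()
    carol = hashlib.sha256(b"constructed: carol").digest()

    # DP-3T: Alice publishes the single key of her first infectious day.
    rotated = dp3t_device_keys(seed, days, rotate_on=last + 1, fresh_seed=fresh)
    unrotated = dp3t_device_keys(seed, days)
    dp3t_rotated = dp3t_match(rotated[first], first, observe(rotated))
    dp3t_unrotated = dp3t_match(unrotated[first], first, observe(unrotated))

    # Apple/Google: one key per infectious day, mixed with another user's key.
    ag_keys = {d: ag_daily_key(seed, d) for d in range(days)}
    published = [(d, ag_keys[d]) for d in range(first, last + 1)]
    published.append((4, ag_daily_key(carol, 4)))  # never heard by the observer
    ag = ag_match(published, observe(ag_keys))

    return {"dp3t_rotated": dp3t_rotated,
            "dp3t_unrotated": dp3t_unrotated,
            "ag": ag}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the chained keys, every matched day hangs off one published key, so the observer knows the contacts on days 3, 4 and 5 were the same device, and matching continues past the infectious window if the device never resets its key. With independent daily keys each published key matches one day on its own and nothing in the key material ties the days together.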


Check the second half of the DP3T white paper - the 'high cost' version does not do that, and unlike the Apple/Google version, allows you to redact more specific times of day you do not want to upload, for whatever reason. It is important to also weigh up these issues against daily bandwidth concerns for usability.


An interesting Twitter thread on why the stand-alone contact tracing apps that many others are building won't work, and why integrated platform solutions like this are necessary: https://twitter.com/zainy/status/1248482486524379137 (but of course, necessary does not mean sufficient)


Also, efficiency depends on how many persons can be tested. If it's 10000 a day, in my country, it's about 1/500th of the population a day... If it's enough to test say 1/10 of the population to have some results, this will take 1-2 months...

I have the impression that all of this is forced upon us as to make us believe that it is safe to get back to work ASAP. Wouldn't it be better to just wait ? (I'm not interested in the economical debate : this will invariably lead to compromises such as how many victims can we afford to keep the economy going ? (nobody will tell it that way, but in the end that's the truth behind those arguments))


FWIW, I’ll “tell it that way”. I think it’s an interesting topic. And a real one manifest in our actions all the time. There is a real cost to life and trade offs.


I'd say that's the pragmatist versus idealist debate. I'm on the latter side :-)


Well if we were hanging out in person it’d be fun to hash this out :)


Yes. If ever there was the necessity for one standard that almost everyone uses, and not 20 competing incompatible ones, then here.


The argument is OK, but fails to mention the fact that Singapore's TraceTogether and Stanford's Covid Watch are pursuing a common Bluetooth covid tracing standard that everyone can adopt. So you don't need mass adoption of a single app.


We worked on a project relating to TraceTogether. We could not get Android<>iOS interoperability to work well.


I've spent the last 3 weeks with my team building exactly this - contact tracing apps for both android and ios that use bluetooth tech[1]. This will probably require us to redo the app completely to fit into their API plans, but I'm glad they are, in a way, acknowledging our idea.

The troubling thing is, bluetooth-based contact tracing is in no way easy. Different android phones handle background bluetooth scanning / advertising differently and some tend to require additional config changes - such as disabling battery saving features - to even make it work. And iOS bluetooth advertising in background is just bad. Since u can't add custom UUIDs to the advertisement package, just advertising data is often not enough, so u have to connect too, which creates a range of other problems. I suspect they will release OS upgrades to solve some of these issues, but not all devices will be fixable (eg, older Android devices). This, combined with the fact that they will start rolling out this feature in May, makes me think it will not help us much for the latest wave of COVID-19 infections. Might come in handy for the next epidemic, though.

[1] - https://github.com/cryptekio/corridorapp-android


Do you think that GPS coordinates will be exposable with the API so that there can be public tracing maps online? Obviously a big privacy issue where the actual bluetooth ID and the person's identity have to be fully anonymized but if GPS coordinates of contact points can be exposed publicly, there can be good public tracing maps that can show where contact events are happening and in what numbers so that people can avoid certain areas (and on the other end where other areas are safe where there's no contact). This can publicly also be used to display R0 counts in different zip codes and geographic areas.


I don't see any mention of it in the current context of bluetooth device proximity tracing. It is possible, however, that apps that will build up on this API will also fetch location history separately from already established mechanisms on each OS.

As a matter of fact I see this as a very likely scenario as this is precisely what South Korea has already done.[1]

[1] - https://www.youtube.com/watch?v=BE-cA4UK07c


I think the real interesting private sector utility will come from implementations of the contact-tracing map instead of just the bluetooth app (which there will likely be "official" ones or ones being worked on directly by Google/Apple themselves).


Just to clarify, the Apple/Google proposal discussed here does not require geo location (and I’d assume that you don’t have to give it access to location data).


Thanks for that. One path to greater longevity is to explore the idea of what else you could do with it besides contact tracing for disease that users might find useful. For example, what if users with a common interest had the ability to identify themselves to each other but not those who don't share that interest? If it's useful for something else besides coronavirus mitigation, you'll have the rare opportunity to reach almost everyone at once.


Pretty good illustration of how private and secure contact tracing can work here: https://ncase.me/contact-tracing/

Not sure whether that's what this implementation would look like.


I'm not a security expert. However, this part looks worrying:

> alice can also hide messages from times she wants to keep private

If there's a need for this, doesn't that imply that the scheme does not actually keep Alice's privacy in all situations?

Furthermore:

> the random messages give the hospital NO INFO on where Alice was

This seems to assume that the hospital (or anyone with access to the data, such as governments) didn't capture the broadcast messages together with their location. With enough Bluetooth receptors in busy areas, a government could easily find out where Alice had been by looking up each of her messages in their list of message/location pairs?

Experts can probably come up with nastier and/or easier exploits...


This definitely isn't "private". It's just obfuscated.


Agreed, whenever you divulge any info, you're always losing bits of randomness (obviously, more or less depending on how good the protocol is!).

In particular, given an adversary who has several points (receiving these codes) and knows the receiving location of each of these points can de-anonymize a person "A" who is COVID positive if they know, e.g., a minimal amount of A's usual daily movements (from cellphone tower location, for example).

That being said, the government probably has better ways of knowing who has COVID-19 and other infectious diseases :)


"The phone warns Bob to self-quarantine". So the app knows, and the crisis will indoctrinate people to trust such apps.

Once the crisis is over, they'll continue to use such "safe" apps, for other purposes ...


The problem with doing any sort of effective contact tracing requires special APIs for iOS and Android because newer versions of both OS disallow background communication and location gathering


You don’t need location gathering for this. All you do is store anonymous identifiers from people in the vicinity.


The relevant privacy details:

https://covid19-static.cdn-apple.com/applications/covid19/cu...

"Privacy Considerations

• The key schedule is fixed and defined by operating system components, preventing applications from including static or predictable information that could be used for tracking.

• A user’s Rolling Proximity Identifiers cannot be correlated without having the Daily Tracing Key. This reduces the risk of privacy loss from advertising them.

• A server operator implementing this protocol does not learn who users have been in proximity with or users’ location unless it also has the unlikely capability to scan advertisements from users who recently reported Diagnosis Keys.

• Without the release of the Daily Tracing Keys, it is not computationally feasible for an attacker to find a collision on a Rolling Proximity Identifier. This prevents a wide-range of replay and impersonation attacks.

• When reporting Diagnosis Keys, the correlation of Rolling Proximity Identifiers by others is limited to 24h periods due to the use of Daily Tracing Keys. The server must not retain metadata from clients uploading Diagnosis Keys after including them into the aggregated list of Diagnosis Keys per day."

It doesn't look bad, at least, at the first sight.

A detail: I hope the "day begin" for the "Daily Tracing Key" is the same for all users? I.e. not a local day but e.g. GMT+0 day or something.


That combination Apple-Google logogram is scary! It’s like an image from some corporate future dystopian sci-fi.


It's like you don't trust Weyland-Yutani at all.


I only trust Tyrell Corporation for my off-world needs.


I just re-watched Blade Runner. Eerie.


"Building better worlds."


It's oddly natural to see them together.

Many years ago I was at a black market in Beijing filled with every possible fashion counterfeit, and I found one black leather belt that had both Gucci and Calvin Klein logos on it.

It similarly seemed natural for a second ("even more fashion, right") until my brain did a double-take.


The logogram in OP suppresses Google’s four colors, and so did the one on Google’s blog:

https://blog.google/inside-google/company-announcements/appl...

Also, the Apple logo is first. I wonder how this was decided?


Personally, I would choose to put the Apple logo first on aesthetic grounds.

Not because I like that logo better but because it is smaller. Since English reads left to right, if the short thing comes after the long thing, it looks lopsided.

Also, since the Google logo is larger, it is going to be more prominent no matter what, so putting the Apple logo first balances that out a bit. Seems fair to me.


A comes before G? Logo designs typically have a logo followed by text. Seems to apply here too. It might not be anything about who can pee further.


> Logo designs typically have a logo followed by text

This. It would look weird if the order were the other way around.


My guess (hope) is a group of reasonable adults talking about this collaboration (remotely) decided that the order of logos was of far less importance than them working together.

Someone probably said — “how about this?” and scribbled something. May have even been a Googler.

Then everyone else just said “sure”.

At least, that’s how I’d like to think it went.


Alphabetically and/or birthdate


Alphabetically maybe.


Line crossed. Prepare for trouble.


And make it double?


The less scary and comfort version is CIA/NSA rolling out such a service in minutes. How about that?


Looks like it was inspired by the TraceTogether app built by the Singapore Government and recently Opensourced.

https://www.gov.sg/article/help-speed-up-contact-tracing-wit...

https://github.com/OpenTrace-community


> Looks like it was inspired by the TraceTogether app built by the Singapore Government and recently Opensourced.

Not really. This is based on the TCN approaches by Covid-Watch, Co-Epi and DP-3T (submission to PEPP-PT). TraceTogether fundamentally functions very differently.


Link to the TCN Coalition: https://tcn-coalition.org/

I am one of the developers working on Co-Epi, and am very happy to see that Apple and Google are improving their APIs to support our work.




There's a presentation linked at the bottom which explains in brief how contact tracing will work:

https://blog.google/documents/57/Overview_of_COVID-19_Contac...

Apple and Google should have included the chart in their announcements, IMO. It illustrates the process in a way that's easier to understand than text alone.


The interest in "privacy" around contact tracing seems like a ship that sailed a long time ago to me. Verizon etc all already have this data, and it isn't "private", and so does uber, lyft, and every other overly-aggressive-permission-asking-app that anybody has ever installed.

Privacy is really important: but we lost it all a long long time ago. Maybe saying "well now we can do a good job of contact tracing" is at least some good coming out of that loss of privacy. I just hope we don't end up wasting time trying to make the contact tracing "private" as if by doing otherwise we'd be giving something up that we didn't already give up long ago.


That's too defeatist: these contact tracing tools will be gathering data that isn't available any other way - otherwise, they'd just be going straight to Verizon etc for what they need.

Presumably the bluetooth recording will give much better fidelity/precision about who is close to who, in all conditions (in buildings, in the subway, etc), where simple phone triangulation or GPS won't be accurate enough.

That's far more data than the phone companies have on us right now, so it is a good thing that people are considering the privacy issues. Just saying "we've already lost" only makes things worse.


I don't know how effective this was, but Israel did exactly this: https://techcrunch.com/2020/03/18/israel-passes-emergency-la...

US public institutions seem frankly sclerotic. The fact that the government has or has not done something provides almost no signal on whether something is possible or not.


In this context I think you can distinguish between three different kinds of location-related data:

* cell tower data

* phone GPS data

* Bluetooth data about proximity to specific other people

For most purposes these are increasing in precision and sensitivity. But also, governments can demand that carriers turn over the first kind, but the second two are generally under some kind of user control according to mobile OS designs. There is no single place that automatically gets this data about every smartphone user.

Some of the discussions about privacy for the kind of technology that Apple and Google are working on here are based on observations like

* there actually is no existing way that health authorities could get detailed Bluetooth proximity information about all smartphone users

* this information is potentially more useful for epidemiological purposes, and also more privacy-sensitive, than just GPS sensor data, because it may more reliably map individual people's interactions with one another (for example, potentially confirming that people were likely in the same room rather than just in the same building)

* there are cryptographic concepts that could potentially make this data useful for contact tracing, if users cooperate to a certain extent, in a way that would still make it difficult to obtain or use the data for a different purpose

Another way of putting it is that many people looking at this question think that there is an incremental privacy harm from disclosing Bluetooth proximity data (compared to data that is already available), and an incremental benefit to epidemiology from finding a way to process this data for contact tracing purposes (compared to data that is already available).


I would think that for contact tracing, you need more than Uber/Lyft/Verizon-level GPS/WiFi triangulation/cell tower triangulation accuracy inside cities. With contact tracing, a proximity of 1 or 20 meters probably makes a large difference. Hence these apps will also have to use Bluetooth Low Energy continuously.

https://www.imec-int.com/en/articles/imec-sets-new-benchmark...


I downvoted you because this is false. This is enhanced individual tracing and will only get worse over time. We should fight tooth and nail against all new anti-privacy schemes like this.


This would have a lot more detailed data than Verizon since BLE can calculate distance relatively well. Verizon just knows which tower you are on.


Right. But it's not like they're going to "just" announce that.

"Hey everyone - so yeah, we're using all your data you're willingly providing all these apps on your phone, like location, contacts, camera...So thanks for helping...Okay, bye!".

But you're right. Every day there is so much information from the spies we carry around with us as they communicate that it'd be unfathomable they're just "ignoring" all of this information.

The chances are in some privacy policy it says they can share that data with their "partners" which silently gets back to the government.

Just use what you already have, what we already know you have, and if it saves lives then at least it was put to good use.


Since so many companies have it, why not take it back and make it a public commons?


Two major OS platforms covering the majority of the population working together in an attempt to better track current populations at the behest of the government. How could anyone even begin to feel a wee bit cynical? To question this effort is worse than wanting PATRIOT ACT to expire. It is downright un-American.

I hate the fact that I definitely see a good reason for it and the government is more than happy to accommodate this power grab.


Have you even read the spec before dumping your thoughts? They address the privacy concerns explicitly. A short summary:

- Doesn't collect personally identifiable information or user location data

- People who test positive are not identified to other users, Google or Apple

- List of people you’ve been in contact with never leaves your phone

https://blog.google/documents/57/Overview_of_COVID-19_Contac...


I will admit that I did not, but having seen trends over the past few decades taught me to be rather skeptical. In other words, today's specs are little more to me than promises. I am ok with being downvoted for this.

edit: I just "read" it ( it is not even a spec - it is not even a powerpoint presentation ). You are down voting me for questioning a couple of pictograms?


A technical outline is here: https://covid19-static.cdn-apple.com/applications/covid19/cu... also linked elsewhere in this thread.


Thank you for this. It may take me a little longer to digest.


There is nothing wrong with being skeptical, I just think your objections are out of place. If you are really concerned then it's probably best not to use Android or iOS at all, who knows what data might be shared with the government without your knowing? This spec (or any app built on top of this spec) doesn't really change anything about that.

Edit: I wasn't downvoting you, and the link was the source for the summary for the privacy considerations. The details are in the actual spec.


I disagree. You base your opinion on nothing more than a couple of icons. Having now read it, I cannot in good faith even call it specs. It is a step above infomercial. Hardly something trustworthy.


I mistakenly gave you the impression that I was linking to the spec. I was in fact linking to the infomercial that had a summary of the privacy considerations. The actual spec can be found here:

1. Bluetooth: https://covid19-static.cdn-apple.com/applications/covid19/cu...

2. Cryptography: https://covid19-static.cdn-apple.com/applications/covid19/cu...

3. Framework: https://covid19-static.cdn-apple.com/applications/covid19/cu...


No worries. I apologize for jumping to conclusions like this. I will be going over these soon.


This doesn't appear to be a way for the government or tech companies to track people. Looking through the API docs I think it's designed just to alert people who may have been exposed.

It lets someone identify as Covid-19 positive and then if people have come into contact with them, you can be alerted. Most of the processing happens on device and it doesn't use location data.

It looks like it would be very hard to abuse by governments or businesses, but I'm not an expert on these kinds of things.


Indeed, if I understand correctly, the device locally stores a bunch of keys of people you've been in contact with, and there is no way of working backward from the keys to who it was, and these keys also change daily. Then when someone marks themselves as infected for days A through Z, their keys for those days are sent to devices, where the devices check locally if they have the given person-day keys stored.

Do I understand this correctly? It's almost all done locally, there's nothing about location, and almost nothing is sent up until you mark yourself as infected, right?

EDIT: This is the best high-level explainer I've found: https://blog.google/documents/57/Overview_of_COVID-19_Contac...


It is possible I am not expressing myself clearly. The API may not directly access location data ( though I have a hard time believing that either ). Processing may be local, but I just find it very difficult to believe that the information gleaned from that common platform would not be used. And if it can be used, it will be used. And then it will be correlated with information that was previously gathered via regular means. I am not sure how that is not a concern? To Trump's credit, he seems hesitant to go all in on this front.

edit: There is something that occurred to me after writing this. FB had an API at the beginning of their game when they were shooting to get developers' attention. They did. As the leaked documents show what really ended up happening, API evolved in ways that benefited big boys. I guess my rambling point is that whatever current specs say, may quickly become rather distant past.


Is this at the behest of the government? Seems privately driven?


Sure. DPA was not invoked only few days ago. Companies were not already threatened openly ( and not so openly ) to obey or else. Companies are effectively expected to volunteer their services or risk consequences from government( and potential bad PR ).


None of those facts indicate directly that this wasn't privately driven. They suggest reasons to be skeptical but, at the same time, it's highly unlikely they developed this spec since the DPA was invoked. These companies have been threatened by the Trump White House for years and did nothing to show they succumbed to them. The risk of bad PR hasn't stopped companies from committing sins.

Sometimes, especially in crises, people like actually want to help other people.


It just takes one erroneous logging call in the wrong place and all this niceness goes away. Hopefully we don't get a headline in the future of "Bug found with contact tracing app, we actually had access to everything but we're sorry and we'll fix it". Not entirely against this work, it will provide benefit but let's hope for the best.


This is why it'd be nice for the APK/installable file to have a hash that can be verified against an open source version. In theory someone should spot anything that doesn't look right.

But that can't/won't undo the effects of something being called "private" being exposed not to be after all...


The key in all this is the user's ability to choose to disclose when they were tested as infected. If this choice isn't baked deep into the protocol, it will be far too easy for things to go horribly wrong down the road as this technology is adapted for other roles.

As an obvious (and not all that impossible) example, consider a Bluetooth device owning person who is, in fact, physically isolated. No amount of "privacy preserving" anything will fix the issue if they know they've only been within range of 2 other people in the last <insert time window here>.

The paranoid user would want to change their disclosure settings upon entering the domain of this isolated individual, since they can be sure they would be able to be identified.

Sadly, not all users will know who was and who was not isolated, so the notion of privacy is simply impossible as far as I can tell. You are weighing the social good vs the potential personal harm based on your unique environment. Nothing fundamentally changes this.


https://covid19-static.cdn-apple.com/applications/covid19/cu...

> Upon a positive test of a user for COVID-19, their Diagnosis Keys and associated DayNumbers are uploaded to the Diagnosis Server. A Diagnosis Server is a server that aggregates the Diagnosis Keys from the users who tested positive and distributes them to all the user clients who are using contact tracing.

Is this scalable? Earlier in the document they mentioned that the tracing keys are 16 bytes long. Let's assume that there are 3 million patients in a country. That'd be 48 megabytes each user has to download and process per day to check whether they've been in contact with an infected person (processing involves calculation of 144 HMACs per tracing key). I don't think this is feasible at scale and one can't avoid thinking about area recognizing diagnosis servers.

E.g. Smartphones of patients would upload not just the diagnosis keys, but also the areas (county, district, something like that) they've been inside during that day. Then smartphones querying the diagnosis servers would have to send the areas they are interested in. But it's easy to see that this approach is then quite privacy invading. On the bright side, this info is already available to carriers so it's already a sunken cost so to speak.


3 million is way too high. Old infections aren't interesting for this; users only need to download newly reported infections since yesterday. Limiting to broad geographic regions would also help reduce scope and not be especially privacy invasive.


> Old infections aren't interesting for this

Yes, healed patients who don't produce viruses any more aren't important, but anyone still infectious is still a danger. Even if you are supposed, often even legally required, to stay at home while being infected, there is no guarantee you aren't. I'd bet that most of these people also take their phones with them, after all far more serious criminals like actual murderers are often taking their phones to sites of crimes as well. The IDs of those devices are still relevant. Quarantine after diagnosis may last up to 14 days, so your phone should be uploading IDs for 14 days to the diagnosis server.

Given continuation of exponential spread, we aren't far from having 3 million new patients within a span of two weeks in populous countries like the US.


It’s new patients only, but for each day they might have been infectious. So, if it’s 100k new cases a day, and each uploads 5 days of keys, then it’s 8 MB.

Seems doable, especially considering that you’d want to have fully blown lockdown during the exponential growth, and only then switch over to this contact tracing phase once the initial wave has abated.


Seems like a scenario where bloom filter[1] could be useful.

1. https://en.wikipedia.org/wiki/Bloom_filter


Bloom filters aren't good for privacy because if there is a hit, you have to upload the id to check it. Which tells the service a) which ID you encountered and b) if it's an ID that was confirmed to be affected, whether you are affected by corona or not, something the system was designed to prevent.


You don't have to upload the full id.

It's enough to upload the bucket that was hit in the Bloom filter to fetch the subset of detailed data that corresponds to the bucket.

If the buckets are coarse enough that doesn't reveal much. And if the Bloom filter is too fine-grained for that, fetch a set of buckets instead of one.


> if there is a hit, you have to upload the id to check it.

Why would you upload it if you know (almost for sure) there was a hit? We can all live with small false positives I think.


There wouldn't be 3 million new patients per day. Wouldn't each phone just need to download the newly-discovered cases since the last time they checked?


Each patient creates a new key per day. Only those keys are uploaded. So everyone who is positive in the app needs their keys to be uploaded. At least this would be a reasonable design choice of the app. Maybe the designers of the app assume you actually follow the quarantine that infected people should do and don't leave your home. In that case, the app can stop uploading of those daily keys.


Say a newly identified case is assumed to have been infectious for the preceding week. My reading of the spec is that they’d upload 7 diagnosis keys (which all devices would have to download).



Is your calculation correct? You only need to download the Diagnosis Keys. How would that be 48MB?


I used the definition 1 MB == 1 000 000 bytes (there are several definitions for what a megabyte is). Each diagnosis key has 16 bytes. 16 bytes * 3 million patients = 48 million bytes = 48 MB. Note that not just the diagnosis are uploaded but also day numbers. Those follow strict power laws and compress pretty well with even the simplest entropy coding schemes to a sub byte size.


48MB per day just isn't that much these days.


For reference WhatsApp is ~70MB (that's considered small) and a Facebook app is ~380MB on iOS.


Both are one time downloads with comparatively rare updates. Users can visit a place with WiFi for doing the download. The daily dataset of infected users however can't wait for manual prompting and is thus likely downloaded in the background. Users might not always be able to connect their devices to WiFi. In many countries, traffic quotas are quite limited.


This is the best news I’ve heard all week.

I had thought that Apple and Google are in the best position to distribute contact tracing widely [1] but couldn’t figure out if they were working on it. It turns out they were.

[1]: https://news.ycombinator.com/item?id=22704460

Big tech can do good and we should applaud their efforts when they do it right.



Can we put the genie back in the bottle after this is over? I feel like once there's a precedent to do this, it becomes a slippery slope to less palatable things, even if not the worst possible things.


Thinking big, if this works against covid: could it later be used to severely limit or eliminate diseases such as the common cold and the flu?

That would be an incredible win for humanity.


But we would lose herd immunity for the flu.


Nobody does contact tracing for flu, let alone common cold (which is caused by a bunch of different viruses)

Also, common cold mortality is extremely low.


We could, though. It's not practical today, but it's definitely something that humanity could achieve, especially with technology like this.

Even if it's not the most important thing we could do, eliminating influenza and the common cold would be pretty fricking awesome.


He's saying that because this technology will exist, the possibility will exist. Plus this will no doubt not be the last emerging virus.

To answer your Q, Op: yes. Provided Apple/Google doesn't remove the functionality in a later software update.


Could the cons be as incredible as the pros?



> But for the moment, we are united by fear and have some latitude to act.

We're literally still fighting the wars that arose out of the last time we acted in a moment where we were "united by fear."


And living with the erosion of Constitutional protections that seem all too easy to push through in times like these, but impossible to roll back afterward.


And this is why it's done during a crisis: it works. All the education and talk about how the last time the government overstepped their bounds goes out the window the moment a crisis hits. Then it's all about "why isn't the government doing more?"


Except that in this case Google are trying to produce a new contact tracing dataset rather than just giving the government access to the location data they already have.

Some ideas as to why:

- lots of people have iPhones and Apple have made efforts to make them less trackable so maybe there isn’t enough data about enough people

- Google are scared that this would lead to their data collection/retention being more regulated

- The location data Google collect just isn’t granular enough

- Google don’t want to give the government access to their location data because they believe strongly that it should be private between Google and the people being tracked/they’re scared that people will react badly as they begin to realise how much data Google collects about them


I think this would be a good solution for essential workers to track their personal health while social distancing is in effect.

I can foresee a large second wave due to this falling short if we relax social distancing measures. There have been cases where people test positive then test negative and then positive again. It would require redundant testing per individual on a schedule.

There are a lot of people who will not be tested, there are a lot of people without smartphones. This virus has spread so far at this point we’d need to test every US citizen to know the blast radius.

I understand people are hopeful and want things to return to ‘normal’ but I can’t imagine it without a vaccine in the US.


It says this is opt-in - is this just the sending of covid information, or is it the entire contact-tracing key-exchange enterprise?


If I understand correctly, it's up to every infected person to manually click "upload" (edit: here was "who I was close to", but it's not correct, see note 1 here) once he gets diagnosed, i.e. completely voluntary.

That is so that once one is diagnosed others can check if they were close to that one (and when?). And even these lists aren't supposed to be any typical metadata but something that stays local and the third parties can't reconstruct.

The idea is, again if I understood, that those who remain negative never have to upload anything that gives any traceable information about them.

See my other post here with other relevant quotes from the specification.

----

Edit:

1) Actually what is uploaded is: "the Daily Tracing Keys for days where the user could have been affected"

"Upon a positive test of a user for COVID-19, their Diagnosis Keys and associated DayNumbers are uploaded to the Diagnosis Server. A Diagnosis Server is a server that aggregates the Diagnosis Keys from the users who tested positive and distributes them to all the user clients who are using contact tracing."

The matching is done locally on every device:

"In order to identify any exposures, each client frequently fetches the list of Diagnosis Keys. Since Diagnosis Keys are sets of Daily Tracing Keys with their associated Day Numbers, each of the clients are able to re-derive the sequence of Rolling Proximity Identifiers that were advertised over Bluetooth from the users who tested positive. In order to do so, they use each of the Diagnosis Keys with the function defined to derive the Rolling Proximity Identifier. For each of the derived identifiers, they match it against the sequence they have found through Bluetooth scanning."
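The local matching quoted above, and the download-size arithmetic from the scalability sub-thread, worked through as an added example (not code from the thread or from Apple/Google). The 16-byte key length and 144 identifiers per daily key are the figures given in the thread; the `CT-DTK`/`CT-RPI` labels and byte encodings are assumptions taken from a reading of the linked draft crypto spec, and the users, keys and day numbers are constructed.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16             # bytes per Daily Tracing Key / identifier (figure from the thread)
INTERVALS_PER_DAY = 144  # identifiers derived per daily key ("144 HMACs" in the thread)


def hkdf_sha256(ikm, info, length):
    """RFC 5869 HKDF-SHA256 with an empty (all-zero) salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def daily_tracing_key(tracing_key, day_number):
    """Derive one day's key from the device-local Tracing Key.
    Assumed info layout: label plus 32-bit little-endian day number."""
    info = b"CT-DTK" + struct.pack("<I", day_number)
    return hkdf_sha256(tracing_key, info, KEY_LEN)


def rolling_proximity_ids(dtk):
    """Re-derive every identifier a device advertised on the day covered by dtk.
    Assumed layout: truncated HMAC over label plus 8-bit interval number."""
    return [
        hmac.new(dtk, b"CT-RPI" + bytes([j]), hashlib.sha256).digest()[:KEY_LEN]
        for j in range(INTERVALS_PER_DAY)
    ]


def find_exposures(diagnosis_keys, observed):
    """diagnosis_keys: iterable of (day_number, daily_key) fetched from the server.
    observed: set of (day_number, identifier) recorded locally from Bluetooth scans.
    Returns sorted (day_number, interval) pairs; nothing is sent anywhere."""
    hits = []
    for day, dtk in diagnosis_keys:
        for interval, rpi in enumerate(rolling_proximity_ids(dtk)):
            if (day, rpi) in observed:
                hits.append((day, interval))
    return sorted(hits)


def download_bytes(new_cases, days_per_case):
    """Size of the key list every client fetches, ignoring day numbers and framing."""
    return new_cases * days_per_case * KEY_LEN


def demo():
    """Constructed scenario: Alice tests positive, Carol tests positive, Bob checks."""
    alice_tk = bytes(range(32))          # constructed 32-byte Tracing Keys
    carol_tk = bytes(range(32, 64))
    first_day = 18360                    # constructed day numbers (days since epoch)

    # What Bob's phone heard: two of Alice's identifiers plus unrelated devices.
    alice_day2 = rolling_proximity_ids(daily_tracing_key(alice_tk, first_day + 2))
    alice_day3 = rolling_proximity_ids(daily_tracing_key(alice_tk, first_day + 3))
    observed = {(first_day + 2, alice_day2[50]), (first_day + 3, alice_day3[7])}
    for n in range(200):
        noise = hashlib.sha256(b"stranger-%d" % n).digest()[:KEY_LEN]
        observed.add((first_day + 2, noise))

    # What the Diagnosis Server distributes: five daily keys per positive user.
    diagnosis_keys = [
        (first_day + d, daily_tracing_key(tk, first_day + d))
        for tk in (alice_tk, carol_tk)
        for d in range(5)
    ]
    return find_exposures(diagnosis_keys, observed)


if __name__ == "__main__":
    print("exposures (day, interval):", demo())
    print("3M keys/day  ->", download_bytes(3_000_000, 1), "bytes")
    print("100k x 5 days ->", download_bytes(100_000, 5), "bytes")
```

The server only ever sees the daily keys of users who reported positive; Bob's observed set is compared on his own device, and each downloaded key costs him 144 HMAC computations.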


As I read it, the specification doesn't enforce whether upload is voluntary. Local custom and laws can be implemented to vary degrees of freedom on this aspect.


You can’t upload who you were close to because you only have a set of pieces of data that can’t be traced back to people without their key. Only if infected, you upload your key to the server which distributes it to the others who can then tell if they’ve been close to you.


> Only if infected, you upload your key to the server

You are more right than I was initially, thanks!

Actually, to be even more precise: only if infected, you upload the set of your own derived keys, and apparently only for the days you could have transmitted the virus to other people.

From the documentation:

"Upon a user testing positive, the Daily Tracing Keys for days where the user could have been affected are derived on the device from the Tracing Key. We refer to that subset of keys as the Diagnosis Keys. If a user remains healthy and never tests positive, these Daily Tracing Keys never leave the device."


The idea is that nobody ever shares who they were close to. Think of it as walking around in a mask, then if you were sick you opt in to being on a list so everyone knows they may have been exposed if they saw someone in "a pink fox mask."

Your identity is pseudorandomly generated and cycles every 15 minutes, so you won't be identifiable/trackable - until you choose to share you were sick, and release the inputs to the KDF publicly. A third party app determines who can share they were sick, but the OS appears to require user consent before your information can be shared.

Even then, the people who did see you haven't shared any information.

The biggest vector of privacy abuse IMHO is that once you have opted in to letting an app check whether you had contact with an affected person, the app is responsible for behavior - informing you, helping you schedule testing, or potentially more abusive behavior like informing you and the state of a mandatory quarantine.


This has a very serious potential to be misused to target an individual for nefarious purposes.


Have you read the spec (or even only the crypto sub spec [1]) before making your comment?

[1] https://covid19-static.cdn-apple.com/applications/covid19/cu...


How? Or is this just some non specific idea about any contact tracing concept?


By "apps from public health authorities", that you have to install yourself?


We could be discriminated (by public and private actors) for not having this app installed. We should be able to convincingly deny the opt out...


I know it is about APIs - but no mention of any Free or at least Open Source Software example implementations makes me worry.

I was expecting that people would organize around git repos - but no, just one of the many COVID tracing initiatives published their code.

It is https://github.com/tripleblindmarket/covid-safe-paths by the way.


This specific one came out a few hours ago and is pretty auditable even if those two don't disclose their implementation for this tiny part.

Other than that many, in fact most of those I know to be active, tracing efforts are pretty open, the one you linked is definitely not the only one that currently publishes their source or plans to do so in the near future. There's even been others in this thread.


Agreed, most of them are completely open. Here's the best effort I have seen to document all the parallel efforts:

https://docs.google.com/document/d/16Kh4_Q_tmyRh0-v452wiul9o...


I believe the idea here is that the tracing is done at the platform level, where you can both have different capabilities with the wireless functions of the device, and can have different privacy constraints on usage compared to those of application sandboxing.



Went over the docs (Google and Apple's), but there are a few things that are not clear to me.

This is my summary of how I interpreted it works:

- A [Tracing Key] is stored locally in every device.

- A [Rolling Key] gets regenerated every day based on the [Tracing Key]

- A [Proximity Identifier] gets regenerated every 15 minutes and broadcasted to other bluetooth devices.

- The Contact Tracing Bluetooth Specification does not require the user’s location; any use of location is completely optional to the schema.

- Other devices save the [Proximity Identifier] locally.

- History is stored for a couple of weeks

Some questions about how I interpreted the rest:

- The device wakes up once a day and downloads the list of identifiers that have been known/reported to have COVID. It compares on device that you are on that list. Q: Wouldn't this list be insanely long? More so if it doesn't have any concept of location?

- If you have COVID-19, you can report to the servers that you were found to have it. Your rolling identifiers get uploaded to the "cloud server". Q: Which "cloud server"? Whose cloud server?

Any clarifications are strongly welcomed :)

- If diagnosed with COVID-19, users consent to sharing Diagnosis Keys with the server.


> Q: Wouldn't this list be insanely long? More so if it doesn't have any concept of location?

I don't think such a list would be that long:

1. It's not unreasonable to have some approximate concept of location (e.g. "New York City and surroundings")

2. A contact tracing app is only useful when the number of new infections is low enough, such that all possible contacts can be tested.

3. For a tracing key 32 bytes would suffice. Even for 15,000 relevant infections you're only looking at 0.5 MB of data.


Thanks for the answer. Now, I am not sure your tracing key gets updated as far as I understood. Isn't it the individual 15-minute-long identifiers that get updated?

Also, not sure you can limit to surroundings just yet... people are still moving too much.


The "location" data would be self size limiting since it's based on the users who are using the app provided by a local public health agency, like a city or county.


> Q: Which "cloud server"? Whose cloud server?

Apple/Google are providing the API to public health systems who would write an app that uses the API. So your city/county/state would distribute an app used by people who live there. The server would be owned by the entity that wrote the app.



Contact tracing has a time and place, and it's early in isolated outbreaks. The cat is out of the bag at this point and thinking we're going to contact trace our way to safety is a false promise. You'd have to be naive and short-sighted to accept their pinky-promise of privacy-first in this context.


If you assume the goal of contact tracing is to literally find every infection, yes, this isn't going to work. If you assume the point of this is to reduce R0, then this will work just fine at any stage of the pandemic.

There's obviously a question of what you should do when you find out you have been in contact, and that will differ depending on the stage. We probably want to be in a position where everyone who has come into contact with an infected person can get a test asap and if necessary then go into full isolation, not just going out less.


How much more can you reduce the R0 below "nobody's allowed within 6 feet of each other"?


a) It's about letting people resume their activities and keep a low R0.

b) It's not 0, so there's still room to reduce the number, even now.


It's about maintaining an R0 < 1 after social distancing is relaxed. Without contact tracing we're destined for a cycling of lockdowns until we have a vaccine.


If you're not social distancing there's no way you can stop this virus with an app. It's a highly highly infectious airborne virus. You can ease the lockdown and keep distancing rules. Not sure if the app will help in that case.


> Contact tracing has a time and place, and it's early in isolated outbreaks. The cat is out of the bag at this point and thinking we're going to contact trace our way to safety is a false promise.

It’s quite obvious that more intrusive measures (lockdowns) are needed now, but what do you do once they’ve had their effect? You can’t just abolish all measures, as you’d be back to square one. That’s where this comes in handy.

> You'd have to be naive and short-sighted to accept their pinky-promise of privacy-first in this context.

Or, more constructively, you could examine the spec and see whether it’s privacy preserving as promised, and ensure that the deployed software conforms to the spec. How about that?


> It’s quite obvious that more intrusive measures (lockdowns) are needed now...

Or less intrusive measures. We should shelter in place the vulnerable and let everyone else out like Sweden, and this will sort itself out amicably in a few weeks. Leaving the entire population with lasting immunity, preventing any chance of resurgence. [1]

[1] https://www.forbes.com/sites/jamesasquith/2020/04/04/no-lock...


> Leaving the entire population with lasting immunity

Based on what we know, I don't see how you could carve a large enough population group out where you have < 1/300 chance of death and < 1/50 chance of being hospitalized. Your timeline is realistically years to not overrun hospitals, if this is even an acceptable death rate [which it won't be in developed countries]


That's literally what both Iceland and South Korea rely on. Neither country has SIPs (Iceland even has primary schools open) and the peak is behind them.

(Iceland's outbreak is at about the same infection rate as the Bay Area if you estimate with hospitalizations/deaths. Daegu was significantly worse than the Bay Area per capita).


Iceland launched the C19 app on April 1, 1 week after their epidemic had already peaked. I haven't seen their install statistics, but I'm not sure it's as effective as people here think it is.


Exactly. Do we have data about whether contact tracing of this kind ever worked? S. Korea started testing+tracing somewhere midway in their epidemic, far earlier than where the epidemic is now in France, UK and USA. Maybe other countries can benefit from this tracing, but it remains to be proved. In Singapore, which does well, apparently only 6% of people installed the contact tracing app. Israel seems to be using carrier data. People seem to be missing the forest in here.

https://www.theatlantic.com/ideas/archive/2020/04/contact-tr...

> Let’s start with China, where citizens in hundreds of cities have been required to download cellphone software that broadcasts their location to several authorities, including the local police. The app combines geotracking with other data, such as travel bookings, to designate citizens with color codes ranging from green (low risk) to red (high risk). High-risk individuals can be banned from apartment complexes, offices, and even grocery stores. Many human-rights advocates fear that what has been rolled out as a public-health app is moonlighting as a tool of government espionage and mass discrimination.

> Next, let’s look at South Korea, a democracy that has arguably been more successful than any other in containing the spread of the virus. The government uses several sources, such as cellphone-location data, CCTV, and credit-card records, to broadly monitor citizens’ activity. When somebody tests positive, local governments can send out an alert, a bit like a flood warning, that reportedly includes the individual’s last name, sex, age, district of residence, and credit-card history, with a minute-to-minute record of their comings and goings from various local businesses. “In some districts, public information includes which rooms of a building the person was in, when they visited a toilet, and whether or not they wore a mask,” Mark Zastrow, a reporter for Nature, wrote. “Even overnight stays at ‘love motels’ have been noted.”


If this rolled out, just the knowledge of its existence would probably put some fear in people to comply with whatever the government was asking people to do. It's a case being made for total surveillance.


I'm surprised that there isn't more discussion of leveraging the extensive location data that Google already routinely collects via Android and Google Maps mobile apps.

I'd love any feedback on this simple proposal for a way to enable individuals to contribute their Google location history data to health care organizations: http://covidcontacttracing.com.

This uses public Google APIs and Google Takeout to get raw gps data and inferred semantic locations from Google to COVID-19 response organizations. I've got a prototype that's essentially ready to deploy if anyone has suggestions for potential partners.

I think the Google/Apple proposal is very promising, but I don't see any reason not to also put existing data to work on this problem.


> would allow more individuals to participate, if they choose to opt in

I don't see how this can work unless it gets very high distribution. I wonder if local governments might do something where the shelter-in-place orders are lifted for some categories of people conditional on running the app?


Given the number of people wearing masks, I think this would have a decent opt-in rate. Especially since, for most people, this is much easier than wearing a mask.


How many of those people are wearing masks for selfish reasons, i.e. they don't want to get infected themselves?


People can easily tell whether you're wearing a mask, so social "norm building" factors work.


I wouldn't be shocked if some businesses - movie theaters, malls, etc. - asked people to show their contact tracing status for entry.


I bet there'll be a few different ways to 'prove' yourself to public places, and people who decide to tell them to 'go fuck off' - well they'll become social pariahs.

After all - the first amendment allows for the freedom of assembly, and the freedom of assembling with whom they wish. Property rights also and all of that.

Is it a matter of losing freedom for safety? Yeah. There's been a lot of 'reasonable' losses of freedom in various things. For example, isn't it a loss of freedom to require a drivers license and insurance (or proof of financial responsibility for California)? Or security at airports? And so on. This may become yet another loss of freedom, maybe temporary maybe not.


Well, I would think that would be met with a you-can-fuck-right-off by most people.


I really doubt that.

Hell, vast numbers of people have been doing it voluntarily already with loyalty cards.


I’m sorry, I might be misunderstanding how loyalty cards work... do they detect each other and report back to home with what other cards they have been in proximity to?


They're a scenario where people have willingly given away privacy to corporations in exchange for pretty minor benefits (largely, discounts that just bring the prices back to where they'd have originally been).


Kinda at the cash register, right?


The cards themselves detect each other without me knowing it?

Checking in to JimmyJohns with a loyalty card is not the same as the guy I passed on the street's phone checking my phone and both letting JimmyJohns HQ know that we passed each other at 12:53 at 643 West Main St.


Depends on how you define "work".

To get to 0 you need very high participation.

Even modest adoption will have some impact on the rate of spread.


Not sure I agree. This only works if both ends of a contact have a conforming app. As such, the proportion of contacts you can trace is not linear, but quadratic in adoption.

(If 20% of people adopt it, you’d catch only 4% of contacts).


That is absolutely the last thing you should want. Are you seriously saying you support invasive government tracking under the guise of this?


I’d be ok with this as long as it doesn’t require one of those awful nose swabs.


Interesting, although it seems as though Singapore's "TraceTogether" app was able to work successfully without any of these APIs, no?

Tangentially related - Singapore plans to open source their app. There's a few details about how it works here:

https://www.theregister.co.uk/2020/03/26/singapore_tracetoge...

Also interesting to read some of the reviews of the app here:

https://play.google.com/store/apps/details?id=sg.gov.tech.bl...


They've released their open-source version of the app, OpenTrace

https://github.com/opentrace-community/

Interestingly, in the Android version they request ACCESS_FINE_LOCATION (i.e., access to GPS) instead of ACCESS_COARSE_LOCATION (i.e., access to BLE). They have also included Firebase analytics (which captures city-level location data) in the app as well.


Wouldn't bluetooth be preferable to GPS since GPS requires a direct line of sight? And Singapore being an urban area with underground mass transit and lots of shopping malls I would have thought that bluetooth would provide better accuracy of contact/proximity.


OK, that's me putting the smartphone in a drawer and picking up a Nokia 3310.


The spec seems nice, but we need a unique app with a unique set of "diagnosis servers". When you take an international flight with one or multiple connections you are in contact with people from many different countries, should you install all the contact tracing apps available on the app store?

If you have one app per country, you could have the "diagnosis servers" of all the countries federate and exchange data, but in the end it's easier and more effective to have 1 official open-source app from say the WHO.


This is excellent news. Many open source projects have been working on this contact tracing approach for a while now and have been asking Apple and Google to provide this kind of support.

TCN Coalition is an umbrella group for open source projects who have agreed on a common protocol, which Apple and Google are also following fairly closely. I am one of the developers for CoEpi, a member of the TCN Coalition.

https://tcn-coalition.org/


> We will openly publish information about our work for others to analyze.

Great!


The Indian Government launched a contact tracing app that has more than 10m+ downloads: https://www.mygov.in/aarogya-setu-app/

Not sure how ubiquitous it is. Nevertheless, given that Android is 90 percent of the market in India, maybe this can help overcome the iPhone OS-level constraints that make it necessary for both platforms to work together in markets like the US.


As far as I understand the actual risk assessment is done by the Contact Tracing Framework.

I wonder why this design decision was made. The risk assessment will change and the apps done by health organizations have the expertise on that subject and shall do the assessment and not the CT framework. It will require an update of the OS to get latest findings published.

Privacy and other technical decisions are sound and legit.

Has somebody some background information on the reasoning driving that design decision?


Oh those 5G conspiracy theories are now an inch less crazy..still crazy but contact tracing is indeed big brother. Though for now it's only opt in until there's an outbreak in a city or state then the government will recommend then mandate it in those areas. Then as time goes on it becomes the norm and the majority are fine with being monitored and watched by the government. Public health vs. human rights/privacy.


This is really hard to keep private and anonymous, but I'm glad that the world's two biggest mobile OS makers are working on this.

If this does really work, it could trace millions of people and give this pandemic some sort of order. Identify hotspots and show a heat map of spread.

Definitely a step in the right direction, hopefully it's executed well too. I'm pretty sure Microsoft is jealous they didn't win the Mobile OS market.


Does this then allow us to run this in the background on iPhone? The Danish and Norwegian governments are looking at using a GPS+Bluetooth based version because iPhone is so common and not able to work with Bluetooth when the app is not active is their argument. Also based on a centralized server. My hope was Apple would in this circumstance allow Bluetooth to work differently to avoid unnecessary location data.


Of course you can use Bluetooth in the background. You just have to enable Background Location Access permission as a user.


You can troll by falsely claiming to be infected. With strategically placed beacons you could scare a lot of people. If the system is as private as they claim it will be hard to filter out serial trolls.

I suspect they will try to join whatever data is present in your "I'm infected" report (at least IP, idk if there will be other stuff. advertiser id?) with their other databases, using trolls as a justification.


In the comic someone posted above they talk about how you must have a code given to you by a doctor to upload your identifiers. That seems pretty effective. Similar to prescriptions preventing people from abusing harmful drugs (yes I know prescription abuse still happens)


I would imagine it would be possible to only declare one infection per phone/device? If that's possible that should be a sufficient barrier to all but the most dedicated trolls?


The app using the API is provided by a local health authority. In order to trigger an alert to other users you need to have tested positive by the agency whose app you are using.


This project may be necessary to enable fair elections in the United States and other democratic countries through November. On the other hand if built improperly it could usher in a 1984-style future with gerrymandering, vote-rigging, and huge increases in surveillance based government suppression. When the government is granted emergency powers it almost never gives them back.

Please do not fuck this up.


How would this contact tracing technology help with vote-rigging?


If you can track the detailed movements of voters and connect that to party affiliation you would have complete visibility into meetings, social networks, and up-and-coming politicians, such that you can prioritize suppression efforts on those regions. Similar as a whole to gerrymandering, but imagine key political opponents being shut down "as the data shows a cluster of CV-19 may appear here at this exact date and time".


I feel like Facebook is basically already doing this?


It's mentioned elsewhere on this thread, but this project likely will take things further to more accurately measure the distance between individuals in small spaces in order to better track the contagion. This project may also have more liberal visualization tools, search tools, etc., geared for a task other than advertising.

No doubt much of this data is already collected in one form or another. But it is a big step from collecting data, to analyzing it in new contexts, to visualizing it well, to making it highly accessible to federal non-technical agencies.


I am much happier Apple is in the mix here, versus say Google x Amazon. Will that be enough to rein in the privacy concerns though, who knows


They have to, as they ship a mobile OS that a large portion of the country uses.


Yes. The point was (I think) that Apple respects user privacy, having a very different business model from the data-slurping advertisement firm that ships the other OS. As such, having Apple’s participation can be seen as guaranteeing some decent privacy standards (as seems borne out by the spec).


For context, start with https://www.vox.com/2020/4/10/21215494/coronavirus-plans-soc...

The tl;dr is that without a huge, nigh-omniscient program to trace individual cases, we have no choice but to go on and off Covid lockdown for a year or more, with potentially devastating economic consequences.

Having Apple and Google develop a built-in tracing program to their phones with firm privacy guarantees is not good, but it might be the least-bad solution we have right now.


> Only an official effort, led by Apple+Google or maybe FB and then forced upon users, can reach the critical mass needed to make contact tracing viable.

This may be right, but how will said vendors "force it" on users? A system update? That still takes voluntary cooperation.


Cannot devices be tracked just by their Bluetooth MAC addresses, or does this technology use some special frames that do not use these?


This is wonderful news for any surveillance state. As the three-page brief on DP-3T [1] says:

"A tech-savvy adversary could reidentify identifiers of infected people that they have been physically close to in the past by

i) actively modifying the app to record more specific identifier data and

ii) collecting extra information about identities through additional means, such as a surveillance camera to record and identify the individuals. This would generally be illegal, would be spatially limited, and high effort."

If I read this correctly, this means that a government could collect identifier data on a per-location basis and later link this to someone's identity (for example with cameras or by tracking the IP address of uploaded identifiers).

Unfortunately I can think of quite a few entities (e.g. governments) who are not too worried about doing high effort, spatially limited things in order to track people's locations. Saying that this is "illegal" (which is probably not even true in all countries) does not give me confidence it wouldn't happen either.

[1] https://github.com/DP-3T/documents/raw/master/DP3T%20-%20Sim...


The alternative approach to contact tracing means that a central server can learn most of or the entirety of the social graph. This is a considerable reduction of power in comparison.


I was under the impression that the NSA already was tracking most people anyway?


GPS / phone network tracking probably has lower precision than short-range bluetooth. Bluetooth receivers can be present even in places without network reception or GPS, and receive signal passively and without a trace.


I guess I'm not clear to what extent the NSA hacks people's phones. I would imagine for most users they would have good access to our GPS data, e.g. via Google Maps?

Edit: I'm assuming that GPS level precision is sufficient to start the dystopia


I guess court order could be used to get daily tracking keys from you regardless of covid-19 status, so it could be used for tracking for other cases.

While it does not directly encode position, with a sufficiently large network of bluetooth trackers in key places (like mass transit stations) one can be tracked sufficiently well by that.


This is a good thing, and I think in the absence of this solution we would see intrusive solutions backed by governments and mandated by law. I do have two questions:

Is there a plan to verify test results? Are public health authorities in small countries/regions expected to build and maintain an app and a server from scratch?


Check out the Indian version of the technology, out there for a couple of weeks.

http://jan-sampark.nic.in/campaigns/2020/04-Apr/Arogya/index...


As an aside, I'm not clear why tech startups and VC panicked over this catastrophe. Given their extreme flexibility, I would think this is the most promising sector to do some good stuff at the moment and do well after in any disrupted future environment.


Good. I always thought if we really want to implement this the two mobile giants need to propose a standard and implement it on the OS level. It of course needs to be opt-in and the privacy and security needs to be provable and auditable.


I've been pondering over the idea of offering the option to use a physical device, like e.g. a Bluetooth bracelet, for contact tracing in addition to apps.

For contact tracing to have an impact at all, we need a quite large percentage of the population to use one of these apps. Even if 60% of the population had some kind of app installed and this app worked properly, we would still only detect just 36% of all new infections, since both parties (infected person and person to be infected) need to use the app. There is a significant portion of the population that does not want to or cannot use such an app, e.g. the elderly, kids too young to have their own smartphone, people with certain disabilities, people that can't carry their phone with them all the time (e.g. while doing sports / working) etc. This population can still be relevant in spreading the virus - for instance, when loosening lockdowns, young children attending kindergarten / school can bridge the gap between families.

Moreover, even among those that own a smartphone and that want to use the app, I just can't see it all work flawlessly. Outside of the tech bubble, I see many people with older Android / iOS versions that don't receive updates (which might be crucial for contact tracing to function without having to keep the app open at all times) or people simply failing to install updates. We also don't want the app to be too sensitive (an infected person that happens to be at the opposite end of the same subway car shouldn't trigger quarantine for you), but also not too insensitive (people might put their phone in handbags or attenuate BLE radio waves with their body).

I think that these problems could be solved by offering something like a standalone Bluetooth bracelet, compatible with whatever App becomes the standard. It should be possible to mass-produce these relatively cheaply (<5$, which a BLE beacon currently costs). They would use a Bluetooth chip with known characteristics and are worn at a defined location (wrist), so it's going to be much easier to correctly tune their sensitivity. The time-to-market will of course be longer than that of a potential app, but it currently seems like we're going to have to live with the virus for a couple of months to come.

The only technical problem I see is that the physical bracelet would need to receive a (trusted) "list of infected IDs" somehow. Maybe a mesh network of bracelets with smartphones as information providers could work? Maybe bracelets could connect to public WiFi? Or maybe we could leverage some existing low-tech data broadcast infrastructure such as RBDS/RDS (Radio Data System)?


Apple's press release seemed to say that much of the functionality will be pushed in the coming months via iOS updates (since the iPhone to iPhone communication isn't exposed normally except for Find my iPhone). It's unlikely that you'll need to install an app except to say you are infected.

Google could do a similar thing via a Google Play Services update (or, you know, use this as the kick-in-the-pants to get manufacturers to start updating Android to protect the public from COVID-19).


I'm worried about security implications of this technology.

First of all how reliable this technology will be since its results will or can be used in courts.

Secondly how contact tracing logs will be secured since they can be stolen or sniffed in real time.

I didn't read the technology documentation drafts, and I last used Bluetooth on an old generation of phones, way before smartphones. I'm interested in how long these tracing sessions will last, since you can map devices that have Bluetooth turned on in any given area (train stations, libraries, etc.). You can do something similar to Wardriving (en.wikipedia.org/wiki/Wardriving).


Lots of privacy issues... on the other hand, they've always done it under the hood for decades, now doing for a greater good with opt-in/out looks ok.


Since it is verifiable (proof-of-consent) seems to be better.


And now it will be up to the carriers to push out the Android update to the end users. And we all know how well that's going to go.


It'll roll out through Google Play Services, not an OS update for Android. https://twitter.com/markgurman/status/1248667196722573312


Does this all depend on people's opt-in and self-report? What is the minimum opt-in percentage to keep the system functional?


That kind of depends, there is not a "this many or it fails / succeeds" number. I believe Figure 3 in https://science.sciencemag.org/content/early/2020/04/09/scie... suggests a minimum of about 60%


OK, so it looks like the key to understanding this is the flow diagram from ContactTracing-BluetoothSpecification.pdf, page 6, scanning: CFUserNotification "App would like to access time and duration of your %d contacts. Approve?"

It looks like it's an application framework based on a system service. I hope they won't start advertising iOS Bluetooth all the time and only allow the application to do it. In that case the application can be safely removed.

I am also concerned about cloud Diagnosis_Keys


That logo at the bottom gives me chills.


Imagine the merge


I don't want this functionality/software on my phone. Will it be possible not to get it?


I’m sure it will not work on my feature phone.


Is contact tracing technology categorically different from mass surveillance technology?


Yes. This has an identifier (RPI) that changes every 10 minutes (in a way that can’t feasibly be tied back together, unless you declare yourself infected and upload your diagnosis key), and it does not share or upload any location data whatsoever.

All it does is store the RPIs it sees, downloads diagnosis keys, and checks whether any of the RPIs it has stored “belongs” to one of the diagnosis keys it has downloaded.


If the individuals can’t be personally identified, yes.


They always can.


You could work with rotating anonymous uuids. 1. You log which uuids you see. 2. When someone is tested positively, you add the list of uuids you used to a public list (run e.g. by the government) 3. Clients fetch updates to the list and compare it to the logged uuids and alert the user if there is a match.

This way the government could not identify individuals, and individuals would be in control.


Yeah that's pretty much how the spec works. But with key pairs instead of UUIDs.
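
The flow the comments above describe (log the rotating identifiers you see, publish keys only after a positive test, match on the device), as an added Python sketch that is not from the thread or from the Apple/Google spec. The HMAC-SHA256 derivation, the `RPI-EXAMPLE` label, the `Phone` class and every key below are assumptions constructed for illustration.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # one identifier per 10-minute window
RPI_LEN = 16             # bytes broadcast over Bluetooth


def derive_rpi(daily_key, interval):
    """Rolling identifier for one 10-minute interval (assumed derivation)."""
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval out of range")
    msg = b"RPI-EXAMPLE" + bytes([interval])
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:RPI_LEN]


class Phone:
    def __init__(self, name, days):
        # Constructed per-day secrets; a real device would use random keys.
        self.daily_keys = {
            d: hashlib.sha256(f"{name}-day-{d}".encode()).digest()[:16]
            for d in days
        }
        self.seen = {}  # rpi -> (day, interval); stays on the device

    def broadcast(self, day, interval):
        return derive_rpi(self.daily_keys[day], interval)

    def observe(self, rpi, day, interval):
        self.seen[rpi] = (day, interval)

    def diagnosis_keys(self, days):
        """What an infected user uploads: daily keys only, no contacts."""
        return [(d, self.daily_keys[d]) for d in days]

    def check_exposure(self, published):
        """Re-derive every identifier from published keys, match locally."""
        hits = []
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                logged = self.seen.get(derive_rpi(key, interval))
                if logged == (day, interval):
                    hits.append(logged)
        return sorted(hits)


def meet(a, b, day, interval):
    """Two phones in range hear each other's current identifier."""
    a.observe(b.broadcast(day, interval), day, interval)
    b.observe(a.broadcast(day, interval), day, interval)


def run_scenario():
    alice, bob, carol = (Phone(n, [0, 1]) for n in ("alice", "bob", "carol"))
    for interval in (60, 61, 62):      # Alice and Bob share 30 minutes
        meet(alice, bob, 1, interval)
    meet(bob, carol, 1, 100)           # Carol never meets Alice

    # Alice tests positive and uploads her keys; the public list holds
    # nothing about who logged which identifier.
    published = alice.diagnosis_keys([0, 1])
    return {
        "bob": bob.check_exposure(published),
        "carol": carol.check_exposure(published),
        # Before publication Bob's three logged identifiers are unrelated
        # byte strings; after it, anyone holding them can link them.
        "bob_logged": len(bob.seen),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Once a diagnosis key is on the public list, any receiver that logged that day's identifiers can tie them together, which is the re-identification caveat raised elsewhere in the thread.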


I said if they can’t be personally identified. Note the qualifier.


And I said that they can always be personally identified.


I tweeted about exactly this last month. Great news!

https://twitter.com/dbrophy/status/1241434641250299905


My thoughts at the time:

Close contact detection and alerts at the mobile OS level

We need to get better and faster at stopping the spread of infectious diseases. Covid is already catastrophic. Next time R could be 5, and mortality could be 5, 10 or 20%.

I believe we can use mobile technology to track close contact between individuals, and alert at-risk individuals to potential infections. I believe this could drastically reduce R and the impact of infectious diseases could be substantially mitigated. Simulations should be able to determine the effective reduction of R.

Apple and Google should work together to implement a worldwide close contact logging framework. It will use bluetooth to track close contact encounters. The architecture will be anonymised and encrypted to make it somewhat privacy centric.

Obviously privacy zealots will make noises, but to save millions of lives and economic disaster the general population could be convinced it's acceptable.

iOS and Android should have an always-on bluetooth scanner that logs the bluetooth ID of nearby devices. If a device stays nearby for a certain amount of time, a close contact is triggered. The severity of the close contact is determined by the amount of time the devices were close together for, and other bluetooth data. This is anonymised, encrypted and logged.

When an individual is diagnosed with an infectious disease, they activate a feature in their phone which displays a QR code. The health professional has an app that scans the QR code. The health professional will enter details about the disease, and how far into the past the person was estimated to be contagious.

Alternatively if the individual hasn't been tested or is unable to reach a health professional, they can answer a set of questions about their symptoms that will determine how likely they are to be infected. Obviously this method of self diagnosis is less reliable so the framework will take this into account when deciding who to deliver alerts to.

The system alerts people that have had close contact with the infected individual, giving advice about local testing centers or self quarantine. The system will be tuned to only notify the more severe close contacts as needed. Data about available local testing capacity could be used to further refine this tuning.

Problems:

* Privacy: how to make the data private / anonymous. Communication: how to convince the public that their data is private / anonymous?

* Power: Bluetooth on all the time - battery drain?

* Health professionals: how to make sure only health professionals can use the alert app, but also deploy worldwide without delays.

* Deployment: how to get this system onto all Android phones with such a fragmented ecosystem.

* Detection: how to most effectively determine infection risk from available bluetooth data.

* Tuning: too many alerts for low risk encounters and people will ignore them - tuning is needed.


> Power: Bluetooth on all the time - battery drain?

I doubt this is an issue anymore for modern devices. Things like smartwatches connect via Bluetooth but still manage to keep the phone’s almost-all-day battery life.


The easiest way to convince the public is to lie to them, because that data is not going to be private. There is no chance that this won't be misused. NSA employees misused their power to spy on their neighbors and partners. There is virtually no chance that this won't be abused.

Every single authoritarian regime is salivating over something like this.


Is this the approach that South Korea and Singapore used?


Sort of, but not really: both of their apps were unable to track in the background due to privacy restrictions. This partnership enables that at the OS level, and will remove the need to download an additional app


Not really. For contact tracing, S.Korea is using a much more aggressive approach built upon a framework to join cellphone location from mobile providers, credit card usages and potentially CCTV.



we need to collectively take a step back and put this pandemic into proper perspective so we don't fall for privacy and liberty erosions like this. the panic is unproductive and dangerous to our civil rights.

for context, roughly 8000 people die per day in the US. the virus has killed 2 days worth of people in the US in the 80 days of known infection, and probably ~100 days of undiagnosed infection. so covid has killed 2% of the expected number of dead. it's serious, but it's not the black plague, or even the 1918 flu. and we're already seeing transmissions curb.

the virus overwhelmingly infects others in close and closed proximity with a lot of cross-breathing going on. random airborne infections or surface infections are likely small, certainly less than 10%, probably less than 1% of infections.

so, you don't need to social distance outside unless the other person is actively coughing/sneezing (or maybe singing/talking extra forcefully) in your direction within 6 feet. you don't need a mask unless you are in close proximity (less than 6 feet) to random other people for more than a couple minutes at a time. grocery clerks, and other service workers in close proximity to strangers, on the other hand, should wear non-n95 masks (but probably not gloves) during work. same with those who are often near folks with comorbidities like age, auto-immune disease, diabetes, etc. medical providers should wear n95 masks, gloves, gowns, and take many other precautions that make no sense for the general public. you are not lowering your risks in any perceptible way by doing so. allay your anxieties with those basics, rather than looking to buy more toilet paper. it's enough, really.

the overwhelmingly most effective way to prevent transmission is to not breathe in a sick person's exhaust. that's it. that's all we need to do. and yes, we don't know everyone who's carrying the virus, so it makes sense to reasonably physically distance in enclosed places like grocery stores. but not more than that as you've already reduced risk to background noise with these basic distancing rules.

contact tracing only makes sense when groups of strangers come into close proximity. it doesn't need to track every single person you brush past on the street. so for instance, you could just provide "contact tracing" with beacons in stores rather than always-on phone tracing.

let's not lose our heads, and our rights, over this.


> contact tracing only makes sense when groups of strangers come into close proximity. it doesn't need to track every single person you brush past on the street. so for instance, you could just provide "contact tracing" with beacons in stores rather than always-on phone tracing.

The part of this comment that actually addresses contact tracing proposes a method (beacons in stores that would have to rely on fixed identifiers, known geolocation, and central storage) that would not only be worse for privacy than what is proposed here, it is also the likely outcome without employing a technique that at least considers privacy concerns.

The other paragraphs read like a compilation of Facebook-based science, where not simply factually incorrect, all points made are debatable and by no means as clear as you make it out to be.

This is an opt-in API and a technical protocol specification which we can discuss on technical grounds. Nothing proposed and discussed here even affects data leaving the end user device, or your rights for that matter, yet.


How can you know the names of the people with beacons in the stores?


you don't need to know the names, just that two bluetooth-enabled devices were in close proximity in a given time window. you'd do all the processing on the device to maximize privacy.

each device would record beacons (which could be fixed, active bluetooth devices rather than just passive beacons) on entry and exit for relevant locations (like grocery stores). you'd tell your device when you got symptoms and give permission to upload the relevant location/time pairs (but no personal id) in the last N days to a research database (not hosted by google, amazon, ibm, and the like).

with user permission, other devices would subscribe to such data for a given region(s), which would be downloaded periodically to the device. the device would then determine if you've had any crossings with known location/time pairs and alert the user.

no need to share extraneous personally identifying info with giant third-parties and potentially with (hidden) state actors. this cuts apple and google out of the data collection game, especially from making it part of the underlying OS, which is particularly dangerous.


About time, we need it now!


it is just shockingly important that we come out of this _without_ a dystopian nightmare of a surveillance state.

That Apple's involved in this is hopeful -- their earlier work on anonymizing Maps.app directions is well worth thinking about here. tl;dr your route is broken up into n chunks, each chunk gets a uuid that isn't tied to your handset, and so serverside nobody knows where Bob's iPhone just asked to go. [0]

Doing this kind of "differential privacy" or whatever we want to call it today properly is very hard, but it is also very, very important to get right.

[0] https://www.idownloadblog.com/2019/03/13/apple-maps-navigati...


The question is when we get out of this, what do we do about the existing dystopian nightmare surveillance:

https://twitter.com/MikaelThalen/status/1243281598037913600

Look how fancy the UI is!


I am hoping that Apple being involved will keep this as privacy respecting as it reasonably can be given what it is doing.

I am generally someone that takes privacy very seriously, I mostly avoid Google products and others for this reason.

But... this may be a time that the privacy concerns are worth loosening a bit for the good of this. But that comes with the caveat that I hope this is disabled when this is all done, and preferably the code removed completely. I trust Apple to do this, not sure if I would trust Google too.


> But... this may be a time that the privacy concerns are worth loosening a bit for the good of this. But that comes with the caveat that I hope this is disabled when this is all done, and preferably the code removed completely.

Any right you're willing to give up now, you've demonstrated a willingness to give up. You won't get it back. Either it'll remain lost forever, or it'll be used as evidence for a future proposal to take it away permanently (rhetoric: you agreed to it for X, and clearly any person who isn't morally bankrupt values Y over merely X; you're not morally bankrupt are you? And the need for Y will never go away...).

By all means, let's carefully give people tools to supplement their memory, to help people voluntarily notify others who need to be tested. Let's not, however, make that information available to anyone other than the owner of the device.


I mean, I agree to a point.

The problem is, what's the better option right now? Clearly the measures that are being taken are not actually working, people are still being infected and the ability to track the person you happen to walk past or stand next to waiting for your pickup.

I am conflicted about this... but as of right now I also feel like it's necessary.


I don't understand this absolutist mindset. It doesn't have to work this way. We can have, say, the draft - an absolutely whopping restriction on civil liberties - during WWII but get rid of it when it's no longer needed.


(From a UK perspective, though I now live in the USA):

Can anyone think of a recent situation where the UK government has given back a power it has temporarily taken? This is a genuine question - I cannot. The closest was a stand taken by David Davis against 90-day detention without charge during the Blair administration (though he has since proved rather more illiberal than this position would suggest).

In the UK at least, while it might not _have_ to work that way, in practice it does.


We haven't gotten rid of it, it still exists. It just isn't being used right now. Getting rid of it would be to abolish it entirely, and instead require people to voluntarily consent in the future. (And if you can't get people to agree to it, perhaps that should tell you something.) "needed" isn't even a factor here.

An involuntary mechanism for contact or location tracing that's accessible to governmental authorities without the consent of the user is a civil rights violation, whether it's being actively used at the moment or not.


> It just isn't being used right now.

The American public exercised their power to elect politicians who'd end the draft as the Vietnam War got progressively more unpopular. It's well within our powers, if we care enough.


If you care enough, sure. But a draft during war times is something very concrete and threatening.

This is something covert, like secret courts, unconstitutional data collection, manipulating the stock market for the 1%.

You won't get people to care once a new, barely visible leash is entrenched.


Is it, in fact, "well within our powers", or do you just believe it is? I don't, in general, believe "we could take this power away from government if we wanted to" is true without an existence proof.


> Is it, in fact, "well within our powers", or do you just believe it is?

Public opposition ended the Vietnam War and the draft. It would be political suicide to reactivate it barring a full-scale world war.


I wish we’d just stick with flatten the curve and get on with our lives :-(


Won't work. Lockdowns are like trying to hold your breath for a year. You have to give it up once most of the country is unemployed, or everyone will starve, and eventually infections will be flattened but still not zero.


So those of us without cell phones or with cell phones that we don't activate, we can definitely opt out of the tracking and this will be respected forever without exception through a constitutional privacy amendment, right?

Also we're all going to continue to be "allowed" to turn off bluetooth to save on battery right? (Spoiler: no, the system only works if it's bluetooth on all the time for everyone no exceptions even though bluetooth is absolute low quality poorly engineered garbage as a technology.)

And those of us who are brainless and perfectly compliant sheeple obeying everything the government and media tells us without questioning or rational thought will be allowed to keep our old cell phones with the previous obsolete bluetooth standards correct and not be forced to buy a very expensive brand new phone we don't really need and can't afford, even though that severely damages the ability of the powers that be to mitigate the latest crisis they have intentionally created, right? (Ha ha ha.)


It's quite horrible if it becomes a standard API. What a gold mine it is for ad business to be able to tell which groups of people are together. It can be used to track 'idea spreading' as well.


Sounds like this will only be available for approved public organizations.

> First, in May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores.


Of course it’s potentially rife with abusive power. And we need to make sure that this is a very temporary thing (admittedly it’s hard to put the genie back in the bottle). That said, you can’t advertise to the dead. There’s a very real need here, and some governments are off doing this on their own anyway. I do believe that at least Apple and Google combined can come up with a solution that has some amount of privacy protection that a state actor would never bother with themselves.


> admittedly it’s hard to put the genie back in the bottle

On iOS, entitlements?


I meant that once this capability is out there, people will point to it and say “see it can be done. Now do this, it’s law.”


The whole point of this is to not enable these abuses, see https://covid19-static.cdn-apple.com/applications/covid19/cu...

The nefarious ad actor can do far more with the existing stack.


Wait what.. Apple and Google devices can ping over Bluetooth? Clearly an apocalypse sign


BLE works between iOS and Android, why wouldn’t it? It’s a standard 2.4 GHz radio protocol.

The thing created here is a standard BLE characteristic that says I’M PERSON X and your phone is always looking for PEOPLE and recording when it sees them... then uploading that to Google and Apple.

You can decide for yourself if a contact recording system could ever be abused.


Sorry for that, but sharing files between iOS and Android wasn’t possible, that is my point


This contact tracing has nothing to do with “sharing files”.


Please refer to the BlueTrace and iOS bluetooth issues, now Apple is willing to open up .. https://abe-winter.github.io/2020/04/10/leaky.html


Again... you seem to be confusing BLE and beacons (non-connectable advertising packets) with “file transfer”.


I just can't wait to see this being turned against us.


All those actions look unprofessional and chaotic. Why not use cellphone data? Surveillance needs to use their power to track down cases and contacts. They're doing that anyway, why not leverage that? Call it emergency whatever.


Cellphone data is not precise enough.


I have never carried a cell phone (smart or otherwise) in my life. I leave my dumb phone at home or take the battery out. I hope that these tracking bracelets which others voluntarily carry will not be forced and required in the future.


It’s odd that the folks picking this apart looking for surveillance risks don’t seem to be one-tenth as bothered by Facebook censoring wackos (and indeed anyone determined to be guilty of wrong-thinking), or you know, the government literally arresting people for leaving their houses.


This is a fallacy. You don't know how people commenting on this thread think about other topics. Just because there are worse (apparently to you) things happening, doesn't mean you can't be critical of contact tracing.


I guess so, but you gotta pick your battles!


We learned so little after 9/11, we still live with TSA security-theater nightmare to this day (ironically now spreading covid19 with their groping and concentrating crowds into small spaces)

So now this nightmare is going to give historical tracking data to government entities without warrants forever.

And Barr is going to get encryption backdoors with his theater.

How about just making a test that costs a few cents in million quantities that you can take at home. It won't be the last time we need that tech for a virus.


I built https://sneezemap.com/?zone=eyJjZW50ZXIiOlszNi4zODU5MTI3NzI4.... - a crowdsourced Covid-19 symptoms tracker & forecasting system with over 15000 participants. 100% anonymous from day 1.


For the last 4 years I've read a constant stream of articles about how "This will be the end of our democracy", "Democracy is under threat!", etc.

If we as a society agree to ubiquitous, mandatory location tracking and a complete suspension of the right to assembly in response to this virus then we never deserved a democracy in the first place.


Did you read about it? This isn't that.


What part? Deriving location from contact tracing is trivial. The fact that it's being discussed as opt-in? If participating in society requires that you "opt-in" then what about it is really opt-in?


The part about how it works. Once you've read that (here's a link: https://covid19-static.cdn-apple.com/applications/covid19/cu...), can you describe to me how you'd track individuals with it?


For starters, I would assume that most people's daily rotating keys could easily be fingerprinted based on identifiable patterns of movement that could be picked up by any number of municipal devices people come into contact with throughout the day.

In order for contact tracing to work as advertised, each person's device has to keep a log of daily ids that they contacted that has a TTL of at least a few weeks. That means that whenever a law breaker gets arrested, law enforcement would be able to confiscate their device and be able to construct a list of everyone that they've been in contact with in the last few weeks.


The Daily Tracing Key cannot be "easily fingerprinted" since it does not leave the device (see page 5). Your LE threat model seems like grasping at straws, the majority of users already have location services enabled anyway, people breaking the law would have to change exactly nothing from the common practice of not bringing your phone when committing crimes.


I misspoke. I meant to say the rolling proximity identifier could be tracked and fingerprinted.

Furthermore, it's not the same as a phone's location implicating you in a crime. It's a persistent log of your in-person social network that can be reverse engineered every time you get arrested or go through customs at the airport.


The rolling proximity identifier is short-lived and put through a non reversible cryptographic hash function to prevent exactly that, same page. You're not going through airports in a pandemic, after which you can uninstall whatever app you're using in this crisis.
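
As an added illustration of the key schedule argued over in the comments above (not code from any commenter, Apple or Google): the sketch derives a Daily Tracing Key and rolling proximity identifiers, then matches a published daily key against what another phone logged. The `CT-DTK`/`CT-RPI` labels, field encodings and 144 ten-minute intervals are assumptions taken from the April 2020 draft spec; the keys and day number are constructed.

```python
import hashlib
import hmac
import struct

def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def daily_tracing_key(tracing_key, day_number):
    # Assumption (draft spec): info = "CT-DTK" || day number as uint32 little-endian.
    info = b"CT-DTK" + struct.pack("<I", day_number)
    return hkdf_sha256(tracing_key, None, info, 16)

def rolling_proximity_id(dtk, interval):
    # Assumption (draft spec): HMAC-SHA256(dtk, "CT-RPI" || interval), first 16 bytes.
    return hmac.new(dtk, b"CT-RPI" + bytes([interval]), hashlib.sha256).digest()[:16]

def match_diagnosis_key(dtk, observed_ids):
    """Re-derive the day's 144 ten-minute identifiers from a published daily
    key and return the intervals at which this device heard one of them."""
    return [j for j in range(144) if rolling_proximity_id(dtk, j) in observed_ids]

# Constructed sample data: two 32-byte tracing keys and one day number.
ALICE_TK = bytes(range(32))
BOB_TK = bytes(range(32, 64))
DAY = 18362
ALICE_DTK = daily_tracing_key(ALICE_TK, DAY)
BOB_DTK = daily_tracing_key(BOB_TK, DAY)

# What a third phone logged over Bluetooth: opaque 16-byte values only.
OBSERVED = {
    rolling_proximity_id(ALICE_DTK, 50),
    rolling_proximity_id(ALICE_DTK, 51),
    rolling_proximity_id(BOB_DTK, 51),
}

if __name__ == "__main__":
    for rpi in sorted(OBSERVED):
        print(rpi.hex())                               # no visible link between them
    print(match_diagnosis_key(ALICE_DTK, OBSERVED))    # Alice reported positive
    print(match_diagnosis_key(BOB_DTK, OBSERVED))      # only if Bob's key is published
```

Under these assumptions the logged identifiers cannot be grouped by sender until a daily key is published; once it is, every identifier derived from that key for that day becomes linkable by anyone who recorded it.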


I know on HN we are not supposed to allege that someone hasn’t read TFA, but please, could you read the spec and then give some details on how to (“trivially”) derive location from the contact tracing as described?


Why is this API even necessary? Isn't every individual with a smart phone already tracked de facto?

Why add a technological fig-leaf to what is by now a deplorable privacy situation? Just roll with it, change whatever laws need to be changed, and be done with it. The data collection capabilities already exist to do contact tracing, it seems.


Why is this needed? And why would I sign up for it, esp. knowing how much they both know about me already? The text doesn't tell us why contact tracing is important.

- Did contact tracing apps really save anything in Singapore/Taiwan/Israel?

- Is Sweden really doing that bad without this kind of surveillance?

- What is tracing going to help anyway? It will warn people to go to the hospital early? To do what? There is no cure and they'd better stay away from infection nests like hospitals anyway. It's not like people don't get symptoms days before they need hospitalization.

- Is tracing really going to be workable? This is a highly infectious virus, and people networks have very short path length, which means that, without social distancing, 100% of the people will get notified that they might have been infected in any day.

- This data does not need to reach anyone's servers. Infected people could just publicly and anonymously upload their location in a public server for other users to crosscheck. The less data are hidden behind walls, the less chance of abuse.

Even if tracing might slow down the curve, this slowdown shouldn't last forever and it should be targeted, not anonymous. It is important that the spread speeds up in the parts of the population that carry less risk (children, women). There is really no good way to do that other than specific, local measures of SD.

It would be very different if these phones had a thermometer, but I think some regulator removed them.



