Exposure Notification - Cryptography Specification v1.2:
The revision history of Cryptography Specification:
v1.2 - April 29, 2020
• Renamed EKRollingPeriod to TEKRollingPeriod.
• Renamed Associated Metadata Encryption Keys to Associated Encrypted Metadata Keys.
• Made grammatical corrections.
v1.1 - April 23, 2020
• Renamed “Contact Tracing” to “Exposure Notification” throughout the document.
• Temporary Exposure Keys (previously known as Daily Tracing Keys) are now randomly generated and no longer derived.
• AES is now used instead of HMAC<SHA256> for improved performance.
• Encryption of associated metadata is now provided.
• Reformatted the title page and table of contents for consistency across documents.
I once did a hackathon where we used ShotSpotter to generate an array of house addresses that should be prioritized after a shooting occurs. The idea was to connect students and parents who witnessed gun violence with community resources (i.e. not just the cops) that could provide guidance and therapy. This same protocol could be adapted to notify everyone "exposed" to the shooter's phone and provide those resources on the fly.
One other semi-dystopian possibility is using the protocol to apprehend criminals. Most people would not accept real-time location tracking by the government, and so such functionality is out of the question (or at least not publicly available to the majority of citizens, local LEO included). However, what if the police could go to Apple and Google and ask them to "blacklist" your phone, so that everyone around you gets a notification with your description, alleged crime, and cash reward? Your phone becomes a walking WANTED poster. And of course, they'd start with AMBER alerts first, and maybe work their way down to trespassing and petty theft. Which is not to say that this world would be far worse off than it is now, but it will be different.
Going further, how many ways can we come up with to use this as a way of swatting someone else?
nth-order consequences matter.
Sure, you could also just turn the phone off completely. The problem is that you'll need a phone eventually, and buying a new one would be a no-no if the Feds are watching your bank account (which is more or less accepted practice at this point). Even if you manage to secretly get a new phone, all it takes is one person to report you to burn that one too. Having a cyber-warrant out for your arrest effectively bans you from owning any smartphone ever again.
Now that would be a very white Christmas.
For this to work, the government would need to know which one is your phone, defeating the privacy purpose. This wouldn't be a problem for AMBER alerts, as family members would willingly provide it.
However, my main concern is that this would lead to mob justice; you'd have a walking "hit me with a bat" poster.
Regardless, the fact that no location is revealed will make it hard for manual resolution of false positives. On the other hand, if location was revealed, likely fewer people would opt-in, so there are both advantages and disadvantages of not using location at all.
Looking at the Android API docs, it looks like Google does not trust government apps and so provides only limited data and alerts the user with a popup when the app asks for information.
It's not clear why Google doesn't provide the UI themselves, although maybe they intend to do so at a later time?
I guess it's possible to mitigate this attack through controls in the app that reports, but that doesn't stop a rogue developer using a test app, unless even they are prevented from accessing the APIs without approval.
Sure you can't publish an app that does this, but unless I'm mistaken, you can access any API you want in your own dev setup, or on a jailbroken phone.
What stops a malicious actor from triggering the API in a dev or jailbroken environment?
Server side authentication stops this.
Sure a jailbroken device can call whatever local APIs they want, but to have a non-local effect you have to update some centralized server where the list of infected keys/users is stored for downloading by other devices. Given that, it's straightforward for the server to require some admin-level credential specific to their service.
The source of truth for covid-19 positive devices/keys is still centralized and gatekept by each state/national agency's contact tracing service. (But identity/location info isn't centralized)
> This entitlement is limited to government health organizations or developers who have been endorsed and approved by a government health organization. Please make sure to read the Exposure Notification documentation before submitting your information.
And there’s a form where you provide the relevant information. Presumably there is some mechanism to validate this.
I don’t know about the Google side.
I can't imagine say, China, not demanding to be able to use this API for whatever purposes they want and if Apple/Google says no they'll just say "fine, get out of China". I also can't imagine the US government and/or state and local police won't also come knocking eventually.
Of course we should do what's right for the COVID issue but I think this is clearly a foot-in-the-door moment.
No. Not sure what people aren't getting about this, but governments have always been able to pressure Apple and Google (and they've been doing it all along). The existence of this API changes nothing.
And when governments do pressure Apple and Google, it isn't for this API, BTW. They want much more useful and immediate information than this API provides.
Because if you can test with any API you want, what stops you from making an app in your dev environment and triggering the API?
Besides, the public is led to believe that no location identification (direct or derived) is possible, so on the basis of that 'sitting outside the hospital all day' should not be identifiable, right?
As for taking out a directed 'hit', that will certainly not show.
"In another series of screenshots, the companies show how the apps will likely work when a user is diagnosed as Covid-19 positive. As Apple and Google had suggested earlier, they'll require users to enter a unique code provided by health care providers or a Covid-19 testing lab before allowing them to declare themselves as infected, since otherwise trolls or mistaken self-diagnoses could flood the system with false positives."
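The server-side gate described in the comments above (a jailbroken device can call any local API, but keys only reach other devices once the central server accepts them, and acceptance requires a code issued by a health provider) can be modelled as follows. This is example code written for this page, not Apple's or Google's reference server; the 16-byte key size, the 144-interval TEKRollingPeriod and the 14-key limit are assumptions taken from the published spec, and the code format and lifetime are invented.

```python
import secrets
import time

# Assumed parameters: a Temporary Exposure Key is 16 random bytes, its rolling
# period is counted in 10-minute intervals (144 per day), and a diagnosis
# covers at most the last 14 days of keys.
TEK_LEN = 16
TEK_ROLLING_PERIOD = 144
MAX_KEYS_PER_UPLOAD = 14
CODE_TTL_SECONDS = 24 * 3600   # invented lifetime of a verification code


class DiagnosisKeyServer:
    """Minimal model of the central diagnosis-key server.

    Any app can call the local Bluetooth/key APIs, but a key is only
    distributed to other devices after it passes this gate, and the gate
    requires a live, single-use verification code from the health authority.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}      # unused verification code -> expiry timestamp
        self.published = []   # diagnosis keys accepted for download

    def issue_code(self):
        # Called by the health authority after a confirmed positive test.
        code = secrets.token_urlsafe(8)
        self._codes[code] = self._now() + CODE_TTL_SECONDS
        return code

    def submit_keys(self, code, teks):
        # teks: list of (key_bytes, rolling_period). Reject anything not
        # backed by a live, unused code, validate the key material, and
        # consume the code so a captured upload cannot be replayed.
        expiry = self._codes.get(code)
        if expiry is None or expiry < self._now():
            return False
        if not 0 < len(teks) <= MAX_KEYS_PER_UPLOAD:
            return False
        for key, period in teks:
            if not (isinstance(key, bytes) and len(key) == TEK_LEN):
                return False
            if not 0 < period <= TEK_ROLLING_PERIOD:
                return False
        del self._codes[code]
        self.published.extend(teks)
        return True
```

A rogue test app running on a developer device can exercise everything below this gate, but without a code from the health authority its keys are never published.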
Also likely this gets baked in with a vendor app (like Apple's Health) and doesn't rely on 3rd parties if it's going to be part of life for the foreseeable future. Maybe opt-in like the "Emergency Alerts" notification functionality?
It's not clear at all from the write up.
You'll need to wait for your local health jurisdiction to make their official app.
I also remember reading something about Apple and Google only allowing 1 app per country (or more with special permission, I'm guessing 1 app per US state or something like that).
At that point one app will cover 1/2 the US population, and there is a good chance many other states would just adopt that one app.
But you're right, it would be nice if there were some authority one level up that could coordinate this.
Imagine you go into an average grocery store with 100 average Americans. What percentage of people in that store have this app on a phone in their pocket?
20% of Americans don’t even own a smartphone. Some non-zero percentage have old phones that won’t work, keep their phones at home, don’t use Bluetooth, don’t know what Bluetooth is, don’t want to use this, don’t trust this, and on and on and on.
In Singapore that grocery store would have had approximately 20 contact tracing app users and 80 non users.
The end result of this will be....
1. No confidence that when you receive an alert that you were actually in contact with someone who had Covid. Could have been a troll, someone in a car next to you, a neighboring apartment, etc.
2. No confidence that you weren’t in contact with someone who had Covid.
The end result for every user will be the same ambiguity we live with now.
We need human contact tracing with real, trained, people making phone calls to other real people based on actual diagnoses of Covid. Not some Silicon Valley pipe dream waste of time that unnecessarily gives people a false sense of hope. This contact tracing app idea will NEVER work in the US.
20% of Americans are children. According to most recent estimates, there are 270.66 MM smartphone users in the US — roughly 82%. Assuming that literal toddlers and poor teenagers do not have smartphones, the vast majority (easily 90+%) of American adults are smartphone users.
You also only need ~60% of contacts for contact tracing to be effective.
That's out of ~330 million US citizens for a rate of ~76%. Toddlers, children, and poor teenagers are people that also exist and can be in a grocery store as asymptomatic carriers of coronavirus. I was generous and went with 80%.
Your second link is just a study that suggests contact tracing COULD work. But the fact that something could work in theory doesn't mean it will work in practice. I don't know where you got your 60% number from because that number isn't mentioned in that study. I don't think it matters anyway because we won't get anywhere near 60%.
Singapore tried this idea and they made it voluntary just like it is being made voluntary in the US. 20-25% of people used it. Now they are trying to make it involuntary by forcing businesses to scan phones at entrances to businesses, schools, and healthcare facilities. Do you really think Americans will accept this? No way. I doubt the legality of this approach in the first place.
It would take Donald Trump signing a law to get to 60%. People want this to work because it makes them feel better. Reality has other ideas.
Okay sure, but nit-picking that number doesn't change the core argument: you only need 60% for contact tracing to work, according to the most recent research. Remember that the goal here isn't to ensure that NOBODY gets COVID, it's to drive R0 down to < 1. People in grocery stores will still be exposed, but if R0 < 1, then the disease will eventually die out.
> Your second link is just a study that suggests contact tracing COULD work. But the fact that something could work in theory doesn't mean it will work in practice. I don't know where you got your 60% number from because that number isn't mentioned in that study. I don't think it matters anyway because we won't get anywhere near 60%.
You need to read the full article before attempting to refute it, but I'll help you out.
"The efficacy of contact tracing (the y axis of Fig. 3) is the square of the proportion of the population using the app, multiplied by the probability of the app detecting infectious contacts, multiplied by the fractional reduction in infectiousness resulting from being notified as a contact."
I've taken a screenshot of the diagram for you: https://imgur.com/ZXPLLxk
The solid black line shows the threshold for epidemic control.
While you're right that the paper doesn't claim that it is CERTAIN to work, nobody is sure. In fact, it's odd to me that you are so positive that it WON'T work. "This has absolutely no chance of working in the US." Even scientists don't make claims like this with that level of comical confidence.
> Singapore tried this idea and they made it voluntary just like it is being made voluntary in the US. 20-25% of people used it. Now they are trying to make it involuntary by forcing businesses to scan phones at entrances to businesses, schools, and healthcare facilities. Do you really think Americans will accept this? No way. I doubt the legality of this approach in the first place.
> It would take Donald Trump signing a law to get to 60%. People want this to work because it makes them feel better. Reality has other ideas.
Okay but what happens when Apple and Google build this into the operating system, and contact tracing is always on, like the bluetooth radio, the push notification service, or OS-level location services?
66% of respondents said they would not use a contact tracing app developed by a tech company. The remaining 33% may give it a go before they find out how worthless it is and then it will likely settle into the same levels of adoption as Singapore.
This is obvious to I guess everyone outside of HN and Silicon Valley.
There is nothing stopping Apple and Google from rolling this out in the OS, and they've both confirmed that they intend to do this.
"Later this year, Apple and Google will include the tool in software updates, meaning users can log contacts without having to download an app."
They have every right to make it involuntary if they want to, and the only recourse users have is to decide to stop using iPhones or Androids. I'm sure there will be some people that choose to do that, but not nearly enough to keep adoption below the necessary 60%.
They aren’t doing this and have said that they never will. It will be purely voluntary.
Are you even going to attempt to refute the absolute failure of this app in Singapore?
You're really into the authoritative claims, aren't you? :)
They seem to disagree with you: https://www.reuters.com/article/us-health-coronavirus-apps-f...
There is absolutely nothing preventing Apple & Google from turning this on for everyone, at least in the US. To the extent that they've said that they "never will", it's a glorified pinky promise. If it's economically in their best interests for R0 to drop down to < 1, then there is nothing structurally preventing them from rolling out OS updates with this on by default.
> Are you even going to attempt to refute the absolute failure of this app in Singapore?
It's irrelevant if Apple and Google turn this on by default, making it de facto compulsory.
> It is not clarified what [the metadata] will contain and who will have access to it, so let’s try to guess.
At the least, I would want Apple/Google to fully disclose these technical details before I would accept its terms & conditions. If they even put their logic in an open source format (i.e. GitHub), I would feel more comfortable. Google is a much worse player in the game of "making money from users by tracing their every move" than Apple.
The framework itself has to be implemented by them because it is part of iOS (in Apple's case) or Android Services (in Google's).
The apps themselves are being implemented by 3rd parties.
There will always be critics but it's hard to see how they could have rapidly developed this much better.