Review of New Apple and Google Contact Tracing Protocol (medium.com)
91 points by evger 11 days ago | hide | past | web | favorite | 61 comments

Documentation on the Apple site:

https://developer.apple.com/documentation/exposurenotificati...

https://www.apple.com/covid19/contacttracing/

Exposure Notification - Cryptography Specification v1.2:

https://covid19-static.cdn-apple.com/applications/covid19/cu...

The revision history of Cryptography Specification:

v1.2 - April 29, 2020

• Renamed EKRollingPeriod to TEKRollingPeriod.

• Renamed Associated Metadata Encryption Keys to Associated Encrypted Metadata Keys.

• Made grammatical corrections.

v1.1 - April 23, 2020

• Renamed “Contact Tracing” to “Exposure Notification” throughout the document.

• Temporary Exposure Keys (previously known as Daily Tracing Keys) are now randomly generated and no longer derived.

• AES is now used instead of HMAC<SHA256> for improved performance.

• Encryption of associated metadata is now provided.

• Reformatted the title page and table of contents for consistency across documents.


One of the interesting side effects of this is what happens after the pandemic is over but the technology is still implemented. What other things could be worth tracking?

I once did a hackathon where we used ShotSpotter to generate an array of house addresses that should be prioritized after a shooting occurs. The idea was to connect students and parents who witnessed gun violence with community resources (i.e. not just the cops) that could provide guidance and therapy. This same protocol could be adapted to notify everyone "exposed" to the shooter's phone and provide those resources on the fly.

One other semi-dystopian possibility is using the protocol to apprehend criminals. Most people would not accept real-time location tracking by the government, and so such functionality is out of the question (or at least not publicly available to the majority of citizens, local LEO included). However, what if the police could go to Apple and Google and ask them to "blacklist" your phone, so that everyone around you gets a notification with your description, alleged crime, and cash reward? Your phone becomes a walking WANTED poster. And of course, they'd start with AMBER alerts first, and maybe work their way down to trespassing and petty theft. Which is not to say that this world would be far worse off than it is now, but it will be different.


In the semi-dystopian scenario: Supposing I'd committed some crime likely to attract that level of tracking/response... How long do you think I'd actually walk around with that phone? Or would I be more likely to dump it/leave it in some random taxi?

Going further, how many ways can we come up with to use this as a way of swatting someone else?

nth-order consequences matter.


> How long do you think I'd actually walk around with that phone?

Sure, you could also just turn the phone off completely. The problem is that you'll need a phone eventually, and buying a new one would be a no-no if the Feds are watching your bank account (which is more or less accepted practice at this point). Even if you manage to secretly get a new phone, all it takes is one person to report you to burn that one too. Having a cyber-warrant out for your arrest effectively bans you from owning any smartphone ever again.


I'm more entertained by the notion of having the LE chase after some car performing a random-walk around the countryside... :)

> what if the police could go to Apple and Google and ask them to "blacklist" your phone, so that everyone around you gets a notification with your description, alleged crime, and cash reward? Your phone becomes a walking WANTED poster.

Now that would be a very white Christmas.

For this to work, the government would need to know which one is your phone, defeating the privacy purpose. This wouldn't be a problem for AMBER alerts, as family members would willingly provide it.

However, my main concern is that this would lead to mob justice; you'd have a walking "hit me with a bat" poster.


On April 24th 2020 Apple & Google announced a new version of the Apple & Google Contact Tracing Protocol, which they programmed in a joint effort. Now it’s to be called “Exposure Notification Technology”, since this name better describes the nature of the protocol. On April 29 Apple released the first iOS 13.5 beta implementation of the protocol. This beta version targets developers for API testing and collecting feedback. Access to the API will be limited to apps authorised by public health authorities. This update is a reaction to the criticism (most of which was baseless) as well as several technical changes implemented in versions 1.1 and 1.2 of this protocol. We are going to discuss these changes in this article.

One possible deficiency is that the time of the possible exposure is not revealed, which may make it hard for manual vetting. Only the date is revealed.

Regardless, the fact that no location is revealed will make it hard for manual resolution of false positives. On the other hand, if location was revealed, likely fewer people would opt-in, so there are both advantages and disadvantages of not using location at all.


Which is why I am confused. What stops a person from having 2 phones? 1 at home, so when they need to go to an institution that requires tracing verification, they use the other device they know is clean. Unless the primary you use will automatically broadcast to that one? But what stops a user from turning your daily off? Unless BLE can communicate even when off?

I'm not sure if you understand, but your phone keeps a record of when it encountered other users who were infected, and the time of contact as well. If another user becomes sick, we can assume they were contagious for the whole day.

I mean when the exposure occurred. I reviewed the API, and it seems that it only gives the date. So, if we want to try to manually vet false positives, such as through drywall, etc., it may be harder.

Your device can and probably should save the time and location if available at which rolling identifiers are received along with the rolling identifiers.

In my review of the API, it seems that that information cannot be retrieved.

This is an API issue, not a protocol issue.

Looking at the Android API docs, it looks like Google does not trust government apps and so provides only limited data and alerts the user with a popup when the app asks for information.

It's not clear why Google doesn't provide the UI themselves, although maybe they intend to do so at a later time?


It seems to me one attack vector that they aren't accounting for is the person who maliciously uploads a fake positive diagnosis, causing unnecessary panic and possibly wasteful extra testing.

I guess it's possible to mitigate this attack through controls in the app that reports, but that doesn't stop a rogue developer using a test app, unless even they are prevented from accessing the APIs without approval.


That is why this protocol is only allowed to be used by local official governments where they would have access to test data; each person needs to add an id to declare themselves positive, and it is matched against the Covid test db.

I think people are missing my point.

Sure you can't publish an app that does this, but unless I'm mistaken, you can access any API you want in your own dev setup, or on a jailbroken phone.

What stops a malicious actor from triggering the API in a dev or jailbroken environment?


> What stops a malicious actor from triggering the API in a dev or jailbroken environment?

Server side authentication stops this.

Sure a jailbroken device can call whatever local APIs they want, but to have a non-local effect you have to update some centralized server where the list of infected keys/users is stored for downloading by other devices. Given that, it's straightforward for the server to require some admin-level credential specific to their service.

The source of truth for covid-19 positive devices/keys is still centralized and gatekept by each state/national agency's contact tracing service. (But identity/location info isn't centralized.)


Literally a password page, that the hospital logs into before uploading the infected IDs. Or public key encryption. I think you should read the white paper.

I think that still leaves the question of how you enforce that.

Key export can be done out of band technically. Doesn’t even have to be through API requests from app.

One way is one-time PIN number, valid for 30 seconds. Provided by a public health authority.

On the iOS side you have to apply to Apple for the entitlement to use the API.

> This entitlement is limited to government health organizations or developers who have been endorsed and approved by a government health organization. Please make sure to read the Exposure Notification documentation before submitting your information.

And there’s a form where you provide the relevant information. Presumably there is some mechanism to validate this.

I don’t know about the Google side.


So it sounds like Apple (and Google) just made it very clear to every government where to ask to spy and by enabling the spying there's no more denying "we can't do that" since they clearly are doing it.

I can't imagine say, China, not demanding to be able to use this API for whatever purposes they want and if Apple/Google says no they'll just say "fine, get out of China". I also can't imagine the US government and/or state and local police won't also come knocking eventually.

Of course we should do what's right for the COVID issue, but I think this is clearly a foot-in-the-door moment.


> where to ask to spy ... clearly a foot in the door moment.

No. Not sure what people aren't getting about this, but governments have always been able to pressure Apple and Google (and they've been doing it all along). The existence of this API changes nothing.

And when governments do pressure Apple and Google, it isn't for this API, BTW. They want much more useful and immediate information than this API provides.


I'm not super familiar with iOS app development. Do you need to get entitlement just to test the API? Or only to publish an app using that API?

Because if you can test with any API you want, what stops you from making an app in your dev environment and triggering the API?


If your app is trying to use an API needing special entitlement (without having it), it will not be accepted to the App Store.

Are you saying “login screen exposed to web means it’s compromised”?

Why fake? Just roam with your phone through as many busy locations as you can. Better yet (but statistically entirely optional), get within (boosted) BTLE range of known positives (offers available, lowest prices in your region, guaranteed two weeks of work or money back! 100% safe!) first (Ten tips on shutting down your competition without lifting a finger!)

The NHS model accounted for these attack vectors by saying that on the server-side they would do some risk modelling to try and identify bad actors and stop those reports from being sent out to 'exposed' users. Specifically, they used an example of someone sitting outside a hospital all day.

I think it is naive to assume they can 'catch' these cases. BTLE radio ranging, which can be manipulated by numerous factors outside the phone, and actual infection risks can easily be decoupled (and correlation is even strenuous at best). So just acting as one of the 20% of people that are completely callous and oblivious to the consequences of their actions, just wearing proper PPE, would be sufficient cover.

Besides, the public is led to believe that no location identification (direct or derived) is possible, so on the basis of that 'sitting outside the hospital all day' should not be identifiable, right?

As for taking out a directed 'hit', that will certainly not show.


You need a code to mark yourself as infected.

But where do the codes come from? How does a legit user get a code?

From Wired[1]:

"In another series of screenshots, the companies show how the apps will likely work when a user is diagnosed as Covid-19 positive. As Apple and Google had suggested earlier, they'll require users to enter a unique code provided by health care providers or a Covid-19 testing lab before allowing them to declare themselves as infected, since otherwise trolls or mistaken self-diagnoses could flood the system with false positives."

[1] https://www.wired.com/story/apple-google-covid-19-contact-tr...


Thanks. So it sounds like they at least took it into consideration.

From what I've read online it seems like hospitals and healthcare organizations will have the ability to generate codes. After a doctor thinks you could possibly be infected they will provide you with a code.

Ok but there must be a code generation API. Presumably you'd need an app to access that API. How is access to that API controlled?

The code generation code is not on the phone. It's on the server, which is controlled by the public health authorities.

I can easily see specific hardware being included in future devices to support improved contact tracing – especially if COVID-19 becomes endemic. That could be new low-power proximity detection hardware, or extensions to BTLE protocol and hardware.

Also likely this gets baked in with a vendor app (like Apple's Health) and not relying on 3rd parties if it's going to be part of life for the foreseeable future. Maybe opt-in like the "Emergency Alerts" notification functionality?


Is this API opt-in or opt-out by the user of the device? Or does the app installed by the user determine that?

It's not clear at all from the write up.


> Each user will have to make an explicit choice to turn on the technology. It can also be turned off by the user at any time.

https://covid19-static.cdn-apple.com/applications/covid19/cu...


Would it be available for the public testing or just developers?

Apple and Google aren't making an app, just a framework apps can use to do contact tracing and exposure notifications.

You'll need to wait for your local health jurisdiction to make their official app.

I also remember reading something about Apple and Google only allowing 1 app per country (or more with special permission, I'm guessing 1 app per US state or something like that)


Yes, in the US, it will be one per state (assuming that there isn't some state that thinks that this sort of thing should be handled by county or municipal health departments). One hopes that there won't actually be fifty separately developed codebases, but that states will pool resources and share the cost and effort of developing apps. If only there were some sort of governmental entity at a level above the states to coordinate these things.

My guess is that the western compact states will share an app, and the eastern compact will share an app, or possibly even coordinate on a single app.

At that point one app will cover 1/2 the US population, and there is a good chance many other states would just adopt that one app.

But you're right, it would be nice if there were some authority one level up that could coordinate this.


The US has turned into a broken version of the EU.

Am I misunderstanding this? My phone would broadcast a daily unique key that could theoretically be used to track my location?

No, the daily key is not broadcast; instead it's used to generate a series of rolling identifiers to broadcast. The rolling identifiers change much more frequently. The daily keys don't leave the device until/unless filing a positive diagnosis report.
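The derivation this reply describes, worked through as an added Go example that is not from the thread and not Apple's or Google's code. It follows the v1.2 Cryptography Specification linked at the top of the thread as I read it: the Rolling Proximity Identifier Key and Associated Encrypted Metadata Key are HKDF-SHA256 outputs of the Temporary Exposure Key with the info strings "EN-RPIK" and "EN-AEMK", each rolling identifier is AES-128 of a padded 10-minute interval number, and the metadata is AES-CTR encrypted with the identifier as IV. The TEK, interval number and metadata bytes are constructed sample values, and the function names are mine. The receiver-side `matches` function is the part that shows the privacy property: a listener who records identifiers cannot link them to each other or to a key, and only once a TEK is published after a diagnosis can any device regenerate that day's identifiers and compare them against what it heard.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// hkdfSHA256 is a minimal RFC 5869 HKDF-SHA256 with an empty salt and a single
// expand block, which is all the 16-byte keys below need. Written here from the
// RFC; it is not Apple's or Google's code.
func hkdfSHA256(ikm []byte, info string, n int) []byte {
	salt := make([]byte, sha256.Size) // RFC 5869: a missing salt is HashLen zero bytes
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(info))
	expand.Write([]byte{0x01}) // block counter for T(1)
	return expand.Sum(nil)[:n]
}

// rollingProximityID derives the 16-byte identifier broadcast during interval
// enin (ENIntervalNumber: 10-minute intervals since the Unix epoch):
// RPIK = HKDF(TEK, "EN-RPIK"); RPI = AES-128(RPIK, "EN-RPI" || 6 zero bytes || LE32(enin)).
func rollingProximityID(tek []byte, enin uint32) []byte {
	rpik := hkdfSHA256(tek, "EN-RPIK", 16)
	block, err := aes.NewCipher(rpik)
	if err != nil {
		panic(err)
	}
	padded := make([]byte, aes.BlockSize)
	copy(padded, "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], enin)
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, padded)
	return out
}

// cryptMetadata encrypts or decrypts the Associated Encrypted Metadata with
// AES-128-CTR under AEMK = HKDF(TEK, "EN-AEMK"), using the RPI as the IV.
// CTR mode is symmetric, so one function serves both directions.
func cryptMetadata(tek, rpi, data []byte) []byte {
	aemk := hkdfSHA256(tek, "EN-AEMK", 16)
	block, err := aes.NewCipher(aemk)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, rpi).XORKeyStream(out, data)
	return out
}

// matches is the receiver-side check: given a TEK published after a positive
// diagnosis and the interval number it started at, regenerate every identifier
// of the rolling period (144 intervals = 24 h) and compare with one that was heard.
func matches(tek []byte, startENIN, period uint32, observed []byte) bool {
	for i := uint32(0); i < period; i++ {
		if bytes.Equal(rollingProximityID(tek, startENIN+i), observed) {
			return true
		}
	}
	return false
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed sample values; a real TEK is 16 bytes from a CSPRNG.
	tek := mustHex("000102030405060708090a0b0c0d0e0f")
	start := uint32(2650000) // constructed ENIntervalNumber
	for i := uint32(0); i < 3; i++ {
		fmt.Printf("RPI[%d] = %x\n", start+i, rollingProximityID(tek, start+i))
	}
	heard := rollingProximityID(tek, start+37)
	fmt.Println("matches published TEK:", matches(tek, start, 144, heard))
	meta := []byte{0x40, 0xC0, 0x00, 0x00} // constructed 4-byte metadata
	aem := cryptMetadata(tek, heard, meta)
	fmt.Printf("AEM = %x, decrypted = %x\n", aem, cryptMetadata(tek, heard, aem))
}
```

Run it with `go run` on a single file. Note what the matching loop implies for the date-only concern raised earlier in the thread: the receiver learns which interval number produced the match, so the time of exposure is recoverable by the framework, even if an API chooses to expose only the day.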

As we know from the Bitcoin wallet problems, generating random private key and verifying that it's random is an extremely hard problem. For this reason I wouldn't use any contact tracing app that is not open source.

You should be happy to know that it's opt in

Yes, you are. The system would track "I was close enough to persons X, Y, Z phone somewhere at some point in time".

This has absolutely no chance of working in the US.

Imagine you go into an average grocery store with 100 average Americans. What percentage of people in that store have this app on a phone in their pocket?

20% of Americans don’t even own a smartphone. Some non-zero percentage have old phones that won’t work, keep their phones at home, don’t use Bluetooth, don’t know what Bluetooth is, don’t want to use this, don’t trust this, and on and on and on.

In Singapore that grocery store would have had approximately 20 contact tracing app users and 80 non users.

The end result of this will be....

1. No confidence that when you receive an alert that you were actually in contact with someone who had Covid. Could have been a troll, someone in a car next to you, a neighboring apartment, etc.

2. No confidence that you weren’t in contact with someone who had Covid.

The end result for every user will be the same ambiguity we live with now.

We need human contact tracing with real, trained, people making phone calls to other real people based on actual diagnoses of Covid. Not some Silicon Valley pipe dream waste of time that unnecessarily gives people a false sense of hope. This contact tracing app idea will NEVER work in the US.


> 20% of Americans don’t even own a smartphone.

20% of Americans are children. According to most recent estimates, there are 270.66 MM smartphone users in the US — roughly 82%[1]. Assuming that literal toddlers and poor teenagers do not have smartphones, the vast majority (easily 90+%) of American adults are smartphone users.

You also only need ~60% of contacts for contact tracing to be effective [2].

[1] https://internetinnovation.org/general/research-peek-of-the-...

[2] https://science.sciencemag.org/content/368/6491/eabb6936


You used the 2022 number for your calculation. The estimated number for 2020 is 257 million and we can assume that is an EOY number so the actual number would be somewhere between 248M and 257M. If we assume absolute linear growth from 2019 the number as of today would be around 251 million.

That's out of ~330 million US citizens for a rate of ~76%. Toddlers, children, and poor teenagers are people that also exist and can be in a grocery store as asymptomatic carriers of coronavirus. I was generous and went with 80%.

Your second link is just a study that suggests contact tracing COULD work. But the fact that something could work in theory doesn't mean it will work in practice. I don't know where you got your 60% number from because that number isn't mentioned in that study. I don't think it matters anyway because we won't get anywhere near 60%.

Singapore tried this idea and they made it voluntary just like it is being made voluntary in the US. 20-25% of people used it. Now they are trying to make it involuntary by forcing businesses to scan phones at entrances to businesses, schools, and healthcare facilities. Do you really think Americans will accept this? No way. I doubt the legality of this approach in the first place.

It would take Donald Trump signing a law to get to 60%. People want this to work because it makes them feel better. Reality has other ideas.


> That's out of ~330 million US citizens for a rate of ~76%. Toddlers, children, and poor teenagers are people that also exist and can be in a grocery store as asymptomatic carriers of coronavirus. I was generous and went with 80%.

Okay sure, but nit-picking that number doesn't change the core argument: you only need 60% for contact tracing to work, according to the most recent research. Remember that the goal here isn't to ensure that NOBODY gets COVID, it's to drive R0 down to < 1. People in grocery stores will still be exposed, but if R0 < 1, then the disease will eventually die out.

> Your second link is just a study that suggests contact tracing COULD work. But the fact that something could work in theory doesn't mean it will work in practice. I don't know where you got your 60% number from because that number isn't mentioned in that study. I don't think it matters anyway because we won't get anywhere near 60%.

You need to read the full article before attempting to refute it, but I'll help you out.

"The efficacy of contact tracing (the y axis of Fig. 3) is the square of the proportion of the population using the app, multiplied by the probability of the app detecting infectious contacts, multiplied by the fractional reduction in infectiousness resulting from being notified as a contact."

I've taken a screenshot of the diagram for you: https://imgur.com/ZXPLLxk

The solid black line shows the threshold for epidemic control.

While you're right that the paper doesn't claim that it is CERTAIN to work, nobody is sure. In fact, it's odd to me that you are so positive that it WON'T work. "This has absolutely no chance of working in the US." Even scientists don't make claims like this with that level of comical confidence.

> Singapore tried this idea and they made it voluntary just like it is being made voluntary in the US. 20-25% of people used it. Now they are trying to make it involuntary by forcing businesses to scan phones at entrances to businesses, schools, and healthcare facilities. Do you really think Americans will accept this? No way. I doubt the legality of this approach in the first place.

> It would take Donald Trump signing a law to get to 60%. People want this to work because it makes them feel better. Reality has other ideas.

Okay but what happens when Apple and Google build this into the operating system, and contact tracing is always on, like the bluetooth radio, the push notification service, or OS-level location services?


Hate to say I told you so, but...

https://www.axios.com/axios-ipsos-coronavirus-week-9-contact...

66% of respondents said they would not use a contact tracing app developed by a tech company. The remaining 33% may give it a go before they find out how worthless it is and then it will likely settle into the same levels of adoption as Singapore.

This is obvious to I guess everyone outside of HN and Silicon Valley.


I'm not really sure what this proves. All it tells us is that majority of Americans will not download a contact tracing app.

There is nothing stopping Apple and Google from rolling this out in the OS, and they've both confirmed that they intend to do this[1]

"Later this year, Apple and Google will include the tool in software updates, meaning users can log contacts without having to download an app."

They have every right to make it involuntary if they want to, and the only recourse users have is to decide to stop using iPhones or Androids. I'm sure there will be some people that choose to do that, but not nearly enough to keep adoption below the necessary 60%.

[1] https://www.reuters.com/article/us-health-coronavirus-apps-f...


> Okay but what happens when Apple and Google build this into the operating system, and contact tracing is always on, like the bluetooth radio, the push notification service, or OS-level location services?

They aren’t doing this and have said that they never will. It will be purely voluntary.

Are you even going to attempt to refute the absolute failure of this app in Singapore?


> They aren’t doing this and have said that they never will. It will be purely voluntary.

You're really into the authoritative claims, aren't you? :)

They seem to disagree with you: https://www.reuters.com/article/us-health-coronavirus-apps-f...

"Later this year, Apple and Google will include the tool in software updates, meaning users can log contacts without having to download an app."

There is absolutely nothing preventing Apple & Google from turning this on for everyone, at least in the US. To the extent that they've said that they "never will", it's a glorified pinky promise. If it's economically in their best interests for R0 to drop down to < 1, then there is nothing structurally preventing them from rolling out OS updates with this on by default.

> Are you even going to attempt to refute the absolute failure of this app in Singapore?

It's irrelevant if Apple and Google turn this on by default, making it de facto compulsory.


I ponder whether Google and Apple (aka Big Brother) should have given this work to another group and promised implementation/integration. I appreciate that your group is working on making it open source but as you pointed out:

> It is not clarified what [the metadata] will contain and who will have access to it, so let’s try to guess.

At the least, I would want Apple/Google to fully disclose these technical details before I would accept its terms & conditions. If they even put their logic in an open source format (i.e. GitHub), I would feel more comfortable. Google is a much worse player in the game of "making money from users by tracing their every move" than Apple.


Google and Apple have collaborated in the open on this, publicly shared specs and taken feedback.

The framework itself has to be implemented by them because it is part of iOS (in Apple's case) or Android Services (in Google's).

The apps themselves are being implemented by 3rd parties.

There will always be critics but it's hard to see how they could have rapidly developed this much better.
