This the main technical documentation document:
All the documentation is here:
They seem to be doing this right, including an attention to the reproducibility of the builds, which IMO is of utter importance in such a sensitive app:
(long story short: Android builds are substantially reproducible, iOS are not because there doesn't seem to be a way to achieve that. They are doing the best they can.)
Edit: I submitted Cov19Tech as a Show HN earlier today:
Timing was relevant, plus different countries also have different regulations that make specific implementations possible or not.
In the middle of this Google and Apple announced their contract tracing framework so some switched once more.
This can be seen clearly in the documents that the italian governmental task force submitted when evaluating the various apps: proponents suggested home grown protocols, reusing existing apps, or deferred to PEPP-PT or DP-3T.
Even the Immuni app which won the selection was supposed to use PEPP-PT, but then switched to the Google/Apple CTF.
Also, the EU is more keen to protect privacy whereas specific EU member states want (to sell) free reign on their citizens.
This lobbying game plays out all the time. You just cherry-pick your targets, find the weakest link so to speak. In this case, he more authoritarian and neo-liberal the parties in charge of the country/region, the easier you will net them.
It would be ironic if after weeks of passionate arguments on HN and other places about the technology and about finding the right balance between efficacy and privacy, the whole thing fails because people don't like the principle.
I would have thought that this depends a lot on the nature of said "message".
It needs to be a personal decision based on evidence you make available to the individual.
For example - if you were to send a message like - here is a photo of you on a bus, this person sitting next to you has tested positive, you sat next to them for 25 minutes - then sure, people will likely take action based on that.
The Government sending a message saying "you need to stay indoors for 2 weeks now because computer said so" is just not compatible with most people's world view, of course that's going to be completely ignored, it's arbitrary house arrest.
It also doesn't help that the UK Government are acting like circus clowns, people are going to say things like "Boris told me to stay indoors, but I needed to test my eyesight".
Instead the policy seems to be a blanket "isolate for 14 days even if you subsequently get a negative test result" which I suspect will go down very poorly, especially when it won't tell you who you were potentially exposed to.
The other information comes from Lord Bethel's house of lords testimony and also from this blog: https://www.ncsc.gov.uk/blog-post/nhs-covid-19-app-security-... and things linked to from it.
1) Singapore : https://news.ycombinator.com/item?id=22702701
2) India : https://news.ycombinator.com/item?id=23311298
3) Germany : https://news.ycombinator.com/item?id=23376682 ( no discussion, link to repository )
4) France : https://news.ycombinator.com/item?id=23321137
However, the copyright holder can grant another party unlimited usage rights as well as waive the right to be mentioned as the actual copyright holder.
Both of these might apply here: SAP's and Deutsche Telekom's employees most likely have waived their right to be mentioned as individual copyright holders (which is a common stipulation in German employment contracts) while SAP and Deutsche Telekom have not, which is why they are mentioned as copyright holders instead of the Federal Republic of Germany.
Like even as a developer, it's just in your employment contract that you grant all rights for work done for the company to the company.
Especially software developers should read those parts of their employment contracts carefully, as they may be overly broad and sometimes accompanied by weird clauses regarding their OSS work.
German law has a clear distinction between authorship rights and usage rights. Usage rights, including reproduction, can be sold, rented, perhaps even taken illegally at gunpoint, I don't know. It's just your run off the mill intellectual property. But authorship rights cannot be transferred at all except through inheritance, it's simply impossible for A to pay B to relinquish the right to state that B is the creator of X. But outside of literature and music where special compensation schemes exist this is only about recognition and has zero economic relevance.
This authorship right is also only available to natural persons, so it's clearly not the reason why SAP and T-Systems are still claiming copyright. It just wasn't something the state buyer cared about and given that they apparently did care to get the code under Apache 2 I can't fault them, the result is almost like a reimentation of the recognition part for companies instead of natural persons.
Another implication that occasionally comes up to freak everybody out is that there is some legal basis for creators to have a word in changes to their work, which can be a total PITA for organizations that once commissioned a building from a famous architect who left assertive offspring.
To your question, yes you can inherit something from your grandmother. Inheritance is designated by the original author, and enacted in the event of their death (As far as I can tell).
Source: https://www.gesetze-im-internet.de/englisch_urhg/englisch_ur... (Section 28)
I don't know about the exact implications for creating very similar future work (what you would call "infringing copyright") though.
Discussion here: https://news.ycombinator.com/item?id=23107553
App config backend:
It up to countries and states to build apps on those APIs.
TL;DR: Hardly any.
Edit: Whoops, I am out of date, I thought 13.5 was not out yet! Apparently it is, and then some.
> To implement its contact tracing functionality, Immuni leverages the Apple and Google Exposure Notification framework (see Apple’s documentation and Google’s documentation). This allows Immuni to overcome certain technical limitations, thus being more reliable than otherwise would be possible.
AGPL for these apps is probably a good match.
The UK has also refused to legally commit to not sharing the data with other government departments such as the Home Office (immigration and policing) and DWP (benefits).
So much for data protection and obtaining data for a designated purpose. Whatever happened to the GDPR.
I know enough people that will be inappropriately harmed by this sort of data, whether it is used against them directly or not (it's still a miserable life living in constant fear of "doing something wrong", which now includes "being somewhere you shouldn't be" or "being near someone you shouldn't be"), that I'm firmly against this sort of surveillance state expansion, and firmly in favour of data protection.
As it stands currently I will not install the UK app, and I advise all my friends to steer well clear of it as well.
(If they meaningfully improve data protection then I'll change my mind and be all in. E.g. the Google-Apple approach and zero-knowledge methods are enough for me. If epidemiologists and public health would find data useful, let's use some differential privacy. I'm not against data collection done properly in such a way that actually protects people.)
any chance you can share the references for these?
"NHS under fire for plans to store track and trace data for 20 years"
"Demand NHSX spell out Covid-19 app privacy risks"
"Hostile environment may stop migrants from using NHSX tracker app"
"NHS test and trace privacy doc throws doubt on app’s “anonymity” claims"
"The privacy risks of the NHSX tracing app are both less and more serious than you think"
"Immigration Bill brings surveillance to EU migrants" (This is about exemptions to data protection law for immigration purposes, which affects citizens and non-citizens alike.)
"Scotland’s different path on contact tracing is to be welcomed, but questions remain"
The UK has open sourced only the clients source code from what I can tell. This comes on top of the initial refusal to use the Google/Apple API and some downright awful data retention and privacy control policies. What a contrast.
When I was working in Italy, the state of software development was terrible. It looks like now there are great developers too.
Note that their app was released quite early, specifically before Apple and Google announced their contact tracing plans, and media reports indicate they want to start using those APIs in the first half of June, which will be a major change.
My department at Johannes Kepler University Linz also published an analysis of the NOVID20 SDK(https://novid20.org) when the code for that was first released:
Interestingly, much of the code is forked from Singapore's OpenTrace initiative, which is GPL3, so Australia's app is most likely a copyright violation. Whether anyone will take action is another story.
False positives and false negatives combined with lack of rapid result testing will also make this useless. This is why Google and Apple looked around the room and slowly tiptoed away.
Then we have the GDPR. Beat of luck making sure you’re compliant.
Just don’t. Humans do a better job with contact tracing. Not everything needs to be hit over the head with a technology cudgel.
Immuni (Italian app) has been analyzed and certified as GDPR compliant by the Italian privacy watchdog, that has a technical department that is actually able to read and understand technical documentation.
But there has been real, high quality progress on handling data in ways that are mathematically designed to conserve privacy and limit surveillance to a specific, socially constructive purpose.
The Google-Apple method is one of those. However, there is a lot of good work being done that is more advanced than that, which alas is not available right now but will be useful in future.
It parallels the high quality progress we have seen in areas like encryption, and in cryptocurrencies.
I think it's completely right to have doubts. E.g. in another of my commments I wrote that I don't trust the UK government's current approach.
But we are, slowly, also building tools to make fascism more difficult as well. If we can persuade the powers that be to use them, and verify that they are.
It may be that if we don't make "good" contact-tracing tools available, someone will make worse contact-tracing tools and force people to use them, on grounds of necessity. It looks like that's already happening, with some countries adopting a central database approach, some countries making it the law to use them (e.g. India), and other countries using newer privacy-oriented contact-tracing approaches.
Just like I can avoid using Facebook but they can still, in principle, keep a shadow profile with lots of details about my life, inferred by putting together knowledge from other people. Just like when I joined LinkedIn it already knew who I knew, without me entering anything except my name and email address (that was spooky, I didn't give it contacts or anything). Just like Google knows your personal interests, even if you delete all cookies at the end of every browsing session.
It is unclear how bad the spread from protests will be since protesters are outside and often wear masks, and the density of protesters can vary greatly. I haven't read of documented super spreader events that occurred exclusively outdoors, it would be great science to track the spread due to protests.
I'm not sure how much the mobile protocols would even help in protests. Don't you need proximity with someone for 30 minutes or so to be tagged a contact?
Existing contact tracing apps use Bluetooth which can't be used to determine proximity with any reliability - solid objects (particularly human bodies) absorb significant signal.
Unless all protestors were holding their phones up high for unimpeded line-of-site connections then even protestors next to each other could 'appear' 20-30m away.
In most cases (especially in a protest situation) all Bluetooth-based contact tracing apps can tell you is that two devices are in Bluetooth range (so accuracy of ~30m?).
It's probably months too late to do it in the US, though.
This seems incredibly ignorant. The "incident" was a murder, in broad daylight, by a police officer.
The majority of whom where very old and/or in ill-health and had a 5-10% chance of dying in the next year anyway.
They're not angry about someone dying!
That's disingenuous, and breaks the basis of your argument.
The problem isn't dying at all, it's why.
They're angry about a murder, which reminds people there are too many murders.
Angry at a murder by a police officer who thought he could casually do so in broad daylight surrounded by onlookers, because he lives in a culture where he expects to get away with it.
Angry at a culture where a police officer can reasonably think he'll get away with it, because they often do.
Angry at the other officers on the scene who went along with it instead of intervening.
Angry at all the other racist murders that keep happening, and systematic racism on a massive scale in general.
That said I thoroughly agree with your point about protecting the elderly. And for that matter, protecting large numbers of young with asthma and diabetes, and conditions nobody knows about because they didn't matter before. (How easily people reduce these things to "just old people" so they can be ageist).
Trouble is, there's a real dilemma over the right and effective things to do. I think there is a deep human social instinct in play. The protests are not about one person dying, or one person being murdered even. They are about a serious systemic problem which undoubtedly results in large numbers of people, more black than not, dying prematurely. As well as a culture problem, which maintains that problem as those with more influence in society treat the problem as unimportant. I would not be surprised if the number of premature black person deaths in the USA, directly or indirectly caused by racism, comfortably exceeds the number of deaths caused directly or indirectly by COVID-19 in the end.
My parents are in that category, but I attach a very high negative value to using violence (or threat of it) to control people's behaviour. From my perspective it's extremely immoral to say to a huge swarth of the population: you can't work or meet your friends for the next few months, or else we'll throw you in jail if you're caught. I.e. human rights (free movement, association) are human rights; they're not compromisable just because somebody decided it's an emergency or there's some greater good that needs to be enforced. Yes it's reasonable to argue that those at risk have a right not to be infected (e.g. to require potential carriers to stay away), but this doesn't extend to requiring people they have no proximity/interaction with to stay at home and not interact with each other.
> 10 years thrown away so some people can go on a march because they're angry about someone dying.
10 years lost by one person, vs 2-3 years lost by 10 people due to the permanent negative effects on lifetime outcomes of poverty resulting from the lockdown-induced depression. Not to mention lifetime reduction in standard of living. In terms of measure that actually account for this, Quality-Adjusted Life Years, it's like the intervention is probably not a net positive: https://theincidentaleconomist.com/wordpress/economic-cost-o....
>I presume that's because no one you care about, including yourself, is in that category.
Also, in general, making decisions based on their emotional effect on you is a selfish and unprincipled approach to any kind of public policymaking.
Well, there is (was?) the Patriot Act because 3000 were killed in a terrorist attack. This allowed for indefinite detentions, unwarranted search and surveillance, etc. If it is still in act, then it lasted almost 20 years.
I don't assume you agree with measures like the Patriot Act, but I think some weeks of quarantine can be justified by the more than 100000 covid victims in the US, so far.
It's not affecting me at all; I work in finance, in a role that's fine with working from home. I actually made a bunch of money from the massive volatility that the lockdown announcements caused. If you're incapable of making decisions that aren't solely based on self-interest, that doesn't mean it's correct to project and assume everybody else thinks the same.
Are you in an at-risk group for police brutality? The benefit if the protests achieved their aims would be a lot less nebulous for those people who are.
The majority of interaction with Americans I have is via this site, and I've seen quite a few comments over the years by people who claim to have received bad treatment at the hands of police in spite of doing nothing wrong.
> I'm not black but I've been subjected to stop and search on the streets of London. I've been taken aside and put in a room by police while they checked me out on entering the UK only to eventually be told "OK, you can go" at the end of it, no apology. But generally I've found with police that if you're polite and cooperative they are respectful in return. My first boss in the UK, who wasn't white, one of the first things he said to me was to be wary of black people, they have a chip on their shoulder. I was pretty shocked to hear him say that actually.
I'm not black either, and I live in the UK.
I've been stopped by police, I've seen others stopped by police, and I've been with people who are stopped by police.
For the most part the interactions have been fine, but I have seen what looked like black folks "hassled" in London which I have not seen happen to white folks. It is just anecdata and may be nothing but random experiences.
For me the most striking difference was on the border between France and Switzerland.
My girlfriend was black; I was white. We were stopped at the border driving across, by men with extremely large guns. I got a cursory skim of my papers, but my black girlfriend had to get out of the car, be detained for a while, have her papers checked other and generally given a hard time. Even though she had a stronger connection to both countries than I did. However we both had UK passports. They basically didn't believe she was a UK citizen, or that she worked for the UN... just down the road!
Eventually they let us drive on, but it was a very striking difference in treatment.
Europe is doing much much better than the US in terms of dealing with the virus, so it's actually not unreasonable to say that it might be a risk worth taking.
As far as I can tell, it's not about that one 'incident' but about all the deaths that weren't recorded, and the many lives that are spent in fear.
Otherwise it's quite expected that in a segregated society, people are killed by in-group members. This would only be different if there is a huge number of lynch mobs.
That said, there is another issue hidden beneath 'by a wide margin'. It's also bizarre that there is so much more crime among black people, and that blacks are over-proportionally incarcerated. The easy answer is that blacks are so much more violent. But if you look closer, don't you think that's a bit puzzling?
Black and Hispanic police are as likely or more likely to kill people of color as white officers
With regard to your second point, you're hinting at something, why don't you spell out your aetiology for the high levels of crime along black people along with your evidence for that causation.
If that's true, it suggests the racism problem is more serious than we thought; that police of all colors may be endemically racist as a group; that it's not just mainly white police.
That said, we don't see black-on-black murders of innocent people so much. This might be due the symbolism of white-on-black murders in broad daylight with onlookers. Or it might not. Regardless, it's all racism if innocent black folks are getting murdered more often.
Really? The murder rate inside the black community is massively higher than within any other community in America. Also black people murder more white people than vice versa. If you take account of the different community sizes the disparity becomes even more extreme.
If this is coming as news to you I don't know where you've been all your life.
What I meant to write was we don't see black-on-black police murders of innocent people hitting the big news and causing mass demonstations so much.
My 'aetiology', I think it comes down to less opportunities. Without discipline that comes from a stable environment, motivation can easily turn to violence and crime. This leads to difference in police behavior. I have nothing to back this up and I don't know how to 'cure' this.
To bring this back to the start: All I want to say is that the protests are not that bizarre.
America is the cultural center of the West, people are as informed about this incident as they are about their local news. Many don't want to live in a racist future, even more so for their children. So they risk the lives of their parents to improve the lives of their children.
Was this a death caused by racism? I don't know. It appears to be. Thus the protests.