A lot of the arguments against this were rehashed the last few weeks over and over. As a passive participant in such discussions I can't express how tiring it is to see new people drop into these conversations without reading up on what has already been discussed beforehand.
Which part guarantees it won’t be repurposed later to track whether you have been in contact with a terrorist or not?
I understand this is already possible with current tech. However, I'm not sure why we should press to make things even easier. Especially if the only thing that protects you is the absence of mandatory uploads of your daily hashed list. It seems super easy to switch that on.
It’s totally useless for tracking “contacts with terrorists”, especially compared to phone records or chat metadata.
Location data is far more valuable for a surveillance state, and it is already recorded in several places, including servers that are easier to get to (legally) than your phone.
There’s an argument for it being more useful than location data. If you are actively watching a target you do not need their location. But what is useful is the ability to track the movements of their social network, who they interact with, etc.
But you can't identify anyone in the social network, because the identifiers you get aren't tied to any individual unless the individual chooses to reveal them.
So unless you're tracking a terrorist and their social network comes down with Coronavirus and you subpoena the hospital they were tested at for records, you aren't able to tie the IDs to individuals.
Exactly. This is better than much existing surveillance because you are now using other people as sensors and the metadata is richer than ever before.
X and Y were connected to the same tower at 12:52... vs X and Y were feet from each other and Z who we didn’t even know about from 12:50.430 to 12:55.001
I agree that people should be reading the paper. Crucially, the whitepaper explains why it doesn't preserve privacy.
For example, section 5.4 (design trade-offs) says that individuals who have declared themselves as infected can be retroactively tracked and identified. Tracking only requires a bluetooth receiver which is aware of its own location - government agencies could easily do this.
Because the keys, from my understanding, change every day. So if someone is infected, you can only track them for the relevant days because those are the keys they would give you.
You could simply set it up to delete your own keys after 14 days, for example.
This is obviously just all obfuscation. The entire plan is that you are uniquely identifiable, you are being pinged by every person you walk near, there is protection from Target, Bestbuy, “Ze Russians” but not Apple, Google, Gov.
You can put as many crypto or “random” or key derivation layers as you want in there, you just also need to admit they are surface deep and really “just for show”.
This is constant person tracking, that’s the whole point.
Is it really worth it to track 0.1-1% of the population for a few days?
I don't really see how this level of investment is worth it.
I'm also not sure how widespread it has to be. With the second proposal from DP-3T, you won't be able to link EPIDs, so you would need to infer the newly infected EPIDs from the last known position. That seems only feasible if there are sensors everywhere.
There is some psychology to this. A person's instinct is to fear and, as if a predator were stalking them, fear of being watched. In the digital age, that means fear of how their data is being used/watched. That isn't to say they are doing anything wrong, per se, but the act of being watched instills fear. Thus, even though they don't read the article, they respond instinctively with skepticism.
The reality of how this data is used is probably not as dire as is feared. Even though fear is a useful tool, it should be used to push us to investigate (e.g. read the paper). Fear should inform some objective discussion.
In this case, I think that the fear is relevant due to how companies have notoriously failed in preserving anonymity. I think in order for us to usefully data mine people's lives and actions (which is what we're talking about), we need to come up with better ways of ensuring that the data can't be used for draconian purposes by those in power (whether state, media or other). We need some way to assuage the fear to get the benefits of the data. After all, this isn't a technology problem. It's a people problem.
I'm not sure if you'll read this; but I replied a bit curtly and unusefully earlier today, and want to apologize for that.
It's stressful seeing messages that appear negative in a situation like this because the stakes are potentially so high. Unfortunately I didn't do a great job of making my own message and tone more positive.
Thanks for sharing the whitepaper link here and leading a lot more folks to discover it that way.
But that's how every policy discussion goes. Nothing anyone says at a town hall meeting is novel or unique to the staff/politicians you're talking to. It doesn't mean a person shouldn't speak their mind on topical issues.
If you only want to have a discussion once, then only partake when in the company of actual power, or within rule-making bodies.
Anyone who thinks this will “go away” eventually is naive. We don’t even have a definition for what the end of the pandemic looks like, never mind an exit strategy for social distancing or these draconian tracking measures.
It’s optional until it’s not, and it’s anonymous until it’s not. I don’t like this one bit.
Phone locations are already heavily tracked. It's naive to think otherwise.
As @Pinboard is repeatedly pointing out, the choice isn't between being tracked and not being tracked, it's between using data that is already collected to fight the virus and not using the data to fight the virus.
(this scheme is different than what phone operators collect, but phone operators are out there collecting)
Let's put aside the question whether the pandemic will end in June or September or whenever. Take the example of the National Raisin Reserve. Established 1949, abolished 2015. These things, once they're in force, are quite hard to roll back.
This "going away" is more likely in some places than others depending on legislation and entrenched interests. That said, it's probably going to stick around in the US, if anything pandemic watch is going to be the next TSA where unfathomable resources will be diverted. The only rival to US security lobby is the US medical lobby. Though it'll probably be more useful than security theater in the long run.
Considering that I’ve only heard these stories in the UK I’m guessing the GP is in the UK as well.
And I agree the media and the public are mocking the police who do this and are quite outraged.
Social distancing is to stop large gatherings not to put people in isolation.
I have no problems with using technology to do contact tracing as long as there are sufficient controls around it, it’s extremely difficult to do contact tracing without it especially since people not only forget but outright lie.
While it's very encouraging that the (current) technology is being developed by such a capable group, there are plenty of tangential worries to be had, especially if this is viewed as a "foot in the door." Who's to say such an emphasis will be placed on privacy going forward? Ultimately, this is the government and large corporations conditioning people to being tracked on an ongoing basis and blindly self-isolating themselves because they got a notification on their phone. It may be opt-in and privacy-preserving now, but my experience with governments suggests that's unlikely to remain the case for long.
>> The problem is that the public are fully on the side of the Stasi -- clamouring for police to arrest people in their front gardens, confiscating inappropriate food etc.
> in my locality (South-West UK) your description doesn't appear to fit.
This whole scheme is vastly more complex than strictly needed just to make it anonymous.
It takes a bit of motivated reasoning to see this as evidence of bad faith.
Also: this is part of the “missing” exit strategy for social distancing. It doesn’t even make sense in a world in lockdown, because there wouldn’t be any contact data to trace.
I wish people would remember that “slippery slope” is a fallacy as easily as they do with those that support their beliefs.
There is no full lockdown nearly anywhere; you can still go to shops, exercise and go to work if you are a key worker or you do not work in a public-facing business.
People overestimate the extent of the lockdown in many countries.
Lots of comments on these topics seem to revolve around fear that democratic governments have an interest in making tracking permanent and mandatory. From the more nuanced “I don’t trust that they don’t abuse the data” to the downright dystopian paranoia “you will be chipped”.
I don’t get it. We should worry about privacy issues of course, but isn’t this nearly as good as it could be and still be effective?
Which democratic government could mandate the use of this type of tracking forever yet not be able to impose it against people’s will?
The privacy fears feel somewhat rational but the fear that governments act with some interest that is separate from the voters’ interests seems irrational to me. Maybe I’m used to governments that people trust and that are simply doing what voters want, rather than having an agenda.
> Which democratic government could mandate the use of this type of tracking forever yet not be able to impose it against people’s will?
First they'd have to coerce two US-based companies to implement the technology. For example, imagine UK.gov ( pop 60 million ) telling Apple ( 250 million annual iPhone sales ) to do so.
Secondly they'd have to coerce their population into using the feature. Without a clear public benefit I suspect there would be workarounds and hacks within days to dilute its effectiveness.
However, implement it under global public health reasons and coercion is much easier. Protect the NHS, keep your tracking app active! Don't turn your phone off when out exercising! Keep your phone with you at all times... for the public good.
> Maybe I’m used to governments that people trust and that are simply doing what voters want
> Without a clear public benefit I suspect there would be workarounds and hacks within days to dilute its effectiveness.
Exactly. Governments can easily do this, because they already have the bigger tool at their disposal: lockdowns.
People in prisons choose to wear an electronic tracker to spend the last year of a sentence at home. Their freedom was already taken, and the monitoring is a way to get some of it back. No one turns that down out of fear the government won’t remove the tracking thing around their ankle. “No thanks I don’t trust them to take it off after a year so I’m staying in the cell”, said no one ever. If you don’t trust them to take it off after a year why would you trust them to unlock your cell door?
Of course the public will choose to use this tech if the alternative is less freedom.
So yes, people will voluntarily use this because of peer pressure and because the alternative is worse. At least they will do so in countries with high trust in government, the public healthcare system and a strong sense of community in crisis (this is where I would have thought the UK would be the obvious example!). “For the public good” is very persuasive to me, while “for your own good” might work better in other places.
> Any such governments come to mind?
Most Western European governments I would have thought? I (Scandinavian) always considered the government to be “me”, not “them”.
And the way governments would take advantage of this is by having devices everywhere exchanging IDs so that when somebody has a disease, those devices will let the government figure out some of the places they've been? This sounds too roundabout to make any sense. The government can already request location history from cell phone providers and Google if it has a warrant. Why go through all that trouble to get lower quality data?
I didn't see any info on how the "download list of infected people's keys" would work in the documents, but it seems like k-anonymity[0][1] would be a good choice for saving data on people's phones and mitigating the potential DOS threat.
Another way the DOS attack could be prevented is perhaps requiring you to get a QR code from a government or testing facility before you can report your keys as being infected.
This technology is meant to be used by local health agencies like city or county. If you have the app provided by the county and you are tested positive by them, they would then ask you if you would like to share that information with others. So the chance of DOS is nil since you actually have to test positive to broadcast the keys.
DTKs are derived rather than random so that the device doesn't have to store its own keys or identifiers, saving both space and flash wear. It can start with the initial seed and re-derive all the rest as needed.
Your phone already stores lots of data every 10 minutes, I am not sure if flash wear is a problem. Same with storage space.
A GUID is 16 bytes per key × 6 keys per hour × 24 hours per day × 365 days, which makes less than a megabyte. Even accounting for additional data stored where the GUID is the key, it feels like not a big concern.
I imagine data stored like:
Key: guid
Contacts made: <timestamp, guid>[]
Armchair prognosticator here, but is there not a zero-knowledge proof way of doing this? A way so that neither side (or intermediate) can learn the identity of the other?
Although I think the approach is correct, I think the DTK period is far too long. 1 day may reveal too much information regarding movement patterns if someone has enough distributed trackers at critical spots. Also if everyone uses it I see a slight chance of bruteforcing in often-visited spaces (didn't do the math). Adding more hierarchies would allow people to share information more fine-granularly. Putting RPIs into a bloom filter and releasing them might be another idea. Critical contact would mean multiple bloom filter matches anyway.
I guess you are not aware what contact tracing is. If you get a disease like this most governments have the right to ask you where you have been and who you have seen, and the need for society to be protected from your disease is seen as trumping your privacy rights. This is just another mechanical way to get the same information, except privacy gets much more protection here.
But most people won’t know very well who they have seen. For example, I went shopping this morning and probably saw around 50 people. I would recognize less than 10 of them, if I were to meet them again. I know the names of none of them.
Since most governments can’t ask their entire population “were you in the neighborhood of this walking path”, there’s no simple way for them to find those people (TV broadcasts and canvassing in the neighborhood would work, but are labor-intensive and slow).
That’s where this will help. The people who came into close contact will get informed, and, hopefully, will self-isolate. The government doesn’t have to know who they are, where they were, etc.
It will require a significant part of the population to opt-in on this, though. That’s challenging. In Singapore, only 20% of people did. That’s why privacy is so important for this for many countries.
This is true in general but the stated issue is that this system would make it possible for governments to find out where an infected person has been. Manual contact tracing is the same thing, but manual. You can always opt to not tell them about something, you can always opt to leave your phone at home or turn it off.
> If you get a disease like this most governments have the right to ask you where you have been and who you have seen
> disease is seen as to trump your privacy rights
If you are using the US as an example, can you kindly point me to any law or case precedent as a citation?
Fundamentally I disagree the government has any “rights” at all, rather rights are for people and just restrictions placed on the gov, but that’s a small nitpick.
I’d like to see where you are liable or required in any way to break your 4th and/or 5th amendments because you picked up a disease.
This is one of the few issues that is indeed real. I’m not sure if tracking only infected people would be worth the effort and the risk of bad publicity though.
My comment was about the fact that the keys need to be released to the general public. This is a decentralized scheme. People won't participate in the first place if it is not secure or controllable. This thing could be run centralized, but imagine the cross-government / legislation data sharing. Have fun...
So it’s just a generic ‘technology is scary’ handwave. With the right intonation you can make it sound kind of convincing but it’s still not helping anyone.
If you get infected you spread the daily key to the other users. They generate all the keys you could have sent and compare them with the ones they have seen. It makes sense to have somewhat of a limit here, the work is multiplied by the number of infected people and every user needs to run it everyday.
Aren’t you just creating obfuscation layers and calling them security?
The whole point of the system is that you are individually and exotically identifiable. Please don’t try and hide that with layers of hand waving, it’s Apple, Google, NSA, etc that I don’t want to supply info to, not necessarily concerned about Target or Bestbuy.
The idea is that every 15 minutes you create a new byte string and start spreading that. This makes it impossible to track who is seeing who or who is going where over longer periods. That is, unless someone releases their own key, which makes it possible to derive all the strings they would have spread.
This is not obfuscation or hand waving. You are not actually identifiable unless you choose to be.
Then again, if you want to avoid giving data to Apple and Google I would advise against a smartphone. I don’t think there is a way to use them that would satisfy your requirements.
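A toy model of the key schedule described in this thread (a daily key derived from a seed, a fresh 16-byte identifier every 15 minutes, and receivers re-deriving an infected user's identifiers to compare against what they logged). This is an added example written for this discussion, not DP-3T or the Apple/Google code; the HMAC-SHA256 constructions, labels, and the constructed seeds and day numbers are this example's own assumptions.

```python
from __future__ import annotations
import hmac
import hashlib

# One rolling identifier per 15 minutes, as described in the thread, gives 96 per daily key.
INTERVAL_MINUTES = 15
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES  # 96
ID_LEN = 16  # identifiers are 16-byte strings, comparable to a GUID


def daily_key(seed: bytes, day: int) -> bytes:
    """Derive the Daily Tracing Key (DTK) for `day` from the device's long-lived seed.

    Only the seed needs persistent storage; any day's key is re-derived on demand,
    which is the flash-wear argument made above. The KDF (HMAC-SHA256 with a
    domain label) is this example's own choice, not the published specification's."""
    return hmac.new(seed, b"toy-DTK" + day.to_bytes(4, "big"), hashlib.sha256).digest()[:ID_LEN]


def rolling_identifier(dtk: bytes, interval: int) -> bytes:
    """Identifier broadcast over Bluetooth during one 15-minute interval of the day.
    Without the DTK, two identifiers from the same device share no visible structure."""
    return hmac.new(dtk, b"toy-RPI" + interval.to_bytes(2, "big"), hashlib.sha256).digest()[:ID_LEN]


def identifiers_for_day(dtk: bytes) -> list[bytes]:
    """All 96 identifiers the DTK holder would have broadcast that day."""
    return [rolling_identifier(dtk, j) for j in range(INTERVALS_PER_DAY)]


def match_exposures(observed: list[tuple[int, int, bytes]],
                    published: dict[int, bytes]) -> list[tuple[int, int]]:
    """Compare a phone's log of heard identifiers against published keys of infected users.

    observed:  (day, interval, identifier) records the receiving phone logged.
    published: {day: dtk} released by infected users for their relevant days only.
    Returns the (day, interval) slots in which the phone was near an infected user.
    Cost is len(published) * 96 HMAC calls, the per-user daily work noted in the thread."""
    candidates: dict[bytes, tuple[int, int]] = {}
    for day, dtk in published.items():
        for interval, ident in enumerate(identifiers_for_day(dtk)):
            candidates[ident] = (day, interval)
    hits = []
    for day, interval, ident in observed:
        slot = candidates.get(ident)
        # Only count an identifier heard on the day it was valid; one replayed on a
        # later day does not match, which limits simple replay of recorded beacons.
        if slot is not None and slot[0] == day:
            hits.append(slot)
    return hits


def demo() -> dict:
    """Constructed scenario: Alice is later diagnosed; Bob's phone logged what it heard."""
    alice_seed = bytes.fromhex("00" * 31 + "01")  # constructed, not a real key
    carol_seed = bytes.fromhex("00" * 31 + "02")  # constructed, not a real key
    day = 18345                                    # constructed day number
    alice_dtk = daily_key(alice_seed, day)
    carol_dtk = daily_key(carol_seed, day)
    bob_log = [
        (day, 40, rolling_identifier(alice_dtk, 40)),      # near Alice at 10:00
        (day, 41, rolling_identifier(alice_dtk, 41)),      # still near Alice at 10:15
        (day, 55, rolling_identifier(carol_dtk, 55)),      # Carol, who is not infected
        (day + 1, 3, rolling_identifier(alice_dtk, 3)),    # Alice's day-`day` beacon heard a day late
    ]
    # Alice publishes only the key for her infectious day; Bob re-derives and compares.
    published = {day: alice_dtk}
    return {
        "hits": match_exposures(bob_log, published),
        "unlinkable_before_publish": len(set(identifiers_for_day(alice_dtk))) == INTERVALS_PER_DAY,
        "next_day_key_differs": daily_key(alice_seed, day + 1) != alice_dtk,
    }
```

Once a DTK is published, every identifier of that day becomes linkable to it, which is the retroactive-tracking trade-off raised earlier in the thread; shortening the key period, as suggested above, narrows that window.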
In countries with a working social security system, getting into proximity of a known infected person can be rather easily achieved.
In countries without a working social security system, staying 'clear' is easily achieved by turning off your BT or phone or even just lining your pocket with tin foil.
South Korea and Israel both have working social security systems, universal health care, mandatory national IDs, no devolution of administrative or legislative powers to local authorities, and a single police force; both are relatively small countries geographically with a relatively dense population, and both had to use mobile data to do contact tracing effectively.
I agree with that, but still think it will happen sooner rather than later.
Just like banks are making it harder and harder to use cash, and yes, you can shop without a 'loyalty card' if you are willing to pay the markup (aka forgo the reduction).
> Why does it have to be anonymous? The coronavirus is not HIV, there is no social stigma in knowing someone was infected.
Fear of contagion is strong and not always rational.
Healthcare workers in the UK have been attacked. Sometimes that was to get hold of their NHS ID badge, but at least once it was because the attacker didn't want covid-19 to be spread.
Maybe you work in an American office with me, a mentally unstable individual. You were the first person to get sick in the office, everyone knows it. Now I'm sick and my family is sick. Maybe I take a severe financial hit or someone is my family gets really sick, perhaps even dies. Now I'm VERY upset with you. Maybe I follow you to your car after work... maybe I follow you home. Maybe to the store. Either way, there's a gun in my waistband and I stopped giving a fuck. You sure you want me knowing you were patient zero?
Unfortunately, when you add severe mental health disorders into the mix you can't really follow this "logical implication" path you seem so hellbent on. Add to that the fact that we as a society tend to not treat these problems as an unfortunate disease (but treatable), and put down this part of our population as if they weren't humans too doesn't help either.
Yes, I too, like everyone else, have a trait that many people would hate, and if murder were legal I would be dead already, but I'm not so worried about it because fortunately murder is illegal and carries severe punishment. I understand it's not perfect but at least it significantly lowers my concern.
It's anonymous, so nobody can learn your contact network as a side-effect of contact tracing. Your contact network is much more valuable information than the fact that you have the virus.
People have been beaten for having been associated with outbreak regions in China, India and the US. People have been attacked for looking different, like Muslims in India or Blacks/Whites in China, Asians in Europe/Americas.
Being different has always caused issues, but we should not fix it by hiding it; we should fix it in other ways, be it changing perception or finding sameness among the difference, etc.
Do you see where this is going? The end game is treating every individual in the world as a convict and potential murderer that requires 24/7 mandatory surveillance and an injected digital ID that they can't remove. Heck, we should add an immobilization capsule so we can just knock out anyone with remotely electronically released drugs who isn't obeying quarantine.
Yes. Bill Gates's ID 2020 program is an under-skin implant that holds a vaccine record that he is proposing that all will have to get to do just about anything in the future. You probably think this is a good thing and will love getting scanned everywhere and getting your regular lightly tested compulsory vaccines. It's basically parolee ankle bracelets for everyone.
None other than the Attorney General recently commented on this and said it's a "slippery slope."[1] Slippery slope privacy arguments used to be totally normal on Hacker News. Now everyone's demanding their rights and privacy be taken away!
> Bill Gates's ID 2020 program is an under-skin implant that holds a vaccine record that he is proposing that all will have to get to do just about anything in the future.
This is complete and utter nonsense. It is a fantasy made up by conspiracy theorists.
I really hope you're right, but there's quantum dot technology, which is more like a smart phone readable tattoo that's delivered with a vaccine that the Gates foundation sponsored [1].
"By selectively loading microparticles into microneedles, the patches deliver a pattern in the skin that is invisible to the naked eye but can be scanned with a smartphone that has the infrared filter removed. The patch can be customized to imprint different patterns that correspond to the type of vaccine delivered."
"The research was funded by the Bill and Melinda Gates Foundation"
Gates has also been funding implantable microchips that are remote controlled to deliver birth control medicine.[2]
The 2nd link, to the implant that contains a small computer and injects drugs via remote control feels like the kind of technology that could be misused.
> Given all those unknowns, I shouldn’t express an opinion on ‘do we need this’ and so I won’t.
A blog post is a form of expression / opinion, isn't it?
The technique is limited in time; after the pandemic I'm hoping usage will drop to zero. Coming from the two major OS vendors, we now have a point where we can get it to be shut off after the threat is contained. The proposal by Google / Apple does not touch upon the server side other than recommending restrictions on usage of the data that is gathered and shared.
> Find out if someone specific is sick
Many countries already have mandatory reporting paths for infectious diseases, if you operate an office building it is likely that you will find out if somebody using that building has to quarantine themselves for a few weeks already.
You will want to know if someone specific that you have been in contact with is sick. This reads like you are pointing out the main reason for why we do contact tracing in the first place as a negative leakage path.
> I won’t know who they are, but I can at least grab aggregate information about where coronavirus getters travel.
You do not know who they are; you can track an infected person's movement (assuming 100% coverage) at most over a single day. Existing tracking using Bluetooth and other signals a typical smartphone puts out already allows you to do more. The problem in this scenario is a lack of customer protection rights, not one of the proposal being bad.
> Increased hit rate of stationary / marketing beacons
Again, that's a policy issue more than a technical one and pretty US centric. As you correctly point out it also isn't new. The data they gather now will likely be less useful than what they can get with the broken MAC randomization stuff phones put out before.
> Leakage of information when someone isn’t sick
The alternative to the first bullet point is running around infected. The second point seems unrelated to the method of contact tracing. With existing manual contact tracing, the health authority could also tell you that you're infected and get your DNA.
> Fraud resistance
Most civilized countries have central reporting for positive test results, making the fraud resistance argument moot. This supplements existing, manual, contact tracing. The proposal itself has nothing to do with that part of the workflow, it merely helps app developers to take care of a crucial and previously hard part of the stack and suggests a well designed crypto scheme to ensure privacy in the scope of the exchanged data itself.
The only realistic scenario in here seems like that of existing stationary marketing beacons, which I'd propose to look at in terms of realism and the tradeoff between the status quo of manual contact tracing (which is inefficient, labor intensive, and error prone). In the realism aspect, marketing firms are hardly on the edge of technology. How likely is it for a major player to upgrade their systems with this tracking capability in the timeframe of the pandemic? What insight do they gather on those infected? If you're infected you would have to realistically share a few days worth of keys.
> The technique is limited in time, after the pandemic I'm hoping usage will drop to zero.
Do you think it's likely that, if successful, this same technique would be proposed to reduce the negative economic impact from the traditional seasonal flu in future?
I'm not a doctor but it is my understanding that the traditional flu is an impractical target for this type of contact tracing due to various reasons and would not make much sense. At any rate, this is a huge measure even if the privacy impact is limited. As a German I don't particularly like tracking of any kind and am relatively certain that extending the measure beyond the scenario of a pandemic wouldn't go over well with the population where I live.
Yeah but that's one of these constructed arguments. "People" outside of our community already had BT enabled all the time. That's not a new "leakage path" introduced by a protocol designed with privacy in mind.
I can only speak for the situation in Germany, here manual contact tracing and tracking of infectious diseases is done through a chain of local and federal health authorities and data is processed by them together with some, publicly funded I believe, institutes. I would assume the CDC to have a similar role in the US.