Privacy-Preserving Contact Tracing vs. COVID-19
April 11, 2020 7:30 AM
How contact-tracing apps can foil both COVID-19 and Big Brother: a comic strip explanation of privacy-preserving contact tracing.
Apple and Google are launching a joint COVID-19 contact tracing standard for iOS and Android phones.
This will let an app on your phone tell you if you were around a person with coronavirus, without ever checking your location or uploading any data about you. Instead, your phone will broadcast random numbers to nearby phones over Bluetooth, and remember the random numbers it receives from nearby phones in the past couple of weeks. People who test positive will be allowed to upload the random numbers that their phones broadcast during the time they were contagious. Your contact-tracing app will download these numbers and check them against your own recent history.
See the official announcement and technical documentation for more details.
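To make the flow described in the post concrete, here is a small simulation of a decentralised Bluetooth exposure-notification scheme. It is an added example written for this thread, not code from the post, from Apple, or from Google. It models only the structure the post (and Merus's later comment about day-stamped codes) describes: phones broadcast short random-looking identifiers, remember the ones they hear for about 14 days, a person who tests positive publishes only the per-day keys for their contagious days, and every other phone does the matching locally and uploads nothing. The concrete derivation (one random 16-byte key per day, identifiers derived per 10-minute interval with HMAC-SHA256), the interval length, and the `Phone` class and its method names are assumptions of this example, not the published specification.

```python
"""Toy simulation of decentralised Bluetooth exposure notification.

Added example for this thread, not Apple/Google code. The key derivation
(random 16-byte day key, HMAC-SHA256 per time interval) is an assumption
made here to show the structure, not the published specification.
"""
import hmac
import hashlib
import os

INTERVAL_MINUTES = 10                       # identifier rotates this often (assumption)
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES
RETENTION_DAYS = 14                         # how long heard identifiers are kept


def new_daily_key() -> bytes:
    """One fresh random key per day; it never leaves the phone unless the
    owner tests positive and chooses to publish it."""
    return os.urandom(16)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """The 'random number' broadcast over Bluetooth during one interval.
    Anyone holding the day key can regenerate every identifier of that day;
    without the key, two identifiers cannot be linked to the same phone."""
    return hmac.new(daily_key, interval.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_keys = {}   # day -> key, kept on the device
        self.heard = {}        # identifier -> day heard; no sender identity, no location

    def key_for(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = new_daily_key()
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_identifier(self.key_for(day), interval)

    def hear(self, identifier: bytes, day: int) -> None:
        self.heard[identifier] = day

    def forget_old(self, today: int) -> int:
        """Drop observations older than the retention window; returns how many remain."""
        self.heard = {i: d for i, d in self.heard.items() if today - d < RETENTION_DAYS}
        return len(self.heard)

    def diagnosis_upload(self, contagious_days) -> list:
        """What a positive user publishes: day-stamped keys only, nothing about
        whom they met or where. Days with no key (phone off) are simply absent."""
        return [(day, self.daily_keys[day]) for day in contagious_days if day in self.daily_keys]

    def check_exposure(self, published) -> list:
        """Runs locally on every phone; nothing is sent back. Returns the days on
        which a published key reproduces an identifier this phone heard."""
        exposed_days = set()
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_identifier(key, interval) in self.heard:
                    exposed_days.add(day)
                    break
        return sorted(exposed_days)


def simulate() -> dict:
    """Constructed scenario: Alice and Bob are in range on day 3, Bob and Carol
    on day 5. Alice later tests positive and publishes her keys for days 2-9."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for interval in (40, 41, 42):               # ~30 minutes together on day 3
        bob.hear(alice.broadcast(3, interval), day=3)
        alice.hear(bob.broadcast(3, interval), day=3)
    carol.hear(bob.broadcast(5, 7), day=5)      # Bob meets Carol on day 5
    bob.hear(carol.broadcast(5, 7), day=5)
    published = alice.diagnosis_upload(range(2, 10))
    return {
        "published_days": [day for day, _ in published],   # only day 3 exists
        "bob": bob.check_exposure(published),              # matched on day 3
        "carol": carol.check_exposure(published),          # never near Alice
    }


if __name__ == "__main__":
    print(simulate())
```

Two things the run makes visible: Carol learns nothing about Alice even though she met Bob, because exposure is only ever computed against identifiers a phone itself heard, and the only data that leaves any device is Alice's list of day-stamped keys, so the server learns that the uploader was contagious on day 3 but not where or with whom.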
Based on the actual paper by the Oxford group that invented this approach, the 60% is of adults who are mobile outside their homes. So the over-70s, who will be asked to continue isolating well after others are able to go out, don't need smartphones.
Also, effectiveness is based on a high degree of confidence that any randomly occurring outbreak is fully extinguished in a given period of time. High but sub-60% compliance will lead to outbreak growth slowing substantially (obviously the higher the compliance, the slower the growth) but not stopping, which is still an extremely valuable outcome and will reduce the % of time we can release social distancing measures before a vaccine is found.
N.b. about 80% of all adults in the UK have a smartphone. I suspect that in the younger demographics and in and around the largest cities that is higher.
posted by atrazine at 7:44 AM on April 11, 2020 [6 favorites]
Firstly: Yay if this works and stops people getting the rona.
Secondly: The cartoon seems like a load of (cute) bullshit. Just because the app itself doesn't include GPS data doesn't mean that location data cannot be inferred from the connections made through the db. It won't be instant, but once you can combine the covid data with $(all sorts of location data leaking from 99% of people's phones) then all those not-consenting people have been mapped.
Would love to be proved wrong. Have at it.
posted by pompomtom at 7:51 AM on April 11, 2020 [13 favorites]
It's great to see this particular coalition, since between the two they control the software on pretty much every mobile phone in the world. I also trust them to get it right although with Google there's the inevitable distrust that there's some advertising fuckery hiding in there. I still hold out hope they genuinely are trying to do the right thing though, and trust Apple to help make that true.
There are a bunch of other tech industry efforts to build similar things right now. But I think it's going to be hard to beat "built into the OS by the vendor".
posted by Nelson at 7:59 AM on April 11, 2020 [3 favorites]
pompomtom: You're right of course, paired with other data it can be abused. For instance CCTV + fixed Bluetooth beacons can be used to anonymise data to an extent. I guess the question is: considering how much privacy we have collectively given up, for no compensation, so that people can sell us skin creams, are we willing to accept this now?
Nelson: It actually requires Apple to co-operate since IOS doesn't allow the necessary background Bluetooth beacon under ordinary circumstances for privacy reasons.
posted by atrazine at 8:06 AM on April 11, 2020 [3 favorites]
Yeah, third-party contact-tracing apps have been running into limitations of the existing Bluetooth APIs on iOS (example). Apple’s support is really the only way to get past those problems.
posted by mbrubeck at 8:07 AM on April 11, 2020 [1 favorite]
One key thing about this approach is it relies on Bluetooth connections between phones to establish a social connection. I'd have thought a simpler approach would be just to compare the location histories of individuals and figure out when pairs of people were near each other. No Bluetooth required, just location services (GPS and cell triangulation, mostly.) A location-only approach has statistical errors and is more privacy invasive. It's doable without the Bluetooth magic though. I think the Bluetooth approach being pursued by Google/Apple is better, but it's not the only way.
posted by Nelson at 8:11 AM on April 11, 2020 [3 favorites]
It won't be instant, but once you can combine the covid data with $(all sorts of location data leaking from 99% of people's phones) then all those not-consenting people have been mapped.
Almost certainly the advertising networks already know where you go already. With contact tracing we get to finally have something useful from the surveillance system that already tracks us.
Privacy is incredibly important but I suspect this won't expose much that isn't already out there :/
posted by Nonsteroidal Anti-Inflammatory Drug at 8:13 AM on April 11, 2020 [3 favorites]
It won't be instant, but once you can combine the covid data with $(all sorts of location data leaking from 99% of people's phones) then all those not-consenting people have been mapped.
Well if you have 99% of people's movements you hardly need the covid-19 data, but putting that nitpicking aside: reconstructing Alice's movements in the event Alice gets sick is the whole point of contact tracing. This proposal isn't trying to solve that for people who get sick, it's so that people who aren't sick don't have to be traced everywhere they go to do contact tracing. Now, you might say that your trail of infection is your own business and no-one else has the right to know it, to which I point out that every ideology has challenges it cannot overcome, and libertarianism is poorly equipped to deal with pandemics*.
The problem is getting Bob's movements, and as far as I can tell you can't actually get anything from Bob because the communication is one-way - Alice posts the last 14 days of codes, which are only date stamped for the day (as noted in the technical docs), and Bob's device sees those codes recorded. Bob doesn't send a message back to the central server saying 'I'm self-isolating'.
*also, the general distribution of power, and how to organise societies - what I'm saying here is that libertarianism is an unserious ideology
posted by Merus at 8:14 AM on April 11, 2020 [3 favorites]
Well if you have 99% of people's movements
Not quite what I said, but sure, whatever: that would be data that various people (not including Alice or Bob) have consented to share.
The problem is getting Bob's movements, and as far as I can tell you can't actually get anything from Bob because the communication is one-way - Alice posts the last 14 days of codes, which are only date stamped for the day (as noted in the technical docs), and Bob's device sees those codes recorded. Bob doesn't send a message back to the central server saying 'I'm self-isolating'.
This seems to me to be the USP of this system, but the idea that Bob has anonymity here depends on the idea that he isn't otherwise tracked. Everybody who's thought about this knows that this is not the case. Everyone is always tracked by something, the question is whether db1 checks itself against db2 etc.
I'm not trying to slag off the OP thing, but it's not really sensible to consider this stuff in a vacuum.
posted by pompomtom at 8:46 AM on April 11, 2020 [2 favorites]
I saw the cartoon and have a question.
Bluetooth proximity is not real proximity. I can see my neighbors' devices but I am in no way in contact with them. Here in the dense city where I live someone could walk down the street and even stop in front of our place and ping our phones. If they are infected how is that relevant to me or all the residents of the other houses they have passed?
Or is this app meant for suburbs only?
posted by vacapinta at 8:46 AM on April 11, 2020 [1 favorite]
Shit I can't get similar bluetooth proximity between devices in the same room *stares at fancy-looking keyboard*. I think the app is for hopeful techbros.
posted by pompomtom at 8:50 AM on April 11, 2020 [6 favorites]
This seems also to rely on the hospital promising not to store IP address data along with the uploads, and also promising to delete data after a set number of days. Some countries may require retention for years.
It also requires you to opt in by downloading an app (which 99.99% of users will not inspect the code of, or be able to understand the code of) and leaving Bluetooth on.
So it sounds like a solution in the same way that PGP's a solution.
posted by scruss at 9:12 AM on April 11, 2020
Just because the app itself doesn't include GPS data doesn't mean that location data cannot be inferred from the connections made through the db.
Google already has approximately 100% of this information for android users already. So do your local telcos. You already opted into it by owning a cellphone. All this random number nonsense is sort of performative.
posted by mhoye at 9:17 AM on April 11, 2020 [14 favorites]
It looks like there may be a vulnerability at the 'doctor issued one time passcode' part. Can 'Russia' shut down 'Washington, DC' by sending out beacons around the city, buying a passcode from a family doctor in Texas, and then self-reporting an infection?
posted by jpziller at 9:28 AM on April 11, 2020
It's also vulnerable to a large rock being dropped from space. Or even a mid-sized pattern of tungsten rods striking from the troposphere.
...makes ya wonder why they bother at all, really, if it can't protect against even low-orbit strikes.
posted by aramaic at 9:40 AM on April 11, 2020 [10 favorites]
Ars Technica’s coverage (by Dan Goodin) goes more in-depth into some of the privacy and security risks, including the possibility of “trolling” through falsified positive results.
posted by mbrubeck at 9:52 AM on April 11, 2020 [6 favorites]
It seems like this is a wash in terms of actual privacy, but I can think of a couple of reasons why Apple, Google, and the like would prefer this approach to exposing existing location info. For one thing, Personally Identifiable Information these days is typically treated as radioactive, to be handled directly as little as possible and by as few people as possible. Exposing identifiable people's location histories on a large scale would create a lot of regulatory and litigation risk. For another, using information these companies already have would expose a lot more detail about what information they actually have, and how it is structured, than they might prefer to expose to the eyes of competitors or the public.
No idea if either of those concerns actually came into play here, but they seem more plausible to me than a concern with privacy as such.
posted by Not A Thing at 10:09 AM on April 11, 2020 [4 favorites]
aramaic - it seems the primary concern with this is adoption. Knowing there's a potential 'trolling' element may not dissuade the first round of adopters, but may be the end of the platform as of the first abuse.
Or am I speculating too far in a negative way? And maybe operating from a different context?
I'm currently in full military lockdown in Spain for nearly a month (businesses are shut and everything) and I think it's put me into a weird high-alert headspace, so maybe I read too deeply too quick.
Another question would be about how best to mitigate the trolling element, which wasn't addressed in the first link I read (or, if I remember right, in the subsequently linked Ars link).
Other than that specific vulnerability the rest looked pretty much reasonable to me tbh. The 'rods from god' may be a very much less likely and much harder-to-implement scenario than this kind of 'trolling' cyberwarfare, and with far less risk.
NOTE: I'm not *against* this, this was just the first thing I thought of. I think we should probably do this (with some 'givens', involving OSS and low barriers to adoption from the general population)
posted by jpziller at 2:29 PM on April 11, 2020
Also, to echo the above poster -- is Bluetooth ready for this?
posted by jpziller at 2:32 PM on April 11, 2020
I think they should give away localized, donated prizes and coupons every day to random people using the app. The benefits to the economy of reliable contact tracing would far outweigh the cost of those donations.
posted by mecran01 at 3:09 PM on April 11, 2020
This may be "privacy preserving" but I can't see most Germans (e.g.) allowing this on their phones. Americans are a little more blasé about privacy, and would probably be more than happy to let a health agency mine telco location data.
posted by 3j0hn at 3:23 PM on April 11, 2020 [1 favorite]
This random number nonsense is NOT performative. It has definite privacy advantages. It is not perfect either.
(ctrl-F "moxie"... crickets. so:)
Here's a cryptographer's take on it. My TL;DR: it's sound, would save lives, would result in making it easier to target ads to individuals.
First look at Apple/Google contact tracing framework
posted by runehog at 5:14 PM on April 11, 2020 [5 favorites]
Since I saw the comic strip on kottke I haven't been able to stop wondering whether the blatant fencepost error was a legitimate fuckup, a deliberate (IMO bad-faith if so) oversimplification, or a very subtle troll.
posted by 7segment at 1:50 AM on April 12, 2020
Anybody who thinks the comic strip is the entire story, and that all this is indeed privacy conserving and all that, needs to wake up and dig deep into this Vaudenay paper at https://ia.cr/2020/399.
Because doing this right is hard. REALLY hard.
posted by DreamerFi at 2:17 AM on April 12, 2020
Bruce Schneier isn't sold:
I was going to write a long essay about the security and privacy concerns, but Ross Anderson beat me to it. (Note that some of his comments are UK-specific.)
...
So I agree with Ross that this is primarily an exercise in that false syllogism: Something must be done. This is something. Therefore, we must do it. It's techies proposing tech solutions to what is primarily a social problem.
posted by aneel at 9:11 PM on April 13, 2020 [1 favorite]
A friend of mine had a good question. How is Google going to ship this new capability, given that no one installs Android OS updates? (Or rather can't, because their vendors don't make them available.) Maybe there's a trick where they can ship the contact tracing stuff as an app? Or part of Google Play Services, which has some privileged access in the system and can be updated without vendor cooperation?
posted by Nelson at 6:48 AM on April 14, 2020
Answering my own question: Android phones will get the COVID-19 tracking updates via Google Play. That'll handle any phone back to Marshmallow, which is about 85% of phones. There's a wrinkle with Chinese and Huawei phones the article discusses.
posted by Nelson at 7:22 AM on April 14, 2020 [2 favorites]
By the lead developer of Singapore’s contact tracing app and Bluetooth tracing protocol: Automated contact tracing is not a coronavirus panacea.
posted by mbrubeck at 8:26 AM on April 14, 2020 [1 favorite]
How is Google going to ship this new capability, given that no one installs Android OS updates?
I read an article a while back that argued that the best driver of Android security updates was the release of new emojis.
posted by pompomtom at 2:53 AM on April 15, 2020
Apple and Google announce privacy improvements to their exposure notification system, and plan a beta release next week (MacRumors).
Germany will switch to an Apple/Google/DP-3T-style approach rather than its original plan which would store data on a centralized server (Reuters).
Virologist Trevor Bedford explains why contact tracing can be important and cost-effective even if it only slightly slows down an epidemic, rather than fully containing it (Twitter).
posted by mbrubeck at 8:11 PM on April 26, 2020 [1 favorite]
Interesting data points in this article
Only 15% of Singapore's population has installed their contact tracing app.
Iceland has the highest adoption of contact tracing apps of any country, but it's only 40%.
Epidemiologists say you want at least 60%.
posted by Nelson at 8:50 PM on April 26, 2020 [2 favorites]
posted by mbrubeck at 7:34 AM on April 11, 2020 [3 favorites]