The article is entirely premised on Apple and Google not giving users control over whether tracing is enabled. Indeed, if they don't, that would be bad. If they do, the concerns in this article do not apply.
> GACT creates a dormant functionality for mass surveillance, that can be turned on with the flip of a virtual switch at Apple or Google HQ.
If you don't trust Google or Apple to do what they say they do then you need to stop using their OS and hardware. It is already the case that Google and Apple can push (more) surveillance into your device anytime. GACT does not change that.
> Which makes the whole GACT platform a smokescreen really, as exactly the strong oversight would be required if the GACT platform was not there, and apps requested special access to Bluetooth to implement their own contact tracing technology.
Not at all. Plausible advantages of GACT: a) Google and Apple don't have to evaluate the properties of each app's Bluetooth protocol; b) standardizing the protocol prevents Balkanization and makes tracing much more effective; c) Google and Apple are likely to implement it better.
Another problem with this article is that the criticism is not constructive. If we believe the conclusions of the article, then what? Is there a better way to leverage smartphones for contact tracing? Or should we abjure smartphone-powered contact tracing? Doing what instead? "This sucks" without comparing it to alternatives is not actionable.
There are things which just “suck” and have no viable alternative. For instance: the Government may try to implement a question on “religion” in the Census or it may not... Is there any useful alternative? Useful for what?
Edit: and... five years later. “There was a mistake in the random number generator, all keys are discoverable”. Like, you know, the Intel Security Module.
The author isn't even saying there's no viable alternative. They're just leaving it open. That is particularly troublesome since in this case, unlike your hypothetical, there is obvious value in having faster and more accurate contact tracing during the COVID-19 pandemic.
Yes, but after the pandemic, wouldn't it be nice to be sure something like this is in place before we learn about a new virus? Wouldn't it be great if we kept this thing on forever, so it could be used retroactively after an outbreak has happened to trace it back and become even better at avoiding pandemics?
Oh, and maybe this could also be used to avoid certain crimes such as terrorism?
> Yes, but after the pandemic, wouldn't it be nice to be sure something like this is in place before we learn about a new virus? Wouldn't it be great if we kept this thing on forever, so it could be used retroactively after an outbreak has happened to trace it back and become even better at avoiding pandemics?
> Oh, and maybe this could also be used to avoid certain crimes such as terrorism?
> You know where this leads to.
Exactly, these capabilities won't go away. Today they are used for good but tomorrow? Not to invoke Godwin's Law but these contact tracing capabilities would have been a Nazi's wet dream.
Not necessarily. They included in the article that we could use decentralized contact tracing instead; and, an article arguing against a feature doesn't need an alternative.
If a refrigerator were being released with a microwave, do I really need to provide alternatives to where I could put the microwave instead?
Among other arguments, it argues that contact tracing is a source of mass surveillance. That alone, for the appropriate crowd, is enough reason to not use it. There doesn't need to be an alternative because the alternative is _not having it_.
Just because a bunch of developers ended up wasting their resources on a feature that is a net loss for society doesn't mean that the feature needs to be released.
One alternative that seems to work decently well is a cooperative society with a piece of paper where you share your phone number when needed. That's what Taiwan is doing and it works pretty well. But it only works because there is a base level of trust that the information is not misused. There is no such trust in the US and other places.
I hadn't heard about the paper-based phone number sharing approach in Taiwan - do you have a link where I could find out more about that, out of interest?
Perhaps similar or related, I'd read that Taiwan's using an alert system[1] that uses the absence of cell phone activity as a sign that it may be necessary to check on the owner.
I don't really have a link. Taiwan uses triangulation to make sure you stay in place once you've been detected as someone who has been in contact.
Some places have digital access but in general the temperature measurements of bigger buildings are automated. But most places I went to had a paper form to fill out your details. I assume those are shared with law enforcement and CDC once one person who attended the building has been traced as a positive case and then all people and their contacts will be notified and tested.
There is no centralized government mandated central database that I know of. But I do know that once a crime happens they're quite good at tracing your public movements.
I agree that trust has been eroded over the years. US is also a more individualistic society, which means individuals are less willing to sacrifice self for whole. I don't want to cast too wide a net, but Asian countries tend towards society orientation. Heaven knows I could not live long in Japan.
There are likely over 1 million people infected with COVID-19 in the US right now. I doubt any contact tracing is going to be useful at this point, and isolation has slowed the spread but not reduced it enough that contact tracing is likely viable.
I think you'll learn something from 3Blue1Brown's YouTube video on simulating different intervention techniques. It's from a few weeks ago, but it very clearly shows how valuable contact tracing is, during any stage of the outbreak.
3Blue1Brown’s video is a very simplistic introduction to the subject. It’s illustrative not predictive.
Contact tracing is clearly useful, but on its own does not change the basic reproduction numbers much. Look at South Korea which still has active infections despite active contact tracing and very successful social distancing.
Contact tracing COVID-19 is supplemental not a solution.
PS: As to my point, if you’re a grocery store employee in NYC you are likely to have been in contact with someone with COVID-19 in the last week. We can’t simply send all of them home, that’s the issue with contact tracing when a meaningful percentage of the population is infected. You need looser restrictions which reduces effectiveness.
I care about America, but I live in NZ where the situation is much better (so far) and effective contact tracing is undoubtedly going to be very important.
“but not reduced it enough that contact tracing is likely viable”
For example, NYC has seemingly slowed the spread enough it’s possible to test for and track new cases. But if you dig into their numbers 4,264 deaths are linked to COVID but were not tested prior to death. https://www1.nyc.gov/site/doh/covid/covid-19-data.page. They have little idea who’s currently infected and “Due to delays in reporting, recent data are incomplete.”
Essentially they need a solid 2 weeks of minimal new cases. At which point they can start meaningful contact tracing, but contact tracing does not mean you can just get back to normal. Just slightly reduce the amount of isolation.
My understanding is that these tools are mostly being developed to allow reopening of things once the first wave dies down, with infrastructure in place to support contact tracing and reduce the impact of any second wave.
Reopen a small percentage of things, yes, but not go back to normal. It provides minimal gain which is important only when the case reproduction rate is close to 1.
Remember, virus still doubles every 2-3 days under normal conditions. Without a vaccine or herd immunity, contact tracing alone does very little. It’s enough to reopen dental offices possibly hair salons, not schools.
This is likely to be untrue in the immediate future. This is probably already true in places like China, where mobile payments are the norm.
As a personal example, and I know this does not yet apply to the US, but where I live it is impossible (or so inconvenient that it might as well be not possible) to do some banking operations without an Android or iOS device, as even accessing my bank's website requires me to have the app installed for token generation. I'm sure if I shopped around I could still find a smaller bank without such a requirement or live with the limitations, maybe finagle a way to use an emulator or something equally inconvenient, but I'm quite certain that this will not last and a smartphone will become essential. A lot of other things are also quite inconvenient without a smartphone around here.
I know the US and Europe have a distinct resistance to the smartphone (or even the computer) becoming required to live as anything but a homeless vagrant because their economies and infrastructure developed before smartphones were even an idea, which gives them the luxury to resist these technologies on moral grounds, or even on the grounds of not wanting to learn the new thing. On the other hand, countries whose economies developed in lockstep with cellular technologies and smartphones (China, India, much of Africa, South-East Asia, much of Latin America, etc.) don't have that particular luxury or simply take a much more pragmatic approach to the whole thing. In these places it is already incredibly inconvenient to get by without a smartphone and will likely become impossible in the near future, if it isn't already.
When smartphones and the internet do become essential to life, I can only hope that the laws of the land have managed to catch up by then. I am not particularly optimistic on this aspect, though, and I suspect it will take some kind of major disaster and/or abuse of human rights (or more likely, a series of them) to happen for another "age of enlightenment"-like period to happen, focused on information technology this time.
Do you know the size of fraud departments at banks and payment providers, and the budgets going into fraud prevention every year? A bank card is as easily destructible as a smartphone is, but is far less secure, as we're sacrificing security for usability.
If we're comparing smartphone vs bank cards, it's only fair to presume that the bank cards are equipped with EMV, because magstripe terminals won't be able to accept smartphone either. In that case, I fail to see any security advantage over smartphones.
> which gives them the luxury to resist these technologies on moral grounds, or even on the grounds of not wanting to learn the new thing.
I do think making a smartphone a requirement for living is a genuinely catastrophic idea, not simply an ivory tower exercise nor conservatism. Requiring people to possess and carry with them at all times a computer with a myriad of sensors and an ever-broadcasting beacon not under their control seems terribly fragile, unnatural, caste-creating and cruel. It is worthwhile to fight this, despite it being undeniably convenient for some things.
> should we abjure smartphone-powered contact tracing?
YES
Since the Google Maps 'Allow 24/7 location tracing? Yes/Maybe Later' popping up once every other week, it is pretty clear that at least Google is willing to push surveillance as hard as possible. Once they have GACT built, deployed en masse and somewhat trusted by the public, it is not hard to infer they'll be willing to push any number of dark patterns to make it the de-facto reality for 99% of the population out there.
In summary: Yes, they can push any shit right now on your phone. No, they don't just push it yet because they are afraid of public / internal backlash. Yes, they'll do everything in their power to boil the proverbial frog and gradually reduce the backlash potential, and will eventually push the most invasive surveillance they can possibly conceive. And they are pretty imaginative.
Medium term bet: Within a year, Google will change GACT from opt-in to [de-facto] opt-out. For example by nagging you every two weeks: 'Protect your grandma's life? Yes/Maybe Later'.
> If they do, the concerns in this article do not apply.
Most users are not your typical HN reader. Whatever is the default, or easy choice, is the one that they are going to go for. Regulations were needed to forbid dark patterns with fishy defaults and pre-added items in the shopping cart. People whose profession is not related to computers may not have the time to spend analyzing and having a deep understanding of complex ethical computer problems.
> If you don't trust Google or Apple to do what they say they do then you need to stop using their OS and hardware.
I thought that this argument was discarded a long time ago. If I do not want to use Google nor Apple what are the alternatives? (I really mean it, it is not a cheap shot at your next argument, which is not a bad one.) My bank has apps for iOS and Android, like my travel agency and even government. When so much depends on two providers, choice is not really there.
Those two points do not add much to your argument, as they are not good arguments in this or any situation. Leave them out next time and I think that your argument will gain more strength.
I agree that constructive criticism is important, though.
Which doesn't necessarily mean that the typical HN reader is right and most users are wrong. Many users will be prepared to sacrifice a bit of a "freedom" that HN users prize highly; that doesn't mean they're wrong to do so, just that their priorities differ.
In New Zealand, at least, I have no trouble conducting daily life using Web sites. I do have a smartphone but I don't use it for banking or shopping or government interactions. If my trust in Google and Apple declined I could downgrade to a dumbphone without much trouble (except for the trouble of actually finding one to buy).
I agree that this situation needs to be preserved. FWIW I worked at Mozilla for a long time because I was (and still am) enthusiastic about their mission, which is partly about making sure the Web remains a) a strong platform for such applications and b) not wholly controlled by Apple and Google. Part of that was doing FirefoxOS which mostly failed but curiously, via KaiOS in India, is also kind of succeeding.
I do agree that more constructive feedback on possible routes forward would be useful.
Although it's not stated by the author, one simple and low-cost approach is to take more time for further discussion and review before accepting deployment of a system like this.
To those who might argue that we "don't have time to delay" and need to rush this functionality out, then I would respond that a rushed solution can often be worse than doing nothing -- especially if there is no easy way to roll it back.
Therefore my personal suggestions would either be to take more pause before accepting and deploying a single solution like this, or to enact stringent and specific time bounds on the rollout.
> To those who might argue that we "don't have time to delay" and need to rush this functionality out, then I would respond that a rushed solution can often be worse than doing nothing -- especially if there is no easy way to roll it back.
That is a reality-independent objection that can apply in any situation and delay anything indefinitely.
Lots of experts say that a robust digital contact-tracing solution (as part of a multipronged contact-tracing effort) could provide big health and economic benefits, the sooner the better. That doesn't mean we should have no discussion and review, but it does mean we should expedite them. We have at least a month before Google and Apple start rolling out their stuff, let's make the most of it.
My primary concern is related to maintaining pleasant social interaction and a reasonable balance of power on a time horizon of five years and beyond.
To me it's hard to imagine that a continuous digital record of human interactions that is subject to a proprietary protocol and implementation would be the safest situation to end up in.
> one simple and low-cost approach is to take more time for further discussion and review before accepting deployment of a system like this.
That's "simple and low-cost" in the sense that doing nothing is simple and low-cost, usually. But it's not an "approach" to anything. It's also not low-cost considering thousands of people are dying every day.
It doesn't seem to me that there are easy solutions for these problems that offer better privacy that we haven't yet thought about for lack of time.
It's an emotive issue and as technologists we often feel an urge to do something, anything straight away.
I'm not suggesting delaying forever, and I do realize that there is human impact at the moment. I would not refer to the value of life in monetary terms that way.
There may not be easy solutions but there are plenty of other contact tracing technologies[1] that experts have been discussing, developing and critiquing.
I am suggesting that we allow those experts the time they need - no more, and no less - to get their work done to a sufficient level and report their findings to decision-makers.
After that feedback is gathered it could become apparent that deploying GACT as a closed-source, time-unbounded OS-level feature with app approval restricted to two companies situated in one nation of the world is less than ideal.
That could allow nations to collectively ask for changes to the proposal, with solidarity in their concerns and expert evidence to back it up.
Don't let perfect be the enemy of good. Defence is done in layers. Imagine a castle; does it stand on its own in a plain field? Unlikely. It has walls, moats, hills, guard towers, bars on windows.
Even if Google or Apple are _capable_ of doing something evil, you can still prevent them from exercising that power by not setting an example that it's okay to do so.
> Even if Google or Apple are _capable_ of doing something evil
Genuinely, it's not Google nor Apple that I fear doing something evil here.
Google will try to give me more targeted ads, without giving that detailed data to their app developers, but instead just making their demographics tools better.
Apple will do what they think will help the circumstance.
I fear the government doing evil with it, especially under the guise of good.
"Hey, we found this terrorist's phone number, turns out he has an Android device. Give me every person that's been physically near him in the last 24 hours"
"Hey, these 37 people were at a protest, where do they spend their off time?"
> you can still prevent them from exercising that power by not setting an example that it's okay to do so.
And then they'll do it anyway a few years later, when you're not looking. Just look at Google's introduction and continuous tightening of SafetyNet requirements.
And what the hell can you do? Switch to buying Apple, who set the gold standard for this crap years ago? Switch to Purism, which BankID (practically mandatory for life in Sweden, sadly) still hasn't been ported to?
Giving up because of a possibility of something going wrong is just asinine. By that logic you might as well just waste away right now because we'll all perish in the heat-death of the universe.
You get a chance and you take it. All things bring you towards success one step at a time, as unsatisfying as it might feel.
What does opt-out mean anyway? I've had examples where Google Fit has reenabled itself without my due consent in the settings of my phone (and I have screenshots to prove it).
We've seen opt-out abused before so it is down to whether you feel you can use a platform known for not respecting your choices.
Often times, it's a simple boolean value, do you want to trust that bool will stay the same, always?
Slippery Slope is a logical fallacy, much like appeal to authority or ad hominem, only that people online seem to have far less trouble recognising the latter two than the former.
I would argue that if there's anything true about American society and the US government, it is that we continually trend toward authoritarianism and there is no such slippery slope when it comes to the loss of freedom.
The civil rights movement came after “the red scare”.
In fact the end of McCarthy came after McCarthy. That particular abomination universally being understood as one of the darkest periods is also progress.
I’m also somewhat certain the idea of any net loss of freedom over the last 50 years would be considered a bad joke by anyone not cis/white/hetero/male. Into the 70s, you weren’t allowed to take a job or have a bank account without your husband’s permission.
And if you insist on limiting this to just the freedoms of the all-American white bro: the Boomer generation was still subject to the draft. Spending two years in an Asian rainforest in perpetual danger of dying would seem to be quite worse, liberty-wise, than... whatever you're calling "authoritarianism".
Marijuana legalization, etc. The point is that your claim has thousands of counterexamples and so is fairly nonsensical. If anything, net freedom has been continuously increasing, especially for minority groups.
I'm willing to trade my privacy for things I want. I don't want to know what kinds of diseases I'm coming in contact with every day. When a company starts invading my privacy without providing me with something I want I am likely to stop using them. Like I did with Facebook. Google was on thin ice before this. My next phone will likely be KaiOS powered.
> It is already the case that Google and Apple can push (more) surveillance into your device anytime. GACT does not change that.
It does legitimize it and that is a very important thing. Right now, pushing this kind of thing covertly would be disastrous if (when) it is discovered. With GACT, it's already there so its presence alone is not suspicious and can be enabled surreptitiously.
> Or should we abjure smartphone-powered contact tracing?
Yes, in its present state, I think we should. We've done without smartphone-powered contact tracing before so it is clearly not essential. In its current form, it is worse than the alternative of traditional contact tracing.
Everything in this article is completely illogical and baseless.
We can't trust Apple/Google to manage the anonymous data behind Contact Tracing but we can for our photos, phone calls, messages, web history, app data and GPS locations.
And we have to be fearful because this anonymous data is somehow going to be linked by Apple/Google to real persons and used for mass surveillance. But yet they could have done this for years without needing GACT as an excuse.
Right. They've done the exact same tracing for years as part of the "Find my phone" feature, but now it becomes problematic when it's used to mitigate a pandemic outbreak? That makes zero sense.
1. the telcos have months - if not years - of LAC update data stored for every phone. They know where you sleep, who visits and where you work and shop;
2. they analyse the CDR for every call/SMS sent and received (caller and receiving party cells) [look at your spam SMS with a jaundiced eye];
3. they 'ping' thousands of phones* daily to trilaterate the location to metres (and/or A-GPS, TDOA, etc.)
4. they analyse the voice and data handover records.
* The preferred way to do this with a veneer of deniability is for the authorities to add in a few phones into the known associates list of phones to be monitored in an otherwise legitimate drug or terrorist warrant.
The judges will never know (and certainly don't ask).
In fact pretty sure Apple has already implemented this functionality for their upcoming Apple Tags product. They have a patent on it and it works very similar to GACT i.e. by anonymously recording Bluetooth identifiers.
I'm not ready to risk giving up more privacy to "mitigate a pandemic outbreak".
I believe there are other ways to fight viruses, we (the world) should invest massively in biological R&D to better understand, protect, control and heal our body rather than track people. Tracking people is a low-level solution that misses the bigger picture.
Maybe this will be possible in 50 or 200 years, but the world we currently live in is not ready to both track people and respect basic human rights, in my opinion.
By the way : same argument is valid for nuclear weapons. Why don't we accept that all countries get nuclear weapons? Because it would be dangerous in the wrong hands.
I tend to agree that it is baseless but not for the reasons you mention. I don't trust Apple or Google with my personal data. But from what I understand of this protocol, no personal data is shared with Google or Apple, only a randomly generated identifier IF you elect to declare yourself contaminated. And this identifier has no other value to anyone other than to notify the holders of smartphones that have been in close proximity with you over a limited period. What the article is saying is that they don't trust big tech to stick to that protocol.
> We can't trust Apple/Google to manage the anonymous data behind Contact Tracing but we can for our photos, phone calls, messages, web history, app data and GPS locations.
Just because our rights are already eroded doesn't mean we should give up the fight and disable our freedom.
Nobody said we should trust Google/Apple with any of that. This tracking of our anonymous data should only be allowed to be unencrypted by warrant. All data produced by the device stored on the cloud should be encrypted, inaccessible to Google and Apple.
Instead of blindly trusting corporations, we could implement regulations, allowing oversight and preventing unreasonable searches.
In any case, I use an Android phone and Google can't access my photos, calls, messages, web history, app data, or GPS locations. I've chosen a radio firmware which completely disables the GPS.
Looks like it's about time to get rid of Google completely from my Google phone.
Sorry to burst your bubble but governments have had access to this data for decades via their data siphoning agreements with telcos.
I used to work at a telco and we absolutely knew your location based off base station triangulation. And we knew who you called and messaged and who was nearby to you.
The whole point of GACT is to prevent governments from going that route.
i.e. most folks in favor of GACT adoption see the alternative path, of using actual location data without opt in and operated by the government, as a scarier erosion of privacy.
You cannot use this system to determine if two people have been in contact. It doesn’t have the capability.
All you can tell is if one person who explicitly participates in the system has had contact with one or more of any of the other people who explicitly participate in the system who indicates they are infected, but not which people.
My understanding is that given someone else's daily key, it can tell you whether you were in contact with that specific key.
So anonymity relies on not knowing who had that key. But the (as yet unspecified) authority collecting "infected" keys will certainly know who submitted what, so you are relying on their secrecy.
A list of which anonymous keys came into contact with other anonymous keys is never uploaded and is never centralized. Your phone only tracks which keys it has seen and polls the server to see if one of those keys has been uploaded to signal itself as infected. The only way for this system to break privacy is if the app started uploading all keys it came in contact with, and also identified who the uploader is.
In this system, the collecting authority doesn’t know who submitted diagnosis keys.
If you assume a malicious app installed on both party’s phones, then you might be able to do it... but then again, if you have that you don’t really need this system to track contacts.
(I think on one side, you’d have to collect the daily keys and associate them with a person’s identity. Then, when you want to check a contact, you would then need to trigger an “infection” because otherwise the keys don’t leave the device. This requires user interaction, BTW, so there would be some kind of special social engineering effort to get someone to report themself as infected, or else the phone needs to be unlocked in the possession of a malicious party — or you have to hope to get “lucky” in that the person actually gets infected within 14 days of the timeframe of interest.
For the other party, you’d have to feed only the specific ids of the known people you want to check against to the matching API — it only tells you if there’s a match, not which match, so unless you’re checking only one, you’d have to use a process of elimination to work it down to a specific person. I wonder if that API might be throttled, though, or otherwise limited to make that less effective.
With the requirement to have malicious, cooperating apps on both sides you don’t need the Apple/Google system and you could get more useful info, like location, and with less user interaction.)
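The matching mechanics argued over in the last few comments (daily keys, rolling identifiers heard over Bluetooth, local matching against published diagnosis keys, and the "process of elimination" trick of feeding the matcher one key at a time) are easier to reason about with a toy model in hand. The following is an added example written for this page; it is not Apple's or Google's code and it does not reproduce the published key schedule exactly: HMAC-SHA256 stands in for the HKDF step, the labels `CT-DTK`/`CT-RPI`, the 144 ten-minute intervals per day and the 16-byte truncation are assumptions chosen to mirror the draft, and the devices, day number and encounters are constructed. What it shows is structural: only short-lived identifiers are ever exchanged, only a diagnosed user's daily keys are published, nothing a device has heard ever leaves it, and a matcher that returns only a count still leaks which key matched if it is queried one key at a time.

```python
"""Toy model of a decentralized, key-based proximity-tracing scheme.

Constructed example for illustration; NOT the Apple/Google implementation.
HMAC-SHA256 replaces the draft's HKDF step and the labels, interval count
and truncation length are assumptions that mirror the public draft.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

INTERVALS_PER_DAY = 144  # assumed: one identifier per 10-minute interval


def daily_tracing_key(tracing_key: bytes, day_number: int) -> bytes:
    """Derive the 16-byte key for one day from the device's long-term key."""
    msg = b"CT-DTK" + day_number.to_bytes(4, "little")
    return hmac.new(tracing_key, msg, hashlib.sha256).digest()[:16]


def rolling_proximity_id(dtk: bytes, interval: int) -> bytes:
    """Derive the 16-byte identifier broadcast during one interval of that day."""
    msg = b"CT-RPI" + interval.to_bytes(1, "little")
    return hmac.new(dtk, msg, hashlib.sha256).digest()[:16]


class Device:
    def __init__(self, tracing_key: Optional[bytes] = None) -> None:
        self.tracing_key = tracing_key or secrets.token_bytes(32)
        self.heard: Set[bytes] = set()  # identifiers received from others

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_proximity_id(daily_tracing_key(self.tracing_key, day), interval)

    def hear(self, rpi: bytes) -> None:
        self.heard.add(rpi)

    def diagnosis_keys(self, days: range) -> List[Tuple[int, bytes]]:
        """What a user who reports a positive test publishes: daily keys only."""
        return [(d, daily_tracing_key(self.tracing_key, d)) for d in days]

    def count_matches(self, published: List[Tuple[int, bytes]]) -> int:
        """Local matching: expand each published daily key into its identifiers
        and count how many this device actually heard. Nothing is uploaded."""
        hits = 0
        for _day, dtk in published:
            for i in range(INTERVALS_PER_DAY):
                if rolling_proximity_id(dtk, i) in self.heard:
                    hits += 1
        return hits


def scenario() -> Dict[str, object]:
    # Fixed keys so the run is reproducible; real devices use random keys.
    alice, bob, carol = Device(b"A" * 32), Device(b"B" * 32), Device(b"C" * 32)
    day = 18365
    # Alice and Bob are near each other for two intervals; Carol meets nobody.
    for interval in (42, 43):
        alice.hear(bob.broadcast(day, interval))
        bob.hear(alice.broadcast(day, interval))
    # Bob later tests positive and publishes 14 days of daily keys.
    published = bob.diagnosis_keys(range(day - 13, day + 1))
    # Consecutive identifiers are unlinkable without the daily key.
    unlinkable = bob.broadcast(day, 42) != bob.broadcast(day, 43)
    # Process of elimination: the matcher only returns a count, but querying
    # one published key at a time reveals which key (and hence which day) hit.
    matched_days = [d for d, k in published if alice.count_matches([(d, k)]) > 0]
    return {
        "alice_matches": alice.count_matches(published),
        "carol_matches": carol.count_matches(published),
        "bob_self_matches": bob.count_matches(published),  # own IDs are never heard
        "unlinkable": unlinkable,
        "matched_days": matched_days,
        "published_bytes": sum(len(k) for _, k in published),
    }


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` gives Alice two matches, Carol none, and Bob none against his own keys (a device only ever matches against identifiers it heard from others); Bob's entire upload is 14 keys of 16 bytes. The `matched_days` line is the elimination attack from the comment above made concrete, and it is why the real API's behaviour of returning only a match summary does not by itself stop a caller that is free to query one key at a time.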
You have some guts to call the article baseless and then claim "we" can trust Apple and Google.
Actually you can't trust them to manage the other things either. Google is notorious for abusing user data for advertising purposes and their dark patterns. Two recent investigations by the Norwegian data protection agency highlights this clearly.
Anything on iOS touching iCloud is assumed to be accessible to at least the government where the phone user resides. Their on-device privacy's much better, but the defaults are to use iCloud extensively.
While it is important to keep Apple and Google under scrutiny and demand transparency, this blogpost is mostly FUD based on silent assumptions contradicting descriptions of the protocol and implementation.
> ensuring that all users of a modern iPhone or Android smartphone will be tracked as soon as they accept the OS update. (Again, to be clear: this happens already even if you decide not to install a contact tracing app!) It is unclear yet how consent is handled, whether there will be OS settings allowing one to switch on or off contact tracing, what the default will be.
I don't think that's correct: you can always disable Bluetooth. Moreover, if I understand the documentation correctly, Google and Apple will be providing just a general framework: no ID broadcasting will happen until a tracking app is installed. But even if it did, if the tracking keys are not published, it doesn't affect privacy more than a Bluetooth MAC address.
> In other words, a malicious app could act as if the user is infected (in a way that is unnoticeable to the user) and extract the daily tracing keys and upload them to the server surreptitiously.
That's true for decentralized tracking not using Google's framework as well.
> This means the technology is available all the time, for all kinds of applications.
In the Android ecosystem Bluetooth is available for all kinds of applications too. There is a permissions subsystem that can be applied in both cases.
Everything that Google / Apple Contact Tracing allows is already possible in Android. What it provides is a common standard, implementation, and iOS background Bluetooth capabilities.
It is not COVID tracking specific, is it? So no change here either, I guess. And it seems you can turn it off as well: https://news.ycombinator.com/item?id=22856030 , first comment.
I find these articles incredibly frustrating. If you go in with such a bias against the core concept then you run at risk of throwing out common sense in the process.
The article can basically be summarized in two points: slippery slope and distrusting the platform holder. The former is best countered by looking over what the platform holders do, the latter has little to do with contact tracing. Apple already broadcasts proximity IDs for "find my". They were in fact heralded for their privacy first approach of that protocol until a few months ago.
If you distrust your platform holder — which is fine — then be aware of what they are doing everywhere. This contact tracing protocol is by far the least worrisome thing these platforms do. In fact it largely just undoes a recent security improvement: MAC address rotation on Bluetooth.
I have a bit of a problem with blog posts like this: they get circulated widely because they propagate the idea of the big platform holders building a surveillance system. It's particularly problematic because it also plays into the hands of PEPP-PT and other efforts which actually do want to build a centralized contact tracing system, and they need the platform holders to give more control over the Bluetooth stack for that goal.
Right now if Apple and Google were to go ahead with this implementation it would make it significantly harder to build a surveillance system than if certain other efforts would get their way.
You have a point, but 99.9% of consumers cannot follow your reasoning. What they will see is this:
"Apple and Google selflessly implement a new magic technology to save our lives. This involves a tiny little bit of contact analysis. Who would possibly resist!"
For these 99.9% the association "contact tracing good" has now been established. Companies will slowly go further and further in the future, because this event has established a precedent.
Anchoring bad things to positive events and outcomes works. Advertising works, not for HN readers but for the general population.
Eh, seems like the opposite. So many people are both skeptical of surveillance and ignorant of technical implementation that no matter how secure/anonymous it is they will FUD about it and think the advertising is lies. And all the other people who don’t care about existing tracking will continue to not care.
That is not at all what consumers see where I am (Austria). The news of Apple/Google doing contact tracing or supporting it has been very badly received here. People would rather trust a centralized system run by PEPP-PT than a decentralized system aided by Google/Apple.
This is clearly a highly-technical project by teams at both Google and Apple, and presumably those teams have social overlap with the userbase here on Hacker News.
The risks raised by this article appear credible and worthy of consideration.
It'll be interesting to see whether Google and Apple do openly respond to any of the specific concerns raised by the privacy and security community - for example, whether the functionality will be time-limited to the duration of COVID-19.
Google and Apple would gain huge potential leverage over nations worldwide if they retain the sole ability to offer and withdraw the functionality and to vet the applications that are allowed to use it.
> Google and Apple would gain huge potential leverage over nations worldwide
You do understand that Apple/Google are not in charge of the world. They operate within each country based on the laws that each government puts in place. It would be trivial for any country to force this functionality to be on/off and dictate which apps it can be used with.
For nations with the technical & legal staff and time required to review, address and negotiate updated legal terms with Google and Apple, that may be true.
Since you sound familiar with the situation, can you provide a link/reference to evidence of a country trivially changing the behaviour of an operating-system level feature like GACT after it has been deployed?
Governments don't need to negotiate with Apple/Google they just pass a law.
Example being Russia which told phone makers to either pre-install their apps or stop selling their products. Or EU pretty much telling the entire software industry how high to jump with GDPR.
I think this is the guy spreading FUD about this last week. He’s back spreading the FUD again this week.
In his analysis he keeps ignoring that the flow of data is user-controlled.
You need to opt-in to start this, not just take an OS update.
You also need to install an app and opt-in to allow it to use the data.
Looking at the docs, the user also needs to approve at the point where an app receives the day and duration of contacts with an infected person. The only thing an app that you’ve already downloaded and opted-in to can do without further permission is report some contact with an infected person: not who or even which daily tracking ids, not when within the last 14 days. That won’t make a tool of mass surveillance.
In places he acknowledges some of this, but his analysis proceeds as if the user-controlled nature of this doesn’t exist.
This is deeply despicable.
To the extent this guy and people like him can sow distrust of this platform, the weaker privacy-preserving covid19 contact tracing will be.
That leads to more death and deeper economic ruin.
There are various other problems with the analysis here: For example (just a selection) (1) this platform doesn’t require any more trust from Google and Apple than before. They’ve always been capable of turning your phone into a tool of mass surveillance, one much more effective than what this platform allows. (2) This system can’t be turned into a tool of mass surveillance with the flip of a virtual switch at Apple or Google HQ. The software to expose the data won’t exist and so would have to be developed, tested and released. This guy is using a Hollywood movie level understanding of software systems here.
By the way, this guy is a professor with a specialty in privacy, so we know he knows better.
That means all of this is malicious. I don’t know what he has to gain from pushing this FUD, but I do know he doesn’t mind getting a bunch of people killed or putting them through economic hardship.
He should be using his expertise to do an honest and competent analysis of this system so that it could be improved.
My understanding from the article: if the tracing functionality is in the OS, it can be enabled in the future without user consent.
The fact that currently we need to opt-in with an app does not really matter; in the future the government can decide to use it directly for whatever purposes.
As the system is described there’s no way to flip a switch.
Apple/Google could always push a software update that does all kinds of terrible things, but that has always been true and remains true with or without a contact tracing system. It’s a concerning possibility but has nothing at all to do with this system.
If the government decided that, the OS vendors could push the functionality anyway. System level applications are controlled by the OS vendor and already have access to this data, so there is no additional risk here.
> You need to opt-in to start this, not just take an OS update.
> You also need to install an app and opt-in to allow it to use the data.
In some countries (i.e. Australia) there were indications from the government the app could be mandatory. Subsequently walked back, but definitely a testing of the water...
Sure... that’s part of why the Apple/Google contact tracing system is important. It sets the standard which includes privacy, transparency and opt-in at each step. It will be harder for governments to overstep once the standard is set.
But that's a criticism of government policy, not of Google, Apple, or the technology they created right?
If I'm forced by law to enable contact tracing, I hope it's created by Google and Apple and not a version created by some sketchy government contractor.
My high-level understanding of how it works is: Every 20m I generate a key, broadcast it and listen for and record others keys I hear around me. Periodically, I ask a server for a list of "infected" keys and compare those keys with what I've seen. If I get infected, I submit my key to the server.
The "who's seen who" sounded like it was entirely done locally to your devices.
Unless something nefarious is done under the covers, no central server gains access to the correlation information.
What am I missing here? It seems like this system preserves privacy.
I exclude nefarious action above because if we believe Google or Apple are acting nefariously (which I understand many do), then they would already be doing so at so many levels in our hardware and software that this is just a drop in the bucket.
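As an added illustration of the decentralized model sketched in this comment (example code written here, not code from the original post nor from Apple/Google's specification), a simplified simulation: identifiers are derived per interval from a per-day key held on the device, matching runs locally, and the server only ever sees keys volunteered by users who report an infection. The derivation (HMAC-SHA256 of the interval number, truncated to 16 bytes), the 20-minute rotation, and the three-device scenario are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

# Assumption for illustration: a 20-minute rotation, as the comment describes.
ROLLING_PERIOD_MINUTES = 20


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Rolling identifier for one interval of the day.

    Assumed derivation (HMAC-SHA256 truncated to 16 bytes); the real
    specification defines its own derivation, this is only a stand-in.
    """
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Server:
    """Holds only the daily keys of users who chose to report an infection."""

    def __init__(self) -> None:
        self._infected_keys: List[bytes] = []

    def publish(self, daily_key: bytes) -> None:
        self._infected_keys.append(daily_key)

    def infected_keys(self) -> List[bytes]:
        return list(self._infected_keys)


class Device:
    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_key = secrets.token_bytes(16)  # leaves the device only on self-report
        self.heard: Set[bytes] = set()            # identifiers heard nearby, kept locally

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def listen(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def report_infection(self, server: Server) -> None:
        server.publish(self.daily_key)

    def exposure_count(self, server: Server, intervals: range) -> int:
        """Local matching: re-derive identifiers from the published keys and
        compare against what this device heard. The server is not told the result."""
        hits = 0
        for key in server.infected_keys():
            for i in intervals:
                if rolling_id(key, i) in self.heard:
                    hits += 1
        return hits


def meet(a: Device, b: Device, interval: int) -> None:
    """Two devices in Bluetooth range exchange identifiers for one interval."""
    a.listen(b.broadcast(interval))
    b.listen(a.broadcast(interval))


def identifier_linkable(server: Server, identifier: bytes, intervals: range) -> bool:
    """What anyone holding the published keys can do: recognize that day's
    broadcasts of a reported user. Non-reported users stay unlinkable."""
    return any(rolling_id(k, i) == identifier
               for k in server.infected_keys() for i in intervals)


def simulate() -> Dict[str, object]:
    """Constructed scenario: Alice meets Bob twice, Bob meets Carol once,
    Alice later reports positive."""
    server = Server()
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    day = range(0, 24 * 60 // ROLLING_PERIOD_MINUTES)  # 72 intervals
    meet(alice, bob, 3)
    meet(alice, bob, 4)
    meet(bob, carol, 10)
    alice.report_infection(server)
    return {
        "bob_exposures": bob.exposure_count(server, day),      # 2
        "carol_exposures": carol.exposure_count(server, day),  # 0
        "server_keys": len(server.infected_keys()),            # 1 (Alice's only)
        "alice_broadcast_linkable": identifier_linkable(server, alice.broadcast(5), day),
        "bob_broadcast_linkable": identifier_linkable(server, bob.broadcast(5), day),
    }


if __name__ == "__main__":
    print(simulate())
```

The last two fields show the known trade-off of this design: once a key is published, that user's broadcasts for the day become recognizable to anyone with the list, while everyone else's identifiers remain unlinkable.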
Do you really need a mobile phone? I spend enough time with the Internet in the home office. When I go out, I go to a mountain, forest or similar natural scene. A phone + Internet is just bringing what I seek to escape from with me.
Just ditch the phone. Problem solved. Simple solutions are usually the best.
> GACT works much more reliably and extensively than any other system based on either GPS or mobile phone location data (based on cell towers) would be able to (under normal conditions). I want to stress this point because some people have responded to this threat saying that this is something companies like Google (using their GPS and WiFi names based location history tool) can already do for years. This is not the case. This type of contact tracing really brings it to another level.
I don't see an explanation of why this would be so.
Also, I see here as elsewhere a "what if one installs a malicious app that uses this?", but that argument applies even without the contact tracing framework.
Still, there are some valid points which I hope can be considered by the spec authors.
I'd guess it's because GPS / cell phone tracking data rely on line of sight to towers / satellites, but GACT works on human-to-human proximity, and therefore data can survive offline locally until some point in the future when you get connection back. Also it seems the distance accuracy between human to human would be more accurate (via BT signal strength) than distance accuracy in a GPS / cell phone tower situation.
The movements of your mobile phone (and everything you look at on it and what you type and who you communicate with and what you say and literally everything else you can think of) is available at the touch of a button to the government.
It amazes me that people know this, but simultaneously don't know it?!
The horse has bolted. It is gone. This urge to close doors to empty stables is really baffling to me. Really confusing. Why are people like this?
The complaint isn't about the capability for mass surveillance, but the normalization of it, in the public mind.
The capability has existed for a pretty long time, mostly out of the public eye, with occasional bursts of outrage when something caused it to become public, quickly forgotten afterwards.
The capability is there, that genie is out of the bottle and nobody is going to put it back in. This isn't really about the technology, it's about the legal frameworks and social attitudes surrounding this capability that are worth talking about. Putting your hands up in defeat is not useful, and at this point probably neither is trying to prevent the technology from spreading. I am unsure what the solution is but the conversation needs to happen, and in all likelihood the end result of that conversation will be that corporations can't be trusted, just like they couldn't be trusted with food safety, for example, thus the FDA was created. What actions will be taken after that, I cannot predict.
Sorry, I can see where you're coming from, I just think you're seeing a difference that isn't there.
Specifically, these programs are totally normalised. We've had them for decades. They're supported by both parties in the whole English speaking world. They've grown and expanded since they were revealed. At this point, total surveillance is normal.
If anything, making an app for coronavirus is a good thing. It's easier to ignore this if it's done server side than if your carrier suddenly compels you to install some shitty slow battery draining app. I don't know if that qualifies as normalising it, but if it does and gets people up in arms (or encourages even 1% of them to move to Tor or Signal or something) it's a good thing...
Is there a reason why this framework can’t be open sourced by Google and Apple?
I’m not suggesting that it be developed by the community, but it seems like visibility into the source could give some assurance of what it is doing and potential weak points.
I realize governments, Apple, Google already have access to my personal information and location. But I get the sense the public gets uncomfortable whenever we feel governments are openly using our personal data on a large scale. Uncomfortable is the key for me.
What scares me specifically about person proximity tracking is that in the current covid world it seems realistic that some governments will force people to enable it with seeming support from the public. Therefore eroding that uncomfortableness.
I feel that Apple and Google are a bit coy when they claim their solution is opt-in only. Given that one super-spreader can infect a whole city, you need very comprehensive coverage to keep infections under control. It's as if these companies are winking at governments and saying: Hey, we've done our part, now it's on you to enact CCP-style policies to make sure that everyone has to opt-in before you're allowed to leave your house.
This isn’t how you do privacy analysis. The author assumed stuff about stuff he doesn’t know and extrapolated on that. I was expecting some protocol analysis. Not sure who this is and if the individual usually does cryptanalysis or not. So we don’t know what their thoughts on the actual protocol are. Unfortunately I am worried this will be listed as a negative on the protocol by aggregators who are not technical.
Authoritarian countries may give fake test results to people they don't like in order to find their whereabouts for the past two weeks, for example.
In the end, people should be in control and it should be obviously simple to turn it off systemwide (not buried in Settings > Privacy > Location > System Services or whatever).
Say I work for a repressive regime. To do business in our economy (tag into subways, etc), you need to install an app with GACT enabled.
Now, whenever we arrest a political opponent, we get their GACT device key, and flag all of their associates as political dissidents, and arrest them too.
This seems like an invaluable tool for oppression.
The major question I have about smartphone based contact tracing is if it is effective, and if so how much more effective it is than existing techniques.
Bluetooth based contact tracing could be a valuable tool in public health, but as many have opined it is also a significant sacrifice of privacy.
Is there any data on the effectiveness of this sort of technology yet?
3Blue1Brown had a YouTube video a few weeks ago, running simulations. The effect of contact tracing and testing is significant. Granted, it's just a simulation, but the efficacy of contact tracing + testing is quite powerful.
Absolutely, the efficacy of contact tracing has been known for a long time.
That being said, we’ve also been doing interview based contact tracing for a long time. The current IT systems for doing contact tracing leave a lot to be desired (I did a trade study a couple months ago), but public health agencies have procedures for doing contact tracing without invading privacy nearly as much as the proposed platform.
Preemptively using smartphone interactions to capture information would definitely be cheaper than the current manual processes, but I want to know how much it improves efficacy before nationwide/global deployment of such an invasive technology.
Until then, hire contact tracers. There are a lot of unemployed people.
Pardon my ignorance, but how does a human do contact tracing? Start calling people to find out if they shopped somewhere recently with a known exposure?
You interview the identified case to determine who they’ve been in close contact with for the last several days, get their contact info, and then test them. Repeat for any new positive contacts.
If they were in any public areas you can pull purchase records for anyone who was also in the area at the same time.
I've been wondering this -- what is my likelihood of infection based on vector? If I go shopping and there are 5% people actively infected, how does that compare to living with someone?
I've been operating under the assumption that proximity without PPE but within a few hours of existing in the same space is a significant vector. If true, it seems like it'll be very difficult to find people who shopped at the same store within the same day.
Do people really think the evil sorcerers at the twin towers of google and Apple rub their hands and laugh maniacally at the chance to build the ultimate evil privacy violation tool made only ever more fabulously evil because it is cloaked in goodness and brought as a gift to do good?
These are not the nine rings for mortal kings.
Do these people think that Larry and Sergei call a meeting of their most evil henchmen/project managers and say “gentlemen we have been given an outstanding chance to build something magnificently privacy violating! The coronavirus has driven people into our hands! We have waited so long for the chance to build such a system and because people think it’s for good, we’ll never be suspected! Go my minions, fly and build the dark software that will create us a secret and hidden trove of privacy data the likes of no other! Ha ha ha !”
> GACT works much more reliably and extensively than any other system based on either GPS or mobile phone location data (based on cell towers) would be able to (under normal conditions). I want to stress this point because some people have responded to this threat saying that this is something companies like Google (using their GPS and WiFi names based location history tool) can already do for years. This is not the case. This type of contact tracing really brings it to another level
I'm curious about this, the author says they would like to "stress this point", but then provides no analysis or evidence to impress this... anyone have any buttressing points?
Contact Tracing is an awesome way to use the technology in theory, however, while a bit conspiracy theory-ish, it can also be used as trojan policy to allow unfettered warrantless access to location data, mass surveillance, and anything else they'd like that could be exfiltrated from user devices.
Anything that has the ability to be exploited will be exploited for purposes.
We have a generally healthy level of distrust for our governments as well as big business, and given the consistent evidence, I feel that's generally warranted. (Government is supposed to serve the people, not the other way around).
I would never opt-in for this nor would I trust it.
Personal opinion: I'm glad Google and Apple are working on this. Because a very likely possibility if they don't, is that the governments demand further access to devices, backdoors to software, and enhanced power related to data collection and use.
Rationally, this would boil down to whether you trust your government or the tech companies more with this data, and opinions will vary.
My, admittedly high level, review of this proposal is that it seems to have a good privacy design. As I understand it, the contact information never leaves your device.
I don't think it's absurd to forego all this fancy crap that triggers through walls, and instead have a cute, local-to-device, privacy respecting app for logging contacts and locations.
Brought your mom some bread today? Log it in the app.
Went to a grocery store after? Log it in the app.
Every Sunday or something maybe check in with some of the people you got within physical proximity of, and try to investigate a bit if there were any known cases at your grocery store or such.
If you were potentially in contact with Covid, maybe update the people you saw after it, or maybe just self isolate, or maybe both.
Definitely do get in contact if you have symptoms, and ideally you could even alert the grocery store and they could post a notice somewhere people could easily find (ideally online) with when you visited and perhaps the likelihood of you having had it at that point.
Sanitize your groceries too~ People pick things up and put them back, I imagine there are hundreds of cans and junk food wrappers sitting in stores across America right now with Covid on them.
I really believe this is all doable with the stock iOS Reminders app and some discipline. But a standalone app would be nice; not-plaintext-in-the-cloud is kind of important at scale. Non-iCloud reminder lists were possible at one point.
(Tangent but Reminders a misnomer imo, I vote renaming it to String Nest)
Who do you trust more to build a complex decentralized anonymous tracing system? Which will be subject to the toughest privacy and security audit ever seen. A random tracing app developer, or an alliance of the biggest competing players in this field?
We may well really need this kind of tracing, and frankly it would be useful if we had had it since it would have and will save lives.
Do I think it is sensible to raise concerns? Yes
Am I disappointed that there aren't specific suggestions to address issues? Yes
It is really easy to criticise and a lot more difficult to come up with solutions. As an expert in privacy, I'd have liked to see specific actionable items. e.g. 'Google/Apple must do X to ensure Y' or something saying 'Yes, this is really difficult and I don't know the answer'. This opens the floor for collaboration and for suggestions which feels a lot more constructive.
What's key is that this is done right. If it isn't done right, there's a risk that no one will install it and we don't get the protection.
This is a very, very poor article with no real grasp of comparable threat vectors.
It seems to feel having two centralised vendors for this is worse than just having arbitrary third parties, without explaining how this would be facilitated without any controls over this on an OS level, so it would then just be entirely dependent on all of your third party applications. That's a much bigger threat model than the OS vendor, requiring you to trust dozens of different vendors with different motivations to behave.
The fact is really simple, if you don't trust your OS vendor that the APIs are as described then you're screwed and everything else is irrelevant. It is very clear the general public do not give a stuff.
Before we do all this, couldn't Facebook just turn over the data that its users have already consented to sharing? I feel like that would get us a significant part of the way there.
Thanks for the reference, I didn’t know about that [1]. Wouldn’t you achieve the same result by turning on airplane mode? I guess it should be straightforward to check whether there are any signals when it is activated.
Once you need to be online you must disable airplane mode, true, but you also must take your phone out of the silent pocket, no? At that point you “lost”.
My worry is more that there will be an exploit for Android that will collect all those Bluetooth IDs and geolocations and upload them somewhere that somebody could use nefariously.
Not saying that telcos have shown any moral high ground with location data, even Google has this level of location tracking enabled for a considerable amount of people. I'm most worried about an Elasticsearch instance cropping up where somebody's bluetooth ID can be used to see how they get to work, etc. Faraday cage bag for phone seems like a reasonable solution.
> And better not tell the author of this article but this data has been made available to authorities for decades.
Sometimes people can surprise us; the author is at least somewhat familiar with GSM networks, and perhaps you'd both enjoy a learning experience if you're able to share any additional information you have with them.
I am well convinced this is just a cover for them to release the information they already are collecting without admitting they track everyone everywhere.
Google and Apple have come up with a somewhat ingenious scheme to mitigate this crisis while preserving privacy to the greatest possible extent.
Self-appointed privacy experts aren’t going to do their cause any favors by reflexively finding/imagining fault with it. This article comes surprisingly close to literally “crying wolf”.
I do, however, fault Google & Apple for using the acronym "GACT" here. This is an RNA virus, so they should be able to come up with something that backronyms to "GACU".
The very OS-level baking in of GACT tells that the intent is not to make this opt-in, in principle.
Even if it is rolled out today as opt-in, the option stays open for a government to centrally enforce mandatory activation of tracking via Apple/Google.
Jury is still out on Apple, advertising isn't their primary source of revenue and they have a much better track record on privacy than Google.
Verdict is definitely in on Google though. Anyone willing to give this level of power and data to Google is like sending your children to a daycare run by pedophiles. Sure, you might make it work and earn a paycheck but you're coming back home to a mess that probably can't be undone.