Germany flips to Apple-Google approach on smartphone contact tracing (reuters.com)
344 points by kjhughes on April 26, 2020 | hide | past | favorite | 223 comments


Summary: Germany is moving away from a centralized approach (PEPP-PT = Pan-European Privacy-Preserving Proximity Tracing) to a decentralized one (like DP-3T = Decentralised Privacy-Preserving Proximity Tracing).

A nice comic version of DP-3T, by Nicky Case, is available here: https://ncase.me/contact-tracing/

(But is the Apple-Google protocol identical to DP-3T, or does the headline mention “Apple-Google approach” just for simplicity? I heard there are some minor differences…)


There are some differences. DP-3T proposes two different systems, one with linkable tokens and the other without linkable tokens. The first system is similar to Apple-Google in the sense that your tokens for a day are derived from a key which is uploaded to a central distribution server when you test positive. In the second system the tokens are not linkable and they propose the use of a Cuckoo Filter to reduce the space complexity. A Cuckoo Filter is a probabilistic data structure that can tell you if an item is not or might be in a set. As a result there are some false positives.

DP-3T also explains how records are uploaded to a central server and the interactions with health-care providers. Apple-Google omit this part and focus on proximity data collection.

Edit: Formatting + I wrote a survey paper on a few of the distributed protocols and how they defend against linkage attacks (de-anonymization): https://github.com/robertTheHub/ContactTracingSurvey/blob/ma...
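To make the linkable-token design described above concrete, here is an added, constructed illustration (example code, not DP-3T's or Apple/Google's own implementation): each phone keeps a secret per-day key, derives its broadcast tokens for that day from the key, records the tokens it hears, and, when a key is published after a positive test, recomputes that day's tokens locally to count matches. The slot count, HMAC-SHA256 derivation and 16-byte token length are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: one token per 10-minute slot, 144 slots per day.
SLOTS_PER_DAY = 144


def derive_tokens(day_key: bytes, day: int) -> list:
    """Derive every broadcast token for one day from that day's key (HMAC-SHA256, truncated)."""
    return [
        hmac.new(day_key, f"{day}:{slot}".encode(), hashlib.sha256).digest()[:16]
        for slot in range(SLOTS_PER_DAY)
    ]


class Phone:
    """Toy device: keys and heard tokens never leave it unless the owner reports."""

    def __init__(self):
        self.day_keys = {}      # day -> 32-byte key, generated locally
        self.observed = set()   # tokens heard over Bluetooth, stored locally

    def key_for(self, day: int) -> bytes:
        if day not in self.day_keys:
            self.day_keys[day] = secrets.token_bytes(32)
        return self.day_keys[day]

    def broadcast(self, day: int, slot: int) -> bytes:
        return derive_tokens(self.key_for(day), day)[slot]

    def hear(self, token: bytes) -> None:
        self.observed.add(token)

    def report_positive(self, days) -> list:
        # Only day keys are shared; every token of those days is recomputable from them,
        # so individual slots cannot be withheld without withholding the whole day.
        return [(d, self.key_for(d)) for d in days]

    def check_exposure(self, published) -> int:
        """Recompute tokens from published keys and count how many this phone heard."""
        matches = 0
        for day, key in published:
            for token in derive_tokens(key, day):
                if token in self.observed:
                    matches += 1
        return matches


def simulate_exposure():
    """Constructed scenario: Bob meets Alice for three slots, Carol only meets Bob."""
    alice, bob, carol = Phone(), Phone(), Phone()
    day = 5
    for slot in (10, 11, 12):
        bob.hear(alice.broadcast(day, slot))
    carol.hear(bob.broadcast(day, 40))
    published = alice.report_positive([day])   # Alice tests positive, uploads day 5 key
    return bob.check_exposure(published), carol.check_exposure(published)


if __name__ == "__main__":
    print(simulate_exposure())   # (3, 0)
```

The matching step runs entirely on the receiving phone: the server only distributes keys, which is why this variant gives up less than a centralized contact database, while still letting anyone who knows a day key link all of that day's tokens to one reporter.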


For those interested, the DP-3T papers can be found on their GitHub (https://github.com/DP-3T/documents). Apple has also published a preliminary specification of their protocol (https://www.apple.com/covid19/contacttracing/) if you'd like to compare.

I'd like to mention the TCN Protocol here (https://github.com/TCNCoalition/TCN), another very similar specification. I bring it up because the readme goes into quite a bit of (easily understandable!) detail regarding the trust assumptions of such a protocol and associated rationale.

Ultimately I think Apple and Google are right to omit record upload and authentication concerns from the base protocol. The low level implementation should be as interoperable and generalized as possible in order to facilitate immediate uptake and maximum reusability. Higher level concerns such as who to trust and how to interact with users can be handled by the various app implementations.


It seems unlikely that anyone will deploy a version of DP-3T that differs significantly from the approach built into Android and iOS, due to the need for apps to obtain special permissions to run in the background. So the alternative variants that go under that brand are probably a dead letter.


> So the alternative variants that go under that brand are probably a dead letter.

Government-mandated alternative applications will probably be excepted, too.


Nope, explicitly not [1]:

"Those privacy principles are not going to change," said Gary Davis, Apple's global director of privacy. "They are fundamental privacy principles that are needed to make this work."

[1] https://appleinsider.com/articles/20/04/24/apple-google-in-a...


That's what INRIA and Fraunhofer thought as well, yet their approach is now dead.


The Fraunhofer approach with centralized data collection is dead because they got a shit-tornado from researchers and the experienced general public.


Can an app not simply ask the user for, and subsequently be granted, the necessary permissions? At least on Android I had understood it to work that way in theory, although in practice perhaps it doesn't always behave ideally (https://support.google.com/pixelphone/thread/6068458?hl=en).

Edit: I see now that it's specifically iOS that doesn't provide for granting the required permissions. I find such lack of control over a device that one supposedly owns highly concerning at best.


Guess: many people would tap OK without thinking about it (they don’t understand or care what background means) then would be unhappy that their battery drains.


It seems to me that restricting freedoms to combat ignorance is unlikely to have a desirable outcome. To your specific example, I suspect that bluntly warning that granting the permission has the potential to lead to significant loss of battery life would get even the most technically illiterate user's attention.

More generally, how are background streaming services supposed to work on the iPhone? Does Apple have to individually approve every app that wishes to do so (ex Spotify, Pandora, ...)?


No, they would just click anything that makes that dialog that stands between them and their goal of installing the app go away without reading the text and then be unhappy that their battery drains. Any design that relies on a confirmation dialog is fundamentally broken. Even technically competent users will read most confirmation dialogs as "Let me do what I want [Abort] [OK]" no matter what you actually write there.

In many situations we may not have better solutions, but that doesn't change the fact that this is terrible.


> Any design that relies on a confirmation dialog is fundamentally broken

I'm having trouble interpreting this in any way other than a claim that granting users control over their devices is a fundamentally broken idea. I won't dispute that users often choose to do dumb things in practice, but it seems the two of us have a fundamental disagreement in our underlying worldviews.

> Even technically competent users ... no matter what you actually write

I'd argue that such users aren't actually technically competent then, despite the high opinion they might have of themselves. On the other hand, perhaps the users are technically competent and it's actually the relevant software developers that have done a poor job of communicating? If an actual technically competent user is experiencing significant difficulties using a program, then perhaps the program doesn't work as well as the developers thought it did.


The issue is that because of some "bad" users you restrict all users. What I do when I design a prompt dialog that gates a dangerous operation is make the user type something; you could have the user type a different thing so you can confirm he actually reads the prompt text, so there are technical solutions. IMO the justification that Apple is taking your freedom to protect a subgroup of users is not the reality; the reality is that restrictions make Apple more money. If lifting the restrictions would make them more money you would see a lot of praise on how smart the tech behind Apple's dialog prompts that allow you to lift restrictions is.


> As a result there are some false positives.

Could this be a feature rather than a bug here? Help maintain tracing to a very high level statistically while still giving plausible deniability for personal privacy?


This is definitely by design. The Cuckoo Filter relies on hashes of the input so there is a chance of collisions. My understanding is a Cuckoo Filter is a recent extension of a Bloom Filter, if you're familiar with those.
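For readers who want to see where the false positives come from, here is an added, constructed toy cuckoo filter (example code, not DP-3T's or anyone else's implementation): each item is reduced to a short fingerprint stored in one of two candidate buckets, lookups answer "definitely not present" or "possibly present", and a false positive occurs when an item that was never inserted shares both a fingerprint and a bucket with one that was. The parameters (8-bit fingerprints, 64 buckets of 4 slots, SHA-256 as the hash) are assumptions made for this example.

```python
import hashlib
import random

NUM_BUCKETS = 64      # power of two, so the XOR partner index stays in range
BUCKET_SIZE = 4
MAX_KICKS = 500


def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def _fingerprint(item: bytes) -> int:
    # Values 1..255; 0 is reserved to mark an empty slot.
    return (_h(b"fp:" + item) % 255) + 1


def _index_pair(item: bytes):
    """Fingerprint plus the two candidate buckets (partial-key cuckoo hashing)."""
    fp = _fingerprint(item)
    i1 = _h(item) % NUM_BUCKETS
    i2 = (i1 ^ _h(bytes([fp]))) % NUM_BUCKETS   # i1 is recoverable from i2 and fp alone
    return fp, i1, i2


class CuckooFilter:
    def __init__(self, seed: int = 0):
        self.buckets = [[0] * BUCKET_SIZE for _ in range(NUM_BUCKETS)]
        self.rng = random.Random(seed)   # fixed seed keeps the example deterministic

    def _try_put(self, i: int, fp: int) -> bool:
        bucket = self.buckets[i]
        for s in range(BUCKET_SIZE):
            if bucket[s] == 0:
                bucket[s] = fp
                return True
        return False

    def insert(self, item: bytes) -> bool:
        fp, i1, i2 = _index_pair(item)
        if self._try_put(i1, fp) or self._try_put(i2, fp):
            return True
        # Both buckets full: evict a resident fingerprint and move it to its other bucket.
        i = self.rng.choice((i1, i2))
        for _ in range(MAX_KICKS):
            s = self.rng.randrange(BUCKET_SIZE)
            fp, self.buckets[i][s] = self.buckets[i][s], fp
            i = (i ^ _h(bytes([fp]))) % NUM_BUCKETS
            if self._try_put(i, fp):
                return True
        return False   # table too full

    def contains(self, item: bytes) -> bool:
        """False means definitely absent; True means possibly present."""
        fp, i1, i2 = _index_pair(item)
        return fp in self.buckets[i1] or fp in self.buckets[i2]


def build_filter(n_items: int):
    """Constructed sample set: n_items contact tokens inserted into one filter."""
    f = CuckooFilter()
    members = [f"contact-{k}".encode() for k in range(n_items)]
    for m in members:
        if not f.insert(m):
            raise RuntimeError("filter full")
    return f, set(members)


def find_false_positive(f: CuckooFilter, members: set, limit: int = 100000):
    """Return the first never-inserted item the filter reports as possibly present."""
    for k in range(limit):
        candidate = f"stranger-{k}".encode()
        if candidate not in members and f.contains(candidate):
            return candidate
    return None


if __name__ == "__main__":
    flt, members = build_filter(150)
    print(find_false_positive(flt, members))
```

With 8-bit fingerprints and buckets of 4, roughly one in fifty random non-members collides, which is the trade-off the comment above describes: far less space than storing every token, in exchange for occasional spurious matches.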


Nice work, I think you really nailed this!


Thank you! That is really nice to hear.


Would you be okay with me reposting your paper on my site? I'm working on a piece about the regulatory implications of contact tracing apps in the U.S. -- you've done a better job outlining the pros and cons of the various approaches than I could.

Feel free to hit me up henriquez AT protonmail if you'd like to discuss!


Emailing you now.


I found that Steve Gibson’s description was both more technical and still very simple to follow, for those interested:

https://m.youtube.com/watch?v=Z3DZ3St3QRw

Starts at about 1:19.


Better link: https://youtu.be/Z3DZ3St3QRw?t=4748

Edit: Gibson is a good explainer, but it's just a video of the two podcasters. It could be much clearer with visual aids.


Can someone explain who invents these abbreviations? The PP-PT and P-3T parts are exactly the same except completely differently shortened. In P-3T the "3" is in reference to the "P", not the "T", so I would think it should be either DPP-PT or maybe D3PT. Then the hyphens in the first abbreviation are at exactly different positions when spelled out: PEPP-PT vs Pan-European Privacy-Preserving Proximity Tracing.


Too bad that (at least on Android) an app that needs to use Bluetooth also needs GPS permission. So there will still be a concern about privacy. I don't understand why these two permissions need to be together.


If you don't trust the app to not localize/track you, you also don't want to give it BT permissions. BT on its own is enough to localize/track you pretty well in cities, which was one of the reasons people didn't like the idea of a centralized database of BT contacts ...


Probably because bluetooth alone could give away your location with beacons.


Could you not have a separate permission based on bluetooth profile? Not all bluetooth devices are location privacy threats to the same degree.


Is there already a working app that people can install and use?


I’m building one here, using a mock implementation of Apple’s framework based on their documentation:

https://github.com/CrunchyBagel/TracePrivately/


That's a good comic for an overview, but with a lot of assumptions. Like that Alice can limit what she reports, that 30 seconds or 5 minutes or any amount of time is a "contact" this is entirely undefined as far as I know, that Alice could be compelled to release this data (4th and 5th amendment cases possible), that there will likely be no open source alternatives to the centralized AppleGoogle plan where both will want to build into the OS, doesn't say that just because the "public data" was X that there isn't also meta data Y that a mfg could add and supplement (like GPS data) and just the whole idea of opt-out might be questionable now and impossible later.

It's a good idea to show how it could be privacy "OK" , but doesn't even hint on a reality that this might not be a road we want to go down - paved best intentions and all that.


1. Alice limiting what she reports is a function of her phone software; this is trivially doable by just not broadcasting beacons, or after-the-fact by not reporting your beacons (or reporting false beacons) for certain times.

2. The number of minutes is a threshold decided by epidemiologists, programmed into people's phone, as a public-policy heuristic. It doesn't need to be perfect, just to catch a lot of the actual contacts in its filter while avoiding too many false positives - even quarantining 50 or 60% of contacts can reduce spread by a lot!

3. You could be compelled to release data, but all you would get is a list of beacons; you'd then have to also subpoena/steal everyone else's records of whose beacons they saw (this data stays on local devices!) and correlate encounters with actual locations. This is HARD - like, nation-state actor hard. Like, nation-state intelligence agency hard, probably beyond the reach of your average criminal-justice apparatus.

4. DP3T already has open-source implementations (e.g. https://github.com/DP-3T/dp3t-app-android).

5. If your threat model is "my phone/OS manufacturer will publish code that doesn't follow the protocol", then you're screwed anyway. (And in fact, Apple and Google aren't following this protocol, they're coming out with their own joint system that they claim is DP3T-inspired.)


> or after-the-fact by not reporting your beacons (or reporting false beacons) for certain times.

Not with the "Apple/Google protocol", you can't; your beacons are derived from a key, and only the key is uploaded.


As I noted:

> (And in fact, Apple and Google aren't following this protocol, they're coming out with their own joint system that they claim is DP3T-inspired.)

Criticisms of DP3T should be separated from criticisms of the Apple/Google system.


1. You clearly didn’t reference the panel where Alice is choosing to upload data with exempting sections from it.

3. Yea, that’s great and all. The point is that you may be compelled to upload your contacts - NOT your beacons. You are collecting people you met. You likely do understand some of the ways contact tracing could be abused. Think about police trying to prove contact with someone they do have beacons for.

5. So why bother with passcodes, or any security at all anywhere for any new or existing feature? This is a slight evolution on “I have nothing to hide”.


1. That's exactly what I was referencing? i.e. I interpreted your saying "with a lot of assumptions. Like that Alice can limit what she reports" as saying "a feature of the protocol, explicitly mentioned in the comic, is an assumption not to be trusted." Whereas that's an option which is already in the preliminary demo apps.

3. Indeed, they can use this to prove that two people who are both under surveillance/investigation were in the same area as each other. That's a risk, but not as severe of a risk as the general fear I've seen around this protocol.

5. That's my point. If you don't trust your implementer to actually implement the security feature, you're screwed anyway. You have to trust someone, and by using a modern phone you are implicitly trusting Apple and Google. Or at least trusting their employees to make a big stink if lines are crossed.


Once more a reminder that we are lucky to have the CCC in Germany.

I attribute this in no small part to their continuous lobbying and sisyphean efforts on the fringes of technology and civil rights.

Thanks!

https://www.ccc.de/en/updates/2020/contact-tracing-requireme...


It seems that a simpler attribution chain, and one mentioned in the article, is simply that Apple said no.


Thing is, in the previous discussion it was already mentioned by experts that this "No" would be likely and that the result would be an App that would not be tightly integrated with the OS and thus less useful (and less used). But it's now really easy for the politicians to point the finger at Apple instead of admitting one's fault.

How large the influence of the CCC actually has been is of course uncertain, but their comments have played a big part in public discussion of the last days. Most articles that I have read mentioned the criticism. And in German media quoting the CCC is often synonymous with "the nerds who actually understand computers say" (in good but also bad ways).


Can you explain what Apple said no to? The article doesn't spell it out.


Apple said no to allowing apps to do Bluetooth handshakes when they’re not open, as I understand it.


Kudos to Apple for not budging on this. A senior dev once shared a bit of wisdom with me. That developers don't typically hold all the power, but the point of leverage we do have is that in the end we are the ones who actually are going to build it. Disagree with PM on a feature? If you feel strongly enough, you build it your way until they remove you from the project. YMMV. Skate at your own risk.

Anyway, that's essentially what Apple seems to have done here. Strong move, and one they should be rewarded for.


That's a really passive aggressive way to build what you think is right... Have some backbone and learn to defend your perspective directly.


Passive aggressive way is sometimes the only possible way when the imbalance of power is so overwhelming that you don't even get the possibility to express your perspective, let alone defend it directly.


You always have the power to express your perspective. Although sometimes it can take some skill to express it well without getting yourself in trouble.


Yeah, but your perspective can be just ignored. A story:

I was asked to write an invoicing system. I know a _lot_ about invoicing systems. The owners who employ me were very explicit: all figures this invoicing system displays must exclude gst/vat. That made sense to them, because gst/vat just confuses their profit figures.

However, the whole point of an invoice is to communicate to the customer what they will be paying and why. The customers in this case are retail. They are interested in only one figure: what comes out of their bank account. That figure includes gst/vat of course.

As part of this I asked to see what they were doing now. The old system they were using did adhere to their edict: everything was ex gst/vat. As a consequence every person who was customer facing (i.e., the vast majority of the employees) carried a calculator to convert the figures to what the customer wanted as they spoke with them. It looked difficult to me, but evidently madly stabbing calculator buttons while maintaining a smooth flow of conversation must be a skill most people can acquire.

This was insanity of course: we could save the bulk of the organisation time and considerable frustration by just giving these people the figures they needed. So I very explicitly ignored their direct instructions. Note: I had to ignore it, as I had already lost the argument. In due course it was rolled out for testing. I went down a month or two later. The calculators were gone, people were expressing their gratitude. Not a word was said by my managers, and I have duly been rewarded every year with raises.

I am a professional. I am hired very explicitly because I know far more about computer systems than the people who hire me. Like a doctor who refuses to prescribe opioids, I view it as my duty to steer them in the right direction even when they don't want to be steered. If that requires putting my balls on the line and refusing to budge, so be it. They can always fire me if I've made a grave error.


What I think gets missed here is that there could be a hidden requirement you don't know about. Were the owners using this invoicing system for internal accounting as well? Making that clear could have helped even more people do their jobs well.

Typically I find the cure for misinformation is more information.


That's simply not true. Sure, a place where you can't isn't going to be around for long, but if it's part of a larger, fairly-sane company then it might struggle along for a while before the entire company finally folds.


Passive aggressive would be not saying anything about it. That's not mutually exclusive with this. You can tell the PM, I disagree with you for these reasons, I'm going to build it the way I think is right, and if you need something different, go find someone else to build it.

What else would you do if your PM wants you to build backdoors into your encryption, for example?


It sounds like they’re suggesting they bumps it their way and wait until people figure it out.


> Disagree with PM on a feature? If you feel strongly enough, you build it your way until they remove you from the project.

This really only works in certain companies tho. I’ve seen some of our best developers removed from our project because they refused to build features that didn’t make sense. Word just goes up to senior management, and all of the sudden you’re to blame for project delays, and eventually pushed to another project.


Ah, the features we’ve built only to find half a year or a year later that yes, my initial advice was correct. Alas, that’s not how the world works.


> Alas, that’s not how the world works.

Sadly not, although I wish it was. In my current team, developers are only there to agree with POs, and to build whatever they want. Any resistance from a developer is seen as bad. Of course if we build a feature according to POs requirements, and the requirements were wrong, then developers are also blamed, since we should've highlighted this up front.


I have walked away from gigs over this in the past.

It's not that I have an issue with not having a final say in how things are built. If a PO comes with a seemingly unreasonable demand, I've come to understand that that's often the net result of politics and compromises from which developers are shielded. It's something I've come to accept as a part of the job and I've even learned a great deal from. But it also implies that in some cases my professional responsibility doesn't extend beyond what I do in my terminal or my IDE.

I do have an issue being treated like a character in a badly organized DnD game. And I have had no qualms in the past making it clear that I don't tolerate being blamed for bad planning or shoddy requirements gathering.

Good PO's are sensible about this and own up to their responsibility. Talking about it works. That's why people skills are every bit as important for developers as well. If a team isn't willing to discuss this elephant in the room, then it says a lot about the dynamics, and you have to question whether it's worth your valuable time to work in a context that isn't enjoyable in the first place.

After all, life's too short to deal with other people's drama.


> I do have an issue being treated like a character in a badly organized DnD game. And I have had no qualms in the past making it clear that I don't tolerate being blamed for bad planning or shoddy requirements gathering.

I have found myself in this situation for the past two years; I've voiced my opinion more than once. But at the end of the day, in a non-tech financial company, developers just aren't important enough to be listened to. The business side holds all the power, managers on the tech side know this, and thus let them treat us like code monkeys. There have been numerous reshuffles in our team to "try and fix the problem", however without accountability, it will be difficult to fix a problem without understanding the root cause.

I've lost all respect for people who operate as the middleman between the development team and the business side, mostly because when it comes down to choosing a side, they'll side with the business, and play their politics game. After all, developers can't get them fired / moved away from a project.

I know I should just walk away, and I've told myself this for over a year. Yet this job is oddly comfortable (in terms of benefits), so I just let it happen. I still have moments where I care enough to speak up, but they're quickly shut down by my managers.


> Yet this job is oddly comfortable (in terms of benefits)

I once walked away from a gig that was literally 2 blocks down from my door and traded it in for a gig with a 2 hour commute. Just to guard my sanity.

I think it comes down to cost/benefit and opportunity cost calculations. And those are different for everyone.


I have been looking around for a new opportunity, but I haven't come across any that made me comfortable enough to resign from my current job. My fear is that it will just be the same thing, and in that case, I might as well stay where I'm at.


It definitely won't be the same... "all happy families are the same, unhappy families are each unhappy in their own way. "

Forget where that's from, but seems true of companies too. Each company I've joined had skeletons you'd never see during an interview. After the honeymoon period wears off, the truth starts to show.

Not to say that you shouldn't find a new job. Definitely don't expect it to just get better though.

In fact trading the known badness of your current company for something else gives you opportunity to find different ways a company can be dysfunctional. Enough of those experiences and you'll get good at pointing out dragons before they get nasty. Truly valuable for a senior developer.


Your anecdotes remind me of what I've heard about in-house counsel: lawyers can tell you that you should/shouldn't do something, but in the end, lawyers don't run the business, and sometimes they get ignored.

I think that in software there's something similar. Maybe you'd have more fun in a software company, where what you do is central to the business. Anyway, don't give up hope! There are jobs out there where you'd be having a lot more fun every day.


> I've lost all respect for people who operate as the middleman between the development team and the business side, mostly because when it comes down to choosing a side, they'll side with the business, and play their politics game.

Don't let this stereotype poison your career. Not everyone is like that, but if you assume they are, they likely will be. Relationships are so key.


Sadly I’ve met so many of these people, that my default assumption is that everyone is like this.

I’m sure there’s good ones, and I really hope I get a chance to work with them.


Like the good cops versus the bad cops, they don't stand out. And they won't be advertising how hard they are working for people like you. Search them out, and give people the benefit of the doubt.


> Disagree with PM on a feature? If you feel strongly enough, you build it your way until they remove you from the project.

there is the other side as well, PM : build me a bike. Dev: here is a spaceship. PM: but i wanted a bike. Dev: bike make no sense if u can travel using a spaceship.


> there is the other side as well, PM : build me a bike. Dev: here is a spaceship. PM: but i wanted a bike. Dev: bike make no sense if u can travel using a spaceship.

At the risk of being overly nitpicky (because I understand and agree with the general point you're getting at):

That spaceship _is_ super awesome and far superior to a bike if you need a solution that'll get you a far distance in a short amount of time.

But what if the need is something that's safe, cheap, and doesn't require complicated infrastructure to support? A bike might be a better solution.

Blame the PM if they're not making those priorities and needs clear, though.


The other side is that sometimes you tell the PM to actually go to a bike shop, but the company does not have the budget.

Sometimes you know that they ask for a bike but will change the specifications later, so you try to prevent the mess.

Trust me, I have a lot of experience in building 3-wheeled space-bikes ;D .


That works if it's a bottom up organization. Decisions like this at apple are very much top down. Luckily, the PMs there make the right calls, when it comes to privacy, since it's one of their key differentiators.


That might work on how a particular feature works (e.g. does the word count include symbols that have spaces either side of them?). If you're talking about fundamentally changing the architecture and user interface of a program that takes a multi-person team to build, never mind one that the government wants run by millions of people, you'd usually end up with less leeway.


In the current situation (and possibly in others) if a democratically elected government thinks it should be a certain way, then they could be excused for forcing Apple to make it that way.


> they could be excused

I'm not sure what this means. Excused by whom? I don't blame governments for wanting this. Stability helps them keep power, even in a democracy. But I applaud those who are willing to push back.


Excused by the people who would normally be upset by a government trying to tell a company how to do something, especially when privacy is involved.


I got to be honest and please downvote me all you like, but I wouldn't want to work with someone like you on a team.

Just building whatever and ignoring your PM isn't a recipe for team success.


Ha! You know very little about me. What I described isn't something I do, but it's an interesting power dynamic that plays out on a very small scale all the time. Knowing that it's happening is important, even if you're not abusing it.

Thanks for taking my nuanced statement and building that straw man.


That works until the technical PM has checkin permissions


Check in what? If dev refuses to write it PM has nothing to check in.


Checkin = commit changes into version control system


Unless the PM is going to write the entire feature themselves, check-in perms aren't going to do much.


> Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT)

Another problem with this standard is its overuse of plosives, which are themselves dangerous when disease is spread by droplets.


My god. You're on to something. We don't have to ban gatherings, merely gatherings with particular consonants.

I'm off to arrange my birthday arty.


Careful there, I think you mean virthay farthy


> irthay ary

FTFY



I thought exactly at that Friends episode the moment I read the parent comment, great.


That was hilariously good! I died laughing!


An innovation in Sanitation Bioterror Theatre! Let's drop some letters from all alphabets, they can keep company with missed hugs and statistical literacy.


Google and Apple have published a FAQ about how this system, which they're now calling Exposure Notification, will work from a high level. (This is not the protocol details, which are published elsewhere.)

Important bit: This will not default to on, you will have to opt in. Apple and Google have a regional kill switch if it is being abused.

https://covid19-static.cdn-apple.com/applications/covid19/cu...


Australia next? They're still telling people that in order to use the Australian contact tracing app on iOS they'll have to leave it open and the screen unlocked! https://www.abc.net.au/news/2020-04-26/coronavirus-tracing-a...



Australia is already rolling it out. Maybe they would have used it if it was ready, but as it is this effort from Apple/Google is too slow. Every week we let this virus live is costing the government (and eventually us) billions. Perhaps they will move to the Apple solution when it comes out, as what they have for Apple is cumbersome. But they already have Android users.

I rather like the solution Apple/Google have come up with because it solves a more general problem very nicely. The more general problem is "malware" for want of a better word (it's perhaps too harsh) - apps that lie or mislead about what they do and hide their bluetooth proximity harvesting in the permission thicket (who here would automatically associate the "Fine Location" permission with bluetooth proximity harvesting?).

But notice in this particular instance that's not what's happening. There is no attempt to deceive. The app is purely opt-in, and what you are opting into is very explicit. In this particular case there is almost no difference between what Apple/Google propose and TraceTogether. The difference amounts to when you give the government permission to know who you are. For TraceTogether it happens when you install the app. For the Apple/Google proposal, it's when you see your doctor when being notified you are infected. In both cases, no privacy is given up until you are infected, and assuming you installed the app in good faith and do get tested when notified the outcome is the same.

There is the minor problem that the Australian government could surreptitiously change the app to something more sinister down the track. I'd be very confident they would not do it now, but 24 months later when attitudes have reverted it's sadly entirely plausible. That could be fixed by changing release policies (such as publishing source before deploying). But it looks like for whatever reason they won't be doing that, so perhaps Apple/Google forcing them to deal with the citizens they govern honestly and transparently is a good thing, despite the delays it causes.


I'm seeing really mixed messages on this.

I saw a tweet yesterday about having to leave the screen on, but it turns out the source website was updated to remove that line, and that's not how the app works. However, there are also screenshots on Twitter of lock screen notifications saying that the app needs to be open so I don't know any more...


A few thoughts:

1. There's a fixation on contact tracing without recognition that it's useless without isolation. In-home isolation will infect other occupants. Voluntary isolation doesn't scale. Asian countries doing effective test+trace+isolation already know this. Think of it in terms of the kill chain F2T2EA: find, fix, track, target, engage, assess. You have to execute the entire loop for effect. The ability to force people to quarantine is probably a greater obstacle to liberty depending on local context that needs more discussion.

2. This is going to be the EU's Huawei moment. Reliance on US tech for internal policy security that is subject to US political whims is going to further exacerbate calls for technological divestment. Who decides when the covid19 crisis is over? What if the EU wants to keep contact tracing in place long term if it's the only ubiquitous system in place for reinstating Schengen? I surmise some sort of global digital cordon sanitaire is going to be with us for a while, especially if we want to resume international travel.


1 is addressed by pretty much every epidemiological and technical paper on the matter; nobody thinks digital contact tracing is a silver bullet.

2 This is not "reliance on US tech for internal policy security", this is using a tool that significant parts of the population have in their pocket to fulfill a complementary task in pandemic management. G&A make it easier to use it for managing the currently ongoing pandemic. "Who decides when covid19 crisis is over?" is pretty straight-forward in Germany, the government with their health ministry and external agencies and in coordination with the EU. G&A provide tools to switch this off on a regional basis. This is far from a "Huawei moment" because the tech side of it is pretty much a side note to history in terms of overall relevance.


1. Yes, scientists and policy makers know. But the average citizens who will be subject to these interventions largely do not. Western MSM has been extremely cautious, not emphasizing the unpalatable elements of isolation strategies. And before that, the privacy-breaking technical elements of contact tracing apps. These conversations are overdue even if societies eventually decide they are politically impossible.

2. This article is literally about US tech companies who "refuse to budge" on standards a sovereign backed during a time of extreme crisis. It may very well be that Apple provided a better argument, but the language suggests Germany was rebuffed, that is, it was a unilateral decision on Apple's part. Germany just found out how little influence it has over tools critical to their security. This is arguably much worse than a Huawei moment, since Huawei ostensibly has alternate supply chains whereas US companies own the software ecosystem for all mobile devices. The tech side in both scenarios is going to be historically incidental, but the political ramifications will be long lasting.

Saying who decides covid19 is over is straightforward is like saying the US declaring wars are over is straightforward. Maybe theoretically, but in reality not. What if the EU wants these features permanently baked in as part of a future biosecurity system? What happens if G&A say no?


Any bit of reduced transmission helps. All we need is for R0<<1 and then this pandemic will end. Any contacts this finds that human contact tracers do not is a win.


Unless Asian countries are erring on the extreme side of caution it seems wise to assume test+tracing is not sufficient for R0<1. Their effective responses all employ techno-authoritarian interventions: wrist bracelets, GPS tracking, publicly releasing travel routes, QR health codes, out-of-home quarantine etc. This includes democratic countries. There's an ongoing myopia in the west that is failing to fully interrogate the solutions from Asian countries who are doing well, in their full scope and ramifications on liberty, and their applicability based on appetite for sacrificing liberty. Media is happy to elevate testing and contact tracing without acknowledging the authoritarian follow-up.

E: I'm just suggesting it's worth discussing the system in aggregate rather than piecemeal.


Even if R_t is at or just above 1, that still lets us have a slow upwards curve with repeated short lockdowns.

The Oxford paper found that given the characteristics of SARS-CoV-2, 60% of people leaving the house would need to use an app like this (not 60% of the whole population).

But that is an evaluation of a single measure: phone contact tracing followed by prompt isolation of contacts. If you combine that with other potential measures such as continued closure of high risk environments, potentially public mask wearing, etc. you might be able to get away with less than 60%.


R_t < 1


Unicode has a ≪ :-)


It effectively means the entire household becomes quarantined. Depending on where you live that's actually not really much of a problem. We just do what we have to do.


It's a problem in the sense that you still don't want to infect more people than you have to; there's still a 20% hospitalization rate. Though I agree it's easier to maintain quarantine in countries with lower density and larger houses / suburbs. But one additional problem identified is adherence, especially without sufficient incentive (i.e. economic), hence location tracking or forced out-of-home quarantines. People become unreliable at scale.


> Reliance on US tech

This is Germany. They are a US satellite state since 1945 and have only limited independence on strategic issues.


As someone newly reading about this proposal, I'm curious to know which element of privacy is most of concern to people -- to educate myself on what tradeoffs some policymaker might understand and make some judgement call about. (wishful thinking)

(Suppose someone in charge of virus response is totally naive and says the old phrase, "what does anyone have to be worried about losing privacy, in the face of this public health crisis?" Or, "why wouldn't we want to know exactly when and where the transmission happened, to identify some trouble spot and stop it?")

Are we more concerned about one's location every 5 min being revealed? What if coffee shops/bus stations/shopping centers broadcast beacons and essentially became fixed known users -- doesn't that defeat this? And doesn't your phone already reveal location to anyone with sufficient access / authority on cell networks?

Are we more concerned about revealing who you associate with? Again, isn't that already possible through cell locations?

Are we not losing something by giving up recording the location element of the transmission event?

What are some examples of how this technology (if implemented wrong) could be misused, that are not already available?

And here's a related public policy question -- if we think ridiculous the people who are jumping to reopen businesses (and states) at the cost of putting people's lives at risk, why is privacy so important versus saving lives if a more effective (but slightly less private) information gathering mechanism could be implemented?


> What if coffee shops/bus stations/shopping centers broadcast beacons and essentially became fixed known users -- doesn't that defeat this?

No, because the list of beacons you received is only stored in your phone, so that would only allow you to determine that you went to a coffee shop often, and no one would be able to get a list of anyone who was close to the coffee shop.

This of course assumes that the app/OS vendor does not include hidden functionality that uploads your received beacons, but in that case they could just activate the GPS and upload the location regardless of the contact tracing system chosen.

The coffee shop would be able to determine how many smartphones are present near its location at any time (although this could be mitigated in principle by having smartphones send many beacons if they are receiving few, so the number is approximately constant), but would not know anything about them, including whether they are the same smartphones that it detected at a different time.
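To make the point in this comment concrete, here is an added toy model (my own code, not the DP-3T, Apple or Google implementation): each phone derives a chain of daily keys and, from each daily key, the day's ephemeral identifiers with a keyed PRF; a received EphID is only ever stored on the receiving phone; a positive report uploads nothing but one daily key; and matching is done on each device against what it heard. A fixed receiver such as a coffee shop logging every EphID sees no repeats and cannot tell two visits by the same person apart, until that visitor publishes her key, at which point her visits (and only hers) become linkable, which is the known trade-off of linkable-token designs. The hash-chain and PRF structure follows the DP-3T low-cost design in outline; the 16-byte EphIDs, 96 epochs per day, the PRF label, the class and function names and the scenario itself are my assumptions, and radio, timing and signal-strength details are omitted.

```python
"""Toy model of a decentralised (DP-3T / Apple-Google style) exposure-notification scheme. Added example: constants and names are my own assumptions, not from any specification."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

EPHID_LEN = 16                               # bytes per ephemeral identifier (assumed)
EPOCHS_PER_DAY = 96                          # one EphID per 15-minute epoch (assumed)
BROADCAST_LABEL = b"example-broadcast-key"   # PRF label, my own constant


def next_day_key(sk: bytes) -> bytes:
    """Hash chain SK_{t+1} = H(SK_t): publishing SK_t reveals later days, never earlier ones."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes) -> List[bytes]:
    """The day's EphIDs: HMAC-SHA256 in counter mode, cut into 16-byte IDs. Deterministic, so a
    holder of a published key recomputes the set; without the key the IDs look like random bytes."""
    blocks = (EPOCHS_PER_DAY * EPHID_LEN + 31) // 32
    stream = b"".join(hmac.new(sk, BROADCAST_LABEL + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return [stream[i * EPHID_LEN:(i + 1) * EPHID_LEN] for i in range(EPOCHS_PER_DAY)]


def matches_for_key(published: Tuple[int, bytes], horizon_days: int,
                    observations: List[Tuple[int, bytes]]) -> List[Tuple[int, bytes]]:
    """Roll a published (first_day, key) forward and return every (day, ephid) it explains."""
    day, sk = published
    out = []
    for _ in range(horizon_days):
        todays = set(ephids_for_day(sk))
        out.extend((d, e) for d, e in observations if d == day and e in todays)
        day, sk = day + 1, next_day_key(sk)
    return out


class Phone:
    """A device. Everything it hears stays in `heard`; only a daily key is ever uploaded."""
    def __init__(self) -> None:
        self._keys = [secrets.token_bytes(32)]           # SK_0, generated on the device
        self._order: Dict[int, List[bytes]] = {}         # per-day broadcast order, shuffled locally
        self.heard: List[Tuple[int, bytes]] = []         # (day, ephid) received over BLE, never uploaded

    def key_for_day(self, day: int) -> bytes:
        while len(self._keys) <= day:
            self._keys.append(next_day_key(self._keys[-1]))
        return self._keys[day]

    def ephid(self, day: int, epoch: int) -> bytes:
        """EphID broadcast in `epoch` of `day`; order shuffled per device so position leaks nothing."""
        if day not in self._order:
            ids = ephids_for_day(self.key_for_day(day))
            secrets.SystemRandom().shuffle(ids)
            self._order[day] = ids
        return self._order[day][epoch]

    def report_positive(self, first_contagious_day: int) -> Tuple[int, bytes]:
        """The only upload to the distribution server: the key of the first contagious day."""
        return first_contagious_day, self.key_for_day(first_contagious_day)

    def exposed_days(self, published: Tuple[int, bytes], horizon_days: int) -> List[int]:
        """Matching runs on the device against its own `heard` list; no contact data leaves it."""
        return sorted({d for d, _ in matches_for_key(published, horizon_days, self.heard)})


class FixedBeaconObserver:
    """The coffee shop from the comment: a fixed receiver that logs every EphID it hears."""
    def __init__(self) -> None:
        self.log: List[Tuple[int, int, bytes]] = []      # (day, epoch, ephid)

    def repeated_ephids(self) -> int:
        """Without any key, the only linkage available is an EphID literally repeating."""
        ids = [e for _, _, e in self.log]
        return len(ids) - len(set(ids))

    def visits_of_reported_key(self, published: Tuple[int, bytes], horizon_days: int) -> List[Tuple[int, int]]:
        """After a key is published the observer CAN link that one person's visits across days
        (the linkability cost of linkable-token designs); everyone else's visits stay unlinkable."""
        matched = set(matches_for_key(published, horizon_days, [(d, e) for d, _, e in self.log]))
        return sorted((d, ep) for d, ep, e in self.log if (d, e) in matched)


def run_scenario() -> dict:
    """Constructed scenario: Alice visits the shop on days 1 and 2, Bob on day 1 only, Carol on
    day 2 only. Alice then tests positive and reports day 1 as her first contagious day."""
    alice, bob, carol, shop = Phone(), Phone(), Phone(), FixedBeaconObserver()
    a1, b1 = alice.ephid(1, 40), bob.ephid(1, 40)        # day 1, epoch 40: Alice and Bob in the shop
    bob.heard.append((1, a1)); alice.heard.append((1, b1))
    shop.log += [(1, 40, a1), (1, 40, b1)]
    a2, c2 = alice.ephid(2, 33), carol.ephid(2, 33)      # day 2, epoch 33: Alice and Carol in the shop
    carol.heard.append((2, a2)); alice.heard.append((2, c2))
    shop.log += [(2, 33, a2), (2, 33, c2)]
    published = alice.report_positive(1)                 # all that ever reaches the server
    return {
        "shop_repeats_before_publication": shop.repeated_ephids(),
        "bob_exposed_days": bob.exposed_days(published, 14),
        "carol_exposed_days": carol.exposed_days(published, 14),
        "alice_exposed_days": alice.exposed_days(published, 14),
        "shop_links_alice_after_publication": shop.visits_of_reported_key(published, 14),
    }
```

Running run_scenario() gives Bob an exposure on day 1 and Carol on day 2 from the single key Alice uploaded, while Alice's own phone, which heard Bob and Carol, matches nothing; the shop's log shows zero repeats before publication and exactly Alice's two visits afterwards, Bob's and Carol's presence staying hidden. Using independent random per-day keys instead of a hash chain, and uploading each contagious day's key, limits what one key reveals to a single day at the cost of a larger upload.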


My impression as a german:

Government access to private data: revealing location & contacts. I think privacy might be the wrong description, I think it's more about surveillance of the people by the state, which is not acceptable for a huge percentage of people I know. Privacy is most of the time the better wording, but I think surveillance is the better fitting term for this occasion.

Just compare it to the DDR (German Democratic Republic, the communist state). Is it similar to the surveillance by the DDR's Stasi, which tried to track every move and every word of dissidents?

As an additional point: You can't force people to use the app (as far as I know). I don't think this is in any way compatible with basic human rights as formulated by the Grundgesetz (which I support; we are a democracy where the power comes from the people and not an authoritarian regime). They have to opt in themselves. You have to make the app attractive so that people want to opt in.


The whole point of contact tracing is to give the government access to contacts when needed (location is much less important). Experts also say that to be effective these apps have to be installed on 80% of smartphones [1], so in practice they have to be made mandatory.

Everything else is a distraction. Either these apps are needed and the above applies, or they are not and let's forget about them.

[1] https://www.bbc.co.uk/news/technology-52294896


> The whole point of contact tracing is to give the government access to contacts when needed (location is much less important).

Yeah, but only when needed, only as much as strictly necessary and deleting it immediately afterwards. I don't think we will allow general surveillance without a fight with a huge part of the population and fundamental changes to our society and our way to live.

Also, I don't agree at all. One right doesn't simply cancel another. And a mandatory app is simply not compatible with our idea of freedom, at least as I understand our basic law. Maybe in certain situations, but general surveillance is illegal.

We won't throw away our (liberal) democracy and the rule of law.

You can't set a target and simply force the population to comply. I think we can achieve good penetration without resorting to authoritarian measures. We have achieved some good numbers so far here in Germany; we can use this to further fight the coronavirus without turning into an authoritarian regime. Even our scientists, e.g. Prof. Drosten from the Charité, understand that politics is not science, that there are limits to what's possible, and always stress that society itself must decide to act.


This has nothing to do with democracy, surveillance, or freedom.

Nothing is absolute and a balance has to be struck. Germany is quite controlling in many aspects so it is a little strange that this would be an issue.

If contact tracing is needed then it should be deployed in the most effective way.

This is temporary and does not restrict people's freedoms at all. The controversy is manufactured on ideological grounds at a time when pragmatism should prevail.

Claiming that this would be throwing away democracy or the rule of law is plainly ridiculous. I think Germany is still traumatised by its history and this often has unfortunate consequences (we already saw it several times in recent years).


>If contact tracing is needed then it should be deployed in the most effective way

I, and many others, do not agree with your opinion that it should be mandatory. No other country has mandated contact tracing apps for their non-quarantined population.

There's no proof that a contact tracing application would be effective after there are already millions of cases. There is no indication that there will be enough tests to identify asymptomatic carriers, so if you were vulnerable you'd still need to self-isolate to be safe.

Already 1 out of 5 people have antibodies to this. We're on our way to herd immunity and a death rate of something like 1 out of 500 people. We were trying to slow things down so that hospitals were not overwhelmed, and we've done so. Unless someone comes up with a vaccine that can be mass produced in the next couple months this will all be a moot point.


I didn't write that it should be mandatory.

I wrote that it should be mandatory IF it is needed.

Otherwise it's like saying that lockdown is needed but that it will only be opt-in: it does not make sense.

By the way, no, 1 in 5 people do not have antibodies.


I apologize, you are correct that you did not say mandatory. I got carried away in the conversation.

> By the way, no, 1 in 5 people do not have antibodies.

"Cuomo Says 21% of Those Tested in N.Y.C. Had Virus Antibodies", NY Times, https://www.nytimes.com/2020/04/23/nyregion/coronavirus-new-...


"in NYC"


Is there a reason you don't think their numbers can be extrapolated to other places? Last week they were at 15% in NYC, and this jibed with the numbers from other places, like the U.K., and I think also Germany.

It seems that as we get more data we're finding more cases, and in increasing amounts, across the board. Which lowers the death rate and means we can reach herd immunity sooner than we thought.


I don't trust the involved actors enough to use this app; if I want maximum surveillance I'll just move to China or North Korea.


Wow, I’m a bit surprised that the one with the ability to say yes or no in this instance was Apple. I’m not sure if I enjoy the idea that any given company can overrule the government of the country it operates in...


Apple did not make the decision here, the German government did. The government would have been free to try to force Apple's hand with sanctions or any other tool available to them.

Time will tell but I feel like reducing this to the technical decision of Apple is slightly one sided. The PEPP-PT proposal was a pseudonymous, centralized, social graph of all users in the app with a rather opaque power structure behind it. The government got pushback from many sides on this issue and several EU neighbours publicly endorsed the decentralized DP3T.

This is a complementary tool for an epidemiological use case that heavily depends on public adoption. While PEPP-PT tried to push this narrative of "Apple vs France/Germany" over the last week through lobbying, I do not think it's an accurate/comprehensive depiction of the decision-making process in a democratic government.


There was very strong lobbying from the CCC and others. Apple's decision will have played a role, but the project would've suffered from a lot of distrust even if Apple had allowed it.

We won't know why exactly it was abandoned but I would give the CCC more credit than Apple.


This is not Apple overruling the government. Germany is perfectly free to ban Apple products. They did not.

Government / company interactions with multinational corporations are simple: the government makes rules, and the company is free to either operate in the locale or quit.

Germany decided that they would rather have an Apple which refused to play by the proposed rules, than no Apple at all, so they figured out new rules.


> This is not Apple overruling the government. Germany is perfectly free to ban Apple products. They did not.

That makes no sense. Maybe, in theory, if you had five years to play with, Germany could move towards restricting Apple products.

In practice the window of opportunity to affect the course of this epidemic using technology is weeks or months. That restricts your options to using existing infrastructure; realistically that means working with Apple or Google.

Germany could ban Apple and Google products, but that would leave them nothing to work with.

This is going to raise questions about national security and sovereignty going forward. I suspect this will be a subject of controversy after the pandemic dies down.


Hopefully this will be a conversation about how a government uses a crisis to expand its surveillance powers.


As mentioned above, I think the headline really is a little misleading here... there was a ton of backlash against using a centralised system for this contact-tracing app from the opposition, privacy lobbies, the CCC, universities, researchers, programmers that worked on it, etc., and on top of all of that also from Apple (though I doubt they would've put up much of an opposition if the EU had pushed their own solution and forced Apple to adopt it - can you imagine the backlash Apple would've faced if they denied co-operation for such an app during a pandemic, _had_ that app been the popular app of choice in the EU? It wasn't, however). The way this is reported/seen in Germany is mostly that the government realised it would be difficult for an app to achieve widespread adoption without the support of privacy advocates. For better or worse, those privacy concerns are usually taken fairly seriously!


Agreed. I certainly appreciate Apple's stance on privacy lately, but it doesn't seem reasonable for a corporation (particularly one based in a different country!) to be willing or capable of forcing the government's hand.


Turn it around, does it seem reasonable that an overseas government should be able to force a US company to make changes to their OS and add functionality it was never designed to have?

If Germany really needed it, they could take Apple to court.

I am sure Siemens would be horrified if it was turned around and the US govt started demanding they modify their industrial controllers, famously targeted by Stuxnet, to allow them to be tracked more easily.


> does it seem reasonable that an overseas government should be able to force a US company to make changes to their OS and add functionality it was never designed to have

Yes, it actually does. I certainly don't like the idea of such an action being taken in practice, but isn't dictating that certain arbitrary requirements must be met in order to do business within a jurisdiction kind of a large part of the point of having a government in the first place? What's concerning to me about this case is that end users aren't even capable of opting in at present and that due to the time constraints involved Apple would appear to have a distinct advantage.

Note that the previous (somewhat similar) controversy in the US involving Apple was an issue specifically due to questions about constitutionally protected rights and federal government overreach.


If one fifth of New Yorkers have this isn’t the cat out of the bag? What do we accomplish with contact tracing?


That leaves 4/5ths of NYC still vulnerable. That's a lot of potential hospitalizations and potential deaths. To reach herd immunity you need at least something like 2/3rds of people immune to the virus. Now imagine another 2/5ths of NYC's population becomes infected in a short period of time and what this would mean for the health care system. It more or less was on the brink of collapsing (some would say it actually did collapse for some time) with only 1/5th.

So thinking the worst is over for sure is wishful thinking; and to just resign to "out of the bag" isn't an option either; the worst is only over if we keep at flattening the curve enough to not collapse the system. There are many different parts to it, and one such part might be contact tracking/tracing with an app.

Also, all the talk about herd immunity etc is based on the premise that you actually get a lasting immunity after you had the virus. While it thankfully looks like this may be the case (exceptions like immunocompromised people, apply) - with e.g. blood plasma from cured patients showing good results when given to still severe cases - it isn't certain yet. It could mutate enough (like the flu) and reinfect, or it could "hide" like herpes and hit you full blown when your immune system isn't operating at full capacity. Let's hope not, but let's act at least with that in mind. Contact tracing technology we develop and roll out now may help should there be a second wave.

And yet another also: there have been reports that even after mild progressions some patients end up with damaged lungs, damage that is most likely permanent. So while these reports haven't yet been verified or refuted, I am not a big fan of "just get it and get it over with, if you're young and low risk".


> It could mutate enough (like the flu) and reinfect, or it could "hide" like herpes and hit you full blown when your immune system isn't operating at full capacity.

While not criticizing you directly, I cringe every time I see this reported in the media, and even some TV scientists are not immune from these statements. It is a novel virus, all right. We know almost nothing about it, all right. But it's not a magical Star Trek-like being which does not fit any biological hypothesis.

Other members of the coronavirus family do not exhibit these properties (hiding like the herpes virus that is), so it is at least unlikely that this will happen. And while it can mutate, it will do so at a much lower rate than influenza, which, due to the structure of its RNA, can have plenty of recombination events which cause far more variation.

A nice non technical explanation: https://www.city-journal.org/coronavirus-vaccine


If covid mutates like the flu, every year, this will be the end of the human race within at most half a century, given that the symptoms/damage to our body stay the same regardless of mutations. My take is that our immune system will actually "mutate" as well, so we might be, in a couple of centuries, in the same position as we are now vs. the flu (the mortality rate will be insignificant).


Apologies for my directness, but no way around it: this is completely unhinged.

Humanity has dealt with double-digit-fatal diseases, several of them, for centuries. SARS2 is an ugly bug, but hardly an existential threat to the species.


I said "if", didn't I? Also my prediction is the same as what you said, but in different words.


Had, not have. One fifth of New Yorkers had the virus. (If that study is correct)

In other words, not all of those people that had a virus are currently infectious. Only the people that are currently actively infectious are the ones that need to be traced.


None of this makes any sense to me.

I'm hearing such a wide variety of claims about this virus that I have by default become skeptical of anything that makes a wide-ranging claim. The descriptions range from "highly infectious, potentially causes strokes in otherwise young healthy people" to "highly infectious, young people often display no symptoms at all".

Are there multiple strains of this virus out there in the wild? I don't know of another way to explain what I'm hearing from people that work in virology and in hospitals on the front line.


>The descriptions range from "highly infectious, potentially causes strokes in otherwise young healthy people" to "highly infectious, young people often display no symptoms at all".

Both those things can be true at the same time.

I saw one German doctor (from Charité Berlin I think?) who did over 100 autopsies on TV saying in all cases he had on his table there were preexisting conditions (and the older the more likely you have one or more of those). But he also said that the young and "healthy" people he looked at also had preexisting conditions that usually were never diagnosed before.

This reminded me of a buddy in school, who went for the routine mandatory checkup before the mandatory military service (since been abandoned), a jock-type who seriously considered joining up voluntarily to become a jet fighter pilot, and ended up learning he only had one kidney since birth. Something he never knew or suspected and never had any issue with because he was otherwise young and healthy, but which could come back to bite him when he gets old or when he contracts some serious disease (like this one maybe).


Deaths without comorbidities are relatively rare. Santa Clara's dashboard shows 5% of all deaths. You could ballpark a 1/1000 order of magnitude chance of death from an infection.

In some sense that is pretty high compared to the baseline, but being equal to 10 years of driving isn't apocalyptic.


Why do you think the two statements you quoted are contradictory? The baseline rate of stroke in young adults is very low, so even if the virus dramatically increases one's risk of stroke, it can still be true that the vast majority of infected people in that demographic are completely asymptomatic.


I suppose you're right, in that it's possible that a) coronavirus increases your risk of stroke & because of that we're seeing some young people have strokes that otherwise wouldn't and b) the vast majority of young people are asymptomatic ... but that doesn't really address my broader point, which is that this virus seems to be way worse in some regions and essentially a non-issue in others.


I'm not sure we'll specifically know the answer there for a while, but I haven't seen much in terms of regional variation that seems especially crazy. Most of the places where it's been especially bad are places you'd expect a virus to spread well - major cities with lots of international travelers and high density. Then you overlay the timelines for when various places took serious measures and you get some logic behind why Chicago is doing better than NYC right now.

There's probably a lot of other factors that feed into it - median age, pollution, weather/temperature, potentially genetic/ethnic factors... Even things like the prevalence and use of public transit. It's a lot harder to get/spread the virus in LA where most people drive private cars to everything than in NYC where a lot of people spend an hour or more every day in crowded subway trains/stations.

Working out exactly what contributed to the real-world outcomes we're seeing is something we'll probably only be able to guess at, but nothing I've seen so far feels inexplicable.


This site shows all the strains that have been identified. From what I understand though, the mutations are minor and symptoms shouldn't differ much.

https://nextstrain.org/ncov/global


Yeah, I think the variation there doesn't amount to different strains even, at least not in the sense that people tend to mean it.


You can follow Bob Wachter, chairman of the UCSF Department of Medicine

One of probably a dozen panel discussions on COVID19 he's hosted so far.

UCSF Experts on the Epidemiology, Science, & Clinical Manifestations of COVID-19, and UCSF Response

https://www.youtube.com/watch?v=bt-BzEve46Y


Even once three fifths of New Yorkers have had it, there'll be a potential for significant local outbreaks that this kind of tool can help suppress. (In particular, we definitely want a way to keep the virus out of nursing homes without just saying nobody's allowed in.)


I think it's the case that if you can get everyone in NY to completely isolate for a couple of months then the number of New Yorkers who are carriers can decline to a point where contact tracing makes sense.


I am still not sold for NY. If you commute daily with the metro and test positive, even going back only one week, you are going to trigger hundreds of previous contacts (people in the same car in the train, on the platform, people you crossed walking in a tunnel, etc). Basically the average New Yorker may end up having to get tested several times a week.

I think it makes more sense when the density of contacts is less extreme.


But you can't get everyone in NYC to completely isolate for a couple months. Millions of people in NY are still going to work every day just to keep the lights on and the food stores stocked.


Increasing the odds that my very-productive 82-year-old colleague can keep thriving for another twenty years?

If there is no vaccine, or if the vaccine isn't very good, social-distancing and contact-tracing is the only way to win.

One fifth of the global population doesn't yet have it. Like many people around the world are undoubtedly experiencing, an elderly relative died yesterday from Covid-19 in New York. I doubt she will be the last.


> If there is no vaccine, or if the vaccine isn't very good, social-distancing and contact-tracing is the only way to win.

I know I sound like a broken record every time I say this on HN... but why does no one think of pharmacological treatment? The first wave of (small) trials will end this June.


I'm moderately optimistic that plasma transfusions will help reduce the death toll, but evidence is mounting that even "mild" cases can leave the patients with severe lung damage. Having the contact data ready to start treatment earlier might help with that too.


I meant something far more aggressive towards disease treatment, from the repurposed drugs (which a few here say don't work, but I'm waiting for the results of the trials), then the specific ones like antibodies, soluble ACE2 receptors, and others.

Plus I'm confident that the anti-inflammation drugs being tested can help with lung tissue damage.


I'm no pharmacologist but I think we would be extremely lucky if one of existing antivirals also works here. I don't think that antibody drugs will be an important tool. They're extremely hard to manufacture (and hence very expensive). I don't think we could satisfy demand.

It would be great though if one of those studies found an effective drug!


> I'm no pharmacologist but I think we would be extremely lucky if one of existing antivirals also works here.

Even if the results are bad, it also depends on what they were used for, since the little evidence we have tells us that the sooner we act, the better.

Example: ritonavir was a letdown, but even in the NEJM paper the limitations of the study mention that the trial was done on people with rather severe symptoms. At this point it was probably too late to make a dent in the infection.

The data on remdesivir (which came from two trials suspended due to lack of enrollment, so no statistical power) showed an almost-identical mortality between the two groups, but I'd argue that those (at least one of them was) were done on patients in severe conditions, so once again late.

Later trials which are ongoing are hopefully better designed (NIH's for remdesivir at least; Gilead's don't use a placebo IIRC) and will get us answers. IMO, even a small improvement in hospitalization rate would be a huge win for the ICUs.

That said, remdesivir is i.v., so this limits applicability to hospitals.


>If there is no vaccine, or if the vaccine isn't very good, social-distancing and contact-tracing is the only way to win.

Why is herd immunity not a "way we win"?

edit: Ah, yes, concern about the time to get there. Well, let's hope that happens quicker than expected (has any study not shown this?) because from where I'm sitting it looks like lock down is ending.


Because a lot of people will be dead by the time we get to ~70% immunity.


And the huge number of severe cases will overwhelm health care systems by an order of magnitude, risking the lives of other people who will need medical care to survive.


As I understand it, the healthy majority would get the immunity while continuing to isolate the at risk groups.


The "at risk" groups include a sizable percent of the US population, and isolating all of their first degree daily contacts alone is likely impossible.

Hospice patients, and the hospice workers.

People already in treatment, and the healthcare professionals providing them with care.

People who smoke, have diabetes, a heart condition, or are immune compromised, and so on, and everyone they know.

This has got to be millions and millions of people, and this isolation will be extraordinarily porous. Those folks have friends and family too, they will slip up, exposing their contacts and then the virus is on the other side of a firewall. And we've seen how quickly the virus spreads in isolated groups!


Which is not very realistic as a possibility given the number of people that fall into the at risk groups. It sounds simple in theory but seems very unlikely to be something workable in practice.


It's impossible to isolate only the at risk group. That's like 30% of the population. Also, there is growing evidence that even mild cases can leave more or less permanent damage.


Big IF we ever reach those numbers at all. (!)


The path to herd immunity includes a lot of death.


What’s your source on that? As I understand it, Sweden is almost there.


Uh... from what do you understand that? Sweden isn't even close. Their deaths/case ratio isn't too far off from New York. We have reasonably good evidence now that New York is maybe 30-50% of the way to herd immunity (plus or minus a factor of two or so).

New York has six times the per capita deaths that Sweden does. Just extrapolating and multiplying their current number by 3x6==18, that's about 35000 dead Swedes until they get to herd immunity.

I genuinely don't understand the alternative world some people live in where Sweden has already beaten this. Their current curve is about 3 weeks behind most of Europe, largely due to the lack of lockdown that allowed the early outbreak to spread for longer.



That's a statement from a politician, not a scientific result. He's not predicting "almost there", he says they "could" reach herd immunity within a month. And that 30% with immunity number quoted is wildly off from the actual research already done on this stuff in Italy and New York. In fact the back of my envelope tells me that it requires an even higher asymptomatic undercount than even the Stanford study did.

This isn't evidence. You're reading spin. The article even tells you that.


Almost to herd immunity? No. They're at less than 1% infected (like most places), with more deaths per capita than the US despite a younger, healthier population.



That’s a political answer to a question they’ve staked their political future on. Let’s wait for actual scientific evidence before accepting it.


I read The Model Thinker some time last year. It includes a chapter on the SIR model used in epidemiology. The book states the basic mathematical model for working out how much of the population needs to be immune before 'herd immunity' is achieved is (R0 - 1)/R0.

I have heard R0 estimated around 4. So, technically you would need 3/4 of the population to be immune. The result of this being that R_t drops below 1 thus no longer becomes an epidemic and eventually either disappears or becomes seasonal.


They'd rather not (and I agree) have the accompanying death toll that comes with getting to herd immunity by having lots of people get infected.

(we also get the benefits of herd immunity if enough people get an effective vaccine)


Personally, I think we're going to look back at this very differently than how it looks right now. If the studies showing the number of people that had it and built immunity without ever showing symptoms are correct, well, it'll be interesting to see what happens next time this comes up.

But, that's the larger point I think... Next time.

Let's say this ends up being way better than anyone modeled, it's great practice for a virus that actually has a 5%, or 10%, or etc fatality rate.


> If the studies showing the number of people that had it and built immunity without ever showing symptoms are correct

They're not.

The NY study is the only one measuring a positive rate much higher than the false positive rates of the tests, and it is consistent with about a 1% infection fatality rate.


Something I don't understand about this approach - if location data is not tracked/included, only contacts, then don't you have to download all the tokens for every person who tests positive in the world? Then even if it is optimized with location data, and I can only download tokens for people in my area, that will be 1000s of people a day multiplied by all of their tokens over whatever period of time.

Either I'm misunderstanding something or it has just been decided that downloading many MBs a day is not a dealbreaker.


You're forgetting time of infection.

You only need to download tokens for people who tested positive in the recent past (14 days - assuming you're not infected, any contact before that couldn't have infected you.)

While that's likely still a lot of data in areas with large daily case counts, at least it won't keep growing indefinitely.

BTW it's one token per day per person, to improve privacy. When someone tests positive, their tokens for the last 14 days are published.


To put some numbers to this: If you're living in a city with 10,000 new cases a day, with each case publishing 14 keys and each key being 16 bytes, it's a 2.2MB download a day (assuming incremental downloads).

When you first install the app you might have to download all keys from the last 14 days, which would be about 15 MB.


My understanding is that this is even feasible without location information if you use an approximate filter (e.g., a Cuckoo Filter [1]), which they propose in DP-3T (II).

With 20 bits/key such filters yield a false positive rate (FPR) of 0.001%. Meaning for 100,000 new cases per day worldwide, you would only need to download 0.24 MiB.

Note that the FPR applies to each lookup. That is, if you have collected say 100 tokens on a given day, the overall probability of a false positive will be 0.01% (assuming independence). With each extra bit per key you can roughly halve that probability. So in practice size won't be an issue.

[1] https://www.cs.cmu.edu/~dga/papers/cuckoo-conext2014.pdf
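The size and false-positive trade-off discussed in the two posts above (the plain 14-keys-per-case download, and the DP-3T (II) approximate-filter alternative), as an added Python example that is my own illustration and not DP-3T's code: a minimal partial-key cuckoo filter with SHA-256 standing in for the hash functions, four-slot buckets and a 90% build occupancy are assumptions, and the published tokens are constructed random values.

```python
"""Added example: shipping positive-case tokens as a cuckoo filter.

A phone holding the tokens it heard over Bluetooth can check them against either
the full list of published 16-byte tokens or a compact approximate filter built
from that list, as DP-3T design II proposes. The filter trades a small, tunable
false-positive rate for a much smaller download.
"""
import hashlib
import random
from typing import List

TOKEN_BYTES = 16
BUCKET_SIZE = 4          # assumed: four fingerprints per bucket


def _h64(data: bytes) -> int:
    """64-bit hash for indexing and fingerprints (SHA-256, truncated)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


class CuckooFilter:
    """Minimal partial-key cuckoo filter: set membership with no false negatives."""

    def __init__(self, capacity: int, fingerprint_bits: int = 20,
                 max_kicks: int = 500, seed: int = 0):
        self.fp_bits = fingerprint_bits
        self.fp_mask = (1 << fingerprint_bits) - 1
        self.max_kicks = max_kicks
        self.rng = random.Random(seed)        # eviction choices only; not security-relevant
        needed = -(-capacity // BUCKET_SIZE)  # ceil(capacity / BUCKET_SIZE)
        # power of two so that the XOR-derived alternate index stays in range
        self.num_buckets = 1 << max(needed - 1, 0).bit_length()
        self.buckets: List[List[int]] = [[] for _ in range(self.num_buckets)]

    def _fingerprint(self, item: bytes) -> int:
        fp = _h64(b"fp|" + item) & self.fp_mask
        return fp or 1                        # never 0, so buckets can be plain lists

    def _index1(self, item: bytes) -> int:
        return _h64(b"idx|" + item) % self.num_buckets

    def _index2(self, index: int, fp: int) -> int:
        # The alternate bucket depends only on (index, fingerprint), so an evicted
        # fingerprint can be relocated without knowing the original item.
        return (index ^ _h64(fp.to_bytes(8, "big"))) % self.num_buckets

    def insert(self, item: bytes) -> bool:
        fp = self._fingerprint(item)
        i1 = self._index1(item)
        i2 = self._index2(i1, fp)
        for i in (i1, i2):
            if len(self.buckets[i]) < BUCKET_SIZE:
                self.buckets[i].append(fp)
                return True
        i = self.rng.choice((i1, i2))         # both full: kick fingerprints around
        for _ in range(self.max_kicks):
            j = self.rng.randrange(BUCKET_SIZE)
            fp, self.buckets[i][j] = self.buckets[i][j], fp
            i = self._index2(i, fp)
            if len(self.buckets[i]) < BUCKET_SIZE:
                self.buckets[i].append(fp)
                return True
        return False                          # too full; a server would rebuild larger

    def contains(self, item: bytes) -> bool:
        fp = self._fingerprint(item)
        i1 = self._index1(item)
        return fp in self.buckets[i1] or fp in self.buckets[self._index2(i1, fp)]

    def size_bytes(self) -> int:
        """Serialized size if every slot carries exactly fp_bits bits."""
        return self.num_buckets * BUCKET_SIZE * self.fp_bits // 8


def plain_list_bytes(cases_per_day: int, keys_per_case: int = 14) -> int:
    """Download size when the server ships every published 16-byte key."""
    return cases_per_day * keys_per_case * TOKEN_BYTES


def daily_false_positive_probability(per_lookup_fpr: float, lookups: int) -> float:
    """P(at least one false alarm) when a phone checks `lookups` independent tokens."""
    return 1.0 - (1.0 - per_lookup_fpr) ** lookups


def constructed_tokens(n: int, seed: int) -> List[bytes]:
    """Constructed stand-in for published tokens (random 16-byte values)."""
    rng = random.Random(seed)
    return [rng.getrandbits(8 * TOKEN_BYTES).to_bytes(TOKEN_BYTES, "big") for _ in range(n)]


def build_filter(tokens: List[bytes], fingerprint_bits: int = 20) -> CuckooFilter:
    """Build at about 90% occupancy so insertion does not fail in this demo."""
    cf = CuckooFilter(capacity=int(len(tokens) / 0.9) + 1, fingerprint_bits=fingerprint_bits)
    for t in tokens:
        if not cf.insert(t):
            raise RuntimeError("filter overflowed; rebuild with more capacity")
    return cf


def false_positive_count(cf: CuckooFilter, probes: List[bytes]) -> int:
    """How many never-inserted tokens the filter wrongly reports as present."""
    return sum(1 for p in probes if cf.contains(p))


if __name__ == "__main__":
    published = constructed_tokens(1000, seed=1)   # constructed: today's positive tokens
    cf = build_filter(published)
    print("plain list, 10k cases/day:", plain_list_bytes(10_000), "bytes")
    print("filter vs list for 1000 tokens:", cf.size_bytes(), "vs", 1000 * TOKEN_BYTES)
    print("false positives on 100 heard tokens:", false_positive_count(cf, constructed_tokens(100, 2)))
    print("P(false alarm/day), 100 lookups at 0.001%:", daily_false_positive_probability(1e-5, 100))
```

With 20-bit fingerprints and two four-slot buckets per lookup the per-lookup false-positive rate is about 8/2^20, the same order as the 0.001% quoted above, and the aggregate per-day figure grows roughly linearly with the number of tokens checked.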


Probably don't need 16 byte keys, either. If you live in an area under 4 billion people you are unlikely to have any key collisions (for any given day) with a mere 8 bytes. If you can tolerate some probability of false positives, or have fewer than 4 billion people in your meta-region, shorter than 8 bytes is feasible.

16 -> 8 halves those data figures; diminishing returns from there, but it is possible to reduce the data use further (slightly).


2.2 * 30 + 15 = 81MB

For people with 200MB & 500MB data caps (which is a surprisingly large number of people), this is a significant amount of their data allowance.

These are likely to be people that are still required to go out into the world and work, so are still using their data instead of wifi, and thus higher risk.

It's easy to forget when you're on 10GB+ data plans for years just how many people are not.


That's assuming you're never connected to wifi within those 30 days. The apps could either let you choose to only download the list while on wifi, or it'll probably download the list in the middle of the night when it's reasonable to assume most people are at home near wifi.


I understand that people with a data cap of a few GB and no Wi-Fi could end up being unable to download the tokens before the end of the month. For example a friend of mine stopped showing up in video calls with a group of friends because she's saving her GBs for the video calls she has to do for work. She should be spending a few Euros more per month but it's easy to wish with the money of other people.


DP3T is exploring various options for this, smallest daily proposal currently being 5MB, bigger picture download around 100MB. Worst case mobile providers could always be compelled to exempt this from data usage. That aspect seems pretty solved.


I think your phone collects tokens from other phones that you come near. So your phone only needs to take the few hundred / thousand tokens it has and ping the server with them to see if any of them have advertised that they are a positive result.


Ah, my understanding is that it doesn’t do this; that is, you don’t upload tokens you’ve seen, otherwise there would be a privacy issue.
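The local matching described in the comment above (tokens you heard are never uploaded; a positive case publishes only its recent daily keys), as an added Python example that is my own illustration and not Apple, Google or DP-3T code: every phone derives a fresh broadcast token per time slot from a per-day key with HMAC-SHA256 and re-derives tokens from published keys to intersect with what it heard. The 15-minute slot count, the HMAC label, the 14-day window and the seeded key generation are assumptions.

```python
"""Added example: decentralised exposure matching with derived tokens.

A per-day key yields many short-lived broadcast tokens (unlinkable to a listener),
but a positive case publishes just the keys, so the download stays small and the
matching runs entirely on the receiving phone.
"""
import hashlib
import hmac
import random
from typing import Dict, List, Set, Tuple

TOKEN_BYTES = 16
INTERVALS_PER_DAY = 96           # assumed: one fresh token per 15-minute slot
RETENTION_DAYS = 14              # only keys from the last 14 days are ever published
_LABEL = b"ADDED-EXAMPLE-TOKEN"  # domain-separation label; illustrative, not a spec constant


def derive_token(daily_key: bytes, interval: int) -> bytes:
    """Broadcast token for one slot: HMAC-SHA256(daily_key, label || slot), truncated."""
    msg = _LABEL + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:TOKEN_BYTES]


def tokens_for_key(daily_key: bytes) -> List[bytes]:
    """Every token a key can produce in a day; what a receiver recomputes after a publication."""
    return [derive_token(daily_key, i) for i in range(INTERVALS_PER_DAY)]


class Phone:
    def __init__(self, name: str, seed: int):
        self.name = name
        self._rng = random.Random(seed)      # constructed for reproducibility; a device uses a CSPRNG
        self.daily_keys: Dict[int, bytes] = {}
        self.observed: Set[bytes] = set()    # tokens heard over Bluetooth; never uploaded

    def daily_key(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = self._rng.getrandbits(8 * TOKEN_BYTES).to_bytes(TOKEN_BYTES, "big")
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return derive_token(self.daily_key(day), interval)

    def hear(self, token: bytes) -> None:
        self.observed.add(token)

    def report_positive(self, today: int) -> List[Tuple[int, bytes]]:
        """Upload only (day, key) pairs inside the retention window; no contact data."""
        return [(d, k) for d, k in sorted(self.daily_keys.items())
                if today - RETENTION_DAYS < d <= today]

    def check_exposure(self, published: List[Tuple[int, bytes]]) -> List[int]:
        """Days on which this phone heard a token now attributable to a positive case."""
        return sorted({day for day, key in published
                       if any(t in self.observed for t in tokens_for_key(key))})


def simulate() -> Tuple[List[int], List[int], int]:
    """Constructed scenario: Alice meets Bob on day 3, never meets Carol, tests positive day 9."""
    alice, bob, carol = Phone("alice", 1), Phone("bob", 2), Phone("carol", 3)
    for interval in (40, 41, 42):                 # three consecutive slots in proximity
        bob.hear(alice.broadcast(3, interval))
        alice.hear(bob.broadcast(3, interval))
    for day in range(1, 10):                      # Alice's phone has a key for every day
        alice.daily_key(day)
    published = alice.report_positive(today=9)    # the only thing that reaches the server
    return bob.check_exposure(published), carol.check_exposure(published), len(published)


if __name__ == "__main__":
    bob_days, carol_days, n_keys = simulate()
    print("keys published:", n_keys, "->", n_keys * TOKEN_BYTES, "bytes")
    print("Bob exposed on days:", bob_days)       # [3]
    print("Carol exposed on days:", carol_days)   # []
```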


Even decentralized, there always will be a central authority in the system that you will have to trust to not misbehave in the future.

The other issue is that contact tracing (decentralized or not) is exploitable. In Korea, people sometimes figured out who is infected or not, and those people are now socially bashed on the internet.

There are many scenarios where contact tracing can be abused: for example, anyone from outside your house can now know if there is someone inside. Handy for thieves.

French academics did set up a nice website with a list of those scenarios, but it's only available in French : https://risques-tracage.fr/

The actual debate is not decentralized/centralized, it's "should we allow contact tracing or ban it?"


> The actual debate is not decentralized/centralized, it's "should we allow contact tracing or ban it?"

Did you mean "digital contact tracing" there? Contact tracing itself is a necessary tool when dealing with a pandemic and I really do not see anybody arguing against that. Of course there's a lot of trade-offs and questions like voluntary/mandatory, usage restrictions, etc. but I feel like decentralized vs. centralized debate was a good first discussion to have in a democracy.


> Contact tracing itself is a necessary tool when dealing with a pandemic and I really do not see anybody arguing against that.

Humanity got where we are today (still alive and growing) without digital contact tracing. So, no, this is not a "necessary" tool.

I wish the link I posted above was available in English too, because they analyzed a few scenarios that show how digital contact tracing can be exploited by anyone, not just techie people.

I would rather be a partisan of investing our money in technologies that heal and strengthen our bodies. At least regenerating and healing the body could help with many other diseases.


GP literally explained that "contact tracing" and "digital contact tracing" are two different things...

He said "contact tracing" is necessary.


Is there a good discussion anywhere of the anticipated impact on efficacy of various choices around privacy here? A simple toy model for the fraction of infection chains stopped might be something like

fraction stopped = (usage fraction in population)^2 * (fraction of infections recorded as contacts) * (fraction of detected contacts who follow up correctly)

That's obviously a massive oversimplification; for example, real population dynamics don't give full random mixing between all members of the population. But every factor there is potentially depressed because of opt-in and anonymity: the first obviously so, the third because people are less likely to follow up correctly if there's no consequence for not doing so, and the second because it will be impossible to tune the detection parameters without any data to work from. In that — again oversimplified — model, if you get 50% of the population using the app (compared to 80% smartphone usage in western Europe), it detects 80% of transmissions and (say) 50% of people follow up correctly before themselves passing the disease on, you end up with 10% of infection chains traced. That doesn't seem like it's going to have a big impact.

So assuming that model's not wildly wrong — which it could be; again, I'm really looking for a link to an expert discussion of this — I can see a few possibilities:

* Digital contact tracing doesn't have much impact on our ability to control the virus

* Governments seek to outsource the privacy-invasion needed to companies by e.g. requiring evidence that people are using the contact tracing software and have followed up on potential transmission events before allowing people to buy food etc.

* Ineffective opt-in contact tracing and a second wave of pandemic deaths/lockdown is used to bounce people into accepting the need for mandatory, non-anonymous contact tracing with fewer privacy concessions than you'd get right now.

To be clear I'm very concerned with the idea of governments and in particular the current UK government having access to non-anonymised contact data; it's already being run by someone who considers population-level manipulation using data science and social media to be his core skillset. But I'd also like to understand what tradeoffs are being made in terms of disease control.


While of course a valid question I feel like some of your assumptions might have a different impact in reality. For Germany "50% of people follow up correctly" for example seems unrealistic due to a few factors:

- The proposed centralized solution would have to rely on malice to easily identify people that did not follow up correctly since there was no means to do that in it. The only upside you would have had was more trivial means for data collection on population scale to validate random epidemiological models and validate follow up.

- 50% of people failing to follow up correctly seems like an unreasonably low number given that it's not that different from breaking quarantine with the existing process and there's few enough cases of that to still garner high profile media attention here.

- Even if 50% wrong behaviour was a correct assumption, that would be a slippery slope in most models. If you lose, say, 10% of the overall population because it's allergic to the historical and privacy implications of the system design, misbehaviour of 50% of people left using it can be pretty irrelevant.

- AFAIR adoption in Singapore, which is often used as a reason to use this model in the first place, so far has not been anywhere close to the 50% of 80% of phone users. Many people seem to suggest looking at WhatsApp's growth rates for realistic adoption time frames.

Fraser et al have a few general articles and calculated through scenarios on the matter that might be interesting, maybe you get something out of those:

https://science.sciencemag.org/content/early/2020/04/09/scie...

https://045.medsci.ox.ac.uk/files/files/report-effective-app...

Many discussions w.r.t. the epidemiological impact of these trade-offs at the moment seem anecdotal because they lack proper validation. I do not think any of them so far directly address the one you are looking at here.


> https://045.medsci.ox.ac.uk/files/files/report-effective-app...

This is pretty much what I was looking for, thanks. So in their model you need 80% of smartphone users (56% of the population) to opt in to the contact tracing for it to be effective. But iiuc they also assume what — to me — looks like a really high compliance rate; it assumes that people self-isolate for up to two weeks with 2% daily drop-out rate. That seems fine for people with trivial WFH jobs, or those in industries with good job protections, but pretty unlikely for people whose choice is between ignoring the guidelines and losing their income. I imagine with the excuse of "the whole country is in lockdown" gone, employers will be less tolerant of absence, even if — as in the models — it can be a significant fraction of the country in self-isolation at any time.


> "50% of people follow up correctly" for example seems unrealistic due to a few factors

My assumption was that if the R0 is 3-5, that's small compared to the total number of contacts over the infectious period. That means that the false positive rate is going to be rather high. Given a high false positive rate and some inconvenience with following up, needing to go get tested or go into isolation, either of which mean taking time off work at short notice, people will "take a chance" more often than you'd like and delay getting tested until there are symptoms. But certainly it's not a confident estimate.

Also, Germany is likely culturally different, but opt-in social distancing / lockdown lasted fully 3 days in the UK before it became clear that it wasn't going to have the necessary effecity. I can imagine the same thing for compliance with contact tracing recommendations.

> The proposed centralized solution would have to rely on malice to easily identify people that did not follow up correctly since there was no means to do that in it

Right, but this is (aiui) different to the systems in countries like South Korea which use location tracking to ensure that you don't break quarantine. It's a point in the possibility space that must be considered to understand tradeoffs.

> AFAIR adoption in Singapore, which is often used as a reason to use this model in the first place, so far has not been anywhere close to the 50% of 80% of phone users. Many people seem to suggest looking at WhatsApps growth rates for realistic adoption time frames.

You'd hope a massive public information campaign could speed up uptake here. I think I've heard that whatsapp is on 75% of devices in Germany (but I haven't verified that number) which if you assume 80% of the population owning a smartphone, leads to 60% of the population opting in. So that doesn't change the results of the toy model too much (if it was 75% of the population rather than 75% of smartphone owners, that would roughly double the fraction of infection chains terminated compared to the 50% assumption).

These numbers still seem pretty low to me, but again I've got precisely zero expertise here.

> Fraser et al have a few general articles and calculated through scenarios on the matter that might be interesting, maybe you get something out of those

Thanks! I'll read those.

> Many discussions w.r.t. the epidemiological impact of these trade-offs at the moment seem anecdotal because they lack proper validation.

That's worrying. I think there's a possibility here that we're in the zone where privacy-preserving contact tracing has too low efficacy to be significant in saving lives, but solutions that are mandatory and come with enforcement are effective. If that turns out to be true, there's a clear tradeoff between individual privacy and saving lives / rescuing countries from economic ruin. If I were the sort of person who wanted to significantly change the narrative around privacy to make it look unacceptably selfish, this might be the sort of crisis I'd see as an opportunity. And given that this is less information than Google and Apple can access as a matter of course, constructing the narrative that it should be shared with the health service is easy, if people go that way.

I hope there are people thinking about the case where there's popular support for the tracking being mandatory and non-anonymous, so that there can be proper legal — rather than technical — safeguards to ensure the data is only used for its intended purpose and is destroyed promptly when it's no longer useful for that purpose. The optimistic point of view is that this process will give us the ability to shape the future of privacy regulation so that we accept that some entities (Google, Facebook, maybe the Government) have more personal data than we're comfortable with, but there are stronger controls on how long that data can last and what it can be used for.


> opt-in social distancing / lockdown lasted fully 3 days in the UK before it became clear that it wasn't going to have the necessary effecity.

Citation?


https://en.wikipedia.org/wiki/2020_coronavirus_pandemic_in_t...

On March 16th there was a request to avoid "non-essential travel and contact with others", on March 20th pubs and restaurants were forcibly closed, and by the 23rd the restrictions on movement were being put into law.

The three-day period I was thinking of was the 20th-23rd; the number of people out and about on the weekend of 21st/22nd was widely reported as the reason for the stricter rules the following Monday e.g. https://www.theguardian.com/world/2020/mar/23/boris-johnson-...

If, however, you mean "what's the proof that people were ignoring the pre-lockdown restrictions in sufficient numbers to make the stricter provisions necessary", all I can do is point out that the people with the best access to that data did choose to require the stricter provisions in response to what they saw. For more you're going to have to wait for the inevitable public enquiry (and I am deeply, deeply uninterested in having a discussion about whether lockdowns are the only or most effective policy here).


> effecity

Is that a thing/word?


Efficacy. Can't spell it and made a typo :)


Do any of the custom-built apps work reasonably well? I know that the last time I touched Bluetooth on phones (long ago) the stacks were so buggy that getting different devices to communicate reliably was next to impossible. It would work for some devices, but cause issues with others etc.

I would expect that any custom solution would be implemented by one of the few contractors experienced in dealing with the local bureaucracy, and would thus suffer from a lack of experience in dealing with Bluetooth and all the undocumented quirks.

I wonder if that played into the decision.


> Centralised apps would not work properly on Apple’s iPhone because, for Bluetooth exchanges to happen, the device would need to be unlocked with the app running in the foreground - a drain on the battery and an inconvenience to the user.

This is bullshit plain and simple.

This is a political decision.


Why are governments trying to come up with their own? Why can’t they legislate around the protocol instead? Standardizing on the protocol saves a lot of time in the current situation.


> Why are governments trying to come up with their own?

Governments contain no shortage of people interested in personal glory


How does one enable this on an iPhone or Android phone? Directly related, how does one ensure this never gets turned on? Disable Bluetooth?


https://covid19-static.cdn-apple.com/applications/covid19/cu...

Section 4, "How will the system protect user privacy and security?", bullet one:

> Each user will have to make an explicit choice to turn on the technology. It can also be turned off by the user at any time.

> Can I turn it off? Yes. The choice to use this technology rests with the user, and he or she can turn it off at any time by uninstalling the contact tracing application or turning off exposure notification in Settings.


Nothing short of a Faraday cage is going to work if your threat model is that Apple turns it on against your will. (I guess in principle you could find and physically destroy the Bluetooth receiver.)


If that’s your threat model, stop carrying a smartphone.


There are several options for a Faraday cage for your phone.

For example this https://silent-pocket.com/


Maybe some kind of device that corrupts Bluetooth signal frequencies


Signal jamming is illegal and will get you a conversation with the FCC, and more importantly, you're just being a dick to everyone else on the 2.4GHz band.


I don't disagree and wouldn't do this myself


It is kind of ironic that a country priding itself on data privacy was pushing for a very centralized data collection, while the "evil Apple" was pushing for a more decentralized and privacy-preserving approach.


I'm sort of divided on this. It's a better safer approach. But all of our movements and who we spend time with are already being tracked and have been for decades so why the pretence? Why are we reinventing this wheel, just have the NSA open their files.


Are codes broadcast without any uniquely identifying "bluetooth address", or something to that effect?


The codes are 16 byte (ie 128 bit) numbers that are cryptographically derived from your daily tracing key. Of course all use of Bluetooth will reveal your MAC address, but this privacy concern already existed and is why many devices now rotate a randomly generated MAC address periodically.

(https://covid19-static.cdn-apple.com/applications/covid19/cu...)


My understanding is that the "codes" are randomly generated stuff, not based on any of the phone parameters. In which case you don't need any address. However, I am curious about collisions. The same stuff happened 25+ years ago with the famous Pentium bug. Intel was something like "this bug will happen only one time in 10 thousand years", except they considered those 10 thousand years happening under lab conditions, while in production it hit so hard, due to all the software that used it intensively, like AutoCad, that it actually happened per hour. The result was so disastrous for calculations for entire teams that were doing architecture or naval shipping research that in the end Intel issued a full recall on the entire chip line.


These are 128-bit cryptographically secure numbers that rely on thoroughly battle tested primitives. There is absolutely no way a compliant implementation would generate a noticeable number of collisions unless the underlying keys themselves were the same.

(And I would certainly expect that Apple and Google are capable of generating the underlying keys in a cryptographically secure manner.)


"These are 128-bit cryptographically secure numbers that rely on thoroughly battle tested primitives".

Oh, wow! So that's like 128 / 8 => 16 bytes? As in 16 ASCII characters? And what crypto has to do with them anyway in this context? Do explain please, I'd love to hear that. And also tell me about those primitives as well, I really need to hear their names.

If dang hadn't already warned me in the past not to feed the trolls I'd say that you're full of "you know what", but since he did I'll just stop here.


That governments are taking advantage of the COVID-19 crisis to effectively 'mandate' tracking is about as sinister as it gets. Governments are playing on people's fears to overcome privacy concerns that they would otherwise have in normal circumstances; moreover, they're making it appear both normal and reasonable to be tracked.

I rarely take my phone with me when I'm out and about and this has been the norm with me for years. I wonder how long it will be before I'm stopped in the street by police who'll ask me to present my phone for compliance inspection and when I report that I don't have it with me then I'll be fined.

To avoid tracking, some people I know take a different approach which is to turn Airplane Mode on until they actually want to make a call. I wonder how long it will be before Airplane Mode in phones is disabled by mandate.

I can foresee a time in the not-too-distant future when someone who doesn't want to own or use a phone will actually be mandated to do so by law. When that time arrives then we'll know that...

..."We've won victory over ourselves. We will have learned to love Big Brother."


"To avoid tracking, some people I know take a different approach which is to turn Airplane Mode on until they actually want to make a call. I wonder how long it will be before Airplane Mode in phones is disabled by mandate."

Carry your phone in a container made out of conductive material and while the phone is in it you won't be tracked by it.

Of course, all bets are off when you take it out.

Even simpler solution: turn off your phone and maybe take out your phone's battery (if you're lucky enough to have a phone with a removable battery) when not using it.


> Carry your phone in a container made out of conductive material and while the phone is in it you won't be tracked by it.

If your threat model is a tyrannical government, what's preventing them from making it an offense to not carry a phone or otherwise interfere with the contact tracing system?


Public perception of overreach operates on most governments no matter how authoritarian. Singapore is pretty far towards authoritarianism, and even they haven't made their contact tracing app mandatory. (China admittedly has.)


China has what most nations lack: a citizenry that already agrees philosophically (on average) that government authority should be deferred to because it is part of the natural order of things.


Right, I'm aware of having an effective Faraday cage around one's phone if one wants to shield it against the ingress and egress of RF energy. Unfortunately, in some areas (and that includes around where I live) that can be problematic. Unless the shield is very effective it can leak sufficient RF to still function. Leaky shields that I didn't expect to leak included containers like used sweets tins where the tin-plated top completely overlaps the (tin-plated) base. It seems that with a good line-of-sight to the tower and using frequencies upward of 800MHz that any slight oxidation of the tin allows RF to leak inside the container.

I'm not sure why these seemingly nearly perfect Faraday containers can be that leaky but they can be—often to the extent that the phone is able to 'dial home' to the tower. Also keep in mind that tin oxides can be both conductive and semi-conducting, which means that intermodulation is likely to occur around the edges of the lid (remember, tin oxide is unusual in that it is both conductive and essentially transparent which counts for why it's used as electrodes in vidicon and image orthicon camera tubes). Perhaps the problem was that if any oxide was present then it was unlikely to be visible (but solving that matter is for another time).

Anyway, I didn't research the problem in depth—as it was more a nuisance than a curiosity. A short while ago I spent a considerable amount of time rooting various Android phones and I didn't want them to call home before I'd finished (as I couldn't get a completely clean install) and it turned out that the leakage problem was significant—and a damn nuisance. To solve the problem with several of the phones, I resorted to opening them up and shorting out the IC pins that lead to the antenna.

As you mentioned, there's another problem with carrying a switched-on phone around in a Faraday cage and that's gaining physical access to the phone before it connects to the cell tower. For example, you may want to switch it to Airplane mode before any connection with the cell tower is established but essentially it's impractical to attempt it unless you are also completely within another much larger Faraday cage.

The fact that these days most phones have non-removable batteries is a first-class damn nuisance to say the least. I have some cheapie phones I use for testing and they have removable batteries and that's invaluable but it's not so with the high performance ones.

In this regard, the best phones I've ever owned were the old Nokia ones that used the three different sizes of detachable batteries (small, medium and large). One could remove the battery in an instant by just pushing the button on the back of the battery nudging slightly until its contacts parted with the phone. This instant detach feature was especially useful if say you were in a meeting and had forgotten to silence your phone—the instant it rang you'd reach into your pocket and voilà the battery and phone had parted company.

What's so annoying these days is that manufacturers don't consider such features as important (or more likely they consider them undesirable, as during a disconnection you'd likely lose some of that spy data that Google so eagerly collects (now we can't have that happen, can we?)).


> Germany as recently as Friday backed a centralised standard called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), which would have needed Apple in particular to change the settings on its iPhones.

The phones in question are not Apple’s phones. Those phones, and their settings, belong to the end user. They paid for them.


Except that the users themselves aren't permitted by Apple in all their benevolence to grant an app the necessary permissions on a device which they supposedly own!

Of course users willingly made the choice to purchase such a device in the first place, though I'm not at all convinced that most understood the tradeoffs they were making. To say that my feelings about the current situation are conflicted would be an understatement.


> When Apple refused to budge there was no alternative but to change course, said a senior government source.

Shutting down every Apple office in the EU seems like a pretty good idea, oh and confiscating all Apple products, designs and patents..... Look, let's be positive and assume that the reason Germany backed down is because actually Apple's approach is better and they were convinced by the explanations of why a centralised approach is wrong. Because the other explanation - that European countries are scared of Apple - doesn't stand up to scrutiny.


There was a big backlash in the last days in Germany over the intended central server solution favored before. More than 300 experts and groups warned about privacy implications.

It seems mentioning Apple in this regard is more used to not completely lose face for the German government and the Helmholtz Institute that favored and developed the centralized version over the decentralized one. Please don't fall victim and paint Apple & Google as the bad boys here. It would be a horrible idea for governments to force them to implement a centralized protocol.


Germany’s historical experience with centralized databases (using IBM tech) means that there are very good reasons to be skeptical of a centralized approach that could conceivably allow a government to spy on or classify the population of a whole country or even a continent.

Silicon Valley is a useful boogeyman, in part because they have done some things on the negative side of the evil ledger. Historically governments dwarf private companies in the amount of damage and misuse they can unleash — with a few notable exceptions where they almost reach the scale of what tyrannical or incompetent governments can wreak.


For folks missing the historical reference, IBM provided machines and support to the Nazis to "census" Jews.


Nah, a good protocol with strong privacy is needed before any implementations are allowed. This must be one of the few times I'm glad Apple is so restrictive, the current COVID-19 trackers have been horrendous: https://twitter.com/xssfox/status/1251118830962663424


I think you're vastly overestimating Apple's influence here. While certainly losing out on the quarter of the smartphone market that Apple holds, having no app on iOS is likely a smaller issue than how to incentivise people to install the app in the first place.



