<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks Brian, that's an excellent summary and Ross Anderson's
article is spot on.</p>
<p>It's clear to me now that the system cannot be anonymous, so the
key seems to be demanding absolute transparency in how the data is
collected and processed, and making sure there is an end to the
surveillance once the situation is over. You also talk about how
the "app" should not be proprietary, and I agree; but we also need
to consider the OS and ultimately the hardware, not just the app,
if we want transparency. I just don't think Android and iOS were
good platforms to begin with, so expecting everyone to carry this
garbage in their pockets would be extremely sad in my opinion.
Even if I could be convinced that government surveillance to fight
a pandemic is a good thing and that I should contribute with my
health data, I still would not want this data to be handled by
advertising and secretive companies; they are just not a good
baseline, their business models rely on secrets and exploiting
people's privacy.<br>
</p>
<p>Your points 2 and 4 are interesting, but it still seems to me
like big tech / government surveillance propaganda. Yes, manual
tracing is slow and expensive, but like Ross Anderson says in the
article, people might feel more comfortable getting the news from
a human being than from a device anyway, and like both you and the
article say, adoption is key to the effectiveness of the system.
And the problem with asymptomatic cases seems to be common to both
manual tracing and the tacts, not just exclusive to the manual
approach (David's video claims to solve this, but after watching
it, it seems to hinge on the assumption that someone "feels under
the weather", which is neither asymptomatic nor is it an
indication of infection, so I still don't understand how the
asymptomatic transmission is accounted for).<br>
</p>
<div class="moz-cite-prefix">On 4/24/20 2:27 PM, Brian Behlendorf
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:alpine.DEB.2.21.2004241352370.3981@flooz">On Fri, 24 Apr
2020, Richard Brooks wrote:
<br>
<blockquote type="cite">I had similar concerns. I also was
immediately
<br>
nervous about big tech doing this.
<br>
<br>
I then realized that they have all the data
<br>
anyway. This is probably the least bad thing that
<br>
they are going to do with it.
<br>
</blockquote>
<br>
It really is worth reading how GACT works, as well as some of the
more informed critiques of it.
<br>
<br>
The spec:
<br>
<a class="moz-txt-link-freetext" href="https://www.apple.com/covid19/contacttracing">https://www.apple.com/covid19/contacttracing</a>
<br>
<br>
The simplest possible description, from D3-PT:
<br>
<a class="moz-txt-link-freetext" href="https://github.com/DP-3T/documents/tree/master/public_engagement/cartoon">https://github.com/DP-3T/documents/tree/master/public_engagement/cartoon</a>
<br>
<br>
Ross Anderson's take on GACT:
<br>
<a class="moz-txt-link-freetext" href="https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/">https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/</a>
<br>
<br>
and a really good human-level summary of how contact tracing works
and how it would need to scale up to this challenge:
<br>
<a class="moz-txt-link-freetext" href="https://thehill.com/opinion/technology/493648-how-human-centered-tech-can-beat-covid-19-through-contact-tracing">https://thehill.com/opinion/technology/493648-how-human-centered-tech-can-beat-covid-19-through-contact-tracing</a>
<br>
<br>
It's important to understand the defaults:
<br>
<br>
1) Most of the public health authorities and competent government
leaders seem to be arguing that they consider contact tracing
essential to opening up more of society before there's a widely
deployed vaccine and herd immunity.
<br>
<br>
2) By default, the way it's done now, by manually asking people
with positive test results where they've been and where they've
been and who they've interacted with in the last N days, is
woefully inadequate when dealing with a disease where most of
those infected and infectious show no symptoms for the first few
days or possibly ever, where transmission via aerosol and surfaces
means large numbers of people can catch it from a single person in
a short amount of time, and with the number of people infected
even after we get a few more weeks down the flattened curve in
most places.
<br>
<br>
3) By default, public health authorities first preference will be
to digitize the manual approach by using a central county-wide,
state-wide, or national database to record who's infected, who
they've talked with, where they've been, etc. They'd seek to
augment that central database with whatever else they can get
their hands on, from cell phone location data to your credit card
purchase histories. Usual GDPR or other relevant privacy
constraints will likely not apply as this is a public health
emergency, and public opposition to this encroachment on privacy
would be low (sadly).
<br>
<br>
4) By default, you need everyone running this software - not just
the 2% of interested nerds who would self-select, but more like
50-70% at least, in order to pull the untraced transmissions
closer and closer to zero. (BTW Singapore's tracing app only saw
12% adoption, from what I heard, and they're seeing a second
wave). That means you need Bluetooth Low Energy (as Safepaths and
every other tracing system is proposing - GPS consumes too much
battery and is not precise enough, and cell tower location data
also not fine-grained enough to really isolate those who came
within a few meters of you), but you also need it to run in the
background continuously, which (for very good reason we all here
would I hope support!) Apple & Google have not allowed apps to
even ask for the permission to turn on and consume BLE in the
background.
<br>
<br>
5) By default, to make public health authorities happy and enable
, Google and Apple would need to special-case their apps to enable
BLE background, which would open a huge privacy hole government
agencies could walk through, and which might be much tougher to
close after the pandemic is closed.
<br>
<br>
So G&A appear to be doing the right minimal thing here, which
is to say "OK, you can get BLE background, but ONLY by doing
tracing in this decentralized way", which avoids at least the big
obvious risks of allowing public health authorities or anyone else
from creating a centralized picture of everyone you've been near
while running the app, when all they really need to know is who's
been in proximity to people who tested positive, and only if those
patients agree.
<br>
<br>
However, as Ross and others have pointed out, there are still a
lot of attack vectors and opportunities for re-centralized
surveillance that such an application could deploy. If we just
don't know what's running in the app, we don't know if it's also
reporting data to a central server without patient notification
let alone consent. We son't know what other location data it's
collecting and possibly reporting or aggregating. And when that
signed attestation comes in from a public health authority that
you should see if you've been near a certain set of "codes", the
app could report upstream that you have without notice or consent,
forcing you into reporting.
<br>
<br>
One approach to addressing many, but not all, of those concerns is
if the public health authority app was not proprietary code (and a
thousand different apps for a thousand different health
authoritie), but one app, open source (with reproducible builds to
verify what's in the code is whats on your phone), where the
reporting structure is configurable, and where the defaults are
set to encourage users to report matches but that would require
consent. Such an app should be the default, perhaps even required
app that public health authorities consult with and publish data
through. This is not a situation where a thousand different apps
help, even if all those apps are using GACT. You want public trust
in that app, and that app can come from carefully vetted public
open source code.
<br>
<br>
It likely should also be connected to the emerging self-sovereign
ID approaches being considered for vaccination records and
possibly antibodies tests, so that you can show a public health
authority "Hi! I've been exposed, at this time & date, I don't
know by who of course, but I can also show a positive antibodies
test or date of prior infection and recovery or proof of vaccine,
so no need to quarantine me." These kinds of proofs might also be
important to fighting anonymous trolling (Ross's description of
someone attaching their phone to their dog and having them wander
through a crowd, then reporting a positive test result),
potentially other concerns.
<br>
<br>
To Richard's question, this definitely seems to be among the
"least bad" things that GA could do in this space. It might even
make contract tracing possible both for the scale of the challenge
and in a privacy-preserving way. It's a necessary first step but
far from the complete solution.
<br>
<br>
I suspect that the different tracing projects out there will
converge on a common answer along these lines, and my hope is that
G&A follow up GACT with an endorsement of an effort towards a
common open source tracing app, and the different tracing app
efforts can combine forces around a common approach.
<br>
<br>
I have no skin in this game, I've just been studying it closely
along with some other COVID19 related initiatives, but if
something emerges we (The Linux Foundation) can do to be helpful,
let us know.
<br>
<br>
Brian
<br>
<br>
<br>
<br>
<blockquote type="cite">"How I learned to stop worrying and ..."
<br>
<br>
On 4/24/20 2:29 PM, msunet wrote:
<br>
<blockquote type="cite">There was some talk about this at the
Flatten the Curve Summit. At
<br>
first, I thought this technology would be interesting, but now
I have
<br>
doubts about it. It doesn't seem very useful to trace people
if you
<br>
can't test them, first of all. I also wonder how the random
numbers are
<br>
generated -- will they use your device or advertising ID? How
can you
<br>
tell when they embed this technology in their proprietary,
secret OSes
<br>
anyway? I also haven't seen what the authentication layer is
-- will you
<br>
need a google account? -- or more generally, how they plan to
protect
<br>
the system from attackers. It's also not clear to me who owns
the data,
<br>
where it is stored, how much of it, or for how long. And when
does the
<br>
tracing end? They also have not solved fundamental problems
about this
<br>
tech, like signals going through walls.
<br>
<br>
Unless these and other questions are answered (maybe they have
and I
<br>
haven't caught up), this just seems to me like an attempt by
<br>
corporations to use the situation as an excuse to creep in
more into
<br>
people's lives. It never hurts to remember that they are
powered by
<br>
profit, not good will.
<br>
<br>
On April 23, 2020 7:01:37 PM PDT, "Robert Mathews (OSIA)"
<br>
<a class="moz-txt-link-rfc2396E" href="mailto:mathews@hawaii.edu"><mathews@hawaii.edu></a> wrote:
<br>
<br>
<br>
On 4/23/20 5:26 AM, David Stodolsky wrote:
<br>
<br>
<blockquote type="cite"> This appears to be virtue
signaling. France is asking that the
<br>
Apple/Google tracing security be relaxed.
<br>
<blockquote type="cite">
<a class="moz-txt-link-freetext" href="https://apple.slashdot.org/story/20/04/21/2019202/france-says-apple-bluetooth-policy-is-blocking-virus-tracker#comments">https://apple.slashdot.org/story/20/04/21/2019202/france-says-apple-bluetooth-policy-is-blocking-virus-tracker#comments</a><br>
<a class="moz-txt-link-rfc2396E" href="https://urldefense.proofpoint.com/v2/url?u=https-3A__apple.slashdot.org_story_20_04_21_2019202_france-2Dsays-2Dapple-2Dbluetooth-2Dpolicy-2Dis-2Dblocking-2Dvirus-2Dtracker-23comments&d=DwMFaQ&c=Ngd-ta5yRYsqeUsEDgxhcqsYYY1Xs5ogLxWPA_2Wlc4&r=V-iMGiA8Z-z_leHLkLSzXQ&m=1UUH9eOltaAPSUdTtOKTK8wH6ws-MQUbG4Ac_auCdJ4&s=HA0muQHuHH31W1WZw0ZUdLoorMjmeoPDcTks1KDy4v8&e="><https://urldefense.proofpoint.com/v2/url?u=https-3A__apple.slashdot.org_story_20_04_21_2019202_france-2Dsays-2Dapple-2Dbluetooth-2Dpolicy-2Dis-2Dblocking-2Dvirus-2Dtracker-23comments&d=DwMFaQ&c=Ngd-ta5yRYsqeUsEDgxhcqsYYY1Xs5ogLxWPA_2Wlc4&r=V-iMGiA8Z-z_leHLkLSzXQ&m=1UUH9eOltaAPSUdTtOKTK8wH6ws-MQUbG4Ac_auCdJ4&s=HA0muQHuHH31W1WZw0ZUdLoorMjmeoPDcTks1KDy4v8&e=></a><br>
</blockquote>
It appears that France has developed a slightly less
secure
<br>
tracing method than the coming Apple/Google API/OS
built-in. The
<br>
current limitation is that Apple doesn’t allow Bluetooth
to run on
<br>
the iPhone, if the app is in the background and the data
leaves
<br>
the phone. This has crippled TraceTogether, etc., since
it makes
<br>
tracing impractical with the iPhone.
<br>
<br>
dss
<br>
<br>
David Stodolsky, PhD Institute for
Social
<br>
Informatics
<br>
Tornskadestien 2, st. th., DK-2400 Copenhagen NV,
Denmark
<br>
<a class="moz-txt-link-abbreviated" href="mailto:dss@socialinformatics.org">dss@socialinformatics.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:dss@socialinformatics.org"><mailto:dss@socialinformatics.org></a>
<br>
Tel./Signal: +45 3095 4070
<br>
</blockquote>
<br>
Notions of *'contact tracing'* must be considered in
broader
<br>
'technical' and 'technological' terms. For instance,
consider this
<br>
following headline, which I have been discussing with my
team since
<br>
its publication.
<br>
<br>
*"2 billion phones cannot use Google and Apple
contact-tracing tech
<br>
System developed by Silicon Valley relies on technology
missing from
<br>
older handsets."*
<br>
TIM BRADSHAW, FT.COM - 4/20/2020, 12:29 PM
<br>
*arsTECHNICA*
<br>
<a class="moz-txt-link-freetext" href="https://arstechnica.com/tech-policy/2020/04/2-billion-phones-cannot-use-google-and-apple-contract-tracing-tech/">https://arstechnica.com/tech-policy/2020/04/2-billion-phones-cannot-use-google-and-apple-contract-tracing-tech/</a><br>
<br>
MANY such subscriber-linked mobile handsets in-service are
located
<br>
within *the Continent of Africa*, and the *Indian
Sub-Continent.*
<br>
And, they are MOSTLY NOT - iPhone 10s.
<br>
<br>
Of this, I shared the following sentiment with my staff
and extended
<br>
teams....
<br>
<br>
//This story SHOULD teach us that, no matter how LARGE
any
<br>
"tech" company may be, if those human beings WITHIN
are NOT
<br>
disposed to understanding "SYSTEMS" more wholistically
(a widely
<br>
abused term), products born out of this lack of
understanding
<br>
cannot be expected to meet basic aspects of
<br>
//////functional//ity////. ///It also goes without
saying that
<br>
SYSTEMS so constructed can also 'not' be expected to
<br>
'INTEROPERATE reliably' with OTHER systems of a LIKE,
and/or
<br>
UNLIKE construction too./
<br>
<br>
In this respect at least, and more importantly, taking
note of the
<br>
UNIVERSALITY of COVID-19, backward operational
compatibility and
<br>
INCLUSIVITY should have been critical 'usability'
considerations.
<br>
<br>
<br>
-- Sent from /e/ Mail.
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
</blockquote>
<pre class="moz-signature" cols="72">--
GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91
<a class="moz-txt-link-freetext" href="https://emailselfdefense.fsf.org/">https://emailselfdefense.fsf.org/</a></pre>
</body>
</html>