[liberationtech] How are mobile carriers/Google/Apple helping track Covid19? Hey South Korea!
Bill Cox
waywardgeek at gmail.com
Mon Mar 16 01:48:45 CET 2020
I work for Google in the sealed computing group (there are just a few of
us). The project you probably never heard of that I worked on is called Cloud
Key Vault
<https://developer.android.com/about/versions/pie/security/ckv-whitepaper>,
where we encrypted your Android backups so that Google can't decrypt them,
unlike Apple iPhone backups, which they hand over to law enforcement
thousands of times per year
<https://9to5mac.com/2020/01/21/apple-reportedly-abandoned-end-to-end-icloud/>.
I can't speak for Google, but many of us who work there take your privacy
extremely seriously. In fact, to the point that likely we will not build a
system like the one you suggest to track COVID19 and report to our users
and health officials when we think someone was potentially exposed.
It is just my personal opinion, but I feel we should build a secure
facility audited by folks like the Electronic Frontier Foundation, and pay
security experts like the NCC group to aid in verifying we have workable
security systems that allow high performance computers to run open-source
algorithms which the public can attest is running verified code for
themselves. The algorithms would detect who had been in close proximity to
people who later tested positive for COVID19, and encrypt notifications to
users such that even Google could not easily determine who is being
notified for potential COVID19 exposure. As a Google user, I personally
would want to know if I was recently in close proximity to a COVID19
positive person. We also could encrypt results to health workers
responsible for tracking down these folks, assuming users are OK with
that. We also could provide aggregate anonymized data to researchers.
We'd just use the short-term location data we already have access to
<https://slate.com/technology/2019/02/reverse-location-search-warrants-google-police.html>.
Unfortunately, I would be amazed if Google were to build such a system.
The recent pressure on Google to back-door end-to-end encryption simply had
the effect of causing most leadership at Google to avoid the issue like the
plague. I suspect this is how Apple got stuck handing over your
non-encrypted iPhone backups to law enforcement: after the San Bernardino
mess, everyone internal to Apple probably found other projects less risky
to work on, and eventually law enforcement figured out Apple had access to
your iPhone backups.
Bill