Corona App – 10 requirements for the evaluation of “Contact Tracing” apps
ccc.de
This is one of those rare cases where you have to directly balance lives against privacy.
My feeling is that while privacy is important, it's being taken a bit too seriously given the severity of the crisis.
Google and Facebook et al. carry out far more involved and intimate surveillance of people's lives than would be required for an app as described in the article.
This is one of the few cases where more privacy might literally save lives, because people will be more inclined to install the app if the privacy is taken more seriously. There was a poll where Germans were asked if they would install a contact tracing app. Some 40% said yes outright. Another 40% said "only if privacy concerns are addressed". So you're looking at a potential 40% market penetration without proper privacy and 80% with, which greatly changes the impact the app can have on reducing the spread of the virus.
(Disclosure: I'm a member of CCC and chairman of a local chapter.)
I suspect a large proportion of people would install it if requested to by their government.
"Please install this app to save lives. Don't worry, it collects less data on your movements than Google Maps."
"Requested"? It is painfully obvious that this narrative will climax with highly reduced rights - such as freedom of movement; employment; any sort of "assembly" -- for individuals who elect not to use mandatory surveillance products. Pressure to conform will be enormous and applied from top and bottom (from hysterical/concerned bottom dwellers).
This drip drip of 'steps to take' by authorities and media is quite disingenuous: there have been multiple simulations into pandemics in the past 30 years and all these steps have been spelled out in various papers.
Here is one: www.centerforhealthsecurity.org/our-work/events-archive/2001_dark-winter/Dark%20Winter%20Script.pdf
(Grep for "freedom")
Did you read the article?
This is one of the few cases where mandatory installation of apps will save lives, as seen in China/SK.
For those "40% only if privacy concerns are addressed" there is a gradient of privacy. How many of them will still have concerns no matter what? And how many will not install anything out of laziness/comfort?
Meanwhile, Google and Facebook are installed in 90%+ of phones and happily scoop up location data every day.
Where's the proof that installing an app saved any lives at all?
And anyway, our rights are being temporarily but heavily reduced. I don't see why we have to also install this app, especially since having everyone wear a mask and washing one's hands would make the whole point of having contact with an infected person almost irrelevant.
And that does not mean it is right; it just means it is status quo. And Germans have a good reason to dislike panopticons as some still remember Stasi.
Mandatory app installation.. I guess that could be rolled out as most providers can and do have the ability to install stuff on your phone remotely.
That said.. what are the odds average person gets sufficiently annoyed by gvmt mandated apps and installs lineage?
> what are the odds average person gets sufficiently annoyed by gvmt mandated apps and installs lineage?
Won't happen to any meaningful degree. IMO if technologists fail to sensitize public discourse against the emerging dangers of surveillance tech now contemporary western democracies are probably about to be "disrupted".
I am willing to disagree. If the app becomes annoying (and it may very well be) people may adapt rather quickly. My example is that of SIM locking in the old country. It was a somewhat technical process, but people quickly adapted to it and learned how to remove it. The perception was that removal of SIM lock was beneficial.
Naturally, I could be wrong (and have been about cellphones for a while now). And then, my mom could barely handle the switch from Whatsapp to Signal.
edit: coffee didn't kick in yet. added barely before handle
If we'd want to go all in on mandatory apps it would be possible to create much friendlier lockdown controls than what we have now. For example instead of flat out forbidding access to recreation hotspots like parks it would be possible to ration access so that everybody can enjoy them occasionally but they never get too crowded. This would be completely unfeasible in a paper bureaucracy even outside a pandemic situation, but computers could easily do it. The missing "technology" to do that without also enabling police state is not so much crypto and blockchain (though something along those lines might certainly be part of it) but social achievements like data protection laws and how to enforce them, processes to build trustworthy organisations and so on.
Mandatory how? How will you address people without suitable devices? Not everyone has a (suitable) smartphone.
Making owning and carrying a smartphone with required app mandatory won't fly in any healthy democracy.
You don't need everyone to have it installed. Just getting a large proportion of people to use it would likely have quite a significant effect in reducing infection spread.
One compromise in making it semi-mandatory could be to reduce lockdown requirements for people using and carrying the app, because they'd be less dangerous.
That would be discriminatory, and run afoul of many constitutions and treaties. It could really only happen if anyone could get the device and required data bundle subsidized. “Less dangerous” is not enough to warrant such a huge breach in citizens' rights.
Really? 6 months ago I'd have said that putting the entire nation under house arrest won't fly in any healthy democracy, but here we are. Turns out no country is more democratic than China.
A friend of mine still uses an old Nokia from ~2009. Will he get a free smartphone? Who will check if he has it on him? What if he has it on him and the battery is empty? Or the screen is broken? What if suddenly everybody wants a free smartphone? What if suddenly everyone carries a broken old phone with them as a decoy with the police?
The answer to these questions is easy in an authoritarian state: you assume they are bad actors and use the full force of the state on them – so people will go out of their way to act as if they comply with your rules even if they don't.
In any democratic nation with a culture of scepticism when it comes to the government it won't be that easy. If you force people to do things over here, you will get a considerable portion of people working actively against you in ways that you cannot prove. It might be easier, more efficient and fruitful to just make it voluntary.
In increasing degrees of difficulty, how does a government get:
* people who own an Android or iOS smartphone to install a required app? (Might work if Google or Apple pushes the software, but does this outlaw non-stock-Android and iOS operating systems on a smartphone? Will Apple/Google do this for every country with an app?)
* people who don't own a smartphone to buy one? (Subsidized? Black-box devices that only need to be charged at home as an alternative for this group? How do you deal with people who don't want one for valid reasons besides privacy? E.g., people who got rid of them because they are vulnerable to the addictive properties of smartphone apps? And of course people who can't afford them.)
* people who can't use a smartphone to carry one around? (The digitally or otherwise illiterate or mentally incapable, and people with physical limitations won't just disappear overnight. This includes many elderly; exactly the weakest group with this virus.)
Gradually. It will be used to provide your freedom back. Lockdown is still in place, but if you agree to use the app, you can go outside and chill in a park, maybe even meet up with family members (groups fewer than N). Then you can introduce checkpoints in public places (just like China did btw): wanna go to malls, cinemas or airports? Install the app. But no, you are not forced to do this. You can just sit at home if you'd like until the lockdown is fully lifted. But we can't tell you when it happens, nobody knows. Perhaps after everybody is vaccinated.
Surely, they can also add a smartphone-free version that is a huge pain in the ass to use. It checks the box "you can survive without smartphone", but makes it practically unreasonable.
It will be the same situation as with CCTV and bag searches nowadays. The vast majority of people will accept this as reality and perhaps even support this. London is full of CCTV and mostly people are okay with this because they believe it is for their own safety. Sure, you are not forced into this, feel free to live in mountains off-grid.
The bottom line is you just wait until the lockdown is normalized in people's minds and then reward them with freedoms if they agree to use the app. And 99% will be okay with this.
At least in my country the overwhelming majority of the people fully supports the measures. How is that not democratic?
One could say as well: This is one of the few cases where not living in an open society where citizens have rights might save lives.
I wonder. Some of my friends don't own a smartphone. How will that contact tracing app run on their Nokia from 2010? Or will they get a smartphone from the state? How would you check if someone owns a smartphone, or whether they are pretending to have one of the old ones? If your goal is to get as many installations as possible on devices people take with them is it really the most productive thing to try forcing it?
Don't get me wrong, I do realize that proper contact tracing is the only way to deal with this virus until we get a vaccine, but I don't see how a mandatory app installation could be enforced in any western state without breaking fundamental rights. You'd literally have police knock at doors and force people to unlock their phones in order to check the installed apps, if you really want it to be installed everywhere. You would have to stop people in the street and have them show you their device AND frisk them to make sure they are not showing you a decoy device with the line: "Ooops the battery went out" or "Ooops I broke it a few minutes ago".
No – in western democracies transparency and voluntariness carry much farther. If the CCC approved any contact tracing app, even I'd immediately install it without hesitation. If however I had to trust a closed source app by a government which tried at every turn to legalize the surveillance state I'd probably not do it. If the state would force me to do it, I would actively work against it and help others to do the same.
You're overthinking it, imagining that a large part of the population wants to be Jason Bourne. It doesn't matter if 1% will evade this (you and your friends).
But you show exactly the bigger problem: the West is so individualistic, that it will rather have millions of deaths and economic collapse than a bit of privacy infringement over a number of months, again, everybody viewing himself as some sort of secret agent that the government is out to get at all costs.
Asian countries on the other hand understand that sometimes you need to make some real sacrifices yourself for the greater good.
I grew up in the alps on the countryside and I am thinking about people like my neighbour and my father. Unlike them I do understand the reasoning behind contact tracing, while they don't. If they were forced to use such an app they would work against it just out of defiance. And they are by no means special people. They have no idea about computers, they are more or less center conservative or center left.
Especially in the German speaking parts of Europe the scepticism towards government data collection has historical roots that I probably don't have to elaborate on, with people who died from said collection still in living memory. While safety is a fundamental right, it doesn't outweigh all the other fundamental rights automatically. These rights need to be balanced even (and especially) in times of crisis.
I think the right way here would be to follow the CCC recommendations, and make it about a voluntary utilitarian action, rather than enforcing it from the top down. People have to want to do it, just like they did in China. How you will get them there is different in Europe however.
This is not an all-or-nothing scenario. The choice is not between an app that saves lives and compromises privacy, or no app and lives lost. Privacy preserving technologies exist, and now is the time to use them.
There is an additional technological cost, but that's what we should weigh the privacy costs against. The choice is between an app that doesn't care about privacy versus one that does.
> There is an additional technological cost
Time is of the essence here. I agree that, all else being equal, privacy should be respected. However, if it takes multiple weeks to iron out all the potential privacy issues, this approach becomes much less effective.
We don't have enough runway to care about privacy, we'll just un-collect all that data once we raised!
Sorry for the sarcasm, but I buy this now as little as I buy it in other situations.
That's maybe true, but giving governments the possibility to create movement profiles of people and correlate them is extremely dangerous. Maybe your current government is liberal enough to forego using the political aspect of the tracking app, but you can never be sure that this stays the case. What about governments with authoritarian regimes?
Finally regarding Google/FB: Why would you give up even more of your privacy?
> What about governments with authoritarian regimes?
They're probably not going to care about people's views in the first place. Such regimes are already mandating apps of this type to be used.
It is not relevant what would be required. It is only relevant what’s actually in there.
TraceTogether[1] by the Singapore government meets most of these requirements and is/will be open sourced soon.
The RKI (they are the ones tracking infection numbers etc. here in Germany) is apparently building an app based on TraceTogether. This (German) article says TraceTogether is linked to your phone number though https://www.golem.de/news/corona-app-per-bluetooth-kontaktpe...
Someone did an analysis on the app and posted on reddit[1]. Turns out they included a gov analytics tracker[2] in the app
This effectively puts proximity data in the hands of the government, violating points 3, 5, 7, 8, and 9.
> When you are close to another phone running TraceTogether, both phones use Bluetooth to exchange a Temporary ID. This Temporary ID is generated by encrypting the User ID with a private key held by the Ministry of Health (MOH).
From: https://www.tracetogether.gov.sg/common/privacystatement
In this case, even if it only does exactly what it says it does, the data gathered is more valuable than anything else. Complete movement profiles of an entire nation. Can you put a price tag on that?
From that perspective whether it is open source is a secondary consideration.
Everyone generates an anonymous ID, if they come within Bluetooth proximity the devices trade these anonymous IDs. No location data is collected and none of the data is sent over the internet.
If you become infected you have the option of broadcasting your ID as being infected and others can compare the infected list against the IDs collected on their phones.
None of the data you mentioned is being collected.
Hmm, does that anonymous ID change? If not, it is not going to stay anonymous for very long as patterns will remain largely unchanged. People do tend to be creatures of habit.
I mentioned location data and if there is one thing we have learned over the past decade or so, it is that location is not gathered just from GPS ( which is the argument I assume you were making ).
edit: As for the claim, no data is sent over the internet.. I just plainly do not believe that statement. I do not understand how anyone would.
The app does not use GPS or other location data, contacts are established only by Bluetooth pairing.
Call me a cynic, but if apps like these became popular, I'd expect to see a creeping escalation. Reel in a large user base, then slowly capture and send more data. The possibility of being able to track a nation in real-time would have the security services blowing a load in their proverbial pants.
To those saying "it's a real urgent emergency" you might be too young to remember the immediate response after 9/11, but you might be old enough to remember the fallout, Manning, Snowden etc which continues almost twenty years later.
This time around shouldn't we aim for a better response and no fallout that will last decades on our responses?
> Even if the transmission of a message is observed in the system (e.g. via communication metadata), it must not be possible to conclude that a person is infected himself or herself or has had contact with infected persons. This must be ensured both with regard to other users and to infrastructure and network operators or attackers who gain insight into these systems.
I don't think this is doable. All protocols that we currently have have the ability to reveal this information in one way or another.
There are two fundamental approaches at the moment: something like DP-3T which uses TCNs (temporary contact numbers) where contacts exchange temporary numbers. On infection you download the list of infected people and compare on your device for matches. This fundamentally reveals who was infected. Then you have centralized approaches where you hand out encrypted IDs which a central authority can decrypt. In the latter case you can just create new device IDs which again lets you easily figure out which of your contacts was infected.
In the latter case you have the theoretical possibility to detect such behavior due to the sheer amount of IDs generated by participants.
Generally the attack vector would be someone putting a beacon in a supermarket and taking pictures of people going in and out to capture their IDs. Then they could figure out later which of the people got infected.
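The decentralized TCN exchange and on-device matching described in this comment, as an added example that is not part of the original thread or of the DP-3T code itself (the device names, the 15-minute epoch and the SHA-256 derivation are assumptions for illustration):

```python
import hashlib
import secrets

# Added example (not code from the CCC page or from DP-3T): a toy model of the
# decentralized TCN scheme. Each device keeps a secret day key, derives a fresh
# temporary contact number (TCN) every epoch, and stores only the TCNs it heard
# over Bluetooth. An infected user publishes her day keys; every other phone
# re-derives the TCNs locally and checks for matches on the device.

EPOCHS_PER_DAY = 96  # assumption: one TCN per 15 minutes


def derive_tcn(day_key: bytes, epoch: int) -> bytes:
    """Per-epoch identifier; unlinkable to other epochs without the day key."""
    return hashlib.sha256(day_key + epoch.to_bytes(2, "big")).digest()[:16]


class Device:
    def __init__(self, name: str):
        self.name = name
        self.day_keys = {}  # day -> secret key; leaves the device only on infection
        self.heard = set()  # (day, tcn) pairs observed over Bluetooth

    def key_for(self, day: int) -> bytes:
        if day not in self.day_keys:
            self.day_keys[day] = secrets.token_bytes(32)
        return self.day_keys[day]

    def broadcast(self, day: int, epoch: int) -> bytes:
        return derive_tcn(self.key_for(day), epoch)

    def hear(self, day: int, tcn: bytes) -> None:
        self.heard.add((day, tcn))

    def report_infection(self, days):
        # The only upload: day keys for the infectious window. No contact list,
        # no location, nothing about whom this phone met.
        return {d: self.day_keys[d] for d in days if d in self.day_keys}

    def matches(self, published):
        # Local matching. Returns the (day, epoch) of each encounter with a
        # reported key, which is also why a contact can tell when they met the
        # infected person (the linkability the comment above points out).
        found = []
        for day, key in published.items():
            for epoch in range(EPOCHS_PER_DAY):
                if (day, derive_tcn(key, epoch)) in self.heard:
                    found.append((day, epoch))
        return found


def encounter(a: Device, b: Device, day: int, epoch: int) -> None:
    """Bluetooth proximity: both phones exchange their current TCNs."""
    a.hear(day, b.broadcast(day, epoch))
    b.hear(day, a.broadcast(day, epoch))


def simulate():
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    encounter(alice, bob, day=1, epoch=40)  # alice and bob meet on day 1
    encounter(bob, carol, day=2, epoch=10)  # bob and carol meet on day 2
    published = alice.report_infection(days=[1, 2])  # alice tests positive
    return {
        "bob": bob.matches(published),      # bob was exposed on day 1, epoch 40
        "carol": carol.matches(published),  # carol never met alice
        # Rotation: consecutive TCNs of one phone look unrelated to an observer.
        "rotates": alice.broadcast(1, 40) != alice.broadcast(1, 41),
    }
```

The constructed run shows that Bob learns of his exposure (and at which epoch), Carol learns nothing, and no server ever sees a contact graph, only Alice's published day keys.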
I installed the contact tracing app from the Indian government on my phone. It won't let me use it without giving location access, not even just to see the app.
The Indian government does not have a great track record when it comes to privacy and information security. (https://www.firstpost.com/india/aadhaar-data-leak-details-of...) Aadhaar is the Indian equivalent of the US SSN.
While the cause is noble, there is always the problem with setting precedents, and as governments are known to use Riders (https://en.wikipedia.org/wiki/Rider_(legislation)), I don't trust that they won't use Covid-19 to further their agenda either.
This is what happens when you erode people's trust. I for one will not be using these apps.
As a side note, Android requires an app to get location access when using Bluetooth (not sure about iOS). So any Bluetooth contact tracing app will request location access.
San Francisco has demonstrated that just asking people to social distance and observe some shelter in place rules works for the most part.
Why do we need to implement a surveillance state on top of that?
> Why do we need to implement a surveillance state on top of that?
Most contact tracing comes up as part re-opening businesses (and schools, though in the US that will probably be in the fall), not as much for the current complete shutdown.
https://www.aei.org/research-products/report/national-corona... has a good explanation of why contact tracing is an important part of re-opening. The gist is that any amount of re-opening is likely to bring R0 much closer to 1 than it is during the current complete shutdown. The question then becomes how (well, how else) to minimize spread when new cases do occur.
Think of contact tracing as one way to replace the impact that’s currently provided by shutting everything down.
... and New York has shown that such methods aren't always sufficient. Contact tracing and testing clearly have a place. Doing so in a way that maintains civil liberties is clearly important.
There is an entire group of people who believe that "something" needs to be done. They do not know what that "something" is, but it has to be done. And the government representatives happily oblige with additional power grab.
Entire countries are under house arrest. I don't trust the government but I also want my parents to be able to go to the store or hospital without risking their lives. Pretty much everybody is either in an at-risk group themselves or has a close relative or friend who is at-risk.
Maybe this isn't the dystopia we deserve, but it's the dystopia we need.
From a technical perspective, you don't need to trust the government in these cases - provided that they implement the solutions with built-in privacy.
I don't want to be snarky, so instead let me ask what solutions you would recommend for it?
I just meant that there are technical approaches that don't necessarily involve centralized storage of everyone's movements and contacts, but achieve the same goals.
Singapore (and others, for that matter) has allegedly solved some of these issues in their soon-to-be open source contact tracing app [0].
They basically let every device keep track of itself and its encounters - until a diagnosis is made.
Can't remember the details from there off the top of my head, but you'd either do a lookup via a central authority, or notify peer-to-peer, depending on what other mechanisms are in play (ephemeral/co-signed IDs, etc.)
The German app will use bluetooth to track whom you're close to on the device. When you get ill, the device notifies everyone that id 18911-2342-112312 has it and people who came in bluetooth range to you will get a notice to self isolate.
I was listening in to yesterday's WH briefing and surveillance and contact tracing were mentioned multiple times with none of the media reps asking for details. I do know it is a genuine emergency, but I just don't trust government that much
sure we can write 10 page bioethics essays, but when contact tracing is implemented it won't even be an app, governments will access data directly from carriers. and people will be ok because they're scared