SoylentNews is people
SoylentNews
Locked iPhones rendered almost useless in Australia's COVIDSafe tracking efforts:
Software engineer Richard Nelson, who was part of a team of researchers that found other bugs in COVIDSafe, has detailed a bug affecting iPhone users, rendering their device basically useless when it comes to tracking efforts.
A locked iPhone with an expired ID cannot generate a new ID. Without an ID, Nelson said the device will record other devices around it, but cannot be recorded by others.
"A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged," he wrote.
"One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted."
[...] Nelson told ZDNet that if the iPhone user was to unlock their phone, but not necessarily open the COVIDSafe app, a new ID would be fetched.
"If Alice's device was locked and had an expired token, and Alice then unlocks her device to check email, for example, and if Bob's device then scans and picks up Alice's device, Bob will be able to read Alice's ID," Nelson added.
But if the device is locked again first, it won't be read.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @01:59PM (7 children)
That means that you're tracking EVERYPLACE that Alice has been, in great detail. No wonder the app is pushing this shit. This is backward for what any individual would want.
Instead, make the app record all tokens that it sees, and where. Individuals' tokens change hourly or whenever. The individual's phone keeps track of what tokens have been used, and it doesn't even matter where. Then, later, if another individual tests positive for the virus, it can flag an alert (minus some days) for all of the tokens that it has used in that time period, and in which zip codes. Other users check a list of positive-flagged tokens against their list of seen tokens. Any matches?
If you're tracking tokens you've seen, no privacy lost. If a central server is tracking all of your tokens, time, and exact location, and notifying you, then it was only ever about marketing anyway.
No wonder the latest survey said 70% of people won't use these apps because it's only about marketing anyway.
(Score: 2) by c0lo on Tuesday June 16 2020, @02:33PM (1 child)
No, the application is tracking who was in the proximity of who (for more than 15 mins, in the last 3 weeks), not the place where you've been.
See the part that you've left out, the "With her device in this state, nobody else will record her presence, "
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0, Disagree) by Anonymous Coward on Tuesday June 16 2020, @06:39PM
yeah, so it's way more dangerous.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @03:22PM (3 children)
At a minimum, your cellular provider is doing so. If you don't turn off GPS/Location services, etc. Google/Apple are doing so too.
Don't want to be tracked? Don't carry your phone (and I don't mean just smartphones) or, if it's possible, remove the battery and take it with you.
If you're doing either of those things, you have nothing to worry about WRT apps of this type. If not, why are you complaining about this particular app when others have already been tracking your every move? And if you're in the US, you're subject to the Third-party Doctrine. [wikipedia.org]
You fucking whingers make me sick. Pissing and moaning about 'muh privacy!' while your cellular provider, ISP, Google and Apple (and to a less pervasive extent, Facebook, et al.) have inserted themselves deeply up your ass. Without even the courtesy of a reach-around [wiktionary.org].
Stop blaming others for *your* lack of care in protecting *your* privacy.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @07:05PM
In an old smarphone with removable battery there was a hidden extra battery. I imagine they've done the same with all new phones.
(Score: 2) by lentilla on Tuesday June 16 2020, @07:20PM (1 child)
I like having a device in my pocket that makes calls and can look up information. I don't want to live behind shuttered windows, and to only do cash-in-hand jobs simply to hide from The Man. It's OK to want freedom, convenience, and an active place in modern society. It's also OK to inform our governments that this is what they will be providing.
The specific difference between general phone tracking and this app is that this time we got to say "and... we refuse to be tracked". We kind of missed the boat with mobiles because they appeared prior to social understanding of widespread tracking, and the subsequent will to reign it in via legal mechanisms.
Better to complain than to remain silent - especially at times like these when people are more receptive to arguments.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @09:43PM
AC you replied to here. I agree. I do carry my phone (a smartphone -- powered on) with me most of the time myself. I even have (*gasp*) bank accounts and credit cards.
I do so because it makes a big difference in convenience. I will say that I disable GPS and location tracking on my phone, have an email address not directly associated with me configured on my phone, don't *ever* use that email address, and use cash for some purchases as well.
It's not perfect. Hell, it's not even good. But I am cognizant of the issues and have accepted that there are trade-offs betgween security and convenience.
And I do so with the full knowledge that my bank and my cell provider have detailed information about what I buy and where I go. I accept that trade-off, well aware that should the government wish to obtain that information, they can do so [wikipedia.org].
But it's not the government that's doing the tracking I mentioned, even though (at least in the US) they have access to that data with a warrant (Third-party Doctrine, as I mentioned). My point wasn't that people shouldn't complain, my point was that if you wish to have privacy, especially in this day and age, you need to *proactively* protect it yourself.
A person complaining that others should be responsible for their privacy is pretty dumb IMHO.
Too many people aren't concerned and don't even think about the fact that they are *already* being tracked.
And when they install all manner of insecure apps and store boatloads of sensitive information on their device, they think nothing of it.
So when folks complain about some new shiny (in this case the contact tracing app) and scream bloody murder that someone is tracking them, it makes pretty much *no* sense at all.
That's what makes me sick. My apologies if I wasn't clearer in my initial post.
(Score: 0) by Anonymous Coward on Tuesday June 16 2020, @08:02PM
You see, the issue was actually in the part of the code that made this invasiveness of tracking harder (I assume intentionally).
It seems that the system keeps a temporary ID, which it shares with those around it. If a person is found to be COVID-positive, they can see which IDs the person has been around (and when).
Now I am making assumptions, but I assume this list then is publicly published, and users (or more likely, the program automatically) read this list of ID and times, and checks it for any ID that they have had, and checks if they had it at that time. If so, the user is alerted that they have been in contact with a COVID-positive person, and should take appropriate steps.
The temporaryness of the ID (which was the key issue causing this bug) is the very feature that keeps this system from being a permanent record of a user.