date 2014-10-16
from the roll-your-own dept.
NHS rejects Apple-Google coronavirus app plan:
The UK's coronavirus contact-tracing app is set to use a different model to the one proposed by Apple and Google, despite concerns raised about privacy and performance.
The NHS says it has a way to make the software work "sufficiently well" on iPhones without users having to keep it active and on-screen.
That limitation has posed problems for similar apps in other countries.
[...] "Engineers have met several core challenges for the app to meet public health needs and support detection of contact events sufficiently well, including when the app is in the background, without excessively affecting battery life," said a spokeswoman for NHSX, the health service's digital innovation unit.
[...] Like the authorities in many other countries, NHSX has opted to use wireless Bluetooth transmissions to keep track of each qualifying meeting, and has said that the alerts will be sent anonymously, so that users do not know who triggered them.
It has opted for a "centralised model" to achieve this - meaning that the matching process, which works out which phones to send alerts to - happens on a computer server.
This contrasts with Apple and Google's "decentralised" approach - where the matches take place on users' handsets.
The tech giants believe their effort provides more privacy, as it limits the ability of either the authorities or a hacker to use the computer server logs to track specific individuals and identify their social interactions.
But NHSX believes a centralised system will give it more insight into Covid-19's spread, and therefore how to evolve the app accordingly.
"One of the advantages is that it's easier to audit the system and adapt it more quickly as scientific evidence accumulates," Prof Christophe Fraser, one of the epidemiologists advising NHSX, told the BBC.
[...] But hundreds of the country's cryptography and computer security experts have just signed an open letter calling on it to reconsider. Dozens of those opponents work for Inria, the institution tasked with building the app.
For its part, the European Commission has indicated that either model is acceptable.
"All countries deploying an app must put adoption at the front of their mind, and if it doesn't work well or significantly depletes battery life then that may act as a deterrent, particularly for those with older phones," commented DP3T's Dr Michael Veale.
[...] Australia is the latest country to release a contact-tracing app. It too had indicated it had found a way to work around Apple's restrictions, but has since acknowledged power consumption problems as well as "interference" if users have other Bluetooth and location-tracking apps open.
Senators raise privacy questions about Google's COVID-19 tracker:
Two US senators want to make sure Google's COVID-19 tracker isn't infringing on millions of people's privacy. In a letter sent to Google CEO Sundar Pichai on Tuesday, Sens. Ed Markey and Richard Blumenthal raised questions about how the tech giant's tracker is ensuring that the location data it's collecting and presenting stays confidential.
The Trump administration has called on tech companies to provide data for tracking the coronavirus pandemic, hoping that logs of people's locations can give insight on social distancing and the disease's spread. Location data has been used in South Korea and China to help contain and track COVID-19 cases, and the US government is looking to do the same as it deals with the pandemic.
[...] Last Friday, Google announced its own COVID-19 tracker, using location data it's collected from its millions of users to help health officials make policy decisions and measure social distancing effects.
The data is collected from people who have their Location History setting activated on their phones, which is typically off by default. In its announcement, the tech giant said no personally identifiable information is collected for this tracker.
Still, Markey, a Democrat from Massachusetts, and Blumenthal, a Democrat from Connecticut, have their concerns with Google using a massive amount of location data for tracking the outbreak.
The two lawmakers raised points about how researchers have easily de-anonymized location data several times, since the datasets are often tied to frequently visited spots like homes, workplaces and places of worship.
"Location data sharing carries with it myriad risks, and while we commend Google's efforts to assist in combatting the coronavirus pandemic, we caution you against steps that risk undermining your users' privacy," the senators wrote in the letter.
Apple and Google are launching a joint COVID-19 tracing tool for iOS and Android:
Apple and Google's engineering teams have banded together to create a decentralized contact tracing tool that will help individuals determine whether they have been exposed to someone with COVID-19.
Contact tracing is a useful tool that helps public health authorities track the spread of the disease and inform the potentially exposed so that they can get tested. It does this by identifying and 'following up with' people who have come into contact with a COVID-19 affected person.
The first phase of the project is an API that public health agencies can integrate into their own apps. The next phase is a system level contact tracing system that will work across iOS and Android devices on an opt-in basis.
The system uses on-board radios on your device to transmit an anonymous ID over short ranges — using Bluetooth beaconing. Servers relay your last 14 days of rotating IDs to other devices which search for a match. A match is determined based on a threshold of time spent and distance maintained between two devices.
If a match is found with another user that has told the system that they have tested positive, you are notified and can take steps to be tested and to self quarantine.
[...] you run into technical problems like Bluetooth power suck, privacy concerns about centralized data collection and the sheer effort it takes to get enough people to install the apps to be effective.
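The decentralised matching described in the excerpt above (rotating Bluetooth IDs, a 14-day relay, a time-and-distance threshold) can be sketched as follows. This is an added illustration, not code from Apple, Google, NHSX or the quoted article. The HMAC-based ID derivation, the relay of daily keys rather than the IDs themselves, the `Handset` class, and the 10-minute, 15-minute and 2-metre constants are all assumptions made for the sketch.

```python
import hashlib
import hmac
import os

# All constants are assumptions for this sketch, except the 14-day window.
INTERVALS_PER_DAY = 144   # ID rotates every 10 minutes
MIN_MINUTES = 15          # time threshold
MAX_METRES = 2.0          # distance threshold
RETENTION_DAYS = 14       # from the article


def rotating_id(daily_key, interval):
    """16-byte ID broadcast in one interval; unlinkable without the key."""
    msg = b"rotating-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Handset:
    def __init__(self):
        self.daily_keys = {}  # day number -> secret key, kept on the phone
        self.heard = []       # (day, id, minutes, metres) from Bluetooth

    def broadcast(self, day, interval):
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rotating_id(key, interval)

    def observe(self, day, rid, minutes, metres):
        self.heard.append((day, rid, minutes, metres))

    def report_positive(self, today):
        """Upload after a positive test: only the last 14 days of keys."""
        return {d: k for d, k in self.daily_keys.items()
                if today - RETENTION_DAYS < d <= today}

    def check_exposure(self, published):
        """Matching runs on the handset; the server never sees `heard`."""
        risky = {(d, rotating_id(k, i)) for d, k in published.items()
                 for i in range(INTERVALS_PER_DAY)}
        total = {}
        for day, rid, minutes, metres in self.heard:
            if (day, rid) in risky and metres <= MAX_METRES:
                total[day] = total.get(day, 0) + minutes
        return sorted(d for d, m in total.items() if m >= MIN_MINUTES)
```

In this sketch the server only ever holds what diagnosed users choose to upload. The list of who was near whom stays in each handset's `heard` log, which is the property the centralised model gives up when matching moves to the server.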
Ross Anderson, a researcher at the Security Group at the University of Cambridge Computer Laboratory, has written about contact tracing in the real world, enumerating in detail some of the many shortcomings with and false assumptions about contact tracing as a means of fighting a pandemic.
There are also real systems being built by governments. Singapore has already deployed and open-sourced one that uses contact tracing based on bluetooth beacons. Most of the academic and tech industry proposals follow this strategy, as the “obvious” way to tell who’s been within a few metres of you and for how long. The UK’s National Health Service is working on one too, and I’m one of a group of people being consulted on the privacy and security.
But contact tracing in the real world is not quite as many of the academic and industry proposals assume.
First, it isn’t anonymous. Covid-19 is a notifiable disease so a doctor who diagnoses you must inform the public health authorities, and if they have the bandwidth they call you and ask who you’ve been in contact with. They then call your contacts in turn. It’s not about consent or anonymity, so much as being persuasive and having a good bedside manner.
He is not alone in pointing out that claims of being able to anonymize personal data have largely been proven to be bunk. The rules we set in place now will be with us for a long time and have far-reaching effects. They need to be given an appropriate level of consideration.
Security researcher Bruce Schneier posted his concerns on the same contact tracing story.
https://www.coindesk.com/decentralized-protocol-removed-from-eu-contact-tracing-website-with-no-notice:
The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) consortium, which is charged with helping develop the protocols for a privacy-focused European Union contact tracing system, has removed any mention of the decentralized protocol proposal Decentralized Privacy-Preserving Proximity Tracing (DP3T) from its website.
Contact tracing is the process by which health authorities track the spread of viruses, identifying who has been in contact with infected individuals and should therefore be quarantined. Countries are pursuing a variety of digital methods of doing so, ranging from location tracking of cell phones and facial recognition, to digital health passes that restrict movement and Bluetooth proximity tracing. Last weekend, Google and Apple announced a plan to update their mobile operating systems to allow Bluetooth tracing.
Any E.U. contact tracing would have to comply with the General Data Protection Regulation (GDPR), which ensures greater privacy and data protection for EU citizens than is currently enforced in the U.S.
[...] The DP3T team, which outlined its proposal to CoinDesk earlier this week, was not told the protocol was being removed from the site, and was not invited to attend a PEPP-PT call Friday with the consortium's various partners, according to three sources familiar with the matter.