Matrix, posted April 10, 2020

Bottom line: Apple and Google on Friday announced a joint effort to help governments and health agencies track Covid-19 cases through contact tracing. The tech giants said both privacy and security will be central to their designs, as will transparency and consent (yes, these will be opt-in programs). Still, those promises are doing little to quell the concerns of privacy advocates and even conspiracy theorists. In May, both companies will release APIs that enable “interoperability between Android and iOS devices” in apps from public health authorities. In the coming months, the two will work to build a broader Bluetooth-based contact tracing platform that bakes functionality directly into their respective mobile operating systems, making it potentially even easier for interested parties to participate. It’s easy to argue that using smartphone data to trace Coronavirus infections has serious privacy implications. But then again, using smartphones to track people isn’t anything new as Snowden revealed years ago. One could also argue the effectiveness of such a system. We’ve been told that our best defenses against the virus right now include staying at home, getting tested and quarantining yourself if you test positive. How much more helpful would a tracing system be? It’s a reactive system, only alerting you if you’ve crossed paths with someone that might have been exposed to an infected person. At that point, you might already have it. I suppose it could help you make an informed decision about whether or not you should self-quarantine, thus potentially stopping you from spreading it to others before symptoms are evident. Conversely, some will argue that if a system like this is able to save even one life, it would be worth it. Apple and Google have posted several white papers on the matter for those interested in diving deeper into the technical aspects of the proposed system.
Source
dufus, posted April 11, 2020

SAN FRANCISCO Apple and Google launched a major joint effort to leverage smartphone technology to contain the COVID-19 pandemic. New software the companies plan to add to phones would make it easier to use Bluetooth wireless technology to track down people who may have been infected by coronavirus carriers. The idea is to help national or regional governments roll out apps for so-called “contact tracing” that will run on iPhones and Android phones alike. The technology works by harnessing short-range Bluetooth signals. Using the Apple-Google technology, contact-tracing apps would gather a record of other phones with which they came into close proximity. Such data can be used to alert others who might have been infected by known carriers of the novel coronavirus, although only in cases where the phones' owners have installed the apps and agreed to share data with public-health authorities. Software developers have already created such apps in countries including Singapore and China to try to contain the pandemic. In Europe, the Czech Republic says it will release such an app after Easter. Britain, Germany and Italy are also developing their own tracing tools. Privacy and civil liberties activists have warned that such apps need to be designed so governments cannot abuse them to track their citizens. Apple and Google said in a rare joint announcement that user privacy and security are baked into the design of their plan. The technology might serve as a stopgap in the absence of widespread testing for the novel coronavirus, which in the U.S. remains limited after production problems and limited federal coordination of the tests' production and distribution. “It’s not a replacement for just having widespread testing, which would be more accurate,” said Tiffany Li, a visiting law professor at Boston University who studies privacy and technology.
“But clearly we have a huge shortage of tests.” Li suggested that Bluetooth signal tracking protects privacy better than the use of other options such as GPS or cell-tower based location data, which would allow centralized authorities access to the information. But it could still lead to numerous mistaken alerts, she said — for instance, if someone was in full protective gear or in an adjacent apartment while physically close to an infected person. Pam Dixon, executive director of the World Privacy Forum, said a conversation with Apple's senior director for global privacy, Jane Horvath, assured her that the initiative will protect people’s privacy. Sensitive information will stay on individual phones in encrypted form and alerts will be handled by public health agencies, not the tech companies, she said. “I think they’ve taken care of some of the really big problems,” Dixon said, noting the companies say they can turn off the system when it's no longer needed. "The government is not going to have identity information of those testing positive.” Asked about the Google-Apple effort at his daily news briefing, President Donald Trump called it “very interesting,” but expressed concern that “a lot of people worry about it in terms of a person’s freedom. We’re going to take a look at that.” Security experts note that technology alone cannot effectively track down and identify people who may have been infected by COVID-19 carriers. Such efforts will require other tools and teams of public health care workers to locate people in the physical world, they say. In South Korea and China, such efforts have included the use of credit-card and public-transit records. In general, epidemiologists say contact tracing won't be effective without widely available testing. In the Czech Republic, the plan is to have soldiers perform testing; medical students have been trained to staff call centers for notifying people at high risk of infection. 
The Czech app will use both Bluetooth technology and geolocation data from wireless carriers and banks to create “memory maps” that trace the movement of infected people to identify others they came into close proximity with in the five to ten days before they tested positive. The hope is to quickly isolate people who may be affected so the virus can be contained and restrictions on movement relaxed. The app builds on a popular cellular-location mapping app used by one in ten Czechs, who number 10 million. Given the great need for effective contact-tracing — a tool epidemiologists have long employed to contain infectious disease outbreaks — Google and Apple will roll out their changes in two phases. In May, they will release software that will support public-health apps for both Android and iOS phones. In coming months, they will also build this functionality directly into the underlying phone operating systems. On Friday, the companies released preliminary technical specifications for the effort, which they called “Privacy-Preserving Contact Tracing.”

sauce f that
Karlston, posted April 11, 2020

Apple and Google are building a coronavirus tracking system into iOS and Android

Potentially a huge step forward in the fight against COVID-19

Apple and Google announced a system for tracking the spread of the new coronavirus, allowing users to share data through Bluetooth Low Energy (BLE) transmissions and approved apps from health organizations. The new system, which is laid out in a series of documents and white papers, would use short-range Bluetooth communications to establish a voluntary contact-tracing network, keeping extensive data on phones that have been in close proximity with each other. Official apps from public health authorities will get access to this data, and users who download them can report if they’ve been diagnosed with COVID-19. The system will also alert people who download them to whether they were in close contact with an infected person. Apple and Google will introduce a pair of iOS and Android APIs in mid-May and make sure these health authorities’ apps can implement them. During this phase, users will still have to download an app to participate in contact-tracing, which could limit adoption. But in the months after the API is complete, the companies will work on building tracing functionality into the underlying operating system, as an option immediately available to everyone with an iOS or Android phone.

Contact tracing — which involves figuring out who an infected person has been in contact with and trying to prevent them from infecting others — is one of the most promising solutions for containing COVID-19, but using digital surveillance technology to do it raises massive privacy concerns and questions about effectiveness.
Earlier this week, the American Civil Liberties Union raised concerns about tracking users with phone data, arguing that any system would need to be limited in scope and avoid compromising user privacy. Unlike some other methods — like, say, using GPS data — this Bluetooth plan wouldn’t track people’s physical location. It would basically pick up the signals of nearby phones at 5-minute intervals and store the connections between them in a database. If one person tests positive for the novel coronavirus, they could tell the app they’ve been infected, and it could notify other people whose phones passed within close range in the preceding days. The system also takes a number of steps to prevent people from being identified, even after they’ve shared their data. While the app regularly sends information out over Bluetooth, it broadcasts an anonymous key rather than a static identity, and those keys cycle every 15 minutes to preserve privacy. Even once a person shares that they’ve been infected, the app will only share keys from the specific period in which they were contagious. Crucially, there is no centrally accessible master list of which phones have matched, contagious or otherwise. That’s because the phones themselves are performing the cryptographic calculations required to protect privacy. The central servers only maintain the database of shared keys, rather than the interactions between those keys. The method still has potential weaknesses. In crowded areas, it could flag people in adjacent rooms who aren’t actually sharing space with the user, making people worry unnecessarily. It may also not capture the nuance of how long someone was exposed — working next to an infected person all day, for example, will expose you to a much greater viral load than walking by them on the street. And it depends on people having apps in the short term and up-to-date smartphones in the long term, which could mean it’s less effective in areas with lower connectivity. 
It’s also a relatively new program, and Apple and Google are still talking to public health authorities and other stakeholders about how to run it. This system probably can’t replace old-fashioned methods of contact tracing — which involve interviewing infected people about where they’ve been and who they’ve spent time with — but it could offer a high-tech supplement using a device that billions of people already own.

Source: Apple and Google are building a coronavirus tracking system into iOS and Android (The Verge)
Karlston, posted April 11, 2020

How you’ll use Apple and Google’s coronavirus tracking tool

There’s still a lot we don’t know

Earlier today, Apple and Google announced a Bluetooth-based COVID-19 contact tracing platform that could alert people if they’ve been exposed to the novel coronavirus. Contact tracing is a huge component in ending mass pandemic “stay-at-home” orders, and while phone tracking can’t replace traditional methods like interviews, it can supplement them. Google and Apple are using Bluetooth LE signals for contact tracing. When two people are near each other, their phones can exchange an anonymous identification key, recording that they’ve had close contact. If one person is later diagnosed with COVID-19, they can share that information through an app. The system will notify other users they’ve been close to, so those people can self-quarantine if necessary. Ideally, this means you won’t have to reveal your name, location, or other personal data. Beyond those basics, though, there are a lot of questions about how people will actually use the system. Here’s what we know so far.

The first phase is app-based, and it starts next month

Apple and Google are launching the program in two phases, starting with an application programming interface (API) in mid-May. This API will make sure iOS and Android apps can trace users regardless of which operating system they’re using. But it will be restricted to official apps released by public health authorities on the iOS App Store and Google Play Store. During this first phase, you’ll need one of these apps to participate in the program. We don’t know who’s working with Apple and Google right now, or what the apps will look like. It seems likely they’ll be interoperable in some way — in other words, a phone with App A could swap a key with App B, as long as they’re both using the API.
We could hypothetically see a national government or lots of small local agencies launch their own apps, or governments could approve something built by an outside party like a university. Google and Apple haven’t publicly nailed down many specifics, so we’ll be watching for those in the coming weeks. No matter what the apps look like, you’ll have to proactively add them to your phone, which will almost certainly reduce how many people use them. But in the months after they launch, Google and Apple will be working on a more permanent solution.

The second phase adds opt-in tracking to iOS and Android

Following the API, Google and Apple want to add contact tracing as a core iOS and Android feature. The method is a little vague for now, but the goal is that you’d opt in through something like your phone settings. This would turn on the digital key-swapping without requiring a third-party app. Then, if you’re exposed, your phone would signal this somehow and urge you to download an app for more information. This raises a few questions. We don’t know much about that handoff process, for instance: do you get a vague pop-up notification, or something with more detail? We’re also not sure how Android’s fragmented ecosystem might complicate the release. Google could plausibly push a fast update through the Play Store instead of waiting for carriers to roll it out, but it would still be dealing with huge variations in hardware capability. We also don’t know if individual government apps might ask for more invasive permissions like location tracking — even if Google and Apple’s core system doesn’t use it. If you’ve got a phone without Bluetooth LE, of course, none of these apps will work. But iOS has included support since the 2011 iPhone 4S, and the Android platform added support in 2012. So unless you’ve got a very old phone, you’re probably all right.

What happens if you’re infected?
If you test positive for COVID-19, the system is supposed to upload your last 14 days of anonymous “keys” to a server. Other people’s phones will automatically download the key lists, and if they have a matching key in their history, they’ll get an exposure notification. The app will need to make sure people are really infected, though — otherwise, a troll could cause chaos by falsely claiming to have COVID-19. We don’t know exactly how this will work. COVID-19 tests are currently administered by professionals and logged with health authorities, so perhaps Apple and Google could piggyback on that process to validate the tests. But it’s a huge issue, and they’ll need a satisfactory answer. Either way, sharing your keys is supposed to be voluntary. That seems to mean actually approving an upload, not just granting blanket consent when you install the app — but the exact process is another thing we’re waiting to see.

What happens if you’re exposed?

If people share their data as described above, your phone will check the list once a day and look for key matches, then notify you if it finds one. Google’s sample alert is pretty simple: it just reads, “You have recently been exposed to someone who has tested positive for COVID-19,” and offers a link with more information. That information will be provided by whichever health authority is offering the app, and we don’t know what it might include — although at the very least, it will probably explain COVID-19 symptoms and self-quarantine guidelines. Exposure isn’t a simple binary process: the more time you’ve spent with an infected person, the greater the risk. The documentation includes references to duration measured in 5-minute intervals. It could theoretically send that information to users directly, or it might offer a general risk assessment without an exact number, which would provide a greater level of anonymity. As we’ve said before, none of this replaces traditional contact tracing interviews.
Done right, though, it could add a platform-level system that’s easy to use and doesn’t overly compromise privacy. We’re just still waiting on a lot of details about how that will work.

Source: How you’ll use Apple and Google’s coronavirus tracking tool (The Verge)
Karlston, posted April 11, 2020

Answering the 12 biggest questions about Apple and Google’s new coronavirus tracking project

What the technical documents tell us about the project’s privacy and security measures

On Friday, Google and Apple joined together for an ambitious emergency project, laying out a new protocol for tracking the ongoing coronavirus outbreak. It’s an urgent, complex project, with huge implications for privacy and public health. Similar projects have been successful in Singapore and other countries, but it remains to be seen whether US public health agencies would be able to manage such a project — even with the biggest tech companies in the world lending a hand. We covered the basic outlines of the project here, but there is a lot more to dig into — starting with the technical documents published by the two companies. They reveal a lot about what Apple and Google are actually trying to do with this sensitive data, and where the project falls short. So we took a dive into those filings and tried to answer the twelve most pressing questions, starting at the absolute beginning:

What does this do?

When someone gets sick with a new disease like this year’s coronavirus, public health workers try to contain the spread by tracking down and quarantining everyone that infected person has been in contact with. This is called contact-tracing, and it’s a crucial tool in containing outbreaks. Essentially, Apple and Google have built an automated contact-tracing system. It’s different from conventional contact-tracing, and probably most useful when combined with conventional methods. Most importantly, it can operate at a far greater scale than conventional contact tracing, which will be necessary given how far the outbreak has spread in most countries. Because it’s coming from Apple and Google, some of this functionality will also eventually be built in to Android and iPhones at an OS-level.
That makes this technical solution potentially available to more than three billion phones around the world — something that would be impossible otherwise. It’s important to note that what Apple and Google are working on together is a framework and not an app. They’re handling the plumbing and guaranteeing the privacy and security of the system, but leaving the building of the actual apps that use it to others.

How does it work?

In basic terms, this system lets your phone log other phones that have been nearby. As long as this system is running, your phone will periodically blast out a small, unique, and anonymous piece of code, derived from that phone’s unique ID. Other phones in range receive that code and remember it, building up a log of the codes they’ve received and when they received them. When a person using the system receives a positive diagnosis, they can choose to submit their ID code to a central database. When your phone checks back with that database, it runs a local scan to see whether any of the codes in its log match the IDs in the database. If there’s a match, you get an alert on your phone saying you’ve been exposed. That’s the simple version, but you can already see how useful this kind of system could be. In essence, it lets you record points of contact (that is, the exact thing contact tracers need) without collecting any precise location data and maintaining only minimal information in the central database.

How do you submit that you’ve been infected?

The released documents are less detailed on this point. It’s assumed in the spec that only legitimate healthcare providers will be able to submit a diagnosis, to ensure only confirmed diagnoses generate alerts. (We don’t want trolls and hypochondriacs flooding the system.) It’s not entirely clear how that will happen, but it seems like a solvable problem, whether it’s managed through the app or some sort of additional authentication before an infection is centrally registered.
How does the phone send out those signals?

The short answer is: Bluetooth. The system is working off the same antennas as your wireless earbuds, although it’s the Bluetooth Low Energy (BLE) version of the spec, which means it won’t drain your battery quite as noticeably. This particular system uses a version of the BLE Beacon system that’s been in use for years, modified to work as a two-way code swap between phones.

[Figure: The workflow for broadcasting codes over Bluetooth, as displayed in the system’s Bluetooth spec]

How far does the signal reach?

We don’t really know yet. In theory, BLE can register connections as far as 100 meters away, but it depends a lot on specific hardware settings and it’s easily blocked by walls. Many of the most common uses of BLE — like pairing an AirPods case with your iPhone — have an effective range that’s closer to six inches. Engineers on the project are optimistic that they can tweak the range at the software level through “thresholding” — essentially, discarding lower-strength signals — but since there’s no actual software yet, most of the relevant decisions have yet to be made. At the same time, we’re not entirely sure what the best range is for this kind of alert. Social distancing rules typically recommend staying six feet away from others in public, but that could easily change as we learn more about how the novel coronavirus spreads. Officials will also be wary of sending out so many alerts that the app becomes useless, which could make the ideal range even smaller.

So it’s an app?

Sort of. In the first part of the project (aimed to be finished by mid-May), the system will be built into official public health apps, which will send out the BLE signals in the background. Those apps will be built by state-level health agencies not tech companies, which means the agencies will be in charge of a lot of important decisions about how to notify users and what to recommend if a person has been exposed.
Eventually, the team hopes to build that functionality directly into the iOS and Android operating systems, similar to a native dashboard or a toggle in the Settings menu. But that will take months, and it will still prompt users to download an official public health app if they need to submit information or receive an alert.

Is this really secure?

Mostly, it seems like the answer is yes. Based on the documents published Friday, it will be pretty hard to work back to any sensitive information based solely on the Bluetooth codes, which means you can run the app in the background without worrying that you’re compiling anything that’s potentially incriminating. The system itself doesn’t personally identify you and doesn’t log your location. Of course, the health apps that use that system will eventually need to know who you are if you are to upload your diagnosis to health officials.

Could hackers use this system to make a big list of everybody who has had the disease?

This would be very difficult, but not impossible. The central database stores all the codes sent out by infected people while they were contagious (that’s what your phone is checking against), and it’s entirely plausible that a bad actor could get those codes. The engineers have done a good job ensuring that you can’t work directly from those codes to a person’s identity, but it’s possible to envision some scenarios in which those protections break down.

[Figure: A diagram from the cryptography white paper, explaining the three levels of key]

To explain why, we have to get a bit more technical. The cryptography spec lays out three levels of keys for this system: a private master key that never leaves your device, a daily tracing key generated from the private key, and then the string of “proximity IDs” that are generated by the daily key. Each of these steps is performed through a cryptographically robust one-way function — so you can generate a proximity key from a daily key, but not the other way around.
More importantly, you can see which proximity keys came from a specific daily key, but only if you start with the daily key in hand. The log on your phone is a list of proximity IDs (the lowest level of key), so they aren’t much good on their own. If you test positive, you share even more, posting the daily keys for every day you were contagious. Because those daily keys are now public, your device can do the math and tell you if any of the proximity IDs in your log came from that daily key; if they did, it generates an alert. As cryptographer Matt Tait points out, this leads to a meaningful privacy reduction for people who test positive on this system. Once those daily keys are public, you can find out which proximity IDs are associated with a given ID. (Remember, that’s what the app is supposed to do in order to confirm exposure.) While specific applications can limit the information they share and I’m sure everyone will do their best, you’re now outside the hard protections of encryption. It’s possible to imagine a malicious app or Bluetooth sniffing network that collects proximity IDs in advance, connecting them with specific identities and later correlating them to daily keys scraped from the central list. It would be hard to do this and it would be even harder to do it for every single person on the list. Even then, all you would get from the server is the last 14 days worth of codes. (That’s all that’s relevant to contact tracing, so it’s all the central database stores.) But it wouldn’t be flatly impossible, which is usually what you’re going for in cryptography. To sum it up: it’s hard to absolutely guarantee someone’s anonymity if they share that they’ve tested positive through this system. But in the system’s defense, this is a difficult guarantee to make under any circumstances. 
Under social distancing, we’re all limiting our personal contacts, so if you learn you were exposed on a particular day, the list of potential vectors will already be fairly short. Add in the quarantine and sometimes hospitalization that come with a COVID-19 diagnosis, and it’s very difficult to keep medical privacy completely intact while still warning people who may have been exposed. In some ways, that tradeoff is inherent to contact tracing. Tech systems can only mitigate it. Plus, the best method of contact tracing we have right now involves humans interviewing you and asking who you’ve been in contact with. It’s basically impossible to build a completely anonymous contact tracing system.

Could Google, Apple, or a hacker use it to figure out where I’ve been?

Only under very specific circumstances. If someone is collecting your proximity IDs and you test positive and decide to share your diagnosis and they perform the whole rigamarole described above, they could potentially use it to link you to a specific location where your proximity IDs had been spotted in the wild. But it’s important to note that neither Apple nor Google are sharing information that could directly place you on a map. Google has a lot of that information and the company has shared it at an aggregated level, but it’s not a part of this system. Google and Apple may know where you are already, but they’re not connecting that information to this dataset. So while an attacker might be able to work back to that information, they would still end up knowing less than most of the apps on your phone.

Could someone use this to figure out who I’ve been in contact with?

This would be significantly more difficult. As mentioned above, your phone is keeping a log of all the proximity IDs it receives, but the spec makes clear that the log should never leave your phone. As long as your specific log stays on your specific device, it’s protected by the same device encryption that protects your texts and emails.
Even if a bad actor stole your phone and managed to break through that security, all they would have are the codes you received, and it would be very difficult to figure out who those keys originally came from. Without a daily key to work from, they would have no clear way to correlate one proximity ID to another, so it would be difficult to distinguish a single actor in the mess of Bluetooth trackers, much less figure out who was meeting with who. And crucially, the robust cryptography makes it impossible to directly derive the associated daily key or the associated personal ID number.

What if I don’t want my phone to do this?

Don’t install the app, and when the operating systems update over the summer, just leave the “contact tracing” setting toggled off. Apple and Google insist that participation is voluntary, and unless you take proactive steps to participate in contact tracing, you should be able to use your phone without getting involved at all.

Is this just a surveillance system in disguise?

This is a tricky question. In a sense, contact tracing is surveillance. Public health work is full of medical surveillance, simply because it’s the only way to find infected people who aren’t sick enough to go to a doctor. The hope is that, given the catastrophic damage already done by the pandemic, people will be willing to accept this level of surveillance as a temporary measure to stem further spread of the virus. A better question is whether this system is conducting surveillance in a fair or helpful way. It matters a lot that the system is voluntary, and it matters a lot that it doesn’t share any more data than it needs to. Still, all we have right now is the protocol, and it remains to be seen whether governments will try to implement this idea in a more invasive or overbearing way.

Source: Answering the 12 biggest questions about Apple and Google’s new coronavirus tracking project (The Verge)
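
The three-level key hierarchy and the on-phone matching described in the post above, as an added sketch that is not part of the original post and is not Apple's or Google's code. HMAC-SHA256 stands in for the spec's one-way functions; the labels, key sizes, day numbers and function names are assumptions chosen for illustration, and the 15-minute rotation is the figure quoted earlier in the thread.

```python
import hashlib
import hmac
import os

ID_LEN = 16               # bytes per derived key / broadcast ID (assumed size)
INTERVALS_PER_DAY = 96    # one ID per 15 minutes, the rotation quoted in the thread
MINUTES_PER_INTERVAL = 15


def _derive(parent_key: bytes, label: bytes, counter: int) -> bytes:
    """One-way step: HMAC-SHA256 keyed by the parent key, truncated.

    Knowing the output does not reveal parent_key, which is the property
    the article relies on at both levels of the hierarchy.
    """
    msg = label + counter.to_bytes(4, "big")
    return hmac.new(parent_key, msg, hashlib.sha256).digest()[:ID_LEN]


def daily_key(master_key: bytes, day: int) -> bytes:
    """Level 2: per-day key derived from the master key that stays on the device."""
    return _derive(master_key, b"demo-daily", day)      # label is illustrative


def proximity_id(day_key: bytes, interval: int) -> bytes:
    """Level 3: the rotating ID actually broadcast over Bluetooth."""
    return _derive(day_key, b"demo-proximity", interval)  # label is illustrative


def find_exposures(heard_ids, published_daily_keys):
    """Phone-side matching, done locally against the downloaded key list.

    heard_ids: set of proximity IDs this phone received.
    published_daily_keys: iterable of (day, daily_key) shared by diagnosed users.
    Returns {day: [interval, ...]} for each published key that explains a heard ID.
    """
    hits = {}
    for day, key in published_daily_keys:
        for interval in range(INTERVALS_PER_DAY):
            if proximity_id(key, interval) in heard_ids:
                hits.setdefault(day, []).append(interval)
    return hits


def exposure_minutes(hits):
    """Rough exposure duration per day: matched intervals times interval length."""
    return {day: len(ivs) * MINUTES_PER_INTERVAL for day, ivs in hits.items()}


def demo():
    """Constructed scenario: Bob's phone hears Alice and Carol; only Alice reports."""
    alice_master = os.urandom(32)
    carol_master = os.urandom(32)
    day1, day2 = 18363, 18364   # constructed day numbers

    bob_log = set()
    for interval in (40, 41, 42):                       # 45 minutes near Alice
        bob_log.add(proximity_id(daily_key(alice_master, day1), interval))
    bob_log.add(proximity_id(daily_key(alice_master, day2), 10))
    bob_log.add(proximity_id(daily_key(carol_master, day1), 40))

    # Alice shares only the daily key for the day she was contagious.
    published = [(day1, daily_key(alice_master, day1))]
    hits = find_exposures(bob_log, published)
    return hits, exposure_minutes(hits), len(bob_log)


if __name__ == "__main__":
    hits, minutes, log_size = demo()
    print("log entries:", log_size)
    print("matched intervals:", hits)
    print("exposure minutes:", minutes)
```

Alice's day-two ID and Carol's ID stay in Bob's log as opaque values: without the corresponding daily key, nothing ties them to each other or to the matched entries.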
This topic is now archived and is closed to further replies.