While we aren’t going to discuss it here, I think it’s a strange notion that one person’s privacy should be allowed to trump another person’s life. COVID-19 isn’t going to wipe out the species, as it turns out, but it’s certainly within the realm of possibility that another virus could pose such a threat. Will privacy be allowed to take precedence over the survival of humankind?
It’s a strange notion to me as well, but the reason we’re not going to discuss it further here is that such theoretical conversations—is privacy more important than human life?—never stay theoretical and quickly devolve into political debates that make me crazy. There are other places for such things.
Apple and Google will apparently generate apps for states now.
It’s interesting that the first sentence of the article refers to exposure notification apps while the headline calls them contact tracing apps. To me, this is another example of how the media repeatedly mischaracterize the system developed by Apple and Google. Either the system is useless because it does too little, or it’s too intrusive so no one will want to use it. It’s not surprising to me that adoption has been slow.
Woo—that’s big news, and I hadn’t heard about it before this. @glennf, any word from your contacts at Apple about this?
It is frustrating how many in the media have failed to distinguish clearly between contact tracing and exposure notification. It’s a really big difference, and the Apple-Google system is tremendously well-designed to protect privacy. See what @das wrote about that in
After the update the “Exposure notification” screen showed me “Exposure Logging status” ACTIVE and “Active Region” SWISSCOVID, which is correct. Here in Switzerland the government introduced the SwissCovid app a couple of months ago based on the Apple-Google API.
So exposure notification had correctly identified that I had a COVID exposure app installed. I assume it will be the same in many other European countries, as most use the Apple-Google API.
No. Neither Apple nor Google has a global database.
It’s very simple:
- Your phone generates a random ID. I think it is 64 bits long. It’s long enough that it’s almost impossible for two people to generate the same ID. The ID cannot be used to track the phone or person and it’s generated every fifteen minutes.
- When you are near another phone that has contact tracing turned on for a certain period of time, the two phones exchange these random IDs.
- If someone is tested and is positive, they are given a PIN. Using that PIN, they can let their phone know they’ve tested positive.
- Apple and Google use their notification system to send all the random IDs that phone generated in the last two weeks.
- Your phone receives the notification and checks it against a list of all IDs it exchanged over the last two weeks.
- If there’s a match, your phone alerts you that you have been in contact with someone who tested positive.
Note that no one knows which phone is associated with which IDs. Note that the states aren’t collecting any data associated with this API. Note that not even Apple or Google can determine which phones are associated with which IDs.
It is possible that Apple and Google could be collecting these random IDs when someone tests positive. But…
- You must give permission to allow Apple or Google to collect these IDs via the PIN. Simply having these apps on your phone does nothing.
- There’s no data associated with the IDs. Google and Apple can collect them, but they’re meaningless.
- Apple and Google already have ways they can track your every move. Google especially collects data about your phone and location and apps you use and download and almost every webpage you visit. They don’t need this API to do it.
- The states get nothing. They don’t even get the IDs.
Is that right? I was under the impression that the database of “IDs that correspond to positive tests” was managed by each state via their respective apps. I thought it’s Apple and Google that don’t get any information.
But maybe my assumption is wrong. Most of what I know is based on the documentation from Virginia’s app. I haven’t actually reviewed the APIs used by the app.
The IDs wouldn’t help the states. It could be that the states’ apps report on the user, but the states get that information when someone tests positive whether or not that person uses the app. Apple and Google prohibit contact tracing apps from giving governments any information on the whereabouts of people using the app.
Which phones are using which generated IDs is unknown even to Google or Apple. Your phone generates one every fifteen minutes.
When you test positive, and you allow your app to do so, your phone sends Apple and Google the stream of IDs it used. No personal information is transmitted. Apple and Google send out that stream of data via their notification system to their phones. Your phone looks at this and if one of those IDs matches, your phone will notify you. Neither Apple nor Google knows which phones report back a positive contact, and neither do the states.
It is my understanding this works across state and national boundaries. If two people from two different states or countries using two different contact tracing apps come in contact with each other, the notification system will still work.
All of this was done out of a concern for privacy and the hope that if everyone understood the privacy built into the API, they would be less concerned about being “tracked” by their government.
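The exchange described in the step list and in the reply just above, as an added example that is not part of the thread and is not Apple’s or Google’s code. It follows the published Exposure Notification key schedule in outline (one random Temporary Exposure Key per day, a Rolling Proximity Identifier derived from it for each 10-minute interval, only the daily keys uploaded after a positive test, matching done entirely on the receiving phone) but substitutes HMAC-SHA256 for the spec’s HKDF and AES-128 derivation so it runs on the standard library alone. The phone names, the 14-day retention window, the two-interval (20-minute) notification threshold and the day numbers are constructed for the demonstration and are not taken from any public health authority’s configuration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVALS_PER_DAY = 144        # 10-minute intervals, as in the GAEN spec's ENIntervalNumber
KEY_RETENTION_DAYS = 14        # assumed: keys older than this are never uploaded
MIN_MATCHED_INTERVALS = 2      # assumed PHA threshold: at least 20 minutes of contact


def derive_rpi(tek: bytes, interval: int) -> bytes:
    """Rolling Proximity Identifier for one interval.

    Simplification (assumption): HMAC-SHA256 truncated to 16 bytes stands in for
    the spec's HKDF -> AES-128 construction. The property that matters is kept:
    without the daily key the IDs look random and cannot be linked; with the key
    anyone can recompute them for every interval of that day.
    """
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(tek, msg, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    teks: dict = field(default_factory=dict)       # day -> 16 random bytes, never leaves the phone unless uploaded
    observed: list = field(default_factory=list)   # (interval, rpi) pairs heard over Bluetooth

    def tek_for_day(self, day: int) -> bytes:
        return self.teks.setdefault(day, os.urandom(16))

    def broadcast(self, interval: int) -> bytes:
        """The ID this phone advertises during one interval; it changes every interval."""
        return derive_rpi(self.tek_for_day(interval // INTERVALS_PER_DAY), interval)

    def hear(self, interval: int, rpi: bytes) -> None:
        self.observed.append((interval, rpi))

    def diagnosis_keys(self, today: int) -> list:
        """What is uploaded after a positive test and consent: recent daily keys only.
        No name, phone identifier or location is part of the upload."""
        return [(day, tek) for day, tek in self.teks.items() if today - day < KEY_RETENTION_DAYS]

    def check_exposure(self, published_keys: list) -> bool:
        """Run locally against the published keys; the result never leaves the phone."""
        matched = set()
        for day, tek in published_keys:
            for interval, rpi in self.observed:
                if interval // INTERVALS_PER_DAY == day and derive_rpi(tek, interval) == rpi:
                    matched.add(interval)
        return len(matched) >= MIN_MATCHED_INTERVALS


def simulate() -> dict:
    """Constructed scenario: Alice and Bob share 30 minutes on day 15; Carol met Bob
    only on day 2, which is outside the retention window by the time Bob tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    today = 20

    start = 15 * INTERVALS_PER_DAY + 60
    for interval in range(start, start + 3):
        alice.hear(interval, bob.broadcast(interval))
        bob.hear(interval, alice.broadcast(interval))
        carol.broadcast(interval)                      # nobody in range to hear it

    old = 2 * INTERVALS_PER_DAY + 10
    for interval in range(old, old + 5):
        carol.hear(interval, bob.broadcast(interval))

    keys = bob.diagnosis_keys(today)                   # Bob tests positive and consents to upload
    return {
        "alice_exposed": alice.check_exposure(keys),
        "carol_exposed": carol.check_exposure(keys),
        "bob_self": bob.check_exposure(keys),
        "uploaded_days": sorted(day for day, _ in keys),
    }


if __name__ == "__main__":
    print(simulate())
```

Two things the simulation makes visible that the prose does not. First, the advertised ID really does change every interval (`derive_rpi(tek, i) != derive_rpi(tek, i + 1)`), so a Bluetooth observer cannot follow one phone across the day. Second, the caveat: once a daily key is published, all of that day’s IDs from that phone become linkable to each other, though still not to a person, which is why only keys from the infectious window are uploaded and why the upload requires explicit consent.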
Given the algorithm you describe (in wonderful detail), why doesn’t Apple/Google allow all of their users to opt in, regardless of whether they have access to a government app? The algorithm you describe doesn’t need an app to report to users that they have been in contact with someone who tested positive.
What you describe is a global distributed database, which Apple/Google do (potentially) have access to (via their respective OSes), though they may have decided not to take advantage of their privileged access.
If you report a positive test from your phone, doesn’t the server that receives the report get your IP address, and doesn’t that (potentially) ID you?
There’s a puzzling sentence in that Fast Company article: “To make sure the system catches exposures across state lines, Apple and Google are working with the Association of Public Health Laboratories on setting up a national server.”
The system requires a server. It doesn’t just work on your phone, which explains why Apple can’t just turn it on for everyone.
In his TidBITS article, David Shayer makes a point that the servers are controlled by Apple and Google, but based on Apple’s documentation of the exposure notification system, I don’t think that’s actually the case. The documentation says that a public health authority (PHA) needs to set up two servers: a test verification server and a key server for exchanging IDs. The verification server obviously needs to be run by the PHA, but it appears the key server is as well.
This would explain the sentence Duane noticed about the national server. The PHA’s server would likely only work within a state, so a national server would be necessary for the system to be useful across state borders.
Exposure Notification Express does exactly this. If a user enables Exposure Logging, they can be notified of exposure even without having an app, as long as their PHA is set up for it.
If my state (Texas) doesn’t support Exposure Notification Express (just as it doesn’t support an app), then I’m still out of luck.
There’s another strange thing about the way the Apple/Google system works. When you try to turn on Exposure Notifications, you get this message: “Your public health authority’s guidelines determine if an exposure is significant enough to notify you and provide next steps.”
Since the system is currently run by the States, rather than the National government, the guidelines could vary from one state to another. In the USA, we could potentially have 50 different guidelines! What do you do if you are exposed while standing on the borderline between two states with conflicting guidelines?
I just tried Turn On Exposure Notifications, selecting United Kingdom. “Exposure notifications have not been turned on for your region by your public health authority”.
I updated to iOS 13.7 on Friday morning and I just turned on Exposure Notifications for Belgium. I received a message (translated from Dutch): “You have already added this region. This public health authority had already been authorized to send you exposure notifications”. So I’m guessing that this was done by default for the whole country: the release of the Belgian app has been announced for this month.
I’ll be skipping this iOS update, and turning off auto update.
Apple and Google assisting overreaching state governments to track us, what could go wrong?
It’s ‘opt-in’, they say? Sure it is, until the next ‘update.’
I don’t know where you got these conspiracy theory ideas, but they are completely untrue and have been proven to be so. I suspect I won’t be able to change your outlook on this, but it’s important that nobody else think this way.
First of all, it’s in no way a “tracking” capability, rather it’s a “contact logging” feature. In order for it to do anything at all you would need to do all these things:
- Install iOS 14
- Install an application provided by a state or local public health organization
- Opt-in or at least not opt-out
Then you would have to be within a certain distance for a minimum amount of time to a self-reported infected person within a prescribed number of days. Or, if you are found to be infected, enter that information into the application so that others who have been logged as in your proximity recently can be notified of that fact (anonymously).
I’m in touch daily with security experts and hackers who have so far assured me that no information whatsoever is communicated anywhere without an activated application. Even between individuals.
So far, all of the very few apps that have been released appear to behave as advertised, but each one will need to be checked in order to verify they aren’t leaking any identification information and to whom.