Thank you. There are some things on that list which are interesting.
- The system will now share the strength of smartphone usersâ Bluetooth signals and allow public health authorities to set their own criteria for what constitutes a âcontact.â
Well, thatâs a start. Carries other security/privacy problems, I guess, but Iâm no expert and currently, thatâs not my focus. There are plenty of people discussing security and privacy of the app, I trust someone will jump on that.
- The companies are now dubbing the technology âexposure notificationâ to distinguish it from traditional contact tracing, in which health officials use patient data and interviews to build a record of people who may have been exposed to an illness.
Thatâs very good. See post above by @gatto.
-
The protocol will share only rough time of shared contact, from a minimum of 5 minutes up to a maximum of 30 minutes, in 5 minute increments.
Interesting, and also encouraging.
- The numbers sent by each phone will now be randomly generated on a daily basis. In the initial proposal, each dayâs key was derived from another number that was tied to a particular device.
Globsend. :sigh:
(Not OneBoxing but this is security expert Bruce Schnierâs statement on contact tracing apps)
https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html
He references this essay:
And this article:
Weâve got a new topic started by @FGD135 on âexposure notificationâ apps over here:
Personally, I am increasingly worried that I might suffer from some kind of Conspiracy Theory -like delusion. One major feature of CT is that the believers think they are the ones who found a fundamental truth while everyone else is living in an illusion.
I must be wrong. @Aciantis must be wrong, too. I mean, itâs physics and some basic knowledge of technology, but we cannot be the only people who realise this cannot be work because of physics and practical implementation of current tech in smartphones. Right?
Even here on BB BBS some more people would realise this is not working. There are techies here. Other user or even contributors/authors maybe even noticed this topic and forwarded the link to someone they know in the industry, or in academia, working on exposure notification or bluetooth or smartphone tech in general. Or a journalist who knows someone.
FTR: I did. I wrote to someone in the media who I assume is interested in the subject.
I got the publishers response that my message was relayed - but nothing else came out of it. (Which adds to my anxiousness and also prompts questioning myself if I am on the loony train.)
Iâm afraid that the obviousness of the non-workability may not be as apparent to those who donât have direct personal experience working with measurement systems at some technical level of specificity, (whether those are implemented as physical mechanisms or statistical). The degree of severity that false negatives and false positive rates poses to obtaining usable data might be easy to miss if those concepts arenât familiar.
The most authoritative (hopefully convincing to a public audience), and succinct description of the problems you are raising is the Bruce Schneier article (previously shared above).
The area that feel like I might be veering into conspiracy minded thinking is around the suspicion that this could be being intentionally misrepresented by players who see opportunities for open ended development contracts and inevitable mission creep.
(eta) The one form of implementation that Iâve heard mentioned that seems at least plausibly secure if not necessarily any more accurate in terms of medical exposure risk, is the model which only keeps potential contact info on ones phone itself - thereby creating a condition for self-reporting of a potential contact event having been detected. Not sure where I saw that referred to, or if itâs being seriously considered anywhere.
I, for one, donât have that. I minored in physics way, way back, and I donât even know basics in electrical engineering. But I can understand what engineers explain to me. And of course I somwhat remember the inverse-square law from school!
Add some common sense and some info on chips and measurements provided above and you arrive at the conclusion that this canât work as intended. I think.
And while I read the links above, neither Schneier nor the BuzzFeed piece nor the Brookings piece do go into anything we discussed here, really. They agree with the engineer I asked and @Aciantis, above, but they donât really dive into why. They are not even asking the right questions.
Thatâs the current model promoted by Gopple (Apgle?), the EU, and others. Minus the UK, of course. Because, why not do British exceptionalism while you can? Oh, right, they always did that? Ok then, nothing to see here. Special relationship, etc.
I donât even get this far. If this isnât working as intended, it is also the fuck not usable for surveillance purposes. All the privacy chatter is moot if this is as bad as I expect. Yuck.
Here we go: someone in the media actually talked to people who do understand Bluetooth, and are as sceptical as expected.
Now, how to raise this to the attention of BB editors?
(I did submit this right away to the main page. Anyone who I should notify here? Is anyone reading this, editors?)
⊠I sort of recall you mentioning somewhere that youâre trained in statistical methods? Thatâs the crucial tech to get the right perspective imho, regardless of the specific tech implementations, (radios, optics, ADCâs - all just tools focusing or constraining probabilities at the end of the day, and how to interpret / make conclusions being the devilish details).
I thought the Schneier post nailed it.
What would you say are more the right questions?
Yeah, bit of a track record on state surveillance there for sure, at least it seems to be pretty out in the open.
Found a few more tech references that seem to back up the conclusions that the intent likely wonât be realized. (this is general BLE stuff and while not all tracking related - the core principles are relevant and maybe can provide some more context for the argument that effective tracing is implausible, if only by illustrating how tricky and costly it can be just to get the stuff to work as a simple comms protocol, (much less a temporal/spatial imager that has any substantial relationship to reality)).
Microwaves & RF article :
Also, because a mobile device transmitter doesnât know the direction of the receiving device, the ideal antenna pattern is typically âisotropicââmeaning that it radiates equally in all directions. Of course, getting to the ideal radiation pattern and TRP is the goal. But realistically the antenna cannot be 100% efficient; the antenna pattern will inevitably have some nulls.
The Anechoic Chamber Guide For EMC and RF (Wireless) Testing (link)
(a view of the insane efforts that involved with establishing a neutral environment for performing reliable RF measurements)
From a discussion of the limitations from a BLE chipmaker. (link)
To date, the only feasible answer to locate a beacon without geo-positioning information is to estimate its distance from the receiver (scanner) based on Received Signal Strength Indicator (RSSI) and RF transmit power. The exercise spits out an approximate proximity, or an âapproximity,â if youâll allow the pun.
Part of the reason is that RF degrades in its environment according to an almost unlimited number of variables (humidity, people density, walls, wall materials, transmit power, adjacent blockers, trees, metal, etc.
I donât know if the fact that itâs a poor medical tool makes me feel secure about this. Privacy measures can be a double-edged sword (esp. if thereâs misplaced trust). What might be terrible for doctors at scale might still have utility for a dissident hunter.
Just shortly: the video linked in the intercept piece seems to pick up on some of the questions.
I havenât come further than the talk of Swarun Kumar, but this is basically the questions I want to have answers to by people who really know their fields: how are we supposed to get the margin of error so low that it is acceptable.
And Kumar gives a first hint at the end of his talk. I hope later talks will go into detail.
Re: statistics - thatâs not tech, thatâs just scientific thinking. And a lot of people are capable of this, also in journalism. Or webcomics.
OK, granted, Randall is the poster child of a certain type of internet intelligent humour. But a lot of people enjoy his comics, and I bet some of those are journous. So, I want journalists to poke the question how on earth are we going to get from a margin of error in measurement of more than three orders of magnitude to a useful result (for an exposure notification app)? And given the hope we put in that tech, the question is bloody pressing.
What do you know, perhaps a more grounded perspective might win the day.
⊠public health officers are typically MDs and PhDs who arenât dazzled by cool-looking software, especially if the pitch comes from people without public health backgrounds. Theyâre uncomfortable deploying untested technology during a pandemic, when glitches can cost lives. âThose of us who have worked in public health for decades kind of cringe when we hear âOh it will be easy. Anyone can do itâ
(Admittedly was probably using âtechâ in the current (legitimately questionable) sense of over-broadly applying the term to any specific method or modality after the fashion of silicon valley hypesters. (otoh, also kind of recall the useage having some prior basis, esp. re. Heideggerâs âTechnikâ and so on).)
That is great, totally printing that and pinning it somewhere. (Some days I feel like Iâm stuck in a recursive loop between type 8 and type 3.)
So who should, then?
The Jesuits?
But honestly, the options are corporations or the government, right? Do we honestly trust either at this moment in time? No. But at the end of the day (and obviously under ideal conditions, which we donât live in), government is accountable to us, while corporations are accountable to their shareholders (or to their owners in the case of a privately held corporation). Itâs likely far easier (even now) to hold government accountable for its fuck ups than to hold a private corporation accountable.
Yes.
What do we want from this information?
To improve public health efforts.
Who is responsible for public health again?
Aliens.
AlwaysâŠ
But we as a society need to start recognizing that the free market canât fix all our ills and stop assuming that we canât make government part of the solution to our collective problems. There is not perfect solution to any of our problems, but the libertarian shift in politics has allowed for-profit corporations to colonize and profit from human misery. The only way to ensure that they donât exploit us is to have a large scale entity that we all have a say in, that can curb the worst tendencies of private industry. Of course, having strong unions would be helpful, too.
I find Type VII errors in my work all the time.
Type VIII is generally referred to as âscienceâ.
I was going to ask âwhat wayâ, but then, I really would like this topic to be about the knowns and unknowns of
Oh gawd.
The developers (oh glob, SAP and Deutsche Telekom - T-Systems, I suppose) of the German Corona warning app (CWA) are on GitHub.
Official news on the stuff, in German, of course:
We are three days into the release of the German Corona Warn App.
I still havenât seen journalists or technicians discussing the technical limitations as discussed above.
But there is plenty of other things moving around.
Norway halted itâs app, due to privacy reasons.
And so on.
