Will you download the contact tracing app?

gabeeg

plodder wrote: »

It's not an exact science because Bluetooth wasn't designed to measure distance, but walls will cause the signal to be attenuated, as if you were a longer distance away and that is what you want.

I know they are constantly updating the data they have about individual phones as they do vary. I think it's likely that some false positives will occur.

I think it would be better to at least install the app and not provide your phone number if you are concerned about this. If you get an exposure notification you can decide what to do about it then, without any danger of people knocking on your door.

Good shout. Thanks

plodder

KyussB wrote: »

That certainly makes it harder alright. It's still usable to track, and there is potential to be able to time the switches (even though a 10 min random variance is a lot), but if there aren't too many other devices around, it should be quite trackable.

"Quite trackable".

Sure, you could walk around the place with your headphones and detector equipment and follow people around recording their random ids as they change every 15 minutes. But, I think you would attract attention ... to say the least

which is to say it is completely impractical and not really trackable at all.

harr wrote:

I was just thinking that this morning, what’s stopping a group of teenagers downloading it messing about with it , if even a group of ten people were acting the bollox with it in a small town it would leave a lot of the population of that town thinking they were exposed.

You need to enter a special code before you can notify that you were exposed and you only get this from a GP or someone else in the HSE.

Higgins5473

GarIT wrote: »

They were lying about tech and making up some mad cap theories. I studied wireless communications as part of my degree.

Which bit was the lie and which bit was the mad cao theory and what knowledge do you have that says otherwise? What you did in a degree in wireless coms, even if you finished last month has probably changed since.

“ The latest Bluetooth version, Bluetooth 5 allows low-energy transmissions offering data range for more range. The theoretically proven range for Bluetooth 5 for a maximum of around 800 feet which is up to four times the range of Bluetooth 4.2 LE.”

That’s not far off what he said in his first paragraph

micks_address

harr wrote: »

I was just thinking that this morning, what’s stopping a group of teenagers downloading it messing about with it , if even a group of ten people were acting the bollox with it in a small town it would leave a lot of the population of that town thinking they were exposed.

You need a code from HSE to enter in app if you test positive... Kids wouldn't have code's...so the app shouldn't have false positives

NegativeCreep

ACitizenErased wrote: »

No, the app comes into use when you’re contacted by the contact tracing team

I’m being very dumb today. Maybe I need more coffee. But how does it know if I’ve come into contact with someone with COVID then? Are they relying on the self reported symptoms you can put in once a day?

KyussB

listermint wrote: »

In fairness youve no interest in whats technically possible. Lets discuss was remotely possible, with the equipment, skills, need, why bother... all of the above.

The latter is a discussion of what's technically possible...

listermint

ELM327 wrote: »

Both are equally true.
:rolleyes::rolleyes:

You go nowhere but are afraid of the government tracing your movements.


Both are equally true. .. ? right.

NegativeCreep

NegativeCreep wrote: »

I’m being very dumb today. Maybe I need more coffee. But how does it know if I’ve come into contact with someone with COVID then? Are they relying on the self reported symptoms you can put in once a day?

Never mind. I see you get a unique code from the HSE and that allows you to share your close contacts found by the phone

listermint

KyussB wrote: »

The latter is a discussion of what's technically possible...

Can you infer multiple reasons for lets face it, going to substantial investment in time and money to achieve whats technically possible.

Stark

NegativeCreep wrote: »

I’m being very dumb today. Maybe I need more coffee. But how does it know if I’ve come into contact with someone with COVID then? Are they relying on the self reported symptoms you can put in once a day?

The HSE will give the person who tested positive for Covid a code to enter into their app. That will allow the app to upload the IDs it generated over the past 14 days. Other apps (including yours) can then download those IDs from the server and check them against IDs it's recorded as seen. If there's a match, it will notify you.

ACitizenErased

NegativeCreep wrote: »

I’m being very dumb today. Maybe I need more coffee. But how does it know if I’ve come into contact with someone with COVID then? Are they relying on the self reported symptoms you can put in once a day?

No. You test positive. The contact tracing team contact you as always. Do you have the app? Yes. They give you the access code which you enter on the contact tracing tab on the app. The app stores all people you’ve been in contact with for more than 15 mins within 2 metres for the last two weeks. Data is uploaded and people are anonymously notified.

ELM327

listermint wrote: »

Probably should have just put that in your

" I WONT BE DOWNLOADING THE APP"

opening post, but sure that wouldnt get responses i suppose.


Although in your condition surely interesting to get easy access to all the stats. I would have thought... but sure look.

Don't see why my post has been altered and capitalized by you.
I suppose, sensationalism doesnt work well when you accurately attribute quotes

KyussB

plodder wrote: »

"Quite trackable".

Sure, you could walk around the place with your headphones and detector equipment and follow people around recording their random ids as they change every 15 minutes. But, I think you would attract attention ... to say the least

which is to say it is completely impractical and not really trackable at all.

Well, it seems like the switchvoer is vulnerable to a timing attack. Not everyones id will switch at the same time, so there is a window (I don't know how short) to detect switchovers for a specific person.

If there's a technical means of doing this that gets verified, it won't be long before a practical/discreet solution is developed for doing this.

plodder

NegativeCreep wrote: »

I’m being very dumb today. Maybe I need more coffee. But how does it know if I’ve come into contact with someone with COVID then? Are they relying on the self reported symptoms you can put in once a day?

No. Everyone's phone creates these random ids every 10-20 minutes and is listening out for other people's ids. If you are in contact with someone for more then 15 minutes, your phone records their id (at that time) on your phone for 14 days.

If someone reports that they have the virus, they are allowed to upload all of the ids that they came in contact with for the last 14 days. Everyone's phone checks the list of uploaded ids every day to see if it matches one that you have stored. If there is a match that means you will get an exposure notification. But it doesn't tell you anything else about, who, where or when it happened.

KyussB

GarIT wrote: »

They were lying about tech and making up some mad cap theories. I studied wireless communications as part of my degree.

Missed this post: What, precisely, did I say that was a lie?

A wireless comm degree? Sure you do...random anaonymous internet person...I have a PhD in astrobiology-slash-wirelss-comm-rocket-surgery myself! /s

techdiver

Riflecreek wrote: »

Downloaded it this morning. Have to laugh at the self absorbed clowns worried about their "privacy". Muppets.

The same people who will post the conspiracies about the dangers of this app on, wait for it..... Facebook!

plodder

KyussB wrote: »

Well, it seems like the switchvoer is vulnerable to a timing attack. Not everyones id will switch at the same time, so there is a window (I don't know how short) to detect switchovers for a specific person.

You may be able to detect a switch-over for a person, but so what? They had one random id before and now they have a different one. What does it get you? Nothing.

You would literally have to follow the person around to track them every time it changes .... but you would be following them around, which doesn't require bluetooth.

If there are flaws in this system it will be due to bugs in software, but bugs can be fixed quickly.

Pistachio19

Oh well, after posting last night that my device doesn't support it, and getting advice to update phone, which I did, I tried it this morning again and still no joy. Finally discovered while listening to Today FM earlier that my ancient iphone5 is too old for the app :-(

Arrival

Downloaded it, seems fairly decent and straightforward

KyussB

listermint wrote: »

Can you infer multiple reasons for lets face it, going to substantial investment in time and money to achieve whats technically possible.

It doesn't necessarily have to cost that much - and e.g. a private detective lets say, would probably fork out a lot of money for tech like that. Sure look at the expenses police forces and private security contractors fork out on similar stuff.

I'm not saying any of this is definite or practical yet - but I certainly have little in faith in what I've seen of if so far.

FionnK86

Signed up this morning and shared with my family whatsapp. Brother shared it on his facebook after that.

Buddy of his said he wouldn't let HSE have his data, same genius who posted his new mobile number after losing his old one on the beer in town sunday.

KyussB

plodder wrote: »

You may be able to detect a switch-over for a person, but so what? They had one random id before and now they have a different one. What does it get you? Nothing.

You would literally have to follow the person around to track them every time it changes .... but you would be following them around, which doesn't require bluetooth.

If there are flaws in this system it will be due to bugs in software, but bugs can be fixed quickly.

The first two paragraphs are certainly true - you would have to be following someone, and that's the situation I'm considering here - potentially you could be reliably following them from a very far distance, which is still a big privacy concern in a lot of ways.

Rather than being a bug, though - it seems like a design fault, that I'm not sure how they would fix.

So, which one of us with get a notification first?

My monies on Beasty. I hear they get around a bit.

KyussB

So, I've read up on it a bit more and it appears to use the exposure API:
https://en.wikipedia.org/wiki/Exposure_Notification

This is brand new tech guys - and it's only had 2-3 months worth of public security scrutiny, which is a very very short time period. It's common in software, for stuff to be around for decades, and then suddenly critical security issues are found that people missed for that whole period of time...

So yea, while this is no doubt going to get a ton of immediate scrutiny, it's still early days and imo it doesn't look good. Not touching it with a barge pole.

There is already a disputed security disclosure about the framework - which doesn't seem to be settled yet:
https://nvd.nist.gov/vuln/detail/CVE-2020-13702

Way too early to consider this privacy safe.

circadian

ELM327 wrote: »

I will not be downloading this.

Excellent contribution. Well done you.

KyussB wrote: »

Ya privacy is so passé these days.

So judging by how this works, if any private person can identify your unique id, they can track where you are in person by pinging your phone - possibly requiring a bit of extra tech to do this, for range and directionality, but nothing as complicated as e.g. the stingray networks for mobile phones.

So it seems rather like it's only a matter of time before someone writes an app for that, in short order.

So much conjecture, so little fact. If you knew anything about this then you'd know two things.


1. Doing anything like you suggested would be expensive both financially and time wise.


2. On the point of cost, the cost to benefit ratio of the anonymised data available from somehow successfully doing what you suggested is absolutely not worth the investment.


If you really want to gather information on people just set up an open WiFi hotspot and start packet capturing everything that comes in from people who leave their settings to "connect to all open networks" or whatever.

Gael23 wrote: »

No, huge invasion of privacy and amazes me how it can possibly be GDPR compliant

Oh, hi there Gael23. Remember I asked a few days ago if you had a technical opinion on how it was a huge invasion of privacy? Just to jog your memory here is the post in question;

circadian wrote: »

Feel free to give us your technical explanation of this. Source code is freely available on Github if you so wish to take a look.

KyussB wrote: »

That certainly makes it harder alright. It's still usable to track, and there is potential to be able to time the switches (even though a 10 min random variance is a lot), but if there aren't too many other devices around, it should be quite trackable.

Feel free to demonstrate a proof of concept of this, considering you're so certain that this is an easy possibility.

ELM327 wrote: »

So the government will know everywhere i've been? And with who?


This is brought in under the guise of health but in a few years will be standard and used against you.

The app doesn't use location services, so no the government won't know everywhere you've been. If you have the app installed and are confirmed to be a case then you can still opt-out of using the tracing code the HSE provide you with to start the tracing. Even then, when you are alerted through the app that you were in contact with a case, there is absolutely no personally identifying information until you contact the HSE.

Higgins5473 wrote: »

Coming from someone who doesn’t particularly care about my personal data and has no notions about what the government are going to do with it, this ‘tinfoil hat’ response stuff is getting ridiculously tiresome, particularly when the post you were replying just seemed to detailing tech and not some mad cap theories.

The comments in question show a complete misunderstanding of the technology.

KyussB wrote: »

The latter is a discussion of what's technically possible...

Again, please feel free to go into detail about how this is possible. I'm sure the developers would be delighted to be informed of any security vulnerabilities on their product.


Nothing is 100% secure, this is a fact. However, what you're suggesting isn't worth it. Also, what personal data does this app store that is of concern?

Keyzer

irishguy1983 wrote: »

Have not looked into this too much but does the privacy argument really hold up? Like are FB, google, not tracking my every movement anyway? Does it make a difference?

That was my point...

GarIT

Higgins5473 wrote: »

Which bit was the lie and which bit was the mad cao theory and what knowledge do you have that says otherwise? What you did in a degree in wireless coms, even if you finished last month has probably changed since.

“ The latest Bluetooth version, Bluetooth 5 allows low-energy transmissions offering data range for more range. The theoretically proven range for Bluetooth 5 for a maximum of around 800 feet which is up to four times the range of Bluetooth 4.2 LE.”

That’s not far off what he said in his first paragraph

That is singal strength in a lab, with no other signals around, with a huge antenna and powerful transmitter. They have a whole building for it in MU. And tech might change, but I keep up to date and physics doesn't change often.

The contact tracing API that Apple and Google developed used by the app does not transmit on full power.

Anything that has been claimed to be done can be done much easier using WiFi, or Bluetooth without the app being involved. Your Bluetooth and WiFi send out unique identifiers that don't change and have a longer range.

The poster is talking about using equipment on the scale of a mobile phone mast which has much less function that just using a mobile phone mast.

plodder

KyussB wrote: »

The first two paragraphs are certainly true - you would have to be following someone, and that's the situation I'm considering here - potentially you could be reliably following them from a very far distance, which is still a big privacy concern in a lot of ways.

Rather than being a bug, though - it seems like a design fault, that I'm not sure how they would fix.

No seriously, you can't assume a design fault when you identify a "flaw" that is easier to exploit some other way, especially when that other way is not easy at all, eg following someone around the place all day.

As regards the tech being new, what did you expect concerning a virus that hardly anyone knew about seven months ago?

KyussB

circadian wrote: »

So much conjecture, so little fact. If you knew anything about this then you'd know two things.


1. Doing anything like you suggested would be expensive both financially and time wise.


2. On the point of cost, the cost to benefit ratio of the anonymised data available from somehow successfully doing what you suggested is absolutely not worth the investment.


If you really want to gather information on people just set up an open WiFi hotspot and start packet capturing everything that comes in from people who leave their settings to "connect to all open networks" or whatever.
...
Feel free to demonstrate a proof of concept of this, considering you're so certain that this is an easy possibility.
...
Again, please feel free to go into detail about how this is possible. I'm sure the developers would be delighted to be informed of any security vulnerabilities on their product.


Nothing is 100% secure, this is a fact. However, what you're suggesting isn't worth it. Also, what personal data does this app store that is of concern?

Well look at my other posts - I've researched the tech, and figured out a likely flaw that makes it trackable - and separately found an active/disputed CVE on the framework it uses - in pretty much no time...

There are many who have use for such potential flaws where expense doesn't matter - and we haven't established that it would be burdensome/expensive either - if these vulnerabilities are real, it doesn't seem like the basic hardware should cost that much to me...

I've got a job, thanks. Anyone who wants an easy bug bounty can do the POC - I've seen enough to steer clear.

KathleenGrant

Get Real wrote: »

Another misunderstanding of GDPR.

Also, from boards alone, you're voluntarily giving information on 2 medical conditions, that you did your LC in 2010. You have a Sivek investment fund. You did ordinary Level Maths. You were due to go on holiday last month and you're a Vodafone customer.

Is that you Sherlock Holmes?

spookwoman

FionnK86 wrote: »

Signed up this morning and shared with my family whatsapp. Brother shared it on his facebook after that.

Buddy of his said he wouldn't let HSE have his data, same genius who posted his new mobile number after losing his old one on the beer in town sunday.

Might want to tell him to get in touch with his doc, hospital etc cause if he's sought medical treatment they will have his details.

hmmm

KyussB wrote: »

So yea, while this is no doubt going to get a ton of immediate scrutiny, it's still early days and imo it doesn't look good. Not touching it with a barge pole.

There is already a disputed security disclosure about the framework - which doesn't seem to be settled yet:
https://nvd.nist.gov/vuln/detail/CVE-2020-13702

Way too early to consider this privacy safe.

These are very minor issues in the greater scheme of things. If you're worried that someone may be trying to track you through the method described in CVE-2020-13702 you should really get rid of your phone. The in-built location technology on the operating system will already reveal your location to anyone who is really interested in tracking you, and there is also cell triangulation of the phone itself even if you disable this. Let's not even start on the 5G death rays.

If you're an international drug smuggler, or a KGB spy, I probably wouldn't install this. If you're someone worried that the HSE might know you were meeting the lads down the pub on Friday, you're really not that important.

GarIT

KyussB wrote: »

The first two paragraphs are certainly true - you would have to be following someone, and that's the situation I'm considering here - potentially you could be reliably following them from a very far distance, which is still a big privacy concern in a lot of ways.

Rather than being a bug, though - it seems like a design fault, that I'm not sure how they would fix.

"Very far distance". Up to 800m with an antenna the size of your house, powered by a big generator, only if you are in an area with no trees, no buildings, no WiFi, no cordless phones, no headphones, no smart watches. And the app restricts the phones Bluetooth transmitter to a shorter range/low power reducing it even further. If you can achieve 10 meters in any location where you couldn't just follow someone with your eyes you'd be breaking world records.

ixoy

KyussB wrote: »

Well look at my other posts - I've researched the tech, and figured out a likely flaw that makes it trackable - and separately found an active/disputed CVE on the framework it uses - in pretty much no time...

Do you think that none of the many experienced, highly-qualified engineers working on these projects haven't seen and considered these?

KathleenGrant

I downloaded it. Sure I have absolutely no filter and tell even random strangers stuff about myself all the time.
I also am a very ordinary person living a mundane life, who has no money or assets and is not involved in shady dealings of any kind. Tracking me and my movements would cure insomnia.

GarIT

KyussB wrote: »

A wireless comm degree? Sure you do...random anaonymous internet person...I have a PhD in astrobiology-slash-wirelss-comm-rocket-surgery myself! /s

I didn't say I had a wireless comms degree. I said I studied wireless comms as part of my CS degree. In Maynooth, the place with the big wireless comms research centre.

Yes sure I posted about what I'm studying 5 years ago and included IT in my bloody username in preparation to argue with you on this day

Bridge93

Its such a shame that the tech scientists and programmers at Apple and Google were't aware of the obvious GDPR breaches and hacking capabilities of the app that are so severe they make the app unsafe and unusable from the start.

Or maybe they know better than a few anonymous Boards accounts, some of whom have a posting history of rejecting everything related to covid so far. All tech has work ons. But these are small considerations in the grand scheme of things. I feel confident that a bunch of lads in Russia arent following me sitting on my couch working and would rather do my bit to further help with the suppression of this virus

MrMusician18

KyussB wrote: »

So, I've read up on it a bit more and it appears to use the exposure API:
https://en.wikipedia.org/wiki/Exposure_Notification

This is brand new tech guys - and it's only had 2-3 months worth of public security scrutiny, which is a very very short time period. It's common in software, for stuff to be around for decades, and then suddenly critical security issues are found that people missed for that whole period of time...

So yea, while this is no doubt going to get a ton of immediate scrutiny, it's still early days and imo it doesn't look good. Not touching it with a barge pole.

There is already a disputed security disclosure about the framework - which doesn't seem to be settled yet:
https://nvd.nist.gov/vuln/detail/CVE-2020-13702

Way too early to consider this privacy safe.

What aspect of your privacy do you think this will impinge on?

Android and IOS are relatively new, do you shun both those as well?

KyussB

GarIT wrote: »

That is singal strength in a lab, with no other signals around, with a huge antenna and powerful transmitter. They have a whole building for it in MU. And tech might change, but I keep up to date and physics doesn't change often.

The contact tracing API that Apple and Google developed used by the app does not transmit on full power.

Anything that has been claimed to be done can be done much easier using WiFi, or Bluetooth without the app being involved. Your Bluetooth and WiFi send out unique identifiers that don't change and have a longer range.

The poster is talking about using equipment on the scale of a mobile phone mast which has much less function that just using a mobile phone mast.

GarIT wrote: »

"Very far distance". Up to 800m with an antenna the size of your house, powered by a big generator, only if you are in an area with no trees, no buildings, no WiFi, no cordless phones, no headphones, no smart watches. And the app restricts the phones Bluetooth transmitter to a shorter range/low power reducing it even further. If you can achieve 10 meters in any location where you couldn't just follow someone with your eyes you'd be breaking world records.

You're talking nonsense - here are some lads getting 700m open air with a drone and a basic antennae:
https://www.youtube.com/watch?v=w4PbxVwg83M

Nijmegen

I'm finding some social media posts about not installing the app very amusing, given what's involved in signing up to a social media platform and the tracking they do on you across devices.

The Nal

Nijmegen wrote: »

I'm finding some social media posts about not installing the app very amusing, given what's involved in signing up to a social media platform and the tracking they do on you across devices.

There are a lot of halfwits out there who don't seem to realise than most apps know your location and google know about every step you take.

KyussB

plodder wrote: »

No seriously, you can't assume a design fault when you identify a "flaw" that is easier to exploit some other way, especially when that other way is not easy at all, eg following someone around the place all day.

As regards the tech being new, what did you expect concerning a virus that hardly anyone knew about seven months ago?

Security vulnerabilities aren't classed relative to the existence of other security vulnerabilities. If you're already easily trackable due to other means, it doesn't make a new means of tracking any less of a vulnerability - that's not how it works.

Potentially being able to reliably follow someone at a large distance is a privacy/security issue.

ACitizenErased

Just passed the 300k mark on iOS, thats quite impressive

KyussB

KyussB wrote: »

It doesn't necessarily have to cost that much - and e.g. a private detective lets say, would probably fork out a lot of money for tech like that. Sure look at the expenses police forces and private security contractors fork out on similar stuff.

I'm not saying any of this is definite or practical yet - but I certainly have little in faith in what I've seen of if so far.

You were the poster the other week making up stuff about your employer spying on you when you WFH weren't you? Just be honest, no matter what this app is/does you'd be on here whinging about it, making up all sorts of crazy implausible scenarios and providing absolutely nothing in the way of evidence.

ACitizenErased

ACitizenErased wrote: »

Just passed the 300k mark on iOS, thats quite impressive

On a quick tot up on my abacus of people in the country over the age of 15 I make it over 13% have downloaded it.
Less than 24 hours in.

KyussB

ixoy wrote: »

Do you think that none of the many experienced, highly-qualified engineers working on these projects haven't seen and considered these?

Do you know a single bit of software without a security vulnerability?

owlbethere

I couldn't give a rats arse about data and privacy etc. OK, some degree I do but not in relation to the COVID app. I view it as an important tool in tackling the virus. There's no second chances with this virus. For me what scares me the most about the virus is the long tail illness and the potential for being incapacitated for a few months. So I'm for everything that will help in tackling the virus.

plodder

GarIT wrote: »

"Very far distance". Up to 800m with an antenna the size of your house, powered by a big generator, only if you are in an area with no trees, no buildings, no WiFi, no cordless phones, no headphones, no smart watches. And the app restricts the phones Bluetooth transmitter to a shorter range/low power reducing it even further. If you can achieve 10 meters in any location where you couldn't just follow someone with your eyes you'd be breaking world records.

You could probably use one of these maybe. Just switch a few of the wires around, it'll work for bluetooth then ... defo .. wouldn't look at all suspicious either ..

KyussB

Bridge93 wrote: »

Its such a shame that the tech scientists and programmers at Apple and Google were't aware of the obvious GDPR breaches and hacking capabilities of the app that are so severe they make the app unsafe and unusable from the start.

Or maybe they know better than a few anonymous Boards accounts, some of whom have a posting history of rejecting everything related to covid so far. All tech has work ons. But these are small considerations in the grand scheme of things. I feel confident that a bunch of lads in Russia arent following me sitting on my couch working and would rather do my bit to further help with the suppression of this virus

That's directly lying about past posting history - cite that.

El Weirdo

ACitizenErased wrote: »

Just passed the 300k mark on iOS, thats quite impressive

I think that's 300k for both platforms.