Will you download the contact tracing app?

robinph

enda1 wrote: »

Why is it Irish only? Why haven't they released it internationally for us who will be coming to Ireland shortly? Seems a strange oversight...

(Apple iOS at least, no idea for Android)

You can certainly download it outside of Ireland as it is approved on the UK Android store in order that NI networks can access it. It will also accept mobile numbers from any country to register, but you don't need to enter a number to make use of the app. Entering your number just means that you have pre-approved for the app to upload it to the contact tracers in the event of the app figuring out that you were near to someone who since tested +ive.

irishguy1983

seamus wrote: »

Showing about 350,000 downloads now. Good to see the engagement so high. 25% was the figure thrown around in May. We're already at least at 10%.

Irish people are a whole lot more civil-minded than we give ourselves credit for. The fact that it requires you to basically do nothing also helps

In New Zealand the app originally required you to "check in" to places that you had been in order to track movements. Nice idea, but I couldn't see it working here.

Let’s follow New Zealand

Not going to argue with people who know more about apps/privacy/etc but I am happy to download if it helps even 10%.....Would check in also - I don’t really care who knows what I am up too....

GarIT

SimonTemplar wrote: »

I have location and bluetooth enabled. I opened the app and then disabled location but left bluetooth on. I then got a message from the app saying "Exposure Notifications are off" and that I need to enable location to use this feature.

However, I also note that the Contact Tracing is showing as active in the app itself. So perhaps only part of the functionality doesn't work when location is disabled.

Strange. I know for a while Google was including Bluetooth in location because you can use Bluetooth to work out location if you know the location of other Bluetooth devices but they said they were going to not include it like that for this.

Sconsey

ExMachina1000 wrote: »

Downloaded it just for a look. Dont like it at all. Deleted straight away

More of the same auld sh1te from you I see....won't wear a mask, won't use the app. Looks like every society has to put up with a few who go out of their way to be beligerant, hopefully some day you will cop on.

KyussB

plodder wrote: »

You were pontificating about this before you knew anything about it. You're just a sh!t stirrer.

You're talking shite here - this is my first post in the thread, where I'd already read up on how it works:
https://www.boards.ie/vbulletin/showthread.php?p=113959140

GarIT

robinph wrote: »

You can certainly download it outside of Ireland as it is approved on the UK Android store in order that NI networks can access it. It will also accept mobile numbers from any country to register, but you don't need to enter a number to make use of the app. Entering your number just means that you have pre-approved for the app to upload it to the contact tracers in the event of the app figuring out that you were near to someone who since tested +ive.

Your phone number is just for then to call you to book an appointment if you get a positive match.

enda1

robinph wrote: »

You can certainly download it outside of Ireland as it is approved on the UK Android store in order that NI networks can access it. It will also accept mobile numbers from any country to register, but you don't need to enter a number to make use of the app. Entering your number just means that you have pre-approved for the app to upload it to the contact tracers in the event of the app figuring out that you were near to someone who since tested +ive.

Can't download it on iOS anyway. "App Not Available. This app is currently not available in your country or region". My country is France FWIW

KyussB

KyussB wrote: »

You haven't read any of my posts if you think I have an issue with the government collecting the information the app does.

You can choose to share the information if you wish

KyussB

ixoy wrote: »

And don't you think the benefits of this outweigh the risk? It literally could save lives rather than your hypothetical scenario.

It's not a dichotomy betwen privacy breaches and saving lives - for starters, they can increase the rate of randomization of the UID - meaning people are trading storage space and data bandwidth in return for proper privacy.

ixoy

KyussB wrote: »

You're talking shite here - this is my first post in the thread, where I'd already read up on how it works:
https://www.boards.ie/vbulletin/showthread.php?p=113959140

Okay, it's open source - clone the Git repo and come back to us with a fix.

MrMusician18

KyussB wrote: »

Where did I say I was happy to share private information with companies? Where is the 'insanity' in pointing out a very likely privacy breach? Where did I say I'm against a tracking app?

A simple solution is: Fix the privacy breaches. That is probably as simple as changing the UID with far higher frequency.

You are the person in denial of evidence here, so spare me the anti-vaxxer shite - I've provided direct evidence of a disputed security breach in the API used, in addition to the likely flaw I've discussed.

You are posting here on boards, sharing information on a commercial service.

OMG boards has your IP!

plodder

KyussB wrote: »

This isn't enitrely true for more recent phone OS's, that's starting to become randomized more - and I think the exposure API does bluetooth MAC randomization.

It is done far less frequently than in this technology. Otherwise MAC addresses would be unusable for the purpose they were designed.

Face it. There are a multitude of easier ways to track people than using this technology. Your concerns are unfounded.

And anyone making the kind of strident claims you are making would want to have read up on the basic aspects of the design , eg that the ids are random and change every 10-20 minutes before criticising it, which you didn't.

GarIT

KyussB wrote: »

It's not a dichotomy betwen privacy breaches and saving lives - for starters, they can increase the rate of randomization of the UID - meaning people are trading storage space and data bandwidth in return for proper privacy.

If they increase the randomisation, to more than every 15 mins how will the calculate you have seen the same ID for 15 mins? Without exchanging more info than they currently do.

KyussB

KyussB wrote: »

Where did I say I was happy to share private information with companies? Where is the 'insanity' in pointing out a very likely privacy breach? Where did I say I'm against a tracking app?

A simple solution is: Fix the privacy breaches. That is probably as simple as changing the UID with far higher frequency.

You are the person in denial of evidence here, so spare me the anti-vaxxer shite - I've provided direct evidence of a disputed security breach in the API used, in addition to the likely flaw I've discussed.

Hypothetical privacy breaches.

robinph

KyussB wrote: »

... if any private person can identify your unique id...

The point of the Apple/ Google apps is that you don't have a unique ID.

Your phone generates a bunch of random codes that it shares to other people running the app. The others persons app doesn't know if the multiple codes it gets from your phone after you spending an hour sat next to them in the park are from the same phone or ten different ones. The other person tests positive and their app then uploads all the codes that it received to the central database.

You phone then checks the database and finds on of the codes that it shared with someone else, but has no indication of who, and from that knows that you were in contact with someone who tested positive.

Nobody can link the multiple codes that your phone generated back to you.


Unless you are the very first person to test positive and before anyone else tests positive they have access to the database, and then everyone who then gets told by their app that they were in contact with you then contacts the HSE and the hacker also manages to get hold of their phone numbers somehow through that process and can then download all those peoples phone location data via some unrelated app and then the hacker could maybe figure out where you the first person to make use of the app had spent the last day. As soon as someone else tests positive though the database of codes would be useless for figuring out where anyone had been as you couldn't link the codes to an individual.

fly_agaric

enda1 wrote: »

Can't download it on iOS anyway. "App Not Available. This app is currently not available in your country or region". My country is France FWIW

The apps operating these new bluetooth proximity detection apis are supposed to be authorised & overseen by the local health service (here HSE). Think it is a bit much to expect them to be having to cater to needs of international users who want to install the app as they might be visiting Ireland. Said it before but IMO infection risk from such people is better managed by other means than a voluntary phone application (mandatory quarantines in a set place [or at least with alot of monitoring], testing, bans on tourism to/from regions where infection rate is alot higher than here/virus is effectively out of control).

KyussB

plodder wrote: »

It is done far less frequently than in this technology. Otherwise MAC addresses would be unusable for the purpose they were designed.

Face it. There are a multitude of easier ways to track people than using this technology. Your concerns are unfounded.

And anyone making the kind of strident claims you are making would want to have read up on the basic aspects of the design , eg that the ids are random and change every 10-20 minutes before criticising it, which you didn't.

The existence of other means of tracking doesn't make a new means of tracking less of an issue...

I did go out and read up on that, when it was mentioned - and after a short bit of research I'm pretty sure I know more about the whole exposure API than anyone else in the thread now, because I actually went and did my research...(to the point of finding an active disputed vulnerability disclosure, of almost exactly the same type of privacy breach I'm talking about)

It's called critical thinking and learning...

seamus

KyussB wrote: »

It's not a dichotomy betwen privacy breaches and saving lives - for starters, they can increase the rate of randomization of the UID - meaning people are trading storage space and data bandwidth in return for proper privacy.

Increasing the rate of randomisation of the UID doesn't seem to be a proposed fix and won't prevent the alleged exploit.

You use the word "disputed" like we would talk about territory. But when you look at the reported issue, it's clear that it's very much theoretical and the reporter has yet to demonstrate that the risky behaviour is actually taking place.

It's probably worth another look by the Google team to make sure they haven't missed anything, but it's not even close to being a big enough vulnerability to justify scaremongering about privacy.

KyussB

GarIT wrote: »

If they increase the randomisation, to more than every 15 mins how will the calculate you have seen the same ID for 15 mins? Without exchanging more info than they currently do.

I'd stopped replying to you in order to report posts/insults rather than reply to them - but since this is a valid technical point:
Instead of matching one UID, users will match several sequential UID's from the infected person instead.

Deeper Blue

Anyone who doesn't download this is a selfish ****, simple as that

GarIT

KyussB wrote: »

The existence of other means of tracking doesn't make a new means of tracking less of an issue...

I did go out and read up on that, when it was mentioned - and after a short bit of research I'm pretty sure I know more about the whole exposure API than anyone else in the thread now, because I actually went and did my research...(to the point of finding an active disputed vulnerability disclosure, of almost exactly the same type of privacy breach I'm talking about)

It's called critical thinking and learning...

Can you tell us a real world scenario where you think this could be used. You are saying tracking someone up to 600m away if you can see them. And there is no evidence of being able to track them more than 10m or to be generous 15m away in a populated area.

And why would you use this when you can just track their WiFi transmitter or Bluetooth transmitter without having to work out a way to manipulate the data from this app?

GarIT

KyussB wrote: »

I'd stopped replying to you in order to report posts/insults rather than reply to them - but since this is a valid technical point:
Instead of matching one UID, users will match several sequential UID's from the infected person instead.

Then you would have to link sequential UIDs together making changing them pointless

KyussB

robinph wrote: »

The point of the Apple/ Google apps is that you don't have a unique ID.

Your phone generates a bunch of random codes that it shares to other people running the app. The others persons app doesn't know if the multiple codes it gets from your phone after you spending an hour sat next to them in the park are from the same phone or ten different ones. The other person tests positive and their app then uploads all the codes that it received to the central database.

You phone then checks the database and finds on of the codes that it shared with someone else, but has no indication of who, and from that knows that you were in contact with someone who tested positive.

Nobody can link the multiple codes that your phone generated back to you.


Unless you are the very first person to test positive and before anyone else tests positive they have access to the database, and then everyone who then gets told by their app that they were in contact with you then contacts the HSE and the hacker also manages to get hold of their phone numbers somehow through that process and can then download all those peoples phone location data via some unrelated app and then the hacker could maybe figure out where you the first person to make use of the app had spent the last day. As soon as someone else tests positive though the database of codes would be useless for figuring out where anyone had been as you couldn't link the codes to an individual.

The privacy aspect I ended up focusing on, is more in-person tracking - if you determine someones current UID (which lasts for 10-20 minutes - will keep calling it a UID for simplicity), then if you can track their UID switchovers (since not everyones UID switches at the same time, seems vulnerable to a timing attack), that gives a means of tracking them - but with a lot of other caveats that limit the circumstances where this may be practical (e.g. hardware for achieving longer distance tracking, environment/line-of-sight etc.).

There are much better and more prevalent ways of tracking people, for sure - but I still view a new means of tracking as notable - and this one would potentially be one that any private person could do.

MrMusician18

GarIT wrote: »

Can you tell us a real world scenario where you think this could be used. You are saying tracking someone up to 600m away if you can see them. And there is no evidence of being able to track them more than 10m or to be generous 15m away in a populated area.

And why would you use this when you can just track their WiFi transmitter or Bluetooth transmitter without having to work out a way to manipulate the data from this app?

Sorry GarlIT, go away with your coherent argument and go back engage in 'critical thinking'

poolboy

I wear a mask, I've downloaded the app and I'll get a vaccine hopefully. Anyone who doesn't is a selfish prick in my opinion.

enda1

poolboy wrote: »

I wear a mask, I've downloaded the app and I'll get a vaccine hopefully. Anyone who doesn't is a selfish prick in my opinion.

The virtue signalling in here is out of this world!

Take a break from the internet maybe...

KyussB

KyussB wrote: »

The privacy aspect I ended up focusing on, is more in-person tracking - if you determine someones current UID (which lasts for 10-20 minutes - will keep calling it a UID for simplicity), then if you can track their UID switchovers (since not everyones UID switches at the same time, seems vulnerable to a timing attack), that gives a means of tracking them - but with a lot of other caveats that limit the circumstances where this may be practical (e.g. hardware for achieving longer distance tracking, environment/line-of-sight etc.).

There are much better and more prevalent ways of tracking people, for sure - but I still view a new means of tracking as notable - and this one would potentially be one that any private person could do.

Would you not be better off just following the person if you wanted to track them in this scenario?

Santy2015

Just over 400,000 people have downloaded the app now. Not even available 24 hours yet.

robinph

KyussB wrote: »

The privacy aspect I ended up focusing on, is more in-person tracking - if you determine someones current UID (which lasts for 10-20 minutes - will keep calling it a UID for simplicity), then if you can track their UID switchovers (since not everyones UID switches at the same time, seems vulnerable to a timing attack), that gives a means of tracking them - but with a lot of other caveats that limit the circumstances where this may be practical (e.g. hardware for achieving longer distance tracking, environment/line-of-sight etc.).

There are much better and more prevalent ways of tracking people, for sure - but I still view a new means of tracking as notable - and this one would potentially be one that any private person could do.

Tracking them where, you can see them as they are stood a couple of meters away from you? Why not just follow them?

If you are on about potentially then being able to figure out their movements after the event by downloading the database then you'd depend on knowing that they had tested positive and then get the whole database of codes after that. It would only tell you that you had been around that person though. You wouldn't be able to identify any of the other codes that they had generated after they were in your presence, unless they were the only person to have tested positive, after that moment the database would be useless to you for identifying anyone.

MrMusician18

KyussB wrote: »

The privacy aspect I ended up focusing on, is more in-person tracking - if you determine someones current UID (which lasts for 10-20 minutes - will keep calling it a UID for simplicity), then if you can track their UID switchovers (since not everyones UID switches at the same time, seems vulnerable to a timing attack), that gives a means of tracking them - but with a lot of other caveats that limit the circumstances where this may be practical (e.g. hardware for achieving longer distance tracking, environment/line-of-sight etc.).

There are much better and more prevalent ways of tracking people, for sure - but I still view a new means of tracking as notable - and this one would potentially be one that any private person could do.

So effectively you are worried about the app tracking people, but you have to be within and remain within Bluetooth proximity for this 'exploit' to work.

Luckily most people have eyes which will defeat this dastardly exploit.