Will you download the contact tracing app?

KyussB

GarIT wrote: »

Then you would have to link sequential UIDs together making changing them pointless

An infected person transmits their UID's to the HSE, the HSE sends those UID's out to users of the app presumably, and again presumably those UID's are grouped-together per-person

If you were near the infected person, instead of matching 1 UID, you would match several UID's from the group of UID's associated with the infected person.

poolboy

enda1 wrote: »

The virtue signalling in here is out of this world!

Take a break from the internet maybe...

Virtue signalling LOL, it's being a responsible adult. The conspiracy theorists who think anyone gives a crap where they go and Bill Gates is going to posion them are the ones who need a break from the internet.

KyussB

Deleted User wrote: »

Would you not be better off just following the person if you wanted to track them in this scenario?

Potentially, with the tracking you won't lose them, and could follow from a much greater distance - little or a lot less chance of being noticed.

poff

I looked at the app: there is no registration or login as suggested by the RTE picture. RTE, do a bit of research before publishing a misleading picture!

I did not allow for anything apart from the tracing bit. The app is connecting to T4app.covidtracker.ie and firebaseinappmessaging.googleapis.com which seems reasonable or essential for the workings.

Fears about privacy are overblown.

Is this statement supposed to increase my trust? It does not work for me, it has the opposite effect, it sounds arrogant. I would need a few more details and references, not a statement that ignores one's feelings.

Most of the other apps on your phone are gathering a lot more data than this is.

That might be the case. Does that mean less data collection is ok?

Less data would not be ok. As far as the documentation tells me, the app is collecting the bluetooth IDs and is not passing it on to any server. The documentation says that all other data is anonymised - I can not read the source code, but I guess it is. That is ok. Comparing the covid app with any other app is a bit strange. That is a different subject where people should think about the privacy of using the facebook apps and the likes. (By the way, I don't use any of those)

It would be really the passing on of data or personal information to the server - as it would have happened with the first centralised design of the app and also with the British failed app, that would not have been ok. Luckily, google and apple did not allow for that.

Seamus, are you a politician? Your post sounds like it. Not saying anything assuring...

I suggest to get informed and write about the important details with proper references and links to support what you say. That might establish trust. If I was not informed, your post would trigger all my alarm bells.

KyussB

robinph wrote: »

Tracking them where, you can see them as they are stood a couple of meters away from you? Why not just follow them?

If you are on about potentially then being able to figure out their movements after the event by downloading the database then you'd depend on knowing that they had tested positive and then get the whole database of codes after that. It would only tell you that you had been around that person though. You wouldn't be able to identify any of the other codes that they had generated after they were in your presence, unless they were the only person to have tested positive, after that moment the database would be useless to you for identifying anyone.

I'm not talking about the database, no.

With the right equipment and environment (emphasis on the latter - would not work in the middle of a city well), bluetooth can go hundreds of metres, even up to a kilometre.

robinph

KyussB wrote: »

An infected person transmits their UID's to the HSE, the HSE sends those UID's out to users of the app presumably, and again presumably those UID's are grouped-together per-person

If you were near the infected person, instead of matching 1 UID, you would match several UID's from the group of UID's associated with the infected person.

Why would the codes be grouped per person when your app checks them against the HSE database?

If there is a hundred people tested positive yesterday who upload then thousands of codes to the database from their apps, why does your app need to know if you are matching a contact with one or multiple people after your trip on the Luas?

KyussB

KyussB wrote: »

Potentially, with the tracking you won't lose them, and could follow from a much greater distance - little or a lot less chance of being noticed.

Or you could open Snapchat map and see where they are from there. That map will also show if it’s raining.

There really are easier ways to follow people without having a big antenna sticking out of your bum bum.

What’s the point of this convo anyway?

seamus

It seems the use case for this hypothetical exploit requires that the exploiter has access to a dense mesh of bluetooth scanning devices in the target area and a secondary - theoretical - mobile set of devices for tracking the individual outside of this mesh.

And to start with, you need to physically identify the individual upon their entrance to your mesh in order to tie them to their UID. Otherwise they are just anonymous UIDs traveliing through your mesh.

So in short, it is orders of magnitude more expensive, difficult and error-prone than paying someone to physically follow your target. Not to mention the fact that a big chunk of tech needed to implement your tracking is in very early stages.

There are no mass surveillance or privacy issues since it cannot be used to track crowds of people, and you need to be able to see the individual before you can start tracking them.

Bobeagleburger

Slick app. Very impressed.

It should be a great help.

robinph

KyussB wrote: »

Potentially, with the tracking you won't lose them, and could follow from a much greater distance - little or a lot less chance of being noticed.

So with this amazing Bluetooth receiver that you have and you are tracking someone who has just disappeared into an alleyway out of sight, you then loose the signal...what next?

How is having known that they were 100m away from you in some unknown direction going to help you now locate them?

KyussB

robinph wrote: »

Why would the codes be grouped per person when your app checks them against the HSE database?

If there is a hundred people tested positive yesterday who upload then thousands of codes to the database from their apps, why does your app need to know if you are matching a contact with one or multiple people after your trip on the Luas?

To eliminate the privacy breach I'd considered, one possibility is frequently randomizing (much faster than every 10-20 mins) the UID - so in order to know if you'd been around someone for 15 mins, you'd need to match against a whole list of sequential UID's from that person - which is why they'd need to be grouped per person, when uploaded to the HSE and then sent out to everyone to check for contacts.

So, it's more to be able to judge the time you are around another person, if the UID is changing much more frequently.

It's not an important side discussion though - just a technical way the potential privacy issue I'm discussing, could be minimized - at the cost of storage/data.

KyussB

KyussB wrote: »

Potentially, with the tracking you won't lose them, and could follow from a much greater distance - little or a lot less chance of being noticed.

What if they walked into a crowded area with loads of apps talking to each other simultaneously? Genuine question

ACitizenErased

Data protection lawyer has given the app a B. Only reason it didn’t get an A is for the symptoms tracker but she said it’s entirely opt-in.

https://twitter.com/katecolleary/status/1280446821593231360?s=21

https://twitter.com/katecolleary/status/1280457900419428352?s=21

MrMusician18

seamus wrote: »

It seems the use case for this hypothetical exploit requires that the exploiter has access to a dense mesh of bluetooth scanning devices in the target area and a secondary - theoretical - mobile set of devices for tracking the individual outside of this mesh.

And to start with, you need to physically identify the individual upon their entrance to your mesh in order to tie them to their UID. Otherwise they are just anonymous UIDs traveliing through your mesh.

So in short, it is orders of magnitude more expensive, difficult and error-prone than paying someone to physically follow your target. Not to mention the fact that a big chunk of tech needed to implement your tracking is in very early stages.

There are no mass surveillance or privacy issues since it cannot be used to track crowds of people, and you need to be able to see the individual before you can start tracking them.

Not just see them, but isolate them so you are sure that you are tracking the right UID.

And then you'd need to isolate them every other the UID changes unless you knew when it was going to change and even then it would be extremely probe to error.

This is a lab grade 'exploit' (and I use that term very loosely) not a realistic real world one.

KyussB

seamus wrote: »

It seems the use case for this hypothetical exploit requires that the exploiter has access to a dense mesh of bluetooth scanning devices in the target area and a secondary - theoretical - mobile set of devices for tracking the individual outside of this mesh.

And to start with, you need to physically identify the individual upon their entrance to your mesh in order to tie them to their UID. Otherwise they are just anonymous UIDs traveliing through your mesh.

So in short, it is orders of magnitude more expensive, difficult and error-prone than paying someone to physically follow your target. Not to mention the fact that a big chunk of tech needed to implement your tracking is in very early stages.

There are no mass surveillance or privacy issues since it cannot be used to track crowds of people, and you need to be able to see the individual before you can start tracking them.

Or just use a drone with a high powered bluetooth receiver/transmitter, like in the video I posted earlier (which would need to be somewhat directional to track someone).

enda1

poolboy wrote: »

Virtue signalling LOL, it's being a responsible adult. The conspiracy theorists who think anyone gives a crap where they go and Bill Gates is going to posion them are the ones who need a break from the internet.

The world's not black and white. Calling people selfish pricks is not the language of a responsible adult.

The hardcore conspiracy theorists are not helpful. But your self-claimed moral superiority isn't either. This type of divisive behaviour is a scourge on modern discourse

robinph

KyussB wrote: »

To eliminate the privacy breach I'd considered, one possibility is frequently randomizing (much faster than every 10-20 mins) the UID - so in order to know if you'd been around someone for 15 mins, you'd need to match against a whole list of sequential UID's from that person - which is why they'd need to be grouped per person, when uploaded to the HSE and then sent out to everyone to check for contacts.

So, it's more to be able to judge the time you are around another person, if the UID is changing much more frequently.

It's not an important side discussion though - just a technical way the privacy issue I'm discussing, could be minimized - at the cost of storage/data.

Can your app not figure that out at the time though?

Gets a code from another device, never gets that code again, deletes it as irrelevant. Get the same code from another device 10 minutes later it saves it?

If the codes were changing more frequently then you'd not have anything to check against locally. Now it's possible if you are hanging out in the pub for an hour and one person comes to chat with you for 30 seconds every 12 minutes before they then go and hide behind a lead lined wall and so you never collect their contact ID, but the chances of that are minimal, and if that person tested +ive someone else in the pub would also have picked up your ID and their ID and you'd still get picked up either by regular contact tracing or your mate telling you they had just had a test after being to the same pub.

GarIT

[Deleted User] wrote: »

What if they walked into a crowded area with loads of apps talking to each other simultaneously? Genuine question

The range would be reduced to single digit meters, maybe 10m, 15m would be a huge stretch.

I have tested this in an airport lounge and struggled to get 1.5 meters using Bluetooth 4. Bluetooth 5 is theoretically up to 4 times better for range.

fly_agaric

KyussB wrote: »

An infected person transmits their UID's to the HSE, the HSE sends those UID's out to users of the app presumably, and again presumably those UID's are grouped-together per-person

If you were near the infected person, instead of matching 1 UID, you would match several UID's from the group of UID's associated with the infected person.

That is not making sense to me. I've read the laymans explanation, not the code or a more complete technical spec or whatever.

AFAU the random codes are supposed to represent the anonymous contact (person with the app on their phone) that came "close enough" for the 10-15 min (doesn't actually matter when or where that actually happened for scheme to work, which is good for privacy - could have been anywhere in Ireland, could have been any time within last 14 days [if using what I think is supposed to be maximum incubation time for this disease]).

How do you bundle a group of such random codes together as an entity in itself to represent the "contact" occurring? You cannot I think unless also tracking the timing of the generation of ids...so you actually need to collect more information (a much more exact timing) if the unique ids are being cycled very rapidly.

Also adding to overall complexity (more codes [no expert but generating pseudorandom numbers/avoiding clashes etc can get tricky], more data, more cpu use on the phone). It is not all as "simple" as you are making out imo, and whatever you think about the +s and -s of their effect on our world, the 2 "showers" who developed the apis have a lot of extremely smart people beavering away for them.

myfreespirit

GarIT wrote: »

It doesn't use location.

I agree on the second point.

I'm a little confused about whether the app uses location on your phone - I normally have Location turned off to save my rather old battery.
However, with location off, the app then says:

"Exposure notifications are turned off "

What does this mean I wonder?

Oops, just noticed someone has posted a similar query earlier.

hetuzozaho

Riflecreek wrote: »

Presumably such risk averse individuals don't leave their house for fear of being stung by a wasp.

How they make it to boards.ie safely I don't know!

CrowdedHouse

Presumably if someone tests positive they have to be asked if they're using the app and only then will people in close contact know

GarIT

GarIT wrote: »

The range would be reduced to single digit meters, maybe 10m, 15m would be a huge stretch.

So in summary, far easier and far more reliable to get someone to follow your target? How often does KyussB find himself being tailed by Mossad?

plodder

seamus wrote: »

Increasing the rate of randomisation of the UID doesn't seem to be a proposed fix and won't prevent the alleged exploit.

You use the word "disputed" like we would talk about territory. But when you look at the reported issue, it's clear that it's very much theoretical and the reporter has yet to demonstrate that the risky behaviour is actually taking place.

It's probably worth another look by the Google team to make sure they haven't missed anything, but it's not even close to being a big enough vulnerability to justify scaremongering about privacy.

Right. The supposed "research" that he did was to google CVE's relating to this technology and sure one comes up, that he at least acknowledges is disputed.

It was reported nearly a month ago and it doesn't seem to be creating any degree of fuss. So, I think it's safe to assume it is spurious.

https://news.ycombinator.com/item?id=23488214

robinph

CrowdedHouse wrote: »

Presumably if someone tests positive they have to be asked if they're using the app and only then will people in close contact know

You test positive, they give you a code, you enter the code into your app, your app uploads the codes that you have generated over the last couple of weeks.

Someone else has the app on their phone, the app queries the database of codes, recognises the codes there as ones it has downloaded from other people, you get a warning from the app to self isolate.

poolboy

enda1 wrote: »

The world's not black and white. Calling people selfish pricks is not the language of a responsible adult.

The hardcore conspiracy theorists are not helpful. But your self-claimed moral superiority isn't either. This type of divisive behaviour is a scourge on modern discourse

It's black and white when it comes to protecting public health and those more vulnerable to this disease. I'm not claiming any moral superiority I'm sick off the idiots and I'll stand over selfish pricks who think wearing masks or downloading apps is some infringement on there civil liberties.

Calahonda52

Strawberry Milkshake wrote: »

Or you could open Snapchat map and see where they are from there. That map will also show if it’s raining.

There really are easier ways to follow people without having a big antenna sticking out of your bum bum.

What’s the point of this convo anyway?

She said the man in the gabardine suit was a spy
I said, be careful, his IUD is really a camera

Sardonicat

What's wrong with the contact tracing being done here to date?

Bridge93

Even if something is technically possible it doesn’t mean it’s practical. why does it outweigh the good the app can do? When is anyone going to be tailed by a drone tapping into their Bluetooth? What info do I have that somebody will bother to put that much work in when their are much easier ways to obtain info? What info is even on the app that’s of use to anyone?

Irish Aris

KyussB wrote: »

I'm not talking about the database, no.

With the right equipment and environment (emphasis on the latter - would not work in the middle of a city well), bluetooth can go hundreds of metres, even up to a kilometre.

If I understand correctly your point, you mean that this is technically possible, right?
For everyday people though, is this really a big risk? I would consider the possibility of something like this happening to me extremely low.

In any case, I downloaded the app and plan to use it when I'm out and about. Based on the 15 minute principle, my contacts would be limited anyway, but I think it could be very useful for when I use public transport.
The app seems very easy to use and doesn't feel that needs a lot of my attention
I opted not to give my phone number at this point in time, but I see I can add it at any time.