Google, Apple Covid-19 Tracking Tech Faces EU Scrutiny (bloomberg.com) 68

The European Union said it will scrutinize Google and Apple's proposed contact-tracing technology to ensure it meets the bloc's new standards governing the deployment of Covid-19 apps. From a report: Officials from member states and the EU's executive arm will "seek clarifications on the solution proposed by Google and Apple," the European Commission said on Thursday as it issued guidelines aimed at making the various virus-tracking apps interoperable. Alphabet's Google and Apple late last week announced they would add technology to their platforms to alert users if they have come into contact with a person with the coronavirus. While the system is voluntary, it has the potential to monitor about a third of the world's population. In a video-conference earlier this week with Google CEO Sundar Pichai and YouTube CEO Susan Wojcicki, EU Industry Commissioner Thierry Breton "insisted on the need for all digital actors to develop apps to trace the spread of the virus in full respect of the privacy of individuals and ensuring interoperability and security of communications," the EU said.
  • by Anonymous Coward
    Instead of having to rely on US technologies and become beholden to USA. That should also help with the NSA spying.
    • Re: (Score:1, Flamebait)

      Google and Apple are multinational corporations. People need to stop thinking about them as "US companies". They aren't.

    • There is an idea of the Uniform Economy, where all countries have the ability to make equal economies. Just do what the US does and your economy will flourish. But that isn't the case.
      Even in the US, we have Silicon Valley where there is a large tech sector in the economy, we got Detroit where there is a big thing in auto manufacturing. Virginia, Maryland, and DC are where many government services are.
      It isn't all just because of the Climate. Silicon Valley Tech doesn't need to be close to actual Silicon fo

      • by guruevi ( 827432 )

        I think you are mistaken. There are reasons car manufacturers developed cars in Detroit or the government is in DC and Silicon Valley is in CA. You should learn economics and history to understand. Companies don't just spring up because it's convenient for them, otherwise you wouldn't see any concentration happening anywhere throughout history.

      • The reason Silicon Valley remains in California is because of the fact that noncompetes are unenforceable there. This is why other states can't replicate it.

    • That's a noble ideal, but here in the real world smartphones are largely based on either Android or iOS, both of which are developed by US-based companies. Unless you're suggesting that the EU compel its citizens to install a different OS or turn in their devices for something homegrown (with Nokia out of the picture, I'm having trouble remembering any EU-based major players at this point...), I don't know how they would do what you're suggesting. At best they could write an app, but an app won't have the s

      • Meanwhile in the UK... Apple and Google are the reason the NHS is unable to spy on UK citizens in the way it wants to [theguardian.com]

        The NHS is in a standoff with Apple and Google after the two tech firms refused to support the UK’s plans to build an app that alerts users when they have been in contact with someone with coronavirus.

        But the policies, unveiled last week, apply only to apps that don’t result in the creation of a centralised database of contacts. That means that if the NHS goes ahead with its original plans, its app would face severe limitations on its operation. The app would not work if the phone’s screen was turned off or if an app other than the contact tracer was being used at the same time. It would require the screen to be active all the time, rapidly running down battery life, and would leave users’ personal data at risk if their phone was lost or stolen while the app was in use.

    • Instead of having to rely on US technologies and become beholden to USA. That should also help with the NSA spying.

      The european app is https://www.pepp-pt.org/ [pepp-pt.org]

    • by wilsong ( 322379 )

      Yeah, won't happen.

      The EU's vast army of meddling bureaucrats makes the development of Googles and Apples there rather unlikely.

  • You can only track someone carrying a device. People will leave their device at home when they don't want to be tracked. People without a device won't be tracked.
    This strikes me more as a power grab, like "look how much good we did tracking 50% of the people. let's make it mandatory for everyone to be tracked so we can do even more good!"
    I'd rather get sick and die than live in that world.

    • Based on my rejected submission on another aspect of this topic I'll go ahead and blow up all the technical security defenses in the most obvious way. Leaving your phone at home is only the most trivial of the technical defenses.

      If the government doesn't like you and they want full access to your tracking data, then it's totally easy. Just arrange to "expose" you to someone who might have the disease in question. Then ALL of your contact data is unencrypted and sent upstream to other agencies where it can b

    • You pack that device with a ton of features, people will carry that device all the time.

      We carry our smartphones all the time. We use them to pay for stuff, some people use them to unlock their car doors....

      • For the past month, my android smartphone has done nothing but sit here at home being unused.

        In the past week, while just sitting there, it's been losing charge much faster than normal.

        It's obviously now doing some shit that I would not approve of.
    • Perfect is the enemy of good. Tracking is a critical piece of the puzzle and the Google/Apple approach is a great start.
    • by fintux ( 798480 )
      This approach will never be 100% effective, whether or not all people who can will carry the cellphone. However, it doesn't need to. In another article, it was mentioned that it is enough if 56% of the general population use the app. Even a smaller portion will at least help somewhat. Currently we have in many areas 0% of the people using the app. It means we need to use more of different kinds of means for managing the situation. The app will make the management easier and it will help to lift some of the
  • Of course the app violates privacy. However, I think hope the debate moves beyond the false sense of privacy the EU, CCPA and other crappy laws provide back to "should someone who is sick with X really have the 'privacy' right to not allow everyone else to know about it."

    I, for one, am perfectly fine with moving back to the pre-HIPAA model where people who checked into the hospital had their name, age and condition broadcast (printed in the newspaper back then) for everyone in the community to see.

    I'm not
    • it's there to protect the wealthy.

      Think of it this way, if you've got the CEO of a large company who drives their stock price up and he gets diagnosed with stage 4 terminal cancer a month or two before buyout negotiations, what would that do to the stock price?

      I don't think we're going to say goodbye to HIPAA. But I do think we're going to get these tracker apps and that they will be made mandatory to enter stores. Either by the Government or just plain by the stores themselves.

      Contract tracing
    • by idji ( 984038 )
      How does the app violate privacy? I read the paper that Apple & Google cowrote last week. An app (which anyone can make since they only provide an API) detects nearby bluetooth devices and then sends a hash of a passerby's bluetooth to public repositories. If that user in the future tells their app they are covid-positive that goes to the database. Your app regularly downloads hashes and when it finds a match OFFLINE it tells you WHEN it happened (to nearest 10 minutes) and you can reconstruct the loca
      • You say this....

        Your app regularly downloads hashes and when it finds a match OFFLINE it tells you WHEN it happened (to nearest 10 minutes) and you can reconstruct the location (perhaps your app stores your GPS coordinates locally when it detects a bluetooth device).

        Followed directly by this....

        You don't find out who the person is.

        Which is it? Do you find out when and where you were near someone with covid19, and therefore have a good idea of who that person was, or do you not find out who that person was?

        How about stop being such a transparent apologist for the privacy violators.

    • The Apple/Google plan does not violate privacy. Please investigate the plan before making the statement. Recognize it's better than any alternative and educate your non-tech friends.

      Each phone will have a unique ID generated and only available on the phone and nowhere else. Any updated bluetooth enabled iOS/Android phone will share its unique ID and will get stored on phones in proximity along with the date, time and duration.

      If you test positive, you report your unique ID to a central database. The cent
  • Not sure if I am mistaken, but the following seems an easy line of attack to deanonymize all these 'privacy-preserving' apps. A malicious actor can set up a free Wifi hotspot (for instance, spoofing the SSID of another one you normally connect to) and a Bluetooth listening device in the same location. Then they can see that at 17:42 in the afternoon a phone relays via Bluetooth the anonymous id 4e2f134a, and at the same minute your MAC address connects to their network (and maybe logs on their network on a
    • by GeLeTo ( 527660 )
      So what will they gain from this? If you tested positive for covid and gave permission - they will know this, as well as the anonymous ids of covid positive people that you've been near to in a 15 minute interval. Compared to what for instance Google knows about you - this is practically zero.
      • If I test positive for Covid and give permission, the health authorities know that I am infected. With this attack, an arbitrary attacker can figure that out as well.
        There is a huge difference between a server in the NIH basement knowing that I am infected, and every malicious entity in the world knowing it.
    • Not sure if I am mistaken, but the following seems an easy line of attack to deanonymize all these 'privacy-preserving' apps.

      A malicious actor can set up a free Wifi hotspot (for instance, spoofing the SSID of another one you normally connect to) and a Bluetooth listening device in the same location. Then they can see that at 17:42 in the afternoon a phone relays via Bluetooth the anonymous id 4e2f134a, and at the same minute your MAC address connects to their network (and maybe logs on their network on a captive portal with your username, or accesses a http page, etc.). It is easy for them to figure out who this 'anonymous' id 4e2f134a belongs to. Boom, deanonymized.

      AFAIK the info that 4e2f134a had corona won't be relayed to you, just that someone you've spent time with has reported they are infected. You'd need to be able to submit false data to be able to triage (for example create a fake user that reports that the only person they've encountered was 4e2f134a).

      • AFAIK the info that 4e2f134a had corona won't be relayed to you, just that someone you've spent time with has reported they are infected.

        I must have misunderstood then, because I thought the main idea is that all anonymous ids of infected people in the past 14 days get published.
        If that's how you suggest, then it is even more worrying, because to do that they need a database of all encounters.

        • AFAIK the info that 4e2f134a had corona won't be relayed to you, just that someone you've spent time with has reported they are infected.

          I must have misunderstood then, because I thought the main idea is that all anonymous ids of infected people in the past 14 days get published.

          If that's how you suggest, then it is even more worrying, because to do that they need a database of all encounters.

          I found the specs here: https://blog.google/documents/... [blog.google] https://blog.google/documents/... [blog.google] https://blog.google/documents/... [blog.google]

          • ...and they confirm what I wrote above, it seems: all anonymous ids of (consenting) infected people in the past 14 days get published. The only minor detail is that they don't publish the actual 4e2f134a number, but a "daily key" that can be used to regenerate it.
        • by tlhIngan ( 30335 )

          I must have misunderstood then, because I thought the main idea is that all anonymous ids of infected people in the past 14 days get published.
          If that's how you suggest, then it is even more worrying, because to do that they need a database of all encounters.

          No, you just publish a list of IDs that have it.

          The database of encounters stays on your phone locked away. When the list of known contacts with it is updated, your phone downloads the updated list, and compares it with every encounter it had recorded.
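
The offline matching described in the comments above, as an added example that is not part of the thread or of the Apple/Google documents: a reporting phone publishes only its daily keys, and every other phone regenerates the rolling IDs from them and compares against its own local log. The derivation used here (HMAC-SHA256 over a label and the 10-minute interval number, truncated to 16 bytes), the `Phone` class and all encounter data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # 10-minute windows, as in "to nearest 10 minutes"


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval (assumed derivation)."""
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval out of range")
    msg = b"CT-RPI" + bytes([interval])
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    """Hypothetical model of one handset's local state."""

    def __init__(self):
        self.daily_keys = {}  # day -> secret key, stays on the phone
        self.observed = {}    # rolling id heard -> (day, interval), local only

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, rid: bytes, day: int, interval: int) -> None:
        self.observed[rid] = (day, interval)

    def report_positive(self, days):
        """What a consenting user uploads: daily keys, not the encounter log."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def check_exposure(self, published):
        """Regenerate every rolling id from the published keys, match locally."""
        hits = []
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                seen = self.observed.get(rolling_id(key, interval))
                if seen == (day, interval):  # id must match the time it was heard
                    hits.append(seen)
        return sorted(hits)


def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounters: Bob is near Alice on day 3 from 17:30 to 17:50
    # (intervals 105 and 106); Carol only ever hears Bob.
    for interval in (105, 106):
        bob.hear(alice.broadcast(3, interval), 3, interval)
    carol.hear(bob.broadcast(3, 50), 3, 50)
    published = alice.report_positive(range(1, 15))  # last 14 days
    return bob.check_exposure(published), carol.check_exposure(published)


if __name__ == "__main__":
    print(demo())
```

`check_exposure` needs nothing but the published keys and a local log of identifiers, so the match can be run by any party that recorded an identifier, which is the property the replies in this thread are arguing about.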

      • Sooner or later law enforcement is going to subpoena the data. Worse, in most countries prosecutors can use data like this to force plea deals from innocent people (you pick 1 guaranteed year in jail vs possibly 10). In the United States where racism runs rampant and juries often vote on feelings this is a very real danger.

        That said, I don't think we're going to be given a choice on this one. It has the potential to let us reopen the economy months and months sooner. It's too valuable. It will be forced
    • by idji ( 984038 )
      That has nothing to do with the app. That is bluetooth anyway. This app API hashes the bluetooth with a timestamp so your idea won't work,
      • I think you're missing a word there. Anyway, why does hashing with a timestamp prevent this attack from working? At the end of the day the government needs to release the hashes of infected people for this whole system to work, so you can map hashes to people.
    • by amp001 ( 948513 )

      Take a look at the specifications (https://www.apple.com/covid19/contacttracing/) – they aren't really all that complicated. The MAC addresses in the Bluetooth LE advertisements are already randomized, changing (about every 15 minutes) and uncorrelated with the MAC address you'd use to connect to something. This is also true of the WiFi probes phones generate, by the way – those also come from a random MAC address that has nothing to do with the actual MAC address you'd use to connect to a WiFi net

      • Based on your extended description, I don't see why the attack I have outlined does not work. You set up an unprotected wifi network, grab the (actual, non-randomized) MAC address when people connect to it, and note their RPIs. Then a few days after you check if these RPIs match those that you can generate from the public list of DTKs. If you get a match, you know that the owner of that MAC address is infected, and you can correlate it with all their (non-HTTPs) activity on your wi-fi networks: visited page
        • by amp001 ( 948513 )
          I see where you're going. It still depends on the victim being someone who does get diagnosed – meaning it doesn't just work for anyone. It also depends on them doing enough non-HTTPS traffic to figure out who they are. That's not impossible, but more and more sites are moving to HTTPS for everything, and certainly anyone who cares about privacy wouldn't be using an unprotected WiFi network without anything else (like a VPN) underneath. Either way, you still have to have something in physical proximity
          • Yes, you need physical proximity for all this to work. Perhaps a simpler and clearer version of this attack: you wish to know if your neighbour is positive to Coronavirus or not. You buy a burner phone, install the app on it, you get physically close to him, and let the app do its beacon-sharing thing with him. In this way, you have a phone that has your neighbour as its only registered contact. Then the app reports that you have been exposed to the virus if and only if your neighbour is infected. It seems
  • This is stupid. The EU can't deliver this kind of technology, in any reasonable time frame or cost. So, when corporations, which they usually bash on, come up with something they want to complain.

    Have it your way: All corporations stop trying to be good citizens. Simply do nothing. Oh wait, then the EU will complain they should help....

    Typical government, can only point the finger, can't produce anything.

    • This is stupid. The EU can't deliver this kind of technology, in any reasonable time frame or cost. So, when corporations, which they usually bash on, come up with something they want to complain.

      Have it your way: All corporations stop trying to be good citizens. Simply do nothing. Oh wait, then the EU will complain they should help....

      Typical government, can only point the finger, can't produce anything.

      Perhaps they've adopted the policy of just being annoying enough for someone to google the answer for them?
      https://www.pepp-pt.org/ [pepp-pt.org] You're welcome.

    • by wilsong ( 322379 )

      The EU's mission isn't to deliver technology.

      It's to fatten itself by taking taxes from those who can deliver technology.

      The more "scrutiny" of tech companies it needs to do, the more taxes it will just have to take.

    • While it's true that the EU complains about US companies generally for power grabs and money, when it's also good for the general populace, I'm not all that unhappy (however rare that is)

    • The EU's major failing is not gifting corporations everything at the expense of the people. Why they don't follow the American model and fuck the public I will never know.

      Also the EU has no technological development arm and aren't in the business of technology development. I guess you mean EU based companies, they can absolutely deliver this technology. You would know, Americans keep buying them out to prevent competition.

  • There clearly is a desperate need for more accurate, efficient, & comprehensive contact tracing to keep the pandemic from overwhelming our healthcare systems. The question is, what's the best way to achieve that? Contact tracing without mandatory testing & quarantine is useless. What they're proposing is to police populations around the world via their phones. The consequences of being flagged as potentially infected have to be neutral or beneficial to people or many will try to evade detection. Not
  • Having been living in the EU since 1995, I have a very unpleasant feeling of this taking so long that the pandemic will be long gone until the EU can come to a decision on this topic. Every country wants to have their small modification, even if it is a tiny one. There is always the bike shed effect in EU about anything. And then there will be the one country who wants to ban the whole thing and using their veto rights when all of the other countries have come to an agreement. In 2025 there may be the decis
