Apple, Google Ban Use of Location Tracking in Contact Tracing Apps (reuters.com)

Apple and Alphabet's Google on Monday said they would ban the use of location tracking in apps that use a new contact tracing system the two are building to help slow the spread of the novel coronavirus. From a report: Apple and Google, whose operating systems power 99% of smart phones, said last month they would work together to create a system for notifying people who have been near others who have tested positive for COVID-19, the disease caused by the coronavirus. The companies plan to allow only public health authorities to use the technology. Both companies said privacy and preventing governments from using the system to compile data on citizens was a primary goal. The system uses Bluetooth signals from phones to detect encounters and does not use or store GPS location data. But the developers of official coronavirus-related apps in several U.S. states told Reuters last month it was vital they be allowed to use GPS location data in conjunction with the new contact tracing system to track how outbreaks move and identify hotspots.
  • by LarryRiedel ( 141315 ) on Monday May 04, 2020 @09:34PM (#60022792)
    Those features will be quietly added in an update.
    • It will be for our own good. Trust me.
    • They will not.

      If they were, known Stasi fans HMG and French Government would not have tried to develop their own.

      I do not trust Apple and Google separately for a split second because anything they come up with is PM/Engineering driven without proper thought of the consequences. If they have come up with something together, there were lawyers involved as well as proper consideration of the consequences. So this is likely to remain "as advertised" and any backdoors will be only the USA Gov/FISA ones (somet

    • What does it matter when they have the location history in a different data bucket already anyways?

      For 99% of people who would use their app they could look into that data and look it up from there.

      It's kinda dumb really. You want to have tracking or not? If you install the app you very clearly want to, imho.

      Bluetooth contact tracking is kinda iffy - but not only that, this way they have the GPS locations of the people who have GPS disabled in their phones as well but are running this app, by correlating fr

      • It's kinda dumb really. You want to have tracking or not? If you install the app you very clearly want to, imho.

        That is assuming people have a choice. Governments might force you to install the app if you want to go outside for example.

    • Those features will be quietly added in an update.

      Stupid comment based on nothing whatsoever.

  • Events in the Universe consist of things slamming into each other, why do you need to know more than who you ran into? Why do you need to know where?

    Isn't the whole idea to propagate a chain of notifications? You need events, not locations for that.

    • To elaborate on what I'm getting at, we define our notion of space by events, and then we describe other events to (attempt to) create a set of events that constitute "location".

      We know "where" a GPS receiver is, because we've bounded it in one particular way, with a particular set of events. Contacts can function just fine in a space that's topologically marked by posets of contact events. You don't need to specify the bounds as a Cartesian triple.

      • Once the people who get notified of being possibly infected report for a check-up, the geographical location of a given outbreak will be known. No need for the government to know the location of every single one of us. This system requires, however, a provision for the doctors to report to the system the general location reported by the patients.
    • While I generally agree, potentially understanding *where* a cluster of cases originates might help to understand appropriate policy actions that should take place. Completely for hiding that data from automated gathering though.

      • by swilver ( 617741 )

        It only says no GPS. You can still track location without it, just not as accurately. This works by looking at what WiFi networks are visible near you and making a guess at your location based on their relative signal strengths.

  • by Cmdln Daco ( 1183119 ) on Monday May 04, 2020 @09:43PM (#60022836)

    The natural response to predatory tracking initiatives like this is to just disable bluetooth. But you can't do that and use a headphone on a phone that has had the jack removed.

    • Faraday cage or bag time

    • Actually the natural response to this (if you're so inclined) is to not install any apps that use the API.

    • by swilver ( 617741 )

      I would be surprised if a normal app with normal Bluetooth permissions could even achieve this, as it would require Bluetooth devices to be auto-discoverable the whole time. I suspect only Apple or Google has access to the internals needed to make this happen in the first place.

      • by AmiMoJo ( 196126 )

        They are not using Bluetooth discovery, they are using Bluetooth Low Energy. BLE devices can transmit advertising messages periodically that other devices can pick up. Discovery is used when trying to pair, it's a different system entirely.

        The real issue for apps not using this API is that the OS will prevent them running in the background, in order to stop them killing the battery. The UK's app requires users to be in close contact for half an hour before it flags it up, for example, because the most frequ

    • So, you need courage to use an iPhone with Bluetooth...
    • by tlhIngan ( 30335 )

      The natural response to predatory tracking initiatives like this is to just disable bluetooth. But you can't do that and use a headphone on a phone that has had the jack removed.

      Huh?

      I have a Google Pixel 3 and an iPhone XL. Both work perfectly fine without Bluetooth and headphones. I just plug my headphones into the USB-C jack at the bottom of the Pixel, and into the Lightning port on my iPhone.

      I can even be fancy and use a high end DAC or my USB speakers with both.

      Oh wait, maybe you're not familiar with th

  • by joe_frisch ( 1366229 ) on Monday May 04, 2020 @10:26PM (#60022956)

    I bet someone will figure out how to de-anonymize and localize the data based on other information. We need *laws* to prevent misuse of information. Technical hurdles just mean some smart people waste a lot of effort and get to the same result.

    • In my experience, 'laws' don't help since they are not enforced. The legal system only concerns itself with serious matters and ignores trivialities. Bluetooth is a triviality, until an important politician or judge, gets caught with his pants down at the local Chicken Ranch due to the tracking.
    • That's why the random code your phone advertises while using this API changes every 15 minutes.

    • by AmiMoJo ( 196126 )

      Laws are easily broken. Technical solutions can be much more effective.

    • by raymorris ( 2726007 ) on Tuesday May 05, 2020 @09:50AM (#60024098) Journal

      > I bet someone will figure out how to de-anonymize and localize the data based on other information.

      Of course if you're running Google Maps, that has your location, so *Google* would have your location "based on other information". Of course that has nothing whatsoever to do with this app. In the world of mathematically provable crypto and security, that's called a priori information - something they already knew.

      The health department or other government agency doesn't have that information, so it's not a priori information from their perspective. That's who we want to think about. Based on the information available to the health department with this app, what information can they learn? Secondly, people we are physically close to for a few minutes receive a token. Can they get any interesting information from that token?

      What we can sometimes prove about crypto-based schemes, such as this one, is that no computationally bounded attacker can gain non-trivial information. For other schemes, we can prove that an attack IS possible. Crypto nerds like me look at the spec and try to prove it is secure or it's not secure, under different conditions for the attacker. For each type of security, we prove security (or lack thereof) by showing that the information the attacker has is indistinguishable from random bits, or it is distinguishable from random bits.

      Trivial information includes the fact that someone (we don't know who) sent a message (presumably using the app).

      We can analyze the crypto here and try to prove it secure or not:
      https://covid19-static.cdn-app... [cdn-apple.com]

      We see that the health department / government receives the following:
      When someone reports that they have been diagnosed, they can submit some codes. Those codes are randomly generated numbers, numbers their phone randomly generated each day. What information can the health department infer from the random numbers they receive? Can we show that the numbers are indistinguishable from random?

      The numbers sent to the health department ARE random numbers. Therefore they are indistinguishable from random numbers. The health department / government can learn nothing from those numbers. It *can* note that somebody submitted numbers, without knowing who submitted them, so the health department can learn that an anonymous person was diagnosed. But the health department already knows that because the doctor reported the diagnosis. So that's a priori information. They learn nothing new from the app. That leaves this info for them:
      Somebody who was positive used the app.
      We already knew someone was positive.
      So all the health department can learn is that somebody used the app.

      "Somebody used the scheme" is defined as trivial information. The government can learn no new non-trivial information from the app. It's provably secure.

      How about the people around you? They can learn something that the health department can't learn. They receive the SHA-256 HKDF of random numbers. Those are indistinguishable from random if either SHA-256 is unbreakable or HKDF-SHA-256 is unbreakable. We have reason to believe that SHA-256 is unbreakable, so that's a pretty safe bet. That leaves the contacts receiving a number that is indistinguishable from random - provably totally secure, BUT then they might receive the same number two minutes later if you're still there. That's distinguishable from random. Contacts CAN learn that someone near them right now was also near them two minutes ago. (Fresh tokens are generated every 10 minutes).

      For contacts, we can therefore prove two things:
      1. It's not perfectly secure in the sense that in a given 10-minute window, a number might repeat, indicating that the same person is still nearby.

      2. If we decide we don't care about repeats within 10-minute blocks, if we ignore the repeats, then we end up with

      • Ps - what I laid out above is of course an informal proof, not a formal one.
        Formally, we'd show that the data is indistinguishable from random. Because what the health department receives actually IS a random* number, there isn't much to add for a formal proof.

        As for nearby contacts, one could probably do a little more work to formalize the proof. Still, it's pretty straightforward - it's a truncation of a strong operation on a trusted hash, which is itself a truncation of a strong primitive. The truncati
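An added, editor-supplied model of the scheme raymorris analyzes above (and of the local "compare your log against the published list" flow ClarkMills sketches further down), not code from Apple, Google or the linked spec: each device draws a fresh random daily key, broadcasts a truncated HMAC-SHA256 of that key over a 10-minute interval counter, keeps a bounded local log of identifiers it hears, and, after a diagnosis, publishes only its daily keys so contacts can re-derive the identifiers and match on-device. The key size, label, interval numbering and day number are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import deque

INTERVALS_PER_DAY = 144          # one 10-minute interval counter per day (assumed)


def new_daily_key() -> bytes:
    # Plain random bytes: this is all a health department ever receives.
    return secrets.token_bytes(16)


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    # Truncated keyed hash (assumed construction, not the published spec).
    # Without daily_key the output is indistinguishable from random; with the
    # same key and interval it repeats, which is the linkability the comment notes.
    msg = b"RPI" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    def __init__(self, log_entries: int = 20000):
        self.keys = {}                          # day -> daily key
        self.seen = deque(maxlen=log_entries)   # bounded log of (day, interval, rpi)

    def key_for(self, day: int) -> bytes:
        if day not in self.keys:
            self.keys[day] = new_daily_key()
        return self.keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_id(self.key_for(day), interval)

    def observe(self, day: int, interval: int, rpi: bytes) -> None:
        # Only the heard identifier is stored: no location, no identity.
        self.seen.append((day, interval, rpi))

    def report_diagnosis(self, days) -> list:
        # Uploaded on diagnosis: daily keys only, never the contact log.
        return [(d, self.keys[d]) for d in days if d in self.keys]

    def check_exposure(self, published) -> list:
        # Re-derive every identifier a published key could have produced and
        # match against the local log. Nothing leaves the device.
        hits = set()
        for day, key in published:
            candidates = {rolling_id(key, i) for i in range(INTERVALS_PER_DAY)}
            for d, i, rpi in self.seen:
                if d == day and rpi in candidates:
                    hits.add((d, i))
        return sorted(hits)


def simulate():
    # Constructed scenario: Bob is near Alice for two consecutive intervals,
    # Carol only ever hears Bob. Alice is later diagnosed and publishes her key.
    alice, bob, carol = Device(), Device(), Device()
    day = 18386  # constructed day number
    for interval in (50, 51):
        bob.observe(day, interval, alice.broadcast(day, interval))
    carol.observe(day, 50, bob.broadcast(day, 50))
    published = alice.report_diagnosis([day])
    return bob.check_exposure(published), carol.check_exposure(published)


if __name__ == "__main__":
    print(simulate())
```

Bob's match list names only the intervals he heard Alice's identifier, Carol's is empty, and the published key itself carries no contact information.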

    • I bet someone will figure out how to de-anonymize and localize the data based on other information. We need *laws* to prevent misuse of information. Technical hurdles just mean some smart people waste a lot of effort and get to the same result.

      You haven't looked at the API. There _is_ no data to be de-anonymized. Do you think Apple and Google haven't hired people with a bit more brains in their skulls than you have?

      • But they don't need to just be smarter than me. They need to be smarter than the people OTHER groups will hire to try to get at the (very valuable) information.

        There must be some data - I presume the goal is to let people know if they have been near someone who was exposed. Maybe it really is just a single bit? Is nothing sent to a central database? Maybe - but then it will be very difficult to understand how the system is working. People will receive alerts with no way to know why they got them.

        At

  • by wakeboarder ( 2695839 ) on Monday May 04, 2020 @10:29PM (#60022960)

    If we gave the government location data, that would give them too much power; leave the location data to the large advertising companies.

  • They don't need the app to use GPS localization: Google and Apple already collect that data in a myriad of other ways. What they'll have on top of that is the ability to track actual human networking - a much finer way to find out who is where and interacts with whom.

    The damn virus just gave them a justification to implement that additional piece of Orwellian software.

    • * And the only way to get around it is to not install covid-19 apps that make use of the API
      * or install them and when they ask to use the API say no
      * or to install the apps, give them permission, and then not worry when a randomly generated ID gets copied onto nearby phones also running the app, and have that data uploaded only if the phone owner claims to have contracted covid-19, and then for your device to see if its generated ID is in the list that have been uploaded (rather than your random ID being p

      • "not install covid-19 apps that make use of the API" - Another reason for a special phone that stays in my car with a flat battery most of the time.
  • by schweini ( 607711 ) on Monday May 04, 2020 @10:37PM (#60022984)
    Here's an excellent Computerphile video on how this will work, including its problems:
    https://www.youtube.com/watch?... [youtube.com]
    • Every Computerphile video that covers subjects I know very well is also very cringy and inaccurate. For instance their one on computer chess is outright wrong unless it's still the year 1990.
  • by ClarkMills ( 515300 ) on Monday May 04, 2020 @11:33PM (#60023060)

    It's easy to beat up on the big guys; well figuratively speaking, we all know we're dweebs if we're real slashdotters.

    Yes, I've thought about this a lot...

    A bluetooth model that doesn't transmit ANY information out to Apple & Google (A & G) and only logs on your device the presence of other passing bluetooth devices (serial number exchange only) seems like an entirely workable and relatively safe system. The initial registration and the potential "Oh no! I have been diagnosed with the novel corona virus!" are the ONLY things that need be transmitted to the server, EVER. No need for GPS or any other form of location system, just collect bluetooth connects-disconnects on your device for a month in a circular queue. Compare your list with the list of "sick serial numbers" that are broadcast or the app can pull it occasionally. If you've had exposure... it's up to YOU to respond; though the "sick serial" device will know that they connected with you from their device's "circular monthly queue of connects".

    This may not be the way A & G have set it up; a user activating the "Oh no! I have been diagnosed with the novel corona virus!" alert may potentially upload their "bluetooth interaction log". This would then give A & G the sick person's interaction list... this is a potential privacy incursion; A & G really should define exactly how their system is set up. This isn't needed by A & G; trusting the user to get checked out should be good enough and is certainly better than nothing.

    A & G may have done the correct thing; there is no magic bullet with tech but this potentially does seem to be about as good as it gets.

    • Sounds like a great way to force everyone to upgrade their phones if you ask me. Most phones already have GPS. The thing that is not required is associating any of this with any personal information. Transmitting randomly generated sick serial numbers to a central server where they can measure distance based on location data is not less invasive than an always on bluetooth beacon that literally anyone can listen to. The GPS based central server has the added functionality of being able to tell you if

  • I understand the concerns about privacy invasion, but if you are concerned about being traced after the pandemic is over, just uninstall the app. The only huge problem for me would be if the government made it compulsory to have the app on your phone like some oppressive countries have done with other apps and root certificate authorities.

    To the people saying this will enrich Apple's and Google's data about you and who you interact with, they already know anything this would tell them and more.

    • "The only huge problem for me would be if the government made it compulsory to have the app on your phone" - This is already happening in some countries and I happen to live in one of those at the moment.
      • > compulsory to have the app on your phone" - This is already happening in some countries and I happen to live in one of those at the moment

        Which country is that?
  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Monday May 04, 2020 @11:43PM (#60023078)
    Comment removed based on user account deletion
    • by NagrothAgain ( 4130865 ) on Tuesday May 05, 2020 @12:00AM (#60023110)

      Does anybody think this will do something useful?

      Ya, a bunch of medical doctors and epidemiologists.

    • by AmiMoJo ( 196126 )

      His objections are because he thinks false positives and false negatives will make it worthless, but that's just silly.

      If there is a false negative someone might get coronavirus but not know it, but eventually they will pass it on to someone who isn't a false negative. It doesn't have to be perfect to be immensely useful.

      False positives are also not such a big deal. For a start the health authority app can simply require approval before a positive is recorded, which would require a test. So not just random

      • False positives are also not such a big deal. For a start the health authority app can simply require approval before a positive is recorded, which would require a test. So not just random people tapping "I have coronavirus" to get off work for a few weeks. And even if mistakes are made the consequence is only that some people have to isolate for a while, not have the whole country on lockdown.

        Simple solution: Every positive test gets a unique random 12 digit number. There is a database of the numbers, with no additional information. To confirm that you are infected, you type in the 12 digit number. Each number can be used once only.

    • Well, what will people do when they have the choice of dying, not going to work again, or installing an app? Especially when mum runs out of money to feed the kids in the basement?
  • It's a moot point really since I don't have a smartphone and won't be buying one in any event, but I don't trust either one of them, or government agencies, to do what they say they're going to do in this case. As someone else in this discussion said: they won't add GPS tracking for now. I'd assume the code would be there anyway, just waiting to be enabled. No thanks. We can do this without any sort of 'app'. Besides which, no 'app' on the planet will stop people from being stupid, and that's really what's
  • by VeryFluffyBunny ( 5037285 ) on Tuesday May 05, 2020 @12:05AM (#60023132)
    ...shitless that there might be a popular backlash against them & a substantial number of people might stop using their services or at least be soured towards them. It wouldn't take much for a more privacy focused smartphone OS company to come along and 'disrupt' their business models if that were the case. The Chinese & Korean manufacturers already have alternatives that they're developing in case they fall out with Google too. Google & Apple may look like unstoppable leviathans but there's a lot to be gained by locking them out of accessing people's lives & some of that power lies with the companies that make the actual smartphones & decide which operating systems to install.
    • The Chinese & Korean manufacturers already have alternatives

      They have privacy focused alternatives for iPhone and Android phones? What alternative universe are they living in?

  • Given enough Bluetooth distance information, stored in a central place, the location can pretty much be calculated exactly. No GPS is needed. More accurately in densely populated areas. The algorithm is called distance geometry. The distances don't even need to be exact. So be very careful with statements about privacy concerning location.
  • by cordovaCon83 ( 4977465 ) on Tuesday May 05, 2020 @08:57AM (#60023984)
    This just seems like one of the times when it makes sense to go ahead and release the source code. This isn't an app that they're expecting to monetize, right? The minimum viable product sounds ridiculously simple to code. I'm sure Apple and Google are working over-time to shoehorn in extra features that no one asked for in order to implement proprietary technologies.
  • I don't understand the concern, there should be an easy way to do this:

    If you had Covid-19, your phone emits an "I have" or "I had" the virus Beacon, no identifying information, no central server, no database of identities, nothing a curious government could exploit.

    Everyone else runs an app that looks for those signals, the app records the time and location where YOU were when you got the beacon. Certainly logging your personal location where you saw a beacon wouldn't raise privacy concerns since you are t

  • The amount of stupid people here is incredible. I'm just waiting for a few anti-vaxxers, 5G tower conspiracists, and "Bill Gates wants to infect us" people.

    There are published APIs. Anyone can see what they are doing. The people who created them are known. And all these smashdotters here are insulting them - with not a trace of evidence.

    "How do we know they are not secretly collecting data" - we know that because they are billion dollar companies that would end up in court doing it. And it would come
  • Not going to let govt. duplicate their efforts and potentially have that data dump in the public domain where companies don't have to pay for it.