A few days ago, I delved into the Google/Apple contact tracing -->

Today's news: "France is asking Google+Apple to weaken privacy protections around digital contact tracing" --> theguardian.com/world/2020/apr…

The news is misleading, the issues are complex.

🧵
2/ The key issue: G+A and the French+German govs are making different privacy tradeoffs.

The French+German protocol, known as ROBERT github.com/ROBERT-proximi…, seems more closely aligned with classic contact tracing privacy, but with one large risk.
3/ In classic contact tracing, as best as I can tell, you get a call from the health department saying "you've been in contact with an infected individual." They don't tell you who, and they don't tell you when & where, because then you might figure out who it is.
4/ ROBERT fits that criterion. Even if you write your own app to speak the ROBERT protocol, you won't find out more than what classic contact tracing would tell you -- that somewhere, at some time in the last few days, you encountered an infected individual.
5/ With G+A, on the other hand, at the protocol level, each phone can determine, thanks to its own clock and GPS, when and where the dangerous contacts occurred. While this might be useful, it is different than typical contact tracing and may violate infected people's privacy.
6/ Now, Apple gives itself an out in its API docs: iOS might "fuzz" the date at which the contact happened, by up to a day. So the OS has the exact contact details, but may not release it to the app or user.
7/ Also, in the G+A protocol, because infected identifiers are broadcast, there is a possibility that one could correlate that data with other information from bluetooth readers. It doesn't seem so bad to me because, again, contact tracing is useful when the # of cases is *low*.
8/ Now, does France + Germany's ROBERT system solve this? Yes, but as I hinted earlier, with one giant caveat. In order to protect infected people's privacy, the ROBERT server keeps track of *everyone*'s random identifiers.
9/ There's supposed to be no geo or other data tied to these random identifiers, but that assumes good citizenship behavior from apps. Also, that server better be kept secure, because if its data gets out, it undoes privacy protections built into phones' bluetooth stacks.
10/ So, is it fair to say that France and Germany are trying to undermine the privacy properties of the G+A protocol?

No, I don't think so. They're making a different privacy tradeoff, and they're *trying* to not create a surveillance database.
11/ The ROBERT design also has the advantage of making it much easier to tweak the risk measurement algorithm over time (and possibly country), whereas for G+A that is built into the OS and won't change that easily.
12/ Overall, I'm a good bit more comfortable with the G+A approach, which structurally protects against many bad server behaviors.

And the G+A design does make use of the OS/app API layer to defend against the weaknesses that ROBERT tries to address at the protocol level.
13/ But I don't think it's fair to discount the ROBERT approach by accusing it of disregarding privacy. That's not quite right. It's a *different* kind of privacy tradeoff. And it's more closely aligned with classic contact tracing.
14/ thanks to @matthew_d_green for helping me phrase it more simply:
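Added example, not part of the original thread and not code from either project: a simplified Python model of the two matching designs the thread contrasts, showing what a phone learns in each and what the server has to store. The class names, function names and sample contact time are hypothetical, and neither protocol's real cryptography or wire format is modelled.

```python
import secrets

def new_id():
    """Constructed stand-in for a rotating random Bluetooth identifier."""
    return secrets.token_hex(8)

class BroadcastPhone:
    """Decentralized model: diagnosed users' identifiers are published to everyone."""
    def __init__(self):
        self.sent = []    # identifiers this phone has broadcast
        self.heard = {}   # identifier -> local clock time it was heard

    def beacon(self):
        rid = new_id()
        self.sent.append(rid)
        return rid

    def check(self, published):
        # Matching runs on the phone, so it learns *when* each risky contact occurred.
        return sorted(self.heard[r] for r in published if r in self.heard)

class CentralServer:
    """Centralized model: the server issues and remembers every identifier."""
    def __init__(self):
        self.owner = {}       # identifier -> user, for *everyone*
        self.at_risk = set()

    def issue(self, user):
        rid = new_id()
        self.owner[rid] = user
        return rid

    def report(self, heard_ids):
        # A diagnosed user uploads the identifiers they heard; matching is server-side.
        self.at_risk |= {self.owner[r] for r in heard_ids if r in self.owner}

    def status(self, user):
        return user in self.at_risk   # one bit: no time, no place, no identifier

def run_demo():
    alice, bob, carol = BroadcastPhone(), BroadcastPhone(), BroadcastPhone()
    bob.heard[alice.beacon()] = "2020-04-18T14:05"      # constructed contact time
    decentralized = (bob.check(alice.sent), carol.check(alice.sent))

    server = CentralServer()
    ids = {u: server.issue(u) for u in ("alice", "bob", "carol")}
    server.report([ids["bob"]])                          # alice, diagnosed, had heard bob
    centralized = (server.status("bob"), server.status("carol"))
    return decentralized, centralized, len(server.owner)
```

In the first model the exposed phone recovers the contact time; in the second it gets only a yes/no, while `server.owner` holds a mapping for every user, which is the data that has to stay secure.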