1/ Who's ready for another Apple/Google contact tracing thread? I know I am!

To me, the most interesting piece of the puzzle is how much trust we place in the phone operating system vs. the app, and the role of the phone's operating system in protecting your privacy *from apps*.
2/ Let's start with the most recent news: Germany has relented and is adopting the Apple/Google approach, the so-called "decentralized" approach, vs. the one Germany wanted (along with France).

reuters.com/article/us-hea…
3/ Both approaches have in common:

- phones broadcast identifiers over Bluetooth, rotated every 15 min, not linkable to one another.

- phones read broadcasts from others, recording which identifiers they've come in contact with.

- there's a server, run by a health department.
4/ Key differences:

- Apple+Google: server learns only identifiers of infected. Germany+France: server learns all identifiers & identifier pairs where exposure.

- Germany+France: exposed people learn only that they've been exposed. Apple+Google: exposed learn when & where.
5/ Tradeoff: with Apple+Google, no large server holding lots of sensitive data, but privacy risk that infected individuals might be identified.

I much prefer Apple+Google, especially because they mitigate the infected-individual privacy risk at API level.
6/ Until recently, Germany+France had one more advantage: the exact model for "suspected exposure", duration and distance of exposure, was adjustable over time.

In an API update 2 days ago, Google+Apple added that capability to their API without changing privacy model.
7/ That may be what moved Germany to adopt the Google+Apple model: they won one important feature without any privacy loss, and I bet it's a feature that matters to public health officials for the sake of prioritizing which contacts to talk to.
8/ Now, why was this even a fight? Why couldn't Germany and France just build the app they wanted?

This is where it's worth understanding that Apple especially, but also Google, have done a LOT to protect your privacy from apps that want to do questionable things.
9/ If an app monitors identifiers broadcast over Bluetooth, that's a very questionable thing. It could use that to track you as you walk around. That's why iOS & Android protect you from this problem by letting apps do this monitoring only when in the foreground, actively in use.
10/ Of course the operating system, iOS & Android, can monitor all they want. With the exposure notification API, they're doing the recording of encountered identifiers and releasing a sliver of that information, only with user approval. The OS is protecting you from the app.
11/ The contours of that protection, the *exact* APIs that exist, have to be designed with incredible care. Over the years, Apple and Google have changed app APIs quite a few times to protect against unexpected abuses that almost always targeted user privacy.
12/ For example, I mentioned earlier how the Google+Apple protocol technically leaks exactly when (and thus where) an individual was exposed, which could leak the infected individual's identity.

At the API level, however, the exact time of the encounter is hidden. On purpose.
11/ Back to France+Germany. Their original plans involved sending all past observed identifiers to the server upon infection. That requires being always in foreground to collect the identifiers, or getting them from the exposure notification API, which Apple-Google won't support.
12/ This large gap between what the operating system can do and how much it reveals to the application is a critical part of privacy design in modern operating systems.

It genuinely reflects the very different trust users place in Apple/Google vs. an app they just downloaded.
13/ In this case, an app -- and not just any app! An app built by a major democratic country's health department in a pandemic -- wanted more access. With good intent! But that was access that Google+Apple considered too risky, and I agree with them.

They pushed back. And won.
14/ Now, I still would love to hear more about why we think contact tracing apps are going to be useful at all. Assuming they are, Apple+Google's is a great design, and I'm glad Apple & Google are fighting for user privacy.
15/ Worth pointing out their protocol design is inspired by the DP-3T effort (github.com/DP-3T/documents). Lotta smart people involved.

The API/protocol separation, though, is Apple+Google's. And it's a critical piece of the puzzle.
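The decentralized flow the thread describes (rotating unlinkable identifiers, server learns only the infected user's keys, matching done on the phone, API reports only coarse exposure with an adjustable duration threshold), as an added simplified simulation that is not the author's code and not the real Apple/Google specification. The HMAC-based identifier derivation, the 15-minute interval indexing, and the `Phone` / `match_exposures` names are assumptions made for illustration.

```python
import hmac, hashlib, os

INTERVAL_SEC = 15 * 60                 # rotation period as stated in the thread (simplified model)
INTERVALS_PER_DAY = 86400 // INTERVAL_SEC

def rolling_id(day_key: bytes, interval: int) -> bytes:
    # Identifier broadcast during one interval. Assumption: HMAC-SHA256 truncated to 16 bytes
    # stands in for the real derivation; without day_key, two outputs cannot be linked.
    return hmac.new(day_key, interval.to_bytes(4, "little"), hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.day_keys = {}             # day -> random key; leaves the device only on diagnosis
        self.observed = []             # (timestamp, identifier) heard over Bluetooth, kept locally

    def broadcast(self, ts: int) -> bytes:
        key = self.day_keys.setdefault(ts // 86400, os.urandom(16))
        return rolling_id(key, ts // INTERVAL_SEC)

    def hear(self, ts: int, rid: bytes) -> None:
        self.observed.append((ts, rid))

    def diagnosis_upload(self) -> dict:
        # Decentralized model: the server learns the infected user's day keys, nothing observed.
        return dict(self.day_keys)

def match_exposures(phone: Phone, published_keys: dict, min_minutes: int) -> dict:
    """OS-side matching against keys downloaded from the health server.
    Returns day -> exposure minutes: the app learns day and duration, never the exact
    interval (the API hides encounter time on purpose). min_minutes is the adjustable
    duration threshold the thread mentions."""
    lookup = {rolling_id(k, i): d for d, k in published_keys.items()
              for i in range(d * INTERVALS_PER_DAY, (d + 1) * INTERVALS_PER_DAY)}
    minutes, counted = {}, set()
    for ts, rid in phone.observed:
        if rid in lookup and (rid, ts // INTERVAL_SEC) not in counted:   # one hit per interval
            counted.add((rid, ts // INTERVAL_SEC))
            minutes[lookup[rid]] = minutes.get(lookup[rid], 0) + INTERVAL_SEC // 60
    return {d: m for d, m in minutes.items() if m >= min_minutes}

def scenario():
    # Constructed encounter: Alice and Bob share two consecutive intervals (30 min); Carol
    # hears Alice once (15 min). Alice is then diagnosed and uploads her keys to the server.
    alice, bob, carol = Phone(), Phone(), Phone()
    t0 = 18000 * 86400 + 10 * 3600     # constructed day number 18000, 10:00
    for k in range(2):
        bob.hear(t0 + k * INTERVAL_SEC, alice.broadcast(t0 + k * INTERVAL_SEC))
    carol.hear(t0 + 3 * 3600, alice.broadcast(t0 + 3 * 3600))
    server_keys = alice.diagnosis_upload()
    return match_exposures(bob, server_keys, 30), match_exposures(carol, server_keys, 30), server_keys
```

Bob's phone reports a 30-minute exposure on day 18000 with no timestamp, Carol's brief contact falls under the threshold, and the server never sees anything either of them observed.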
Keep Current with Ben Adida