1/11: A comparison on the state of CovidApp transparency in Aus, the UK and Singapore.

Singapore released app and server code weeks ago.

Aus & the UK released app code, and no server code, within the last 24 hours.

#CovidSafeApp @chrisculnane @rgmerk @noneuclideangrl @1Br0wn
2/11: Singapore & the UK have released whitepapers explaining their crypto and assumptions. The UK's is by @NCSC's Ian Levy: ncsc.gov.uk/files/NHS-app-…
In both cases, there are some things I disagree with, but I respect the authors for putting the details out for review.
3/11: Singapore rotates encrypted IDs every 15 mins.
Aus #CovidsafeApp rotates them every 2 hours.
The UK's app keeps the same one all day. The explanation is that this can helpfully nudge people about how much close contact they've had.
4/11: If it was my country, I'd vote for the Apple-Google 15-minute rotation synched with MAC ID rotation so that it was hard for random strangers (and their Bluetooth devices) to tell how many times they'd been close to me in the same day.
5/11: But, again, I respect Ian Levy for making the argument, which compares favourably to the total refusal of @Ausgov to provide any rationale for taking Singapore's 15-minute cycle and stretching Aus's out to 2 hrs. At least the UK has the basis for a rational debate about it.
6/11: It also looks like the UK team has done some clever stuff to make it work better on iPhones, but I haven't checked this myself. @jim_mussared @GeoffreyHuntley @xssfox @wabzqem
7/11: UK & @Ausgov are both keeping their server code secret, but this is much worse in Aus because the server does all the crypto. The UK whitepaper & app code give some opportunity to examine the crypto for bugs. In Aus we don't even know what encryption they're using (if any).
8/11: There is one significant misconception worth straightening out in the UK whitepaper, on the possible re-identifiability of social graph data.
9/11: @ElaineRShi @bipr and @random_walker showed that social network data can be re-identified *from the graph alone* without demographic or other info. arxiv.org/abs/1102.4374
10/11: I'm still not convinced that centralised data gathering is worth the risks, but at least the UK has a clearly-articulated basis for their decisions. All we learnt today in Aus is that @Ausgov still hasn't fixed the Bluetooth bugs @jim_mussared told them about last month.
11/11: We need to see the server code, and read some justification of the design decisions, so that we can identify and fix other bugs in #CovidSafeApp and have a genuine public debate about how it should change. #Auspol
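Added example, not part of the original thread and not code from any of the apps discussed: a simplified model of the point in tweets 3/11 and 4/11, counting how many sightings of one phone a passive Bluetooth listener can tie together under each rotation interval the thread states. The encounter times are constructed, and the model assumes rotation epochs aligned to midnight and a MAC address that rotates in sync with the ID.

```python
from collections import Counter

# Rotation intervals stated in the thread, in minutes ("all day" = 24 h).
ROTATION_MINUTES = {"Singapore": 15, "Australia": 120, "UK": 24 * 60}

# Constructed sample (not real data): minutes after midnight at which one
# phone comes within range of the same passive listener during a day.
ENCOUNTERS = [485, 520, 590, 750, 790, 1065]


def epochs(encounters, rotation_minutes):
    """Map each encounter to the rotation epoch whose ID was being broadcast.

    Assumption: epochs are aligned to midnight, and the broadcast ID is the
    only thing the listener can use to link two sightings.
    """
    return [t // rotation_minutes for t in encounters]


def linkable_pairs(encounters, rotation_minutes):
    """Count pairs of encounters that share a broadcast ID (so are linkable)."""
    per_epoch = Counter(epochs(encounters, rotation_minutes))
    return sum(n * (n - 1) // 2 for n in per_epoch.values())


def largest_linked_group(encounters, rotation_minutes):
    """Most encounters the listener can attribute to one broadcast ID."""
    return max(Counter(epochs(encounters, rotation_minutes)).values())


def compare(encounters=ENCOUNTERS):
    """Return {country: (linkable pairs, largest linked group)}."""
    return {
        country: (
            linkable_pairs(encounters, minutes),
            largest_linked_group(encounters, minutes),
        )
        for country, minutes in ROTATION_MINUTES.items()
    }


if __name__ == "__main__":
    for country, (pairs, group) in compare().items():
        print(f"{country:10s} linkable pairs={pairs:2d} largest group={group}")
```

With a 15-minute rotation none of the six sightings share an ID; with a whole-day ID all six do.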

Keep Current with Vanessa Teague
