Yes, they’re making a respectable effort at privacy here, and I‘m happy to see this getting as much thought as it is. That said, though, the last revision was touted for protecting privacy, and now we hear that they’ve only now decided to move to random keys— and it’s still not clear how uncorrelated that is to user information. I’m not sure that it’s possible to truly make this private. If each key is being used for 5 minutes before updating, and a government puts listeners on every street corner, then it’s pretty straightforward to track an individual’s movements and identify them. It would be nice if every interaction was a one-time code so there was less correlation in the information.
That’s the big difference between this and GPS— GPS is listen only, so nobody knows you’re using it. The app that is providing the UI for that GPS has the potential to forward that information (and there’s been a lot of uproar over that, actually). Still we have fine grained control over location services and can ensure an app only has that information when we want it to. This system is a beacon that emits everywhere you go without your intervention and without turning off.
I’m a bit bothered by the “save us, big tech!” mentality that’s developed— these are businesses and it’s not really their role to provide public health services. I also don’t know if there’s another solution rather than tracing everyone everywhere, but I’d hope people are looking for one because it’s really easy to just decide that we have to throw privacy out the window without thinking about it more deeply.
If it turns out that tracking individuals is the only safe way forward, then I’d much prefer this be a dedicated key fob that I can throw away when the crisis is over, rather than building this kind of tracking functionality into the OS of all my devices.
I found your response very thoughtful and well reasoned. I had actually thought the first revision of this had random keys so I was a bit surprised that that only came up in the second iteration.
However, if the key is changing randomly every 5 minutes, a government with listeners on every street corner would only be able to tie a series of keys together in sparsely populated areas. For example, I am walking down an empty street and emitting ABC123 as my random key. The government sensor detects my approach and departure and even the direction of my departure, since BLE can be used for that based on signal strength. Then I go out of range. Minutes later the second sensor on another street corner detects DEF456 approaching. If traffic light cameras show only a single person walking, or only a couple of people walking, then they can know that ABC123 and DEF456 and eventually GHI789 are the same phone. But they still don't know who that is unless they trace back to the original home address. But for all that to go down, you would already have to be somebody who is under surveillance for them to know to bother looking at you, and the problem gets exponentially harder in crowded urban areas where there are 20 to 30 possible "next identifiers" for ABC123 and another 20 to 30 (or more) for each of those. It does not take long for the graph to explode into a serious big data problem to try to track just one person, let alone a population.
So, if not for the opt-in requirement, I do see this being a problem when authorities are targeting a specific individual for tracking. Police could use this sort of scenario to track down bad guys. For example, an alarm goes off in a store on an empty street in the middle of the night. Police don't care what the Bluetooth ID is; they only care about IDs approaching from that store and departing away from the store, and see where they might lead. At the same time, an authoritarian government could target somebody designated as an insurgent after they make a protest of some kind against that government. If they know the starting point and the streets are empty, then they can trace. However, in both of the above cases the person could opt out of BLE contact tracing and maintain their privacy -- just like terrorists do when they opt in to phone encryption and opt out of iCloud backups.
The average person is not going to be targeted -- in fact the vast majority of them -- because it would take a very large population of authorities to target a large population of citizens. So for the rest of us, this is really good privacy. Targeted attacks can always invade privacy -- there is no way around that. In fact, every time you make a voice phone call the government may be listening because they have issued a warrant against you to wiretap. In fact, large swaths of voice calls are analyzed for key words and phrases and then targeted by governments to thwart terrorist attacks. I don't see this technology on any worse level for targeted attacks than what already exists today (including tracking your location with cell towers when targeted -- if only OJ Simpson had turned off his mobile phone).
Finally -- I love your idea of a key fob, but if I can shut this off whenever I want then I see no reason not to have it in my phone. The minute they take away the ability to opt-out (or the requirement to opt-in) then there is a much bigger problem here. Right now, I feel that with cell tower location tracking, voice call screening, wiretaps, traffic surveillance cameras and good old cloud based email, we have dealt with and accepted much greater threats to our privacy for general and targeted surveillance.
BONUS FUN FACT: Germany, France and the UK all want the identifiers stored in a centralized database rather than distributing the identifiers across people's phones. They essentially want the "sensors on the street corners" to be the smartphones that people are carrying so they don't even have to install sensors anywhere. A big reason I support this architecture is the decentralization of it -- centralizing it in government servers can be disastrous since it greatly increases the ability to data mine without targeting (i.e.: sensors are everywhere since they are everybody's phones) and it creates a central place for hackers to attack.
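The identifier-linking scenario sketched in the reply above (sensors on successive street corners, a key that rotates every few minutes, and a candidate set that stays tiny on an empty street but multiplies per hop in a crowd) can be made concrete with a small simulation. The code below is an added example written for this page; it is not code from the thread, from Apple/Google, or from any contact tracing project. All observations are constructed, the 6 to 10 minute walking time between adjacent sensors is an assumption, and the linker uses timing alone (it ignores the signal-strength direction finding and camera corroboration the reply mentions, which would prune candidates further).

```python
# Added example: a sensor-network operator trying to chain rotating BLE
# identifiers across street-corner sensors. All data here is constructed;
# the 6-10 minute walking time between adjacent sensors is an assumption
# made for the illustration, not a figure from the thread.

TRAVEL_WINDOW = (6, 10)  # minutes between adjacent sensors (assumed)


def successors(observations, sensor, ident, window=TRAVEL_WINDOW):
    """Identifiers seen at sensor+1 whose arrival time fits a phone that
    was last seen broadcasting `ident` at `sensor`.

    observations: list of (sensor_index, minute, identifier) tuples.
    """
    lo, hi = window
    seen_at = [t for s, t, i in observations if s == sensor and i == ident]
    if not seen_at:
        return []
    departed = max(seen_at)
    return [i for s, t, i in observations
            if s == sensor + 1 and lo <= t - departed <= hi]


def candidate_chains(observations, start_ident, hops):
    """Every identifier chain of length hops+1 that the timing rule cannot
    rule out, starting from `start_ident` at sensor 0. The chain count is
    the product of the per-hop candidate counts, so it explodes with
    crowd density."""
    chains = [[start_ident]]
    for sensor in range(hops):
        chains = [chain + [nxt]
                  for chain in chains
                  for nxt in successors(observations, sensor, chain[-1])]
    return chains


# Constructed sparse-street data: one phone, three sensors, identifier
# rotating between sensors; the minute-30 sighting is a decoy that falls
# outside the travel window and is therefore not linked.
SPARSE = [
    (0, 0, "ABC123"),
    (1, 8, "DEF456"),
    (1, 30, "ZZZ999"),
    (2, 16, "GHI789"),
]


def crowded_observations(phones_per_sensor, hops):
    """Constructed crowded-street data: `phones_per_sensor` distinct
    identifiers pass each sensor inside the same travel window, so every
    one of them is a timing-consistent successor of every identifier at
    the previous sensor."""
    obs = []
    for sensor in range(hops + 1):
        for j in range(phones_per_sensor):
            obs.append((sensor, 8 * sensor, f"S{sensor}-{j}"))
    return obs


if __name__ == "__main__":
    # Empty street: exactly one chain survives.
    print(candidate_chains(SPARSE, "ABC123", 2))
    # Crowd: candidate chains grow as (phones per sensor) ** hops.
    for density in (1, 5, 20):
        n = len(candidate_chains(crowded_observations(density, 3), "S0-0", 3))
        print(f"{density} phones per sensor, 3 hops: {n} candidate chains")
```

On the sparse street the timing filter yields the single chain ABC123, DEF456, GHI789, which is the reply's point about empty streets. With 20 phones per sensor and three hops the same filter leaves 8000 equally plausible chains, and the operator needs side information (direction, cameras, a known starting point) to collapse them; without it, the graph growth is what makes untargeted tracking expensive.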