It's absolutely pointless. Unless every person on Earth has a smart phone and enables this, it won't do anything.
You’ve done the math on this what percentage of people need to participate for this to provide meaningful benefits? And with borders closed, you largely have to worry only about the people in your country, not about how many people on other continents have smartphones.
Like I said, this whole thing is totally pointless.
Thankfully what you said is incorrect.
 
Interesting and detailed article. The visuals definitely help explaining the material. That being said I still have some questions that are left unanswered for my curiosity.

1. For example how they make sure that the random identifier that they assign to a phone is really unique. I mean I do assume that they use the type of phone, the OS etc. That being said the examples are a bit misleading because there is no way for this number to be of just 6 digits and be unique for every person. It is definitely longer IMO.
2. Apple and Google play a little bit out of the lines when it comes to opt-in. Full opt in means that the setting is disabled by default. I get their point that a person would have to install an app and give permission to it but still potentially a person that does not understand what they are doing could end up exposing data they don't want to. Per GDPR guidelines the setting really should be disabled by default unless there are legal obligations that say otherwise. Meaning the country should have a law that allows this setting to be enabled by default to be fully into the GDPR guidelines.
3. It is kind of unclear what exactly centralized server means. I mean it is one centralized server per app, per country, per region, or for the earth.
4. It is also not clear if this setting would be available on iPads or only on iPhones. I assume that it would be only for phones but still it is not clearly specified.
5. It is also not clear what happens with Android and Apple devices that do not get the latest respective OS version.


After saying all of this as a person I would not use it just because I don't keep my phone on Bluetooth unless I am listening to music. My phone is also not with mobile data enabled by default. I turn it on only to check my email/chats/social media for like 5 minutes and then I turn it off. I also tend to turn off Background Refresh app for most of the apps so even if I had something installed the chance of doing something for me specifically would be rather low.
 
The source code wouldn't be any more proof than the spec, since the user has no way to verify that the code that is deployed on the phone is identical to the published source. At the end of the day you have to trust that they don't lie to your face. But if they did, they could already do a lot of nefarious things on your phone, so why would they wait for this exposure notification system?

Yeah because Apple never lied to our faces 😂
Maybe disabling Bluetooth disables it. I never have it on anyway.

this isn't an option if you use airpods or apple watch
 
1. For example how they make sure that the random identifier that they assign to a phone is really unique. I mean I do assume that they use the type of phone, the OS etc. That being said the examples are a bit misleading because there is no way for this number to be of just 6 digits and be unique for every person. It is definitely longer IMO.
It's gonna be as long as it needs to be. But it still won't create any noticeable bandwidth or storage footprint. Note, that the system will be able to notify you on which day you might have been exposed. Somewhere the date must thus be stored, it could be part of the random identifier string. In that case, it would only need be unique for all identifiers created that day.

But much like a digital signature works (eg, apps have a digital signature that is unique to them and changing any bit of the app bundle will change that signature), creating a hash of a range of properties of a device and the data on it that is both unique and not traceable in any way to the phone that generates it isn't very difficult. And even if there is a 1:1'000'000 chance that two phones spit out the same random identifier, that false positive would increase the number of PCR tests by only 0.0001%. That's absolutely negligible.

3. It is kind of unclear what exactly centralized server means. I mean it is one centralized server per app, per country, per region, or for the earth.
As a start, there will be one app per region and one server per region, corresponding to one health authority per region. In most cases, a 'region' will simply be a country. But there might be deviations in that in the U.S. that might be broken down to one of each per state. But whoever creates the app will control their own server, meaning these will be self-contained systems. Things might change in the future if, eg, in Europe several countries want to make their systems interoperable (right now, a lot of borders are still closed).

4. It is also not clear if this setting would be available on iPads or only on iPhones. I assume that it would be only for phones but still it is not clearly specified.
And this doesn't really matter at this point. They might include tablets because it doesn't require any additional technological effort. But then the user still can enable/disable things on tablets or not, or download the app to their tablet or not.

5. It is also not clear what happens with Android and Apple devices that do not get the latest respective OS version.
So far Apple hasn't said anything about releasing an OS update for older devices. But they could be added later (it will be just additional effort on their part to port this feature to older OS versions that have different (private) APIs). One has to start somewhere, and currently, the largest group of iOS devices runs iOS 13 (the second largest group most likely is running iOS 12, and so on).

Google will release their work as part of Google Play Services (I think that is what it is called), not as an OS update (that only a minority of Android phones would get, at least in a timely manner).
After saying all of this as a person I would not use it just because I don't keep my phone on Bluetooth unless I am listening to music. My phone is also not with mobile data enabled by default. I turn it on only to check my email/chats/social media for like 5 minutes and then I turn it off. I also tend to turn off Background Refresh app for most of the apps so even if I had something installed the chance of doing something for me specifically would be rather low.
I think a lot of people suffer much bigger problems than you keeping Bluetooth on would cause you. And one doesn't even need to go to health effects but the shutdowns and unemployment alone are massive as well. I think asking you to make a small sacrifice here is rather reasonable given the overall situation.
 
It's gonna be as long as it needs to be. But it still won't create any noticeable bandwidth or storage footprint. Note, that the system will be able to notify you on which day you might have been exposed. Somewhere the date must thus be stored, it could be part of the random identifier string. In that case, it would only need be unique for all identifiers created that day.

I don't care so much about the storage footprint than to be as long as it needs to be. We (Developers) are people too and we make mistakes. We all know the 2000 years problems. So yes I do ask if they know how long exactly it needs to be and whether their algorithm for randomness is really random. It is not like I don't know so called methods random that return 4 half of the time.

But much like a digital signature works (eg, apps have a digital signature that is unique to them and changing any bit of the app bundle will change that signature), creating a hash of a range of properties of a device and the data on it that is both unique and not traceable in any way to the phone that generates it isn't very difficult. And even if there is a 1:1'000'000 chance that two phones spit out the same random identifier, that false positive would increase the number of PCR tests by only 0.0001%. That's absolutely negligible.

Not exactly true! First of all until you know how many symbols are in this number and how the random function works you cannot calculate its probability. You are making a guess which might be true or not. There is nothing in the article that provides information on how long the random identifier is and how often it gets changed. It is mentioned once 15 minutes then between 10 and 20.

As a start, there will be one app per region and one server per region, corresponding to one health authority per region. In most cases, a 'region' will simply be a country. But there might be deviations in that in the U.S. that might be broken down to one of each per state. But whoever creates the app will control their own server, meaning these will be self-contained systems. Things might change in the future if, eg, in Europe several countries want to make their systems interoperable (right now, a lot of borders are still closed).

That does not tell me anything about my original question. Nothing stops apps using and sharing the same server. What you say might be true but it is not written in the article. I am saying that it is not clearly specified in the article itself what centralized server means.

And this doesn't really matter at this point. They might include tablets because it doesn't require any additional technological effort. But then the user still can enable/disable things on tablets or not, or download the app to their tablet or not.

It does not matter for you. If I ask the question is because it matters to me. My phone might not have Bluetooth active all the time but my iPad has.

I think a lot of people suffer much bigger problems than you keeping Bluetooth on would cause you. And one doesn't even need to go to health effects but the shutdowns and unemployment alone are massive as well. I think asking you to make a small sacrifice here is rather reasonable given the overall situation.

Who is talking about sacrifice here? I don't keep my phone with active Bluetooth on because it drains its battery. And because it is general security problem. Nothing to do with this app or API. I just don't see the point to keep my device with Bluetooth on just for the sake of it.

I am however Software Developer who from pure professional perspective will put into scrutiny every API or app like that because I know how easy Developer can break security and privacy rules without even realizing.
 
What you say might be true but it is not written in the article. I am saying that it is not clearly specified in the article itself what centralized server means.
You ask a question about something not elaborated on in the article. And then you complain when my answer is not already confirmed by the article???

And do you also refuse to use, eg, Apple Maps because they haven’t detailed what random number generator they use when using those data in conjunction with differential privacy?
 
I don't care so much about the storage footprint than to be as long as it needs to be. We (Developers) are people too and we make mistakes. We all know the 2000 years problems. So yes I do ask if they know how long exactly it needs to be and whether their algorithm for randomness is really random. It is not like I don't know so called methods random that return 4 half of the time.

The codes are 128 bits long.

I looked up an example I wrote a while ago. On 2020-04-30, between 19:56 and 20:00, your phone starts receiving Bluetooth exposure notification messages with the proximity identifier 0546ec4d24f0675dc0c9bcf738df1f9f (and maybe others too, since you may be close to multiple transmitting phones). At 20:00 that stops, and you start receiving messages with proximity identifier 222a19dc602dd291978dc98c853c4fbe, and from a different Bluetooth MAC address. At 20:07 you walk away from where you are and you stop receiving them.

It's impossible to know if those two came from the same person / phone or not. All your phone can do is record the identifiers, the date and time of each contact, and maybe the signal strength to estimate distance, and keep it for the future in case one of those is reported as infected. The government's app is also forbidden from using GPS so it can't know where you were when that contact happened. (I think it's not even allowed to access the IDs, it can only ask the OS to look things up in the list of collected IDs but not access the list)

You ask if they really are random. They are actually not random themselves, they are derived with AES-128 from a random key. To know whether those two identifiers were derived from the same key without knowing the key, or to "go backwards" and figure out the key from the identifiers, you would need to break the security of AES. If you could break AES you would break the security of a significant proportion of the world's computer systems, you wouldn't waste it to track people in the supermarket.

EDIT: I was going to post the random key and challenge technically-minded people to follow the spec and figure out if the above proximity identifiers match the key or not (ie. pretend I got infected and I uploaded my key, see if you were in contact with me or not). However it turns out I screwed up following the crypto spec myself, so those won't match anything. Oh well.
 
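The derivation and the "did I meet this key?" check described in the post above, as an added Go example that is not part of the original thread. It assumes the key schedule of the published Apple/Google Exposure Notification cryptography specification (HKDF-SHA256 to get an identifier key, then AES-128 over a padded 10-minute interval number), which is not spelled out on this page; the daily keys, timestamps and the ±2 hour skew tolerance are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const (
	intervalSeconds = 600 // one interval number per 10 minutes
	rollingPeriod   = 144 // intervals covered by one daily key (24 h)
	skewTolerance   = 12  // assumed: accept sightings within +/- 2 h
)

// IntervalNumber maps a Unix timestamp to its 10-minute interval number.
func IntervalNumber(unix int64) uint32 { return uint32(unix / intervalSeconds) }

// hkdf16 is HKDF-SHA256 (RFC 5869) with an empty salt and 16 bytes of output.
func hkdf16(ikm, info []byte) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:16]
}

// DeriveRPI computes the 128-bit proximity identifier that a phone holding
// the daily key tek broadcasts during the given interval.
func DeriveRPI(tek [16]byte, interval uint32) [16]byte {
	block, err := aes.NewCipher(hkdf16(tek[:], []byte("EN-RPIK")))
	if err != nil {
		panic(err) // unreachable: the key is always 16 bytes
	}
	var padded, rpi [16]byte
	copy(padded[:], "EN-RPI") // bytes 6..11 stay zero
	binary.LittleEndian.PutUint32(padded[12:], interval)
	block.Encrypt(rpi[:], padded[:])
	return rpi
}

// Sighting is what the receiving phone stores: the identifier it heard and
// its own clock's interval number. No location, no sender identity.
type Sighting struct {
	RPI      [16]byte
	Interval uint32
}

// MatchKey re-derives every identifier of a published daily key and returns
// the intervals at which this phone heard one of them. A sighting whose
// recorded time is far from the derived interval is ignored, so an
// identifier replayed on another day does not count as a contact.
func MatchKey(tek [16]byte, start uint32, seen []Sighting) []uint32 {
	derived := make(map[[16]byte]uint32, rollingPeriod)
	for j := uint32(0); j < rollingPeriod; j++ {
		derived[DeriveRPI(tek, start+j)] = start + j
	}
	var hits []uint32
	for _, s := range seen {
		iv, ok := derived[s.RPI]
		if !ok {
			continue
		}
		d := int64(iv) - int64(s.Interval)
		if d >= -skewTolerance && d <= skewTolerance {
			hits = append(hits, iv)
		}
	}
	return hits
}

func main() {
	var sick, other [16]byte // constructed daily keys, not real ones
	for i := range sick {
		sick[i], other[i] = byte(i), byte(0xA0+i)
	}
	start := IntervalNumber(1588204800) // 2020-04-30 00:00 UTC
	seen := []Sighting{
		{DeriveRPI(sick, start+119), start + 119},  // 19:50
		{DeriveRPI(sick, start+120), start + 120},  // 20:00, same phone
		{DeriveRPI(other, start+120), start + 120}, // a different phone
	}
	for _, s := range seen {
		fmt.Println(hex.EncodeToString(s.RPI[:]), s.Interval)
	}
	fmt.Println("matches for published key:", MatchKey(sick, start, seen))
}
```

The three printed identifiers share no visible structure; only re-deriving from the published daily key ties the first two to the same phone.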
Dude, it’s not 2003. 46% of people 64 and above have a smartphone. And growing rapidly.

Also, 23% of deaths are of people 45-64. Not that old.
And many of the deaths are not even from covid19. Over zealous reporting has been used in most jurisdictions.
 
Excess mortality data actually suggests COVID deaths are underreported.
It’s the opposite. They are using it as the cause even when it’s secondary with a primary cause that would lead to death with or without covid. And it sure is suspicious how the flu deaths are so low this year.

Then there is the under reporting of people that actually have the disease due to people with no or minor symptoms not getting tested. Overall, the stats make it look worse than it really is.
 
It's an interesting system and one that seems designed to keep people's privacy in place (for this).

That said, since the U.S. isn't creating a national app for everyone to use for contact tracing, it's up to each state to do it all on their own...and most are choosing ready-made apps that don't use the Apple / Google API and do violate your location privacy (only 3 states so far are going to use this API Apple and Google just released) - so at least in the U.S., since you have to have an app installed to even enable it to work - most folks will never see the Apple / Google update even enabled. A big swing and a miss (for the U.S.) for contact tracing.

Guessing most of the states which are going for real location tracking back to home base apps (not using the Apple Google API) won't get remotely close to the number of users to install the number of apps that they need for it to be effective. Entirely predictable. Another big swing and a miss (for the U.S.) for contact tracing.

The U.S. should have had a national system for this, but since it didn't (and it was pretty obvious a good while ago the admin wasn't going to do anything here) Apple and Google should have created their own app - so it would have been available. JMHO...
 
Once again, it’s not a data/privacy issue, it’s an ideological/societal one.

I will not have my phone pinging me just because someone else has gotten sick. If I get sick, I’ll take appropriate measures. But I’m not walking around waiting to get pinged. In high density areas like a city, you’ll be at risk for getting more pings about COVID than texts from friends and colleagues.

To me, this is simply obnoxious; but imagine the people who already can’t handle anxiety or mainstream fear paranoia, how will they do with being pinged about their potential acute death sentence multiple times a day?

Furthermore, unless I end up in hospital from symptoms, I won’t be pursuing a COVID test because of how haphazardly it’s assumed I should suddenly be tracked. That’s a big NO. I was not opposed to getting tested until seeing how a positive test suddenly comes with all of these assumptions and implied actions to take next.

All of this is a red flag setting precedent for worse things. In the other thread I used the example of HIV/AIDS. That’s something that “should” have contact tracing, yet it does not. So far we can statistically say that people recover from COVID. Not so with HIV, which is a death sentence* on maintenance. So I find this COVID tracking supremely suspicious.

If you’ve got no problem with this, then get ahead of the curve you’re flattening and imagine a future where you’re pinged for passing a stranger with COVID … then passing one with HIV … then passing one with Herpes … etc. It’s all inappropriate.

The violation of privacy is not with the data (which I applaud Apple for handling well), but with the idea of allowing our health to be broadcast and allowing our personal devices invaded with pings from those who willy-nilly broadcast their health out of some noble sense of saving the world.

It would honestly make more sense to have no privacy and share everyone’s contact info. That way if you, Person Who Supports Tracking, pass me and get me sick, then I can sue your insurance to cover my healthcare to get sick. How does that sound? Just like with a car accident.

After all, contacting COVID and ending up in hospital in the US is more likely a financial death sentence than an actual death sentence. Statistically speaking, anyway.

EDIT: Corrected typo of not including the word “sentence.”

There's a stunning amount of false equivalence here and outright falsehoods here, but I'll address the most ridiculous statement. HIV hasn't killed >95,000 Americans over the past three months (with a near total shutdown and social distancing) and someone who starts antivirals isn't going to die within three weeks. It's not the 1980s, pal... I'd suggest you read up on HIV and not stereotype people who are positive as some sort of plague carriers.

I was sick with Covid for over 10 weeks and still can't fully taste and smell. Two of my friends lost their moms, two lost grandfathers, and one lost a nephew. You may think this pandemic isn't serious and that specious technolibertarian soundbites make for 'smart' forum posts, but it's crap.
 
In high density areas like a city, you’ll be at risk for getting more pings about COVID than texts from friends and colleagues.

Wait, hold up. You expect to get pinged a lot, and your lesson from that is not "maybe I should stop walking around in crowded places during a pandemic" but rather "this notification system is really annoying; I'm going to turn it off"?

All of this is a red flag setting precedent for worse things. In the other thread I used the example of HIV/AIDS. That’s something that “should” have contact tracing, yet it does not.

I wasn't aware that the HIV pandemic is back (what is this, 1987?) or that HIV can now be spread through breathing?

So far we can statistically say that people recover from COVID. Not so with HIV, which is a death sentence* on maintenance.

And yet, in the entirety of 2017, 16,350 US citizens diagnosed with HIV died. In only the first five months of 2020, 90,000 and counting died of COVID.
 
Please look at the CDC.gov website. Look for "Hospitalization Rates".
For the month of March, across 14 states, the rate of which people with diagnosed COVID19 (Wuhan Flu) were forced to be admitted to the hospital was less than 410 per 100,000.

(410/100,000) x 100% = 0.041%

So, assuming you are exposed, and do catch this virus (and it's pretty much inevitable, hide if you want - you will be exposed), the odds of you being asymptomatic are 40-60%. You could have had it, or have it now and not know or realize it. If you get it, odds it will be little more than a slight fever and a dry cough. There is a ~0.041% chance you will go to the hospital- and then the odds are that you will come home a few days later.

Research for yourself, yes, thinking for yourself is hard..... so is math. It's so much easier to be lied to, to have people with an agenda lead you to fear, and to give up your privacy and "let them protect you". Historically, those who say they want to protect you, wind up enslaving you.
...
And yet, in the entirety of 2017, 16,350 US citizens diagnosed with HIV died. In only the first five months of 2020, 90,000 and counting died of COVID.
Apparently you have not realized the difference of dying "with" a disease, and dying "because" of a disease.

Given that hospitals are given $13,000 for each death attributed to COVID. Now, suppose you have an elderly patient with Heart and Lung issues, and they die. If you say "Heart attack", you get nothing. If you say "COVID", that's an easy $13,000 from Medicare. No questions. What do you suppose is going to happen?

Why do you suppose the CDC pulled back over 45,000 deaths off the National death count? I am reasonably sure they didn't hop off the tables and walk away. If you are shot in the head, stabbed a dozen times, it doesn't require a MD to say that they probably didn't die of COVID. But, that's not what the Death Certificate says.

Nice thing about the truth - it doesn't change with time. Facts remain, no matter how circumstances change, politics change, facts remain constant. However, the story on this virus changes constantly. Remember when it started, we were supposed to be at 2 Million dead at the beginning of this month.
 
However, the story on this virus changes constantly. Remember when it started, we were supposed to be at 2 Million dead at the beginning of this month.
The story was that you'd be at 2 million dead *if you did nothing* (many clickbait news articles left off that detail). You're not at that number *thanks* to the preventative measures.
 
Apparently you have not realized the difference of dying "with" a disease, and dying "because" of a disease.

Given that literally both numbers are people dying with a disease, I'm not sure how you figure that.

Given that hospitals are given $13,000 for each death attributed to COVID. Now, suppose you have an elderly patient with Heart and Lung issues, and they die. If you say "Heart attack", you get nothing. If you say "COVID", that's an easy $13,000 from Medicare. No questions. What do you suppose is going to happen?

If you're trying to concoct a conspiracy theory that COVID deaths are overcounted: the excess death number suggests they're actually undercounted.

Why do you suppose the CDC pulled back over 45,000 deaths off the National death count?

I don't know that they did, but my guess would be: they're bad optics for the administration.

Nice thing about the truth - it doesn't change with time. Facts remain, no matter how circumstances change, politics change, facts remain constant. However, the story on this virus changes constantly. Remember when it started, we were supposed to be at 2 Million dead at the beginning of this month.

Yeah, man. I was told I could fall to my death, but I didn't, so what even is the point of wearing a parachute?
 
The fact is that if you have a cell phone, you are being tracked. The Gov't already knows where I live, where I work, how much money I earn/have, who my friends are, where I shop and what my hobbies are. Honestly, I do not see a big problem with this.
You don't even need a phone. Just being on the Net tracks you. The Net came out 25 years ago about it.
 
You don't even need a phone. Just being on the Net tracks you. The Net came out 25 years ago about it.

True, but a phone has far more sensors.

You can gather someone's location data from IP packets (especially if the ISP plays ball because you have a warrant), but with a phone, you get far more data than that from cell towers + Wi-Fi, not to mention collected data on the phone from all kinds of other sensors.

(Which is why iOS and Android are so much more aggressive about sandboxing this data.)
 
here's a scenario that hasn't been explained:

Two strangers who have never been near each other, turn this app on and participate.
Person 1 gets sick and reports it to the app.

But since Person 2 never has been near Person 1, Bluetooth identifiers were never exchanged.

While Person 1 is still infected (and contagious) he HAS to still go out to the store to get food. When he's waiting in line, (next to Person 1) will Person 1 get an ALARM immediately that there's a person nearby who is a leper?

• Will it be real time? Or always old news with a time lag?

If it's REAL TIME (Alert! Alert! Infected Person Nearby) are hordes of people (using the app) going to spill out of doorways in panic the moment the Leper enters the store?

If yes - not good.
If no - contact tracing won't protect you
I'm wondering what I thought you were going to ask at first. Let's say we have 1 2 and 3. 1 and 2 come in contact at some time, and at another location 2 and 3 come in contact. If 1 reports infected, obviously 2 gets an alert, but does 3 get an alert they were in contact with someone potentially infected due to being a positively infected? And how deep will that go? If 3 and 4 were near and 4 and 5 were later near etc....how many will get warned and will you be told how many hops?
 
You're creating the problem, you deal with it. Personal responsibility.
No the virus caused the problem if the business closed due to it. The is definitely a failure of the system that ones who lost their jobs by no fault of their own aren't being assisted. My wife is fine, but lots in PA who need to contact UC can't even get through.
 
No the virus caused the problem if the business closed due to it. The is definitely a failure of the system that ones who lost their jobs by no fault of their own aren't being assisted. My wife is fine, but lots in PA who need to contact UC can't even get through.
Go read the whole context of the thread you’re replying to - it’s people asserting they refuse to participate in wearing masks and/or contact tracing, including Apple’s exposure notification system, yet they’re tired of staying home and want to exercise “their god given rights” to do whatever they damn please, including risking other people’s lives. If they - or you - don’t want to participate in protecting society’s health, then my response stands, stay home until a vaccine is perfected. They are creating the problem of risking the health of society at large, by refusing to participate in masks and contact tracing. If they don't want to play by the rules, then they can sit on the sidelines, and that choice, and the resulting consequences (staying home), is on them, not on the virus.

(I grow weary of people yelling about their “god given rights”, which they confuse with “the right to do anything I damn well please”. If you were the only human on earth, then, sure, you could do whatever you want. Once there are other people around, and society exists, and you are part of that society, you have to play by some basic rules. Your rights are limited to things which don’t, in turn, violate other people’s rights. For example, you can’t just go around stabbing anyone you please, even if you really want to. And if you are walking on public sidewalks, driving on public roads, receiving protection from police and fire departments and the military, or exchanging money for anything ever, then you are participating in society, and you need to abide by the rules. If you want to live in “I can do anything I want land”, you’ll have to go somewhere else, far away from any other humans.)

As a separate issue, yes, the system has failed to take care of many in society. This didn’t start with covid19. We’ve got a lot of homeless people, and they’re not living on the street out of choice. We’re the only major industrialized country without universal healthcare, leaving it instead to employers to deal with (or not), meaning that if you lose your job you lose your healthcare. One faction has worked very hard to dismantle every program intended to assist those who fall on hard times (which can be anyone, in times of crisis), decrying anything that gets in the way of their goal as “socialism”. And in times of crisis we look to our leadership to marshal resources and organize a response, but our “leader” is far too preoccupied with shouting down his opponents, muzzling medical experts, congratulating himself and his team, and worrying about his poll numbers. The states were told to fend for themselves, but he’s quick to take credit for anything that goes right, and deny responsibility for anything that goes wrong. The White House had months of notice that trouble was coming, but did nothing other than issue denials (“there are only 15 cases and soon it will be close to zero”), for fear that it might upset the precious stock market. And epidemiological studies now say that shutting everything down even just a couple of weeks earlier would have saved tens of thousands of lives.

So, yes, the system has failed us in many ways. That’s a reason to try to fix the problems with the system, not to decide that you’re not gonna play by the rules any more, and you don’t care if you put everyone else’s health at risk. The virus created a mess by showing up. The responsibility for how we choose to deal with it is on us.
 
here's a scenario that hasn't been explained:

Two strangers who have never been near each other, turn this app on and participate.
Person 1 gets sick and reports it to the app.

But since Person 2 never has been near Person 1, Bluetooth identifiers were never exchanged.

While Person 1 is still infected (and contagious) he HAS to still go out to the store to get food. When he's waiting in line, (next to Person 1) will Person 1 get an ALARM immediately that there's a person nearby who is a leper?

• Will it be real time? Or always old news with a time lag?

If it's REAL TIME (Alert! Alert! Infected Person Nearby) are hordes of people (using the app) going to spill out of doorways in panic the moment the Leper enters the store?

If yes - not good.
If no - contact tracing won't protect you
If people whose infection has been confirmed by a test do not severely limit their contact with others (self-isolate, eg, get their groceries delivered), then there is little point in testing in the first place. Contact tracing just helps the authorities find potential candidates for testing.
 
Can someone please explain to me why is this region limited, is it US only Apple?