back to article Wanted: An exit strategy from the overt surveillance of smartphone contact tracing

The world seems set to adopt smartphone-driven contact tracing to help detect COVID-19 carriers but regulators need to plot an exit strategy from this new form of deeply personal and intensive surveillance. The need for that exit strategy is plain because whenever businesses or governments get us all to sign up for data …

  1. 2+2=5 Silver badge

    Yebbut...

    On the plus side, the wearing of surgical masks by people with colds will become the new norm so that's one in the eye for facial recognition.

    1. fidodogbreath Silver badge
      Big Brother

      Re: Yebbut...

      the wearing of surgical masks by people with colds will become the new norm so that's one in the eye for facial recognition

      Or not.

      1. e^iπ+1=0
        Boffin

        Re: Yebbut...

        "Or not"

        To be safe from virus / facial recognition you need goggles too.

        1. Snowy
          Boffin

          Re: Yebbut...

          For now yes but it will not be long until they can do facial recognition with goggles on too.

  2. Anonymous Coward
    Anonymous Coward

    What about Google?

    Firstly, the article suggests that Google and Apple should be the ones who control when this gets switched on or off. I disagree. Like it or not, decisions over this should be made by national governments (in my case, a democratically-elected national government), not private companies. The article appears to my eyes to suggest that corporations should take decisions over governments, and that has the potential to lead to a very dark future.

    Secondly, the article notes that "cynical misuse of the data by a social network" is a risk, but fails to include cynical misuse of the data by the world's largest ad broker, who are also responsible for the software running on 80% of the world's smartphones. And have been known to still collect data even when the "pretty please, I don't want to" switches have been set in the maze of twisty little config settings.

    Google are not some collective whose only concern is for the public good. They are a corporation whose only concern is maximising revenue. Any public statements of "Don't be evil" stopped long ago.

    1. Chris G Silver badge

      Re: What about Google?

      Not only does it need government input, it needs governments to specifically ban commercial use across the board.

      While governments are at it they should also be limiting themselves and their agencies from being able to abuse this technology.

      Simon can add to his list Social Services and Local government abuse, as happened before with the RIPA.

    2. Pascal Monett Silver badge

      Re: that has the potential to lead to a very dark future

      That has led us to today. Google, Apple, IBM and others lobby our governments, get lawmakers in their pockets and strive to ensure that no major obstacle gets in the way of their profits.

      We'll see how the EU declares managing this, and what actually results, but I will be sincerely astonished if Trump imposes anything on "Tim Apple".

    3. Anonymous Coward
      Anonymous Coward

      Re: What about governments?

      fails to include cynical misuse of the data by the world's largest ad broker

      likewise, a cynical misuse of the data by the world's goverments. Trouble is, that all the parties, i.e. contract providers, service providers (aka googles of the world) and the governments are out to get your data, all under the same pretences of helping YOU. Trouble (also) is that you can do fuckall about them. You have a choice, of course, you either either bend over for this one, or for that one, or for all three, etc.

    4. Anonymous Coward
      Anonymous Coward

      Re: What about Google?

      I can't help but feel that Facebook must be delighted with the way that everyone seems to be setting up neighbourhood WhatsApp groups to help support vulnerable people etc in the current situation. Purely from the meta-data from these groups they'll be able to identify communities of households across the country and work out which people are the "organisers" (people who send lots of messages taht others read and respond to), which ones are the "volunteers who repond when prompted" (people recieving messages from "organisers" and then further exchange in smaller groups) and people who "do what they are told" (people receiving messages from organisers and responding to them but not any further).

    5. HildyJ Silver badge
      Alert

      Re: What about Google?

      As little as I trust Google and Apple I trust the US and, from what I read, the UK governments even less This doesn't add much to their saleable data but it does wonders for a surveillance state.

      All it needs is a cutoff of notifications to anyone but a government agency and the ability of that agency to opt you in without telling you. Pick your suspect and see who he comes in contact with.

  3. Yet Another Hierachial Anonynmous Coward

    Scary and Scarier

    Whilst Covid-19 is undoubtedly scary, the prospect of users willingly signing up to contact tracing in order to get their life back on track and the abuse consequences of it are even scarier.

    It also needs to factor in.....

    Not everybody has a mobile phone.

    Not everybody with a mobile phone runs google or iphone OS.

    Not everybody with a phone has it with them 24/7 - I frequently leave my phone at home when going out, just to get away from it. This particularly the case when going into some public events, like concerts, or maybe restaurants.

    Whilst these ideas could do some good, there is a lot of potential for a lot of harm that we will never recover from.

    1. Anonymous Coward
      Anonymous Coward

      Re: Scary and Scarier

      Also, phones still have an off switch. Guess what the first request will be by idiots planning a covid party?

      1. Iad Uroboros's Nemesis
        Joke

        Re: Scary and Scarier

        Yes, but similar to Micky Flanagan's "out out", there is "off off". From what I understand from various articles, even when you have your mobe turned off, it is still partially on and reporting stuff back to mothership.

        The only way to have it "off off" is to remove the battery...and give it an hour or two for every capacitor etc. to discharge...or drop it in a bucket of acid (as many phones are now waterproof).

        1. Irongut Silver badge

          Re: Scary and Scarier

          That's some lovely FUD you have there.

          The tiny capacitors in your phone discharge in seconds. If they could hold charge for hours they'd be the size of bricks and your phone commensurably larger.

        2. staringatclouds

          Re: Scary and Scarier

          Are there any modern phones with batteries that can be removed these days ?

          1. EnviableOne Silver badge

            Re: Scary and Scarier

            some of the lower end ones, but definatley not the flagships, aa keep this relativley up to date.

            https://www.androidauthority.com/best-android-phones-removable-battery-697520/

    2. Yet Another Anonymous coward Silver badge

      Re: Scary and Scarier

      >Not everybody has a mobile phone.

      You mean terrorists/pedophiles/people_who_leave_the_teabag_in ?

      >Not everybody with a mobile phone runs google or iphone OS.

      Bans Huawei

      >Not everybody with a phone has it with them 24/7

      A new offense of "going un-equipped during the hours of daylight"

      1. EnviableOne Silver badge

        Re: Scary and Scarier

        most people have a phone and herd immunity only requires about 80% coverage

        if you look at mobile usage currently 6.8 billion own a mobile or 95%+ of the world populations

        and 99%+ of these run either android or iOS

        the next two OS are KaiOS at 0.32% and Tizen at 0.16%, and apparently 0.1% still use windows mobile

        so by covering Android and iOS you cover approximatley 94% of the world's population, which is more than enough to protect the other 6% (herds and all)

  4. Cynic_999 Silver badge

    There is absolutely no doubt in my mind that no real effort will be made to remove or disable any application that is so useful to state surveillance and "analytics" companies. On the contrary, we will likely be urged to adopt it permanently. For our own safety, of course.

    1. Steve Button

      "once coronavirus is behind us" it will be removed. Unfortunately coronavirus, like the common cold, is here to stay and it will NEVER be completely behind us. When do we decide it's behind us? Once not a single person is dying of it. So, never basically.

      1. Jonathon Green

        ...and there’s always the next pandemic.

    2. fidodogbreath Silver badge

      On the contrary, we will likely be urged to adopt it permanently. For our own safety, of course.

      Don't assume that it will remain optional. This issue sits at the nexus of surveillance capitalism and governments protecting themselves from their citizens. It is in the self interest of all of the stakeholders* to populate their "social graphs" with ever more intrusive and inescapable surveillance.

      * Except us, but no one in a position to decide cares what we think; we're just the batteries that power the matrix.

      1. TheMeerkat Bronze badge

        Capitalism? It is the Communist countries that always welcome surveillance. Capitalism is the only reason why we can reject the idea because without private capital nothing will limit the bureaucratic machine of the state.

  5. Ordinary Donkey

    Governments need to be explicit...

    UK.gov will inevitably include "... or to protect the economic stability of the UK" into the conditions where they may use this technology.

    Or in plain English, if it's worth selling they'll slurp it.

    1. Julz Silver badge
      Black Helicopters

      Re: Governments need to be explicit...

      You missed "...or where it may impact national security".

      1. Kane Silver badge
        Childcatcher

        Re: Governments need to be explicit...

        "You missed "...or where it may impact national security"."

        The two statements are not mutually exclusive.

  6. Pat Att

    Business opportunity

    I foresee a business opportunity a bit like dog walking. I offer to collect people's phones, and take them on a journey, to simulate any desired trip. Be somewhere your phone isn't, and fool The Man.

    1. Charlie Clark Silver badge

      Re: Business opportunity

      There was already an experiment like this in Berlin where I guy pulled a cart load of phones around: Google maps showed the largely empty streets where he was travelling as having traffic jams.

      Technology per se is rarely the solution to anything.

    2. Anonymous Coward
      Anonymous Coward

      Re: Business opportunity

      That job already exists in places like Monaco for people to live in a tax exiles' apartment and use phones and credit cards to prove residency.

      (Or was that just something I read in a Peter Mayle novel ...?)

    3. Anonymous Coward
      Anonymous Coward

      Re: Business opportunity

      sadly, phone-walking business is already behind the latest ideas. In another European country, you're supposed to snap a selfie, when the app "asks you" to do so. You have about 20 min to comply. And no, they don't compare that mugshot with their own database (although, they might, who knows, they didn't say they're not doing it). And what do they do when you don't want to send them your stupid mug, zap you? Nah, they send the police to check on you. Sure, multiply by 2 million (or just by 2, eh?) and all two police partrols are already engaged. But then, how about an idea of cheap and cheerful herd of robo-spiders tasked with checking on law-abiding citizens. Minority report is still in the future, but drones have had their first real, world-wide test. We're only at the very, very, very beginning of a race to replace certain services, costly to the State, with non-human equivalents. Remember citizens, it's all for your own good!

  7. Anonymous Coward
    Anonymous Coward

    I will say to both Apple's and Google's credit, they have baked a decent kill switch into their designs. Users hold a unique and private key that is used to generate daily identification tokens. This means two things:

    - Without access to the individual's unique key you cannot do pattern-of-life analysis across multiple days. This makes de-anonymisation _very_ difficult. I won't say impossible, but without the ability to spot common patterns across days, in turn allowing you to derive the day, venue, participants etc, it is at least very difficult.

    - Without access to everyone's keys (or at least a significant percentage of them), you can't tell which day is which - this means you can't hijack the contact tracing data for "other" research. Answering possibly benign but possibly not benign questions like "which day are people most social on?" becomes impossible.

    Assuming that private key is suitably protected and only used during contact tracing activity, the design is sound. Given both Apple and Google have effective root access to our devices and have unlimited capacity to store and analyse information about us, the design could have been a lot, lot more invasive.

    My worry here in the UK is that the government's approach is being informed by bullshit merchant powerpoint jockeys like "Faculty AI" and the absolute scumlords at Palantir. They'll be falling over themselves to smash the genie's bottle of privacy into as many pieces as they can so they can hoover up all the post-covid contracts, and I don't think there's any professional or technical body here with enough clout to fight them as they do it.

    1. Tom Chiverton 1

      Changing id daily doesn't help, the government knows where the phone was at the end of the day (carrier and local government data) and so has deanonymised not only you, but your whole social graph.

      Do you really think they'll give this power up once they have it?

      1. Anonymous Coward
        Anonymous Coward

        >Changing id daily doesn't help, the government knows where the phone was at the end of the day (carrier and local government data) and so has deanonymised not only you, but your whole social graph.

        Location data doesn't help. Contact tracing information has no location information, instead it encodes the fact that two devices came into proximity with one another, and that is only verifiable if you bring together the daily key of the broadcasting device with the device that received the broadcast; by design this does not happen on the servers that co-ordinate the process, it happens on your device. You need to read the spec a bit more closely.

        1. EnviableOne Silver badge

          they really dont need this info, using mobile metadata, they can work out who you are, where you go and who you meet with.

      2. Anonymous Coward
        Anonymous Coward

        > Do you really think they'll give this power up once they have it?

        Yes, once you point out to politicians that 'anonymous' press briefings and tip-offs will no longer be anonymous.

      3. Anonymous Coward
        Anonymous Coward

        Assumptions are sometimes quite subtle....

        @Tom_Chiverton_1

        *

        Quote: "...deanonymised not only you, but your whole social graph..."

        *

        There's a subtle assumption in there....namely that the STASI can identify "you". But they can only do that if the mobile you carry has been registered in some way to an actual person. Suppose I'm carrying a ten year old 2G phone with a "pay-as-you-go" SIM (from a convenience store) and using minutes (from a convenience store)...all paid for in cash. No contract, no credit card......and the STASI have no idea who is carrying the phone. Of course, "social graph" is another matter......but all my pals are using the same strategy.....all the STASI can collect is a completely anonymous "social graph".

        *

        Maybe the next legislation will attempt to ban this simple strategy? If so, we absolutely know that the STASI is with us, big time!

    2. GordonD

      This needs lots of upvotes.

      So many people either haven't read the Google/Apple scheme, or haven't understood it.

      This scheme doesn't need a kill switch, because it does not support tracking, only a yes/no have I met an infected person.

      But don't believe me, believe Bruce Schneier. "It is privacy preserving... and well thought out."

      https://www.schneier.com/blog/archives/2020/04/contact_tracing.html

      https://www.schneierfacts.com/facts/top

      As anonymous coward writes, the risk isn't that the Apple/Google scheme is abused, it is that it is ignored by those wishing to use Covid 19 as an excuse for wider surveillance.

      1. Dave 126 Silver badge

        Yep, I read the article above and was left unsure if the author had even read the Apple Google whitepaper. If the author had mentioned, for example, the tokens that the system is based on, then I would know that they had read it and thus their opinion was informed - regardless of whether they ultimately came down in favour or against it.

        As it is, the author writing about the white paper but then not mentioning any specific details leaves me in doubt.

      2. Dave 126 Silver badge

        https://www.ft.com/coronavirus-latest

        Lots of graphs here. Compare the graph of Coronavirus cases in South Korea compared to damned near everywhere else. It looks very different. Why? Well, being a prosperous country with good health care helped, as did a rapid roll out of testing and contact tracing. This contact tracing did save lives. It also, in a small number of cases, reveal some people to be cheating on their partners due to how it was implemented.

        I'll leave it to you to weigh up the right to live against the right to have a mistress on the sly.

        If anyone in the UK wants to take up arms in the fight against surveillance, then they would do well to look at the legislation that has been passed in response to this pandemic.

  8. Flak
    Coat

    Leave the phone at home

    ... and contact who you will...

    obviously after we have all stayed at home, protected the NHS and saved lives!

  9. Anonymous Coward
    Anonymous Coward

    Two things before we get there....

    How about

    1. Google undo the utter bullshit that is having to enable location service for bluetooth to work, and

    2. All the fuckers producing apps that hoover up all the contacts from people phones with some EULA fine print that says "I confirm that all my contacts have agreed to me sharing their data" which we all know is an absolute crock of shit, are hit with maximum GDPR fines

    /rant

  10. SVV

    Like a snowball gently descending into the firy pits of hell.....

    These calls to end it asap afterwards will be torched by the desire to make it compulsory forever. The excuses will be perfectly plausible and seem almost objection proof to most people, such as "needing further research to see if we could have learned more useful information that would have saved lives" and "being instantly prepared for the next time this happens". The "oh look, we now know so much about everyone that we can now terrify them into obedience in our new authoritarian state" bit will sadly only be discovered later. That bit only needs to happen once, however much the "don't be silly, we would never do such a thing" may be true for any incumbent government.

  11. Doctor Syntax Silver badge

    And the data.

    "First, I believe Google and Apple could usefully kick things off by making conditions under which they'll deprecate their schemes as part of their plans. That deprecation scheme should explain how, once coronavirus is behind us, the two firms will expunge contact-tracing from devices they power and ensure similar functions never make it into their app stores."

    It's not just the apps that need to be expunged, so does the data.

    In fact, there's a further aspect to consider about data. Once a patient is clear of the virus that needs to be taken into account as there's no point in warning people about contact with someone who's no longer a risk.

  12. Alan Brown Silver badge

    Glass broken ages ago

    This stuff has been around for at least a couple of decades - remember all the hallabaloo about it being used to trace drug dealer contacts?

  13. chivo243 Silver badge
    Coat

    First step to the bottom

    It was already taken many years ago, we hadn't gotten there fast enough, and this calamity accelerates the process, much to the delight of many on the other side.

    That old Nokia C1 must be in one of these pockets....

  14. Claptrap314 Silver badge
    Pint

    That's heavy dude...

    pass the joint.

    Seriously, if you think for one second that the "freedom-loving" nations are going to be able to claw any of this back without anything short of a all-hands-on-deck (or three whips) effort by a significant chunk of the populace, you're on something.

    And, as we've seen for the last decade, the populace does not care.

    Beer, for crying in.

  15. The Central Scrutinizer

    The Strayan' government is now openly talking about trying to get us to download the same type of app in a fortnight or so. Apparently at least 40% of us will have to do it for it to be effective. Yeah, good luck with that. IF there is ever a hint of this even remotely becoming mandatory, I'll unplug the smartphone and buy a $40 burner dumb phone. Good luck getting your spyware app on that.

    1. richdin

      Burners won't help

      What do you think will happen with a burner phone? You still have to connect to some network in order to talk. All they have to do is filter out the "known" phones (ID'ed) - showing just the burner phones... you make it easier to track and marked yourself as an object of interest.

  16. TheMeerkat Bronze badge

    Once it is in, it will never go away. This is how these things work, whatever promises are made.

  17. DrM

    Quotes

    "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves." --William Pitt, The Younger (1759-1806), British statesman.

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin

  18. Intractable Potsherd Silver badge

    There is only one way to stop this becoming a privacy nightmare and that is to not start it at all. Democracy demands that the wishes of the electorate are now sought regarding when avoiding deaths becomes too expensive (not just in terms of money, but the whole package).

  19. Steve_Procter

    Everyone has gone off down the wrong rabbit hole. The real issue is that bluetooth proximity is horrendously unreliable. A total waste of time for this purpose. Will be far too many false positives and false negatives.

  20. richdin

    /e/?

    I installed a piece of [governmentally created] tracking software on my phone, which tracks my location vis-a-vis potential infection vectors... as I am only going from home to supermarket and back (we are under lock down). When this is over, I intend to flash my phone with a new operating system (/e/) - don't even trust the removal of the program to suffice... one can never be too paranoid.

  21. Anonymous Coward
    Anonymous Coward

    Ah...."think of the pandemic"...once upon a time it was "think of the children"......

    .....how often do we have to suffer this STASI government crap? Once again, NO MENTION AT ALL of plans to dismantle the tracking when the panic is over!

    Quote: "What should we do?" Answers in no particular order:

    1. Buy a "pay-as-you-go" SIM and some minutes for your smartphone from a convenience store ....cash of course!

    2. After item #1, be sparing in the use of the phone.....maybe switch it off most of the time.

    Actually, a better question is "What should we NOT do?" Answers, in no particular order:

    3. Never use a registered mobile contract paid for with a credit card. (See also items #1 and #4)

    4. Don't use a smartphone....find a ten year old 2G "feature phone" and buy a "pay-as-you-go" SIM and some minutes from a convenience store....cash of course!

    5. Don't use a mobile at all.

  22. Anonymous Coward
    Anonymous Coward

    Garbage

    The problem illustrated here is that it is very difficult to ensure that you don't have a contact tracker on your phone. Even if you delete an app that had a use during the Covid-19 pandemic the fear is that somehow it will remain, or be built into some other app or OS function. My solution is to swamp it with garbage.

    What we need is an app that most of the time when your location tracking is not critical, turns off or isolates the phone's GPS location tracking and instead introduces false data. This could be random or deliberately misleading. For example, once the spooks realise that there probably aren't several thousand people visiting 10 Downing St, Buck House, or the NEC in Birmingham they may just give up. If each phone cycled through several dozen random locations in a short time the whole thing may well collapse.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021