Apple and Google tweak key bits of contact-tracing privacy plan

Apple and Google have revealed a little more about their plans to support COVID-19 contact-tracing apps and changed up some of their security plans. In an updated FAQ document released late last Friday, the companies explain their plans to employ a "privacy-preserving identifier - basically, a string of random numbers that …

  1. katrinab Silver badge
    Unhappy

    Chances of an Android update appearing on any actual phones any time soon?

    1. Doctor Syntax Silver badge

      It's likely to put pressure on vendors to make this update available PDQ. As the update is an OS update then presumably any other pending OS update will be included.

      1. Anonymous Coward

        No it's not an OS update. It's included in Google Play services which are distributed directly from Google. No vendor support necessary.

        1. Anonymous Coward

          "It's included in Google Play services which are distributed directly from Google. "

          And you can bet suddenly nothing works if you haven't installed this latest piece of spyware.

          Basically one more data collecting service for Google. *Major* collecting service: Health data, wifi-data, bluetooth data and all paired with id and GPS-coordinates. A goldmine, literally. Not even GDPR can stop that spying as it's "health monitoring" now.

          Application showing the data could as well query it directly from Google as it *will be there*. With IMEI or advertiser-id.

        2. Doctor Syntax Silver badge

          "No it's not an OS update"

          From the FAQ linked in TFA: "In the second phase, available in the coming months, this capability will be introduced at the operating system level". Sounds like an OS update to me.

  2. Pascal Monett Silver badge

    "apps using the API will check health authorities databases"

    So Google is going to have its hand up the health databases' skirt. There's a lot of reassuring noises in the communication, a lot of making it seem like user privacy is paramount, but Google made a mistake in communicating that they will approve apps that correspond to their criteria of privacy.

    There's a lot of wiggle room there.

    But we'll see how it goes down. I didn't have a problem with the centralized approach, but at least now we know the direction apps should take.

    Looking forward to reading about the API functions, and if there are any hidden ones.

    1. Doctor Syntax Silver badge

      Re: "apps using the API will check health authorities databases"

      It does seem that these sorts of proposals are getting closer attention* than the traditional anti-social media and advertising networks have done in the past, let alone existing "think of the children" telecoms surveillance. Maybe some of this attention will start to spill over into other areas.

      * Maybe one factor is that this is being proposed at national and, indeed, global scale so it's a lot harder to hide than one at a time individual primary care trust data slurping contracts.

    2. Anonymous Coward

      Re: "apps using the API will check health authorities databases"

      "There's a lot of reassuring noises in the communication, a lot of making it seem like user privacy is paramount, but Google made a mistake in communicating that they will approve apps that correspond to their criteria of privacy."

      That's pure show from Google. All the actual data collection is *part of Android* itself. Even more spying on top of old spying.

      Applications then get an API which they can use to ask Google what it has been collecting. No more than UI for a service which runs as well without UI. And collects everything directly to Google servers, of course. You don't even *need* an application to make a query to Google search engine, a browser could do that as well.

      At that point application level privacy is totally meaningless smoke screen, "IDs" and IMEI associated with it is already stored to Google. And mapped to advertiser-id. Totally trivial when OS does it all. And it will.

      Google of course knows this, that's why its pure show.

  3. Spanners Silver badge
    Black Helicopters

    My biggest concern

    While anything like this sort of app carries potential risks, the risks from governmental abuse are far lower than the possibility that Apple, or even Google, might misuse it or pass it onto some other organisation.

    The problem is that US "medical insurance" looks to be one of the most profitable scams in history and it desperately wants to spread to the developed world. Any help could help them make Billions!

    1. Anonymous Coward

      Re: My biggest concern

      "...the possibility that Apple, or even Google, might misuse it or pass it onto some other organisation."

      Possibility? Google is literally living by selling everything it collects. *Everything* they or *any* Android is collecting, for any reason, is for sale with Google. 0 privacy and Google boasts it: "Privacy is dead" by CEO. Literally. Them assholes.

      Apple isn't so obvious, harder to tell.

      But for Google it's a goldmine for many reasons:

      1) 'this and this person *has* Covid-19' (Anonymity is a joke within Android: There isn't any, by design) This knowledge alone is worth billions.

      2) collect all the Bluetooth-IDs paired with GPS locations.

      3) collect all the Wifi-IDs, paired with GPS locations.

      And the best part? It's now totally legal!

      A buttload of *more data to sell*, from billions of people! No wonder Google wants it immediately, preferably yesterday.

      Of course any three letter organization in USA has full access to everything Google collects, as usual. "How to leak, not only your health data, also everyone around you, health data to anyone who wants to know and has money to buy it (and NSA)".

      I already see any health insurance claim rejected due to the 'pre-existing condition', i.e. Covid-19.

      And the best part? Android does it all under the hood, user has no control whatsoever on anything. Except removing the battery. Absolute power to spy users, by Google.

  4. Tubz

    Funny how an app like this can be squeezed in to the OS, yet we can't squeeze out the useless bloatware, designed to make Apple, Google and manufacturers a quick buck !

  5. Doctor Syntax Silver badge

    All such schemes are dependent on widespread testing just to get started. HMG's testing target is 100k per day by the end of this month. It seems from current progress that the number actually delivered is a fraction of the claimed capacity and I expect that if the claimed capacity is 100k they'll declare the target met even if reality continues to fall well short.

    However, let's assume the delivered tests actually meet that target. The current policy is that frontline staff and their households are entitled to a test. The number of households is estimated at above 10 million. I wonder if anyone has worked out that even if only the staff let alone other household members are to be tested this is going to take well above 3 months. To test the existing households within a reasonable period of time the target is about an order of magnitude short. If lockdown is eased the number of qualifying households is going to increase so the testing capacity is going to have to increase further.

    Now let's assume that this scheme is under way. It depends on the testing regime picking up a large proportion of existing and new infections. Without this there is inadequate data to start the system and most positive contacts will be missed. This means that the existing UK testing capacity is unlikely to be able to bootstrap the system in any useful manner.

    Let's further assume that the system is up and running on an adequate footing. What happens when the positive contacts start to flood in? We must assume that a proportion, probably a majority of reports will be false positives. How should those receiving a warning react? Are they to assume the worst and go into self-isolation? What's the economic and personal impact of such unnecessary periods of self-isolation? The reports are going to have to be followed up with tests to avoid this and the testing system will have to be able to cope with this as well or TPTB will need to be prepared to switch testing strategy from frontline household members to putative contacts.

    It seems likely that such a system is going to depend on a testing system adequate to bootstrap it effectively and, unless the infection rate is low enough when it's introduced, a testing system adequate to not be overwhelmed by testing those with positive contact reports. It's certainly not going to be a means of easing the load on testing, nor on getting infection rates down from current levels.

  6. Anonymous Coward

    They must be joking, right?

    "The new shifting identifier will make it more difficult for those tracking Bluetooth signals to associate the keys with specific users."

    Ehheh, really??

    Android is generating those keys internally and at the same time sending them to mothership. *Every* key will be paired with IMEI already at the phone. And sent to Google, of course. Just like every personal detail the phone has.

    And, as it's a Google service doing it all under the hood, there's literally nothing you can do to stop that: It's part of Android and you *need* to have Android running. The "secure app" they boast everywhere? It's basically a UI for a service OS is running: Nothing more: Service will run regardless of the app and app security is irrelevant as it's only an UI. Spying to Google happens without app as well.

    And, as it's a Google service, Doze *is not* stopping it: it runs all the time, collecting not only location(GPS), but everyone nearby via Bluetooth *and* all the Wifis. So Google finally gets "legal reason" to collect every Wifi it can find with gps-coordinates. Spying which gave it bad rap when they did it with Google Maps cars. Suddenly it's OK "because covid-19".

    Literal data mining goldmine, gifted to Google/Apple by idiots who have no idea how it actually works.

    Also yet another data slurping privacy destroying "feature" baked into OS. Same thing with Apple, of course. I can already bet it won't be an update you can skip: It's pushed with force and you aren't asked.

    Google is obviously using Microsoft as guidance how to abuse your users to the hilt. F**k them.

  7. Anonymous Coward

    "Privacy is dead" - Google CEO

    " that leaves data on the device until users call in sick"

    No such thing as "data on the device". At least not in Android: Google has access to *everything* and will use that access every 0.5 seconds. And there's no way you can stop it. You can't stop or prevent OS (i.e. Google) access to any data in the phone.

    You might have *a copy of data* locally but *everything* is sent to Google. Literally.

    Who is the idiot who believes "application" can hide something from *OS*? Are they morons? Or do they believe that Google doesn't abuse data worth of billions?

    If they do, they *are* morons.

    "The companies also clarified that data will never reach a public health authority - or Apple and Google - until a person tests positive for COVID-19 and opts in."

    Yea, sure. Android exists solely for spying users and this is blatant bullshit. *Any* data OS collects will be sent immediately to Google. Who's the moron who actually believes this?

    Apple the same, of course but less resale, as far as I know.

    1. Anonymous Coward

      Re: Dumb, dumb, DUMB.

      "Apple the same, of course but less resale, as far as I know."

      You know nothing. You're assuming, but you know nothing. Thanks for your opinion.

  8. mark l 2 Silver badge

    According to a story on the BBC today the NHS have rejected the Google & Apple approach to go with their own centralised server based app.

    https://www.bbc.co.uk/news/technology-52441428

    Which knowing how well government IT projects usually go should be ready for rolling out around 2025.

    1. DavCrav Silver badge

      "Which knowing how well government IT projects usually go should be ready for rolling out around 2025."

      Lots of government IT projects do really badly, but some are actually quite effective. The online car tax form is very quick and efficient, as is the passport application form. The EU settled status app actually worked very well considering what it was doing and the number of applications it received. (These are just the ones I have experience with.)

      I don't know in which camp this one will fall. I hope for everyone's sake it's one of the successes.

      1. Anonymous Coward

        NHS Digital make Google look like privacy champions.

  9. earl grey Silver badge
    Devil

    so what happens

    If you have wifi and bluetooth turned off all the time... or does this turn them on and run your battery down no matter what?

    phone not just turned off but powered off?

    oh, you don't have a "modern" snoop phone... here's one - carry it everywhere. lolololol

    1. Intractable Potsherd Silver badge

      Re: so what happens

      It looks like my SailfishOS Jolla is going to become my main phone.

      1. Michael Wojcik Silver badge

        Re: so what happens

        Hmm. Might be time to pick up an unlocked Xperia XA2 off eBay and slap Sailfish on it.

        I have an old Nokia that runs Symbian 6 which I'd switch to For The Duration, but the battery life is abysmal - like a couple of hours - and I don't know if I can get a new battery for it.
