by est31 2254 days ago
Note that years ago, Moxie has studied a similar problem of how to let users know if their contacts use Signal or not without uploading the whole address books like e.g. WhatsApp does [0]. It's similar because in both instances you want to "match" users in some fashion using a centralized service while keeping their privacy.

He ruled out downloads of megabytes of data (something that the Google/Apple proposal would imply) and couldn't find a good solution beyond trusting Intel's SGX technology, arguably not really a good solution but better than not adopting it at all [1].

You have kind of a computation/download/privacy tradeoff here. You can increase the time interval of the daily keys to weeks. Gives you less stuff to download but the devices have to do more hashes to verify whether they have been in contact with other devices. You can increase the 10 minutes to an hour. That means less privacy and more trackability, but also less computation needed.

My guess to why Google/Apple didn't introduce rough location (like US state or county) into the system was to prevent journalists from jumping onto that detail and sensationalizing it into something it isn't (Google/Apple grabbing your data). Both companies operate the most popular maps apps on the planet as well as OS level location services that phone home constantly so they are already in possession of that data.

[0]: https://signal.org/blog/contact-discovery/

[1]: https://signal.org/blog/private-contact-discovery/
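The trade-off described in the post above, as an added example that is not code from the thread or from the Google/Apple protocol: a small model of how the key period, the identifier rotation interval and the number of infected users drive download size and verification work. The constants (16-byte keys, a 14-day reporting window, HMAC-SHA256 as a stand-in for the real identifier derivation) and all function names are my assumptions for illustration.

```python
"""Toy model of the computation/download/privacy trade-off in a
key-publishing contact-tracing scheme (added example, not the real spec).

Assumptions (constructed for this example):
  * a published key is 16 bytes and covers one key period;
  * a positive user publishes the keys covering a 14-day window;
  * each key expands into one identifier per rotation interval, derived
    here with HMAC-SHA256 truncated to 16 bytes (the real protocol uses a
    different KDF; the cost model is what matters here);
  * a phone stores the identifiers it heard and, for every published key,
    re-derives that key's identifiers and looks them up.
"""
import hashlib
import hmac

KEY_BYTES = 16
WINDOW_MINUTES = 14 * 24 * 60  # 14-day reporting window


def keys_per_user(key_period_minutes: int) -> int:
    """Keys needed to cover the window when it starts on a key boundary.
    A window that starts mid-period needs one more key than this."""
    return -(-WINDOW_MINUTES // key_period_minutes)  # ceiling division


def intervals_per_key(key_period_minutes: int, rotation_minutes: int) -> int:
    """Identifiers one key expands into, i.e. hashes a verifier does per key."""
    return key_period_minutes // rotation_minutes


def workload(infected_users: int, key_period_minutes: int,
             rotation_minutes: int) -> tuple[int, int]:
    """Return (bytes every phone downloads, identifiers every phone derives)
    for one batch of published keys covering the window."""
    keys = infected_users * keys_per_user(key_period_minutes)
    download_bytes = keys * KEY_BYTES
    derived_ids = keys * intervals_per_key(key_period_minutes, rotation_minutes)
    return download_bytes, derived_ids


def derive_ids(key: bytes, first_interval: int, count: int) -> list[bytes]:
    """Expand a key into its rolling identifiers for `count` consecutive
    intervals (toy derivation: HMAC-SHA256 over the interval number)."""
    return [
        hmac.new(key, i.to_bytes(4, "little"), hashlib.sha256).digest()[:KEY_BYTES]
        for i in range(first_interval, first_interval + count)
    ]


def find_exposures(observed: set[bytes],
                   published: list[tuple[bytes, int]],
                   intervals: int) -> tuple[int, int]:
    """Match locally observed identifiers against published keys.
    Returns (matches, hashes computed); the hash count is the verifier's
    per-key cost that grows when the rotation interval shrinks."""
    matches = hashes = 0
    for key, first_interval in published:
        for rid in derive_ids(key, first_interval, intervals):
            hashes += 1
            if rid in observed:
                matches += 1
    return matches, hashes


if __name__ == "__main__":
    # Constructed figures: 1.2 million published users, three parameter choices.
    for period, rotation in ((1440, 10), (10080, 10), (1440, 60)):
        size, ids = workload(1_200_000, period, rotation)
        print(f"key period {period:>5} min, rotation {rotation:>2} min: "
              f"{size / 1e6:7.1f} MB download, {ids / 1e6:8.1f} M identifiers")

    # Constructed contact: one infected key, two of its identifiers were heard.
    infected_key = bytes(range(16))
    heard = derive_ids(infected_key, 1000, 144)
    observed = {heard[5], heard[77], hashlib.sha256(b"stranger").digest()[:16]}
    print(find_exposures(observed, [(infected_key, 1000)], 144))  # (2, 144)
```

Under this model the download shrinks with a longer key period, while the total number of identifiers a phone must derive is fixed by window length divided by rotation interval, so only a coarser rotation (the privacy cost) cuts the hashing; the extra partial-period keys a misaligned window requires add to both.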


Increasing the lifetime for what are currently "daily keys" reduces the precision of the contact reporting - e.g. your example of a week means that a positive user would need to report at least 3 weeks of keys, so someone can now do correlation over 3 weeks instead of X days.

There's no inclusion of location data as that has no value - the only thing that this protocol cares about is whether you were in the vicinity of someone who has tested positive for COVID-19, and so suggests you get tested. Knowing where you are/were has no value for that purpose.

I think he was trying to say you could reduce the computation by narrowing the space-time radius, then searching for matches. Even a state-level restriction would be enough to substantially narrow down the possible matches without sacrificing anonymity.

You don't need full SGX if you trust the provider.

People already trust providers with their medical data. Why not trust some computation service to do the matching? This is a moment for trustworthy institutions to create data centers and get customers by their reputation.

Combine a big market of trustworthy providers and SGX, and abuse becomes much more difficult.

To answer your question: the handling of medical data is governed by HIPAA. Everything else (outside banking data) in the US (outside of California) is pretty much fair game.
> My guess to why Google/Apple didn't introduce rough location (like US state or county) into the system was to prevent journalists from jumping onto that detail and sensationalizing it into something it isn't (Google/Apple grabbing your data). Both companies operate the most popular maps apps on the planet as well as OS level location services that phone home constantly so they are already in possession of that data.

Apple is not in possession of the location of your phone. Their mapping system is designed to keep all queries to the servers anonymous using random rotated identifiers, even going so far as to keep the server from being able to see the full route from start to end (IIRC it's broken up into at least two chunks that are requested separately, though I don't know the details).

Do you mean this?

> To protect user privacy, this data is associated with an identifier that rotates at the conclusion of a trip, not with the user’s Apple ID or any other account information. Rotating the ID at the conclusion of the trip makes it harder for Apple to piece together a history of any user’s activity over time.

https://www.apple.com/privacy/docs/Location_Services_White_P...

I think it's a nice gesture, however I wouldn't say that Apple isn't in possession of that data. The phone already uses other Apple services that are linked to your Apple ID and those services tell your IP address to Apple. Even if Apple can't track you via the rotating ID (not sure how it's made, maybe they actually can't), your IP address will reveal you, at least as long as you are using ipv6 which Apple has been heavily pushing in the past years.

They might not have the data refined, but even the whitepaper says it only makes piecing together the location history harder, not impossible.

What you quoted is specifically about traffic collection. I don't know where to find a definitive source on this now, but Apple used to have a marketing page that said

> When you use Apple Maps, your route from A to B is fragmented into scrambled sections on Apple servers because nobody else should know your entire route. Not even us. In fact, we don’t even know who requests a route.

My recollection was that the device itself sends multiple requests in chunks to get the route, but I don't know if this is accurate or if it's just fragmented on the server prior to any data retention.

In any case, the point is that Apple very intentionally discards data that can be used to track you, and anonymizes what they do retain. While yes, it's very likely that Apple could figure out where you are if your device is set to use Apple services and they wanted this info, they've set up their services to make it as difficult as possible for them to figure this out.

The proposed system requires download of 16 bytes per infected user per day. Unless this really gets out of hand that’s not in the megabytes range.

Yes, this is where OP lost me.

> Published keys are 16 bytes, one for each day. If moderate numbers of smartphone users are infected in any given week, that's 100s of MBs for all phones to DL.

"Moderate" rate of infections is not millions of new cases per week worldwide. That would be such a catastrophe that contact tracing would be useless.

Currently there are 1.2 million active infections. Doesn’t this mean every smartphone in the world would need to download 17 MB per day?

If more cases were tested in India, Africa or South America, a tenfold increase wouldn’t be unthinkable.

No, my understanding is you only would download two weeks worth of keys when a new infection is reported. There is an assumption in any method of contact tracing that once people test positive that they are isolating themselves. If they don't, there is no reason to do the tracing since the virus will simply spread exponentially.

The downloads are mediated by country specific apps. You don’t need numbers from the whole world.