by jstarfish 2243 days ago
> I don't think there is any social stigma to catching the coronavirus.

"In Mexico, Colombia, India, the Philippines, Australia and other countries, people terrified by the highly infectious virus are lashing out at medical professionals — kicking them off buses, evicting them from apartments, even dousing them with water mixed with chlorine."

https://www.washingtonpost.com/world/the_americas/coronaviru...

...and these are cases where the victims don't even have the virus.

Disease has always carried stigma. We tend to lash out at things we don't understand. History has seen everything from leper colonies to menstruating women herded into tents.

You or I may be able to rationalize it and say "well, shit, the test was positive-- time to self-isolate" but plenty of plebes will use it as cause to incite a witch hunt, especially if a loved one dies from it and transmission is attributable to you.

1 comments

OK, that's a fair point, but it would take someone uneducated that believes in the stigma to also be a tech wiz to collect and correlate the data. Presumably the app won't tell you when and where the contact happened (and if so, no implementation of contact tracing is anonymous since the app won't know that you were in a busy bus full of strangers or in a small office with a single colleague).

> it would take someone uneducated that believes in the stigma to also be a tech wiz to collect and correlate the data

Not quite. It takes a wiz to collect and correlate the data, yes. What happens to that data after that? For it to be useful, it's going to get stored somewhere. All it takes is an uneducated clerk or bored intern with access to go snooping around the de-anonymized data to compromise anybody implicated.

And this does happen routinely.

* Facebook, Uber and Google have all had problems with plebes (and tech wizzes!) with god-tier access doing inappropriate things with sensitive data.

* Bored data entry clerks with access to the credit reporting database routinely snoop on neighbors', exes' and celebrities' credit reports in spite of federal law.

* Revenge porn is such a thing that rule 34(a) ought to be that if you produce nudes, your confidant or Geek Squad/iRepair technician will post them on the internet.

* Look at how often people get doxxed by employees leaking customer PII onto reddit and 4chan, then look at how fast the mob descends on people innocent of any actual wrongdoing.

* We've seen a secretary get her hands on the Pepsi formula and try to sell it to Coca-Cola.

* The people living in the geographic center of America continue to receive death threats and harassment because of a flaw in outdated MaxMind databases that attributes ungeolocatable IPs to their location.

* There are people who refuse to participate in the census because of what certain cults of personality have done with such data.

Any chain of confidentiality is only as strong as its weakest link. You presume far too much intelligence and rationality on the part of humanity. Never forget that half of Americans wanted a belligerent narcissist to be "leader of the free world," and he still has supporters despite publicly recommending anti-parasitics and Lysol douches as solutions for a global viral pandemic.

Sensitive data is not created and left to decay in an underground bunker in Yuma. Despite its practical uses, at some level it will be exposed to individuals who lack discretion and will be exploited to malevolent ends.

Not once in human history has it worked out any other way!

The deanonymized data doesn't exist except on your own device.

It's a bit more complicated than that. What's being suggested here is that it would be possible for a bad actor to observe all Bluetooth activity over a large area. They could then use a diagnosis key to reconstruct someone's path through this monitored area, and then deanonymize that person by combining their path with other data sources. Later, an uneducated and hostile individual might somehow gain access to this deanonymized data and abuse it.

Couldn't they do that for anyone with bluetooth on, whether or not they're using the app? I get that knowing they have Coronavirus might make them a bigger target, though

Sort of.

If you enable the framework but never test positive (and thus never publish any of your keys), it's no different than if you had just kept Bluetooth on all the time.

If you enable the framework, later test positive, and choose to publish your diagnosis keys, each key can be used to link all your rolling identifiers together for the corresponding time period (nominally 24 hours). Contrast this with a randomizing Bluetooth implementation, which never intentionally reveals anything that would allow the different MAC addresses to be linked.

Of course, Bluetooth MAC address randomization itself is trivial to defeat for a reasonably capable and motivated adversary. If they can plant a bunch of radios for the purpose of tracking you, why can't they also use cameras?

That would work if there's just 1 person who is crossing the path, and you're able to physically identify them. If it's a crowd of people, you won't know who was what device unless their device is immediately next to the evil antenna. This isn't very realistic in practice, and is very unlikely to become commonplace world-wide. However, the virus IS already world-wide, and is a giant threat to many.
> If it's a crowd of people, you won't know who was what device unless their device is immediately next to the evil antenna.

Actually that's not true for the situation I described.

The bad actor would be able to connect any of your broadcast identifiers they observed back to each other via the diagnosis key that you published. Assuming they have a number of nodes monitoring Bluetooth traffic over a broad area that you passed through, they will be able to reconstruct the path you traveled over time.

For a naive implementation, the resolution of this reconstruction would depend on the spacing of the nodes. For a more advanced implementation, other data could be integrated to drastically improve it. Remember, your Bluetooth device is a broadcasting radio at the end of the day.

As to the likelihood of such things becoming commonplace worldwide, do bear in mind that many devices now periodically randomize their Bluetooth MAC addresses due to real world examples of tracking. Thankfully in this case it would only be possible to compromise the privacy of those who tested positive, and only within a single 24 hour period (i.e. the daily tracing key rotation time frame) at that.
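
Added example, not part of any comment in this thread: a sketch of the linkability property discussed in the comments above, where a published diagnosis key ties together the rolling identifiers derived from it while an unpublished key leaves its identifiers unlinkable. The derivation (truncated HMAC-SHA256 over an interval number), the 144 intervals per day, and all function names, keys and receiver labels are assumptions constructed for illustration, not the framework's specification.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # assumption: one identifier per 10-minute interval


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast in one interval (assumed: truncated HMAC-SHA256)."""
    msg = b"RPI" + interval.to_bytes(1, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def ids_for_day(daily_key: bytes) -> dict:
    """Every identifier a key produces in its 24-hour period, mapped to its interval."""
    return {rolling_id(daily_key, i): i for i in range(INTERVALS_PER_DAY)}


def match_sightings(published_key: bytes, sightings: list) -> list:
    """Sightings derivable from a published key, ordered by interval.

    This is the same computation a phone performs for exposure matching;
    it is also what makes one day's identifiers linkable after publication.
    """
    table = ids_for_day(published_key)
    return sorted((table[rid], where) for rid, where in sightings if rid in table)


def demo():
    key_a = bytes(range(16))        # constructed key, later published
    key_b = bytes(range(16, 32))    # constructed key, never published
    sightings = [                   # constructed observations
        (rolling_id(key_a, 50), "receiver A"),
        (rolling_id(key_b, 50), "receiver A"),
        (rolling_id(key_a, 51), "receiver B"),
        (rolling_id(key_b, 52), "receiver C"),
        (rolling_id(key_a, 53), "receiver C"),
    ]
    # Before any key is published, all five identifiers look unrelated.
    distinct = len({rid for rid, _ in sightings})
    # After key_a is published, its three sightings group together;
    # key_b's identifiers stay unlinkable.
    return distinct, match_sightings(key_a, sightings)


if __name__ == "__main__":
    print(demo())
```

The exposure is bounded by the key's lifetime: a key covers one 24-hour period, so identifiers from other days need their own published keys to be linked.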

People who are educated tech wizards can also have the same stigma. There are many factors at play in places that have more diversity and existing problems between communities (like race, religion, class, etc.). Hopefully, like you said, the app won’t tell you when and where the contact happened. But we still need to make sure that we have as much privacy protection as possible while making this useful.