[dignick]

>A big part of the contact tracing protocol (which was originally the DP3T protocol) is implemented by Apple-Google in a part of the system called GAEN. This part has no available source code although the law requires disclosure of the source code of all components of the system.

By the same logic, this would seem to require all of iOS and Android to be open source. Where does the "App" end and the underlying OS and libraries begin in this requirement?

[niea_11]

They argue that GAEN is part of the Play Services on Android. And that the app was designed to work at first with DP3T protocol which (I'm not sure) requires only access to bluetooth on the device. But DP3T was replaced with GAEN.

(This just my understanding from the web page and wikipedia, I'm not familiar with all of this :) )

To justify such exclusion, SwissCovid promoters argue that GAEN is part of the operating system of the phone, or sometimes part of the Bluetooth communication interface of the phone, and that it is not common to require to disclose the source code of such parts. We deny that GAEN is any such part of the phone, at least on Android phones. GAEN is part of the Google Play Services which are independent of the operating system and of the communication interfaces. We could actually run a pre-standard version of SwissCovid on an Android phone which had no Google Play Services. However, this phone had the Android operating system and could use Bluetooth. Furthermore, most of the former DP3T protocol which was implemented in this pre-standard version disappeared in the current version of the app since an equivalent protocol is now in GAEN. We conclude that there is no founded technical justification for excluding GAEN from the components of the system.

[rob74]

Purely speculating, but the reason for GAEN being part of Play Services is probably that otherwise it would require an OS update to be installed, which means ~80% of the Android phones being used "out in the wild" would be incompatible (Ok, maybe a bit less in Switzerland). And (even more speculative), the reason for using GAEN instead of DP3T may be battery usage? So you could build a theoretically pure open source implementation, but then nobody would use it because it drains their battery twice as fast as normal...

[niea_11]

You are correct about battery usage. The analysis they published[1] mentions this (in the 2nd paragraph of the introduction) :

"One difficulty of using Bluetooth in phones is that the operating system does not allow apps running in the background to use the Bluetooth advertising system. Hence, to do so,either the app must stay in the foreground, which drains the battery a lot, or the operating system must be changed. Apple and Google allied to provide a standard Bluetooth API which would not drain the battery. Hence, automated contact tracing apps must either be complian twith this API or make the user upset about heavy battery usage."

Singapore's TraceTogether app doesn't use GAEN api and does have this issue [2].

France's StopCovid app uses a different protocol called ROBERT[3], and they asked Apple to allow their app to run in the background[4]. So they also have battery issues.

[1]: https://lasec.epfl.ch/people/vaudenay/swisscovid-ana.pdf

[2]: https://en.wikipedia.org/wiki/TraceTogether#Description

[3]: https://github.com/ROBERT-proximity-tracing/documents

[4]: https://en.wikipedia.org/wiki/Exposure_Notification#Non-adop...

[pdehaye2]

The part that has been open sourced is essentially UI. Some of the most consequential parts are in the Bluetooth metadata, and how this leads eventually to an average attenuation over a certain time period.

This has epidemiological consequences, as acknowledged by one of the leaders of the DP-3T team to the BBC: https://www.bbc.com/news/technology-52995881

Apple (and Google?) retain higher quality signals than what they make available to the apps.

It introduces new security issues, because Apple and Google have had to make choices that degrade the qualities of the protocol. See Sections 3.5 and 3.6 in the report. The Swiss Cyber Security Centre expressed negative sentiments towards the fact that Apple and Google didn't implement some of the recommended protocol improvements: https://www.melani.admin.ch/dam/melani/de/dokumente/2020/Rep...

Finally, this Bluetooth layer becomes a covert channel for transmitting information between phones. There is a lot that we can't tell from this outside.