Today’s Big Story
Can Apple and Google Save the World?
Hello again everyone, I hope all of you are carrying on the best you can right now. Last week, I briefly touched on a new partnership forged between Apple and Google with the aim of creating a universal coronavirus contact tracing technology.
As we’ve seen over the past month, there’s no shortage of tech companies jockeying for the opportunity to have their technology become the next big thing to stymie the ravaging epidemic. By all accounts, the Apple Google partnership is the most significant and furthest reaching proposal to date. With that in mind, I wanted to dive deeper into just how the unlikely pairing’s contact tracing proposal would work and what the world has to say about it thus far.
So what is this thing?
Basically, Apple and Google are combining their near omnipresent duopoly over mobile phones to create an automated contact tracing system using the Bluetooth technology embedded in every device. While the system is running, your phone (if you opt in) would send out a periodic blast and log all of the other devices within its vicinity. This blast includes part of your phone’s unique identifier. All of those identifiers are logged and stored on each device. If someone gets sick and is diagnosed by a certified health practitioner to have COVID-19, that individual can then opt to submit their unique code to a “central authority” (the identity of which is not entirely clear, but in the US would probably be the CDC). That central authority would then use an app to ping every device that had come in close proximity with the affected individual over several weeks. Those pinged devices would receive a push notification advising them to self-isolate.
That’s the basics. If you want to read more on how it works, click here or here.
Importantly, the companies are not building the apps that would be a necessary supplement for this tracing to work. They said, however, that they are building out the underlying technology that could be used for that app.
As anyone reading this newsletter will know, contact tracing solutions like these are inundated with privacy questions. Gapple (maybe that moniker will catch on?) released some information on that end. Below you can find links where the companies lay out the technical specs of different elements of the system.
Contact Tracing - Bluetooth Specification
Contact Tracing - Cryptography Specification
Contact Tracing - Framework API
In a separate document, the company specifically boasted that its privacy-first methods would explicitly require user consent, would refrain from collecting “personally identifiable information or user location data,” and would “only be used for contact tracing by public health authorities for COVID-19.” They also released a few diagrams illustrating how the system would work in the real world.
So that’s what the companies have to say, but there are still two main questions that keep popping back up from privacy advocates and civil liberties groups. Just how anonymous is this information and how effective would it be?
On that first question, answers have been mixed.
Several weeks ago, before the official Apple Google partnership, Apple had hinted at the fact that they were coming up with some sort of contact tracing technology. That news was immediately met with some concern by American legislators. In a joint letter signed by California senator and former Democratic presidential candidate Kamala Harris, and New Jersey Democrat Bob Menendez, the senators asked Apple to disclose what level of involvement it would have with the federal government, and how they were planning on protecting personal user data.
Apple responded to the senators’ letter last week. Among other things, the response letter says that Apple’s tracking tool includes “strong privacy and security protections,” and that the company would not sell the data it collects. For the most part, these responses seemed to placate the senators. Senator Menendez summed up his feelings in a statement sent to The Verge.
“Apple’s response reflects a commitment to data privacy and the importance of taking proactive steps to protect it,” Menendez said. “I expect them to live up to this commitment and I will be there to hold them accountable if they fail.”
Much of the private sector responded similarly. Quickly after the news went live, some influential players in the tech world praised Apple and Google’s professed commitment to privacy. One of those was GitHub CEO Nat Friedman.
“Huge thanks to Apple and Google for building privacy-preserving contact tracing into iOS and Android,” Friedman tweeted. “Tech is emerging as a pillar of civilization and a critical reservoir of competence.”
And it’s not just Silicon Valley converts singing praises either. In a recent article in The Markup, Julia Angwin took a look at the system and found that it’s pretty much anonymous, and also benefits from being decentralized.
“Using some clever cryptography, the information that users’ phones transmit to other phones is not tied to their identity. Rather, the phone transmits what the companies are calling a “rolling proximity identifier” that changes every 15 minutes. Each phone stores a local database of all the rolling identifiers it has seen.”
Angwin went on.
“It’s mostly decentralized. Most of the activity—sending and storing identifiers—takes place on a user’s phone. Only one central server receives the diagnosis key and the associated day that it was uploaded. That server does not contain any user identity or precise location information.”
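The flow Angwin describes, sketched as an added example that is not code from Apple, Google or The Markup: phones broadcast identifiers that rotate every 15 minutes, log what they hear locally, and match on-device once a diagnosed user uploads a daily key. The derivation inside `rolling_id` (a truncated HMAC over an assumed label) and the `Phone` class are illustrative assumptions, not the published specification.

```python
import hashlib
import hmac
import os

INTERVAL_MINUTES = 15                            # rotation period quoted above
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES  # 96 identifiers per daily key


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast in one interval; unlinkable without the daily key."""
    # Assumed derivation for illustration: truncated HMAC-SHA256 over a label
    # and the interval number.
    msg = b"example-rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.daily_keys = {}   # day -> random key, stays on the device
        self.heard = set()     # (day, rolling identifier) seen over Bluetooth

    def broadcast(self, day, interval):
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, day, identifier):
        self.heard.add((day, identifier))

    def diagnosis_keys(self, days):
        """What a diagnosed user opts to upload: (day, key) pairs only."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def exposures(self, published):
        """Re-derive each published key's identifiers and match locally."""
        hits = []
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                if (day, rolling_id(key, interval)) in self.heard:
                    hits.append((day, interval))
        return hits


def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounters: Bob is near Alice for three intervals on day 0;
    # Carol only ever hears Bob.
    for interval in (40, 41, 42):
        bob.hear(0, alice.broadcast(0, interval))
    carol.hear(0, bob.broadcast(0, 50))
    server = alice.diagnosis_keys([0])  # Alice tests positive and opts in
    return bob.exposures(server), carol.exposures(server), server


if __name__ == "__main__":
    bob_hits, carol_hits, server = simulate()
    print("server holds:", [(d, k.hex()) for d, k in server])
    print("bob matched intervals:", bob_hits)
    print("carol matched intervals:", carol_hits)
```

In this model the server holds only a day number and a random key, but once that key is published, anyone who logged identifiers that day can tie all of its intervals to the same device.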
But that’s all on Apple and Google’s side. Remember, this system would have to work in tandem with some sort of tracing app, which would then need to work with the “public health authorities,” mentioned. One of the best potential solutions on the app side for protecting privacy is the Private Kit: Safe Paths app being developed by MIT, but that’s still in a beta stage.
While many experts seem to think the Apple Google solution is pretty secure, like anything, it isn’t foolproof.
Moxie Marlinspike, the founder of encrypted messaging service Signal, outlined some of these potential privacy pitfalls of the Apple Google solution in a Twitter thread. Specifically, Marlinspike pointed out issues with the “daily tracing keys,” that are regularly updated to maintain anonymity but are published once an individual tests positive.
Marlinspike went on to write that in order for the contact tracing to actually be effective, location data (which was what this whole endeavor is attempting to avoid) might have to be used somewhere down the line anyways.
Okay, so it’s probably fair to say that of the plethora of tracking solutions offered so far, the Apple/Google solution isn’t without potential problems, but it still seems better than many alternatives.
So that’s the privacy side of things. What about effectiveness? Well, that’s where things start looking less great.
For starters, it’s unclear just how many people (especially in the United States) would willingly agree to download an app and submit their COVID-19 test results. If the Apple Google contact tracing system were to work in tandem with an app, it would resemble in many ways the type of digital contact tracing system seen deployed in Singapore. In that case study, in a city-state with far more authoritarian control than the dispersed, federalist United States, only about 20% of the population actually downloaded the app. That’s not great. In the UK, where the National Health Service is preparing to roll out its own contact tracing app, health officials have said the system would essentially be useless unless at least 60% of the adult population signed up.
Then there’s the Bluetooth issue. Apple and Google opted to go the Bluetooth route over GPS specifically to address the privacy issues inherent in location data. But when compared to GPS location data on your phone, which is scarily precise and can detect people within inches of where they’re standing, Bluetooth is crude and comparatively low tech. If GPS is a Tesla, then Bluetooth is a horse and buggy.
That’s good for privacy but it creates problems when you’re trying to determine who counts as being in close proximity with an infected person. In my apartment, for example (which is the size of a petite armpit), it’s not unlikely that a Bluetooth proximity of 100 feet could include the neighbor on the other side of my wall as being within my proximity. Or, for that matter, the delivery guy outside my door. That can potentially lead to an untenable number of false positives, an issue former FTC CTO Ashkan Soltani wrote about at length in a Twitter thread.
As mentioned above, these types of contact tracing apps are only truly effective when a large proportion of the population chooses to adopt them. So, most places that have tried to do this have failed to hit the magic number, but Soltani raises a good point, which is that the closer a society manages to get to that number, the more incentive a government agency or task force may have to mandate the app’s use. That’s already happened in China, where over 100 million Chinese residents are using a government-mandated app that assigns them a color dictating where they can travel.
While admittedly unlikely, there’s also the possibility that, with enough effort, this Bluetooth data could be de-anonymized.
Then, on the other side of the spectrum from what this newsletter normally considers, there are those who say that while the Apple Google solution does indeed protect privacy pretty well, it does so at the expense of effectiveness. That point was most articulately laid out this week by Stewart Baker in Lawfare.
“To be blunt, I think the companies were so eager to avoid criticism from privacy groups and Silicon Valley libertarians that they produced a design that raises far too many barriers to effectively tracking infections,” Baker wrote.
“This default system is less essential, and a good thing too. The Google/Apple default tracking system is seriously flawed, mainly because it elevates privacy over effectiveness. Luckily, national health systems will be free to write better, more workable tracking apps that can still plug into Google and Apple operating systems without buying into the questionable choices those companies seem to favor.”
I know that’s all a ton of information, but when deciding as a collective what solutions we want to welcome in with open arms and which ones we shun, it’s worth considering just what you’re getting. This new contact tracing solution does the best so far at alleviating surveillance concerns, but it’s not perfect. On that end of the spectrum, nothing will ever be perfect.
But then, on the effectiveness side, it’s unclear whether or not such a mass collection would actually even work in the first place. That leaves you faced with a strange choice: welcome in a relatively secure piece of technology with a marginal chance of misuse for marginal to nonexistent help with limiting COVID-19 deaths, or don’t implement the technology at all. At the risk of sounding like a broken record, this tradeoff reminds me more and more of the concerns raised by some advocates that COVID-19 related surveillance tools will live on past the virus.
Take the Patriot Act and any number of other laws curtailing civil liberties following 9/11: those laws were created not so much to keep Americans safe, but instead to create the illusion that the government and civil society were doing things to make people safer. You can disagree with that take, but reams of research in recent years have shown the TSA’s massive ineptness, and recent reports found that the NSA’s surveillance apparatus failed to actually stop terrorists.
Instead, then, these measures were created to get people back in planes, out of the house, and feeling confident to engage in the global economy. With government officials all around the globe itching to lift lockdown restrictions and get their economies pumping, one can see the clear incentives for companies to produce technology that creates the illusion of safety.
In Other News…
***Andrew Yang says people should have a “counterweight” to massive tech giants.***
In a livestream on Wednesday with Axios, former Democratic presidential candidate Andrew Yang spoke about joblessness during the coronavirus pandemic and said that internet users should have more monetary control over their personal data.
The entrepreneur turned presidential upstart started the brief conversation by advocating for every American citizen to receive $2,000 per month in economic stimulus for the duration of the coronavirus pandemic. Yang went on to speak on solutions to let people have more control over the data that massive tech companies collect on them and sell, a key component of his group, Humanity Forward.
“Our data is getting sold and resold and repackaged without us really knowing what’s going on,” Yang said. “If there is value that is changing hands, we should be a part of that.” You can watch the full interview here.
Axios
***Vietnam’s new “fake news” law***
Vietnam has released a new law issuing fines for people found to have spread “fake news” regarding the coronavirus. According to Reuters, the Vietnamese government has already fined “hundreds of people,” the equivalent of $426 to $852. According to Reuters, that sum can amount to the equivalent of about three to six months of paid wages in the country. Here’s Reuters describing what counts as fake news:
“Penalties can now be imposed on anyone sharing publications that are banned from circulation in Vietnam, state secrets, or maps which fail to show Vietnam’s claims in the South China Sea, according to the decree.”
Misinformation has flourished during the global pandemic, both abroad and domestically in the United States. While it’s important to prevent the mass distribution of incorrect information detrimental to public health, the rollout of “fake news” laws far predates COVID-19. The topic, which I’ve previously reported on, rose in fashion among authoritarian governments following Donald Trump’s 2016 election. In Egypt, for example, dissidents found posting content critical of the el-Sisi regime face severe penalties. Laws like these, while wrapped in a veil of fake news, are really censorship by any other name.
Phuong Nguyen, James Pearson for Reuters
***UK prepares to launch corona tracking app***
In what may prove a pivotal moment in the future of location tracking, the UK is preparing to release its coronavirus contact tracing app. The app, which is being developed by the National Health Service’s digital transformation arm, with help from private companies — including Apple — would work similarly to the apps already rolled out in Singapore and South Korea.
According to the NHS, the app would only be deemed effective if at least 60% of the population downloads it. That’s a tough figure, considering the registration pitfalls facing similar apps in other countries. In Singapore, for example, the government-backed contact tracing app was only downloaded by about 20% of the populace.
Health Secretary Matt Hancock addressed the public about the app on Sunday.
“Today I wanted to outline the next step: a new NHS app for contact tracing. If you become unwell with the symptoms of coronavirus, you can securely tell this new NHS app and the app will then send an alert anonymously to other app users that you’ve been in significant contact with over the past few days, even before you had symptoms so that they know and can act accordingly.”
Hancock went on to try to allay some of the concerns espoused by privacy advocates worried about potential abuse of the location data collected.
“All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research, and we won’t hold it any longer than it’s needed. And as part of our commitment to transparency, we’ll be publishing the source code too.”
***“A selfie a day keeps the police away”***
A state in India has mandated the use of a quarantine app where residents are required to regularly submit selfies to prove they are complying with quarantine. The app, called Quarantine Watch, monitors the movements of residents in southern India’s Karnataka state via their GPS location and asks for hourly selfies.
In a tweet, Karnataka said, “A selfie an hour will keep the police away,” and said that those who violate the procedure would be sent to a “government-run mass quarantine center.”
***New Facebook privacy lawsuit***
Some of the past complaints lodged against Facebook claim the company would store cookies on users’ browsers when they visited non-Facebook sites containing similarly designed “like buttons.” The complaints say Facebook would then repackage that data into personalized profiles and sell them to advertisers.
The appeals court ruled that users could pursue claims made against Facebook under federal and state privacy and wiretapping laws, according to Reuters. Facebook, for its part, has denied the allegations and told Reuters the proposed lawsuits were “without merit.”
***Over 500,000 Zoom accounts sold on Hacker Forums***
According to Bleeping Computer, over 500,000 Zoom accounts have been compromised and are being sold on the dark web and hacker forums for “less than a penny each.”
Here’s Lawrence Abrams expanding on how hackers gained access to the credentials:
“These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.
Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.”
According to the report, the compromised account credentials include the victim’s email, password, personal meeting URL, and their host key. While that sounds like a staggering number of accounts, the report notes that some of the passwords acquired were older, expired versions. Nevertheless, the news is one more reason to consider alternatives if you, your family, or business is still using Zoom.
Lawrence Abrams, Bleeping Computer
Long Reads/ Food for Thought
Surveillance Capitalism and the Internet of Things
Jessica Bruder and Dale Maharidge for Literary Hub
An enlightening, eye-opening reminder for anyone who owns, or plans to own, a smart speaker. These devices were created with the intention of capturing your real-world conversations, dissecting terms or words you use, and turning that into real-world monetary value.
One example, provided in the piece, illustrates a sick woman asking her Alexa device a question between fits of coughing. The Alexa answers her question, but then, recognizing the cough, asks the woman if she would like to order a one hour delivery of cough drops. By simply saying yes, the woman’s account is charged and she presumably receives some cherry flavored Halls soon after.
While that example shows the ability of Alexa to detect a cough, the technology can also detect much more specific words and phrases. While Amazon may currently limit the data collection to advertising, there’s no technological reason why that couldn’t be altered to filter for other, say, political terms.
“Since smart speakers’ microphones are always turned on, privacy advocates worry about them becoming wiretaps for law enforcement. That sounds alarmist until you look back at 2006, when federal agents got permission to use a cellphone as a “roving bug.” What would prevent them from making a similar request involving an Amazon Echo or any other smart device with a microphone or sensors?”
The Problem With Google and Apple’s COVID-19-Tracking Plan
Stewart Baker for Lawfare
We need mass surveillance to fight covid-19—but it doesn’t have to be creepy
Genevieve Bell for MIT Technology Review
We can't cure COVID-19 by giving up our right to privacy
John Ackerly for Protocol
Former White House technology officer John Ackerly says privacy should be foundational in an approach to COVID-19.
Alright, that’s it. Have a great weekend and stay safe y’all.
Thoughts? I want to know what you think! This newsletter is a living, evolving, work and it is meant to be a helpful resource to keep you informed and engaged with the ways emerging technologies are impacting daily life. Please send all comments, questions, corrections, criticism, and hate (lemme have it) to thestateofsurveillance@gmail.com.
If you found this newsletter beneficial, you can help keep it going by sharing it online or (better yet) telling a friend about it. To help support the newsletter in more tangible ways you can make a donation of any amount to my Venmo account below. Any and all support is greatly appreciated.
Support this newsletter with a Venmo donation to @Mack-DeGeurin