To the guy asking if we'd using COVID-19 tracking apps...
-
Proposed government coronavirus tracking app falls at the first hurdle due to data breach | ZDNet[^] Just publish the source code with personal data from ANOTHER APP!? :wtf: "Amateurish" doesn't even begin to describe it... "A spokesperson for the Covid19 Alert app said the information was "accidentally put online" due to the haste in which the team wanted to make the source code available for analysis." If they have so much haste I'm sure this isn't the only "accident" that they put in the code. Again, I'm NOT going to use any COVID-19 app ever.
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
Sander Rossel wrote:
Again, I'm NOT going to use any COVID-19 app ever.
You are not alone.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Proposed government coronavirus tracking app falls at the first hurdle due to data breach | ZDNet[^] Just publish the source code with personal data from ANOTHER APP!? :wtf: "Amateurish" doesn't even begin to describe it... "A spokesperson for the Covid19 Alert app said the information was "accidentally put online" due to the haste in which the team wanted to make the source code available for analysis." If they have so much haste I'm sure this isn't the only "accident" that they put in the code. Again, I'm NOT going to use any COVID-19 app ever.
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
Proposed government coronavirus tracking app falls at the first hurdle due to data breach | ZDNet[^] Just publish the source code with personal data from ANOTHER APP!? :wtf: "Amateurish" doesn't even begin to describe it... "A spokesperson for the Covid19 Alert app said the information was "accidentally put online" due to the haste in which the team wanted to make the source code available for analysis." If they have so much haste I'm sure this isn't the only "accident" that they put in the code. Again, I'm NOT going to use any COVID-19 app ever.
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
So before we all jump on the "it's never going to work it's impossible not on my watch over my dead body" bandwagon, can we step back and be software developers? 1. There's a serious issue and we, as developers, can help. 2. There are serious privacy considerations. We, as developers, can help. So let's start with the lowest common denominator here ("We, as developers, can help") and workshop some ideas I think Google / Apple have discussed this one but I haven't had a chance to read up on it. It seems to be along the following lines: 1. You install an app and give it access to your bluetooth. The app generates a GUID as an ID and stores that on the device. And only on the device. 2. It constantly scans it's surroundings for other IDs via bluetooth that are being transmitted by the apps on other people's phones. It records all IDs that you're next to for more than 15 mins 3. When someone is diagnosed with COVID the health care worker requests their app ID. They don't ask for your name, your email, or anything. Just the ID you were broadcasting. 4. A central server sends out a push notification with that ID. If someone else's app has that ID in their "person I've been near for 15 mins" list they get the big red scary screen of self isolation. That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
cheers Chris Maunder
-
So before we all jump on the "it's never going to work it's impossible not on my watch over my dead body" bandwagon, can we step back and be software developers? 1. There's a serious issue and we, as developers, can help. 2. There are serious privacy considerations. We, as developers, can help. So let's start with the lowest common denominator here ("We, as developers, can help") and workshop some ideas I think Google / Apple have discussed this one but I haven't had a chance to read up on it. It seems to be along the following lines: 1. You install an app and give it access to your bluetooth. The app generates a GUID as an ID and stores that on the device. And only on the device. 2. It constantly scans it's surroundings for other IDs via bluetooth that are being transmitted by the apps on other people's phones. It records all IDs that you're next to for more than 15 mins 3. When someone is diagnosed with COVID the health care worker requests their app ID. They don't ask for your name, your email, or anything. Just the ID you were broadcasting. 4. A central server sends out a push notification with that ID. If someone else's app has that ID in their "person I've been near for 15 mins" list they get the big red scary screen of self isolation. That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
cheers Chris Maunder
I often have my bluetooth off. So do many people I know. So GPS tracking seems more reliable. Still, "the app" can do the tracking on your device alone.
#SupportHeForShe Government can give you nothing but what it takes from somebody else. A government big enough to give you everything you want is big enough to take everything you've got, including your freedom.-Ezra Taft Benson You must accept 1 of 2 basic premises: Either we are alone in the universe or we are not alone. Either way, the implications are staggering!-Wernher von Braun
-
So before we all jump on the "it's never going to work it's impossible not on my watch over my dead body" bandwagon, can we step back and be software developers? 1. There's a serious issue and we, as developers, can help. 2. There are serious privacy considerations. We, as developers, can help. So let's start with the lowest common denominator here ("We, as developers, can help") and workshop some ideas I think Google / Apple have discussed this one but I haven't had a chance to read up on it. It seems to be along the following lines: 1. You install an app and give it access to your bluetooth. The app generates a GUID as an ID and stores that on the device. And only on the device. 2. It constantly scans it's surroundings for other IDs via bluetooth that are being transmitted by the apps on other people's phones. It records all IDs that you're next to for more than 15 mins 3. When someone is diagnosed with COVID the health care worker requests their app ID. They don't ask for your name, your email, or anything. Just the ID you were broadcasting. 4. A central server sends out a push notification with that ID. If someone else's app has that ID in their "person I've been near for 15 mins" list they get the big red scary screen of self isolation. That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
cheers Chris Maunder
I really don't like babies, so your subject is poorly chosen on me :laugh: Seriously though, the idea sounds alright when done right. And it's that last part I worry about. We've seen it time and time again. And here it is again, an app that's not supposed to track users leaked personal data before it even went into production. So there's the hole, the incompetence of people. xkcd explains it quite well[^] :) I've laid out my (mostly) non-technical arguments about such apps in this Lounge post[^].
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
I didn't see this reply coming :D
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
I really don't like babies, so your subject is poorly chosen on me :laugh: Seriously though, the idea sounds alright when done right. And it's that last part I worry about. We've seen it time and time again. And here it is again, an app that's not supposed to track users leaked personal data before it even went into production. So there's the hole, the incompetence of people. xkcd explains it quite well[^] :) I've laid out my (mostly) non-technical arguments about such apps in this Lounge post[^].
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
a) That XKCD is so awesome. b) Yep. They can and do track us already. The only problem is, even though we've allowed them to do it because it's convenient to us, we're not going to let the data be used to open up our lives because we don't want to admit it openly. Deep down we all just want our cake and we want to eat it too.
cheers Chris Maunder
-
So before we all jump on the "it's never going to work it's impossible not on my watch over my dead body" bandwagon, can we step back and be software developers? 1. There's a serious issue and we, as developers, can help. 2. There are serious privacy considerations. We, as developers, can help. So let's start with the lowest common denominator here ("We, as developers, can help") and workshop some ideas I think Google / Apple have discussed this one but I haven't had a chance to read up on it. It seems to be along the following lines: 1. You install an app and give it access to your bluetooth. The app generates a GUID as an ID and stores that on the device. And only on the device. 2. It constantly scans it's surroundings for other IDs via bluetooth that are being transmitted by the apps on other people's phones. It records all IDs that you're next to for more than 15 mins 3. When someone is diagnosed with COVID the health care worker requests their app ID. They don't ask for your name, your email, or anything. Just the ID you were broadcasting. 4. A central server sends out a push notification with that ID. If someone else's app has that ID in their "person I've been near for 15 mins" list they get the big red scary screen of self isolation. That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
cheers Chris Maunder
- GPS is not precise enough, especially indoors. You must use something else. All you've got to "measure" with is the signal strength. Phones vary a lot in their transmitted energy, and you don't know which model the other person is using, so you can't tune it from the phone model. Antennas vary greatly as well, an they do not distribute the energy evenly over a sphere. Turn the transmitting, or the receiving, or both phones 90 degrees around each of the three axes - received signal strength may vary considerably. At chip level, many (most?) BT chips allow the transmission power to be adjusted. I don't know if this is available through Android, but if it is, it adds yet another factor in signal strength: Even if you knew the exact model held by the other person, you wouldn't know the raw transmission power. 2) Draw two lines, 6ft apart, and have two people walk towards each other immediately outside the lines. Put their mobile phone in the pocket towards the lines. Let us optimistically assume that both phones report a distance of 6 ft. Then repeat the same test, but now with the phones in the pocket facing away from the lines. Persons meet at exactly the same distance between them. Not only are the phones about 4 ft further apart (2 ft on each side), but also, the signals must go through 4 ft of human flesh, 2 ft on each side. Which distance will the apps report this time? Bottom line: Distance estimates based on BT signal strength is a joke. 3) You may have been infected up to two weeks ago, in the worst case. For those two weeks, you have been walking around spreading the virus. Even in the best case, within reasonable limits, will it take a couple of days from that other person infected you until he notices any symptoms, either get really sick, or he lines up for a test, which takes some time to analyze, and to get the message back to that other guy, so that he can warn others that he might have affected them. If you were infected, you would be spreading the virus for at least a couple of days. 4) The other guy, who infected you. must himself take the initiative to report to a central cite that he has become sick. Chances are that if if the illness comes very rapidly, chances are small that the first thing he will think of is fiddle around with his smartphone to report to a central site; he might forget it entirely. Furthermore, you must regularly interrogate the central site about all the people you have met, whether any of them have turned sick. So there is another delay, and
-
So before we all jump on the "it's never going to work it's impossible not on my watch over my dead body" bandwagon, can we step back and be software developers? 1. There's a serious issue and we, as developers, can help. 2. There are serious privacy considerations. We, as developers, can help. So let's start with the lowest common denominator here ("We, as developers, can help") and workshop some ideas I think Google / Apple have discussed this one but I haven't had a chance to read up on it. It seems to be along the following lines: 1. You install an app and give it access to your bluetooth. The app generates a GUID as an ID and stores that on the device. And only on the device. 2. It constantly scans it's surroundings for other IDs via bluetooth that are being transmitted by the apps on other people's phones. It records all IDs that you're next to for more than 15 mins 3. When someone is diagnosed with COVID the health care worker requests their app ID. They don't ask for your name, your email, or anything. Just the ID you were broadcasting. 4. A central server sends out a push notification with that ID. If someone else's app has that ID in their "person I've been near for 15 mins" list they get the big red scary screen of self isolation. That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
cheers Chris Maunder
I am not saying "over my dead body". I had an iPhone for many years and currently use a not rooted Android smart phone. I partially agree with you in your first paragraph. But in the second...
Chris Maunder wrote:
I think Google / Apple have discussed this one ... ... ... That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
Apart from "Google / Apple" and "The ID was never associated with you in any way." in such a little text? Seriously? Several years and many articles / reports confirm that is a bit of an oximoron.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
- GPS is not precise enough, especially indoors. You must use something else. All you've got to "measure" with is the signal strength. Phones vary a lot in their transmitted energy, and you don't know which model the other person is using, so you can't tune it from the phone model. Antennas vary greatly as well, an they do not distribute the energy evenly over a sphere. Turn the transmitting, or the receiving, or both phones 90 degrees around each of the three axes - received signal strength may vary considerably. At chip level, many (most?) BT chips allow the transmission power to be adjusted. I don't know if this is available through Android, but if it is, it adds yet another factor in signal strength: Even if you knew the exact model held by the other person, you wouldn't know the raw transmission power. 2) Draw two lines, 6ft apart, and have two people walk towards each other immediately outside the lines. Put their mobile phone in the pocket towards the lines. Let us optimistically assume that both phones report a distance of 6 ft. Then repeat the same test, but now with the phones in the pocket facing away from the lines. Persons meet at exactly the same distance between them. Not only are the phones about 4 ft further apart (2 ft on each side), but also, the signals must go through 4 ft of human flesh, 2 ft on each side. Which distance will the apps report this time? Bottom line: Distance estimates based on BT signal strength is a joke. 3) You may have been infected up to two weeks ago, in the worst case. For those two weeks, you have been walking around spreading the virus. Even in the best case, within reasonable limits, will it take a couple of days from that other person infected you until he notices any symptoms, either get really sick, or he lines up for a test, which takes some time to analyze, and to get the message back to that other guy, so that he can warn others that he might have affected them. If you were infected, you would be spreading the virus for at least a couple of days. 4) The other guy, who infected you. must himself take the initiative to report to a central cite that he has become sick. Chances are that if if the illness comes very rapidly, chances are small that the first thing he will think of is fiddle around with his smartphone to report to a central site; he might forget it entirely. Furthermore, you must regularly interrogate the central site about all the people you have met, whether any of them have turned sick. So there is another delay, and
Sounds like you're saying that if the solution doesn't work 100% (or even 80%) it's not worth it. I respectfully disagree. If there is an agreed goal to isolate infections as fast as possible then even incremental solutions are better than throwing up your hands. We're a clever bunch, with most cleverer than I. I reckon there's plenty of scope here to come up with something that works well enough and protects privacy.
cheers Chris Maunder
-
I am not saying "over my dead body". I had an iPhone for many years and currently use a not rooted Android smart phone. I partially agree with you in your first paragraph. But in the second...
Chris Maunder wrote:
I think Google / Apple have discussed this one ... ... ... That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
Apart from "Google / Apple" and "The ID was never associated with you in any way." in such a little text? Seriously? Several years and many articles / reports confirm that is a bit of an oximoron.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
Let me clarify: Google/Apple (I think) have discussed the "use bluetooth to detect proximity". I wasn't suggesting we use a Google/Apple app. I actually also said such an app is actually not even needed - they already track us really, really well. (sure, not indoors, and not to within 6 ft, but track us enough to know that I was standing inline outside the grocery store that had 2 positive cases in that same line) I think of this purely as a technical issue. The political, social, epidemiological issues merely complicate the process. Much like users. <shudder>
cheers Chris Maunder
-
Let me clarify: Google/Apple (I think) have discussed the "use bluetooth to detect proximity". I wasn't suggesting we use a Google/Apple app. I actually also said such an app is actually not even needed - they already track us really, really well. (sure, not indoors, and not to within 6 ft, but track us enough to know that I was standing inline outside the grocery store that had 2 positive cases in that same line) I think of this purely as a technical issue. The political, social, epidemiological issues merely complicate the process. Much like users. <shudder>
cheers Chris Maunder
Chris Maunder wrote:
Google/Apple (I think) have discussed the "use bluetooth to detect proximity". I wasn't suggesting we use a Google/Apple app.
Sorry if I miss-read something.
Chris Maunder wrote:
actually also said such an app is actually not even needed - they already track us really, really well. (sure, not indoors, and not to within 6 ft, but track us enough to know that I was standing inline outside the grocery store that had 2 positive cases in that same line)
exactly. Although I am not really that positive that even that would help that much. As Member79xxx said, it only might work (no certainty at all) if everyone is carrying a working smart phone. If not... I think it can do more harm than help. People starting to have symptoms that check the app and see "no potential contact registered" are going to think... "oh, ok, I haven't been exposed, so it is not CV" and this thinking is going to make them even more dangerous. I think it is like with autonomous driving, it will only work, once ALL the cars are autonomous. As long as there is a mix on the road, forget it, the number of accidents will ramp up like hell. For me the best protection we can use is just to switch our brains on, be careful without panicing and pay attention to what we do.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
Chris Maunder wrote:
Google/Apple (I think) have discussed the "use bluetooth to detect proximity". I wasn't suggesting we use a Google/Apple app.
Sorry if I miss-read something.
Chris Maunder wrote:
actually also said such an app is actually not even needed - they already track us really, really well. (sure, not indoors, and not to within 6 ft, but track us enough to know that I was standing inline outside the grocery store that had 2 positive cases in that same line)
exactly. Although I am not really that positive that even that would help that much. As Member79xxx said, it only might work (no certainty at all) if everyone is carrying a working smart phone. If not... I think it can do more harm than help. People starting to have symptoms that check the app and see "no potential contact registered" are going to think... "oh, ok, I haven't been exposed, so it is not CV" and this thinking is going to make them even more dangerous. I think it is like with autonomous driving, it will only work, once ALL the cars are autonomous. As long as there is a mix on the road, forget it, the number of accidents will ramp up like hell. For me the best protection we can use is just to switch our brains on, be careful without panicing and pay attention to what we do.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
Nelek wrote:
the best protection we can use is just to switch our brains on,
Whoa, whoa, WHOA. Now you're just talkin' crazy.
cheers Chris Maunder
-
So before we all jump on the "it's never going to work it's impossible not on my watch over my dead body" bandwagon, can we step back and be software developers? 1. There's a serious issue and we, as developers, can help. 2. There are serious privacy considerations. We, as developers, can help. So let's start with the lowest common denominator here ("We, as developers, can help") and workshop some ideas I think Google / Apple have discussed this one but I haven't had a chance to read up on it. It seems to be along the following lines: 1. You install an app and give it access to your bluetooth. The app generates a GUID as an ID and stores that on the device. And only on the device. 2. It constantly scans it's surroundings for other IDs via bluetooth that are being transmitted by the apps on other people's phones. It records all IDs that you're next to for more than 15 mins 3. When someone is diagnosed with COVID the health care worker requests their app ID. They don't ask for your name, your email, or anything. Just the ID you were broadcasting. 4. A central server sends out a push notification with that ID. If someone else's app has that ID in their "person I've been near for 15 mins" list they get the big red scary screen of self isolation. That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
cheers Chris Maunder
The problem isn't in your approach. The problem is that whatever solutions are created will include unnecessary features and data handling that lend themselves to misuse. Normally I'm an optimist, but the Wild West of mobile app development does not give me confidence.
Software Zen:
delete this; -
a) That XKCD is so awesome. b) Yep. They can and do track us already. The only problem is, even though we've allowed them to do it because it's convenient to us, we're not going to let the data be used to open up our lives because we don't want to admit it openly. Deep down we all just want our cake and we want to eat it too.
cheers Chris Maunder
A long time ago, in a business far, far away...
I worked for a company that made ballot-counting equipment and software during the MS-DOS and "hanging chad" era. The idea of applying blockchain to that domain is... :elephant:ing hilarious. Go ahead, kids. Daddy's going to sit back and watch the world burn.
Software Zen:
delete this; -
Proposed government coronavirus tracking app falls at the first hurdle due to data breach | ZDNet[^] Just publish the source code with personal data from ANOTHER APP!? :wtf: "Amateurish" doesn't even begin to describe it... "A spokesperson for the Covid19 Alert app said the information was "accidentally put online" due to the haste in which the team wanted to make the source code available for analysis." If they have so much haste I'm sure this isn't the only "accident" that they put in the code. Again, I'm NOT going to use any COVID-19 app ever.
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
The problem isn't in your approach. The problem is that whatever solutions are created will include unnecessary features and data handling that lend themselves to misuse. Normally I'm an optimist, but the Wild West of mobile app development does not give me confidence.
Software Zen:
delete this;Gary R. Wheeler wrote:
include unnecessary features
Sounds like you are saying someone could create a framework for this.
My plan is to live forever ... so far so good
-
Apparently the Australian tracking app doesn't track location, but they can't release the source code to prove it because "security reasons".
That's not how security works... :~
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
So before we all jump on the "it's never going to work it's impossible not on my watch over my dead body" bandwagon, can we step back and be software developers? 1. There's a serious issue and we, as developers, can help. 2. There are serious privacy considerations. We, as developers, can help. So let's start with the lowest common denominator here ("We, as developers, can help") and workshop some ideas I think Google / Apple have discussed this one but I haven't had a chance to read up on it. It seems to be along the following lines: 1. You install an app and give it access to your bluetooth. The app generates a GUID as an ID and stores that on the device. And only on the device. 2. It constantly scans it's surroundings for other IDs via bluetooth that are being transmitted by the apps on other people's phones. It records all IDs that you're next to for more than 15 mins 3. When someone is diagnosed with COVID the health care worker requests their app ID. They don't ask for your name, your email, or anything. Just the ID you were broadcasting. 4. A central server sends out a push notification with that ID. If someone else's app has that ID in their "person I've been near for 15 mins" list they get the big red scary screen of self isolation. That's it. Start to end. You can delete the app. You can wipe any trace of the ID from your phone. The ID was never associated with you in any way. There is NO GPS logging. Anyone see any holes in this?
cheers Chris Maunder
Should you be alerted if you came into contact with someone that came into contact with a confirmed case, i.e. 2nd-hand contact (or even 3rd-hand contact)? If so, then all your close-encounter data needs to be harvested, which removes the veil of security in the original proposal.
-
a) That XKCD is so awesome. b) Yep. They can and do track us already. The only problem is, even though we've allowed them to do it because it's convenient to us, we're not going to let the data be used to open up our lives because we don't want to admit it openly. Deep down we all just want our cake and we want to eat it too.
cheers Chris Maunder
Chris Maunder wrote:
The only problem is, even though we've allowed them to do it because it's convenient to us, we're not going to let the data be used to open up our lives because we don't want to admit it openly.
I think that's because the tracking products we use now (Apple, Microsoft, Google and Facebook mostly I guess) started out pretty innocent. The tracking aspect was added later or we only later found out it was tracking us. By that time, the technology became a part of our lives and routines and at that point it's hard to switch. There isn't even a decent alternative for some services, like Windows which I really need for my job (and which I'll always prefer over Apple, Linux is too technical for most users). Or a smartphone which I now can't do without and I only have two options, being tracked by Google or being tracked by Apple (and I choose Google every time). Now this new corona app is created for the sole purpose of tracking us and we aren't using it yet. I think that's just a step too far for most people.
Best, Sander sanderrossel.com Migrating Applications to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
