-
• #14252
Example of one of the Chinese cities hoping to make the app permanent over there
https://www.theguardian.com/world/2020/may/26/chinese-city-plans-to-turn-coronavirus-app-into-permanent-health-tracker
Regular track and trace the old fashioned way is supposed to be pretty effective. The app is just the cherry on the cake. However, I don't have to use public transport at the moment, so am not coming in to close contact with lots of random people.
For the conspiratorially minded and those skeptical of Government intentions:
https://bylinetimes.com/2020/05/14/whitehall-analytica-the-ai-superstate-part-1-the-corporate-money-behind-health-surveillance/
-
• #14253
Here's what the National Cyber Security Centre say about the app: https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app
I'm not trying to convince anyone to use anything. But it's worth knowing what it's actually doing (or, if you're more conspiratorial in nature, what they claim it's doing).
And yeah, NHS data has massive potential for a lot of private businesses - and it's already happened/been happening (see the controversy around DeepMind's deal with the NHS).
-
• #14254
This scares me, no openness, part of contract redacted. No public scrutiny.
-
• #14255
Here's what the National Cyber Security Centre say about the app: https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app
I'm not trying to convince anyone to use anything. But it's worth knowing what it's actually doing (or, if you're more conspiratorial in nature, what they claim it's doing).
And yeah, NHS data has massive potential for a lot of private businesses - and it's already happened/been happening (see the controversy around DeepMind's deal with the NHS).
That's Ian Levy, I've interacted with him professionally and he's a clever chap, but (with regards to my subject area) he a) believed he knew what he was talking about and b) didn't.
The Register's analysis of that article and the app is interesting: https://www.theregister.com/2020/05/14/nhs_contact_tracing_app/
-
• #14256
I don't know anything about Ian Levy, but I think the point on centralized vs decentralized models is well made in the NCSC post. If I was in a position where I had to choose which to use, I'd prefer centralized. It also makes it clear that there is no geo-location data being tracked, and users are anonymous (as we would generally understand the word to mean).
The Register article raises important issues around bugs. But it's also three weeks old and talking about a beta version of an app. Its point on anonymity is a technical one. The headline is misleading, IMO (although given the audience of The Register, this may be forgiven). Most people who read that will assume the app, and therefore the government, is actually able to identify users despite what they claim. That's not the issue though. It questions whether having anonymized identifiers linked to phones actually fulfills GDPR requirements for the technical/legal use of the word anonymous.
Anonymity has a very precise definition under the prevailing legislation, including the European General Data Protection Regulations, and it’s unclear whether the current implementation meets that standard. This is due to the app’s practice of pinpointing phones with specific identifiers.
Recital 30 of Europe's GDPR states that: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols." It provides a few examples, including IP addresses, cookie identifiers, and RFID tags. The concern is that these identifiers — which are linked to actual people in a one-to-one relationship — can be used to create profiles of the individuals they belong to.
I'm not sure it's possible to get around this issue while achieving the goals of a centralized model.
-
• #14257
Comes down to trust, I do not trust this government to have my data. They use "guided by the science" as a shield behind which they do what they consider politically expedient (release the lockdown) or politically existential (keep Cummings in place to run the country despite clear breaches of the regulations he shaped).
Yes the centralised model makes sense from the perspective of a centralised scientific response - but we don't have that, we have a centralised political response that uses soundbites from Scientists when it suits them.
-
• #14258
All valid gripes.
-
• #14259
The NI health advisor said he doesn't think apps are all that effective.
They aren't really promoting it here, yet?
-
• #14260
I might be missing something but there don't seem to be any actual changes to the code in the Android version for more than a month and yet the Android app in the Play Store was updated yesterday.
-
• #14261
This popped up a while ago - that they were releasing versions that weren't the same as the one in Git - assume the fear was that the open sourcing of it was in name only.
https://github.com/nhsx/COVID-19-app-Android-BETA/issues/49
I didn't really follow it up - it looks like there have been pushes recently so maybe it's no longer a valid gripe. Personally I simply don't trust them to either produce something ethically, to not use the data improperly or (even if done properly) to act on it effectively and impartially.
-
• #14262
I was just working through the issues to see if @jellybaby's point was noted - nice one. This is the "official" response:
Hello all - and thank you for your patience.
The app is still being actively developed in our private GitHub repos.
We're learning from all your comments, along with the security issues
raised through HackerOne.
At the moment, all of our effort is going into building, refining, and
testing the app. The development team is focused solely on that.
Preparing the app for an open source release takes time. We have to
make sure that all secrets and keys have been redacted, that all
developers' personal details have been removed, that the git history
doesn't contain anything untoward, that we haven't accidentally done
something to compromise security, that the licence files are correct
etc.
Additionally, it's difficult to code in the open on a high-profile
project like this. We want to give our developers the space to work
safely and effectively.
My job is to make sure that the source code gets released alongside
the public binary - and that it is released under a FOSS licence. I'm
working as hard as I can to achieve that goal.
Thank you all for holding us to account over this.
To be fair, that's how I work on github. But mostly because I don't want people to see my shit code until I absolutely have to share it. And I'm not developing a pandemic track-and-trace app.
-
• #14263
Aha, further down in that issue:
Hello all - and thank you for your patience.
The app is still being actively developed in our private GitHub repos.
We're learning from all your comments, along with the security issues
raised through HackerOne.
At the moment, all of our effort is going into building, refining, and
testing the app. The development team is focused solely on that.
Preparing the app for an open source release takes time. We have to
make sure that all secrets and keys have been redacted, that all
developers' personal details have been removed, that the git history
doesn't contain anything untoward, that we haven't accidentally done
something to compromise security, that the licence files are correct
etc.
Additionally, it's difficult to code in the open on a high-profile
project like this. We want to give our developers the space to work
safely and effectively.
My job is to make sure that the source code gets released alongside
the public binary - and that it is released under a FOSS licence. I'm
working as hard as I can to achieve that goal.
Thank you all for holding us to account over this.
That's not what I'd call Open Source, and it means that if having the code in the open is a factor in whether you would install the app or not, I think you should treat it as closed source. But I'm perhaps just a paranoid nutter on the Internet.
-
• #14264
I'm not so worried the code is insecure, the data storage issues are my main issue.
Of course trying to explain the issues to people takes ages, followed by "it'll be fine" so all Covid Cummings has to do is a "you are a bad person endangering others if you don't install it" campaign.
Though that's intelligent and after his recent castle visit fuckup...what is he really at? Aside from jobs for his mates?
-
• #14265
Data storage is going to be with whatever partner Cummings wants, but it's definitely going to include Palantir, Peter Thiel's company. For that reason alone I won't be going near it.
-
• #14266
A couple of recent examples of mistrust:
Brings in quarantine, then discusses (attempts to) with airlines
Changes hospital face mask policy, then discusses with hospital
Brings in App then...
-
• #14267
Our lockdown wasn't shit. SA had an alcohol ban, which they've just relaxed. My mate in Jo'burg just sent me a video of a queue of hundreds of people singing outside the liquor store at 8am, in advance of a 9am opening. Heartwarming.
-
• #14268
Palantir is also NSA funded.
So no thank you. I know, a bit 3 for 2 tinfoil hat time, however some of the Cambridge Analytica tactics are also old NSA propaganda.
-
• #14269
No app here. Even if/when I go back to the office I always cycle. If I need to be contact traced it will almost certainly be from someone I know, not a random.
-
• #14270
I don't think it's a paranoid worry. I understand what the guy is saying about protecting his devs, and Occam's razor suggests that it's likely the true explanation.
However, in my mind his/her explanation should just mean that stuff isn't pushed publicly - not that the app is released anyway without a public code review available.
I've never done open source dev though - I could easily be wrong about how it's done. This isn't a game changer for me in any case as I never would have installed it, but it's a point of interest.
-
• #14271
Honestly the quality of the code in the app isn't the main concern, it's how they treat the data, who they give it to and how they store it that's my worry. These kinds of databases have a habit of being held insecurely and/or hacked, not to mention just directly giving it to unknown companies.
-
• #14272
Data will be fine. I watched that Baroness Dido in the select committee, very reassuring, she had all the stats at her fingertips and what with her excellent record in this area there can’t be anything worth worrying about.
-
• #14273
Ditto Rupert Soames.
-
• #14274
The Death Secretary apparently not keen on answering crazy leftfield hypotheticals such as 'what are you actually going to do to lock down a local area?'
https://twitter.com/DanielHewittITV/status/1269604159004737536
-
• #14275
It’s a weirdly specific, unanswerable question though, isn’t it?
It depends on:
- size/proximity of outbreak
- likelihood of transmission
- vulnerability of individuals
- who ‘you’ are (critical or non critical role)
- where you are on the timeline of tests being returned
- a bunch of other shit
I think the journalist thinks ‘lockdowns’ will be of regions. That’s less likely than closing of (for example) a hospital or an office or business.
- size/proximity of outbreak
No need. They're already doing that at cellphone network level.