There’s been a lot of discussion about the COVID-19 tracking application being developed by the Australian Government. I’m a very strong critic, because of general IT incompetence, and these things are hard, as well as the actual base implementation being reliant on the protocols of TraceTogether (the Singapore Government application).
The TraceTogether application has a centralised data store, which is then used, in conjunction with stored personal information, to contact the people who have been “near” an infected person. This has a whole bunch of significant privacy concerns, especially as there is absolutely no need to build the application in this manner. Not only is this an issue if the store is breached (you lose all your private information), but all those folks who have been near you can be identified. This is not good.
This might seem confusing to people, but you can actually build systems without needing to know the identity of people involved, and have the information not need to be securely stored, because it’s public information anyway.
How? Well, let me tell you.
First of all, I’m going to describe what the required conditions are for this to work, but they’re not onerous, and quite sensible.
- The application users are trying to help, and will respond to application alerts. This is no different to other applications, but if people download the application with no reason to use it effectively, then it’s exactly the same as them not downloading it in the first place. So, it’s not a negative, it doesn’t break anything, it’s just “people aren’t notified”
- There is somewhere all application users can contact for updates. There needs to be a way to announce some new information that applications can make sense of. This might be an alert, or it might be the applications can say “what’s new?”
Um, that’s it really.
Now, this next bit I’m going to use a metaphor, and it’s not completely true, but it gives the right kind of story about how this can work, and how it can work without you needing to give up any information ahead of time to anybody, unless you are either tested positive, or at risk. Sounds good? Ok, here we go.
Alice has downloaded the app COVID-SONG-STAR (CSS) to her phone. She starts the application, and then goes about her daily business. All the while, CSS is broadcasting songs to everybody within 1.5m and adding the songs to a daily playlist (DPL). These songs are chosen randomly from all the songs on SpotifyUniversePlus, so there’s a lot of songs, and at any given time nobody else in the world will be playing the same songs.
At the same time, Bob also has downloaded CSS and is rocking out with his songs. Same with Carol, Dave, Eve, Frank and Grace. CSS is a pretty cool app, and is able to hear what other songs are being sung within 1.5m. Every time you hear a song, you add it to your daily heard list (DHL).
The daily playlists (DPL) are held for 21 days (DP1 -> DP21) and daily heard lists (DHL1 -> DHL21) the same. These are held on the phones, and if any of our cast of characters decide to no longer participate, they can just delete everything. Nothing leaves the phone without their consent. No cloud, no internet, just your phone. There’s no private data anywhere, just the songs (DPL and DHL) you’ve played, and heard.
Now what? Well, Alice has got a bit of a sore throat, can’t smell anything and thinks oops, maybe I should be tested. So she rocks off to her trusted and caring medical professional and tests positive for COVID-19. Fuck. Poor Alice. (Don’t worry everybody, Alice turns out fine, this story has a very happy ending).
We need to find out who Alice has been near, and guess what, we have all the information we need. We just publish all the songs on Alice’s playlists (DP1 -> DP21). Anybody who’s heard these songs is at risk, but how will they know? Well, the CSS can get a daily update of all the Infected People Play Lists (IPPL), or a server can send alerts to the applications each time a new IPPL is published.
So, Alice publishes her DPL (with help from her medical professional, because we only want IPPL, not just any DPL) and Bob, Carol, Dave, Eve, Frank and Grace all look at the songs, and see if any of them are in DHL1 to DHL21. If they are, then that means they were close enough to Alice to be at risk of contracting COVID-19, so they need to go to their medical professional and say “I heard this song, and I hear the person playing it got sick, so I think you need to stick a probe uncomfortably up my nose, and then go and hide in my house for 14 days”.
What do we notice? At no point do I ever need to store private information about our cast of characters. Alice, Bob et al are all anonymous, in control of their own data up until the point where they are at risk. There is no way to “forward trace” by a centralised system, because while Alice has played all these songs, there’s no way to know if anybody, or everybody heard them because it’s all stored locally on the phones. Only Eve knows the songs Eve has heard.
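The song-and-playlist protocol above, as an added Python simulation that is not from the post or from any real app: the Phone class, the day numbering, and the four-person scenario are my own constructions, and a 128-bit random token stands in for a “song”. It shows the three properties the story relies on: only the infected person’s own playlists are published, matching happens entirely on each phone, and anything older than 21 days has already been dropped.

```python
import secrets

RETENTION_DAYS = 21  # DPL and DHL are kept for 21 days, as in the post


class Phone:
    """One CSS install: DPL and DHL stay here; only a DPL is ever published."""

    def __init__(self, name):
        self.name = name
        self.playlist = {}  # day -> set of songs this phone broadcast (DPL)
        self.heard = {}     # day -> set of songs this phone heard (DHL)

    def broadcast(self, day):
        # Fresh 128-bit random "song": two phones picking the same is negligible.
        song = secrets.token_hex(16)
        self.playlist.setdefault(day, set()).add(song)
        self.prune(day)
        return song

    def hear(self, day, song):
        self.heard.setdefault(day, set()).add(song)

    def prune(self, today):
        # Drop days outside the retention window (DP1..DP21, DHL1..DHL21).
        for store in (self.playlist, self.heard):
            for d in [d for d in store if today - d >= RETENTION_DAYS]:
                del store[d]

    def publish(self):
        # Done with the medical professional; heard lists are NOT included.
        return set().union(*self.playlist.values())

    def at_risk(self, ippl):
        # Entirely local: which of my heard days contain a published song?
        return sorted(d for d, songs in self.heard.items() if songs & ippl)


def encounter(day, a, b):
    """Two phones within 1.5 m: each broadcasts a song and the other hears it."""
    b.hear(day, a.broadcast(day))
    a.hear(day, b.broadcast(day))


def simulate():
    alice, bob, carol, eve = (Phone(n) for n in ("Alice", "Bob", "Carol", "Eve"))
    encounter(3, alice, carol)   # too long ago: pruned before Alice publishes
    encounter(30, alice, bob)    # Bob met Alice within the window
    encounter(30, bob, eve)      # Eve only ever met Bob
    ippl = alice.publish()       # Alice tests positive on day 30
    return {p.name: p.at_risk(ippl) for p in (bob, carol, eve)}
```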
What I’ve described is a story in which the participants cooperate, and the CSS has been built with this system in mind. It’s very easy to imagine a scenario where the CSS is built in such a way that it uploads everything, including all your phone data, but that’s why many people are strongly advocating that the app is independently reviewed (and the protocols and design of the system) so we can be sure that it’s operating as expected.
At this point, based on the track record of our government’s competence, and the privacy and security implications of the information the government wants to collect, I cannot recommend downloading and installing the COVID-19 app being developed.
Thanks for reading.