COVID Tracing Apps: What Europe Has Done Right, And Wrong

Europe has been in COVID-containment mode for the last month, in contrast to the prior three months of serious lockdown. Kids went back to school, in shifts, and people went on vacation to countries with similarly low infection rates. Legoland and the zoo opened back up, capped at 1/3 capacity. Hardware stores and post offices are running “normally” once you’ve accommodated mandatory masks and 1.5 meter separations while standing in line as “normal”. To make up for the fact that half of the tables have to be left empty, most restaurants have sprawled out onto their terraces. It’s not really normal, but it’s also no longer horrible.

But even a country that’s doing very well like Germany, where I live, has a few hundred to a thousand new cases per day. If these are left to spread unchecked as before, the possibility of a second wave is very real, hence the mask-and-distance routine. The various European COVID-tracing apps were rolled out with this backdrop of a looming pandemic that’s tenuously under control. While nobody expects the apps to replace public distancing, they also stand to help if they can catch new and asymptomatic cases before they get passed on.

When Google and Apple introduced their frameworks for tracing apps, I took a technical look at them. My conclusion was that the infrastructure was sound, but that the implementation details would be where all of the dragons lay in wait. Not surprisingly, I was right!

Here’s an update on what’s happened in the first month of Europe’s experience with COVID-tracing apps. The good news is that the apps seem to be well written and based on the aforementioned solid foundation. Many, many people have installed at least one of the apps, and despite some quite serious growing pains, they seem to be mostly functioning as they should. The bad news is that, due to its privacy-preserving nature, nobody knows how many people have received warnings, or what effect, if any, the app is having on the infection rate. You certainly can’t see an “app effect” in the new daily cases rate. After a month of hard coding work and extreme public goodwill, it may be that cellphone apps just aren’t the panacea some had hoped.

Europe is a Patchwork

The first thing you need to know about Europe’s COVID apps is that there’s a ton of them, and they’re all different. Just as our neighbors to the south make phenomenal pizza, those to the west fantastic baguettes and cheese, and those to the east delicious Pilsner, the nationally endorsed tracing apps differ in more than language.

There are three frameworks in play, but two of them are essentially the same. The Google/Apple “Exposure Notification System” (ENS) was inspired by the original drafts of the European “Decentralized Privacy-Preserving Proximity Tracing” (DP-3T) framework, and both use date-time-ID hashes broadcast over Bluetooth LE to allow individual phones to determine if they’ve come into contact with infected individuals. We covered the ENS extensively before. Since the hashes change frequently and since your secret ID is never communicated outside your phone, these two provide very strong privacy guarantees. And since the DP-3T and ENS frameworks are essentially the same, it should eventually be feasible for apps using both systems to converge; ENS basically incorporates the concepts of DP-3T into OS-level API calls in both Android and iOS. So while Europe is split about 50/50 between DP-3T and ENS, it’s fundamentally all the same thing.

“Croissants” by Jo@net, CC BY 2.0

The odd country out is France, which is using a centralized version of the same Bluetooth LE beacons approach. The ROBERT system used in their StopCovid app collects both your random ID and the date-time-ID hashes that your phone has heard, compares them in a central databank, and then informs you if there is a match. ROBERT is essentially a spinoff of the forerunner to DP-3T, the “Pan-European Privacy-Preserving Proximity Tracing” framework (PEPP-PT).

The “privacy” in PEPP-PT is due to the fact that the ID numbers are generated randomly per-phone as with the decentralized solution, so they are pseudonymous. On the other hand, if the central server could somehow correlate numbers with people, then they would have a tremendously detailed log of who has been near whom, when. The potential de-anonymizing of the data led most of the universities participating in PEPP-PT development to leave for DP-3T, and also resulted in possibly the most passive-aggressive whitepaper title of all time: “Proximity Tracing Applications: The misleading debate about centralised versus decentralised approaches” from the French camp.
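To make the difference between the two designs concrete, here is an added sketch (not code from any of the apps or frameworks discussed) that runs the same three-person scenario through a decentralized matcher and through a centralized one as this article describes it. HMAC-SHA256 stands in for the real key schedules, and the class, function names, interval count and seeds are all assumptions made for the illustration.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # assumption for this sketch: a new broadcast ID every 10 minutes


def prf(key: bytes, label: bytes, n: int) -> bytes:
    """Keyed one-way function (HMAC-SHA256 truncated to 16 bytes).
    Stand-in only: the real frameworks define their own key schedules."""
    return hmac.new(key, label + n.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str, seed: bytes):
        self.name = name
        self._seed = seed   # secret ID; in the decentralized design it never leaves the phone
        self.heard = set()  # (day, rolling_id) pairs received over Bluetooth LE

    def daily_key(self, day: int) -> bytes:
        return prf(self._seed, b"day", day)

    def broadcast(self, day: int, interval: int) -> bytes:
        """The frequently changing ID that other phones actually see."""
        return prf(self.daily_key(day), b"rid", interval)

    def diagnosis_keys(self, days):
        """What a user who tested positive uploads: their own daily keys, nothing else."""
        return [(d, self.daily_key(d)) for d in days]

    def exposed_days(self, published):
        """Decentralized matching: re-derive IDs from published keys, compare on-device."""
        hits = set()
        for day, key in published:
            for i in range(INTERVALS_PER_DAY):
                if (day, prf(key, b"rid", i)) in self.heard:
                    hits.add(day)
                    break
        return hits


def meet(a: Phone, b: Phone, day: int, interval: int) -> None:
    """Two phones in range record each other's current broadcast ID."""
    a.heard.add((day, b.broadcast(day, interval)))
    b.heard.add((day, a.broadcast(day, interval)))


def central_contact_graph(phones, days):
    """Centralized model: the server can map every broadcast ID to its owner
    and receives each phone's heard list, so it can link any two users."""
    owner = {}
    for p in phones:
        for d in days:
            for i in range(INTERVALS_PER_DAY):
                owner[(d, p.broadcast(d, i))] = p.name
    edges = set()
    for p in phones:
        for entry in p.heard:
            edges.add(frozenset((p.name, owner[entry])))
    return edges


def demo():
    # Constructed scenario: Alice meets Bob on day 2, Bob meets Carol on day 3,
    # and Alice later tests positive.
    alice, bob, carol = (
        Phone(n, b"constructed-seed-" + n.encode()) for n in ("alice", "bob", "carol")
    )
    meet(alice, bob, day=2, interval=57)
    meet(bob, carol, day=3, interval=12)
    published = alice.diagnosis_keys(days=[1, 2, 3])
    return {
        "published": published,  # all the decentralized server ever stores
        "bob_exposed": bob.exposed_days(published),
        "carol_exposed": carol.exposed_days(published),
        "central_graph": central_contact_graph([alice, bob, carol], days=[1, 2, 3]),
    }


if __name__ == "__main__":
    result = demo()
    print("decentralized server stores", len(result["published"]), "daily keys")
    print("bob exposed on days:", sorted(result["bob_exposed"]))
    print("carol exposed on days:", sorted(result["carol_exposed"]))
    print("centralized server can reconstruct:",
          sorted(sorted(e) for e in result["central_graph"]))
```

In the decentralized run the server holds only Alice's three daily keys; in the centralized run it can also reconstruct the Bob and Carol contact, although neither of them is sick.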

You don’t have to fear the government to not want your data stored centrally, either. The Korean app’s encryption was just broken, and since it reports not only your COVID status but your location and purchase history back to the central server, this is a huge privacy breach. (The password with which everything was encrypted? “1234567890123456”. At least it’s long.) There don’t seem to be any similar howlers in the French code, but the database of everyone’s activities and contacts is going to be a juicy target for bad hackers.

But even leaving France aside, the apps that use the same framework don’t work together yet. Even though the apps use similar frameworks, a government agency needs to broadcast the authoritative list of contagious hashes daily for your phone to compare against. Should the German app pull data from the Italians and from the Spanish? The consensus seems to be that it should, and there is work afoot to make it possible before long. But for now, Europe’s COVID apps remain a patchwork delineated by national borders, even though travel restrictions within Europe have been partially lifted.

And still a few countries have no system up and running yet. Spain is notable here, although it’s in progress.

Europe is Open

One of the most reassuring sights in the European COVID app development process has been how thoroughly the development was debated in the public sphere. Here in Germany, the switch from the only-pseudonymous PEPP-PT to the DP-3T was widely reported on in the press, and probably due in no small part to efforts by the Chaos Computer Club and other public-interest groups with security expertise, and of course those in parliament who listened to them.

And because transparency was seen as crucial to app uptake, almost all of the nationally sponsored apps are open source. In the case of Germany, the app was developed behind closed doors by SAP and Deutsche Telekom, firms hardly known for their open-source credentials. But a few weeks before the release, they put it all up on GitHub: server, apps, verification portal, and extensive docs. As of today, of 356 issues raised, 293 are closed and all appear to be getting triaged quickly and taken seriously. How often do you hear a grumpy security programmer say of a codebase that it’s “astoundingly clean and contains, on first look, no obvious backdoors or security holes.”? High praise! (Translated by robots here.) No code is ever 100% secure, but the open security process seems to be working.

While I’ve followed Germany’s progress most closely, code is out for many other countries. Here’s Ireland’s, Italy’s, Austria’s, France’s, Poland’s, and The Netherlands’. Notably absent are Denmark and Finland, with proprietary apps, although they are based on the ENS and DP-3T frameworks, respectively. Feel free to update us all on any other country’s programs in the comments!

If you don’t believe that open, auditable code matters, see the South Korean debacle above. A hard-coded password in everyone’s app wouldn’t stand up for one day, much less a few months, in an open environment. This is not to say that there aren’t deep bugs in any of the open codebases — they’re huge and complex after all — but low-hanging fruit like 1234567890123456 would have been caught immediately.

Now the Bad News

One of the most important factors for any COVID app to be useful is that it’s in widespread use. For example, if only 5% of the population installs the application, you have a hard maximum chance of 5% that an actual exposure will be correctly reported to you, given that you have the app installed. While the positive effects of early tracing increase as the install base grows, British scientists estimate that you’d need ~60% coverage to wipe the disease out, and uptake varies wildly from country to country.

I couldn’t find up-to-date statistics for all countries, but I’d bet that Germany has the largest install base, with over 16 million downloads. But with a population of 83 million, that’s only 19% of the population. According to Angela Merkel’s chief of staff (who is totally not biased), Germany has the “best” app, and yet when asked in a survey only 42% say they would install the app.

Ireland boasts 1.3 million users, or 27% of their 4.9 million inhabitants, probably taking the prize for highest install rate. France’s app was only downloaded 2.3 million times in the first few weeks, in a country of 65 million. That’s 3.5%. Ouch.

You might need this. (“charging-battery” by Wolfgang Lonien, CC BY-SA 2.0)

And that’s assuming that everyone has the app on and running all the time. Germany’s app, which is supposed to run on the Android OS facilities provided by the ENS, ended up with gaps in service as it was backgrounded on Samsung and Xiaomi phones (translated) for most of the first month, undetected. The operating systems’ power saving modes were overly enthusiastic. It runs on “prioritized background” mode now, but taking the two largest phone manufacturers out of your dataset for a few weeks isn’t going to help. The French app, which can’t use the ENS and has to run in the foreground, is reported to eat batteries like they were Nutella crepes. How many people will keep battery hogs running?

It’s not all Android, either. There was a problem with users upgrading to iOS 13.6 that prevented the app from running at all. I don’t know if that’s been fixed yet. Anyone?

Other glitches in the German system have been more policy than software. If you test positive for COVID, your doctor informs you by mail, and then you have to validate a secret code by phone with a special hotline in order to enter the system as contagious. This can cause a two-day delay in getting into the system, during which time people won’t know that they’ve had contact with someone infectious. Since speed in tracing back contacts is the name of the game, this is a shame. And that’s assuming you register at all — there’s some preliminary evidence from the Robert Koch Institute that between four and six percent of people who’ve tested positive end up registering that on the app. (Translated.)

It could be worse. While no longer technically part of the EU, England has still failed to come out with a COVID app. After months of supporting a central-server model, and serious issues getting their app to run on iOS devices, the NHS decided to switch up to the decentralized ENS after all, which is probably a good thing for privacy and uptake but results in further delays. Meanwhile Scotland and Northern Ireland, ostensibly part of the UK, have taken matters into their own hands.

On top of all this, people still debate whether Bluetooth LE range is a good proxy for close, virus-communicating proximity in the first place. The various apps require multiple exposures to trigger a warning, so the “bus passing by” scenario isn’t such a concern, but people living in an apartment below someone who has tested positive will doubtless get false positives.

A Big Experiment? A Dress Rehearsal?

What are the take-home lessons of the last month of European COVID-tracing apps? On the positive side, inviting public involvement in the requirements process and providing open and auditable code can go a long way to encourage app adoption. Comparing France, Germany, and Ireland, it looks like users also care about their privacy enough to make a significant difference in uptake as well, even when it’s as subtle as the difference between anonymity and pseudonymity.

Still, it’s hard to see any effect of the COVID apps yet. Whether this is because of the technical glitches, too low an install base, or a failure to self-report as contagious, the systems have not made a real dent in the daily case numbers. Maybe there will be some effect visible later on, or maybe not. Only time will tell, sadly. The apps could even make things worse; we can also imagine a world where people relax their behavior based on false confidence of low exposure simply because nobody is using the app around them.

It’s a little bit disheartening that there isn’t a simple technological solution to preventing the spread of a highly contagious disease that lies dormant for a week or so, even when it’s confronted with clever cryptographic frameworks and open-source development. Masks, distance, and early testing and notification really seem to be the path forward: science and medicine instead of cellphones and software.

That said, the nice thing about many of the European apps is that they are open, respect your privacy, and do at least stand a non-zero chance of helping contain the spread of the disease. You don’t have anything to lose by using them, and the development process will hopefully serve as a model for the future. And given the ample supply of anti-patterns, that’s a success in itself.

63 thoughts on “COVID Tracing Apps: What Europe Has Done Right, And Wrong”

  1. “Meanwhile Scotland and Northern Ireland, ostensibly part of the UK, have taken matters into their own hands.”

    Major public services affected by the pandemic, in particular public health services and education, are the responsibility of the devolved administrations in Northern Ireland, Scotland and Wales. In the case of Scotland and Northern Ireland, policing and justice matters are also devolved.

  2. I’d be curious what level of risk these apps add for the general public, although that’s hard to measure.

    Humans are uh, not bright. I’m sure I know at least a handful of people that would hear “this fancy new COVID app tells you if you have been around someone who’s been infected” and translate that to “Until the app tells me I am sick I am 100% safe and can lick everyone’s faces while in the ICU.”

    I’m sure most people are not that way but there are some silicon valley die hards that believe apps can do impossible things (I reference iPhone waterproof software update and iPhone microwave charging jokes as evidence). I am sure that overall the net result of these apps is positive; I’m just curious what percentage of people will it have a negative impact with.

    1. False confidence is a real concern. And you’ve got to weigh that against creating unnecessary testing and/or false-positive fatigue. A tricky balance that probably depends not only on the install base, but also on the prevalence of the disease in the population.

      Tricky, to say the least.

        1. I don’t think that the end of the budget was a concern in any of the mentioned countries, so it’s more like “let’s do this app on top of the testing” rather than instead. The apps and their infrastructure aren’t being promoted as the first line of defence.

          But yeah. It may end up money wasted. Or maybe the apps will only prove their worth later on. I think it’s all _way_ too early to tell, but it’s something to keep our eyes on.

          1. If not testing, then more ventilators, more masks, more funding for vaccine development, more welfare to those unemployed by the lockdowns…

            There are a million things that could be done instead of pouring money to multinational corporations over a phone app that has a snowball’s chance in hell of actually helping.

          2. Point being that none of these countries are exactly running a fiscal surplus at the moment. Even paying off a microscopic portion of their national debt would be a better bet for the future, considering there’s a major economic downturn going on – or simply not spending the money in the first place.

  3. There has been too much talk of privacy (yes it’s important, I agree) but almost no talk of efficacy. Without the latter, there is very little point in trading any aspects of the former.

    As the author says, there is no data to say if, or how well the decentralised apps work. And more importantly, by design, there never can be. It’s just a spray and pray approach.

    The UK has paused its roll out precisely because the efficacy could not be demonstrated. This is not because they are incompetent, but the problem is hard and solutions are non trivial. Even in a system that collects more data than many would like.

    This all comes down to a few technical reasons. But mainly, Bluetooth is not an effective means of measuring proximity. And nor would any other RSSI based system. Basically signal strength can vary massively depending on any number of things. For instance, is the phone in your pocket. The human body can easily provide more than 20dB of shielding. What is the relative orientation of the antennas. Cross polarisation can totally kill the signal. Constructive and destructive interference can easily make 10s dB of difference in real world environments. This is not to mention the differences between 100s of phone models that have no standardised method of measuring RSSI and do not publish their performance data for such things.

    In a centralised model, you can at least try and set sensible thresholds, that despite all this will let you adapt it to make best use of the country’s testing resources. It’s still a hard problem to prove effectiveness and tune the decision model, but at least you stand a fighting chance. But sadly Apple has unilaterally crippled this functionality, without providing evidence that their competing system works.

    1. And that’s assuming that every exposure (exposee?) gets tested. Otherwise there’s no point, since the correct positives take a nosedive if cases are not verified.

      In Finland it was just plain hard for people to get tested. Having all the symptoms and having a high-risk job contagion-wise (e.g. customer service on a cruise ship) has not been enough evidence to warrant testing, unless you can categorically prove that you’ve been near a previously positive-tested infected person.

      Yes, you read that right; government didn’t test sick people. (Laboratories have been underutilized; there was triple capacity vs. the number of tests actually run.)

      So, even if the apps were installed on every phone by government mandate, it might not help.

      1. The same situation was in Lithuania. Only these folks who arrived back to country from abroad and felt sick were tested. Borders were not closed yet. And guess what – we had a very “low” positives initially. By numbers of course.

        1. By my guess – countries didn’t have enough tests in early beginning so they tried to limit the number.
          Regarding closing borders – politics. Nobody wants to risk their reputation of closing the borders or taking other hard sanctions when they are not sure what the actual risk is.

          1. Remember the tests weren’t developed/ proven at the start. The probability of accurate test results is still unpublished ( in the uk at least ). TBH flipping a coin when you lose your sense of smell is an instant & more accurate diagnosis. The fact of so many false negatives does make me wonder if there are 2 viruses circulating -for which only 1 is detected..

        2. From a cost/benefit standpoint…. why test if you’re confident they have COVID? Just treat them as infected and don’t spend the resources taking 98% confidence to 99%. I figure testing should only be used in cases where there is a question of if there’s an infection, not for confirmation of infection.

    2. The problem isn’t that _I_ think that privacy matters, it’s that other people do, and they’re not downloading the apps that connect up to central services. People are voting with their feet, as it were. See France.

      Regarding effectiveness: if the whole Bluetooth tracing is ineffective, that’s even more reason to make it maximally privacy respecting, no? Do no harm?

      In Singapore, in contrast, if you get a positive diagnosis, you hand your phone over to the Ministry of Health, they read off the ID, and use that to notify people. If you don’t hand over your phone, you get charged under the communicable diseases law. This sounds fairly invasive on its face, but it should be pretty effective. OTOH, they only collect your information once there’s a reason to, and it might be effective enough that it’s possible to consider the privacy tradeoff as reasonable if there’s no better alternative, IMO.

      In Germany, COVID is already a by-name registered disease, meaning your doctor must report your positive status to the state. (There’s another class of contagious diseases for which they report the date and location, but you remain otherwise anonymous.) The law is tailored to make this privacy / public health tradeoff.

      So when the Germans / French / Italians / whoever don’t think that handing over the complete association graph of all people to the state, sick or not, is a palatable choice, well, there you go! But at the same time, they’ve agreed that if they get some diseases, it’s OK to tell the state, and I’d bet that most people will voluntarily tell a doctor who they’ve been associating with for tracing purposes.

      The principle in German law is collecting the minimum amount of info necessary to do the job. This is in contrast to the vacuum-up-all-the-data-and-hope-some-is-useful approach that Silicon Valley firms seem to take. (The irony being that in this one case, Apple and Google aren’t. For a company that reads your e-mail and logs all of your online purchases, that’s pretty impressive.)

      And yeah, getting effectiveness metrics is a casualty of this. But I would argue that personal privacy, and stopping the spread of this disease, are more important than some data that might help an app work better, or maybe not.

      1. >The irony being that in this one case, Apple and Google aren’t

        That’s as far as we know. The general principle with Google seems to be that they collect data indiscriminately about everything, and the COVID tracking app is in a sense superfluous because they already know by SSID data, GPS data, network data, and bluetooth data to a very high precision where everyone is anyways.

        When I turn the GPS off, WiFi off, Bluetooth off, close Maps and any other app, and walk into a supermarket, Google still sends me a notification to review that shop. There are hundreds of different “privacy” options, AND device options that you have to turn off individually, and even so it probably just hides the fact that they’re still tracking you. Turn on but one wrong feature, and it cascades into turning all the tracking features back on.

        1. I suppose the best way to “break” those reviews is to always give them minimum points and list “notified to review by mobile tracking without consent” in the comments. Or just install LineageOS without gapps…

          Then there’s a way for anti tracking protesters to break any tracking app based on BLE by using a device to receive and then retransmit packets at a much greater distance than intended. Add in a mesh network to increase the reach for even more false positives.

          1. Google really wants to track you, and at the same time they want to make it look like they’re giving you the choice to not be tracked. It makes it very hard to trust any of their software / applications.

            In this one instance, however, it looks like they’re doing the right thing. The system is designed to pass them the minimal amount of info, and it’s hashed. If they later end up using the data or correlating it with users, there will be a shizzstorm of unbelievable proportions. I don’t think they’d risk it.

      2. The Germans in particular are generally viewed as privacy superchampions but this isn’t really deserved IMO.

        Yes, the state is strong in protecting civilians from corporate spying, however when they feel the need for their own purposes they are one of the first to push these protections aside. They’re part of the 14 eyes spying collective, and have been arguing very strongly against encryption lately.

        1. That article is old, none of what’s described got implemented, and De Maziere is no longer in office. There was a recent scare piece put out by some VPN over proposed legislation that was also recently shot down.

          But if you want to worry, check out (Interior Minister) Horst Seehofer’s never-ending battle against encryption. Or maybe that’s what you’re thinking of?

          “Germans” and “the state” are pretty gross generalizations. But if you wanted to generalize, I would agree with pro-privacy and pro-press-freedom.

          Article 10:

          Both Germany and the EU have ministries dedicated to protecting citizens’ privacy and data. They give an institutionally empowered voice to privacy concerns in lawmaking. (Often not powerful enough, IMO, but we can debate this.)

          I’m American, so I try to think of the equivalent body in the US Gov’t, and can’t come up with one. Which Dept/agency has a personal privacy mandate? The NSA? That might be the closest we’ve got.

          From my perspective, Germany/EU looks very pro-privacy.

      3. “OTOH, they only collect your information once there’s a reason to”

        This sort of ignores all the historical reasons why privacy is important, and even life-and-death.

        Oh, golly, the same people who have power over you that you don’t want to mistreat you promise that they won’t mistreat you. Yeah, that was reassuring to somebody, but not anybody concerned about their privacy.

        That isn’t an OTOH. That’s the same hand. It is invasive, and controlled by the same people who could abuse it.

        1. At this point the debate becomes “can you compel a sick person to name the people that he/she has most likely infected”. I would vote “yes” for that one. Public health, small burden, etc.

          I guess, though, I should say that I would vote “yes” if I had sufficient trust in the institutions. If I thought that the data would be immediately turned over to non-health agencies, I might have some pause.

          This is relevant to me: the police in Germany have just gotten exposed in a couple of cases of using the health logs kept in restaurants for COVID tracing, but for criminal investigation. There is a current debate on whether this puts a chilling effect on the (voluntary-esque) logs.

    3. – Just wanted to say well put. So much BS going on and being swallowed hook, line, and sinker it’s unbelievable. Side jab here, but I also find it interesting how many people can be in the ‘my body, my choice’ camp, but be fine with government mandated injections/vaccinations. ‘I should have the right to snuff out a 8-month old fetus/baby because I don’t want to deal with it, but why should anyone have the right to refuse a (rush-job vaccine with no long-term effect data, let alone who knows how questionable short-term data on adults, let alone little ones it will be given to) vaccine? – I My only guess is “Science…, it must be fine…”, as well as forcing everyone else to take something or their ‘safety’/fear falls into the same self-serving category as the aforementioned action. Asinine. /rant

    4. really?
      i thought they binned it because they found out that even for 12 million pounds dominic cummings’ friends can’t program and so they were stuck with a very expensive non-functional prototype.

  4. A little while back I invented a way to track phones and other devices using an existing part of the chipset: alas won’t work with fruity devices but will on a $10 burner phone.
    Works better with the headphones plugged in though.

  5. I can certainly think of a way this app can be abused.
    1. Take the phone to place that infection is likely, e.g. hospitals.
    2. Wait for confirmation of potential exposure
    3. Take the phone to places with crowd, e.g. bus, subway, etc

    Wonder if the developers have a mitigation?

    1. It doesn’t work like this. A phone is not being flagged to others when it’s potentially exposed. Only when it is definitely exposed, confirmed by an actual test of the patient.

      A code is issued to make sure this can’t be done as a joke.

      1. This. You have to go to a doctor, get tested, the doctor then sends your results in, receives a code, you upload/scan code to phone.

        It’s actually a lot of hoops to jump through to register as sick if you are, but it’s a good thing to do for all of the people you’ve come into contact with in the last week.

        1. Yes, but nothing prevents Alice (who was tested positive) to give the phone to Bob (who is not in the hospital) to wander around in crowded places, creating a load of false positives.

          1. I wouldn’t say they’re necessarily false if Alice is close enough to Bob to let him have her phone for a bit, Bob could well be a silent spreader by now and the phone itself is a potential biohazard. Under most places rules, close associates of Alice should assume they had been exposed and go into a 14 day isolation anyway.

        2. Ok. I stand corrected. But I guess it is not too hard to break this. All one has to do is obtain a code like that. With all the privacy protection, I bet the positive test code does not have any personal identifiable information. Maybe the same code can even be used multiple times since patient could switch phone.

          1. No PII, but the code is probably linked to the ID.

            If I were designing the system, you’d submit your ID, it would be encrypted with a private key from the Health Dept, and then verified in the app.

            Codes are generated per-phone, though, so you’d have to get multiple signings if you had multiple phones.

          2. Even easier is to receive and then retransmit the packets using more power and higher gain antennas. It helps that BLE is normally sent at way below the legal limit, so by adding a $20 amplifier module and a DIY biquad antenna to a Raspberry Pi or whatever, it would be pretty easy to extend the range to far more than intended.

  6. The French app does not require to be in foreground and in their defense, there are multiple legitimate reasons to not want to use ENS (Apple/Google solution).

    For starters, ENS API is only available on the latest OS updates, which essentially means that anybody running a perfectly functional but not updated phone (iPhone 4S is BLE capable, but Apple rendered it obsolete by stopping updates at iOS 9, same with iPhone 5, 5S and 6 which stopped before iOS 13).

    Second and you don’t mention it, is smartphone market share. Not everybody has a smartphone, let alone one that could be updated to ENS.

    It is perfectly legitimate for a government (esp if democratically elected) to not be dictated how to do stuff by a duopole of foreign companies known to do everything they can to twist laws to their own end.

    1. Good points on the ENS. Of course, since it’s an OS-level system, it requires later versions, and this means inaccessible to some. The whole scheme only works on phones with BLE — so those with cheaper phones more than a handful of years old won’t even have the hardware. (It won’t run on any of my three phones, for instance, and I’m unwilling to install Google’s spyware anyway.)

      I read in a few places that the French app used a lot of battery, but I guess I had assumed that it needed to actively manage the BLE module. How does it collect/send pings on BLE without becoming the active task? (Not a cellphone OS expert.)

    2. That OS thing is only an issue on iOS. On Android Google distributes the API via the Google Play Services updates, and any device as old as Android 6 can get it. I heard some country apps have higher requirements but these must have been set by the app builders.

      However iOS doesn’t have this dual distribution mechanism. Apple should really have included it in iOS 12 too IMO.

  7. The OS layer is called GAEN:

    “Our main concern about SwissCovid is that the app is outsourcing nearly all its tasks to the Apple-Google implementation called GAEN (as for Google Apple Exposure Notification) and that GAEN is out of public or national control: there is no source code nor any way to verify how it works. As discussed in the above document, this is not compliant with the spirit of the law.”

    “the Apple-Google implementation has no public source code (at least until July 21);”

  8. The government and big data collectors have joined to make a smartphone app of questionable efficiency, not even supported by real world procedures to make it efficient but being able to totally spy on its user. And people don’t want to install it. We are sad about it even though for the last 15 years or so we kept informing people that their privacy has value and is being stolen, sold, marketed and used against us by corporations and government (and governments use real or fake threats to get more access to our privacy) in the first place, and smartphones with their apps are the main tools used for that.

    Sorry but this kind of app lights up all possible red lights at once.

    1. Yeah, it is almost as if abusing people’s privacy for years on end has negative consequences in an emergency. Golly, gee, if only somebody had warned us. /s

      I trust them 0, so whatever they say the benefits are, multiply it by that and you’ll see how much I care. Is it remotely possible to abuse? If so, I’m not going to install it. It doesn’t matter what words people say; find a time machine, go back in time, convince people not to give up their privacy to the corps, and that’s how you can change my mind. No time machine, no app install.

      Maybe if they respect people for a couple decades, they can be trusted again? Maybe, but they haven’t started yet.

    2. Did you read the article at all? There were a few competing frameworks, and through publicly visible debate, the most privacy-preserving (read: requiring least trust in gov’t/industry) one was chosen. Apps were then developed which have been open-sourced and vetted by competent, and critical, independent third-party hackers.

      Without putting too fine a point on it, this is our wet dream. This is how everything should be.

      1. I did. Still, I’m not surprised that 15 years of whistleblowing about massive surveillance resulted in people not willing to install an “official spying app” no matter how transparent the government is this time.

  9. Just for fun, I looked up Denmark’s downloads of Smittestop, which is more than 824,000 (from an announcement 2020-07-28 as the official number has not been updated since 2020-06-30), corresponding to 14.2% of the population (assuming no one has downloaded it more than once).
    Unfortunately, the government continuously fails at developing large, public IT projects and is currently only “considering” publishing the source code for Smittestop but is concerned about “safety issues” (says something about their frame of mind and/or the solution itself).

    1. Unfortunately a lot of people install apps and then immediately remove them. I don’t know what the “bounce” rate would be, but pulling a number out of somewhere, I estimate at least 30% in this case. People use it for a few weeks, everything looks ok, then they think it’s broken.

    1. Thanks for the source on this one. We had a hard time deciding how to represent Ireland’s population and adoption percentage when moving toward publication. At the time of writing we didn’t have this article (that was just published on Friday) and the sources we referenced mentioned that the app used in the Republic of Ireland wasn’t yet released in Northern Ireland.

  10. I don’t carry a smart phone with me all the time especially when the virus is around.

    Remember the health tip: Don’t touch your face when your hands are dirty.

    Guess what people are conditioned to do in public when someone calls? Do any people go through the process of wiping down their phone and hands before answering?

    Make sure you only use a headset for answering your phone in public.

    1. Ideally, you should keep your hands clean…that’s what they are meaning with “wash your hands frequently”. If you clean after touching something potentially dirty, your hands should remain clean at all times.

  11. I installed the German app on my phone and just left it running. Unfortunately there’s very little feedback over what it’s doing, it just says “green”. You can go deeper into the Android settings and see when the tracing framework was used (Settings -> Google -> COVID-19 exposure notifications) but I have no idea if it’s working.

    So again, one of my pet peeves is that you have no idea if the system works or your phone works. Did it detect any other phones at all? Maybe saying that ‘2-degrees’ or ‘3-degrees’ away from you someone got tested. It could tell you that ‘300 phones were scanned, 5 were belonging to people negative’, that’s a nudge so more people test themselves. Perhaps that’s just too much invasion of privacy, but the data is already there, just not available to us.

    I work in an IT company and my German colleagues are really allergic to Google and tracking. They plainly refuse to install any unneeded Google apps, even though they would be able to understand how the tracing works. But they have no issue using FB, TikTok or publicly posting pictures of themselves hammered or their whereabouts on Instagram.

    Unrelated, my girlfriend asked for an appointment with the doctor as she has had a sore throat for months. They immediately isolated her, took a saliva sample in the backyard of the hospital, and she then got a call from the Health Ministry(?) later that day to ask her details about her life. The test came back negative, which was kind of obvious, but we got a glimpse of the big hidden system at work.

    On the other hand, this virus came at a time of so much technology and human isolation, that we will probably see scientific papers for many years to come, studying the culture vs spread, relationship vs infection rates, smoking vs gaming and who knows what else. And “boomers” will get replaced with “covids”.
