2020.05.07 Privacy issues in the aftermath of Covid-19

2:33PM May 7, 2020

Speakers: Frédéric Donck, (Participant), Stefano Zanero, Robin Wilton, Dominic, Gilles Gravier, Andrew Campling, Richard Hill, Gregory Engels, Harlan Connor, Mark Lizar

Keywords: people, stefano, data, privacy, applications, solution, problem, tracing, contact, case, contact tracing, issue, point, robin, test, open source, app, decentralized, phones, false positives

Many of you have searched within this crisis, not only about the crisis itself, and by the way, I hope you are all safe wherever you are, but about the consequences of this crisis. Yes, I need to repeat before I start because they were newcomers we are about we actually we are recording this, and I hope this is not an issue for any of you. Would it be the case, please shake your hands. Otherwise we'll continue recording.

Privacy issues in the aftermath of COVID-19? What are your concerns regarding privacy and personal data collections? A whole lot of topics to discuss here. I'm very pleased to introduce the topic presenter today. Stefano Zanero. I hope I pronounce well. You are from Milano, you're an associate professor at Politecnico di Milano. You are focusing on computer engineering, system security and critical infrastructure security. You are the author of a very large number of papers and conferences. And you also do some, very consulted by media in Italy and Europe. So, we're very glad to have you with us. In front of you we wanted someone who can just weigh this contribution, so we decided to ask my colleague Robin Wilton, who is known by actually most of, every of you, he's the Director of Internet Trust in the Internet Society. Robin is a specialist in online privacy, in digital identity. He has over 30 years of experience. He's also a board member of the Kantara initiative. Robin also authored thousands of papers on privacy. And he's also the author of a regular blog that I would invite you to check. We got our backup from the team, we got Howard and Janica, who will deal with the communication issues. And of course, we got our regulatory and legal support here. That would be Ceren Unal, she's also part of Internet Society. And to me, she's one of the best specialists of GDPR in Europe, and that will be useful for our conversations.

So let's kick that off. Whenever you open your news, you see a lot of consequence of this COVID crisis for the internet and privacy. And one of the questions that you could see is, whether privacy would, or not, be another victim of this crisis? Now, a couple of weeks ago, the European Data Protection Board communicated about the fact that GDPR would allow for countries and governments to play a little bit with privacy in the context of the pandemic. And then it would make a lot of privacy advocates a little bit dizzy. You check Germany with this new app, Corona. That expanded based on volunteer people. You got France with the Stop COVID. You got Poland, who went a step up, going with selfies, and that would allow government to control where people are. Italy started quite early, and this is also the reason we are glad to have you Stefano to comment on this, they started on 9th of March, also monitoring some of these activities. So Stefano, I would like to start with you. Is all of this useful? Is it efficient? Is it privacy or style? Well, I guess we can have some assumption here, and is it here to stay? Some people fear that those measures that are set to be provisional, might just stay beyond the crisis. So I would like to hear you about those issues, Stefano, back to you.

Thank you very much for the introduction. Way too kind. And thanks for the invitation. It's really a pleasure. I've been a member of the Internet Society for a long time, and it's a pleasure to join this call. So, I would like to start from your last question, which is super important. And, in Italy we have a saying, and it applies to Italy, but I think it applies to a lot of places, nothing is more permanent than anything provisional. And usually the example here is that we are still paying some taxes on the fuel that were meant to support the efforts for World War Two. So, some things that are applied as a provisional manner, kind of stick around. And, in security and in privacy, we've known that for a long time. Security measures stick around, it's kind of part of the first class that I give to all of my students. As engineers, we have a responsibility when we apply a security measure, to remember that this security measure will stick around for a very long time, and it will be very difficult to convince people to take away a security measure. So, when we examine all of the applications that are proposed in this moment of crisis, we need to think about how much data they will gather, and how they are going to be dismissed at the end. And I specifically looked at contact tracing, which is on everybody's mind probably, but this applies across a variety of different applications for telemedicine, health, location, generating alerts. There's a number.
Today there was a journalist friend here in Italy, a very, very good journalist covering privacy, Fabio Cozzi, who started the thread on his Twitter account, posting all of the news related to all of this stuff that is being proposed for going back to normal, like bracelet for kids in order to get kids to separate in playgrounds, and if they don't separate, in order to be able to track who was in contact with whom, in case of an infection, and the bracelet for people that go to the seaside in order to keep people separate, even in the water. And all of this is being proposed as ways to go back to normal. Well, this is not normal. This cannot and should not become normal.

As you said, there's been way too much on the Italian media in the last few days, and a friend of mine created like this contraposition of a video of me saying precisely this, this is not normal, we should not normalize this, this is a crisis response, and maybe it's important that, right now, we do this, but a) we should study if it's actually important, and b) we should do it in such a way that it does not become part of our lives. Counterposed to one of our ministers saying, Oh, well, we are going back to the normal, but this is going to be a new normal that is never going to change back to the old normal. No, no, no. We very much want this to change back, maybe not to the old normal, but in many ways, yes, to go back to normality, which does not include contact tracing on our phones. That's not normality, that's abnormality. Now, going back to your question, which is super right, and I love it, because the first question that you asked was, does this work? which is the right question. Is this private enough? is the wrong question, or Is privacy more important than health? is the wrong, wrong, wrong question. That's not the question. There are two important things. There are two important parts of our safety, as citizens and as people. So, it's the wrong way to frame it. The first thing is, Is this useful? Now, I'm not an epidemiologist, well, I am a computer epidemiologist, so I am a doctor, but not the kind of doctor that helps people, I'm the kind of doctor that studies computers, and they don't have an answer. But I read the literature, which makes an important case. The literature says that, traditionally, epidemics are kept under control by testing, tracing, and treating individuals, and we have been doing this for 100 years. It's not new science, this is old established science. So, in this specific case, for this illness, we have treaties with three different issues.
The first is test, and most countries are unable to test citizens in a significant number. We can scale that up, but it will never be enough to test everyone all the times we would need to test them. Treat? At the moment, yes, at the moment there are some treatments. It's not like people cannot be treated at least a little bit for this illness. So, it's a serious illness, but there are ways to treat people, but there's no real treatment in the sense of an antiviral that works precisely as intended every time. So, we cannot, and this is important, because when we have someone with that risk of contracting infections, for instance, suppose that we have someone that for a chance has been exposed to HIV, there is a treatment called post exposure prophylaxis that is widely available throughout Europe. You can get it everywhere, because it's an emergency treatment, which is based on the same antiretroviral drugs that are given to your people, and which, if they can urgently, in most cases prevent the illness from developing. It's given to people that have suffered from aggressions, it's given to people that have had accidents in their practices, and so on. We don't have that for this illness, we can only treat people in the sense of enabling them while they work off the illness by themselves. And so, that leaves us with contact tracing, because if we cannot test so many people, and we cannot really treat them in the sense of giving them a drug that prevents the illness from taking over, we need to be very efficient in finding the people that are possibly exposed, and asking them to self isolate.

So, there is science describing the scenario, and it's saying, okay, for this scenario, tracing people manually, it's not going to be enough. We need to be faster and to be more thorough than we are usually for people that are manually traced. And so, there comes all of the tracing madness that we have around us, because of course everyone has tried, maybe their best, to answer this. We have seen different answers in different countries. So, in Asia, for instance, in South Korea, they have done contact tracing very aggressively in, I would say, a manner that is probably not really acceptable from our point of view, from our sensitivity, because....

May I make a remark?

Yep, sure.

It may be that the Netherlands will come with a new initiative, a new solution for this tracing app that is privacy friendly. So..

No, it's great, and as we said, there are, I mean, all proposals are useful because we are trying to do something that, it's not like we never thought it could be done, but we never wanted it done. So, to be totally honest, if somebody came to me before this epidemic and said, Oh, we have this brilliant idea for tracing the contacts of people, I would have probably screamed at them at top of my lungs. But, at the moment, we need to figure out a way, if it's possible, going back to the question by Frederic at the beginning, if it's possible, if it works, to try to complement manual tracing. And, a long story short, there's been ways in South Korea, for instance, for tracing based on giving access to manual contact tracers to a lot of sources. So, if someone gets ill, or gets tested positive, the contact tracers can for instance, access their credit card track, or their underground pass track, and flag wherever they have been, and give an alert to the people that have been in the same place, for instance people that have paid at the same restaurant through a credit card, and alert that they may have been exposed. Now, I don't know about you, but for instance, for me, if I started receiving messages from my government saying, Oh, you have been to this restaurant, and you may have been exposed, that would be way more invasive of our privacy than anything else. So, it's the South Korea solution that is often confused with contact tracing in the sense of using an app, is completely different. This is way more invasive. In Europe, throughout Europe, and in other countries, actually, the proposal has been moved to the idea of using an app on the phone. So, voluntary, and in some ways more complete than anything else, because our phones are our small surveillance system that we always carry around, already.
And here, and making a long story short, because many of the people on the call probably already have looked into this, but basically there are two big technologies that you can think of using, one is GPS location, and one is Bluetooth. Now GPS location has two big hindrances. The first hindrance is that it's not so precise, in particular inside, or when you are in public transport, so, if you get on the underground, we lose track of that until you get out on the other side. So, getting understanding exactly who you have been in touch with is basically impossible. And the second enormous issue, the most prevalent issue, for people concerned with privacy, is that the only sensible way and I'm using sensible in a very, very broad definition of sensible, to do this would be to upload the track of every movement of every citizen to a central server that then does a correlation. And this means building an enormous database of all the trajectories of all the citizens of a state. And for all people that are participating, which is inconceivable, frankly,

Can I intervene, please? I would like Stefano to be able to end up, then Robin to answer, and I will open up the conversation. So, please use the chat for any questions, and keep them absolutely open. But, let's go Stefano, now. Thank you.

For me, it's the same, but okay, I will get to my point. And so people... I like more the fact that people can ask questions. So that's the hindrance of GPS, right? Enormous hindrance. You're creating an enormous centralized database, with a lot of sensitive information, that then needs to be protected, and more importantly, that has a lot of other uses besides contact tracing. And here, we should remember history, not long ago history, but very recent history. After 9/11, in Europe, we started creating logs and tracks of phone conversations, metadata of phone conversations, for terrorism tracking purpose, and to keep them for a very long time. They have been accessed for all other purposes, because when they are there, how do you say no to using those same logs for tracking child porn, or for tracking other criminal issues? Or because they may be useful to prove someone's innocence in a crime, in a murder case, if we build an enormous annotated database of movement of citizens, even if it's voluntary, it will be used for some other things. It's absolutely inconceivable that it will be left alone there, and then destroyed at the end of this event, it will never happen. There's always going to be another crisis, there's always going to be something else that it's good for. So, the other alternative, which everyone basically has turned to, is Bluetooth, which actually solves a much closer problem, right? It solves really the problem of being closer to another person. And the data from these matches is useful, basically, only for tracing contacts, which is a very good property, if we need to use an application to do this, making sure that the application only does that. It's not useful for other things, it's useful only for that.
Additionally, thanks to the work of many European colleagues that developed a protocol called DP-3T, this can be done in a very privacy preserving manner, by keeping all of the data for a single user on the phone, on their user's phone, without a centralized database. Now, I will just simply explain it, but then if someone is curious and wants to know more about it, we can discuss it later, maybe. Basically, the protocol works in this way, each cell phone -- its app, actually, user -- has a unique ID that they generate, they choose it, it's like an alias. And, when the two phones are in close contact for enough time, like more than 15 minutes, less than two meters, is the usual parameter that is suggested for this illness at this time, but it's a parameter, it could be modified with our experiences. And they exchange this ID. So my cell phone has a list of anonymous IDs of people I've met. I don't know whose IDs they are, but they are the people I've met. When someone tests positive, they are authorized by the health authorities to upload if they wanted their ID to a centralized server. And this server only stores these anonymous IDs of people that have tested positive. They don't have contacts, they don't have identities. They don't have anything that's just a list of anonymous IDs. All the users are receiving this list, and they check if they have met these IDs in the past. If they have met these IDs, the user receives, only the user receives, a notification, and only the cellphone of the user has computed this, so there's no central database that can say this. I must say, as I said before, if someone had asked me before this pandemic, we want to do contact tracing, I would have said no, possibly with more choice words in Italian, (indiscernible). But right now, if we need... Yeah, a lot of hand waving. I love zoom, because it cuts me here, so you don't see the hands going anywhere.

But, if we need to do this, if we really, really need to do this, and this I don't know, because I'm not an epidemiologist, but if the epidemiologists and health officials told us that this would be a help, if we need to do this, the most privacy preserving way to do this, maybe there's better, but the most preserving, privacy preserving way to do this, that I have seen so far proposed, is DP-3T. And, as an additional bonus, when Apple and Google decided - go figure, Apple and Google doing something together, it's really a sign of the impending apocalypse - when Apple and Google decided to implement a contact tracing functionality inside their operating systems, and this is important because Bluetooth, as it is designed to work in our current systems, is not really designed to do this thing. It can be used to do it, but it's not really simple for a variety of reasons. In deploying this they decided to use DP-3T, not really exactly DP-3T, they changed a couple of details, but basically DP-3T. By this they basically presented the governments and the app developers of the world the choice. They said, Okay, so we simplified doing this for you, but only if you use this privacy preserving approach. If you don't want to use this, you're very welcome to do it, but you need to do it on your own, and it will suck. So, this is the basic trade off that has been proposed. For once, and I'm not an enormous fan of technological giants when they move in the area of privacy, usually, but for once, this is actually a positive effect of their market dominance. So, summarizing, I don't know if we need contact tracing, but epidemiologists and health officials are very much convinced when we do, or either, I'm convinced we need contact tracing, because that's established science. I'm not sure digital contact tracing will help that much. I don't know. I don't think anybody really knows, but we need some help because manual contact tracing will probably not be enough.
So, we can test this. But given that it's a test, and given that it's very invasive, and given that we need to ensure that, once this disease ends or is or this crisis is over, this is not useful for something else. Then, if we want to keep all these points open, a DP-3T is the closest thing to a solution that we have. And luckily enough, it's the standard that the two technological giants have decided to deploy, in this way making it very much harder for the governments of the world to go another way. France has gone another way, and they have a lot of issues with their applications at the moment. Italy was undecided, but when Apple and Google thing came out they, that was the final - I mean, I was one of the people that proposed and then pushed for DP-3T, and the Apple and Google thing was the final straw that brought them over to that. Germany has changed from a centralized approach to DP-3T because of the Apple and Google thing. So, I think that for once that was a positive influence in diminishing the privacy impact of applications.

Before I conclude, I would just like to stress one thing related to the privacy versus health conundrum. Well, for what they have seen, for all I've studied, I've asked all people, that I met during these weeks of discussions, to give me examples of things that a more centralized approach could do, which a decentralized approach could not do, because I am sensitive to the trade off. If there is something that would help us more trading off on user privacy, then that's a discussion that can be made. If people consider that, I mean, privacy is an important issue, it's not like there's health so, privacy, who cares? No, no, we care. We just can have the same results in a privacy preserving manner. It's not less results, but privacy. It's same results and privacy, so far. But, if anybody has, or has heard of significant concerns that cannot be realized in a distributed manner with DP-3T, I would be super interested in hearing about them, because, ethically, as computer scientists, we need to of course, preserve privacy and then give that top - but we also need to operate for the common good of society. So, if the common good of society requires us to design things, we want to design them in as privacy preserving manner as possible, as useful as possible, as user friendly as possible, as transparent as possible, but we need them to be useful, right? So, it's important that whenever we frame this discussion with our friends, with our colleagues, with the general public that depends on us as experts, we don't frame it as, but privacy, but we frame it as, Okay, this gives you everything you wanted, and privacy. If it doesn't, tell me what it doesn't do, and I will find the best way, the most privacy preserving way to do everything that needs to be done. So, let's all try to avoid framing it as health versus privacy.
Because, in that case, and I am a great privacy and security advocate, I've been dedicated to it my whole life, I started in 1997, it's 23 years of my life, but if you frame it as one life versus privacy concerns, then life wins. Then life wins. But, if you phrase it as, let's give all the support that we can, and make it as privacy preserving as possible, because we can do that, then everybody wins. Thank you very much for listening for now. But now, I want to hear from our discussant and all the questions that you have. I will go through the chat in the meantime, so if you see my screen oscillate, that's why.

Thank you, Stefano, it was so clear. You can see already much traffic in the chat. Thank people for doing so. We will get back to each of your questions. I like what you're saying Stefano, because you put it so clearly. I would like to hear from you, Robin. You now have the task to discuss this, as a discussant and an academic, before we open up to the floor. But I see already, I've got myself many questions, and I see many others. So please, Robin, shoot.

Thanks, Frederic. Thank you, Stefano. And it's both a pleasure and a worry to see so many people on the call. Fantastic. Thank you all for joining. A colleague of mine asked me to give some thought to the question of contact tracing apps and COVID related data a few days ago, and so I started jotting down some of the issues that I could see. I'm delighted to say the first thing on my list was the first thing on Stefano's list as well. Will it work? Is there utility here? Is it effective? I then carried on writing my list, and when I got to about 30 items, I realized I'd better take a slightly different approach, and so I looked at the list to see if I could group them at all, and the groupings that I came up with, I think, reflect the diversity of the questions and comments in the chat. Stefano set out a clear position. And, in the chat, we can see that it raised questions about technology, about society, about regulation, and so on. And so, just looking back at my own list, the categories that I ended up with were: first, clinical, because that's the effectiveness measure; second, social, because if people won't adopt it, you won't get useful data; third, the legal aspects; fourth, the technical aspects; and fifth operational: How do you deploy this? How do you make use of the data? How do you apply effective governance to the data once you've got it? And I think a very important factor, what is the exit strategy from this? As Stefano has said, this is redefining normal, and it may be a forlorn hope to think that we can go back to what we thought of as normal before, but we shouldn't just allow a new normal that's hostile to our interests to take over, without thought, without deliberation, without discussion and debate. So, with that kind of context, I wanted to look at this through just three lenses: the first one is utility; the second one, and this again is something that Stefano raised, is what I call the break glass factor.
What do you do if in the interests of a public health emergency, you collect, store, and process massive amounts of sensitive personal data, when that public emergency has ended? And I have some thoughts on that; and the third one was a slightly more practical one, again coming out in discussions with colleagues, about some of the issues that arise when you start thinking about immunity passports, which have been touted as a measure for helping us get back to that whatever normal turns out to be. So, I'm not going to try and discuss any of those three topic areas in huge detail, just to give them as examples, I think, first of the issues, and second of the ways in which we can break those issues down. Because, although this feels new, I don't think we are confronted here with a new problem. The elements of this problem seem to me to be very familiar ones, about privacy, about the balance of rights and public interest, and so on. The combination of those problems may be new. But, I think that many of them are problems that we ought to recognize, and to which we ought to think we have the solution.

So, first, my three points: Utility, and what I thought about here was something very basic. If you roll out a voluntary contact tracing app, what's the quality of the input to that app? What quality of data does it give you? And it seemed to me that whichever axis I chose, the answer was the data is going to be flawed. Is it going to be timely? Well, you have to keep putting data in for two or three weeks before you get useful proximity data, and so it won't be terribly timely for some people. It will only tell them that they might be at risk after they have been at risk for some time. And that time factor seems currently to be quite arbitrary. It's not really understood for how long you can incubate this virus and for how long you're contagious if you are incubated, and so this period we seem to have at the moment, of 14 days of tracing proximity data, seems to me to be fairly arbitrary. And so, I'm not convinced that the data that goes into these systems will be timely. The second axis I chose was, is the data authoritative? Well, at least in the UK, the app will collect self asserted data, and it will do so based on whether the individual thinks they have a temperature, and whether they've got a cough. Well, is that authoritative? It doesn't seem terribly authoritative to me, because there may be perverse incentives to misreport. And, under those circumstances, your only next step is either to proceed on the basis of inaccurate data, because someone has misreported, or to haul them in for a clinical test, which will then prove negative, probably, because they've misreported, and therefore you've wasted resources and time, and so on. So, the input data doesn't seem to me to be of a very high level of authoritativeness. And then the third axis that I looked at was, correlation. Is the correlation between the data and reality usefully accurate. And here again, it seems to me that the correlation was quite weak, in terms both of false positives and false negatives. 
And what I mean by that is, given that in the UK case, they are only collecting two assertions, do you have a temperature, and do you have a new cough? Well, that doesn't prove you've got COVID, because there are other reasons why you might have a temperature and a cough. Nor does it guarantee that you're - well, sorry, let me put that the other way around - you could have COVID without those symptoms, because it's clear that people can have this virus asymptomatically. So, collecting data only about whether someone has a cough and a temperature will result in both false negatives and false positives. So, the correlation between the data collected and the actual status seemed to me to be weak. So, that seems to me to undermine a lot of the utility of this kind of solution, from the outset. One other factor, in passing is that this of course, only tracks contagion by personal contact, it doesn't track contagion through objects, and that's known to be another pathway for this virus. Its persistence on surfaces like plastic or cardboard is established, and, that would come up in any of these tracing apps.

Okay, so, that was utility. On the break glass question, this is something I started looking at back in about 2006, and to give that some context, it was after the H5N1 virus, not a pandemic, but an epidemic at least. And so, as I say, some of these problems should seem familiar to us. This won't be the last pandemic with which we're faced. Back then, I don't know if you remember, also, after 9/11, there were a certain number of anthrax scares, where people were thought to have been sent anthrax through the mail. And so, there was a general concern about contamination by object content. And, sorry, yes, in the chat, Andrew, I absolutely agree, the solution on that false negatives and false positives is to do something other than allow self reporting, and that requires clinical testing, an approach which our government here seems to have sort of discarded. So, sorry, on the break glass scenario, just to recap that quite quickly. A lot of personal data is being collected here on the basis, this is an emergency. And I think we need to look now, as some people did back then, at the long term privacy risk of collecting and holding that amount of personal data. And, I don't look at this from the point of view of well, because you're holding that personal data, I am bound to be at some future privacy risk. I look at it from a much more practical viewpoint, which came out of the discussions back then in 2006, and that was, if you have that data, and there is therefore a risk of the data breach, how would you know if that had happened? And what steps should you be taking now, to make it detectable, if, at some point in the future, the data that you've held, gets breached, and is in the process of being leaked or abused in some way? It's quite hard to work out technical ways to do that.
One suggestion at the time was well, you salt your database with some fake entries, so that later on, if you see those fake entries in the wild, you'd know that your database has been breached. But, I won't go through the details now, but if you think down that path, it's actually really hard to distinguish invalid use of those fake identities from valid use of those fake identities. A commercial third party, wanting to make legitimate use of the data, would want to scan to see if some of the entries that they'd been given were actually not people, and it would be very hard to distinguish that activity from activity leading up to, and relating to, fraud. So, I think there are real problems here with the accumulation of personal data, as Stefano pointed to, and the break glass scenario, and the problem of, to mix my metaphors, getting the toothpaste back into the tube.

And then the last one I wanted to touch on was the idea of these immunity passports, again, not a new issue. We have been working on trustworthy attribute assertions, in the identity and privacy community, for a decade or more, but it's a tough problem to crack. In this case, again, there is no proof that someone has a given immunity status, technically speaking. There might be clinical evidence, but to say, Well, I can write an assertion to a smart card, or to a wristband, and treat that as proof of this person's status, is mistaken. It is the best evidence of that person's status, and you have to decide whether you consider that evidence to be reliable or not. A couple of other problems with immunity passports, there will be perverse incentives for people to get hold of an immunity passport. People may actually seek to get infected, so that they can get an immunity passport, in order to get back to work, because they need to feed their family. So, perverse incentives, I think, are something that needs to be considered in the design of any system for immunity passports.

And then the last one was a thought about unintended consequences. Take that scenario that I just mentioned, where someone is desperate to get back to work because they're running out of money. They go out and get infected in order to get an immunity passport. And perhaps by that stage, the government has said that, if you do that you're committing an offense. Well, are we going to lock up all the people who've done that? And, if so, does this turn into a problem of prison capacity, and not of trustworthy attribute assertion? It doesn't take much thought for this kind of solution to go down some very unnerving and socially divisive and difficult pathways. So, I welcome Stefano's analysis of the architectural choices and options behind tracing and proximity apps. I think that that analysis was clear, and it was comprehensive. I think that whole issue, of how you design an app to be privacy respecting and effective, needs to fit into that wider set of considerations. Some of the specifics that I've covered under my three bullet points, but also - and Stefano and the chat between them have covered a lot of this - those five areas that I mentioned, the clinical, social, legal, technical, actually a fairly minor component of the whole thing, and then the operational, including, and especially, the exit strategy. So, I hope that's been a useful counterpoint, and a recap. And I'd better mute, and have a look at the chat as well. Thank you.

Thank you, Robin. Super analysis as well, thank you very much. I'm facing a chat that's growing and growing.

I was reading that as well. There's a lot,

There is a lot of stuff. And trust me, we will open up. And, as the case may be, we will reorganize another call, trust me. This being said, before I open up, I would like to come back to both of you, you Stefano and Robin. So, if we succeed - just in one minute, we won't - but if we would succeed to escape this conundrum of privacy versus health, and we agree that contact tracing is efficient, and needs to be implemented, and then we talk, which is not being shared by everybody. You've seen our colleague, Bruce Schneier, who just completely oppose the idea in a Bruce Schneier way, which is quite tough, but let's assume we agree on this. We nevertheless would need to talk privacy, and also see in the chat security issues, right? Because of the privacy issue here. What it is that we, as a community who should actually require our government, should there be governance process that should be implemented right now, are we talking of open sources as a guarantee, or much guarantee, to something that would offer those conditions? Should we talk about duration, proportionality? What and how would you see this happening? Starting with you Stefano, and then Robin. Thank you.

These are great questions. So, for a starter. I think that such applications should be open source, not just because of the inherent value of having the many eyes looking at the code, for something that has been developed in a hurry, in any case, because these are being developed very quickly, but also for building trust, because these applications need to collect data, they need to collect only a specific amount of data, they need not to have a surprise feature. It's a way to build mutual trust. There is an issue there, from a technical point of view. So, as many of you probably know, having something that is open source is not really useful unless you are certain that the executable, that is actually running, is the same source that you are looking at. Now, this is achieved in the open source community, through something called a reproducible build. And, in the mobile world, creating reproducible builds is very difficult in the case of Android, impossible in the case of iOS, because you cannot sideload applications, which are not going through the Apple App Store. So, open source needs to be there. The community is also to check, and validate, that the applications that citizens actually run corresponds to the source. So, there's going to be a need for community people to reverse engineer the applications, and study them, and make sure that they are exactly as transparent as they say they are. Because different countries will also adopt different ways to deploy these applications, private developers, partnership with the industry, or something completely public. This is an interesting point. On the points of governance, I think I will let my colleague talk, because I really, really appreciated his take, and I will let that go through him. I have chosen a couple of questions from the chat already afterwards, if I can come back and actually answer those.

Please. Thank you. Robin, quickly

Well, so to copy one of our politicians, I think the answer is transparency, transparency, and transparency, of which open sourcing code is a really important part. But, I think it goes further than that. I think there needs to be transparency about the governance that's put in place. Obviously, there needs to be transparency about the architecture that is being implemented. At the moment, I think, again, I'm going to fall back on the UK as an example, here there is a great deal of ambiguity about whether this solution can best be described as centralized or decentralized. Clearly, it's in the interest of some of these stakeholders for that ambiguity to persist. I don't think it's in the interest of the citizens for that ambiguity to persist. And I think we need much more clarity about the placement of data, the placement of processing, and how long the data persists, and where? So, I think there's this transparency requirement in the architecture, of course, as well. I think there's also a need for transparency about who the stakeholders are. Foreseeably this data will end up being processed as part of a public private partnership, and therefore, commercial interests start to come into play, particularly when you look at potential monetization of that data later on. So, I think there needs to be a lot more transparency about who the stakeholders are, what their economic interests are. I didn't even get into the economics in my five categories, because that was another huge can of worms. But, unless there's transparency about who the stakeholders are, and what their motivations are, we won't understand the economic forces that drive behavior in one way or another. And what we know from the monetization of personal data is that economic force tends to be the overriding one.

Thank you, Robin. Stefano, shall we start answering some of the comments?

Yeah, I would start answering basically two things that are not really single questions, but they cover a number of those. So, and there is a lot of confusion about this, and this is pretty normal because the whole topic has been handled in a very confused manner by many people, and many governments as well. Now, what we need to build is contact tracing. Knowing that I and Frederic met over a coffee and stayed for more than 15 minutes together, not where we met, or where we have been, which is location data. Location data would be one way to do contact tracing, but contact tracing is a different problem. So, what we want to solve is the contact tracing problem, and since location data, for this specific problem, creates more issues than it solves, we have abandoned that. So, 99% of the proposals that you will see for contact tracing do not have anything to do with location tracking, that's a different thing. That's one thing. In particular, DP-3T, for instance, specifically avoids any type of location data. So, that's one thing. The other thing is something that also, actually, in Robin's discussion, there was some overlap between the two things, and I wanted to try to streamline a part of the discussion, because this has already been an issue in Italy and is going to be an issue everywhere else I think. So one thing is having apps that allow the citizen to enter symptoms in order to handle their health issues, to communicate to health officials if they feel symptoms, that's one thing. Contact tracing is another thing, they are separate. They may be in the same app, but they are two separate things that need to be kept separate. You could, as a health care system, decide that you want your citizens to self report fever or cough, so that you can keep track of them, or send them instructions and say, okay, you should self isolate, try to stay away from your family as well, until you see what you have, or get to this location and get a test, maybe. 
But, this is one thing, contact tracing is another thing. And contact tracing should work independently because we want users, we want as many citizens as possible, to adhere to it voluntarily. And it does not work together with that, because if we use for contact tracing, to trigger contact tracing, we use self reporting symptoms, or inserted IDs by someone arbitrarily, then we trigger an enormous amount of problems with trolls, with people making jokes, that's not something that we want. At least in Italy, and in many other countries, the choice is that when a health official would start contact tracing manually on you, at that same time they provide you with an unlock key, in order to allow you to upload your ID to the server as a positive person. So, in most proposals, contact tracing starts when someone tests positive, and it's separated from healthcare apps in general, because it's a separate type of data. Healthcare data has sensitivity issues, contact tracing has sensitivity issues, but they have two different types of data. Paradoxically, contact data of citizens is more sensitive than their health data in many ways. Knowing that I have a fever, or even knowing that I have been positive to COVID, is less sensitive than knowing the complete list of people I have met in the last 14 days, it's less interesting for attackers. There's a lot more attackers that would be interested in the complete contact set of Italian citizens, than attackers that would be interested in my spleen radiography, or whatever else. So, it's a complete difference. And this is a very common mistake in this debate, like saying, oh, but the healthcare system already has your digitalized exams, and they are very private, and they are already protecting it. Yeah, but it's a completely different type of data from contacts, completely different.

Another thing that goes to Robin's point is time factor. The 14 days are, yes, more or less, an arbitrary amount of time, but they are not really arbitrary. They come from established science, that the average time for someone to display signs of COVID, or to be infectious, is five days since they've been exposed. And these, plus three sigma, in the traditional scientific sense, brings us to the 14 days. So, 14 days is a very good safe interval from when you have been exposed to when you probably end up being tested or displaying symptoms, and anybody that you met in the last 14 days could a) have been the person that infected you, or b) the person that you infected before having the evidence in terms of being tested. So, it's a very good way. These applications, or the entire contact tracing process, is never meant to get each and every one of the contacts, or to be false positive free, because many people have been asking about false positives, or false positive injection. That's not an issue. This is always going to generate false positives. In a regular day, not in lockdown, because I've not been meeting anyone in the last two months, but, and this is starting to be hard, but in a regular day, I probably meet 20, 30 people in a COVID significant setting. So, in 14 days, you can have met 100 people or so, right? Of these people, on average, each person that has COVID, without security measures, infects three or four others. So, regardless of how good the application is, it's going to generate 98% of false positives. That's built in, in the idea of contact tracing. When you trace contacts for infectious diseases, you always get a lot of people that are not infected. It's normal. The point is that, in this way, you can use better the tests you have, and the time you have. So, the false positives are not a real issue. And I will stop here and let people ask questions. I have more than I would like to answer but there is limited time.

And we appreciate so much, Stefano, and indeed you talk already a lot, but I would keep listening to you for the next coming three hours. I know it's not possible. I will be quick. You got here, in front of you, hundred people and I tell you they represent, most of them, the highest level of people I could imagine are able to discuss those issues from the technical community, you got lawyers here, you got government specialists coming from governments, or international institutions, so you got a true multi stakeholder panel here in front of you. I would like to hear from you guys, whether you believe there should be a DNA for anything that resembled contact tracing, in Europe or elsewhere, that you would be able to stand from your perspective, and your values. Does it make sense? I would like to really hear whether you think there should be features attached to any tracing, contact tracing app, whatever it would be developed in Europe or worldwide. I would be interested to hear from your different angles. Anyone want to take this? I know it's a tough one. If not, I will keep it, come back to you at the end of this conversation, and now start taking questions from the floor. So please, if you have a question or a comment to make, should it be a comment, make it short. But, let's make sure we have questions here. Please raise your hand, and I'm checking the chat. I know there is already many people who commented. So please, if you have something, Dominic, please go. I cannot hear you Dominic.

Me neither.

(Indiscernible)

Yeah, maybe

Can you hear me now?

Yes, that's better.

Hello. Hello?

Please go.

Right? Okay, I've written code for the UK Government. First of all, if I wanted to deliver this application this year, there's no way, in god's green earth, I would make it open source. Because the top, once you have the scale of the number of people looking at it, that you have for this high profile application, it just simply would not be possible to hand it, or deal with it, in any rational process, and subject myself to the incessant hassle, and get it actually delivered to a point where it was even remotely useful. So, although I see the attractions of open source, and have a deep cynicism about the many eyes, given the many problems we've had with many eyes, meant to be a closed source app, and to deliver it any other way just is not - well you might just as well as not have an app if you insist on it being open source.

Yeah, but then you don't have to listen to everyone who expresses an opinion on your open source. You can open source it so that everyone can see it, but then only listen to some subset of the stakeholders in deciding what to do about any comments that you get.

Can I add something to this?

The Norwegian government created a COVID tracker app that was closed source, for probably the exact same reason. A couple of days after, it was actually reverse engineered, and source code was published, albeit in a much less readable way than it would have been if somebody had written it as open source first. So, if it's going to be that sensitive a type of application, publishing it as open source actually is a much better option because, first of all, you control the way it gets displayed, you don't have somebody reverse engineering it, and showing it in a very ugly way, and second, you get the option of involving the population early on, and having them actually identify potential bugs really quick, before they blow up in your face in a much nastier way.

That's a...

By the way, there's a lot of experience, in that I used to work for Sun, and when we open sourced Solaris, in 48 hours, somebody published a bug, and the source code to fix it, and in less than five days, it was fixed, and it was a major bug, and it was the fastest ever in the industry, at that time, that a security bug was corrected after the moment it was discovered, and all of that because we open sourced it. So, I really think open sourcing this kind of application is the way to go, because it's going to a) let you control how the source code is visible, b) ensure that as many people can look at it, which is what you really want, and give them a fair chance to fix things.

And also, if I may, there is a point in the chat that is very important, and the point is this: These are voluntary applications, at least for most governments in Europe, and they are effective with the country with a quadratic measure of adoption, because, of course, both people that meet need to have them active on their phone. Now, this means that we want as mass adoption of these voluntary as possible, if they need to work, otherwise, we'd better not build it. Now, and I totally appreciate the comment, I'm not an open source Taliban, and I completely agree that there are some cases in which open source works better, and I'm sure it was the case for Solaris. That was a word that I have not heard in a long time, so thanks for bringing me back to my young histories, but the adoption of open source here is not much for bug track, bug hunting, or vulnerability hunting, I think that there's going to be an enormous community, in each country, of people that are going to volunteer their time to propose fixes and issues. And, of course, you're going to have people that are going to criticize, but, you know, people are willing to criticize in any case, and you want to be able to prove them wrong by pointing them at the source code and saying, Okay, so here's the thing that proves you're wrong, and if you cannot read it, then maybe you should not be commenting about it. And, I think that open source here is necessary to build trust, and trust is necessary to build adoption. Personally, I'm able to reverse engineer anything that gets thrown at me, I analyze malware for a living, so I'm pretty sure that I'm able to reverse engineer things that have been developed for mobile applications. But, I think that it would go an enormous way, in building trust, having a community of experts, academics, experts from NGOs, able to look at the source code and say, okay, yeah, you know, there's nothing hidden here. Everything is as documented, and we're going to adopt it. 
That's the way you get adoption. Otherwise, you get people that will say, I don't know what's inside there, I can't, I will not install it.

Andrew, you're next please.

Thank you. Just to echo a point on the chat, about decentralized apps, and having unique IDs for different contact, and so on. That suggests quite a lot of data needing to be exchanged, in order to work out who I've had contact with. So, across a whole network, when you total up the data, that feels like a lot of data in aggregate coming to us in the network. I presume there's got to be a crossover point where, for a given population size, decentralized apps of this nature become very challenging, versus a centralized app, where you can do the data matching in the central database, and then alert for people that are affected. So how scalable is a decentralized app for contact, or for contact tracing, in reality?

That's a great question that allows me to clarify something that probably was not clear in my explanation. So, in reality, there's not that much data being exchanged because, basically, when two phones are close to each other, they exchange their identifier over Bluetooth directly, and each stores these identifiers only locally. The only moment when data is pushed to the network is when someone flags themselves as positive. At that point his identifier, and only the identifier, is going to be shared to everyone. So, that match of this identifier against the list is done locally on the phones. So, it's just a few bytes per every positive user that is published every day. So, the updates and the propagation of data is actually relatively minimal. Whereas, instead, you would be right in the case of a centralized approach, we would need to transfer all of the contacts centrally. Now, there is actually one corner case that I did not dive into, which is this: for some operating systems, but notably iOS in the current form, there would be a case where a ping toward the server would be needed in order to be sure to have the complete set of contact data, and, in that case, this would create a lot of traffic, but with the updates that Apple is going to be able to deploy in the next version of the iOS, this is not going to be needed. So, with DP-3T, actually the amount of data transferred is minimal because of this intelligent way of sending only the positive, and only publishing the positive list, and the positive list is a set of what? At least, in Italy, there's 200,000, or something, positive cases at the moment, and that would translate into 200,000 times an identifier of 128 bits. So, it's a network traffic that is abysmal.

Thank you, Stefano. We got another 17 minutes left. So, Richard, please.

Yeah, hi, my question was: I think I understand why this is the best possible, or the least worst possible solution, from a technical point of view, I'm comfortable with that, but if we don't have the same solution worldwide, what use is it? So, they're going to do something like this in Switzerland, first problem is only 20% of the people use it, that's not very good, but then, if we want to allow travel, well, so what, right? Because, when I go to the UK, they are going to have a different solution, and when I go to France they are going to have a different solution, and so on. So, what we really need, a global solution based on the design that you're showing, Stefano.

That's a great question that you just posed, and, in fact, it's a significant advantage of the push that Apple and Google did because these basically imposed a de facto standard. Once again, I am not a fan of de facto standards. Actually, I have been an ISOC, and IEEE member, for a long time, IETF, so I'm an advocate of standards based on consensus and the community development. In this specific case that created a flatbed that is probably useful for enabling interoperability between applications. And this, you are right, this is an enormous issue. For instance, here in Italy, in particular, in northern Italy, Milan is 70 kilometers away from Switzerland, and we have a lot of people that work across the border. Mostly they work in Switzerland, with Swiss salaries, and come back to live in Italy, not the other way around, but the problem of moving across borders so often, or think of the areas at the border between France and Germany, for instance, you can cross the border 10s of times in just 100 kilometers of highway. It's a super important problem, and we need the interoperable solutions. That's going to be a huge need, and maybe the community that ISOC, or IETF, or IEEE are representing are good communities to help design interoperable ways to do this.

I certainly hope so. Stefano. Gregory, you're next.

Yes, thank you very much. Gregory Engels, Pirate Parties International. So, I would like to stress that we need the decentralized solution for contact tracing rather than a central one. Because like in many countries, the central one's been discussed, but it's coming back to Richard and the travel situation. The central solution is, besides that it is uncertain what happens to the data after it had been collected, and if the data will get leaked and so on, it is also central means the national. And that means the Belgian data not necessarily get shared with the German authorities, or the Italian data get shared with the Swiss authorities, and so on. So, this only can work as a decentralized solution where the push happens indirectly to the user saying like, yeah somebody you've been in contact got positive, early tested, or something, and then you need to go into quarantine now, voluntarily. And this, not everybody needs to participate. It doesn't need to be like involuntarily mandatory measure, because if only 60% participates, it's already enough to get the R zero below one, and then the virus will die out after a time. So, we only need to get it below one, we don't need to get it to zero, we don't need 100% certainty, so that I want to stress. Thank you.

Thank you. Yup.

Can I just say that, this is a point I had never thought of, the fact that centralized also creates an issue for our travel, and then I say, so thank you very much for making that. I noted it in my head, and I will be using that point whenever someone asks about centralized versus decentralized.

Thank you, Stefano,

Harlan?

Hi. I just want to know, how exactly is this key gonna be generated? Because, if we're going to make it secure against someone just spoofing their IDs, it's gonna need to have some form of cryptographic handshake, and we all know exactly how flaky Bluetooth handshakes are on phones. So how is that going to then scale up to a large public area?

That's a super technical question. I would refer you to the documentation of the DP-3T because there's an interesting set of solutions over there. I would address the question about spoofing. So, in this type of scheme, spoofing is going to be possible, but the point is that this type of attack does not really do much good, because unless you can inject an identifier in the contacts of someone, and this requires staying in close proximity for 15 minutes, and this cannot be easily dodged, it's something that each of the two phones participating will calculate. And also, at the end, the only way to make use of this would be to generate a positive alert for that ID. So, you would need to, at least, in the solution that is used by most countries, which does not allow self reporting, but it allows the health authorities to authorize you to disclose your health status, it would require the spoofer to actually also test positive for COVID. So, cryptographically, you're perfectly right, this is going to be possible. But, from the systems security point of view, it doesn't really work, doesn't really create an attack, unless I misunderstood you. But, if you want more detail, we can get in touch later, and we can look together at the documentation of DP-3T, I would be happy to do that for you.

I was more thinking of sort of replay attacks, of sort of being in the middle, and as you said, there's a 15 minute limit.

Yes,

But you can imagine, you know, being in an office, or just walking around a public street with a couple of black boxes that stood in the middle, and pretended to be each side of the conversation. (indiscernible)

Yeah, that can happen. Attacks can happen. There's a lot of mischief that can happen. But, they are going to have such a limited impact, in any case, because they're going to need to be geographically distributed, and there's also possibly the issue that you need then to force the upload of someone being positive on the centralized server. This positivity, if it turns out to be fake, could be retracted easily. So, I must say, I understand, from a security standpoint, you're perfectly right, but the scenario is not really feasible, or cannot really obtain any massive results. I think it's pretty resilient to that thing, even if it's actually vulnerable to them, but it's resilient as a whole system.

Thank you, Stefano. I mean, we slowly come to the end, so I will ask Mark to just go for us the last contributor, because I'd like you, Stefano and Robin, to say a few words before we end up. Mark, please?

Thank you, Frederic. Where Robin and Stefano started, does any of these solutions solve the problem? It seems like there's a really big gap when jumping from the human to the technical solution here. A lot of the focus on this call has been on technical solutions, disintermediated from the actual application of how it helps the person. I think, fundamentally COVID is a human problem. It's a social problem. Technology can be used to help solve that for the human, but it has to be human centric, and I think, technically, education and awareness, and how people can - so I think, for instance, a challenge might be an anonymous service people could use when they feel some symptoms to self track, that doesn't use any phones or anything - if it would be way more effective. I mean, I'm running the numbers here, and watching, I'm currently been stuck in Canada, but I normally live in the UK, and I've been watching the phone call rates for the health services here in shock and horror, when people - we could just educate people to self report, and self trace, and solve these things now, and saved a lot of lives. So, I think we have to look at the reality of the situation here, the human nature first, and then, I definitely think, decentralized, but people should be able to contribute their data to a national ledger that's redacted from their identity, and allow people to solve the problem first, and then look at the technical. Thanks.

So, there's already a project. Sorry, yeah, we do have a project called - I think if you're looking at framing it, you have to look at definitely the global solution here, because this social problem, this virus, is not bound by borders, and it's also impacted by different age groups, how they function in society, is how it spreads, so there's less risk for different demographics to function in society than other ones. There is ways, if we knew what we were doing, where we could be functioning right now without the technology, just with a lot of education and community support. So, I think, trying to governing that has secondary impacts which actually would cause a lot more expenses and problems, and might even further hinder the ability to solve issues. So, again, I think every solution should start with, we're going to solve this human problem with the technology this way, and anchor it to the transparency of that, for every solution, and I think we're in a very good place to see how to solve it together. I think that's the approach ISOC should promote. Thanks.

So, Mark, thank you for all of this. I mean, you reopen an entire discussion, which I would love to have. So that's the end as usual, but thanks a million for putting that here. Trust me, we keep that in mind. We're coming to the end of these conversations, and I would like to give, well, first, a lot of applause to Stefano, you are just wonderful of being able to answer all those questions, to contribute, as well as you, Robin. So, tons of applause to both of you. I would like to give you the two last minutes of today, starting with you Robin, and then you, Stefano. Please, Robin, if you could say a few words from what is your take? Thank you.

Sure. Thanks, Frederic. Yes, I'm not going to try and recap or rehash what has been discussed. What I would like to do is add two further thoughts to our risk model here. The first one is that we've been talking about this in terms of the data and the application, and, actually, there is a third element, which in my view, will persist longer than either of those, and that's the framework, the API that the mobile handset companies are building into the infrastructure. That's going to stick around unless it is dislodged, and dislodging it will, I think, take considerable effort, and it would be largely, I think, a political push that would have to do that, in the same way that it has been a political push that has persuaded them to do it. And the second and last one is, I think we need to be very mindful of the diverse interests of stakeholders, and make sure, as we architect these solutions and deploy them, that we are not putting the disadvantaged and the vulnerable at greater risk. If you think of things like the homeless, or people who can't afford a mobile subscription, or people who can't afford to be connected all the time, it seems clear to me that they will be left sidelined by some of these architectures and solutions, and I think that's a very dangerous precedent to set. So, I think we need to take that full range of stakeholder perspectives into consideration as we design and architect and analyze these solutions.

Thank you. Stefano?

So, I would like to connect with the last comment that we heard, and this is something that I have been saying for a while, even if I'm a computer scientist. I'm an engineer, so I'm trying very practically, and I'm trying to look at systems. So we have the treaties, right? And the application is, if it works, we don't know even if it works, but it's going to be a part of the second team, but it's not going to work unless we also have the tests, and we also have ways to treat people. So, once the people receive a message saying, Oh, you have been in touch with a positive person, we need to give them clear instructions, instructions that they can adhere to. They need to feel cared about by the society, because they are helping the society by self-isolating. If we don't do this, the application, whose usefulness is already in doubt, is already questionable at best, will do nothing or will be detrimental. There's a whole process that needs to be structured around these applications, and it needs to be designed. And, since I am a civil servant, the state, the government, will take a longer time designing and implementing those processes, than any implementer implementing the application. It's easier to write code than to get ambulances to the people that need them, to get tests to the regions where they are needed. So, there's a lot of things that need to be done around this in order for it to be at least marginally useful, and possibly not dangerous. So that's my other thing, we are computer scientists, we can do our part, but we need to message to the outside, this is not going to be the solution. This is one small chunk of the solution, the solution is very big and very difficult to put together. And that's the thing that I would like to leave there, in the conclusion of this.

It is very well received, Stefano. Again, thanks from the team, myself, and of course, from all the people here around this table. Thanks for your valuable time that you were sharing with us. I've received many personal messages during this call from people asking for more. You have the ability to ask for more. You are our community, you can just get back to us, and be - through the chapters, through the different communities of ISOC, asking for more from ISOC, and we would love to hear you saying this. In the meantime, I trust you found this very useful, and we'll continue our coordinating of these kind of conversations with experts of the level of Stefano hopefully. Thanks a million and I'll see you on the internet soon. Take care of yourself, of course. Bye bye.