April 25, 2020 by Marco Cecconi
The "immuni" app (or is it a bracelet?), and other apps like it being proposed in Italy right now, are a terrible idea. The basic sell is that they act as a "proximity alert," so you can practice social distancing only towards infectious people and not indiscriminately. They are also being sold as a tool for "contact tracing," so if you are tested infective, we can trace back who you might have infected. In particular, "immuni" seems to be limited to contact tracing via Bluetooth. A large number of different claims about the "power of apps" have been made by Italian media, though, and lacking access to source code, we don't even know what an app will do. I'll try to address the claims as I've heard them here.
The idea of reducing social distancing through a "proximity alert" app is, beyond a reasonable doubt, scientifically unsound, and the "contact tracing" part has severe scientific limitations. Here's why.
Most of the contagion happens through unsymptomatic carriers. The app won't know about them.
Unless there's a magic "virus detector" in the app, how can it know if you are infected? It knows because the health department tells it. But the health department knows very very little about symptomatic carriers -- which are likely to be two times the number of recorded ones -- simply because it is not currently possible to test people extensively.
Imagine how much they know about asymptomatic carriers. It's risible. Recent preliminary studies that employed random testing showed that about nine million Italians might carry COVID antigens, yet official figures are that only two hundred thousand people are infected. That's one in 45.
Even the Bending Spoons "immuni" app has a medical diary. Because people self-reporting health data is a reliable indicator of... what exactly?
Tell me again how this will help. It won't. Nation-scale testing will help, not an app that plays replacing a doctor.
Most of the contagion happens within relatives in the quarantine home. The app won't matter in this case. Do you really think people within a household will be saved by this app? Of course not, they will be infected before they know they are living with a sick relative.
There's a lot of scientific evidence that the virus stays in an area for a long time after carriers left. The app won't see this. Social distancing also works because we avoid being in closed spaces where infected people might go. Even if they leave, the virus stays dangerous on surfaces and in thin aerosols of water particles. Surgical masks help. Gloves help. The app does not. This is a failure mode for "proximity alert" apps, but also to "contact tracing" apps.
There's growing evidence that particulate matter (pollution) carries the virus, but they don't carry the app, do they? If this is true, and the results are still not reliable, it means that we must limit pollution and stay at home on higher floors not to get infected. This app will promote movement, and therefore car use will increase the spread if this is true. This is a failure mode for "proximity alert" apps, but also to "contact tracing" apps.
To track contacts an app like this will do one or more of these three things:
The central server, if it exists, must know, about you (at the very minimum):
Of course, none of this is PII, personally identifiable information, when stored in the central server, which is why the government and the app developers can claim this respects your privacy.
This is at best incorrect and at worst a lie. Knowing your position means knowing where you live. knowing the proximity of app owners further identifies who your relatives are. While that means the central server owners might not know your name, they know a hell of a lot about you. Furthermore, they will know where you work, which phone you have, so perhaps they can estimate your net worth. They can see if you travel. They can see when you are home. They can see when you are sleeping and awake.
Bending spoon says (but does not show) that their app "uses Bluetooth", I'm not sure this statement excludes using location data. I am pretty sure they use a central server though because of this statement:
If one of the app users reports that they have tested positive for the coronavius, the system makes it possible to inform the people with whom they have been close to in the previous few days.
The unique user identifiers must then go through a central server, and all apps must report their owner's id to a central server so they can get warnings of other users reporting as infected.
If a big actor, like a nation-state, gets access to this data, they will, for sure, be able to do AI and completely de-anonymize the data. If this is not a privacy killer, I don't know what it is.
The only possible alternative is storing content only locally on the device, but this would make the app only useful for pure, after-the-fact, contact tracing: once you get infected we have a "black box" of all the people you met. Well, of the subset of people who use the app, at least. And this would still require people to report their identity together with the id to a central server for being contacted later.
There are so many ways to exploit this app unless we force people to use it.
Whether governments will be able to convince enough people to use the app is debatable, and I know my country. Any successful application in Italy will come with forced use - it might be a "soft" version of it (i.e., "if you want to take the underground, you need to have the app, and it must show you are not infected"), but it will undoubtedly be there.
At which point, we will be forced to lose what's left of our privacy, as you must know now.
The debate around which app to choose has not been public. Independent developers have not been able to examine the source code of the app. The app "will be" open source according to Bending Spoons. Yeah. But not until the government announced the choice of the app. What use is there for it, then?
A terrible start. Security relies on openness and reducing the need to trust other parties and especially the parties handling your data.
The tone of the debate right now is, "trust us with your data, the app is safe according to ourselves, we chose the app without telling you how and no, you can't check anything we say for now."
This is the case of a fable that is being sold as reality. Of course, contact tracing works, but when it does work it's not because we are adopting an app for it.
In theory, the reasoning goes like this: "if for each person we know gets infected we can trace who they have contacted, we can prioritize testing or quarantine them because they are high risk". Note that we don't need an app for this, nor we can assume an app can do this at all. It can be a huge help, but we still need to account for people not using the app.
In reality, in Italy, we already know a bunch of people who are very likely infected and we are not testing them because we lack tests and we are not issuing quarantine orders without a positive test or clear evidence and symptoms (like "you live with a confirmed case"). Contact tracing relies on tests as a source of data and needs tests or quarantine orders to do something useful with the data. Unless we have at least one of the two, the app cannot be useful. Either of the two, sufficient tests and quarantine orders for suspected cases, are useful even without the app.
This strategy works in Germany, South Korea, or Singapore, and you know why? Because they were and are well prepared with testing and have, for example, quarantine centers instead of doing home quarantine. The key advantage of extensive contact tracing is the ability to apply stronger countermeasures first and foremost.
Italy, instead, is not strengthening its COVID response in the next months. This app is being sold as a way of decreasing the need for social distancing. The app for "fase 2", when we return to work. It can't be.
Are we ready to be forcefully quarantined because an optional app tells us we are at risk of COVID? And if this is the only advantage left for the app, how widespread can it realistically become? Who wants to download the app that forces you to go in quarantine just in case if it detects you might have been in contact with a COVID case? Not many.
Don't use this. Not just yet. Not unless it's reviewed independently. Not unless the doubts are clarified and the COVID strategy is also explicitly given. I know I won't unless the Italian government forces me by law if these conditions are not met. Ask for more tests. Ask for suspect cases to be quarantined in a quarantine center and not at home with other people. Let the government do manual contact tracing first, and then enhance it.
These apps as sold are scientifically unsound, privacy killers, even the debate on it is misinformed and unuseful. If it is pushed without controls, please hack it. Let's spend our resources in having a strong COVID testing and quarantine strategy. Only then the privacy and security loss price will be offset by the effectiveness of the measure.
UPDATE: A longer, better written, more referenced article is available on Yahoo! albeit less centered on Italy. It seems that plenty of security experts are pointing out the exact same flaws I'm seeing.
UPDATE 2: The full statement of the crypto community.
Hi, I'm Marco Cecconi. I am the founder of Intelligent Hack, developer, hacker, blogger, conference lecturer. Bio: ex Stack Overflow core team, ex Toptal EM.Read more
October 15, 2021 by Marco Cecconi
Multiple people with my name use my email address and I can read their email, chaos ensues!Read more
September 29, 2021 by Marco Cecconi
After years of building, our top-notch consultancy to help start-ups and scale-ups create great, scalable products, I think it is high time I added an update to how it is going and what's next for us.Read more
February 03, 2021 by Marco Cecconi
A lesson in building communities by Stack Overflow's most prominent community manager emeritus, Shog9Read more
December 02, 2020 by Marco Cecconi
Some lessons learned over the past 8 years of remote work in some of the best remote companies on the planetRead more
$ wget -O - hackurls.com/ascii | lessRead more…