Re: COVID-19 contacts tracker (Re: a brief pondering)

[Phillip Hallam-Baker <phill@hallambaker.com>]

I am not surprised to see the privacy point raised here. And the
Apple/Google proposal is certainly very robust as far as protecting privacy
goes. I made a video presentation looking at the proposal in detail for my
YouTube cryptography course which should be out in the next couple of days.

It does have a major problem though. The task here is not to protect
privacy, we can do that with no app at all. The task is to either reduce
the spread of the disease or to enable the authorities to lift the
lockdown. Protecting privacy is a side condition. It may be a blocking side
condition such that we don't use the app at all if it isn't met. But it is
still a side condition.

If there was a therapeutic that had passed at least some non anecdotal
trials, I would be absolutely loading the app onto my phone and using it.
But that is months off even if the Gilead rumor is correct. And frankly,
having know-nothings and quacks hawking snake oil cures we know don't work
is making it harder for the legit research to take place.

So right now I am much less sanguine about this proposal than I would like.
I see it as a first attempt not a final product. It is not going to be
possible to provide absolute privacy protection and enforce targeted
quarantine. But that doesn't mean we need to sacrifice all privacy
permanently to produce something that helps lift the lockdown which is also
an infringement of civil liberties.

The bad news is that this isn't going to be a silver bullet situation and
we may have to make a messy compromise.

The good news from a technical standpoint is that going beyond this initial
proposal is actually a more interesting technical challenge. Specifically
we are going to need techniques that are from the 'exotic cryptography'
toolkit. Possibly something in the threshold toolkit or something related
to zero knowledge or oblivious transfer.

I really like what this scheme can achieve just using one way functions. It
is terrific. But it is only one point on the privacy-effectiveness
continuum and not necessarily the one we need.


This needs to be a discussion, not a unilateral proposal from the tech
camp. We are not the only stakeholders.



On Thu, Apr 16, 2020 at 7:00 PM Robert Raszuk <robert@raszuk.net> wrote:

>
> I am afraid our privacy/rights are already being abused as technology
> developed outside of IETF already allows to do so. Pegasus  spyware is just
> one example of it. There are many more ....
>
>
> On Thu, Apr 16, 2020 at 10:39 PM Jeff Tantsura <jefftant.ietf@gmail.com>
> wrote:
>
>> I’m with you Christian!
>> Our privacy/rights will inevitably be abused if the technology allows to
>> do so.
>> History always repeats itself.
>>
>> Regards,
>> Jeff
>>
>