Monday, May 11, 2020

Exposure Notification

Christina Farr:

Within a few weeks, the Apple project -- code-named “Bubble” -- had dozens of employees working on it with executive-level support from two sponsors: Craig Federighi, a senior vice president of software engineering, and Jeff Williams, the company’s chief operating officer and de-facto head of healthcare. By the end of the month, Google had officially come on board, and about a week later, the companies’ two CEOs Tim Cook and Sundar Pichai met virtually to give their final vote of approval to the project.


The early team included Ron Huang, who runs Apple’s location services group, and Dr. Guy “Bud” Tribble, a veteran Apple software vice president who is referred to internally as the “privacy czar.” Tribble, who is also a medical doctor, is known outside of Apple for speaking out in favor of federal privacy legislation, noting at a Senate hearing that in 2018 that privacy should be a human right.

Huang agreed to loop in a group of engineers who were willing to volunteer their time to the project. They included some of the company’s in-house cryptography experts, Yannick Sierra and Frederic Jacobs (Jacobs has been credited for helping create the secure messaging app Signal). The team began researching some of the protocols for electronic contact tracing already underway at the Massachusetts Institute of Techology and EPFL, a similarly well-regarded research university in Switzerland.

Cory Doctorow (tweet):

But “contact tracing” apps don’t actually do contact tracing. Real contact tracing, of the sort that has been used to fight previous grave infectious disease outbreaks, is a labor-intensive, hard-to-automate process.

The apps that will be developed atop Google and Apple’s joint API will be “exposure notification” apps, not contact tracing apps. These can be complementary to contact tracing, but do not substitute for the army of human tracers we need to fight the pandemic.

Joe Rossignol:

Apple and Google are now referring to “contact tracing” as “exposure notification,” which the companies believe better describes the functionality of their upcoming API. The system is intended to notify a person of potential exposure, augmenting broader contact tracing efforts that public health authorities are undertaking.

Bruce Schneier:

This is a classic identification problem, and efficacy depends on two things: false positives and false negatives.


Assume you take the app out grocery shopping with you and it subsequently alerts you of a contact. What should you do? It’s not accurate enough for you to quarantine yourself for two weeks. And without ubiquitous, cheap, fast, and accurate testing, you can’t confirm the app’s diagnosis. So the alert is useless.

Similarly, assume you take the app out grocery shopping and it doesn’t alert you of any contact. Are you in the clear? No, you’re not. You actually have no idea if you’ve been infected.

I do think it’s worth working on because the tests will hopefully get better, but there’s the danger of launching too soon:

People will post their bad experiences on social media, and people will read those posts and realize that the app is not to be trusted. That loss of trust is even worse than having no app at all.

Elly Belle:

“Those numbers are just unacceptable,” Scott Hensley, a microbiologist at the University of Pennsylvania, told the New York Times, adding, “The tone of the paper is, ‘Look how good the tests are.’ But I look at these data, and I don’t really see that. If your kit has a 3 percent false-positive, how do you interpret that? It’s basically impossible. If your kit has 14 percent false positive, it’s useless.” So if even the three most accurate tests still only proved to detect antibodies 90 percent of the time in people who have been infected, what does that mean for the overall accuracy of antibody tests?

Experts say that ensuring that tests don’t give false-positives is extremely important to everyone’s overall health — if someone receives a false positive and believes that they’re immune to COVID-19 when they aren’t, they could be putting themselves in danger by abandoning necessary measures like social distancing or isolating.

Richard Harris:

The Food and Drug Administration does not regulate these tests, but White House coronavirus task force coordinator Dr. Deborah Birx has said that she expects manufacturers to achieve a standard of 90% specificity (and 90% sensitivity, another measure of test performance that’s less important in this context).

Here’s what would happen if you used a test with 90% specificity in a population in which only 1% of the people have coronavirus. Nobody knows for sure, but that could be the situation in many parts of the country.

In that instance, more than 90% of the positive results would be false positives, and falsely reassuring.


Update (2020-05-14): OpenCovidTrace (via Hacker News):

This update is a reaction to the criticism (most of which was baseless) as well as several technical changes implemented in versions 1.1 and 1.2 of this protocol.


A primary private Tracing Key that was used before for Daily Tracing Keys generation has been removed. In the new version, each Exposure Key (Daily Tracing Key earlier) is randomly generated, so it is impossible to establish a link between them even in theory.


To improve performance, the encryption was changed to AES from HMAC-SHA-256.


A mistake in timing the temporary key generation was fixed.


The appearance of encrypted metadata is the most enigmatic change in specifications. It is not clarified what it will contain and who will have access to it, so let’s try to guess.

13 Comments RSS · Twitter

Pierre Lebeaupin

"I do think it’s worth working on because the tests will hopefully get better" that has been my take too, and don't forget that other parts of the world have reached that point (France has, or at least that is what our health authoristies have assured us); interested readers can read my full thoughts (I swear, there is a proper analysis of the Apple/Google proposal in the middle) at

1) If only they applied such urgency and allocation of resources to fix all of the bugs in iOS and MacOS. *sigh*

2) I predict that this whole thing will be largely useless. It’ll give too many false alarms. Just because I was in the same general area as an infected person for a few minutes does not mean that I legitimately increased the exposure risk, especially if both of us followed the recommended advice to wear masks, not touch each other, and the space was well ventilated.

This is just going to make people even more paranoid by alerting everyone of a risk nearly any time they go to a public place, especially folks who live in big cities — and this is where it’s ostensibly needed the most. My guess is that most people end up turning it off before they even hit 10 alerts.

Schneier's take feels like a bit of a childish interpretation of how all of this works. Yes, the app has false positives and false negatives. So do medical tests; they're still useful, as long as the numbers are low enough.

And yes, if you just get a "you've been exposed" notificatio, that's useless. Fortunately, the designers of these apps did think of the "what should you do when you get a notificatio" problem. The app will suggest to you what to do.

Schneier seems to assume that the people working on these apps are incredibly dumb. That's understandable, since he's a security expert, and most programmers are incredibly dumb when it comes to security, so he's just extrapolating from his earlier experience. Fortunately, the people working on these apps are not dumb. In fact, they know a lot more about this topic than Schneier, just like Schneier knows a lot more about security than the average programmer. So one would assume that the programmers of these apps are aware of the problems Schneier points out.

In fact, right now, researchers at my alma mater are running tests to see how closely contacts reported by these apps actually match contacts that medical professionals would classify as potentially dangerous. So before we just assume that these people are morons, and that this is never going to work, maybe we should actually see what the evidence is.

>This is just going to make people even more paranoid

BTW, if that is truly the outcome, then that would be the absolute best-case outcome.

Sören Nils Kuklau

Yeah, this is a surprisingly bad take from Schneier, both in terms of perfect being the enemy of the good and in terms of presuming that nobody has put some basic thought into these apps.

>This is just going to make people even more paranoid

>>BTW, if that is truly the outcome, then that would be the absolute best-case outcome.

Why, so we can all think that we've been exposed when in all likelihood we haven't?

We know that the best prevention is to keep distance from other people, wear a mask, and wash/disinfect your hands after touching public surfaces. That's it, that's all it takes. Unless an infected person sneezes or coughs directly into your face and neither one of you are wearing a mask, you're probably not gonna get it. There's a reason that most infected people got the coronavirus in a workplace or home -- it's because it requires very close contact, for a prolonged period of time, likely multiple sessions, when neither person is taking proper precautions. If this wasn't the case, and it spread simply by being in the same supermarket as an infected person then we'd have 100x more infected people than we do.

These apps are just going to needlessly freak people out, because all the app knows is your location and the amount of time that you were there. It has no idea what precautions you or the infected person took, and THAT is what actually matters. I'm in Japan and we've had the virus here a lot longer than the U.S. and it hasn't exploded -- because people wear masks nearly all the time and people don't touch one another. The outbreaks here have mainly been in nightclubs, hospitals, workplaces, and other similar situations where exposure has been between people who are close, touching each other or common surfaces many times, for prolonged and likely drepeated periods of time. It simply hasn't been the case that any outbreaks are thought to be of the "one guy on the morning train infects 10 other people" sort, but this seems precisely the kind of non-event that the Apple/Google system is supposed to detect.

>>>This is just going to make people even more paranoid
>>BTW, if that is truly the outcome, then that would be
>>the absolute best-case outcome.
>Why, so we can all think that we've been exposed when
>in all likelihood we haven't?

No, so people protect themselves. A pandemic is one of the few situations where paranoia is the rational response.

>Unless an infected person sneezes or coughs directly
>into your face and neither one of you are wearing a
>mask, you're probably not gonna get it.

From what we know at this point, this virus is extremely contagious. South Korea was able to link a few dozen new cases to a single person who went to a bunch of bars. There are examples where people just drove a sick person to the hospital, and got sick themselves. In multiple countries, a single church service caused major outbreaks. I doubt that much face coughing was happening at these events.

>because all the app knows is your location and the
>amount of time that you were there

That's not how most of these apps work.

Based on what I've read, the app tracks if you've come into close proximity of a registered infected person -- I'm assuming it logs the amount of contact time and/or there's some minimum threshold before it triggers a notification. If it doesn't then it's even more useless, since as I said before it'll be sending tons of alerts to people who didn't actually have a legitimate exposure risk. Then what? They all go get tested and it comes back negative? Or it gives someone a false positive? Most countries can't even keep up with testing people who have a legit exposure risk / symptoms, now we're supposed to test a bunch of people just because they got an alert on their iPhone? And how long should we make people wait before they are tested, living in anxiety hell, because you can't test someone until enough time has passed to show a viral load or not?

"Went to a bunch of bars" -- you mean somewhere that he was in close contact with other people, for a prolonged period of time, in a poorly ventilated space, not wearing a mask, and likely not taking any other precautions whatsoever? Gee I wonder.

"Church service" -- you mean where people are singing and talking and socializing, for a prolonged period of time, in a poorly ventilated space, not wearing a mask, and likely not taking any other precautions whatsoever? Gee I wonder.

You keep speculating about how these apps work, and explaining that the architecture you came up with won't work. But this is all publicly documented from the people who actually design these apps, so there's no need to guess.

Your first description was this:

>because all the app knows is your location and the
>amount of time that you were there

Not all of these apps work the same, but the apps described above don't know your location.

The way they work is that each phone sends a regularly changing ID. It keeps a list of all IDs it sees that go over a "exposure threshold" based on time and signal strength (which is a reasonable approximation for distance). When a person is tested, there is a way to register the test result with the app. If the test is positive, they have the option of publishing the IDs their app generated. Every other app can then check if there are any IDs they had contact with, and provide further options to the owner of that app, if an exposure is detected.

About the claim that this virus isn't highly contagious: I'm not sure why you keep making that claim, but as far as I can ascertain, you're going against the scientific consensus here, and you're not providing any actual evidence. I'd like to know more about this, so if you have any studies or anything along those lines, I'd be interested in seeing them.

Obviously it’s highly contagious — but only in certain circumstances. If you avoid those circumstances (which does NOT mean sitting at home in lockdown complete isolation) then you’re almost guaranteed not to get it. We can now see this based on evidence.

Look at the countries where it’s more under control, and what people are doing there. I gave the example of Japan where I live and everyone is wearing masks, not touching one another, being extra clean about hand washing, etc. We are in a lot less severe lockdown than the US yet the virus hasn’t really exploded here — look at the numbers in NYC vs Tokyo for example. People are still going out, riding trains, shopping, etc. Not at normal levels, but it’s still happening, stores are still full of people, there’s no limiting of how many customers can enter a store.

Here’s some info I came across yesterday, from a doctor (found the link via Kottke)

And yes, saying “location” was a slip on my part. It’s obviously logging proximity among people because exact gps location would be irrelevant, as nobody catches the virus from a building.

>If you avoid those circumstances (which does NOT mean
>sitting at home in lockdown complete isolation) then
>you’re almost guaranteed not to get it

I think the problem with this line of thinking is that is conflates individual risk with population spread. Studies show that if enough people wear masks, it will effectively push R0 below 1. Studies also how that masks alone don't fully protect individuals; they only decrease the chance of infection. In fact, they are most effective when people who are already infected wear them.

The article you link points out that only a small viral load is required to get infected. So if you follow all of the safety rules you list, but everybody else is infected and not following them, there's a good chance that you'll also get infected.

If you're already living in a country that has widespread infections, then just wearking a mask, trying to keep your distance, and washing your hands will not "almost guarantee" that you won't get infected, because the protection these actions convey is indirect. They protect you because they prevent the spread of the disease across a population, not because they fully protect you as an individual.

This is also why it was completely insane for Western governments to initially tell people not to wear masks.

TBH, I think we probably mostly agree with each other, we're just talking past each other. I've gotten so used to arguing with conspiracy theorists who think Bill Gates secretly designed this virus in a lab to force people to get vaccines that it has become a bit difficult to assume good faith when talking about this topic.

>It’s obviously logging proximity among people because
>exact gps location would be irrelevant

Since you could theoretically determine contacts between people from locations, I'm not sure this is obvious to most people.

>TBH, I think we probably mostly agree with each other, we're just talking past each other.

I agree :) When this whole thing first started and then Italy happened, and then NYC, I thought for sure that Japan would inevitably have a similar explosion since theoretically the super crowded conditions in Tokyo are much worse. Japan shut down a few things early, like primary school and large events, but up until about a month ago it was more or less normal life here, despite the virus appearing in Japan long before Italy or the US.

Restaurants and bars were still open in mid-April, everyone still commuting to work, packed trains, crowded supermarkets, no social distancing, no special precautions in place at businesses, etc. The only rational explanation is that Japan's fanatic mask wearing, lack of human touch, and the fact that hardly anyone talks on the train really make the difference. Many of the infection clusters were traced back to the specific types of interactions that I mentioned earlier in the thread, not random people infecting an entire morning commute on the train. It still blows my mind.

And even recently, when the state of emergency was declared and people started to take it more seriously, it's still not a complete lock down like in the US and Italy (partly because the Japanese government doesn't have the authority to force businesses to shut down). Yet... the numbers continue to decrease steadily. I can only presume that this is mainly because there's been a reduction in the type of interactions where the virus spreads (people in close proximity + with no mask + talking + possibly touching one another / sharing food + for extended periods of time)... some of it is also surely due to the overall reduction in people going out, but it feels like this is a much smaller part of the effect, as there are still a LOT of people out and about, shopping, walking around, even dining at restaurants, riding the train, kids playing together in the park, etc while taking the aforementioned precautions.

I was scared to death a month or two ago, but now that I've seen the real world results of wearing masks + not touching people + washing hands + taking basic common sense precautions, I'm not scared to go out and live my life (responsibly) anymore. That's good enough for me, because it is starting to seem impossible to live a lockdown lifestyle for another couple months TBH. I feel bad for my family and friends in the US because it seems like if more people there would just STFU and wear a mask + stop touching one another + wash their hands, then the US could more safely go back to something resembling normal life with precautions.

Leave a Comment