TPC 17: Surfing the Second Wave

An update on tracing apps as well as lockdown reports from Germany and the rest of the world. I also present a case for why the lockdowns might not be working and we look at Amazon emerging as the big winner from this catastrophe.

On today’s episode of The Private Citizen, I talk about the changes Apple and Google have laid out for their coronavirus contact tracing protocol. I also provide an update on tracing apps around the globe and the lockdown situation here in Germany. Additional topics are Amazon’s growing power and the demise of small businesses in this permanent emergency state we all live in now.

Next, I present some data from a statistical analysis by a German scientist who disputes that the lockdown measures had any scientifically measurable effect and further says that there probably was no exponential spread of the virus in Germany. Finally, I have listener reports from all over the world, reporting on what’s going on in their respective countries.

An Update on Apple’s and Google’s Contact Tracing Protocol

After I explained in detail how Apple’s and Google’s contact tracing protocol works on episode 15, they changed their plans. Here’s an update on what changed.

If you are interested in the full details, and can read German, I did a detailed writeup of the whole spec for heise online.

Contact Tracing Apps in Different Countries

Since we talked last, the German government has changed its position on mandating that data be processed on a central server. As I had predicted, they want to make use of Apple’s and Google’s proposal now.

One country that has been persuaded of the companies’ approach is famously privacy-conscious Germany. Germans were instrumental in devising the (tongue twister alert) Pan-European Privacy-Preserving Proximity Tracing project, an effort to do exposure notification in a way that protected citizens from their governments. But the project would have required operating system-level changes to Apple’s iOS by making Bluetooth available to public-health apps that sought to process exposure notifications on a central server controlled by the government.

Reuters reports:

Germany changed course on Sunday over which type of smartphone technology it wanted to use to trace coronavirus infections, backing an approach supported by Apple and Google along with a growing number of other European countries. Chancellery Minister Helge Braun and Health Minister Jens Spahn said in a joint statement that Berlin would adopt a “decentralised” approach to digital contact tracing, thus abandoning a home-grown alternative that would have given health authorities central control over tracing data.

Germany as recently as Friday backed a centralised standard called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), which would have needed Apple in particular to change the settings on its iPhones. When Apple refused to budge there was no alternative but to change course, said a senior government source.

Meanwhile, the UK is going in the exact opposite direction.

The memo revealed the NHS and UK government reckon the contact-tracing protocols built by Apple and Google protect user privacy under advisement only. Thus, the British health service is in favor of a system that sends data on who may have the virus to a centralised server, and puts the NHS in charge of who is contacted and when.

The NHS app will grab all the IDs of all phones running the app, and store and process it all on its own servers. Then, if someone finds they have the virus and tells the app, whoever is in charge of the NHS database will decide how, when, and if, to alert other phones.

It appears Apple, at least, is willing to let the centralized NHSX app run Bluetooth scanning in the background, avoiding completely draining handhelds’ batteries.

→ Tweet by James Titcomb from the Telegraph

Australia’s contact tracing app has launched and has been installed by a lot of people. It does have some issues, though.

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file. Penned by independent security researcher Chris Culnane, University of Melbourne tutor, cryptography researcher and masters student Eleanor McMurtry, developer Robert Merkel and Australian National University associate professor and Thinking Security CEO Vanessa Teague and posted to GitHub, the analysis notes three concerning design choices.

The first-addressed is the decision to change UniqueIDs – the identifier the app shares with other users – once every two hours and for devices to only accept a new UniqueID if the app is running. The four researchers say this will make it possible for the government to understand if users are running the app. “This means that a person who chooses to download the app, but prefers to turn it off at certain times of the day, is informing the Data Store of this choice,” they write.

The authors also suggest that persisting with a UniqueID for two hours “greatly increases the opportunities for third-party tracking.”

“The difference between 15 minutes’ and two hours’ worth of tracking opportunities is substantial. Suppose for example that the person has a home tracking device such as a Google home mini or Amazon Alexa, or even a cheap Bluetooth-enabled IoT device, which records the person’s UniqueID at home before they leave. Then consider that if the person goes to a shopping mall or other public space, every device that cooperates with their home device can share the information about where they went.”

The analysis also calls out some instances of UniqueIDs persisting for up to eight hours, for unknown reasons.

None of which seems to be bothering Australians, who have downloaded it more than two million times in 48 hours and blown away adoption expectations.
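To make the researchers' point about 15 minutes versus two hours concrete, here is an added example (not code from the COVIDSafe analysis or the app) that models how long a recorded UniqueID stays linkable to later sightings. The HMAC-based ID derivation, the device secret and the trip data are constructed assumptions, not the app's actual scheme.

```python
import hashlib
import hmac

# Constructed model, not COVIDSafe's real ID scheme: the broadcast ID is
# derived from a per-device secret and the current rotation epoch.
def broadcast_id(secret: bytes, minute: int, rotation_min: int) -> str:
    epoch = minute // rotation_min
    return hmac.new(secret, str(epoch).encode(), hashlib.sha256).hexdigest()[:16]

def linked_sightings(secret, rotation_min, home_minute, sightings):
    """Return the sightings that carry the same ID that was heard at home.

    sightings: list of (minute_of_day, place) where some receiver heard the
    device. Only sightings inside the same rotation epoch are linkable.
    """
    home_id = broadcast_id(secret, home_minute, rotation_min)
    return [(m, place) for m, place in sightings
            if broadcast_id(secret, m, rotation_min) == home_id]

def mean_exposure_minutes(rotation_min: int) -> float:
    """Average number of minutes an ID remains valid after it is recorded,
    taken over every possible offset of the recording within an epoch."""
    return sum(rotation_min - off for off in range(rotation_min)) / rotation_min

# Constructed trip: ID heard at home at minute 485 (08:05), then in public.
SECRET = b"constructed-device-secret"
TRIP = [(495, "bus stop"), (520, "mall entrance"),
        (560, "food court"), (610, "car park")]

def compare(home_minute: int = 485):
    """Linkable sightings for a 15-minute and a two-hour rotation."""
    return {r: linked_sightings(SECRET, r, home_minute, TRIP) for r in (15, 120)}

if __name__ == "__main__":
    for rotation, linked in compare().items():
        print(f"{rotation:>3} min rotation: {len(linked)} of {len(TRIP)} "
              f"sightings linkable, mean exposure "
              f"{mean_exposure_minutes(rotation):.1f} min")
```

In this constructed trip, the two-hour rotation leaves three of the four later sightings linkable to the ID heard at home, while the 15-minute rotation leaves none.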

Some lawyers also commented on the app.

The app, available for Android and iOS, uses some code from Singapore’s TraceTogether app and uses Amazon Web Services to store registration information, encrypted user IDs, and contact data.

While source code of the app has not been released, a privacy impact assessment drawn up by lawyers recommends it be made available. The Department of Health’s response concurs, saying it “will be released subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre”. No timeframe for that consultation is offered, nor is there a guarantee the Cyber Security Centre will agree to the release of the source code.

The app’s use of AWS has quickly raised eyebrows given the cloud giant is subject to the United States’ Patriot Act and could be compelled to surrender COVIDSafe data despite it being stored on Australian soil.

Another criticism leveled at the app is that it must be in active use to perform usefully on Apple devices. As Australia’s national mobile phone fleet is dominated by the iPhone – with over 50 percent market share – the app may not collect a lot of useful data.

In Israel, the government has at least stopped some of the phone tracking.

Israel’s use of phone tracking technology to track COVID-19 patients has come to a partial end. A parliamentary oversight committee has halted use of the tracking to enforce quarantines after raising privacy concerns. The privacy violations outweigh the benefits, committee member Ayalet Shaked said – the phone monitoring tech doesn’t help much when police already pay visits to COVID-19 patients to ensure they’re following the rules.

Police have so far argued that the tool is effective, having arrested 203 people with the help of phone location info. Law enforcement conducted about 500 random location checks per day.

The country is still using technology (believed to involve phone tracking) from the national security agency Shin Bet for contact tracing. It can both map previous movements of infected people and pinpoint others who might have come too close. That program appears to be relatively safe, in part as its team deletes all info after a week.

The Situation on the Ground in Germany

In Germany, some restrictions have been loosened, but all federal states have now mandated that people must wear face coverings in many social situations.

There have been raids on illegal “basement hair salons” in Bavaria.

The police in Saxony get regular detailed reports on infected people, even though pretty much any privacy expert agrees that this is not permitted under current laws. It seems clear from the hesitant way this is being admitted and dealt with that the people responsible knew this was illegal right from the get-go.

In North Rhine-Westphalia, 400 people living in a housing block in Grevenbroich were locked in and force-tested, after two families repeatedly ignored the stay-at-home orders. They found five infected people. Unbelievable. Makes me think of the movie Dredd.

Image: Entrance of the Peach Trees arcology in the 2012 film Dredd (Source: Lionsgate)

Everyone is acting like it, too

Effects of the Lockdown on Small Businesses

The lockdown is having a huge effect on the economy, particularly on small businesses. While the big guys will undoubtedly get bailed out, there are a myriad of small independent companies who will probably not survive all of this. And predatory businesses like Amazon are poised to take over.

→ Senator pushes DOJ to launch criminal antitrust probe of Amazon

Does the Lockdown Actually Work?

A psychologist from Regensburg has analysed the official German case and death numbers from the Robert-Koch-Institut and makes two compelling statistical points about their relation to the lockdown measures. He argues that the infection curve was actually flattened before these measures went into effect. And he also says that there actually was no exponential growth of the SARS-CoV-2 virus in Germany. His analysis of the data is that it just looks like there was exponential growth because there was an exponential increase in testing. And he presents very sound arguments.

Figure: Effective reproduction number (R) of SARS-CoV-2 in Germany (Source: Robert-Koch-Institut)

Producer Reports

South Australian correspondent Bazzawill chimes in with this message:

Just a quick update on what is going on here in SA, particularly education focused. Schools remain open and attendance is up after the regular school break. We were down to below 18% before the school break. Initially parents advised most would keep their kids home when school returned, and we did a lot of work to get ready for online learning. Although we did somewhat expect parents would get sick of their kids (especially if they are working from home) and send them to school. That combined with a message (attached) from our chief public health officer, and low infection rates we now have 50 - 60% attendance (only 2 days, our attendance is usually only 80%).

We are being told that infection is low between children (including teenagers) which means school can go back to usual, but as adults we have to have distance between us. I think it may be more a case infection may not always be picked up in children, they may not even be symptomatic. We also have a contact tracing app.

I just want to clarify the information about children is child to child transmission not child to adult, apparently. So they can give it to me, but not to each other. Not sure how a virus decides to do that.

Butterbeans reports in from Tennessee:

Just finished listening to episode 15 on contact tracing. Another great one. I wanted to send you a copy of an article from the Financial Times today that affirms much of what you said (see attached). No surprise, but you’ve clearly done your research!

A couple paragraphs stuck out that I thought you’d find interesting. Regarding the Apple/Google big tech approach vs. the UK’s NHS driven app: “The UK has been wary of the tech giants’ approach, favouring a centralised database, whereas privacy-centric Germany has come out in support of it.”

Who represents “Germany” here and has come out in support of the Apple/Google approach? You may have mentioned it on the episode, but I don’t remember them if you did.

Also, something I hadn’t thought about, the emergence of a “health passport” as a result of contact tracing: “Some privacy activists also fear that the tech companies’ reassurances that the apps will remain voluntary will be hard to enforce in practice, if contact-tracing apps evolve into ‘passports’ that are demanded to enter supermarkets or other public places.”

Keep podding, brother! Your friend in Tennessee, where we FLATTENED THE CURVE enough to allow restaurants to partially open for sit-down service this week.

Fadi Mansour also has some feedback on episode 15:

I totally share your surprise that the Security Now treatment was only showing the positive side, with zero hints at the several potential risks.

I can see how Steve Gibson could be thrilled by the “elegance” of the proposed solution (from a crypto-theory point of view), but the devil will always be in the details: implementation. And as you mentioned: this proposal only details how these identifiers will be generated and shared: but no other details about what other data would (or could) be associated with it.

Bennett commented on an unrelated blog post of mine and as a part of that mentioned that he really liked my interview with Jürgen Geuter. He also added:

I took a break from your podcast because I wanted to take a break from corona immersion, but your coverage is well done, as always.

If you also have thoughts on the things discussed here, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money to via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Kai Siers, Eric gPodder Test, Rasheed Alhimianee, Butterbeans, Mark Holland, Steve Hoos, Shelby Cruver, Fadi Mansour, Matt Jelliman, Joe Poser, Vlad, ikn, Dave Umrysh, 1i11g, Vytautas Sadauskas, RikyM, drivezero, Dirk Dede, David Potter, Jackie Plage, Jonathan Edwards and Barry Williams.