UK privacy and security experts warn over coronavirus app mission creep

A number of UK computer security and privacy experts have signed an open letter raising transparency and mission creep concerns about the national approach to develop a coronavirus contacts tracing app.

The letter, signed by 177 academics, follows a similar letter earlier this month signed by around 300 academics from across the world, who urged caution over the use of such tech tools and called for governments that choose to deploy digital contacts tracing to use privacy-preserving techniques and systems.

“We urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved,” the UK academics write now, directing their attention at NHSX, the digital arm of the National Health Service which has been working on building a digital contacts tracing app since early March. 

“It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance.”

Yesterday the NHSX’s CEO, Matthew Gould, was giving evidence to the UK parliament’s Science and Technology committee. He defended the approach it’s taking — claiming the forthcoming app uses only “a measure of centralization”, and arguing that it’s a “false dichotomy” to say decentralized is privacy secure and centralized isn’t.

He went on to describe a couple of scenarios he suggested show why centralizing the data is necessary in the NHSX’s view. But in the letter the UK academics cast doubt on the validity of the central claim, writing that “we have seen conflicting advice from different groups about how much data the public health teams need“.

“We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application,” they continue. “We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a ‘nice to have’, given the dangers involved and invasive nature of the technology.”

Europe has seen fierce debate in recent weeks over the choice of app architecture for government-backed coronavirus contacts tracing apps — with different coalitions forming to back decentralized and centralized approaches and some governments pressuring Apple over backing the opposing horse with a cross-platform API for national coronavirus contacts tracing apps it’s developing with Android-maker Google.

Most of the national apps in the works in the region are being designed to use Bluetooth proximity as a proxy for calculating infection risk — with smartphone users’ devices swapping pseudonymized identifiers when near each other. However privacy experts are concerned that centralized stores of IDs risk creating systems of state surveillance as the data could be re-identified by the authority controlling the server.

Alternative decentralized systems have been proposed, using a p2p system with IDs stored locally. Infection risk is also calculated on device, with a relay server used only to push notifications out to devices — meaning social graph data is not systematically exposed.

Although this structure does require the IDs of people who have been confirmed infected to be broadcast to other devices — meaning there’s a potential for interception and re-identification attacks at a local level.

At this stage it’s fair to say that the momentum in Europe is behind decentralized approaches for the national contacts tracing apps. Notably Germany’s government switched from previously backing a centralized approach to decentralized earlier this week, joining a number of others (including Estonia, Spain and Switzerland) — which leaves France and the UK the highest profile backers of centralized systems for now.

France is also seeing expert debate over the issue. Earlier this week a number of French academics signed a letter raising concerns about both centralized and decentralized architectures — arguing that “there should be important evidence in order to justify the risks incurred” of using any such tracking tools.

In the UK, key concerns being attached to the NHSX app are not only the risk of social graph data being centralized and reidentified by the state — but also scope/function creep.

Gould said yesterday that the app will iterate, adding that future versions could ask people to voluntarily give up more data such as their location. And while the NHSX has said use of the app will be voluntary, if multiple functions get baked in that could raise questions over the quality of the consent and whether mission creep is being used as a lever to enforce public uptake.

Another concern is that a public facing branch of the domestic spy agency, GCHQ, has also been involved in advising on the app architecture. And yesterday Gould dodged the committee’s direct questions on whether the National Cyber Security Centre (NCSC) had been involved in the decision to select a centralized architecture.

There may be more concerns on that front, too. Today the HSJ reports that health secretary Matt Hancock recently granted new powers to the UK’s intelligence agencies which mean they can require the NHS to disclose any information that relates to “the security” of the health service’s networks and information systems during the pandemic.

Such links to database-loving spooks are unlikely to quell privacy fears.

There is also concern about how involved the UK’s data watchdog has been in the detail of the app’s design process. Last week the ICO’s executive director, Simon McDougall, was reported to have told a public forum he had not seen plans for the app, although the agency put out a statement on April 24 saying it was working with NHSX “to help them ensure a high level of transparency and governance”.

Yesterday Gould also told the committee the NHSX would publish data protection impact assessments (DPIAs) for each iteration of the app, though none has yet been published.

He also said the software would be “technically” ready to launch in a few weeks’ time — but could not confirm when the code would be published for external review.

In their letter, the UK academics call on NHSX to publish a DPIA for the app “immediately”, rather than dropping it right before deployment, to allow for public debate about the implications of its use and in order that that public scrutiny can take place of the claimed security and privacy safeguards.

The academics are also calling for the unit to publicly commit to no database or databases being created that would allow de-anonymization of users of the system (other than those self reporting as infected), and which could therefore allow the data to be used for constructing users’ social graphs.

They also urge the NHSX to set out details on how the app will be phased out after the pandemic has passed — in order “to prevent mission creep”.

Asked for a commitment on the database point, an NHSX spokesman told us that’s a question for the UK’s Department of Health and Social Care and/or the NCSC — which won’t salve any privacy concerns around the governments’ wider plans for app users’ data.

We also asked when the NHSX will be publishing a DPIA for the app. At the time of writing we were still waiting for a response.

from Android – TechCrunch https://ift.tt/2SkZuyu
via IFTTT

UK privacy and security experts warn over coronavirus app mission creep

A number of UK computer security and privacy experts have signed an open letter raising transparency and mission creep concerns about the national approach to develop a coronavirus contacts tracing app.

The letter, signed by around 150 academics, follows a similar letter earlier this month signed by around 300 academics from across the world, who urged caution over the use of such tech tools and called for governments that choose to deploy digital contacts tracing to use privacy-preserving techniques and systems.

“We urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved,” the UK academics write now, directing their attention at NHSX, the digital arm of the National Health Service which has been working on building a digital contacts tracing app since early March. 

“It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance.”

Yesterday the NHSX’s CEO, Matthew Gould, was giving evidence to the UK parliament’s Science and Technology committee. He defended the approach it’s taking — claiming the forthcoming app uses only “a measure of centralization”, and arguing that it’s a “false dichotomy” to say decentralized is privacy secure and centralized isn’t.

He went on to describe a couple of scenarios he suggested show why centralizing the data is necessary in the NHSX’s view. But in the letter the UK academics cast doubt on the validity of the central claim, writing that “we have seen conflicting advice from different groups about how much data the public health teams need“.

“We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application,” they continue. “We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a ‘nice to have’, given the dangers involved and invasive nature of the technology.”

Europe has seen fierce debate in recent weeks over the choice of app architecture for government-backed coronavirus contacts tracing apps — with different coalitions forming to back decentralized and centralized approaches and some governments pressuring Apple over backing the opposing horse with a cross-platform API for national coronavirus contacts tracing apps it’s developing with Android-maker Google.

Most of the national apps in the works in the region are being designed to use Bluetooth proximity as a proxy for calculating infection risk — with smartphone users’ devices swapping pseudonymized identifiers when near each other. However privacy experts are concerned that centralized stores of IDs risk creating systems of state surveillance as the data could be re-identified by the authority controlling the server.

Alternative decentralized systems have been proposed, using a p2p system with IDs stored locally. Infection risk is also calculated on device, with a relay server used only to push notifications out to devices — meaning social graph data is not systematically exposed.

Although this structure does require the IDs of people who have been confirmed infected to be broadcast to other devices — meaning there’s a potential for interception and re-identification attacks at a local level.

At this stage it’s fair to say that the momentum in Europe is behind decentralized approaches for the national contacts tracing apps. Notably Germany’s government switched from previously backing a centralized approach to decentralized earlier this week, joining a number of others (including Estonia, Spain and Switzerland) — which leaves France and the UK the highest profile backers of centralized systems for now.

France is also seeing expert debate over the issue. Earlier this week a number of French academics signed a letter raising concerns about both centralized and decentralized architectures — arguing that “there should be important evidence in order to justify the risks incurred” of using any such tracking tools.

In the UK, key concerns being attached to the NHSX app are not only the risk of social graph data being centralized and reidentified by the state — but also scope/function creep.

Gould said yesterday that the app will iterate, adding that future versions could ask people to voluntarily give up more data such as their location. And while the NHSX has said use of the app will be voluntary, if multiple functions get baked in that could raise questions over the quality of the consent and whether mission creep is being used as a lever to enforce public uptake.

Another concern is that a public facing branch of the domestic spy agency, GCHQ, has also been involved in advising on the app architecture. And yesterday Gould dodged the committee’s direct questions on whether the National Cyber Security Centre (NCSC) had been involved in the decision to select a centralized architecture.

There may be more concerns on that front, too. Today the HSJ reports that health secretary Matt Hancock recently granted new powers to the UK’s intelligence agencies which mean they can require the NHS to disclose any information that relates to “the security” of the health service’s networks and information systems during the pandemic.

Such links to database-loving spooks are unlikely to quell privacy fears.

There is also concern about how involved the UK’s data watchdog has been in the detail of the app’s design process. Last week the ICO’s executive director, Simon McDougall, was reported to have told a public forum he had not seen plans for the app, although the agency put out a statement on April 24 saying it was working with NHSX “to help them ensure a high level of transparency and governance”.

Yesterday Gould also told the committee the NHSX would publish data protection impact assessments (DPIAs) for each iteration of the app, though none has yet been published.

He also said the software would be “technically” ready to launch in a few weeks’ time — but could not confirm when the code would be published for external review.

In their letter, the UK academics call on NHSX to publish a DPIA for the app “immediately”, rather than dropping it right before deployment, to allow for public debate about the implications of its use and in order that that public scrutiny can take place of the claimed security and privacy safeguards.

The academics are also calling for the unit to publicly commit to no database or databases being created that would allow de-anonymization of users of the system (other than those self reporting as infected), and which could therefore allow the data to be used for constructing users’ social graphs.

They also urge the NHSX to set out details on how the app will be phased out after the pandemic has passed — in order “to prevent mission creep”.

Asked for a commitment on the database point, an NHSX spokesman told us that’s a question for the UK’s Department of Health and Social Care and/or the NCSC — which won’t salve any privacy concerns around the governments’ wider plans for app users’ data.

We also asked when the NHSX will be publishing a DPIA for the app. At the time of writing we were still waiting for a response.

from Apple – TechCrunch https://ift.tt/2SkZuyu

Apple adds COVID-19 testing sites to Maps across the U.S., and shares more mobility data

Apple has now added COVID-19 testing sites to its Apple Maps app across the U.S., covering all 50 states and Puerto Rico. The update provide testing locations including hospitals, clinics, urgent car facilities, general practitioners, pharmacies and more, as well as dedicated COVID-19 testing sites, where tests are available. In addition, COVID-19 is now a prioritized point-of-interest option when you go to search for locations. Apple also updated its new Mobility Trends website, which provides free access to anonymized, aggregated data bout how people are getting around their cities and regions during the COVID-19 crisis.

The Maps update was reported last week, first spotted by 9to5Mac through a portal that Apple created in order to allow test site providers to provide their site location so that it could be added to the database. Now, it’s live and lives alongside other prioritized search options in Maps, which have been customized for the pandemic, and which include grocery stores, food delivery, pharmacies, hospitals and urgent care facilities.

As for the Mobility Trends site, it now includes improved regionalization, like state or province level search, depending on what terms a country uses, and it’s also been better localized, including use of a area’s local name added to search results to ensure that everyone can find what they’re looking for globally. Also, in the U.S., there are now more cities available to review.

Apple’s made this data available in order to help governments, transportation authorities and cities make better sense of the impact that the ongoing pandemic is having, and potentially provide information about the effective of, and compliance rate with, efforts like broad social distancing measures and shelter-in-place orders. The data comes from info about what methods of directions users are selecting within the Maps app, but it’s worth noting that Apple’s Maps app has privacy built-in by default, so it doesn’t collect any personal information along with guidance search info.

from Apple – TechCrunch https://ift.tt/2zxoVq2

UK’s coronavirus contacts tracing app could ask users to share location data

More details have emerged about a coronavirus contacts tracing app being developed by UK authorities. NHSX CEO, Matthew Gould, said today that future versions of the app could ask users to share location data to help authorities learn more about how the virus propagates.

Gould, who heads up the digital transformation unit of the UK’s National Health Service, was giving evidence to the UK parliament’s Science & Technology Committee today.

At the same time, ongoing questions about the precise role of the UK’s domestic spy agency in key decisions about the NHSX’s choice of a centralized app architecture means privacy concerns are unlikely to go away — with Gould dodging the committee’s about GCHQ’s role.

A basic version of the NHSX’s coronavirus contacts tracing app is set to be tested in a small geographical region in the next 1-2 weeks, per Gould — who said “technically” it would be ready for a wider rollout in 2-3 weeks’ time.

Although he emphasized that any launch would need to be part of a wider government strategy which includes extensive testing and manual contacts tracing, along with a major effort to communicate to the public about the purpose and importance of the app as part of a combined response to fighting the virus.

In future versions of the app, Gould suggested users could be asked to contribute additional data — such as their location — in order to help epidemiologists identify infection hot spots, while emphasizing that such extra contributions would be voluntary.

“The app will iterate. We’ve been developing it at speed since the very start of the situation but the first version that we put out won’t have everything in it that we would like,” he said. “We’re quite keen, though, that subsequent versions should give people the opportunity to offer more data if they wish to do so.

“So, for example, it would be very useful, epidemiologically, if people were willing to offer us not just the anonymous proximity contacts but also the location of where those contacts took place — because that would allow us to know that certain places or certain sectors or whatever were a particular source of proximity contacts that subsequently became problematic.”

“If people were willing to do that — and I suspect a significant proportion of people would be willing to do that — then I think that would be very important data because that would allow us to have an important insight into how the virus was propagated,” he added.

For now, the basic version of the contacts tracing app the NHSX is devising is not being designed to track location. Instead, it will use Bluetooth as a proxy for infection risk, with phones that come into proximity swapping pseudonymized identifiers that may later be uploaded to a central server to calculate infection risk related to a person’s contacts.

Bluetooth proximity tracking is now being baked into national contacts tracing apps across Europe and elsewhere, although app architectures can vary considerably.

The UK is notable for being one of now relatively few European countries that have opted for a centralized model for coronavirus contacts tracing, after Germany switched its choice earlier this week.

France is also currently planning to use a centralized protocol. But countries including Estonia, Switzerland and Spain have said they will deploy decentralized apps — meaning infection risk calculations will be performed locally, on device, and social graph data will not be uploaded to a central authority.

Centralized approaches to coronavirus contact tracing have raised substantial privacy concerns as social graph data stored on a central server could be accessed and re-identified by the central authority controlling the server.

Apple and Google’s joint effort on a cross-platform API for national coronavirus contacts tracing apps is also being designed to work with decentralized approaches — meaning countries that want to go against the smartphone platform grain may face technically challenges such as battery drain and usability.

The committee asked Gould about the NHSX’s decision to develop its own app architecture, which means having to come up with workarounds to minimize issues such as battery drain because it won’t just be able to plug into the Apple-Google API. Yesterday the unit told the BBC how it’s planning to do this, while conceding its workaround won’t be as energy efficient as being able to use the API.

“We are co-operating very closely with a range of other countries. We’re sharing code, we’re sharing technical solutions and there’s a lot of co-operation but a really key part of how this works is not just the core Bluetooth technology — which is an important part of it — it’s the backend and how it ties in with testing, with tracing, with everything else. So a certain amount of it necessarily has to be embedded in the national approach,” said Gould, when asked why NHSX is going to the relative effort and hassle of developing its own bespoke centralized system rather than making use of protocols developed elsewhere.

“I would say we are sensibly trying to learn international best practice and share it — and we’ve shared quite a lot of the technological progress we’ve made in certain areas — but this has to embed in the wider UK strategy. So there’s an irreducible amount that has to be done nationally.”

On not aligning with Apple and Google’s decentralized approach specifically, he suggested that waiting for their system-wide contact tracing product to be released — due next month — would “slow us down quite considerably”. (During the committee hearing it was confirmed the first meeting relating to the NHSX app took place on March 7.)

While on the wider decision not to adopt a decentralized architecture for the app, Gould argued there’s a “false dichotomy” that decentralized is privacy secure and centralized isn’t. “We firmly believe that both our approach — though it has a measure of centralization in as much as your uploading the anonymized identifiers in order to run the cascades — nonetheless preserves people’s privacy in doing so,” he said.

“We don’t believe that’s a privacy endangering step. But also by doing so it allows you to see the contact graph of how this is propagating and how the contacts are working across a number of individuals, without knowing who they are, that allows you to do certain important things that you couldn’t do if it was just phone to phone propagation.”

He gave the example of detecting malicious use of contacts tracing being helped by being able to acquire social graph data. “One of the ways you can do that is looking for anomalous patterns even if you don’t know who the individuals are you can see anomalous propagation which the approach we’ve taken allows,” he said. “We’re not clear that a decentralized approach allows.”

Another example he gave was a person declaring themselves symptomatic and a cascade being run to notify their contacts and then that person subsequently testing negative.

“We want to be able to release all the people that have been given an instruction to isolate previously on the basis of [the false positive person] being symptomatic. If it was done in an entirely decentalized way that becomes very difficult,” he suggested. “Because it’s all been done phone to phone you can’t go back to those individuals to say you don’t have to be locked down because your index case turned out to be negative. So we really believe there are big advantages the way we’re doing it. But we don’t believe it’s privacy endangering.”

Responding to the latter claim, Dr Michael Veale — a lecturer in digital rights and regulation at UCL who is also one of the authors of a decentalized protocol for contacts tracing, called DP-3T, that’s being adopted by a number of European governments — told us: “It is trivial to extend a decentralised system to allow individuals to upload ‘all clear’ keys too, although not something that DP-3T focussed on building in because to my knowledge, it is only the UK that wishes to allow these cascades to trigger instructions to self-isolate based on unverified self-reporting.”

In the decentralized scenario, “individuals would simply upload their identifiers again, flagging them as ‘false alarm’, they would be downloaded by everyone, and the phones of those who had been told to quarantine would notify the individual that they no longer needed to isolate”, Veale added — explaining how a ‘false alarm’ notification could indeed be sent without a government needing to centralize social graph data.

The committee also asked Gould directly whether UK spy agency, GCHQ, was involved in the decision to choose a centralized approach for the app. The BBC reported yesterday that experts from the cyber security arm of the spy agency, the National Cyber Security Centre (NCSC), had aided the effort.

At first pass Gould dodged the question. Pressed a second time he dodged a direct answer, saying only that the NCSC were “part of the discussions in which we decided to take the approach that we’ve taken”.

“[The NCSC] have, along with a number of others — the Information Commission’s Office, the National Data Guardian, the NHS — been advising us. And as the technical authority for cyber security I’m very glad to have had the NCSC’s advice,” he also said.

“We have said will will open source the software, we have said we will publish the privacy model and the security model that’s underpinning what we’re going to do,” he added. “The whole model rests on people having randomized IDs so the only point in the process at which they need to say to us who they are is when they need to order a test having become symptomatic because it’s impossible to do that otherwise.

“They will have the choice both to download the app and turn it on but also to upload the list of randomized IDs of people they’ve been in touch with. They will also have the choice at any point to delete the app and all the data that they haven’t shared with us up to that point with it. So I do believe that what we’ve done is respectful of people’s privacy but at the same time effective in terms of being able to keep people safe.”

Gould was unable to tell the committee when the app’s code will be open sourced, or even confirm it would happen before the app was made available. But he did say the unit is committed to publishing data protection impact assessments — claiming this would be done “for each iteration” of the app.

“At every stage we will do a data protection impact assessment, at every stage we’ll make sure the information commission know’s what we’re doing and is comfortable with what we’re doing so we will proceed carefully and make sure what we do is compliant,” he said.

At another point in the hearing, Lillian Edwards, a professor of law, innovation and society at Newcastle Law School who was also giving evidence, pointed out that the Information Commissioner’s Office’s executive director, Simon McDougall, told a public forum last week that the agency had not in fact seen details of the app plan.

“There has been a slight information gap there,” she suggested. “This is normally a situation with an app that is high risk stakes involving very sensitive personal data — where there is clearly a GDPR [General Data Protection Regulation] obligation to prepare a Data Protection Impact Assessment — where one might have thought that prior consultation and a formal sign off by the ICO might have been desirable.”

“But I’m very gratified to hear that a Data Protection Impact Assessment is being prepared and will be published and I think it would be very important to have a schedule on that — at least at some draft level — as obviously the technical details of the app are changing from day to day,” Edwards added.

We’ve reached out to the ICO to ask if it’s seen plans for the app or any data protection impact assessment now.

During the committee hearing, Gould was also pressed on what will happen to data sets uploaded to the central server once the app has been required. He said such data sets could be used for “research purposes”.

“There is the possibility of being able to use the data subsequently for research purposes,” he said. “We’ve said all along that the data from the app — the app will only be used for controlling the epidemic, for helping the NHS, public health and for research purposes. If we’re going to use data to ask people if we can keep their data for research purposes we will make that abundantly clear and they’ll have the choice on whether to do so.”

Gould followed up later in the session by adding that he didn’t envisage such data-sets being shared with the private sector. “This is data that will be probably under the joint data controllership of DHSC and NHS England and Improvement. I see no context in which it would be shared with the private sector,” he said, adding that UK law does already criminalize the reidentification of anonymized data.

“There are a series of protections that are in place and I would be very sorry if people started talking about sharing this data with the private sector as if it was a possibility. I don’t see it as a possibility.”

In another exchange during the session Gould told the committee the app will not include any facial recognition technology. Although he was unable to entirely rule out some role for the tech in future public health-related digital coronavirus interventions, such as related to certification of immunity.

from Apple – TechCrunch https://ift.tt/2YcsM6d

Hundreds of French academics sign letter asking for safeguards on contact tracing

A group of 471 French cryptography and security researchers has signed a letter to raise awareness about the potential risks of a contact-tracing app. A debate in the French parliament will take place tomorrow to talk about all things related to post-lockdown — including contact-tracing app StopCovid.

Among the group of researchers, 77 of them are affiliated with Inria, the French research institute that has been working on the contact-tracing protocol that will power the government-backed contact-tracing app, ROBERT. With this letter, it appears that Inria is conflicted about ROBERT.

“All those applications induce very important risks when it comes to protecting privacy and individual rights,” the letter says. “This mass surveillance could be done by collecting the interaction graph of individuals — the social graph. It could happen at the operating system level on the phones. Not only operating system makers could reconstruct the social graph, but the state could as well, more or less easily depending on the approaches.”

The letter also mentions a thorough analysis of centralized and decentralized implementations of contact-tracing protocols. It includes multiple attack scenarios and undermines both the DP-3T protocol as well as ROBERT.

Ahead of the debate in the French parliament tomorrow, researchers say that “it is essential to thoroughly analyze the health benefits of a digital solution with specialists — there should be important evidence in order to justify the risks incurred.”

Researchers also ask for more transparency at all levels — every technical choice should be documented and justified. Data collection should be minimized and people should understand the risks and remain free not to use the contact-tracing app.

Over the past few weeks, multiple groups of researchers in Europe have been working on different protocols. In particular, DP-3T has been working a decentralized protocol that leverages smartphones to compute social interactions. Ephemeral IDs are stored on your device and you can accept to share ephemeral IDs with a relay server to send them to the community of app users.

PEPP-PT has been backing a centralized protocol that uses pseudonymization to match contacts on a central server. A national authority manages the central server, which could lead to state surveillance if the protocol isn’t implemented properly. ROBERT is a variant of PEPP-PT designed by French and German researchers.

While the French government has always been cautious about the upsides of a contact-tracing app, there’s been little debate about the implementation. Inria, with official backing from the French government, and Fraunhofer released specifications for the ROBERT protocol last week.

Many (including me) have called out various design choices, as you have to trust your government that they’re not doing anything nefarious without telling you — a centralized approach requires a lot of faith from the end users as the government holds a lot of data about your social interactions and your health. Sure, it’s pseudonymized, but it’s not anonymized, despite what the ROBERT specification document says.

Moreover, ROBERT doesn’t leverage Apple and Google’s contact-tracing API that is in the works. France’s digital minister, Cédric O, has been trying to put some pressure on Apple over Bluetooth restrictions with a Bloomberg interview. Given that Apple and Google provide an API for decentralized implementations, they have little incentive to bow to French pressure.

On Sunday, Germany announced that it would abandon its original plans for a centralized architecture in favor of a decentralized approach, leaving France and the U.K. as the two remaining backers of a centralized approach.

France’s data protection watchdog CNIL released a cautious analysis of ROBERT, saying that the protocol could be compliant with GDPR. But it says it will need further details on the implementation of the protocol to give a definitive take on StopCovid.

The European Data Protection Supervisor (EDPS) also said on Twitter that the debate in front of the French parliament is particularly important. “Decisions will have an impact not only on the immediate future but as well on years to come,” they say.

France’s Inria and Germany’s Fraunhofer detail their ROBERT contact-tracing protocol

from Apple – TechCrunch https://ift.tt/2SbNoHT

Lost item finder Tile expands partnership with Comcast, as Apple’s competitor looms

Bluetooth-powered lost item finder Tile is expanding on its two-year old partnership with strategic investor Comcast to help customers find misplaced items around their home. The two companies had first announced their intention to partner in early 2018 and later that year introduced a way for Comcast users to locate lost items using their Xfinity X1 Voice Remote. Now, Comcast is adding more set-top boxes and xFi Gateways into the mix as access points.

The companies announced today that select Comcast X1 and Flex set-top boxes as well as xFi Gateways will be able to work as extensions to the Tile network. Specifically, this includes the newer Xfinity devices like the xFi Advanced Gateway, and Xi5, Xi6, and XG1v4 devices, Tile tells us.

What this means Comcast’s boxes can supplement or even take the place of the Tile mobile app in terms of being an access point used to look for a lost Tile device, when an item goes missing.

This could be useful for those who don’t have the Tile app installed on their phone, whose phone is not within easy reach or has run out of battery, as well as for those those who just want the added convenience of having another way to search for their lost item.

Previously, Comcast Xfinity customers could use their X1 voice remote to see a Tile’s last-known location on the screen. Now, not only can Comcast users ring their Tile directly, the Flex set-top boxes and xFi Gateways can also work as finding extenders in the home.

Tile devices themselves come in a variety of form factors, including keychain or luggage dongles like Mate and the more powerful Pro, a Slim device ideal for wallets, and Tile Sticker for anything else — like laptops, bikes, tools, cameras, and more. In the home, Tile devices are often used to find small items like car keys, purses, or even a child’s favorite toy that’s always getting misplaced.

Alongside the support for Comcast boxes, the companies also updated the existing X1 remote functionality to include a new feature to directly ring missing items. Now, customers can say things like “Xfinity Home, find my keys” to have the Tile make its distinctive ringing sound so the lost item can be found.

“The average person spends about 15 minutes a day looking for lost items,” said Tile CEO CJ Prober, in a statement about the expanded partnership with Comcast. “We’ve been working with Comcast to alleviate this daily disruption. By allowing Comcast Xfinity customers to use their xFI Gateways and X1 and Flex set-top boxes as finding extenders, the Tile network becomes stronger and ensures users will quickly and easily find lost or misplaced items, bringing convenience to their daily routine,” he said.

Tile claims to now locate some 6 million items daily across 195 countries worldwide, with a 90% success rate in finding lost items. To date, it has sold 26 million Tile devices.

However the company is preparing to face steep competition. Apple has effectively confirmed its plans to release a Tile competitor called Air Tags that are more deeply integrated into its iOS operating system and have special privileges that aren’t offered to third-party apps. Tile has gone on the offensive about Apple’s plans, arguing to Congress that Apple’s behavior is anti-competitive and needs regulation.

This month, Tile told a congressional panel that Apple has failed to live up to promises aimed at resolving their dispute, noting Apple did not reinstate the “Always Allow” background permission. This permission would allow Tile to compete on a more even playing field with Apple’s own “Find My” app, which doesn’t have to continually remind users that it’s using their location data like third-party apps do. Tile also spoke about how Apple planned to allow its own Air Tags to use UWB (ultra-wideband) for better location finding, but not open that up to competitors like Tile.

The fight for regulation will be a long-term battle. In the more immediate future, Tile’s partnerships are how it will continue to grow its customer base and device usage.

In total, Tile now works with over 20 partners across audio, travel, smart home and PC categories.

 

 

from Apple – TechCrunch https://ift.tt/3bJkXJ9

Stay-at-home order for 7 million Bay Area residents extended to end of May

A stay-at-home order for seven San Francisco Bay Area counties will be extended through the end of May due to the COVID-19 pandemic, a decision that affects 7 million residents and thousands of businesses.

The Public Health Officers of the Counties of Alameda, Contra Costa, Marin, San Francisco, San Mateo and Santa Clara as well as the City of Berkeley said in a joint statement issued Monday that it will issue revised shelter-in-place orders later this week. The new order will ease some specific restrictions for what the health officers from the seven counties described as a “small number of number of lower-risk activities.”

The stay-at-home orders were set to expire May 3. Details regarding this next phase will be shared later in the week, along with the updated order.

The seven counties are home to thousands of startups and technology companies that includes Apple, Facebook, Google, Salesforce, Twitter, Tesla and Uber.

“Thanks to the collective effort and sacrifice of the 7 million residents across our jurisdictions, we have made substantial progress in slowing the spread of the novel coronavirus, ensuring our local hospitals are not overwhelmed with COVID-19 cases, and saving lives,” the health officers said in a joint statement. “At this stage of the pandemic, however, it is critical that our collective efforts continue so that we do not lose the progress we have achieved together.”

The public health officials said Monday that hospitalizations have leveled, but more work is needed to safely re-open communities and warned that “prematurely lifting restrictions could lead to a large surge in cases.”

The health officers plan to also release a set of broad indicators used to track progress in preparedness and response to COVID-19, in alignment with the framework being used by the rest of the state.

from Apple – TechCrunch https://ift.tt/2W1Jtyx