Monday, 27 April 2020

Hundreds of French academics sign letter asking for safeguards on contact tracing

A group of 471 French cryptography and security researchers has signed a letter to raise awareness about the potential risks of a contact-tracing app. A debate in the French parliament will take place tomorrow to talk about all things related to post-lockdown — including contact-tracing app StopCovid.

Among the group of researchers, 77 of them are affiliated with Inria, the French research institute that has been working on the contact-tracing protocol that will power the government-backed contact-tracing app, ROBERT. With this letter, it appears that Inria is conflicted about ROBERT.

“All those applications induce very important risks when it comes to protecting privacy and individual rights,” the letter says. “This mass surveillance could be done by collecting the interaction graph of individuals — the social graph. It could happen at the operating system level on the phones. Not only operating system makers could reconstruct the social graph, but the state could as well, more or less easily depending on the approaches.”

The letter also mentions a thorough analysis of centralized and decentralized implementations of contact-tracing protocols. It includes multiple attack scenarios and undermines both the DP-3T protocol and ROBERT.

Ahead of the debate in the French parliament tomorrow, researchers say that “it is essential to thoroughly analyze the health benefits of a digital solution with specialists — there should be important evidence in order to justify the risks incurred.”

Researchers also ask for more transparency at all levels — every technical choice should be documented and justified. Data collection should be minimized and people should understand the risks and remain free not to use the contact-tracing app.

Over the past few weeks, multiple groups of researchers in Europe have been working on different protocols. In particular, DP-3T has been working on a decentralized protocol that leverages smartphones to compute social interactions. Ephemeral IDs are stored on your device and you can agree to share ephemeral IDs with a relay server to send them to the community of app users.

PEPP-PT has been backing a centralized protocol that uses pseudonymization to match contacts on a central server. A national authority manages the central server, which could lead to state surveillance if the protocol isn’t implemented properly. ROBERT is a variant of PEPP-PT designed by French and German researchers.

While the French government has always been cautious about the upsides of a contact-tracing app, there’s been little debate about the implementation. Inria, with official backing from the French government, and Fraunhofer released specifications for the ROBERT protocol last week.

Many (including me) have called out various design choices, as you have to trust your government that they’re not doing anything nefarious without telling you — a centralized approach requires a lot of faith from the end users as the government holds a lot of data about your social interactions and your health. Sure, it’s pseudonymized, but it’s not anonymized, despite what the ROBERT specification document says.

Moreover, ROBERT doesn’t leverage Apple and Google’s contact-tracing API that is in the works. France’s digital minister, Cédric O, has been trying to put some pressure on Apple over Bluetooth restrictions with a Bloomberg interview. Given that Apple and Google provide an API for decentralized implementations, they have little incentive to bow to French pressure.

On Sunday, Germany announced that it would abandon its original plans for a centralized architecture in favor of a decentralized approach, leaving France and the U.K. as the two remaining backers of a centralized approach.

France’s data protection watchdog CNIL released a cautious analysis of ROBERT, saying that the protocol could be compliant with GDPR. But it says it will need further details on the implementation of the protocol to give a definitive take on StopCovid.

The European Data Protection Supervisor (EDPS) also said on Twitter that the debate in front of the French parliament is particularly important. “Decisions will have an impact not only on the immediate future but as well on years to come,” they say.



from Apple – TechCrunch https://ift.tt/2SbNoHT

Lost item finder Tile expands partnership with Comcast, as Apple’s competitor looms

Bluetooth-powered lost item finder Tile is expanding on its two-year old partnership with strategic investor Comcast to help customers find misplaced items around their home. The two companies had first announced their intention to partner in early 2018 and later that year introduced a way for Comcast users to locate lost items using their Xfinity X1 Voice Remote. Now, Comcast is adding more set-top boxes and xFi Gateways into the mix as access points.

The companies announced today that select Comcast X1 and Flex set-top boxes as well as xFi Gateways will be able to work as extensions to the Tile network. Specifically, this includes the newer Xfinity devices like the xFi Advanced Gateway, and Xi5, Xi6, and XG1v4 devices, Tile tells us.

What this means is that Comcast’s boxes can supplement or even take the place of the Tile mobile app as an access point used to look for a lost Tile device when an item goes missing.

This could be useful for those who don’t have the Tile app installed on their phone, whose phone is not within easy reach or has run out of battery, as well as for those who just want the added convenience of having another way to search for their lost item.

Previously, Comcast Xfinity customers could use their X1 voice remote to see a Tile’s last-known location on the screen. Now, not only can Comcast users ring their Tile directly, the Flex set-top boxes and xFi Gateways can also work as finding extenders in the home.

Tile devices themselves come in a variety of form factors, including keychain or luggage dongles like Mate and the more powerful Pro, a Slim device ideal for wallets, and Tile Sticker for anything else — like laptops, bikes, tools, cameras, and more. In the home, Tile devices are often used to find small items like car keys, purses, or even a child’s favorite toy that’s always getting misplaced.

Alongside the support for Comcast boxes, the companies also updated the existing X1 remote functionality to include a new feature to directly ring missing items. Now, customers can say things like “Xfinity Home, find my keys” to have the Tile make its distinctive ringing sound so the lost item can be found.

“The average person spends about 15 minutes a day looking for lost items,” said Tile CEO CJ Prober, in a statement about the expanded partnership with Comcast. “We’ve been working with Comcast to alleviate this daily disruption. By allowing Comcast Xfinity customers to use their xFI Gateways and X1 and Flex set-top boxes as finding extenders, the Tile network becomes stronger and ensures users will quickly and easily find lost or misplaced items, bringing convenience to their daily routine,” he said.

Tile claims to now locate some 6 million items daily across 195 countries worldwide, with a 90% success rate in finding lost items. To date, it has sold 26 million Tile devices.

However the company is preparing to face steep competition. Apple has effectively confirmed its plans to release a Tile competitor called Air Tags that are more deeply integrated into its iOS operating system and have special privileges that aren’t offered to third-party apps. Tile has gone on the offensive about Apple’s plans, arguing to Congress that Apple’s behavior is anti-competitive and needs regulation.

This month, Tile told a congressional panel that Apple has failed to live up to promises aimed at resolving their dispute, noting Apple did not reinstate the “Always Allow” background permission. This permission would allow Tile to compete on a more even playing field with Apple’s own “Find My” app, which doesn’t have to continually remind users that it’s using their location data like third-party apps do. Tile also spoke about how Apple planned to allow its own Air Tags to use UWB (ultra-wideband) for better location finding, but not open that up to competitors like Tile.

The fight for regulation will be a long-term battle. In the more immediate future, Tile’s partnerships are how it will continue to grow its customer base and device usage.

In total, Tile now works with over 20 partners across audio, travel, smart home and PC categories.



from Apple – TechCrunch https://ift.tt/3bJkXJ9

Stay-at-home order for 7 million Bay Area residents extended to end of May

A stay-at-home order for seven San Francisco Bay Area counties will be extended through the end of May due to the COVID-19 pandemic, a decision that affects 7 million residents and thousands of businesses.

The Public Health Officers of the Counties of Alameda, Contra Costa, Marin, San Francisco, San Mateo and Santa Clara as well as the City of Berkeley said in a joint statement issued Monday that they will issue revised shelter-in-place orders later this week. The new order will ease some specific restrictions for what the health officers from the seven counties described as a “small number of lower-risk activities.”

The stay-at-home orders were set to expire May 3. Details regarding this next phase will be shared later in the week, along with the updated order.

The seven counties are home to thousands of startups and technology companies, including Apple, Facebook, Google, Salesforce, Twitter, Tesla and Uber.

“Thanks to the collective effort and sacrifice of the 7 million residents across our jurisdictions, we have made substantial progress in slowing the spread of the novel coronavirus, ensuring our local hospitals are not overwhelmed with COVID-19 cases, and saving lives,” the health officers said in a joint statement. “At this stage of the pandemic, however, it is critical that our collective efforts continue so that we do not lose the progress we have achieved together.”

The public health officials said Monday that hospitalizations have leveled, but more work is needed to safely re-open communities and warned that “prematurely lifting restrictions could lead to a large surge in cases.”

The health officers plan to also release a set of broad indicators used to track progress in preparedness and response to COVID-19, in alignment with the framework being used by the rest of the state.



from Apple – TechCrunch https://ift.tt/2W1Jtyx

The next iPhone could be delayed a month, as pandemic wears on

The latest budget iPhone arrived this month to largely positive reviews. The next flagship, on the other hand, may have to wait. The COVID-19 pandemic is having all manner of knock-on effects on the global economy, and the supply chain is certainly not immune.

The Wall Street Journal this morning is reporting that the iPhone 12 may be among the devices impacted by unexpected issues. Apple is “pushing back the production ramp-up” of the new devices, per the report, owing to manufacturing issues in Asia and “weakened global consumer demand.”

This follows a number of similar reports of delays, with some putting the flagship smartphone’s launch at December, instead of the usual September/October timeframe. The current report would likely put the phone’s release at around November — in line with that of the iPhone X. The company, unsurprisingly, hasn’t commented on the matter. The company doesn’t often comment on supply issues for released products, let alone those that are months away.

Asia was the first to be hit by the pandemic, and while a number of areas have returned to some semblance of business as usual, issues still remain. Beyond that, Apple (like all manufacturers) will have to grapple with the changing face of consumer wants/needs in the face of a pandemic and widespread stay-at-home orders. For many areas, those are expected to continue at least until the summer. 

Those compound overall slowing smartphone demand, putting manufacturers in a tough spot. Prior to COVID-19, however, Apple was no doubt anticipating an uptick in demand with the expected arrival of its first 5G handset. For now, however, it seems best to expect the unexpected.



from Apple – TechCrunch https://ift.tt/3cJjcvM

Germany ditches centralized approach to app for COVID-19 contacts tracing

Germany has U-turned on building a centralized COVID-19 contacts tracing app — and will instead adopt a decentralized architecture, Reuters reported Sunday, citing a joint statement by chancellery minister Helge Braun and health minister Jens Spahn.

In Europe in recent weeks, a battle has raged between different groups backing centralized vs decentralized infrastructure for apps being fast-tracked by governments which will use Bluetooth-based smartphone proximity as a proxy for infection risk — in the hopes of supporting the public health response to the coronavirus by automating some contacts tracing.

Centralized approaches that have been proposed in the region would see pseudonymized proximity data stored and processed on a server controlled by a national authority, such as a healthcare service. However concerns have been raised about allowing authorities to scoop up citizens’ social graph, with privacy experts warning of the risk of function creep and even state surveillance.

Decentralized contacts tracing infrastructure, by contrast, means ephemeral IDs are stored locally on device — and only uploaded with a user’s permission after a confirmed COVID-19 diagnosis. A relay server is used to broadcast infected IDs — enabling devices to locally compute if there’s a risk that requires notification. So social graph data is not centralized.
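The difference between the two architectures described above comes down to what the server gets to see. The following is an added example, not code from DP-3T, ROBERT or PEPP-PT: a deliberately simplified model in which the ID derivation, the four-epoch day, the pseudonyms and the assumption that a centralized upload is linkable to its uploader are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

EPOCHS = 4  # constructed value; real protocols rotate IDs far more often


def ephemeral_ids(day_key):
    """Derive short-lived broadcast IDs from a secret day key (simplified)."""
    return [hmac.new(day_key, b"ephid-%d" % i, hashlib.sha256).digest()[:16]
            for i in range(EPOCHS)]


class Phone:
    def __init__(self, pseudonym):
        self.pseudonym = pseudonym          # hypothetical label, e.g. "P-alice"
        self.ids = ephemeral_ids(secrets.token_bytes(32))
        self.heard = set()                  # IDs received over Bluetooth, kept on device


def meet(a, b, epoch):
    """Both phones record the ID the other one broadcasts in this epoch."""
    a.heard.add(b.ids[epoch])
    b.heard.add(a.ids[epoch])


def constructed_day():
    """Constructed scenario: alice meets bob, bob meets carol, alice is diagnosed."""
    alice, bob, carol = Phone("P-alice"), Phone("P-bob"), Phone("P-carol")
    meet(alice, bob, 0)
    meet(bob, carol, 1)
    return alice, bob, carol


def run_decentralized():
    """Diagnosed user uploads her OWN IDs; matching happens on each device."""
    alice, bob, carol = constructed_day()
    relay_published = set(alice.ids)        # everything the relay server ever sees
    at_risk = {p.pseudonym: bool(p.heard & relay_published) for p in (bob, carol)}
    return at_risk, relay_published, bob, carol


def run_centralized():
    """Server knows which pseudonym owns each ID; diagnosed user uploads IDs she HEARD."""
    alice, bob, carol = constructed_day()
    registry = {eid: p.pseudonym for p in (alice, bob, carol) for eid in p.ids}
    contacts = {registry[eid] for eid in alice.heard}   # resolved on the server
    # Assumption: the upload can be tied to the uploader, so the server
    # learns edges of the social graph between pseudonyms.
    edges = {(alice.pseudonym, c) for c in contacts}
    return contacts, edges


if __name__ == "__main__":
    at_risk, published, _, _ = run_decentralized()
    print("decentralized: notified locally:", at_risk)
    print("decentralized: relay holds", len(published), "opaque IDs, no contact data")
    contacts, edges = run_centralized()
    print("centralized: server resolved contacts:", contacts)
    print("centralized: server-side graph edges:", edges)
```

In the decentralized run the relay holds only the diagnosed user's own identifiers, while in the centralized run the server ends up with a pseudonym-to-pseudonym edge, which is the re-identification surface the CNIL and the researchers' letter focus on.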

The change of tack by the German government marks a major blow to a homegrown standardization effort, called PEPP-PT, that had been aggressively backing centralization — while claiming to ‘preserve privacy’ on account of not tracking location data. It quickly scrambled to propose a centralized architecture for tracking coronavirus contacts, led by Germany’s Fraunhofer Institute, and claiming the German government as a major early backer, despite PEPP-PT later saying it would support decentralized protocols too.

As we reported earlier, the effort faced strident criticism from European privacy experts — including a group of academics developing a decentralized protocol called DP-3T — who argue p2p architecture is truly privacy preserving. Concerns were also raised about a lack of transparency around who is behind PEPP-PT and the protocols they claimed to support, with no code published for review.

The European Commission, meanwhile, has also recommended the use of decentralization technologies to help boost trust in such apps in order to encourage wider adoption.

EU parliamentarians have also warned regional governments against trying to centralize proximity data during the coronavirus crisis.

But it was Apple and Google jumping into the fray earlier this month by announcing joint support for decentralized contacts tracing that was the bigger blow — with no prospect of platform-level technical restrictions being lifted. iOS limits background access to Bluetooth for privacy and security reasons, so national apps that do not meet this decentralized standard won’t benefit from API support — and will likely be far less usable, draining battery and functioning only if actively running.

Nonetheless PEPP-PT told journalists just over a week ago that it was engaged in fruitful discussions with Apple and Google about making changes to their approach to accommodate centralized protocols.

Notably, the tech giants never confirmed that claim. They have only since doubled down on the principle of decentralization for the cross-platform API for public health apps — and system-wide contacts tracing which is due to launch next month.

At the time of writing PEPP-PT’s spokesman, Hans-Christian Boos, had not responded to a request for comment on the German government withdrawing support.

Boos previously claimed PEPP-PT had around 40 governments lining up to join the standard. However in recent days the momentum in Europe has been going in the other direction. A number of academic institutions that had initially backed PEPP-PT have also withdrawn support.

In a statement emailed to TechCrunch, the DP-3T project welcomed Germany’s U-turn. “DP-3T is very happy to see that Germany is adopting a decentralized approach to contact tracing and we look forward to its next steps implementing such a technique in a privacy preserving manner,” the group told us.

Berlin’s withdrawal leaves France and the UK the two main regional backers of centralized apps for coronavirus contacts tracing. And while the German U-turn is certainly a hammer blow for the centralized camp in Europe the French government appears solid in its support — at least for now.

France has been developing a centralized coronavirus contacts tracing protocol, called ROBERT, working with Germany’s Fraunhofer Institute and others.

In an opinion issued Sunday, France’s data protection watchdog, the CNIL, did not take active issue with centralizing pseudonymized proximity IDs — saying EU law does not in principle forbid such a system — although the watchdog emphasized the need to minimize the risk of individuals being re-identified.

It’s notable that France’s digital minister, Cédric O, has been applying high profile public pressure to Apple over Bluetooth restrictions — telling Bloomberg last week that Apple’s policy is a blocker to the virus tracker.

Yesterday O was also tweeting to defend the utility of the planned ‘Stop Covid’ app.

We reached out to France’s digital ministry for comment on Germany’s decision to switch to a decentralized approach but at the time of writing the department had not responded.

In a press release today the government highlights the CNIL view that its approach is compliant with data protection rules, and commits to publishing a data protection impact assessment ahead of launching the app.

If France presses ahead it’s not clear how the country will avoid its app being ignored or abandoned by smartphone users who find it irritating to use. (Although it’s worth noting that Google’s Android platform has a substantial marketshare in the market, with circa 80% vs 20% for iOS, per Kantar.)

A debate in the French parliament tomorrow is due to include discussion of contacts tracing apps.

We’ve also reached out to the UK’s NHSX — which has been developing a COVID-19 contacts tracing app for the UK market — and will update this report with any response.

In a blog post Friday the UK public healthcare unit’s digital transformation division said it’s “working with Apple and Google on their welcome support for tracing apps around the world”, a PR line that entirely sidesteps the controversy around centralized vs decentralized app infrastructures.

The UK has previously been reported to be planning to centralize proximity data — raising questions about the efficacy of its planned app too, given iOS restrictions on background access to Bluetooth.

“As part of our commitment to transparency, we will be publishing the key security and privacy designs alongside the source code so privacy experts can ‘look under the bonnet’ and help us ensure the security is absolutely world class,” the NHSX’s Matthew Gould and Dr Geraint Lewis added in the statement.



from Apple – TechCrunch https://ift.tt/2SaSRyR
