11 votes

Contact tracing apps: Never mind privacy - they do not work

9 comments

  1. [9]
    skybrian
    Link
    I recently saw a detailed critique of the Brookings essay. I wonder whether traditional contact tracing would be considered to "work" if held to the same standards. It seems pretty lossy?

    I recently saw a detailed critique of the Brookings essay. I wonder whether traditional contact tracing would be considered to "work" if held to the same standards. It seems pretty lossy?

    3 votes
    1. [8]
      vektor
      Link Parent
      Absolutely. The blog post implies that the apps are supposed to give a clear-cut diagnoses. They're not. Chances are your alert is going to come up in the window between infection and...

      Absolutely. The blog post implies that the apps are supposed to give a clear-cut diagnoses. They're not. Chances are your alert is going to come up in the window between infection and infectiousness, so maybe 3 days after contact. For most people, infectiousness drops again quite quickly, lasting only a few days. You only have to blindly quarantine for a short time to have an effect. And he's also assuming that the professionals will be testing you while the app won't. Urgh, seriously. Every proposal in the history of ever says that apps need to be combined with testing. The app isn't supposed to do the work of the professionals, it's supposed to help them be faster. That's all this is. Hit the suspected cases quickly with a quarantine order, then verify infection. It's shoot first, ask questions second, sure, but that's what we need these days. Hell, stay-home is shoot first, ask questions never, so what's the big deal?

      To let out my snarky side, this guy sounds like the kind of person to be against self-driving cars because their accident rate is non-zero, even if the rate was a lot better than humans. Or he just completely missed the point of contact tracing apps.

      A valid argument he leaves us with is that of adoption rate. 20% in singapore is rather bad. Naively, that means 0.2*0.2 = 0.04 = 4% of contact pairs are adequately equipped. That's not good. It'll only make a minor dent in the workload of the contact tracers. But again, let's not let perfect be the enemy of good enough. Particularly considering some of the western apps will be a lot more privacy-friendly and can hope for higher adoption.

      6 votes
      1. [7]
        cfabbro
        (edited )
        Link Parent
        I love Bruce Schneier and have been following his blog for over a decade now. When it comes to matters of network security, cryptography, computer forensics, technology legislation, etc. he is...

        I love Bruce Schneier and have been following his blog for over a decade now. When it comes to matters of network security, cryptography, computer forensics, technology legislation, etc. he is incredibly well informed and his opinions usually worth seriously considering. However, he is also a privacy zealot (which isn't bad thing in this age of consistent privacy erosion and mass surveillance), and when he is talking about issues outside his wheelhouse that bias definitely factors into his opinions.

        And I suspect that is exactly what is happening here; He knows the privacy arguments against contact tracing apps have largely already been addressed by Google & Apple, so he is instead trying a different tactic to dissuade people from using them (and is on shaky ground as a result). So even though I am a huge fan of his, I would definitely recommend taking this particular criticism of contact tracing apps with a giant bag of salt, and I'm personally gonna side with the epidemiologists and healthcare data scientists on this one. ;)

        5 votes
        1. [6]
          skybrian
          Link Parent
          To be fair, I think he has legit concerns and I don't think they're based on zealotry. We all know from experience that dialog boxes warning of computer security issues are often ignored. However,...

          To be fair, I think he has legit concerns and I don't think they're based on zealotry. We all know from experience that dialog boxes warning of computer security issues are often ignored.

          However, it might play out differently. Often, a hacker only needs to succeed once, or at a very low rate. Preventing the spread of a real virus is a population-level numbers game and it matters more what most people will do in the common case.

          I don't know whether contact tracing apps will work, but I don't think he's proven that it's not worth trying.

          2 votes
          1. [5]
            cfabbro
            (edited )
            Link Parent
            They may turn out to be legit concerns, but even still, I honestly do think they are mainly stemming from his zealotry. And what I mean by that is, I suspect Bruce wants contact tracing apps to...

            They may turn out to be legit concerns, but even still, I honestly do think they are mainly stemming from his zealotry. And what I mean by that is, I suspect Bruce wants contact tracing apps to still be a bad idea even if all the privacy issues were sorted out with them, because the very concept of them makes him deeply uncomfortable due to his ideology, and as a result he may have fallen prey to a bit of confirmation bias here. I.e. He is willing to seek out, put forth, and defend much flimsier evidence and lines of reasoning that supports him than he would otherwise normally accept under other circumstances, and is also much less likely to seek out, share, or accept any contrary evidence as well.

            I didn't mean to imply that he should be outright dismissed... it's just that, IMO, people should really be aware of his incredibly strong views on privacy, deeply held fears of the surveillance State (which he has written dozens of blog posts, several essays, and a book about), and the potential biases that may stem from that. Again, I would just recommend taking what he claims in this particular post with, not just a pinch, but instead a giant bag of salt. ;)

            1. [4]
              skybrian
              Link Parent
              Well, if you say so. I only occasionally read his work (blog posts, not books) and had assumed that he keeps writing about security stuff because this is his field of expertise, the thing he's...

              Well, if you say so. I only occasionally read his work (blog posts, not books) and had assumed that he keeps writing about security stuff because this is his field of expertise, the thing he's built his career on. There's plenty to complain about since the security failures get more dramatic every year.

              Anyway, I'm glad the Google/Facebook proposal is getting attention from experts (including paranoid experts) since it will probably be improved because of the attention. Hopefully the issues aren't so bad it has to be abandoned.

              1 vote
              1. [3]
                cfabbro
                Link Parent
                I mean, yeah, that is why he writes about security, and I'm not going to disagree with the latter part of your statement since I wholeheartedly agree. But contact tracing as a concept is not...

                and had assumed that he keeps writing about security stuff because this is his field of expertise, the thing he's built his career on. There's plenty to complain about since the security failures get more dramatic every year.

                I mean, yeah, that is why he writes about security, and I'm not going to disagree with the latter part of your statement since I wholeheartedly agree. But contact tracing as a concept is not really security related and well outside his field of expertise, which is why him taking this angle to attack it is a bit of a red flag to me. :P

                1 vote
                1. [2]
                  skybrian
                  Link Parent
                  Designing these apps will require knowledge about software and user experience and Bluetooth and cryptography, which are all things computer security experts do think about and have experience...

                  Designing these apps will require knowledge about software and user experience and Bluetooth and cryptography, which are all things computer security experts do think about and have experience with. So I think this is an area where cross-discipline collaboration is a good idea and computer security experts do have interesting things to say.

                  I think it's just an exaggerated take on things, where good questions get written up as definitive answers.

                  1 vote
                  1. cfabbro
                    (edited )
                    Link Parent
                    I absolutely agree there... but unfortunately that's not what Bruce seems to be focusing on here. IMO he is not acting in a spirit of collaboration, but seems to instead be trying to undermine the...

                    Designing these apps will require knowledge about software and user experience and Bluetooth and cryptography, which are all things computer security experts do think about and have experience with. So I think this is an area where cross-discipline collaboration is a good idea and computer security experts do have interesting things to say.

                    I absolutely agree there... but unfortunately that's not what Bruce seems to be focusing on here. IMO he is not acting in a spirit of collaboration, but seems to instead be trying to undermine the concept of contact tracing as a whole, using a fundamental misunderstanding of its purpose, and rather flimsy arguments.

                    1 vote