The report is thorough, informative, and technically competent, IMO.
It loses marks for not being a "single-purpose app", as the same app also provides you with a way to track your own symptoms.
It loses a lot of marks for "necessity and proportionality" on the grounds of not providing documents that prove or support such an app as being useful for contact tracing, even if it works. Surely they could give the benefit of the doubt here. And in a separate section they give it a D for "effectiveness" citing studies that it probably just won't work and will have too many false positives.
More marks lost for relying on closed Google/Apple APIs, using Twilio to send text messages, not having a Github issue tracker...
I think they make a lot of good points but when I think about what it would take for an app to move from a C+ to an A under this framework, it looks like 80% box ticking and 20% addressing serious privacy concerns.
Firstly, surely there's a known mitigation here - replay attacks involving a delay can be mitigated by including a cryptographically signed timestamp in your beacon messages. Secondly, the damage from an attacker sending false negatives and false positives seems small compared to the privacy implications of deanonymization attacks (e.g. attacker listens for the beacons in several buses, offices or shopping centres, later identifies which ones were reported covid-positive, groups those into clusters each likely associated with an individual, and cross-references the location data with identifying data from another source). Why call out one but not the other?
Except they didn't.
I personally find this hilarious, but good, as compatibility between the apps is really important given the existence of the Common Travel Area between Ireland and the UK.
British exceptionalism at its finest: "Why would we do this easy thing when we can do it worse ourselves?"
'Mr Johnson claimed on Wednesday that “no country in the world has a working contact-tracing app”. But the German app has been downloaded 13m times and Gibraltar’s has had good initial take-up.
The British territory started working on a tracing app based on open source code developed by the Irish government and the Google-Apple platform in early May. As the UK was taking the decision to scrap its £12m app effort on June 18, Gibraltar launched its version.
Officials estimate a fifth of the population has downloaded it so far, at a cost of less than £100,000.'
Not sure (from a quick read) if the rest of the UK is going to go with the same/similar codebase.
https://www.ft.com/content/9446192a-aff1-4e95-93fb-a5adfbc7b...
From skimming respectable non-technical sources it's apparently not very invasive of my privacy, and won't kill my battery. But this is likely copied from the HSE press release; I'd like to hear the same from an independent reviewer.
In fact, using this app will be helpful, as long as enough people do it. So you should definitely use it.
https://github.com/HSEIreland/covid-tracker-app/tree/master/...
(of course we also know that limited disclosure apps not based on this framework developed in Australia, the UK, and France definitely don't work because of bluetooth issues)
(edited to add
See this paper out of Ireland: https://www.scss.tcd.ie/Doug.Leith/pubs/bus.pdf
One of the best use cases for apps like this is public transport, except that it doesn't seem to work on buses. Hopefully it works better on trains but given the similarly complex metal environment, I wouldn't hold out much hope.)
Tracker apps are partially what the massive TSA-implementation programme was in the States post 9/11, i.e. security theater combined with the illusion that the dominant paradigm of that time (force/projecting power in the early 2000s, technology in our present times) is a silver bullet.
History will look at these 'apps' and will make conclusions based on their effectiveness, and the ones that are more privacy preserving will likely not rate highly on impact or usefulness.
If anything, this pandemic has given authoritarian regimes the capability of monitoring their populace 24/7 with wearable gadgets and apps that collect location/contact and other information.
To me, it highlights the importance of not using apps where possible, and further highlights how smartphones are spies for the governments around the world.
I think Apple and Google should make contact tracing built-in and on by default; plus, ideally, there should be enforcement of activation by all places that require you to pass a thermal scanner to enter.
The Apple/Google protocol is privacy preserving, so there is no "spy" concern.