Covid Tracking App - Now Live

jmcc

Well-known member
Joined
Jun 12, 2004
Messages
46,239
The app runs on Android 6 or higher and some phones running those versions are no longer receiving updates. It's hard to know exactly how many though. And of course any issues are not specific to the Covid app.
There's data provided during a HTTP/HTTPS connection that could identify a lot of the devices from the user agent field (User agent - Wikipedia) if it is provided. Websites often use it to determine which version of a website the user sees on their device (mobile version or desktop version).
 


greencharade

Well-known member
Joined
May 10, 2019
Messages
764
The app runs on Android 6 or higher and some phones running those versions are no longer receiving updates. It's hard to know exactly how many though. And of course any issues are not specific to the Covid app.


Are you saying they are not legally compliant as a result of this recent EU court decision? It's a bit soon to be pointing the finger as a result of that. The Data Protection Commissioner seems to be happy enough.
The Data Protection Commission - that has strung out acting against Facebook for years? Come on.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
Let's keep Facebook out of it. What exactly is your privacy concern with this app?
Maybe you could have read back through the thread for this.

- Installing this app on android requires location tracking by Google to be turned on. This is a big privacy exposure.
- HSE claims that IP address cannot tracked due to infrastructure set-up. Only possible if logging is turned off at significant gates. No information from HSE on this.
- Data associated with this app is processed in the US - SMS message linking phone to exposure key, and possibly deeper AWS stuff. US only a couple of days ago has been found by the ECJ not to be capable of complying with EU data protection requirements.
- No attempt by HSE to address user questions - just trust us, we know best.
- Legal framework is such that once you have been automatically identified as a contact, you are now liable, and if identified, may be subject to mandatory physical testing and isolation. This in the face of unproven contact technology and secret algorithms.
 
Last edited:

jmcc

Well-known member
Joined
Jun 12, 2004
Messages
46,239
- Installing this app on android requires location tracking by Google to be turned on. This is a big privacy exposure.
It looks more like an unintended consequence of using someone else's code rather than intentional. HSE should make it clear that other apps would have their settings updated/reset due to this.

- HSE claims that IP address cannot tracked due to infrastructure set-up. Only possible if logging is turned off at signicant gates. No information from HSE on this.
I don't think that they quite understand the use and accuracy of IP address WHOIS data. Most people do not. With a predominantly ISP based userbase, the ownership data on the IP addresses is going to be that of the ISP rather than the individual. With the lists of IP addresses by country, the minimum number of addresses is 256 (a /24 or C). With the shortage of IPv4 addresses (aaa.bbb.ccc.ddd), many ISPs (where they allocate ownership of a range of IPs) will only give a small number (much less than 256) of IPs to a user and typically that user is a business user. With most ISPs, the IP address assigned to a user is dynamic. It changes. The address can be assigned just for a call or for a few days. It is possible for an app user to hit the site via a number of IP addresses. As a single method of identifying users, it is not reliable.

- Data associated with this app is processed in the US - SMS message linking phone to exposure key, and possibly deeper AWS stuff. US only a couple of days ago has been found by the ECJ not to be capable of complying with EU data protection requirements.
This may be an issue and it would have to be dealt with in light of the ruling.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
I don't think that they quite understand the use and accuracy of IP address WHOIS data. Most people do not. With a predominantly ISP based userbase, the ownership data on the IP addresses is going to be that of the ISP rather than the individual. With the lists of IP addresses by country, the minimum number of addresses is 256 (a /24 or C). With the shortage of IPv4 addresses (aaa.bbb.ccc.ddd), many ISPs (where they allocate ownership of a range of IPs) will only give a small number (much less than 256) of IPs to a user and typically that user is a business user. With most ISPs, the IP address assigned to a user is dynamic. It changes. The address can be assigned just for a call or for a few days. It is possible for an app user to hit the site via a number of IP addresses. As a single method of identifying users, it is not reliable.
If ISP IP addressing is so unreliable, mobile phone billing would never work.
 

Orbit v2

Well-known member
Joined
Dec 8, 2010
Messages
12,494
Maybe you could have read back through the thread for this.

- Installing this app on android requires location tracking by Google to be turned on. This is a big privacy exposure.
Location services need to be turned on, but the app cannot access your location
- HSE claims that IP address cannot tracked due to infrastructure set-up. Only possible if logging is turned off at significant gates. No information from HSE on this.
What do you mean no information? They made it clear that IP addresses are stripped at the entry point. Whether you believe them or not is a different question.
- Data associated with this app is processed in the US - SMS message linking phone to exposure key, and possibly deeper AWS stuff. US only a couple of days ago has been found by the ECJ not to be capable of complying with EU data protection requirements.
Yes, the SMS gateway is in the US. They have said the AWS processing is done in Ireland. Again, your choice whether to believe them or not
- No attempt by HSE to address user questions - just trust us, we know best.
Ditto. There is nothing further they can do to address these "user questions".
- Legal framework is such that once you have been automatically identified as a contact, you are now liable, and if identified, may be subject to mandatory physical testing and isolation. This in the face of unproven contact technology and secret algorithms.
The algorithm is public and open. As regards being liable, that's tin foil hat stuff. There's going to be a minority (hopefully) who think this way, that the gubbermint is going to lock you up, if you engage with their public health efforts.
 

jmcc

Well-known member
Joined
Jun 12, 2004
Messages
46,239
If ISP IP addressing is so unreliable, mobile phone billing would never work.
The ISP assigns the IP address. It knows who has which IP address and for how long. The ownership data of the IP address will, typically, show the details of the ISP rather than that of the user. This means that merely having the IP address of the device that connects to the site is not enough, in itself, to identify the user.
 

Orbit v2

Well-known member
Joined
Dec 8, 2010
Messages
12,494
If ISP IP addressing is so unreliable, mobile phone billing would never work.
It's completely unreliable for locating people which has nothing to do with billing. The ISPs can match IP addresses to users but not people outside the ISP (unless instructed to do so by a court)
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
It's completely unreliable for locating people which has nothing to do with billing. The ISPs can match IP addresses to users but not people outside the ISP (unless instructed to do so by a court)
Go back and read through the thread. You are regurgitating points already addressed.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
The algorithm is public and open. As regards being liable, that's tin foil hat stuff. There's going to be a minority (hopefully) who think this way, that the gubbermint is going to lock you up, if you engage with their public health efforts.
Please show the algorithm for determining contact distance, and the associated algorithm for determining notifiable exposure.
 

Orbit v2

Well-known member
Joined
Dec 8, 2010
Messages
12,494
Please show the algorithm for determining contact distance, and the associated algorithm for determining notifiable exposure.
I thought you were concerned about privacy. The algorithm for generating the broadcast IDs is published and clearly shows it is anonymous. The algorithm for determining contact distance has nothing to do with privacy. It's basically about measuring received signal strength of the broadcast bluetooth identifiers.
 
D

Deleted member 14257

The comments are more interesting (and more accurate) than the Tweet. :)
Indeed as its Google play services. I have been trying to wean off Google. Others such as limrem 5 or huwaei or open source software lineage os might be useful or beneficial.
 

Orbit v2

Well-known member
Joined
Dec 8, 2010
Messages
12,494
IP address (a rough proxy for location)
How rough though? Try it out by googling "what's my ip address" and DONT grant the page access to your location ... you want it to figure it out from your IP address, not by telling it where you are regardless. ;)

For me, on mobile data it says "Dublin, Leinster" (pretty rough) on fixed broadband it identifies the local town which I am several km from (still pretty rough). On my work VPN, it would say a different country which is plain wrong.

So, IP addresses are not a reliable proxy for location, nor ever an accurate proxy for location.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
How rough though? Try it out by googling "what's my ip address" and DONT grant the page access to your location ... you want it to figure it out from your IP address, not by telling it where you are regardless. ;)

For me, on mobile data it says "Dublin, Leinster" (pretty rough) on fixed broadband it identifies the local town which I am several km from (still pretty rough). On my work VPN, it would say a different country which is plain wrong.

So, IP addresses are not a reliable proxy for location, nor ever an accurate proxy for location.
Well you better take that up with Mr. Google. They think they have a very good idea, presumably due to the combination of all the data they collect, which might include things like which mobile mast you are connected to, which Wifi hotspot you are using, which take-away you ordered food from, which fuel stations you use, etc etc.
 

Orbit v2

Well-known member
Joined
Dec 8, 2010
Messages
12,494
Well you better take that up with Mr. Google. They think they have a very good idea, presumably due to the combination of all the data they collect, which might include things like which mobile mast you are connected to, which Wifi hotspot you are using, which take-away you ordered food from, which fuel stations you use, etc etc.
Why would I need to take that up with Google? The statement in the paper was that "IP addresses are a rough proxy for location" and I was showing just how rough they are.

This is important because various people are trying very hard to find something wrong with the architecture of these covid tracker apps and the fact that the apps have access to your IP address is one of the lines they are pursuing.
 

greencharade

Well-known member
Joined
May 10, 2019
Messages
764
Why would I need to take that up with Google? The statement in the paper was that "IP addresses are a rough proxy for location" and I was showing just how rough they are.

This is important because various people are trying very hard to find something wrong with the architecture of these covid tracker apps and the fact that the apps have access to your IP address is one of the lines they are pursuing.
Because, as has already been discussed, IP address can be linked to mobile phone subscription, which can be linked to name and address. Or, IP address can be linked to payment service provider, can be linked to name and address. Or, IP address can be linked to electricity company, can be linked to name and address. And so on. Warrant not required for the data access in all cases.
 


New Threads

Most Replies

Top Bottom