A coalition of EU scientists and technologists that’s developing what’s billed as a “privacy-preserving” standard for Bluetooth-based proximity tracking, as a proxy for COVID-19 infection risk, wants Apple and Google to make changes to an API they’re developing for the same overarching purpose.
The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) uncloaked on April 1, calling for developers of contact tracing apps to get behind a standardized approach to processing smartphone users’ data to coordinate digital interventions across borders and shrink the risk of overly intrusive location-tracking tools gaining momentum as a result of the pandemic.
PEPP-PT said today it has seven governments signed up to apply its approach to national apps, with a claimed pipeline of a further 40 in discussions about joining.
“We now have a lot of governments interacting,” said PEPP-PT’s Hans-Christian Boos, speaking during a webinar for journalists. “Some governments are publicly declaring that their local applications will be built on top of the principles of PEPP-PT and also the various protocols supplied inside this initiative.
“We know of seven countries that have already committed to do this — and we’re currently in conversation with 40 countries that are in various states of onboarding.”
Boos said a list of the governments would be shared with journalists, though at the time of writing we haven’t seen it. But we’ve asked PEPP-PT’s PR firm for the info and will update this report when we get it.
“The pan-European approach has worked,” he added. “Governments have decided at a speed previously unknown. But with 40 more countries in the queue of onboarding we definitely have outgrown just the European focus — and to us this shows that privacy as a model and as a discussion point… is a statement and it is something that we can export because we’re credible on it.”
Paolo de Rosa, the CTO at the Ministry of Innovation Technology and Digital Transformation for the Italian government, was also on the webinar — and confirmed its national app will be built on top of PEPP-PT.
“We will have an app soon and obviously it will be based on this model,” he said, offering no further details.
PEPP-PT’s core “privacy-preserving” claim rests on the use of system architectures that do not require location data to be collected. Rather devices that come near each other would share pseudonymized IDs — which could later be used to send notifications to an individual if the system calculates an infection risk has occurred. An infected individual’s contacts would be uploaded at the point of diagnosis — allowing notifications to be sent to other devices with which had come into contact.
Boos, a spokesman for and coordinator of PEPP-PT, told TechCrunch earlier this month the project will support both centralized and decentralized approaches. The former meaning IDs are uploaded to a trusted server, such as one controlled by a health authority; the latter meaning IDs are held locally on devices, where the infection risk is also calculated — a backend server is only in the loop to relay info to devices.
It’s just such a decentralized contacts tracing system that Apple and Google are collaborating on supporting — fast-following PEPP-PT last week by announcing a plan for cross-platform COVID-19 contacts tracing via a forthcoming API and then a system-wide (opt-in) for Bluetooth-based proximity tracking.
That intervention, by the only two smartphone platforms that matter when the ambition is mainstream adoption, is a major development — putting momentum behind decentralized contacts tracing for responding digitally to the coronavirus crisis in the Western world, certainly at the platform level.
In a resolution passed today the European parliament also called for a decentralized approach to COVID-19 proximity tracking.
MEPs are pushing for the Commission and Member States to be “fully transparent on the functioning of contact tracing apps, so that people can verify both the underlying protocol for security and privacy and check the code itself to see whether the application functions as the authorities are claiming.” (The Commission has previously signaled a preference for decentralization too.)
However, backers of PEPP-PT, which include at least seven governments (and the claim of many more), aren’t giving up on the option of a “privacy-preserving” centralized option — which some in their camp are dubbing “pseudo-decentralized” — with Boos claiming today that discussions are ongoing with Apple and Google about making changes to their approach.
As it stands, contacts tracing apps that don’t use a decentralized infrastructure won’t be able to carry out Bluetooth tracking in the background on Android or iOS — as the platforms limit how general apps can access Bluetooth. This means users of such apps would have to have the app open and active all the time for proximity tracking to function, with associated (negative) impacts on battery life and device usability.
There are also (intentional) restrictions on how contacts tracing data could be centralized, as a result of the relay server model being deployed in the joint Apple-Google model.
“We very much appreciate that Google and Apple are stepping up to making the operating system layer available — or putting what should be the OS actually there, which is the Bluetooth measurement and the handling of crypto and the background running of such tasks which have to keep running resiliently all the time — if you look at their protocols and if you look at whom they are provided by, the two dominant players in the mobile ecosystem, then I think that from a government perspective especially, or from lots of government perspectives, there are many open points to discuss,” said Boos today.
“From a PEPP-PT perspective there are a few points to discuss because we want choice and implementing choice in terms of model — decentralized or centralized on top of their protocol creates actually the worst of both worlds — so there are many points to discuss. But contrary to the behavior that many of us who work with tech companies are used to Google and Apple are very open in these discussions and there’s no point in getting up in arms yet because these discussions are ongoing and it looks like agreement can be reached with them.”
It wasn’t clear what specific changes PEPP-PT wants from Apple and Google — we asked for more detail during the webinar but didn’t get a response. But the group and its government backers may be hoping to dilute the tech giants’ stance to make it easier to create centralized graphs of Bluetooth contacts to feed national coronavirus responses.
As it stands, Apple and Google’s API is designed to block contact matching on a server — though there might still be ways for governments (and others) to partially work around the restrictions and centralize some data.
We reached out to Apple and Google with questions about the claimed discussions with PEPP-PT. At the time of writing, neither had responded.
As well as Italy, the German and French governments are among those that have indicated they’re backing PEPP-PT for national apps — which suggests powerful EU Member States could be squaring up for a fight with the tech giants, along the lines of Apple versus the FBI, if pressure to tweak the API fails.
Another key strand to this story is that PEPP-PT continues to face strident criticism from privacy and security experts in its own backyard — including after it removed a reference to a decentralized protocol for COVID-19 contacts tracing that’s being developed by another European coalition, comprised of privacy and security experts, called DP-3T.
Coindesk reported on the silent edit to PEPP-PT’s website yesterday.
Backers of DP-3T have also repeatedly queried why PEPP-PT hasn’t published code or protocols for review to-date — and even gone so far as to dub the effort a “trojan horse.”
#DP3T entered as a candidate to so-called PEPP-PT in good faith, but it is now clear that powerful actors pushing centralised databases of Bluetooth contact tracing do not, and will not, act in good faith.
ETH Zürich’s Dr. Kenneth Paterson, who is both a part of the PEPP-PT effort and a designer of DP-3T, couldn’t shed any light on the exact changes the coalition is hoping to extract from “Gapple” when we asked.
“They’ve still not said exactly how their system would work, so I can’t say what they would need [in terms of changes to Apple and Google’s system],” he told us in an email exchange.
Today Boos couched the removal of the reference to DP-3T on PEPP-PT’s website as a mistake — which he blamed on “bad communication.” He also claimed the coalition is still interested in including the former’s decentralized protocol within its bundle of standardized technologies. So the already sometimes fuzzy lines between the camps continue to be redrawn. (It’s also interesting to note that press emails to Boos are now being triaged by Hering Schuppener, a communications firm that sells publicity services, including crisis PR.)
“We’re really sorry for that,” Boos said of the DP-3T excision. “Actually we just wanted to put the various options on the same level that are out there. There are still all these options and we very much appreciate the work that colleagues and others are doing.
“You know there is a hot discussion in the crypto community about this and we actually encourage this discussion because it’s always good to improve on protocols. What we must not lose sight of is… that we’re not talking about crypto here, we’re talking about pandemic management and as long as an underlying transport layer can ensure privacy that’s good enough because governments can choose whatever they want.”
Boos also said PEPP-PT would finally be publishing some technical documents this afternoon — opting to release information some three weeks after its public unveiling and on a Friday evening (a seven-page ‘high level overview’ has since been put on their GitHub here [this link has since been deleted – Ed.] — but still a far cry from code for review) — while making a simultaneous plea for journalists to focus on the “bigger picture” of fighting the coronavirus rather than keep obsessing over technical details.
During today’s webinar some of the scientists backing PEPP-PT talked about how they’re testing the efficacy of Bluetooth as a proxy for tracking infection risk.
“The algorithm that we’ve been working on looks at the cumulative amount of time that individuals spend in proximity with each other,” said Christophe Fraser, professor at the Nuffield Department of Medicine and Senior Group Leader in Pathogen Dynamics at the Big Data Institute, University of Oxford, offering a general primer on using Bluetooth proximity data for tracking viral transmission.
“The aim is to predict the probability of transmission from the phone proximity data. So the ideal system reduces the requested quarantine to those who are the most at risk of being infected and doesn’t give the notification — even though some proximity event was recorded — to those people who’re not at risk of being infected.”
“Obviously that’s going to be an imperfect process,” he went on. “But the key point is that in this innovative approach that we should be able to audit the extent to which that information and those notifications are correct — so we need to actually be seeing, of the people who have been sent the notification how many of them actually were infected. And of those people who were identified as contacts, how many weren’t.
“Auditing can be done in many different ways for each system but that step is crucial.”
Evaluating the effectiveness of the digital interventions will be vital, per Fraser — whose presentation could have been interpreted as making a case for public health authorities to have fuller access to contacts graphs. But it’s important to note that DP-3T’s decentralized protocol makes clear provision for app users to opt-in to voluntarily share data with epidemiologists and research groups to enable them to reconstruct the interaction graph among infected and at risk users (aka to get access to a proximity graph).
“It’s really important that if you’re going to do an intervention that is going to affect millions of people — in terms of these requests to [quarantine] — that that information be the best possible science or the best possible representation of the evidence at the point at which you give the notification,” added Fraser. “And therefore as we progress forwards that evidence — our understanding of the transmission of the virus — is going to improve. And in fact auditing of the app can allow that to improve, and therefore it seems essential that that information be fed back.”
None of the PEPP-PT-aligned apps that are currently being used for testing or reference are interfacing with national health authority systems, per Boos — though he cited a test in Italy that’s been plugged into a company’s health system to run tests.
“We have supplied the application builders with the backend, we have supplied them with sample code, we have supplied them with protocols, we have supplied them with the science of measurement, and so on and so forth. We have a working application that simply has no integration into a country’s health system — on Android and on iOS,” he noted.
On its website PEPP-PT lists a number of corporate “members” as backing the effort — including the likes of Vodafone — alongside several research institutions including Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) which has been reported as leading the effort.
The HHI’s executive director, Thomas Wiegand, was also on today’s call. Notably, his name initially appeared on the authorship list for the DP-3T’s white paper. However, on April 10 he was removed from the README and authorship list, per its GitHub document history. No explanation for the change was given.
During today’s press conference Wiegand made an intervention that seems unlikely to endear him to the wider crypto and digital rights community — describing the debate around which cryptography system to use for COVID-19 contacts tracing as a ‘side show’ and expressing concern that what he called Europe’s “open public discussion” might “destroy our ability to get ourselves as Europeans out of this.”
“I just wanted to make everyone aware of the difficulty of this problem,” he also said. “Cryptography is only one of 12 building blocks in the system. So I really would like to have everybody go back and reconsider what problem we are in here. We have to win against this virus… or we have another lockdown or we have a lot of big problems. I would like to have everybody to consider that and to think about it because we have a chance if we get our act together and really win against the virus.”
The press conference had an even more inauspicious start after the Zoom call was disrupted by racist spam in the chat field. Right before that Boos had kicked off the call saying he had heard from “some more technically savvy people that we should not be using Zoom because it’s insecure — and for an initiative that wants security and privacy it’s the wrong tool.”
“Unfortunately we found out that many of our international colleagues only had this on their corporate PCs so over time either Zoom has to improve — or we need to get better installations out there. It’s certainly not our intention to leak the data on this Zoom,” he added.
The federal government is ordering the dissolution of TikTok’s Canadian business after a national security review of the Chinese company behind the social media platform, but stopped short of ordering people to stay off the app.
Industry Minister François-Philippe Champagne announced the government’s “wind up” demand Wednesday, saying it is meant to address “risks” related to ByteDance Ltd.’s establishment of TikTok Technology Canada Inc.
“The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners,” he said in a statement.
The announcement added that the government is not blocking Canadians’ access to the TikTok application or their ability to create content.
However, it urged people to “adopt good cybersecurity practices and assess the possible risks of using social media platforms and applications, including how their information is likely to be protected, managed, used and shared by foreign actors, as well as to be aware of which country’s laws apply.”
Champagne’s office did not immediately respond to a request for comment seeking details about what evidence led to the government’s dissolution demand, how long ByteDance has to comply and why the app is not being banned.
A TikTok spokesperson said in a statement that the shutdown of its Canadian offices will mean the loss of hundreds of well-paying local jobs.
“We will challenge this order in court,” the spokesperson said.
“The TikTok platform will remain available for creators to find an audience, explore new interests and for businesses to thrive.”
The federal Liberals ordered a national security review of TikTok in September 2023, but it was not public knowledge until The Canadian Press reported in March that it was investigating the company.
At the time, it said the review was based on the expansion of a business, which it said constituted the establishment of a new Canadian entity. It declined to provide any further details about what expansion it was reviewing.
A government database showed a notification of new business from TikTok in June 2023. It said Network Sense Ventures Ltd. in Toronto and Vancouver would engage in “marketing, advertising, and content/creator development activities in relation to the use of the TikTok app in Canada.”
Even before the review, ByteDance and TikTok were lightning rod for privacy and safety concerns because Chinese national security laws compel organizations in the country to assist with intelligence gathering.
Such concerns led the U.S. House of Representatives to pass a bill in March designed to ban TikTok unless its China-based owner sells its stake in the business.
Champagne’s office has maintained Canada’s review was not related to the U.S. bill, which has yet to pass.
Canada’s review was carried out through the Investment Canada Act, which allows the government to investigate any foreign investment with potential to might harm national security.
While cabinet can make investors sell parts of the business or shares, Champagne has said the act doesn’t allow him to disclose details of the review.
Wednesday’s dissolution order was made in accordance with the act.
The federal government banned TikTok from its mobile devices in February 2023 following the launch of an investigation into the company by federal and provincial privacy commissioners.
— With files from Anja Karadeglija in Ottawa
This report by The Canadian Press was first published Nov. 6, 2024.
LONDON (AP) — Most people have accumulated a pile of data — selfies, emails, videos and more — on their social media and digital accounts over their lifetimes. What happens to it when we die?
It’s wise to draft a will spelling out who inherits your physical assets after you’re gone, but don’t forget to take care of your digital estate too. Friends and family might treasure files and posts you’ve left behind, but they could get lost in digital purgatory after you pass away unless you take some simple steps.
Here’s how you can prepare your digital life for your survivors:
Apple
The iPhone maker lets you nominate a “ legacy contact ” who can access your Apple account’s data after you die. The company says it’s a secure way to give trusted people access to photos, files and messages. To set it up you’ll need an Apple device with a fairly recent operating system — iPhones and iPads need iOS or iPadOS 15.2 and MacBooks needs macOS Monterey 12.1.
For iPhones, go to settings, tap Sign-in & Security and then Legacy Contact. You can name one or more people, and they don’t need an Apple ID or device.
You’ll have to share an access key with your contact. It can be a digital version sent electronically, or you can print a copy or save it as a screenshot or PDF.
Take note that there are some types of files you won’t be able to pass on — including digital rights-protected music, movies and passwords stored in Apple’s password manager. Legacy contacts can only access a deceased user’s account for three years before Apple deletes the account.
Google
Google takes a different approach with its Inactive Account Manager, which allows you to share your data with someone if it notices that you’ve stopped using your account.
When setting it up, you need to decide how long Google should wait — from three to 18 months — before considering your account inactive. Once that time is up, Google can notify up to 10 people.
You can write a message informing them you’ve stopped using the account, and, optionally, include a link to download your data. You can choose what types of data they can access — including emails, photos, calendar entries and YouTube videos.
There’s also an option to automatically delete your account after three months of inactivity, so your contacts will have to download any data before that deadline.
Facebook and Instagram
Some social media platforms can preserve accounts for people who have died so that friends and family can honor their memories.
When users of Facebook or Instagram die, parent company Meta says it can memorialize the account if it gets a “valid request” from a friend or family member. Requests can be submitted through an online form.
The social media company strongly recommends Facebook users add a legacy contact to look after their memorial accounts. Legacy contacts can do things like respond to new friend requests and update pinned posts, but they can’t read private messages or remove or alter previous posts. You can only choose one person, who also has to have a Facebook account.
You can also ask Facebook or Instagram to delete a deceased user’s account if you’re a close family member or an executor. You’ll need to send in documents like a death certificate.
TikTok
The video-sharing platform says that if a user has died, people can submit a request to memorialize the account through the settings menu. Go to the Report a Problem section, then Account and profile, then Manage account, where you can report a deceased user.
Once an account has been memorialized, it will be labeled “Remembering.” No one will be able to log into the account, which prevents anyone from editing the profile or using the account to post new content or send messages.
X
It’s not possible to nominate a legacy contact on Elon Musk’s social media site. But family members or an authorized person can submit a request to deactivate a deceased user’s account.
Passwords
Besides the major online services, you’ll probably have dozens if not hundreds of other digital accounts that your survivors might need to access. You could just write all your login credentials down in a notebook and put it somewhere safe. But making a physical copy presents its own vulnerabilities. What if you lose track of it? What if someone finds it?
Instead, consider a password manager that has an emergency access feature. Password managers are digital vaults that you can use to store all your credentials. Some, like Keeper,Bitwarden and NordPass, allow users to nominate one or more trusted contacts who can access their keys in case of an emergency such as a death.
But there are a few catches: Those contacts also need to use the same password manager and you might have to pay for the service.
___
Is there a tech challenge you need help figuring out? Write to us at onetechtip@ap.org with your questions.
LONDON (AP) — Britain’s competition watchdog said Thursday it’s opening a formal investigation into Google’s partnership with artificial intelligence startup Anthropic.
The Competition and Markets Authority said it has “sufficient information” to launch an initial probe after it sought input earlier this year on whether the deal would stifle competition.
The CMA has until Dec. 19 to decide whether to approve the deal or escalate its investigation.
“Google is committed to building the most open and innovative AI ecosystem in the world,” the company said. “Anthropic is free to use multiple cloud providers and does, and we don’t demand exclusive tech rights.”
San Francisco-based Anthropic was founded in 2021 by siblings Dario and Daniela Amodei, who previously worked at ChatGPT maker OpenAI. The company has focused on increasing the safety and reliability of AI models. Google reportedly agreed last year to make a multibillion-dollar investment in Anthropic, which has a popular chatbot named Claude.
Anthropic said it’s cooperating with the regulator and will provide “the complete picture about Google’s investment and our commercial collaboration.”
“We are an independent company and none of our strategic partnerships or investor relationships diminish the independence of our corporate governance or our freedom to partner with others,” it said in a statement.
The U.K. regulator has been scrutinizing a raft of AI deals as investment money floods into the industry to capitalize on the artificial intelligence boom. Last month it cleared Anthropic’s $4 billion deal with Amazon and it has also signed off on Microsoft’s deals with two other AI startups, Inflection and Mistral.