COVID-19 contact tracing has rolled out to all Android/iOS devices this week. In other words, big tech just dropped a change to your OS without any real notice/consent.

On iOS go to Settings -> Health -> COVID-19 Exposure Logging (screenshots at the end).

On Android go to Settings and you will find a Google option:

Under Google settings, you now can select COVID-19:

There you will find that Google needs both Bluetooth and location tracking to be enabled, although they claim while location data needs to be collected, it also won’t be collected:

Confused? You should be. Bluetooth is a terrible protocol for tracing contact as it just reads everyone’s MAC addresses. It’s being used because other options are not as easy to violate for a clumsy contact tracing agenda.

There are two problems in Bluetooth, both related to privacy:

1. Before Bluetooth version 4.2 the MAC addresses were static, which was a major privacy issue (and exploited by law enforcement using widely systems like Bluetooth Travel Time Origin and Destination (BlueTOAD), as I’ve spoken about publicly many times). After Bluetooth version 4.2 the devices started to use rolling MAC addresses for privacy protection. Google and Apple have designed their system to overcome this privacy benefit, by issuing everyone a set of tokens that can be mapped back to the device.
2. Aside from the privacy of its identity getting in the way, Bluetooth also doesn’t record distance accurately. Strength of signal isn’t a reliable measure, given all kinds of interference variables. Thus Apple and Google have included location to overcome this secondary privacy benefit, by using location data to record proximity of Bluetooth signals.

It appears incredibly disingenuous for the companies to claim their framework was designed with privacy preservation in mind when it was designed to bypass some fundamental privacy protections.

Also while technology companies may lay claim that location data never will be shared, the entire point of their system is to inform some unnamed/unknown officials of spread of infections by… location.

What about who you would expect, such as qualified scientists, using the data? Apparently Apple and Google say they will not serve community members who are in the best position to make use of pandemic data.

If you’re a virologist or epidemiologist arguing that you need data to fight the spread of infection inside your country, you’re out of luck. Apple and Google have said no.

That’s what I call clumsy.

Finally, in terms of general trust, adoption of this system needs to be really high to be effective. Some estimates are at least 70% of people (not just phone owners) have to be in the contact tracing system to make it worthwhile.

And yet they pushed a significant update to the OS without any local notice/consent (just blog posts like this one), as if the U2 crash didn’t teach them a thing.

The music suddenly appeared on 500 million iTunes accounts. Shortly after came the backlash and, with it, a story of what may have been the most expensive gaffe in Apple’s history — upwards of $100 million…

This is the sort of top-down centralized approach with no real discussion of social contract that probably makes 90% want to throw their phone in the toilet. I’m also reminded of the science lessons from free trees in Detroit.

Detroiters were refusing city-sponsored “free trees.” A researcher found out the problem: She was the first person to ask them if they wanted them.

Ironically, America is so far behind on COVID-19 science and engineering, it’s rolling out mobile phone software just as Singapore (a global leader during this pandemic response) has abandoned the same.

Singapore’s Bluetooth-based contact tracing app TraceTogether was the first of its kind, intended to log potential exposure events without violating the privacy of participants. As with all of the efforts of this nature, voluntary adoption by the public was key to success. TraceTogether struggled in this area due in no small part to technical issues that hampered the usability of phones. The government has gone back to the drawing board and come up with a new answer: a contact tracing wearable that remains offline as it logs close contacts, only making that data available when a medical professional makes a coronavirus diagnosis and requests access to the device.

The wearable does leverage Bluetooth, to be fair, but it’s a whole different model with dedicated hardware for medical professionals to access.

It didn’t have to be this way. Engineers at the largest tech firms in the world, paid the highest salaries in the world, could have started at the point Singapore has just now reached — a personal/decentralized system that works directly with medical professionals only.

Instead Apple and Google have built a thing nobody should want: a forced update in their OS to serve mostly an Apple and Google agenda that has apparently little or no accountability to them when it’s misused or even abused. Compare and contrast these two stories, for example:

• Apple drops Hong Kong police-tracking app used by protesters
• Police in Minnesota say they’ve started “contact-tracing” demonstrators.

Or consider that, while Apple and Google insist they aren’t writing the apps that will use their “framework”, early studies already indicate that leaves open a lot of room for abuse:

…50 apps available in the Google Play Store that have been developed specifically for COVID-19…researchers classified nearly half as informational tools, roughly a third as tracking tools, 10% as assessment tools and 8% as scientific research apps…

Apple screenshots:

I am honored to be the first person on ZeroDaysLive Video to have been an audio-only guest. You can watch/listen to me being interviewed here:

Honored to be a part of the Inrupt mission as profiled by Andrew Sears on All Tech is Human (ATIH) CHANGEMAKERS. Here’s a full text version of my interview:

Davi Ottenheimer is the Vice President of Trust and Digital Ethics at Inrupt, a company striving to restore the power of balance on the web through data decentralization technology. For over 25 years, he has worked to apply security models to preserve human rights and freedoms. He is the co-author of Securing the Virtual Environment: How to Defend the Enterprise Against Attack (2012) and the author of The Realities of Securing Big Data, which is due to release this year. Davi spoke with ATIH about where the web went wrong and how decentralization technology can get things back on track.

ATIH: Tell us about your journey to your present role at Inrupt. How did you first become interested in digital ethics work?

My interest in digital ethics goes back to at least sometime in the early 1980s. The 414s seemed to me a foreshadowing of where the world was headed, at least in terms of society defining shades of lawful and unlawful data access. Their story felt very normal, not at all exceptional, because at that time it was similar to what I was experiencing in school and it was on the cover of big publications like Newsweek.

My family also exposed me very early to authorization concepts in both digital and analog tech. I basically grew up seeing computers as a natural next step like a tractor replaces the ox; no one really would want to be without one. That gave me a fluid understanding of ethics across a wide technology spectrum. For example as a child in very rural Kansas we had only a shared “party line” for telephone; my parents would of course tell me it was wrong to listen to our neighbors’ calls. I was fascinated by it all and by the time I was in college studying philosophy I was running my own copper from taps on building wires to connect dorm rooms, shifting underutilized resources to community service by taking over computer labs and all kinds of typical mischief. At the same time I was playfully exploring, I also ended up helping investigate or clean up some clever abuses of the lines by others (e.g. toll fraud, illegal reselling).

More to the point in college I always tried to turn in digital versions of assignments including a hypercard stack (precursor to websites) on ethics of linguistic regulation of Internet hate speech. That felt more exceptional, substantially entering digital ethics, because my teachers sometimes bristled at being handed a floppy instead of the usual paper. I was deep in a world at this time many professors had access to yet barely seen. I still figured at that point since I could dive into it anyone could and soon would. It was around 1990 that I excitedly showed a political science professor a 30 second video clip that I had spent 12 hours downloading and reconstituting. I had been studying information warfare and told him dissemination and manipulation was entering a whole new domain with Internet video… he told me “just do your damn homework” (some typical assignment on Middle East peace options) and walked away shaking his head. I felt at that moment I wasn’t giving up or going back, digital ethics had become my thing.

After college I applied to do political research at LSE and they countered with an offer in the history course. I accepted and explored far more historic cases of ethics in intervention (information warfare by Orde Wingate, and power dynamics in taking over large scale systems while not really owning them — 1940 British invasion of Ethiopia). My history advisor was truly amazing. He encouraged me to go professional with technology work and even told me it wouldn’t be a bad idea to pursue as a career.

It was great advice and I went straight into working for a DEC reseller in California pushing decentralization with PCs and TCP/IP. Getting paid to take hardware and software completely apart to fix it was like heaven for me. From those first phases of interest we can fast forward through twenty-five years of hands-on security within many industries around the world of all sizes and shapes. My journey has always been about convincing people from field to board-level that unsafe technology alters power dynamics, and that we protect liberties by bringing safety principles into engineering as well as policy.

A few years ago a very small database company reached out for help fixing their widely publicized product security flaws. Literally millions of people were being harmed, and they told me they weren’t finding people willing or able to help. I agreed to jump into it on the condition they let me drive end-to-end encryption at the field-level into their product as a feature, while I also cleaned up management practices. It was after we released that end-to-end field-level encryption feature, and after I guided them through IPO and massive growth to a much safer and more proper course including external oversight, that Bruce Schneier strongly suggested I consider the new Inrupt mission to bring Solid to life. I was thrilled to be given the opportunity to join such an important and challenging role.

ATIH: Inrupt is advancing the development of Solid, an open source platform designed to remake the web. What’s wrong with the web that we have today?

Solid presents a powerful yet very simple concept to remake the web: your data lives in a Pod controlled by you. Any data generated by you or your things (e.g. watch, TV, car, computer, phone, thermometer, thermostat) goes to your Pod. You then control access at a meaningful level, where consent has real power. I call it the need for an off button and a reset button for big data. Don’t want your data used anymore by who knows who? You have that choice. Want to be the authoritative source on data about you? Also your choice. If your doctor wants to look at your fitness tracker data, you grant that. When a family wants to share moments in photos, they grant that. Want your machines to talk with each other, not the manufacturer, and only at certain times? Up to you, through your Pod controls.

We expect this to evolve with completely distributed models, although sounding idealistic, because they are necessary and thus not out of the question. At the same time, efficiencies of scale and basic economics tell us many people will have Pod service providers instead of going with homegrown or localized varieties. As a long-time self-repair and build-your-own-kernel linux advocate I see no conflict innovating towards both off-grid piece-meal installations, as well as abstract and monolithic cloud services. You win because you have a lot more flexibility in a world where you seamlessly can flow between different worlds of control that suit you.

Sir Tim Berners-Lee calls the Solid project of decentralization being pro-human, as opposed to what he calls the current anti-human web platforms. For me perhaps the best way to explain the current problem with the web might be aggressive centralization, which historians used to say about the neo-absolutist surveillance state of 1850s Austria. I find it useful to reference history events to explain socio-economics that we see today with Google.

Another aspect of the problem, which I have been giving presentations about recently, is how our “digital bodies” owned by large proprietary platforms becomes a form of human trafficking.

Unfortunately 1850s American slave plantations seem to be an appropriate history reference as well. It actually explains Facebook data management and expansionist habits. I don’t say this lightly, especially as Memorial Day was created in 1868 specifically to honor those who made the ultimate sacrifice to win the war that was supposed to end slavery in America.

In my presentations on big data security, for example, I literally ask people to consider how the cotton gin was invented by a woman to end slavery, yet instead it led to state sanctioned rape of American women and forced births to rapidly expand human trafficking. That’s not the kind of history anyone really hears in school, and those are the actual facts. The web was invented to bring freedom, to end our digital selves being locked away, yet it has led to state sanctioned collection methods with vastly expanded proprietary control over almost our entire lives.

ATIH: How did these problems with the web come about?

That’s a great question. There has been massive pressure for data centralization from so many camps that have failed, it’s almost a wonder at all that some succeeded in cornering the web. I’d like to think the problems are the exception (e.g. like nationalization of the telephone under President Woodrow Wilson, or invasive inspection and destruction of U.S. mail under President Andrew Jackson) and we’re course-correcting to get back on track.

Cable television and AOL dial-up services both, believe it or not, were considered threats at some point to the success of a decentralized web. Microsoft too, although it obviously found itself in US government regulatory trouble when it aggressively tried to center the web around its browser and operating system. Some might point to RFC2109 but I find the socio-economics to be more important than this technical specification that helped build statefulness.

Perhaps the real turning point that set back decentralization came soon after the web was being panned as just a fad that would never rebound after the dot-com disaster. We witnessed in a time of crisis the giant transfer from small businesses to conglomerates, which might feel familiar to economists looking at today’s pandemic.

The optimism of the hugely diverse commercialization efforts by startups, which in a large part led to the crash, generated a kind of popular herd momentum that was picked up by the few dominant remaining technology firms. They in fact roared out of the dot-com crash with far more influence, far more human connectivity, and the market rewarded a kind of fast monopolistic growth as it escaped financial downturn. The web’s standardization and ease of use, once transformation to it was popular, made it a perfect vehicle for massive-scale growth.

The next market crash, from the mortgage crisis, then served as another accelerator on the trend for centralization coupled with more powerful devices becoming less expensive and default connected to the standards-based web. The technology sector became seen as a stable financial engine and attracted business innovators who believed user generated content had the best potential value and they set out to build systems that flipped the web on its head; would keep users connected by making it difficult to exit.

What’s notable about this history is the financial conditions and technological shifts that may never again materialize in quite the same way. That’s why I see dangerous centralization as a form of regression, an error that requires applied humanitarian correction. It’s like firing a CISO who steals, or countering the rise of extremist anti-science cults that typically form in response to recent scientific breakthroughs. I don’t believe in an inherent centralization need, or natural monopoly, in this context. In fact I see more the opposite, that we should think about Facebook in terms of why abolition of slavery never should even have been a debate. Had there not been the stress effects that led to over-centralization as a form of wealth preservation (arguably an incorrect response fueled by other unfortunate market conditions) the web could have continued to evolve in the more naturally pro-human model.

ATIH: Inrupt’s Co-Founder, Sir Tim Berners-Lee, calls Solid a project “to restore the power and agency of individuals on the web.” How does Solid accomplish this?

Giving users consent controls over their data, making the technology that represents a human to be actually human-centric, is the path forward. The Pod is a representation of one’s self that should be liberating, and is manifestly difficult to do without Solid. Many people now seem to agree we can and need to fundamentally alter the balance of power, whether they call it Solid or something else. Given that everywhere you are something is a computer generating data that represents you, taking control of your digital body has become essential.

In terms of projects at massive scale I’ve lived through early days on multiple data sharing standard initiatives (DICOM, TCP/IP, HTTP, HTML, KMIP) and worked deep inside the security teams for the biggest data platform companies (EMC, Yahoo, ArcSight, etc) so much of the scope and ambition feels familiar. I mean when you really think about it, the Solid protocol could be even bigger and more exciting, like a 1968 Carterfone moment or even 1862 Emancipation Proclamation, in terms of how small decisions restore power to individuals at massive scale.

The market either will keep building costly bilateral bridges and proprietary hubs people are trapped on, like we’re seeing with Apple and Google attempts at a COVID-19 alerting API. Or standard languages and protocols will emerge to lower barriers to human-centric innovation and expand the web again by decentralizing it and shifting to Solid. If it’s the latter we’ll see a boom in more generalized global prosperity. Trust is an essential step towards making it all work, just like always, yet user security awareness levels are so much higher than I’ve ever seen before. Doing things the right way for humans to preserve their agency, to help everyone avoid becoming victims of digital trafficking, brings up all kinds of granular authorization discussions. We are quite literally reimagining technology in ways that the Solid protocols will better augment and protect positive human conditions, complex communities, cultures and all.

ATIH: What does your role as VP of Trust and Digital Ethics look like day-to-day?

I get up and wonder if I can configure my toothbrush to start streaming its data to my Pod. Pour a cup of tea and think about a digital assistant reading data in my Pod to know exactly what leaf and temperature “Earl Grey, Hot” means, and how accurate automated speech recognition would become when designed from the start to be highly localized on Pod data and trained for my particular accent within my community or even my family.

But seriously, every day is running a gamut of working on trust concepts for the specification and protocols being designed, including security for the related products being engineered and the services offered to support both at a global production-ready scale.

People are coming to us with very real problems to solve across every sector and industry. It’s a great feeling to be helping them, working with such a passionate team that carries a real vision of a better future. Lately there has been a lot of discussion with both large and small organizations that have similar values and find Solid and Inrupt deliver a valuable piece in their own human-centered technology development projects.

Almost every day I am reminded of the important lessons and legacy of John James Ingalls such as his application of “ad astra, per aspera”, roughly translated as purposefully shooting for the stars, which became the Kansas state motto in 1861.