Loomio
Fri 1 May 2020 8:09PM

Expiry

Michelle Calabro

This is where we will discuss Expiry, in order to create AUDIT QUESTIONS around Expiry in contact tracing apps. We will also discuss CONTACT TRACING BEST PRACTICES around expiry.

Regarding the data collected by contact tracing apps:

  • Does it expire and get deleted?

  • Does this happen automatically?

  • What is a reasonable amount of time after which the data should expire?

#datastorage

Ryan Carrier Fri 1 May 2020 8:23PM

So to kick start us, I think we ought to focus on a few key points:

  • 1) Automatic Expiry MUST exist.

  • 2) That Expiry length ought to be Reasonable (legal term).

  • 3) Expiry results in complete deletion of data generated to and by the expired person.

  • 4) There must be a mechanism for EARLY removal (probably another separate thread, but one at a time) based on medical clearance, vaccine, treatment or confirmation of false positive.

Ryan Carrier Mon 4 May 2020 6:59PM

"The data gathered relating to the user's interactions is stored and processed locally on the user's device for 21 days, in an encrypted form. Application data that resides on a user's phone cannot be decrypted (it may only be decrypted once on the backend server). After this period, information is automatically deleted." This is from the Australian BlueTrace protocol.

Aaron Maxwell Mon 4 May 2020 8:30PM

Does data generated by the user include contacts with other users? So let's say I come in contact with user X. Presumably, there is a mirror on X's phone that is "Came in to contact with user Aaron." Who owns the data describing our interaction? That defines how many of my interactions stay on my phone, and thus, how much of my information can be decrypted by someone else.

Alexa Anastasia Pantelidis Tue 2 Jun 2020 3:08PM

I've seen this proposed in the form of "randomly generated tokens" that are exchanged when users come into contact with one another. The tokens would be anonymous and just hold the infected/not infected information. Your phone would hold two secure lists -- tokens received (which wouldn't leave your phone) and tokens sent out (which would be sent to public health authorities if [1] you're infected and [2] you consent). Although the information is retained in the form of randomized tokens, this method seems to store a lot of information on the phones. Is this system a problem if it stores information from all interactions (not just at risk interactions) or does the use of randomized tokens eliminate that concern altogether?
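
Added example, not code from the page or from any contact-tracing app: a per-device log modelled on the two lists described in the post above (tokens sent out, tokens received), using the 21-day retention window quoted from the BlueTrace post earlier in the thread and the early-removal path from Ryan's first post. The 15-minute rotation interval, the 16-byte token size and the class and method names are assumptions for this demo; the encounter timeline in `demo()` is constructed.

```python
"""Per-device contact log with rotating tokens and automatic expiry (added example)."""
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)      # window quoted in the thread
ROTATION = timedelta(minutes=15)    # assumed token rotation interval (not from the thread)


class ContactLog:
    def __init__(self):
        self._sent = []        # (first_used_at, token): tokens this phone broadcast
        self._received = []    # (seen_at, token): tokens heard from other phones, never uploaded
        self._current = None   # (started_at, token) currently being broadcast

    def _purge(self, now):
        """Automatic expiry: drop every entry older than RETENTION.
        Every public method calls this, so no separate scheduler is needed."""
        cutoff = now - RETENTION
        self._sent = [e for e in self._sent if e[0] >= cutoff]
        self._received = [e for e in self._received if e[0] >= cutoff]

    def current_token(self, now):
        """Token to broadcast at `now`; rotates every ROTATION and records it in the sent list."""
        self._purge(now)
        if self._current is None or now - self._current[0] >= ROTATION:
            token = secrets.token_bytes(16)
            self._current = (now, token)
            self._sent.append((now, token))
        return self._current[1]

    def record_received(self, token, now):
        self._purge(now)
        self._received.append((now, token))

    def received_tokens(self, now):
        self._purge(now)
        return [t for _, t in self._received]

    def export_sent(self, now, diagnosed, consented):
        """Only the sent list ever leaves the phone, and only when both conditions hold."""
        self._purge(now)
        if not (diagnosed and consented):
            return None
        return [t for _, t in self._sent]

    def wipe(self):
        """Early removal (medical clearance, false positive, ...): delete everything now."""
        self._sent.clear()
        self._received.clear()
        self._current = None

    def sizes(self, now):
        self._purge(now)
        return len(self._sent), len(self._received)


def demo():
    """Constructed timeline: two phones meet on day 0 and again on day 10."""
    t0 = datetime(2020, 5, 1, 20, 0)
    alice, bob = ContactLog(), ContactLog()
    bob.record_received(alice.current_token(t0), t0)   # each phone hears the other's token
    alice.record_received(bob.current_token(t0), t0)
    t1 = t0 + timedelta(days=10)
    bob.record_received(alice.current_token(t1), t1)   # Alice has rotated many times by now
    size_day20 = bob.sizes(t0 + timedelta(days=20))    # first encounter still inside the window
    t3 = t0 + timedelta(days=22)
    size_day22 = bob.sizes(t3)                         # first encounter expired, second kept
    no_consent = alice.export_sent(t3, diagnosed=True, consented=False)
    upload = alice.export_sent(t3, diagnosed=True, consented=True)
    alice.wipe()                                       # early removal
    return size_day20, size_day22, no_consent, len(upload), alice.sizes(t3)
```

The mirror entry Aaron asks about is visible here: each encounter leaves one received entry on each phone, and each phone expires its own copy independently, so nothing stays on either device longer than the window. At-rest encryption of the lists, which the BlueTrace quote mentions, is outside this example.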

Aaron Maxwell Mon 8 Jun 2020 4:17PM

That seems like a lot of communication back and forth between devices, then. If the Registered Health Authority only ever receives the tokens I have sent out, then how do you know if I came into contact with you? The server will have to broadcast all of my sent tokens to your device, and your device would then have to check if you ever received any. So are my tokens everywhere, now, once I test positive?

Alexa Anastasia Pantelidis Tue 9 Jun 2020 9:49PM

Hi Aaron -- I'm sorry, I know I did not explain that very well. This is the article where I read about the idea: https://arxiv.org/pdf/2004.13293.pdf -- "The Epione server allows users to check whether they have received a token from a user who has since been diagnosed with the disease, without revealing to the server their tokens (and thus their contacts) and without the server revealing any information to the user about the tokens of users diagnosed positive beyond the count of contact tokens in common. We use secure computation techniques, particularly PSI-CA, for private matching. This prevents the Epione server from inferring linkages between users, as well as preventing users from inferring the diagnosis status of other users, or the source of any exposure to the disease." (page 4)
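
The quoted exchange, as an added example that is not the Epione authors' code: a Diffie-Hellman style private set intersection cardinality (PSI-CA, in the manner of De Cristofaro, Gasti and Tsudik) over a prime-order subgroup of Z_p^*, chosen here as a concrete PSI-CA rather than whatever construction Epione uses. The phone sends its received tokens blinded by a secret exponent; the server re-blinds them, shuffles, and returns them together with its own shuffled, blinded list of tokens uploaded by diagnosed users; the phone can then count matches but learn nothing else, and the server never sees the phone's tokens. The 192-bit safe prime generated at start is demo-sized (a deployment would use an RFC 3526 MODP group or an elliptic curve), and all tokens are constructed.

```python
"""DH-based PSI-CA between a phone and a health-authority server (added example)."""
import hashlib
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; adequate for demo parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits=192):
    """First safe prime p = 2q + 1 with p >= 2**(bits-1). Demo-only parameter search."""
    q = (1 << (bits - 2)) + 1
    while True:
        if q % 3 == 2 and _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1
        q += 2


class Group:
    """Order-q subgroup of quadratic residues mod a safe prime p = 2q + 1."""
    def __init__(self, p):
        self.p, self.q = p, (p - 1) // 2

    def hash_to_group(self, token):
        h = int.from_bytes(hashlib.sha256(token).digest(), "big") % self.p
        return pow(h, 2, self.p)          # squaring lands in the order-q subgroup

    def rand_exponent(self):
        return secrets.randbelow(self.q - 1) + 1

    def mask(self, elem, k):
        return pow(elem, k, self.p)


def shuffle(items):
    items = list(items)
    for i in range(len(items) - 1, 0, -1):    # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        items[i], items[j] = items[j], items[i]
    return items


class Phone:
    """Holds received tokens; wants |received ∩ diagnosed| and nothing more."""
    def __init__(self, group, received_tokens):
        self.g, self.k, self.received = group, group.rand_exponent(), received_tokens

    def round1(self):
        # Message 1 (phone -> server): shuffled H(c)^k; the server cannot invert k.
        return shuffle(self.g.mask(self.g.hash_to_group(t), self.k) for t in self.received)

    def round3(self, double_masked, server_masked):
        # Message 2 carried H(c)^(k*s) (shuffled) and H(d)^s (shuffled).
        # Raising H(d)^s to k gives H(d)^(s*k); equal elements mean c == d.
        # Both lists are shuffled, so only the number of matches is learned.
        mine = set(double_masked)
        return sum(1 for e in server_masked if self.g.mask(e, self.k) in mine)


class Server:
    """Holds tokens uploaded by diagnosed, consenting users; uses a fresh s per query."""
    def __init__(self, group, diagnosed_tokens):
        self.g, self.s, self.diagnosed = group, group.rand_exponent(), diagnosed_tokens

    def round2(self, blinded):
        double_masked = shuffle(self.g.mask(e, self.s) for e in blinded)
        server_masked = shuffle(self.g.mask(self.g.hash_to_group(t), self.s) for t in self.diagnosed)
        return double_masked, server_masked


def exposure_count(group, received_tokens, diagnosed_tokens):
    phone, server = Phone(group, received_tokens), Server(group, diagnosed_tokens)
    msg1 = phone.round1()
    msg2 = server.round2(msg1)
    return phone.round3(*msg2)


def demo():
    g = Group(safe_prime(192))
    tokens = [secrets.token_bytes(16) for _ in range(8)]     # constructed tokens
    received = tokens[:5]                                     # heard by this phone
    diagnosed = tokens[3:] + [secrets.token_bytes(16)]        # uploaded by diagnosed users
    return exposure_count(g, received, diagnosed)             # two tokens in common
```

This answers the "are my tokens everywhere?" question for this design: the server sends out only H(d)^s under a per-query exponent, never the uploaded tokens themselves, and the phone's received list never leaves the device. Two caveats a practitioner would want: the server must not reuse `s` across queries, or a phone could link results between sessions; and a phone that submits a one-element set learns whether that one token is on the list, so PSI-CA on its own does not stop targeted probing, which needs rate limiting or proof-of-encounter on top.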

Michelle Calabro Wed 6 May 2020 5:36PM

@Aaron Maxwell @Shea Brown @Marta Ziosi @David Henritze Do you agree that the data collected in contact tracing apps should expire?

Aaron Maxwell Thu 7 May 2020 8:05PM

I agree. I believe there should actually be two expiry dates. The first is for my personal data - the app should only hold onto the last N days as we have already discussed. The second expiry date should be set by the moment we have a vaccine widely available. At this point, the entire App should be ceased: data servers wound down, all data deleted, and apps automatically removed from user phones. The definition of "widely available" can be set by Health Care Professionals and so on.

Ryan Carrier Thu 7 May 2020 8:11PM

Unfortunately (as my wife's lab is working on COVID-19 treatments), the efficacy is likely not going to be polio-level eradication (99% free), but closer to the flu shot. Do you think a 30-50% effectiveness rate is sufficient for shut down of tracing programs? Personally I think it still is, as I would want the things shut down in general, but I am curious if you have a perspective on effectiveness.

Aaron Maxwell Thu 7 May 2020 8:38PM

I think so. I mean, the danger to our health is not the virus itself, so much as if the disease puts too many of us into the hospital at once. We still move freely during flu season, because enough of us can get the flu shot to increase our resistance. And we've come to accept that even with the flu shot, we still suffer thousands of deaths annually. There isn't anything that will be 100% effective, and I understand that. But once the spread rate / reproductive number of SARS-CoV-2 becomes comparable to the known influenza strains, I don't see why we need mandatory or even large-scale population tracing; the number of individuals that need to be tracked should fall back to the number we can support using current (human) methods.