• ooterness@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    7
    ·
    1 year ago

    The Google system allegedly shares hashes of a ID-number salted with a rotating timestamp over BLE. But it’s also a closed-source binary. Can you or anyone else actually inspect its implementation? Can you really guarantee it doesn’t have even the smallest design flaws?

    This technology is exceptionally dangerous. There is very little difference between these two scenarios:

    • A doctor has identified a COVID patient. Let’s notify everyone who’s spent time with them recently.
    • Secret police have identified a “dissident”. Let’s round up all their close associates.

    It’s voluntary (for now). It’s allegedly secure (for now). But did anyone actually benefit from this complicated system? All I see are downsides.

    • FooBarrington@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      Security researches have taken apart the binaries, listened to network requests and everything else you need to do to verify that nothing nefarious was going on. The system itself is set up so no tracing is possible if nobody reads your hashes.

      • ooterness@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        3
        ·
        1 year ago

        [Citation needed]

        Every reverse-engineering study I’ve read has been about the apps built in top of the Google API, not the Google binaries. Here’s one, and here’s another, and neither paints a flattering picture.

        Maybe it’s possible to build a perfect implementation, but that is not what we got.

        You know what does work? Masks and vaccines. Phone-based tracking was a dangerous waste of time.

        • FooBarrington@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          1 year ago

          Maybe it’s possible to build a perfect implementation, but that is not what we got.

          What exactly are you referring to? The whole approach is built in a way that doesn’t really give anyone any way to screw things up. Please be specific.

          You know what does work? Masks and vaccines. Phone-based tracking was a dangerous waste of time.

          Unless you were testing yourself literally every day, phone-based tracking is a great way to tell you when you should test yourself. It’s a great addition to other preventative measures, and I have no idea how you could come to this conclusion while thinking rationally about this topic.