Germany’s Covid-19 Tracing App

Finally the contact tracing up is here. With big media attention the app was launched to public 2 days back, after the bumpy start with a complete strategic change from centralized to decentralized model. SAP and Deutsche Telekom cooperated and created an app-server environment in less than 2 months, chapeau for that performance. It comes at 20 million Euro, plus 2 to 3 million monthly for Deutsche Telekom, mostly to operate the hotline (not sure if they actual build an office building first, but anyway). Some might claim a start-up could have done it for a fraction, yes, maybe, would it be ready ? Would it be able to provide a system that can talk to the public healthcare system to create TAN’s to push alerts ?

You can download for Google and Apple. Interestingly the app was downloaded more than 1 million time within 2 days, after 3 days supposedly 8 million times and got more than 30.000 ratings/reviews (Android only) in that short timeframe (mostly positive) !
The team seem to work agile, they pushed out an update within 72 hours.

You can review and download the code at Github. I must admit, the documentation is really good, no one can claim this is not transaparent. Despite still so many people claim it would be used for tracking people and their whereabouts.
First thing to do ? Let’s look at the sourcecode and the underlying libraries by Apple/Google. Did not manage to build it with Android Studio 3.4, had to update to 4.0 to get it built and run on the phone, though it would fail after the initial info screens due to the missing Exposure Notification API on the phone. Guess that will be fixed once the Playstore app is updated.

Findings:

  • Permissions
    As planned and communicated only the bare minimum to make this app work. You can see it does not require the coarse location permission usually required by BLE.
  • Libraries
    A few of the standard libraries: ZXing Embedded, Joda Time, Room, SQLCipher, detekt and a some others.
    Most importantly Google’s Exposure Notifications API
  • Why would you disallow the user making screenshots, if everything is transpraent and opensource ?
  • Once you installed the apk file through Android Studio you cant install the official app, even after removing the app installed through adb.

Conclusion: Full transparency. It did materialize quite fast, too late for the first wave (no app can be ready for something totally new) but certainly in place if a second wave or individual hot-spots appear. I still have doubts if we reach a 60% penetration nut the initial figures are looking good. You can still argue about the quality of measuring the signal strength of Bluetooth and how many warnings we will see.

Bookshelf: Machine Learning and Data Science

With less options in your sparetime in the current situation, we can invest some of the extra time we have gained in reading instead watching (too much) Netflix and other streaming services. Here some recommendations from my booskhelf. Machine Learning and the related topics like Data Science are the hot topics in IT in almost any business domain context and a basic understanding is important for everyone dealing with software, be it sales reps or product managers with little or no computer science background, and the last time you touched discrete mathematics, linear algebra or probability was at high school. The challenge here, both topics have a steep learning curve and it is hard to acquire a decent knowledge, but for most of us, basic understanding is good enough to manoeuvre discussions and appreciate what is possible and what not (now). There is a huge choice of online courses and books, though the majority is most likely to deep-dive or covering a very specific aspect of machine learning. Publisher like Springer and Packt even allow you download selected titles these days or permanently for free.
Here 2 titles that scrape the surface but give you some insights and overview of commonly used terms. Both available as paperbacks or for the Kindle for less than Euro 15,-.

Machine Learning For Absolute Beginners

by Oliver Theobald, Independently published, 2018, 155 pages

If you start from ground zero with no knowlegde, this is a good overview at 10.000 feet without diving too much into formulars and algorithms. You learn about linear and logistic regression, decision trees, clustering and more but just enough to get a basic understanding. Neural networks are covered too, but it might be challenging to transport this through only 10 pages. There is a bit of Python coding sprinkled in if you feel getting more hands-on.

Data Science

by John Kelleher, The MIT Press Essential Knowledge, 2018, 280 pages

This book covers the basics of data science, ranging from the definition of data types and the DIKW pyramid to standard tasks and outlining the whole data science steps in the CRISP-DM process. Non-technical aspects like ethics and privacy are covered too. This book is 99% free of algorithm and sourcecode.

The MIT Press Essential Knowledge series offers a few condensed titles, like Deep Learning, MetaData, Computational Thinking and others.

I will recommend some more titles soon. Stay safe and tuned.

Daily Tech Observations 10

Tracing App Status Germany

While some of the restrictions are slowly being removed and public life resumes to some extent due to the decreasing infection numbers, there is some movement in the discussion around the tracing app(s). In Germany we dont have an app released yet and it is questionable if a significant volume of citizens will buy-in the contact tracing while the peak of epidemy in Germany has passed already, though a second wave could come. The announced cooperation of Deutsche Telekom and SAP target a release date in June. I still have doubts, the usual workflow of huge companies are not known for planning, designing and releasing in production within a couple of weeks. We will see. At least they started to document and release info on Github under the project title Corona-Warn-App. They adopt the decentral approach with DP-3T and TCN and will fully comply with GDPR. SAP develops app and backend, Telekom provides infrastructure.
At the same time we have at least two other groups, both projects of the #WirVsVirus Hackathon by the German government a few weeks back, working on tracing apps. ITO (github) creating a decentral solution and OHIOH (github) creating a server-centric solution. Others are Gretel, Predict-19 and Infection Chain. Some of the initiatives already became inactive or are stopped by now.
The main challenges, there is no standard for data exchange, not for Germany and none for international exchange. With too many apps and too little adoption there is a high risk of failing. Though I support all the activities, at least the teams get attentions and it might help to form or push start-up’s.

IBM Call for Code

IBM runs a challenge and supports selected teams to build solutions to replace physical queues by on-demand virtual lines. A different and interesting scope that looks beyond the current situation and attacks social distancing aspects. Find more info here.

Covid-19 Epidemic Forecasting

There are few sites run by research institutes predicting the further development of infection, R and death figures. The below list is from the Singapore University of Technology and Design (SUTD). They stopped publishing their predictions to public.

Google Community Report

Google is still publishing, the latest report dated May 14th.

Image by Free-Photos on Pixabay.

Daily Tech Observations 9

Tracing Apps Overview

About 35 countries released apps in the COVID-19 context, roughly half of them actually perform some kind of tracing or tracking using either GPS, Bluetooth or both. I reviewed some of them with the information that you find in the Google Play Store in regards of rating, no. of installations and permissions. I could not find any app that has a penetration of more than 5% (Android only), rather lower, and the success of such an app grows with the userbase.

Random samples:
(Numbers for Android apps only, Apple is not releasing the number of installations)

  • Stopp Corona (Austria), ~9.000.000 population and 100.000+ downloads
  • eRouška (Czech Republic), ~11.000.000 population and 100.000+ downloads
  • Aarogya Setu (India), ~1.300.000.000 population and 50.000.000+ downloads

Reference: Population by Worldbank

I noticed some apps are very generous with permissions, also asking for identity, phone number, contact list, all on top of GPS and Bluetooth.

Tracing Apps Details

Thanks to AppBrain you can get more information about individual apps. You can see the underlying libraries used and communication channel. It seems most of the apps make use of Google Firebase Messaging for the push part.

Sample: Dev libs for Stopp Corona (Austria)

Here as sample the details for the Stopp Corona App from Austria taken from the respective AppBrain page. We can see GCM (now Firebase) for messaging, the cryptographic lib Bouncy Castle, the JSON lib MOSHI.
At least none of the apps I have looked at so far, use social or Ad network libraries.

German Tracing App Status

While other countries have a headstart, Germany is falling behind. Despite news stating German Telekom and SAP joining the initiative, there seems to be no schedule, commitment and definitely no budget yet. I fear this will become a humongous project with 90% consultancy. We have existing open source applications following DP-3T as guidance, a small team of less than 15 people can produce an app in short time, and still comply with GDPR and security in place. My take.

COVID-19 Data

Latest Google Community Report was released on May 1st.

Stay safe and tuned.

Image by Free-Photos from Pixabay

Daily Tech Observations 8

Corona Tracing App Strategy Change

The German government moved away from the central data approach and the PEPP-PT initiative to a decentral solution. Seems they do not want to wait further on the non-commercial approach by a bigger group and hope the two huge companies SAP and Telekom can come up with an app. Looking forward to see the result, I doubt we will see anything released for another 8 weeks, being optimistic. A lot of countries have a head start here, see my overview post.

Questions I have:
The list of “infected ID’s” has to be updated regularly, potentially a growing list with many records need to be polled every hour ?!
How would you push the info to devices (in the case of infected contacts) ?
Use Google’s Firebase FCM ?

Reference:

Tracing Apps across the globe

There are about 40+ apps in various countries around the globe, adopting different protocols, some are open-source, some are propietary, most of them are in the Android Playstore, some are released as apk-files only.
In some countries we see multiple (contact tracing) solutions at the start, India with 4, Italy 3 and US 3. In the EU with have at least 10 different apps. There is no way to trace beyond the boundaries of individual countries. Have a look at my overview here.

Overview Covid-19 Tracing Apps and Protocols

Last Update: 2020 May 6th

Protocols and Initiatives

Open Source Apps, Code or Demo/POC

Mobile apps or projects with public accessible sourcecode.

Propietary Apps

Android Apps in the Google Playstore.
To notice quite a number of apps receive rather average reviews and quite some negative comments.
Not all apps are tracing apps, but information portals or self-checks.
[Average rating – number of ratings – installs] (As of April 29th)
Trac(k)ing apps are highlighted with * (Bluetooth) and ** (GPS). Specific contact tracing apps highlighted in bold.Other applications are general health, guidance, self-check or crisis apps.
Source: Respective app page in Google Play Store

Document References

Papers, articles, PhD Thesis, Research Documents. Focus on Wifi/Bluetooth/BLE technology.
No specific order, no attempt to be complete, quite a number of documents are discussing these topics.

(Image by Samuele Schirò from Pixabay)

Daily Tech Observations 7

PEPP-PT

There has been some movement in the Pan-European Privacy-Preserving Proximity Tracing project over the last few days. Earlier it was announced an app would be released after the Easter period. This has not happened so far, some of the project partners have even pulled out (reference). The project is driven by the Arago founder Chris Boos.
Though the app is not out, both documentation and some sourcecode has been released under Mozilla Public License on github. This is a good move, it creates transparency and allows to fork the project if needed. I have not seen other projects in the same tracing space to release their sourcecode. Time to have some hands-on with the sourcecode, more in an upcoming post.

ROBERT Protocol

The ROBust and privacy-presERving proximity Tracing protocol (ROBERT) by Inria and Fraunhofer Institute. Both are member of the PEPP-PT tracing project but the documentation can or should be the base for any implementation of a tracing app. Find the documents at github. This is the only way forward to create transparent apps that will be accepted by general public. Highly recommended reading.
It is key to differentiate between the centralised and decentralised approach, read more here.

DP-3T

As the ROBERT protocol is a solution with a central component, there is also a group proposing the a decentralised approach, DP-3T – Decentralized Privacy-Preserving Proximity Tracing. This proposal is aligned with the mutual Apple-Google proposal. Also highly recommended reading. Sourcecode is available on github as well.
Drop by the comic style explanation by Nicky Case.

By Nicky Case (CC-0)

TCN Protocol

Similar to DP-3T , there is TCN (Temporary Contact Numbers,) a decentralized, privacy-first contact tracing protocol. Find the specification here.

Open-Source Corona Apps

Two mobile apps have been released in the US

COVID-19 Data

More Research and Whitepapers

DIY Project: Create a Tracking and Tracing App Part 3

In this part we will have a short excursion into the world of radio signals, like wireless or bluetooth signals. As part of the tracing solution we must estimate the distance between two devices, it makes a difference if we stand next to a person (less than 2m) or being 5m and more apart for a potential transmission. The tracing app shall record only other devices in the nearby area, otherwise we will face a tsunami of false warnings after recording everyone in a 10m radius. The only way to measure or anticipate the distance is the signal strength of the received beacon signal.

Bluetooth Peripheral Mode

Bluetooth classic, made for higher speed and permanent connections, uses more energy and requires pairing before exchanging data between the devices (see previous post). We need to use the peripheral mode which was introduced with Android 5 (Lollipop) in 2014. The peripheral mode is mostly used by health devices, pedometers, etc. By today (2020) most Android phones should support this mode which is the key component, known as Bluetooth Low Energy Advertising, for the tracing app.
Bluetooth 5, supported since Android 8.0, introduced significant improvements to the BLE mode (reference). In the next post we will explore the BLE advertising and the related services.

Simple test to check if the Android device supports advertising

private BluetoothAdapter bAdapter = BluetoothAdapter.getDefaultAdapter();
..
if (bAdapter.isMultipleAdvertisementSupported())
	Log.i(TAG, "MultipleAdvertisementSupported supported.");
..

About Signal Strength

Theory

To be more precise we have to look at the strength of the received signal, also called RSSI (Received Signal Strength Indication), the measurement of power in a radio signal, measured in dBm. In short, the receiving device can measure the power of the signal and approximate the distance. Sounds simple, but it is not, radio signals is a huge field in science and research and I won’t attempt to replicate this in a blog post. The RSSI value often ranges between -100 and 0 dBm (in our context here), where -100 is the weakest signal and values near 0 the strongest.
Some links with references below for the interested reader. The main challenge is the signal strength depends on a number of parameters, the sending power, the distance (obvioulsy), external factors like reflection, absorption, interference and diffraction. It is very much an approximation, especially as we are talking about unknown devices (mobile phones) emitting the signals and not defined devices like industry beacons. In the literature you find a formular that estimates the distance in meters:

As you can see we do not have proper values for RSSId0 and Eta/n because we lack of reference devices and reference environments. We will experiment with values in the field test below.

References:

Android

For both Bluetooth and Bluetooth LE we can read the RSSI (values between -127 and 126) easily (Android Developer Documentation). See previous post for complete method.

For Bluetooth Devices

BluetoothDevice device = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
int rssi = intent.getShortExtra(BluetoothDevice.EXTRA_RSSI,Short.MIN_VALUE);

For Bluetooth LE devices

public void onScanResult(int callbackType, ScanResult result) {
	System.out.println(result.getRssi());
}

The method to calculate the distance based on above formular

double getDistance2(int rssi, int rssid0, float eta) {
	 return Math.pow(10d, ((double) rssid0 - rssi) / (10 * eta));
}

Field Test

Devices: Huawei P30 and Ubudu Beacon.

I use the app to read the RSSI value at the reference distance 1m.
In the first round I setup it outside at a grass field without surrounding building, walls etc.
The average RSSI value is about -83dBm with values ranging from -104 to -77dBm.
The second round in an office like environment, a room of about 3×3 metres. Now we have an average value of -51dBm with values ranging from -79 to -35dBm. In a second room I get -88dBm, -83dBm

RSSI Values at 1 meter distance

Now going back to our formular we calculate the distance with reference 1m RSSI value of 75dBm (best guess) and an eta of 2 (found this value when researching). Now setup again a 1m distance situation and check the caculated distance.

Calculated distance at 1 meter distance

This run with 2,1m average value differs 100% to the real 1 meter distance, the values having outliers up to 30m without touching the device or moving anything. If we need to rely on these values we need to capture at least 100 signals and average them to get anywhere near the real distance. I doubt changing eta and the reference RSSI will help as the RSSI value comes with these extreme outliers.

A few more random tests a different distances I come to the conclusion (with this specific test setup), the RSSI wont help us to measure the distance between two mobile phones, aka 2 persons properly. At most we can anticipate with an array of measured values and the the average if the device is less than 5m away, aka falls into a potential transmission candidate group.

Test Setup at 50cm resulting in 18cm average distance.

Header Image by Juanma_Martin from Pixabay

Daily Tech Observations 6

Google Community Mobility Reports

The latest report was released on April 16th. On top of the individual PDF files for each country you also can download a CSV file with all the data. With the CSV file at hand it is easier to compare countries or regions against each other and detect when lockdown came in place etc. Time to spin up your favourite visualization tool or for some hands-on Pandas-Bokeh action.

Tracing Apps

Despite announcing the release of such an app after Easter, there is nothing released yet. It is a challenge to release such an app, once pushed out to public you cant reverse or make significant changes to the key exchange algorithm etc. The rotating key mechanism need to be waterproof to avoid any tracking or identifying of persons just by looking at the local data storage and ‘wardriving’. Personally I believe no one want to do another quick shot like the ‘Datenspende-App’ (see next topic) and stay compliant with the below requirements. I highly recommend to read the read the contact-tracing-apps requirements by..

At all cost privacy has to be protected and we do not want any contact tracing in any non-health related crisis situations, eg. to be used to trace contacts in recent Hong-Kong events or during the Arab Spring in 2010.

I am very curious if and how they will release the source code for such an app.

Datenspende App

The RKI released the Datenspende app using anonymously health data from smart watches etc. (see previous post). Unfortunately they triggered a partially controversial discussion in media due to the fact that the usage of the data was not stated clearly enough, the app is implemented as closed-source by an external company and a few other problems like the lack of support of many health trackers. This resulted in quite a number of 1* ratings (refer to AppBrain). Though I absolutely believe in their good intentions and the good use of the data, RKI just had a bad start with this.

AppBrain Statistics

Google cooperating with Apple

Certainly makes most sense to have the same API features on OS level, though I am not sure how to publish this. Through an OS Update ? Here we would rely on the mobile phone manufacturers, quite a large number of phones have fallen out of the support cycles. Have a look at the specifications at the Apple website.

DIY Project: Create a Tracking and Tracing App Part 2

The tracing of contacts through mobile apps became the Number One hot topic in the last few days, governements and institutes of the EU countries are still working on technical solutions to trace transmissions of SARS-CoV-2 (though a bit late for the first wave that has hit most countries worldwide). At the same time there is an intense debate about these apps in terms of data usage, privacy, etc. The apps wont stop the spread or protect the person using the app but they should help to keep the situation under control in the times to come, maybe as a permanent tool to stay for a long period. Even more important not to build a tracking tool following examples of more authoritian states, but to have a solution that protect privacy.

In this blog series, looking at the technical aspects, we still touch both tracing and tracking for the matter of the discussion. In the last post we only touched the Bluetooth basics, now get into discovering nearby devices.

Android to discover Bluetooth devices

About device discovery

  • Discovery of Bluetooth devices is the step before pairing and coummunicating with another device. We can scan for nearby devices without the other devices (its owner) noticing it.
  • But for classic Bluetooth, the device need to be set to discoverable by its user, usually only for a limited period. It is consuming additional energy and would drain the battery faster if left on permanently (putting aside security concerns, see references).
  • BLE works like a beacon permanently being discoverable, certain location type application work like this, eg. to help navigate in buildings equipped with beacons.
  • The 3 key device attributes when discovering devices:
    Name: Not unique, just a label, can be set/changed by the user.
    MAC: The unique identifier (see previous post)
    Signal strength in dBm (more about this later)

Discover classic Bluetooth devices

We need to register a broadcast receiver and listen to the intents for discovery start and end. The discovery need to be triggered, it will run for about 12 seconds.

Register BC Receiver

private void initBCReceiver(){
	final BroadcastReceiver mReceiver = new BroadcastReceiver()
	{
		@Override
		public void onReceive(Context context, Intent intent){
			String action = intent.getAction();
			if (BluetoothDevice.ACTION_FOUND.equals(action))
			{
				BluetoothDevice device = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
				int rssi = intent.getShortExtra(BluetoothDevice.EXTRA_RSSI,Short.MIN_VALUE); // dBm
				System.out.println("Found: " + device.getName() + "," + device.getAddress() + "," +  rssi);
			} else if (BluetoothAdapter.ACTION_DISCOVERY_STARTED.equals(action)){
				System.out.println("ACTION_DISCOVERY_STARTED");
			} else if (BluetoothAdapter.ACTION_DISCOVERY_FINISHED.equals(action)){
				System.out.println("ACTION_DISCOVERY_FINISHED");
			}
		}
	};

	IntentFilter filter = new IntentFilter();
	filter.addAction(BluetoothDevice.ACTION_FOUND);
	filter.addAction(BluetoothDevice.ACTION_PAIRING_REQUEST);
	filter.addAction(BluetoothAdapter.ACTION_DISCOVERY_STARTED);
	filter.addAction(BluetoothAdapter.ACTION_DISCOVERY_FINISHED);

	registerReceiver(mReceiver, filter);
}

Now trigger the discovery

bAdapter.startDiscovery();
Discover Classic BT devices

Discover BLE devices

The BLe devices (beacons) constantly send their signal, we can pick it up in an async thread. The Android BT library supports this with less than 15 lines of code to capture the devices. Implement the callback and start/stop the scanning.

private ScanCallback leScanCallback = new ScanCallback() {
	@Override
	public void onScanResult(int callbackType, ScanResult result) {
		System.out.println(result.getDevice().getAddress() + "-" + result.getDevice().getName() + " rssi: " + result.getRssi() + "\n");
	}
};

public void startScanning(View view) {
	System.out.println("start scanning");
	AsyncTask.execute(new Runnable() {
		@Override
		public void run() {
			btScanner.startScan(leScanCallback);
		}
	});
}

public void stopScanning(View view) {
	System.out.println("stopping scanning");
	AsyncTask.execute(new Runnable() {
		@Override
		public void run() {
			btScanner.stopScan(leScanCallback);
		}
	});
}
Discover BLE devices

Interesting observations:
– The MS Designer Mouse is operating in both classic and BLE mode.
– The signal strength of devices can change without being physically being moved.

Conclusion

  • The Bluetooth classic mode is not feasible for the tracing requirement. It would drain batteries quickly and we cant disnguish between phones and other devices using solely the MAC (though we could identify manufacturers).
  • We need to consider the BLE peripheral model for our tracing app. Remember, we need to capture the unique key from another nearby user of the app, we cant achieve this without basic 2 way communication between the two apps.

Fun Facts

Stay safe and tuned..

References

Image by Free-Photos from Pixabay.