You cannot decentralise contract tracing apps or make them privacy friendly

I’m curious about how Google and Apple’s decentralised contract tracing app can possibly be anonymous.

The basic premise I understand and accept is that phones will generate unique tokens every 15 minutes and exchange them over Bluetooth and not tell anyone else.

The question is when a sick person sends the signal to let others know they need to be self isolating – how are others notified?

They are not in physical Bluetooth range any more and therefore can not communicate directly via Bluetooth again. The relay must happen via google or Apple servers. You’re also self-isolating so we can’t have an onion like phone-to-phone network like some decentralised ideas.

Instead all communication must go to Google or Apple servers. They will at a minimum immediately know you’re sick.

So how do others find out if they were made sick? There’s three options:

  1. Without revealing their tokens each phone can download the whole database of every sick persons token and compare it to a list of people they met on their phone. This would be a good, anonymous solution.
  2. Google or Apple could push the token of every sick person out and every phone could ignore non matches. Again, a good anonymous solution
  3. You tell Apple or google all your tokens and they tell you if you were infected. This gives up your identity!!

Now, I have to suspect Google and Apple are building the insecure version 3 solution that allows them to track and monitor every interaction you have with people.


Because there are a billion phones on the planet. If a person speaks to another person this generates two tokens on your phone and two on theirs (assuming you always give out unique ids). It’s an exponential rise, in a day you’re generating two dozen entries multiplied by a billion phones, not including group gatherings and so forth. There’s absolutely no way every phone can subscribe to every event and filter the data on their end. It would be a huge toll after a few weeks. They will always use the solution of telling Google “here are my tokens, here’s who I spoke to, did any of them get sick?” Google knows which phones are sending those requests in so now get to witness every human interaction ever.

Even a hybrid solution where you download the whole database but restricted to roughly where I’ve been, means telling Google roughly where you’ve been.

I feel like Google and Apple are about to start collecting micro-data about our interactions in a mid May update that I can’t opt-out of.