1. 8
  1.  

  2. 0

    Interesting topic but it reads so emotionally charged that it’s hard to believe there are no further personal reasons for the author to write this.

    Also it’s often stated that IP addresses are an extremely poor way to identify someone reliably, so why would it not be the case now?

    That’s especially true when most people are going to be using mobile data and not their home WiFi, so an attacker would need to do so much work just to get some even more unreliable data on whether someone has contracted covid or not. For what purpose anyway? It’s not like it’s the bubonic plague after all.

    The Bluetooth part I agree is a bit poor, especially the precision, but I guess if it is presented as not a perfect and final metric for social distancing then I don’t see the problem with it.

    Valie points but the tone is completely off in my opinion.

    1. 1

      While I agree this is emotionally charged, there are good points in there about bluetooth and privacy design in general.

      Why do you say that “it’s often stated that IP addresses are an extremely poor way to identify someone reliably”? If anything this proved to be reliable enough (TM).

      1. 2

        Why do you say that “it’s often stated that IP addresses are an extremely poor way to identify someone reliably”?

        Because that has been tested in court on multiple occasions.

        1. 1

          True that they can fail to work as proof in court. And depending or your ISP (mobile or not) they may rotate frequently leading to the wrong mobile (or not).

          They can still be used as correlation together with other data though. The concern here is not court use, but rather privacy disclosure. In court they are discarded because they are not enough to identify one single person, at least not without other proof. The article also suggests this by combining IP with user agent.

          Any service that can tie that ip/timeframe to user identity could collude with this Covid tracking service to reveal that information - this could be your ISP, or any other service that you used in a time window and can identify you.

          I think his point stands - compromising that service risks exposing the identity, even if not directly. It is not like there are no alternative designs to avoid this either.

        2. 1

          Exactly what @colonelpanic said.

          Anyway IP are quite precise indicators when you can go and talk privately with the ISP of that IP with a datestamp in hand.

          But only IP address means absolutely nothing: VPNs, restarting your router, changing cellular station and restarting your mobile data, all that usually changes your IP address, making it not a 1 to 1 match.

          That’s why browser fingerprinting is much worse as normally nobody changes that often enough (unless you use extensions to prevent some of that).

        3. 0

          Also it’s often stated that IP addresses are an extremely poor way to identify someone reliably, so why would it not be the case now?

          The IP address is now tied to a mobile phone and not a family home computer.

          1. 1

            Mobile IP addresses get reused very often by the ISP so, as I said, unless you are in touch with people there you won’t get anything out of IP addresses nowadays.