a short tale of a wearly traveller

yesterday, three of us experienced the hassles of having to produce the 5 documents & dependencies on infrastructures required to travel/fly from crete to london during period  it is held in amber status by uk, due to covid cases (sep 2021)

1/ passport, on paper (possible e-passport - needed to get through LHR in less than a day:-) 

2/ vaccination status (2 QR codes) - on smart phone may need net access to download, if you forgot to do so ahead of time (or it was deleted)

3/ covid test result from within prev 72 hour (scan or paper)- typically given on paper, so you need a camera phone or scanner

4/ passenger locator form (PLF), including reference for 

day 2 PCR test booking after return. (so you probably needed email to get that booking)

BA required these to all be uploaded before checkin & issuing 

document number

5/ boarding pass (on smartphone or paper), needing access to

printer, scanner or camera phone & network. - I guess they might have accepted them all on paper at the checkin desk...

2 days after return, get PCR test and a day later get results (negative, unsurprisingly). However, a day after that, the three of us that travelled together all get pinged by the NHS Test&Trace to say we have been in contact with someone and now have to get another test - this is stupid, because we had not been together since landing back in the UK, so the only point of contact must have been another traveller on the plane. so we have all gotten negative PCR since then, and the NHS know this, so why ask us for another test? fail to join up thinking. (I'd say it was a race condition, but I've never heard of one that lasted over 24 hours).

The only way we were on the NHS records was via the passenger locator form (since they used both mobile & email to contact the three of us and that's the only place they would get that info) which has the booking info for the day 2 returnee PCR test on it. 

on trusting trust and the shadows on the wall of the cave

Reading  the excellent Your Computer Is On Fire recently, and there's a great chapter revisiting Ken Thompson's rightly famous Turing Award Speech about trusting trust. The chapter also discusses the Wheeler solution to the problem --

in a nutshell,  when you use a tool chain for building a computing system, you depend on the tool builders. So an application must be compiled (or interpreted) and runs on an operating system, which runs on hardware which may be networked and so on - it is "turtles all the way down".  The Thompson "hack" takes advantage of two things - bootstrapping compilers and quotation, to build systems that build in trapdoors at build time, but in a way that is not visible to simple inspection of the compiler tools (without going back in time to before the hack and before the bootstrap - i.e. introduces a cost of effectively rebuilding your tools ab initio every time to avoid the trapdoor re-insertion two step dance. The Wheeler solution is to find some tools from elsewhere as well and compile your system with those too and compare the results. An alternative is to use trustworthy computing so that the privileges don't increase as you go down the stack, and you can check the integrity of the tools&die as well as apps - but now with attestation, or with multiple toolchains, we have a chain or even a web of trust rather than a stack of trust. We may need a web (or even a blockchain) because we want to mitigate collusion (between key signing agents or between different tool builders, or, obviously both) - 

Isn't life complicated...?

decentralisation & disintermediation

 thinking about the history of peer-to-peer (IP routers, eDonkey, the original skype, and now new things like matrix,  mastodon etc) - there are several properties oft conflated together 

1. distributed - in your pocket, kitchen, on your bike, etc

2. decentralised - there's no agency, service with a single point of contact, failure, power, etc

3. heterogeneous - and partially federated - implemented by different people, but interoperating 

what this also means is that there's no big intermediary - no single platform owner, who has a god's eye view of the proceedings - marketing things or surveilling things. - there could still be such services, but they would need cooperation from all the targets they'd want to hit or spy on.

what is wrong with Uber, Airbnb and (probably) Bitcoin is that while they have some of these properties, they are dependent on single large infrastructures (roads/gas, houses/keys and the electricity grid) - you can build a fully peer-to-peer map of the world and let everyone share their EVs, and you could move all property into collective ownership (gasp), and you can build a decentralised trust system that doesn't depend on proof-of-work, but without that, these systems are fundamentally intermediated by those key infrastructure owners, who could change the operating rules to make what is done infeasible, or just pwn it. i..e their governance is extremely sketchy.

The internet is made of holes

 This Atlantic article by Zittrain suggests that the internet is decaying. I think this is a classic observation error - the internet is like a kids plastic inflatable garden pool that is being blown up bigger and bigger and filled with water the whole time to overflowing - sure, lots of spillage, but also more and more content. and this isn't just a quantitative observation - more and more of the content is curated in various ways  the problem is that exponential grown brings both more quality content, but even more (in just pure numbers of, say, pages or photos or ditties) junk in the long tail, which isn't being looked after (think of all the social media content that dissappears when people grow up and delete their (last year's most popular service) account.

sure, the internet is full of holes. that is why the content was organised as a web  - the clue is in the name:-)

If "important" stuff is disappearing permanently, often, I think someone would do something about it, and they are...

Photo Id for Voting in the UK

 There are about 3.5M people of voting age in the UK who dont have photo id.

May cannot afford a passportt and don't drive so won't get a driving license.

so government proposals to require photo id for voting is 

a) unfair on them as the hassle of getting some other voter id will deter some from voting, and is cleatly motivated around which segment of society they are likely from, politically.

b) Plan B is to have local councils generate free, or very cheap, photo id for those people to get on demand. Not a great plan, since such Id will then become a target for fake id (as it is in the USA).

This will increase voter fraud (which currently in the UK runs at about 1 case per election). at a cost of about £20M per annum. brilliantly counter productive.

but also (as experience in NI and aforesaid USA shows) will also be used for age verification, and even ID checks for people making payments, hence increasing fraud there, massively. 

Ironically, something the Online Harms bill shoud really be addressing - another piece of pointless

government legislation ust to be seen to be doing "something" for a problem that exists in another country, but not here. doh.

what's in an NHS App QR code that vouches for your vaccine status?

 

If you've got the NHS app (the one you use for booking appointments, or repeat prescriptions, not the contact tracer one), you can download a vaccine/covid status to it - here's mine, decoded

on it, you see my name & dob and the vaccine dose name, batch number and date, plus it is signed, and can be checked for its legitimacy - there's international protocols (at least for EU, and the UK Is still cooerating on that). If you dont have a phone capable of running the app, you can get a letter from your GP (takes a few days) - not too much data being given away here- you don't need to show the vaccine status being downloaded, you can store it (or get it emailed)and a border person could check it with (presumably) some other app and check name/dob against passport.

the code is valid for 1 month - i.e. it expires, so you then just download (or get emailed) a new one - so long as the vaccine wasn't so long ago that it's efficacy has dimmed (and we dont know how long that is yet for all the vaccines in use) you should just get a new valid QR code or cert (or letter) for another month...

not a lot of privacy threat here....nor is it a huge burden on systems to run something like this...

ref: https://paravirtualization.blogspot.com/2021/05/whats-in-nhs-app-qr-code-that-vouches.html

trust framework: https://ec.europa.eu/health/sites/default/files/ehealth/docs/trust-framework_interoperability_certificates

_en.pdf

<COSE_Sign1: [{'Algorithm': 'Es256', 'KID': b'Key5PRO'}, {}, b'\xa4\x01bGB' ... (350 B), b'\xd1zo\xb3\x1b' ... (64 B)]>
  {
    "-260": {
      "1": {
        "dob": "xxxxxxxxxx",
        "nam": {
          "fn": "Crowcroft",
          "fnt": "CROWCROFT",
          "gn": "Jonathan",
          "gnt": "JONATHAN"
        },
        "v": [
          {
            "ci": "",
            "co": "GB",
            "dn": "1",
            "dt": "2021-02-11",
            "is": "NHS Digital",
            "lot": "EL7834",
            "ma": "ORG-100030215",
            "mp": "EU/1/20/1528",
            "sd": "2",
            "tg": "840539006",
            "vp": "1119349007"
          },
          {
            "ci": "",
            "co": "GB",
            "dn": "2",
            "dt": "2021-04-09",
            "is": "NHS Digital",
            "lot": "ER1749",
            "ma": "ORG-100030215",
            "mp": "EU/1/20/1528",
            "sd": "2",
            "tg": "840539006",
            "vp": "1119349007"
          }
        ],
        "ver": "1.0.0"
      }
    },
    "1": "GB",
    "4": 1624147200,
    "6": 1621341834
  }

----------

import sys

import zlib

from base45 import b45decode

from cose.messages import CoseMessage

import cbor2

import json

qr = input("QR plz: ")

print(qr)

if qr.startswith('HC1'):

              qr = qr[3:]

              if qr.startswith(':'):

                  qr = qr[1:]

bin = b45decode(qr)

print(bin)

foo = zlib.decompress(bin)

print(foo)

bar = CoseMessage.decode(foo)

print(bar)

baz = bar.payload

baz = cbor2.loads(baz)

fee = json.dumps(baz, indent=4, sort_keys=True)

print(fee)

-----

reminder of value of contact tracing:-

https://www.nature.com/articles/s41586-021-03606-z

but also of risks:-

https://blog.appcensus.io/2021/04/27/why-google-should-stop-logging-contact-tracing-data/

Proof of Green

 so rather than burn the earth even faster in some bogus pursuit of decentralized crypto-currencies (we only have one earth, so bitcoin is inherently centralised around that one fact), why not use renewable resources to generate coins. I don't mean greenwashing where you place your mints next to hydroelectric or geothermal sources. I mean literally use the fact that sources like solar are highly time&space varying - a large solar array could be used to generate signatures (each cell will receive slightly differnt amounts of sunlight over time - the voltage generated from each, therefore varying - this can be logged (e.g. on a blockchain) with GPS coordinates (now feasible down to centimeter accuracy courtesy of new devices), and acts as a unique coin value. This can be measured and verified by other parties. It costs almost nothing to mint, and is a side effect of building more renewable (solar) energy sources, rather than a pointless consumer of them.

see the light! 

mutable biometric auth - the really useful MBA

 o here's a thought. 

we now have reliable and safe mRNA for people. 

how about we use mRNA to teach our cells how to generate protein keys (key pairs) for crypto. We then have chip based readers that can check to see who we are (and we can build secure protocols for doing this that avoid obvious replay attacks etc), but without committing to using your actual DNA (or other biometrics) which, once compromised, cannot be changed.

chips that decode proteins are around - all the pieces are there. 

also, you don't get locked in to one provider (there are lots of people doing mRNA stuff, and we could even open source the mRNA system)....

seems like the way to go - 

before anyone tries to patent it:-)

Why not look at Augmented Human Intelligence, ahead of Artificial General Intelligence?

 As part of the Turing's AI UK Conference I was thinking about where we should be in 5,10,30 years

I'd like to see if we can reverse Frank Zappa's observation about scientists' incorrect belief that Hydrogen is the most abundant substance in the Universe, and rather, it is far exceeded by Human Stupidty.

Given peoples' blatant lack of discernment in social media, voting, and generally outrageously dumb collective behaviour, e.g. in the face of existential threats like climate and nuclear weapons, this seems like an urgent matter. and building AI to mimic humans seems, at this point, like a bit of a seriously losing proposition.

So how could we use AI to augment human intelligence? The trick is not to democratise the writing of black-box AI (giving people visual programming languages for convolutional Neural Networks is an even worse idea than increasing the world's population of buggy C, Python coders.

The idea is to make existing work on AI legible. Not just explainable, but teachable. so when making a decision, an augmented human might use an AI method, and at the end, not just no why it recommended what it did, and not only why, but how to internalise the knowledge and skill to use that method herself.

This is akin to the idea of the mentat characters in the novel, Dune. Humans carry out computational tasks, and computers have long since been banned after the fictional Butlerian Jihad, on the basis that they are unethical. In my view, that is somewhat of a limited view - we need to retain the AIs, but they become mentors.

To this end, we need to concentrate on AI tools and techniques that are intelligible not just explainable. So while simple ML tools like regression and random forests are ok, you also need tools like generalised PCA and probablistic programming systems, and Bayesian inferencing that clarifies confounders, and, if  we must go on using neural nets, at least SHAP, path-specific counterfactual reasoning and energy landscapes, to illustrate the reason for relationship between inputs and outputs. GANs fit here fine too Ultimately all these systems should really be a pair - a model, that is self-explanatory (e.g. physics, engineering, biological cause/effect) coupled with the statistical system that embeds the empirical validation of that model, and, possibly a hybrid of symbolic execution and data-driven systems. Of course, people in guru/hacker mode writing the next gen AI need to document their processes, including their values, as this is all part of making the results teachable/legible/learnable too.

In the end, these systems will also likely be vastly more efficient (green cred), but also intellectually, will contribute to human knowledge by exporting the generalisable models they uncover and make more precise, and allow humans to individually, and collectively, stop behaving like a bunch eejits.

Then we can let the AIs all wither away, as we won't need them any more.

The Genies that probably won't go back in the Bottle

 One discovery made about people in organisations using video conferencing was in the early days of the Defense Simulation Internet - this was about 30 years back (DSINet started around 91) and made extensive use of the Mbone technology to provide many-to-many real time video, audio and shared applications. One of the UIs for this had a prototype of the "hollywood squares" that many Zoom users will nowadays be familiar with, 

Most of the real users of this system were wargaming (the shared apps included highly detailed battlefield maps with animations of army vehicles etc). At some point, the generals got really upset because they noticed the rank-and-file were talking directly to each other, rather than up-and-down the chains of command. Students of history will know that such a peer-to-peer organisation was also how the anarchist brigades operated in the Spanish civil war - it is highly effective as it is highly resilient (there's no leader to decapitate, and it is lower latency to get information to the people who need it to make decisions and take action).

This all applies to any overly hierarchical organisation, be it university, company or indeed, entire nation states. We cut out those annoying pointless "leaders" who make the wrong decisions because they are a bottleneck, and swamped with either too much advice, or too many filters, or too many lobbyists distorting the information, The Internet may finally actually democratise socieity, but not as previously envisaged.

By the same lockdown token, people have more time to consider content delivered by digital communication. Consideration may lead to more nuanced decision making (e.g. not responding to clickbait, or believing fake news, or even taking care to remember who was responsible for these things and mentally marking their future utterances as suspect, or at least "to be fact checked carefully when I have time after this".

Evidence for the increasing discernment by the broad public can also be seen in the search for relatively subtle explanations of what is happening (rules for lockdown, vaccine safety etc) - where people would dismiss experts, they now much choose an expert who explains about exponential increases in cases when R0 is above one, or the nature of false positives and false negatives in different tests. This is because after a year of hearing experts and politicians, it is increasingly obvious whose explanations and predictions are based in some sort of discipline, and whose are just self-serving attempts to maintain a wobbly power base. 

You can fool some of the people some of the time, but 12 months in, everyone starts to realise who the real fools are. Or indeed, crooks.

attention deficit misorder

 In The Attention Merchants by Tim Wu, we heard about the cycle of technology and content and advertising that takes each new medium, and drives a race to the bottom in terms of increasing levels of commercials, and decreasing revenue, leading to worse and worse actual content, and eventually, a rapid fall off the cliff edge in terms of actual audience, who then move to the next tech - the book contains a plethora of historical examples from 19th century newspapers, through radio, on via television (see also four arguments for the elimination of television plus for the impact on actual journalism, see Flat Earth News), and finally, today, several generations of social media (MySpace, Facebook, Twitter, Instagam, TikTok...next?).

So a new factor in this is not just the very poor quality of advertising / infotainment, which is incented to lie about products, but now we have the new players heavily involved in daily spread of misinformation:- governments. Governments (especially populist ones) are one of the main sources of peacetime lies. We expected the Ministry of Information to spread propaganda during wartime, but now we have arrant nonsense distributed directly from the desks of Trump and Johnson, casting doubt on election results, undermining democratic choice during referenda, and destroying confidence in public health measures during a pandemic.

What is to be done? We need platforms that deliver a reliability metric about sources, not just fact check their individual utterances. This would move the prominence of repeat-offenders, lower and lower in every readers' feed - taking away the effectiveness of polarized clickbait.

Time for the EU to regulate?

Identity and Currency - Trust and Implementation

 A discussion recently about national digital identity systems revealed that some stakeholders feel they need to own the implementation and the deployed operational system, as well as the legal authority for the root of foundational identity.

We can discuss separately, the idea of self-sovereign identity, and the use of the social net (parents, friends&family, colleagues, situation etc) to build a fully peer-to-pee digital id system, without any need for central government agency - indeed, you can imagine having this, as well as a more "traditional" system, with birth certificates, passports, national insurance numbers, biometric data etc etc

but for  now, for the latter case: who should build and run the digital id infrastructure?

well, the analogy I want to draw is with currency. The national bank (e.g. Bank of England) underwrites the value of the national currency (coin of the realm, sterling). They also participate in various mechanisms to maintain the relative value of different national currencies (i.e. exchange rate mechanisms or the Gold Standard, etc).

But who mints cons/notes? Could be anyone really. Who makes the machines that do that minting? Whoever wins the contract. Why should digital id infrastructure be any different? For example, british passports contain digital information about the holder and are issued by Her Majesty's passport office, but are physically made by  Gemalto, owned by French firm Thales. In the past, anyone could issue banknotes (up til early 20th century!), but now the physical currency in the UK iis a monopoly, but of course there is a wide range of digital ways to store and transmit value as well, run by credit and debit card companies, and fully virtual currencies are legal in some countries.

So it seems that even a national, government approved or mandated or supported identity system could be outsourced. Indeed, many components of functional id based on some notional national id already are implemented and run (e.g. DVLA for driving licenses) by 3rd parties.

This also argues for why one needs to consider at least some level of federation for digital id systems to allow for moving provider, inter-operating, and even comprehending how  extreme federation such as self-sovereign systems can co-exist with more traditional centralised registeries and the vouchsafing of who you are.

identity is not property - so how can you "steal" it?

 another poor metaphor (as with security theater, which isn't even poor stand-up), identity theft.

as with music piracy (aka p2p file sharing), you copy, you don't  take. but in this case, the metaphor of theft is even less apt, as identity has some deep roots (e.g. biometric attributes) and some more shallow (notarised documents like birth cerrtificates, passports) and some social contextual attributes (people vouch for you)

mistaken idenity (the mcguffin of many a fine play, film, book, but perhaps not song) is apt

but identity theft just isn't.

Computational Thinking Considered Harmful.

 I was a big fan of Jeanette Wing's initiative on computational thinking - it came at a time when we were developing the computing at schools initiative and the Raspberry Pi and so on, and fitted in well with our optimism about how anyone could pretty much get to grips with the core ideas of reasoning in the style computer science has developed (not just logic/algorithmic, but also systems and many other sub-disciplines).

I'm now worried that what has happened is to enable people with the capacity to adopt the technology, much as with  nuclear and biological weapons (or going back further, gunpowder, TNT, or even just any projectile weapon, crossbow, longbow, slingshot etc) and now we have asymmetric warfare, but it is really asymmetric warfare by the few against society. Now we have people hacking on democracy, on trust in science, on social cohesion. 

I'm not talking about the PRC or the Kremlin.  I am talking about the unpleasant, sociopathic power-hungry in our midst. People that were put in their box by long fights to improve everyone's lot over since the enlightenment or even since the renaissance  (or whatever equivalent there was in your non European part of  the world).

People who have adopted the ways of thinking about problems in manners that let them scale-out,, rapidly. Crucially, for  which  we  as yet  have no effective defence (computationally thought out  or otherwise).

I think we need a Pugwash or Asilomar, or even a Butlerian Jihad against computational thinking without appropriate checks and balances.

Now this  is a very tricky proposition as it is quite different  from proposing ethical controls of dangerous technologies. It is about modes of thought. This hasn't been something people outside of ancient Mesopotamia or modern totalitarian states a la 1984  have considered. How to modulate computational  thinking so that it is inherently a moral  framework would be, for me, the thing we need urgently to do. 

when people say Security Theater, just what do they think they mean?

Security Theater is a  terrible metaphor.

In theater, you suspend disbelief, sure, but that's so you believe  the characters are real, and  that the  characters are subject to true motives and actions are  in reaction too circumstances in  the universe of the play.

So when Macbeth falls for his personal initerpretation of the 3 witches predictions, this is true. and when Burnham Wood is come to Dunsinane, the attack/deception works.

Even the  twist at the end of a whodunnit like the venerable Mousetrap, or the   clever Sleuth (or indeed Whodunnit) catch you by surprise. 

If security  operatives employed techniques like this, they  would essentially be carrying out a mix of

a) real security

b) social engineering on the adversary.

No,  what people really mean is like the well-meaning uncle who says he'll entertain a room full of 9 year  old kids full of sugary drinks with a very  bad conjuring show that  they immediately see through. Not tragic or comic, not even really bathetic or pathetic. Just bad.

People go to the theater to be taken out of themselves. What people call security theater is stressful because it is transparently useless and incredibly boring at the same time. 

When you go parachute jumping or scuba diving and check your equipment, it is quite interesting. That's because theatrics only happen if you don't.

hyperextensibility

back in the day(*) the UCL internet gang (Indra) built a IP over the international X.25 packet switched system, that operated by tunneling IP packets over virtual circuits (VCs) that the various  telcos operated.

to indicate that the VC was carrying IP rather than (say) remote  terminal traffic from the quaintly named PAD (Packet Assembler&Disassembler), they used a fiield in the VC setup, that could carry Call User  Data (arbitrary stuff up to 128 bytes as far as I recall) and this could even have a copy of the IP address and other useful metadata...

so this is the grrandparent of SMS which uses call user data in the old GSM call setup packet to carry text messages.

so SMS begat Whatsapp and Twitter and who knows what more universes of discourse.

So these "features" are a great deal more powerful than mere options.but also less dangerous than fully programmable protocols (like, say, SIP).

They are like "lifting" in programming languages. And as such should be celebrated.

I'm going to call protocols with such an apparently lowly, but actually grand affordance, hyperextensible, as they allow shortcuts to entire new worlds.

* bob braden, peter kirstein et al, probably around 1980.

On BS Jobs and Non-work-conserving employment - or how the internet might help with the future of work

 Just reading the Graeber book based on this essay On the phenomenon of bullshit jobs, and thinknig about how lockdown revealed how much work was a) unecesssary  b) structured in ways to make it even more unpleasant (e.g. communiting) -

A tell for this is that there's a  workflow, and there are strict office hours - leading to strict commuting time requirements-   this non-work-conserving approach to how "labour" fits in  to "society" is completely inhuman - people work at different paces, and the same person at different rates on different days.  Most tasks that really require a human (leaving aside care work / parenting) are not predictable, so even if we know when they should start, we can't schedule a next task as we don't know when they will end - if  we did, we should  automate them.

The internet doesn't work like that, and that's why it is cheap and efficient, but also forgiving and fllexible.

Society probably once worked like that (I am sure a farmer and a blacksmith interacted in ways that would cope with elasticity). 

We must get rid of time  sheets and the notion of human "resources". You know the saying "Rich people trade their  money  for more time. Poor people trade  their time for money"? Well, that assumes  time, like money, is fungible,  which is obviously BS. Time is running  out.  Time expires. We  are living on borrowed time. Only two of those last things happen with money.  Maybe  we  could design cryptocurrencies that allowed  tracked of the subjective value of our time? Not now, please my Emoticoin is too high for you.

Really useful networking efforts, and their opposites.

My  favourite group currently working on internet stuff around the ietf is 

GAIA which is delivering lots of useful information about shared initiatives to provide meaningful and relevant internet access and services (see especially work on affordable community networks, and reducing misinformation, e.g. on covid in the minutes&slides linked above).

In contrast, the race for 5G, and now even 6G is driven, it seems to me, almost entirely by greed and a nlatant disregard for anything remotely sustainable or fairly offered (as per, William Gibson's "the future is already here, it is just unevenly distributed").

For example, we were looking at various mobile apps for covid-19 that might help mitigate the pandemic, and concluded that very few would be in the least bit viable in the developing world.  The GAIA folks are heading a long way to helping with that. Quite frankly, the 6G folks are going the opposite direction.

confusion regarding privacy of decentralised ("gapple") based BLE contact tracing apps

various publications report problems with the (e.g. swiss, german, irish) contact tracing apps privacy model confusing OS (what apple&google can and do do with location services and networks) and apps.

I suggest people read the app code (the irish have very kindly open sourced the HSE app for the world. even more helpfully, their leading researchers have actually measured what data is sent by different european contact tracing apps so you can see what is and is not the case about your privacy.

more light and less heat, please:-)

also comments on the efficacy of decentralised apps (do they work) can be countered with the observation that what you care about is the number of people notified that test positive, and that can be done when people notified ask for a test (you could even get the history of RSSI/BLE readings from them without re-identifying the phone random decentraslised id magic at that point, and run stats, which would be more time consuming than centralized log analysis, but would eventually let you re-calibrate your BLE algorithm to maximise effectiveness) - remember, we dont actually care about the distance between phones, we care about the true positive infection detection/notify/isolate rate, and we care about minimising false negative proximity so you don't end up isolating zillions of people and might as well go back to lockdown....).

ref 1 BBC not sure how to understand efficacy of apps.

ref 2 NYT mixing OS up with Apps

update on centralised v. decentralised contact tracing apps....deconstructing who distrusts whom?

one of the reasons oft-cited for the centralised design of the original UK NHSX contact tracing app was

the lack of testing for people, due to the governments decision (failure) to continue/expand/rol out systems (despite offers from quite a few research labs that had large capacity systems ready to roll).

Instead, the assumption was that people would "self report" with symptoms (or diagnosed after a 111 call) - not only might these be unreliable, they might attract abuse (troll like behaviour is fairly common). Hence one goal was that the index case should be trackable and (presumably) potentially blocked /reported if multiple bogus attempts made to claim a) they were infected and therefore b) cause a lot of people in their contactee data to have to self isolate pointlessly for 7+ days.

I'll note here that tests on the contactees dont help set them free, because recently infected people don't typically test positive for virus until they have symptoms (pre-symptomatic) and note, a significant fraction won't ever get symptoms even if infected (asymptomatic, and are still potentially infectious even if apparently well. Indeed - there arre good public health reasons to measure the rate of asymptomatic infectious people as this is part of the risk level in an area.

Thus, as well as wishing to improve any diagnosis menus in an app, and as well as desiring to continuously improve the exposure notification algorithm used to turn BLE measurements into a likelihood of possible infection, we also have the wish to record who (non anonymously) claimed infection, and who (possibly anonymously, but re-linkably in a chain of infections) was a contactee without symptoms, for epidemiological reasons, as well as for notification.

As well as this, it would be useful to know the context (location, e.g. indoors, in vehicle, type of building versus out doors) and whether in only a pairwise encounter, or a group - all this data helps understand the modes that the virus spreads through, to help sharpen advice to the public, and also refine the algorithms.

There's some discussion about why one would combine these two functions in one app (contact notification and public health statistics). There are quite a few nice symptom reporting apps (notably in the UK joinzoe), which do a good job of learning new symptoms' importance, and can map hotspots over time as well) - but the point is that it is not a change to a centralised app to provide the contact graph of infected people - this is the same primary purpose - the "second" application is simply the use of the stored data and doesn't change the app at all. In fact, the notification service is also notably simpler if you don't need to build some magic decentralised rendezvous network. 

I notify service I am diagnosed positive with list of contacts. service notifies each contact they may have been exposed (potentially with human in the loop to detoxify the bad news).

so what are the trust problems here? well by not having testing and not trusting the users to all only honestly report symptoms, the government/UK health service set a tone that the customer is not always right. But the decentralised systems send the message that the public don't trust the national health service in their country, and yet they have to trust that health service if they fall ill, so this is a hidden toxic message too.

don't be too surprised if both systems lead to a rise in distrust of health science, and potentially a boost to the anti-vaxxer movement, just at a time when we may really need to get vaccinated.

the good thing is that when we have a vaccine, unlike with smallpox or polio, we don't need to create (true) herd immunity immediately, but rather need only vaccinate the vulnerable, at least at first. Of course, there may be a novel novel corona virus around the corner which goes back to the mortality risk levels of SARS and MERS but has the incubation time of Covid-19, and then we'd really care that a lot of people were out of the infection loop proactively (not reactively).

For now, reacting as fast as possible is our best bet to get as close to zero cases as possible..