Apple and Google’s bluetooth contact tracing API: impressive example of privacy-preserving features

The Apple & Google privacy-preserving contact tracing has no additional (privacy) cost.
It may have limited to no benefit because of low adoption and other issues.
It may have big benefit due to keeping the curve flat, while relaxing the physical distancing requirements.
It is the only one that has a chance to work because of its possible adoption and practical addressing of BTLE items.
No costs but potential (big) benefits = I vote we do this.

In case you are coming to this without previous context, this is an informal write up about the Apple & Google privacy-preserving approach, and why I wholeheartedly support it.

Compared to my normal bio-hacking ancient “woo-woo” practices with technology and dorking around with a high speed camera, this is the closest I’ve come to putting my work background on this blog.

I’ve put it here because I’d like to both show how a professional paranoid like me analyses this (in the hope you can learn that trick too), as well as hopefully counter some of the Fear Uncertainty and Doubt that comes up around tracing technology.
After all, I do think this is an excellent piece of engineering and policy decision from Apple and Google.

TL;DR version

The way I see it:

No costs but potential (big) benefits = I vote we do this.

How professional paranoids think

It is relatively easy to go into a paranoid mindset, just assume everyone is out to get you. I know, I’ve been doing that for decades, mostly professionally.
What distinguishes amateur and professional paranoids like me, is that professionals know when to stop worrying and doubting.

One of the things we do for this in my professionally paranoid world, is to think about the goal and capabilities of the attacker.
We think of things the attacker could do in terms of: “An attacker wanting <intent of the attacker> with <capability of the attacker> would <what the attacker achieves>”.
We call this the “threat model” or “security problem definition” in Common Criteria.

When this idea of phone based contact tracing was started (and to be overly clear: the Apple & Google privacy-preserving approach does not have these, which is why am supporting it), these were the kind of threats I thought:

  1. An attacker with access to the central server, would see who I have met, when and where. I.e. this can be used to map my social interaction graph by Apple/Google/government.
    (Not the case because the phone only sends the daily tracing keys to a semi-centralised server after I’m declared sick. And even then, these keys and the derived 10-minute pseudonym numbers are not linked to an identity. And even in that case, your phone determines if you were near that pseudonym, not the central server. Your phone doesn’t gain any information about me, just has a bunch of pseudonyms without attached identities and it determining it was near at a certain time.)
  2. An attacker able to eavesdrop the entire internet, would see who I have met, when and where. I.e. the above one on NSA scale.
    (Not the case because the phones just don’t transmit that information. An all mighty eavesdropper might know a bit more about me, and would be able to couple those facts to me being declared sick and uploading my daily tracing keys to the semi-central server. But that isn’t an added risk due to this system, this is the risk of worldwide surveillance by both the government agencies and commercial companies. They would already know you called a doctor…)
  3. An attacker able to eavesdrop an area, would know when I declare I am infected, that I was in that area, including when and ‘how far’ from the eavesdropping station.
    (Not really a case, as this is the same as say a shopkeeper’s phone doing this. Arguably this is a good thing: one could know where in the area extra cleaning might have been applicable.)
  4. An attacker able to eavesdrop all bluetooth transmissions over the whole world, would see all connections. I.e. the above one on illuminati scale.
    (Not the case because what they would see, is some blinks of ±10-minute ‘identities’ move around. Really not useful, but in any case this is not more information: any phone already sends a Bluetooth and WLAN MAC code that is unique. These MACs are in modern phones already randomised every ±10 minutes for exactly this tracing reason. One of the things I found clever, is that the tracing pseudonym and the bluetooth MAC are varied at the same time, thus one can not use one to link it to the other.
    Of course, if you disclose the daily tracing keys, the rolling proximity identifiers are now grouped for the same day. So this all powerful eavesdropper would know that a pseudonym infected person walked where. Which is exactly what contact tracers are doing manually without this process. So I consider this a feature.
    In the end this would be an attack for ‘the last mile’ location tracking: just to function on cellular network level, every mobile phone is still sending its unique identifier (IMSI and related values) to the mobile network, so at least on the granularity of mobile network cells the mobile networks know where that phone is.)
  5. An attacker with physical possession of my phone would be able to force me to show who I met. I.e. evil secret police forces me to show my co-conspiring cuddling group.
    (Not the case because my phone does not know this. It only knows those random pseudonyms. Actually is the above case.)
  6. An attacker would force me and you to show that we were close to each other. I.e. police investigation into me and an already suspected other, like you, for doing an unauthorised cuddling, or worse.
    (Somewhat possible, but with major limitations: they would have to force my phones to declare me are sick (which is usually illegal), they would then have to wait at least a day (because both phones only disclose tracing keys at least one day old), they would only be able to go back 15 days (again: phones), and then they would at best get that your phone says you were potentially exposed at a certain time it saw an ‘infected’ pseudonym. But still no confirmation it was me, just a suspicion it was me that they can’t use in court. And then we’re back to their original suspicion anyway.)
  7. An attacker with significant legal or informal power, forces me to declare I’m sick and then my app transmits “I am a leper” code for everyone to shun me.
    (Not possible, because since version 1.1 of the specification, the phone will not disclose the current day’s tracing key, only yesterdays onwards, with a max of 15 days. This is one of the improvements I found very clever.)
  8. An attacker forces me to show I am not infected/infectious, i.e. the green/yellow/red QR code apps being deployed.
    (This is independent of this proposal. The Google&Apple API does not help this, it actually seems to go out of its way to hinder this.)
  9. An attacker generates false ‘infections’ and causes many to be pseudo-infected. I.e. a cyber-bio-terror attack: I put my ‘phone’ with a strong Bluetooth amplifier near any place of gathering, then declare myself sick, and everyone who was in that place of gathering shows up as being ‘near’ to an infected person.
    (This is possible with any approach. I suspect this is one of the reasons why sane contact tracing apps will require some medical confirmation that one actually is infected. And that part then falls under medical safety and privacy as usual.)

So… long but hopefully insightful story on how someone like me looks at this mechanism and determines the risk/benefits.

Some of the underlying tricks I use to stop worrying:

  • Already accepted risk: if we end up in a situation we already accepted (here for example: the mobile phone could track me, regardless of this proposal), I remind myself why I accepted the original situation, quickly check if things really changed or not, and if not shrug and accept this too.
  • No additional risk: when we reach a point where we are assuming that the attacker already got what he is aiming for, to get it, I stop. Obviously an attacker who can hack the whole phone OS and hardware, can get it to do more than it should.
    But that attacker then doesn’t need this mechanism.
    So… probably that attack isn’t useful to the attacker.
  • No additional information: I’m keeping in mind what all parties could possibly know (this is an application of ‘belief logic’). If the attacker does something, but he does not gain knowledge, it is unlikely to be useful.

I hope you find this helpful.

With kind regards,

P.S. (2020-06-14) There are quite a few other analyses out there, which I really like, but dear me a lot of them are unprofessional FUD.
For example Mind the GAP: Security & Privacy Risks of Contact Tracing Apps claims that:

  • “We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons,”: well no, not more than you already can, see my #3 and #4,
  • “and (ii) relay-based wormhole attacks that principally can generate fake contacts with the potential of significantly affecting the accuracy of an app-based contact tracing system.”: yes, but any false claim of connections would work, this has nothing to do with the technology, see my #9.

SoundSelf and Breathwork: Tune up, tuning out

With thanks to some suggestions Kasper van der Meulen of Mindlift (who gives a great Breathwork Mastery class) and by Robin (who made SoundSelf), I’ve been playing with breath and SoundSelf.

The breathing basis

This image has an empty alt attribute; its file name is Breathing-techniques-2-1024x346.jpeg

In the beginning the voice guidance guides you into setting up your space, settling in comfortably, letting go of tension, and generally feeling grounded and relaxed.
I find that a good way for me to go to that place, is to do a breath hold, and letting that go with a somewhat explosive pfffffffff via the mouth.

Calming breaths to start any meditation.

Then the tree launch sequence starts, where you set and SoundSelf learns the base rhythm for the later session. So I set the base rhythm there with an unhurried but deliberate, deep full-belly nose inhale (my natural rhythm seems ±5s, yours may differ) and long deep resonating ohhhmm tone out via the mouth (±30s).
A normal SoundSelf rhythm to fall back to.

This will be the rhythm I fall back to in the later process, the metronome that SoundSelf will also be repeating to you in your own voice.

Power (breathing) up

Power breathing and exhale hold

The basis of supercharging the experience, is first some over-ventilation:
forced quick in- and exhales for a short period.

Nose in, mouth out power breathing.

Although the details of the technique (in/out via nose or mouth) do not matter that much for this purpose, I suggest that you focus on the exhale via your mouth, and inhale 80% in via your nose.
This matches the rest of the breathing patterns, activates your system but does not panic it, and it is generally a good idea to prefer nose inhales.

Do these quick breaths to taste: to the moment where you feel more energised/tingling, a bit or even a lot further than that if you are more experienced with breathwork.
I end up doing 10-40 breaths usually.

Everyones’ mileage can vary, but the big trick with this experience seems to be what you do right after this power up breathing.
Think of going right back into toning (you may notice that you can exhale and thus tone longer because you have exhaled a lot of CO2).

Mouth power breath and immediate chanting. Note the longer Oooooooom.

But you can also immediately fully exhale, hold empty until you feel the clear urge to breathe in, nose inhale and go back to breathing.
This one is my current favourite.

This looks like this:
My current favourite: power-up with over-ventilation, nose in and mouth out.
Exhale and hold until you feel a clear need to inhale (via your nose).

Bringing it to a grounding close

At the end, give yourself some time to get back to grounding. Lay down and let your body integrate, then take some grounding breaths like so.

Quieting down after intense breath work and finding ground again.

I like anchoring this experience to a trigger, so that I can come back to the sensation with that word/gesture.

Future things to try

There are of course many further things to try, like making different sounds (I’ve started experimented with mantras), exogenous chemical influence, and tactile experiences like the SubPac/TacSuit (going towards EMDR?).


DMTtripBear showed how using the mantra “Om Mani Padme Hum” would work and I’m experimenting with mantras now too.

Normal Om Mani Padme Um

A power breath and Om Mani Padme Um:

Nose in, mouth out power breath with Om Mani Padme Um mantra

Other possible power-ups

For the (increasing) places where this is legal, apparently “indica dominant cannabis can dramatically heighten the SoundSelf experience“. Try it out, let me know?

Doing SoundSelf with psylocibin (“magic mushrooms”), LSD or other ‘real’ psychedelics… I doubt will be that interesting or smart at a dose that gives an internal psychedelic experience. Robin has tried that experiment and sweetly came to the conclusion that the internal experience from the psychedelics is more interesting. And that the magic goes away if you know how SoundSelf works like he does.
I’d also think that it is probably not a good idea to have a VR headset strapped to your head with a full psychedelic (not a great setting), and the visuals might be a bit extreme on a screen. To be clear: not advised.

Micro-dosing… maybe. Let me know?
Alcohol… pretty sure not.

More to follow I am sure…

SoundSelf: Zone out, Tune in

SoundSelf play is both a very relaxing zone-out self-care moment for me, as well as a deepening tune-up of meditation and breath work. I’ve been starting my day with a cup of coffee and a 15-20 minute SoundSelf session, and often end the day with 40 minute one.
I feel relaxed and clear for the whole day from this, and it is nurturing something deep in me.

SoundSelf is labelling itself as “a technodelic” and that seems like the best way to describe this unique new experience (in the VR domain): somewhere between an old-school Winamp-like sound visualisation and a psychedelic experience.

I highly advised you try it, not in the least as it gives a taste of meditation and/or psychedelics, while keeping legal wherever you are ;-).

A long history with SoundSelf

I’m a huge, long-time fan of SoundSelf: when way back in 2016 I heard about this VR-generated almost-psychedelic software being in its alpha stages, I bought a Kickstarter Oculus Rift CV1 setup just to experience this myself.

From that moment on I’ve been ‘playing’ SoundSelf from that “I’ve got something cool” demo phase, through the kickstarter phase in 2017, to a chance meeting with Robin in 2019 where I got to tell him I bought the Oculus for the experience and he told me he wrote it, to investing in Andromeda Entertainment to bring this to the world, to now the big launch into the wide world in April 2020.
So you could say I’m quite invested and experienced in SoundSelf.

‘Game play’

Starting menu

‘Play’ is simple: start SoundSelf, sit or lay back, and tone (drone ‘ooooohhhhhmmmm’).

Full session (unedited)

A SoundSelf session is both a very relaxing zone-out self-care moment for me, as well as a deepening tune-up of meditation and breath work. I’ve been starting my day with a cup of coffee and a 15-20 minute SoundSelf session, and often end the day with 40+ minute one.
I feel relaxed and clear for the whole day from this, and it is nurturing something deep in me.

If I go more meta, games like these are of course a way to enjoy an experience and a story, but also a way nurture and grow something inside me (Robin is saying similar things in interviews). This one is teaching me to take time for myself, to do active breath and toning meditation, and surrender into quiet one-ness.


There is research showing SoundSelf helps go into medium altered states [1]. My experience is not a full blown psychedelic experience, but there is definitely a losing my default mode network/ego, and relaxing into the quieting down from the toning and breathing (vagal nerve stimulation).
It definitely is also a good breath exercise.

I’ve been making recordings using the Muse as brainwave measurement device, but it is quite a bit of data so I’ll analyse them later.
Quick and dirty measurement using the Muse in normal meditation mode does show way more neutral and calm then in normal state, and obviously more activation than in the Zen no-mind meditation that Muse aims you towards.

Quick and dirty measurement with the Muse: mostly neutral

Practicalities: VR headset not needed

A frequent question I get from people wanting to experience SoundSelf, is whether you need to have VR goggles?
The answer is simply: no.

But… the more immersive you can make it, the better.
So ideally you set yourself up such that:

  • The visuals take up as much as possible of your visual field: use a big screen or projector, sit close to it, have the surrounding visual side be dark and non-distracting.
  • You can relax into the sensation, ideally recline back a bit or completely.
  • You can feel the base. The audio needs to play on a headset, but a body-shaking subwoofer is a great addition. I have a SubPac that works great for it, but I guess that if you keep it to the low tones, an external subwoofer will work too.
  • If you consider getting a VR headset for this (like I did), consider the HTC Vive (or presumably even better because of the bigger field ov view: the Steam Index), over the Oculus Rift, as the newer headsets have less screen door effect and more pixels.

Practicalities: Running on MacBook

The visualisations are fairly CPU and GPU intensive, so even though it works on MacBook, it really needs a recent high-end one.
Currently there is a strange quirk with the microphone and the access control on it by MacOS. This means that if SoundSelf does not ‘hear’ your microphone, try not starting it via Steam but directly start the application. You can tell you are starting it the right application if you see SoundSelf green eye icon, not the blue Steam gear.
On the MacBook you’ll want to disable the ‘strobing’ feature, as the lower frame rate makes it look bad.

(more to come) More here

Fun experiments with Pilot FriXion ink

I have been really enjoying the Pilot FriXion 4-colour pen to make notes and graphs. The pen not only has a 0.5mm fine tip in 4 colours, but the FriXion also allows “erasing” the text by friction.

This is not happening by abrasion like pencils are erased, but by heating up the ink.

Wrote the text
Erased the E and A (note that the camera is a lot better at seeing the “erased” text than the naked eye is, in person this seems erased)

I read in a review of the pen that someone left the pen in the sun in the car and now the ink was blank as one would expect. But there was a response suggesting leaving the pen in the freezer “to restore the ink” which was surprising.
So I thought about trying it out and put the paper in the freezer and lo and behold it indeed came back:

After a night in the freezer

In the Ophan X book “Out of the Dark” (by Gregg Hurwitz) the bad guy makes his notes with a FriXion pen and “destroys” these by using a microwave. As in the story, a part stays legible, just like my attempt:

“Erasing” by putting the paper in the microwave.

However, besides just increasing the contrast like my phone does, all Orphan X had to do was put it in the freezer and…

And recovery with ten minutes in the freezer.

More on the background of the chemistry can be found for example here.

Fun stuff.

Showing off Bodhi Bhavan with a drone

I was at a seminar at the Bodhi Bhavan space in Portugal, near Faro, with my drone. Pretty shots came from that!

Kaya is seeing the drone off.
This is showing the main house below, the pool being dug, and up the hill the seminar room.
During the night is is spectacular too.
With the lights on and Kaya and Julia in the room, it looks even prettier.
Daylight view showing the environment better.

Some of these videos are also up on youtube.

RFID blockers have very limited use

I keep seeing these “RFID blockers”.

Anti RFID skimm device
Anti RFID skimm device

RFID blockers improve your security only a bit as contactless skimming is a high-risk/low-reward attack for the attacker: Contactless credit cards and electronic IDs reading distance is max ±25cm so about ±10 inches in lab conditions with 500+Watt amplifiers (this is the kind of power that causes sparks to fly!).
If you can get reading distance up to half that reliably in real world situations, you we can make a lot of money selling your skills in the reader market.

For this attack to work, someone needs to be basically rubbing up to you to talk to your card.
In the case of electronic IDs (eIDs) like passports, driver’s licenses, ID cards, that follow international ICAO norms (i.e. any European one, Americans only since a few years), that still doesn’t get the attacker anything: to talk to the chip requires some information from the front side of the card: the 3-4 lines of computer-readable text at the bottom of your passport. (In case you want to know, this is called the Machine Readable Zone (MRZ)).
Basically: you need to optically read the eID before you can electronically read it, i.e. you are already handing it over to them (ID checks at airports, rentals, hotels).

In the case of contactless credit cards, the story is a bit more complex, as it depends on what your issuing bank has configured the card for (they have a dozen or so parameters they can choose).
In general, transactions up to $25-ish to an overal total of $150-ish don’t require a PIN (for the tap-and-go payment of coffees).
As the electronic transactions with these credit cards are one-time and only-with-that-shop, a pair of attackers would need to pull of the following to pay with your card, in what I call a “contactless extension cord” attack or is often called “virtual pickpocketing”:

  1. Attacker A dry-humps you to get his card reader within those ±5 inches of your card, and
  2. Attacker B, at that exact same time, is physically at a shop with a card emulator, and about to pay to max that limit that we are talking about (i.e. max 5x$25-ish product).

This exposes both Attacker A and B to being physically caught, for $25-150 of stuff that still needs to be fenced at a much lower return value.
There are lower-risk and higher-reward kind of attacks you can do as a criminal :-). 

That said, if you want to get protection, consider adding a layer of aluminum foil in your existing wallet (reduces the read distance to 1-2 inches) or combine with the practicality of a compact wallet like Secrid.

With kind regards,

Sinterklaas is the only real one!

Let it be known, that I am of the firm opinion that the only real celebration of the mind expanding properties of psychedelic mushrooms saint that rewards the good and punishes the bad, is the Dutch Sinterklaas, not this imposter Santa Clause.

As one of my math professors convincingly argued in a time I was still quite impressionable:

  1. 17+ Million clear headed Dutchies can not be wrong. All those cola-advertising-indoctrinated ones can.
  2. Sinterklaas is on December 5th, Santa Clause is December 25th. Clearly the first is the first.
  3. If that is not convincing, Sinterklaas existed before the American culture that promotes Santa Clause existed. Again, the first is clearly the first, is clearly the correct one
  4. The elder Sinterklaas spends his off-time in a warm climate (Spain). The elder Santa Clause goes and hides on the North pole icecap. If you could fly anywhere anytime at several times faster than the speed of sound (to deliver all the packages), without breaking the sound barrier, and you were an older gentleman, where would you go?


Categories: Fun