COVID-19 Contact Tracing Apps Fight Privacy Fears

Governments around the world are introducing apps to help health officials trace contacts of people newly infected with the novel coronavirus. They work by recording whom you come close to—then alerting those people if you contract COVID-19.

But questions remain about how these apps will preserve privacy. And not just the apps themselves, but also the cloud services behind them.

DevOps Connect:DevSecOps @ RSAC 2022

The new breed of apps are decentralized, and they don’t even think about the phone’s location. In today’s SB Blogwatch, we work out how.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Uke. Orch. of GB.

Iffy Oz App? Bundesrepublikkehrtwende?

Strewth! What’s the furphy, ya galah? No wuckas, Brett Worthington is rapt—“Tracing app COVIDSafe released by Government to halt spread of COVID-19 in Australia”:

 People who download the app will be asked to supply a name, which can be a pseudonym, their age range, a mobile number and post code. [They] will be notified if they have contact with another user who tests positive.

Prime Minister Scott Morrison has flagged the app as being essential for Australia to be able to ease coronavirus-induced restrictions. … Using Bluetooth technology, the app “pings” or exchanges a “digital handshake” with another user when they come within 1.5 metres of each other, and then logs this contact and encrypts it.

If a person with the app tested positive to COVID-19, and provided they consent to sharing the information, it will be sent to a central server. … When a person deletes the app [they can] request for any information they have shared with the central server to also be deleted.

But people are the weakest link? Byron Kaye adds—“Australia will make it a crime to use coronavirus tracing data for non-health purposes”:

 Australia will make it illegal for non-health officials to access data collected on smartphone software to trace the spread of the coronavirus. … The federal government has said existing “social distancing” measures will remain until at least mid-May, and that its willingness to relax them will depend on whether people download the smartphone “app” to identify who a person with the illness has had contact with.

“It will be illegal for information to go out of that data store to any other person other than that for whom the whole thing is designed, and that is to support the health worker in the state to be able to undertake the contact tracing,” [said Morrison. He] also confirmed a local media report which said the data would be stored on servers managed by AWS, a unit of U.S. internet giant Amazon … but added that “it’s a nationally encrypted data store.”

Yeah right. No really, Simon Sharwood says—“regulation avoids ‘woolly’ principles in comparable cyber-laws, say lawyers”:

 The smartphone app follows the now-established practice of asking people to register their name, age range, phone number, and postcode, and create a unique identifier. That identifier is shared with other users of the app when they come into close contact with each other.

The app, available for Android and iOS, uses some code from Singapore’s TraceTogther app. … Law firm Gilbert & Tobin analysed the legal instrument that underpins the app … and offered the following commentary:

“It avoids the formula of broad discretions and ‘woolly’ principles which have characterised much of the telco data security legislation of the last few years.” … “You cannot – to use medieval plague language – be treated as a ‘leper’ because you have decided not to download the app.” … The determination includes what the firm calls a “keep out Home Affairs signpost” that means any investigation into the app’s use can only concern the determination, not possible breaches of other laws.

“The now-established practice”? Douglas Busvine und Andreas Rinke explain—“Germany flips to Apple-Google approach on smartphone contact tracing”:

 Chancellery Minister Helge Braun and Health Minister Jens Spahn said in a joint statement that Berlin would adopt a “decentralised” approach to digital contact tracing, thus abandoning a home-grown alternative that would have given health authorities central control over tracing data. In Europe, most countries have chosen short-range Bluetooth “handshakes” between mobile devices as the best way of registering a potential contact.

Germany as recently as Friday backed a centralised standard. … In their joint statement, Braun and Spahn said Germany would now adopt a “strongly decentralised” approach. … Germany’s reversal brings it into line with a proposal by Apple and Google, who said this month they would develop new tools to support decentralised contact tracing.

An open letter from hundreds of scientists published last Monday warned that, if the contact tracing data was centralised, it would allow “unprecedented surveillance of society at large.” [Also] centralised apps would not work properly on Apple’s iPhone because, for Bluetooth exchanges to happen, the device would need to be unlocked with the app running in the foreground

Decentralised … Bluetooth-based smartphone contact tracing operates by assessing the closeness and length of contact between people and, if a person tests positive for COVID-19, telling recent contacts to call a doctor, get tested or self-isolate.

But how can that possibly preserve privacy? This Anonymous Coward tries an analogy:

 Say you discover a new thing, something only you know, like say a made-up word I ask you to pick at random. … You can choose to tell that word to other people, or can choose to not tell anyone.

If you choose not to tell anyone … there is no magic … such that everyone else somehow knows that word you never shared with anyone. … That’s all this is, except your phone is remembering who came near you.

You can choose to give that out or not.

But it’s still GPS location tracking, right? Wrong, says Jimmy2Cows:

 [No] location data is required. The app just uses Bluetooth to pass unique identifiers to other apps within Bluetooth range.

If a user becomes symptomatic or infected they register as such, and their identifier is sent to other app users. Your app checks if you encountered that user’s ID, and alerts you if you did.

At no time is any location data consumed.

“At no time”? Matthew Robbins—@matthewrdev—has decompiled the Android app:

 The app is not obsfucated (scrambled); this means we can decompile it to a level almost as good as having the original source code. [It] looks to be written in Kotlin and uses Android building blocks like activities, services, broadcast receivers, RoomDatabase, Retrofit etc.

Data is stored locally in a SQLite database using the RoomDatabase API. This places collected data inside the apps internal storage. … This means data is secured using the operating system’s security mechanisms and is not accessible by other applications.

The data upload is authenticated by a One Time Pin request that is sent your mobile phone. … All data upload is through user consent only. … Data is transmitted via HTTPS to an AWS instance secured with a public/private key pair. … There is a cleanup task that automatically deletes all records after 21 days.

Everything in the #covidsafe app is above board, very transparent and follows industry standard. … It looks like the app is heavily based on OpenTrace (licensed as GPL3).

But still, The Central Scrutinizer can’t scrutinize the decentralized system:

 Still, given the [Australian] government’s atrocious track record in the digital domain and the lack of source code so far, I am not downloading it. They need to earn our trust, not take it as a given.

And StevieP ponders how the distance measurement could possibly work:

 Having worked in BLE bluetooth with beacons for a couple of years, I have yet to see a single person get anything reliable out of the RSSI (relative strength indicator). It is the dream we all have to be able to make Bluetooth beacons a reliable discovery product.

One minute a beacon is 5 metres away and the next it has magically moved to 15 metres. … With dozens of different broadcasting handsets rather than just a single beacon from one manufacturer … I am highly doubtful that this app will be reliable.

Meanwhile, Mike Cannon-Brookes cannons his way through: [You’re fired—Ed.]

 When asked by non technical people, “Should I install this app? Is [it] safe? Is it true it doesn’t track my location?” – say “Yes” and help them understand.

Remind them how little time they think before they download dozens of free, adware … games that are likely far worse for their data & privacy than this ever would be!

And Finally:

Uke lockdown

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: David Figuera (cc:by)

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 370 posts and counting.See all posts by richi