COVID-19 contact tracing just dropped on Android/iOS - Security Boulevard

SBN COVID-19 contact tracing just dropped on Android/iOS

COVID-19 contact tracing has rolled out to all Android/iOS devices this week. In other words, big tech just dropped a change to your OS without any real notice/consent.

On iOS go to Settings -> Health -> COVID-19 Exposure Logging (screenshots at the end).

On Android go to Settings and you will find a Google option:

Under Google settings, you now can select COVID-19:

There you will find that Google needs both Bluetooth and location tracking to be enabled, although they claim while location data needs to be collected, it also won’t be collected:

Confused? You should be. Bluetooth is a terrible protocol for tracing contact as it just reads everyone’s MAC addresses. It’s being used because other options are not as easy to violate for a clumsy contact tracing agenda.

There are two problems in Bluetooth, both related to privacy:

  1. Before Bluetooth version 4.2 the MAC addresses were static, which was a major privacy issue (and exploited by law enforcement using widely systems like Bluetooth Travel Time Origin and Destination (BlueTOAD), as I’ve spoken about publicly many times). After Bluetooth version 4.2 the devices started to use rolling MAC addresses for privacy protection. Google and Apple have designed their system to overcome this privacy benefit, by issuing everyone a set of tokens that can be mapped back to the device.
  2. Aside from privacy getting in the way, Bluetooth also doesn’t record accurate distances. Strength of signal isn’t a reliable measure, given all kinds of interference variables. Thus Apple and Google have included location to overcome this privacy benefit, by recording distance using location.

It appears incredibly disingenuous to both claim this system isn’t violating your privacy as it has been designed entirely on ways to violate two fundamental privacy protections.

Also while technology companies may lay claim that location data never will be shared, the entire point of their system is to inform some unnamed/unknown officials of spread of infections by location. Not valid and qualified scientists, though, because Apple and Google say they will not serve the most deserving community members who are positioned to make best use of pandemic data.

If you’re a virologist or epidemiologist arguing that you need data to fight the spread of infection inside your country, you’re out of luck. Apple and Google have said no.

That’s what I call clumsy.

Finally, in terms of general trust, adoption of this system needs to be really high to be effective. Some estimates are at least 70% of people (not just phone owners) have to be in the contact tracing system to make it worthwhile.

And yet they pushed a significant update to the OS without any local notice/consent (just blog posts like this one), as if the U2 crash didn’t teach them a thing.

The music suddenly appeared on 500 million iTunes accounts. Shortly after came the backlash and, with it, a story of what may have been the most expensive gaffe in Apple’s history — upwards of $100 million…

This is the sort of top-down centralized approach with no real discussion of social contract that probably makes 90% want to throw their phone in the toilet.

Ironically, America is so far behind on COVID-19 science and engineering, it’s rolling out mobile phone software just as Singapore (a global leader during this pandemic response) has abandoned the same.

Singapore’s Bluetooth-based contact tracing app TraceTogether was the first of its kind, intended to log potential exposure events without violating the privacy of participants. As with all of the efforts of this nature, voluntary adoption by the public was key to success. TraceTogether struggled in this area due in no small part to technical issues that hampered the usability of phones. The government has gone back to the drawing board and come up with a new answer: a contact tracing wearable that remains offline as it logs close contacts, only making that data available when a medical professional makes a coronavirus diagnosis and requests access to the device.

The wearable does leverage Bluetooth, to be fair, but it’s a whole different model with dedicated hardware for medical professionals to access.

It didn’t have to be this way. Engineers at the largest tech firms in the world, paid the highest salaries in the world, could have started at the point Singapore has just now reached — a personal/decentralized system that works directly with medical professionals only.

Instead Apple and Google have built a thing nobody should want: a forced update in their OS to serve mostly an Apple and Google agenda that has apparently little or no accountability to them when it’s misused or even abused. Compare and contrast these two stories, for example:

Or consider that, while Apple and Google insist they aren’t writing the apps that will use their “framework”, early studies already indicate that leaves open a lot of room for abuse:

…50 apps available in the Google Play Store that have been developed specifically for COVID-19…researchers classified nearly half as informational tools, roughly a third as tracking tools, 10% as assessment tools and 8% as scientific research apps…

Apple screenshots:

*** This is a Security Bloggers Network syndicated blog from flyingpenguin authored by Davi Ottenheimer. Read the original post at: