Governments around the world are releasing Covid-19 tracing apps. Despite their laudable goal of slowing the spread of the pandemic and accelerating the return to normality, they have, predictably, arrived amid controversy. As its name suggests, a “tracing” app raises questions about the threat to citizens’ privacy and security. In this post we go through 20 of the questions most frequently asked about the use of these apps.
1. What is the purpose of these apps?
The aim of these apps is to stop the spread of the virus. Until now the procedure was different: infected people were interviewed and asked about the people they had been in contact with. Once identified, those contacts were told to quarantine or were given priority for diagnostic testing. This manual method also raises privacy issues, and it is error-prone (it relies on the patient’s memory), extremely costly in time and personnel, and limited to the contacts the infected person is able to identify.
2. How do infection tracing apps work?
It depends on each individual app, but in general they all work by constantly broadcasting short-lived, random-looking Bluetooth codes. At the same time, they listen for the phones around them, recording the codes of any other phone found within a certain range and for how long they were in contact. For example, within a radius of 2 metres for 10 minutes.
When a health authority confirms that a user is infected, their app uploads to a server the keys from which its codes of the last two weeks were derived. Every other app downloads that list, regenerates the codes and compares them with the ones it has stored locally. If there is a match, the app tells its user that they may have been exposed and explains the steps to follow: quarantine, a diagnostic test, or whatever the health authority decides.
The system uses Bluetooth LE, not GPS, is completely optional, collects no location data from users, and uploads nothing from anyone who has not received a positive Covid-19 diagnosis.
3. What do Apple and Google have to do with this?
On April 10, Apple and Google surprised everyone by announcing a partnership to build a Bluetooth LE (Low Energy) based contact tracing technology into the iOS and Android operating systems. Each country can develop its own contact tracing application on top of the functions exposed by the Apple and Google APIs and platform. Both companies developed this technology to make it easier for governments around the world to create infection tracing apps, should they wish to.
4. Why do these apps use Bluetooth LE and not GPS?
A GPS-based app would record where a person was at every moment, which would be a serious threat to privacy. In contrast, Bluetooth exchanges happen directly between phones, without recording the place where the proximity occurred, and this also makes a decentralised design possible.
In addition, Bluetooth LE gives a better estimate of functional proximity in the environments where the risk of transmission is highest: inside buildings, in vehicles and aircraft, on the underground, and so on. In principle, received signal strength combined with the phone’s own sensors (whether it is inside a bag or pocket, stationary or moving, and so on) could even help tell whether two people within 2 m of each other are separated by a partition, although, as question 7 notes, this estimate is far from reliable.
5. To what extent will my privacy and security be threatened if I install these apps?
It is hard to know, because each country, and even each region within a country, will develop its own app, whether or not it is built on the Apple and Google platform. About 300 scientists and researchers from all over the world have signed a statement proposing the following principles, which any such app should adopt:
- Contact tracing Apps must only be used to support public health measures for the containment of COVID-19. The system must not be capable of collecting, processing, or transmitting any more data than what is necessary to achieve this purpose.
- Any considered solution must be fully transparent. The protocols and their implementations, including any sub-components provided by companies, must be available for public analysis. The processed data and if, how, where, and for how long they are stored must be documented unambiguously. Such data collected should be minimal for the given purpose.
- When multiple possible options to implement a certain component or functionality of the app exist, then the most privacy-preserving option must be chosen. Deviations from this principle are only permissible if this is necessary to achieve the purpose of the app more effectively, and must be clearly justified with sunset provisions.
- The use of contact tracing Apps and the systems that support them must be voluntary, used with the explicit consent of the user and the systems must be designed to be able to be switched off, and all data deleted, when the current crisis is over.
For their part, Apple and Google state that user privacy is an essential requirement of their specification:
- The user’s location is not required: any use of location will be optional. If an app needs access to the device’s geolocation, it must obtain express consent.
- Proximity identifiers will change every 15 minutes, making it much harder to follow a person by listening for their Bluetooth broadcasts.
- Proximity identifiers will be exchanged only between devices and will never be uploaded to the cloud.
- The user decides whether or not to take part in the initiative.
- The user must consent before being reported (always anonymously) as a person infected by Covid-19.
We will have to wait for the apps deployed by the various governments to assess if they comply or not with these guidelines.
6. How effective will these apps be in curbing the pandemic?
According to an analysis carried out by researchers from the Covid-Watch project, contact tracing applications need to be used by 50 to 70 percent of the population. Otherwise, symptomatic people would not know where they got the virus and asymptomatic people would continue to spread it unknowingly. As a reference, in South Korea only 10% of the population used the official app.
Even with Apple and Google behind these applications, their penetration will be lower than one might expect. According to analysts at Counterpoint Research, about 1.5 billion people use basic phones that run neither Android nor iOS and lack a Bluetooth LE chip. Likewise, owners of smartphones more than five years old will not be able to install these apps because of hardware or operating system restrictions.
For his part, Bill Gates rightly points out in a recent blog post that: “One limitation is that you don’t necessarily have to be in the same place at the same time to infect someone—you can leave the virus behind on a surface. This system would miss this kind of transmission.”
Finally, contact tracing, however effective, is useless without mass diagnostic testing, which is still scarce, expensive and slow. Diagnosed individuals also need the economic freedom and the space to quarantine. And many older or low-income people, precisely those who may be at greatest risk, are the least likely to own a smartphone capable of running these apps.
7. When the app warns me that someone who was near me has been infected, what guarantees do I have?
Clearly, users cannot be allowed to self-report an infection: the system would then be open to all kinds of errors and abuse, from users who misjudge their own health to trolls flooding the system with false positives. A positive diagnosis must therefore be confirmed by a competent medical or public health authority before the app will accept it.
Other false positives will come from the limits of distance estimation over Bluetooth LE: received signal strength cannot tell whether a panel, partition or wall stood between two phones.
Like any detection system, tracing apps will have false positives and also false negatives: from transmission via surfaces to contact with people who have no smartphone or who chose not to activate tracing.
8. If the app warns me that I am close to an infected person, what should I do?
Each country will decide how you will be alerted: through a call, a message, or a notification on your smartphone. From there, you may be advised to quarantine, visit a health centre or hospital for testing, or other options depending on your territory.
9. What personal data will the apps share and with whom?
These schemes are designed not to upload any data from most users (the uninfected ones), only the anonymous keys of infected people. Even so, a user who reports an infection must necessarily upload something to the server, and however anonymous that payload is, the upload itself leaves a trace, such as the IP address of the phone. Whoever runs that server, probably a public health institution, could therefore link the uploaded keys to a phone and, through its IP address, to an approximate location and potentially an identity.
Likewise, the proposals set prudent retention limits for that information and advise against storing communications metadata, but these are recommendations aimed at server operators rather than guarantees enforced by the protocol itself.
10. Who will know if I have been infected?
When an individual voluntarily shares their diagnosis, their app uploads to a server the keys used during the previous 14 days. Every app downloads that list from the same server and checks it against the codes stored locally. Therefore, leaving aside the correlation attacks described in question 19, nobody will know that you have been infected except, obviously, the health authority that diagnosed you.
11. What app will be suggested in Spain?
Apparently, the Secretariat for Digitalisation and Artificial Intelligence is committed to a decentralised system such as the one recommended by the EU. Initially Spain joined Pepp-PT, but that consortium has since backed away from part of its original commitment and now favours a centralised system.
12. When will it start to be used?
It depends on the country. In Spain, it was launched on Monday 11 May (Asistencia Covid-19 app).
13. Am I forced to use these apps?
At the moment, you are not. As we have seen, the effectiveness of the system depends on mass adoption, so at least around 60% of the population would need to use it for the system to work. Each citizen will weigh the public good against their own privacy when deciding whether or not to use it.
14. If I have the app installed, will anyone be able to trace my movements?
In principle, they will not, since contact tracing apps are based on Bluetooth LE rather than GPS. We say “in principle” because a government’s app could add its own GPS collection, but that would be the developer’s choice and lies outside what the Apple and Google platform, or other initiatives such as DP3T, provide. In any case, unless their servers are compromised, whatever data is collected is available only to the public health authorities.
15. There are a lot of infection-tracing apps coming out all over the world, are they all the same?
No, they are not. They are all based on Bluetooth and follow more or less the scheme described above, but they differ in who controls the data on the servers and in how much personal information is stored there. The versions that protect privacy most zealously upload only the keys generated by the devices, which are not personally identifiable (except through the complex attacks described below). In other versions, the apps also upload the user’s complete personal profile: name, age, address, identification number, and so on.
Recently the TCN Coalition was formed, a global coalition to define a shared protocol for digital contact tracing in the fight against Covid-19. Its aim is to join forces on an open protocol that multiple applications can use to curb the pandemic while preserving privacy.
16. Do these apps breach data protection regulations?
According to the European Commission’s press release: “They should be fully compliant with the EU data protection and privacy rules, as put forward by the guidance presented today following consultation with the European Data Protection Board.”
17. When the pandemic is over, may I be traced?
This is a difficult question to answer. Jaap-Henk Hoepman, professor of Digital Security at Radboud University Nijmegen (Netherlands) and head of the Privacy & Identity Lab, is not sure either, as he writes on his blog. For him, the danger of this kind of system lies not in the “back to normal” phase it is meant to support, but in everything that could come afterwards, once such a mechanism is built into our mobile phones:
- The police could quickly see who has been close to a murder victim: simply report the victim’s phone as being ‘infected’.
- Some might say this is not a bug but a feature, but the same mechanism could be used to find whistleblowers, or the sources of a journalist.
- A company could install Bluetooth beacons equipped with this software at locations of interest. By reporting a particular beacon as ‘infected’ all phones will report that they were in the area.
- If you have Google Home at home, Google could use this mechanism to identify all people that have visited your place.
- Jealous partners could secretly install an app on the phone of their significant other, to allow them to monitor who they have been in contact with. Overzealous parents could use this to spy on their children.
18. How does the cryptography of these apps work?
From a more technical perspective, the cryptography varies from one app to another, but they all follow similar steps:
- When the app is installed, a unique key is generated on the device using its random number generator. It must be unpredictable and impossible to reproduce, since privacy and anonymity rest on it, and it is stored locally in the device’s secure storage.
- From that first key a daily key is derived, regenerated every day.
- While Bluetooth is enabled, the phone broadcasts a proximity identifier in the protocol’s advertising packets. Phones within the predefined range exchange these identifiers with each other. They change every 15 minutes and are derived from that day’s daily key.
- The identifiers sent and received are processed and stored locally only.
- If the owner of a phone is diagnosed as positive, the health authority issues a one-time permission number.
- The user sends the permission number, together with the daily keys of the last 14 days, to the public server.
- If the permission number is valid, the keys are stored in the database and distributed to all other phones.
- Each phone regenerates the identifiers from the published keys and compares them with its own history. A match means it was near an infected person, and the user is given instructions on what to do next.
19. What attack scenarios can be designed to bypass protection measures?
There are several attacks that could disclose the identity of users diagnosed as positive. Fortunately, in a decentralised architecture the attacker has to observe each target individually, which is laborious and greatly limits the scale of such attacks.
For example, an attacker could use a camera to record the face of everyone walking past while logging the Bluetooth identifiers broadcast by their apps. If one of those passers-by later reports positive, the attacker’s app receives that person’s keys from the server like every other app, regenerates the identifiers and matches them against the ones logged at the moment the person walked past the camera, thus putting a face to a positive diagnosis.
Another version of this correlation attack would allow commercial tracing: an advertising company could place Bluetooth beacons in shops at street level that collect the contact tracing codes issued by customers who visit them. The company could then use the public health application to download all the keys of the people who are later diagnosed with Covid-19 and generate all their codes from the last two weeks. That method could hypothetically determine which trace of codes represented a single person and follow them from store to store.
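The scheme from questions 2 and 18, and the correlation attack from question 19, as an added example in Python. This is illustrative code written for this post, not the Apple and Google implementation or any government’s app: the HMAC-SHA256 derivation, the 16-byte identifiers, the 15-minute exposure threshold, the `Phone` and `HealthServer` classes and the constructed Alice, Bob and Carol scenario are all assumptions, and the real specifications differ in detail.

```python
# Illustrative decentralised exposure-notification scheme written for this post.
# Assumptions: HMAC-SHA256 as the KDF, 16-byte identifiers, 15-minute rotation,
# a 15-minute exposure threshold and a one-time permission number per diagnosis.
import hashlib
import hmac
import os
from collections import defaultdict

INTERVAL_MINUTES = 15                              # rotation period quoted in the post
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES    # 96 identifiers per daily key
EXPOSURE_THRESHOLD = 15                            # minutes of contact before alerting


def daily_key(device_key: bytes, day: int) -> bytes:
    """Daily key derived from the install-time device key (assumed KDF)."""
    return hmac.new(device_key, b"DAILY" + day.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def proximity_id(dkey: bytes, interval: int) -> bytes:
    """Rolling proximity identifier broadcast during one 15-minute interval."""
    return hmac.new(dkey, b"RPI" + interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def ids_for_day(dkey: bytes) -> dict:
    """Every identifier a published daily key expands to, mapped to its interval."""
    return {proximity_id(dkey, i): i for i in range(INTERVALS_PER_DAY)}


class Phone:
    def __init__(self):
        self.device_key = os.urandom(32)   # generated at install; never leaves the phone
        self.seen = defaultdict(int)       # identifier -> minutes of contact, local only

    def broadcast(self, day: int, interval: int) -> bytes:
        return proximity_id(daily_key(self.device_key, day), interval)

    def record(self, rpi: bytes, minutes: int) -> None:
        self.seen[rpi] += minutes

    def diagnosis_upload(self, today: int) -> list:
        """Only the last 14 daily keys go to the server, never the identifiers seen."""
        return [(d, daily_key(self.device_key, d)) for d in range(today - 13, today + 1)]

    def exposure_minutes(self, published: list) -> int:
        """Expand each published key locally and sum contact time with any matches."""
        return sum(self.seen.get(rpi, 0) for _d, dkey in published for rpi in ids_for_day(dkey))

    def is_exposed(self, published: list) -> bool:
        return self.exposure_minutes(published) >= EXPOSURE_THRESHOLD


class HealthServer:
    """Accepts uploads only with a one-time permission number issued by the authority."""
    def __init__(self):
        self.permissions = set()
        self.published = []

    def issue_permission(self) -> str:
        code = os.urandom(8).hex()
        self.permissions.add(code)
        return code

    def submit(self, code: str, keys: list) -> bool:
        if code not in self.permissions:
            return False               # self-reports without a diagnosis are rejected
        self.permissions.remove(code)  # single use, so one code cannot flood the list
        self.published.extend(keys)
        return True


def link_sightings(beacon_log: list, published: list) -> dict:
    """Correlation attack: a beacon operator who logged identifiers with the place
    re-derives them from the published keys and rebuilds the trail of everyone who
    later tested positive. Users whose keys are never published stay unlinkable."""
    trails = defaultdict(list)
    for _d, dkey in published:
        table = ids_for_day(dkey)
        for rpi, place in beacon_log:
            if rpi in table:
                trails[dkey.hex()].append((place, table[rpi]))
    return dict(trails)


def scenario() -> dict:
    day = 18000                        # constructed day index
    alice, bob, carol = Phone(), Phone(), Phone()
    server = HealthServer()
    # Alice and Bob spend 20 minutes together (intervals 40 and 41); Carol never meets Alice.
    for interval in (40, 41):
        bob.record(alice.broadcast(day, interval), 10)
        alice.record(bob.broadcast(day, interval), 10)
    carol.record(bob.broadcast(day, 50), 5)
    # Two shops run logging beacons; Alice visits both, Carol only the second.
    beacon_log = [(alice.broadcast(day, 40), "shop-A"),
                  (alice.broadcast(day, 60), "shop-B"),
                  (carol.broadcast(day, 60), "shop-B")]
    # Alice is diagnosed: a forged code is refused, the issued code works exactly once.
    forged = server.submit("deadbeef", alice.diagnosis_upload(day))
    code = server.issue_permission()
    accepted = server.submit(code, alice.diagnosis_upload(day))
    replay = server.submit(code, alice.diagnosis_upload(day))
    return {"forged_accepted": forged, "accepted": accepted, "replay_accepted": replay,
            "bob_minutes": bob.exposure_minutes(server.published),
            "bob_exposed": bob.is_exposed(server.published),
            "carol_exposed": carol.is_exposed(server.published),
            "trails": link_sightings(beacon_log, server.published)}
```

Running `scenario()` shows both sides of the design: Bob is alerted with 20 minutes of contact and Carol is not, because only Alice’s keys were published, while the beacon operator can reconstruct Alice’s visit to shop-A and shop-B from exactly those same published keys, and learns nothing about Carol. The permission number is what stops self-reports and replays from flooding the list.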
Because the system infers exposure from both the duration of contact and the proximity of the devices, an attacker could use a hardware amplifier to make their broadcasts reach well beyond the intended range, so that users who were never physically close enough to be infected would still be notified if that attacker later tested positive.
Perhaps the most serious issue lies in the design of the apps themselves rather than in potential attacks. As cryptographer Moxie Marlinspike, developer of the cross-platform encrypted messaging service Signal, argued on Twitter after Apple and Google’s announcement, under the initial description of their API each phone would have to download every day the keys of every person newly diagnosed with Covid-19, which quickly adds up to a significant amount of data: “If moderate numbers of smartphone users are infected in any given week, that’s 100s of MBs for all phones to DL.”
One argument in favour of a centralised system is that the apps could narrow down which keys each phone needs to download by collecting GPS location data and sending users only the keys relevant to the area they move in.
In this case, Google and Apple point out that if a location-tracing application wants to use GPS, it must first request user’s permission, as any application does.
20. Why did Apple and Google modify the name of their proposal?
In their new release of April 24, Apple and Google no longer call their system “contact tracing” but “exposure notification”, because they believe this term better describes what the proposal offers. According to them, the purpose of the tool is not to “trace” users but to “notify” them of a possible exposure to a person infected by coronavirus. To determine the level of exposure, the software can estimate the proximity between devices and the duration of the exposure, capped at 30 minutes.