Apple and Google Will Track Infected With Coronavirus via Bluetooth. What About My Privacy?
Posted on 04-16-2020.
Tech corporations Apple and Google are going to develop an API solution to trace contacts of infected people and notify potential carriers of the disease about the need for self-isolation. The solution is meant to be used together with applications from unnamed healthcare providers.
Independent researcher Andrey Tukmanov explains how Apple and Google’s coronavirus tracing solution is supposed to work and whether it threatens user privacy.
COVID-19 Contact Tracing Technology Overview
The solution is based on Bluetooth technology: phones remember devices around them and refer to this history if a new case of infection appears. For as long as the user hasn’t contracted the disease, the history is stored locally on their phone. If there’s a positive COVID-19 test result, the person’s identifiers are published. Each app checks back with its own list and notifies the user if they have encountered an infected person during a given period of time.
The companies stress that the apps don’t use geolocation data. User ID is anonymous and a new one is generated every 10 minutes. All this is meant to make it harder to spy on users.
A device with the app stores a 256-bit random unique identifier called a tracing key. This key is created once and is bound to a particular device. The technical documentation doesn’t have a protocol for changing the ownership of the device.
Every 24 hours, a new 128-bit key is generated called a daily tracing key. It is calculated by the HKDF algorithm and depends on the tracing key and the day number, which is a number derived from Unix Epoch Time.
Given the tracing key, the daily tracing key for any day can be calculated. The HKDF algorithm allows the use of randomness to eliminate this relation, but the protocol states that all keys are deterministic. The reverse operation is impossible. The key is calculated using the SHA256 hash function.
Every 10 minutes, a new 128-bit rolling proximity identifier is calculated using the HMAC algorithm. This number depends on the daily tracing key and the time interval number, which is a number assigned to each 10-minute interval within the 24-hour window defined by the day number.
If the user contracts the disease, they send a set of their daily tracing keys for a certain period. A server aggregates the keys from different senders and periodically sends out notifications to users connected to the API. The server doesn’t keep the information on healthy users and can only access the keys of infected users generated in a set period of time.
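The key hierarchy and the matching step described above, as an added worked example (not code from Apple, Google or the article): a 256-bit tracing key, a daily tracing key derived from it with HKDF-SHA256 and the day number, a rolling proximity identifier derived from the daily key with HMAC-SHA256 and the 10-minute interval number, and a client that regenerates the identifiers behind a published daily key and intersects them with what it saw. The label strings (CT-DTK, CT-RPI), the integer encodings and the timestamp are assumptions made for this illustration, not values taken from the page.

```python
import hmac
import secrets
from hashlib import sha256

SECONDS_PER_DAY = 24 * 60 * 60
INTERVAL_SECONDS = 10 * 60
INTERVALS_PER_DAY = SECONDS_PER_DAY // INTERVAL_SECONDS   # 144 intervals per day

# Assumed label strings for domain separation; the page does not give the real ones.
DTK_INFO = b"CT-DTK"
RPI_INFO = b"CT-RPI"


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) on SHA-256: extract a PRK, then expand it to `length` bytes."""
    if not salt:
        salt = b"\x00" * sha256().digest_size
    prk = hmac.new(salt, ikm, sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def day_number(unix_time):
    """Day number: whole days since the Unix epoch."""
    return unix_time // SECONDS_PER_DAY


def time_interval_number(unix_time):
    """Index (0..143) of the 10-minute interval within the current day."""
    return (unix_time % SECONDS_PER_DAY) // INTERVAL_SECONDS


def generate_tracing_key():
    """256-bit tracing key, created once per device from the OS CSPRNG."""
    return secrets.token_bytes(32)


def daily_tracing_key(tracing_key, day):
    """128-bit daily key: HKDF over the tracing key with the day number bound into `info`.
    No salt is used, so the derivation is deterministic: same key and day, same result."""
    info = DTK_INFO + day.to_bytes(4, "little")   # assumed 32-bit little-endian day number
    return hkdf_sha256(tracing_key, None, info, 16)


def rolling_proximity_identifier(dtk, tin):
    """128-bit identifier broadcast over Bluetooth: HMAC-SHA256 of the interval number, truncated."""
    return hmac.new(dtk, RPI_INFO + tin.to_bytes(1, "little"), sha256).digest()[:16]


def find_exposures(observed, published_keys):
    """Client-side matching. For each daily key uploaded by an infected user, regenerate
    all 144 identifiers that key could have produced and check them against what this
    device recorded. `observed` maps seen identifier -> day number it was seen;
    `published_keys` is a list of (day_number, daily_tracing_key)."""
    hits = []
    for day, dtk in published_keys:
        for tin in range(INTERVALS_PER_DAY):
            rpi = rolling_proximity_identifier(dtk, tin)
            if observed.get(rpi) == day:
                hits.append((day, tin))
    return hits


def demo():
    """One encounter with constructed keys and a constructed timestamp."""
    infected_tk = generate_tracing_key()
    t = 1586921100                                    # constructed: 2020-04-15 03:25:00 UTC
    day, tin = day_number(t), time_interval_number(t)
    dtk = daily_tracing_key(infected_tk, day)
    broadcast = rolling_proximity_identifier(dtk, tin)

    # A nearby device stores only the opaque identifier and the day it was seen.
    observed = {broadcast: day, secrets.token_bytes(16): day}

    # After a positive test the user uploads daily keys for a period, never the tracing key.
    published = [(day, dtk), (day - 1, daily_tracing_key(infected_tk, day - 1))]
    return find_exposures(observed, published)
```

The point to notice is which secret leaves the device: the client only ever learns daily keys, from which it can recompute that day's identifiers, but it cannot walk back to the tracing key or forward to other days, which is the irreversibility the text describes.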
To turn on the application, a user would have to give their consent both at the OS level and at the application level.
Official apps by healthcare providers are expected to come by May 2020. The names of the organizations participating have not been disclosed yet. After the rollout of the official apps, the API will be available to third-party developers.
It is likely that this solution will be integrated into corporate ecosystems, as both tech giants are actively building their healthcare platforms.
China was the first country to face the epidemic and local tech companies have already developed some solutions to fight the virus.
a color code system in Hangzhou and many other cities across China. A user registers via the app and gets a green, yellow, or red code. A green code grants access to things like the subway, while yellow and red codes require the user to contact the authorities.
There isn’t a lot of official communication about the inner workings of the system. Ant Financial, AliPay’s parent company, states that it is a third-party app integrated into its ecosystem. The system is being promoted by the administrations: subway staff simply turn back people without cellphones.
The authorities use the app in their propaganda but do not comment on the mechanics of the algorithms involved. It is likely that the app uses China’s social credit system. One may also assume that misuse of the app may negatively affect the user’s social credit.
The color code system is constantly changing and nobody knows the reason behind getting a yellow code for sure.
About half a million people have red or yellow codes. This is less than 2% of the 50 million people using the app.
The system is planned to be scaled up to cover the entire country. AliPay’s top competitor WeChat is also taking part.
It is possible that healthcare will become one of the main aspects of the super-apps that are so important in Asia. Still, the majority of countries don’t have such high-tech solutions, and the extent of surveillance seen in China may not be taken lightly abroad, leading to social and political instability.
Are There Similar Solutions? How Do They Work?
Since the beginning of the epidemic, a lot of apps and protocols have been developed to fight the virus.
The government of Singapore has already tested an app called TraceTogether. The app is based on the BlueTrace protocol and there are reference implementations for iOS and Android. The protocol uses IDs generated by a centralized service. There is an implementation that uses the Google Firebase cloud.
Privacy-oriented solutions are also being developed by independent groups supported by large universities. One such project is safepath, supported by MIT, which uses GPS and geohash systems to track contacts.
Another protocol called TCN also uses Bluetooth identifiers. The system involves several levels of IDs. Initially, a user keeps their primary secret (rvk). Each new key is calculated using the previous value and the primary secret. The published IDs are calculated as hashes of the temporary key and its number. If tested positive, a user publishes the first temporary key and its number. This solution requires less information to transmit the warning, but a user has to generate a new secret after publishing. This protocol is used by the CoEpi and COVID Watch projects. The latter combines the solution with GPS tracking via safepath.
The Swiss Federal Institute of Technology together with ETH Zurich and other European universities have already presented their DP-3T protocol. Zcash Foundation researchers compared the two protocols mentioned above. The main difference found was integrity verification, which is done better in TCN. This feature allows checking whether a report filed by an infected user is valid.
Meanwhile, Nodle, a blockchain-based IoT project developed by the creators of the anonymous messenger app FireChat, and Philip Milne, Ph.D., announced their own protocol called Whisper.
Currently, there are over 60 IT projects aimed at fighting the COVID-19 epidemic. Most of them were created during hackathons, the largest of which is WirVsVirus. The event took place on March 20th in Germany and was attended by more than 20,000 people.
The developers behind all these initiatives are facing similar problems. Some of these problems may be solved by the recent initiative by Google and Apple. Not all of them, though.
What Problems Did Developers Face?
When transmitting data over Bluetooth, the biggest problem is the battery drain.
Apple and Google use different approaches to energy efficiency. Earlier versions of iOS don’t support broadcasting by third-party apps.
Introducing tracing systems at the OS level and implementing a single API will make the development significantly easier and the resulting solutions more energy-efficient.
Most protocols imply looking for matches on users’ devices. But if the system were to be adopted globally, the number of reports from across the world would require significant processing power.
If the protocol doesn’t use geolocation, the client will have to check infection reports from all around the world.
The technical documentation mentions aggregating data on servers. Currently, there are multiple solutions for finding matches in large lists, the Bloom filter being the most well-known. Yet a Bloom filter can trigger false positives, which would require additional checks that are likely to take place server-side.
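The two-pass matching the paragraph above sketches, as an added example that is not part of the article or of any of the projects it mentions: the server compresses the published identifiers into a Bloom filter, the client screens its locally stored identifiers against it (a rejection is definitive, a hit is only a candidate), and the candidates are then confirmed against the exact list, which is the extra check the text expects to run server-side. The identifiers are constructed random 16-byte values standing in for rolling proximity identifiers; the sizing formulas are the standard ones for Bloom filters.

```python
import hashlib
import math
import random


class BloomFilter:
    """Bit array with k hash positions per item; answers "definitely not" or "maybe"."""

    def __init__(self, expected_items, target_fp_rate):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-expected_items * math.log(target_fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round((self.m / expected_items) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: k positions from the two 64-bit halves of one SHA-256 digest.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_published_filter(published_ids, target_fp_rate=0.01):
    """Server side: pack the identifiers reported by infected users into a Bloom filter."""
    bf = BloomFilter(len(published_ids), target_fp_rate)
    for rpi in published_ids:
        bf.add(rpi)
    return bf


def screen_locally(observed_ids, bf):
    """Client side, first pass: anything the filter rejects is certainly not a match."""
    return [rpi for rpi in observed_ids if bf.might_contain(rpi)]


def confirm_candidates(candidates, published_ids):
    """Second pass against the exact list; removes the filter's false positives."""
    exact = set(published_ids)
    return [rpi for rpi in candidates if rpi in exact]


def demo(n_published=20000, n_observed=500, n_true_matches=3, seed=2020):
    """Constructed scenario: random 16-byte identifiers stand in for proximity identifiers."""
    rng = random.Random(seed)

    def rand_id():
        return rng.getrandbits(128).to_bytes(16, "big")

    published = [rand_id() for _ in range(n_published)]
    # The client saw mostly unrelated identifiers plus a few that belong to infected users.
    observed = [rand_id() for _ in range(n_observed - n_true_matches)] + published[:n_true_matches]

    bf = build_published_filter(published)
    candidates = screen_locally(observed, bf)
    confirmed = confirm_candidates(candidates, published)
    return {
        "candidates": len(candidates),
        "confirmed": len(confirmed),
        "false_positives": len(candidates) - len(confirmed),
        "filter_bytes": len(bf.bits),
        "list_bytes": 16 * n_published,
    }
```

The trade-off is visible in the returned numbers: the filter is roughly an order of magnitude smaller than the raw list, so it is cheap to ship to every client, but a small fraction of unrelated identifiers pass the first screen and have to be re-checked, and wherever that re-check happens is where the client's observed identifiers end up being disclosed.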
All systems emphasize their care for users’ privacy. There are some questions, though.
Apple and Google claim that the data will be stored locally on users’ devices. But most of the clients create backups that can be accessed by adversaries or government agencies.
User IDs will be updated periodically but they remain publicly known. Users’ actual movement can be traced using statistical analysis.
When receiving a report, the system has to trust the sender’s data. An adversary can undertake a DoS attack and spread false records regarding the infection.
Since these results can put people in quarantine, such attacks may lead to delicate problems.
The protocols don’t lay out the principles of getting recommendations regarding the need for treatment and isolation.
While in China everything is decided by a centralized system, the proposed solutions put the decision into the user’s hands. We know too little about the spread of COVID-19, so the heuristics involved may turn out to be suboptimal.
Finding good rules will require data aggregation, which brings new questions about the privacy aspects of the suggested solutions.
In their announcement, the tech giants say nothing about how the apps will access certain functions and how the data will be separated.
The Bluetooth specification of the protocol mentions Service UUID but it’s not clear how it will be used.
Apple is also known to have faced trouble with German authorities because of the Near Field Communication (NFC) access restrictions introduced by the company.
The protocol by Apple and Google is a big step in the fight against the disease. But there are still questions of users’ privacy and the subsequent interpretation of the information acquired.
The next step will likely involve other large players joining the initiative to digitize the pandemic. This may still leave a chance for people’s privacy to at least remain where it is now, while the findings are used to build the predictive analytics needed for new, useful results.