CovidSafe (Australia), TraceTogether (Singapore) and many other Bluetooth contact tracing apps are based on the same core components. This post looks at the privacy risks created by the Australian CovidSafe app, and whether those privacy risks are necessary to deliver the functionality. Is there a ‘big brother’ mentality driving the collection of data and creating privacy risks that are unnecessary?
I have seen several articles discussing ‘how the app works’, but these tend to read more like a brochure than an analysis. There is also a department of health Privacy Impact Assessment available online, which perhaps unsurprisingly, reads like a review of a product produced by the company that is trying to sell the product. In short, it does not look very closely at potential problems, and is more marketing oriented. Hence a review prepared to actually be critical.
Looking as an outsider: the privacy risks in the system arise from the fact that the entire system is based on others recording data about you, rather than you recording data about yourself. When you register, the central database records data about you, and whenever the app is running on your phone, it is broadcasting data for others to collect over Bluetooth. Using Bluetooth, and particularly using Bluetooth the way this app uses it (sending data to unpaired devices), introduces its own security concerns.
Some of the risks could be removed with no loss of functionality of the app, and these risks only seem to remain in the system to give a sense of power to those running the system. In fact the entire system seems to have its design compromised to allow for an easy move to a compulsory system, with compulsory testing and quarantine imposed on those identified by the system as ‘at risk’. If the system is to remain voluntary, there are far better track and trace solutions, with fewer privacy risks, and better ability to detect people at risk of infection who should get tested. Are these shortcomings all because of a big brother complex?
- The Risks
- Summary & Details of Risks
- The App
- Removing the registration Requirement
- A location based variant
- Privacy by Legislation?
- Big Brother Syndrome
- Conclusion: The Cost of the Problems
In summary, the risks are:
- An unnecessary registration process and database
- Possibly a carryover from a totalitarian thought bubble?
- Your App does not track you, but everyone else does
- There are more issues due to the Bluetooth requirements
Risk: Unnecessary Registration & Database
Simply put, the application, even being a Bluetooth based trace application, does not require registration, or a central database with user data. It is not necessary for this type of application to collect validated phone numbers, or to have a central database with data on each user. Registration does centralise the checking of contact history, which in turn gives government some big brother power, but unless there is a plan to make use of that big brother power, the database just attracts hackers.
If there was no central database, the system could only inform people when they should be tested via the app, leaving users to act on that advice. Adding the central database gives the government knowledge of which users need to be tested: a feeling of control for the government. However it seems unlikely the government would go further than informing the person they should be tested anyway, and if so the only thing that changes is that a user gets a text message from the government rather than an alert message through the app. Is the government really going to use force to ensure people get tested? If people were to be forcibly tested rather than given the choice, then there is a risk they would simply disable the Bluetooth on their phones to prevent the app tracking them.
All the trouble of registration and a database, to provide the government with power, even though it would seem unwise to ever wield that power.
The modification to run the system without a database is described below. It is not difficult.
Risk: Broadcast Data to Other People with CovidSafe.
If everyone is following the rules, as other copies of the CovidSafe app will, the only data recorded about you by others will have been rendered anonymous, and is of limited use to anyone without access to the central database.
For example, a chain of stores with a copy of the app in each store could gain data to determine which stores a person visits, and for how long, within a given two hour period, but to learn about patterns beyond two hours, they would need access to the central database.
From another single phone with the CovidSafe app, even with access to the central database, all that can be determined is when your phone was in range of that other phone. Although what can be learnt about you is limited, note that no access to your phone is required.
Risk: Broadcast Data Could Be Captured By Third Parties.
There are a variety of methods of Bluetooth surveillance, and a device that is broadcasting so that ‘handshakes’ can be recorded provides significantly increased opportunities for tracking.
The risk here is that the app broadcasts data to be collected by others, and any ‘other’ who collects this data, and records the location where they collected it, can potentially track you, and who you are with.
In other words, the exact risk the app was designed to avoid is still present. In fact this risk would be lower with an app that privately recorded your location, avoiding the need to broadcast information.
Removing the central database would not remove this risk.
Risk: The ‘Apple’ limitation is not an accident.
So why does the CovidSafe app provide less utility on Apple phones? Apple has been working on reducing the risk of people tracking you without your permission using Bluetooth. It is the measures Apple introduced to protect privacy that limit CovidSafe on Apple phones. Should Apple remove those protections?
Generally, in a world where so many people provide Facebook, Google, Amazon and Apple with so much information about their lives, it may be considered an acceptably low risk. However it is the exact risk Google and Apple have been working hard to block for fear of a backlash. It is also the reason why Google and Apple are against the CovidSafe type of app for track and trace, and instead are supporting apps providing greater privacy.
Risk: Surveillance of Bluetooth Broadcasting.
This article on ‘how stuff works’ explains Bluetooth surveillance, or how devices can be tracked through Bluetooth. In summary, if your Bluetooth device is broadcasting it can be tracked by others. Leaving your device discoverable keeps the device broadcasting. Of course, having an app that keeps your device broadcasting even when it is not discoverable produces the same risk.
CovidSafe Overview (note: more complete explanation below)
In summary, the CovidSafe app turns your mobile device into a beacon continually broadcasting an ‘I am here’ message to any device in range, and into a recorder for other people broadcasting their own ‘I am here’ messages. Instead of broadcasting your name (e.g. ‘Joe Bloggs is here’), the system gives you unique random IDs (e.g. ‘X23ZY4R is here’), with converting a random ID back to a person only possible with access to a central database. This enables any person/location to keep a log of which IDs come near them, with access to the central database required to map those IDs to individuals.
Initial Registration: When the app is launched for the first time registration is required. The app requests the user's phone number, age (range), name and postcode. If the age range selected is under 18, an additional tick box of ‘do you have parental permission’ appears. The phone number is validated by a code sent in an SMS to that phone number, but no other data is validated, so there is no requirement to accurately reveal anything beyond the phone number.
Normal App Operation: Each app broadcasts its own current unique anonymous code, and collects the codes broadcast by others. Every two hours, each app contacts the server for a new anonymous code to broadcast. Codes collected are stored only on the user's phone, and not sent to the central database. This means ‘who is in contact with whom’ is never recorded on the central database.
On Infection: If a person becomes infected, they have the option of providing their contact data from the app. This contact data can be used to send alerts to all the recorded contacts. It is only if infected, and even then only if you agree, that the government agency can use the data of your contacts.
How the CovidSafe App works
The ‘anonymous codes’ mentioned in the CovidSafe Overview are changed every two hours and never reused, ensuring that each anonymous code uniquely identifies only one contact. Changing the codes limits the use of a code as a tracking tool to a two hour period. From the Privacy Impact Assessment it is learned that each app obtains new codes from the server using a unique anonymous App ID assigned at registration. It can be inferred that the server keeps a list of all IDs issued to each app, as this is required to be able to match the contact data stored by the app of the infected person with the people to be contacted.
This is the main additional information required to understand the app, beyond what is already provided in the overview. Keeping the list of IDs for each user/app, in order to identify centrally who is a potential contact, is the main reason for the central database. The reason for the verified phone number for each user is to facilitate contacting the people an infected person came in contact with.
Removing the Central Registration Database
There is still a central server, only simplified now without a registration database of information. The data held by the server is reduced to a list of no longer in use unique IDs that were used by people who have now tested positive: an ‘at risk IDs’ list. This data is made available to everyone, in order to check their own logs to see if they were in contact with one of these IDs. Since the data is publicly available, there is nothing to ‘hack’.
Initial Registration: The first step is to keep the logic that on first use the app should obtain a unique ID from the central server, but it is no longer necessary to keep the phone number. Given the other data is effectively voluntary as it is not verified, whether this other data is kept on the server is optional. In fact keeping any data from each app on the server is optional, but the app should at least keep the age, and if useful the postcode, in the local storage on the phone.
Normal App Operation: The main operation of the app is unchanged, retrieving a new code for broadcast every two hours and storing within the private local data on the phone all unique IDs detected from the broadcasts of other users' CovidSafe apps.
New functionality in the app is required to fulfil functionality previously delivered by the central server. The first is to store the app's own history of unique IDs, as these are no longer on the server, and the second is to perform the ‘am I at risk’ check at least once per day, which is now completed by the app. This ‘at risk check’ function consists of downloading updates to the list of ‘at risk IDs’, checking the contact history for matches, and reporting any matches as a recommendation for testing.
On Infection: The process if a person is infected is unchanged. If a person becomes infected, they have the option of providing their contact data from the app. This contact data can be used to send alerts to all the recorded contacts. It is only if infected, and even then only if you agree, that the government agency can use the data of your contacts.
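An added illustration of the two matching models, written for this post and not CovidSafe's own code: central_match shows the lookup that the registration database exists for (the ‘How the CovidSafe App works’ section), while codes_to_publish and local_at_risk_check show the variant just described, where the server only publishes the codes used by people who tested positive and each phone checks its own log. All App IDs, codes, phone numbers and timestamps are constructed sample values.

```python
"""Two ways to turn an infected user's data into 'who should get tested'.
Hypothetical, constructed data throughout; not the real CovidSafe schema."""

# Centralised model: the server remembers which app every two-hourly code
# was issued to, and which phone number belongs to that app (constructed).
SERVER_ISSUED = {
    "X23ZY4R": "app-A", "Q7LM2PP": "app-A",   # app-A across two rotations
    "B81KJ0C": "app-B",
    "ZZ9P0QA": "app-C",
}
SERVER_PHONES = {"app-A": "+61400000001", "app-B": "+61400000002",
                 "app-C": "+61400000003"}


def central_match(uploaded_contacts, issued=SERVER_ISSUED, phones=SERVER_PHONES):
    """Server side: the infected user's phone uploads the codes it heard;
    the server maps each code back to an app and then to a phone number.
    This lookup is only possible because of the registration database."""
    at_risk_apps = {issued[c] for c in uploaded_contacts if c in issued}
    return sorted(phones[a] for a in at_risk_apps)


def codes_to_publish(own_code_history, infection_window):
    """Infected user's phone (proposed variant): the codes it broadcast during
    the infectious window become the public 'at risk IDs'. The history of
    (code, issued_at) pairs now lives on the phone, not on the server."""
    start, end = infection_window
    return sorted(code for code, issued_at in own_code_history
                  if start <= issued_at <= end)


def local_at_risk_check(at_risk_ids, contact_log):
    """Every other phone (proposed variant): download the public list and
    compare it with the local log of (code, seen_at) entries. Only the
    matching codes are returned; nothing about the user leaves the phone."""
    risky = set(at_risk_ids)
    return sorted({code for code, _seen_at in contact_log if code in risky})


if __name__ == "__main__":
    heard_by_infected = ["X23ZY4R", "ZZ9P0QA", "NOTISSUED"]
    print("central model notifies:", central_match(heard_by_infected))
    published = codes_to_publish([("X23ZY4R", 0), ("Q7LM2PP", 7200),
                                  ("OLDCODE", -99999)], (0, 10000))
    print("published at-risk IDs:", published)
    print("local check finds:", local_at_risk_check(
        published, [("Q7LM2PP", 7300), ("B81KJ0C", 8000)]))
```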
A Location Solution
Simplistically, moving from a location solution to a Bluetooth solution means moving from a system where each person's phone can keep a private record of where they have been, to a solution where each person's phone broadcasts to everyone in range that it is near them, so everyone else in range can make a private record of where the person has been.
In place of a location system keeping a record on a person's own phone, a Bluetooth solution keeps the record on every device in range that is running an app able to detect the information being broadcast. The system is designed to attempt to ensure the information detected will be of little use, but there are clever ways to use data.
Privacy By Legislation?
Unlike a regular application provider, the government can introduce legislation that makes any use of vulnerabilities in the application a crime. In theory, this could reduce hacks of the database to only those from offshore, and, as Bluetooth is short range, make Bluetooth surveillance attacks specific to the app illegal. But how to determine if another app is breaking these rules, either deliberately or accidentally? Is it ironic that implementing a solution to prevent ‘big brother’ surveillance by way of the CovidSafe app could require surveillance of other apps to ensure they are not breaking laws introduced to protect against surveillance?
Big Brother Syndrome.
The CovidSafe app has everyone with the app broadcast wherever they go, in a manner that is anonymous to everyone but those with access to the central database. It also has everyone with the app recording a log of everyone else around them. Under the rules described, the system should be benign. Dropping the tracking by others element of the system would not only provide privacy, but also far better track and trace (see here and here). So why have the tracking by others element of system at all, if there is no intent to track citizens in this way and the result is an inferior track and trace? Is it because having citizens broadcast where they are allows later introduction of new ways for the government to use that data? At one time, there were rumours of the system even being mandatory. This was quickly rejected as politically unsound. But are there those at levels of government below the ultimate decision makers always pushing for more and more big brother?
Conclusion: The Cost of the Problems
The CovidSafe system has all the hallmarks of a solution designed by those with a surveillance-of-citizens mentality, but then stripped of the surveillance to produce a politically palatable system.
A system designed from the outset for the best track and trace would be far more effective in combating Covid19, allowing less stringent lockdowns and therefore bringing significant economic benefits. In other words, while the privacy concerns as to what may happen bubble under the surface, this solution comes with a significant and definite economic cost.