Tracing the Virus. Apple and Google Combine Forces
Desperate times mean desperate measures and in a big effort to assist health authorities to trace coronavirus exposure risk, tech giants Apple and Google are pooling their resources to create the technology needed. Given that 99% of the world’s smartphones run on either iOS or Android, the companies will bring out a pair of API’s by mid-May with users having to download an app to participate. Eventually, the tracing function will be built into the underlying operating systems. The proposed system works with users allowing their phones to share data via Bluetooth Low Energy (BLE) transmissions in conjunction with health organizations’ approved apps. This system varies from the other ones which are using GPS data as the Bluetooth does not track actual location but the phone’s proximity to others using the same technology. From there, the information is stored on a database for future use if the participant becomes infected with the virus. This way contact tracing can be achieved which will hopefully lessen the spread of the virus. In theory lockdowns could be lifted earlier if new clusters of infection were quickly identified.
In a joint statement, both companies said
“Privacy, transparency, and consent are of utmost importance in this effort. All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems.”
With privacy concerns in mind, the app broadcasts an anonymous key rather than a static identity and those keys change every 15 minutes. The technology is very much opt-in and users would have to agree to entering their health status in their phones. The companies further stated that the identities of users who test positive would not be shared.
The European Data Protection Supervisor which monitors compliance with the EU’s privacy rules, said that “further assessments” needed to made about compliance.
The ACLU commented that Bluetooth technology can be imprecise with signal strength varying based on the phone. However, their surveillance and cybersecurity council Jennifer Granick did say that the effort
“appears to mitigate the worst privacy and centralization risks.”
adding that “there is still room for improvement. She further stated that
“no contact tracing app can be fully effective until there is widespread, free and quick testing and equitable access to healthcare. People will only trust these systems if they protect privacy, remain voluntary, and store data on an individual’s device, not a centralized repository.”
https://www.aclu.org/report/aclu-white-paper-limits-location-tracking-epidemic
On the face of it, governments are trying to help us but at the same time our privacy and freedoms are being eroded, perhaps permanently. Moxie Marlinspike, who is the creator of the Signal messaging app, took to nitter to express his concerns about the Apple/Google collaboration:
First look at Apple/Google contact tracing framework:
- Once a day, your device derives a new key (“daily tracing key”).
- It uses that to derive a new “proximity ID” every time your device’s bluetooth address changes (15min), which is broadcast to nearby BT sensors.
- Your device keeps track of all “proximity IDs” it sees.
- If someone tests positive, they choose to publish their (previously secretly) “daily tracing keys.”
- Your device frequently DLs all published daily tracing keys and KDFs to see if they match recorded proximity IDs.
So first obvious caveat is that this is “private” (or at least not worse than BTLE), until the moment you test positive.
At that point all of your BTLE mac addrs over the previous period become linkable. Why do they change to begin with? Because tracking is already a problem.
So it takes BTLE privacy a ~step back. I don’t see why all of the existing beacon tracking tech wouldn’t incorporate this into their stacks.
At that point adtech (at minimum) probably knows who you are, where you’ve been, and that you are covid+.
Second caveat is that it seems likely location data would have to be combined with what the device framework gives you.
Published keys are 16 bytes, one for each day. If moderate numbers of smartphone users are infected in any given week, that’s 100s of MBs for all phones to DL.
That seems untenable. So to be usable, published keys would likely need to be delivered in a more ‘targeted’ way, which probably means… location data.
Third caveat is that it seems likely some kind of PII would have to be combined with what the device framework gives you.
Keys published by a device have to then be in turn “published” to all devices in the world. That’s a major DoS vector!
If anyone can anonymously blast up keys, they can create a situation where there’s GBs of data for all devices in the world to retrieve and compute. There would likely need to be some kind of rate limiting on a combination of stable IDs (phone number, IP, etc) to prevent it.
Not to mention the “prank” aspect of being able to light up everyone you’ve been near’s devices with “you’ve been exposed to covid” (without them knowing you’re the culprit) at any time, without some kind of pretty heavy manual ID/result verification at the moment of reporting.
All that aside, these APIs are novel in terms of what becomes possible from the app layer.
I’m not super optimistic about opt-in contact tracing becoming a major factor, but I do kind of anticipate that someone will end up using this for some other interesting thing.
Edward Snowden has criticized governments for using the coronavirus to build a global
“Architecture of Oppression”.
In a recent interview with the co-founder of Vice magazine Shane Smith, Snowden expressed his concerns about all the data that was currently being collected to help in the effort to stop the spread of the virus. Citing a lack of privacy laws in the US, he questioned where all of this data would end up after the pandemic was over. He said
“As authoritarianism spreads, as emergency laws proliferate, as we sacrifice our rights, we also sacrifice our capability to arrest this slide into a less liberal and free world”.
Check out the complete interview here:
Even Dr Fauci, who is always seen at the side of President Trump during this crisis, has reservations about the Apple and Google partnership. Whilst his expertise is in the medical field as Director of the National Institute of Allergy and Infectious Diseases, that did not stop him from voicing his concerns about contact tracing apps. During an interview on the Snapchat show Good Luck America, he said that tracing makes sense from a purely public health standpoint but
“Boy, I gotta tell you the civil liberties-type push back on that would be considerable.”
When asked about these civil liberty compromises, Fauci commented by way of a quotation by Benjamin Franklin:
“If you give up some liberty for some protection, you are neither free nor protected.”
The Electronic Frontier Foundation have also weighed in on the debate:
“COVID-19 is a worldwide crisis, one which threatens to kill millions and upend society, but history has shown that exceptions to civil liberties protections made in the time of crisis often persist much longer than the crisis itself.”
Not everyone wants to wait for the tie-up between Apple and Google to take full effect however. White-hat hackers in South Korea and Taiwan are also stepping up to the plate to help out. Lee Dong-hoon who is an industrial engineer studying at Kyung Hee University in Seoul, within a day had set up a website to track the spread of infections. 24 hours later 2.4 million people had read his Facebook post about it. Taking information which was readily available on a government website, Lee and his fellow students uploaded the locations of infected people allowing it to become the most accurate and up-to-date source of information. Lee promises to close his website once things get back to normal.
In Taiwan, a civic hacker in the city of Tainan created an app showing where masks were available. Even Taiwan’s digital minister, Audrey Tang, who was a previous civic hacker, created a government infection control map and a database of local pharmacists with masks in stock. Many citizen hackers are helping to contribute in Taiwan with one noting that
“The government is not good at developing tools because, in general, public servants are not the main users of the tools.”
Kevin Chu lives in Singapore and writes code in his spare time. He delved into the government’s TraceTogether app and found pointers to a government data collection agency embedded in the code. His discovery of this privacy flaw forced the developers to update the app.
Back in South Korea, Lee Doo-hee, a hacker and reality TV star, also developed a mask inventory website which in turn caused the government to reach out with an offer of data and cloud hosting. Lee said
“Civic hacking can make the government change. This movement isn’t something that will go away in the future. This culture will be accelerated more and more.”
Originally published at https://dt.gl on April 18, 2020.