Apple and Google are working on a Bluetooth contact tracing system that could help track and possibly reduce the spread of COVID-19. But security experts that AppleInsider has spoken to express concerns about privacy and execution, which could undermine its effectiveness.
Security experts and cryptographers have lingering concerns about the privacy and security of COVID-19 contact tracing. Credit: Brian McGowan
Both Apple and Google have made it clear that they are focused on coronavirus-tracking technology with privacy and security in mind. But, there are inherent limitations to Bluetooth which Apple and Google can't mitigate, compounded by concerns about the third parties that would be handling data collected through the systems.
For users relatively unconcerned about data privacy, or for those willing to sacrifice some of theirs to help stop a pandemic, that's not a problem. On the other hand, trust in the privacy and security protocols of mobile contact tracing, particularly voluntary ones, is going to be absolutely critical in convincing people to use it. Even though it's not going to be a cure-all, the system has some major hurdles to overcome and questions to answer before it can help.
Privacy and security issues
A slide deck explaining how the Apple and Google system works.
The system is actually an API that unlocks certain Bluetooth-related functionality for apps using it, including the ability to run Bluetooth tracing in the background. When it comes to privacy, Apple and Google have taken steps to anonymize users and avoid the mass collection of location and other data, such as changing the unique Bluetooth identifier every 10 to 15 minutes. But even then, the system isn't necessarily designed to be completely anonymous.
For example, these rolling proximity identifiers are only private until someone tests positive for COVID-19. After that, a device identifier becomes linkable and the system will send a copy of its cryptographic keys to all of the devices which came into close proximity with it.
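To make the rotate-then-publish mechanics concrete, here is a small simplified model written for this article. It is not Apple's or Google's code and does not use their exact key derivation; the HMAC-based derivation, the key values, the day index and Bob's sighting log are all constructed for illustration.

```python
import hashlib
import hmac

INTERVAL_SECONDS = 600       # one identifier per 10-minute window
INTERVALS_PER_DAY = 144      # a daily key covers 144 such windows

def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one window, derived from the daily key.
    Simplified model: HMAC-SHA256 truncated to 16 bytes (the real spec derives
    it differently). Without the key, identifiers from different windows look
    like unrelated random values, which is what keeps a user unlinkable."""
    return hmac.new(daily_key, interval.to_bytes(4, "little"), hashlib.sha256).digest()[:16]

def identifiers_for_day(daily_key: bytes, day: int) -> set:
    """Every identifier a key produced on a given day (day = interval // 144)."""
    start = day * INTERVALS_PER_DAY
    return {rolling_identifier(daily_key, start + i) for i in range(INTERVALS_PER_DAY)}

def match_published_keys(observed_log, published_keys):
    """What a phone does once diagnosis keys are published: re-derive each day's
    identifiers and look them up in its own log of (interval, identifier) sightings.
    Returns {key_hex: [intervals at which that key's identifiers were heard]}."""
    matches = {}
    for day, key in published_keys:
        derived = identifiers_for_day(key, day)
        seen = sorted(iv for iv, ident in observed_log if ident in derived)
        if seen:
            matches[key.hex()] = seen
    return matches

# Constructed scenario: Bob's phone hears Alice twice on one day and a stranger once.
DAY = 18366                                                        # constructed day index
ALICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed
STRANGER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed
START = DAY * INTERVALS_PER_DAY
BOB_LOG = [
    (START + 54, rolling_identifier(ALICE_KEY, START + 54)),
    (START + 60, rolling_identifier(STRANGER_KEY, START + 60)),
    (START + 105, rolling_identifier(ALICE_KEY, START + 105)),
]

def demo():
    """Before any key is published, Bob's log links to nothing. Once Alice's
    key is published, both of her sightings resolve to that one key."""
    before = match_published_keys(BOB_LOG, [])
    after = match_published_keys(BOB_LOG, [(DAY, ALICE_KEY)])
    return before, after
```

The matching step is exactly what exposure notification needs, and it is also why the article's experts call the design private only until a positive diagnosis: the published key ties together every identifier it generated that day.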
As an example of how a bad actor could leverage this, former Federal Trade Commission technologist Ashkan Soltani described a so-called "linkage attack" which could reveal the identity of someone who is COVID-19 positive.
"By design, your smartphone will broadcast a rotating unique identifier (via Bluetooth) every few minutes (the rolling proximity identifier) to anyone within range," Soltani told AppleInsider. That means there aren't any granular controls for users to avoid this, beyond not using the system.
Someone with a Bluetooth sniffer and a video camera could collect pairs of photos and rolling identifiers in a public place, Soltani explains. If one of those people tests positive for COVID-19, the attacker could pair their diagnosis keys with the pictures and rolling identifiers.
Soltani adds that a well-resourced attacker, like a retail location tracking company, could expand this tactic to a wider scale -- potentially allowing them to track a person's wider movement patterns. The researcher previously wrote about the privacy considerations of retail tracking for the FTC.
The ability for advertising technology (adtech) and retail tracking companies to identify people with COVID-19 was echoed by cryptographer and Signal app creator Moxie Marlinspike. Because devices with a contact tracing app installed will get a log of daily identifiers, a user's device could become linkable once they receive a positive diagnosis. Essentially, the system is only private until a positive diagnosis.
"At that point adtech (at minimum) probably knows who you are, where you've been, and that you are (COVID positive)," Marlinspike wrote. He says it takes Bluetooth privacy a "step back."
Another important point is that the Apple and Google API, as it stands, is not necessarily the end implementation. Instead, it's a framework for use by developers. In this case, those developers are going to be public health organizations.
Because of that, the privacy and security of the system really comes down to trust in the developers of mobile contact tracing apps, according to Sergio Caltagirone, vice president of threat intelligence at cybersecurity firm Dragos. Caltagirone told AppleInsider that the cryptographic specification provided by Apple and Google "simply states that the implementation must not store or correlate data but provides no additional controls -- a lot of trust when it comes to public health data and the potential for misuse."
He said that a common exercise in his security work is to take any specification, search for the words "must" or "may," and then ask "what if it didn't?" Caltagirone calls the result "faith-based" privacy, rather than cryptographically guaranteed privacy.
There are already signs that some public health groups aren't fond of the Apple and Google restrictions. The UK's National Health Service, for example, is reportedly in a "standoff" with the two companies because it wants to create a centralized database of identifiers. That's something that Apple and Google are barring organizations from doing.
Additionally, Soltani added that organizations can "design (their) app to collect any added info they think" people will consent to.
Practically, that means that although the Apple and Google API is "privacy-preserving," the actual contact tracing apps that health organizations develop may collect data in a way that isn't.
"Bluetooth contact tracing is a vast improvement over location tracking with GPS or cell site information, but it still needs strong privacy and security safeguards," Electronic Frontier Foundation General Counsel Kurt Opsahl said in a statement to AppleInsider. Echoing Soltani, Opsahl said that the Apple and Google framework is just "one part of the equation" and that "we also need privacy safeguards with the public health proximity apps that interact with this API."
Since these safeguards need to be implemented at the app and health organization level, they're not necessarily something that Apple and Google can guarantee.
Effectiveness of Bluetooth contact tracing
An illustration of Bluetooth contact tracing. Credit: MIT
The inherent risks of Bluetooth and unanswered questions about health data collection could undermine what is ultimately the most important part of mobile contact tracing: adoption.
For this type of contact tracing to be effective, it needs to be widely adopted by a population. Some experts, like contact tracing research group Covid Watch, suggest roughly 60% adoption is needed for it to be worthwhile.
Apple and Google have barred third parties from making the app mandatory, which means that users will need to voluntarily download it. Whether they will may really come down to how the tech giants and health organizations set up their apps, as well as the privacy and security promises they make.
Some lawmakers and regulators in the U.S. and Europe are already raising questions about whether the system can earn the public's trust.
With disparate figures and organizations ranging from the American Civil Liberties Union to President Donald Trump casting doubt about the system, there's a real concern whether enough users will trust it to actually download and install it on their devices.
Ben Adida, a cryptography and information security researcher, is much more optimistic about the protocol than others. In a Twitter thread, he says it solves a lot of problems with other tracing surveillance and proposals, and that some kind of "properly tuned incentives" may be enough to see the right adoption rate.
Of course, there are also some real concerns about the efficacy of mobile contact tracing in its current forms. Jason Day, the product lead for Singapore's TraceTogether contact tracing app, said that it isn't going to be a replacement for manual contact tracing.
"If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, No," he wrote in a Medium post.
There are unanswered questions about the effectiveness of Singapore's contact tracing methods. It's important to note that TraceTogether deployed without the Apple and Google API, meaning it could only work when the app was running in the foreground.
Even with that problem solved by the new Bluetooth framework, there are other issues without easy solutions. Mobile contact tracing also isn't going to cover those who don't have smartphones, such as children and the elderly, Soltani added in a tweet. Because it's proximity-based, it could also create false contact positives in dense living spaces like apartments.
And in certain countries, like the U.S., the primary hurdle beyond adoption is likely to be availability of testing. The Apple and Google API seems dependent on whether a person can receive a diagnosis from a public health official. While that cuts down on the risk of trolling, it raises a big question about whether enough testing is available for it to even work.
As cryptographer and ZCash Foundation engineer Deirdre Connolly points out, the U.S. is simply not currently prepared to ramp up to the kind of testing that the Apple and Google API would require to be effective.
In case it wasn't clear, _all_ these contact notification proposals are tools to be used to assist contact tracing, and effective contact tracing _requires testing capacity_.
-- Deirdre Connolly (@durumcrustulum) April 14, 2020
They cannot be deployed in the US _today_, because our current testing capacity is low. https://t.co/4HomuAEOoA
Of course, despite these privacy and effectiveness concerns, the Apple and Google system could still be part of a broader solution to stop COVID-19, along with sufficient testing and measures like social distancing.
Whether that turns out to be the case will hinge on whether Apple, Google and public health groups are able to convince enough people to download and use it. Ultimately, that job may not be Apple's and Google's.
Without a concentrated, transparent, and trustworthy effort from all of those involved -- including the public -- mobile contact tracing will just end up being wishful thinking.