Cybersecurity Insights

Collaboration of the arch-rivals

I recently spent some time reviewing the detail behind the Apple and Google docs on the new contact tracing protocol and APIs they are both preparing.

Firstly, it’s good (and very surprising) to see this partnership happen, especially between arch-rivals like Apple and Google. It is obvious everyone is working together to try to solve one of the world’s most serious problems: how do we open up our societies again after lockdown?

Until a safe vaccine becomes available, which is 9 to 18 months away, we need 3 initiatives to return more quickly to a normal life and keep the spread of the virus under control. They are:

  1. Extensive testing
  2. Contact tracing
  3. Subsequent self-isolation of individuals who test positive and precautionary self-isolation of close contacts.

The partnership between Google and Apple is addressing the Contact Tracing point.

How it works (simplified):

  1. Your phone sends a random message every few minutes over Bluetooth. This random message is completely anonymised and doesn’t contain any personal data about you or your phone activity, not even your location data.
  2. Let’s say you sit next to a friend or work colleague. Your phones are exchanging these random messages.
  3. This random message sent by your phone changes every 15 minutes.
  4. Each phone then stores the messages it sent and the messages it received.
  5. If you have symptoms of COVID and test positive, you can opt in to send all the broadcasts your phone sent in the last 14 days to a hospital or national health service phone application (depending on who builds the app on top of this framework).
  6. Because the messages are random, even your hospital will not have any of your personal details from the messages.
  7. All phones that have opted in will regularly download these ‘tested positive’ messages to find out if they have heard any messages from COVID cases.
  8. If the phone heard enough messages, an alert will ask the user to self-isolate and monitor symptoms.

It’s great to see this privacy-first approach to the problem, unlike some governments and countries, which have been using location data, continuous tracking, and cell towers to identify cases.

Let’s take a closer look at some of the security and privacy risks and how they are being mitigated:

  1. The data you send from your phone is anonymous.
  2. Once a day, your phone creates a new daily tracing key.
  3. It uses that key to derive a new “proximity ID” every time your device’s Bluetooth address changes (every 15 minutes), which is broadcast to nearby Bluetooth devices.
  4. Your device keeps track of all “proximity IDs” it sees over a period of 14 days.
  5. No geolocation tracking — just Bluetooth beaconing.
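
The key rotation in the list above and the matching steps under “How it works”, as an added Python sketch that is not Apple’s or Google’s code. The HMAC-SHA256 derivation, the `PROXIMITY-ID` label, the `Phone` class and the alert threshold of 2 are assumptions of this example; uploading the daily keys stands in for uploading the broadcasts, since each key regenerates that day’s 96 IDs.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 24 * 60 // 15   # 15-minute rotation from the text -> 96 IDs per day
RETENTION_DAYS = 14                 # 14-day window from the text


def proximity_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the 16-byte ID broadcast during one 15-minute interval.
    Assumed construction: HMAC-SHA256 over a label plus interval, truncated."""
    msg = b"PROXIMITY-ID" + interval.to_bytes(1, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_keys = {}   # day number -> this phone's random daily tracing key
        self.heard = {}        # day number -> set of proximity IDs received

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))  # new key once a day
        return proximity_id(key, interval)

    def receive(self, day: int, pid: bytes) -> None:
        self.heard.setdefault(day, set()).add(pid)

    def expire(self, today: int) -> None:
        """Drop keys and observations that fall outside the retention window."""
        for store in (self.daily_keys, self.heard):
            for day in [d for d in store if d <= today - RETENTION_DAYS]:
                del store[day]

    def report_positive(self, today: int) -> dict:
        """Opt-in upload: random daily keys only, nothing that names the user."""
        self.expire(today)
        return dict(self.daily_keys)

    def exposure_count(self, published: dict) -> int:
        """Re-derive every ID of each published key and count the ones heard."""
        hits = 0
        for day, key in published.items():
            seen = self.heard.get(day, set())
            hits += sum(proximity_id(key, i) in seen for i in range(INTERVALS_PER_DAY))
        return hits

    def should_alert(self, published: dict, threshold: int = 2) -> bool:
        # "Heard enough messages": the threshold value is an assumption.
        return self.exposure_count(published) >= threshold
```

All matching happens on the receiving phone: the server only relays random keys, and a phone that never heard the corresponding IDs learns nothing from them beyond their count.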

Some concerns I can see from what I’ve read so far:

  1. When a user of the app tests positive, they opt in to make their random messages public so others can download them and check whether they have been in contact. Ad tech platforms used in department stores could misuse this data and link COVID+ status to an account… sending you adverts for cough medicine, etc. However, this scenario would not work if your phone is only sending random messages and not BTLE details that can link your phone to an account.
  2. How will Apple and Google use this platform after the pandemic? The infrastructure will be there and the investment made; there could be multiple data monetisation plans for this already. That will always be a concern.
  3. There could be hundreds of MBs that each device needs to download (of the positive cases) and this will not be possible in some geographies. To fix this, they could possibly use location data to target the downloads.
  4. Typically, adoption is the hard part of contact tracing apps — but if this is baked into the operating system by Apple and Google, then messages by a device may be published to all devices around the world. This can be misused by attackers to carry out a major Denial of Service. If self-testing and self-confirmation of COVID+ are possible, anyone can send up their broadcast and create a situation where there are GBs of data for all devices in the world to retrieve and compute.
  5. Once these apps are available, some schools and businesses may *require* opting into this contact tracing for anyone to return to school, work, etc., when they open back up. Or the business insurance company or lawyer may require this to reduce liability. So it no longer becomes a personal user choice.

This is a new program, and both Apple and Google so far have been approaching it well. They are talking to public health authorities and other stakeholders. This could be a significant game-changer for all countries, given that over a billion people use Apple or Google devices already.

ACLU provided some feedback:

“To their credit, Apple and Google have announced an approach that appears to mitigate the worst privacy and centralization risks, but there is still room for improvement. We will remain vigilant moving forward to make sure any contact tracing app remains voluntary and decentralized, and used only for public health purposes and only for the duration of this pandemic.”

Personally, I think this is an extremely critical initiative. We need this to get back to some form of normality until the vaccine (in addition to testing and self-isolation). To get over some of the privacy concerns out there, I would recommend Google and Apple involve independent privacy and cybersecurity experts in the overarching steering committee and working group to support the strategy now and after the pandemic.

This looks secure and private at the foundation level, but the key concern is how it will be used following this pandemic — given how much investment will have been put into the infrastructure and program… it’s difficult to see them just stop using it completely.

Only time will tell…