Skip to main content

Contact tracing apps - friend or foe?

(Image credit: Unsplash)

To help minimise the spread of coronavirus, contact tracing apps have sprung up to identify those who may have been in contact with someone infected. 

These developments have been backed by governments and health authorities. While there may be a difference between applications, most are able to detect close contact between individuals over a period of time. When a person tests positive, these apps are able to track their location.

However, this has raised understandable concerns about the invasion of privacy. 

In addition, there have already been multiple fake apps detected during the pandemic which are not linked to any government or health authority. 

For those not even thinking about fake apps, there is still the concern that contact-tracing apps are being used as surveillance tools that disclose sensitive information. Therefore, any such app and tracing system must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users' data at risk.

What it comes down to is what data is collected, how it is stored and how it is distributed. Another is user consent and the extent you are required to consent. 

GPS tracking vs Bluetooth 

The two most widely used techniques for detecting proximity between two devices is GPS and the Bluetooth Low Energy (BLE) protocol.

With this method, the apps obtain a user's GPS position periodically, and save a log of the user's locations and timestamps. This data may be later intersected with other users' location logs.

This approach offers the flexibility to analyse the geography of the infection spread, and gives more options to governments and health authorities to localise infected regions and apply prevention policies accordingly.

However, this also gives away very sensitive information, revealing users' travels and locations over the previous few days or weeks.

Bluetooth Low Energy (BLE)

Here, each device broadcasts pings over BLE. These pings are registered by other devices that are in Bluetooth range based on duration and signal strength. To work, both devices must be running the contact tracing app. 

This technology is widely used in coronavirus tracing applications, as it offers more privacy - the only info usually transmitted over Bluetooth is a cryptographic identifier that changes frequently and does not expose user identity. In addition, BLE randomises MAC addresses sent in a packet over the air and changes it every few minutes, making it difficult to track devices.

When a person tests positive for COVID-19 they can publish all the IDs collected in proximity to them. Each user can then check whether one of the IDs belongs to them and find out when, and for how long, they were in proximity with the infected person. Since the IDs are anonymised, only the end user can affiliate them to their device.

The downside of this approach is its inability to map the infection geographically.

Centralised vs decentralised

Regarding data distribution, applications can be classified, again, into two groups: those using a centralised approach and those using a decentralised approach.

Centralised approach

Most of the currently deployed apps are built on the centralised approach.

With this approach, the contact events log is uploaded from the device to a central server. Even if the user uploads the data to the server when they are diagnosed with coronavirus, the data is stored and processed only at the central server.

This gives authorities more power to analyse contact data and get more insight on the spread of the virus, but it also enables them to access private information on the mass population, such as the locations of individuals, or who met whom and when.

This is a more privacy-centric approach, meaning the contact events log never leaves the device, and only minimal information is uploaded to the central server.

The application periodically downloads keys of positive diagnosed users, and matches them against contact logs stored on the device.

Such an approach is used in the DP^3T open protocol, as well as in the "Exposure Notification" specification designed jointly by Google and Apple. Holland's PrivateTracer use the DP^3T decentralised model, while applications adopting Google|Apple approach are not yet available publicly.

User anonymity 

Another important point in preserving privacy is whether an application that is running on a device can be associated with the real user. 

In order to preserve user anonymity, no personal identifiers (phone number, name, IDs etc) should be associated with the application at any time. This is achieved by using cryptographic keys that change frequently and serve as user identifiers transmitted over the air (via Bluetooth or Internet connections).

Usually, an application receives a one-time random unique key during installation /registration, and that key is used to derive rotating cryptographic identifiers that are broadcasted over Bluetooth, and uploaded to servers.

However, while preserving privacy is crucial, so is the reliability of the application. 

Let's consider the following common use case of contact tracing applications. 

One of the features of contact tracing applications is that a user may submit a diagnosis report, and in many cases, there is a self-diagnosis questionnaire where the user fills in the symptoms they are experiencing, as well as other information.

When a user submits such a report, some applications do not perform any verification, while others enforce some kind of validation by requiring a phone number to send a verification code via SMS.

The verification by SMS de-anonymises users, and protects against fake reports. On the other hand, without verification, the whole system can be undermined by multiple fake reports, causing fake alerts and nationwide panic.

Several standards and frameworks have been developed that implement contact tracing features, with privacy and security in mind.

So, what do to?

Participating in a contact tracing app is a hard decision to make. On one hand, it is helpful to know if you have been near someone who has been diagnosed, but on the other, you could be opening yourself up to a privacy breach. 

Some ways to protect yourself is by ensuring the app you are downloading and signing up to is legitimate. This is easiest done by only downloading apps from an official app store because they only allow authorised apps from government agencies to publish on their platform. 

Another option is to download and install a mobile security app, such as Avast or AVG or Check Point, that will scan your device for malware and verify that the device has not been compromised.