EFF Warns of Privacy and Security Threats with Google and Apple’s COVID-19 Contact Tracing Technology

The contact tracing technology that Apple and Google are developing may be invaluable for identifying individuals who have come into close contact with people confirmed to be COVID-19 positive; nonetheless, the Electronic Frontier Foundation (EFF) is warning that cybercriminals could abuse the system in its current form.

The technology is expected to roll out next month. The system will allow app developers to create contact tracing apps that help identify people who may have been exposed to SARS-CoV-2. If a user installs a contact tracing app, each time the user comes into contact with another individual while the app is running on the phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged over Bluetooth Low Energy.

How Does the Contact-Tracing System Work?

RPIDs will be exchanged only when somebody comes within a predefined range – 6 feet – and stays in close contact for a fixed period of time. The range is estimated from the signal strength of the pings sent by the users’ mobile devices. If someone is confirmed as COVID-19 positive and that information is entered into the app, everyone the person has come into contact with during the previous 14 days will receive an electronic notification.

The data sent is anonymous, so notifications will not reveal any details about the person who has contracted COVID-19. RPIDs change every 10-20 minutes, which prevents a person from being tracked; the information is kept on smartphones rather than sent to a central server, and RPIDs are stored for only 14 days. A user must also give permission before a public health authority may share the user’s temporary exposure key confirming that the individual has contracted COVID-19, which prevents false alarms.

Whenever a COVID-19 diagnosis is confirmed, a diagnosis key is entered into a public registry that all app users can access, and that diagnosis key is used to generate alerts. The diagnosis keys consist of all of the RPIDs for a specific user, so that everyone who was in contact with that user can be informed.

Electronic Frontier Foundation’s Concern About Privacy and Security Risks

EFF’s Bennett Cyphers and Gennie Gebhart explained in a recent blog post that the system’s use of a public registry creates a problem. Any proximity tracking system that checks a public database of diagnosis keys against the RPIDs stored on a user’s device, as the Apple-Google proposal does, opens the possibility that the published information about an infected person could allow the people they encountered to work out who was infected.

Every day, app users will share their diagnosis keys, which creates the possibility of linkage attacks. A threat actor could collect RPIDs from different places at the same time by using static Bluetooth beacons in public locations. On its own this would reveal only where pings occurred and would not allow a person to be tracked. However, once the diagnosis keys are published, an attacker can link that person’s RPIDs together and reconstruct their daily routine from them. Because each person’s pattern of movement is distinctive, it could be possible to identify that individual and learn their movements and where they live and work. EFF states that the risk can be reduced by sending diagnosis keys more frequently, for example every hour instead of once per day.
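The following Python model is an added example (not code from the article, EFF, Apple or Google) of the flow described above: each phone derives rotating RPIDs from a locally held key, matching against the public registry happens on the device, and the linkage check measures how many beacon locations one published key ties together under a daily versus an hourly key lifetime. It assumes an HMAC-SHA256 derivation as a simplified stand-in for the Apple/Google scheme (which uses HKDF and AES-128), 10-minute intervals, and a constructed one-day route and beacon log.

```python
import hmac, hashlib, os

DAY = 144          # 10-minute intervals in one day (daily key lifetime described above)
HOUR = 6           # hourly key lifetime, the shorter rotation EFF suggests

def rpid(key: bytes, interval: int) -> bytes:
    """RPID for one 10-minute interval. Simplified stand-in (assumption) for the
    Apple/Google derivation, which uses HKDF and AES-128 rather than HMAC."""
    return hmac.new(key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

def rpids_under_key(key: bytes, start: int, lifetime: int) -> set:
    """Every RPID a device broadcasts during one key's lifetime."""
    return {rpid(key, i) for i in range(start, start + lifetime)}

class Device:
    """Phone-side state: keys and received RPIDs stay on the device."""
    def __init__(self, lifetime: int):
        self.lifetime, self.keys, self.seen = lifetime, {}, set()
    def broadcast(self, interval: int) -> bytes:
        start = interval - interval % self.lifetime          # key in force for this interval
        key = self.keys.setdefault(start, os.urandom(16))    # fresh random key per lifetime
        return rpid(key, interval)
    def diagnosis_keys(self) -> list:
        return list(self.keys.items())   # released to the registry only after user consent
    def exposed_to(self, registry: list) -> bool:
        # local matching: re-derive RPIDs from each published key, compare with what was heard
        return any(self.seen & rpids_under_key(k, s, self.lifetime) for s, k in registry)

def linked_locations(beacon_log: list, registry: list, lifetime: int) -> int:
    """How many distinct beacon locations a single published key ties together.
    Models the linkage EFF describes; a shorter lifetime bounds what one key reveals."""
    worst = 0
    for start, key in registry:
        ids = rpids_under_key(key, start, lifetime)
        worst = max(worst, len({loc for loc, _, r in beacon_log if r in ids}))
    return worst

def simulate(lifetime: int) -> tuple:
    """Constructed day: Alice visits 4 places and meets Bob at the office; static
    beacons at each place record every RPID they hear. Returns (Bob exposed?, linked)."""
    alice, bob = Device(lifetime), Device(lifetime)
    route = {0: "home", 48: "station", 54: "office", 110: "gym"}   # interval -> place
    beacon_log, place = [], "home"
    for i in range(DAY):
        place = route.get(i, place)
        a = alice.broadcast(i)
        beacon_log.append((place, i, a))                      # beacon observation
        if place == "office" and i < 72:                      # 3 hours together
            bob.seen.add(a); alice.seen.add(bob.broadcast(i))
    registry = alice.diagnosis_keys()                         # Alice tests positive
    return bob.exposed_to(registry), linked_locations(beacon_log, registry, lifetime)
```

With a daily key every place Alice visited is linked to one published key; with an hourly key at most two adjacent places are, while Bob is still correctly notified in both cases.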

Another issue with the system in its current form is that there is presently no way of confirming that a device sending contact-tracing data is the device that created the RPID. This means a malicious actor could intercept RPIDs and rebroadcast them.

For example, a network of Bluetooth beacons set up on busy street corners could rebroadcast all the RPIDs they observe. Anyone who passed by a ‘bad’ beacon would record the RPIDs of every person who had been near any of the beacons. This would result in many false positives, which could undermine public trust in the tracing apps or in the public health system in general.

There is also a concern that developers could centralize the data gathered by the apps, which would expose users to much greater risk. EFF suggests that developers stay focused on the proposal laid out by Apple and Google and keep users’ data on their smartphones rather than in a central repository. EFF also advises restricting the details sent over the network as far as possible and sending only data that is strictly essential.

EFF echoes the advice of more than 300 scientists in saying that it is also essential for the program to end as soon as the COVID-19 public health emergency is over, to ensure there are no secondary uses that could affect personal privacy in the future. They also suggest that app developers should operate with full transparency, clearly explain to users what information is collected, allow users to stop pings if they wish, and let users view the RPIDs they have received and erase data from their contact history.

Further, any app should be thoroughly tested to make sure it performs as intended and has no vulnerabilities that could be exploited. After release, assessment must continue in order to discover vulnerabilities, and patches and updates must be made available rapidly to resolve any flaws identified. For the system to work as it should, a high percentage of the population must use it, which would most likely attract cybercriminals and nation-state hacking groups.

No contact tracing system is likely to be entirely free of privacy risks, because this type of contact tracing inevitably involves a trade-off; however, EFF says that steps should be taken to minimize those privacy risks as far as possible. The entire system relies on trust, and if that trust is undermined, the system will not achieve its aims.