Bluetooth-based model has its advantages, but this doesn’t mean it’s totally secure
ANALYSIS The UK is considering the launch of a contact-tracing app to help restrict the spread of coronavirus – a development that could have serious implications for the privacy and security of the country’s citizens.
The initiative will involve cooperation between the country’s National Health Service (NHS) and “the world’s leading tech companies”, according to health secretary Matt Hancock, who made the announcement during the UK government’s daily pandemic update briefing on April 12.
NHSX, the digital innovation unit of NHS, will test a pre-release of the app in the north of England soon.
The app will allow users who test positive for Covid-19 to anonymously warn others who might have come into contact with them. The UK is one of several countries testing government-sponsored contact-tracing technologies.
China is reportedly following an aggressive data-collecting policy to track coronavirus patients. Taiwan and South Korea have also launched contact-tracing applications.
COMMENT Coronavirus contact-tracing apps are worse than useless – Schneier
The NHS app will also use the API released by Google and Apple earlier this month, aimed at facilitating decentralized contact tracing.
The UK’s proposal is similar to Singapore’s TraceTogether and Israel’s Hamagen apps, which use Bluetooth Low Energy (BLE) connections to record encounters and trace times when a user in is close proximity to another subscriber.
BLE-based contact tracing offers considerable privacy advantages over other technologies that rely on the centralized collection of geolocation data.
Even so, there are still concerns about ways it can compromise users’ privacy, and the precedent it can set for government surveillance.
How does Bluetooth contact tracing work?
The traditional way to perform contact tracing is to collect GPS data from phones and consolidate it in a large centralized server to trace collocation between infected users and others.
For obvious reasons, this is a privacy nightmare.
The privacy-friendly alternative, which has gained traction over recent weeks, is to use Bluetooth Low Energy signals to minimize the need to send data to remote application servers.
In this model, the user’s device broadcasts unique tokens at regular intervals, say every 15 minutes.
Nearby devices register these tokens in a local database for later collocation querying. The tokens do not contain any geographical data and cannot be traced back to the owner’s device.
EXCLUSIVE Meet the cybersecurity volunteers helping to protect the healthcare industry during the pandemic
When a user is diagnosed with Covid-19, they upload their tokens to a central server, which then sends them to all devices that have the app installed.
Each device will, in turn, check the downloaded tokens against its own local database. If it finds a match, it means that the device holder might have come in contact with a coronavirus-infected person. The user is then warned and advised to take remedial action.
According to the UK government, the app will have different signals for people who have self-diagnosed as having coronavirus and those whose infection has been confirmed by a positive medical test.
One benefit of the Bluetooth-based contact-tracing app model is that it stores no sensitive data
What are the security and privacy concerns?
We still don’t know the details of the NHS app, but the health service has confirmed that it will be using the Google-Apple API, which is well documented.
The benefit of the Bluetooth-based model is that it stores no sensitive data. The database of tokens contains no information that can link back to users.
Digital rights group Privacy International has touted Bluetooth contact tracing as “a far less intrusive tracking method than some alternatives.”
However, this does not mean that it’s a totally secure technology. Although exploiting the system is very difficult, it is not impossible.
RELATED Coronavirus: NHS delays healthcare security audit amid heightened security risk
The Google-Apple scheme uses three cryptographic keys to generate tracing tokens: a tracing key that never leaves your device; a daily tracing key generated once per day from the tracing key; and proximity keys generated from the daily tracing key at every time interval and broadcast to nearby devices.
The hashing is performed by a one-way function. This means you can’t trace back from a proximity key to a daily key unless you have the daily key.
Under normal circumstances, user devices only broadcast proximity keys. But when they test positive, users will also reveal their daily key, in which case a malicious actor can use the information to create a list of proximity keys that are associated with the daily key.
But even then, the malicious actor would need other information to reveal the identity of the user.
For instance, a malicious sniffer would need to collect BLE signals transmitted by the app along with other information, including geolocations and device IDs, before using all this information in combination to trace the identity of the infected patients.
How will the anonymity of contact-tracing app users be preserved?
There are also questions about the specific implementation of the hashing protocol that the UK government will use. The NHS has not specified if it will be collecting other data points in addition to the proximity and daily tokens.
“All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research,” Hancock said on April 12. “And we won't hold it any longer than is needed.”
But in order to use the anonymized tokens for research purposes, the NHS would need complementary information that could associate the data to users.
A draft government memo received by The Guardian suggests that the agency could use device IDs to deanonymize the data and trace it back to the users “if ministers judge that to be proportionate at some stage”.
Read more of the latest coronavirus security and privacy news
The system has been designed to operate without the need to collect device IDs. But there’s no technical barrier that would prevent the application server from collecting device IDs and other information in addition to tokens.
A spokesperson for NHSX denied there were ever plans to deanonymize the data. In his April 12 announcement, Hancock said that the NHS will be open-sourcing the app in order to facilitate auditing and review.
The Daily Swig has reached out to the NHSX for comments about code auditing, and open-source policies.
Privacy advocates, philosophers, and politicians have cautioned about providing too much monitoring to governments under the pretext of the pandemic.
“Powers granted in times of crisis tend to stick when the storm is over,” historian Yuval Noah Harari warned in an essay for the Financial Times.
READ MORE Metasploit founder HD Moore on bug bounties, computer security laws, and coronavirus