The coronavirus pandemic has brought many changes to everyday life, many of which infringe on basic liberties Perhaps the greatest threat is yet to come in the form of a tiny addition to the operating system of our cell-phones allowing the government to trace all of our movements and every person we come in contact with.
Last week, Apple and Google made available the first public version of their exposure notification application programming interface (API). Named the Exposure Notification system, this is not an app but rather a joint contact-tracing software tool that is part of the operating system installed on new phones and included in system updates. The tech giants are not planning on making an app but developers working on behalf of public health agencies can now issue apps that make use of it.
The two companies have promised that when the crisis has ended, they will shut down the tracking tools.
Commonly referred to as contact tracing, this will allow authorities to trace the contacts of infected individuals, testing them for infection, treating the infected and tracing their contacts in turn, public health aims to reduce infections in the population.
The way it works is your phone will regularly send out a beacon via Bluetooth that includes a random Bluetooth identifier that isn’t tied to a user’s identity. Bluetooth wireless technology can sense devices from up to 15 feet away. Other phones will be listening for these beacons and broadcasting theirs as well. When each phone receives another beacon, it will record and securely store that beacon on the device.
If you later come down with COVID-19, open the health app on your phone, and log a diagnosis. The phone then uploads the last two weeks’ worth of beacon data and asks for your permission to anonymously share your results and notify others. The app will recommend those people self-isolate in case they have contracted the disease. Those contacted won’t know the identity of the person who may have passed on coronavirus.
The functionality will only be available to public health apps so outsider developers won’t be able to use that data.
Contact tracing has been a pillar of communicable disease control in public health for decades. The eradication of smallpox, for example, was achieved not by universal immunization, but by exhaustive contact tracing to find all infected persons. This was followed by isolation of infected individuals and immunization of the surrounding community and contacts at-risk of contracting smallpox.
The significant difference in previous epidemics is that contact tracing was done after a person was diagnosed. Due to the prevalence of cell-phones, contact tracing can now be done proactively, before contracting the disease, and universally.
Last month, Apple and Google, who account for most of the world’s mobile operating systems, announced Coronavirus disease tracking technology for iOS and Android. Relying on Bluetooth wireless radio signals for contact tracing, the new tools would warn people about others they’d been in contact with who are infected by the coronavirus. This was voluntary and users would need to consent and opt to activate the app.
As of 10 April, corresponding coronavirus apps were expected to be released in May and enhanced later in 2020. The contact tracing capability will automatically become part of your ell phone’s operating system.
Though the tech companies assure the public that the API is safeguarded and does not record identity or store location data, privacy concerns are a serious issue.
Concerns about privacy are very real and the program becomes moot if no one uses it. One such app called Covidsafe was used in Australia and was touted as being an essential element to opening up public events. Yet nearly a month since launch, the contact tracing app has barely been used – just one person has been reported to have been identified using data from it.
Relying on Bluetooth is problematic. A recently released study reported that Bluetooth “contains vulnerabilities enabling impersonation attacks during secure connection establishment.” The vulnerability is described as a Bluetooth impersonation (BIAS) attack, where devices are tricked into accepting a new connection that has copied the pairing signature of a previous one.
“Any standard-compliant Bluetooth device can be expected to be vulnerable,” the report concluded. “All devices that we tested were vulnerable to the BIAS attack.”
Of more concern are less sophisticated socially engineering text messages and emails that warn you have been near an infected patient. These can provide links to install contact-tracing apps. These are designed to trick you into installing malware or giving up usernames and passwords.
The fear of infection can be used to coerce people into installing and running tracking software before entering commercial establishments or accessing government or health services.
And there is always the fear that your personal data can be accessed or even sold.