Germany on Sunday pulled an about-face regarding the best way to use smart phones to trace people’s contacts with those infected by COVID-19, embracing a decentralized Bluetooth-based approach instead of the more invasive location tracking proposed in other approaches.
The Bluetooth approach – which keeps data local on people’s phones instead of being stored on a centralized database that could be used for mass state surveillance or to track people – is supported by Apple, Google and other European countries, Reuters reported.
Apple and Google first announced their contact tracing collaboration two weeks ago, on 10 April. Instead of “contact tracing,” though, they’re calling it an Exposure Notification system.
As the companies have explained in an FAQ about their approach, it will come in two phases, both of which will use Bluetooth technology on mobile devices to aid in contact tracing efforts.
The first phase will be an API that works across iOS and Android devices for public health agencies to integrate into their own apps. That’s due in May. The second phase, due in coming months, will be introduced at devices’ operating system levels to ensure broad adoption – a key element in the success of contact tracing.
It will be done on a strictly opt-in basis. After the operating system updates and a user has opted in, the Exposure Notification system will start pinging the Bluetooth beacons of nearby devices. Preliminarily, users won’t have to install an app to get those notifications. But if a match is detected that shows a user has come into contact with somebody who’s infected, the user will be notified.
If they haven’t already downloaded the official app, they’ll be prompted to do so and will be advised on what to do next, such as take steps to get tested or self-quarantine. “Only public health authorities will have access to this technology and their apps must meet specific criteria around privacy, security, and data control,” according to the FAQ.
If a user tests positive for COVID-19, they’ll be able to work with their health authority to report the diagnosis within the app. Then, with their consent, their beacons will be added to the list of devices belonging to people who’ve tested positive. Users’ identities won’t be shared with other users, with Google or with Apple.
CNET has done a deep dive on the measures that Google and Apple are taking to protect people’s privacy with this approach. for its part, Google provided this video and graphic to explain the basics of the system:
IMAGE: Google
As Google and Apple tell it, the system – which will run on either Apple’s iOS or Google’s Android operating systems – requires explicit user consent. It collects neither users’ personally identifiable information (PII) nor their location data.
The list of people you’ve been in contact with never leaves your phone.
The system relies on smart phone beaconing: the use of a phone’s built-in radios and Bluetooth to constantly ping other devices with a long, unique string that identifies a device: what the companies say is a string of random numbers that aren’t tied to a user’s identity and which change every 10-20 minutes to protect users from being tracked. Servers relay a device’s last 14 days of IDs to other devices that then look for a match, searching for devices that came within six feet of each other for a given amount of time.
If the app detects that a user has come into contact with somebody who’s tested positive for COVID-19, the system will tell them what day it happened, how long the contact lasted, and the Bluetooth signal strength of that contact. That’s the full extent of the information that will be shared about the contact.
On Friday, Apple and Google said in a press briefing that besides relying on Bluetooth instead of location data, and on top of regularly changing the identifying IDs, they’ve also added a new layer of encryption for the tracing data. The extra encryption layer will make it tougher to identify those who’ve tested positive for COVID-19 and will also encrypt data to make it harder to use as a digital fingerprint if it’s exposed.
“Nein” to centralized data storage
As Reuters tells it, as late as Friday, Germany was backing a different approach to contact tracing called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT). That approach relies on tracking contacts by monitoring the proximity of their phones.
In fact, Germany was leading that initiative, which had the support of seven European countries as of last week.
That support went on to melt after 300 scientists published an open letter expressing concerns about PEPP-PT last Monday (20 April). They argued that PEPP-PT lacks transparency and that its centralized storage of data might be exploited by governments for discriminatory practices or invasive state surveillance.
We are concerned that some ‘solutions’ to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large.
The scientists came out in support of an alternative standard, called DP-3T, that they claimed is more privacy-preserving. At least three of the European countries that initially supported a contact-tracing app that relies on location data and centralized data storage had switched to supporting DP-3T as of Friday.
On Friday, German Chancellery Minister Helge Braun and Health Minister Jens Spahn said in a joint statement that the country would dump its own, home-grown approach to contract tracing, which would have given health authorities central control over the tracing data.
A senior government source told Reuters that it was Apple’s refusal to tweak settings on its iPhones – a change that would have been required to adopt PEPP-PT – that forced Germany to change course.
In a joint statement, Braun and Spahn said Germany would now adopt a “strongly decentralized” approach:
This app should be voluntary, meet data protection standards and guarantee a high level of IT security. The main epidemiological goal is to recognize and break chains of infection as soon as possible.
Apple and Google plan to collaborate with other initiatives, like the Swiss-led DP-3T, that similarly use a decentralized system that stores data on individual devices instead of in a centralized database.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Mahhn
In the 6th paragraph: “Preliminarily, users won’t have to install an app to get those notifications. But if a match is detected that shows a user has come into contact with somebody who’s infected, the user will be notified.”
So,,, does this mean the App is just a placebo for people to think they have control over being monitored?
There are those in the world that crave mas surveillance so badly they are jumping with joy at this. Most people hope this helps control infections, and some of us are aware of the “mission creep” — those few nut job control freaks that think they are saving the world, getting the parts they need one piece at a time,,, The system has the potential to ID anyone they want, track them down, and put them in a Quarantine camp, where they will get the virus for sure (cruise ship anyone).
Other Mission Creep scenarios. Jimmy stood by Suzan while waiting on a bus last month, she is under surveillance for ? crimes. Jimmy is brought in for interrogation. He finds this frustrating and gets angry being held like this, he resist…….. Every worst case scenario you can imagine, is a goal of the worst people in the most powerful positions. If you have any doubt, read up on China’s requirements to own a cell phone.
(yeah, I know they are already tracking anyone they want, but I liked it when they kinda denied it still)
Dave
1) the data is deleted after 14 days so the ‘last month’ thing doesn’t work
2) the data is in *your* phone, not centrally and therefore the authorities have no way to determine that Jimmy was near Suzan. Only Jimmy’s phone knows that and will only alert Jimmy if Suzan is flagged as infected.
Roger
Hahahahaha please tell me you don’t truly believe that, right?
David Pottage
Actually, I would trust the Germans on this.
They have been legislating on cyber privacy and data protection for over 50 years now. (Their first data privacy law dates back to 1969 from the state of Hesse). After the Berlin wall came down 30 years ago, and the abuses of the Stasi where revealed they became even more obsessed with limiting the data collection powers of the state. The Germans are the diving force behind the European GDPR legislation.
So if the Germans say that the new contact tracing ensures individual user privacy, then I would trust them. (On the other hand, I would not trust similar assurances from British, American or even French data protection authorities).
If you prefer, you can also look at the system design. In summary, everyone’s phone generates a new Bluetooth MAC address every 15 minutes or so, where each is cryptographically related to a random daily key that changes each day. Each phone with the tracing app installed will make a private record of all the Bluetooth MAC addresses it sees, keep the last 7 days worth, and not send them to any central data store. Later when someone tests positive, then with that user’s consent, the last 7 daily keys used to generate Bluetooth MACs are uploaded to a central server, and added to a big list with no information on who they came from. Periodically the contact tracing app will download the huge list, and check all the daily keys with the local collection of MAC addresses. If there is a match an alert is displayed to the user.
If you think about the design, there is almost nothing that could be used to track citizens. The lists of who has been in contact with whom are in millions of individual phones. The lists of infected people have been anonymised down to lists of random numbers, and there are no GPS traces anywhere in the system.
Phil
What about microsoft and the last users of windows mobile even if they want participate ?
Josh Wilson
I will 100% be opting out of this one; if that even helps.
I want Apple to STAY OFF MY PHONE when it comes to ANY tracking information. I don’t want as much as an app on my phone….
Damn….
John Knops
Interesting (as Mr. Spock would say). But how does that work in jurisdictions such as mine where you get an $800 ticket if you have a phone in your car? Or in your purse in your car. (A very true example, unfortunately.) Even higher ticket if it is “on”. It is called distracted driving by the enterprising local constabulary. Smart people like me don’t risk those ridiculously stupid constables and fines by just leaving our phones at home. We have a very interesting service called “voicemail” by our telephone company (telco for the millennials reading this). Naturally we are not distracted by the undistractable TV screen in our car which we have to look at every time some thing beeps or whistles or the young lady tells us we are going the right way on a one way street and who forgets to tell us “whoops” when we drive into the parked car. So, it seems that Apple and Google left out the most important instruction: “In order for this to work all people must have one of our cellphones turned on at all times” and be wealthy enough that they can afford to pay the cellphone distracted driving fines. After all when stopped at a traffic light the Bluetooth will communicate with the car alongside and also warn that the other cellphone is less than 2 metres away which is valid grounds for not “social distancing” and another fine or jail where 20 are packed into an 8×10 cell (to control infecting other people). All this information will be anonymous except for the phone number which the authorities need to send you the message and know who you are and where you live (maybe) which is defeated of course by smart people who use a PO Box as their service address. But, of course, we must and will embrace this new technology because as Jean Luc Picard said: “Resistance is Futile”.
Ian
Where do you live? If what you wrote is true then those are some insane laws.
John Knops
https://www2.gov.bc.ca/gov/content/transportation/driving-and-cycling/road-safety-rules-and-consequences/distractions
Canada, BC. Yes, Canadian politicians and bureaucrats are not the brightest bulbs shining in the firmament. The one I mentioned was, in fact, overturned by a Justice of the Peace. The Act is so vague that constables (cops or fuzz in the coloquial jargon) do what they like (almost) to satisfy their ticket quota for the week. The quota system is vehemently denied by the RCMP etc but I did have it attested to by a retired cop who went on to a better life in security.
Paul Ducklin
The document you link to specifically talks about *using* electronic devices while driving, and specifies a maximum financial penalty for a first offence of $620.