Google & Apple Bluetooth-based COVID-19 contact tracing: how does it work and how secure is your data?

On Friday, April 10th, 2020, Apple and Google announced a joint effort, with published draft specifications, to create a Bluetooth-based contact-tracing application programming interface (API) that they plan to release in mid-May. This technology, they hope, will enable public health authorities to develop apps to track and slow the spread of COVID-19. 

Contact tracing is a technique used during an infectious disease outbreak that attempts to track how a disease spreads. When a person is diagnosed, health officials create a list of people who may have been exposed to the infected person, and then ask those people to self-quarantine to limit the spread of the virus. This is a manual process that relies on the infected individual’s memory and requires significant resources to notify everyone, especially when the list of people grows beyond a few dozen. And in the case of COVID-19, which can take up to 14 days to show symptoms, it can be nearly impossible to do accurately.

Bluetooth-based contact tracing, as designed in the Apple and Google specification, relies on the individual’s smartphone to record when, for how long, and at what signal strength it was near other phones, without recording where. When two smartphones are within Bluetooth range, each broadcasts an anonymous, rolling identifier and logs the identifiers it hears. Later, if a person is diagnosed with COVID-19, they can choose to upload the last 14 days of daily keys from which their broadcast identifiers were derived to a Diagnosis Server via the public health authority’s app, without revealing their identity. Other phones running the app periodically download these keys, re-derive the identifiers locally, and notify their owners if any of them match identifiers in their own logs. As businesses begin to reopen, many are considering using contact tracing as part of their revised COVID-19 office safety plans to help mitigate the spread of coronavirus in the workplace.

While this technology could significantly help healthcare providers and slow the spread of COVID-19, it has raised a lot of concerns around the security and handling of personal data. Openpath’s Chief Security Officer, Samy Kamkar, diagrammed and explained how the specification is designed to work. He also shared his findings on Twitter, praising the design (“it's opt-in, way more user-centric, way less Black-Mirror”), and answered some important questions about the security and privacy of the spec. 

Does Bluetooth-based contact tracing track geolocation data?

No. The Apple and Google API does not use or collect geolocation data; proximity is inferred from Bluetooth alone. However, the draft does refer to sending the Diagnosis Server a “region,” and it is unclear how that region is defined, how large it is, or whether multiple regions are sent. 

Can I opt out of this?

Yes. Participation is entirely opt-in, and it is also up to the individual whether to self-report a COVID-19 diagnosis. 

Is it anonymous?

Yes, with one caveat. According to the spec, smartphones log encounters with other smartphones using Rolling Proximity Identifiers that change every ten minutes and carry no user or device identity. Strictly speaking the identifiers are pseudonymous rather than anonymous: anyone holding a user’s daily key, which only happens if that user self-reports, can link together all of the identifiers that key produced that day. Individuals who self-report are never named, so others who are notified of an exposure via the app won’t know who the source was. 

Will Google, Apple, or anyone else know where I've been? 

No. The system does not use or record location data as it currently stands. If you opt in, your phone broadcasts random-looking identifiers derived from a per-device tracing key; the identifiers are never tied back to you as a user, and the tracing key itself never leaves your device. The only key material that does leave it is the last 14 days of daily keys, and only if you choose to self-report a diagnosis.

Will Google, Apple, or anyone else know who I've been near? 

No. Your phone collects the identifiers of phones near you, but that log stays on your phone and is never uploaded, even if you opt in to self-report a positive diagnosis. Matching is done on the device by comparing downloaded diagnosis keys against the local log.

What am I sharing when I opt-in? 

Your phone derives a new 16-byte Rolling Proximity Identifier every ten minutes and broadcasts it via Bluetooth. Without the daily key it was derived from, a new identifier cannot be linked to the previous one, so a passive listener cannot follow one phone from interval to interval.

How does the system know who is positively diagnosed? 

At this time, the system relies on users opting in to self-report a positive diagnosis through the app. The report reveals no personal information about the user, only the daily keys needed for others who were in proximity to learn that they were potentially exposed and should take precautions such as self-quarantining.

What information does my phone store? 

When your phone receives a beacon from another device that has opted in, it logs that device’s rolling identifier, a timestamp, and the RSSI (Received Signal Strength Indication), which is a rough proxy for how far away the other user was. RSSI is affected by bodies, pockets, walls and differences between phone models, so it is an approximation, not a measured distance.
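To make the key schedule in the answers above concrete (rolling identifiers, the 14 days of daily keys a self-reporting user uploads, and matching done on the phone against the logged identifier, timestamp and RSSI), here is an added, illustrative Python model. It is not Apple’s or Google’s code and not a conformance implementation: the derivation labels, integer encodings and HKDF salt are my assumptions, and the Alice/Bob/Carol scenario data is constructed.

```python
"""Illustrative model of the contact-tracing key schedule and on-device matching.

Added example, not Apple's or Google's code. It follows the structure of the
April 2020 draft (device-resident tracing key -> daily key -> rolling 10-minute
identifier, matching done locally), but the derivation labels ("CT-DTK",
"CT-RPI"), integer encodings and HKDF salt are assumptions, not a conformance
implementation.
"""
import hashlib
import hmac
import os

DAY_SECONDS = 86_400
INTERVAL_SECONDS = 600                              # identifiers roll every 10 minutes
SLOTS_PER_DAY = DAY_SECONDS // INTERVAL_SECONDS     # 144
RETENTION_DAYS = 14


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with an all-zero salt (assumed) and SHA-256."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def day_number(unix_time: int) -> int:
    return unix_time // DAY_SECONDS


def interval_number(unix_time: int) -> int:
    """10-minute slot within the day, 0..143."""
    return (unix_time % DAY_SECONDS) // INTERVAL_SECONDS


def daily_tracing_key(tracing_key: bytes, day: int) -> bytes:
    """Per-day key. Only these are ever uploaded; the tracing key stays on the phone."""
    return hkdf_sha256(tracing_key, b"CT-DTK" + day.to_bytes(4, "little"), 16)


def rolling_proximity_id(dtk: bytes, slot: int) -> bytes:
    """16-byte identifier broadcast over BLE during one 10-minute slot."""
    return hmac.new(dtk, b"CT-RPI" + slot.to_bytes(4, "little"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.tracing_key = os.urandom(32)   # never leaves the device
        self.contacts = []                   # (rpi, unix_time, rssi) heard from other phones

    def beacon(self, unix_time: int) -> bytes:
        dtk = daily_tracing_key(self.tracing_key, day_number(unix_time))
        return rolling_proximity_id(dtk, interval_number(unix_time))

    def observe(self, rpi: bytes, unix_time: int, rssi: int) -> None:
        self.contacts.append((rpi, unix_time, rssi))

    def diagnosis_keys(self, now: int) -> dict:
        """What a self-reporting user uploads: the last 14 daily keys, by day number."""
        today = day_number(now)
        return {d: daily_tracing_key(self.tracing_key, d)
                for d in range(today - RETENTION_DAYS + 1, today + 1)}

    def exposure_minutes(self, published: dict, rssi_threshold: int = -70) -> int:
        """Re-derive every identifier the published keys could have produced and
        match against the local log, which is never uploaded. Exposure is counted
        in whole 10-minute slots whose RSSI was at or above the threshold."""
        candidates = {rolling_proximity_id(dtk, slot): day
                      for day, dtk in published.items()
                      for slot in range(SLOTS_PER_DAY)}
        matched = {(day_number(t), interval_number(t))
                   for rpi, t, rssi in self.contacts
                   if rssi >= rssi_threshold and candidates.get(rpi) == day_number(t)}
        return len(matched) * (INTERVAL_SECONDS // 60)


def demo() -> dict:
    """Constructed scenario: Alice is near Bob for 30 minutes, Carol only ever
    hears Alice. Bob self-reports two days later."""
    alice, bob, carol = Phone(), Phone(), Phone()
    t0 = 1_586_499_600                       # 10 April 2020 06:20 UTC, on a 10-minute boundary
    for t in range(t0, t0 + 30 * 60, 60):    # one BLE scan per minute
        alice.observe(bob.beacon(t), t, rssi=-60)
        carol.observe(alice.beacon(t), t, rssi=-60)
    alice.observe(bob.beacon(t0 + 2400), t0 + 2400, rssi=-95)   # too weak to count
    published = bob.diagnosis_keys(now=t0 + 2 * DAY_SECONDS)     # Bob's upload
    return {
        "keys_uploaded": len(published),
        "alice_minutes": alice.exposure_minutes(published),
        "carol_minutes": carol.exposure_minutes(published),
        "same_slot_stable": alice.beacon(t0) == alice.beacon(t0 + 1),
        "next_slot_differs": alice.beacon(t0) != alice.beacon(t0 + INTERVAL_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

Running it reports 30 matched minutes for Alice and 0 for Carol. The model makes two properties visible: Bob’s log of who he was near is never touched, only his daily keys are published; and once a daily key is published, all 144 identifiers it generated that day can be recomputed by anyone, which is exactly what lets other phones match, and also why a diagnosed user’s identifiers for that day become linkable to each other after the fact.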

Is anything preventing someone from falsely reporting a positive diagnosis? 

At this time, the draft does not specify any validation of a self-reported diagnosis, so it may be possible for a malicious or mistaken user to publish keys and lead others to believe they were near an infected person when they were not. How this is prevented will depend on the Diagnosis Server, the service that will store and distribute the keys of opted-in positive diagnoses, and further details on it are required.
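One way a Diagnosis Server could close the gap described above, as an added, hypothetical example that is not part of the Apple/Google draft (which leaves verification to the public health authority): the authority hands a confirmed patient a single-use, expiring verification code, and the server only publishes keys that arrive with a valid code and fall within the 14-day window. The code format, the structural checks, the constructed timestamps and the class names are my assumptions, shown beside the unchecked acceptance the draft currently leaves room for.

```python
"""Hypothetical Diagnosis Server upload check.

Added example; not part of the Apple/Google specification, which as drafted
leaves verification to the health authority. The verification-code scheme
(HMAC-tagged, single-use, expiring codes issued by the authority) and the
key-window checks are assumptions about what a server would need to add.
"""
import hashlib
import hmac
import os

DAY_SECONDS = 86_400
RETENTION_DAYS = 14
KEY_LEN = 16


class HealthAuthority:
    """Issues one-time codes to patients with a confirmed test result (assumed design)."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)
        self._spent = set()

    def issue_code(self, now: int, ttl_days: int = 3) -> str:
        expiry = now + ttl_days * DAY_SECONDS
        body = f"{os.urandom(8).hex()}.{expiry}"
        tag = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()[:32]
        return f"{body}.{tag}"

    def redeem(self, code: str, now: int) -> bool:
        """Valid tag, unexpired, never used before; marks the code spent on success."""
        parts = code.split(".")
        if len(parts) != 3:
            return False
        nonce, expiry, tag = parts
        expected = hmac.new(self._secret, f"{nonce}.{expiry}".encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(tag, expected):
            return False
        if not expiry.isdigit() or now > int(expiry) or nonce in self._spent:
            return False
        self._spent.add(nonce)
        return True


class DiagnosisServer:
    def __init__(self, authority: HealthAuthority) -> None:
        self.authority = authority
        self.published = []      # (day_number, daily_key) pairs every client downloads

    def accept_unverified(self, keys: dict) -> bool:
        """What the draft leaves room for: any client can publish any keys."""
        self.published.extend(keys.items())
        return True

    def accept_verified(self, keys: dict, code: str, now: int) -> tuple:
        """Structural checks first, so a malformed upload does not burn a valid code."""
        if not 1 <= len(keys) <= RETENTION_DAYS:
            return False, "bad key count"
        today = now // DAY_SECONDS
        for day, key in keys.items():
            if not isinstance(key, bytes) or len(key) != KEY_LEN:
                return False, "bad key length"
            if not today - RETENTION_DAYS < day <= today:
                return False, "day outside 14-day window"
        if not self.authority.redeem(code, now):
            return False, "verification code rejected"
        self.published.extend(keys.items())
        return True, "accepted"


def demo() -> dict:
    """Constructed scenario: one legitimate upload and the abuse cases around it."""
    now = 1_586_476_800                       # constructed: 10 April 2020 00:00 UTC
    today = now // DAY_SECONDS
    authority = HealthAuthority()
    open_server = DiagnosisServer(authority)
    server = DiagnosisServer(authority)
    good_keys = {d: os.urandom(KEY_LEN) for d in range(today - 13, today + 1)}
    future_keys = {today + 1: os.urandom(KEY_LEN)}
    later = now + 4 * DAY_SECONDS
    later_keys = {d: os.urandom(KEY_LEN) for d in range(later // DAY_SECONDS - 13, later // DAY_SECONDS + 1)}
    code = authority.issue_code(now)
    forged = code[:-1] + ("0" if code[-1] != "0" else "f")   # flip last hex digit of the tag
    return {
        "unverified": open_server.accept_unverified({today + 1: b"junk"}),  # anything goes through
        "no_code": server.accept_verified(good_keys, "", now),
        "forged_code": server.accept_verified(good_keys, forged, now),
        "future_day": server.accept_verified(future_keys, code, now),      # code not consumed
        "valid": server.accept_verified(good_keys, code, now),
        "replay": server.accept_verified(good_keys, code, now),            # same code again
        "expired": server.accept_verified(later_keys, authority.issue_code(now), later),
        "published_days": len(server.published),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering matters: a code is only marked spent after the upload passes the structural checks, so a client cannot lose its one code to a malformed request, and the same code presented twice is rejected the second time. None of this is in the published draft; it is the kind of policy the Diagnosis Server and the health authority would have to agree on.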


Additional Resources