Last week, Google and Apple announced that they were incorporating changes into Android and iOS that will enable Bluetooth-based COVID-19 contact tracing. This announcement set off immediate criticism worldwide by individuals who felt that the companies were using the tool as yet another means of virtually spying on its users.
The new feature will go into effect next month. The government health agencies run apps that will utilize Bluetooth radios to track physical proximity between phones. Then, if someone later tests positive for COVID-19, they can report their diagnosis through the app, and any users who have been in close contact with the individual will receive a notification to their phone.
According to the Washington Post, the system is said to protect privacy by being Bluetooth-only and fully opt-in. The system allegedly will not collect location data from users nor data at all from anyone without a positive COVID-19 diagnosis.
Several security and privacy-focused technologists have pointed out quite a few potential flaws with the new system, which includes techniques that could reveal the identities of users with COVID-19 and allow advertisers to track them.
While Bluetooth-based contact tracing is not as likely to garner any privacy violations, the security protections are not full proof. To break it down scientifically, as explained by WIRED, contact-tracing apps will consistently broadcast unique, rotating Bluetooth codes that are created from a cryptographic key that changes once a day while constantly monitoring surrounding phones and recording the codes of any other phones they encounter within a certain amount of range and time. If a user were to report a positive coronavirus diagnosis, their app would then upload the cryptographic keys that were used to generate their codes over the last two weeks to a server. Everyone else’s app then downloads those daily keys and uses them to recreate the unique rotating codes they generated. If it finds a match with one of its stored codes, the app will notify that person that they may have been exposed, and will then provide them with information about how to properly self-quarantine or receive testing.
According to WIRED, the system involves every phone constantly broadcasting Bluetooth codes but limits snooper’s ability to eavesdrop on those codes to track a person’s movements by changing the numbers every 10 or 15 minutes.
Former chief technologist for the Federal Trade Commission, also pointed out that a so-called “correlation attack” could still allow some forms of tracking.
“While the system itself has anonymous properties, the implementation—because it’s broadcasting identifiers—isn’t anonymous,” Soltani says. “If you know you might end up on Nextdoor as someone who’s infected, you might not be willing to use one of these apps.”
Another major concern is whether or not the technology will be used for ad targeting. While ad-targeting firms aren’t directly allowed, they could put Bluetooth beacons in stores that collect contact-tracing codes emitted by visiting customers. The firm could then use the government public health app to download all the keys of people who are later diagnosed with COVID-19 and generate all their codes for the previous two weeks. Hypothetically, this method could then determine which trail of codes represented a single person, which would allow them to follow them from store to store.
With so many what-if scenarios to take into consideration, one could argue, is it even worth the trouble?
Discover more from Baller Alert
Subscribe to get the latest posts sent to your email.
