Google and Apple’s Bluetooth contact tracing API is now available to public health agencies to use when building their own contact tracing applications.
Google and Apple have not created a contact tracing application.
Instead, what they have developed is an API that broadcasts a random identifier that changes every 10-20 minutes, while receiving similar identifiers broadcast by those nearby. Once a day, it contacts the servers of participating health organisations that have built an application that plugs into the API.
It then pulls a list of identifiers associated with those who have reported a positive COVID-19 diagnosis. It can then send out push notifications to all those (opting in) who have come into proximity with someone affected.
It’s largely up to users to self-report, as Google noted in its announcement today: “Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app.”
The contact tracing technology will be baked into the operating systems of Android and iOS smartphones.
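The flow described above, as an added example that is not Google's or Apple's code: a per-day key and truncated HMAC-SHA256 stand in for the real identifier derivation, and the 10-minute interval, the `Phone` class and all names are assumptions. It shows that matching happens on the device, so the health agency's server only ever holds keys from users who chose to report.

```python
import hashlib
import hmac
import os

INTERVAL_SECONDS = 600  # assumption: rotate every 10 minutes (the page says 10-20)
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast during one interval of the day.

    Truncated HMAC-SHA256 is a stand-in, not the real API's derivation.
    """
    msg = b"rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.daily_key = os.urandom(16)  # stays on the phone unless the user reports
        self.heard = {}                  # identifier -> interval in which it was heard

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def receive(self, identifier: bytes, interval: int) -> None:
        self.heard[identifier] = interval

    def check_exposure(self, reported_keys: list) -> list:
        """Re-derive every identifier for each reported key and match locally."""
        hits = []
        for key in reported_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_id(key, interval) in self.heard:
                    hits.append(interval)
        return sorted(hits)


def simulate() -> dict:
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed scenario: Alice and Bob are near each other for intervals 50-52.
    for interval in (50, 51, 52):
        bob.receive(alice.broadcast(interval), interval)
        alice.receive(bob.broadcast(interval), interval)
    # Carol passes Bob once, at interval 90, and never reports a diagnosis.
    bob.receive(carol.broadcast(90), 90)
    # Alice opts in to report; only her daily key is published by the agency.
    published = [alice.daily_key]
    return {"bob": bob.check_exposure(published),
            "carol": carol.check_exposure(published)}
```

Bob's phone finds the three intervals it shared with Alice, while Carol's identifier stays unlinkable because her key was never published.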
NHS COVID-19 App Plagued by Issues
The UK, meanwhile, is building its own contact tracing application and associated set of technologies; it will not use the API.
Development appears to be beleaguered with issues: the National Cyber Security Centre (NCSC) is racing to fix a host of problems with the NHS’ COVID-19 tracing application following a shaky trial on the Isle of Wight.
The agency asked for feedback on technical documents it made public as well as bug reports, and was promptly swamped with messages pointing out errors and mistakes. Some were tame errors; others were less so, as cybersecurity concerns regarding the strength of the registration process were flagged.
Dr Ian Levy, Technical Director at the NCSC, commented: “Due to the coronavirus pandemic, the app has been developed in very compressed timelines and – like every beta – there was an engineering backlog at launch. And like every development, compromises were made in the name of timeliness.”
See a full list of the issues reported in Dr Levy’s blog here and a technical description of its architecture here [pdf]
There is sustained political pressure to develop an application, fast.
Privacy is a key concern in developing the app, and the NCSC is keen to minimise the security dependencies on third parties such as Google and Cloudflare as much as possible. In the beta of the application, proximity contact event data on devices was not encrypted before it was sent to servers.
Levy noted that: “When it’s transferred to the back end, it’s protected only by TLS. If Cloudflare went bad (or someone compromised them), they could get access to that proximity log data.”
The NHS COVID-19 application has been made open source and is available on GitHub.
Google and Apple Bluetooth API Privacy Concerns
The Google/Apple Contact Tracing API does not use GPS so it will not be providing location data, and in theory the applications using the technology should be decommissioned once the pandemic is over.
This has not stopped privacy and security advocates from raising concerns about the manner in which the Bluetooth tracing capability is being rolled out to devices as it may spell trouble in years to come.
(Apple and Google say they get zero user data via the API).
Jaap-Henk Hoepman, associate professor of privacy enhancing protocols at Radboud University Nijmegen, wrote recently that: “Instead of an app, the technology is pushed down the stack into the operating system layer creating a Bluetooth-based contact tracing platform.
“This means the technology is available all the time, for all kinds of applications. Contact tracing is therefore no longer limited in time, or limited in use purely to trace and contain the spread of the COVID-19 virus. This means that two very important safeguards to protect our privacy are thrown out of the window.”
One of the key concerns that Hoepman highlights is that, since this tracing capability is passed down the stack via an update and not an application download, it creates a platform for contact tracing on a global scale that works on all smartphones running Android or Apple’s OS, which is pretty much all of them considering their joint OS market share is 99 percent.
His concern is that unless safeguards are put in place: “This would create a global mass-surveillance system that would reliably track who has been in contact with whom, at what time and for how long.”