Stop the Apple and Google contact tracing platform. (Or be ready to ditch your smartphone.)

April 11, 2020

Apple and Google released a joint specification that allows both iPhones and Android devices to do contact tracing on a global scale. Even though "privacy, transparency, and consent are of utmost importance", this is a game-changing event that has grave consequences. We must stop Apple and Google in their tracks. Or else ditch our smartphones, as they will truly become the Stasi agents in our pockets.

Note 2020-12-15: I wrote an updated and much more detailed analysis based on this blog post, and published this on arXiv.

I haven't felt comfortable with the idea of a contact tracing app to fight the corona pandemic in the first place. But with this announcement, Apple and Google take it to another level:

in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities.

Instead of an app, the technology is pushed down the stack into the operating system layer, creating a Bluetooth-based contact tracing platform. This means the technology is available all the time, for all kinds of applications. Contact tracing is therefore no longer limited in time, or limited in purpose to tracing and containing the spread of the COVID-19 virus. Two very important safeguards protecting our privacy are thus thrown out of the window.

Privacy is 'protected' using a so-called decentralised approach. There is no central server collecting which devices have been in close contact with each other. Instead, each phone collects over time the (ephemeral) identifiers of all other phones (whether iPhone or Android) in its vicinity. When a user turns out to be infected by the coronavirus, the phone (using the contact tracing app) publishes only its own identifier, so all other phones can check locally, against the database of identifiers they saw recently, whether they have been in close contact with this device.

However, any decentralised scheme can be turned into a centralised scheme by forcing the phone to report to the authorities that it was at some point in time close to the phone of an infected person. In other words, certain governments or companies -- using the decentralised framework developed by Apple and Google -- can create an app that (without users being able to prevent this) reports the fact that they have been close to a person of interest in the last few weeks. The platform itself may be decentralised. But the app developed on top of it breaks this protective shield and collects the contact information centrally regardless. This effectively turns our smartphones into a global mass surveillance tool. By pushing a button on one phone, by reporting it as infected, all other phones that were recently in close proximity reveal themselves to the central server (operated by the government or some shady company). How invasive this tool is depends on some details. The current specifications allow phones to learn when and where they were in contact with another device. It is unclear whether the actual identity of that device is also revealed. (But note that this may even be irrelevant if phones respond in real time to any request to reveal themselves.)
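To make the argument of the two paragraphs above concrete, here is an added toy simulation (my own illustration, not Apple's or Google's code, and not the real key schedule): a few phones exchange rolling identifiers derived from a per-device key, one phone reports itself infected by uploading only its own key, and the others match locally. Every phone logs each message that leaves the device, so a simple audit function can distinguish the honest client (only its own key ever goes to the server) from a client that reports a local match back to the server, which is the centralising behaviour described above. The names `HonestPhone`, `CentralisingPhone`, `leaks_contact_info` and the hash-based identifier derivation are all assumptions made for this example.

```python
import hashlib
import secrets

# Added toy model (not the Apple/Google code): rolling identifiers are a
# truncated hash of a per-device key and a time slot. The real key schedule
# differs, but the privacy argument is the same.

def rolling_id(device_key: bytes, interval: int) -> bytes:
    return hashlib.sha256(device_key + interval.to_bytes(4, "big")).digest()[:16]


class Server:
    """Central server. In the decentralised scheme it only relays keys of infected users."""
    def __init__(self):
        self.published_keys = []
        self.contact_reports = []  # only ever filled by a centralising client


class HonestPhone:
    def __init__(self, name: str):
        self.name = name
        self.device_key = secrets.token_bytes(16)
        self.seen = {}        # rolling id -> interval in which it was heard
        self.outbound = []    # (message type, payload) for everything sent off-device

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.device_key, interval)

    def hear(self, rid: bytes, interval: int) -> None:
        self.seen[rid] = interval

    def report_infected(self, server: Server) -> None:
        # Honest client: the only thing uploaded is the phone's own key.
        self.outbound.append(("upload_own_key", self.device_key))
        server.published_keys.append(self.device_key)

    def matches(self, server: Server, intervals) -> list:
        # Local matching: re-derive the identifiers of each published key and
        # compare against what this phone heard. Nothing leaves the device.
        hits = []
        for key in server.published_keys:
            for i in intervals:
                if rolling_id(key, i) in self.seen:
                    hits.append((key, i))
        return hits

    def check_exposure(self, server: Server, intervals) -> bool:
        return bool(self.matches(server, intervals))


class CentralisingPhone(HonestPhone):
    """Client behaviour the post warns about: a local match is reported centrally."""
    def check_exposure(self, server: Server, intervals) -> bool:
        hits = self.matches(server, intervals)
        if hits:
            self.outbound.append(("report_contact", self.name))
            server.contact_reports.append((self.name, hits[0][1]))
        return bool(hits)


def leaks_contact_info(phone: HonestPhone) -> bool:
    """Audit check: any outbound message other than uploading one's own key means
    the client has turned the decentralised scheme into a centralised one."""
    return any(kind != "upload_own_key" for kind, _ in phone.outbound)


def simulate(client_cls) -> dict:
    # Constructed scenario: Alice and Bob are co-located for four time slots,
    # Carol is elsewhere and hears nobody. Alice later reports herself infected.
    server = Server()
    alice, bob, carol = client_cls("alice"), client_cls("bob"), client_cls("carol")
    intervals = list(range(100, 104))
    for i in intervals:
        bob.hear(alice.broadcast(i), i)
        alice.hear(bob.broadcast(i), i)
    alice.report_infected(server)
    return {
        "bob_exposed": bob.check_exposure(server, intervals),
        "carol_exposed": carol.check_exposure(server, intervals),
        "server_learned_contacts": [name for name, _ in server.contact_reports],
        "alice_leaks": leaks_contact_info(alice),
        "bob_leaks": leaks_contact_info(bob),
    }


if __name__ == "__main__":
    print("honest client:", simulate(HonestPhone))
    print("centralising client:", simulate(CentralisingPhone))
```

With the honest client, Bob learns locally that he was exposed and the server learns nothing beyond Alice's key; with the centralising client, the same match makes Bob's phone announce itself to the server, and the audit flags it. The point of the `outbound` log is that the difference is not in the platform's matching logic, which is identical in both classes, but in what the app on top of it chooses to send.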

Any illusion we had that we could somehow tame the Stasi agent in our pocket, by buying more expensive iPhones because Apple pledged to take our privacy seriously, or being mindful about the apps we do or do not install on our phones, is just that: an illusion.

Just consider what this decentralised contact tracing platform could be used for, especially when apps are developed that collect the contact information centrally as outlined above, and even more so when people are forced or incentivised to install such apps. Manufacturers could of course also pre-install such apps or functionality on some of the phones they sell.

  • The police could quickly see who has been close to a murder victim: simply report the victim's phone as being 'infected'.
  • Some might say this is not a bug but a feature, but the same mechanism could be used to find whistleblowers, or the sources of a journalist.
  • A company could install Bluetooth beacons equipped with this software at locations of interest (e.g. shopping malls). By reporting a particular beacon as 'infected', all phones (that have been lured into installing a loyalty app, or that somehow have the company's SDK embedded in some of the apps they use) will report that they were in the area.
  • If you have Google Home at home, Google could use this mechanism to identify all people that have visited your place.
  • Jealous partners could secretly install an app on the phone of their significant other, to allow them to monitor who they have been in contact with. Overzealous parents could use this to spy on their children.

And I am sure people can come up with even better examples…

The technology will soon be there. The game changes because it is no longer a single app that we choose to install: it's a technology embedded in all future smartphones. We cannot rely on mere trust, hoping that Google, Apple and all these other app developers out there will not abuse this technology for nefarious purposes. This must be stopped. There is no place for such invasive tracking technology in our society. This is not a short-lived, targeted application of tracking technology, solely used to combat the COVID-19 pandemic. If this is the medicine, I think it is worse than the disease.

In the meantime: don't update the operating system of your phone. Or be ready to ditch your smartphone and get yourself a dumbphone.

jb, 2020-04-12 12:06:55

What we are facing here are our worst fears, the majority won’t even realise, I will simply burn my iPhone and never go back to smartphones.

Kimberly Palmer, 2020-05-22 00:10:20

I’ve never owned a so-called ‘smart’ phone. No, I’m not a Luddite. It’s that I value my liberty more than the over-touted convenience. Unfortunately, those ‘smart’ phones have done a good job of making payphones and landlines nearly extinct.

Akash Kumar Sharma, 2020-04-12 12:24:04

An app based on this technology has started working here in Bharat (a.k.a. India) (population 1.3 billion). I hope the government uses it wisely. https://play.google.com/store/apps/details?id=nic.goi.aarogyasetu

Zain, 2020-04-12 17:46:13

This is a fundamental misunderstanding of the technology. An attacker reporting their Bluetooth device as “infected” doesn’t get any privileged information. None of the scenarios you’ve described are technically possible with the Google/Apple tech.

If an attacker falsely reported they were “infected” then their own keys get uploaded to the cloud. The rest of the world can see those keys and determine if they were in close contact with the attacker, but the attacker gets no additional information about who they were in close contact with.

Read the whitepaper. Stop spreading FUD.

Jaap-Henk, 2020-04-13 09:31:24

I’ve read the whitepaper. And the technology does allow rogue apps (that slip through the Apple/Google vetting process by negligence, coercion or market incentives) to abuse this decentralised system and turn it into a centralised one. Such a malicious app defines what “infected” means and thus determines when it should report your identifier to the central server. Such a malicious app on the phone of some person in the vicinity is notified of this fact, and can decide to also report this back to the central server. If “infection” events are infrequent, a clear link between these people can be established without relying on any other metadata.

JWC, 2020-04-12 19:23:46

If you are afraid of being tracked by companies or governments, then you should have already ditched your smartphone a long time ago. I don’t understand how this can be worse than GPS tracking.

In case I have been infected, if I had to choose between sharing my entire GPS history (as some governments are doing), or just some random ID, I would gladly opt for the second option. It seems that’s the way the Apple/Google solution works: your phone exchanges some random numbers with others in proximity, and only in case you have been infected do you share the numbers you used, so others can check if they have been in contact.

Jaap-Henk, 2020-04-13 09:24:43

GPS tracking is much less precise than Bluetooth-based contact tracing. But make no mistake: I am just as opposed to OS-based centralised location tracking.

Renaud Richardet, 2020-04-12 21:14:09

What’s your take on the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT)? https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf

Martin Nagy, 2020-04-14 13:03:11

The decentralised approach is the way to go. The API prevents any application from taking any of the IDs the mobile phone received within the last 14-21 days out of the protected storage; it can only query whether some ID reported as infected by the central authority database is present. The upload of a report that a match was found should somehow be prevented. This is the issue.

There are also other issues, e.g. vulnerability to eavesdropping, but I hope these will be addressed.

The most promising effort in this field is Privacy-First Decentralized Privacy-Preserving Proximity Tracing known as DP-3T https://github.com/DP-3T

Leon, 2020-04-21 23:22:42

While I take privacy seriously, this article looks like FUD to me.

Sure, we need to consider the implications of this tech. Then again, it could just be accompanied with a permission request for apps which could be blocked.

If someone has access to your phone like the jealous spouse example then they could just as easily install a GPS tracker rather than an anonymous ID that they can’t correlate with anyone.

Loyalty apps? They just ask for GPS permissions, so they will likely ask for the BT correlation ID; just disallow it.

If governments force you to install spyware app you are in much deeper trouble than worrying about this feature.

Ottoman, 2020-04-25 02:34:21

You’re 100% correct. I would pay ZERO attention to the bots and other “groups” trying to discredit your analysis and sway the opinions of other readers. Only fools have such short memories, or forget all of the times the “camel” has made its way into the “tent” and things didn’t end well.

None of these companies or governments are to be trusted. They have proven themselves to be untrustworthy repeatedly, and they did so all on their own. The NSA won’t spy on US citizens’ phones, Google isn’t reading your email, the FISA courts won’t be abused, Amazon isn’t storing your Alexa conversations, Windows 10 isn’t sharing your activity. The list goes on and on and on.

If this was intended to be optional or short term, they wouldn’t force it into the operating system. Good intentions pave the road to hell, and this is no different.

Ditch your phone now and start making other arrangements.