So I’ve finally spun up a bit of a better test environment for evaluating COVIDSafe which I intend to do a substantial packet capture over several hours, so in between I’ve been reading the spec for Apple & Googles implementation, available here: https://www.apple.com/covid19/contacttracing
A quick look at the apple & google spec
at first glance, I actually like the look of this one, the Bluetooth specification sees a tighter payload, with a lower likelihood of disclosable personal information. Additionally the constant rotation every 15 minutes of the beacon will also reduce the traceability of individual users which wasn’t a risk previously.
The lack of personally identifiable data from a privacy standpoint is great, bur from a practicality, application integrity and response standpoint a way to undermine the applications intent.
The specification in its current form has not really discussed the Positive Diagnosis process; how does one actually get diagnosed and confirm that they’re infected and is this fact qualified by a medical practitioner? Ideally there should be an opportunity to validate a diagnosis. I do note that wired discusses this feature alongside the following quote in one of the documents:
At least once per day, the system will download a list of beacons that have been verified as belonging to people confirmed as positive for COVID-19 from the relevant public health authority.
This does not appear to be in the technical specifications. Other concerns I’d have include:
- Can the positive identification feature be susceptible to unauthorised access?
- Will a medical practitioner need to be in front of the patient to authenticate the identity of a phone and thus permit a positive diagnosis?
- How are medical practitioners vetted and provisioned into such a system and does it vary from country to country? How does diagnosis work in less developed or less regulated systems?
- With the item above in mind, is it possible to impact another Country’s citizens by diagnosing their citizens as testing positive outside the control of their own healthcare system?
However, it’s also worthwhile noting that there isn’t a point of escalation or follow up for potentially exposed individuals; the key to defeating the virus is early intervention, and is dependent on an individual responding to an alert on their phone which, if we also look at the pull requirement (IE pulling data down of infected beacons for contract tracing “at least once a day”) as opposed to a push requirement (actively messaging and pursuing contacts once a case has been confirmed, which appears to be the rationale in the Australian system). The key to contact tracing and the fundamental tenant of eradication and a fast return to normal involves minimising lag times which I don’t think the Google/Apple approach to contact tracing will achieve as fast as the other systems, albeit at a [perceived] sacrifice to privacy.
Scenario 1: The canary
The canary scenario I think would be interesting is the of tracking outbreaks. If several devices not associated with a human were spread in key locations such as egress points to train stations or heavily traversed areas, it would be possible to identify and map outbreaks as they evolve and even start identifying hotspots. It would also be a good indicator of health in an area based on setting canaries around say a suburb.
Not a security risk, but perhaps a good way to start informing community health and implementing some degree of tracking.
Scenario 2: The Hyena
The hyena scenario I’ve derived from the specifications lack of maturity on diagnosis; should this be a self reporting feature with no professional diagnosis and qualification that someone is infected (as is the case in the Australian and Singapore instances) three scenarios are likely:
- Hypochondriacs self diagnosing and skewing the data and creating a little bit of disruption.
- Pranksters looking to troll family and friends they’ve recently come into contact with (this is not funny… please don’t).
- Collecting a large number of contact events (IE through layering devices around heavily traversed areas similar to the canary scenario) and triggering positive notifications over several hours. This would be fantastic if you wanted to panic an entire city.
Alternatively, these scenarios can be realised with laxed security controls on medical practitioners or even a positive diagnosis of an American courtesy of a medical practitioner that does not reside in the United States.
Anyone ranging from a to a cunning creature hell bent on manipulation to someone seeking a laugh could easily abuse this feature (thus the name of the scenario).
Until the diagnosis mechanism has a level of integrity and factors in the requirement for speed, I assess the utility of this contact tracing implementation will not be as effective as the Australian approach.