Together with our collaborators from all over Europe, we have published a critical report focusing on the issues related to the currently predominant contact tracing solution by Google and Apple. The report is entitled “Contact Tracing by Giant Data Collectors: Opening Pandora’s Box of Threats to Privacy, Sovereignty and National Security” and can be downloaded here.
A research team from the Technical University of Darmstadt, the University of Marburg and the University of Würzburg has demonstrated and confirmed vulnerabilities related to data protection and security of the Google and Apple specification for contact tracing apps under real-world conditions. The German contact tracing app developed by Deutsche Telekom and SAP on behalf of the German government is based on this approach. Also the Swiss and Italian contact tracing apps utilise this tracing technology.
Through experiments in real-world scenarios, the research team showed that risks already known on a theoretical level can be exploited in real life using commonly used technical means. This attack allows an external attacker to create detailed movement profiles of persons infected with COVID-19 and, under certain circumstances, identify them. On the other hand, an attacker can also manipulate the collected contact tracing information through so-called relay attacks, which can impair the accuracy and reliability of the entire contact tracing system.
Contact tracing apps on mobile devices promise the possibility of significantly reducing the manual effort needed to identify contact chains of infected persons and increasing the coverage of contact tracing. One of the most well-known suggestions for contact tracing comes from a collaboration of the companies Google and Apple. It is expected that the two US companies will integrate this new approach as a standard functionality into their respective mobile operating systems, Android and iOS. Some countries, including Germany, have already chosen this approach in their national contact tracing app projects.
The starting point for the experiments of the IT security experts from the three universities were previously published reports on possible data protection and security risks of the so-called “Google Apple Protocol” (GAP). The research team tested whether the attacks described on a conceptual level could be carried out in practice. Their experiments showed that GAP is susceptible to user movement profiling and may therefore allow an attacker to de-anonymize infected persons. On the other hand, so-called relay or wormhole attacks are also possible in GAP, which means that attackers can generate incorrect contact tracing data and negatively impact the accuracy and correctness of the overall system.
The research team implemented the attacks using commercially available inexpensive tools such as Bluetooth sniffers (as an app on smartphones or on Raspberry Pis), which can also be used in mobile environments. Since the implementation of the GAP approach is not yet available to the broader scientific community, the research team constructed the attacks based on previously published specifications. The results show that with the help of strategically placed sensors in a certain area, the movements of infected persons, simulated by test subjects in their experiments, could be reconstructed in detail. It was possible to identify sensitive places the test subjects visited as well as possible social relationships between them.
The vulnerability of GAP to so-called relay or wormhole attacks also reveals weaknesses. This attack enables an attacker to collect the Bluetooth IDs generated by contact tracing apps, and to pass them on to more distant locations without being noticed. Among other things, Bluetooth IDs were successfully transmitted between two cities 40 kilometres apart. This could allow an attacker to compromise the contact tracing system as a whole by falsely duplicating information about the presence of infected persons in many locations, which could result in a significant increase in false alarms about the potential contacts with infected persons.
Overall, the research team sees urgent need for improvement in the approach proposed by Google and Apple for contact tracing apps.
A detailed description of the experiments and their results can be found in the full study report.
As of today, a new version 1.8 Beta of the TraceCORONA app is available for download. This updated app version contains several improvements:
- Multilingual app: English and German UI
- Improvements in Bluetooth communication
- Improvements in usability and user interface
You can download the new app version here:
We would be happy if you would take the time to test the app. Instructions on what you can test can be found here.
We would also appreciate any feedback on the app. The best way to send us your feedback is via the user feedback form.
The Australian Covidsafe contact tracing app has been in use for roughly a month but is now facing criticism according to this news article by The Guardian. The app is following a centralised tracing approach and collects extensive information about their users (for a comparison of tracing approaches in different countries, please see here).
The app was initially marketed by the Australian government as a key requirement for being able to lift social distancing measures. However, according to the article, only one case of successful contact tracing has been attributed to the Covidsafe app so far, in spite of millions of users downloading the app. The justification for performing extensive data collection of such a large user base and the associated significant risks to their privacy seems therefore insufficient in view of the actual benefits the app can provide. In general, tracing apps should be seen as an important complementary measure to increase the coverage of manual contact tracing, but not as the main solution.
Another aspect is that it is not sufficient that users just download the app. They must be willing to actively use it. If using the app is perceived as invading user privacy, many users will simply not use it. As the article discusses, changing the privacy solution of the app later on will be very difficult. It is therefore better to select a decentralised and anonymous tracing solution from the beginning on.
As discussed in the previous blog post, the tracing process should be based on distributed contact verification. In this context, the three most notable tracing concepts proposed so far are the API proposed by Apple and Google, the Swiss-led DP-3T project proposal, and TraceCORONA developed by the Technische Universität Darmstadt, which I represent.
Of these, Apple’s and Google’s proposal is the weakest in terms of privacy properties, as it requires infected individuals to publish all Bluetooth proximity identifiers they have used during the days they may have been infectious to all devices participating in the system. It is thus possible for all applications and entities involved in the system to potentially track the movements (and thus de-anonymise) any infected persons during these days.
The Swiss-led DP-3T project’s design 2 provides better protection for infected individuals, as the local identifiers used by the infected person are only revealed to the background system in this model. Therefore, other users of the system will not be able to misuse proximity identifiers of users for tracking their movements. However, in the DP-3T design 2, it is possible to track infected persons by (mis)using the data stored in the backend system, as all proximity identifiers revealed by infected persons are known to the backend system.
Unlike almost all other proposed tracing models, the TraceCORONA tracing model is not based on frequently changing pseudonymous proximity identifiers, but on strong cryptographic Encounter Tokens that are unique to each encounter between two users. The cryptographic features of encounter tokens are such that even having unauthorised access to information in the backend system, the Encounter Token cannot be associated with the proximity data that devices beacon out via Bluetooth and may be collected with Bluetooth sensors. For this reason, identification of a contact is only possible for the actual devices that were involved in the contact and tracking of infected users is thus not possible even using backend system information. A comparison of the features of TraceCORONA and a detailed comparison with other major tracing application models is available here.
The biggest risks associated with contact tracing apps are related to the potential misuse of the information they collect. Compared to many other types of applications, an app for contact tracking inevitably collects an exceptionally large amount of sensitive information about the contacts and relationships between individual users in great detail. In addition, for a mobile application to be effective for its intended purpose, as many citizens as possible should voluntarily install the app and actively use it. Due to this, the system related to the monitoring application will collect a lot of information about the mutual contacts of people – considerably more than any other system currently used by authorities! It is clear, therefore, that the implementation of the system and the monitoring application must be designed such that effective contact tracing can be achieved, while minimizing the exposure of privacy-sensitive user data.
Centralized tracing models, such as, e.g., The TraceTogether solution used in Singapore or the CovidSafe application used in Australia, as well as the PEPP-PT model developed in Germany, do not provide adequate privacy protection for their users in this regard.
These systems are based on an approach in which a centralized back-end system assigns a unique identifier (a pseudonym) to each user’s application, from which frequently-changing pseudonymous proximity identifiers are derived and broadcast over Bluetooth to other nearby devices. The weakness of this approach is that the backend system is able to associate all proximity identifiers of all users with the unique pseudonym of each user. This in turn enables comprehensive monitoring of all users of the system.
By recording proximity identifiers observed by Bluetooth sensors in a number of strategically placed observation points in a given area (e.g. in a particular city), it is possible to track the movements of individual users between observation points and thus collect very detailed movement profiles of individual users.
Although the system does not explicitly collect or record the true identities of individual users, movement profiles based on pseudonymous tracing data make it possible to identify a large fraction of users with high probability. This is mainly because movement profiles are very distinctive. For example, using only the locations of home (main location during the night) and the workplace (main location during the day) make it possible to identify a very large proportion of people unambiguously. Also other possibilities for de-anonymisation have been proposed: for example, it is conceivable that by placing a Bluetooth sensor close to a camera system with facial recognition ability, it is in principle possible to directly associate the proximity identifier beaconed over Bluetooth and thereby the pseudonym used by the system with an identifiable person and thus entirely de-anonymise the person in question.
For reasons mentioned above, contact tracing apps should be based on decentralized identification of contacts. In this model, the backend system does not have information about proximity identifiers of users and is therefore unable to associate them with individual users. Indeed, due to the fundamental problems with the centralized tracing model, the Federal Government of Germany decided to abandon the approach of the PEPP-PT consortium, which it initially supported, and has set clear criteria for the German Coronavirus surveillance application to be based on decentralized contact tracing.
We have now added an overview of currently deployed and proposed COVID-19 tracing solutions in selected countries. We will keep updating this list, time permitting. Please feel free to provide further information / links to other solutions to include in this overview comparison.
Contact tracing using apps like TraceCORONA is only one part in the puzzle of encountering a disease like COVID-19. It is also important that authorities and policymakers receive timely and representative information about the societal impacts of COVID-19 and its perceptionst in the general population.
A very interesting project in this regard is the Covid19 Impact Survey conducted by our colleagues from Spain. It consists of an on-line survey comprising 25 concise and easy-to-answer questions that can help the researchers to obtain important information about how the disease impacts the life of people in different countries and how people perceive it.
We have performed an extensive analysis of existing and proposed contact tracing approaches in particular with regard to their anonymity and privacy properties. Please see here for a summary of our findings.
A high-level description of the technical approach taken in the anonymous and distributed tracing approach of TraceCORONA including a comparison with a number of prominent proposals or implemented systems for contact tracing is now available.