Contact tracing is a key strategy for preventing the spread of COVID-19, and smartphone-assisted contact tracing automates a laborious process. But contact tracing technologies face criticism from privacy advocates concerned about the potential for abuse. F-Secure privacy expert and global technical director Tomi Tuominen argues that the issue is a process problem, not a technology problem. In Episode 40 of Cyber Security Sauna, Janne speaks with Tomi about contact tracing and how apps that are respectful of privacy should work.
Janne Kauhanen: Welcome to the show, T.
Tomi Tuominen: Thanks.
First of all, there’s different kinds of contact tracing apps out there. The way they work and how they store user data can differ a lot and affects the impact on privacy. So let’s start by breaking down these main differences. Can you explain the concept of location-based versus proximity-based?
First of all, all the apps that are considered to be true contact tracing apps are not based on location. And the reason is location-based, meaning GPS and Wi-Fi-based detection, or location tracking, doesn’t really work for this use case.
These contact tracing concepts could be roughly categorized in three different buckets, the first one being centralized, which is an initiative called PEPP-PT, Pan-European Privacy-Preserving Proximity Tracing. There the idea is that there is a centralized repository where you collect all this beacon data or tracing data.
Then you have a strongly distributed system, it’s called DP-3T, Decentralized Privacy-Preserving Proximity Tracing, where the idea is that basically the only place that has the information whether you have been in contact with somebody who has in this case COVID, your device is the only place where that information is stored.
And then you have this Apple Google contact tracing project, which is essentially a bag full of Legos. So it offers you tools that could be basically used for distributed models. So in reality, most probably the solutions that we’re going to see will be using mostly the distributed model. But there has to be some sort of centralized element as well. Because the needs of healthcare professionals differ from the needs of individuals.
Yeah, okay. So talking about those different approaches into contact tracing, what’s the consensus? Like, how does this work?
There seems to be a pretty common understanding or approach to this. So the idea is that we’re going to be using some sort of radio transmission to measure if two people are close enough to each other. So in this case, most probably that technology will be Bluetooth beacons. And the idea is that if I meet you, and we are let’s say, within three meters of each other, for maybe ten, fifteen minutes, then both of our devices will record that one-time token that we actually met. And that token is randomized. So the next guy I’m going to be meeting with, most probably is going to have a different token.
So it’s something called a privacy-preserving token. And at that point, it’s only stored locally on your device. So at that point, nobody else gets it. If later on there is a need, that either I get infected, or you get infected, then the story changes. So then there has to be a mechanism that allows us to tell each other that the other one has been infected. And of course in that case the message has to go both ways. Because I have to be able to inform you, and you have to be able to inform me.
So that’s also where the centralized storage comes into the picture, because you need to have a register of how you can actually connect those randomized tokens to real human beings.
To connect them to what exactly? Like are we talking about contact information, am I going to get a phone call, or just connect them to my individual app through some unique identifier, and I’ll get an alert in the app?
That’s a very good question. And this is basically what I meant when I said originally that this is a process problem. Yes, you need technology to solve this. But essentially – let’s play this game for a second, that I’ve been infected. I go to the local healthcare provider and they test me. And when I’m positive, there has to be a way for that healthcare provider to inform those people who’ve been in close proximity within the past 14 days, which is the time that those tokens get stored. But at that point they only know my identity.
And that’s what I meant by saying that this is a process problem. That the tokens used can be as randomized and as privacy-preserving as possible. But there has to be a way the healthcare professionals can be in touch with real human beings. So that remains to be seen.
Most probably that’s going to be solved on a national level, and it’s going to be more of a reflection of the current governmental model in each and every specific country. An application-level problem.
Yeah, and I guess we can’t necessarily count on your cooperation in that situation. Not everybody wants to alert everyone else that they’ve been diagnosed positive.
That’s a very good question. At least in Finland, there seems to be a very strong consensus that this will always be on an opt-in basis. And I think that it will be a blessing and a curse at the same time. Yes, we get to keep our rights, but at the same time, unless we get enough people to use this application, it’s going to be pretty much useless.
But isn’t there a give and take? You can opt in, you can choose whether or not to install this app. But once you do, these are the rules, this is the cost. Being able to get the alerts, the cost of that is having to give them out as well.
I find this whole discussion pretty funny. At the same time people are posting whatever to Facebook, Instagram, LinkedIn, Snapchat, TikTok, whatever depending on your age. And now people are like, “Yeah, I’m not going to be installing that application.”
This is most probably going to be the most scrutinized, most researched application ever on the planet. And there also seems to be a very solid common ground there that this has to be open source, meaning that all the people who have the skills can actually look at the source code and see how it works.
Also, one thing we’re noting is that Apple and Google, in my book, I think they did something really sensible. They have said from the beginning that each country can have a single application on their app store that will have these special rights, and even then it’s going to be opt-in. This is actually a very smart move, because essentially it means that there’s going to be only one official application per country, which means that it’s going to be easier to vet these applications and see that they actually do what they are promising to do.
Fair enough. So are there any other principles that are being tossed around in the discussion that you would definitely see in any sort of real and responsible contact tracing app?
Well, essentially this is some sort of like, limited surveillance, right? So first of all it has to be lawful, it has to be necessary, and proportionate.
So in this case I personally interpret that there is this pandemic that we’re trying to tackle, and that’s the use case for this. I’m not a big fan, like currently Estonia and a few other countries, they are playing with this idea that this would basically be sort of a hive mind type of system where you can alert the public transportation agencies and whatnot on this. I’m strongly against that. Because this is a difficult problem to solve, even in this limited use case. And if you add more players to the picture, it’s going to be extremely complicated.
And also, all sort of extensions to this monitoring and surveillance, they need to have some sort of sunset clause. This is a limited time period where you can do this. I’m not a fan of giving this right from here to eternity to these players. And this is not a mistrust. It’s a different thing. I just think that it has to be limited somehow, that there is a beginning and there is an end. Otherwise we’re going to end up in a situation where we give up our basic rights until the sun dies down.
Right. But for example, we’re now talking about a system that will store my data for 14 days, and it’s on my phone so I can install it and uninstall it whenever I want, so isn’t that enough of a sunset? 14 days after I uninstall it, my data’s gone.
Actually, once you uninstall it’s gone immediately.
Oh, okay, so even better.
So it’s even better. That 14 days is the maximum amount of time that your device will store it, assuming that the model is a distributed one.
So that would be good enough for you.
I personally think that we have way bigger risks than this application.
I mean, if you look at the big picture – I’m a pragmatic guy. So I think that even having an application on your phone that checks the local weather, there have been cases where the weather providers have been selling that location data to third parties. And that’s not something that you would expect from your weather application on your phone. And that’s the thing.
First of all, I personally think that Apple and Google are exactly the right players to do this, because those guys know how to do it properly, they have the proper resources to do that. And also from a more pragmatic standpoint, those guys pretty much share the market when it comes to smartphones and other phone-like devices. And if we are expecting this thing to ever work, this is the cooperation that is needed. And they’ve been very transparent and open about it.
And like I said earlier, the national solutions will most probably be open sourced. And I think that actually offers the transparency that we need for these kinds of use cases. I’m not really worried about this.
The exposure API, or the tracing APIs that currently are in the works, they basically just tell that okay, these two devices were within a three-meter radius for ten or fifteen minutes, and on that specific day. That’s the only information that gets stored. Of course, you can most probably enhance or enrich this data, but that’s it in a nutshell, that it gets stored. And I think that we usually share much more than that about our private lives. And that’s the reason why I’m not that worried.
Also one thing that is worth noting is that unless you or somebody in your contact circles gets infected, that data will never be transmitted anywhere.
Okay, so let’s talk about the whole concept of contact as it relates to these applications. For example, how far does Bluetooth penetrate? And would we be using that whole range, or sort of limiting it within the – I don’t know, ten meters that Bluetooth penetrates through structures, we’re only thinking about the first three meters?
Assuming I’ve understood it correctly, they are basically measuring the amount of energy that the Bluetooth chip draws. So they are capping that, and unless you have an external antenna, it’s kind of well understood how long the Bluetooth signal will carry. Of course it gets impacted by walls and metal structures and whatnot, but I guess you can get some sensible averages from there.
And as far as I’ve understood, this is something that Singapore did already ten years ago. They started making these normalized measurements of how different Bluetooth chips operate. And they were able to build this baseline that they gave out for free so that people know that okay, if my Bluetooth chip is drawing this amount of energy, or voltage, it means that this other person was within two or three meters. And that’s of course super valuable in this case.
So I think that on average, that data will be reasonably trustworthy. I mean, the question I hear people asking is that okay, if I’m sitting in a room next to this guy, will the system still mark as being –
Yeah, like with a wall between us. Or in the next car over.
Yes, exactly. So the short answer is yes, we’re going to have some false positives. But at least when you get to see the date, you know if you’ve been in touch with anybody on that day, or if you were just sitting in your car.
And this of course brings us to this question that okay, if I know this is a false positive, as an individual, do I have a chance to send that information upstream? Like, is there somebody I can notify? But I guess in the bigger picture, those are going to be outliers. We’re going to be pretty well off in that regard. I’m not too worried about that.
Well, let’s talk about the kind of information being shared. What do you think the level of detail would be? Like, I was in contact with a sick person on Tuesday, or I was in contact with a sick person at 9:30 on Tuesday?
Most probably, there’s going to be national differences on this one. The Apple/Google API, as far as I know, is only sharing the date, and that’s it.
Okay. So you can’t get more granular than that, even if you don’t want to.
This is a good question. As a healthcare professional, it might be very beneficial. And there is most probably going to be some sort of discussion that’s going to happen, that okay, this is what we get, but this is not what we need. And depending on who you ask, you’re going to get a different answer.
Yeah, but like, if everyone’s limiting their contacts, the number of people you come into contact with in a day should be fairly limited in the first place.
Well yeah, and there are exceptions. Like if you’re in a bus or tram or underground or whatever, then of course it’s a very different ballgame.
Yeah. You were already talking about some of the different governments and regions taking their approach into this. Are we seeing a difference, because certain nations have more of a privacy approach than maybe some other ones, so are we seeing a division along those lines? Are the more privacy oriented nations taking better steps, or?
Many of the nations have already now changed their opinions, Germany being a prime example of that. Originally they were like, “We’re going to build this ourselves.” And then when Apple and Google came out with their solution, they completely changed their opinion. Originally Germany was planning on doing a centralized solution. And then when the Apple/Google coalition came out, they said “Okay, this distributed model actually looks better,” and they went for that.
This seems to be a very political decision in many ways, and it doesn’t seem to follow EU borders or even continents. So different places have solved this very differently.
Is there anywhere where you particularly like the approach that they’ve taken?
In this case the devil is always in the details. Nobody has a fully working solution yet. There are some very good initiatives around this. In Finland we are piloting it currently. But it really depends how the whole chain is actually implemented. Like how the healthcare professionals are activating the notifications, who does the testing, who is authorized to notify people, and so on. There are so many things that could go wrong.
The application can be top notch, the whole ecosystem can be pure gold, but if the healthcare professionals are then doing something completely different than expected, it’s going to ruin the fun for everybody. I’m not expecting that to happen. All I’m saying is that currently I think everybody’s doing things that they think are the right ones.
I mean, if you look at Sweden, they have had a completely different approach to this whole COVID thing, as opposed to Finland for example, and nobody knows if their approach has been better. After a few years we’re going to see if their approach was a good move or not. Now everybody’s just looking at the statistics, and this is horrible and this is good and so on. But we’re going to see after a few years which approach was the best one.
Absolutely. Getting back to the apps themselves, researchers are saying we’d need coverage of about 60% of the population installing one of these apps to get actual effective results. Is there a value in these apps even if we don’t get up to that number?
That’s a very good question. That’s actually one of the things I’ve been mostly worried about, because this is simple math. I mean, if you have more people using the apps, the more beneficial it will be.
Exactly. And I’m actually quite worried that we’re investing huge amounts of time and money to do this, and then nobody’s ever going to use it. So I think at the end of the day, it’s not a binary operation. I mean, even if you have a few people using the app, most probably it’s better than zero people using the app. But that’s a real threat to this project, I think.
What about the human side of this? Is there anything we can do in the app to help take care of people when they get the notification that they’ve been near someone with the symptoms? For example, there was a woman in the UK who was disappointed that when she got notified she’d been near someone with COVID-19, it only gave her general advice like “wash your hands” and stuff like that. And she was like, “I’m already exposed, what should I do now?”
That’s going to be probably very nation-specific. So what’s important to know is even now the latest iOS 13.5 that comes with the contact tracing API built in – it’s an opt-in, you have to enable it, and for example for Finland it doesn’t even work, you cannot enable it at the moment. But even with that, it’s just a bag of Legos. It offers you building blocks, and the national application needs to decide how and what will be done. There has to be a process built around it. The application itself most probably will be very simple, with a very simple UI, but the process around it will differ significantly.
So maybe the app will guide you to an external resource that you then go to and get more information.
Or… I mean, the whole contact tracing thing is just one piece in the puzzle. Some countries are doing a lot more testing than others. Some are using masks extensively. Some other countries are doing more self-isolation than others. So it really depends. You have to have a holistic view of this, where the application is just one part of the equation. And I think that the instructions will also reflect the state of the general medical health care system that you have. So yeah, your mileage may vary.
Yep. So as a hacker, you’re always thinking about how to break things and how to abuse things. What sort of abuse scenarios do you see for a contact tracing app? What are people going to do to abuse this app?
Like already discussed, there’s going to be significant differences depending on which country you are in. But I’m not really that worried about traditional vulnerabilities or exploits targeting these things, because they’re going to be extremely well scrutinized. Most probably one of the most safe and secure applications on the planet, to be honest. But I’m worried about the possible privacy impact, especially the process built around it.
Like what if a government official abuses the power that they have? For example, the healthcare providers can mark a specific person as having been infected, and then use that information somehow. I think there have to be safeguards against this type of abuse, and as a citizen I need to be able to inform the governmental body that I think that my rights have been violated. And there has to be somebody there who is able to process that complaint.
This is the same thing with all the controls that are somehow impacting our privacy or our basic rights. That if there is governmental censorship or any sort of thing, there has to be a process around it where people can report possible abuse. It doesn’t have to be automated. I mean, I’m actually a bit against the fact that there would be a box on the application that you could just tick for “I think I’ve been abused” or “My data has been abused.” But I think there has to be some sort of process to make sure that if there is an abuse of rights or abuse of power, there has to be a way to report that.
Makes sense. So I guess the final question is, would you install an app like this? Well, like the one we’re developing in Finland?
Actually, I would. Because I think that we are fighting a global pandemic, and any solution that will help us as a society or as a country is worth trying for. Well, maybe not everything, but I think we have a reasonably solid foundation for this. And I think that even if it just helps us a bit, it’s worth it.
Well, on that note, I want to thank you for being with us today and helping us make sense of the contact tracing app situation. Thanks, Tomi.
Thanks. It was a pleasure.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.