Why Should We Install the Coronalert Contact Tracing App?

Page created by Jack Burke
 
Olivier Pereira∗
UCLouvain – Crypto Group

September 1, 2020

1 Introduction
This text is proposed as a reply to the consultation initiated by the Belgian Interfederal working
group in charge of the development of the Coronalert contact-tracing app during the August 5-31
2020 time period.1
    This text focuses on Question 3 of the consultation: “How can we increase trust and better
understanding of the general population in the app?”. Here, I argue that an important element
would be to offer explanations that can at least convince the experts that the app’s benefits exceed
its drawbacks if it is used now, in Belgium. During the last few months, an abundance of discordant
and competing statements were made by experts, often with equally convincing credentials [20,
21, 19]. It is certainly very difficult to generate a general sense of trust and adhesion in such
circumstances. I propose some elements that would help move in that direction.
    The main focus of this document is on security and privacy aspects. Even though these aspects
are a part of the picture, I certainly do not want to suggest that they are the only ones that matter:
they simply are my area of expertise.

2 Why should we trust a contact tracing app?
The promise of contact tracing apps. Contact tracing apps offer the perspective of improving
and speeding up the information given to individuals who have been exposed to someone who has
tested positive for SARS-CoV-2 [10]. Apps can keep track of contacts between persons who do not
know each other, and therefore enable notification in cases where human tracing based on human
memory would be ineffective. Besides, automating the notification process with an app could enable
faster notification, making it possible for an exposed person to isolate more quickly, hence limiting
the risks of further contamination. These expected benefits clearly support the development and
deployment of contact tracing apps.
    But these expected benefits do not come for free, and technical compromises need to be made
in order to realize a contact tracing app. If we accept the idea that a contact tracing app is useful
in Belgium, then we share the view that adopting the Google/Apple Exposure Notification API, as
it is proposed for the Coronalert app, is the best possible choice for Belgium and for the moment.
We also fully support the choice of disclosing the source code of the future Coronalert app.
     But this does not mean that we believe that adopting such an app is an innocuous decision. By
pointing out, below, some of the main difficulties that these apps raise in terms of privacy and other
risks that they create for our freedoms, all issues that have been well documented, we are calling
for strong evidence that contact tracing apps are as useful as hoped for. As of now, and despite
several months of usage in many countries, we feel that such evidence remains lacking. However,
we believe that such evidence would be necessary to foster trust and adherence to Coronalert, and
to justify the use of arguments based on public health to support the erosion of other important
aspects of our lives.

    ∗ I would like to thank François-Xavier Standaert and Vanessa Teague for their interesting feedback and suggestions.
    1 See https://www.esat.kuleuven.be/cosic/sites/corona-app/

Contact tracing apps have an impact on privacy. The Coronalert tracing app, like most
of the tracing apps that have been deployed during the last months, will rely on Bluetooth Low
Energy (BLE) communication. BLE technology has a long history of being used as a tracking
mechanism: BLE beacons are routinely deployed in airports, supermarkets, festivals, ... in order
to monitor people’s movements [16]. This is recognized in the Android security architecture: on
phones running Android 6.0 and above, the device location setting needs to be turned on for all apps
in order to use BLE, as needed by the Exposure Notifications System on which Coronalert relies [13].
    This illustrates that, even when contact tracing apps have been designed in order to preserve
privacy as much as possible, their use of BLE still creates vectors for tracking people’s movement,
including through the use of beacons that are already routinely deployed in other contexts.2 And
this tracking technology is now associated with medical data, rather than with advertisements or
attendance statistics, which many may perceive as more innocuous. Many of the difficulties that are
raised by the use of contact tracing apps have been detailed in the literature (see [1, 26, 23] for
instance), and most of these will be present even if the Coronalert app is perfectly implemented
according to its specification.
    The security question is of course also broader than “just” the contact tracing app. Using the
Coronalert app will require:

       • activating BLE, which opens a vector for remote attack (see [4], for instance), while people
         may keep their Bluetooth signal off otherwise;

       • trusting iOS or Google Play, which are closed-source software systems. This is a step that,
         as far as we know, was never required before as a preliminary for interacting with Belgian
         public services.

Contact tracing apps have bugs. In practice, we must expect that the situation will be worse
than the one resulting from the risk analysis that is made based on the app specification: just like
any complex software, contact tracing apps have bugs, and it is natural to expect that these bugs
will be more numerous given the time constraints of the app development. Here are just a few
examples:3
   2 We are not suggesting that BLE is a bad choice: it is arguably the least problematic one. But it does not mean that it is harmless.
   3 More of them are discussed in [22] for instance. These bugs are impacting apps based on very different protocols (centralized or decentralized, ...) and using different development strategies (more or less open source, ...): we do not see any approach as being immune to bugs.

   • A number of privacy, security, functionality and usability issues have been detailed in the
     COVIDSafe app used in Australia [17].

   • The French National Commission on Informatics and Liberty (CNIL) confirmed several
     security and privacy issues pointed out in the StopCovid app used in France, and publicly summoned
     the Health department to address them [7].

   • The public git repositories of the Corona Warn App used in Germany show, as of August 29,
     2020, 51 open bugs on the Android version [8], and 28 open bugs on the iOS version [9].

   • The Cocoa app used in Japan has been suspended at least two times as a consequence of
     bugs [25, 24].

   • Security issues have been disclosed and fixed in the SwissCovid app used in Switzerland [18].

    It is obviously impossible to evaluate the impact of the bugs that will be found in the future
Coronalert app. But it is also illusory to imagine that there won’t be any such bugs.
    Besides, the impact of these bugs can go well beyond those considered in the previous section.
For instance, as a result of an erroneous exposure notification, a responsible user
would feel compelled to enter quarantine, causing risks of psychological distress, economic losses,
or failure of an academic year [29]. They can also have a negative impact on other methods used
to contain the Covid disease: they can for instance create saturation of testing or human tracking
centers.

Contact tracing apps offer a limited level of scrutiny. Several countries, including Belgium,
decided to publish or already published the code of their tracing app. This is certainly an excellent
practice in order to increase trust and improve code quality. Rewarding bug disclosure, through
public acknowledgment and/or financial incentives for instance, is also an established practice that
can make such code review programs more effective – there is little benefit to publishing code if
nobody reviews it.
    However, this transparency effort is limited by external factors: Belgium, just as many other
countries, relies on the Apple/Google Exposure Notification System, and this system, which
contains the core of the contact tracing protocol, is only partially public and/or published in an
outdated version. For instance, Google only provides “snippets of code that show how the
Exposure Notifications API works inside the Google Play services layer” [14], while the code released by
Apple has not been updated since July 21, 2020 (as a point of comparison, more than 300 changes
were committed during the month of August to the iOS version of the German Corona Warn app).
As a result, we still need to place much trust in Apple and Google.

So, it is a matter of proportionality. The points discussed above show that the benefits that
are expected from contact tracing apps come with an erosion of our privacy, and that the bugs and
limited level of scrutiny that they offer can also have an important impact on our lives, e.g., by
unduly prompting users to quarantine.
    These negative effects may be accepted if it is possible to establish that they are compensated
by high-enough benefits.
    Those benefits were of course impossible to measure as long as contact tracing apps were not
deployed. But we are not there anymore: the Covid Tracing Tracker counted 42 tracing apps
deployed at the end of July [2]. As discussed above, the privacy risks and, for the apps that opened
their code to review, the bugs, are well documented. However, the impact of these apps remains
difficult to assess [6] and is sometimes described as being very limited:

   • In Australia, after six weeks of deployment and more than 6 million COVIDsafe app
     downloads, the app still failed to identify a single otherwise unidentified contact [3] (though the
     number of infected persons was also quite low during that period). After 3 months, two
     people identified by the COVIDsafe app had tested positive [12].

   • In France, after 10 weeks of deployment and 2.3 million StopCovid app downloads, 72
     exposure notifications were sent [27]. (We do not know how many of them were sent to people
     who were unaware of their exposure to the virus and resulted in positive tests.) On August
     26, France’s prime minister Jean Castex stated that StopCovid did not deliver the results
     that were hoped for [5].

   • In Norway, after 2 months of deployment and more than 1.5 million Smittestopp app
     downloads, the usage of the app was suspended and all the collected data erased, based on the
     argument that the benefits of the apps were not proportional to the associated privacy
     encroachment [11].

In various places, governments did not adopt tracing apps, including in California, home of Apple
and Google, and in the state of New York, which was one of the most impacted by the crisis [28].
    Still, it appears that a key ingredient that would support the deployment and continued usage
of a contact tracing app like Coronalert would be the publication of metrics demonstrating its
effectiveness. The proportionality of contact tracing apps should be assessed on a regular basis
based on such a metric and it should exhibit significant gains over the ongoing testing efforts.
    One possible metric could be the number of cases that are identified in asymptomatic persons
who are not already aware that they have been in close contact with an infected person and would
not have been tested otherwise: these cases would show the benefits of the app.
    This quantity seems hard to measure in an automated way: it seems difficult to assess, without
interacting with people, whether they are requesting to be tested only because they have been
informed of a risky contact by their contact tracing app. But this information might be easy to
collect voluntarily, e.g., when people are getting tested.
    Once these benefits are known, they can be put in balance with the corresponding risks, and
compared in terms of cost and effectiveness with other strategies that are available and could be
substituted. For instance, one could compare the cost associated with a contact tracing app, and the
effect that would be obtained by devoting the same amount of resources to an increased testing
strategy.
    This would not account for the privacy losses and other risks associated with the app, but these
can be partially taken into account by actively guaranteeing the free and informed consent of the
user, and by a careful design.

A contact tracing app cannot be successful if it is deployed in isolation. Apart from
the questions discussed above, which focus on contact tracing apps taken in isolation, we observe
that the success of a contact tracing app also depends on many aspects that go well beyond
the sole design and communication around the app: a contact tracing app can only be successful
in conjunction with other measures [15], which is very different from hand washing, for instance,
which offers benefits on its own, independently of other measures. For instance:

   • If testing resources are limited, or if the testing process is stressful, or if test results cannot
     be obtained fast enough, then the benefits of a contact tracing app will be strongly limited.

   • If the psychological and economic impact of quarantine is not sufficiently supported, then
     people will just reject the app in order to minimize the risks of being requested to
     quarantine [29].

     As a result, we believe that the presentation of a contact tracing app can only be convincing if
it is placed within an ecosystem of other measures. There is no reason to install even a perfect app
if the surrounding ecosystem does not support it.

References
 [1] Le traçage anonyme, dangereux oxymore. https://risques-tracage.fr/, Apr. 2020.

 [2] P. H. O. Tate Ryan-Mosley Bobbie Johnson. A flood of coronavirus apps are tracking us.
     now it’s time to keep track of them. MIT Technology Review, May 2020.
     https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/ –
     Checked on July 4, 2020.

 [3] A. Bogle. COVIDSafe has been downloaded by millions, but yet to identify contacts
     (and authorities say that’s a good thing). ABC Science, June 11, 2020,
     https://www.abc.net.au/news/science/2020-06-11/coronavirus-contact-tracing-app-covid-safe-no-close-contacts/12343138.

 [4] G. Camurati, A. Francillon, and F. Standaert. Understanding screaming channels: From a
     detailed analysis to improved attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2020(3):358–401,
     2020.

 [5] J. Castex. Jean castex : plan de relance le 3 septembre, 550 emplois pour
     la justice, 2 milliards à la culture. France Inter, Grand Entretien, Aug. 26, 2020,
     https://www.franceinter.fr/emissions/l-invite-de-8h20-le-grand-entretien/l-invite-de-8h20-le-grand-entretien-26-aout-2020.

 [6] R. Cellan-Jones and L. Kelion. Coronavirus: The great contact-tracing apps mystery. BBC
     News, July 21, 2020, https://www.bbc.com/news/technology-53485569.

 [7] CNIL. Application “StopCovid” : la CNIL tire les conséquences de ses contrôles.
     https://www.cnil.fr/fr/application-stopcovid-la-cnil-tire-les-consequences-de-ses-controles,
     July 2020.

 [8] Corona-Warn-App. cwa-app-android git repository.
     https://github.com/corona-warn-app/cwa-app-android/issues, Aug. 2020.

 [9] Corona-Warn-App. cwa-app-ios git repository.
     https://github.com/corona-warn-app/cwa-app-ios/issues, Aug. 2020.

[10] L. Ferretti, C. Wymant, M. Kendall, L. Zhao, A. Nurtay, L. Abeler-Dörner, M. Parker, D. Bonsall,
     and C. Fraser. Quantifying sars-cov-2 transmission suggests epidemic control with digital
     contact tracing. Science, 368(6491), 2020.

[11] FOLKEHELSEINSTITUTTET. Midlertidig stans av appen smittestopp.
     https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/midlertidig-stans-av-appen-smittestopp/,
     June 2020.

[12] A. Godfrey. COVIDsafe app actually found NSW coronavirus cases. 7News, Aug 2, 2020,
     https://7news.com.au/news/public-health/covid-safe-app-actually-found-nsw-coronavirus-cases-c-1210745.

[13] Google. About the exposure notifications system and android location settings.
     https://support.google.com/android/answer/9930236, 2020.

[14] Google. Google play services snippets.
     https://developers.google.com/android/exposure-notifications/play-services-snippets, 2020.

[15] A. Gosseries and O. Pereira. Quelle évaluation éthique des applications de traçage du covid-19?
     Raison Publique, June 27, 2020, https://raison-publique.fr/42/.

[16] M. Kwet. In stores, secret surveillance tracks your every move. The New York Times, June 14,
     2019. https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html.

[17] J. Mussared and V. Teague. COVIDSafe issues found by the tech community.
     https://github.com/vteague/contactTracing/, Aug. 2020.

[18] National Cyber Security Centre NCSC. Current reports on the swisscovid proximity tracing
     system. https://www.melani.admin.ch/melani/en/home/public-security-test/current findings.html,
     July 2020.

[19] P.-F. Laterre et al. Lettre ouverte à nos responsables politiques : Il est urgent de revoir
     totalement la gestion de la crise Covid-19. La Libre, Aug 28, 2020,
     https://www.lalibre.be/debats/opinions/lettre-ouverte-a-nos-responsables-politiques-il-est-urgent-de-revoir-totalement-la-gestion-de-la-crise-covid-19-5f467dfe7b50a677fb2b0d77.

[20] D. Rodenstein. On confond pandémie avec menace mortelle. Le Vif, July 29, 2020,
     https://www.levif.be/actualite/international/on-confond-pandemie-avec-menace-mortelle-carte-blanche/article-opinion-1315021.html.

[21] O. Servais and F. Gemenne. Crise de la covid-19: la tyrannie du risque zéro. Le Soir, Aug. 15,
     2020, https://plus.lesoir.be/318833/article/2020-08-15/crise-de-la-covid-19-la-tyrannie-du-risque-zero.

[22] N. Singer. Virus-tracing apps are rife with problems. governments are rushing to fix them.
     New York Times, July 8, 2020, https://www.nytimes.com/2020/07/08/technology/virus-tracing-apps-privacy.html.

[23] The DP-3T Project. Privacy and security risk evaluation of digital proximity tracing systems.
     https://github.com/DP-3T/documents/blob/master/Security%20analysis/Privacy%20and%20Security%20Attacks%20on%20Digital%20Proximity%20Tracing%20Systems.pdf,
     Apr. 2020.

[24] The Japan Times, July 11, 2020. Japan’s contact-tracing app suspended again to fix input
     glitch preventing alerts. https://www.japantimes.co.jp/news/2020/07/11/national/japans-contact-tracing-app-glitch/.

[25] The Japan Times, June 23, 2020. Bugs force health ministry to halt japan’s virus
     contact-tracing app. https://www.japantimes.co.jp/news/2020/06/23/national/bugs-japan-virus-contact-tracing-app/.

[26] S. Vaudenay. Centralized or decentralized? The contact tracing dilemma. Cryptology ePrint
     Archive, Report 2020/531, 2020. https://eprint.iacr.org/2020/531.

[27] M. Vigreux. Covid-19: “StopCovid, c’est un caprice technologique”. Public Senat, Aug. 24,
     2020, https://www.publicsenat.fr/article/debat/covid-19-stopcovid-c-est-un-caprice-technologique-184168.

[28] F. Vogelstein and W. Knight. Health officials say ’no thanks’ to contact-tracing tech. Wired,
     May 5, 2020, https://www.wired.com/story/health-officials-no-thanks-contact-tracing-tech/.

[29] L. von Beust. Les étudiants malades ou en quarantaine devront redoubler. 20 minutes, Aug
     4, 2020, https://www.20min.ch/fr/story/les-etudiants-malades-ou-en-quarantaine-devront-redoubler-667846945227.