UPDATED 9 May 2020 to reflect the recent announcements from the UK government around how the proposed contact tracing app will work.
Updated 23 May 2020 to add details of the Google/Apple Contact Tracing/Notification API.
Updated 20 June 2020 to reflect the latest update from the UK government regarding their decisions around their Contact Tracing App. The full details can be seen in UK Coronavirus Contract Tracing Update.
As we progress through the COVID-19 pandemic, governments around the world are looking towards technology to perform contact tracing. While I think this is a necessary activity to allow us to return to some form of normality, there are a number of privacy considerations that have to be observed.
How do you track someone's location
I wrote about this in Protecting your Online Privacy. This article went into the full set of different types of tracking from a perspective of online privacy. In this article I want to focus in on the technology that can be used to specifically track your location and how this might be used in contact tracing apps.
A lot of mobile apps request permission to access your location. The majority of these apps do not require this access to perform their function. If an app is requesting access to these functions then you should ask why and if it doesn’t stack up then deny access or remove the app (probably the best option).
Your location can be tracked on your mobile device apps in many ways:
- Tracking your Location through your Web Activity
- Tracking location through your WiFi router
- Tracking through your cellular connection
- Bluetooth and NFC
- Location Services, including GPS.
Let's look at these in order.
Tracking your Location through your Web Activity
When you connect to a website, various pieces of information are transferred to the website via the HTTPS connection. Some of this can be used to track your location, for example your IP Address.
Some websites also request access to your location. If you grant this permission then they can track you through the various means described in this article.
Google also retains location information by default. If you use an Android phone, Google Maps or other Google apps on another device, then your location is being tracked. This can be switched off and cleared in your Gmail account (another blog in prep).
Tracking location through your WiFi Router
When you connect to a WiFi router its location is known. If it is in your home, then I know you were in the vicinity of your home, and so does your ISP. If you connected to a free WiFi hot spot in a coffee shop, I know where the coffee shop is and therefore I know where you were at a specific time.
As you walk around town, assuming your WiFi is switched on, your phone will attempt to connect to any open WiFi hot spot. As a result, by accessing all the records of the various hot spots I can trace your path through the town. This is particularly easy if these hot spots are all managed by a single entity (e.g. BT, Virgin Media or some third party). As ISPs in the UK, they have to retain all their connection records, and under a court order these can be disclosed to law enforcement.
These records will remain in the ISP’s systems for some time. In that time they are accessible from within the company. If the network was hacked, these connection records can be extracted and sold on the dark web.
Tracking through your cellular connection
As you walk around, your mobile device will attempt to connect to at least one, maybe more, cell towers and select the best one to initiate communications with. Each cell tower will have a known location. Using triangulation techniques, it is possible to determine within maybe a few hundred feet where you are, certainly what area of the neighborhood you are in. The more cell towers involved, the more accurate the location.
These records also have to be kept by the network provider, can be requested by law enforcement and can also be extracted by hackers.
Bluetooth and NFC
Bluetooth can be set to connect to any open Bluetooth connection within range. As a result this is a major source of vulnerabilities, as malware can be installed through the open connection. Bluetooth apps can also exchange information without being prompted. While the Bluetooth connection logs will in all likelihood only exist on the device, we can deduce the mobile device's location from other tracking services and therefore we know exactly where you were and when you connected to another phone.
There are also a lot of beacons deployed in shops these days that broadcast using Bluetooth where you are and can trigger alerts for offers in the store. The location of the store is known, when you pinged off that beacon is also known. This information is often in the hands of marketing companies and therefore vulnerable to attack and misuse.
An open NFC connection would require someone else to be in close proximity to take any information from you, but that is not impossible. From a location tracking perspective, if you use the NFC connection to do a contact-less payment, again we know where the shop is and therefore where and when you were there.
You can also be tracked via your credit card in this way since you have to be present to enter the PIN.
Location Services, including GPS
Your mobile device (phone, laptop, tablet) will have a chip on it that allows you to connect to various Global Positioning Systems (GPS). This is a system of earth-orbiting satellites, transmitting signals continuously towards the earth, that enables the position of a receiving device on or near the earth’s surface to be accurately estimated from the difference in arrival times of the signals. It can be accurate down to a few metres and in military systems down to a few centimeters.
Mapping apps use GPS to provide your position (using a GPS coordinate system) so that you can navigate. As you move that position changes and you can see your position change on your mapping app. GPS can also be used to tell marketing firms where you are so that they can send you offers related to the shops in your immediate area.
This is by far the most accurate way of tracking someone's location.
COVID 19 Contact Tracing Apps
Google and Apple have collaborated to provide a set of services that can be built into specific contact tracing apps. From what I hear this relies on Bluetooth to be switched on. As two devices get close to each other they exchange a secure token that records you were near another person. If that person subsequently reports they were COVID 19 positive in a test, or by self reporting, anyone who exchanged these Bluetooth tokens can be traced and told to self isolate and/or get tested.
This is all well and good, but it requires the Bluetooth v4 Low Energy (BTLE) technology to be installed on the device. A large number (and we are talking billions) of devices do not have BTLE installed and therefore this app is ineffective for them. The only option then is to use another tracing technology (see above). In order to be effective, around 80% of all smartphone users will need to install and authorize the app.
Update: Details of the Google and Apple API can be found at:
Phase 1 of the rollout of this API will allow national health authorities to build apps based on it. The second phase will be to embed these services into Android and iOS, but you will still be asked to enable this service.
Bluetooth is riddled with vulnerabilities and any open connection could leave you wide open to attack. Most phones are not updated regularly so these vulnerabilities won’t get patched.
Other apps have used your Cellular data. We know your phone number and that your phone pings off multiple cell towers and can be traced. This would require extracting the data from the various cellular operators.
In the UK I have heard of a trial by the UK government to extract cellular connection logs to see if this was a viable method of contact tracing. I believe this involved a short period of time and access to O2 connection logs.
There was also a contact tracing app deployed in Israel earlier in 2020 to track COVID 19 instances, and one in China that gave everyone a traffic light Red/Amber/Green status based on their exposure and whether they had tested positive. There is also one in Germany being deployed very soon.
If you visit other countries, whether for business or pleasure, you may be required to submit yourself to being traced for COVID 19 tracking, so this is another thing to be aware of when going abroad once things get back to normal.
UK Contact Tracing App
Update: On 18 June 2020 the UK Government changed their approach to a contact tracing app. This is fully documented in UK Coronavirus Contract Tracing Update.
Update: On 5 May 2020 the UK government announced how their contact tracing app will work, which will be installed from the iOS App Store for iPhones or the Google Play Store for Android phones. You can read a full write up in this BBC News article. The following is a quote from the BBC’s article regarding how it will work:
“It records when two people who have the app are within a certain distance of each other for longer than a specified amount of time. If one of those people later reports having symptoms, all the other app users they came into significant contact with over recent days will be alerted and, if judged necessary, told to self-isolate …
… The “centralised” model of the app – meaning there is a central computer server which works out which phones have matched – has raised some privacy concerns. This is different to the “decentralised” model used by Apple and Google, where the matches take place on users’ handsets.”
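As an added illustration (constructed for this post, not the Google/Apple API or the NHS app's own code), here is a simplified Python model of the decentralised token exchange described above and in the BBC quote: the daily key stays on the handset, only rotating identifiers are broadcast over Bluetooth, and the matching happens on the phone rather than on a central server.

```python
import hmac
import hashlib
import secrets

# Simplified model of the decentralised scheme (constructed here, not the
# real Google/Apple API). Each day a phone makes a random Temporary
# Exposure Key (TEK); in every 10-minute interval it derives a Rolling
# Proximity Identifier (RPI) from that key and broadcasts only the RPI.
INTERVALS_PER_DAY = 144  # 24 hours in 10-minute windows

def rolling_id(tek, interval):
    """Derive the short-lived token for one interval from the daily key."""
    msg = b"RPI" + interval.to_bytes(4, "big")
    return hmac.new(tek, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> TEK, stays on the handset
        self.heard = set()    # RPIs received from phones that came close

    def broadcast(self, day, interval):
        tek = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return rolling_id(tek, interval)

    def receive(self, rpi):
        self.heard.add(rpi)

    def publish_diagnosis_keys(self, days):
        # Only on a positive test, and only the TEKs of the infectious days,
        # are uploaded; the server never learns who met whom.
        return [self.daily_keys[d] for d in days if d in self.daily_keys]

    def check_exposure(self, published_keys):
        # Matching runs on the handset: re-derive every RPI each published
        # key could have produced and compare with what this phone heard.
        for tek in published_keys:
            for i in range(INTERVALS_PER_DAY):
                if rolling_id(tek, i) in self.heard:
                    return True
        return False

def simulate():
    """Alice meets Bob, Carol meets only Bob; Alice later tests positive."""
    alice, bob, carol = Phone(), Phone(), Phone()
    day = 1
    bob.receive(alice.broadcast(day, 42))       # Alice and Bob within range
    carol.receive(bob.broadcast(day, 90))       # Bob and Carol within range
    keys = alice.publish_diagnosis_keys([day])  # Alice's diagnosis upload
    return bob.check_exposure(keys), carol.check_exposure(keys)
```

Bob's phone finds a match locally and Carol's does not, and the only data that ever left a handset was Alice's daily key after her positive test.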
The effectiveness of the app will depend on how many people install it and keep it working. Bluetooth Low Energy is not installed on all phones and these devices will not be able to use the app unless there are other means we have not been told about such as cellular signal tracking. This capability cannot be added since it requires the appropriate hardware to be installed within the device. However, I have seen some dongles which can be connected via an On The Go (OTG) cable but this will hang loose against the phone.
I believe the UK NHS app is going to be installed in a voluntary manner, but I have yet to confirm this from a reliable source. This may not be the case in other countries and if you travel you should fully research this before you travel.
A BBC News Article on 12 April 2020 provides some additional background.
Security and Privacy Concerns
I have already touched upon the security concerns regarding Bluetooth. The broader picture is the retention of the contact tracing records and how securely they are stored.
The UK NHS are going for a centralized approach and this has its own issues. Being centralized they can be hacked and all this trove of data can be extracted for nefarious uses. The people who run the NHS service better have top notch security.
There is a lot of press out there that states the issues with these apps, one from the BBC is here.
My biggest concern is what happens after the crisis is over? What happens to all this data? Will it continue to be collected?
Data retention will be governed by various data privacy laws, notwithstanding the GDPR, which in the UK was enacted under the Data Protection Act 2018 and will remain in force even after the UK leaves the EU fully in 2021 (on the current timeline). Take a look at my blog on Managing and Securing Data for more information. What will happen in other countries will depend on local laws, but any EU country will be governed by the GDPR, and so will data relating to any EU/UK national in other countries.
Will this data continue to be collected? This will depend on whether the service remains active and/or is repurposed. Once this type of tracing is established, it will be very hard for the UK (and other) governments to put it aside. Rather than having to raise multiple court orders to gather location data on individuals, they can use the NHS service instead. If that service is repurposed after the pandemic is resolved, this is a real possibility.
Once an app is installed, it is often forgotten and continues to collect data. This is why I advocate reviewing your installed apps on a regular basis and removing ones that don’t add any value – once you have cancelled the account and removed all your data of course.
We are all living the COVID 19 pandemic in our own ways. We all want things to get back to normal (whatever that is with all the resulting economic damage). One way forward is contact tracing so that we can head off a new spike in infections. As I have mentioned above, there are various ways this can be achieved, all of which have a down side in terms of security as well as our individual privacy.
For the moment I think people will just have to suck it up and comply. The alternative is to keep us all in lock-down, or live with the likelihood of multiple infection spikes forcing us back into lock-down.
Once the need for this contact tracing is over, because we have an effective vaccine or the virus mutates into a harmless version, we need to make sure these measures are removed to protect our privacy.
I also tweeted about a COVID 19 infection tracing app on 19 April which I have researched and currently consider to be useful.