10 March 2022

Bluetooth contact tracing is a dangerous security hole

Governments and corporations have implemented a mass surveillance mechanism with total disregard for the privacy and security of those that are in their sights.

Smartphone users have been 'enticed' to use government issued contact tracing apps.

To make matters worse for the user's privacy and security, the smartphone operating system [deliberate] duopoly Apple and Google have forced their 'contact tracing' program upon the users with zero opt out, under the 'health' banner.

It's baked into the operating system and you cannot remove it, unless of course you are running Android AOSP.

Apart from that the contact tracing method is ineffective.

Even after the so called disease is gone, the tracking app is not, where the security hole will always exist on your device.

See post from 2020, where it's a:

"A comprehensive, technobabble free explanation of how Bluetooth contact tracing (doesn't) work and why simple solutions are often not that simple, if not outright dangerous, when applied in real life."

under the headline:

SARS-CoV-2 Bluetooth contact tracing apps are a tremendously stupid idea!

It’s an intriguingly simple concept: when someone tests positive for SARS-CoV-2, quarantine him, get a list of everyone he has been in contact with for the last week, quarantine them as well. Unfortunately, this method doesn’t scale well when done manually and most people won’t know, let alone remember, all the other people they met in the past seven days. However, since (virtually) everybody owns a mobile phone, why not make them simply exchange their owners calling cards automatically via Bluetooth, when coming “in contact” (=2 meters for 10 minutes) with each other?


Of course, simply handing out full contact details to everyone in the vicinity is not a smart idea. The inevitable result would be an inbox full of spam and hoax messages, helicopter parents would spy on their children, jealous spouses will want to know if their partners are cheating, government agencies and law enforcement … to be honest, I have no idea why they should be interested, but surely, they will.

So, “privacy” has to be a build-in feature of the app, but is it possible to be identifiable and anonymous at the same time? As self-contradicting as it sounds, it actually is!

Let there be app!

The basic idea behind the DP-3T protocol as well as Google and Apples joint effort works as follows (simplified summary):

Every smartphone gets a unique calling card number (not connected to anything), which is then broadcasted once per minute via Bluetooth. Whenever a smartphone receives such a broadcast 10 times in a row, with the signal strength indicating a distance of less then 2 meters, it assumes a contact and remembers the transmitted calling card number for the next 7 days.

If a user finds himself infected, he publishes his calling card number to a central bulletin board. All phones with the app installed check the board regularly for calling card numbers, they have seen within the last week. When a match is found, the phone assumes an infection. That is, publishes its own calling card number to the bulletin board and alerts its user to take actions (get tested/quarantined). This forms a simple alarm chain that only passes on an “infected” status, without allowing anyone to find out the identity of the other links.

Clever! But how would this mechanism work in the real world? Story time!

Day 1

Meet Joe Average, a reasonably responsible, reasonably intelligent, everyday person. There is nothing remarkable about him at all. If you were to conduct a scientific study, he’s the kind of guy, you’d want to include.

Today is when, the SARS-CoV-2 Bluetooth contact tracing app becomes available. Let’s see, how Joe spends the day…

08:00
Joe wakes up. A notification on his phone prompts him to install a new app. The description makes sense, so he complies without giving it further thought. In fact, not being too tech-savvy, he completely misunderstands the concept, thinking the app will warn him of infected people in the vicinity.
09:00
Joe's apartment is on the fifth floor. Out of convenience, he takes the elevator down. The idea that someone might have sneezed in the cabin earlier does not occur to him.
11:00
Joe enters a supermarket. He is in need of some toiletries, which he could easily carry in his hands. Nevertheless, the supermarket now has a policy that forces him to use a shopping cart. He wonders if the staff disinfected the handle properly, then decides to grab the cart by the side. Unfortunately, the previous user had the same idea, while the supermarket staff did not.
12:00
A homeless person gets uncomfortably close while asking Joe for some spare change. This is deliberate. The begging community learned quickly that the COVID-19 fear, if played correctly, will increase the success rate for getting a handout.
16:00
Luv u! Licksies?
Joe meets a friend in the park, who's walking "Smooch", his dog. Smooch is a friendly 75 lb Boxer mongrel, who just loves licking faces, but will also happily settle for hands, if faces are not available. Several small children and senior citizens (none of them carrying a smartphone) have petted him today so far. Joe gets the works.
19:00
Joe meets a girl, he'll only ever know as "Suzie" (not her real name) at a bar. She literally wears nothing except a red dress and high heels. There's really no question as to her intents and who's going to pay the tab.
19:30
Common sense and Hormones have a short, but passionate debate. Hormones win with a little help from alcohol.

Joe does catch SARS-CoV-2 Today. When? Where? How? Well, that is everyone’s guess! He certainly had a lot of opportunity.

Assessment The fundamental flaw of Bluetooth contact tracing is that phones, not people, most certainly not viri are tracked. Every moment in the timeline above breaks the alarm chain because a phone was not in the right place at the right time. Of course, having a broken alarm chain is still better than not having one at all, one might say, but not if it comes at the price of people, like Joe, getting careless.

Day 2

Meet Jane Doe, Joe’s next door neighbor. Joe and Jane’s daily routines are vastly different, so they almost never meet each other in the hall. They do have some similarities, though. Like, for example, using their phones as an alarm clock. Also, the bedrooms of their two apartments are separated by the same wall. Whatever they put on their nightstands is pretty much just an arms length apart.

(The rent is about as cheap as this sketch)

Jane got the same notification as Joe, but hesitated at first. She did not install the app until after midnight. Nevertheless, the two phones spent most of that night well within a 2m radius of each other and without any means of detecting the wall in between. Joe might as well have been sleeping with Jane instead of Suzie, as far as the apps are concerned (just one of the many reasons, why privacy by design is a must).

Jane is a biology teacher, teaching a graduation class. Most of her students own (much to her dismay) a smartphone and today is an important exam. Jane, knowing a thing or two about viri, takes reasonable precautions, like wearing a mask and keeping the windows open. However, she can’t prevent her tracer app from picking up a few dozen contacts that day. Of course, this is mutual. Whoever she logs as a contact, logs her as well. Later that day, her students will also log their families.

Assessment Bluetooth contact tracing is hyped as a silver bullet, an alternative to social distancing. It is neither! It merely replaces an effective countermeasure with an inferior one in order to permit risky behavior again. In other words, for policy makers, the availability of Bluetooth contact tracing is an excuse to raise the threshold for what is deemed “dangerous” without actually lowering the risk.

Day 3

It’s John Smith’s day off. He’s a long-distance trucker and parent of one of Jane Doe’s front row students. Their father-daughter day starts off with the two logging a contact for each other.

Assessment At first it may seem as if Jane Doe and John Smith are just two different names for the same function, but they aren’t. She’s a multiplier (spreads to many people locally), he is a bridge (spreads to few people, but across barriers).

Day 4

John starts a new tour. He picks up cargo early in the morning and drops it off in another town after sunset. Since it is too late already to drive back home, he stays at a motel for the night. He could have slept in his truck, but today he is having company. The kind of company that would make him uninstall the tracing app right away, if it didn’t guarantee privacy.

Assessment John is not infected, but part of an alarm chain. He just linked two multipliers in different communities together. Keep in mind that we are only tracking contacts as infections, not actual infections!

Day 5

Joe wakes up, feeling a bit under the weather. At first, he brushes it off, but his condition worsens fast. In the afternoon, he finally seeks medical attention which includes a SARS-CoV-2 smear test.

Assessment Any manual action that is required between suspicion, confirmation and reporting causes signalling delay. In this case, the virus gets another day to spread from anyone, Joe might have infected. This makes all the argument for automatic alarm forwarding, even if false alarms are to be expected.

Day 6

Joe’s test results are back: positive. He does the responsible thing and hits the “I am infected” button in his contact tracing app. Within minutes, the alarm cascades through his contacts and the contacts of his contacts. Everyone who has directly or indirectly gotten in touch (pun intended) with him for the last week receives a message with a simple choice:

Either stay at home for 14 days or pay for a test and stay at home till you have the results.

The social graph of Joe (red), Jane (yellow) and John(blue)

Potentially a few hundred people are going to have a really rotten day. Most of them will have no clue of where they might have caught the bug (after all, that was the whole point of making a contact tracing app, wasn’t it?) or if they actually caught it at all, but now they carry the “infected” status with all the social and legal implications.

Joe would be really unpopular by now if the app did not guarantee privacy.

Assessment An alarm, especially a false one, raises the question of liability. Is Joe responsible for having been careless? Is Jane responsible for causing a false alarm? Is the app maker responsible for the security holes in the protocols design? Fact is, a lot of people will have to drop everything in order to get tested and someone will have to foot the bill. False alarms are a pretty convincing reason to uninstall the app.

Meanwhile in an alternate reality

There are, of course, different versions of the story above. Let’s explore some alternatives by putting Joe (source), Jane (multiplier) and John Smith (bridge) in slightly different roles.

Joe, the hacker
What if Joe stayed home the first day (did not get infected), got hold of Jane’s phone and decides to swat her for fun?
Joe, the slacker
What if Joe was not a neighbor of Jane, but one of her students, desperate to meet a deadline. Could he buy himself an extension by faking an infection?
Joe, the movie buff
What if Joe had invited Suzie to the movies and turned his phone off before entering the cinema hall?
Joe, the deceived
Plot twist: Joe just caught the flu. Same symptons, different pathogen. Should he wait for test results (or be tested at all) before hitting the alarm?
Joe, the unprepared
Joe is single. What if he runs out of food while quarantined? Will he sneak out, leaving his phone at home?
Joe, the kindergarten teacher
What if someone had the idea to reopen kindergarten, thinking the availability of Bluetooth contact tracing renders social distancing unnecessary?
Jane, the hypochondriac
What if Jane had an unrelated symptom, quarantined herself without a test and thinks, she gained immunity afterwards.
Jane, the gym instructor
How many contacts would Jane’s phone log, if she left it in the locker room?
John, the secret agent
Are there countries that would benefit from keeping other countries in lockdown? If so, what could be more effective than interlinking as many people as possible, then sending a fake alarm?
101010, the software bug
Is it possible that a piece of software, especially one, that is based on a bad idea and coded in a hurry, might malfunction?

Every sufficiently large community will have multiple Joes, Janes and Johns. The story above inevitably unfolds, over and over, time-displaced, in parallel and with numerous variations. Some of the story lines will intertwine, others won’t. Every variations adds complexity and requires exception handling.

Privacy aware Bluetooth contact tracing is fragile at best. Even a tiny amount of malevolence or stupidity can easily send waves through the entire system, making it completely unreliable. We are essentially putting our faith in a system that is constantly going to cry wolf. (Repeated) false alarms have consequences:

  • People will stop taking alarms serious.
  • People will uninstall the app.
  • People will try to circumvent the app (Suzie, for example, simply left her smartphone at home).

Worst of all, however, people will demand the app to be fixed and governments will succumb to the sunk cost fallacy.

Privacy has to go!

The privacy aware approach has three major weakness:

  1. The system is open for trolling.
  2. Any incoming alarm must be treated as the real thing.
  3. A false alarm cannot (efficiently) be cancelled.

Obviously, an anonymous bulletin board will not work in real life, so the next version of the contact tracing app will have to be backed by a central authority that knows the identity of every user. Needless to say that this will, quite rightly, creep people out and result in the app getting uninstalled.

Installation is mandatory!

Voluntary use of the app builds on trust. Trust builds on privacy. Privacy cannot be guaranteed. This means, the only way to get the app on people’s phones is by installing it forcefully and making it unclosable (i.e. make it part of the operation system). People who don’t carry a smartphone, or turn it off will eventually find that they may no longer be permitted to enter supermarkets or use public transports.

Of course, the app will still not work properly, as people will make an effort to actively circumvent or even sabotage the system.

No end in sight!

Privacy, schmiracy. Many app proponents are of the opinion that saving human lives is more important than saving human rights. Of course, expressing that opinion requires the basic human right of free speech. So, yeah there’s an interesting discussion starter. Another interesting and more practical question is: for how long are we going to suspend the right to privacy?

The world is full of places with poor medical care. Slums, refugee camps and the like are communities where SARS-CoV-2 can go into hiding and from where it can be re-imported at any time. The pandemic does not really end till the virus is completely eradicated. There are just dormant phases in between outbreaks and those are the ones when we actually need the contact tracing apps to be active.

So, when can we have our privacy back? The answer is pretty much: never.

Conclusion

Bluetooth contact tracing is a dumb idea. At best, it will not work, at worst, it will lead is into a dystopian future.

Listening to scientists is generally a good idea. Some Epidemiologist/virologists may suggest contact tracing apps as a promising approach, but their expertise is in… well, epidemiology/virology, not computer science. Ask a computer scientist for their opinion and the answer is: FUCK NO!

No comments:

Post a Comment