SecureMac, Inc.

Checklist 183: Tracing the Contact Tracing Story

April 30, 2020

This week, we’ll highlight some big decisions about mobile contact tracing from around the world — and we’ll also let you know what’s going on over at Apple (spoiler: get ready to update iOS).

Checklist 183: Tracing the Contact Tracing Story

Last week, we talked all about the coronavirus contact tracing tool that’s being developed by Apple and Google. This week, we’ll highlight some big decisions about mobile contact tracing from around the world — and we’ll also let you know what’s going on over at Apple (spoiler: get ready to update iOS).

Contact tracing … sorry, “exposure notification” … moves forward

For the past couple of weeks, we’ve been talking about the Covid-19 contact tracing tool being developed by Apple and Google — including the concerns raised by some tech experts about its implementation.

In case you need a refresher, the basic idea is to use the Bluetooth radios in mobile devices to emit anonymous beacon IDs — and listen for beacons from other devices. When two phones are in close proximity, they record one another’s beacon IDs and store them in their log files. If someone is diagnosed with Covid-19, they can authorize public health officials to upload their phone’s anonymized data to a remote server which can be accessed by other people’s devices. If you’ve been exposed to someone who has tested positive for the virus, your phone will let you know so that you can take precautions.

This sounded like an interesting idea, but it also raised privacy concerns. Apple and Google said they would release the API to legitimate public health authorities around the world (so they could develop their own localized apps), but it wasn’t clear how many takers they’d have.

This week, we’re sharing some new developments in the story, both from Silicon Valley and around the world.

Apple and Google have the biggest news: They’re ahead of schedule, and have just released the first seed of the API to qualified organizations. They’ve also made changes to the proposed framework based on feedback that they received over the past two weeks. Here are some of the highlights:

  • Instead of calling it “contact tracing”, the tool will now be called “exposure notification” — which strikes us as good old-fashioned rebranding, designed to allay people’s fear of being “traced” by Big Brother
  • Beacon ID generation will be randomized, which will make it even more difficult to link any particular ID to a specific person
  • Bluetooth metadata will receive additional protection by means of encryption
  • The API has been fine-tuned in order to cut down on the possibility of false positives

Meanwhile, there have also been some significant developments in Europe over the past few days.

Germany has announced a complete reversal of its earlier position, opting for a decentralized exposure database similar to what Apple and Google are proposing. In the Silicon Valley version of contact tracing (or “exposure notification”, if you prefer), information about phone-to-phone contacts is to be stored on individual devices only, and never on a centralized server. The only information that will be kept centrally is the list of anonymized ID keys from Covid-19 patients — uploaded with their permission — that can then be used by individual devices to determine whether or not their owners have come into contact with an infected person. 

Initially, Germany had planned to do the exact opposite of this, keeping all information about contacts on a central server, but it seems they’ve had a change of heart. According to a government spokesperson, the reason comes down to “trust” — which is a crucial factor in getting large numbers of citizens to opt in to such a system and make it effective. Now that Germany seems to be on the same page as the two tech giants, the country may simply decide to use Apple and Google’s pre-existing framework to build an app, instead of developing their own from scratch, but as of now no decision has been made.

The government of the United Kingdom is taking a different route, opting for a centralized approach similar to what Germany has just rejected. The UK’s National Health Service (NHS) says that this will make it easier for them to learn more about how the virus spreads; make changes to the tool if new scientific evidence becomes available; and do a better job of making sure only high-risk contacts receive notifications.

Meanwhile, other tech companies are making their own sales pitches to governments around the world, and some of these are a bit disturbing. Cellebrite, a company best known for its iPhone hacking tools, is telling the police in India that its products can be used to capture the location and contacts of anyone who tests positive for the Covid-19 virus, allowing authorities to quarantine “the right people”. The company also notes that their tools can be used to hack into a user’s phone without their consent, which (according to them, anyway) may be legally justified in some cases. Other companies are floating similar proposals to governments in Latin America, Asia, and Europe — making this story one to remember when we finally begin traveling again.

Apple makes some changes

These past couple of weeks have been pretty busy for Apple, with a few major developments that deserve a mention.

One big change that you can see immediately has to do with Maps. The app is now highlighting Covid-19 testing centers to help users find diagnostic options in their area. All you have to do is open Maps and tap in the search area, and you’ll be given the option to look for “COVID-19 Testing” as a search suggestion. Some users have said that they weren’t able to see this at first, but that after completely shutting down and restarting their devices, the missing option appeared.

As we noted above, the contact tracing / exposure notification API seed is here — and two weeks early at that. This will bring some changes to the OS itself (presumably pretty significant ones), and Apple has therefore decided to acknowledge that in the release number. Instead of going with the expected “iOS 13.4.5”, the update is now being released in beta as iOS 13.5. 

Based on reports from people who have been testing the iOS 13.5 beta, it looks like there will be a way to opt in to or opt out of the OS-level functionality that will make those public health contact tracing apps viable. To do this, go to Settings > Privacy > Health > COVID-19 Exposure Notifications. There you will find a toggle that lets you turn the feature on or off. It’s worth noting that any organization’s app that is built with the iOS API will still have to be downloaded, installed, and given permission to access your data. 

The iOS 13.5 beta also contains a feature that will come as welcome news to people who use Face ID. When Face ID is enabled as the default authentication method, iOS always tries to use it first. If iOS is unable to use your face to unlock the phone, then it will offer a passcode unlock option after a few seconds’ delay. Considering how many people are wearing masks these days, this is obviously happening quite a bit — and is getting frustrating for users who have to wait for that passcode option to pop up when they need to access their device in public. Thankfully, iOS 13.5 seems to address this problem, giving users the ability to pull up the passcode unlock option with a single swipe. Leave it to Apple to think about UX — even in the middle of a pandemic.

That brings us to the end of this week’s Checklist, but if you want to keep learning and developing your cybersecurity skills throughout the week, be sure to have a look at our show archives, where you can listen to past podcasts and read the full notes for each episode. And if you have a question about digital security and privacy, or would like to suggest a topic for a future Checklist, please let us know at Checklist@SecureMac.com.

Get the latest security news and deals