Covid-19 contact tracing app based on Apple-Google API could be vulnerable to data harvesting, EEF warns

Accurately estimating the distance between two devices is also a significant challenge

The Electronic Frontier Foundation (EEF) has warned that coronavirus contact-tracing apps built using Apple-Google API could pose a threat to privacy and security of users.

The experts at EEF cautioned that threat actors could exploit security weaknesses in those apps to harvest users' data and to shake people's confidence in the public health system.

On Wednesday, Apple and Google released the first versions of their API to enable developers to start creating coronavirus contact-tracing apps for public health organisations. Such apps will enable a person who tests positive for coronavirus to disclose their diagnosis to government agencies. The system, which is based on Bluetooth technology, will then track all people who had come in contact with the infected person in last 14 days, and notify those individuals of a possible exposure.

According to the EFF, the effectiveness of these apps, which are based on Bluetooth technology, will rely on various trade-offs and yet must engender sufficient trust for widespread public adoption.

A major challenge at this point is that there is currently no technique to verify that the device sending rolling proximity identifiers (RPID) is actually the one that generated it.

This weakness could allow cyber criminals to harvest the data over the air and rebroadcast it, thereby undermining the system completely.

"Imagine a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe," EFF director of research Gennie Gebhart and staff technologist Bennet Cyphers wrote in a blog post.

"Anyone who passes by a 'bad' beacon would log the RPIDs of everyone else who was near any one of the beacons. This would lead to a lot of false positives, which might undermine public trust in proximity-tracing apps—or worse, in the public health system as a whole."

Another challenge is to accurately estimate the distance between two devices.

Because Bluetooth signals can be interrupted in the presence of large concentrations of water, including human bodies, many phones may not able to establish radio contact in such situations, despite two people being in close proximity to each other.

EFF experts have also raised privacy concerns surround contact-tracing apps, saying that the programme must be "sunset " once the coronavirus crisis is over in order to protect the privacy of users.

Earlier this week, it emerged that the UK National Health Service (NHS) is working on a coronavirus contact tracing app that will not rely on API developed by Google and Apple.

The NHS wants to develop a centralised solution, in which NHS servers will be used to carry out matching and send alerts to people.

The agency believes this approach will provide more insight into how the virus is spreading in various cities and will also give government officials more control over who receives notifications.

However, many people fear the approach is being rushed through without sufficient consideration of mission creep, where sensitive data could be reused for other purposes. Yesterday an open letter letter outlining these concerns was sent to NHSX, the digital technology health body driving the app development, by 117 privacy and security experts.