Toward the end of his recent webinar with CISO MAG, hacker, security researcher and CISO Chris Roberts took questions from the audience on the security needs of contact-tracing apps built around COVID-19 cases. He said, “I want to believe tracing apps will be amazing because it has a bigger purpose to serve. But it should also be clearly stated, what will be done to the data afterwards — post the COVID-19 situation.” His statement echoes the whole Apple iCloud versus FBI fiasco (privacy norms vs governance), and even the latest revision to Apple and Google’s automatic contact tracing proposal. Both Apple and Google have pledged to shut down the tracer apps as soon as the pandemic ends, after several complaints citing privacy concerns.
In their last joint COVID-19 notification effort, the technology giants refined the technical details along with the FAQ and elaborated on the cryptography, Bluetooth communications, and the API framework for developers. According to the notification, among the methods used to contact trace is a system called exposure notification, where users will be informed if they have been exposed to an infected person. Exposure notification is part of the companies’ joint standard to accelerate adoption and interoperability. The companies have shared a library of reference code for both Android and iOS devices.
On the encryption front, Apple has stated that they have migrated to AES-based encryption instead of the HMAC-based scheme used earlier. Apple noted that AES performed better in this application of the technology. Apart from that, both companies also stressed the use of temporary tracing keys, which are now randomly generated, making it difficult for attackers to reverse engineer how keys are derived. One of the other key advantages of the tracker apps by Apple and Google is faster rollout to the maximum number of people.
Several countries have touted the Apple-Google approach as the staple format for contact tracing, for reasons including:
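To make the key handling above concrete, the following added example (not from the article, nor from Apple and Google's reference code) generates a random temporary key and derives per-interval Bluetooth identifiers from it with HKDF and AES-128, following the published Exposure Notification cryptography specification. The function names and the sample interval numbers are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hkdf16 is single-block HKDF-SHA256 (RFC 5869) with an empty salt and 16-byte output.
func hkdf16(ikm []byte, info string) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = 32 zero bytes
	ext.Write(ikm)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write(append([]byte(info), 0x01))
	return exp.Sum(nil)[:16]
}

// NewTEK returns a fresh random 16-byte temporary key; nothing links it to earlier keys.
func NewTEK() ([]byte, error) {
	tek := make([]byte, 16)
	_, err := rand.Read(tek)
	return tek, err
}

// RollingID derives the identifier broadcast in one 10-minute interval. The labels
// "EN-RPIK" and "EN-RPI" come from the published specification, not from this article.
func RollingID(tek []byte, interval uint32) ([]byte, error) {
	blk, err := aes.NewCipher(hkdf16(tek, "EN-RPIK"))
	if err != nil {
		return nil, err
	}
	padded := make([]byte, 16)
	copy(padded, "EN-RPI") // bytes 6..11 stay zero
	binary.LittleEndian.PutUint32(padded[12:], interval)
	out := make([]byte, 16)
	blk.Encrypt(out, padded)
	return out, nil
}

func main() {
	tek, _ := NewTEK()
	for _, i := range []uint32{2650000, 2650001} { // constructed interval numbers
		id, _ := RollingID(tek, i)
		fmt.Printf("interval %d -> %x\n", i, id)
	}
}
```

An observer who sees two identifiers cannot tell whether they came from the same phone unless the temporary key is later published, which is the property the bullet about beacons not revealing identity relies on.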
- Explicit user consent required
- Doesn’t collect or use location data from your phone
- Bluetooth beacons and keys don’t reveal user identity or location
- User controls all data they want to share, and the decision to share it
- People who test positive are not identified to other users, Google, or Apple
- Will only be used for exposure notification by public health authorities for COVID-19 pandemic management
Other reasons why Apple and Google appear to be the better option in a sea of coronavirus tracing apps are transparency and quality. Currently, one of the most downloaded COVID tracing apps in the world is India’s Aarogya Setu app, which crossed the 100 million mark. However, the app received a skimpy two out of five points from the MIT Technology Review.
The review, which judges tracing apps on several parameters, gave two points to Aarogya Setu for benefits like useful data and timely deletion of data, while it lost points on parameters like voluntary use and transparency. The review also noted that India was the only democracy that had made the app mandatory for millions of people. Austria’s Stopp Corona App, the Czech Republic’s eRouska, Iceland’s Rakning C-19, Israel’s HaMagen, Italy’s Immuni, and Singapore’s TraceTogether were among the apps that scored a perfect 5.