The original idea is to keep the users out of COVID-19 proximity by contact tracing tools. The collaboration of Google and Apple together will make larger Bluetooth ranges feasible though there are better ways for designing such programs than Bluetooth, they claimed that it is better than API since more users will be participating.
As Apple company stated:
“All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems. Through close cooperation and collaboration with developers, governments, and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life.”
They are calling it “Exposure Tracing” although the technology is using “contact tracing” since the user’s perception of contact tracing is not as desirable. The companies tried to entice people by announcing the app will be a temporary one and it will be stopped as soon as the pandemic is over since people are not willing to use the app.
With this regard, Jennifer Stisa Granick, the ACLU’s surveillance and cybersecurity counsel, declared: “We just want to make sure that this is verifiable, and that there will be an independent review to make sure the commitments they’ve made is something they’re living up to.”
The not so clean track record of the companies in question made the doubts on the app even more. The Electronic Frontier Foundation, a staunch supporter of digital privacy, posed many questions on the cybersecurity and the privacy implications of the app in progress which is called Bluetooth IE. In an effort made by to improve the security, the companies provided the user’s devices with the encryption keys to decentralize it.
Regarding the security issue EFF stated:
“A well-resourced adversary could collect RPIDs from many different places at once by setting up static Bluetooth beacons in public places, or by convincing thousands of users to install an app. […] But once a user uploads their daily diagnosis keys to the public registry, the tracker can use them to link together all of that person’s RPIDs from a single day.”
The hackers are provided with an easy opportunity to track every bit of the user’s movement. They can extract information on the user’s location and activities. All these issues are trivial comparing to the information the companies and government will be provided with. Considering their track record it is tough to trust them knowing that there were other options such as open source. Moreover, we can’t ignore the vague explanations as well as the vague terminologies used.
To sum up
Most of the problems posed by this app are due to the use of approximate-based technology which causes security as well as privacy-oriented issues. While high-security tokens are inconvenient, it is inevitable that there were more secure ways. Some potentially better option to use was a tokenized version of the authentication certificate, RPID cross-referencing, and use across multiple systems. Relinquishing control and providing a way that doesn’t sacrifice the data to a third-party could be a better option which not surprisingly they are not taking them into consideration.
API: a set of functions and procedures allowing the creation of applications that access the features or data of an operating system, application, or other services.