This note provides a tutorial explanation of the Preliminary Bluetooth Contact Tracing Specification for COVID-19 from Apple and Google (you can review the protocol here). Also included are three baseline recommendations for the supporting infrastructure, which is more likely to create privacy and security compromise than any technical weaknesses in the protocol, cryptography, or frameworks. Here’s how the V1.1 protocol scheme works:
Mobile devices running a so-called contact detection service will generate and store once a tracing key (root secret). The device uses this tracing key every twenty-four hours to derive a new daily tracing key (session secret). The daily tracing key is then used every fifteen minutes to cryptographically generate a rolling proximity identifier (device identifier). All these derivations and intervals are included to protect the privacy of the device owner.
Mobile devices will continually advertise their current rolling proximity identifier to other devices in Bluetooth LE proximity, and who happen to be scanning as part of the contact detection service. Ingested rolling proximity identifiers are stored on the device. Since a great many participating devices might be in the vicinity, and since device identifiers change so frequently, filters are mentioned in the specification to preserve device power.
A cloud-resident workload periodically sends so-called diagnosis keys to devices running the contact detection service. These keys are offered willingly by humans infected with the COVID-19 virus, and who have consented to share this information with other users. A resolution function runs on the device to match stored rolling proximity identifiers with ingested diagnosis keys. Exposure duration is mentioned to help measure health risk.
Numerous points are made in the specification regarding the security and privacy aspects of the overall scheme – and they seem reasonable to this author. The cryptography appears sound and considerable transparency does appear to be designed into the protocol. Ancillary concerns such as device bombardment with rolling proximity identifiers might represent an annoying hack, but are unlikely to create privacy issues. Hackers might also be traced.
The more worrisome security and privacy concerns, however, will emerge from the supporting infrastructure for this service. Depending on how users are registered, updated, curated, notified, helped, administered, and even decommissioned (hopefully from lack of interest versus breath) – will determine the success or failure of this solution. As such, we offer below three recommendations for the infrastructure supporting this proposed service:
Simplified Expert Management – The service should be administered through a common set of procedures that apply in exactly the same way, everywhere on the globe. Language and cultural issues should be avoided through use of icons and picture diagrams to guide users through download, registration, and usage. Wherever the temptation exists to add complexity to the supporting infrastructure, this should be resisted without exception.
Simplified management is important because any security expert will explain that hackers succeed best by finding weaknesses in the infrastructure for any targeted service. They will look for edge cases in registration, exceptions in support tools, sloppiness in help desks, and so on. For these reasons, great expertise and care must go into the service management design. This will be much more important to user privacy than even the cryptography.
Coordinated Social Media – Since all forms of social media will no doubt include massive commentary by citizens, groups, and others on this new contact service, it would be advised to set-up and run a coordinated social media effort with live, expert curation of help desk issues and user questions. This effort can also quickly dispose of crazy rumors and bad ideas that could cause misinformation to spread even more quickly than the COVID-19 virus.
One must expect that an app downloaded by potentially billions of users must be curated for luddites, technology-challenged individuals, and even innocently-confused citizens. Furthermore, these users will come from every country, region, and culture on the globe, so over-indexing on the communication via social media seems like an important requirement. Well-curated social media support also can help reduce security and privacy stress.
As an example, one can envision hackers sending messages or other pop-ups to users explaining that “YOU HAVE come into proximity with a COVID-19 infect person – so please CLICK HERE to save your life.” Such phishing messages and other attacks could be serious enough to literally undermine the entire effort. So communication and messaging are essential to proper operation. The importance of this point cannot be over-stated.
Absolute Minimal Functionality – If you ask any security expert how to make application software more secure, they will tell you to start removing code (and hence removing functions). Minimization of all functionality in this proposed service and its supporting infrastructure must be obsessive. No function should be included that does not contribute directly to the mission, which is to help human beings live a safer, happier life.
It goes without saying that the nightmare of competing implementations from different vendors would be a terrible way to go. The implementation should instead originate from one shop, should be downloadable from one site, and should include zero branding or other information. This will help ensure that rogue downloads of contact tracing apps that are “faster” or “more efficient” or “endorsed by some celebrity” can be avoided.
Closing point: It is the opinion here that an effort the size of a golf ball remains to ensure that the protocol and supporting cryptography will be sufficient for wide-scale usage. In comparison, however, a much larger effort, perhaps the size of a weather balloon, still exists to properly define the support infrastructure for this service. I would hope that sufficient attention is placed in this area.
Please let me know your thoughts on this note – and please stay safe and healthy.