You don’t need to follow the news to know the COVID-19 pandemic isn’t getting any better. It’s everywhere you look – on YouTube, Facebook, Twitter, or any other social media sites.
People are doing their best to fight the pandemic while returning to their normal lives, but governments seem to think that’s not enough.
Enter contact tracing solutions – mobile apps that are supposed to keep track of your whereabouts and notify you whenever you come into contact with someone infected with the coronavirus. They do that either by using Bluetooth or location services.
The choice between the two has actually sparked quite the debate – should they all use Bluetooth, or are location services safer and more accurate?
We’ll take a look at that question in this article.
Here’s How Bluetooth Tracking Works
Bluetooth works by broadcasting a unique token (basically, a string of numbers) which allows Bluetooth-enabled devices to “pair up” and exchange data between them.
On its own, that’s not enough for contact tracing apps to be effective because the unique token is only intended for certain phones.
That’s where Google and Apple’s new API comes into play. It allows any kind of phone to listen for Bluetooth tokens and share their own – as long as they’re running the same contact tracing app and are in close proximity to each other. When a user tests positive for the virus, the app sends alerts to anyone who has that person’s token on their phone.
Example
You and a girl named Jane go to the same coffee shop. While you’re both waiting in line, your smartphones exchange Bluetooth tokens between them. From then on, the app will regularly check that token (alongside many others) to see if it belongs to someone who reported being infected with COVID-19.
If Jane ends up developing symptoms or testing positive for coronavirus, she would report that in the app. When the app sees that Jane’s token reported a positive diagnosis, it sends you an alert saying that you came into contact with someone infected with COVID-19.
Here’s How Location Services Work
This method uses WiFi signals, cellular signals, and GPS data to create a log of all the places you visit throughout your day. It might look something like this:
- 9 AM – Coffee shop
- 12 PM – Supermarket
- 1 PM – Restaurant
- 6 PM – Bar
That’s just a generic example, obviously. The app would replace the “coffee shop” with the coffee shop’s name and its address.
Contact tracing apps that use location tracking can’t exactly tell how close you were to someone who reported testing positive for COVID-19. But they can tell you’ve been to the same places.
Example
Let’s use Jane from the previous example again.
Both you and she go to a supermarket. You might only pass each other in an aisle, or you might stand behind her at the checkout line. The contact tracing app won’t know that, but it will know you both visited the same supermarket.
If Jane later reports coronavirus symptoms or a positive diagnosis, the app cross-references which places you’ve both been to. It sees you went to the same supermarket, so it sends you an exposure alert.
Bluetooth vs. Location Services – Which One’s Worse for Your Privacy?
They both have their advantages. Bluetooth lets you know you’ve been in close proximity to someone who is infected, while location services provide context (you know where it happened, so you’ll know if you took precautions beforehand like wearing gloves and a mask).
But which one handles privacy and security better?
Neither, it seems. They both have some pretty big issues.
The Problem with Location Services
This type of tracking just feels creepy. Not only does the app know exactly where you go, but it might also share that information with other people.
Usually, it’s health officials, but it could also be private companies or advertisers depending on the app’s ToS and Privacy Policy.
The Problem with Bluetooth
Problems, actually.
While the technology is generally secure, it has had (and continues to have) numerous vulnerabilities. Here’s a quick list to get you up-to-date:
- KNOB Attack – This was an issue with Bluetooth BR and EDR connections that would have allowed hackers to downgrade and crack Bluetooth encryption.
- BlueBorn – This was a pretty nasty vulnerability that would have made it possible for hackers to connect to a device directly.
- BIAS Attack – The most recent vulnerability, it would allow a cybercriminal to gain full access to a Bluetooth-enabled device.
Issues like that get patched pretty fast, luckily, but not all the time. If you use a cheaper off-brand device, there’s a chance the manufacturer didn’t offer updates to fix these problems.
Also, even Google and Apple’s new API is problematic – cybercriminals can abuse their system to associate infected people with photos of them. They just need to use a camera to record passerby’s faces, a rooted phone to capture contact-tracing Bluetooth signals.
How Contact Tracing Apps Handle Privacy Is Also an Issue
How they collect data matters, but what data they collect and how they manage it is important too.
For example, if the app asks you for your name and phone number, and demands access to your phone contacts (like Utah’s Healthy Together App does), that’s a serious problem.
Similarly, if the app lets third parties access collected data, that’s another breach of your privacy. For instance, ProteGo Safe in Poland lets “private companies” access user data.
Also, if the app stores the data you share with it on centralized servers instead of your device, you have less control over it. This article explains that problem pretty well. It uses the NHSX app as an example. Basically, user data becomes the property of the NCSC, which is a part of the GCHQ (the UK’s surveillance agency). And there’s no way you can have that data deleted.
Want to Know How Safe the Apps in Your Area Are?
No problem – you can use this scored list of contact tracing apps from ProPrivacy. It offers in-depth information about 54 apps from all over the world – what tracking method they use, what data they require, who they share it with, if they have a privacy framework in place or not, etc.
See if the app(s) available in your area show up there. If they do, the guide should offer you a pretty clear idea if they take your privacy seriously or not.
Bluetooth vs. Location Services – What’s the Verdict?
Unfortunately, they’re both imperfect solutions. On the plus side, they’re not that bad if the app doesn’t log personal information, and if it doesn’t share your data with anyone else. Though, the camera + rooted phone issue with Google and Apple’s API still worries us.
But how do you feel about all this? Do you think Bluetooth is safer, or do you prefer location tracking? Please tell us which one sounds best for you and why in the comments or on social media.