Are contact tracing apps tracking me? Not at all, say Virginia Tech researchers
Commonwealth Cyber Initiative (CCI) researchers from Virginia Tech investigated the security of digital contact tracing technology. Their findings offer reassurance to those leery of privacy risks.
We’ve masked, we’ve vaccinated, we’ve boosted — but are we underutilizing technology that could contain the pandemic because we don’t trust it? A Virginia Tech-led team investigated the privacy risks of digital contact tracing technology, and their results show that exposure notification systems are highly secure.
“This is not the 1918 Spanish flu epidemic,” said Danfeng (Daphne) Yao, Virginia Tech computer science professor, CACI Faculty Fellow, and Elizabeth and James E. Turner Jr. '56 Faculty Fellow. “Contact tracing apps can improve our lives, but people need to understand more in order to trust more.”
The team’s study, which will be published in the February edition of IEEE Computer, was supported by the Commonwealth Cyber Initiative in Southwest Virginia.
Digital contact tracing applications
Contact tracing refers to a method for tracking possible new COVID-19 cases by sifting back through a COVID-positive patient’s interactions within their contagious period. It can be arduous, expensive, and time-consuming. But if you carry a smartphone, there’s an easier way.
In the early days of the pandemic, Google and Apple teamed up to build the Google/Apple Exposure Notification (GAEN) system. This digital contact tracing app uses Bluetooth low-energy communication to allow your device to track the distance and duration of close contact with other GAEN users.
“When GAEN is installed and turned on, the system assigns you a temporary key and begins to broadcast beacons with anonymous identification numbers,” explained Salman Ahmed, a computer science graduate researcher and the first author of the study.
To help ensure user anonymity, the identification numbers should change every 10-20 minutes and the key every 24 hours. If a user is within a range of approximately 10 meters (33 feet) of another GAEN user, devices will exchange beacons. Later, if one tests positive, the other user can elect to enter the key into the framework, which automatically notifies a server and subsequently everyone that’s been in close contact with the infected person for a certain amount of time over the previous two weeks.
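The rotation and on-device matching described above can be sketched in a few lines. This is an added example, not code from the study, COVIDWISE, or GAEN: the names `Device` and `rolling_id` are hypothetical, truncated HMAC-SHA256 stands in for the real system's identifier derivation, and the scenario is constructed.

```python
import hashlib
import hmac
import os

INTERVALS_PER_KEY = 144  # assumption: 10-minute intervals, so one key covers 24 hours

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval (stand-in derivation, not GAEN's)."""
    msg = b"rolling-id" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Device:
    def __init__(self):
        self.daily_keys = {}  # day number -> random key, kept on the device
        self.heard = set()    # identifiers received from nearby devices

    def beacon(self, interval: int) -> bytes:
        day = interval // INTERVALS_PER_KEY
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def share_keys(self):
        """Only called if the user elects to report a positive test."""
        return [(d * INTERVALS_PER_KEY, k) for d, k in self.daily_keys.items()]

    def check_exposure(self, published):
        """Re-derive identifiers from published keys and match them locally."""
        hits = []
        for start, key in published:
            for i in range(start, start + INTERVALS_PER_KEY):
                if rolling_id(key, i) in self.heard:
                    hits.append(i)
        return sorted(hits)

def simulate():
    alice, bob, carol = Device(), Device(), Device()
    # Constructed scenario: Bob is near Alice for intervals 100-102; Carol never is.
    for i in range(100, 103):
        bob.hear(alice.beacon(i))
    carol.hear(bob.beacon(100))
    published = alice.share_keys()  # Alice tests positive and chooses to share
    return bob.check_exposure(published), carol.check_exposure(published)

if __name__ == "__main__":
    print(simulate())
```

The server only ever sees the keys Alice chose to publish; which devices heard her beacons is worked out on each receiving device.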
Suspicion and reluctance
The premise of this technology immediately started ringing alarm bells for many, including a few of Yao’s respected colleagues.
“I understand the confusion and fear surrounding contact tracing,” said Yao, who is also a CACI Fellow. “Because the most straightforward way to do this would be to collect user information and send it to some central authority for analysis. But the actual technology is a lot smarter.”
Yao, Ahmed, and Virginia Tech computer science graduate researcher Ya Xiao connected with Taejoong (Tijay) Chung from computer science, Carol Fung from Virginia Commonwealth University, and Moti Yung from Columbia University and Google, who helped design the GAEN system. Yao’s Virginia-based team conducted their investigation independently of Google, but reached out to Yung for feedback on some of the findings.
Testing security at every threat level
The researchers focused on the Virginia Department of Health’s COVIDWISE app, the first state-maintained exposure notification system in the nation. Yao and her team wanted to know what exactly was being stored on a device, if keys and identification numbers actually changed and how often, how frequently beacons are exchanged between devices, and how easy it would be to hack that information.
To answer these questions, the team started by reading the fine print. “We wanted to make sure the behaviors we observed matched the claims,” said Ahmed.
In all cases, they found the official specifications and observations match well: “For instance, the random identifier is supposed to change every 10 to 20 minutes along with the Bluetooth address — and they did,” said Ahmed.
The researchers inspected thousands of lines of library code over extended periods and conducted empirical analyses using both Android phones and iPhones. To assess the security, privacy, and reliability of the technology, they ran it through tests in a series of real-world models, starting with the least threatening and most likely situation — passing someone on a trail or sidewalk.
After evaluating a user’s risk at this level, the team moved up through five riskier and less likely situations (called threat levels). They ended with the “organized crime model,” where an attacker actively seeks to obtain the victim’s infection status.
In the first four scenarios, which cover the majority of most people’s everyday experiences, the researchers found no privacy leaks.
“In the last two threat levels, there is a privacy risk,” said Ahmed. “But the attack requirements are huge.” An attacker would need to bypass the security mechanisms in a smartphone and mount extra devices in different places to acquire data over a few days. In addition, they would need to gather metadata from other information channels, like social media.
“There are easier ways to profile someone’s movements,” laughed Yao. “You can just hire spies!”
Tight ship
In addition, there is no central server that keeps track of who is talking to whom.
“All the data is distributed and stored in a decentralized way,” explained Yao. “There’s no location tracking.”
The researchers verified that the identification numbers are stored and protected on your local device and that information is randomized.
“Nothing goes beyond your device unless you choose to share,” said Ahmed.
Security technologies with big impact
The Commonwealth Cyber Initiative actively seeks to support investigations that close the gap between theory and practice.
“This study showcases the meaningful role an expert cybersecurity analysis can play in the adoption of technologies in society,” said Gretchen Matthews, director of the southwest node of the initiative. “And that’s part of CCI’s mission — to advance deployable security technologies that can make a difference in people’s lives.”
As waves of COVID-19 variants rise and fall, wider adoption of contact tracing technologies could impact the course and timeline of the pandemic.
“We have so many fantastic, safe technologies that could help contain the spread of COVID-19 — including this one,” said Yao. “We should make a push to use them.”