We masked, we vaccinated, we reinforced – but are we underutilizing the technology that could contain the pandemic because we don’t trust it? A team led by Virginia Tech investigated the privacy risks of digital contact tracing technology, and their findings show that exposure notification systems are highly secure.
“This is not the Spanish flu epidemic of 1918,” said Danfeng (Daphne) Yao, a computer science professor at Virginia Tech, a CACI faculty member, and a faculty member of Elizabeth and James E. Turner Jr. ’56. “Contact tracing apps can improve our lives, but people need to understand better in order to trust more.”
The team’s study, which will be published in the February edition of IEEE Computer, was supported by the Commonwealth Cyber Initiative in southwestern Virginia.
Digital contact tracing apps
Contact tracing refers to a method of tracking possible new cases of COVID-19 by screening the interactions of a COVID-positive patient during their infectious period. It can be arduous, expensive and time-consuming. But if you have a smartphone, there is an easier way.
At the start of the pandemic, Google and Apple teamed up to create the Google/Apple Exposure Notification (GAEN) system. This digital contact tracing app uses Bluetooth low energy communication to allow your device to track the distance and duration of close contacts with other GAEN users.
“When GAEN is installed and activated, the system assigns you a temporary key and starts broadcasting beacons with anonymous ID numbers,” explained Salman Ahmed, a graduate computer science researcher and first author of the study.
To ensure user anonymity, ID numbers should change every 10-20 minutes and the key every 24 hours. If a user is within approximately 10 meters (33 feet) of another GAEN user, the devices will exchange beacons. Later, if one is positive, the other user can choose to enter the key into the frame, which automatically notifies a server and subsequently anyone who has been in close contact with the infected person for a period of time. during the previous two weeks.
Distrust and reluctance
The premise of this technology immediately began to ring alarm bells for many, including a few of Yao’s respected colleagues.
“I understand the confusion and fear surrounding contact tracing,” said Yao, who is also a CACI fellow. “Because the easiest way to do that would be to collect user information and send it to a central authority for analysis. But today’s technology is much smarter.
Yao, Ahmed and Ya Xiao, a graduate researcher in computer science from Virginia Tech, are in contact with Taejoong (Tijay) Chung from computer science, Carol Fung from Virginia Commonwealth University and Moti Yung from Columbia University and Google, who helped design the GAEN system. Yao’s Virginia-based team conducted its investigation independently of Google, but reached out to Yung for comment on some of the findings.
Test security at every threat level
The researchers focused on the Virginia Department of Health’s COVIDWISE app, the first state-run exposure notification system in the nation. Yao and his team wanted to know exactly what was stored on a device, if keys and ID numbers actually changed and how often, how often beacons are exchanged between devices, and how easy it would be to hack. these informations.
To answer these questions, the team started by reading the fine print. “We wanted to make sure that the observed behaviors matched the claims,” Ahmed said.
In any case, they found the official specifications and observations to match well: “For example, the random identifier is supposed to change every 10-20 minutes with the Bluetooth address – and they did,” said Ahmad said.
The researchers inspected thousands of lines of library code over long periods of time and performed empirical analyzes using both Android and iPhone. To assess the technology’s security, privacy and reliability, they tested it in a series of real-world models, starting with the least threatening and most likely situation – coming across someone on a trail or sidewalk.
After assessing a user’s risk at this level, the team went through five riskier and less likely situations (called threat levels). They ended with the “organized crime model”, where an attacker actively seeks to obtain the victim’s infection status.
In the first four scenarios, which cover the majority of most people’s day-to-day experiences, the researchers found no privacy leaks.
“In the last two threat levels, there is a privacy risk,” Ahmed said. “But the attacking requirements are huge.” An attacker would have to bypass a smartphone’s security mechanisms, mount additional devices in different locations to acquire data within days. Additionally, they would need to collect metadata from other information channels, such as social media.
“There are easier ways to profile someone’s movements,” laughed Yao. “You can just hire spies!”
Also, there is no central server keeping track of who is talking to whom.
“All data is distributed and stored in a decentralized way,” Yao explained. “There is no location tracking.”
Researchers have verified that ID numbers are stored and protected on your local device and that information is randomized.
“Nothing goes beyond your device unless you choose to share,” Ahmed said.
High-impact security technologies
The Commonwealth Cybersecurity Initiative actively seeks to support investigations that bridge the gap between theory and practice.
“This study shows the significant role that expert cybersecurity analysis can play in the adoption of technologies in society,” said Gretchen Matthews, director of the Southwest Initiative Node. “And that’s part of CCI’s mission: to advance deployable security technologies that can make a difference in people’s lives.
As waves of COVID-19 variants rise and fall, wider adoption of contact tracing technologies could impact the course and timeline of the pandemic.
“We have so many fantastic and safe technologies that could help contain the spread of COVID-19 – including this one,” Yao said. “We should make an effort to use them.”