Bluetooth “fundamentally flawed” for use in Covid-19 tracing apps
The use of Bluetooth in Covid-19 contact tracing apps is “fundamentally flawed”, according to the founder of a British cyber security firm.
Specifically referencing Australia’s COVIDSafe app, Louis-James Davis, the founder of VST Enterprises Ltd (VSTE), said such technology is susceptible to Bluetooth hacks, malware and “bad actor attacks”.
“The tracing app is vulnerable to an attack every 24 hours once the daily keys are put into play. Although this is difficult, it is not impossible to work this back to user data,” he said.
“Each phone or smart device handset is subject to a wider brute force attack using Bluetooth hacks and malware. A rogue state could hack handsets of unsuspecting users and remotely manipulate or update their voluntary contribution to the system… creating negative effects for any government or health service relying on the data,” he continued.
“If high level information were disclosed to the public or the media, then this could have a massive impact on a country’s economic wellbeing as financiers would model economic trends associated with the health data based on the last quarters bailouts and cost,” Davis added.
On the topic of “bad actors”, Davis highlighted the potential for incorrect information to be entered and the resulting impact on those who are then wrongly alerted about a potential infection.
“There is nothing to stop them false flagging that they are now infected and pushing false information to thousands of other people who attended or have been in proximity to them. This then raises anxiety and fears causing mass panic, vital resources can then be put under pressure just because of bad data.”
Similar concerns have also been raised about tracing and contact apps in other countries.
In March, Capacity reported that the UK government’s collaboration with network providers to monitor the success of its social distancing policy could infringe the Human Rights Act.
Toni Vitale, partner and head of data protection at JMW Solicitors, said that although the data would be anonymised – and location data is often scraped from devices – the distinction depends on how the data will be used in these circumstances.
“If it is limited to creating heat maps showing where people are congregating, that might be OK. Some shopping centres already do this to show where shoppers are. This is useful to plan exits, where the cafes should be placed etc. Location data is commonly scraped from mobiles without users being aware,” he said.
Meanwhile, France is planning to create a state-managed tracing system; however, it needs Google and Apple to review privacy protections in order for data to be with public health authorities.
“We’re asking Apple to lift the technical hurdle to allow us to develop a sovereign European health solution that will be tied to our health system,” digital minister Cédric O told Bloomberg last month.
Davis said: “Given that most major corporates are renowned for selling advertisements or push ‘suggestions’ based on device voice recordings and geo sensitive insights, only heightens anxiety when you could now add a health data set. The proposition of having a health app that is ‘opt-in’ and filled with self-diagnosed triage information is mostly worthless to society. More anxiety and discrimination will come from wondering who is being honest and who even has the app on their phones.”
Further, as smartphone penetration varies across age groups, there could also be holes in the collected data. In other countries, VSTE said as few as one in six smartphone users have opted to download this style of app.
On the issue of, and concerns about, the policing of data, Louis-James Davis added:
“With the pandemic causing so many deaths, it is worrying that the Government would think about backing an app that is self-opt-in and self-updating purely for the fact it could be and most definitely will be abused. The app may install a false sense of hope and may cause more people to mingle. They won’t know that they are infected until they show symptoms which is no better than not having the app in the first place.”