Getting Privacy and Security Right
The leading privacy- and security-first approach to new ‘track and trace’ technology, Decentralised Privacy-Preserving Proximity Tracing (DP-3T), is designed to alert people that they may have been exposed to COVID-19 through someone they have been in contact with. But why isn’t it being used by every country? Let’s look at what it is and how it works.
Bluetooth, and its Low Energy (BLE) variant, is the technology you use to connect your phone to your car or headphones: a short-range radio that lets nearby devices find each other and exchange data. You may remember it fondly for sharing songs on the bus to school in the 90’s or 00’s, albeit slowly. Very slowly. The technology has come a long, long way since then, and is now proving useful in tracking contact between us humans, by way of the devices in our pockets.
This is where Bluetooth’s short range and device-to-device communication come in useful: the distance at which two phones can hear each other is of the same order as the distance over which the virus is thought to spread, so devices can exchange identifiers and log that their owners have been near each other. It is a proxy rather than a measurement, though: received signal strength is affected by walls, bodies and whether the phone is in a pocket or a hand, so any distance estimate is approximate.
The decentralised approach
With the release of iOS 13.5 (and, on Android, an update delivered through Google Play Services rather than a new OS version), there are new APIs available for apps to use that were developed with both your privacy and security in mind, with a toggle in the device’s settings that turns the contact tracing APIs on and off, keeping you in the driving seat.
These APIs were designed following guidance from the open source community (DP-3T) and global experts in these fields, as well as a strong push from the tech sector as a whole. Apple and Google called the implementation Privacy-Preserving Contact Tracing (it has since been renamed Exposure Notification). It is an effort to ensure that all ‘Track and Trace’ apps keep this very detailed, very personal tracking data private, secure and on the devices that people own.
This is a decentralised approach: the log of who you have been near never leaves your phone, and what your phone does broadcast is a stream of random-looking identifiers that cannot be linked back to you without a key you choose to publish. That makes the data much harder for third parties, or an attacker, to collect in bulk. It is a much better position than a centralised system, which tends to be a single point of failure, non-transparent in how it is run, and easier to compromise, both in the sense of unauthorised people gaining access to the data and in the sense of the data being used for purposes you never agreed to, because you are no longer in control of it.
While you have the feature turned on and have installed an app that uses it to provide the ‘Track and Trace’ functionality, your device derives a fresh cryptographically random-looking identifier every 10 to 20 minutes from a daily key that never leaves the phone, and chirps that identifier out to nearby devices over Bluetooth. (This is similar to how Apple’s redeveloped ‘Find My’ feature in iOS 13 works between your device and the random Apple devices it passes.)
Everyone’s phone keeps a log of the identifiers it has heard, together with when, for how long and at what signal strength. Nothing is decrypted at any point. When someone tests positive and chooses to report it, their phone uploads only the daily keys for the period they were infectious. Your phone downloads those keys, regenerates every identifier they could have produced, and checks them against its own log, entirely on the device. How long you were near that person, and how strong the signal was (a rough proxy for distance), is then used to calculate the risk level to you.
This keeps the system decentralised and your information private. Your phone is the only place your contact log is stored, and the only thing a server ever holds is the keys of people who have chosen to report a positive test.
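To make the decentralised matching concrete, here is an added example (not code from the original article, and not Apple’s, Google’s or DP-3T’s own implementation) of a simplified scheme in the style of DP-3T’s low-cost design: a daily key that is hashed forward each day, a set of short-lived identifiers derived from it, a local log of heard identifiers, and an on-device match against the keys a diagnosed user publishes. The names, the 15-minute epoch, the 60 dB attenuation threshold and the three-device scenario are all assumptions for illustration, and HMAC-SHA256 stands in for the AES-based PRF/PRG that the real specifications use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

EPOCHS_PER_DAY = 96   # one identifier per 15-minute epoch (assumed; real schemes roll every 10-20 min)
EPHID_LEN = 16        # 128-bit identifiers, as in DP-3T and Exposure Notification


def next_day_key(sk: bytes) -> bytes:
    """One-way ratchet SK_{t+1} = H(SK_t): publishing SK_t reveals later days, never earlier ones."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes) -> list[bytes]:
    """Derive the day's short-lived identifiers from the day key.
    HMAC-SHA256 is the PRF, and an HMAC-over-counter expansion stands in for the
    AES-CTR PRG of the DP-3T design (a simplification made for this example)."""
    broadcast_key = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    return [
        hmac.new(broadcast_key, i.to_bytes(2, "big"), hashlib.sha256).digest()[:EPHID_LEN]
        for i in range(EPOCHS_PER_DAY)
    ]


@dataclass
class Observation:
    ephid: bytes
    day: int
    minutes: int          # how long the identifier kept being heard
    attenuation_db: int   # tx power minus RSSI: a noisy proxy for distance


@dataclass
class Device:
    day0_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    observations: list[Observation] = field(default_factory=list)

    def day_key(self, day: int) -> bytes:
        sk = self.day0_key
        for _ in range(day):
            sk = next_day_key(sk)
        return sk

    def broadcast(self, day: int, epoch: int) -> bytes:
        """What the phone advertises over BLE in this epoch: unlinkable without the day key."""
        return ephids_for_day(self.day_key(day))[epoch]

    def hear(self, ephid: bytes, day: int, minutes: int, attenuation_db: int) -> None:
        """Log an identifier received from a nearby phone. This log never leaves the device."""
        self.observations.append(Observation(ephid, day, minutes, attenuation_db))

    def diagnosis_upload(self, first_infectious_day: int) -> tuple[int, bytes]:
        """After a positive test the user consents to publish ONE key: the day key for the
        first infectious day. The server learns nothing about whom this phone met."""
        return first_infectious_day, self.day_key(first_infectious_day)

    def exposure_minutes(self, published: list[tuple[int, bytes]],
                         days_valid: int = 14, max_attenuation_db: int = 60) -> int:
        """Run locally: regenerate every identifier the diagnosed users could have
        broadcast and intersect with what this phone actually heard. Only contacts
        at or below the attenuation threshold (assumed 60 dB) count towards risk."""
        risky: set[tuple[bytes, int]] = set()
        for start_day, sk in published:
            for day in range(start_day, start_day + days_valid):
                risky.update((e, day) for e in ephids_for_day(sk))
                sk = next_day_key(sk)
        return sum(
            o.minutes for o in self.observations
            if (o.ephid, o.day) in risky and o.attenuation_db <= max_attenuation_db
        )


def demo() -> tuple[int, int]:
    """Constructed scenario: Alice meets Bob three times and passes Carol at a distance."""
    alice, bob, carol = Device(), Device(), Device()
    # Day 4: Alice and Bob sat together, but Alice was not yet infectious.
    bob.hear(alice.broadcast(4, 30), day=4, minutes=40, attenuation_db=45)
    # Day 5, epoch 40: Alice and Bob share a bus for 25 minutes; Carol is across the street.
    bob.hear(alice.broadcast(5, 40), day=5, minutes=25, attenuation_db=50)
    carol.hear(alice.broadcast(5, 40), day=5, minutes=25, attenuation_db=75)
    # Day 6: a shorter meeting.
    bob.hear(alice.broadcast(6, 10), day=6, minutes=10, attenuation_db=55)
    # Alice tests positive, infectious from day 5. This (day, key) pair is all the server stores.
    published = [alice.diagnosis_upload(first_infectious_day=5)]
    return (bob.exposure_minutes(published),    # 35: days 5 and 6 count, day 4 does not
            carol.exposure_minutes(published))  # 0: too far away to count


if __name__ == "__main__":
    print(demo())
```

Two properties worth noticing when you run it. The `published` list, which is everything a server would hold, contains no observations at all, so a breach of that server leaks who tested positive but never who met whom. And because the day key is ratcheted one way, the key for day 5 cannot be turned into day 4’s identifiers, so Bob’s day-4 contact correctly stays invisible even though Alice later published a key. Real deployments add transmit-power metadata to the advertisement to improve the attenuation estimate, and gate uploads behind a one-time code from the health authority so that false positives cannot be reported at will.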
Impact of this technology
Using this technology means the spread of the virus can be tracked safely, securely and privately, giving everyone the power to help bring this pandemic to a swift and safe close. Technology has a decisive role to play here, and within the technology industry there are voices we must listen to. We have the power in our hands to make a real impact without sacrificing the privacy and security of our data.
With great power comes great responsibility, and given the implications it is extremely important that both privacy and security play a defining role in how this technology is developed and implemented, to deliver a safer global community, virtually and physically.
Governments such as Germany’s were developing their own centralised solutions, in line with the UK’s NHSX (the health service’s digital innovation unit). But after pressure from global industry experts, and having reviewed their options against the advice of those groups, they decided a decentralised approach was the best way to protect the privacy and security of their citizens.
Governments such as the UK’s and Australia’s are going with their own centralised solutions, which have been strongly contested by the same advisory groups because of all the privacy and security concerns raised above.
These concerns are already being realised: leaks have shown flaws in the UK’s system as it is being developed, particularly around leakage of users’ data, the incredibly long time your data would be stored out of your control (up to 20 years), and the accuracy of what is being collected. The first two are avoided by design in the system-level APIs provided by Apple and Google, because the contact log stays on the device and identifiers are exchanged device-to-device; the third is helped by the background Bluetooth access that only the platform vendors can grant.
It raises the question of why we are making it harder for ourselves and going with the worst solution available.
Update on 18/06/20 at 7pm:
In a major U-turn, the UK government has just confirmed that it is now pursuing the joint Apple-Google approach. This is a greatly welcomed change that will keep UK citizens’ privacy and security at the forefront while also enabling the best technology for track and trace to be used.
Having seen news of the UK’s implementation being delayed and full of holes, it is a shame to read that the reasoning given was Apple’s restrictions on Bluetooth use for track and trace, framed as the primary problem. This is not a fault on Apple’s part, and it is no surprise that Apple provided no ‘fix’ to assist.
Those restrictions on Bluetooth exist precisely to stop apps tracking users in the background and to prevent other privacy and security exploits against them. Apple and Google provided a joint solution to this problem and proposed it as the official, purpose-designed route, backed by the best and brightest among us, which other governments have adopted as the best approach without issue.
White papers are available to view for all of the above information at the following sources:
Contact us or book a demo now to understand how Kamma can solve property licensing for you.