Here are some initial thoughts about the Government of Alberta’s COVID-19 contact tracing application, ABTraceTogether, from one of our co-founders, Chris Nowell.
Chris audited Information Security controls at the Ministry of Health with the Office of the Auditor General of Alberta and has performed assessments of the healthcare application NetCare, Primary Care Network (PCN) and clinic privacy, cybersecurity, and compliance with ThreeShield Information Security Corporation. He holds Certified Information Systems Security Professional, Certified Information Systems Auditor, and other cybersecurity certifications.
Disclaimer: I haven’t audited the application's source code and have not yet received the application's encryption standards or the Privacy Impact Assessment (PIA). However, I have confirmed that the Office of the Information and Privacy Commissioner of Alberta has received the PIA, and the review process is underway. The following are my personal opinions and may not reflect the positions of ThreeShield Information Security Corporation or the Auditor General of Alberta.
ABTraceTogether’s design, as described on its website, follows or exceeds the best practices that I like to see in this kind of application.
Best-In-Class Affirmative Consent
ABTraceTogether stores encrypted data on cell phones. The app requires an infected person contacted by Alberta Health Services (AHS) to decide whether to upload it. ABTraceTogether is an excellent example of affirmative consent: it goes beyond an “I agree” checkbox at installation. It requires someone to go through the process of pressing the share button when it’s actually needed.
Minimal Personal Data
The personally-identifiable information is the minimum: a phone number. Privacy laws treat combined personal information (like a name AND a phone number) more seriously than just one item, like a phone number. We also don’t like to see any more information collected than necessary. A phone number to call a potentially infected contact is the perfect example of the minimum amount of information that should be collected. This is much better than in other jurisdictions with similar apps. Other places have collected phone contacts to invite friends to join the apps or GPS data to correlate times and places. Alberta isn't doing either of these things. This app has access to less data than many Bluetooth earbuds.
The new Apple/Google solution (which is still waiting for some iPhone updates to work properly) goes further by not collecting phone numbers at all. Instead, diagnosed users enter a code into the app to indicate that they are infected. This code causes the phone to upload all of the Bluetooth identifiers that it used over the last two weeks to a central server. Every night, the other phones download these codes to check whether they have been in contact and notify the affected users.
On one side, the Apple/Google approach is less prone to phishing and doesn't collect any personally-identifiable information. However, on the other, the code could potentially be misused to trigger a bunch of false reports. It could also start to consume a lot of data and storage space as the database of infected users grows.
They Don’t Want Your Data
According to the website, there are controls in place to prevent accidentally uploaded information from being accepted. This means that information about phones that my phone passes by won’t be used unless it’s useful for COVID-19 tracing.
No Combined Data
The privacy statement indicates that the phone number isn’t used for any other purpose and isn’t correlated with a health care number or any other information. This follows privacy laws, and I expect that the Privacy Commissioner is verifying this. The app’s website also indicates that aggregated statistics will be anonymized.
Minimum Data Retention
Contact records (encrypted tokens stored on individual cell phones that likely link to phone numbers in a central database) are retained for only 21 days. Thinking about the time when people tend to go to the hospital and require care, that seems like the low end of the justifiable retention period. The new Apple/Google contact tracing system, which will be available in a few months, stores data for 14 days. However, I suspect that decision has more to do with the amount of data that it transfers and stores than privacy concerns.
Minimal Contacts With High Thresholds
Potential contacts that ABTraceTogether records are only those who are close to you for 15 minutes or more. That means that everyone I come close to won’t be able to track me — that’s better than the built-in NFC and Bluetooth on most devices. Frankly, I would have probably used a lower threshold. (Note: I haven’t found a reference to this 15-minute threshold on the website; however, Dr. Hinshaw mentioned it in her media availability.)
ABTraceTogether records contacts after it uses the Bluetooth signal strength to calculate that two phones are within approximately 2 metres of each other. This is another intentional effort to decrease data collection since most cell phones have a Bluetooth range of about 10 metres.
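To make the two thresholds above concrete, here is an added worked example (my own illustration, not code from ABTraceTogether or its developers) of how a phone can turn raw Bluetooth sightings into contact records: an RSSI reading is converted to an approximate distance, only sightings within 2 metres count, a token is confirmed as a contact once it has accumulated 15 minutes of close-range time, and anything older than 21 days is purged. The transmit-power reference of -59 dBm, the path-loss exponent, the one-minute scan interval and the sample readings are all assumptions I constructed for the demonstration; the app's real calibration is not published on the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed calibration values (constructed for this example, not from the app).
TX_POWER_DBM = -59.0        # assumed RSSI measured at 1 metre
PATH_LOSS_EXPONENT = 2.0    # free-space-like propagation
SCAN_INTERVAL = timedelta(minutes=1)  # assumed time between Bluetooth scans
# Thresholds taken from the post.
PROXIMITY_METRES = 2.0
MIN_DURATION = timedelta(minutes=15)
RETENTION = timedelta(days=21)


def estimate_distance(rssi_dbm: float) -> float:
    """Log-distance path-loss model: a common but noisy RSSI-to-metres estimate."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


@dataclass
class Sighting:
    token: str          # the other phone's rotating identifier, not a phone number
    seen_at: datetime
    rssi_dbm: float


@dataclass
class ContactLog:
    close_time: dict = field(default_factory=dict)  # token -> accumulated close-range time
    last_seen: dict = field(default_factory=dict)   # token -> last sighting time
    confirmed: dict = field(default_factory=dict)   # token -> time the 15-minute bar was met

    def observe(self, s: Sighting) -> bool:
        """Count a sighting only if the distance estimate is within 2 m.
        Returns True on the sighting that first crosses the 15-minute threshold."""
        if estimate_distance(s.rssi_dbm) > PROXIMITY_METRES:
            return False  # too far away: nothing is stored at all
        self.close_time[s.token] = self.close_time.get(s.token, timedelta(0)) + SCAN_INTERVAL
        self.last_seen[s.token] = s.seen_at
        if self.close_time[s.token] >= MIN_DURATION and s.token not in self.confirmed:
            self.confirmed[s.token] = s.seen_at
            return True
        return False

    def purge(self, now: datetime) -> int:
        """Drop every record last seen more than 21 days ago; returns how many were removed."""
        stale = [t for t, seen in self.last_seen.items() if now - seen > RETENTION]
        for t in stale:
            self.close_time.pop(t, None)
            self.last_seen.pop(t, None)
            self.confirmed.pop(t, None)
        return len(stale)


def run_demo():
    """Constructed scenario: three tokens with different ranges and durations."""
    start = datetime(2020, 5, 4, 12, 0)
    log = ContactLog()
    for i in range(20):
        t = start + i * SCAN_INTERVAL
        if i < 15:
            log.observe(Sighting("A", t, -62.0))  # ~1.4 m for 15 scans -> confirmed
        log.observe(Sighting("B", t, -75.0))      # ~6.3 m: never close enough to record
        if i < 14:
            log.observe(Sighting("C", t, -60.0))  # ~1.1 m but only 14 minutes -> not confirmed
    confirmed = sorted(log.confirmed)
    purged = log.purge(start + timedelta(days=22))   # 22 days later everything is gone
    return confirmed, purged, len(log.last_seen)


if __name__ == "__main__":
    print(run_demo())  # (['A'], 2, 0)
```

Note what never reaches storage: token B is dropped before any record is written, and token C's partial record disappears with the purge. The distance estimate is deliberately simple; real RSSI varies with phone model, pocket versus hand, and body orientation, which is why the 15-minute accumulation matters more than any single reading.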
No Geographical Data
Unlike many other contact tracing apps, ABTraceTogether doesn’t use geographical location data to track where the contact took place. Unfortunately, Android requires the “ACCESS_FINE_LOCATION” permission for applications that request Bluetooth connections on Android versions above 9 (API level 29 or higher). This is bound to cause some confusion, but this is an Android policy that the ABTraceTogether developers can’t control. The lack of GPS data shows remarkable restraint. If you are concerned about apps tracking your every move, you might want to disable this “feature” in Facebook.
Personal Information Not Shared Between Phones
Contacts are stored using an identifier that seems to be a time-based key that is likely combined with other security features to encrypt the contact’s phone number. This follows best practices and is much better than most other systems. I’m looking forward to learning about the hashing implementation; however, the design shows an excellent job of de-identifying the information in the way that it is stored and of not combining information.
Opt-Out and Right to Be Forgotten
There are opt-out and right-to-be-forgotten processes in place, which are now mandatory.
The New Apple/Google Contact Tracing System
The main three differences are:
- The new system will allow the iOS app to run without being on the screen.
- The Apple/Google system is fully automated without a human being immediately available when someone receives a notification. It requires that people who receive a positive diagnosis also receive a code, which they need to enter into the app.
- The new system won’t be fully available for “a few months.”
The new Apple/Google system records exchanges of Bluetooth codes that change every 10 to 20 minutes between phones that are within customizable time and distance thresholds. They will retain these codes on phones for 14 days, which is even less than the ABTraceTogether app.
This new system will take an automated approach. Users will enter a code into the app to indicate that they are diagnosed as infected. Those with phones that recorded the diagnosed user receive automated notifications instead of a call from a public health authority. This removes the need for a phone number in a central government database. However, it also creates potential vulnerabilities that could introduce false infection reports and removes the opportunity for tailored human support.
The automated updates will come as part of daily downloads of the Bluetooth codes that change every 10 to 20 minutes from infected users’ phones. This will require more wireless data than the ABTraceTogether app. The large download requirement is likely why Apple and Google decided to limit their system to geographically-restricted governments and why they are purging data within 14 days, even though that seems a bit too tight.
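The three paragraphs above describe a decentralized flow: rotating Bluetooth codes, a diagnosis upload that contains nothing but those codes, a nightly download, and a match performed on each phone. The following is an added example of my own (not Apple's or Google's published code) that walks through that flow end to end. It assumes, as a simplification, that each day's codes are derived from a per-day key with HMAC-SHA256 and that the diagnosed phone uploads only its last 14 daily keys; the 10-minute rotation and 14-day retention come from the post, while the seeds, dates and the "Alice/Bob/Carol" scenario are constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import date, timedelta

ROTATION_MINUTES = 10                       # from the post (10 to 20 minutes)
IDS_PER_DAY = 24 * 60 // ROTATION_MINUTES   # 144 identifiers per day
RETENTION_DAYS = 14                         # from the post


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one 10-minute interval of a day.
    HMAC-SHA256 truncated to 16 bytes is an assumed stand-in for the real derivation."""
    return hmac.new(daily_key, interval.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, seed: bytes):
        self.seed = seed            # device-local secret; never leaves the phone
        self.daily_keys = {}        # date -> per-day key
        self.heard = {}             # identifier heard from others -> date heard

    def daily_key(self, day: date) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = hmac.new(self.seed, day.isoformat().encode(), hashlib.sha256).digest()
        return self.daily_keys[day]

    def broadcast(self, day: date, interval: int) -> bytes:
        return rolling_identifier(self.daily_key(day), interval)

    def hear(self, identifier: bytes, day: date) -> None:
        self.heard[identifier] = day

    def purge(self, today: date) -> None:
        """Both heard identifiers and own keys age out after 14 days."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.heard = {i: d for i, d in self.heard.items() if d > cutoff}
        self.daily_keys = {d: k for d, k in self.daily_keys.items() if d > cutoff}

    def diagnosis_upload(self, today: date):
        """What leaves the phone once the user enters their diagnosis code:
        the last 14 daily keys only. No phone number, no location, no contact list."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return [(d, k) for d, k in sorted(self.daily_keys.items()) if d > cutoff]


def match(phone: Phone, published_keys) -> list:
    """Nightly local check: re-derive every identifier the published keys could have
    produced and intersect it with what this phone heard. Returns ISO dates of matches."""
    hits = set()
    for day, key in published_keys:
        for interval in range(IDS_PER_DAY):
            ident = rolling_identifier(key, interval)
            if ident in phone.heard:
                hits.add(phone.heard[ident])
    return [d.isoformat() for d in sorted(hits)]


def run_demo() -> dict:
    d0 = date(2020, 5, 1)
    alice, bob, carol = Phone(b"alice-seed"), Phone(b"bob-seed"), Phone(b"carol-seed")
    for offset in range(4):                  # Alice's phone generates a key each day
        alice.broadcast(d0 + timedelta(days=offset), 0)
    for interval in (72, 73):                # Alice and Bob overlap for two intervals on d0
        bob.hear(alice.broadcast(d0, interval), d0)
        alice.hear(bob.broadcast(d0, interval), d0)
    carol.hear(bob.broadcast(d0, 80), d0)    # Carol only ever meets Bob
    published = alice.diagnosis_upload(d0 + timedelta(days=3))  # server stores just these keys
    result = {
        "bob": match(bob, published),
        "carol": match(carol, published),
        "published_days": len(published),
        "ids_per_case": len(published) * IDS_PER_DAY,  # identifiers each phone re-derives
    }
    bob.purge(d0 + timedelta(days=15))       # a late publication finds nothing after purge
    result["bob_after_purge"] = match(bob, published)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The server in this model learns only which daily keys belong to diagnosed users; matching happens on the handset, which is why no phone number is needed. The cost is visible in `ids_per_case`: every phone re-derives 144 identifiers per published day per case, and the download grows with the number of diagnosed users, which is the data-volume pressure the post identifies as the likely reason for the 14-day purge.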
Apple and Google have released the source code for this new system, which they announced on April 10, 2020. However, the iOS and Android updates that will make this system possible will be released in “the coming months.”
The ABTraceTogether app is already out and adopted by more than 100,000 people as of May 4th, 2020. Hopefully, a new version will be released for iOS after Apple releases their updates to allow it to work in the background.
iPhone App Must Be Active
One frustration with the iOS version is that it must be the active “foreground” app on your phone. This is because of the way iOS treats Bluetooth events with applications that aren’t displayed in the foreground. Google and Apple are working together to create a contact tracing system that will remove this requirement. However, in the interest of time and reliability, it seems that the app developers decided to use the foreground mode in the first version instead. This means that when you switch applications, it goes into the “background” and eventually stops running.
Unfortunately, about 52% of Canadians use iOS compared to about 48% that use Android. By frustrating roughly half of Albertans with the foreground mode requirement, that reliability benefit will likely significantly hurt adoption. Singapore, Australia, and other countries have also had negative reviews from Apple users because of this same problem. However, Android has a 66% market share in Singapore and a 57% market share in Australia. Despite this problem, I find it interesting that the Australian iPhone app has 4.3 stars and their Android app only has 3.8 stars. It seems that Australians are experiencing additional Android permission requests that I haven't experienced on my own device. So far, Albertans have given the iPhone app 3.5 stars and the Android app 4.4.
On Android, the app needs permission to run in the background and allows Bluetooth scanning as long as high-resolution location permissions are granted — even when GPS isn’t used.
Some of the technical limitations that I believe led the developers to require the app to run in the foreground until the Apple/Google tracing system is released include:
- iOS can unexpectedly terminate applications running Bluetooth in the background.
- The signals that devices need to find other Bluetooth devices can be unpredictable.
- If iOS sees the same device several times while the background app is running, iOS combines all of those events into one discovery event. If the app’s design recorded every contact, that might be okay. However, it might have prevented a design that requires phones to see each other for 15 minutes before transferring data.
- Although iOS can wake up a background app for certain events, it only has 10 seconds to complete a task after being woken up.
- Some of the background limitations can be overcome by requiring user interaction at each event; however, that would make the app too annoying to use.
The developers could have overcome these limitations to allow it to run in the background. However, it would have come at the cost of reliability and privacy. It looks like they chose to limit data capture and ensure reliability over increasing adoption at all costs. Given the privacy concerns that this sort of an app raises, I respect this choice.
Of course, using foreground mode also comes with its tradeoffs: the app will suspend itself shortly after going into the background state. While suspended, it won’t be aware of any Bluetooth activity and won’t work at all. There seems to be a conscious decision for ABTraceTogether to work properly when it’s running on iOS instead of unreliably. I assume that a new version will be released in a few months to fix this problem. Right now, it’s simple for Android users and a bit inconvenient for iOS users.
Does Apple Take Bluetooth Privacy More Seriously than Android?
Although there are privacy advantages to hobbling Bluetooth on apps that aren’t displayed on the screen, the limitations seem to target battery life more than privacy. Apple doesn’t prevent apps running in the background from identifying other Bluetooth devices, which could be combined with other information to confirm known locations. It just combines notifications about devices, slows down the way those apps can find other devices, and shuts them down if it needs to save battery power.
I continue to have concerns about how long it has taken for AHS to document and implement some findings that I wrote over a decade ago with the Office of the Auditor General. However, the people that I have met in Alberta Health Services, the Ministry of Health, and other health organizations in Alberta have our best interests at heart. They generally implement security controls that exceed those in the rest of the Government of Alberta. This has been a point of frustration for me because they require separate testing procedures to make sure that they meet their own high bar. However, it’s also part of the reason why I installed this app the moment Dr. Hinshaw mentioned it.