As a privacy designer I wanted to point out that the bluetooth-based contact tracing apps are not anonymous, even though they were often called that in public discourse. I also wanted to show how a bluetooth-free solution could work. This resulted in two websites:
CoronaDetective.eu reveals that the contact tracing apps that most European countries use were not guaranteed to remain anonymous.
How it works
First, it shows how easy it is to figure out which people around you have installed bluetooth-based covid tracking apps. You may know that websites can gain access to your webcam if you give permission. But did you know websites can also request permission to scan for Bluetooth signals? CoronaDetective uses this to scan for the specific type of bluetooth signal that covid tracking app emit. Next, it allows you to find out which phone likely belongs to which person in the room. For example, if John just entered the room, and at the same time a new bluetooth signal appears, you can infer that the signal likely belongs to John.
Once you figured this out, you can keep a list of matches. You make a note of it: John has emitted code H83Jk4fS. This code changes every 15 minutes, but that doesn’t protect John’s privacy: if he gets infected, his app will upload all the codes he has emitted over the last few days. Including code H83Jk4fS.
If John self-reports that he has covid, then it’s made public that code H83Jk4fS belongs to someone who at that time was likely already infected. Normally, all apps download these code to check if they had seen them. If so, they can tell you that you were in the vicinity of someone with covid, without telling you it was john.
However, because you used CoronaDetective to link that code to John’s identity wat back when he was broadcasting it, you now discover that John had gotten covid. You have broken the “anonimity” of the system, be it on a small scale. (Technically the system was never anonymous in the first place, it was pseudonymous).
One political issue is that these contact tracing apps rely on underlying software in mobile phones that Google and Apple have quickly rolled out. While the contact tracing apps were promoted as being open source, in reality they are only a thin shell around Google and Apple’s software. And their software isn’t transparent. Can you call the entire system transparent if only a part of it actually is?
With CoronaDetective I also wanted to point out a more serious problem, which if of a more philosophical nature. However well intended, the contact tracing apps may have set a precedent. It’s the first time we have used a government issued app to scan eachother on a massive scale. That’s why CoronaDetective’s interface would slowly become more dystopian the more it was used.
The “I told you so” moment
A few months later, it was releaved that there were indeed issues with Google’s system, stemming from the lack of transparency. Google’s framework had logged the sensitive codes that were broadcast via bluetooth to Android’s internal logs as well. Other (pre-installed) Android apps could access this ever changing stream of codes – although it’s unclear if this actually occured. These apps could have done the same thing CoronaDetective does – matching codes with the identity of the phone users – but on a much larger scale.
To the pubic that was sold a fully anonymous system, this was a shock. A shock that, gauging by the outrage on social media, may have eroded trust in the government further. A shock that could have been avoided.
During my research into contact tracing technologies I learnt that New Zealand has a different approach. They let people scan QR codes, which patrons would print out and put up all around cities.
Their approach had so many advantages over the bluetooth technology that I felt compelled to make a second website that showcases how this could work. I was able to create a working prototype called CoronaMilder.nl – a pun on CoronaMelder, the name of the official Dutch contact tracing app.
How it works
If users give the website access to their phone’s camera, then they can scan QR codes.
The website also allows you to print out QR codes onto paper or show them on digital screens. These codes are essentially random numbers, for example 287421. The idea is that traincars, supermarkets, work meetings or birthday parties can display a code somewhere (a different one each day), and then people visiting those places/meetings record that they were at that code at that time.
For example, you can record that you entered the supermarket at 12:30 by pressing the ‘checkin’ button and scanning its current QR code. Optionally, you can remember exactly when you left by pressing the ‘checkout’ button and scanning the code again.
Josephine entered the supermarket at 12:32, and a day later learns she has covid. Josephine can now share with the world that code 287421 (the supermarket on tuesday) may have been risky between 12:30 and 12:45. Just as with the current contact tracing apps, you can now be alerted that you were near someone with Covid, without knowing that it was Josephine.
I have documented the advantages (and disadvantages) in more detail on the website, but to give a quick overview:
- No Google or Apple framework is required, so these third parties don’t need to be relied on.
- No app to install, the website is all you need. This lowers the threshold to adoption, and it can run on a larger variety of devices, including older phones.
- It makes scanning an active and precise activity, giving people more control over what situations they want to record.
But the most important one for me is a philosophical argument. The bluetooth apps work by having people emit codes, and having other people scan those codes. It’s a system where we trace people. With the QR codes solution we are instead tracing meetings. When John shares codes using CoronaMilder, he’s not sharing codes that uniquely represent him. This difference alone would, for me, make a QR-code based solution the prefered option.
There are some downsides at well – no system is perfect. But I wished we had a public debate about which option we prefered. We might have concluded we would like an app that has both options – England and Germany have expanded their apps to support both methods.
In the media
CoronaDetective was officially released and was able to gain attention in the Dutch press. Some examples:
- NOS.nl – “overheid weet niets, boefjes misschien wel“.
- Security.nl “privacy ontwerper: coronaMelder app niet volledig anoniem“.
- Parool (Dutch newspaper) Techcriticus: ‘CoronaMelder is niet anoniem, maar pseudoniem’
I was also able to speak on the subject at public debates, and give a live demonstration at Dutch Design Week as part of their “battle for the internet” show.
CoronaMilder wasn’t officially released since I worried that the government might not appreciate the work. In theory only the government is allowed to create contact tracing apps.
I was very careful in releasing CoronaDetective, and first made sure they and the Dutch privacy authority were aware of the project, and understood which safety precautions I had taken to avoid actual abuse. As part of our arangement I also disabled the scanning functionality on the 31st of december 2020.
CoronaDetective and CoronaMilder were built on existing open source code.