COVID-19 exposure notification apps privacy concerns (GAEN API / COVID Alert SA)

Speaking of Covid, here is a poll.

Will you be using the Government’s Covid app?

  • I have already installed the Government’s Covid app.
  • I will be installing the Government’s Covid app.
  • No, I won’t install the Government’s Covid app!



Folks, the “government’s” COVID app is the same app that’s being rolled out all over the world based on the Google-Apple API.

Before kneejerking yourselves into apoplexy, just take a look at the permissions the app requests and find out a bit about what ACTUALLY happens when the app alerts you that you’ve potentially been exposed to the coronavirus.

You know, instead of listening to resident South African tech experts like The Kiffness.


I wouldn’t install their apps either.

I don’t really care about the permissions.

I thought the credit card thing was a joke.

Strong arguments. I feel myself becoming convinced already.

That’s cherry-picking. Yes the credit card thing was a joke. His earlier tweet(s) was/were not.

In fact, you can see from his Twitter feed that he doubled down on making potentially very damaging statements from a position of ignorance:

Such an invitation is all very well and good if the man didn’t help seed doubt on Twitter in the first place.


Just found this via Singe/Dominic White on Twitter. Dominic heads up SensePost here in South Africa. He’s a top notch hacker and his endorsement counts for a lot.

In this Twitter thread, another hacker called Marcus Mengs takes a deep look at the COVID Alert SA app:



I’m not really trying to convince you. You have your view, which is pretty strong in one direction, and I have mine. I’m just not convinced by a virus that so many people can get but not realise they have it unless they are tested using a test that was never meant to be used for that purpose.

Not trying to start a war or anything, I just need to get my view out to other people than those that agree with me.

I didn’t realise there were more tweets. I don’t follow the dude on Twitter. I saw that in a retweet.


That part was a (bad) joke and hopefully a more lighthearted way to point out that you are making a statement of opinion rather than one of fact.

I am always open to being convinced that I’m wrong. Comes with the territory.

I do hope that the strength of my opinion is correlated with my familiarity with the facts.

Since I am neither an epidemiologist nor virologist (but am well read), I hold my opinions on COVID-19 lighter than I do my opinion on the COVID Alert App.

RE: The Alert App… I am an advocate for end-to-end encryption and online privacy. My track record should speak for itself there. If I weren’t a journalist, I would be a crusader for peoples’ right to privacy in a world where mass surveillance has become dead easy and goes hand-in-hand with being able to mass-distribute propaganda on social media in a way that has provably influenced peoples’ opinions.

There’s a lot wrong here, or at least a lot I don’t understand about the logic you follow to your conclusions. But as you say you have a pretty strong view on the subject so it’s probably not worth derailing this topic.

Sorry, that was a poor assumption on my part. There are earlier tweets where The Kiffness asserted without evidence that the app will not respect people’s privacy.


Regarding the app, it’s not the app itself that’s a problem, it’s that it’s opening the door for undesirable crap that will stick around afterwards (just like the Patriot Act and all that other crap).


For now, you can just uninstall the app when the pandemic is over.

In future, if Google and Apple decide to build this feature into their phones at the operating system level you’ll be SOL. I don’t see Apple easily going that way, though. For all their faults, Apple has been pretty staunch about protecting people’s privacy — even the privacy of murderers.

That said, with social media apps the horse has already bolted. The undesirable crap that will stick around afterwards is already built into Facebook, Twitter, LinkedIn, TikTok, the works…

The fight now is to get it out, and choosing not to install an essential app during a public health crisis is not going to move that needle.

My 2c.


I haven’t read the terms and such, but I would have to check to see if a one-time install is an opt-in permanently (with or without the app), which would make it easier to slip it in OS level.

Thankfully I don’t have any devices capable of running the app anyway, so it’s a non-issue for me. For now…


Some compelling arguments and view points here.

I definitely seem to be in the minority here, and this is partly why I don’t get involved in these types of discussions. I practice empathy a lot, given it’s my job and the type of person I am, and want to be empathetic towards the needs of others. I can understand and respect both sides of the argument, especially those that have been affected, impacted and experienced occurrences of COVID.

That being said, I also do not want to install this COVID app for a few reasons. It’s not so much about the tracking and personal information bollocks either. Even if I have been in contact with someone otherwise in contact with COVID how will that help me? If I go and get a test, what good will that bring? If it turns out I’m positive, how will that affect me?

I am big on removing negativity from my and my family’s lives. We follow faith-based principles and teachings and believe we are protected by the blood of Jesus Christ. Does this make us immune? No! I am not being ignorant, nor are we being careless. We’re all open to COVID regardless of race, beliefs, ethnicity, rich, poor, etc.

Sorry, much like others here I also just had to put my perspective out, and air my concerns. I’ve mostly been quiet on this thread for obvious reasons.


As someone who appreciates empathy… the way I see it is that it’s not about you. It’s about the people you have potentially exposed unwittingly (remember even in symptomatic cases, you can go several days without showing any symptoms, but still be shedding/spreading the virus).

From a purely selfish standpoint… if you have the virus and get a serious case you want to make sure that you get treatment as soon as possible. This thing isn’t a joke or even “just a flu”.

(I put that in quotes because even flu isn’t “just a flu”. People’s lack of respect for a proper influenza outbreak is part of the reason we’re in this mess. Flu is a killer that deserves every bit of our respect. We’ve honestly been lucky we haven’t been hit with a novel strain of flu that could tear through the human race like the Spanish Flu epidemic of 1918 did.)

In the beginning we thought it was “just” going to be a respiratory virus. Turns out this thing thickens blood and causes blood clots, which in turn cause strokes and everything else that goes with clots.

So there are two reasons. One selfish, one empathic.



  • Lawyer Emma Sadleir gives the app her legal stamp of approval.
  • Hackers Dominic White and Marcus Mengs give the app their technical stamp of approval.

Unrelated: Oooh LBRY video! I haven’t seen one linked in the wild before!

Update: OK, I’m 4:30 into the video and while the guy starts making a good argument regarding how your device might be deanonymised, he loses the plot by assuming that the GAEN API uses the Bluetooth MAC address.

GAEN doesn’t use your Bluetooth MAC address, but cryptographically generated tokens — random IDs which each device only stores for 14 days.

While some malware or sophisticated cryptanalysis could be used to deanonymise a device’s COVID tokens, I fail to see a purpose for that kind of attack. There are much easier ways to track people’s movements, if that’s what you’re after.


So I am willing to download the app and I have heard a few podcasts and news articles.

I just struggle to understand the following. Maybe I missed something, or I might find the answer in a bit, but I don’t understand how this works at the moment.

So now I have the app. Cool, you go to the store and go shopping etc. I now get sick, I go get tested and come back positive, and having tested positive one goes into self-isolation. Cool, now I go onto the app and click the button to say I was tested positive. How does the app now let the others I was in contact with know, when I was infected/got infected, without being an online-based application?

I am all for using tech for the better of people’s health and to help prevent people from getting sick and making others sick. Seeing that we are in RSA and the Government is not the most trustworthy, how can people then trust this app?

Another thing I will maybe look into this week, or maybe someone has. I have seen a lot of people talk about how they don’t want to be tracked or have numbers leaked. But Bluetooth has vulnerabilities. I am by no means an expert in this field; it just seems to me that having your device looking for connections to other devices is dodgy.


At that point the app goes online. So the app will upload your randomly generated tokens to a server, which distributes them (via Push, I believe) to other app users. That is the only Internet communication that happens (as verified by Marcus Mengs).

So when someone sends out a notification that they have tested positive, your app will receive those tokens and check it against the list of tokens you have received from other people over the past 14 days. If one or more of the tokens match, that means you have potentially been exposed and the app will let you know.

Otherwise the app does nothing.

Yeah it’s because of the historical vulnerabilities in Bluetooth that this app couldn’t work without an API from the OS developer (i.e. Apple and Google). In closing up the security holes in Bluetooth, they made it impossible for third-party developers to build an app like this.

The only way to do it is with the Google-Apple Exposure Notification API. You’ll see techies throwing around the acronym GAEN.
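The upload-and-match flow described in this post (random tokens broadcast over Bluetooth, a one-off upload of keys after a positive test, matching done on each phone against what it heard over the last 14 days) as a small runnable model. This is an added example written for this thread, not the COVID Alert SA app’s code and not the real GAEN specification: the real API derives its rolling identifiers from a daily key with HKDF and AES, which is replaced here by truncated HMAC-SHA256 purely for readability. The phones, days, intervals and the 144-identifiers-per-day figure are all constructed for the demonstration.

```python
"""Simplified model of a GAEN-style exposure-notification exchange.

Added illustrative example, NOT the COVID Alert SA app or the real GAEN
key schedule. The derivation below (HMAC-SHA256, truncated to 16 bytes)
is a stand-in for the real HKDF/AES construction. All phones, keys and
observations are constructed for this demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

RETENTION_DAYS = 14   # the thread's "each device only stores for 14 days"
IDS_PER_DAY = 144     # assumed: one rolling id per 10-minute interval


def rolling_id(daily_key: bytes, day: int, interval: int) -> bytes:
    """Identifier broadcast in one interval, derived from that day's key.
    Stand-in derivation; the point is that ids change every interval and
    cannot be linked to a phone without the daily key."""
    msg = day.to_bytes(4, "big") + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)  # day -> random 16-byte key
    observed: dict = field(default_factory=dict)    # rolling id -> day heard

    def key_for(self, day: int) -> bytes:
        # A fresh random key per day; never leaves the phone unless uploaded.
        return self.daily_keys.setdefault(day, secrets.token_bytes(16))

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_id(self.key_for(day), day, interval)

    def hear(self, rid: bytes, day: int) -> None:
        self.observed.setdefault(rid, day)

    def prune(self, today: int) -> None:
        """Drop anything older than the retention window."""
        cutoff = today - RETENTION_DAYS
        self.observed = {r: d for r, d in self.observed.items() if d > cutoff}
        self.daily_keys = {d: k for d, k in self.daily_keys.items() if d > cutoff}

    def diagnosis_keys(self) -> dict:
        """What a positive-tested user uploads: only their own daily keys.
        The server never receives the list of ids this phone heard."""
        return dict(self.daily_keys)

    def check_exposure(self, published: dict) -> list:
        """Recompute every id the published keys could have produced and
        intersect with what this phone heard. Runs entirely on the phone."""
        hits = []
        for day, key in published.items():
            for interval in range(IDS_PER_DAY):
                if rolling_id(key, day, interval) in self.observed:
                    hits.append((day, interval))
        return hits


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob meet on day 3; Carol does not
    meet Alice. Alice tests positive on day 5 and uploads her keys."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.hear(alice.broadcast(day=3, interval=50), day=3)
    carol.hear(bob.broadcast(day=3, interval=51), day=3)

    published = alice.diagnosis_keys()          # the only upload that happens
    result = {
        "bob": bob.check_exposure(published),   # expected: matched (3, 50)
        "carol": carol.check_exposure(published),  # expected: no match
    }
    bob.prune(today=20)                         # day-3 contact now out of window
    result["bob_after_prune"] = bob.check_exposure(published)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Two properties the thread is arguing about are visible in the model: the server only ever holds daily keys of people who chose to report, so it learns nothing about who met whom, and the matching runs on each phone against its own 14-day memory, which is why Bob’s match disappears once the retention window passes. How often phones pull the published keys is an app/server policy that this model leaves out.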


Hmm, makes sense. So when you test positive it would push the tokens to the server. That said, how often do the phones, when they are online, do a pull to check if they have been in contact with someone that was infected?

Now on the other note, of trolls. What then happens when I go to a mall, go to a busy section and get into contact with tons of people, and then in three days I press the “I am positive” button? This would then cause chaos.


Very valid points indeed, from both perspectives. It always helps to take a higher/broader look at things; it gives some food for thought.

Also, please don’t get me wrong at all, I am not and was not downplaying the severity of COVID. I am fully aware of how important it is to spread awareness and knowledge of the virus. And just like the flu, I do agree that people don’t realise how critical the simple flu can be under the right circumstances, not just a seasonal virus.


Yeah, this is the only weakness of the app that I am worried about.

Hand-in-hand with absolute privacy is the fact that there are no consequences for fraud.

IIRC the Disaster Management Regulations make it illegal to misrepresent anyone’s COVID status, but how are you going to find out if someone fraudulently clicked the Alert others button?

So this system relies on good faith and the fact that most people are “Good” (as in the D&D alignment). We’ll see if that faith is misplaced or not.


I think that is correct from everything I have heard/read.

Yeah, if the app is pushing anonymity so hard, this will make it very difficult to find out, and if they did, can you imagine the backlash?!

Given human behaviour patterns and speaking from my profession, this is exactly the type of feature and function that people like to “experiment” with. We are creatures of habit and we learn by doing. Despite not wanting to cause harm. Not even speaking into those that like to cause these issues. Albeit I do agree that there is more good in people than news and media make out to be.