IAS Security Hero

What I'm doing about Contact Tracing apps during the global pandemic

The short answer is, I'm using the COVID Alert NJ [1] [2] app on my smartphone. I find it to be a safe, secure, and private way for me to participate in helping to stop the spread of COVID-19. That being said, I didn't trust the app blindly. I did research and testing to ensure it met my requirements for privacy and security. My findings are below in case it helps you make a choice on whether or not you participate as well. For more information about COVID-19 at the Institute, check out our COVID-19 Campus Check-in page [3] on our website. For more information from the Centers of Disease Control and Prevention, checkout their website as well [4].

What is Contact Tracing?

Contact tracing is a broad term used for methods to determine how a contagious disease is spreading. Used correctly, contact tracing can help to stop further infection by notifying individuals who have been exposed to quarantine. Here is the definition from the NJ COVID site.

"Contact tracing is the process used to identify those who come into contact with people who have tested positive for many contagious diseases – such as measles, HIV, and COVID-19 – and is a long-standing practice in New Jersey and around the world." [5]

There are two big issues regarding contact tracing. The first is that of privacy and ensuring that your private information is not exposed. Good contact tracing keeps your private information safe. This can be difficult to achieve in a way that puts people at ease. Keep reading though, we talk about this more further along. The second is getting as much participation as possible. Contact tracing works best with widespread adoption in order to identify as many potential exposures as possible. Mis-trust is often cited as a major issue to the effectiveness of contact tracing programs. [6] Hopefully, the information below will help dispel some of these concerns.

What is a Contact Tracing app? Which should I choose?

A contact tracing app is a program that runs on your smartphone and can help identify those you have come in contact with to determine if you are at risk of exposure. There are many different apps to choose from that claim to do contact tracing. If you want to participate, it is important that you determine which app is the best for your situation.

Apple and Google came together [7] to implement a version of MIT's Private Automated Contact Tracing (PACT) [8] schema called Exposure Notification Service (ENS) [9]. This methodology was created by a group of researchers and Mathematicians including Ron Rivest [10] of MIT and Adi Shamir [11] of the Weizmann Institute of Science in Israel. They created the RSA protocol [12] back in 1977, which is responsible for the majority of the encryption of data on the Internet today.

Am I sharing my private data by participating?

If you use an official COVID-19 ENS app, the answer is you are not sharing your private data. The way the protocol works is designed for privacy from the ground up. The various articles [13] that explain the protocol are interesting, but I realize that it takes time to read. Here is my take on the basics of the protocol.

  1. Everyone who installs the app generates a really big random number. The chance that two people generate the same random number is so low, that it is generally accepted as being impossible.
  2. Everyday, the app generates a daily number based off of the number in step 1.
  3. Every 10 minutes during the day (144 times), it generates a number based on the number in step 2.
  4. As you walk around, this number is broadcast from your phone.
  5. Other phones with the app installed in the vicinity pick up this random number and store it along with the date and time they were in contact. One other piece of information is saved, and that is the signal strength between the two phones when the number was received. This can be used to determine how far away from each other the phones were at the time to determine if it was within 6 feet or not.
  6. No location data is saved or transferred at any time in this process.

All the data at this point shared and saved is local to the phones. No data has been sent anywhere in the cloud, not to any government, nor to any business like Apple or Google for processing. So what happens when someone is infected, how does the contact tracing work?

  1. A person who has the app has symptoms of COVID-19 and takes a test.
  2. A representative from the Department of Health or local health department contacts the patient with the test results. Unfortunately, they tested positive.
  3. The representative asks if they have been using the COVID-19 contact tracing app. If so, they give a special key to type into the app. Without this key, nothing happens.
  4. Once the key is typed into the app, the user is prompted if they want to share their random numbers from the past 14 days. Once they hit yes, their random codes are sent to the system. No other personal information is sent, just the random codes which cannot be tied to an individual.
  5. On a periodic basis, all phones that subscribe to the COVID-19 ENS app download the list of random numbers from individuals who have tested positive for COVID-19.
  6. Then, these phones check their own database of random numbers they've come in contact with. If any of the random numbers from individuals who have tested positive is in their local database, the app alerts them that they have been exposed. This alert does not leave the phone, it remains private.

The system is able to keep all of the personal data separated from the contact tracing data. This model ensures that the right people know they've been exposed without public identification.

There is an option to share the application usage data when you first install it. This is to help the developers understand how the app is being used. Personally, I turn this data sharing off when I load the app. It is up to you if you want to help them with improving the app or not.

But, is it safe to use?

If you use an official app that utilizes the COVID-19 ENS system, you are safe. Make sure to verify that it is an official app that is supported by your state or region. For NJ, the Covid 19 NJ website has links to the official apps for NJ for both Android and Apple devices. [14]

Why are there so many Contact Tracing apps?

My recommendation is to use an official "COVID-19 ENS" application as advertised in the Google Play or Apple App Store. Using an app that has the COVID-19 ENS brand ensures that you are protecting your privacy. If you are unsure, please look for an official website from your state or region to see if they recommend a certain application. To utilize the ENS system built into Android and Apple, you can only use one app at a time. So if you travel between two different states frequently, I would recommend just installing one of the apps, wherever you spend the majority of your time. [15]

Are you using this app, Brian?

Yes I am. I read about the possible pitfalls of contact tracing, and read about the protocol as well. I pulled out my bluetooth scanning tools and verified that the numbers being sent were random, and that the phone address changed every 10 minutes. The app is approved by the Google Play Store and the Apple App Store, and the Avast! Mobile Security App [16] [17] on my phone said that it was safe to run as well. With all that being said, I have personally seen the impact of COVID-19 on friends and family. We need to pull together to keep ourselves as safe as possible. This app is one of the many ways we can help stop the spread of the virus.

All the best, and stay safe,

[1] https://apps.apple.com/us/app/covid-alert-nj/id1529622525
[2] https://play.google.com/store/apps/details?id=com.nj.gov.covidalert
[3] https://www.ias.edu/before-you-come-to-campus-daily-checklist
[4] https://www.cdc.gov/coronavirus/2019-ncov/
[5] https://covid19.nj.gov/faqs/nj-information/slowing-the-spread/what-is-c…
[6] https://www.sciencedirect.com/science/article/pii/S1201971215002593
[7] https://blog.google/documents/58/Contact_Tracing_-_Bluetooth_Specificat…
[8] https://pact.mit.edu/
[9] https://www.google.com/covid19/exposurenotifications/
[10] https://people.csail.mit.edu/rivest/
[11] https://en.wikipedia.org/wiki/Adi_Shamir
[12] http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=4405829
[13] https://covid19.apple.com/contacttracing
[14] https://covid19.nj.gov
[15] https://www.guidesafe.org/exposure-notification-app
[16] https://www.avast.com/en-us/free-mobile-security
[17] https://www.avast.com/en-us/free-ios-security