COVID Tracer app's new Bluetooth tracing: Is it a privacy concern?

Tech experts say new upgrades to the COVID Tracer app will help New Zealand quash any outbreak before it gets out of control, whilst at the same time protecting users' privacy.

But a privacy law expert says it's a "thin edge of the wedge" and it wouldn't be difficult for the Government to start tracking users' movements if it wanted - not to mention open them up to the risk of hacking.

From Thursday, the COVID Tracer app will have Bluetooth functionality allowing it to ping other nearby phones, so if anyone you've been close to tests positive for the deadly disease they'll be able to send you an anonymous message urging you to contact the Ministry of Health or get tested.

Health Minister Chris Hipkins says it's not a replacement for scanning QR codes, but an additional tool which "improves our chances of getting on top of any potential outbreak quickly - as long as we use them". 

Few Kiwis are using the app, with fewer than 200,000 active devices being used on Monday - down from almost 1 million in early September. 

"QR codes allow us to create a private record of the places we've been, while Bluetooth creates an anonymised record of the people we've been near," said Hipkins. "Combined, they complement the work done by our public health units and the National Investigation and Tracing Centre to rapidly identify and isolate close contacts."

It uses technology developed by Google and Apple, the firms behind the Android and iOS phone operating systems most of us use.

"The way the app works is it sends out a little signal from your phone or a key that's picked up by another phone - that's all done anonymously," privacy law specialist Kathryn Dalziel told The AM Show on Wednesday. 

"If you contract COVID-19 you send out your keys. You make the decision as to whether or not you're going to send out notifications to anybody else who's received your keys - again, all of this is anonymous - to let them know that they should contact the Ministry of Health."

Hipkins said privacy concerns have been at the top of the app developers' minds, aware that some people might be put off if they thought their data was being collected. No data is sent to the Ministry of Health, and the data collected by the Bluetooth function doesn't include locations - that is still reliant on scanning QR codes.

"The app has been endorsed by the Privacy Commissioner, and the Ministry of Health is releasing the source code so New Zealanders can see for themselves how their information is managed."

Dave Parry of the AUT Department of Computer Science said the Google/Apple Exposure Notification (GAEN) system is "robust, secure and privacy-preserving", and there was "no real risk to privacy".

"At each stage you have to choose to release your data and all the tracing centre knows is the original person who tests positive (which they know anyway) - if you are a potential contact, you just get an alert asking you to communicate with the tracing people."

GAEN is already being used by 25 other countries. It can detect not only whether you've potentially been exposed, but also how at risk you are, based on how close you were to an infected person and for how long.

"The message might be different if two phones (and therefore people) were in close proximity for a few hours in comparison to two phones being relatively far apart for a few minutes," said Andrew Chen, a researcher at the University of Auckland's Koi Tū: The Centre for Informed Futures.

"The message might encourage a user to get a test, or to call public health officials." 

Kathryn Dalziel. Photo credit: The AM Show

Dalziel is concerned she's yet to see a privacy impact assessment on the technology.

"The Government isn't collecting personal information, but they could," she told The AM Show. "That's always the concern in privacy - that thin-edge-of-the-wedge thing. You set up the systems, it seems all go, at the moment it's all anonymous... What concerns me is that the Government just says, 'No, I tell you what - upload the data to us and we'll take care of it.'" 

Unlike scanning a QR code, Bluetooth involves sending and receiving signals - which opens up users to potential attacks. 

"We haven't seen major data breaches, but we do know hacking is available," she said, noting that the regular changing of users' individual keys will help stave this off. 

The app won't have Bluetooth turned on by default, but users will be prompted to enable it the first time they open the app after the update is installed. The Ministry of Health says users shouldn't be worried it'll drain their phone batteries because GAEN uses Bluetooth Low Energy - which uses far less electricity than Bluetooth Classic. The app also doesn't need to be open for the Bluetooth tracing to function.

"Kiwis deserve a summer break more than ever this year but we cannot take our eye off the ball," said Hipkins. "The prospect of another outbreak should serve as a rock under our beach towels."