We live in a society of contradictions. Privacy is increasingly valued, but we do nothing to maintain it. In fact, the most widely used password is still 1234.
In this context, in which we boast of our opposition to the large technological companies trading in our personal data and demand clear and easily understandable cookie warnings, but we cannot spend a few days’ holiday without sharing our stay on all the world’s social networks leaving on the Internet a record of when we are and are not at home, how far we are, who we are spending our holiday with, etc., the government application Radar Covid appears.
Apart from any conspiracy theory (and some of them are very good), let’s try to analyze the application from a security point of view as if it were any other app.
Is it reliable or not?
Well, it’s not so easy to answer. We can easily find equally valid arguments for and against.
Transparency in the project was announced from the beginning. The implementation was to be open source, which has not been the case at present.
An open source app would allow other developers to analyse, verify and audit the code, especially in the search for the dreaded “exploit 0 days” (i.e. those security gaps that are still unsolved).
Believing that an application that has been developed in such a short period of time is flawless is like thinking that the first time you skate you won’t fall. You may have been born for it, but just in case, put on some protection.
An identical app would have been reasonable in all European countries, given the freedom of movement within the territory and the real mobility of citizens between different countries.
It requires the (minimum) citizen´s participation, who must have the bluetooth on for it to function, a communication protocol that consumes a lot of battery power and which security is questionable.
It is a simple application, with no complex interface and very few necessary user settings. It must be considered that the application is intended for the whole population and the skill of some age groups with the technologies is scarce.
It is an application that in principle does not need to activate the geolocation of the user’s mobile. And that for a tracking app, is very remarkable.
If we go back to the first applications that appeared in China, South Korea or Singapore, they use technology with a great invasion of user’s privacy. This was a great challenge in Europe, since after the effort that the implementation of the General Data Protection Regulation, known as GDPR or RGPD, has involved and continues to involve, it would be difficult to understand an invasive use and centralised management by a state body of the app users’ personal data.
Radar COVID does not require personal data or location permits. It is based on the DP3T protocol, developed independently by a team of 33 people including developers, epidemiologists and lawyers, led by Carmela Troncoso, a Spanish researcher at the Federal Polytechnic School of Lausanne, and used in other European countries such as Italy, Germany, Austria and Switzerland.
This protocol is open source. It works by using Bluetooth to track and record meetings with other users in an encrypted and anonymous way, so that the central server never has access to the user’s contact records.
All this seems very positive from a privacy point of view. However, on android devices, geolocation needs to be activated for Bluetooth to work, so everything explained above is “quarantined”.
As we can see, it is not so easy to say whether the app is reliable and secure or not. The Computer Chaos Club, one of the largest hacker associations in Europe, created a decalogue of the conditions that any tracking application should meet:
1. Epidemiological purpose
2. Voluntary use
5. Data should not be managed centrally
6. Only essential data may be collected
7. Users need to remain anonymous
8. No user movement profiles should be created
9. The encrypted keys for the technology to work must be temporary and non-binding
10. Communications between devices must be unobserved
This may not be a bad starting point for creating an ethical environment for the protection of individual privacy.
In the current situation, both major technology companies and governments are gambling with their credibility towards users. A breach, exposure, violation or any other damage to personal data of users of a COVID-related application would be catastrophic for the trust relationship in the use of the app, which is essential for its use and an ideal breeding ground for all kinds of conspiracy theories.
A breach, exposure, violation or any other damage to personal data of users of a COVID-related application would be catastrophic for the trust relationship in the use of the app.
The success or failure of RADAR COVID will depend on the confidence that we all have in the application and a good first step would be to release the code. In general, it would be desirable that any application, programme or action of the Administration should be open source.
At the moment I have downloaded the application, but as I don’t have the bluetooth on…