Skip to main content
SpringerLink
Log in
Book cover

International Conference on Security and Privacy in Communication Systems

SecureComm 2020: Security and Privacy in Communication Networks pp 80–96Cite as

Coronavirus Contact Tracing App Privacy: What Data Is Shared by the Singapore OpenTrace App?

  • Conference paper
  • First Online:

Abstract

We report on measurements of the actual data transmitted to backend servers by the Singapore OpenTrace app, with a view to evaluating impacts on user privacy. We have three main findings: 1) The OpenTrace app uses Google’s Firebase service to store and manage user data. This means that there are two main parties involved in handling data transmitted from the app, namely Google and the health authority operating the OpenTrace app itself. We find that OpenTrace’s use of Firebase Analytics telemetry means the data sent by OpenTrace potentially allows the (IP-based) location of user handsets to be tracked by Google over time. We therefore recommend that OpenTrace be modified to disable use of Firebase Analytics. 2) OpenTrace also currently requires users to supply a phone number to use the app and uses the Firebase Authentication service to validate and store the entered phone number. The decision to ask for user phone numbers (or other identifiers) presumably reflects a desire for contact tracers to proactively call contacts of a person that has tested positive. Alternative designs make those contacts aware of the positive test, but leave it to the contact to initiate action. This may indicate a direct trade-off between privacy and the effectiveness of contact tracing. If storage of phone numbers is judged necessary we recommend changing OpenTrace to avoid use of Firebase Authentication for this. And finally, 3) the reversible encryption used in OpenTrace relies on a single long-term secret key stored in a Google Cloud service and so is vulnerable to disclosure of this secret key.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. In Coronavirus Fight, China Gives Citizens a Color Code, With Red Flags, New York Times, 1 March 2020. https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html

  2. Apple and Google partner on COVID-19 contact tracing technology, 10 April 2020. https://www.apple.com/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/

  3. Coronavirus: Under surveillance and confined at home in Taiwan, BBC News, 24 March 2020. https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html

  4. Privacy and Security in Firebase, 27 November 2019. https://firebase.google.com/support/privacy

  5. Coronavirus mobile apps are surging in popularity in South Korea, CNN, 28 February 2020. https://edition.cnn.com/2020/02/28/tech/korea-coronavirus-tracking-apps/index.html

  6. BlueTrace: A privacy-preserving protocol for community-driven contact tracing across borders, 9 April 2020. https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf

  7. Android Reference Guide: Android Id. https://developer.android.com/reference/android/provider/Settings.Secure.html#ANDROID_ID. Accessed 26 Apr 2020

  8. CoronaMadrid Covid-19 App. https://www.coronamadrid.com/. Accessed 26 Apr 2020

  9. Decentralised Privacy-Preserving Proximity Tracing (DP-3T) Demo App. https://github.com/DP-3T/dp3t-app-android. Accessed 26 Apr 2020

  10. Firebase Blog: How Long Does it Take for My Firebase Analytics Data to Show Up? https://firebase.googleblog.com/2016/11/how-long-does-it-take-for-my-firebase-analytics-data-to-show-up.html. Accessed 26 Apr 2020

  11. Firebase Help: Automatically collected user properties. https://support.google.com/firebase/answer/6317486. Accessed 26 Apr 2020

  12. Firebase Reference Guide: FirebaseInstanceId. https://firebase.google.com/docs/reference/android/com/google/firebase/iid/FirebaseInstanceId. Accessed 26 Apr 2020

  13. Frida: Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. https://frida.re/. Accessed 26 Apr 2020

  14. Google Ad Manager Help: About mobile advertising IDs. https://support.google.com/admanager/answer/6274238. Accessed 26 Apr 2020

  15. OpenTrace Source Code. https://github.com/OpenTrace-community. Accessed 26 Apr 2020

  16. TraceTogether App Website. https://www.tracetogether.gov.sg/. Accessed 26 Apr 2020

  17. The Mandatory Registration of Prepaid SIM Card Users, GSMA White Paper, November 2013. https://www.gsma.com/publicpolicy/wp-content/uploads/2013/11/GSMA_White-Paper_Mandatory-Registration-of-Prepaid-SIM-Users_32pgWEBv3.pdf

  18. Cortesi, A., Hils, M., Kriechbaumer, T., Contributors: mitmproxy: A free and open source interactive HTTPS proxy (v5.01) (2020). https://mitmproxy.org/

  19. Machanavajjhala, A., Kifer, D., Gehrke, J., Venkitasubramaniam, M.: L-diversity: privacy beyond k-anonymity. ACM Trans. Knowl. Disc. Data (TKDD) 1(1), 3-es (2007)

    Article  Google Scholar 

  20. Golle, P., Partridge, K.: On the anonymity of home/work location pairs. In: Tokuda, H., Beigl, M., Friday, A., Brush, A.J.B., Tobe, Y. (eds.) Pervasive 2009. LNCS, vol. 5538, pp. 390–397. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01516-8_26

    Chapter  Google Scholar 

  21. Srivatsa, M., Hicks, M.: Deanonymizing mobility traces: using social network as a side-channel. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 628–637 (2012)

    Google Scholar 

  22. Sweeney, L.: k-anonymity: A model for protecting privacy. Int. J. Uncertain. Fuzz. Knowl. Based Syst. 10(05), 557–570 (2002)

    Article  MathSciNet  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Computer Science and Statistics, Trinity College Dublin, Dublin, Ireland

    Douglas J. Leith & Stephen Farrell

Authors
  1. Douglas J. Leith
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Stephen Farrell
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Douglas J. Leith .

Editor information

Editors and Affiliations

  1. Yonsei University, Seoul, Korea (Republic of)

    Noseong Park

  2. George Mason University, Fairfax, VA, USA

    Kun Sun

  3. Dipartimento di Informatica, Universita degli Studi, Milan, Milano, Italy

    Sara Foresti

  4. University of Florida, Gainesville, FL, USA

    Kevin Butler

  5. Division of Nephrology, University of Alabama, Birmingham, AL, USA

    Nitesh Saxena

Rights and permissions

Reprints and permissions

Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Leith, D.J., Farrell, S. (2020). Coronavirus Contact Tracing App Privacy: What Data Is Shared by the Singapore OpenTrace App?. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-63086-7_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63085-0

  • Online ISBN: 978-3-030-63086-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation