Abstract
We report on measurements of the actual data transmitted to backend servers by the Singapore OpenTrace app, with a view to evaluating impacts on user privacy. We have three main findings: 1) The OpenTrace app uses Google’s Firebase service to store and manage user data. This means that there are two main parties involved in handling data transmitted from the app, namely Google and the health authority operating the OpenTrace app itself. We find that OpenTrace’s use of Firebase Analytics telemetry means the data sent by OpenTrace potentially allows the (IP-based) location of user handsets to be tracked by Google over time. We therefore recommend that OpenTrace be modified to disable use of Firebase Analytics. 2) OpenTrace also currently requires users to supply a phone number to use the app and uses the Firebase Authentication service to validate and store the entered phone number. The decision to ask for user phone numbers (or other identifiers) presumably reflects a desire for contact tracers to proactively call contacts of a person who has tested positive. Alternative designs make those contacts aware of the positive test, but leave it to the contact to initiate action. This may indicate a direct trade-off between privacy and the effectiveness of contact tracing. If storage of phone numbers is judged necessary, we recommend changing OpenTrace to avoid use of Firebase Authentication for this. Finally, 3) the reversible encryption used in OpenTrace relies on a single long-term secret key stored in a Google Cloud service and so is vulnerable to disclosure of this secret key.
Copyright information
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Leith, D.J., Farrell, S. (2020). Coronavirus Contact Tracing App Privacy: What Data Is Shared by the Singapore OpenTrace App?. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_6
DOI: https://doi.org/10.1007/978-3-030-63086-7_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63085-0
Online ISBN: 978-3-030-63086-7
eBook Packages: Computer Science, Computer Science (R0)