This week we have been asked, just out of curiosity apparently, by age old friends with brains bigger than Marvin The Paranoid Android (when they turn them on of course) a few questions about The Government’s announcement that ‘it will release an app where people can self-report symptoms for COVID-19 and which will then alert other people who have been in contact with them’.
Of course this announcement is like passing a writhing plate of opportunistic paranoid snakes to all of the factions; The tin foil hat brigade including the 5G /vaccination/Bill Gates wants to chip everyone crazies who we will not bother linking, the privacy intellectuals, lawyers (obviously in it for the general public), concerned citizens, drug dealers, criminals (including those evil hackers nmwahahaha), law enforcement, security services, Beelzebub, very smart bored sun lounging ex investigative journalists, the whole bit.
Trying to break this down is very tricky. So, in reverse order of stuff we actually know about, here is the approach; A summary of the proposition, what can we see now (in the public domain), Government motivation, outcome and cost justification, a withering assessment of the proposed technology from security, uptake and what are they thinking about perspectives (a balanced analysis) and maybe a dystopian 'what ever next' through the eyes of the aforementioned Marvin.
Regular, long suffering readers will know that these blogs are (so far) titled after records. Follow Me is a dance classic which ironically has these lyrics (it’s not Dylan)
I'm hoping to see the day
When my people
Can all relate
We must stop fighting
To achieve the peace
That was torn in our country
We shall all be free
We are hoping to see the day when the Pubs reopen. Shallower than an empty foot-wash thing at the public baths,
Google, Apple, Samsung and parties third obviously gather location data and utilisation metadata (calls from here to there at this time, active time online, loads of it), and in some cases, we have hear, even whole streams, voice calls, WhatsApp, the lot are recorded (true words). Even if they can't be decrypted now, they will be in the future.
Google even publishes this stuff - have a look at the report into lockdown across the UK here (spoiler alert, if you are a tin foil hatter, turn off all your power now).
Google came up with a suggestion to use Bluetooth Low Energy (integrated with Bluetooth version 4 see below) to anonymously use proximity information in order to warn people if they have been near someone who reports they have Covid-19 symptoms.
The Charley says overview is here. It is only a matter of time before the ‘Bob and Alice’ metaphor for secure communications is outed for the disgrace it is. After all this time everyone knows that Bob and Alice wouldn't be talking.
The key exchange proposition is fairly solid (taken at face Alice and Bob value) along with the promise to publish the source code, however the source of the source code is not clear! There are a significant number of issues all round. Buckle up.
As previously mentioned, location details are routinely gathered using IP addresses, location services (if you have them on) and beaconing to and from service providers (triangulation, used by law enforcement and people who set up fake cells, i.e. law enforcement).
This proposition is that punters voluntarily install an app which uses Bluetooth Low Energy to log people in close proximity, whilst not sharing any user details with the Government finger crossed, (honest).
In order for this to be viable, a large number of users would have to voluntarily install the app and enable Bluetooth on their devices. Easy to say but the Pandora’s box potentially unleashed is gruesome.
Firstly, a large number of users will not install this. Why would they?
Secondly, the citizens that do will have to enable Bluetooth V4 (always on) including the Low Energy bit. Both of these are ambrosia of the Gods for hackers. Bluetooth hacking is a real thing, take a look at these ‘how to’ guides for hacking Bluetooth Low Energy and just Bluetooth hacking and discovery in general.
Information security channels are buzzing about the differences between the Alice and Bob, ‘everything will be fine’ picture as painted above and reality. We think this proposal is rife for misuse and abuse as does the infamous Moxie.
Even Wikipedia says this about Bluetooth Low Energy:
Bluetooth LE comes with very low, and in many cases broken security. BTLE or Bluetooth Smart, is a new modulation mode and link layer packet format targeting low powered devices and is found in recent high-end smart phones, sports devices, sensors, and will soon appear in many medical devices. Unfortunately the security implementation is broken with the encryption of any Bluetooth LE Energy link easily being rendered useless. This flaw in security can allow any device nearby to eavesdrop on Bluetooth Low Energy conversations. This includes packets being intercepted and reassembled into connection streams, as well as injection attacks.
Bluetooth LE has been suggested as the basis of an app for tracing contacts of people during the Covid pandemic of 2020, silently tracking other phones which come within BT LE range of a person's phone, allowing those who have been in sustained proximity with a possibly infected person to be notified without identifying the person. However, a draft government memo said that ministers might be given the ability to identify people from their mobile phones, which has been criticised as a potential security breach.
Everyone feeling comfortable? Your Mum, your Dad, installing this app, doing their bit and leaving their phones wide open for a jacking.
At this point, we could get into a discussion about having a Government application on your phone and the implications of updates and all that, but we really DO not want to go there.
Suffice to say that we cannot see this working. We can see it costing fortunes and other than an exercise in acceptance and utility, futile,
Of course in other parts of the world, Internet users are compelled to install Government Certificates in order to access the Internet , or mandated/socially expected to use tracking applications , but the window of utility for that tech is closed to the UK now, as well as all the other lost opportunities (DO NOT GO THERE. ED).
Clearly these are strange times for civil liberties and privacy. We can only hope that they will not be used for an opportunistic land grab by Big Brother or his Twisted Sister. Time will tell.
Moving on to the dystopia bit. Given the above (summary: WTAF?), why would you invest in this unless you had a mate in a software business or a grander plan? Just saying.
Of course this will all be turned off after the Covid-19 crisis, won’t it ?
In other news, it appears that there are some people at the door.
Hope you are all well.