Does Your Contact Tracing App Track Your Location?
5 min read
Not sure whether the local contact tracing app is tracking your location? You’re not alone. It’s not uncommon for developers or governments to keep things vague with regards to app functionality. Luckily, this ranked list of contact tracing apps should let you know exactly what you’re dealing with.
If your country’s app is using location tracking technology, the “How Does It Work?” section should list one of the following. We’ve also included a brief explanation of how each technology works down below.
1. GPS Location Data
Contact tracing apps may use a GPS satellite connection to determine your location. They work much like any other app that uses location data – tracking you wherever you go if you press “Allow” in the permissions prompt. Yes, the tracking can be turned off wherever digital contact tracing isn’t mandatory, but that kind of defeats the whole purpose of the app.
Want to know just how precisely the app can trace your usual routines? One look at this New York Times study should give you an accurate (if chilling) idea.
Location-based contact tracing sounds even worse when you consider that your location data may be shared with advertisers. Naturally, the North Dakota-based “Care19” scandal was followed by empty apologies and assurances that “your data isn’t used in any way, and it is promptly discarded.”
2. Telecom Location Data
When you use mobile data on your phone (“smart” or not), your device sends out signals to nearby cell towers. Operators can keep track of your approximate location and offer this location data to the officials or agencies in charge of the contact tracing app.
A good example of this is Corowarner in Turkey, which can send alerts even to people who don’t own a smartphone. The app is a hybrid model and also uses GPS location and Bluetooth functionality. Why? According to the developers, the data is used to estimate how close and how long a user has been in contact with someone who has tested positive for Covid-19.
Of course, Bluetooth would have been sufficient for this purpose, but we’ll get to that in a moment.
3. QR Codes
China has implemented a color-based QR code contact tracing system. After signing up to the mandatory service through the popular Alipay or WeChat apps, users are asked to complete a short health survey. The result of this questionnaire is a QR code in one of three colors: green, yellow, or red – representing the user’s health status.
Those with a green QR code may move about relatively freely, but may only enter public establishments after their code is scanned by a local authority. Neither the Chinese Communist Party nor Alipay have explained the criteria by which the app “color-codes” people. Predictably, this has lead to a lot of confusion and unexpected self-isolation orders for those that received yellow or red codes.
On the other side of the world, using New Zealand’s NZ Covid Tracer app is completely optional (though highly encouraged). Public venues have an official QR code placed outside, which app users can scan before entering. If a user tests positive for Covid-19, they may upload this information to a central cloud. Why? So other users who may have been present at the venue may receive an alert through the app – either to get tested or to self-isolate.
Now, having to scan QR codes at various locations doesn’t mean you’re tracked every second of the day like in the cases above. Nevertheless, your daily habits and routines can easily be monitored by whoever has access to the QR code data.
4. Self-reported Location Info
Wherever QR codes aren’t available, users have the choice (or legal obligation) of self-reporting their location. It’s a feature in NZ Covid Tracer and several other apps around the world. Self-reporting may also be an option if the app doesn’t use location data, or if location tracking is impossible for whatever reason (such as poor reception).
Bluetooth as a Contact Tracing App Framework
You might have heard that Google and Apple have teamed up to deliver a Bluetooth-based contact tracing system. Apps that use Bluetooth allow users to know whether they’ve been in contact with a Covid-19 carrier without the need to track their location at all times. Provided the other person has the app as well, that is – but that pretty much applies to all contact tracing tech.
In any case, no personal information is collected aside from a randomized identifier that changes every few minutes. As app users come into close proximity, these identifiers are mutually shared via Bluetooth signals. They are then kept in an encrypted log on the users’ smartphones and are deleted every two weeks.
Now, if a user tests positive for the virus, they have the option of uploading their specific log of identifiers to a central cloud. After a healthcare provider provides an official diagnosis, an alert can be sent to all users to get tested.
As you can see, no personal information is revealed throughout the entire process. Naturally, the system isn’t perfect, but digital contact tracing is still in its first months of development. New apps, such as Israel-based Sonar-X that uses ultrasonic technology, aim to fix Bluetooth’s shortcomings while maintaining the same level of privacy.
Why Location Tracking Isn’t the Way to Go
GPS or telecom location tracking isn’t more effective than Bluetooth for one simple reason. For digital contact tracing to be truly effective, a substantial portion of the population needs to use the app. This sentiment is shared by a group of researchers at University College London.
So why not use Bluetooth or similar alternatives for that extra bit of privacy?
After all, where you came into contact with an infected person is more or less irrelevant. Unless you can somehow remember everyone on the bus or at the supermarket to give them a heads up, that is. Hyperbole aside, what matters is taking precautionary steps like getting tested and self-isolating.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
Subscribe
Facebook Page
Follow Me On Twitter
contactme@binaryblogger.com
