This weekend, 7 apps to track corona virus infections were presented to the public and the ministry of public health of the Netherlands in an “appathon”1. On april 7th, Minister Hugo de Jonge announced that the cabinet wanted to use apps to track and prevent corona virus infections, and now - two weeks later - only 7 initiatives are left. Besides the apparent lack of understanding of the involved timeline with developing such an app that’s eerily apparent when you look at the failure of past government IT projects - the company that is most often involved with failing IT projects2 is part of the selection again - some huge issues are not taken into consideration.
Managing timelines, developer- and server-capacity and communication channels with health organizations and then motivating people to install the app are all hard, very hard. With most of the IT projects by the Dutch government either failing or losing a lot of money - costing the government between 1 and 3 billion dollars per year3 -, even if this one doesn’t and the above obstacles are managed, and in the unlikely event of the threshold usage percentage achieved, another problem is underexposed.
The golden goose of 6 out of 7 pitched apps is bluetooth tracking. (The other pitch didn’t mention what technology was used). The example that is used to compare this to is the Singaporean “TraceTogether”, where random id’s are generated for each phone that is consequently stored on phones that come within 2 to 5 meters of this phone. App installation is not mandatory in Singapore, with less than 20 percent of people downloading the app and subsequently not being effective. Even a partnership between Apple and Google is aiming to solve the exact same problem using bluetooth4. But what all these proposed solutions don’t seem to keep in consideration is that everything can be used maliciously. With cyber crime spiking after the start of the outbreak, we can’t expect these apps to be left alone.
Firstly, some of the (proposed) implementations keep track of encounters from both sides. So if an attacker can report it (or actually) is sick, and acts like it encountered hundreds of devices when they in fact didn’t even go outside, an attacker could prevent hundreds of people form going outside, creating an actual physical Denial Of Service attack. This could be either targeted or more general depending on the objectives of one of such attackers.
But let’s consider the less vulnerable version where you only consider your own encounter records valid and an attacker can’t pretend they were near you when they weren’t. An attacker could still drop of a device at an entrance of a store they want to target, or target hundreds of communities in an organized attack by a hacker group. And now you’re in full lock down again, with invalid contamination data possibly costing hundreds peoples their lives.
On the other hand, an “intelligent” lock down is what we are in now anyway. Apart from clouding data sets used to fight and contain the virus, doing a country wide DDOS is not that much of an issue then, right? But there’s a bigger issue:
Bluetooth needs be constantly enabled. Besides several security issues with the protocol recently that a lot of phones won’t have patched because of the poor update support for android phones, another big issue appears. We become more trackable. I can’t find reliable data about how many people have Bluetooth enabled by default, but it’s reasonable that it’s going to be a lot higher when these apps are going to be used more. Some of you who know me personally know that I tend to be a bit paranoid, and one of the things I do is immediately switching of bluetooth whenever I can. I want to use the bluetooth in my car but don’t want to be tracked while doing my shopping. The virus will be a blessing for digital advertising agencies with the tremendous amount of tracking data that suddenly becomes available. Now elderly can suddenly be followed while grocery shopping, minors can be followed walking through department stores and every step you take can be monetized. Remember that shirt you looked at and bought online and that google tries to sell you again? (Why?!) The same thing will finally happen in real life from now on. We finally really arrived in the digital age.
At least the app is not mandatory. I personally won’t install it, but probably millions of people will. And despite the results not being anything concise as the usage numbers will be too small, two things will have been accomplished. Another IT project that money was wasted on has been established. And even more people are now tracked and part of the data sets and can be influenced in buying worthless consumer products that will be thrown away after one use. And who knows, maybe the app will be mandatory when a next outbreak occurs and we will live in a surveillance state?