We report on measurements of the actual data transmitted to backend servers by the Singapore OpenTrace app, with a view to evaluating impacts on user privacy. We find: 1) The OpenTrace app uses Google's Firebase service to store and manage user data, and so there are two parties involved in handling data transmitted from the app, namely Google and the health authority. OpenTrace's use of Firebase Analytics telemetry means the data sent by OpenTrace potentially allows the (IP-based) location of user handsets to be tracked by Google over time. 2) OpenTrace also currently requires users to supply a phone number to use the app and uses the Firebase Authentication service to validate and store the entered phone number. The decision to ask for user phone numbers (or other identifiers) presumably reflects a desire for contact tracers to proactively call contacts of a person who has tested positive. Alternative designs make those contacts aware of the positive test, but leave it to the contact to initiate action. This may indicate a direct trade-off between privacy and the effectiveness of contact tracing. If storage of phone numbers is judged necessary, we recommend changing OpenTrace to avoid use of Firebase Authentication for this. And finally, 3) the reversible encryption used in OpenTrace relies on a single long-term secret key stored in a Google Cloud service and so is vulnerable to disclosure of this secret key.
Authors: Douglas Leith (Trinity College Dublin), Stephen Farrell (Trinity College Dublin)