The COVID-19 app: Bluetooth tracing, but not tracking?
What I find fascinating about working in the data protection field is all the storytelling, all the narratives in the marketing and selling of data privacy and security.
With this article I will provide some basic facts and insights about personalisation, identification and location tracking via mobile devices using Bluetooth and GPS. The article ends with a chapter on the functionality of the new Apple U1 Ultra Wide-Band chip.
THE MYTH 'If you buy our product and our technology; you will be elite, you will have fun, we will provide you a special service, we will protect your data in our cloud, you can work smarter while we collect data about you (only to service you better), and we will not share with 3rd parties. In fact, the data on your phone will never leave your phone... right... you can work and stream safely in our space. We respect you!'
We are merely data points, whether we like it or not. Numerous telling research papers and articles have shown that tracing and tracking are becoming more and more precise; The New York Times has made an extraordinary effort to share information in this field. One example is the lengthy and remarkable article Twelve Million Phones, One Dataset, Zero Privacy, Dec 2019:
"Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles. Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017."
Another example from the pandemic era is this video: a small company, Tectonix Tec, has the capability to surveil crowds and then track individuals from a location ("see where the devices went after they left the beach"): Spring Break vs. COVID19: The Real Impact of Ignoring Social Contact
It is articles and videos like these that help create awareness; the question is how we use this new insight. But we are reassured by Apple and Google. A press release shared all over the world went viral on Twitter: "will ban the use of location tracking in apps", May 4 2020. They have good intentions and are taking responsibility onto their shoulders by promising us that they will not allow governments to track our locations.
If ONLY we didn't know that they had already tracked us, and so have the telecom companies, the shops and everybody with a digitalised service. Big Tech companies have made several moves to position themselves for new areas of growth within health, retail, cars, smart homes, content subscription streaming services and artificial intelligence.
"Not to be left out, in 2017, Google introduced Project Beacon and began sending beacons to businesses for use with Google Ads services. Google uses the beacons to send the businesses’ visitors notifications that ask them to leave photos and reviews, among other features. And last year, investigators at Quartz found that Google Android can track you using Bluetooth beacons even when you turn Bluetooth off in your phone.
For years, Apple and Google have allowed companies to bury surveillance features inside the apps offered in their app stores. And both companies conduct their own beacon surveillance through iOS and Android.
It should not be lost on the public that Apple created the first Bluetooth system of commercial surveillance. Apple’s chief executive, Tim Cook, recently wagged his finger at the “data-industrial complex.” Unlike other tech giants that monetize surveillance, Apple relies upon hardware sales, he said. But Mr. Cook knew what Apple was creating with iBeacon in 2013. Apple’s own website explains to developers how they can use iBeacon to micro-target consumers in stores.
Companies collecting micro-location data defend the practice by arguing that users can opt out of location services." (2)
"We passively record advertising events, while the Bluetooth in Windows 10 is enabled. We measure data generated by one Microsoft Surface Pro 5, two laptops and one desktop PC from other OEMs, all running an up-to-date Windows 10." (from the paper Tracking Anonymized Bluetooth Devices by Becker, Li and Starobinski, listed under Further reading) Read more there about macOS and iOS devices, Android devices, smartwatches, the Microsoft Surface Pen, the iPad Pro Pen, etc.
And what do they all have in common? Consumer Intelligence Research. We will come back to that in a moment.
We have seen the pattern more clearly than ever since January 2020: the digital applications and social media platforms that we were already using now take up our everyday lives at an accelerating pace of data flow.
Public and private space are melting together as citizens are encouraged to seek public information on Facebook, socialise on TikTok, study via Zoom and Google Hangouts, and work via Slack, Microsoft Teams and many more. FaceTime is used by families, even to say a last goodbye.
Politicians and municipalities are eager to inform the citizens, and happy to do so via Facebook rather than a neutral public website (public money / public code).
More Facebook with 'Members Patient Groups', doctors happy to give advice, and individuals happy to participate in surveys with self-diagnosis for COVID-19, only to let the data migrate at a later stage into public statistics, while the public is told that the data collected "was deleted and removed from Facebook".
Is that likely, when Facebook's business model is to collect data and share it with business partners?
It is all fine when we take pride in highly digitalised Denmark. We can work from home, as most Danes have broadband paid for by themselves, and many bring their own device when working from home. But people are not aware of the dangers of inadequate data protection and data privacy. As another result, cyber risks have exploded like never before.
What is a country's national preparedness and contingency when we make our daily business dependent on a few big tech companies?
We are online, but fully dependent on the goodwill of three operating systems (iOS, Android and Windows) and on social platforms via our Microsoft ID, Apple ID and Google ID. Never before have we provided so much personal data to big tech.
The usual signalling of understanding tech is 'oh, but it is encrypted, right, so it must be okay'... We have willingly adapted, haven't we, without asking basic questions. And we are not holding anybody responsible for the dependency that we now have.
THE TRUST encourages us to continue to base our contingency and operations on the Big Tech companies; they come to our rescue when we need it the most. Google Meet and Microsoft Teams give access for free, like Zoom, and that is great, but why on earth are people not realising that big gets bigger?
When we say yes to Google and Microsoft, we say NO to a vendor who has a good alternative Privacy Enhancing Technology platform. Zoom or TikTok is wildly popular and used by all ages because of the easy UX functionality, and that is all the rationale there is; hardly anybody is looking for alternatives.
Big tech companies are now embedded in our society as the most basic critical infrastructure.
If we are connected on LinkedIn, you know that my awareness posting has intensified since early March 2020, for example on video conference software and other communication platforms, to encourage critical thinking.
To make a long story short: the European Data Protection Board (EDPB) put pressure on nation states in March and April 2020. During its 24th Plenary Session, the EDPB adopted three documents.
"The EDPB stands by and underlines the position expressed in its letter to the European Commission (14 April) that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users.
Dr. Jelinek added: “Apps can never replace nurses and doctors. While data and technology can be important tools, we need to keep in mind that they have intrinsic limitations. Apps can only complement the effectiveness of public health measures and the dedication of healthcare workers that is necessary to fight COVID-19. At any rate, people should not have to choose between an efficient response to the crisis and the protection of fundamental rights.”
The Danish Health Authority had almost approved a centralised platform for the Danish COVID-19 app, with personalised login via biometric ID and our civil registration number, but then received criticism from different sides and stopped the development of the app. The local Netcompany ('a next generation IT services company') seems to lack even the most basic understanding of Privacy by Design.
As a result of the public criticism, the Danish government then established a COVID-19 Advisory Board of five people to be consulted on data protection and privacy issues, together with the Data Ethics Advisory under the Agency for Digitisation (an agency within the Ministry of Finance).
Google and Apple Bluetooth contact tracing is on the schedule, and we are informed that this solution will respect our privacy and keep our data on the mobile phone.
What is the range of Bluetooth?
The effective, reliable range between Bluetooth devices is anywhere from more than a kilometer down to less than a meter.
Calculation of the expected range between two Bluetooth devices depends on the devices and their surroundings; normally it is approximately 10 meters. Check out The Bluetooth Range Estimator.
A few considerations about the functionality of Bluetooth proximity tracing:
- The Bluetooth range differs depending on the device (age and brand)
- The Bluetooth signal is attenuated by bags, counters, walls, etc.
- Bluetooth signal strength is only a proxy for distance; a positioning accuracy of 1-3 meters is reached only when it is combined with other sensors (source dated March 10 2020)
Bruce Schneier (Schneier on Security), one of the renowned cyber/privacy specialists, has criticised any COVID app for its false positives and lack of efficacy: "My problem with contact tracing apps is that they have absolutely no value" Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. "I'm not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? ... This is just something governments want to do for the hell of it. To me, it's just techies doing techie things because they don't know what else to do." You can read his analysis here: Me on COVID-19 Contact Tracing Apps
"Given that Google and Apple’s Bluetooth contact tracing relies on using the strength of a received signal (Received Signal Strength Indication, or RSSI) to determine whether you were within coughing distance of a Covid-19 patient that time you walked to the grocery store, this could be a serious problem.
Swarun Kumar, a professor of electrical and computer engineering at Carnegie Mellon University, recently estimated (see video) that environmental factors could make a Bluetooth device that’s 2 meters away appear to another device as if it’s 20 meters away, or vice versa." (1) From 46:00 onward.
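To make the RSSI problem concrete, here is an added example (my own illustration, not code from the article, from the Exposure Notification API or from any real app). It uses the standard log-distance path-loss model with assumed parameters: a phone seen at -60 dBm at 1 m, and an estimator that always assumes the free-space exponent n = 2 whatever the surroundings. The scenarios are constructed, not measurements: 20 dB of shadowing from a bag makes a phone 2 m away look 20 m away, a cluttered room (exponent 3) pushes a 2 m contact past a 2 m threshold, and a signal arriving 22 dB stronger than the model predicts turns a phone 20 m away into a false positive.

```python
import math

# Assumed estimator constants (not from any real app): RSSI seen at 1 m and
# the path-loss exponent the estimator always assumes (2.0 = free space).
RSSI_AT_1M_DBM = -60.0
ASSUMED_EXPONENT = 2.0


def rssi_at(distance_m, n=ASSUMED_EXPONENT, extra_loss_db=0.0):
    """Log-distance path-loss model: RSSI (dBm) expected at distance_m.

    n is the real environment's exponent (about 2 in open air, 3-4 in
    cluttered rooms); extra_loss_db is additional attenuation from a body,
    bag or wall (positive) or a signal arriving stronger than the model
    predicts, e.g. through reflections (negative).
    """
    return RSSI_AT_1M_DBM - 10.0 * n * math.log10(distance_m) - extra_loss_db


def estimate_distance(rssi_dbm, n=ASSUMED_EXPONENT):
    """Invert the model the way a naive proximity app would: fixed
    reference power and fixed exponent, whatever the surroundings."""
    return 10.0 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10.0 * n))


def classify(true_distance_m, n_true, extra_loss_db, threshold_m=2.0):
    """One measurement taken in the real environment (n_true, extra_loss_db)
    but interpreted with the estimator's fixed assumptions.
    Returns (estimated distance, flagged as contact, verdict)."""
    measured = rssi_at(true_distance_m, n=n_true, extra_loss_db=extra_loss_db)
    est = estimate_distance(measured)
    flagged = est <= threshold_m
    truly_close = true_distance_m <= threshold_m
    if flagged and not truly_close:
        verdict = "false positive"
    elif truly_close and not flagged:
        verdict = "false negative"
    else:
        verdict = "correct"
    return est, flagged, verdict


# Constructed scenarios: (description, true distance m, real exponent, extra loss dB)
SCENARIOS = [
    ("open air, phones in hand", 1.5, 2.0, 0.0),
    ("2 m apart, phone in a bag (20 dB shadowing)", 2.0, 2.0, 20.0),
    ("2 m apart in a cluttered room (exponent 3)", 2.0, 3.0, 0.0),
    ("20 m apart, signal 22 dB above the model", 20.0, 2.0, -22.0),
]


def run_scenarios(scenarios=SCENARIOS):
    """Classify every scenario; returns (description, estimate, flagged, verdict)."""
    return [(desc,) + classify(d, n, loss) for desc, d, n, loss in scenarios]


if __name__ == "__main__":
    for desc, est, flagged, verdict in run_scenarios():
        print(f"{desc:48s} estimated {est:6.2f} m  {verdict}")
```

Because RSSI falls off with the logarithm of distance, every 20 dB of unexpected loss or gain moves the estimate by a factor of ten at n = 2, which is exactly the 2 m versus 20 m swing quoted above; no threshold choice can fix that without extra information about the surroundings.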
No app will work anyway without a full testing scheme. A major issue is that people can in fact be infected and transmit COVID-19 up to 3-4 days before showing any symptoms. What is the effect on transmission then, if we do not keep physical distance?
The Apple iPhone and sacred data privacy
Basically, Bluetooth Low Energy works by having each device constantly broadcast small advertising packets, in effect 'Hello, I am Bluetooth', each carrying a device address (traditionally the fixed MAC address of the device).
For the COVID app, the Bluetooth identifier is supposed to be an ever rotating/changing number instead of the MAC (media access control) address, as I understand it, to create pseudonymity.
But to my surprise I find documentation that shows otherwise: "We showed that most computer and smartphone operating systems do implement address randomization by default as a means to prevent long-term passive tracking, as permanent identifiers are not broadcasted. However, we identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range.
By observing typical advertising behaviors of these operating systems, we identified that parts of these data structures allow an adversary to abuse them as a temporary, secondary pseudo-identity. These identifying tokens can be integrated into an algorithm which allows device tracking beyond address randomization."
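An added simulation of the linking problem described in that quote (my own code, not from the paper, the article or any operating system). It assumes toy rotation periods: a random address that changes every 15 minutes and a platform-specific secondary token that changes every 20 minutes, with one advertisement observed per minute. A passive observer who never learns the device's secret can chain identities together as long as one of the two fields survives each rotation, and is only defeated when both rotate in lockstep. The identifiers are derived with HMAC-SHA256 as a stand-in for the AES/HKDF constructions a real scheme uses; the function names and parameters are my assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed toy periods (minutes), not values from any real OS or app.
ADDRESS_PERIOD_MIN = 15      # random BLE address rotation
TOKEN_PERIOD_MIN = 20        # platform-specific secondary token rotation


def derive(secret: bytes, label: str, period: int, length: int = 6) -> bytes:
    """Per-period identifier = HMAC-SHA256(secret, label || period)[:length].
    Without the secret, identifiers from different periods look unrelated
    (a stand-in for the AES/HKDF construction a real scheme would use)."""
    msg = label.encode() + period.to_bytes(4, "little")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:length]


@dataclass(frozen=True)
class Advertisement:
    minute: int
    address: bytes   # random device address
    token: bytes     # secondary identifier carried in the payload


def advertise(secret: bytes, minutes: int, token_period: int = TOKEN_PERIOD_MIN) -> list:
    """One device broadcasting once a minute. token_period equal to
    ADDRESS_PERIOD_MIN means both fields rotate in lockstep."""
    return [
        Advertisement(
            m,
            derive(secret, "addr", m // ADDRESS_PERIOD_MIN),
            derive(secret, "token", m // token_period),
        )
        for m in range(minutes)
    ]


def passive_tracker(adverts: list) -> list:
    """Adversary who never learns the secret: two consecutive advertisements
    belong to the same device if EITHER the address OR the token is unchanged.
    Returns the length in minutes of every unbroken tracking chain."""
    chains, run, prev = [], 0, None
    for ad in adverts:
        if prev is not None and (ad.address == prev.address or ad.token == prev.token):
            run += 1
        else:
            if prev is not None:
                chains.append(run)
            run = 1
        prev = ad
    if prev is not None:
        chains.append(run)
    return chains


def longest_tracked_minutes(token_period: int, minutes: int = 120, secret: bytes = None) -> int:
    """Longest interval the passive adversary can follow one device."""
    secret = secret if secret is not None else os.urandom(16)
    return max(passive_tracker(advertise(secret, minutes, token_period)))


def relink_with_secret(secret: bytes, adverts: list) -> int:
    """Someone who later obtains the secret (e.g. a contact-tracing client given a
    diagnosed user's key) recomputes the addresses and claims every advertisement:
    this is the intended matching, not the passive attack above."""
    return sum(
        1 for ad in adverts
        if ad.address == derive(secret, "addr", ad.minute // ADDRESS_PERIOD_MIN)
    )


if __name__ == "__main__":
    for period, label in ((TOKEN_PERIOD_MIN, "token drifts vs address"),
                          (ADDRESS_PERIOD_MIN, "token and address in lockstep"),
                          (10**6, "token never rotates")):
        print(f"{label:32s} tracked for {longest_tracked_minutes(period)} min of 120")
```

With the two fields drifting, the adversary follows the device for 60 minutes (the least common multiple of the two periods) instead of the 15 minutes the address rotation was supposed to allow; a token that never rotates gives away the whole observation window. The mitigation is to rotate every field in the advertisement together with the random address, which, as far as I know, is also what the Apple/Google Exposure Notification design does with its proximity identifier.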
New tracing and tracking challenges come to light
Authorities have encountered the problem that Apple's iPhones will not keep broadcasting the Bluetooth signal for a third-party app unless the COVID app is running in the foreground at all times.
Apple 'followers' have time and again praised Apple for this new privacy measure, not knowing that there might be more privacy-intruding reasons behind it, namely a new patented tracing and tracking technology that few people have noticed: the new U1 ultra wide-band Apple chip. I will come back to that in a moment.
In Dec 2019 the new iPhone 11 Pro was reviewed by Brian Krebs of KrebsOnSecurity, a known specialist in cybersecurity and investigation. He noticed that although he had denied every app and system service access to location data, the iPhone 11 Pro would still seek the user's location.
There are two ways to disable location tracking. The simplest is to turn it all off by choosing Never.
The other is to disable location-based system services by tapping System Services and turning off each location-based system service one by one. This illustration shows the iPhone 11 Pro location services being opted out of one by one. A lot of work for the user.
"One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.
The privacy policy available from the iPhone’s Location Services screen says, “If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations."
This is confusing, as we thought that all that 'opt out, location denied' would protect iPhone users from location tracking.
The investigation is described in an article with a video as proof, The iPhone 11 Pro’s Location Data Puzzler, Dec 2019: "On Nov. 13, KrebsOnSecurity contacted Apple to report this as a possible privacy bug in the new iPhone Pro and/or in iOS 13.x, sharing a video showing how the device still seeks the user’s location when each app and system service is set to “never” request location information (but with the main Location Data service still turned on)."
The answer to the big puzzle is a new tracking and tracing technology Apple has patented: the U1 chip.
On Android devices it is a similar situation, but for a different reason: Google can still use Bluetooth to track your Android phone when Bluetooth is turned off. This makes efforts for data privacy an uphill struggle.
It is not only apps that use our Bluetooth ID; more and more commercial use has taken place in all sectors: marketing, but also transportation, warehouses, hospitals, robotics, smart cities, and even tracking whether people are sitting at their desks, you name it.
Most people use Bluetooth for purposes like headphones, smart speakers and baby monitors (Bluetooth Audio Gets a Big Upgrade at CES 2020).
In retail it is used for counting and tracking customers; this is done with beacons answering your phone's 'hello, I am Bluetooth'.
"Unlike any other positioning technique, beacons provide background capabilities, which enables positioning even when the user is not using the app. For instance, if a visitor in a supermarket has a phone in their pocket, the retailer can still enable geofencing and contextual notifications, provided that the user has given prior consent." How Bluetooth Will Continue to Drive Retail Innovation in 2020
Together with WiFi, Bluetooth is of course BIG business in smart cities as well.
That was the story of Bluetooth surveillance. So what are the chances for our privacy when we are asked to download a COVID-19 app that uses Bluetooth 24/7? We can ask the national DPA and the European Data Protection Supervisor.
It is an either/or situation. If we download the app and keep Bluetooth on at all times, it will be a privacy breach of at least our location data during all that time.
Concluding: 'The next challenge for contact tracing apps that allow me to voluntarily submit additional info: Nothing about me should be learnable from a dataset that cannot be learned from the same dataset but with my data removed'.
ON BLUETOOTH VULNERABILITIES The thing is, besides denying you privacy about your whereabouts and shopping habits, there are also quite a lot of IT security risks in using Bluetooth. Having Bluetooth on at all times is the opposite of mitigating risk. Instead it exposes the phone to man-in-the-middle attacks and other attacks on its Bluetooth stack that can take over the mobile phone. See the links and read about attack conditions and risk considerations for Bluetooth Smart devices in the whitepaper by Slavomir Jazek.
Find more articles on Bluetooth vulnerabilities in the links below.
U1 - The Biggest iPhone News Is a Tiny New Chip Inside It
Finally, a few words about Apple's new IoT darling, or culprit: the actual reason why Bluetooth is 'only active while used by an app in the foreground' on the new iPhones. Ultra wide-band offers location precision down to a few centimeters.
It is not a new technology; in fact it is 20 years old. The news is that it is built into a chip for Apple mobile devices.
"Perhaps the leading use case for UWB technology has been precise indoor localization, with accuracies between 10-0.5cm. Indoor localization is the process of finding the coordinates of a target (i.e. a phone) relative to one or more fixed-point anchors that also contain UWB radios. The relative coordinates are then mapped to a reference (e.g. blueprints) to provide an absolute location. High-accuracy localization is especially useful in contexts where traditional GPS is not accurate enough, or cannot reach. A number of other technologies have been explored for indoor localization, such as WiFi and Bluetooth, but the accuracy of these techniques is on the order of meters, not centimeters."
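An added example of the ranging and anchor-based localisation the quote describes (my own illustration of the generic technique, not Apple's U1 implementation and not code from the article). It assumes single-sided two-way ranging, in which the tag measures the round-trip time to an anchor that replies after a known turnaround delay, and three anchors at constructed coordinates. One nanosecond of timestamp error moves a range by about 15 cm, which is the order of accuracy the quote mentions, against the meters of an RSSI-based estimate.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed anchor positions (metres) for the example; any three
# non-collinear points work.
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 8.0)]


def twr_distance(t_round_s, t_reply_s):
    """Single-sided two-way ranging: the tag sends a poll, the anchor answers
    after a known turnaround t_reply_s, and half of what remains of the round
    trip is the one-way time of flight."""
    return C * (t_round_s - t_reply_s) / 2.0


def simulate_twr(true_distance_m, t_reply_s=1e-3, clock_error_s=0.0):
    """Round trip a tag would measure at true_distance_m, with an optional
    timestamp error on the tag's clock, fed back through twr_distance."""
    tof = true_distance_m / C
    t_round = 2.0 * tof + t_reply_s + clock_error_s
    return twr_distance(t_round, t_reply_s)


def trilaterate(anchors, distances):
    """Solve (x, y) from three anchors: subtracting the circle equation of
    anchor 1 from those of anchors 2 and 3 gives two linear equations,
    solved here with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = distances
    a1, b1 = 2.0 * (x2 - x1), 2.0 * (y2 - y1)
    c1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2.0 * (x3 - x1), 2.0 * (y3 - y1)
    c2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("anchors must not be collinear")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


def locate(true_pos, anchors=ANCHORS, clock_error_s=0.0):
    """Range to every anchor with simulate_twr, then trilaterate."""
    dists = [simulate_twr(math.dist(true_pos, a), clock_error_s=clock_error_s)
             for a in anchors]
    return trilaterate(anchors, dists)


def position_error(true_pos, clock_error_s=0.0):
    """Distance between the true position and the localised one."""
    return math.dist(true_pos, locate(true_pos, clock_error_s=clock_error_s))


if __name__ == "__main__":
    target = (3.0, 4.0)   # constructed true position in metres
    for err in (0.0, 1e-9, 10e-9):
        print(f"clock error {err * 1e9:4.0f} ns -> position error "
              f"{position_error(target, err):.3f} m")
```

The point of the exercise is that the accuracy is set by timing resolution rather than by signal strength: a 1 ns error is a few centimetres of position error, and 10 ns still stays well under half a metre, whereas the RSSI estimate earlier in the article can be off by a factor of ten.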
The most astonishing, and perhaps scary, is the ability to map and read our physical movements more accurately than today; see the illustration, a patent application for AI use.
"As well as being able to track the precise location of things within the home, including other objects and Apple products, the AR system could work in tandem with the gesture-based system detailed above.
This could involve ‘reading’ hand gestures, which means the Apple Watch could be set to play a key part in Apple’s AR vision and connect up with AR eyewear to create a virtual interface."
"This additional U1 chip means that in any UWB equipped building, the iPhone could potentially be sent precise location-based content, e.g. indoor turn-by-turn navigation, geo-fence warnings, promotions and entertainment content (audio guides and AR in our case).
Any implementation of UWB enabled experiences could naturally include high fidelity movement and behaviour analytics."
Read more about it in the links below. I should mention that the U1 is not embedded in the iPhone SE 2020. It is in the iPhone 11 series and will probably also be in the Apple Watch Series 5, AirPods, AirPod cases, Apple Glasses, an Apple car with keyless entry, etc.
Speculative But Very Likely Use Cases Of The Apple U1 Chip: "I have written a few reports over the last few years on how UWB technology will be used in the future. I presented the rather certain use cases in this article, however there will be many others. Given the time and space constraints here, I will mention a few:
- Bitcoin wallets and merchant payment systems
- Medical biometrics
- Voice First HyperLocal HyperContextual systems
With FaceID and Apple Pay you just look at your phone and confirm and leave. It is not hard to imagine many retail businesses adopting the system. It is also not hard to imagine AppleLocate used in industrial locations and medical locations." (Forbes article)
To conclude on the much celebrated privacy effort from Google and Apple, can we agree?
- Consumer Intelligence Research in retail and marketing is becoming more intrusive with IoT, like spyware. I personally will continue to deny Bluetooth and WiFi access, not only for privacy but also to mitigate security risks.
- Apple is perhaps the vendor most developed in this market for smart homes and for owning and distributing content. More proprietary digital solutions for market share give us fewer choices and result in bigger dependencies.
- Apple and Google will perhaps not allow governments to track our locations through the API, but they sure will track us, and they have already sold our data to several governments, as have many other businesses.
Smarter? If Apple were privacy-minded, would they have installed a U1 that is permanently on? Would they invest heavily in smart homes? Some inventions can surely help some sectors, but are self-driving cars with keyless control what we need in the future, or supermarkets watching our every move? I think other developments are more needed. Shall we start asking what is important for us human beings?
The next article shall be on digital technologies invented to identify poor health; it might come to your everyday life as well. Remember to think rationally and ask questions.
Top of mind
Further reading
Tracking Anonymized Bluetooth Devices, 2019, PDF (65 pages), by Johannes K. Becker, David Li and David Starobinski (added in an update of this article)
THE PRIVACY PROJECT, NYTIMES: In Stores, Secret Surveillance Tracks Your Every Move. As you shop, “beacons” are watching you, using hidden technology in your phone. (2) (added in an update of this article)
Apple and Google’s COVID-19 Exposure Notification API: Questions and Answers
Shelter in Place with Shane Smith & Edward Snowden (Full Episode), 10 April 2020
The Inventors of Bluetooth Say There Could Be Problems Using Their Tech for Coronavirus Contact Tracing, 5 May 2020. A must-read article on the weakness of Bluetooth in measuring distance. (1)
"Technology and Public Health Perspectives on Private automated Contact Tracing", May 2020 Video 120 min. IMPACT2020
On the Apple U1 chip / Ultra Wide-Band
What is the new Apple U1 chip, and why is it important?
Apple iPhone 11 and Watch 5 (U1) Teardown
Everything You Need To Know About The New Apple U1 Chip
Apple has added the option to disable the U1 chip completely on iOS13.
What Apple's U1 chip tells us about its future AR and smartwatch plans
Videos on Ultra Wide-Band
UWB Indoor-Localization and Tracking shown at CES 2020 "UWB offers highly precise positioning, even in crowded, multipath signal environments, and can pass through walls, crowds of people, and other obstacles. As a result, UWB makes it easier to navigate large spaces".
IntraPosition and Apple's UWB revolution
Automated monitoring tools
Bluetooth vulnerabilities
Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag, FEB 2020
Oh yes, and on a final sidenote: Facebook went up by more than 10% to an estimated 1.7 billion users in Q1 2020; family daily active people (DAP) averaged 2.36 billion in March 2020, an increase of 12% year-over-year.
Illustrations of AdTech: Piwik Pro
#Covid19app #bluetooth #tracking #dataprivacy #U1 #ePrivacy #GDPR #Google #Apple #infosecurity #Resilience #Tracing #wireless #GPS #RiskMitigation #FalseData
Senior advisor in data protection / infosec / cybersec / privacy enhancing technologies
Comment, 3 years later: "Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device's Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip." "Coexistence refers to a mechanism wherein #Bluetooth, #WiFi, and #LTE share the same components and resources — e.g., antenna or wireless spectrum — necessitating that these communication standards coordinate the spectrum access to avoid collisions when operating in the same frequency. Chipset vendors use this principle to allow Wi-Fi and Bluetooth to operate virtually concurrently"
Comment, 3 years later: The ‘pingdemic’: How UK's Covid-19 app has created a health headache #GAEN #ExposureNotification
Comment, 4 years later: March 2020, Handling of COVID-19: Forecast and capacity in Denmark for intensive care. "Statens Serum Institut has at the same time announced that the effect of the measures on the reproduction number will be quantified using ?? data on the population's transport and shopping habits, among other things. Statens Serum Institut has asked Rigspolitiet (the Danish National Police) to assist in obtaining this data. Statens Serum Institut's forecast of the effect will be prepared and quality-assured in cooperation with researchers from RUC." Document: