
Contact Tracing Will Be Built into Your OS. Are you ready? [Encryption Digest 38]

April 22, 2020 | Katrina Dobieski


In this issue:

  • Contact tracing and the short- and long-term implications
  • Privacy fact check and "how long is this going to last?"


Contact tracing; can’t live with it—can’t live without it. Whether or not there’s something “irresistible-ish about it” remains to be seen, as initial adoption will be up to the volunteers. Us. Will we download the CDC-approved app released by a joint Apple-Google effort, or will we wait until it hits the operating systems? Or will we do something different? No longer a debate, the growing reality of encryption (and all its uses) presents itself at the forefront of our national debate, our public health, and our civil liberties. It’s a good time for the numbers.

Contact Tracing: Coming to an OS Near You

With Google and Apple’s contact tracing coming in May, let’s look at what we are getting into.


Russia, China and South Korea have all been early adopters of similar practices. Some state-implemented ideas to “stop the spread” have included facial recognition (Russia), a color-coded human tracking symbol that limits your movement (China), and an alert system that sends out the age, gender, workplace and home location of infected individuals (South Korea). Stay safe.

According to their April 10 announcement, the two typically rival companies “will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing.” In other words, it functions as Bluetooth tracking between devices once you download the app, which becomes available next month.

That’s phase one.

Contact Tracing Built into the OS

Phase two rolls out with a more heavy-handed, though technically still voluntary, measure. The announcement states, “in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms.”

In other words, if you’re using the Android or iPhone OS a few months from now, you’ll have contact tracing already built in. While some say it’s necessary for public safety, others have weighty concerns about safety of a different sort.

“We just don’t have enough data”

“Something that was created to help solve a public health crisis, could instead be used to restrict people’s liberty,” said Kurt Opsahl, deputy executive director for the Electronic Frontier Foundation.

The move flies curiously in the face of rhetoric about “sunsetting pandemic provisions” only intended for the immediate crisis. Something about building permanent contact tracing solutions into two of the most ubiquitous operating systems in the world doesn’t strike me as temporary.

Adding to the concern, the decisive move by the two tech giants might seem iffy for one more reason:

“These technologies have not really been tested whether they really work or not,” said Josephine Wolff, assistant professor of cybersecurity policy at The Fletcher School at Tufts University.

“Potentially they could help alert individuals who are high risk and need to isolate, but we just don’t have enough data to really understand how much of a difference it’s going to make.”

With those basic questions still unvetted, that’s a big commitment to build into your software going forward. And data sharing can still be risky if you cannot be certain of its encryption status and who can access it. More on that to follow.




What We Know About Contact Tracing Privacy

As I covered above, next month, approved apps run by government health agencies will have the ability to track physical proximity between phones, using Bluetooth capabilities. Let’s look at how Phase I (the voluntary app phase in May) rolls out.

What Do We Know?

  • The data can be used to notify you if you’ve been in contact with someone with COVID-19
  • The program is opt-in
  • The program is Bluetooth only
  • No location data is collected
  • Only data on those diagnosed positive with COVID-19 will be collected
  • The Bluetooth codes are derived from cryptographic keys that change daily for security
  • The information (of everyone other than COVID-19 positive users) is anonymous
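A simplified sketch of the daily-key idea in the list above, added here as an illustration and not Apple's or Google's code. The HMAC-SHA256 construction, the labels, the key sizes and the 10-minute rotation are assumptions; the point is that only diagnosed users' daily keys are published and matching happens on the phone.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # assumption: the broadcast code rotates every 10 minutes


def daily_key(device_secret: bytes, day: int) -> bytes:
    """Derive the key for one day from a secret that never leaves the phone."""
    msg = b"daily-key" + day.to_bytes(4, "little")  # label is illustrative
    return hmac.new(device_secret, msg, hashlib.sha256).digest()[:16]


def rolling_code(day_key: bytes, interval: int) -> bytes:
    """Derive the 16-byte Bluetooth code broadcast during one interval."""
    msg = b"rolling-code" + interval.to_bytes(1, "little")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


def exposure_matches(published_day_keys, heard_codes):
    """Re-derive codes from diagnosed users' published daily keys and
    intersect them with the codes this phone overheard. Runs locally."""
    heard = set(heard_codes)
    matches = set()
    for key in published_day_keys:
        derived = {rolling_code(key, i) for i in range(INTERVALS_PER_DAY)}
        matches |= derived & heard
    return matches


def demo():
    # Constructed sample secrets and day number, not real device data.
    alice_secret, bob_secret = bytes(range(32)), bytes(range(32, 64))
    day = 18374
    alice_key, bob_key = daily_key(alice_secret, day), daily_key(bob_secret, day)
    # A third phone overheard Alice during two intervals and never met Bob.
    heard = [rolling_code(alice_key, 50), rolling_code(alice_key, 51)]
    return {
        "alice_diagnosed": len(exposure_matches([alice_key], heard)),
        "bob_diagnosed": len(exposure_matches([bob_key], heard)),
    }


if __name__ == "__main__":
    print(demo())
```

Because each day's key is derived independently, publishing one day's key lets other phones recompute only that day's codes and nothing about earlier or later days.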

Along with those facts are factual rebuttals:

  • Bluetooth is a wireless technology that is difficult to secure
  • The app doesn’t account for mistaken diagnoses
  • A recent study by the Imperial College of London reports that even anonymized data sets are not enough to secure personal information. The sets can be reverse-engineered “easily and accurately” to identify individuals—meaning even those without COVID-19. 

As an article in WIRED summed up, “The result is a complicated picture—an unproven system whose imperfections could drive users away from adopting it, or even result in unintended privacy violations.”

How Long Will It Last?

In addition to the app, other contact tracing strategies are being used, “including artificial intelligence, thermal imaging, facial recognition, IoT sensors, and more.”

“These companies we're talking to, and many of them are governments... want to be able to, at a moment's notice, separate people,” said Marty Sprinze, CEO of Vantiq, a firm specializing in surveillance technologies.

“At first, when we were being pulled in to build these apps or work with our partners to build these apps, at first we started thinking that, 'Oh, this is something that's going to last for a few months.' That's not the case.”





About the author

Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.
