Alabama’s contact tracing app won’t collect location data

News

The Alabama Department of Public Health has admitted it doesn’t have enough workers to efficiently trace all of the people who have come in contact with someone who tests positive for COVID-19.

So, the state is turning to tech giants Google and Apple for help with a contact tracing app. 
But how does it work, and what does this mean for the privacy of Alabamians?

Do you remember everyone you’ve come into contact with over the past 14 days? Well, if someone is diagnosed with COVID-19 health officials are going to want to use that information for contact tracing. With a new app ADPH, UAB and Birmingham-based company Motionmobs are developing, people won’t have to remember; their phones will collect that information for them.

The app works with your phone’s Bluetooth signal.

“The app will be distributing a randomized key for you. It changes every 15-20 minutes and it will exchange that key using Bluetooth with any other app that comes within range of it,” said Emily Hart, director of consulting and marketing for Motionmobs.

The app saves your keys and the keys of users you come in contact with for 14 days. If one of those people tells the app they were diagnosed with COVID-19, you will receive a notification. WHNT can’t tell you all the information people will receive, but the idea is that they will be sent the date the exposure took place, how long it lasted, and the strength of the Bluetooth signal.

Hart says it will be up to UAB and ADPH to determine how close and how long people will need to be exposed to each other in order for keys to be exchanged.

Some experts worry about the accuracy of the Bluetooth signal. Gregory Nojiem, Director of Freedom Security and Technolgy project at the Center for Democracy and Technology in Washington DC says Bluetooth signals can fluctuate if they travel through walls, clothing or peoples’ bodies.

“There’s a variety of things that affect signal strength other than the distance between the two phones and those are hard to account for in determining whether the person gets notice,” Nojeim said.

He says your Bluetooth needs to be enabled at all times for this to work effectively. But does that put your information at risk?

Joshua Crumbaugh is the CEO of Peoplesec, a Huntsville-based cyber security firm. He says Bluetooth has been hacked before.

“A few years back there was a Bluetooth vulnerability discovered that allowed attackers to download somebody’s entire address book or contact list, so it’s all in the execution and how well they’re actually doing this,” Crumbaugh explained.

Hart says a third party cyber security firm will test the app before it is released, but they have not been told which one.

Crumbaugh says when people download contact tracing apps they should consider what information the app has access to. He also says people should know about the security of the app itself, has it been tested and where is data stored at the end of the day.

Something to note… Alabama has partnered with Google and Apple to use their ‘Exposure Notification’ API for this app. The companies are allowing state health departments use their interface to create contact tracing applications. This allows for data to be stored directly on the device itself, which can be beneficial for security purposes.

“It’s a difference between when it’s on the operating system level a bunch of data can be stored locally and it just exchanges keys when necessary. When its through a third party app, all of that data has to go on a server somewhere and that’s when your security issues begin to arise because you’re now sending information about where you’ve been and who you’ve been in contact with off your device,” Hart explained.

 The apps using Google and Apple’s API will all operate pretty much exactly the same way. Nojeim says the tech giants are taking privacy measures others are not. They do not allow the health department to have access to users’ identities or geographical location. Alabama’s app developer describes it as a little black box.

“It can’t connect to location services, it can’t connect to any other data on your phone, it can’t connect to your social network, your contacts. it does not have permission to go outside of itself,” Hart said.

Downloading the app and using it is voluntary. Nojeim say 60% of the population needs to use it to be effective, which could be a challenge.

“So, Singapore created an app that’s probably been in use for a couple of months now. It’s a different system than what Google and Apple have put together, but they never really broached the 20% or 21% user rate,” Nojiem said.

Curtis Carver, Chief Information Officer for ADPH released a statement to WHNT saying that an Oxford study suggests 80% of the population to use the app. The statement reads in part, “We have tried to develop the app with Apple and Google so as to provide the greatest possible protection of user privacy, user control over notification, and the greatest technical chance of success. This creates the opportunity for widespread adoption in Alabama.”

Google and Apple have released a document addressing frequently asked questions. In it, it’s explained that the Exposure Notification API will have two phases. It the second phase it says, “After the operating system update is installed and the user has opted in, the system will send out and listen for the Bluetooth beacons as in the first phase, but without requiring an app to be installed.”

WHNT News 19 has asked for clarification about how this will affect the state’s app. Carver told WHNT, “This is a future development that has not been deployed and we have not discussed with Apple, Google, or ADPH. We would be happy to discuss at a future date when additional information, beyond the website you reference below, is released.”

We have also reached out to Google and Apple for clarification and have yet to hear back.

ADPH officials say when the app is launched it will first be rolled out on college campuses, but a launch date has not yet been released.

Trending Stories