Simon's Blog

Reviewing Covid Alert Malta

October 25, 2020

The Maltese version of this article can be found here.

Introduction

I write this article a bit more than seven months after the Novel Coronavirus pandemic arrived onto Maltese shores. There are many aspects of this pandemic that I wish to share thoughts about, especially on the truths that it has revealed about us as a species and as a nation in socio-economic and political realms, however I will, for this article, stick to what I know best, which is the technological.

Contact Tracing in the 21st Century

The Maltese Government has released a contact tracing smartphone application. The app exchanges short Bluetooth signals with other smartphones in the person’s immediate vicinity, for the purpose of augmenting the manual contact tracing process.

The idea is that, if someone you came into contact with tests positive for Covid-19, then the process of informing you of this contact becomes much easier, since your smartphone kept track of the fact that you were in the vicinity of a positive case.

The main issue around such a system is and always will be:

How can you preserve the privacy of an individual whilst still keeping track of them and their contacts?

The Maltese Government’s technological authority MITA has claimed that the app was developed in line with GDPR and also had it audited by the Malta Digital Innovation Authority.

Unfortunately, lack of transparency is a persistent issue in Maltese affairs - it is often difficult to get an answer as to how something was performed or to what level.

In a rare move, MITA have opted to open-source the entire stack for this application. This is the boldest and best move that MITA could ever make with the aim of fostering trust in the system.

They are literally stating that they have nothing to hide when it comes to what is going on under the hood. This enables even the most skeptical amongst us to review, audit and verify that the system is indeed preserving privacy and equipping our country to bring the pandemic under control faster.

Marrying privacy and contact tracing

Contact tracing feels like the evil twin of privacy. You are contacted by someone you do not know, about something you cannot see and you have to share where you were and whom you were with within the past few days, in as much detail as possible.

Despite this, it turns out that contact tracing is very important for containing a pandemic, so, seemingly inherent privacy nightmare and all, we do it, so that maybe, just maybe, we can put this pandemic behind us a little bit sooner.

On closer inspection however, the exact time, date and place you were within proximity to someone is not as important as exactly who you were within proximity to (given parameters such as whether you were within two metres of each other, for longer than fifteen minutes and without any sort of face covering).

Wouldn’t it be great if we could share the information of who we were within proximity of, without going into the other details of where, when and possibly why? Bonus points if it could include people we do not even personally know.

Another issue is that our human memory is not particularly robust or reliable. We forget details, we mix up their order, we perceive time to be longer or shorter than it actually is. That chat you had with your neighbour at the grocer? It felt like five minutes but you actually spent twenty minutes. Wouldn’t it be great if we could recall details of our interactions with the highest precision?

It turns out, thanks to a collaboration between the greatest minds at Apple and Google, that most modern smartphones (those supporting Bluetooth Low Energy (BLE) and running Android 6 Marshmallow or above with Google Play Services, or iOS 13.5 or above) now have Privacy-Preserving Contact Tracing capability (since renamed Exposure Notifications) built into their respective operating systems.

Article Outline

This article will focus heavily on the specific implementation that MITA have released that hooks into the Apple-Google Privacy-Preserving Contact Tracing system rather than the PPCT system itself. The aim is to challenge and verify the specific claims that it does not gather any sort of location data of the individual running it.

I will also follow a simple Question and Answer structure throughout rather than providing an FAQ at the end.

Covid Alert Malta

Let us start with an explanation of what open-source is.

Open-source software is software whose source code is available to read, modify and compile. Closed-source software does not disclose its source code: a user can only run it in pre-compiled form (like Microsoft Word) or consume it as a service (like Google Maps).

With open-source software (often abbreviated OSS), we can verify behaviour either by running the program or by reading the source code; the latter matters because a program may do things that it never shows the user. With closed-source software, we can only observe the behaviour of the program by running it, and otherwise have to rely on what we are told it does (or does not) do.

If I had to provide an analogy, a closed-source chocolate cake is the kind you buy ready to enjoy. It looks delicious and tastes delicious, but you have no idea how, when, where or with what it was baked. The baker may assure you that it is gluten free, vegan or was baked in a nut-free environment, but the only assurance you have is the baker’s word.

An open-source cake would be if the cake came with the recipe listing precisely the ingredients, their amounts, their source and the process of baking. We can observe or eat the cake and not care about the recipe, but we can also use the recipe to bake our own version of the cake, either to mix it up with our own preferences (such as replacing the chocolate frosting with jam) or to see if we end up with the exact same chocolate cake that has been pre-baked for us.

In this case, the Covid Alert Malta Android and iOS apps, along with the server which handles exposure notifications, are forks (the equivalent of a software remix) of another open-source Covid-19 contact tracing app, specifically the SwissCovid app (itself built on the DP-3T protocol, as the repository name dp3t-app-android-ch suggests).

Question

Does this mean that MITA stole the SwissCovid app and claimed it as its own?

Answer

Not at all. The specific open-source licence under which the SwissCovid app is made available allows for modifications and re-distribution (more about this later on).

Question

Why didn’t MITA write one from scratch?

Answer

I do not speak for MITA so I cannot answer this in their name, however I can speculate.

Before writing any software one should evaluate its feasibility, both in terms of financial and time investment. Writing a contact tracing app from scratch is an option, however the time and knowledge investment required can be very high. Taking into consideration the fact that, in a pandemic, the sooner you release a contact tracing app the better, any large time investment becomes cost-ineffective.

It would be much more feasible to find a pre-existing open-source implementation and adapt it to your specific needs. One of the main ideas behind Open Source is to avoid double-work. Code is shared in the spirit of collaboration and so that everyone benefits from not constantly re-inventing the wheel.

Question

Is MITA obliged to share the source code?

Answer

Yes. (Nearly) all open-source code comes with a licence, which specifies the duties an individual or organisation must take on in order to make use of the code. In this case, the SwissCovid app is licensed under the Mozilla Public Licence 2.0. Quoted directly from the linked MPL FAQ:

Q9: I want to distribute (outside my organization) MPL-licensed source code that I have modified. What do I have to do?

To see the complete set of requirements, read the license. However, generally:

You must inform the recipients that the source code is made available to them under the terms of the MPL (Section 3.1), including any Modifications (as defined in Section 1.10) that you have created.

You must make the grants described in Section 2 of the license.

You must respect the restrictions on removing or altering notices in the source code (Section 3.4).

Question

Does making the source code available make the app less secure?

Answer

The security of any software is not contingent on whether it is open-source or not, but rather on the quality of the software itself.

Creating insecure software and choosing not to disclose the source code is the equivalent of baking a cake and choosing not to disclose whether it contains gluten. Regardless of disclosure, the amount of gluten does not change, and the cake can still cause mild to deadly health issues for a consumer who is gluten intolerant or coeliac.

Choosing not to disclose source code on the basis of security is known as security through obscurity, an approach discouraged by professionals working in software, security and information systems. Cryptography has had the same rule since the nineteenth century in Kerckhoffs’s principle: a system must remain secure even when everything about it except the key is public.

Question

Wasn’t this App reviewed and certified by the MDIA?

Answer

One would hope that software such as Covid Alert Malta, which in an ideal world is running on every single smartphone in the country, would have gone through a rigorous security review.

To this end, the MDIA has claimed that the app passed their certification process, however this certification process is not public or transparent. Blind trust in any institution should be avoided since at the end of the day it is still made up of humans. I highly encourage the MDIA to share how and to what level certification was ensured, especially as this will continue to build trust in the system, which would drive even more installations.

Regardless of the above, open-sourcing the app allows anyone to perform their own audit. Regardless of your level of trust in any institution, whether you are more lax or more pedantic, the fact that the source code is right there for review will enable you to put your own seal of approval on it.

The Source Code

Full Disclosure: My expertise and experience lie mainly in cross-platform apps. I do not write apps in platform-specific languages (such as Java, Kotlin, Objective-C or Swift). Regardless, I have prior experience in Java and in apps in general, which I consider sufficient to perform this review.

The source code can be found at the following URL: https://github.com/GOVMT-MITA/dp3t-app-android-ch

Given that it is a proper fork, we can compare the MITA repository directly against the original. GitHub’s compare view produces a diff (short for difference): an automatically generated, file-by-file list of what changed. One caveat when reading such a view: it compares the fork against the current state of the upstream branch, so if SwissCovid has continued to receive commits since the fork was taken, those upstream changes also show up as differences and should not be attributed to MITA.

From a quick skim, it looks like the only major addition to the app was the option to choose a language during onboarding and the localisation of the app into the chosen language. There does not seem to have been any change in the behaviour of the app from what SwissCovid provided.

Question

The App keeps insisting that I turn on location settings. Everyone insists that the app never tracks my location. Why is there this disparity? Are they lying?

Answer

This disparity is an unfortunate User Experience (UX) issue within the Android operating system, captured in the screenshot below:

Location Permissions

First of all, we can confirm whether the app has asked for access to location data at all, whether approximate (ACCESS_COARSE_LOCATION, derived from nearby Wi-Fi networks and cell towers) or precise (ACCESS_FINE_LOCATION, which adds GPS).

When it comes to Android (iOS has an equivalent mechanism), a developer must declare up-front which permissions the application requires to function. These are listed in the AndroidManifest.xml file. In our case, we can find it here.

The permissions listed are:

  • <uses-permission android:name="android.permission.BLUETOOTH" />
  • <uses-permission android:name="android.permission.INTERNET" />

If the app wanted to track your location itself, we would see one or more of the following permissions listed, as outlined in the Android Developers Documentation:

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />

Plain as day: Covid Alert Malta’s own code is not able to track your location. Not directly at least: the Bluetooth scanning itself is carried out by the Exposure Notifications component inside Google Play Services on the app’s behalf, so the manifest tells us what the app can do, not what that platform component can do.
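The manifest check above can be turned into a small script, so the same question can be asked of any Android app’s source tree. The following is an added example written for this article, not code from the Covid Alert Malta or SwissCovid repositories: the two manifests inside it are constructed (the first mirrors the two permissions listed above, the second is a hypothetical location-tracking app used to show what a positive match looks like), and the package names are placeholders. It also catches the uses-permission-sdk-23 form, which requests a permission only on Android 6 and above and is an easy place to hide a location permission from a quick skim.

```python
"""Audit which Android permissions an app declares, from its AndroidManifest.xml.

Added example (not code from the Covid Alert Malta repository). Both manifests
below are constructed; the package names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's form of android:name

# Permissions that would let an app read the device's location itself.
LOCATION_PERMISSIONS = frozenset({
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
})

# Constructed manifest mirroring the two permissions the article found.
CONTACT_TRACING_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.contacttracing">
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Example" />
</manifest>
"""

# Constructed manifest of a hypothetical app that does track location.
TRACKING_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.tracker">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
    <application android:label="Example" />
</manifest>
"""

PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}


def declared_permissions(manifest_xml):
    """Return every permission the manifest requests, in declaration order.

    <uses-permission-sdk-23> is requested only on API 23+, which is every
    device that can run Exposure Notifications, so it counts just the same.
    """
    root = ET.fromstring(manifest_xml)
    return [
        elem.get(NAME_ATTR)
        for elem in root.iter()  # document order
        if elem.tag in PERMISSION_TAGS and elem.get(NAME_ATTR)
    ]


def location_permissions(manifest_xml):
    """The subset of declared permissions that give access to location data."""
    return set(declared_permissions(manifest_xml)) & LOCATION_PERMISSIONS


def can_read_location(manifest_xml):
    """True if the app could obtain the device's location through its own code."""
    return bool(location_permissions(manifest_xml))


if __name__ == "__main__":
    for label, manifest in (("contact tracing", CONTACT_TRACING_MANIFEST),
                            ("hypothetical tracker", TRACKING_MANIFEST)):
        print(label, declared_permissions(manifest),
              "location access:", can_read_location(manifest))
```

Reading the manifest tells you what the source declares; to confirm that the binary actually installed on phones matches, run aapt dump permissions (from the Android SDK build tools) against the published APK and compare the two lists.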

Question

So then why does the app need location setting turned on?

Answer

Forget Covid Alert Malta for a second. Location information may leak if Bluetooth is enabled.

If Bluetooth is enabled, then your phone is going to be able to both transmit and receive data over BT. Devices are capable of finding each other if one of them is made discoverable. This is the process used when setting a BT device (such as a headset) in pairable mode. The headset shouts to all other devices in the vicinity that it is available for pairing, you use your phone to pair with it and they can now exchange data, which in this case would be audio.

One of the ways devices can recognise each other is via their MAC address. This is similar to a postal address: I recognise that it is John’s house because John lives at number 24 and the house in front of me has number 24. Similarly, your BT device will have an address in the format D9:79:D4:9C:C9:1C.

If your device is broadcasting this address to any other device in the vicinity, then those devices can use it to correlate your movements and form a vague idea that you are the same person. Typically this is done with a fixed BLE receiver (often loosely called a beacon) in a process such as:

  1. Restaurant owner wants to track how many people are in his restaurant
  2. Owner sticks a BLE receiver above the soffit
  3. You, as a regular, go there every Friday evening for happy hour
  4. Your phone is shouting out its MAC address to every device in the vicinity
  5. The receiver takes note of your MAC address
  6. The owner knows they have a consistent regular every Friday night, based on the fact that the same MAC address turns up at the same time every week

Does this mean that the owner knows your full name, address, ID card number, etc.? No, not at all. Does this mean that they can work out which person has that MAC address? Maybe. Maybe they are watching their security camera footage to see who walks in the door when the MAC address is registered by the beacon. This is a correlation attack.

This is what I meant by location data may leak. It does not mean that having BT enabled will share your home address, but that there can be a nugget of information which, if sufficient nuggets are gathered, can begin to indicate who owns that device.

Get this: the exact same thing happens with Wi-Fi. Whenever your device advertises itself to possible access points (in a process called probing), it reveals its MAC address, which, if someone keeps track of it, leaks location data in the same way. Newer versions of both Android and iOS randomise the address used in these probes precisely to blunt this.

Covid Alert Malta is not the cause of possible location leakage. The reason Android requires location services to be enabled is the mirror image of the scenario above: a phone that scans for Bluetooth LE signals can infer its own position from fixed transmitters with known locations, so the operating system refuses to return BLE scan results while the system location toggle is off, regardless of which app is asking. (Android 11 lifted this requirement for the Exposure Notifications system specifically.) The identifiers broadcast by Exposure Notifications are themselves rotated together with the phone’s Bluetooth address every ten to twenty minutes, precisely so that a fixed scanner cannot follow one phone over time.
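To make the correlation attack concrete, here is an added example (not code from the article or from Covid Alert Malta) that runs the restaurant scenario above over a constructed scanner log, then repeats it with a phone that changes its Bluetooth address every fifteen minutes, which is what Exposure Notifications does alongside rotating its broadcast identifier, and what probe-address randomisation does for the Wi-Fi case. The address D9:79:D4:9C:C9:1C is the one used as an illustration above; every other address, timestamp and visit is constructed.

```python
"""Correlate recurring Bluetooth addresses in a scanner log, then show why
address randomisation defeats the correlation.

Added example, not code from the article or from Covid Alert Malta. The log,
the visit times and all addresses other than the article's D9:79:D4:9C:C9:1C
are constructed.
"""
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log from a receiver in a restaurant: "<ISO timestamp> <BLE address>".
SCANNER_LOG = """
2020-10-02T18:05:00 D9:79:D4:9C:C9:1C
2020-10-02T18:40:00 D9:79:D4:9C:C9:1C
2020-10-02T19:10:00 5A:10:22:F3:01:9B
2020-10-09T18:12:00 D9:79:D4:9C:C9:1C
2020-10-09T19:30:00 0C:4E:77:A1:B2:C3
2020-10-13T12:30:00 5A:10:22:F3:01:9B
2020-10-16T18:03:00 D9:79:D4:9C:C9:1C
2020-10-16T20:15:00 3E:8D:11:42:9A:F0
""".strip().splitlines()

FRIDAY = 4  # datetime.weekday(): Monday is 0


def parse_sightings(lines):
    """Turn log lines into (datetime, address) pairs, skipping blanks and comments."""
    sightings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, address = line.split()
        sightings.append((datetime.fromisoformat(stamp), address.upper()))
    return sightings


def recurring_addresses(sightings, weekday=FRIDAY, start_hour=18, end_hour=21,
                        min_weeks=2):
    """Addresses seen inside the weekly window on at least min_weeks distinct dates.

    This is the correlation step: a stable address that turns up every Friday
    evening is, with high probability, the same person's phone.
    """
    dates_by_address = defaultdict(set)
    for when, address in sightings:
        if when.weekday() == weekday and start_hour <= when.hour < end_hour:
            dates_by_address[address].add(when.date())
    return {addr: sorted(dates) for addr, dates in dates_by_address.items()
            if len(dates) >= min_weeks}


def random_private_address():
    """A fresh BLE non-resolvable private address: 46 random bits, top two bits 00."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] &= 0x3F
    return ":".join("%02X" % b for b in raw)


# The regular's three Friday visits (constructed), as (arrival, departure).
REGULAR_VISITS = [
    (datetime(2020, 10, 2, 18, 0), datetime(2020, 10, 2, 19, 0)),
    (datetime(2020, 10, 9, 18, 0), datetime(2020, 10, 9, 19, 0)),
    (datetime(2020, 10, 16, 18, 0), datetime(2020, 10, 16, 19, 0)),
]


def rotating_device_sightings(visits, rotation_minutes=15):
    """What the receiver sees if the phone changes its address every interval.

    Exposure Notifications rotates the Bluetooth address together with the
    broadcast identifier roughly every 10 to 20 minutes; 15 is assumed here.
    """
    sightings = []
    for arrival, departure in visits:
        slot = arrival
        while slot < departure:
            address = random_private_address()
            # The receiver catches a couple of advertisements per interval.
            sightings.append((slot, address))
            sightings.append((slot + timedelta(minutes=5), address))
            slot += timedelta(minutes=rotation_minutes)
    return sightings


if __name__ == "__main__":
    print("fixed address:   ", recurring_addresses(parse_sightings(SCANNER_LOG)))
    print("rotating address:", recurring_addresses(rotating_device_sightings(REGULAR_VISITS)))
```

With the fixed address, the regular is picked out after two Fridays; with a rotating address, the same three visits produce a dozen unrelated-looking addresses and nothing recurs, which is the property the Exposure Notifications design relies on.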

Conclusion

I strongly recommend installing Covid Alert Malta for the following reasons:

  1. The source code is right there if you want to audit it
  2. It does not actually make use of your GPS or any sort of location data
  3. It will help speed up contact tracing, which should help bring the current Covid-19 outbreak under control
  4. There are many other applications which are siphoning off your location data in more egregious and obvious ways, such as Facebook, TikTok, Google Maps, Revolut, etc. To be concerned about Covid Alert Malta but not about all the other apps that are installed which actually request location permissions shows a fundamental misunderstanding of how widespread data siphoning is.

There are non-security concerns with running BT constantly, such as higher than expected battery drain. I think this is a small price to pay for a privacy-conscious way of performing rapid contact tracing, especially in the age of battery packs and quick charging.

You can download Covid Alert Malta from the following links:


Written by Simon who lives in Malta. You can find out more about me on the about page, or get in contact.