Thread on "theoretical" privacy concerns around Aarogya Setu which will soon become reality.

aka the real motivation behind "tech industry volunteers" who built the app.
The key feature of Aarogya Setu is that the app is always running and keeps advertising your presence via Bluetooth everywhere you go, so that other devices running the app can detect your presence and "establish contact".
Knowing everywhere you go is very valuable information for every company that's into surveillance capitalism.

It allows them to build a more complete profile of you and your preferences, than just from browser cookies.
Google collects this data from Android users but does not share it with others.

Other companies need to find ways to collect this data. That's why apps and businesses want users to "Check-in" at places they visit and offer rewards for it.

Or why apps care about WiFi connections.
Bluetooth addresses are static, and because the BT protocol relies on them for pairing and re-connecting to known devices, it's not practical to keep changing them.

(Unlike WiFi MAC addresses, which privacy-respecting devices keep randomising to protect your privacy.)
While contact tracing requires the apps to talk to each other, proximity detection does not require it, since you are always advertising your presence and the other device can sense how strong/weak your signal is.
So everyone with Aarogya Setu installed is walking around with a beacon that advertises their presence and identifies them uniquely to everyone around with a Bluetooth enabled device.
(Not just to others with the app installed)
Until now, most people turned off their Bluetooth, and even if they left it on, the device wasn't discoverable to others.

So it wasn't really worthwhile for companies to invest in tracking people via Bluetooth.
But Aarogya Setu has turned that on its head.

Any phone with the app installed has Bluetooth turned on and is discoverable to everyone.

And with millions of active users and the govt. pushing for millions more to download the app.

BT stalking will hit critical mass.
Matter of time before companies realise this and start stalking people by Bluetooth.

(Or they already realised this when they volunteered to build the app.)
If a fintech company enables this feature for their merchant app or tablet POS device, or mobile card swipe app, or cab/food delivery company enables this on their driver apps.

Your Bluetooth Address is no longer anonymous but links back to you explicitly.
If your BT Address is in proximity for multiple transactions, they can confidently link the Bluetooth address and all the associated location data back to your profile with other pieces of information about you, Name/Phone/Debit or Credit card numbers/Home Address etc.
There are non-privacy threats too.

Most Android phones are vulnerable to a serious Bluetooth bug that allows remote code execution.

Android versions 8, 9 and 10 (Oreo, Pie and Android 10) that received this update in Feb 2020 are safe.

h/t @sgekar

https://source.android.com/security/bulletin/2020-02-01
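
For anyone auditing phones against the February 2020 bulletin linked above, this added example (not part of the original thread) classifies a device from its `getprop` output. The device names and sample output are constructed, and the 2020-02-01 cut-off is an assumption taken from the bulletin URL.

```python
import re
from datetime import date

REQUIRED_PATCH = date(2020, 2, 1)  # assumption: patch level named in the bulletin URL
COVERED_RELEASES = {8, 9, 10}      # versions the thread calls safe once updated

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(text):
    """Parse `getprop` output lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def patch_status(props):
    """Return 'patched', 'unpatched', 'not-covered' or 'unknown' for one device."""
    release = props.get("ro.build.version.release", "")
    level = props.get("ro.build.version.security_patch", "")
    major = re.match(r"\d+", release)
    if not major:
        return "unknown"
    if int(major.group()) not in COVERED_RELEASES:
        return "not-covered"       # the thread makes no statement about these
    try:
        patched_on = date.fromisoformat(level)
    except ValueError:
        return "unknown"           # patch level missing or malformed
    return "patched" if patched_on >= REQUIRED_PATCH else "unpatched"

# Constructed sample inventory: device name -> captured `adb shell getprop` lines.
SAMPLE = {
    "phone-a": "[ro.build.version.release]: [10]\n[ro.build.version.security_patch]: [2020-02-05]",
    "phone-b": "[ro.build.version.release]: [8.1.0]\n[ro.build.version.security_patch]: [2019-11-01]",
    "phone-c": "[ro.build.version.release]: [7.1.2]\n[ro.build.version.security_patch]: [2018-06-05]",
    "phone-d": "[ro.build.version.release]: [9]",
}

def audit(inventory):
    """Classify every device in the inventory."""
    return {name: patch_status(parse_getprop(out)) for name, out in inventory.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```
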
You can follow @kingslyj.