So, the New Zealand Covid Tracer app... it's out. And sure, I do have an opinion on it.

Disclaimer: I'm a back end and Android engineer. I have not been involved with building this app nor any competitors. I have a few friends who have done work on another contact tracing app.

1/
Caveat: I'm not looking at this with the eyes of a hacker or security professional, nor am I a legal expert in privacy law.

This thread will solely list a few things I found from looking closer at the app code & implications arising from them.

Draw your own conclusions.

2/
The NZ govt's Covid Tracer app is being sold as a "digital diary" via scanning QR codes in places you visited.

Registering for the app (which is mandatory) allows human contact tracers to have your up-to-date contact information.

3/
For starters:

Having to create an account and set up a login with a password is a deterrent to uptake of this app. They do that because they want as much of your contact info as possible.

The PIA seems to be quite clear & open about that, too. ( https://www.health.govt.nz/system/files/documents/pages/nz_covid_tracer_pia_18_may_2020.pdf )

4/
Some problems with this:

1. This approach limits uptake, because there'll be people who can't be arsed to set up JUST another account to just scan QR codes.

2. People will be (rightfully, in my view) concerned about the government collecting their personal data.

5/
Now, we all know that FB, Twitter or Google are collecting way more data from us, however that's different from the government doing so.

Also - the government has a bad(tm) track record of dealing with personal data in a safe, secure and appropriate way.

6/
The minimum info you'd have to provide is an email address (and password) - but the sign-up process strongly pushes you towards providing much more.

If I was to register for it, I'd set up a new gmail address for this purpose only and redirect it to my real email.

7/
Also, I would not provide any more personal information and just check my email regularly (which I do anyway).

From a technology point of view, this is more a mobile website than an app (and I'm looking at the Android version here, but assume iOS is same/similar).

8/
It's more or less running http://tracing.covid19.govt.nz in a WebView component with some native bits, like nav, the QR scanning, storing information in sqlite on the device & dashboard.

The app seems to be written at least partly in Kotlin & uses a bunch of standard Android libs.

9/
The fact that this is a WebView is problematic to some extent. If the content and functionality on http://tracing.covid19.govt.nz was to change, the app's functionality would change.

It'd be easy for the government to push a new web app into the WebView that does "X" now.

10/
"X" being a new functionality, potentially something useful, but something you haven't agreed to. Let's say, trying to get your GPS location.

Now, because "X" would have to be written in JS inside of a WebView, they could only do certain things, but that's not great.

11/
WebViews allow quick & convenient content changes, essentially avoiding the process of having to publish a new app through the app stores and also undermining/avoiding the app review processes.

Note: this is not unusual or malicious as such; lots of companies sadly do this.
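What a swapped web bundle can actually reach is decided by the native shell, not by the served page. As an added illustration (not the Covid Tracer app's own code), this Kotlin WebView setup pins navigation to one https host and refuses every geolocation request coming from page JavaScript; the host name is the one the thread mentions, the class and function names are assumed.

```kotlin
import android.net.Uri
import android.webkit.GeolocationPermissions
import android.webkit.WebChromeClient
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Assumed allow-list for illustration: only the app's own web host may be loaded.
private val ALLOWED_HOSTS = setOf("tracing.covid19.govt.nz")

/** True only for https URLs on an allowed host. Pure function, so it is easy to unit test. */
fun isAllowedUrl(url: String): Boolean {
    val uri = Uri.parse(url)
    return uri.scheme == "https" && uri.host in ALLOWED_HOSTS
}

/** Blocks navigation away from the allowed origin, so served content cannot redirect the WebView. */
class RestrictedWebViewClient : WebViewClient() {
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        // Returning true means "handled by the app": the WebView does not load the URL.
        return !isAllowedUrl(request.url.toString())
    }
}

/** Denies geolocation for every origin, regardless of what the served JavaScript asks for. */
class NoGeolocationChromeClient : WebChromeClient() {
    override fun onGeolocationPermissionsShowPrompt(
        origin: String,
        callback: GeolocationPermissions.Callback
    ) {
        // invoke(origin, allow = false, retain = false): deny now and do not remember the decision.
        callback.invoke(origin, false, false)
    }
}

/** Applies the restrictive settings; call once after inflating the WebView. */
fun configureWebView(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = true          // the web app itself needs JS
        setGeolocationEnabled(false)      // second line of defence next to the chrome client
        allowFileAccess = false           // served content cannot read local files via file://
        allowContentAccess = false        // nor content:// providers
        domStorageEnabled = true
    }
    webView.webViewClient = RestrictedWebViewClient()
    webView.webChromeClient = NoGeolocationChromeClient()
    // Deliberately no addJavascriptInterface(): nothing native is exposed for page JS to call.
}
```

Even with these settings the page content itself can still change server-side; the shell only bounds what changed content can do on the device.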

12/
The only obvious reference to a backend API is https://api.tracing.covid19.govt.nz (requiring an AuthToken), albeit I haven't looked deeper into what is actually going over the network at this stage.

The code base of the app has a bunch of references to third party products, too.

13/
In the Privacy Impact Assessment, MoH refers to Amazon Pinpoint for analytics purposes. I don't know that product well, but it seems to be able to do more - real-time analytics and user engagement --- I assume it might allow contact tracers to send notifications to you.

14/
There's also code references to AWS Cognito, an identity management solution. I assume that's used for registration and their 2FA setup.

It's *not* mentioned in the PIA though as far as I can see. Or if it is, only very vaguely, without product name/reference.

15/
The app also has the Microsoft App Center crash reporting libraries built in. I assume they use that to record and log issues inside the app.

Again, doesn't seem to be mentioned in the PIA at all, which is not great.

16/
To store data on the device (Locations), Room is used. Kind of the common DB store these days on Android.

Looking superficially over some of the classes that are used to model check-ins and locations, there *currently* doesn't seem to be anything in there more than:

17/
User id (you, I assume), Business id, name and address, QR code GLN and timestamp.

The permissions required for it on Android are camera and full network access. That's quite common.

Note though: It's entirely possible that updates to the app will sneak in more.

18/
Depending on *which* permissions specifically, that might even happen without you as the user having to agree to that.

Personally, this is one of the apps on my device that I would *not* allow to auto-update.

The PIA is quite open about their future app plans, too.

19/
TL;DR; A quick scan through the de-compiled and de-obfuscated Android code makes me think there's currently nothing obvious in the app where authorities are maliciously not telling the truth.

There are third party data collection solutions used that are not in the PIA!

20/
The latter is something that I'd like to point @andrewtychen and @JCE_PC to.

I believe that the use of Amazon Cognito and Microsoft App Center should be openly and transparently disclosed in the PIA.

If not legally required, then just for good faith and trust in the app.

21/
TL;DR; (2): Would I currently use the app?

If I were engaging with the public & leaving my property, I might, under the following rules:

- Using a dedicated email address I'd make sure to check
- Would not provide any other personal info
- Would not auto-update the app

22/
TL;DR; (3): Future plans for the app:

Hmmm. Some of their intentions seem to be good, but seem to point towards MoH wanting to store location data centrally, which would be an instant absolute no-go zone.

If they integrate with the Google/Apple APIs, that'd be much better.

23/
TL;DR; (4): Swapping functionality:

Be aware that everything that's provided in their WebView architecture could conceptually be swapped by them at any time to something you don't like and haven't agreed to (without you knowing).

I doubt they would, but hey... 🤷
