The Privacy Foundation New Zealand has reviewed the updated Privacy Impact Assessment (PIA) from the Ministry of Health (MOH) that addresses the extension of the Covid-19 App’s function into the use of Bluetooth[1]. The Foundation endorses the privacy-focused approach to the technology and highlights the following privacy points:

The problem is COVID-19. Contact tracing is like the ambulance at the bottom of the cliff. It is still very important, but people still need to think about self-protection from COVID-19 like washing hands, use of hand sanitiser, use of face masks, coughing and sneezing into elbows, and reporting to their doctor if they develop COVID-19 symptoms.

A PIA on new technologies or new processes which involve people’s personal information is essential. In particular, government agencies must be transparent about the thinking around privacy, including identifying any risks and steps taken to mitigate those risks. The MOH has approached the extension of the App into Bluetooth appropriately with an updated PIA. This was finalised on 4 December 2020 and there is no apparent reason why this could not have been released at that time instead of 24 hours before the implementation of the technology.

There are some excellent privacy enhancing responses to the development of the App[2]. The use of the App is voluntary, and the information recorded is under the control of the user. The Bluetooth add-on is anonymised. The MOH’s privacy policy applies to the App. The MOH is publishing the source code so that the technology is transparent, and people can check that the App delivers what is promised. Apple and Google have said they have incorporated privacy into the technology including their intention to stop the use of the exposure network framework as soon as it is no longer needed for COVID-19 tracing.

The PIA clarifies the uncertainty around how an individual who has tested positive for COVID-19 could send out an anonymous notice to other users of the App. It initially seemed that there was nothing to prevent a prankster issuing a false notice. The PIA explains that a person who tests positive for COVID-19 receives a text from a contact tracer with a code which they can choose to input into the App. From there, all the Bluetooth keys which have been collected by their App are uploaded, which creates a list for all users’ apps to check, and a notification comes up if there is a match.

This development is not the total solution to contact tracing but a helpful addition to the solution for those that can, and choose to, use it. The App and use of Bluetooth is not grounds for complacency. Not everyone has access to the technology and with only 2.4 million New Zealanders having downloaded the App, there needs to be equal emphasis on other strategies for contact tracing. Further, Bluetooth is generally secure (by way of encryption and frequency hopping) and reliable but it is not infallible. It involves wireless technology and hacking can occur if Bluetooth is on and there is connection with a short-range device that is designed to access data or send messages such as advertising. Like any technology, it can malfunction.

To minimise security issues with Bluetooth, people should take steps such as updating phone systems including security patches and using security recommendations for their phone; securing passwords; backing up data regularly; and being wary of the consequences of any data hack such as emails or calls from unknown sources, particularly if the sender or caller is seeking bank account details or other personal information.

With this pandemic hopefully winding down in the foreseeable future given the introduction of vaccines, the solutions which have been developed now and in a reactive way are likely to become the foundation for templates for future pandemics. There needs to be rigorous assessment, documentation, and review in a transparent way with public consultation to ensure we have got this right and we are ready when a pandemic happens again.

The Privacy Foundation remains committed to being vigilant about technology developments that may turn into the “thin edge of the wedge”. It would not take much to have Bluetooth data converted into shared information with government, including identifying information. It is important this Bluetooth addition to the COVID-19 app remains voluntary and data anonymised, and it is switched off when this pandemic is over.

[1] The use of Bluetooth in the Covid-19 App is to create an anonymised alert system for people who contract Covid-19 and wish to let others who have been near them know that someone in their vicinity has contracted Covid-19 and they should contact the MOH. What happens is that the App (using Apple and Google’s exposure notification framework) creates a signal or beacon from a user’s phone which connects with other phones that have the same Bluetooth signal enabled, and both phones collect the “key” sent by the other device. The key is a random set of numbers. There is no personal information shared and no personal information retained. Everyone’s “key” updates every 10 – 20 minutes to avoid hacking.