Bluetooth tracking and COVID-19: A tech primer

In a scramble to track, and thereby stem the flow of, new cases of the Coronavirus, Governments around the world are rushing to track the locations of their populace. One way to do this is to write a smartphone app which uses Bluetooth technology, and encourage (or mandate) that individuals download and use the app. The aim of this piece is to provide more detail on the technology itself, rather than a deep dive into the risks and whether or not Bluetooth technology should be used.

Explainer
Key points
  • The risks associated with using Bluetooth for tracking do not just occur at the time the data is collected, but continue as long as it is stored in particular once it has been linked to an individual
  • Alternatives to Bluetooth include apps collecting GPS and Wifi location data, or government authorities going directly to telecommunications operators themselves
  • Despite the drawbacks of Bluetooth, some of which we've explored in this primer, it's a far less intrusive tracking method than some alternatives
Person holding phone

Image is CC0, found at https://www.piqsels.com/en/public-domain-photo-zrgme

In a scramble to track, and thereby stem the flow of, new cases of Covid-19, Governments around the world are rushing to track the locations of their populace. One way to do this is to write a smartphone app which uses Bluetooth technology, and encourage (or mandate) that individuals download and use the app. We have seen such examples in Singapore and emerging plans in the UK.
Apps that use Bluetooth are just one way to track location. There are several different technologies in a smartphone which can be used in order to track movements such as GPS and WiFi. Telecommunications operators ('telcos') are also handing over customer data which can show the cell towers phones have connected to, and therefore triangulate an individual's location. Internet companies are also providing access to location data they have derived. In this piece we will focus on Bluetooth technology.
Whilst we will highlight some of the dangers and risks associated with this technology, the aim of this piece is to provide more detail on the technology itself, rather than a deep dive into the risks and whether or not Bluetooth technology should be used. We welcome those debates.

Why Bluetooth?

At first glance, using this technology makes sense - there are 3.5 billion smartphone users worldwide, and people carry their phones with them everywhere they go making them a perfect candidate for location-based tracking of population movements.
However, whilst large numbers own smart phones, it is still less than 50% of the world's population, and questions must be raised about effectiveness of location tracking related to usage of the app. Unless there is a high level of adoption, will it work? In Singapore for example, the Economist reported that the app TraceTogether has been downloaded by 735,000 people — 13% of the population.
Considering the number of smartphone users, the base level of computer literacy and awareness of the problem, the deployment of such technology may only benefit those who need it the least, a lesson we learned from the humanitarian sector in situations of crisis.

Samsung SGH-F480V controller board with Samsung BTM48B2SB - Bluetooth / FM Module highlighted. Original image © Raimond Spekking / CC BY-SA 4.0 (via Wikimedia Commons)

Just what is Bluetooth?

Named after the 10th Century King Harald "Bluetooth" Gormsson who unified Scandinavia — and whose runic initials comprise the logo — Bluetooth is a wireless, low-power, and therefore short-distance, set of protocols used primarily to connect devices directly to each other in order to transfer data, such as video and audio.
A 'protocol' in computer science is simply a set of rules or procedures for transmitting data, in this case between phones or devices, such as your Bluetooth headphones. Being 'short-distance' means that it can only communicate to other devices which are close-by, hence the level of accuracy of the location (or proximity to other devices) it tracks.
Since the release of iOS 5 (Q4 2011), Windows Phone 8.1 (Q3 2014), BlackBerry 10 (Q1 2013), and Android Jelly Bean (4.3 - Q3 2012), mobile phone operating systems have supported a further subset of Bluetooth protocols known as Bluetooth Low Energy ("Bluetooth LE"). Although Bluetooth and Bluetooth LE are not directly compatible with each other, i.e. they have different rules about how to communicate, most modern Bluetooth chips are designed to talk both "Classic" and "LE" as they share a frequency range, meaning they can also share an antenna.
As the name suggests, the Bluetooth LE protocol is a far lower-power type of Bluetooth connection than Bluetooth Classic, making it ideal for low-power devices, or where only small amounts of data need to be transferred. Unlike Bluetooth Classic, which is designed for sustained data transfer, Bluetooth LE "sleeps" between connections.

Bluetooth for tracking?

Most of us who've encountered Bluetooth use it to send files between devices, connect a wireless mouse, or to wirelessly listen to music. However using Bluetooth for proximity tracking has been done commercially for over a decade - as part of "Smart Cities", as stickers or keyrings allowing people to locate lost objects, or in stores to track clients' interests and movements.
Bluetooth tracking is done by measuring the Received Signal Strength Indicator ("RSSI") of a given Bluetooth connection to estimate the distance between devices. Simply put: the stronger the signal, the closer the devices are to each other. Bluetooth LE devices are also able to change their transmission power, meaning they can further limit the range of the signal. Bluetooth 5.1, released in late 2019 (and so yet to gain any real market penetration), supports Radio Direction Finding ("RDF") meaning it can get an effective accuracy of ~1cm.
A key feature of Bluetooth LE, which is attractive when thinking about location or interaction tracking, is that like many aspects of smartphones, Bluetooth LE is noisy. It's like the person in the room who won't stop talking. Bluetooth LE devices use broadcast "advertising" to announce their presence to other Bluetooth LE devices — constantly saying "I'm here" to any device that's close enough to hear it. By design, adverts are broadcast at a fixed time interval, which can be set anywhere between 20ms and 10.24s apart (in 0.625ms increments) depending on how urgent these connections are.

2.4GHz spectrum showing advertising channels and WiFi channels

Because the radio frequency range used by Bluetooth (2.4~2.48GHz) is incredibly congested — by WiFi, embedded devices, garage door openers, baby monitors, unshielded USB 3 cables, and even microwave ovens amongst other things — BLE transmits these advertisements in three different parts of the spectrum (the beginning, end, and middle, avoiding WiFi channels) in order to try and overcome any interference.
A BLE advert contains information which is extremely useful for tracking; information about the device (including the device's type and MAC address (an identifier)), and a payload containing the data being advertised. In the case of Covid-19 tracking, this payload appears to be a Universally Unique Identifier "UUID".
A UUID is a series of 128 numbers, represented in hexadecimal notation. UUIDs are (usually) derived in one of two ways; either (pseudo-)randomly generated, or derived from a property of the device — e.g. phone number, MAC address, IMEI or similar — and the time of generation.
Because these UUIDs are practically unique, they are an ideal way of identifying and consistently referring to a single device.

Bluetooth sounds ideal!

Of the various tracking technologies, Bluetooth certainly has the potential of being one of the least invasive purely based on its relatively low transmission radius, however there are significant drawbacks.
As mentioned earlier, Bluetooth LE (and Bluetooth in general) is incredibly noisy. How noisy? Open Bluetooth search on your phone and see how many devices you can see.
Because the Bluetooth protocols broadcast information about the device such as MAC address, the approaches so far have tried to mitigate the risks of people identifying a single contact by only recording identifiers provided in the Bluetooth payload by contact tracking app, the aforementioned UUID.
To break this down, if you have Bluetooth turned on, your phone will broadcast its MAC address, as well as other device information, alongside the payload. A MAC address is a unique identifier used by networking devices, and is physically set in the Bluetooth chip in your phone. However, the app that uses Bluetooth technology can seek to anonymise the identity of the phone by only storing a UUID instead of the MAC address.
To further try and obscure a single phone over time, the UUIDs broadcasted by the app may be regularly regenerated. i.e. you won't always have the same one. In order to keep track of the changes whilst still being able to tie them to an individual device, these UUIDs are either generated centrally — pushed down by the app's central server to your phone — or are generated on the device itself, and registered with the app.
This doesn't, of course, stop the people operating the app (in this case a Government) — who have the database linking UUIDs to phone numbers — from deanonymising individuals. Indeed, they may consider this a feature rather than a bug, but it's important to think of the scale involved.
The Singapore app TraceTogether, which uses Bluetooth connections to log other phones in close proximity, works by alerting those who have been in close proximity to a user who tests positive for Covid-19, to self-isolate. So if an individual who tests positive for Covid-19 uploads a list of UUIDs i.e. the people the infected person has been in close proximity to, then that's potentially hundreds if not thousands of people that the government contacts.
Given the speed at which this virus can spread, and if there was significant adoption of the app, it wouldn't take long until a significant number of the population are tracked by the app.

Abuse of Bluetooth

The risks associated with using Bluetooth for location (or proximity) tracking do not just occur at the time the data is collected, but continue as long as it is stored — in particular once it has been linked to an individual. Thus there are concerns about how data such as these could be repurposed by Governments.
The desire for proximity tracking apps to force or encourage people to keep their Bluetooth turned on at all times creates additional risks. Whilst the effective range of Bluetooth is around 10m it can easily be further than that; Bluetooth can potentially transmit up to 100m. Because (as discussed) Bluetooth is noisy, that means anyone in the vicinity can track / is able to keep a log of the MAC addresses etc which is an intrinsic part of the Bluetooth protocol.
What this means is that if we have our Bluetooth constantly on and constantly broadcasting, we need to be aware what other apps on our phone are using this information, what permissions they have been granted and how this could benefit commercial tracking which uses Bluetooth technology.

Security

A further negative with Bluetooth is its security.
Time after time, Bluetooth security has been found "wanting" - with the latest Android vulnerability, "BlueFrag", affecting Android 8, 8.1 & 9, and critical bugs in Apple Bluetooth allowing anyone in the vicinity to remotely execute code — that is, run any software they like — without any user interaction. Apple's BLE also implements some anti-tracking techniques such as MAC address randomisation, however their implementation has significant drawbacks, with a motivated attacker able to bypass it entirely.

To conclude

Bluetooth LE has the capability of being both the least intrusive of tracking technologies (based on proximity between people choosing to use the app), whilst at the same time being highly intrusive in movement and interaction tracking (because its proximity is so small, and works as broadcast), and deanonymisation will necessarily cascade as the infection continues to spread, and uptake of apps increase.
As with everything we're seeing in the age of Covid-19, we must be highly aware of the limitations of the choices we are offered. It is also important that technical and legal safeguards around the processing and storage of data — especially when those data can be used for deanonymisation — are not bypassed or ignored in the rush to deploy technology, however well-meaning or indeed vital it may be. It's also important to ensure that there exists a genuine need to use location tracking that is supported by the scientific evidence, given contact tracing is more effective at earlier stages of tackling pandemics.
Balancing the risks of location tracking also involves consideration of whether the apps will be effective given the down-sides. In the example of the United Kingdom, as identified by the Big Data Institute, this not only relates to adoption of the app - they estimate that over 60 per cent of the UK’s population would have to be using the app for digital contact tracing to reach enough people as they become infected. It is also essential, in their view, that people identified by the contact tracing app be promptly tested. This may require a significantly higher rate of testing that we’ve so far seen in the UK. As of March 24, UK government data shows 90,436 people have been tested in Britain (population 66.44 million) compared to more than 330,000 in South Korea (population 51.47m).
Alternatives to using Bluetooth include the use of apps collecting GPS and Wifi location data and storing everything on a central server, or government authorities going directly to telecommunications operators themselves. Despite the drawbacks of Bluetooth, some of which we've explored in this primer, with the use of changing UUIDs, apps only tracking other users, and opt-in of upload of localised data, it's a far less intrusive tracking method than some alternatives.