We report on measurements of the actual data transmitted to backend servers by the Singapore OpenTrace app, with a view to evaluating impacts on user privacy. We have three main findings: 1) The OpenTrace app uses Google’s Firebase service to store and manage user data. This means that there are two main parties involved in handling data transmitted from the app, namely Google and the health authority operating the OpenTrace app itself. We find that OpenTrace’s use of Firebase Analytics telemetry means the data sent by OpenTrace potentially allows the (IP-based) location of user handsets to be tracked by Google over time. We therefore recommend that OpenTrace be modified to disable use of Firebase Analytics. 2) OpenTrace also currently requires users to supply a phone number to use the app and uses the Firebase Authentication service to validate and store the entered phone number. The decision to ask for user phone numbers (or other identifiers) presumably reflects a desire for contact tracers to proactively call contacts of a person who has tested positive. Alternative designs make those contacts aware of the positive test, but leave it to the contact to initiate action. This may indicate a direct trade-off between privacy and the effectiveness of contact tracing. If storage of phone numbers is judged necessary, we recommend changing OpenTrace to avoid use of Firebase Authentication for this. Finally, 3) the reversible encryption used in OpenTrace relies on a single long-term secret key stored in a Google Cloud service and so is vulnerable to disclosure of this secret key.
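The following Python model is an added illustration of finding 3 and is not code from the paper or from OpenTrace: it issues reversible temporary identifiers under one long-term key and under per-period keys, then measures what a disclosure of each key reveals. The identifier layout (user id, start, expiry), the 15-minute period and the HMAC-SHA256 stand-in for an AEAD cipher are assumptions made so the example runs with the standard library only.

```python
import hashlib, hmac, os, struct
TAG_LEN = 16

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key or tampered blob: nothing is revealed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Assumed TempID payload (not from the page): user id, start, expiry as big-endian u32.
def make_tempid(key: bytes, user_id: int, start: int, expiry: int) -> bytes:
    return encrypt(key, struct.pack(">III", user_id, start, expiry))

def decrypt_observed(leaked_keys, tempids):
    # Everything a party holding `leaked_keys` learns from a set of observed TempIDs.
    records = []
    for blob in tempids:
        for k in leaked_keys:
            pt = decrypt(k, blob)
            if pt is not None:
                records.append(struct.unpack(">III", pt))
    return records

def simulate(users=range(1, 6), periods=3):
    single_key = os.urandom(32)                             # one long-term key
    period_keys = [os.urandom(32) for _ in range(periods)]  # one key per period
    single, rotated = [], []
    for p in range(periods):
        start, expiry = p * 900, (p + 1) * 900
        for u in users:
            single.append(make_tempid(single_key, u, start, expiry))
            rotated.append(make_tempid(period_keys[p], u, start, expiry))
    # A leaked long-term key decrypts every TempID ever issued; a leaked current period key (older ones destroyed) exposes one period.
    return (len(decrypt_observed([single_key], single)),
            len(decrypt_observed([period_keys[-1]], rotated)))
```

Under the single-key design `simulate()` shows all 15 identifiers decryptable after one disclosure, versus 5 when only the current period key is exposed, which is the blast-radius difference the finding describes.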