SwissCovid

From Wikipedia, the free encyclopedia

SwissCovid is a COVID-19 contact tracing app used for digital contact tracing in Switzerland. Use of the app is voluntary and based on a decentralized approach using Bluetooth Low Energy and Decentralized Privacy-Preserving Proximity Tracing (dp3t).[citation needed]

Development[edit]

The app was developed in collaboration with the FOPH by Federal Office for Information Technology, Systems and Communications FOITT, École polytechnique fédérale de Lausanne (EPFL) and the Swiss Federal Institute of Technology in Zurich (ETH) as well as other experts.[1]

Non-interoperability with applications in European countries[edit]

There is an agreement between EU countries to make applications compatible.[2] However, there is no legal basis for the SwissCovid application to be part of this portal even though technically speaking it is ready, according to Sang-Ill Kim, head of the digital transformation department of the Federal Office of Public Health.[3]

Criticism[edit]

Not full open source and dependence on Google and Apple[edit]

In June 2020, researchers Serge Vaudenay and Martin Vuagnoux published a critical analysis of the application, noting that it relies heavily on Google and Apple's exposure notification system, which is integrated into their respective Android and iOS operating systems. Since Google and Apple have not released the full source code of this system, this would call into question the truly open source nature of the application. The researchers note that the dp3t collective, which includes the developers of the application, has asked Google and Apple to release their code.[citation needed] Moreover, they criticize the official description of the application and its functionalities, as well as the adequacy of the legal basis for its effective operation.[4]

Cyber attacks[edit]

Professor Serge Vaudenay and Martin Vuagnoux identify also various security vulnerabilities in the application. The system would thus allow a third party to trace the movements of a phone using the application by means of Bluetooth sensors scattered along its path, for example in a building. Another possible attack would be to copy identifiers from the phones of people who may be ill (for example, in a hospital), and to reproduce those identifiers in order to receive notification of exposure to COVID-19 and illegitimately benefit from quarantine (thus entitling them to paid leave, a postponed examination, or other benefits). The system would also allow a third party to use a phone using the application by means of Bluetooth sensors scattered along the way.[5]

Paul-Olivier Dehaye of Personaldata.io and professor Joel Reardon of the University of Calgary published in June 2020 several examples of AEM (Associated Encrypted Metadata) replay and manipulation attacks via software development kits (SDKs) found in benign third-party mobile applications downloaded by the general public and having the phone's Bluetooth access permissions[6] and in September 2020 a paper indicating that "Bluetooth-based proximity tracing apps are fundamentally insecure with respect to an attacker leveraging a malevolent app or SDK".[7]

Costs[edit]

According to a publication by the federal administration, "the costs of developing the software for the mobile phone application, the GR back-end and the code management system as well as the costs for access management for the cantonal doctors' services are estimated at a one-off amount of 1.65 million francs.[8] However, the Zurich-based company Ubique, responsible for the development of the application, was finally awarded the mandate to develop the application for an amount of 1.8 million francs.[9] Through the Botnar Foundation based in Basel, École polytechnique fédérale de Lausanne received 3.5 million Swiss francs for the development of the application[10]

References[edit]

  1. ^ "Tackling Covid-19 trace and trace app problems". eeNews Europe. 2020-07-20. Retrieved 2020-08-11.
  2. ^ "Press corner". European Commission - European Commission. Retrieved 2020-08-11.
  3. ^ "L'appli Swiss-Covid à l'étranger". www.Bluewin.ch (in French). Retrieved 2020-08-11.
  4. ^ "Analysis of Swisscovid" (PDF).
  5. ^ Vaudenay, Serge. "The Dark Side of SwissCovid". lasec.epfl.ch. Retrieved 2020-11-10.
  6. ^ Dehaye, Paul-Olivier; Reardon, Joel (2020-06-22). "SwissCovid: a critical analysis of risk assessment by Swiss authorities". arXiv:2006.10719 [cs.CR].
  7. ^ Dehaye, Paul-Olivier; Reardon, Joel (2020-11-09). "Proximity Tracing in an Ecosystem of Surveillance Capitalism". Proceedings of the 19th Workshop on Privacy in the Electronic Society. Virtual Event USA: ACM. pp. 191–203. arXiv:2009.06077. doi:10.1145/3411497.3420219. ISBN 978-1-4503-8086-7.
  8. ^ "Botschaft zu einer dringlichen Änderung des Epidemiengesetzes im Zusammenhang mit dem Coronavirus (Proximity-Tracing-System)" (PDF).
  9. ^ "Ubique schnappt sich Millionenauftrag vom Bund für Corona-App". www.netzwoche.ch (in German). 15 May 2020. Retrieved 2020-08-11.
  10. ^ "Fondation Botnar commits CHF 20 million to global research efforts around COVID-19". Fondation Botnar. 2020-03-27. Retrieved 2020-08-11.