Bluetooth tracking and COVID-19: A tech primer

In a scramble to track, and thereby
stem the flow of, new cases of the
Coronavirus, Governments around
the world are rushing to track the
locations of their populace. One way
to do this is to write a smartphone
app which uses Bluetooth
technology, and encourage (or
mandate) that individuals download
and use the app. The aim of this
piece is to provide more detail on
the technology itself, rather than a
deep dive into the risks and whether
or not Bluetooth technology should
be used.

Content type: Explainer
Post date: 31st March 2020

KEY POINTS

• The risks associated with using Bluetooth for tracking do not just
occur at the time the data is collected, but continue as long as it
is stored — in particular once it has been linked to an individual

• Alternatives to Bluetooth include apps collecting GPS and Wifi
location data, or government authorities going directly to
telecommunications operators themselves

• Despite the drawbacks of Bluetooth, some of which we've explored in this
primer, it's a far less intrusive tracking method than some alternatives

Image is CC0, found at
https://www.piqsels.com/en/public-domain-photo-zrgme

In a scramble to track, and thereby stem the
flow of, new cases of Covid-19, Governments
around the world are rushing to track the
locations of their populace. One way to do this
is to write a smartphone app which uses
Bluetooth technology, and encourage (or
mandate) that individuals download and use
the app. We have seen such examples in
Singapore and emerging plans in the UK.

Apps that use Bluetooth are just one way to
track location. There are several different
technologies in a smartphone which can be
used in order to track movements such as GPS
and WiFi. Telecommunications operators
('telcos') are also handing over customer data
which can show the cell towers phones have
connected to, and therefore triangulate an
individual's location. Internet companies are
also providing access to location data they
have derived. In this piece we will focus on
Bluetooth technology.

Whilst we will highlight some of the dangers and
risks associated with this technology, the aim of
this piece is to provide more detail on the
technology itself, rather than a deep dive into
the risks and whether or not Bluetooth
technology should be used. We welcome those
debates.

TL;DR: Bluetooth is arguably one of the more
accurate technologies in terms of proximity
identification, in this instance, proximity to
other phones using a specified app. Arguably, it
is also the least intrusive form of tracking given
that it is based on proximity to other phones
using the app rather than actual location e.g.
GPS or cell tower data. In this context, it can be
understood more so as an interaction tracking
tool. Data can be 'localised' and shared in
accordance with a policy e.g. the Bluetooth
devices you connect to are not shared unless
for example you come into contact with
someone who believes they have Covid-19 (as
testing is still relatively rare). It is unclear
whether anonymisation *may* in reality be
possible; Bluetooth technology still has the
potential to deanonymise vast swaths of the
population and if implemented like Singapore's
Trace Together, share sensitive personal data.

Why Bluetooth?

At first glance, using this technology makes
sense - there are 3.5 billion smartphone users
worldwide, and people carry their phones with
them everywhere they go making them a
perfect candidate for location-based tracking
of population movements.

However, whilst large numbers own smart
phones, it is still less than 50% of the world's
population, and questions must be raised
about effectiveness of location tracking related
to usage of the app. Unless there is a high level
of adoption, will it work? In Singapore for
example, the Economist reported that the app
TraceTogether has been downloaded by
735,000 people — 13% of the population.

Considering the number of smartphone users,
the base level of computer literacy and
awareness of the problem, the deployment of
such technology may only benefit those who
need it the least, a lesson we learned from the
humanitarian sector in situations of crisis.

Samsung SGH-F480V controller board with
Samsung BTM48B2SB - Bluetooth / FM Module
highlighted. Original image © Raimond Spekking /
CC BY-SA 4.0 (via Wikimedia Commons)

Just what is Bluetooth?

Named after the 10th Century King Harald
"Bluetooth" Gormsson who unified Scandinavia
— and whose runic initials comprise the logo —
Bluetooth is a wireless, low-power, and
therefore short-distance, set of protocols used
primarily to connect devices directly to each
other in order to transfer data, such as video
and audio.

A 'protocol' in computer science is simply a set of
rules or procedures for transmitting data, in this
case between phones or devices, such as your
Bluetooth headphones. Being 'short-distance'
means that it can only communicate to other
devices which are close-by, hence the level of
accuracy of the location (or proximity to other
devices) it tracks.

Since the release of iOS 5 (Q4 2011), Windows
Phone 8.1 (Q3 2014), BlackBerry 10 (Q1 2013), and
Android Jelly Bean (4.3 - Q3 2012), mobile phone
operating systems have supported a further
subset of Bluetooth protocols known as
Bluetooth Low Energy ("Bluetooth LE"). Although
Bluetooth and Bluetooth LE are not directly
compatible with each other, i.e. they have
different rules about how to communicate,
most modern Bluetooth chips are designed to
talk both "Classic" and "LE" as they share a
frequency range, meaning they can also share
an antenna.

As the name suggests, the Bluetooth LE
protocol is a far lower-power type of Bluetooth
connection than Bluetooth Classic, making it
ideal for low-power devices, or where only small
amounts of data need to be transferred. Unlike
Bluetooth Classic, which is designed for
sustained data transfer, Bluetooth LE "sleeps"
between connections.

Bluetooth for tracking?

Most of us who've encountered Bluetooth use it
to send files between devices, connect a
wireless mouse, or to wirelessly listen to music.
However using Bluetooth for proximity tracking
has been done commercially for over a decade
- as part of "Smart Cities", as stickers or keyrings
allowing people to locate lost objects, or in
stores to track clients' interests and
movements.

Bluetooth tracking is done by measuring the
Received Signal Strength Indicator ("RSSI") of a
given Bluetooth connection to estimate the
distance between devices. Simply put: the
stronger the signal, the closer the devices are to
each other. Bluetooth LE devices are also able
to change their transmission power, meaning
they can further limit the range of the signal.
Bluetooth 5.1, released in late 2019 (and so yet to
gain any real market penetration), supports
Radio Direction Finding ("RDF") meaning it can
get an effective accuracy of ~1cm.
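
To make the RSSI-to-distance step concrete, here is an added example (not part of the original article) using the standard log-distance path-loss model. The 1 m calibration value, the two path-loss exponents and the 2 m contact threshold are assumptions chosen for illustration, and the readings are constructed.

```python
import statistics

# Assumed calibration values (not from the article): RSSI expected at 1 m,
# and path-loss exponents for open space (2.0) and a cluttered room (3.0).
TX_POWER_AT_1M_DBM = -59.0
PATH_LOSS_EXPONENTS = (2.0, 3.0)


def estimate_distance_m(rssi_dbm, exponent, tx_power_dbm=TX_POWER_AT_1M_DBM):
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 * n))."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10.0 * exponent))


def distance_band_m(samples):
    """Return (low, high) distance estimates for a burst of RSSI readings.

    The median suppresses single-packet fades and reflections; the band
    reflects that the receiver does not know which environment it is in.
    """
    if not samples:
        raise ValueError("need at least one RSSI sample")
    rssi = statistics.median(samples)
    estimates = [estimate_distance_m(rssi, n) for n in PATH_LOSS_EXPONENTS]
    return min(estimates), max(estimates)


def classify_contact(samples, threshold_m=2.0):
    """Return 'close' or 'far' only when every assumed environment agrees."""
    low, high = distance_band_m(samples)
    if high <= threshold_m:
        return "close"
    if low > threshold_m:
        return "far"
    return "uncertain"


if __name__ == "__main__":
    # Constructed readings in dBm, including one deep fade (-90).
    for burst in ([-62, -61, -90, -63, -62], [-66, -67, -65, -66], [-70, -71, -69]):
        low, high = distance_band_m(burst)
        print(burst, f"{low:.2f}-{high:.2f} m", classify_contact(burst))
```

The middle burst shows why signal strength alone is a weak proxy: the same reading is inside the threshold in one environment and outside it in another.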

A key feature of Bluetooth LE, which is attractive
when thinking about location or interaction
tracking, is that like many aspects of
smartphones, Bluetooth LE is noisy. It's like the
person in the room who won't stop talking.
Bluetooth LE devices use broadcast
"advertising" to announce their presence to
other Bluetooth LE devices — constantly saying
"I'm here" to any device that's close enough to
hear it. By design, adverts are broadcast at a
fixed time interval, which can be set anywhere
between 20ms and 10.24s apart (in 0.625ms
increments) depending on how urgent these
connections are.

2.4GHz spectrum showing advertising channels
and WiFi channels

Because the radio frequency range used by
Bluetooth (2.4~2.48GHz) is incredibly
congested — by WiFi, embedded devices,
garage door openers, baby monitors,
unshielded USB 3 cables, and even microwave
ovens amongst other things — BLE transmits
these advertisements in three different parts of
the spectrum (the beginning, end, and middle,
avoiding WiFi channels) in order to try and
overcome any interference.

A BLE advert contains information which is
extremely useful for tracking; information about
the device (including the device's type and MAC
address (an identifier)), and a payload
containing the data being advertised. In the
case of Covid-19 tracking, this payload
appears to be a Universally Unique Identifier
"UUID".

A UUID is a series of 128 numbers, represented in
hexadecimal notation. UUIDs are (usually)
derived in one of two ways; either
(pseudo-)randomly generated, or derived from a
property of the device — e.g. phone number,
MAC address, IMEI or similar — and the time of
generation.

Because these UUIDs are practically unique,
they are an ideal way of identifying and
consistently referring to a single device.

Bluetooth sounds ideal!

Of the various tracking technologies, Bluetooth
certainly has the potential of being one of the
least invasive purely based on its relatively low
transmission radius, however there are
significant drawbacks.

As mentioned earlier, Bluetooth LE (and
Bluetooth in general) is incredibly noisy. How
noisy? Open Bluetooth search on your phone
and see how many devices you can see.

Because the Bluetooth protocols broadcast
information about the device such as MAC
address, the approaches so far have tried to
mitigate the risks of people identifying a single
contact by only recording identifiers provided in
the Bluetooth payload by the contact tracking
app, the aforementioned UUID.

To break this down, if you have Bluetooth turned
on, your phone will broadcast its MAC address,
as well as other device information, alongside
the payload. A MAC address is a unique
identifier used by networking devices, and is
physically set in the Bluetooth chip in your
phone. However, the app that uses Bluetooth
technology can seek to anonymise the identity
of the phone by only storing a UUID instead of
the MAC address.
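
The advert layout and the store-only-the-UUID mitigation described above can be shown with a small parser. This is an added example, not code from the article or from any tracing app; the sample packet is constructed, and carrying the identifier as a 128-bit service UUID is an assumption, since the article does not say which field the apps use.

```python
import uuid

# Constructed ADV_NONCONN_IND PDU (not a capture). Assumes the app carries its
# identifier as a 128-bit service UUID, which the article does not specify.
APP_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_PDU = bytes.fromhex(
    "021b"            # header: PDU type 0x2, public address; payload length 27
    "665544332211"    # AdvA, little-endian on air -> 11:22:33:44:55:66
    "020106"          # AD structure: Flags
    "1107"            # AD structure: length 17, complete 128-bit UUID list
) + APP_UUID.bytes[::-1]  # UUIDs are also sent little-endian


def parse_adv_pdu(pdu):
    """Split a legacy advertising PDU into what any nearby receiver can read."""
    if len(pdu) < 8 or pdu[1] != len(pdu) - 2:
        raise ValueError("malformed advertising PDU")
    fields, data, i = {}, pdu[8:], 0
    while i < len(data) and data[i] != 0:
        end = i + 1 + data[i]              # length byte covers type + value
        if end > len(data):
            raise ValueError("truncated AD structure")
        fields[data[i + 1]] = data[i + 2:end]
        i = end
    raw = fields.get(0x07) or fields.get(0x06)   # 128-bit service UUID lists
    return {
        "pdu_type": pdu[0] & 0x0F,
        "address_is_random": bool(pdu[0] & 0x40),
        "mac": ":".join(f"{b:02x}" for b in reversed(pdu[2:8])),
        "uuid": uuid.UUID(bytes=raw[:16][::-1]) if raw and len(raw) >= 16 else None,
    }


def contact_record(pdu, rssi_dbm, seen_at):
    """What the app stores: the payload UUID only, never the sender's MAC."""
    advert = parse_adv_pdu(pdu)
    if advert["uuid"] is None:
        return None                        # not one of the app's adverts
    return {"uuid": str(advert["uuid"]), "rssi_dbm": rssi_dbm, "seen_at": seen_at}


if __name__ == "__main__":
    print(parse_adv_pdu(SAMPLE_PDU))
    print(contact_record(SAMPLE_PDU, -67, "2020-03-31T12:00:00Z"))
```

The MAC is still present in every packet on the air; dropping it from the stored record only limits what the app itself retains.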

To further try and obscure a single phone over
time, the UUIDs broadcasted by the app may
be regularly regenerated, i.e. you won't always
have the same one. In order to keep track of the
changes whilst still being able to tie them to an
individual device, these UUIDs are either
generated centrally — pushed down by the
app's central server to your phone — or are
generated on the device itself, and registered
with the app.

This doesn't, of course, stop the people
operating the app (in this case a Government)
— who have the database linking UUIDs to
phone numbers — from deanonymising
individuals. Indeed, they may consider this a
feature rather than a bug, but it's important to
think of the scale involved.

The Singapore app TraceTogether, which uses
Bluetooth connections to log other phones in
close proximity, works by alerting those who
have been in close proximity to a user who tests
positive for Covid-19, to self-isolate. So if an
individual who tests positive for Covid-19
uploads a list of UUIDs i.e. the people the
infected person has been in close proximity to,
then that's potentially hundreds if not
thousands of people that the government
contacts.
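
The following added example (not from the article or from TraceTogether) simulates the rotating-UUID scheme and the upload step described above, to show who can and cannot link the identifiers. It models the centrally generated variant; the class names and phone numbers are constructed placeholders.

```python
import uuid


class CentralRegistry:
    """Operator-side database linking every issued UUID to a phone number."""

    def __init__(self):
        self._owner = {}

    def issue(self, phone_number):
        token = uuid.uuid4()               # random, so unlinkable on its own
        self._owner[token] = phone_number
        return token

    def resolve(self, uploaded_uuids):
        return {self._owner[u] for u in uploaded_uuids if u in self._owner}


class Phone:
    def __init__(self, number, registry):
        self.number, self._registry = number, registry
        self.broadcasting = registry.issue(number)
        self.heard = []                    # local log of UUIDs seen nearby

    def rotate(self):
        self.broadcasting = self._registry.issue(self.number)

    def meet(self, other):
        self.heard.append(other.broadcasting)
        other.heard.append(self.broadcasting)


def simulate():
    """Two rotation periods; returns (distinct UUIDs logged, numbers resolved)."""
    registry = CentralRegistry()
    # Constructed placeholder numbers.
    numbers = ("+00 000 0001", "+00 000 0002", "+00 000 0003")
    a, b, c = (Phone(n, registry) for n in numbers)
    a.meet(b)                              # period 1
    for phone in (a, b, c):
        phone.rotate()
    a.meet(b)                              # period 2: same person, new UUID
    a.meet(c)
    # Anyone holding only this log sees three unrelated UUIDs.
    # The operator, once the log is uploaded, maps them back to two numbers.
    return len(set(a.heard)), registry.resolve(a.heard)


if __name__ == "__main__":
    print(simulate())
```

Rotation protects against other users and bystanders; it offers nothing against the party that holds the registry.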

Given the speed at which this virus can spread,
and if there was significant adoption of the app,
it wouldn't take long until a significant number of
the population are tracked by the app.

Abuse of Bluetooth

The risks associated with using Bluetooth for
location (or proximity) tracking do not just occur
at the time the data is collected, but continue
as long as it is stored — in particular once it has
been linked to an individual. Thus there are
concerns about how data such as these could
be repurposed by Governments.

The desire for proximity tracking apps to force or
encourage people to keep their Bluetooth
turned on at all times creates additional risks.
Whilst the effective range of Bluetooth is
around 10m it can easily be further than that;
Bluetooth can potentially transmit up to 100m.
Because (as discussed) Bluetooth is noisy, that
means anyone in the vicinity can track, or keep
a log of, the MAC addresses etc. which are
an intrinsic part of the Bluetooth protocol.

What this means is that if we have our Bluetooth
constantly on and constantly broadcasting, we
need to be aware what other apps on our
phone are using this information, what
permissions they have been granted and how
this could benefit commercial tracking which
uses Bluetooth technology.

Security

A further negative with Bluetooth is its security.

Time after time, Bluetooth security has been
found "wanting" - with the latest Android
vulnerability, "BlueFrag", affecting Android 8,
8.1 & 9, and critical bugs in Apple Bluetooth
allowing anyone in the vicinity to remotely
execute code — that is, run any software they
like — without any user interaction. Apple's BLE
also implements some anti-tracking
techniques such as MAC address
randomisation, however their implementation
has significant drawbacks, with a motivated
attacker able to bypass it entirely.

To conclude

Bluetooth LE has the capability of being both
the least intrusive of tracking technologies
(based on proximity between people choosing
to use the app), whilst at the same time being
highly intrusive in movement and interaction
tracking (because its proximity is so small, and
works as broadcast), and deanonymisation will
necessarily cascade as the infection continues
to spread, and uptake of apps increases.

As with everything we're seeing in the age of
Covid-19, we must be highly aware of the
limitations of the choices we are offered. It is
also important that technical and legal
safeguards around the processing and storage
of data — especially when those data can be
used for deanonymisation — are not bypassed
or ignored in the rush to deploy technology,
however well-meaning or indeed vital it may be.
It's also important to ensure that there exists a
genuine need to use location tracking that is
supported by the scientific evidence, given
contact tracing is more effective at earlier
stages of tackling pandemics.

Balancing the risks of location tracking also
involves consideration of whether the apps will
be effective given the down-sides. In the
example of the United Kingdom, as identified by
the Big Data Institute, this not only relates to
adoption of the app - they estimate that over
60 per cent of the UK’s population would have
to be using the app for digital contact tracing to
reach enough people as they become infected.
It is also essential, in their view, that people
identified by the contact tracing app be
promptly tested. This may require a significantly
higher rate of testing than we’ve so far seen in
the UK. As of March 24, UK government data
shows 90,436 people have been tested in
Britain (population 66.44 million) compared to
more than 330,000 in South Korea (population
51.47m).

Alternatives to using Bluetooth include the use
of apps collecting GPS and Wifi location data
and storing everything on a central server, or
government authorities going directly to
telecommunications operators themselves.
Despite the drawbacks of Bluetooth, some of
which we've explored in this primer, with the use
of changing UUIDs, apps only tracking other
users, and opt-in of upload of localised data, it's
a far less intrusive tracking method than some
alternatives.
