2.4GHz spectrum showing advertising channels and WiFi channels

Because the radio frequency range used by Bluetooth (2.4~2.48GHz) is incredibly congested — by WiFi, embedded devices, garage door openers, baby monitors, unshielded USB 3 cables, and even microwave ovens amongst other things — BLE transmits these advertisements in three different parts of the spectrum (the beginning, end, and middle, avoiding WiFi channels) in order to try and overcome any interference.

A BLE advert contains information which is extremely useful for tracking; information about the device (including the device's type and MAC address (an identifier)), and a payload containing the data being advertised. In the case of Covid-19 tracking, this payload appears to be a Universally Unique Identifier "UUID".

A UUID is a series of 128 numbers, represented in hexadecimal notation. UUIDs are (usually) derived in one of two ways; either (pseudo-)randomly generated, or derived from a property of the device — e.g. phone number, MAC address, IMEI or similar — and the time of generation.

Because these UUIDs are practically unique, they are an ideal way of identifying and consistently referring to a single device.

Bluetooth sounds ideal!

Of the various tracking technologies, Bluetooth certainly has the potential of being one of the least invasive purely based on its relatively low transmission radius, however there are significant drawbacks.

As mentioned earlier, Bluetooth LE (and Bluetooth in general) is incredibly noisy. How noisy? Open Bluetooth search on your phone and see how many devices you can see.

Because the Bluetooth protocols broadcast information about the device such as MAC address, the approaches so far have tried to mitigate the risks of people identifying a single contact by only recording identifiers provided in the Bluetooth payload by contact tracking app, the aforementioned UUID.

To break this down, if you have Bluetooth turned on, your phone will broadcast its MAC address, as well as other device information, alongside the payload. A MAC address is a unique identifier used by networking devices, and is physically set in the Bluetooth chip in your phone. However, the app that uses Bluetooth technology can seek to anonymise the identity of the phone by only storing a UUID instead of the MAC address.

To further try and obscure a single phone over time, the UUIDs broadcasted by the app may be regularly regenerated. i.e. you won't always have the same one. In order to keep track of the changes whilst still being able to tie them to an individual device, these UUIDs are either generated centrally — pushed down by the app's central server to your phone — or are generated on the device itself, and registered with the app.

This doesn't, of course, stop the people operating the app (in this case a Government) — who have the database linking UUIDs to phone numbers — from deanonymising individuals. Indeed, they may consider this a feature rather than a bug, but it's important to think of the scale involved.

The Singapore app TraceTogether, which uses Bluetooth connections to log other phones in close proximity, works by alerting those who have been in close proximity to a user who tests positive for Covid-19, to self-isolate. So if an individual who tests positive for Covid-19 uploads a list of UUIDs i.e. the people the infected person has been in close proximity to, then that's potentially hundreds if not thousands of people that the government contacts.

Given the speed at which this virus can spread, and if there was significant adoption of the app, it wouldn't take long until a significant number of the population are tracked by the app.

Abuse of Bluetooth

The risks associated with using Bluetooth for location (or proximity) tracking do not just occur at the time the data is collected, but continue as long as it is stored — in particular once it has been linked to an individual. Thus there are concerns about how data such as these could be repurposed by Governments.

The desire for proximity tracking apps to force or encourage people to keep their Bluetooth turned on at all times creates additional risks. Whilst the effective range of Bluetooth is around 10m it can easily be further than that; Bluetooth can potentially transmit up to 100m. Because (as discussed) Bluetooth is noisy, that means anyone in the vicinity can track / is able to keep a log of the MAC addresses etc which is an intrinsic part of the Bluetooth protocol.

What this means is that if we have our Bluetooth constantly on and constantly broadcasting, we need to be aware what other apps on our phone are using this information, what permissions they have been granted and how this could benefit commercial tracking which uses Bluetooth technology.

Security

A further negative with Bluetooth is its security.

Time after time, Bluetooth security has been found "wanting" - with the latest Android vulnerability, "BlueFrag", affecting Android 8, 8.1 & 9, and critical bugs in Apple Bluetooth allowing anyone in the vicinity to remotely execute code — that is, run any software they like — without any user interaction. Apple's BLE also implements some anti-tracking techniques such as MAC address randomisation, however their implementation has significant drawbacks, with a motivated attacker able to bypass it entirely.

To conclude

Bluetooth LE has the capability of being both the least intrusive of tracking technologies (based on proximity between people choosing to use the app), whilst at the same time being highly intrusive in movement and interaction tracking (because its proximity is so small, and works as broadcast), and deanonymisation will necessarily cascade as the infection continues to spread, and uptake of apps increase.

As with everything we're seeing in the age of Covid-19, we must be highly aware of the limitations of the choices we are offered. It is also important that technical and legal safeguards around the processing and storage of data — especially when those data can be used for deanonymisation — are not bypassed or ignored in the rush to deploy technology, however well-meaning or indeed vital it may be. It's also important to ensure that there exists a genuine need to use location tracking that is supported by the scientific evidence, given contact tracing is more effective at earlier stages of tackling pandemics.

Balancing the risks of location tracking also involves consideration of whether the apps will be effective given the down-sides. In the example of the United Kingdom, as identified by the Big Data Institute, this not only relates to adoption of the app - they estimate that over 60 per cent of the UK’s population would have to be using the app for digital contact tracing to reach enough people as they become infected. It is also essential, in their view, that people identified by the contact tracing app be promptly tested. This may require a significantly higher rate of testing that we’ve so far seen in the UK. As of March 24, UK government data shows 90,436 people have been tested in Britain (population 66.44 million) compared to more than 330,000 in South Korea (population 51.47m).

Alternatives to using Bluetooth include the use of apps collecting GPS and Wifi location data and storing everything on a central server, or government authorities going directly to telecommunications operators themselves. Despite the drawbacks of Bluetooth, some of which we've explored in this primer, with the use of changing UUIDs, apps only tracking other users, and opt-in of upload of localised data, it's a far less intrusive tracking method than some alternatives.