In South Africa, we are firmly in the grip of our second wave of Coronavirus, with daily identified cases exceeding that of our first round of the virus. During this second wave, I have installed the COVID Alert SA app, South Africa’s contact tracing app (akin to the apps in other parts of the world). This app and those globally have been a hot topic on the privacy, tech, and cyber security fronts, with many very strong opinions in various directions. A friend being forewarned by the COVID Alert SA app was the catalyst to me installing it, and as she says, “forewarned is forearmed”.

“Tracing” is not the same as “Tracking”

The app does not use GPS to track. It uses Bluetooth with unique identifiers (without personal information) to identify other phones that you’ve been in close proximity to. In short, it traces devices that have been in contact with each other; it doesn’t track what your movements have been. Let’s take a look at how these technologies operate:

GPS – Global Positioning System – works as its name implies. Using a network of satellites, your phone is triangulated to within around 8-10m of your current location when connected to enough satellites. Most modern phones will indicate that GPS is in use. For example, my iPhone’s clock will go blue and display a small compass needle if an app is using my location in the background. My phone simply does not do this with the COVID Alert app. Try it for yourself, open Waze / Google Maps or similar and see how your phone reacts when GPS is being used. It would indeed appear that GPS is not used in the COVID Alert SA app.

Unique identifiers – think of these as a unique virtual “fingerprint” of your device. It’s important to note that there is no personal information involved here, nor is there any location data (as GPS is not in use). These are features that Google and Apple have built into your device (find them in settings), and are not reliant on governments, developers or otherwise. This unique identifier is a randomly generated number that rotates and is, as the name implies, unique to your device. In other words: the tracing is anonymous.

Bluetooth – a short-range communication method between devices. I stress the short-range part of that. Anyone who has tried playing music over a Bluetooth speaker knows that when you walk the 10m to the kitchen from your braai (barbecue for my overseas readers), the music gets patchy and connectivity drops. How the app works is that when you get within 2m of another person with the app installed, the apps will exchange unique identifiers, and keep a record of it. If someone discloses that they have been infected, then all the unique identifiers (phones) that have been in contact with each other for the last 14 days will receive notifications. Anonymously.
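The exchange described above can be modelled in a few lines. This is an added example, not code from the COVID Alert SA app or from Google or Apple: the `Phone` class, the `meet` helper and the choice to do the matching on the handset are assumptions of this simplified model, and the contacts in `demo` are constructed.

```python
import secrets

RETENTION_DAYS = 14  # window stated in the post

class Phone:
    """Simplified model of one handset; not the real exposure notification protocol."""

    def __init__(self):
        self.sent = []   # (day, identifier) pairs this phone broadcast
        self.heard = []  # (day, identifier) pairs received from nearby phones

    def new_identifier(self, day):
        # Fresh random value on each rotation: no name, number or location inside.
        ident = secrets.token_hex(16)
        self.sent.append((day, ident))
        return ident

    def hear(self, day, ident):
        self.heard.append((day, ident))

    def prune(self, today):
        # Forget anything older than the retention window.
        cutoff = today - RETENTION_DAYS
        self.sent = [(d, i) for d, i in self.sent if d > cutoff]
        self.heard = [(d, i) for d, i in self.heard if d > cutoff]

    def disclose(self, today):
        # On a positive test the phone shares only identifiers it broadcast itself.
        self.prune(today)
        return {i for _, i in self.sent}

    def exposure_days(self, published, today):
        # Assumption of this model: each phone checks its own log locally.
        self.prune(today)
        return sorted({d for d, i in self.heard if i in published})

def meet(day, a, b):
    """Two phones in close range swap their current identifiers."""
    id_a, id_b = a.new_identifier(day), b.new_identifier(day)
    a.hear(day, id_b)
    b.hear(day, id_a)

def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    meet(1, alice, bob)    # constructed contact, older than 14 days by day 20
    meet(10, alice, bob)   # constructed contact inside the window
    meet(12, bob, carol)   # carol never meets alice
    published = alice.disclose(today=20)
    return bob.exposure_days(published, 20), carol.exposure_days(published, 20)
```

Only Bob is flagged, and only for day 10; nothing in the published set tells him who the other phone belonged to or where the contact took place.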

The department of health has a great explainer video that I’ve popped in below.

It comes down to risk management

So why have I installed it? It comes down to risk management. In every workshop that I give on privacy and cybersecurity, I emphasize the importance of taking a risk-based approach to things. This sounds very corporate, but it is in fact incredibly easy to apply to your day-to-day. Any sort of risk analysis, at a very basic level, comes down to likelihood and impact.

Think of an asteroid approaching the Earth.

  • Likelihood is the score of “what are the chances that this sucker is gonna hit us?”
  • Impact is the score of “what damage will this thing cause if it DOES hit us?”

We then rate each of those out of a score of 5, with 1 being very low, and 5 being critically high. Take those scores, multiply them together, and you get a rating out of 25. The higher the rating, the more risky it is.


Likelihood, in this case for me, is “what are the chances that COVID is gonna hit me?”. When we were in the lull after the first lockdown, at around 1,000 to 2,000 cases per day, the likelihood of me encountering someone infected was fairly low (I’m pretty introverted and for the most part I work remotely). Let’s give it a likelihood score of somewhere between 2-3 (let’s not underestimate people who do not wear their masks correctly – it goes over your nose).

But now let’s look at the graph below (courtesy of Johns Hopkins University) as at the 2nd of January 2020, filtered for South Africa on daily cases reported:

For the last 7 days (in red), cases have ranged from around 8,000 per day at their lowest, to 18,000 cases at their highest (31st December). That’s around 100,000 cases since Christmas. This is HIGHER than the cases at their peak previously (in blue). This, coupled with the fact that we are not fully locked down, increases my likelihood rating to a solid 4-5.


Now let’s get onto the second set of ratings, impact. This doesn’t really change much for me, it’s always high. I am an ex-smoker so my lungs probably aren’t the best they could be, this could increase my impact. I am, however, relatively fit with both cardio and strength, which could also reduce the impact. None of this is as relevant though as an underlying heart condition, which squarely puts me into the dreadfully named “comorbidity” space, most certainly increasing my impact exponentially.

That is just for me, and it is not all about me. My wife is currently recovering from an unrelated viral infection which puts her immune system at risk. My parents are also in a high-risk category. Lastly, a number of my friends are immunocompromised, be it from cancer, medication, transplants, or COVID itself. I would not be able to forgive myself for making them sick (or worse) which places impact, for me, at a solid maximum score of 5.

Risk Rating

So let’s talk risk rating; those who have attended my workshops will know this image well. Knowing what I know now, my impact will be a solid score of 5 as mentioned above, though in the first throes of lockdown back in March, I’d say I estimated a score of 4. Likelihood, however, changes rapidly given the circumstance. Given that we have two scales of likelihood and impact, we can plot these on a heat-map. The higher on both scores, the hotter and more risky it gets.

  • When the initial lockdown was in place, my likelihood of contracting COVID would have been a score of 1. I never went anywhere and was confined to my home like most every South African. This is highlighted by circle A. The total risk rating at this point was 4 (1 likelihood x 4 impact).
  • When lockdowns eased and we went back to “business as usual”, my likelihood was 2.5 as mentioned. This is highlighted in circle B. The total risk rating at this point was 12.5 (2.5 likelihood x 5 impact).
  • Where we are now, I’m at 5 and 5 – giving a risk rating of 25 in the end as shown in circle C.

For those keeping score, the rating was lower in the initial lockdown (4) than it was in the lull (12.5), and is now incredibly high (25)*.


There are four major techniques of handling risk: avoiding it, reducing it, sharing it, or accepting it.

In COVID, we took the view of avoiding it initially with the hard lockdown. If no-one can go anywhere, in theory there would be no infections. When things eased up, we went for reducing it; wearing masks (correctly), sanitizing and social distancing.

Accepting it (doing nothing) was not an option (thank goodness) and neither was sharing it; you can’t take out an insurance policy for COVID or for loss of life.

In short, to reduce the rating of risks, you can put controls in place. Now, in the event where the controls of wearing masks and social distancing fail and this invisible risk becomes real, I can have a really great approach to avoiding the risk if I know about it beforehand. This app, in essence, is my crystal ball to know when someone I’ve been within 2m of has tested positive and I can quarantine myself to:

  1. see whether I’m infected, and
  2. not infect any of my friends and family.

That’s a win in my book.

But “they” will track me!

Ah the proverbial “they”. Presumably, in most normal conversations, this would be the government (I am sure though that there are some that will claim it’s the Illuminati or the Rothschild family or some such, I doubt I could change their minds either way). If the developers are to be believed, then tracking isn’t going to happen. If the analysts that have looked at the software (both from a tech and privacy perspective) are to be believed, then tracking isn’t going to happen. If everyone involved in deploying this is to be believed, then tracking isn’t going to happen. But, like with most conspiracy theories, people love believing that there’s always a much more complex explanation than there actually is.

In my view, if “they” really wanted to track you, there are far more resources at their disposal just by virtue of you owning a phone, having a credit record, or driving a car. “They” would not have to worry and fuss about you voluntarily installing an app on your phone. Given the risk vs reward above, I’ll stick to having the app, distancing, and wearing my mask over my nose and mouth.

* Of course this is purely subjective to my personal rating, however, I’d hazard that most folks’ analyses would show up a similar result. At least I’d hope so.

