The NOVID20 SDK, a new framework for contact tracing, has just appeared. The project claims to focus on privacy and took an important first step towards transparency and public trust in its privacy and security claims by making its source code publicly available. We took this chance and provide a first quick analysis of the openly available source code in our report The not so private way of tracing contacts: A first analysis of the NOVID20 Android SDK.
Contact tracing is one of the main approaches widely proposed for dealing with the current global SARS-CoV-2 crisis. As manual contact tracing is error-prone and doesn't scale, tools for automated contact tracing, mainly through smartphones, are being developed and tested. While their effectiveness - also in terms of potentially replacing other, more restrictive measures to control the spread of the virus - has not been fully proven yet, it is critically important to consider their privacy implications from the start. Deploying such tools quickly at mass scale means that early design choices may not be changeable in the future, and potential abuse of such technology for mass surveillance and control needs to be prevented by their own architecture. Many different implementations are currently being developed, including international projects like PEPP-PT/DP-3T and national efforts like the Stopp Corona app by the Austrian Red Cross.
A new framework for contact tracing, the NOVID20 SDK, was published 3 days ago. It is an SDK that can be integrated with different apps to facilitate interoperable on-device contact tracing. The authors of the SDK took an important step towards transparency and public trust in such a framework by publishing the source code of their SDK on GitHub.
Over the last day, our researchers Michael Roland, Tobias Höller, and Michael Sonntag analyzed the NOVID20 Android SDK with regard to security and privacy. Given the short time period, our analysis is neither comprehensive nor formal, but summarizes a first impression of the code.
NOVID20 follows a reasonable privacy design by exchanging only pseudonyms between the phones in physical proximity and recording them locally on-device. However, there is some room for improvement: (a) pseudonyms should be generated randomly on the phone, and not on the server side; (b) transmitted pseudonyms should be frequently rotated to avoid potential correlation; (c) old records should automatically be deleted after the expunge period; (d) absolute location tracking, while handled separately from physical proximity and only optionally released, can be problematic depending on its use - absolute location data must be protected with additional anonymization measures such as Differential Privacy, which are left to the application/server and may, therefore, not be implemented correctly; and (e) device analytics data, while helpful during development and testing, should be removed for real deployments. Our report gives more detailed recommendations on how this may be achieved.
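To make recommendations (a) to (c) concrete, here is an added illustration of how a tracer can generate its pseudonyms randomly on the device, rotate the transmitted pseudonym on a fixed interval, and automatically expunge old contact records. This is example code written for this post, not code from the NOVID20 SDK; the 15-minute rotation interval, the 14-day retention period, and the class and function names are assumptions.

```python
import os
import time
from dataclasses import dataclass

# Assumed parameters (not taken from the NOVID20 SDK): rotate the broadcast
# pseudonym every 15 minutes, expunge contact records after 14 days.
ROTATION_SECONDS = 15 * 60
EXPUNGE_SECONDS = 14 * 24 * 60 * 60


@dataclass
class Contact:
    pseudonym: bytes   # pseudonym received from a nearby device
    seen_at: float     # local timestamp of the encounter


class OnDeviceTracer:
    """Keeps pseudonyms and contact records on the phone only; no server is involved."""

    def __init__(self, rotation=ROTATION_SECONDS, expunge=EXPUNGE_SECONDS, clock=time.time):
        self.rotation = rotation
        self.expunge = expunge
        self.clock = clock          # injectable clock so the behaviour can be tested
        self._pseudonym = None
        self._issued_at = 0.0
        self.contacts = []

    def current_pseudonym(self) -> bytes:
        """Return the pseudonym to broadcast; draw a fresh random one once the rotation interval has passed."""
        now = self.clock()
        if self._pseudonym is None or now - self._issued_at >= self.rotation:
            self._pseudonym = os.urandom(16)   # generated on-device from the OS CSPRNG
            self._issued_at = now
        return self._pseudonym

    def record_contact(self, pseudonym: bytes) -> None:
        """Store an observed pseudonym locally, expunging stale records first."""
        self.expunge_old()
        self.contacts.append(Contact(pseudonym, self.clock()))

    def expunge_old(self) -> int:
        """Delete records older than the retention period and return how many were removed."""
        cutoff = self.clock() - self.expunge
        kept = [c for c in self.contacts if c.seen_at >= cutoff]
        removed = len(self.contacts) - len(kept)
        self.contacts = kept
        return removed
```

Because the pseudonym never leaves the device in plain form and is unrelated to earlier ones, an observer who records broadcasts cannot link two rotation periods to the same phone, and the local store never grows beyond the retention window.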
We explicitly note that all of these points can be fixed based on the current design, and we thank the NOVID20 team for openly releasing their code, which made this analysis possible in a short time window.
The full report summarizing our analysis is available here: The not so private way of tracing contacts: A first analysis of the NOVID20 Android SDK.