Ok, seems like as good a time as any to take another look at where the data used by #TraceTogether is stored, and what are the implications of the police having access to it. 1/
First, let's talk about identities. There are 3 kinds of identities in TT. First is your actual PII: your NRIC number, contact number, etc. Second, a unique ID that is generated per user, the ttID. Third, temporary IDs that are broadcasted to other users, TempIDs. 2/
The server holds a mapping between the permanent ttID, and your PII. So with access to the server, it can determine who (in "real life") a ttID is. The phone holds your ttID, and it also appears in comms between client and server (including Firebase). 3/
TempIDs contain the ttID, but are encrypted using a secret key that only the server has. TempIDs are broadcasted to other devices, and so your TempID might be in somebody else's phone. To map from TempID to PII, you first need the secret key, and then the ttID to PII map. 4/
So with that out of the way, there are 3 main data stores we need to think about: 1. the server-side ttID-to-PII map and TempID decryption key, 2. the client-side database containing TempIDs (known as the StreetPassRecord database), and 3. the client-side TempID cache 5/
So, suppose the police have full access to the server-side info, and they seize your device with TT installed. They can then find out the full identity of every other person (running TT) that you were in proximity to over the past 2 weeks. 6/
Suppose you delete TT from your phone, or the police can't access your device for whatever reason. Then they can't obtain your list of contacts. But they would still be able to tell you were nearby some other person running TT, if they could access that person's records. 7/
Because that person's phone would contain your TempIDs, which the police can decrypt. 8/
If you ask the server to delete your data, and they honour that? IIRC GovTech says this includes the key used to decrypt your TempIDs. If true, then TempIDs residing in other devices can't be mapped to you anymore. There's no way of confirming this though. 9/
Otherwise, your TempIDs on other devices could still be decrypted and mapped to your ttID. If the police have your phone, they know your ttID, and so it doesn't matter whether or not your PII was removed from the server. 10/
Finally, suppose the govt declares that the police will not be given access to server-side data (fat chance!). What could the police do? They could use the TempID Exposure Attack I described here: blog.unwovenlabs.com/reports/govtec… (assuming it hasn't been fixed yet) 11/
If they have access to your phone, and another person's phone, they could determine the two of you have met in the past 12 hours, without any server side info, because your phone keeps a cache of TempID that it sent out to other devices. 12/
In summary: TT's contact tracing data is stored in 3 places: the StreetPassRecord database, the TempID cache, and on the server. For the first two, if you uninstall TT, they should be gone. For the last one, you'll have to ask GovTech for help and hope they do. /fin
PS: The StreetPassRecord database is stored at /data/data/sg.gov.tech.bluetrace/databases/record_database, and the TempID cache at /data/data/sg.gov.tech.bluetrace/files/tempIDs (and shortTempIDs). You need to be root to access these files.
My personal opinion on whether we should delete TraceTogether? I kind of feel that given the amount we are already surveilled, it won't make a huge difference. But I totally get that other people might be uncomfortable with it.
Oh one other thing: #TraceTogether has a pause feature that, last I checked on Android, works correctly. So you could use that instead of uninstalling. If enough people are interested I could take another look at the latest version to verify it is still working.
A clarification on this point: I took a quick look at the open sourced server side code, and there should be a single key used to decrypt all TempIDs (somebody who knows GCP better than me please verify). So what they delete is the link between your PII and your ttID.
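As an added illustration (not code from the thread, from TraceTogether or from GovTech's open-sourced server), here is a small Python model of the three data stores described above: the server-side ttID-to-PII map plus the single TempID key, the StreetPassRecord database of heard TempIDs, and the cache of TempIDs the phone itself sent out. The HMAC-keystream cipher, the 15-minute validity window and the PII strings are assumptions made for the model; the point it shows is that deleting the PII link still leaves TempIDs decryptable to a ttID, and that the sent-TempID cache lets two seized phones be matched with no server data at all.

```python
# Constructed model of the three TT data stores; the HMAC keystream cipher stands in for the real scheme (assumption).
import hmac, hashlib, json, os

def _xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Symmetric: XOR data with an HMAC-SHA256 keystream derived from key and nonce.
    stream = b""
    for i in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Server:
    """Store 1: ttID-to-PII map plus the single key that opens every TempID."""
    def __init__(self):
        self.tempid_key, self.ttid_to_pii = os.urandom(32), {}
    def register(self, pii: str) -> str:
        self.ttid_to_pii[(ttid := os.urandom(8).hex())] = pii
        return ttid
    def issue_tempid(self, ttid: str, start: int, expiry: int) -> str:
        nonce = os.urandom(12)
        body = json.dumps([ttid, start, expiry]).encode()
        return (nonce + _xor_crypt(self.tempid_key, nonce, body)).hex()
    def ttid_from_tempid(self, tempid: str) -> str:
        raw = bytes.fromhex(tempid)
        return json.loads(_xor_crypt(self.tempid_key, raw[:12], raw[12:]))[0]
    def delete_pii(self, ttid: str) -> None:
        self.ttid_to_pii.pop(ttid, None)   # only the PII link goes; the key stays

class Phone:
    """Store 3 (cache of TempIDs this phone sent) and store 2 (StreetPassRecord database)."""
    def __init__(self, ttid: str, server: Server):
        self.ttid, self.server = ttid, server
        self.tempid_cache, self.street_pass = [], []
    def broadcast(self, now: int) -> str:
        tid = self.server.issue_tempid(self.ttid, now, now + 900)  # 15-min window assumed
        self.tempid_cache.append(tid)
        return tid
    def hear(self, tempid: str) -> None:
        self.street_pass.append(tempid)

def identify_contacts(server: Server, phone: Phone) -> list:
    """With server access, every heard TempID resolves to PII, or to a ttID if the PII was deleted."""
    out = []
    for tid in phone.street_pass:
        ttid = server.ttid_from_tempid(tid)
        out.append(server.ttid_to_pii.get(ttid, "ttID:" + ttid))
    return out

def met_without_server(a: Phone, b: Phone) -> bool:
    """Store 3 vs store 2: a TempID that a sent and b recorded shows proximity, no key needed."""
    return any(t in b.street_pass for t in a.tempid_cache)
```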