When it was first launched, the Bluezone app used a fixed ID for contact tracing; this was later changed to a temporary ID. A fixed ID makes it considerably easier to link observations of a device over time and to recover the real identity of its user than a temporary ID does. Although the change is positive, it remains unclear how the app protects the personal data of its users.
There is also concern about how far the released source code and the white paper can be trusted. The released source code omitted a part of the app's code which was later found, by reverse engineering, to record the contact history of users, including users who had not been in close proximity to confirmed COVID-19 cases.
A. The Development of Digital Contact Tracing in Vietnam
On April 18, 2020, Vietnam launched the contact tracing app Bluezone, developed by the Vietnamese cybersecurity firm Bkav on behalf of the Ministry of Information and Communications of Vietnam. According to Bkav, the app was developed and released within three weeks. Like other countries that have deployed a contact tracing app, Vietnam authorized Bluezone to assist the authorities in controlling the spread of COVID-19. The app is not mandatory: people may choose whether or not to download and use it. The source code was made available on GitHub on May 12, 2020. According to the white paper, the app operates according to four principles: data security, no location data collection, anonymity, and transparency. These principles are elaborated as follows:
Data Security
The app stores data on the device; the data is not uploaded to centralized servers.
No Location Data Collection
The app does not collect the geolocation data of users.
Anonymity
Users of the app remain anonymous. Health authorities are only able to access information about a user's identity when the user has tested positive for the virus or has been in contact with a confirmed case.
Transparency
The project is open source under the GNU General Public License v3.0. End users are encouraged to study, use, research, modify, and share the source code.
A device with the app installed can communicate with other devices running the app within a distance of about two meters. The app uses Bluetooth Low Energy (BLE), which consumes less power than Bluetooth Classic. Each device broadcasts an anonymous identifier, the Bluezone ID (BLID), and devices that come into range record each other's BLID locally. At launch, each BLID consisted of six digits and was fixed for the lifetime of the installation. This differs from Singapore's contact tracing app, TraceTogether, which uses a temporary ID.
When a new COVID-19 case is identified, health authorities enter the case into the app's system, and the system distributes the data to other smartphones with Bluezone installed. The contact data from the previous 14 days is collected from the infected individual's device and analyzed. All users who were in contact with the infected individual during that 14-day period are alerted and asked to contact the health authorities using the instructions and contact details provided. Bkav also claimed that the app can report when, and for how long, a person was exposed to the infected person.
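The matching step described above, as an added illustration that is not Bluezone's code: the white paper says only that the confirmed case's contacts from the previous 14 days are analysed and that the app can report when and for how long a person was exposed. The record format, the 15-minute exposure threshold, and the rule that a gap of more than five minutes between sightings starts a new encounter are all assumptions made here, and the contact log is constructed. Note that the log is keyed by whatever BLID the peer advertised, so under a rotating ID a single 22-minute encounter would be split across two IDs; this is why matching with temporary IDs cannot simply name peers the way it can with a fixed ID.

```python
"""Exposure matching over a 14-day device-side contact log.

Added illustration, not Bluezone's code. Record format, thresholds and
the encounter-gap rule are assumptions; the log below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)            # look-back stated in the white paper
MIN_EXPOSURE = timedelta(minutes=15)   # assumed cumulative threshold for notification
GAP = timedelta(minutes=5)             # assumed: a longer gap starts a new encounter

DIAGNOSED_AT = datetime(2020, 8, 3, 9, 0)


def sightings(start, minutes, blid):
    """One record per advertising minute: (time seen, peer BLID)."""
    return [(start + timedelta(minutes=m), blid) for m in range(minutes)]


# Constructed device-side log of the confirmed case.
CASE_LOG = (
    sightings(datetime(2020, 7, 15, 9, 0), 30, "101010")    # 19 days old: outside the window
    + sightings(datetime(2020, 7, 30, 12, 0), 3, "202020")  # brief pass-by
    + sightings(datetime(2020, 8, 1, 8, 0), 10, "303030")   # same peer, two encounters
    + sightings(datetime(2020, 8, 1, 8, 40), 12, "303030")
    + sightings(datetime(2020, 8, 2, 14, 0), 25, "404040")  # one long encounter
)


def encounters(log, diagnosed_at):
    """Per peer BLID, merge in-window sightings into (start, end) encounters."""
    cutoff = diagnosed_at - WINDOW
    per_peer = defaultdict(list)
    for t, blid in log:
        if cutoff <= t <= diagnosed_at:
            per_peer[blid].append(t)
    result = {}
    for blid, times in per_peer.items():
        runs = []
        for t in sorted(times):
            if runs and t - runs[-1][1] <= GAP:
                runs[-1][1] = t               # extend the current encounter
            else:
                runs.append([t, t])           # start a new encounter
        # each sighting represents one minute of advertising, so close the interval at +1 min
        result[blid] = [(s, e + timedelta(minutes=1)) for s, e in runs]
    return result


def exposure(log, diagnosed_at):
    """Cumulative exposure duration per peer BLID."""
    return {blid: sum((e - s for s, e in runs), timedelta())
            for blid, runs in encounters(log, diagnosed_at).items()}


def peers_to_notify(log, diagnosed_at):
    """Peer BLIDs whose cumulative exposure meets the assumed threshold."""
    return sorted(b for b, d in exposure(log, diagnosed_at).items() if d >= MIN_EXPOSURE)


if __name__ == "__main__":
    for blid, runs in encounters(CASE_LOG, DIAGNOSED_AT).items():
        print(blid, [(s.strftime("%m-%d %H:%M"), int((e - s).total_seconds() // 60)) for s, e in runs])
    print("notify:", peers_to_notify(CASE_LOG, DIAGNOSED_AT))
```

The peer seen 19 days earlier is dropped by the window, the three-minute pass-by falls below the threshold, and the peer met twice on the same morning is notified because its two encounters add up to 22 minutes.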
Concerns have been raised about the threat the app may pose to users' privacy and personal data. After installation, the app asks users for access to their location, photos, media, files, and storage. The app claims, however, that it does not collect or use users' geolocation, and that it requests access to files only to record "close contacts" in the device's storage. According to Bkav, Google's policy means that any Android app using Bluetooth must ask for the location permission. This is accurate as far as it goes: on Android versions before 12, an app needs the location permission to scan for BLE advertisements, because scan results can reveal where the device is. Holding that permission does not by itself show that the app reads GPS coordinates, but whether it does can only be confirmed by reviewing the deployed code. Some contact tracing apps have had difficulty on iOS, where they could only exchange signals while in the foreground; Bluezone is reported to run in the background on both iOS and Android.
In July 2020, Vietnam faced a second wave of COVID-19 after new confirmed cases were found in Da Nang and other cities, including Ho Chi Minh City, Hanoi, and the Central Highlands. Following this, the government asked the mobile service providers Viettel, VinaPhone, MobiFone, and Vietnamobile to send text messages encouraging subscribers to install Bluezone. On August 1, 2020, the government issued Document No. 2841/BTTTT-THH, which sets out ten guiding principles for increasing the number of people with Bluezone installed. The principles promote installation nationwide through multiple channels, including handing out leaflets, displaying banners in public areas, sending text messages, and promoting the app on television, radio, and in newspapers. Following these combined efforts, downloads rose from around 256,000 at the end of July to 2.3 million as of August 3, 2020. On August 21, 2020, less than a month after the launch of the nationwide campaign, the app passed 20 million downloads. For the app to work effectively, approximately 60% of the population, or 50 million people, would have to install it. The government also required the Department of Computerization to set up a dashboard so that provinces can report the number of people in their locality who have installed Bluezone.
A month after the nationwide campaign was launched, the app reportedly had more than 20 million users. In August it was found that the white paper had been updated and that the app now uses a temporary ID instead of the fixed ID of the earlier version. According to the updated white paper, the BLID changes every 15 minutes and each BLID is 12 bytes long. The white paper does not describe how the temporary IDs are generated.
B. Implications on Surveillance and the Right to Privacy
This section discusses how the app puts users’ privacy at risk and facilitates surveillance. This is due to (1) the technical vulnerabilities and non-transparent areas of the app that raise concerns over users’ right to privacy and (2) the lack of robust regulation and enforcement mechanisms to protect users’ privacy in Vietnam.
1. Technical vulnerabilities and non-transparent areas raise concerns
As Bluezone was developed in only three weeks before its public launch, there is no public evidence that the system was tested for privacy and security flaws beforehand. Vulnerabilities in its privacy and security design remain. In particular, the identifier the app broadcasts can be used to recognise and follow a user's device whether or not that user has tested positive for COVID-19.
The app's security and privacy risks stem from its original use of a fixed BLID. Because the same value is broadcast to every nearby device indefinitely, anyone who records BLE advertisements at several places can chain every sighting of that value into one trail; once a single sighting is tied to a real person, the whole trail is attributed to them, and the co-occurrence of BLIDs can be used to build a social and proximity graph of Bluezone users. Bkav explains its decision not to use a temporary ID (an ID that changes after a period of time) by stating that a fixed ID does not affect a user's anonymity. In the white paper, the developer states, "We believe that constantly changing of such [user] ID does not make the anonymity better. When Bluetooth is enabled on a smartphone, there are two types of signals that are broadcasted, namely Bluetooth Classic and Bluetooth Low Energy (BLE). With the Bluetooth Classic signal, there will always be a fixed MAC Address of the phone since its shipping. Thus, by nature the phone has broadcasted a fixed ID via Bluetooth Classic."
A Media Access Control (MAC) address is a unique identifier assigned to a network interface controller (NIC), the hardware that connects a device to a network such as Ethernet, Wi-Fi, or Bluetooth; it lets data be delivered to the right "address" within the network. Bkav's argument conflates the two radios. The Bluetooth Classic device address is typically exposed to scanners only while the phone is discoverable or in an active connection, whereas the app's BLE advertising runs continuously in the background, and BLE itself supports randomized private addresses, which modern phones use precisely to prevent long-term tracking. A fixed BLID carried inside the advertisement reintroduces the persistent identifier that address randomization removes. Bkav could therefore have chosen not to build the app around a fixed BLID, especially as that choice weakened users' privacy. As the app now uses a temporary ID, an independent technical analysis is needed to establish how the new scheme works and whether it protects users' privacy. An independent analysis of the app's architecture, functions, protocols, data management, and security design is also needed.
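The linkability argument above, as an added illustration that is not Bluezone's code: three passive BLE observers (an office, a cafe, a clinic) log every advertised ID they see once a minute while one user follows a constructed itinerary. The six-digit fixed BLID is made up. The rotating variant draws 12 fresh random bytes per 15-minute epoch; that is an assumed generation scheme, since the updated white paper states the 15-minute interval and the 12-byte length but not how the IDs are derived. The adversary's only operation is grouping sightings by the value broadcast.

```python
"""Linkability of a fixed versus a rotating Bluezone-style ID.

Added illustration, not Bluezone's code. Observers, itinerary and the
fixed ID are constructed; the rotating-ID generation is an assumption.
"""
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = timedelta(minutes=15)   # rotation interval stated in the updated white paper
FIXED_BLID = "482913"           # constructed six-digit fixed ID

# Constructed itinerary of one user: (arrival, minutes present, observer)
ITINERARY = [
    (datetime(2020, 8, 3, 8, 0), 40, "office"),
    (datetime(2020, 8, 3, 12, 10), 20, "cafe"),
    (datetime(2020, 8, 3, 18, 30), 25, "clinic"),
    (datetime(2020, 8, 4, 8, 5), 40, "office"),
]


class RotatingId:
    """Fresh 12-byte random ID per 15-minute epoch (assumed scheme)."""

    def __init__(self):
        self._ids = {}

    def at(self, t):
        epoch = (t - datetime(1970, 1, 1)) // EPOCH   # integer epoch index
        if epoch not in self._ids:
            self._ids[epoch] = secrets.token_bytes(12).hex()
        return self._ids[epoch]


def simulate(rotating):
    """Observer logs: one (time, observer, blid) record per minute the user is present."""
    ids = RotatingId()
    log = []
    for arrival, minutes, where in ITINERARY:
        for m in range(minutes):
            t = arrival + timedelta(minutes=m)
            log.append((t, where, ids.at(t) if rotating else FIXED_BLID))
    return log


def link(log):
    """Adversary view: for each BLID, its ordered stops as (observer, first seen, last seen)."""
    per_id = defaultdict(list)
    for t, where, blid in log:
        per_id[blid].append((t, where))
    tracks = {}
    for blid, seen in per_id.items():
        stops = []
        for t, where in sorted(seen):
            if stops and stops[-1][0] == where:
                stops[-1][2] = t              # still at the same observer
            else:
                stops.append([where, t, t])   # moved to a new observer
        tracks[blid] = [tuple(s) for s in stops]
    return tracks


def longest_track(log):
    """Most stops the observer network can chain to a single ID."""
    return max(len(stops) for stops in link(log).values())


def trail(log, blid):
    """Observers that saw one ID, in order: what follows once a sighting is tied to a person."""
    return [where for where, _, _ in link(log).get(blid, [])]


if __name__ == "__main__":
    fixed, rotating = simulate(False), simulate(True)
    print("fixed ID:   ", len(link(fixed)), "ID(s), longest chain",
          longest_track(fixed), trail(fixed, FIXED_BLID))
    print("rotating ID:", len(link(rotating)), "ID(s), longest chain",
          longest_track(rotating))
```

With the fixed BLID the observers collapse two days of movement into a single four-stop trail under one identifier; with the rotating BLID the same sightings fall under ten unrelated identifiers, none of which spans more than one place. Rotation removes only this passive linkability: it does nothing about what the app itself uploads, which is the separate concern raised below.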
When Bluezone is installed, users are asked to enter a phone number in the app. A phone number is Personally Identifiable Information (PII), so the developer should be transparent about how the phone number, and any other PII collected, is used, processed, and stored. If this function is not necessary, it should be removed from the app. The app should collect as little data from its users as possible. Where PII is collected, the app should say so and give users control over how their data is collected and used, and it should state how the data is processed, stored, and for how long it is retained before deletion.
Unfortunately, the information provided by Bluezone's developer is difficult to rely on, for several reasons. According to the app's description, data entered into the system by health authorities is stored in cloud storage, which an independent source earlier identified as Amazon Web Services (AWS). Little is known about the security of the data stored on AWS, and the source code for this function is not available. Storing the collected data on AWS also raises concern because of the United States' 2018 Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), under which U.S. law enforcement can compel U.S.-based providers to produce data regardless of where that data is stored. It was later found that AWS was no longer being used as cloud storage for Bluezone. Despite this change, information about the app's storage and backend system is still lacking, so an independent analysis is needed to identify any technical vulnerabilities affecting data privacy and security.
The app has raised a further alarming issue. According to one independent source, a technical analysis of the app found a part of the code that had not been released. Based on reverse engineering, the app's centralized servers, claimed to be hosted at https://apibz.bkav.com, can "silently grab" the entire contact history from users, including users who have not been in close contact with confirmed cases. This contradicts the white paper's claim that users are sent a notification asking them to upload their contact history to the servers, and its statement that the collected data is stored only on the device. As the white paper was updated after this finding was published on GitHub, the analysis was repeated on the 3.0.2 Android version of Bluezone, and the source reported that the initial finding still held. This is a serious issue, as the collected data could be used for surveillance, and it calls into question the reliability of the white paper. It also raises concerns about the app's transparency, including why Bkav chose not to release this part of the source code and who has access to the contact history the app collects. With more than 20 million downloads, the collected contact histories could be used to build a large-scale social and proximity graph for surveillance.
2. Lack of regulations and enforcement mechanisms to protect privacy
As Vietnam does not have personal data regulations in place, there is a risk that personal data may be misused or mishandled. An enforcement mechanism on personal data protection also does not exist. The absence of robust personal data regulations and mechanisms that are equivalent to the international best practices and standards means that there is no oversight with regard to how data collected is treated and protected.
Given these concerns, specific legislation and an oversight committee are needed for Bluezone and for any future contact tracing efforts. The legislation should specify which types of data the app may collect and require that collection be kept to the minimum necessary. It should also set out how data may be processed and shared, and fix the retention period for data collected through contact tracing. In addition, neither a human rights assessment nor a privacy assessment was conducted before the app was rolled out.
These risks are heightened by the human rights situation in Vietnam, where there have been crackdowns on free speech and a record of the government using surveillance technology, including FinFisher spyware. These issues raise doubts about whether people can trust the state's contact tracing efforts, especially as there is no guarantee that the data will not be misused or mishandled. Transparency is needed as the country's contact tracing efforts are implemented, and assessments must be conducted and regulations enacted to protect people's privacy.
C. Conclusion and Recommendations
Bluezone's change from fixed to temporary IDs is a positive move for protecting users' privacy. However, concerns over how the app treats the personal data it collects persist, as the change to temporary IDs does not by itself secure the collected data. An independent analysis is still needed to examine the app's architecture, functions, protocols, data management, and security design, including how the temporary IDs are generated, which the white paper does not describe. Furthermore, the reliability of the white paper has been called into question by the finding, from the unreleased part of the source code, that the app collects the contact history of ordinary users without their permission. This finding also raises the question of whether Bluezone serves an undisclosed purpose.
Moreover, current Vietnamese law does not protect users' right to privacy, and specifically their personal data. With neither a data privacy law nor an enforcement mechanism equivalent to those considered best practice, the risks of personal data being misused and the right to privacy being violated through the country's contact tracing efforts are left unchecked. Vietnam needs to issue a specific regulation and implement an enforcement mechanism to ensure that the collected data is treated in accordance with the right to privacy.
In order to protect the right to privacy of Bluezone’s users and the public at large, the government of Vietnam and Bluezone’s developers are urged to act upon the following recommendations:
- Release the complete source code of the deployed app together with the relevant build parameters, so that the published code can be verified to reproduce the distributed binaries and the app's functioning is transparent.
- Implement a specific regulation and an oversight committee for Bluezone to oversee how the app is implemented and how privacy and personal data are treated in the country's contact tracing efforts.
- Conduct a human rights impact assessment (HRIA) and a privacy impact assessment (PIA) for Bluezone, and make the results publicly available.
- Support an independent technical analysis of the app and address the technical vulnerabilities that are found. The government and the developer should act on the findings and be transparent about how they fix the problems identified, in order to better protect the right to privacy.