Privacy Guarantees of BLE Contact Tracing: A Case Study on COVIDWISE

TL;DR

This paper analyzes the privacy, security, and reliability of Google's and Apple's exposure notification technology through a case study of Virginia's COVIDWISE app, providing validation and insights for trust and transparency.

Contribution

It offers an empirical analysis of the privacy guarantees and system properties of the exposure notification technology in real-world scenarios.

Findings

Validation of privacy and security properties under typical use cases

Assessment of system reliability and adversary resilience

Insights into transparency and user trust implications

Abstract

Google and Apple jointly introduced a digital contact tracing technology and an API called "exposure notification," to help health organizations and governments with contact tracing. The technology and its interplay with security and privacy constraints require investigation. In this study, we examine and analyze the security, privacy, and reliability of the technology with actual and typical scenarios (and expected typical adversary in mind), and quite realistic use cases. We do it in the context of Virginia's COVIDWISE app. This experimental analysis validates the properties of the system under the above conditions, a result that seems crucial for the peace of mind of the exposure notification technology adopting authorities, and may also help with the system's transparency and overall user trust.