The NZ COVID Tracer App – Review

At the time of writing, New Zealand has one active COVID-19 case. Before we move to business as usual, it would be good to look at how our contact-tracing mobile app works, and see how it handles privacy and security. Many other countries are using Bluetooth for automatic contact tracing by recording who you were in proximity to. I’ve written a companion post which gives an introduction to COVID-19 Bluetooth contact tracing and compares the implementation of a few countries.

App Introduction

How does New Zealand compare to these other approaches? NZ COVID Tracer is somewhat different. Rather than being a Bluetooth-based contact tracer, it is more of a digital diary to keep track of the places you’ve been.

Businesses can generate a QR code to post at their premises. App users scan these codes and the app logs the business and time they visited.

Example QR Code
An example NZ COVID Tracer QR Code.

This data is stored on your phone, and it appears that it is a manual process to review your previous locations. There is no automated method to upload these to a server for analysis of which other users have been in the same location at the same time. Data is automatically deleted from your phone after 31 days.

If you are diagnosed with COVID-19 then you can share your locations with the Ministry of Health or District Health Board for them to undertake their own manual investigation.

QR Code Format

The data that’s stored in the QR code contains:

  • The business' Global Location Number. This appears to be a unique integer for a particular business location (e.g. one branch)
  • The business name
  • The business street address
  • A type, which looks to be information about the scan type of the code. I have only seen this set to “entry”
  • A version code, which would allow updates to the data format to add/remove information

The data is stored in JSON format, here’s the MoH example data:

{"gln":"9429300170861","ver":"c19:1","typ":"entry","opn":"Example Cafe Wellington","adr":"15 Stout Street\nWellington Central\nWellington"}

It’s then base-64 encoded and prefixed with NZCOVIDTRACER:. Base-64 encoding is a method of representing arbitrary bytes using a small set of printable ASCII characters (letters, digits and a few symbols). It’s not really necessary here since QR codes can contain the JSON data verbatim, as it’s just text anyway. The encoding is probably done for safety just in case there are some weird characters (like emoji?) in the JSON. Whatever the reason, the raw data that’s in the QR code is something like (truncated):

NZCOVIDTRACER:eyJnbG4iOiI5NDI5MzAwMTcwODYxIi…

When scanning a QR code that doesn’t match this format, the app displays an error.
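To make the format concrete, here is a small encoder and strict decoder for the payload described above. It is an added example written for this post, not code from the NZ COVID Tracer app or the Ministry of Health. The sample poster data is constructed to mirror the MoH example; encoding it reproduces the truncated payload shown above. The decoder rejects anything that is not prefix + valid base64 + a JSON object with the five string fields, and separately reports plain web links, which is the case a generic camera app would happily open. The GS1 check-digit validation of the GLN is an assumption about what a stricter parser could do; the post itself only says the GLN is a unique integer and does not describe what the real app checks.

```python
import base64
import binascii
import json

PREFIX = "NZCOVIDTRACER:"
REQUIRED_FIELDS = ("gln", "ver", "typ", "opn", "adr")

# Constructed sample poster data, following the structure of the MoH example.
SAMPLE_POSTER = {
    "gln": "9429300170861",
    "ver": "c19:1",
    "typ": "entry",
    "opn": "Example Cafe Wellington",
    "adr": "15 Stout Street\nWellington Central\nWellington",
}


class InvalidCode(ValueError):
    """Raised for anything the decoder refuses to treat as a COVID Tracer poster."""


def gln_check_digit_ok(gln: str) -> bool:
    """Validate the GS1 check digit of a 13-digit GLN (same scheme as GTIN-13).

    Assumption: the post only says the GLN is a unique integer. Real GLNs carry
    a GS1 check digit, so a strict parser could verify it; the app may not.
    """
    if len(gln) != 13 or not gln.isdigit():
        return False
    digits = [int(c) for c in gln]
    # Weights alternate 1,3,1,3,... from the left across the first 12 digits.
    total = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def encode_poster(fields: dict) -> str:
    """Produce the raw QR payload: prefix + base64(compact JSON)."""
    payload = json.dumps(fields, separators=(",", ":")).encode("utf-8")
    return PREFIX + base64.b64encode(payload).decode("ascii")


def decode_poster(raw: str) -> dict:
    """Parse and validate a raw QR payload, raising InvalidCode on any defect."""
    if not raw.startswith(PREFIX):
        raise InvalidCode("missing NZCOVIDTRACER: prefix")
    try:
        # validate=True rejects characters outside the base64 alphabet and bad padding.
        payload = base64.b64decode(raw[len(PREFIX):], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise InvalidCode(f"bad base64: {exc}") from None
    try:
        data = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise InvalidCode(f"bad JSON: {exc}") from None
    if not isinstance(data, dict):
        raise InvalidCode("payload is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise InvalidCode(f"missing fields: {missing}")
    if not all(isinstance(data[f], str) for f in REQUIRED_FIELDS):
        raise InvalidCode("all fields must be strings")
    if data["ver"] != "c19:1":
        raise InvalidCode(f"unsupported version {data['ver']!r}")
    if data["typ"] != "entry":
        raise InvalidCode(f"unsupported type {data['typ']!r}")
    if not gln_check_digit_ok(data["gln"]):
        raise InvalidCode("gln failed GS1 check-digit validation")
    return data


def classify_scan(raw: str) -> str:
    """Decide how a scanned string should be treated.

    'checkin' - a well-formed poster; 'url' - a web link, which a generic camera
    app would open but the tracer app shows an error for; 'invalid' - anything else.
    """
    try:
        decode_poster(raw)
        return "checkin"
    except InvalidCode:
        pass
    if raw.strip().lower().startswith(("http://", "https://")):
        return "url"
    return "invalid"


if __name__ == "__main__":
    raw = encode_poster(SAMPLE_POSTER)
    print(raw[:44] + "...")
    print(decode_poster(raw)["opn"])
    print(classify_scan("https://covid19app.example/"))  # constructed link, not a real site
```

The check-digit test only catches careless fakes (a digit typo, a made-up number); a poster generated with a real or correctly computed GLN still parses, which is the point the next section makes about the format being easy to forge.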

Invalid QR Code Error
Error when scanning an invalid QR code.

Security

Now the format is known, could we generate our own QR code with malicious data? Kind of, but it depends on your definition of “malicious”.

Here’s a screenshot of a fake location that I was able to scan by generating a QR code with my own information.

Fake NZ COVID Tracer Info
This place doesn’t exist, I hope. Hi Mum.

What bad things could come from this?

Anyone could generate fake QR codes and replace posters or put up fake ones on premises. Ultimately the user just ends up with fake data on their phone, and hopefully they notice this upon scanning. If the bad data isn’t spotted at scan time, then it could still be picked up if the check-in history needs to be reviewed. The MoH official may ask if you really were at “123 Butt St”. It would be handy to be able to delete an individual record but this is not possible at the moment, the only option is to delete all data.

Another potential security issue is encoding malicious URLs into the QR code, to create a sort of real-life phishing scam. Here’s a QR code that looks like a real COVID Tracer one, but it actually contains a link to a Rick Astley video on YouTube.

RickRoll
On top of everything else, COVID-19 is now RickRolling.

Luckily the URL is not particularly malicious, and we know that if it were scanned with the COVID Tracer app itself, you’d get an error. But take this scenario:

  1. The user tries to scan the QR code with their built-in camera/QR reader app instead of the COVID Tracer app. Perhaps they've tried to scan the code with the app and received an error, so they try a basic scanner instead. Or they don't know about the app.
  2. The QR code contains a realistic-looking but fake URL. Something like covid19app.co.nz (at the time of writing this domain is not registered, please don't assume it's real). This is a standard phishing approach.
  3. The user visits the bad site, which they think is real. They then put in personal information or download a malicious app, and so on.

This is, again, perhaps a slightly far-fetched scenario, but these kinds of problems can come up when users are trained to scan and trust QR codes.

Privacy

We’ve seen that the QR codes contain the premises’ addresses. This is a double-edged sword. Omitting them and having an ID embedded instead would make the QR code data harder to fake. You would have to generate a (hopefully hard to guess) ID to make a fake QR code, and even then it would need to map back to a real business. With this approach though, the app would need to retrieve address data from a remote server to show the user they had checked in to the right place. This would reveal the user’s IP address and location to the remote server.

An alternative might be to generate a list of all the business IDs and addresses and periodically download them to the phone. On scanning a QR code the address information can be retrieved from the local database. Of course this is not perfect. A user may check in using a new QR code before they’ve downloaded the new list containing that ID, in which case no address could be shown. The ID could still be recorded for reconciliation later.

Also, distributing all the IDs like this would mean they could be extracted and we’re back to the problem of being able to generate our own QR code using the ID. Although it would only be able to map back to an existing business – the worst thing we could do is have users checking in at the wrong business.
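Here is a sketch of the on-device diary that the ID-plus-local-directory design above implies. It is an added example for this post, not code from the app or from any proposed MoH design. The directory contents and the second GLN are constructed values. The point it shows is the edge case from the previous paragraphs: a scan whose GLN is not yet in the local directory is still recorded, and is resolved to a name and address when a newer directory arrives, while the 31-day deletion from earlier in the post is applied to all entries regardless of whether they were resolved.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RETENTION_DAYS = 31  # the app deletes diary data after 31 days

# Constructed local directory: GLN -> (business name, address). In the design
# discussed here this list is downloaded periodically rather than embedded in
# each QR code, so a scan can be resolved without contacting a server.
DIRECTORY_V1: Dict[str, Tuple[str, str]] = {
    "9429300170861": ("Example Cafe Wellington", "15 Stout Street, Wellington"),
}
# Constructed newer directory containing one GLN the phone has not seen yet.
DIRECTORY_V2: Dict[str, Tuple[str, str]] = {
    "9400000000000": ("Constructed Shop", "1 Example Street"),
}


@dataclass
class CheckIn:
    gln: str
    scanned_at: dt.datetime
    name: Optional[str] = None      # stays None until the GLN is resolved
    address: Optional[str] = None

    @property
    def resolved(self) -> bool:
        return self.name is not None


class Diary:
    """On-device check-in diary that resolves GLNs against a local directory."""

    def __init__(self, directory: Dict[str, Tuple[str, str]]):
        self.directory = dict(directory)
        self.entries: List[CheckIn] = []

    def check_in(self, gln: str, scanned_at: dt.datetime) -> CheckIn:
        """Record a scan; name/address are filled in only if the GLN is known locally."""
        entry = CheckIn(gln=gln, scanned_at=scanned_at)
        if gln in self.directory:
            entry.name, entry.address = self.directory[gln]
        self.entries.append(entry)
        return entry

    def pending(self) -> List[CheckIn]:
        """Entries recorded with an ID the phone could not yet resolve."""
        return [e for e in self.entries if not e.resolved]

    def update_directory(self, newer: Dict[str, Tuple[str, str]]) -> int:
        """Merge a newer directory download and reconcile pending entries; returns count resolved."""
        self.directory.update(newer)
        reconciled = 0
        for entry in self.pending():
            if entry.gln in self.directory:
                entry.name, entry.address = self.directory[entry.gln]
                reconciled += 1
        return reconciled

    def purge(self, now: dt.datetime) -> int:
        """Drop entries older than the retention window; returns count removed."""
        cutoff = now - dt.timedelta(days=RETENTION_DAYS)
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.scanned_at >= cutoff]
        return before - len(self.entries)


def run_scenario() -> dict:
    """Walk through: known scan, unknown scan, directory update, 31-day purge."""
    diary = Diary(DIRECTORY_V1)
    t0 = dt.datetime(2020, 6, 1, 12, 0)
    first = diary.check_in("9429300170861", t0)
    second = diary.check_in("9400000000000", t0 + dt.timedelta(hours=1))
    pending_before = len(diary.pending())
    reconciled = diary.update_directory(DIRECTORY_V2)
    pending_after = len(diary.pending())
    purged = diary.purge(now=t0 + dt.timedelta(days=32))
    return {
        "first_name": first.name,
        "second_name_at_scan": None if pending_before else second.name,
        "pending_before": pending_before,
        "reconciled": reconciled,
        "pending_after": pending_after,
        "second_address": second.address,
        "purged": purged,
        "remaining": len(diary.entries),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Because the directory lives on the phone, resolving a scan never reveals the user’s IP address or location to a server; the trade-off, as noted above, is that anyone with the list can mint a QR code for any listed business.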

All things considered, the current implementation is probably a good approach for the given requirements (offline recording of the current location).

Alternative Location Tracking

The NZ COVID Tracer app requires “buy-in” from a lot of businesses for it to work well. While the QR code generation is automatic once you’ve registered with Business Connect, it’s still a process that must be undertaken, and a barrier to entry.

The app does not use GPS location tracking, which I suspect may be for apparent privacy. There is a perceived difference between “recording my location” and “checking in at a business”. In practice these are the same thing, since the current implementation is recording the address anyway.

An alternative implementation could forgo QR codes and just allow users to “check-in” using their GPS coordinates (à la Foursquare Swarm). The rest of the implementation could remain the same – location data is stored only on the phone and then manually shared with the MoH. This would allow app users to check in at places that have not registered with Business Connect, or even check in manually later if they forget.

This solution is not perfect either, though: GPS may not be completely accurate. If you record your location within a cluster of shops, say, it’s not clear which one you might have been inside. Given that reviewing the list is a manual process you may be able to answer that question yourself at that time. Or, perhaps the app could prompt you with a list of nearby businesses or allow you to enter the business name manually.

Conclusion

Should we be concerned about New Zealand’s approach, which could appear somewhat lackadaisical? Given that our approach with regard to other aspects of COVID-19 management appears to be going so well (touch wood), and with the lack of community transmission, it perhaps doesn’t matter about our implementation of the app. Provided that there’s no second wave it would seem (to a non-epidemiologist without any medical background, at least) that contact tracing apps in New Zealand aren’t that useful.

Stay safe, wash your hands, and let’s hope we’re at zero soon.

About Tera Shift

Tera Shift Ltd is a software and data consultancy. We help companies with solutions for development, data services, analytics, project management, and more. Our services include:

  • Working with companies to build best-practice teams
  • System design and implementation
  • Data management, sourcing, ETL and storage
  • Bespoke development
  • Process automation

We can also advise on how custom solutions can help your business grow, by using your data in ways you hadn’t thought possible.

About the author

Ben Shaw (B. Eng) is the Director of Tera Shift Ltd. He has over 15 years’ experience in Software Engineering, across a range of industries. He has consulted for companies ranging in size from startups to major enterprises, including some of New Zealand’s largest household names.

Email ben@terashift.co.nz