Published on June 29, 2020
Share on : Twitter / Facebook

While politics and the media still do not communicate openly, SPR publishes extracts from the devastating analysis by EPFL computer science professor Serge Vaudenay on the lack of transparency and the security risks of “decentralized” contact tracking. The analysis is of global importance since the Swiss protocol became the global standard through Google and Apple.

Translation of extracts by SPR. The original English report can be found here .


Preliminary remark SPR : The WHO came to the conclusion in a study of flu pandemics in 2019 that contact tracking “is not recommended under any circumstances” because epidemiologically it does not make sense. NSA whistleblower Edward Snowden warned in this context that Corona will be used as a pretext for the mass surveillance society develop comprehensively .

Read more : Facts about Covid-19 →


1) From the introduction

“The website of the National Cyber ​​Security Center NCSC lists many security reports that SwissCovid rates quite positively. But it doesn’t list our report. Instead, it contains a “detailed analysis” of the NCSC about our report. We disagree with this analysis. Since it appears to be fairly clear that communication is not transparent, we are presenting our observations to the public here. ”

2) Summary

“In summary, our observations are as follows:

  1. Although the app’s source code is available, we cannot compile, run, and run it without signing an agreement with Apple or Google. We therefore find the app not compatible with the term open source.
  2. Much of the contact tracking protocol (which was originally the DP3T protocol) is implemented by Apple-Google in part of the system called GAEN. This part has no available source code, although the law requires the source code of all components of the system to be disclosed.
  3. Some servers are hosted by Amazon as part of an external service.
  4. The information available to potential users is unclear, incomplete, or incorrect.
  5. When using SwissCovid, users can be tracked down or identified by third-party surveillance systems.
  6. Diagnosed users who submit a report are at risk of being identified by a third party.
  7. Third parties could give false warnings of possible infection on a target phone or on a large group of target phones. This would result in people having to be quarantined without being really at risk.

In order to avoid the problem that GAEN (the Google Apple interface) has no available source code, although the law prescribes a source code for all components, the Federal Council enacted a regulation that lists all components but is not contained in GAEN .

In order to justify such an exclusion, SwissCovid’s promoters argue that GAEN is part of the phone’s operating system or part of the phone’s Bluetooth interface and that it is not common to require the source code of such parts to be disclosed.

We deny that GAEN is such a part of the phone, at least on Android phones. GAEN is part of Google Play Services, which are independent of the operating system and the communication interfaces. ()

In addition, most of the previous DP3T protocol (for “decentralized” contact tracking) that was implemented in this original version has disappeared in the current version of the application because an equivalent protocol is now built into GAEN.

We conclude that there is no well-founded technical justification for excluding GAEN from the components of the system . We strongly believe that the regulation is a legal trick to circumvent the law, which is the result of a dispute between SwissCovid and Apple-Google.

We urge constitutional experts to assess the validity of the regulation. ”

3) For the non-transparent control of tracing by Google and Apple:

All highlights by SPR.

  • “We find that SwissCovid is far from being open source. The source code remains with Microsoft, the protocol is implemented and controlled by Apple and Google. The server is hosted by Amazon. Current information policy suffers from unclear or incorrect information. ”
  • “Almost everything that is sensitive is handled by the GAEN API [the interface between Google and Apple], which does not provide any source code and which we can never compile or analyze. 
  • “ That’s why SwissCovid is far from being open source. At best, the graphical user interface source code is available, but it cannot reproduce or modify the running application. ”
  • “There are some strange signs in the relationship with Google-Apple. The DP3T project [for “decentralized” contact tracing] asks its partner Google-Apple to open the interface at least for external audits and to update its implementation. This suggests that DP3T has lost control of SwissCovid. 
  • “The current situation with Google-Apple puts SwissCovid in a strange situation. () The user must agree to their personal information to Google Apple to pass , while SwissCovid must not use them. The SwissCovid application is also prohibited from using the location. However, Google Play services use access to devices, photos, location, bookmarks, calendar, storage, phone, microphone, device ID, camera, contacts, Wi-Fi, device status and history, identity, SMS and many other privileges . Since iOS is closed, we couldn’t say anything, but it will be the same. ”
  • “There was controversy over the introduction of centralized or decentralized systems. We can now see that the decentralized DP3T system has become an opaque system that is centralized at Google Apple Services. 
  • “Independent of SwissCovid, the same Bluetooth technology is already being used by Apple and Google to locate Bluetooth devices. Not using GPS does not mean that it is impossible to locate a phone. 
  • “Since most of the system is implemented by the Google Apple interface, there is not much left of DP3T.”

4) The security risks:

List of individual security risks in the original report.

  • “ We have shown that SwissCovid creates critical security and privacy threats. Regardless of whether they are reduced or not, we believe that they definitely need to be communicated. ”
  • “More importantly, the information available is inadequate, there is misinformation about anonymity and open source , there doesn’t seem to be any public security testing, and SwissCovid developers are bound by Google-Apple decisions .”
  • “We are aware that several attacks have already been empirically tested and reported . Our main point is that volunteer users should be aware of these attacks . They may be considered minor for most of them, but crucial for some. So far, the documentation made available to the user has been silent. 

5) To circumvent the tracing law by the Swiss government:

  • “The law of June 19, 2020 states that all components of the SwissCovid system must have a publicly accessible source code and leaves it up to the Federal Council to deal with the details of the operation. The Federal Council regulation of June 24, 2020 defines the components in such a way that it excludes what is provided by Google-Apple and implements the DP3T functionalities. The implementation of DP3T has bypassed the law. 
  • “We believe the regulation was already in preparation when the Council of States and the National Council discussed the need for publicly available source code and our analysis was censored . The citizens and Parliament have been deceived . It may be for good reason (e.g. to prevent the second wave), it is a blatant scam . In our opinion, 5 days after its adoption , the law created to protect people from having to use an opaque system has proven to be insufficient. 
  • “On Android, GAEN is part of the Google Play Services that regulate Google-specific services. () This proves that GAEN is neither part of the communication drivers nor part of the operating system, in contrast to the usual excuse for non-disclosure of GAEN, which is repeatedly published by the press. 
  • “We are convinced that the legal definition of” components “in a regulation is a trick to circumvent the law on the availability of source code.”
  • “We are asking independent legal experts to comment on this controversy to determine whether GAEN should be considered part of SwissCovid and should therefore be subject to the law that requires an available source code.
For the full Vaudenay report in English →