Nothing in the development process of the “Protector” app looks like a development process in a government office: from working against a zero-time deadline, through collaboration with security and privacy experts, to the choice of open source. Guy Bernhard-Magen, the CTO behind the development, describes the road to one million downloads in less than a week
By: Guy Bernhard-Magen
The Ministry of Health was facing a complex problem. On the one hand, in order to avoid sending large numbers of people into isolation on a mere suspicion of exposure to Corona patients, it needed location data to determine who had actually been close to them. On the other hand, access to such data is a serious violation of the privacy of all of us, as the public outcry over the use of the GSS's cellular tracking tools made clear.
The motivation behind the app is simple. Today, an epidemiological investigator has to interview every confirmed coronavirus patient in order to reconstruct the route the patient took in the 14 days before diagnosis, so as to find other people who may have been exposed to the virus. This investigation is inherently inaccurate (it relies on the patient's memory) and, above all, does not scale to the expected rise in the number of patients.
We wanted to ensure that this project, which is very important to the health of all of us (and to our peace of mind), was implemented, but in a safe way, one that preserves our citizens' privacy. We called on a number of leading security experts in their fields to join us and examine the architecture, code and strategy of the Ministry of Health, having agreed in advance that we would conduct a thorough investigation and only afterwards decide whether we could stand behind the app.
How to manage surveillance without compromising privacy?
The overall purpose of the app is to allow users to check whether they were near Corona carriers. To that end we set ourselves a number of goals:
- Transparency – by using open source we move from a closed model, where no one knows exactly what the app is doing, to a model where you do not have to rely on experts: anyone can examine the code independently, both in the current version and in any future release.
- Security – checking the code and verifying that best practices are used and that the architecture is secure.
- Privacy – preserving users' privacy, so that no information belonging to users is passed on to any other party without the user's consent.
- Simplicity – keeping the system as simple as possible and focused on the really important things, with no additional features that would complicate security and privacy.
A fairly simple architecture
In the end, the chosen architecture is fairly straightforward:
- The Ministry of Health maintains a data structure (JSON) containing the public locations of confirmed corona patients, and updates it periodically.
- The Ministry of Health pushes the updated data structure to Azure Object Storage. The cloud is used here to isolate the Ministry of Health from the application and to take advantage of the redundancy and load capacity that already exist in the cloud.
- The app is written in React Native to simplify the code and to support both Android and iOS.
- The app pulls the data structure from the cloud at regular intervals.
- The app collects location data from the phone's operating system together with the Wi-Fi network identifier and saves it in a local (SQLite) database. The Wi-Fi identifier is hashed, so what is stored is Hash(WIFI) + MAC.
- The app runs a spatial intersection algorithm, entirely on the device, between the local location history and the locations of the confirmed corona patients. If a match is found, the user is asked to confirm that it is indeed a match (and not a false positive).
- If there is a match, the user is directed (via a WebView link) to the Ministry of Health website to fill out a corona patient exposure report.
This architecture has a small number of components, the computation is done entirely on the device, the information never leaves the device at any stage, and the user decides whether and how to report exposure to a Corona patient.
How do you obtain locations while still maintaining privacy?
Because privacy is of the utmost importance in such an app, and we wanted to make sure not only that users' private information does not reach the Ministry of Health today but also that it will not reach it in the future without users' knowledge, we recommended that the app be released as open source. Community oversight also lets everyone see what content is added to the app, what additional features it acquires, and so on.
An example of this is the use of the Wi-Fi ID. This identifier turned out to be a technical necessity in order to distinguish between groups of app users who, according to the spatial computation, may have been exposed to a confirmed corona patient (presumably staying at the same address, within a range of up to 500 meters), but who in practice had no contact with them. If the Corona patient was in an office building on the 18th floor, there is no reason to put the whole building into isolation.
The way to do this is to use anonymized Wi-Fi IDs. The Wi-Fi identifier (the SSID, which is the name the router broadcasts and which devices see when they scan for networks) is anonymized on the one hand, while retaining a unique identifier on the other, so that together with the time, location and ID data it can be determined whether or not there was an exposure.
At the moment the algorithm does not take this into account; matching is based on time and location only. Open source lets us all know when the algorithm starts taking it into account, and exactly how that will be done.
One million downloads in days
Throughout the process, the Ministry of Health, the cyber array, the app development teams and volunteers worked day and night to launch the app on time, safely and securely, while preserving the privacy of all of us. The app launched on Sunday, March 22, passed 500K downloads in less than two days, and is now close to a million downloads on Android alone.
To the best of my knowledge, this is the first time a government body has turned to the security community for guidance on how to plan and execute such a project, and has fully accepted all of its recommendations on architecture, security, privacy and open source. This approach allows all of us to place more trust in the government in general, and in the Ministry of Health's app in particular.
In conclusion, I would like to thank our Profero team, led by Omri Segev Moyal, who worked long days and nights: Tomer Zeit, Ido Naor, Inbar Raz and Lior Kaplan; and of course the Matrix app development team, the many volunteers who contribute their time and skills to the project (found on GitHub), the cyber array staff, and especially the Ministry of Health officials, who have shown that a project can be done differently, under heavy time pressure and many expectations.
The bottom line: their success is the success of us all. Stay healthy.
The writer is the CTO at Profero