The Vietnamese government urges people to install Bluezone to help detect the risk of Covid-19 infection, while security experts believe that this application has many potential risks for users.
A large number of Vietnamese people have responded to the Government’s call to install the Bluezone app on their smartphones to help detect exposure to the source of infection. According to Minister of Information and Communication Nguyen Manh Hung, by the end of August 6, there were more than 8.5 million Bluezone downloads on iOS and Android platforms.
However, among cybersecurity experts, there is a warning about potential risks to users and to the Vietnamese state.
Speaking to BBC News Vietnamese on August 7, Mr. Duong Ngoc Thai, a security engineer in Silicon Valley, said: “Whoever breaks into Bluezone’s data system will have a social graph. In addition, they can also sabotage by turning any person into F0, F1 or F2.”
“That means they can quarantine many people and make the health agencies work hard to check those who are not sick,” Mr. Thai explained.
Bluezone knows who is dating whom
Bluezone is an application for quickly tracing people at risk of infection and warning users if they have had close contact with people with Covid-19. It is available for smartphones running iOS and Android.
Bluezone was launched under the direction of the Government of Vietnam, with two implementing units, the Ministry of Information and Communications and the Ministry of Health. The application's developers include BKAV, a company specializing in IT security solutions in Vietnam.
Expert Duong Ngoc Thai explained: “Bluezone is a mobile application that helps to detect who has been in contact with whom, through Bluetooth Low Energy. Bluezone helps Vietnamese state agencies perform contact tracing to detect the source of the infection (F0) and who is at risk of exposure (F1, F2, etc.). Bluezone users will know if they have been exposed to F0 or F1.”
However, according to Mr. Thai, that is the theory; as for how effective and accurate it is in reality, “I do not have enough information to evaluate.”
Expert Duong Ngoc Thai was the one who raised a series of warnings about security vulnerabilities in Bluezone back in April. He said he sent the warning to the app development team, but was later attacked and criticized in various ways.
“When Bluezone launched around April 2020, I did research on how it works and discovered some security flaws that impact the safety and privacy of users. I submitted a report to the Bluezone team and published it on a personal blog because I think many people need to know that information,” Mr. Thai said.
Mr. Thai said that initially the Bluezone development team and their supporters “found ways to counter my report, including personal attacks.”
“I have learned to point out what is wrong, state programmers are not patriotic. After that, partly because I am busy, partly because I keep talking, they will not fix it so I am discouraged, I am not monitoring Bluezone anymore. Looks like the project has stopped,” he said.
“When the epidemic breaks out again in Vietnam, I predict after all that the Vietnamese government will ask people to install Bluezone because Bluezone is not only a technology but also a political cause for many people,” said Thai.
“I opened Bluezone again and as I wrote on my blog, by analyzing the latest Android version (2.0.4, released on August 4th, 2020), I found Bluezone fixed the critical flaws. The biggest one I announced in April. In addition, thanks to the persuasive efforts of Professor Phan Duong Hieu in France, Bluezone has also overcome another important weakness.”
According to expert Duong Ngoc Thai, the current implementation of Bluezone is quite similar to Singapore’s. Accordingly, the server will collect all contact history of F0, F1, F2.
“Gathering all the data in one place will make tracing easier and more efficient, but it also means that Bluezone, the state of Vietnam, will know who met whom and for how long, and from this information it is possible to infer who knows who, i.e. the social graph of the majority of officials and the public,” he explained.
“This is very sensitive information, because it reveals, for example, who is dating whom. In the middle of the afternoon, seeing two phone numbers constantly exchanging ‘codes’ for an hour so they would predict that the couple is just lying hugging each other to stop the coldness.”
Consistent with Vietnam’s reality
Expert Thai said that with the above working mechanism, Bluezone will have a social graph of the whole country, and “those who grasp the social graph will have many ways to make money and rights.”
“The entire Facebook empire is built on a social graph. This is why many countries do not choose this approach because of the fear that concentrating too much information in one place will lead to abuse of power. Google and Apple have also built a traceability technology built into Android and iOS, but this technology also does not disclose the social graph to the server-side,” he said.
Despite pointing out the potential dangers of Bluezone, expert Thai said that this solution was “suitable with the cultural and social situation in Vietnam.”
“Everyone wants the disease to end quickly so they can return to a normal life, it is okay to sacrifice a little privacy and lose a little personal information. It is only a matter of how Bluezone will protect the data and how to ensure there is no abuse of power. Currently, Bluezone has not provided any information about this.”
On its website, Bluezone recently made many commitments to reassure users, such as “The application only saves data on your device, does not transfer to the system,” or “Everyone joins the community anonymously. Only the authorized Health Authority can know people infected and suspected by close contact with someone infected with COVID-19.” However, there is still no mechanism to monitor the implementation of those commitments.
Mr. Thai added that: “Because the people listen to the Government’s call to install Bluezone to fight against pandemics and only fight against pandemics. The agreement between the two sides is very simple: people provide data to the Government to work together. The government is fighting back the pandemic. If the government or development team Bluezone uses the data for something else, it is against the deal.”
“Switzerland also has a Bluezone-like application called SwissCovid. Although SwissCovid does not store data centrally on a server, which is more secure than Bluezone, the Swiss government has enacted a law specifying how SwissCovid’s operation and commitment to the application will be deactivated as soon as it is no longer needed. That means they legalize the agreement between the two sides and enforce the monitoring by law.”
In the context of Vietnam, the expert suggested: “The Government can issue a decree stating that Bluezone data is only used for anti-pandemic purposes, how many days will be deleted after Vietnam declares the end of the pandemic, and then hire or appoint an independent monitoring agency. The more people trust, the more transparent the Government must be, that can be sustainable.”
On the question of whether it is possible for hackers to break into Bluezone’s data system, expert Duong Ngoc Thai said that there is very little information available on how Bluezone designs and protects the data system, so it is impossible to evaluate it.
However, he recommended: “Based on the quality of what Bluezone has announced, I think the Vietnamese government must be very cautious and should hire a third party to independently evaluate the Bluezone team’s way.”
What do the users notice?
Prime Minister Nguyen Xuan Phuc personally called on people to install Bluezone. Vietnamese authorities also constantly urge people to install this software in many ways, including text messages sent to phones.
“The Covid-19 pandemic is complicated. The Ministry of Information and Communications and the Ministry of Health suggests that all residents with smartphones install a Bluezone close contact detection application. The application will warn of the risk of Covid-19 infection, help protect yourself and your family. Install now …”. Every mobile phone user in Vietnam has received the message at least once since the outbreak in the community reappeared in late July.
Expert Thai said that applications like Bluezone are only really effective when the number of users is large. During the Government of Vietnam's online meeting on the fight against the Covid-19 epidemic on Aug 6, Minister Nguyen Manh Hung called on localities to promote propaganda and mobilize people to install the Bluezone application “to 30% – 45% of the population install this application.”
“We have strong government and deep to the base so the installation can definitely do it. Go every lane, knock house by house and check each person to install Bluezone,” said Hung. According to Mr. Hung, thanks to this application, the health sector has traced 21 cases of F1 and F2.
Where fighting the pandemic takes priority and personal security is temporarily sacrificed, there are a few guidelines to keep in mind to minimize risk.
“First, each person’s social graph and exposure history will most likely be collected and stored by the Bluezone server for a long time. Should adjust the hugging schedule accordingly,” said expert Thai.
“Bluezone does ask for the phone number when registering. Actually, not entering a phone number does not affect the operation of the application much, but helps users become somewhat anonymous on Bluezone’s system. If it were me, I will not enter phone number until it is identified as F0.”
“Bluezone is actually not a mask. Masks are effective against them and have almost no side effects. Bluezone does not help fight viral infections, it only helps detect whether or not someone is around sick or not. Everyone should still wear a mask and exercise social stretch,” he added.