..

Why the Vaccine Pass is a threat to privacy (and Leave Home Safe isn't)

Is the government using Leave Home Safe to spy on you? Actually, the vaccine pass is what could lead to you being tracked! In this post I will cover misconceptions regarding the LHS app, and how the vaccine pass scheme is concerning, from a privacy standpoint.

The Leave Home Safe app is not tracking you, actually it is indeed a privacy first implementation. If you’re extra tinfoil hat (like me), you don’t even need to trust it, but could still use it safely! The “Vaccine Pass”, however, even the “offline” implementation (paper copy), has the potential to be used for tracking. How? Well read on…

Vaccine Pass Promo

tl;dr - Leave Home Safe doesn't allow the you to be tracked, but the "Vaccine Pass" may.

First off, I do not encourage anyone to break the law. To the best of my knowledge, this article should, in no way, help you in doing so.


The meaning of being “tracked” easily


For the purposes of this article, being “tracked” means having your location history (place and time), or a part of it, available to an authority in a manner it normally isn’t.

For instance, let’s assume if a person, whom does not own mobile phone, travels across Tokyo by bicycle, enters a restaurant at 1300hrs for lunch, pays by cash, and cycles back, it would be hard (but not impossible) for the Japanese government to ascertain that said individual was at that specific restaurant at 1300.

There are three specific components to this event: the identity (of the person), the time and the location. For the purposes of this article, a hard way for the Japanese government to track the individual could be:

  • Have someone follow their movements
  • Have access to a video feed at / near the restaurant, from which they try and match the face to a name (or number). (Location is known, time from video timestamp)
  • GPS tracking device on their bicycle

All these three methods could give the Japanese government a tuple of (identity, location, timestamp), but are hard to apply to the general population at scale (though facial recognition is getting better every day…)

In contrast, an easy way would be, say, if they had some sort of forced activity required to be performed at the restaurant, which would directly feed (identity, location, timestamp) straight to their server…. (foreshadowing a bit)


Data, servers, and the relationship to being tracked


Let us talk about three few scenarios, which will be useful later:

  • Scenario A: The “activity” results in you keeping a local record of (location, timestamp) on your phone, which is not sent to the government.

  • Scenario B: The “activity” results in you keeping a local record of (identity, location, timestamp) on your phone, which is not sent to the government.

  • Scenario C: The “activity” results in a record of (identity, location, timestamp) being sent to the government.

In my view, Scenario A, B do not count as getting tracked (if the data indeed does not go to a goernment server) , whereas Scenario C does. Do scenarios A & B sound familiar? Leave Home Safe indeed. The next section will cover said application.


Leave Home Safe - Trust not included


The premise of leave home safe, for those unfamiliar with it, is: Use your device to scan a venue’s unique QR code when you visit, and mark yourself as having left when you leave. At some interval, the app will download the locations visited by confirmed COVID-19 cases, and it’s matched against your location histroy, locally on your phone. If there is an overlap, you will be notified of the risk so you can get tested.

This, is exactly scenario A. If you do not add your vaccine info to the LHS app, then it does not have your identity! Use of the app does not require adding you Hong Kong ID / other real name information to the app. If you do add it, then it is still scenario B.

“But the location history isn’t just local - it is being sent to their servers!”

Well, I have two points to counter this argument. The weaker one is - in my reverse engineering of the LHS app, including monitoring all its traffic for a weekend, it never sent my location history to any server. I only observed requests being made to download data regarding positive cases. But it is entirely possible there is some logic in the app to send it on a certain trigger or something. Or maybe you just don’t trust me. So how can it be safe?

Because the app doesn’t need the internet! Don’t believe me? Try turning off your Wifi, Mobile Data the next time you need to scan a LHS QR code, it will still work! (At least on the latest version of the app as of 2022-02-24). This is because the entire data regarding the name of the shop is entirely within the QR code - I cover this in my previous post. The timestamp is generated by your phone’s current time, and the tuple of (location, timestamp)

is stored on your phone, locally.

Another concern might be that when you turn your data on, what if it sends it then? Well, this is where the zero trust part comes in - you can disable the apps internet access completely! Well on Android you can. On iOS, well, Tim Cook won’t let you disable WiFi access, just mobile data. Maybe you can ask him about it.

Since even without internet you can comply with the requirement to scan the QR code, and it will show up in the app, Leave Home Safe can be used on a no-trust basis.


Vaccine Pass - Or Fail Rather


How about the vaccine pass? From the logic of the previous paragraph, you may think that if your record is in the Leave Home Safe application, and you disable internet, then whats the harm? Or better yet, if you carry the paper vaccination record, then it is impossible for them to track you! NO!!!

Going back to our definition of being tracked, if they can get a tuple of (identity, location, timestamp), it would count as tracking. Well, you can disable internet on your device, or carry a paper copy. But under the vaccine pass scheme, it is the venue you are visiting that will scan your QR code! (Note: currently, some “low risk” venues (such as malls) do not need to actively scan your QR code, unless asked by enforcing agents)

Kind of acting in a manner opposite to the Leave Home Safe app, the QR code allows their device to retrieve the data, which is contains your identity (probably Name and HKID). Now, I will admit, I do not know the backend mechanism of their “validation”. But the skeptic in me would think that your identity is sent to a government server for verification to ensure it checks out (e.g. you really did receive 2 doses).

Since it is plausible the government would ask the venue to register with them to be able to verify vaccination records, when they scan your code, the government gets (identity, location, timestamp)! Unlike the Leave Home Safe app, we cannot use a zero trust model to guarantee that we are not being tracked, and hence, the real threat to privacy lies in the Vaccine Pass.

Of course, I completely trust the Hong Kong Government with my data and am sure they will never misuse it. Yep. Totally. Definitely not sarcasm. Yep.

Questions?

I would be happy to answer any questions you have! You can contact me via email, and please use my PGP key to encrypt all communications.