Over the last few hours, controversy has arisen around Radar COVID over an alleged security breach allowing third-party access to user data. The Secretariat of State for Digitalization and Artificial Intelligence (SEDIA) itself claims to have corrected the situation, though several points may still be unclear.
Let's explain what happened, how the Secretariat has attempted to fix it and what the scenario is.
Radar COVID uses Amazon’s AWS, which raises privacy concerns
Radar COVID uses AWS (Amazon's cloud services) to send data to the server. As we saw when analyzing the app's code, it only sends data off the phone when we report a positive; that is, once we have been given the code and have reported our positive.
After learning about the use of the Amazon tool, the question has been raised as to whether Amazon can access user data. To answer this question we have consulted Linuxct. He is a regular contributor to XDA Developers and Xataka Android.
The expert explains that, even in the hypothetical case that Amazon accesses the positive communication, it could not have access to any sensitive user data.
He explains that, in the event that the Amazon server where the information sent by Radar COVID is hosted is in Europe (Amazon EC2 Frankfurt/Paris/Milan etc.), it would be technically possible for this information to remain within Amazon's reach. However, Amazon could only know where the data is being routed from. That is, it could know that someone is communicating with the server, but not who or how.
“This is not a security breach, it is only a hypothetical scenario that some provider with the intention to access the data could detect the communication of positives. In any case, the last update solved that possibility by introducing the random sending of false codes to ‘hide’ the real traffic and eliminate that hypothetical scenario. The code is open, so it couldn’t be more transparent.” SEDIA
Any user information is subject to the GDPR. In the hypothetical case that Amazon had access to any type of user data, it would not be able to consult it so easily. It should also be taken into account that the app is not linked to personal data, but sends out random codes unlinked to the user. Radar COVID, based on what has been seen in its source code, complies with current security standards, although SEDIA admits that this supposed scenario can arise in the case of Amazon.
The solution to this, SEDIA told Xataka Móvil, has been to update the app to introduce the random sending of false codes. In this way they try to “hide” the real traffic, in order to mask the data that is sent to the server.
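The sketch below is an added example, not code from Radar COVID or SEDIA. It models what a hosting provider that sees only encrypted request sizes could infer, and it goes one step beyond the article by showing that false codes only mask real reports when both kinds of request have the same size. The message layout, key count and padding size are assumptions made for illustration.

```python
import json
import os
from collections import Counter

# All three values are assumptions for this sketch, not Radar COVID's format.
KEY_LEN = 16           # bytes per random key
KEYS_PER_REPORT = 14   # keys carried by one positive report
PAD_TO = 1024          # fixed body size when padding is enabled


def build_body(fake: bool, padded: bool) -> bytes:
    """Serialize one upload. Keys are random and not linked to a user."""
    # A naive decoy carries no keys; a padded decoy carries random filler keys.
    n_keys = 0 if (fake and not padded) else KEYS_PER_REPORT
    msg = {"fake": int(fake),
           "keys": [os.urandom(KEY_LEN).hex() for _ in range(n_keys)]}
    body = json.dumps(msg).encode()
    if padded:
        body = body.ljust(PAD_TO, b" ")  # every request gets the same length
    return body


def max_confidence(n_real: int, n_fake: int, padded: bool) -> float:
    """Highest P(real | observed size) for an observer who sees sizes only.

    Assumption: transport encryption hides the body, and the size seen on
    the wire tracks the plaintext length.
    """
    events = [(len(build_body(False, padded)), True) for _ in range(n_real)]
    events += [(len(build_body(True, padded)), False) for _ in range(n_fake)]
    total = Counter(size for size, _ in events)
    real = Counter(size for size, is_real in events if is_real)
    return max(real[size] / total[size] for size in total)


if __name__ == "__main__":
    # Constructed population: 20 real reports among 980 decoy uploads.
    print("no decoys:        ", max_confidence(20, 0, padded=False))
    print("decoys, unpadded: ", max_confidence(20, 980, padded=False))
    print("decoys, padded:   ", max_confidence(20, 980, padded=True))
```

With unpadded decoys the observer is still certain which uploads are real, because they form their own size class; with padding, its confidence drops to the share of real reports in the traffic.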
In short, the use of Amazon’s AWS has raised privacy concerns. However, according to the analysis of the app’s code, the very functioning of the app makes sensitive data a priori inaccessible even to that company. The only time that Radar COVID takes the data out of the terminal is when it sends the positive communication, by generating random keys that are not linked to the patient.