Well, that blew up…
I decided to write a blog post to describe what we’ve done at Profero with the “Hamagen” (shield in hebrew) application, and I ended up writing an article. I translated it, and I am including it below.
We also gave some talks, webinars and posts relating to the app, organizing them all below
This article is also cross-posted on Medium
A million downloads in 4 days: How was the “Hamagen” application developed
Nothing about the development process of the “Hamagen” application looks like a development process in a government agency, starting with fast, agile development, including well-known privacy and security experts or ending with releasing the application as an open-source project. Guy Barnhart-Magen, The CTO who took part in the development process, talks about the path to a million downloads in less than a week.
By: Guy Barnhart-Magen
Israel’s Ministry of Health was facing a complex problem. On the one hand, in order not to send large groups of people into self-isolation (assuming there was exposure to Corona patients), they need location data of anyone who was in actual proximity to them. On the other hand, access to such data is a severe breach to everyone’s privacy, as the recent public turmoil around the cellular tracking technology deployed by the Internal Security Service (SHABAK) can tell.
The motivation behind the application is simple. Today, and epidemiology investigator needs to conduct sessions with each confirmed corona patient and reconstruct his locations for the past 14 days before the confirmation – so they can find more people who were in proximity to the virus. This investigation is not accurate by its very nature (relying on patients’ memory) and does not scalable with the number of confirmed cases.
At Profero, we felt that this project has enormous benefits to both our health and our peace of mind. Finding a way to keep it both secure and private was imperative. We called in security and privacy experts to join us in reviewing the architecture, decisions, code, and the strategy of the ministry of health. We agreed beforehand that we would do an in-depth study, and only after it was complete could we back this application.
How do you conduct tracking without compromising privacy?
The highest goal for the application is to allow users to check if they have been in proximity to a confirmed corona patient. To fulfil that goal, we wanted to break it down to some achievable goals:
- Transparency – by using open source code, we can move from a closed model where no one is sure what the application is doing, to a model where you don’t have to trust experts, but can review the code yourself for the current and any following version.
- Security – reviewing the code and validating that best practices are used, and that the architecture is secure.
- Privacy – maintaining privacy, so no information that belongs to the users is sent to anyone without user consent.
- Simplicity – we aimed to keep the architecture as simple as possible, to focus on the critical issues, without features that will complicate privacy and security.
Planning a simple architecture
The selected architecture is rather simple.
- The Ministry of Health keeps a data structure (JSON) that contains public locations of confirmed corona patients and updates it from time to time.
- The Ministry of Health pushes the updated data structure to an Azure Object Storage. A cloud is used to isolate the Ministry of Health from the application and take advantage of the inherent redundancy and load capabilities of the cloud.
- The application is written in React/Native to simplify the code and support in Android and iOS.
- The application pulls the data structure periodically from the cloud.
- The application collects location data from the devices operating systems, along with a Wi-Fi identifier called an SSID, and keeps them in a local database (SQLite). The Wi-Fi SSID data is kept hashed: Hash(SSID)+MAC
- The application looks for spatial and temporal matches (time and place) between the local location data and the data structure. If there is a match,the user is asked to confirm that this is a match and not a false positive.
- If relevant, the user is asked to go (using a WebView link) to the Ministry ofHealth website to fill out a form reporting that he was exposed to a confirmed corona patient.
This architecture has a small number of components, the matching is entirely on the user’s device, the data never leaves the device, and the user can decide if and how he would like to report about exposure to a confirmed corona patient.
How do you get location data but still maintain privacy?
As the topic of privacy in this application is paramount, we wanted to make sure that private data of users will not be sent to the Ministry of Health today or in thefuture without the user’s knowledge. We recommended that the application will be released as open-source. This allows the community to validate and review what features are added to the application or what other capabilities it may have.
An example of that is the usage of the Wi-Fi identifier. The use of this identifier is used to differentiate between groups of users that may have been exposed (e.g.,they were at the same address, or within 500m), but in reality, they had no contact. If the patient was in a building on floor 18 – we shouldn’t send everyone else in that building into quarantine.
The way we chose to achieve that is to use anonymized Wi-Fi identifiers. The Wi-Fi identifier (called SSID, actually the label an access point broadcasts to the world when you scan for Wi-Fi in your device) goes through an anonymization process, which will help determine along with the time and location if there is a match.
Currently, the matching algorithm does not take this into account. The match is based on time and location only. But since the application is open-sourced, we can know when the algorithm does take that into account, and how exactly it would do so.
A Million Downloads in a Number of Days
Throughout the process, the Ministry of Health, the Cyber Directorate, the application development teams, and volunteers worked days and nights to launch the application on time, in a secure way while preserving everyone’s privacy- and they deserve all the credit. The application launched Sunday, March 22nd, and passed the 500K downloads in Android alone in under 48 hours.
To the best of my knowledge, this is the first time that a government agency turns to the security community to get guidance on how to plan and execute such a project and completely accepts all recommendations on architecture, security, privacy, and open source. This approach makes it easier for all of us to gain trust in our government, and specifically in the Ministry of Health’s application.
In conclusion, I would like to thank our team at Profero, led by Omri Segev Moyal,who worked long days and nights: Tomer Zait, Ido Naor, Inbar Raz, Lior Kaplan. Tothe Matrix team, the many volunteers who contributed their time and abilities to the project (which is on GitHub), to the cyber directorate personnel, and notably to the people at the ministry of health, who showed that the government could do projects differently, under time pressure and with high expectations.
The bottom line is – their success is everyone’s success.
Resources
Technical
Talks
Posts
English
- Profero’s Blog
- [Medium Articles]https://medium.com/proferosec-osm/a-million-downloads-in-4-days-how-was-the-hamagen-application-developed-73515d1ab5b2)
- Infographic as PDF
- Fox
- Graham Cluley
- Today Online
- Bleeping Computer
- Jerusalem Post
- Haaretz
- US News
Hebrew
French