About this App and its creators

Name of the App

Bluezone - Electronic mask

Short description of the App

Protect yourself. Protect our community.

Icon of the App

Languages supported by the App

  • vi

  • en

URL of the App on iTunes

https://apps.apple.com/vn/app/bluezone/id1508062685

URL of the App on Google Play

https://play.google.com/store/apps/details?id=com.mic.bluezone

Website of the App in English

https://bluezone.ai/

Website of the App in the local language (if applicable)

https://www.bluezone.gov.vn/

What’s the region and purpose of the app (for one-line overview)

Contact tracing for Vietnam

What are the main features of the App?

  • contact-tracing

  • promote-app-to-friends

Who develops the App?

bkav

Who operates the App?

bkav

Who sponsors the App?

ministries-of-information-communication-health-of-viet-nam

Who governs the App?

ministries-of-information-communication-health-of-viet-nam

Stated goals of the App

What are the stated goals of the App?

Side effects of the App

Are there any others goals, not stated by the App Creators, that they are known to also accomplish with this App, or that they could also accomplish with this App in the future?

The App Operators can establish the social graph of all Bluezone users, plus the time periods when they were within contact range of each other, at any time. Users additionally can be identified if they have provided a phone number to the App.

This has been shown in a proof of concept. Source: [github-thaidn-bluezone], checked on 2020-08-27 .

Are there any other goals that others (not App Creators) could also accomplish because this App exists, or is used by certain Users?

Are there notable side effects in the use of this App?

App users

Who are the intended users for the App? Where are they located?

Residents of Viet Nam

Are there technical, geographical, legal or other limits to who can use the App?

The app is now only available through the Vietnamese app stores, and only Vietnamese mobile phone numbers are accepted.

Social context of using the App

Is usage of the App required under some circumstances? If so, by whom? What are the consequences of not using it?

Not known.

Are there non-trivial incentives (e.g. financial, access) for using the App? Are there social pressures to use the App?

Not known.

Is a minimum penetration of App usage required in some population before the App can start to be effective against the pandemic?

  • “The Ministry of Information and Communications and the Ministry of Health recommend that the whole country install Bluezone for themselves and for 3 others” Source: [website], checked on 2020-05-18

  • Presumably the number of concurrent App Users in a certain region must be a significant percentage of people in that area. This is true for all technical approached to contact tracing.

Are there social pressures on the App User resulting from the use of the App, or from information shown by the App? (E.g. if the App indicates that the App User has likely been infected.)

The App website states: “According to the rule (App Assay interpretation: government policy), a person who has been identified as infected with COVID-19 will be put in quarantine and get treatment, so there is no way you can accidentally “get close” to such a person and Bluezone does not have this feature as well.” Source: [website], checked on 2020-05-18 .

This implies that users who are known to be infected will be put into mandatory quarantine. (This itself is not a consequence of the App, but of government policy.) It is unknown whether contacts of known infected people, as identified by the App, will also be subject to this policy; if it is, it would be a direct consequence of using the App. Note other consequences of technical Contact Tracing. Source: [technical-analysis], checked on 2020-05-18

Are there social pressures on anybody resulting from information shown by the App run by another App User? (e.g. pressures on an App User's family or friends if the App identifies the App User as likely infected)

Not known.

Is the App available in all languages and localizations most appropriate for the intended App User population?

Available in Vietnamese and English, which are primary languages for the intended region and international travelers. Source: [technical-analysis], checked on 2020-05-18

Operations

Describe the principle of operation of the App. This includes technology as well as people, operations, health system and the like.

Usage metrics

How many App Users are currently using the App?

More than 10 million Source: [playstore], checked on 2020-08-27

Effectiveness metrics against the disease

What metrics are available that indicate the effectiveness, or lack thereof, of the App with respect to the pandemic so far?

  • “With each person installing the app for themselves and getting the smartphones of 3 other people installed with Bluezone, in a month, the whole Viet Nam will get protected” Source: [website], checked on 2020-05-18

  • “If the number of users is large enough, even those who do not use smartphones are also protected.” Source: [website], checked on 2020-05-18

  • Several third parties have questioned the effectiveness of contact tracing in general (irrespective of this App) for fighting the disease, see Contact Tracing.

  • No numerical information about the App's actual effectiveness has been found.

How is the performance of the App with respect to effectiveness against the disease being monitored?

Not known.

If the App interoperates or federates with other Apps, what metrics are available that indicates the effectiveness, or lack thereof, of the App when interoperating or federating with others so far?

N/A

How does the effectiveness of the App compare to the effectiveness of other Apps developed elsewhere with similar functionality? What metrics exist?

Not known.

Privacy

Can identities of App Users be tied to, or can they be correlated to specific individuals, and if so, by whom?

How are new App Users onboarded on the App? What information do they need to provide to be able to use the App?

Vietnamese mobile phone number is strongly requested but not required. Source: [technical-analysis], checked on 2020-05-18

How long is collected data retained, and where?

Not known.

Are any Backups being made whose retention is longer than the declared Data Retention Period? How is it guaranteed that Backups are deleted on time?

Has a Privacy Impact Assessment been performed, and if so, where can it be obtained? Which recommendations have been implemented, and which not? If no such assessment has been performed, why not?

None found.

Is the App compliant with local regulations on privacy, in particular on privacy of health-related information?

Not known.

Is the App consistent with global best practices on privacy, in particular on privacy of health-related information?

  • In the most recent version, the newly implemented /choice/contact-tracing-iterated-pseudonym approaches global best practices.
  • However, the existence of silent upload functionality that can be triggered remotely is inconsistent with global best practices.

What assurances exist that the App will be shut down promptly when appropriate (e.g. when the pandemic has passed, or better approaches for combating the disease have been found)?

None found.

Is any data collected by the App transmitted beyond the App? If so:

  • Who is the receiver of the data?
  • What is the data that is being transmitted?
  • What are the terms under which the data is transmitted, and what are the safeguards that guarantee the terms are not being violated?
  • Can the transmitted data be correlated by the received with other data they may have or may be able to obtain?

The following data is being transmitted:

  • The App User's Contact IDs’ are broadcast continually (24x7) by the App User's smartphone via Bluetooth Low Energy (BLE). This broadcast is available to anybody who cares to listen. As the Contact IDs appear random and change frequently, by themselves they are not information that needs to be protected. However, once an App User has been marked as infected and their Daily Key has been conveyed to other App Instances, a partial unmasking of the App User can be accomplished for the time period from the start of the validity of the Daily Key. Source: [whitepaper], checked on 2020-08-27

  • There terms were found that govern the use of this data.

  • No information is available on whether or not data held by the Cloud Component is ever transmitted beyond the App. This data contains the phone number of infected App Users.

Is any data imported by the App from other sources? If so:

  • What data is being imported, and from which sources?
  • How does that increase the effectiveness of the App?
  • Does it potentially increase risks or downsides of the App, and if so, how?
No information is available on data imported on the Cloud Component. On the mobile phone, a record of all Contact IDs broadcast by other App Users is kept, for as long as the App User runs the App.

Is there a Privacy Policy, and if so, what type of privacy policy is it?

  • privacy-policy-none

Retention

Is data not required any more for the stated goals promptly deleted?

Not known.

Security

What technical approaches (e.g. cryptography) does the App use to protect all aspects of the App (e.g. confidential information, operational integrity) from Attackers?

Authentication via Firebase. HTTPS for communication between Smartphone Component and Cloud Component.

How is Data At Rest being secured? Discuss all locations at which Data At Rest exists.

How is Data In Motion being secured? Discuss all transfers between locations at which Data At Rest exists.

Source: [technical-analysis], checked on 2020-05-18

If an App User's unlocked mobile phone is stolen, what is the maximum impact of the breach on the App User, other App Users, third parties including the App system itself, and effectiveness against the disease?

This would effectively “lose” a contact in the contact tracing protocol and be no worse than if an actual contact had not been recorded (e.g. because somebody’s phone was off or not running the App at the time). If the thief continues to use the smartphone, the contact histories of two individuals will be effectively mixed. Source: [technical-analysis], checked on 2020-05-18

How are the operations of the App monitored with respect to attempted, or successful, Attacks?

Not known.

What operational approaches does the App use to protect all aspects of the App (e.g. requiring two-factor authentication, approval of commits by a second person) from Attackers?

Not known.

What are the operational procedures for access to highly privileged credentials (e.g. server or encryption root keys)?

Not known.

Can App Users verify their build of the App User (e.g. using technologies such as Reproducible Builds)?

No. While source code for some parts of the Smartphone Component is available, other parts are missing, and there is no mechanism to verify that the code downloaded to a mobile phone is actually identical to the code on Github, and in which version.

Has a process been defined for reporting and responding to a security breach?

None found.

Which organizations are known to have, or are strongly assumed to have the ability to influence the technology, operations or governance of the App, and thus require that users trust them?

All people involved in the creation, operation and governance of the App.

It is particularly notable that the App's cloudcomponent is now hosted by a company that is operated by the Vietnamese Ministry of Defense. This company has the largest market share in the Vietnamese telecommunications services market, and as such it may be able to bring together other information not usually available to an App Operator if it intended to use this App to surveil App Users and their contacts (e.g. de-anonymized IP addresses).

Have there been any reports on attempted or successful attacks on the integrity of any aspect of the App? Do the App Creators report on such attempted or successful Attacks?

None found.

Are there any reports on attempted or successful correlation of any of the data handled by the App with data from outside the App, or any attempted or successful Re-identification of anonymized or pseudonomized data?

None found.

Are there any reports on attempted or successful Data Poisoning of some of the data handled by the App?

None found.

Has an independent security review been performed, and if so, where can it be obtained? Which recommendations have been implemented, and which not?

None found.

What are the procedures and requirements for eligibility of any App Creator employees or contractors to participate in any aspect of the development, operations or governance of the App?

None found.

User education, consent, support and agency

Can the App User deactivate and delete the App?

If the source code is available, under which license is it available?

How do new App Users discover, and obtain access to the App?

How is user support handled?

How is the user experience, user understanding, and technical performance of the App being monitored in the field?

Not known.

Can App Users request a copy of the data that has been retained about them? Is the process simple and quick? Is the obtained data easy to understand, verify and use?

Can previous App Users request a permanent deletion of the data collected about them? Is the process simple and quick?

Can App Users request a correction of data about them? Is the process simple and quick?

No such process has been found. This means that if App Users pass their phone to a different person, or change phones during the pandemic, effectiveness and correctness of contact tracing may be impacted.

Can parents or guardians act on behalf of their children in all aspects of the App?

The App makes no distinction between adult and minor users. No parental consent, or withdrawal of consent is supported.

Is there an effective complaint process by which App Users can raise issues with the App, or issues with the impact of the use of the App has on them?

None found.

Are App Users being educated about what it means to use the App, and give their informed consent prior to using the App?

Partially. No information is provided on:

If the App performs several distinct functions, can the App User opt-in to some and opt-out of others?

Not applicable: the App performs only one significant function.

Usability

Are the user-facing components of the App built in a way that minimizes potential user mistakes that could be detrimental towards effectiveness or avoidance of risks and harms for themselves and others?

The user interface appears straightforward and understandable.

Is the App accessible?

Default OS features for accessibility.

Managed or processed data

What data does the App handle? Where in the Architecture is which data stored or processed? Is all data handled by the App strictly required for the stated goals?

Federation with other Apps

Is the App a standalone system (“stovepipe”) or is it intended to be used in Federation with other Apps created by others? If so, what are the supported Federation technologies (e.g. protocols/standards), operations and governance?

Not intended to be used in a federation.

Service Providers used with the App

What third-party Service Providers are used for the App, and what is their contribution or role with respect to the App? Are they under legal obligations consistent with the needs of the App?

The contractual or legal obligations of any of the service providers are not known.

Protocols

What are the key non-standard communication protocols the App uses? Explain. (These are highly dependent on the App's features.)

Technology

What Architecture does the App use?

  • architecture-smartphone-cloud

Is source code of the App available?

source-licensing-mixed

If it does, what kind of Cloud Component does the App use?

cloud-only-operator

If it does, what approach does the App take to contact tracing?

  • contact-tracing-iterated-pseudonym

Is the App based on anonymous, pseudonymous, or fully identified App Users?

  • userid-pseudonymous-global

Governance

How are decisions made about technology and operations of the App?

Not known.

How are decisions made about governance of the App?

Not known.

Is there a public roadmap for the App, and if so, where can it be found?

Not known.

Is there a whistleblower process for people involved in any aspect of the development, operation, or governance of the App?

Not known.

Should assertions by App Creators prove to be false, or their behavior to be negligent, what are the remedies available to App Users?

Not known.

Is technical documentation for the App available, and how complete is it? Is this documentation up-to-date?

  • The English-language whitepaper is out of date, but the Vietnamese-language version has recently been updated. It documents the basic contact tracing algorithm. Source: [whitepaper], checked on 2020-08-27 .
  • Major other parts of the system (such as when and what uploads occur) are not documented.

Is the entire process of App development and operations publicly documented? Is this documentation up-to-date?

No.

Validation by third parties

Which third parties have researched the effectiveness of this App against the disease? Are their reports publicly available, and if so, where?

None known.

Which third parties have researched the potential downsides or risks of this App? Are their reports publicly available, and if so, where?

See Sources.

Has any third-party audit been performed of the App? Who performed the audit, are their reports publicly available, and if so, where?

None known.

Are any major discrepancies known between self-assertions by the App Creators and Inference or Audits by third parties?

  • The public documentation strongly suggests that collected contact histories are only stored on the App User's smartphone. This is misleading as they are being uploaded at least when the App User has been marked as potential infected.

  • The public documentation strongly suggests that all (not just some) of the source code for the smartphonecomponent of the App is available as open source on Github. However, it has been shown that major functionality present in the app is not on Github.

  • Specifically, the functionality that allows the App Operator to silently upload a App User's contact history is not mentioned in public documentation, nor available in source code. Source: [github-thaidn-bluezone], checked on 2020-08-27

Audits

Is there an audit trail of what happens in the App that can it be accessed by the App User or entities on their behalf?

No.

Source code

If source code is available, where can it be found?

Other notes

Any other notes that may be of interest

  • While there are links labeled “Privacy Policy” from the app stores, these links only lead to a general information page about the App. For this reason, we catogorize the App as not having a Privacy Policy.

  • It is surprising that a number of apparently independent parties provided strong pushback on Hacker News on an independent review of this app Source: [hackernews], checked on 2020-05-18

Disclaimer and open issues that do not fit into any of the other questions.

  • Please note the general disclaimer. We appreciate feedback and corrections.

  • This assay is not exhaustive, for reasons that include available resources and the unavailability of key documentation about the App.

  • This assay relies on English-language documents, which may be less complete and less accurate than any presumed Vietnamese-language documents. Vietnamese-language documents were accessed with Google Translate, which may produce inaccurate results. Also, many of the available English-language documents were clearly written by non-native English speakers and often use terms that native English speakers would not use, or not use in this context. Our interpretation of some of those terms may be incorrect with respect to the intention of the writer.

Sources

List the information sources used for this assay, plus URL and whether they are self-asserted vs inferred vs from an Audit.

Rating

Ratings by self, third parties and any audit for the effectiveness of the App

  • self-green

  • others-green

Explanatory comments for the rating of the effectiveness of the App

The App is similarly effective to other Apps implementing Contact Tracing.

Ratings by self, third parties and any audits for the avoidance of potential risks and downsides of the App

  • self-green

  • others-yellow

Explanatory comments for the rating of the avoidance of potential risks and downsides of the App

The App has several privacy issues which can be avoided through a changed implementation including:

  • The App Operator can silently upload any App User's complete contact history and supposedly secret Base ID. This given the App Operator the ability to silently assemble a real-time social graph of all App Users. This is unnecessary for the stated purpose of the App and not conveyed to App User.

  • The App Operator can easily determine the real-world identity of any App User who has entered their phone number into the App.

  • Many aspects of the technology, operations and governance of the App are not documented, nor independently overseen. Where information exists, App Users largely depend on the word of the App Creators only.

Issue a recommendation to App Users

Before you download Bluezone, carefully consider the risks identified in this assay. Depending on your personal situation, you may decide that the risks of running the August 2020 Bluezone version, or any earlier version, may outweigh the potential benefits. For more details, please read the details of this assay.

Recommendations to the App Creators

  • We recognize that several major improvements have been made in the most recent version of Bluezone.

Critical:

  • Remove the functionality from the code that allows silent upload that can be triggered by the App Operator.

  • Restore trust in the implementation by publishing the full source code of the Smartphone Component including instructions that are known to enable independent reviewers to build the App on all platforms.

  • Do not ask App Users for their phone number at time of registration, as it does not appear to be needed. Should there be good reasons to need the phone number, they need to be explained which they currently aren’t.

Important:

  • Review the published white paper on a regular basis and make sure it accurately reflects the current state of the implementation. Remove outdated copies of the white paper (e.g. on Github).

  • Augment the white paper to describe all data at rest, and data in motion for all components of the App.

  • Respond to all open issues raised by the public on the bug tracker; currently several major issues have had no response.

  • Publish the State Machine of the App so it can be clearly understood what happens in terms of data exchange and behavior of the App triggered by which events. (E.g. the App seems to have states doubt, pending, safe, infected, verified; document what they mean and how the App behaves in those states)

  • Publish the source code of the Cloud Component.

  • Research and publish key statistics of the App on a regular basis. This should include not only how many active users there are, but also key disease-relevant metrics such as:

    • how many App Users have tested positive and whose Daily Key was published to other App Users through Bluezone.

    • how many of their contacts were identified through the App;

    • how many of their contacts then tested positive as well.

To further increase public confidence in the App:

  • Migrate the implementation to an independently validated, major implementation of Bluetooth-based contact tracing, such as the Apple/Google framework.

  • Perform development on the public Github repository, not elsewhere.

  • Commission an independent Audit of all aspects of the App, in particular the operations of the Cloud Component and the interaction of the entire App system with the public health system.

  • Clean up the code base to remove obsolete and duplicate code. Improve the overall quality and documentation of the code, and implement automated tests.

  • Convene an independent oversight board that maintains a list of questions submitted by the public, researches answers to those questions in full cooperation with the App Creators and publishes answers in a timely manner.

Changes

Bluezone is the official Vietnamese COVID-19 contact tracing App, sponsored by the government of Vietnam and developed and operated by Vietnamese software company BKAV.

It is a smartphone App with a cloud component. So far, it has been downloaded more than 10 million times. Its use is heavily promoted by the Vietnamese government.

App Assay first analyzed Bluezone during May 2020. We then updated the assay in August 2020 as a new Bluezone version incorporated significant changes.

As for other COVID-19 Apps, when assaying Bluezone, we are primarily interested in answering the following questions:

  • How effective is the App against COVID-19? Can its effectiveness be quantified?

  • Are there downsides, or risks, of using the App, and if so, what are they? Can they be quantified? Are there particular population groups of App Users that may be more at risk than others?

  • Does the App, based on what we know about its current implementation status and usage, have unique opportunities to enlarge its impact on the pandemic or further reduce downsides or risks? What recommendations can we make to the App Creators in the context of current world-wide best practices?

This report summarizes our results. More details are available on our website at https://appassay.org/apps/bluezone/.

Key components of Bluezone were rewritten between our first assay in May 2020 and the update in August 2020. We note that many of the serious concerns that we had raised in our first assay on both effectiveness against the disease and risks for users were substantially reduced through the August 2020 update. However, significant additional concerns have emerged in the meantime.

  • The August 2020 version of the App now appears similarly effective in automated, BLE-based Contact tracing, as many other Apps developed for the same purpose around the world.

  • Bluezone now changes contact every 15 minutes, and thus in this respect is protecting user privacy comparable to world-wide best practices.

  • The Bluezone App Creators state that they have published the source code of the App to increase transparency. However, technical analysis of the actual App downloaded from the Google Play Store shows that the App contains significant amounts of code that have not been published. The documentation provides no indication that such a discrepancy may exist.

  • Part of the unpublished code base is functionality that allows the App Operator (BKAV) to download, at any time, the full contact history and the cryptographic root seed from any Bluezone user. This download is implemented to be completely silent: it requires no approval by the App User, nor is the App User notified in any way. This functionality is in conflict with the public statements of the App Creators that “The app stores data on your own device, not on centralized servers”.

  • No significant information is available on day-to-day operation of the App, and how App Operators and their sponsors in the Vietnamese government ensure that this privacy-busting functionality is never invoked. It is our view that if it is not intended to be invoked, it should not exist. And if it is intended to be invoked, this needs to be transparently communicated to all users.

For this assay, we evaluated a broad range of sources, including:

  • Publicly available documentation and marketing collateral about Bluezone, published by Bluezone’s creators

  • Analysis by third parties and available on the web

  • Our own analysis of the components of the Bluezone source code that the app developers posted to Github.

For more information, please consult our full assay at https://appassay.org/apps/bluezone/.