(Nov. 20, 2020) The Spanish government’s official contact tracing application, “Radar Covid,” achieved nationwide operation on October 27, 2020, when the Catalan Health Service began distributing the app’s codes to users.
The app has been officially up and running since August 10, but because of “the lack of codes and the slowness of the autonomous regions to adopt it,” efforts to incorporate the app into general use by the population have fallen short. The Madrid Health Department reportedly accessed the codes on September 2 but did not officially announce that it was distributing them until October 8. As of October 29, the app had been downloaded about 4.6 million times—far below the government’s goal of use by 30% of the population—and actual use of the app may be significantly lower.
How the App Operates
Radar Covid operates through automatic tracing, which is considered essential to stop the chains of contagion. It allows users to receive notifications if they have come in contact with someone who has tested positive for COVID-19. Use of the app is voluntary, and the data managed through it is anonymous, secured, and confidential. The app does not identify affected persons or their contacts, nor does it provide geolocation, since it does not collect location data.
Once Radar Covid is installed and active on a mobile phone, if the holder comes within 2 meters (6.6 feet) of another person carrying a mobile phone with an active Radar Covid app for more than 15 minutes, the phone emits a Bluetooth signal carrying a random code that contains no personal information or location data. At that time, each phone remembers the other’s anonymous identifier code.
If after a few days the holder tests positive for COVID-19, the healthcare staff provides the holder with an anonymous diagnosis code that can be voluntarily entered in the app. Then a notification is sent to all terminals that have the recorded identifier (that is, to all the people who were in close contact with the app’s holder). Known contacts, as well as other contacts whom the app’s holder may not know or remember, will then be able to take the necessary precautions.
Radar Covid uses only Bluetooth Low Energy to exchange random codes between devices, without collecting location or personal information of any kind. In addition to respecting personal privacy, it consumes very little battery power in mobile phones. For the app to be effective and able to register risky contacts, the mobile phone needs to have Bluetooth enabled and notifications activated.
According to an article published on November 13 by a technology safety news organization, a vulnerability in Radar Covid could allow attackers to fake users’ identities. The article states that “[i]dentification and de-anonymization of COVID-19 positive users who upload Radar COVID TEKs to the Radar COVID registry is feasible in the impacted versions of Radar COVID. … The vulnerability is triggered by the fact that only COVID-19 positive users make Radar COVID connections to the server (uploading TEKs to the backend). Therefore any on-path observer will recognise the users have had a positive test with the ability to track traffic between the app and the server.”