After learning that our institution paid for a COVID-19 contact tracing app called Trace Innovations (or Trace), many Choate Programming Union (CPU) members were puzzled. There are many excellent, free, open-source, privacy-respecting contact tracing apps out there made by large, reputable organizations.

What is unique about Trace, then? Here is what we found out.

Summary of Findings

After careful reverse-engineering, we were able to determine the following facts about the Trace Innovations app and how it functioned. Unless otherwise noted, all facts are accurate as of January 25th at 7:30 PM Eastern Time or later.

1. Trace Innovations on its website claims that “Trace records interactions, not location,” “Trace does not record where students were when they interacted,” and “Neither the school nor Trace sees where you son or daughter are.”

2. In its privacy policy, Trace states, “We do not collect location data.” To our knowledge there is no mention of sending GPS locations regularly to a server on either the website or the App Store listing.

3. The Trace Innovations app collects and sends precise GPS coordinates every two minutes to their server.

4. There is significant code in the version of the Trace Innovations app that we examined that collects and sends location data. In fact, there are two functions in the codebase called LocationService.this.startLocationDataCollection and LocationService.this.sendCollectedLocation respectively.

5. The Trace Innovations app collects a list of the users in the vicinity of the phone using Bluetooth and sends it regularly to their server.

6. On January 25th at 7:30 PM Eastern Time, there were exactly 14241 registered users on the Trace Innovations app.

7. On January 25th at 7:30 PM Eastern Time, these organizations had an account with Trace Innovations (the list includes Phillips Exeter and Dartmouth College).

8. We believe that there are several security flaws related to how the Trace Innovations app is updated and controlled. We are unable to definitively confirm our suspicions due to restrictive school rules that prohibit most types of security research. Unless the rules change, we will not investigate this further.

9. The founders of Trace Innovation claim to have decades of experience in the Frequently Asked Questions.

Our tech founders have decades of Bluetooth and telecoms experience, and understand the importance of data privacy and security, providing Bluetooth connectivity for tens of millions of devices in consumer, medical, and industrial applications.

10. Apple and Google have already integrated privacy-protecting contact tracing infrastructure in each phone with iOS and Android installed – nearly every phone in the world. Almost every contact tracing app utilizes this privacy-protecting infrastructure or an equivalent, which do not need GPS location data. These apps are endorsed and utilized by public health organizations across the world.

Implications

Nowhere on the Trace website or app does Trace say that it collects and sends your GPS location to a remote server. In fact, it makes several statements to the contrary. In its privacy policy it explicitly states:

We do not collect location data

Additionally, it states in its Frequently Asked Questions:

neither Trace, nor the school, tracks your students. Trace records interactions, not location.

Trace does not record where students were when they interacted, only that students were close enough for a specific period of time to be counted as an interaction.

We have discovered that the Trace Innovations App does collect and send your GPS location data. We have also discovered that Trace Innovations self-describes its activities as sending and collection location data, in its code. Not only is this surprising, but this is also unjustifiable as there are many excellent, free, open-source, privacy-respecting contact tracing apps out there made by large, reputable organizations (like the German government or MIT). These privacy-protecting alternatives do not collect GPS location data and have been endorsed by various governmental health organizations. Additionally, Trace already has a working implementation of Bluetooth contact tracing in both its iOS and Andriod apps.

We are forced to conclude that at the very least, the statements made by Trace Innovations are misleading. At the very worst, they are lies.

Further Reading

This page contains the summary of our findings. More detailed reports on how we collected this information and our methodology will be published shortly. Feel free to email a CPU member if you have any questions or want to get in touch.

School Rules

Although our security and privacy research was severely hindered by school rules, no school rules were broken in the making of this report. All information gathered was either publicly available or observable through passive analysis of the behavior of the Trace Innovations app.

However, this was still an excellent academic exercise in reverse-engineering and malware analysis techniques.

Archived Sources

We have archived all pages referenced on this page on the Internet Archive’s Wayback Machine for reference in case of deletion or modification. The archived version of each page is listed below, along with the original URL.

• FAQs: Archive link as of Jan. 30th.

• How does it work?: Archive link as of Jan. 30th.

• Privacy Policy: Archive link as of Jan. 30th.

• App Store Description: Archive link as of Jan. 30th.