He further presents a novel attack, namely a biosurveillance attack, which allows the attacker to monitor the exposure risk of a smartphone user who installs their app or SDK but who does not use any contact tracing system and may falsely believe they have opted out of the system. 

Through traffic auditing with an instrumented testbed, he characterizes precisely the behaviour of one such SDK that he found in a handful of apps but installed on more than one hundred million mobile devices. Its behaviour is functionally indistinguishable from a re-identification or biosurveillance attack and capable of executing a false positive attack with minimal effort. He also discusses how easily an attacker could acquire a position conducive to such attacks by leveraging the lax logic for granting permissions to apps n the Android framework: any app with some geolocation permission could acquire the necessary Bluetooth permission through an upgrade, without any additional user prompt.