ShakeAlertLA users are concerned about earthquake app’s security issues, bugs and crashes

Los Angeles’ earthquake early warning app has won buzz in recent weeks, as it’s the first public app of its kind in the United States that aims to warn people seconds before shaking arrives from an earthquake.

It hasn’t been truly tested yet: There has been no significant earthquake in the Los Angeles region since the app was published New Year’s Eve. But lots of people are interested — ShakeAlertLA has been downloaded more than 400,000 times: 327,000 on iOS and 96,000 on Android.

But among users who commented on the app, some are concerned about privacy and crashes and expressed concerns that the app was rushed out too early.

So far, the app has received 2.5 out of 5 stars on Apple’s App Store and 3.6 out of 5 stars in the Google Play Store. Some are frustrated that the app works only for users physically present in Los Angeles County.

Others have celebrated ShakeAlertLA, saying they believe earthquake warnings will save lives, giving people time to act and take cover before shaking arrives.

When he introduced the app, Los Angeles Mayor Eric Garcetti acknowledged that it wasn’t perfect and that there were still bugs in the software. The city’s app, built under a contract with AT&T, gets information from a separate earthquake early warning system operated by the U.S. Geological Survey. The USGS system, called ShakeAlert, is still in its early phases, and lots of testing still needs to happen.

Garcetti wanted to make good on an earlier pledge he made to get the app in the hands of Angelenos by the end of 2018. He has said it was important to get the app out there publicly sooner rather than later, even if it meant the early version of the app was less than perfect.

Here’s a rundown of the complaints and flaws about the app, and the response from the city:

Q: Why does the app require the city to constantly know the location of the phone?

A: By design, the app needs to know where a user is to warn how intense the shaking will be before it arrives; for example, an earthquake that begins off the coast of Newport Beach would produce far stronger shaking in Long Beach than it would in the San Fernando Valley.

In the 1994 Northridge earthquake, a magnitude 6.7 temblor, people in Northridge felt violent shaking of intensity 9 on the Modified Mercalli Intensity Scale, meaning damage was severe. Anaheim got intensity 6 shaking, which would generally produce only slight damage.

×

Los Angeles Mayor Eric Garcetti explains how to use the new ShakeAlertLA app, available for Android and iOS devices.

Q: Does the city store the data of all app users?

A: The city receives information about a user’s whereabouts and assigns the device to a broader geographical hexagon, which has about a 5-mile radius. Phones in that area will receive an alert based on that location.

The city does not keep historical records of a device’s location, which are erased once a user moves outside that polygon.

Users are not asked to provide their phone number or name to use the app.

Q: Some users reported crashes soon after the app was made available in early January. What gives?

A: Early versions contained a programming error for iOS users outside Los Angeles County that caused a crash as soon as the app was opened. The flaw has been fixed.

Q: Any other problems?

A: A college student voiced some concerns with portions of test code related to ShakeAlertLA that had been posted weeks earlier.

Q: What did he find?

A: Alex Garcia, a UC San Diego senior in computer programming and native of Whittier, found some password information that accompanied portions of test code erroneously uploaded to GitHub and made public. GitHub is an online repository where computer programs are stored, and users of the site are invited to review code and provide feedback to find bugs and offer authors advice.

Q: Was it problematic?

A: There were a couple of accidental disclosures when the test code was erroneously uploaded and published.

First, a password was published that provided internal access to USGS notifications about an earthquake’s occurrence and location. The USGS was alerted, and the compromised account was suspended.

Another problem was the disclosure of a password that offered access to a city test server that showed the whereabouts of roughly 120,000 imaginary devices conjured up by programmers for a test.

No user data was compromised, but there was an acknowledgment that human errors were made, and officials are making efforts to avoid mistaken releases of passwords.

Q: What was the USGS’ reaction to the city’s mistake?

USGS scientist Robert de Groot said in a statement that the compromised account was a “read-only” account, meaning the city could only read the alerts pushed out from a USGS server but not create false data or maliciously send out a fake earthquake warning through the federal government’s system.

The USGS system “employs the highest security standards, including secure public-facing servers and encrypted data streams,” De Groot said. “The USGS provides ongoing guidance to optimize the performance of ShakeAlert delivery products that are developed by others, like mass-alerting mobile apps. However, it is the responsibility of the partner to develop and maintain those products.”

Q: Does the ShakeAlertLA app offer an estimate of how many seconds will elapse before shaking arrives?

A: Not in its current version. There’s concern that shaking could arrive earlier or later than the computer’s estimate. Given the uncertainty, the countdown feature is not now available.

Q: How many people have deleted the app after downloading it?

A: Of the 96,000 times the app has been downloaded on the Android system, it has been deleted from 15,000 devices. (Similar data for iOS devices aren’t available.) That means the deletion rate is about 16%. The overall deletion rate for an app after 30 days is 28%, according to AppsFlyer, a San Francisco mobile marketing company.

Q: Why does the app only work inside Los Angeles County?

A: ShakeAlertLA was created by the city to ensure that City Hall, not just private companies, could control how earthquake warnings are distributed to the public. It was funded with $43,000 from a nonprofit established by Garcetti, called the Mayor’s Fund for Los Angeles, and $260,000 from the nonprofit Annenberg Foundation. So its ambitions were set early on to focus on the L.A. area.

Q: Will apps be made available for other parts of California?

A: It’ll just be a matter of time. A private company, Santa Monica-based Early Warning Labs, has its own QuakeAlert app in development, and plans to soon offer it to 100,000 test users, who may include people outside L.A. County.

Other officials have sought more information about Los Angeles’ app, including authorities in Orange, San Diego and Ventura counties; San Francisco; Seattle; the state of Washington; the water and electricity utility of Eugene, Ore.; and the California Governor’s Office of Emergency Services.

Q: Why not make the app available to everyone?

A: Adding too many people to receive alerts could suddenly slow down the delivery of the messages, and it’s important for researchers to identify problems and fix them.

Q: Why not make the app available to all cellphone users through Amber Alert-style text messages?

A: State officials will soon conduct a test to see whether Amber Alert-style text messages are quick enough to be useful for earthquake early warnings.

A test warning is scheduled to be sent March 27 by text message to Oakland’s Lakeside neighborhood, which has a daytime population of 40,000 people and includes government employees.

The California Governor’s Office of Emergency Services will be asking those in the area to fill out a survey on exactly when they receive the alert. They’ll be asked to look at a precise clock on a computer screen while they wait for the text message. If the test shows it might be useful for some users, state officials might explore sending quake warnings through text messages.

It has long been thought that the current U.S. cellphone network is probably too slow to make earthquake warnings useful through text message. A recent National Wireless Emergency Alert System test showed that the average delay in users receiving a text message was about 22 seconds. A rollout of fifth-generation, or 5G, cellular technology could help, but that could take years.

Q: What’s the current delay between the time an alert is issued and when it arrives on a cellphone?

A: In simulations, there’s a delay of less than two seconds between the time an alert is issued and when it arrives on a ShakeAlertLA-equipped cellphone.

Q: The mayor said ShakeAlertLA’s computer programming code will be “open source,” meaning the code will be made public for other cities to use and for other programmers to scour for bugs and suggest improvements. It’s not public right now. Will it be?

A: Yes, there are plans for the city to release that. Before that’s done, AT&T and the city will have cybersecurity teams do an extra check to ensure they don’t mistakenly release private information.

Q: There’s a page on the app that says, “View recent earthquakes,” but nothing shows up. Is it working?

A: The interface is a bit confusing right now — the key suggests that there would be a list of earthquakes of all magnitudes, but the system right now is set up to only list earthquakes of at least magnitude 5 in the Greater L.A. region. None have occurred since New Year’s Eve.

A future version of the app will show earthquakes of magnitude 3 or greater in the United States for either the previous 30 days or the last 300 seismic events exceeding that threshold.

Q: Why does the map on viewing recent earthquakes sometimes default to a view focusing on Western Europe instead of L.A.?

A: The glitch should be resolved in a future version.

Q: When I click on “earthquake alert map,” all I see is my location.

A: The display is a bit confusing when there’s no active earthquake alert. The city is working on making the interface clearer, which would offer users an example of what an alert would look like.

Q: Why is the “find a shelter” page blank?

A: The city isn’t pre-publishing shelter sites, as they will depend on the earthquake. Shaking more tightly focused on the San Fernando Valley, for instance, may not require shelters to open in San Pedro.

ron.lin@latimes.com

@ronlin