CybersecurityPhysicalSecurity NewswireCybersecurity News

Do Contact Tracing Apps Infringe on Privacy/Security?

Can mobile technology come to the rescue during coronavirus, and help us adapt to a 'new normal'?

Alastair Paterson, co-Founder and CEO of Digital Shadows, with the aid of Pratik Sinha, MD, and close colleagues in the healthcare sector, developed a blog to help answer this question. Below, we explore some of the key points Paterson makes. Find the full blog by visiting https://www.digitalshadows.com/blog-and-research/contact-tracing-can-big-tech-come-to-the-rescue-and-at-what-cost/

As public health consensus seems to be on the need to test, trace and isolate infected individuals, along with lockdown measures, policy makers have been turning their attention towards how to encourage such measures - but the capacity to test and trace are very underdeveloped, notes Paterson.

How can 'Big Tech' help provide innovative solutions to address the unmet challenges of contact tracing? Paterson cites the Apple and Google partnership to develop a cross-platform application programming interface (API) to enable contact tracing apps to use their mobile operating systems for this purpose.

"Several other organizations are simultaneously working on apps to facilitate contact tracing using a variety of platforms. Most of these apps propose using location data to identify contacts of infected patients," writes Paterson.

Although the solutions seem ideal, they post significant risks to digital security and patient privacy, claims Paterson.

Following are some apps Paterson says will be most likely used for contact tracing and the threats they pose:

digitalshadows

As Paterson notes, although the intention is to centralize data collection in a 'trusted' platform, these apps come with associated privacy concerns since governments would have access to citizen’s location data, the ‘social graph’ of all the other people they physically met, and any other data this framework chooses to store that the app is able to access from the phone. In addition, if these databases are hacked by malicious third-party attackers, the data would be exposed to cybercriminals - even nation states, Paterson claims.

Conceptually, the Big Tech solution, says Paterson, seems to be a decentralized and open-source approach, as it helps balance access versus privacy effectively. But, regardless of the approach taken, the following factors must be considered, Paterson warns.

Open source scrutiny: All apps should be open source and vetted by the security community. Any other approach will lack trust with the public due to privacy and security concerns, slowing adoption and efficacy, and raising the risk of abuse by authorities and malicious third parties.
Decentralized: A decentralized approach such as the one proposed by Apple-Google has the benefit of not storing location data in a central ‘trusted’ database that could be subject to abuse, data loss, and all the associated privacy risks.
Collaboration: Pooling resources and testing robust, open-source software would likely expedite the implementation of these apps and allow external validation.
Legal: Any new laws needed for storage of medical and location data should have sunset clauses and be revisited regularly and dismantled as soon as practical to do so. If a centralized approach is taken, The California Consumer Privacy Act (CCPA) may become the default standard for the US, especially if the US apps are developed in Silicon Valley. In Europe, GDPR will apply where, for example the use of contact tracing applications should be voluntary and based on proximity, not indiscriminate tracing of individuals’ movements.
Efficacy: Does the approach actually work? The proposed technologies must be rapidly tested and validated before mass roll-out.
Uptake: Governments will have to work hard to convince people to do so, which is again why privacy and security must be clearly guarded and communicated as part of a broader public information and health campaign. These apps must remain voluntary.