Do Contact Tracing Apps Infringe on Privacy/Security?

May 14, 2020

Can mobile technology come to the rescue during coronavirus, and help us adapt to a 'new normal'?

Alastair Paterson, co-Founder and CEO of Digital Shadows, with the aid of Pratik Sinha, MD, and close colleagues in the healthcare sector, developed a blog to help answer this question. Below, we explore some of the key points Paterson makes. Find the full blog by visiting https://www.digitalshadows.com/blog-and-research/contact-tracing-can-big-tech-come-to-the-rescue-and-at-what-cost/

As public health consensus seems to be on the need to test, trace and isolate infected individuals, along with lockdown measures, policy makers have been turning their attention towards how to encourage such measures - but the capacity to test and trace are very underdeveloped, notes Paterson.

How can 'Big Tech' help provide innovative solutions to address the unmet challenges of contact tracing? Paterson cites the Apple and Google partnership to develop a cross-platform application programming interface (API) to enable contact tracing apps to use their mobile operating systems for this purpose.

"Several other organizations are simultaneously working on apps to facilitate contact tracing using a variety of platforms. Most of these apps propose using location data to identify contacts of infected patients," writes Paterson.

Although the solutions seem ideal, they post significant risks to digital security and patient privacy, claims Paterson.

Following are some apps Paterson says will be most likely used for contact tracing and the threats they pose:

digitalshadows

As Paterson notes, although the intention is to centralize data collection in a 'trusted' platform, these apps come with associated privacy concerns since governments would have access to citizen’s location data, the ‘social graph’ of all the other people they physically met, and any other data this framework chooses to store that the app is able to access from the phone. In addition, if these databases are hacked by malicious third-party attackers, the data would be exposed to cybercriminals - even nation states, Paterson claims.

Conceptually, the Big Tech solution, says Paterson, seems to be a decentralized and open-source approach, as it helps balance access versus privacy effectively. But, regardless of the approach taken, the following factors must be considered, Paterson warns.

Open source scrutiny: All apps should be open source and vetted by the security community. Any other approach will lack trust with the public due to privacy and security concerns, slowing adoption and efficacy, and raising the risk of abuse by authorities and malicious third parties.
Decentralized: A decentralized approach such as the one proposed by Apple-Google has the benefit of not storing location data in a central ‘trusted’ database that could be subject to abuse, data loss, and all the associated privacy risks.
Collaboration: Pooling resources and testing robust, open-source software would likely expedite the implementation of these apps and allow external validation.
Legal: Any new laws needed for storage of medical and location data should have sunset clauses and be revisited regularly and dismantled as soon as practical to do so. If a centralized approach is taken, The California Consumer Privacy Act (CCPA) may become the default standard for the US, especially if the US apps are developed in Silicon Valley. In Europe, GDPR will apply where, for example the use of contact tracing applications should be voluntary and based on proximity, not indiscriminate tracing of individuals’ movements.
Efficacy: Does the approach actually work? The proposed technologies must be rapidly tested and validated before mass roll-out.
Uptake: Governments will have to work hard to convince people to do so, which is again why privacy and security must be clearly guarded and communicated as part of a broader public information and health campaign. These apps must remain voluntary.

For the full blog, please visit https://www.digitalshadows.com/blog-and-research/contact-tracing-can-big-tech-come-to-the-rescue-and-at-what-cost/

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Do Contact Tracing Apps Infringe on Privacy/Security?

Related Articles

Related Events

Report Abusive Comment