The apps have to balance the goal of greater accuracy vs. respecting the privacy of their users, according to Check Point Research.
Contact tracing apps have been employed in several countries as one way to try to stem the spread of COVID-19. Such apps work by identifying users who’ve tested positive for the virus, prompting them to share that information, locating people with whom they’ve been in close contact, and then notifying those people.
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
But these types of apps face a balancing act. To be fully effective, they need to track and monitor the locations of their users. But such monitoring can threaten a person’s privacy, especially if the data falls into the wrong hands or is used for malicious purposes. A blog post published on Thursday by cyberthreat intelligence provider Check Point Research describes the challenges and pitfalls faced by tracing apps and offers tips for potential users.
Contact tracing apps work by detecting the proximity of one user with another. To monitor a person’s location, such apps employ either GPS or Bluetooth, specifically Bluetooth Low Energy (BLE). With BLE, the user’s mobile phone periodically broadcasts information with a unique ID. With GPS, the exact location of the user is continually logged.
SEE: How tech companies are fighting COVID-19 with AI, data and ingenuity (TechRepublic)
Though various apps work somewhat differently, the contact tracing process follows the same general steps:
When people who use the same contact tracing app are in close proximity, that information is registered with the app.
If one of the users tests positive for COVID-19, that person is prompted to share that diagnosis via the app, or in some cases, the app automatically shares the information without the user’s knowledge.
The app then notifies other users who were in close proximity to the infected person.
On paper, those steps may sound doable and feasible. But in the real world, it’s not so simple. For contact tracing to work most effectively, the apps must be adopted by a wide number of people. With many apps, anyone who tests positive for COVID-19 has to willingly share their status, otherwise the chain is broken and the process is stopped in its tracks. But the very act of being monitored and sharing your condition raises questions of privacy and potential abuse.
Check Point posed several questions directed toward such apps:
- What data is collected, how and where is it stored, and how is it shared?
- Is the data encrypted?
- Are authorization and verification methods used to protect against abuse?
- Is the identify of the user kept anonymous given the collection of such data as phone number, name, and ID?
- Does the user share the coronavirus diagnosis voluntarily, or is that information revealed without the person’s knowledge?
The methods used by contact tracing apps also play a role in the question of effectiveness versus privacy.
Apps that use GPS location tracking can save and store a log of the user’s ongoing locations and timestamps. That information can help track the spread of the virus within a specific geography. But GPS tracking can also invade the person’s privacy by revealing their whereabouts and travels over an extended period of time. Example of apps that use GPS are MIT’s SafePaths, Cyprus’ CovTracer, Israel’s Hamagen, and India’s Aarogya Setu.
Apps that use BLE are considered more privacy-minded as they transmit a secure and changing anonymous ID that doesn’t expose the person’s identity. However, these apps are less effective than ones using GPS since they aren’t able to track the infection geographically. Examples include the UK’s NHS COVID-19, Singapore’s TraceTogether, and Australia’s COVIDSafe.
Where the tracing data is stored is another key component.
In a centralized approach, the log is uploaded to a central server where public health authorities can analyze the information to track the spread of the disease. But this process encroaches on a user’s privacy by storing data on their locations and the identities of people with whom they’ve come in contact. Apps that use this approach include the UK’s NHS COVID-19, Singapore’s TraceTogether, and Australia’s COVIDSafe.
In a decentralized approach, the log remains on the mobile device with only a minimal amount of information uploaded to the server. The app downloads the anonymous IDs of users who’ve tested positive for the virus and matches them against logs stored on the device. Apps with this approach include Holland’s PrivateTracer and upcoming programs that will adopt the Google and Apple “Exposure Notification” platform.
Specifically, Check Point outlined four concerns related to the privacy and security of contact tracing apps:
- Devices can be traced. With apps that rely on BLE, mobile devices broadcast data packets that help identify contact with other devices. If this process is not set up properly, hackers can potentially trace a person’s device by correlating the various devices involved and their respective identification packets.
- Personal data can be compromised. Contact tracing apps store contact logs, encryption keys, and other sensitive information on the mobile device. Such data should be encrypted and stored in the application sandbox and not on shared locations. Even with the sandbox approach, any hacker who gains root privileges or physical access to the device could access the data.
- Interception of an application’s traffic. If all communications with the app’s backend server are not properly encrypted, users can be targeted with “man-in-the-middle” attacks that intercept the traffic.
- Flooding of fake health reports possible. Contact apps must perform authentication when information is submitted to its servers, such as when a user posts diagnosis and contact logs. Without the proper authorization, the servers could be flooded with fake health reports, undermining the reliability of the system.
“The jury is still out on how safe contact tracing apps are,” Jonathan Shimonovich, Check Point’s manager of mobile research, said in a press release. “After initial review, we have some serious concerns. Contact tracing apps must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users’ data at risk. This comes down to questions on what data is collected, how it is stored and, ultimately how it is distributed.”
For anyone who plans to use a coronavirus tracing app, Check Point offers the following two tips:
- Download from official stores only. As multiple fake coronavirus apps have already been detected during the pandemic, users should install contact-tracing COVID-19 apps from official app stores, since they only allow authorized government agencies to publish such apps.
- Use mobile security solutions. Download and install a mobile security solution to scan applications and protect the device against malware, as well as verify that the device has not been compromised.