While contact tracing apps are useful public health analytics tools that help to combat the spread of COVID-19, they may introduce new problems of their own. On one hand, these apps have helped health authorities track people exposed to COVID-19 patients and minimize contagion risks. Indeed, many governments worldwide mandated the use of these apps in late 2020. However, these apps come with serious data security and privacy concerns, leading many to question whether or not they should use them.
For instance, the Norwegian government decided to stop the use of contact tracing apps. This was mainly because these apps have the potential to become highly invasive surveillance tools. The apps have triggered fears of mass surveillance, including concerns about how the data will be used after the crisis is over. As contact tracing is a key technology used to counter the pandemic, it is imperative that these apps comply with security policies. This, in turn, will build trust and encourage users to adopt the technology.
Security Risks Associated with Contact Tracing Apps
Contact tracing apps can be roughly differentiated into three categories. The first category of the apps requires users to voluntarily record and check their symptoms. This category of apps is prevalent in Lebanon and Vietnam. The second category of apps depends upon Bluetooth to track and measure distances. This category of apps stores data on smartphones, rather than on a centralized database. They are prevalent in Austria, Germany, and Switzerland. And the third category of apps uses a centralized model to capture user data via the smartphone’s Bluetooth, GPS, or both, and then uploads it to a centralized government database. Contact tracing apps from Bahrain, Kuwait, and Norway fall under this model.
Some of the top security risks associated with contact tracing apps are-
Contact tracing apps may expose/leak users’ location data-
Sometimes, the app may track users’ location even when not required and thus potentially expose it. Contact tracing apps leverage users’ geolocation data to track down patients. Security advocates fear that if hackers are able to get their hands on this data, they may expose sensitive user data.
Contact tracing apps can be abused as a mass surveillance tool-
A leading mobile security firm known as Guardsquare conducted a survey on contact tracing apps. It tested 95 applications on various factors relating to security and privacy. The result indicates that 40% of apps did not use the Apple-Google security protocol, which helps to protect user privacy. Many of these apps use GPS data to determine users’ locations and link to their phone numbers or passport identifiers.
Contact tracing apps often do not follow strict security protocols and audits prior to release-
Out of the 40% of applications mentioned above, which did not use the official Exposure Notifications (Privacy-Preserving contact tracing project developed by Apple Inc. and Google), only about 5% used more than two out of six necessary security and privacy measures. These measures include encrypting sensitive strings, encrypting data at rest, linking hosts to their SSL keys, and monitoring the device for a jailbreak. Apps can improve data security and privacy factors by clearly specifying who will be in charge of the data, where it will be stored, and how it will be used.
As the saying goes, with great power comes great responsibility. So, tech companies responsible for building these apps must take responsibility to institute safeguards. Otherwise, developing contact-tracing apps without proper security measures can have unforeseen consequences in the years to come.