
Secure Contact Tracing Needs More Transparent Development

Experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.

Public health officials have long relied on tracking infectious diseases as common as tuberculosis and as lethal as Ebola as a way to stop their spread. But manual contact tracing requires boots on the ground – people who track down patients, interview them about where they've been and who they've met with, and then find those people and let them know they've been in contact with someone who has tested positive. If any of them test positive, their "contacts" must also be interviewed.

Technology-enhanced contact tracing – using smartphone apps and geolocation data, for example – could help cut down on delays in tracking contacts and potentially provide more accurate information to public health officials. After all, it can be hard for the very ill to remember who they met weeks ago at a dark nightclub or which bus driver they might have coughed on.

So it's easy to see why tech-enhanced COVID-19 contact tracing holds such great promise for public health officials, politicians, and app developers. But with great data collection comes great responsibility, and experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.

Variety of Plans
Contact-tracing methods and technologies vary widely. While Taiwan's contact-tracing program has been hailed as a possible model for the United States, China's program would be considered invasive by the West's standards. Meanwhile, Israel is involuntarily collecting geolocation data, Singapore has built an open source contact-tracing system based on Bluetooth beacons, and the United Kingdom is struggling to find its own way.

In April, Apple and Google announced their plan to jointly develop a decentralized COVID-19 contact-tracing system for Android and iOS. It will use automatic Bluetooth interactions between phones to pseudonymously identify when a person has come in proximity to an infected patient. As of now, Apple and Google are not making their own apps but building the cross-platform architecture that contact-tracing app developers can use.

Adding to the complexity is a lack of clear standards for what the apps should look like and how consumers will need to interact with them. Johannes Ullrich, head of the SANS Internet Storm Center, said he's concerned that hard-to-use app interfaces will open the door for developers to sneak features into the apps long after they've served their purpose.

"These applications and their APIs could encourage feature-creep to set in. [They] could be used for other types of tracing and reduce privacy," Ullrich said. "The consumer has no real idea how these work, and they could keep running even if the [COVID-19] conditions change later."

Privacy Matters
Privacy advocates and technologists are alerting developers to the risks.

The data that contact-tracing apps could collect goes beyond where the device owner has been, warns Richard Weaver, data protection officer at cybersecurity provider FireEye. It could include healthcare information, government identification numbers, and infection status — all of which could be abused by hackers.

"These apps could create a pool of data that resides on the phone," Weaver says. "As an app developer, you have to ask yourself at what point you even need the data anymore."  

Developers should resist the temptation to retain data collected by their COVID-19 contact-tracing apps for longer than is necessary, he adds.

"App developers as a rule should follow data minimization" and not collect more than what's required to successfully aid contact tracers, Weaver says. Data minimization "is required in the European Union, but it's also best practices."

The American Civil Liberties Union established a series of privacy-protective protocols for organizations to adhere to when developing their contact-tracing systems. Microsoft vice presidents Julie Brill and Peter Lee have advocated for consumers to have control over how their data is shared, where the data is stored, that the data be used solely for public health purposes, that the minimum amount of data necessary for contact tracing be collected, and that the data should be deleted after the pandemic has receded.

A study on creating a privacy-sensitive protocol for mobile-device contact tracing (PACT) – co-authored by researchers from Microsoft, the University of Washington, the University of Pennsylvania, and the Boston Public Health Commission – suggested that location data kept locally on the device, and used only in efforts to identify who else was near the infected patient, might be safe from exploitation.

The system created by Apple and Google does anticipate some of these issues and institutes security and privacy precautions: For one, the system will use Bluetooth beacon key exchanges and not geolocation data. It also will likely require patients who test positive for COVID-19 to update the app only with approval from a healthcare professional. In addition, the system recommends that app developers not store IP address information. Also of note: Apple and Google say they won't allow advertisers access to the system.

Not an Either/Or
Contact-tracing apps will not be effective unless they are paired with traditional, manual contact tracing, says Stefano Tessaro, an associate professor at the University of Washington College of Engineering, and co-author of the "PACT" study.

"All of this only makes sense on top of traditional contact tracing," Tessaro says. "I think there's a little bit of a misconception at this point. Somehow digital contact-tracing solutions are compared to manual contact-tracing solutions."

But it's not about replacing or cutting back on manual contact-tracing efforts, he says: "That would be the wrong approach."  

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ...