Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

Privacy & Digital-Rights Experts Worry Contact-Tracing Apps Lack Limits

Mobile-phone-based tracking of people can help fight pandemics, but privacy and security researchers stress that it needs to be done right.

During this coronavirus pandemic, using mobile phones as a way to track who an infected patient has had contact with has become fertile ground for research and development, with many countries — including China, Israel, Singapore, and South Korea — using mobile apps to determine who might have been exposed.

While the technology is arguably necessary to fight the spread of COVID-19, privacy and security experts worry that such tracking applications could violate citizens' rights in the name of public health and could be used after the pandemic is resolved for unintended purposes, such as marketing and law enforcement investigations. Privacy experts point to the relaxation of privacy rights on data collection following the terrorist attacks of 9/11 as a possible outcome of the call for better contact tracing.

Striving to create better ways to keep people safe does not mean that people should give up privacy, says Matthew Siegel, a member and co-chair of the privacy and data security practice group at legal firm Cozen O'Connor.

"In the midst of a crisis, everyone is trying to do what they can to protect fellow citizens — we all want to do our part," he says. "The concern is that we have to make sure that whatever we do, it is limited to the time frame of the current crisis, and not come out on the other side of this and be horrified at what we have done."

As the number of worldwide deaths topped 80,000 and the economic cost of widespread social-distancing measures climb, government officials and experts are looking for ways to be more selective about who needs to be isolated due to infection by the novel coronavirus strain.

Contact tracing is an important tool in the arsenal of public-health officials and helps nations avoid the wholesale isolation of the population, reducing the economic impact of epidemics. Manual contact tracing is prone to missing potentially exposed people and is extremely slow. Using data from mobile applications can both speed contact tracing and lead to much greater accuracy.

However, contact tracing also has downsides. If the identity of a carrier is discovered by the general public, they could be ostracized or placed in danger. While some argue that the public-health risk such individuals pose outweigh the privacy of the individual, without privacy, few citizens would participate in contact tracing.

In a post listing 10 requirements for a privacy-preserving contact-tracing app, the digital rights and hacking group Chaos Computer Club argued that only voluntary contact tracing will be effective, and for people to volunteer, privacy must be preserved.

"Organizational or legal hurdles against data access cannot be regarded as sufficient in the current social climate of state-of-emergency thinking and possible far-reaching exceptions to constitutional rights," the group stated. "As a basic principle, users should not have to 'trust' any person or institution with their data, but should enjoy documented and tested technical security."

The Massachusetts Institute of Technology has taken this approach. The university has created prototype applications for Android and iOS that will allow individuals to discover whether they have crossed paths with an infected person without exposing information about their own movements.

Dubbed Private Kit: Safe Paths (PK:SP), the tool initially allows individuals to keep track of their own locations — where they were at what time — to provide to health officials, if they ever test positive for the disease. The next generation of the PK:SP framework will allow users to be alerted to whether they had crossed paths with any infected people. Finally, the software will allow alerts to be sent to users who have crossed paths with known carriers without the need for a third party, such as the government.

"In this third iteration, Safe Paths enables privacy protected participatory sharing of location trails by diagnosed carriers and direct notification of users who have been in close proximity to a diagnosed carrier without allowing a third party, particularly a government, to access individual location trails," the MIT researchers said in a paper describing the application.

MIT is not alone. Already, companies and universities in the United States have used data to shed light on the spread of coronavirus. Kinsa, a maker of "smart" thermometers, has published a map of the United States showing the relative rise in sick people compared with the average from previous years. Marketing firm Unacast has used its tracking technology to rate every state in terms of how well its citizens are restricting their movement.

The proliferation of such applications poses a danger to privacy if a sound legal and policy framework is not first developed, says Cozen O'Connor's Siegel.

Related Content

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4177
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174732.
CVE-2020-4180
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 174735.
CVE-2020-4182
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174738.
CVE-2020-4187
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could disclose sensitive information on the login page that could aid in further attacks against the system. IBM X-Force ID: 174805.
CVE-2020-4190
PUBLISHED: 2020-06-03
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851.