COVID-19 Contact Tracing Applications Privacy & Security
In an effort to track and control the spread of COVID-19, contact tracing is being used to identify people who may have been in contact with a person known to be infected with the virus. This is usually a slow, manual effort, so smartphone applications have been proposed to automate the process. This has led to concerns around privacy and security.
With a second wave of the pandemic widely predicted, the ability to efficiently and effectively perform contact tracing to restrict the spread of the virus will be paramount. Automating this task using smartphone apps appears like an appropriate use of technology to address this problem. However, this approach is not without its pitfalls. There is potential for abuse and serious implications around the privacy and security for the individuals who agree to install the apps.
Privacy vs Utility
Whilst several contact tracing frameworks have been developed by global health authorities, they all take one of two approaches, centralised or de-centralised.
A de-centralised system uses Bluetooth Low Energy technology to detect handsets in close proximity to each other by sending out, and listening for, beacons consisting of a string of random numbers that change regularly so they are not tied to a user’s identity. If an individual is infected, they notify the app and then, with the user’s consent, the app uploads the last 14 days of beacons to a server to be added to a positive diagnosis list. Devices periodically download this list and, if an entry matches a beacon they have stored, the user is notified of the day of the contact, how long it lasted and the Bluetooth signal strength, along with instructions from their health authority on what they should do next. As location data is not tracked and matching is carried out locally on the handset, this solution offers the most privacy, although wider analysis of the data is restricted.
This de-centralised approach offers a good balance between privacy and utility. The user must make a conscious choice to turn on the technology and can turn it off any time they choose. Location data is not collected, and the Bluetooth identifiers are rotated on a regular basis to prevent tracking of individuals. The matching and subsequent exposure notification is carried out locally on the device and personal or private information is never directly disclosed as the Bluetooth beacons are not linked to an identity.
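The matching flow described above, as an added illustration (not code from any health authority app or from the Apple/Google framework): three constructed handsets broadcast random rotating beacons, one user is diagnosed and uploads only the last 14 days of their own beacons, and every other handset matches the downloaded positive list locally against what it heard. The beacon format, the day-based retention window and the RSSI values are assumptions chosen for the example.

```python
import secrets

RETENTION_DAYS = 14  # beacons older than this are neither kept nor uploaded (per the text)


class Handset:
    """Toy model of one phone in the de-centralised scheme (assumed design, not vendor code)."""

    def __init__(self, name):
        self.name = name
        self.own_beacons = []  # (day, beacon): random identifiers this handset has broadcast
        self.observed = []     # (day, beacon, duration_min, rssi_dbm): identifiers it has heard

    def rotate_beacon(self, day):
        """Broadcast a fresh random identifier; nothing in it links back to the user."""
        beacon = secrets.token_hex(16)
        self.own_beacons.append((day, beacon))
        return beacon

    def hear(self, day, beacon, duration_min, rssi_dbm):
        """Store a beacon heard nearby together with contact length and signal strength."""
        self.observed.append((day, beacon, duration_min, rssi_dbm))

    def diagnosis_upload(self, today):
        """With consent, only the last RETENTION_DAYS of our own beacons leave the device."""
        return [b for d, b in self.own_beacons if today - d < RETENTION_DAYS]

    def check_exposure(self, positive_list):
        """Matching runs locally: the server never learns whom this handset met."""
        positives = set(positive_list)
        return [(d, dur, rssi) for d, b, dur, rssi in self.observed if b in positives]


def simulate():
    """Constructed scenario: Alice meets Bob on day 3 and Carol on day 10, tests positive on day 20."""
    alice, bob, carol = Handset("alice"), Handset("bob"), Handset("carol")
    bob.hear(3, alice.rotate_beacon(3), 20, -70)     # 20 min close contact
    carol.hear(10, alice.rotate_beacon(10), 5, -60)  # 5 min contact with a rotated beacon
    today = 20
    positive_list = alice.diagnosis_upload(today)    # day-3 beacon is 17 days old: not uploaded
    return {
        "uploaded": len(positive_list),
        "bob": bob.check_exposure(positive_list),    # outside the window: no notification
        "carol": carol.check_exposure(positive_list),  # notified with day, duration and RSSI
    }


if __name__ == "__main__":
    print(simulate())
```

Note that the positive list alone tells the server nothing about who met whom; the exposure result exists only on Carol's handset.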
With a centralised system the proximity data is also stored on the handset, but when someone informs the application that they have symptoms the data is uploaded to central servers, which then carry out the matching and notification. The main advantage of this approach is that additional analysis can be carried out on the data, and correlation with other data sets, such as test results, can be performed to identify potential hot spots.
This approach comes with more privacy concerns, which stem from lack of transparency around what data is actually being uploaded and the vast amount of data likely to be stored in one place, potentially open to abuse or a breach. The concerns here are not only that the data may be breached by outsiders, but that no party, including governments themselves, should be entrusted with this volume of sensitive information on private citizens.
The centralised approach could have far-reaching consequences. Although the applications are currently being developed specifically for COVID-19, there is nothing to say they could not be repurposed in the future. The vast quantities of personal, sensitive data being collected and stored centrally would make a data breach more likely, which (depending on the data being stored) could certainly lead to realistic-looking scams and identity theft. Furthermore, without absolute transparency as to what the data is used for, there is every possibility of internal abuse. This could take the form of governments using it to surveil their citizens through location tracking, or even selling access to the data (to insurance companies, for example) so they can determine the risk of providing health insurance to an individual. Before deploying these applications there should be a clear and concise policy stating who has access to the data, what can be done with it and how long it is retained, enforced by strong systems of governance and bullet-proof technical controls to ensure that the policy is adhered to. In today’s political reality many people are sceptical that governments and their suppliers are able to provide these essential guarantees.
Laying the Groundwork
In order to facilitate the de-centralised solutions, Google and Apple have collaborated to introduce the technical tools required in their Android and iOS mobile operating systems. The tools initially take the form of application programming interfaces (APIs) that only health authority contact tracing apps meeting specific criteria can use. Essentially the APIs enable interoperability between Android and iOS devices. Further down the line the functionality offered by the APIs will be integrated into the underlying platforms to provide a more robust solution. Both Apple and Google have emphasised that privacy, transparency and consent were central to the design. The standard has been published and publicly reviewed, and is generally considered to fulfil its stated privacy goals.
Abuse of Power
Whichever approach is taken, the success of a tracing application relies on enough of the population being prepared to voluntarily install and use the app, and to self-isolate if instructed to. In order to make a meaningful difference, it has been estimated that a contact tracing app would need to be used by 60% of a country’s population. Achieving that level of coverage could be a stretch in many cases, especially given the concerns around privacy and security.
Security and privacy concerns around such an application are not without precedent either. Quite early in the outbreak a message claiming to be from the Iranian Ministry of Health urged all citizens to install an app which, whilst not a contact tracing app, was touted as being able to diagnose coronavirus infections. In reality the application was being used to collect information on, and track the movement of, its users. Concern over government authorities having this level of surveillance of their citizens is likely to make people reticent about installing an app in the first place, reducing its efficacy.
In a review that reaffirms these fears, Amnesty International recently carried out an analysis of 11 COVID-19 contact tracing applications from countries in Europe, the Middle East and North Africa to determine how invasive of privacy they were. In their report they state that, at the time of the review, the apps used by Bahrain, Kuwait and Norway were among the most dangerous for privacy. All three apps carried out live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server, although Norway has since ceased use of its app in its current form after being informed of Amnesty International’s findings.
Our Belief & Recommendations
Whilst this is not a ‘traditional’ security risk, we do believe that it has significant long-term implications for society.
In our view the priority right now needs to be to slow down the spread of the virus and get our economies running again. In this spirit we would advise businesses and individuals to support tracking initiatives as far as is reasonable.
Whilst there is no doubt that there are privacy concerns inherent in both major approaches, it would be our view that these risks are not extraordinary (when compared to other similar risks we take with other applications like banking, navigation, collaboration and social media). The urgent need to mitigate the corona crisis therefore outweighs the most immediate short-term risks of adopting even centralised tracking applications.
In the long term there needs to be a fine balance between the need of governments to collect data to address the crisis and the right of citizens to privacy. We doubt that the tracing applications are likely to tip this balance disproportionately in the short term, but we are concerned that excessive collection and retention of data by governments in the long term does represent a shift in the balance of power that could be difficult to reverse later, even once the crisis is behind us.
Our recommendation is therefore that adoption of tracking applications and processes in the short term be counter-balanced with an unrelenting demand on governments and providers to:
• Justify the choice of a centralised approach over a decentralised one;
• Keep the amount of data collected and the duration for which it is retained to the essential minimum;
• Provide absolute transparency on how much data is collected, how long it is stored, when it is used and what for;
• Demonstrably adhere to the highest standards of security and good governance;
• Provide guarantees that any technology, legislation or bureaucratic mechanism which infringes on privacy rights to counter the virus in the short term be torn down again as soon as the crisis is under control.