COVID-19 contact tracing applications are privacy snares, Defcon
Two Defcon security conference presentations find the apps launched by the governments consume an unjustifiable amount of data.
This spring, several public health authorities and tech giants across the world rushed in to build contact tracing apps. These applications serve an important role in determining whom the novel coronavirus may have affected.
The purpose of COVID contact tracing apps is awesome, they can help test people and isolate them accordingly. But the dangers are obvious, too.
COVID contact tracing apps boast the power of gathering personal data that exposes your activities, movements, and relationships.
This week, an annual gathering dubbed of hackers dubbed “Defcon” is taking place online. The potential risk of coronavirus contact tracing applications came into focus at it.
The data-hungry mindset of contact tracing apps
Two presentations at the annual security conference centered on the privacy shortcomings of contact tracking apps. Their result is clear, and as expected. The applications tend to collect more information than they need.
Experts believe governments must avoid this data-hungry mindset in contact tracing apps.
A Norway-based security researcher, Eivind Arvesen, who presented at Defcon yesterday, suggested governments a better approach for these apps. He urged governments to ask themselves,
“How little data they need to resolve this concrete issue? And collect no more than that.”
Arvesen presented on Norway’s contact tracing app, which now is deceased. The senior software developer and architect, based in Oslo, Norway, helped review the now-defunct Norweigan app as part of a third-party audit.
Another presentation tomorrow, on Saturday, August 09, will focus on the permissions COVID-19 symptom information and tracking apps demand. It will also shed light on the permissions contact tracing apps ask.
Yes, digital surveillance and tracking have helped contain the coronavirus outbreak in Singapore, South Koreas, and China, among others. But it does not mean the apps should be allowed to harvest more data than they need to solve the problem.
How apps like COIVD contact trackers work
The way human contact tracers work is by hunting down known contacts of the person who has tested positive for a deadly disease like COVID-19. These applications then seek to come to the rescue where an infected person has exposed a stranger to the disease.
For example, if two strangers stand or sit together, the apps installed on mobile phones of both will record the other person as a contact. And then in the days to follow, in case either of them tests positive, they report instantly.
The success of these apps depends on how much percentage of the population uses them. The higher number of population installs them, the more effectively they will work.
Suggested exit plan for contact tracing apps
Privacy experts begin warning about the risks soon after government health agencies turned to applications for augmentation of the contact tracing process.
Governments need to be transparent on the data they collect from phone devices and avoid collecting any data this is not needed. They also should have a plan to delete the data and end further collection when the COVID disaster passes.
Apps capturing location data
According to Arvesen, the Norwaign contact tracing app is the worse on privacy compared to the rest of Europe. But more data-hungry applications are out there in the world.
The COVID19AppTracker.org creators, who will present their findings on Saturday, scanned 136 apps using their automatic system worldwide. They found that most such apps ask for the permissions they do not need to function as assumed.
As per the Covid19apptracker.org co-creator, Megan DeBlois, three-quarters of all the apps scanned demanded location data. Some of the applications are only informational as they merely help people keep track of their corona symptoms. Such apps have no reason to collect users’ location data.
As any privacy advocate or security expert in the world would say, DeBlois stated she would like to see contact tracing apps to be more transparent about the data they use.
Ideally, governments should make their respective apps open source. It will enable privacy researchers to examine codes and flag any issues for the public.
One probable reason why governments have not done it is the pace with which they have had to build the apps. The haste could have made governments keep security reviews aside that would usually be conducted before programs get disposed to users.
Featured image courtesy of Pixabay.
About the author
Ali Qamar is the founder of PrivacySavvy, which he started out of the sheer passion for making every internet user privacy savvy. Ali has always been concerned about security and privacy for the general public and is very libertarian. Even before Edward Snowden appeared, he has been a privacy advocate even before Edward Snowden appeared with his revelations about NSA's mass surveillance.
Ali graduated with a computing degree from the leading IT college in Pakistan, so he boasts a background in this area. He has an accountable understanding of the technical sides of encryption, VPNs, and privacy.
Ali is regularly quoted in the privacy and security reports by the local press. His contributions have been featured in SecurityAffairs, HackRead, Ehacking, Livewire, Intego, Business.com, InfosecMagazine, and many more publications online. Ali is naturally attracted to transforming things.