COVID-19 contact tracing apps: How secure are they?  

Team Udayavani, Aug 18, 2020, 4:08 PM IST

Image Credit: Shutterstock

People want to know if they’ve been exposed to COVID-19. If they have and they know it, they can isolate themselves and get tested. But unless they strictly stay at home, people come in contact with strangers who might carry the disease. To help find out if they’re at risk, tech companies are producing applications and services to identify contacts with a positive diagnosis.

This is a valuable service, but it presents a tricky balance between security and information. Such software, by its nature, leaks some information. Some applications are better than others about minimizing and protecting the information they collect. They’re being rolled out under time pressure, which could lead to overlooking security problems.

Many people won’t mind the risks as long as they perceive a benefit, but people who have elevated security concerns need to think carefully. Anyone who uses VPN like https://surfshark.com/servers/india for protection while engaging in risky journalism or traveling in politically unstable areas is constantly aware of these concerns. Users at the highest risk never install an unnecessary application. Others evaluate each app carefully before deciding it’s acceptable. Caution is especially necessary with apps designed to trace people.

Some applications use only proximity checking through Bluetooth, while others use geolocation by GPS and cell towers. Some hold no personal information in a central location, while others keep a central database of their users. In each case, the second option increases the potential risk.

The Google-Apple Exposure Notifications System

Google and Apple have jointly developed the Exposure Notifications System, which is widely considered the gold standard of privacy protection. Its API exposes some operating system capabilities which normally aren’t available. The API is available only to public health authorities, and they aren’t allowed to use it in conjunction with geolocation.

This system has potential risks if it’s misused. If an unauthorized party cracks the API, it could use it to track device locations for its own purposes. It might be able to connect personal information to the device. An authorized developer might produce an application that secretly violated the terms of use. How good the protection against these possibilities is remains to be seen.

Government-sponsored tracing applications

Most contact tracing applications are issued by a governmental unit. At their best, they track people without personally identifying information and alert users who may have been exposed. Everyone’s privacy is safe. Not all the applications live up to this standard. Some have been badly designed and rushed out. Others take advantage of the governmental desire to collect as much information as possible.

Qatar

The State of Qatar issued a tracing application and made its use mandatory. Failure to have it installed can result in a three-year prison sentence. It collects geolocation data and uses a central database that holds personal information.

Amnesty International discovered it had a major security flaw. Anyone, without needing any authorization credentials, could submit a person’s ID in the system and get back personal information including names, health status, and the coordinates of their confinement locations. The IDs followed a format that made it easy to query the system with all possible values.

A fix was rolled out, but Amnesty International says it is still “unable to verify whether these changes meet sufficient security standards.”

United Kingdom

The system used in the United Kingdom, under the auspices of the National Health Service, may have usability issues that require a security compromise. It uses a Bluetooth proximity check similar to the Apple-Google system, but the application may not be able to communicate on many devices while running in the background. This is an operating system limitation. Users can unlock their phones, but doing so increases their security risks.

The NHS app can’t use the Exposure Notifications System because it collects personal information in a centralized database.

India

India’s Health Bridge application uses GPS tracking. It lets users check how many known infected people are within a 500-meter radius of them. Unfortunately, clever users can enter an arbitrary set of coordinates. By using overlapping circles, a user can narrow information down to a very small area, perhaps a single house, and find out if someone there is registered as COVID-19 positive.

United States

In the United States, the state of Utah is readying its own application instead of building on the Exposure Notifications System. It uses geolocation, though users can opt out of having their locations tracked. The state gets the data only for users who test positive. The information is stored on the site of the developer, Twenty Holdings, and some of its employees have access to the data. There is a clear opportunity for things to go wrong if security fails at any point.

The states of North Dakota and South Dakota are preparing a different application for contact tracing. It was found to violate its own privacy policy by sending location and identification data to third-party companies. ProudCrowd, the company that developed the application, addressed the problem by changing its privacy policy. North Dakota also plans to offer a separate application, based on the Exposure Notifications System and providing better privacy.

Balancing risks and benefits

Some people need to be very concerned about their mobile devices’ privacy. Being identified by the wrong people could lead to harassment, arrest, or terrorist action. They need to think carefully about whether any application will result in unacceptable risks, especially one designed to track them. It may be wise to avoid a new tracing application until it has had some public exposure.

Many people have only moderate expectations of privacy. These applications are unlikely to expose them to identity theft or credit card fraud. The ability to find out if they may have been exposed to a deadly disease is probably more important to them. The decision is a personal one, depending on the user’s need for privacy and level of comfort about reducing it.