Data Privacy Concerns, Lack of Trust Foil Automated Contact Tracing

Efforts to create a technology framework for alerting people to whether they have been exposed to an infectious disease have been hindered by a number of key issues.

Automated contact tracing — a tool that could potentially help blunt the impact of the next wave of the coronavirus pandemic as well as future outbreaks — has been largely sidelined due to privacy concerns and citizens' lack of trust in both government agencies and technology companies, according to a variety of experts. 

Only 21% of people would willingly share data with healthcare businesses for contact-tracing purposes, and more than half continue to feel uncomfortable sharing personal data for any reason, according to the "2020 Consumer Trust and Data Privacy report" published this week by enterprise privacy firm Privitar. Because automated contact tracing requires significant market penetration to be effective, the absence of privacy protections and the lack of trust means the technology will likely not be adopted quickly enough to be a factor in the current pandemic.

To gain citizens' trust, the technologies and policies surrounding those technologies must protect privacy and be totally transparent in how data is collected and used, says Guy Cohen, head of policy for Privitar.

"If we want to take advantage of tools like contact-tracing apps, we need to make sure those tools work and are trustworthy — otherwise they won't be adopted," he says. "We need evidence of value and trustworthy data management needs to be both perception and reality."

A failure to trust the technology is not the only challenge for contact-tracing applications. False positives — identifying a person as a potential transmission risk — could be a significant issue, as the technologies used to determine proximity — Wi-Fi and Bluetooth — do not detect a variety of environmental factors, such as whether people are indoors or outside, whether they are talking with one another or facing away from each other, and whether they have donned masks.

Using such technology without finding ways to resolve those issues could result in so many failures that people will lose even more confidence in the applications, says Casey Ellis, chief technology officer and founder of crowdsourced vulnerability assessment firm Bugcrowd.

"The reality is that COVID-19 contact-tracing apps are uncharted territory, and developers are requiring users' devices to use location-based and Bluetooth communication in ways they weren't designed to do," he says. "Additionally, developers are pressured to bring these apps to market faster than what is recommended since we are in the middle of the pandemic still, and this leaves room for error."

Contact tracing is a natural approach to attempting to track down people who have potentially been exposed to a virus or a disease. In the past, legions of workers have taken on the task after a report of an infected person. Automating contact tracing promises to increase population coverage, speed up the process, and reduce the cost by allowing — or requiring — people to install an application that tracks which mobile devices have been in close proximity. While the technology seems like a smart use of an already ubiquitous technology — people's mobile devices — automated contact tracing raises a passel of thorny issues.

Those most at risk — older people — are least likely to download a contact tracing app, for example, and even distributed contact tracing opens the risk to malicious attacks, such as bad actors reporting a COVID-19 infection in an area to reduce voting participation or shut down businesses, according to three experts who wrote for the Brookings Institution about the challenges facing the technology.

"We have no doubts that the developers of contact-tracing apps and related technologies are well-intentioned, [b]ut we urge the developers of these systems to step up and acknowledge the limitations of those technologies before they are widely adopted," the three researchers said. "Health agencies and policymakers should not over-rely on these apps and, regardless, should make clear rules to head off the threat to privacy, equity, and liberty by imposing appropriate safeguards."

Because contact tracing relies on trust, the current polarization of US politics has made gaining the trust of a third of Americans that much more difficult, according to Privitar's research. Trust requires that two conditions be met, says Privitar's Cohen: One, any app has to do its job effectively, and, two, privacy must be protected. Without such transparency, adoption of contact tracing will not pass the threshold that will make it effective, he says.

Stronger federal laws protecting privacy could help make future efforts more likely. However, while Democrats and Republicans have both proposed legislation, they have failed to agree on key provisions, such as whether state laws — such as the California Consumer Privacy Act — can be more stringent than a federal law, as well as the ability of citizens to bring legal action against offenders. Until those fundamental issues are resolved, privacy protections are unlikely to pass through Congress, Cohen says.

"Key disagreements ... [have] blocked progress so far and make it unlikely that the new proposals will pass," he says. "In the interim, America is left lacking any federal standard, and [that is] driving state-level action."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

9/1/2020 | 1:15:13 PM

Nice work Robert,

As is usually the case, it's not a technical problem! Tech can solve many things but if specifications, policies and procedures are not wholly developed, the system will fail. Good idea fairies and well intended politicians often fail to understand.

Try looking at all the other failures of citizen privacy issues over the years. States SELL DMV data, including photos, to 3rd parties. Some publish VOTER registration records online. Now here comes COVID with social stigma all over the map. Only the naive would participate willingly. Thus abysmal failure.