Dark Reading is part of the Informa Tech Division of Informa PLC


Data Privacy Concerns, Lack of Trust Foil Automated Contact Tracing

Efforts to create a technology framework for alerting people to whether they have been exposed to an infectious disease have been hindered by a number of key issues.

Automated contact tracing — a tool that could potentially help blunt the impact of the next wave of the coronavirus pandemic as well as future outbreaks — has been largely sidelined due to privacy concerns and citizens' lack of trust in both government agencies and technology companies, according to a variety of experts. 

Only 21% of people would willingly share data with healthcare businesses for contact-tracing purposes, and more than half continue to feel uncomfortable sharing personal data for any reason, according to the "2020 Consumer Trust and Data Privacy report" published this week by enterprise privacy firm Privitar. Because automated contact tracing requires significant market penetration to be effective, the absence of privacy protections and the lack of trust mean the technology will likely not be adopted quickly enough to be a factor in the current pandemic.

To gain citizens' trust, the technologies and policies surrounding those technologies must protect privacy and be totally transparent in how data is collected and used, says Guy Cohen, head of policy for Privitar.

"If we want to take advantage of tools like contact-tracing apps, we need to make sure those tools work and are trustworthy — otherwise they won't be adopted," he says. "We need evidence of value and trustworthy data management needs to be both perception and reality."

A failure to trust the technology is not the only challenge for contact-tracing applications. False positives — identifying a person as a potential transmission risk — could be a significant issue, as the technologies used to determine proximity — Wi-Fi and Bluetooth — do not detect a variety of environmental factors, such as whether people are indoors or outside, whether they are talking with one another or facing away from each other, and whether they have donned masks.

Using such technology without finding ways to resolve those issues could result in so many failures that people will lose even more confidence in the applications, says Casey Ellis, chief technology officer and founder of crowdsourced vulnerability assessment firm Bugcrowd.

"The reality is that COVID-19 contact-tracing apps are uncharted territory, and developers are requiring users' devices to use location-based and Bluetooth communication in ways they weren't designed to do," he says. "Additionally, developers are pressured to bring these apps to market faster than what is recommended since we are in the middle of the pandemic still, and this leaves room for error."

Contact tracing is a natural approach to attempting to track down people who have potentially been exposed to a virus or a disease. In the past, legions of workers have taken on the task after a report of an infected person. Automating contact tracing promises to increase population coverage, speed up the process, and reduce the cost by allowing — or requiring — people to install an application that tracks which mobile devices have been in close proximity. While the technology seems like a smart use of an already ubiquitous technology — people's mobile devices — automated contact tracing raises a passel of thorny issues.

Those most at risk — older people — are least likely to download a contact-tracing app, for example, and even distributed contact tracing is open to malicious attacks, such as bad actors reporting a COVID-19 infection in an area to reduce voting participation or shut down businesses, according to three experts who wrote for the Brookings Institution about the challenges facing the technology.

"We have no doubts that the developers of contact-tracing apps and related technologies are well-intentioned, [b]ut we urge the developers of these systems to step up and acknowledge the limitations of those technologies before they are widely adopted," the three researchers said. "Health agencies and policymakers should not over-rely on these apps and, regardless, should make clear rules to head off the threat to privacy, equity, and liberty by imposing appropriate safeguards."

Because contact tracing relies on trust, the current polarization of US politics has made gaining the trust of a third of Americans that much more difficult, according to Privitar's research. Trust requires that two conditions be met, says Privitar's Cohen: One, any app has to do its job effectively, and, two, privacy must be protected. Without such transparency, adoption of contact tracing will not pass the threshold that will make it effective, he says.

Stronger federal laws protecting privacy could help make future efforts more likely. However, while Democrats and Republicans have both proposed legislation, they have failed to agree on key provisions, such as whether state laws — such as the California Consumer Privacy Act — can be more stringent than a federal law, as well as the ability of citizens to bring legal action against offenders. Until those fundamental issues are resolved, privacy protections are unlikely to pass through Congress, Cohen says.

"Key disagreements ... [have] blocked progress so far and make it unlikely that the new proposals will pass," he says. "In the interim, America is left lacking any federal standard, and [that is] driving state-level action."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

9/1/2020 | 1:15:13 PM

Nice work Robert,

As is usually the case, it's not a technical problem! Tech can solve many things but if specifications, policies and procedures are not wholly developed, the system will fail. Good idea fairies and well-intended politicians often fail to understand.

Try looking at all the other failures of citizen privacy issues over the years. States SELL DMV data, including photos, to 3rd parties. Some publish VOTER registration records online. Now here comes COVID with social stigma all over the map. Only the naive would participate willingly. Thus abysmal failure.