Data Privacy Concerns, Lack of Trust Foil Automated Contact Tracing

Efforts to create a technology framework for alerting people to whether they have been exposed to an infectious disease have been hindered by a number of key issues.

Automated contact tracing — a tool that could potentially help blunt the impact of the next wave of the coronavirus pandemic as well as future outbreaks — has been largely sidelined due to privacy concerns and citizens' lack of trust in both government agencies and technology companies, according to a variety of experts. 

Only 21% of people would willingly share data with healthcare businesses for contact-tracing purposes, and more than half continue to feel uncomfortable sharing personal data for any reason, according to the "2020 Consumer Trust and Data Privacy report" published this week by enterprise privacy firm Privitar. Because automated contact tracing requires significant market penetration to be effective, the absence of privacy protections and the lack of trust mean the technology will likely not be adopted quickly enough to be a factor in the current pandemic.

To gain citizens' trust, the technologies and policies surrounding those technologies must protect privacy and be totally transparent in how data is collected and used, says Guy Cohen, head of policy for Privitar.

"If we want to take advantage of tools like contact-tracing apps, we need to make sure those tools work and are trustworthy — otherwise they won't be adopted," he says. "We need evidence of value and trustworthy data management needs to be both perception and reality."

A failure to trust the technology is not the only challenge for contact-tracing applications. False positives — identifying a person as a potential transmission risk — could be a significant issue, as the technologies used to determine proximity — Wi-Fi and Bluetooth — do not detect a variety of environmental factors, such as whether people are indoors or outside, whether they are talking with one another or facing away from each other, and whether they have donned masks.

Using such technology without finding ways to resolve those issues could result in so many failures that people will lose even more confidence in the applications, says Casey Ellis, chief technology officer and founder of crowdsourced vulnerability assessment firm Bugcrowd.

"The reality is that COVID-19 contact-tracing apps are uncharted territory, and developers are requiring users' devices to use location-based and Bluetooth communication in ways they weren't designed to do," he says. "Additionally, developers are pressured to bring these apps to market faster than what is recommended since we are in the middle of the pandemic still, and this leaves room for error."

Contact tracing is a natural approach to tracking down people who have potentially been exposed to a virus or a disease. In the past, legions of workers have taken on the task after a report of an infected person. Automating contact tracing promises to increase population coverage, speed up the process, and reduce the cost by allowing — or requiring — people to install an application that tracks which mobile devices have been in close proximity. While the technology seems like a smart use of an already ubiquitous technology — people's mobile devices — automated contact tracing raises a passel of thorny issues.

Those most at risk — older people — are least likely to download a contact tracing app, for example, and even distributed contact tracing opens the risk to malicious attacks, such as bad actors reporting a COVID-19 infection in an area to reduce voting participation or shut down businesses, according to three experts who wrote for the Brookings Institution about the challenges facing the technology.

"We have no doubts that the developers of contact-tracing apps and related technologies are well-intentioned, [b]ut we urge the developers of these systems to step up and acknowledge the limitations of those technologies before they are widely adopted," the three researchers said. "Health agencies and policymakers should not over-rely on these apps and, regardless, should make clear rules to head off the threat to privacy, equity, and liberty by imposing appropriate safeguards."

Because contact tracing relies on trust, the current polarization of US politics has made gaining the trust of a third of Americans that much more difficult, according to Privitar's research. Trust requires that two conditions be met, says Privitar's Cohen: One, any app has to do its job effectively, and, two, privacy must be protected. Without such transparency, adoption of contact tracing will not pass the threshold that will make it effective, he says.

Stronger federal laws protecting privacy could help make future efforts more likely. However, while Democrats and Republicans have both proposed legislation, they have failed to agree on key provisions, such as whether state laws — such as the California Consumer Privacy Act — can be more stringent than a federal law, as well as the ability of citizens to bring legal action against offenders. Until those fundamental issues are resolved, privacy protections are unlikely to pass through Congress, Cohen says.

"Key disagreements ... [have] blocked progress so far and make it unlikely that the new proposals will pass," he says. "In the interim, America is left lacking any federal standard, and [that is] driving state-level action."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

User Rank: Apprentice
9/1/2020 | 1:15:13 PM

Nice work Robert,

As is usually the case, it's not a technical problem! Tech can solve many things but if specifications, policies and procedures are not wholly developed, the system will fail. Good idea fairies and well intended politicians often fail to understand.

Try looking at all the other failures of citizen privacy issues over the years. States SELL DMV data, including photos, to 3rd parties. Some publish VOTER registration records online. Now here comes COVID with social stigma all over the map. Only the naive would participate willingly. Thus abysmal failure.