Dark Reading is part of the Informa Tech Division of Informa PLC

5/12/2020
05:00 PM

Secure Contact Tracing Needs More Transparent Development

Experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.

Public health officials have long relied on tracking infectious diseases as common as tuberculosis and as lethal as Ebola as a way to stop their spread. But manual contact tracing requires boots on the ground – people who track down patients, interview them about where they've been and who they've met with, and then find those people and let them know they've been in contact with someone who has tested positive. If any of them test positive, their "contacts" must also be interviewed.

Technology-enhanced contact tracing – using smartphone apps and geolocation data, for example – could help cut down on delays in tracking contacts and potentially provide more accurate information to public health officials. After all, it can be hard for the very ill to remember who they met weeks ago at a dark nightclub or which bus driver they might have coughed on.

So it's easy to see why tech-enhanced COVID-19 contact tracing holds such great promise for public health officials, politicians, and app developers. But with great data collection comes great responsibility, and experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.

Variety of Plans
Contact-tracing methods and technologies vary widely. While Taiwan's contact-tracing program has been hailed as a possible model for the United States, China's program would be considered invasive by the West's standards. Meanwhile, Israel is involuntarily collecting geolocation data, Singapore has built an open source contact-tracing system based on Bluetooth beacons, and the United Kingdom is struggling to find its own way.

In April, Apple and Google announced their plan to jointly develop a decentralized COVID-19 contact-tracing system for Android and iOS. It will use automatic Bluetooth interactions between phones to pseudonymously identify when a person has come in proximity to an infected patient. As of now, Apple and Google are not making their own apps but building the cross-platform architecture that contact-tracing app developers can use.

Adding to the complexity is a lack of clear standards for what the apps should look like and how consumers will need to interact with them. Johannes Ullrich, head of the SANS Internet Storm Center, said he's concerned that hard-to-use app interfaces will open the door for developers to sneak features into the apps long after they've served their purpose.

"These applications and their APIs could encourage feature-creep to set in. [They] could be used for other types of tracing and reduce privacy," Ullrich said. "The consumer has no real idea how these work, and they could keep running even if the [COVID-19] conditions change later."

Privacy Matters
Privacy advocates and technologists are alerting developers to the risks.

The data that contact-tracing apps could collect goes beyond where the device owner has been, warns Richard Weaver, data protection officer at cybersecurity provider FireEye. It could include healthcare information, government identification numbers, and infection status — all of which could be abused by hackers.

"These apps could create a pool of data that resides on the phone," Weaver says. "As an app developer, you have to ask yourself at what point you even need the data anymore."  

Developers should resist the temptation to retain data collected by their COVID-19 contact-tracing apps for longer than is necessary, he adds.

"App developers as a rule should follow data minimization" and not collect more than what's required to successfully aid contact tracers, Weaver says. Data minimization "is required in the European Union, but it's also best practices."

The American Civil Liberties Union established a series of privacy-protective protocols for organizations to adhere to when developing their contact-tracing systems. Microsoft vice presidents Julie Brill and Peter Lee have advocated that consumers have control over how their data is shared and where it is stored, that the data be used solely for public health purposes, that only the minimum amount of data necessary for contact tracing be collected, and that the data be deleted after the pandemic has receded.

A study on creating a privacy-sensitive protocol for mobile-device contact tracing (PACT) – co-authored by researchers from Microsoft, the University of Washington, the University of Pennsylvania, and the Boston Public Health Commission – recommended that location data be kept locally on the device and used only in efforts to identify who else was near the infected patient, where it might be safe from exploitation.

The system created by Apple and Google does anticipate some of these issues and institutes security and privacy precautions: For one, the system will use Bluetooth beacon key exchanges and not geolocation data. It also will likely require patients who test positive for COVID-19 to only update the app with approval from a healthcare professional. In addition, the system recommends that app developers not store IP address information. Also of note: Apple and Google say they won't allow advertisers access to the system.
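The decentralized, Bluetooth-based matching described above can be sketched in a few lines. This is an added illustration, not code from Apple, Google, or the article; the HMAC-SHA256 derivation, the 10-minute rotation, and the 14-day retention window are assumptions chosen for the sketch, and the `Phone` class and sample contacts are constructed.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144   # assumption: identifier rotates every 10 minutes
RETENTION_DAYS = 14       # assumption: local retention window


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the pseudonymous identifier broadcast during one interval."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_keys = {}   # day -> random key; stays on the phone unless diagnosed
        self.observed = {}     # day -> identifiers heard over Bluetooth (no location)

    def beacon(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, day: int, identifier: bytes) -> None:
        self.observed.setdefault(day, set()).add(identifier)

    def purge(self, today: int) -> None:
        """Data minimization: drop keys and observations past the retention window."""
        cutoff = today - RETENTION_DAYS
        for store in (self.daily_keys, self.observed):
            for day in [d for d in store if d < cutoff]:
                del store[day]

    def exposed_days(self, published: dict) -> list:
        """Match on the device by re-deriving identifiers from published keys."""
        hits = []
        for day, key in published.items():
            seen = self.observed.get(day, set())
            if any(rolling_id(key, i) in seen for i in range(INTERVALS_PER_DAY)):
                hits.append(day)
        return sorted(hits)


def demo():
    # Constructed scenario: Bob was near Alice on day 3; Carol was only near Bob.
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(3, alice.beacon(3, 50))
    carol.hear(3, bob.beacon(3, 50))
    published = dict(alice.daily_keys)   # Alice tests positive and uploads keys only
    return bob.exposed_days(published), carol.exposed_days(published)
```

Only the diagnosed user's daily keys leave a device; the list of who heard whom never does, and `purge` removes both once the retention window has passed.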

Not an Either/Or
Contact-tracing apps will not be effective unless they are paired with traditional, manual contact tracing, says Stefano Tessaro, an associate professor at the University of Washington College of Engineering, and co-author of the "PACT" study.

"All of this only makes sense on top of traditional contact tracing," Tessaro says. "I think there's a little bit of a misconception at this point. Somehow digital contact-tracing solutions are compared to manual contact-tracing solutions."

But it's not about replacing or cutting back on manual contact-tracing efforts, he says: "That would be the wrong approach."  

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ...
 
