
5/12/2020
05:00 PM

Secure Contact Tracing Needs More Transparent Development

Experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.

Public health officials have long relied on tracking infectious diseases as common as tuberculosis and as lethal as Ebola as a way to stop their spread. But manual contact tracing requires boots on the ground – people who track down patients, interview them about where they've been and who they've met with, and then find those people and let them know they've been in contact with someone who has tested positive. If any of them test positive, their "contacts" must also be interviewed.

Technology-enhanced contact tracing – using smartphone apps and geolocation data, for example – could help cut down on delays in tracking contacts and potentially provide more accurate information to public health officials. After all, it can be hard for the very ill to remember who they met weeks ago at a dark nightclub or which bus driver they might have coughed on.

So it's easy to see why tech-enhanced COVID-19 contact tracing holds such great promise for public health officials, politicians, and app developers. But with great data collection comes great responsibility, and experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.

Variety of Plans
Contact-tracing methods and technologies vary widely. While Taiwan's contact-tracing program has been hailed as a possible model for the United States, China's program would be considered invasive by the West's standards. Meanwhile, Israel is involuntarily collecting geolocation data, Singapore has built an open source contact-tracing system based on Bluetooth beacons, and the United Kingdom is struggling to find its own way.

In April, Apple and Google announced their plan to jointly develop a decentralized COVID-19 contact-tracing system for Android and iOS. It will use automatic Bluetooth interactions between phones to pseudonymously identify when a person has come in proximity to an infected patient. As of now, Apple and Google are not making their own apps but building the cross-platform architecture that contact-tracing app developers can use.

Adding to the complexity is a lack of clear standards for what the apps should look like and how consumers will need to interact with them. Johannes Ullrich, head of the SANS Internet Storm Center, said he's concerned that hard-to-use app interfaces will open the door for developers to sneak features into the apps long after they've served their purpose.

"These applications and their APIs could encourage feature-creep to set in. [They] could be used for other types of tracing and reduce privacy," Ullrich said. "The consumer has no real idea how these work, and they could keep running even if the [COVID-19] conditions change later."

Privacy Matters
Privacy advocates and technologists are alerting developers to the risks.

The data that contact-tracing apps could collect goes beyond where the device owner has been, warns Richard Weaver, data protection officer at cybersecurity provider FireEye. It could include healthcare information, government identification numbers, and infection status — all of which could be abused by hackers.

"These apps could create a pool of data that resides on the phone," Weaver says. "As an app developer, you have to ask yourself at what point you even need the data anymore."  

Developers should resist the temptation to retain data collected by their COVID-19 contact-tracing apps for longer than is necessary, he adds.

"App developers as a rule should follow data minimization" and not collect more than what's required to successfully aid contact tracers, Weaver says. Data minimization "is required in the European Union, but it's also best practices."

The American Civil Liberties Union established a series of privacy-protective protocols for organizations to adhere to when developing their contact-tracing systems. Microsoft vice presidents Julie Brill and Peter Lee have advocated that consumers have control over how their data is shared and where it is stored, that the data be used solely for public health purposes, that the minimum amount of data necessary for contact tracing be collected, and that the data be deleted after the pandemic has receded.

A study on creating a privacy-sensitive protocol for mobile-device contact tracing (PACT) – co-authored by researchers from Microsoft, the University of Washington, the University of Pennsylvania, and the Boston Public Health Commission – recommended keeping location data locally on the device and using it only in efforts to identify who else was near the infected patient, saying data handled this way might be safe from exploitation.

The system created by Apple and Google does anticipate some of these issues and institutes security and privacy precautions: For one, the system will use Bluetooth beacon key exchanges and not geolocation data. It also will likely require patients who test positive for COVID-19 to update the app only with approval from a healthcare professional. In addition, the system recommends that app developers not store IP address information. Also of note: Apple and Google say they won't allow advertisers access to the system.

Not an Either/Or
Contact-tracing apps will not be effective unless they are paired with traditional, manual contact tracing, says Stefano Tessaro, an associate professor at the University of Washington College of Engineering, and co-author of the "PACT" study.

"All of this only makes sense on top of traditional contact tracing," Tessaro says. "I think there's a little bit of a misconception at this point. Somehow digital contact-tracing solutions are compared to manual contact-tracing solutions."

But it's not about replacing or cutting back on manual contact-tracing efforts, he says: "That would be the wrong approach."  

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ...