Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Privacy & Digital-Rights Experts Worry Contact-Tracing Apps Lack Limits

Mobile-phone-based tracking of people can help fight pandemics, but privacy and security researchers stress that it needs to be done right.

During this coronavirus pandemic, using mobile phones as a way to track who an infected patient has had contact with has become fertile ground for research and development, with many countries — including China, Israel, Singapore, and South Korea — using mobile apps to determine who might have been exposed.

While the technology is arguably necessary to fight the spread of COVID-19, privacy and security experts worry that such tracking applications could violate citizens' rights in the name of public health and could be used after the pandemic is resolved for unintended purposes, such as marketing and law enforcement investigations. Privacy experts point to the relaxation of privacy rights on data collection following the terrorist attacks of 9/11 as a possible outcome of the call for better contact tracing.

Striving to create better ways to keep people safe does not mean that people should give up privacy, says Matthew Siegel, a member and co-chair of the privacy and data security practice group at legal firm Cozen O'Connor.

"In the midst of a crisis, everyone is trying to do what they can to protect fellow citizens — we all want to do our part," he says. "The concern is that we have to make sure that whatever we do, it is limited to the time frame of the current crisis, and not come out on the other side of this and be horrified at what we have done."

As the number of worldwide deaths topped 80,000 and the economic cost of widespread social-distancing measures climb, government officials and experts are looking for ways to be more selective about who needs to be isolated due to infection by the novel coronavirus strain.

Contact tracing is an important tool in the arsenal of public-health officials and helps nations avoid the wholesale isolation of the population, reducing the economic impact of epidemics. Manual contact tracing is prone to missing potentially exposed people and is extremely slow. Using data from mobile applications can both speed contact tracing and lead to much greater accuracy.

However, contact tracing also has downsides. If the identity of a carrier is discovered by the general public, they could be ostracized or placed in danger. While some argue that the public-health risk such individuals pose outweigh the privacy of the individual, without privacy, few citizens would participate in contact tracing.

In a post listing 10 requirements for a privacy-preserving contact-tracing app, the digital rights and hacking group Chaos Computer Club argued that only voluntary contact tracing will be effective, and for people to volunteer, privacy must be preserved.

"Organizational or legal hurdles against data access cannot be regarded as sufficient in the current social climate of state-of-emergency thinking and possible far-reaching exceptions to constitutional rights," the group stated. "As a basic principle, users should not have to 'trust' any person or institution with their data, but should enjoy documented and tested technical security."

The Massachusetts Institute of Technology has taken this approach. The university has created prototype applications for Android and iOS that will allow individuals to discover whether they have crossed paths with an infected person without exposing information about their own movements.

Dubbed Private Kit: Safe Paths (PK:SP), the tool initially allows individuals to keep track of their own locations — where they were at what time — to provide to health officials, if they ever test positive for the disease. The next generation of the PK:SP framework will allow users to be alerted to whether they had crossed paths with any infected people. Finally, the software will allow alerts to be sent to users who have crossed paths with known carriers without the need for a third party, such as the government.

"In this third iteration, Safe Paths enables privacy protected participatory sharing of location trails by diagnosed carriers and direct notification of users who have been in close proximity to a diagnosed carrier without allowing a third party, particularly a government, to access individual location trails," the MIT researchers said in a paper describing the application.

MIT is not alone. Already, companies and universities in the United States have used data to shed light on the spread of coronavirus. Kinsa, a maker of "smart" thermometers, has published a map of the United States showing the relative rise in sick people compared with the average from previous years. Marketing firm Unacast has used its tracking technology to rate every state in terms of how well its citizens are restricting their movement.

The proliferation of such applications poses a danger to privacy if a sound legal and policy framework is not first developed, says Cozen O'Connor's Siegel.

Related Content

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/1/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-01
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.
PUBLISHED: 2020-10-01
GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page
PUBLISHED: 2020-10-01
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PUBLISHED: 2020-10-01
A vulnerability has been discovered in the ace.xmd parser that results from a lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. This can result in denial-of-service. This issue affects: Bitdefender Engines version 7.84892 and prior vers...
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.