Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Privacy & Digital-Rights Experts Worry Contact-Tracing Apps Lack Limits

Mobile-phone-based tracking of people can help fight pandemics, but privacy and security researchers stress that it needs to be done right.

During this coronavirus pandemic, using mobile phones as a way to track who an infected patient has had contact with has become fertile ground for research and development, with many countries — including China, Israel, Singapore, and South Korea — using mobile apps to determine who might have been exposed.

While the technology is arguably necessary to fight the spread of COVID-19, privacy and security experts worry that such tracking applications could violate citizens' rights in the name of public health and could be used after the pandemic is resolved for unintended purposes, such as marketing and law enforcement investigations. Privacy experts point to the relaxation of privacy rights on data collection following the terrorist attacks of 9/11 as a possible outcome of the call for better contact tracing.

Striving to create better ways to keep people safe does not mean that people should give up privacy, says Matthew Siegel, a member and co-chair of the privacy and data security practice group at legal firm Cozen O'Connor.

"In the midst of a crisis, everyone is trying to do what they can to protect fellow citizens — we all want to do our part," he says. "The concern is that we have to make sure that whatever we do, it is limited to the time frame of the current crisis, and not come out on the other side of this and be horrified at what we have done."

As the number of worldwide deaths topped 80,000 and the economic cost of widespread social-distancing measures climb, government officials and experts are looking for ways to be more selective about who needs to be isolated due to infection by the novel coronavirus strain.

Contact tracing is an important tool in the arsenal of public-health officials and helps nations avoid the wholesale isolation of the population, reducing the economic impact of epidemics. Manual contact tracing is prone to missing potentially exposed people and is extremely slow. Using data from mobile applications can both speed contact tracing and lead to much greater accuracy.

However, contact tracing also has downsides. If the identity of a carrier is discovered by the general public, they could be ostracized or placed in danger. While some argue that the public-health risk such individuals pose outweigh the privacy of the individual, without privacy, few citizens would participate in contact tracing.

In a post listing 10 requirements for a privacy-preserving contact-tracing app, the digital rights and hacking group Chaos Computer Club argued that only voluntary contact tracing will be effective, and for people to volunteer, privacy must be preserved.

"Organizational or legal hurdles against data access cannot be regarded as sufficient in the current social climate of state-of-emergency thinking and possible far-reaching exceptions to constitutional rights," the group stated. "As a basic principle, users should not have to 'trust' any person or institution with their data, but should enjoy documented and tested technical security."

The Massachusetts Institute of Technology has taken this approach. The university has created prototype applications for Android and iOS that will allow individuals to discover whether they have crossed paths with an infected person without exposing information about their own movements.

Dubbed Private Kit: Safe Paths (PK:SP), the tool initially allows individuals to keep track of their own locations — where they were at what time — to provide to health officials, if they ever test positive for the disease. The next generation of the PK:SP framework will allow users to be alerted to whether they had crossed paths with any infected people. Finally, the software will allow alerts to be sent to users who have crossed paths with known carriers without the need for a third party, such as the government.

"In this third iteration, Safe Paths enables privacy protected participatory sharing of location trails by diagnosed carriers and direct notification of users who have been in close proximity to a diagnosed carrier without allowing a third party, particularly a government, to access individual location trails," the MIT researchers said in a paper describing the application.

MIT is not alone. Already, companies and universities in the United States have used data to shed light on the spread of coronavirus. Kinsa, a maker of "smart" thermometers, has published a map of the United States showing the relative rise in sick people compared with the average from previous years. Marketing firm Unacast has used its tracking technology to rate every state in terms of how well its citizens are restricting their movement.

The proliferation of such applications poses a danger to privacy if a sound legal and policy framework is not first developed, says Cozen O'Connor's Siegel.

Related Content

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640) 1.01B04. Ordinary permissions can be elevated to administrator permissions, resulting in local arbitrary code execution. An attacker can combine other vulnerabilities to further achieve the purpose of remot...
PUBLISHED: 2021-06-16
Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the `roomUpgradeOpts` key when instantiating a new `Bridge` instance.), any `m.room.tombs...
PUBLISHED: 2021-06-16
An issue was discovered on Enphase Envoy R3.x and D4.x (and other current) devices. The upgrade_start function in /installer/upgrade_start allows remote authenticated users to execute arbitrary commands via the force parameter.
PUBLISHED: 2021-06-16
An issue was discovered on Enphase Envoy R3.x and D4.x devices. There is a custom PAM module for user authentication that circumvents traditional user authentication. This module uses a password derived from the MD5 hash of the username and serial number. The serial number can be retrieved by an una...
PUBLISHED: 2021-06-16
An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The serial number can be retrieved by an unauthenticated user at /info.xml.