
Privacy & Digital-Rights Experts Worry Contact-Tracing Apps Lack Limits

Mobile-phone-based tracking of people can help fight pandemics, but privacy and security researchers stress that it needs to be done right.

During this coronavirus pandemic, using mobile phones as a way to track who an infected patient has had contact with has become fertile ground for research and development, with many countries — including China, Israel, Singapore, and South Korea — using mobile apps to determine who might have been exposed.

While the technology is arguably necessary to fight the spread of COVID-19, privacy and security experts worry that such tracking applications could violate citizens' rights in the name of public health and could be used after the pandemic is resolved for unintended purposes, such as marketing and law enforcement investigations. Privacy experts point to the relaxation of privacy rights on data collection following the terrorist attacks of 9/11 as a possible outcome of the call for better contact tracing.

Striving to create better ways to keep people safe does not mean that people should give up privacy, says Matthew Siegel, a member and co-chair of the privacy and data security practice group at legal firm Cozen O'Connor.

"In the midst of a crisis, everyone is trying to do what they can to protect fellow citizens — we all want to do our part," he says. "The concern is that we have to make sure that whatever we do, it is limited to the time frame of the current crisis, and not come out on the other side of this and be horrified at what we have done."

As the number of worldwide deaths topped 80,000 and the economic cost of widespread social-distancing measures climbs, government officials and experts are looking for ways to be more selective about who needs to be isolated due to infection by the novel coronavirus strain.

Contact tracing is an important tool in the arsenal of public-health officials and helps nations avoid the wholesale isolation of the population, reducing the economic impact of epidemics. Manual contact tracing is prone to missing potentially exposed people and is extremely slow. Using data from mobile applications can both speed contact tracing and lead to much greater accuracy.

However, contact tracing also has downsides. If the identity of a carrier is discovered by the general public, they could be ostracized or placed in danger. While some argue that the public-health risk such individuals pose outweighs the privacy of the individual, without privacy, few citizens would participate in contact tracing.

In a post listing 10 requirements for a privacy-preserving contact-tracing app, the digital rights and hacking group Chaos Computer Club argued that only voluntary contact tracing will be effective, and for people to volunteer, privacy must be preserved.

"Organizational or legal hurdles against data access cannot be regarded as sufficient in the current social climate of state-of-emergency thinking and possible far-reaching exceptions to constitutional rights," the group stated. "As a basic principle, users should not have to 'trust' any person or institution with their data, but should enjoy documented and tested technical security."

The Massachusetts Institute of Technology has taken this approach. The university has created prototype applications for Android and iOS that will allow individuals to discover whether they have crossed paths with an infected person without exposing information about their own movements.

Dubbed Private Kit: Safe Paths (PK:SP), the tool initially allows individuals to keep track of their own locations — where they were at what time — to provide to health officials, if they ever test positive for the disease. The next generation of the PK:SP framework will allow users to be alerted to whether they had crossed paths with any infected people. Finally, the software will allow alerts to be sent to users who have crossed paths with known carriers without the need for a third party, such as the government.

"In this third iteration, Safe Paths enables privacy protected participatory sharing of location trails by diagnosed carriers and direct notification of users who have been in close proximity to a diagnosed carrier without allowing a third party, particularly a government, to access individual location trails," the MIT researchers said in a paper describing the application.

MIT is not alone. Already, companies and universities in the United States have used data to shed light on the spread of coronavirus. Kinsa, a maker of "smart" thermometers, has published a map of the United States showing the relative rise in sick people compared with the average from previous years. Marketing firm Unacast has used its tracking technology to rate every state in terms of how well its citizens are restricting their movement.

The proliferation of such applications poses a danger to privacy if a sound legal and policy framework is not first developed, says Cozen O'Connor's Siegel.



Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
