Dark Reading is part of the Informa Tech Division of Informa PLC


Privacy & Digital-Rights Experts Worry Contact-Tracing Apps Lack Limits

Mobile-phone-based tracking of people can help fight pandemics, but privacy and security researchers stress that it needs to be done right.

During this coronavirus pandemic, using mobile phones as a way to track who an infected patient has had contact with has become fertile ground for research and development, with many countries — including China, Israel, Singapore, and South Korea — using mobile apps to determine who might have been exposed.

While the technology is arguably necessary to fight the spread of COVID-19, privacy and security experts worry that such tracking applications could violate citizens' rights in the name of public health and could be used after the pandemic is resolved for unintended purposes, such as marketing and law enforcement investigations. Privacy experts point to the relaxation of privacy rights on data collection following the terrorist attacks of 9/11 as a possible outcome of the call for better contact tracing.

Striving to create better ways to keep people safe does not mean that people should give up privacy, says Matthew Siegel, a member and co-chair of the privacy and data security practice group at legal firm Cozen O'Connor.

"In the midst of a crisis, everyone is trying to do what they can to protect fellow citizens — we all want to do our part," he says. "The concern is that we have to make sure that whatever we do, it is limited to the time frame of the current crisis, and not come out on the other side of this and be horrified at what we have done."

As the number of worldwide deaths topped 80,000 and the economic cost of widespread social-distancing measures climbs, government officials and experts are looking for ways to be more selective about who needs to be isolated due to infection by the novel coronavirus strain.

Contact tracing is an important tool in the arsenal of public-health officials and helps nations avoid the wholesale isolation of the population, reducing the economic impact of epidemics. Manual contact tracing is prone to missing potentially exposed people and is extremely slow. Using data from mobile applications can both speed contact tracing and lead to much greater accuracy.

However, contact tracing also has downsides. If the identity of a carrier is discovered by the general public, they could be ostracized or placed in danger. While some argue that the public-health risk such individuals pose outweighs the privacy of the individual, without privacy, few citizens would participate in contact tracing.

In a post listing 10 requirements for a privacy-preserving contact-tracing app, the digital rights and hacking group Chaos Computer Club argued that only voluntary contact tracing will be effective, and for people to volunteer, privacy must be preserved.

"Organizational or legal hurdles against data access cannot be regarded as sufficient in the current social climate of state-of-emergency thinking and possible far-reaching exceptions to constitutional rights," the group stated. "As a basic principle, users should not have to 'trust' any person or institution with their data, but should enjoy documented and tested technical security."

The Massachusetts Institute of Technology has taken this approach. The university has created prototype applications for Android and iOS that will allow individuals to discover whether they have crossed paths with an infected person without exposing information about their own movements.

Dubbed Private Kit: Safe Paths (PK:SP), the tool initially allows individuals to keep track of their own locations — where they were at what time — to provide to health officials, if they ever test positive for the disease. The next generation of the PK:SP framework will allow users to be alerted to whether they had crossed paths with any infected people. Finally, the software will allow alerts to be sent to users who have crossed paths with known carriers without the need for a third party, such as the government.

"In this third iteration, Safe Paths enables privacy protected participatory sharing of location trails by diagnosed carriers and direct notification of users who have been in close proximity to a diagnosed carrier without allowing a third party, particularly a government, to access individual location trails," the MIT researchers said in a paper describing the application.

MIT is not alone. Already, companies and universities in the United States have used data to shed light on the spread of coronavirus. Kinsa, a maker of "smart" thermometers, has published a map of the United States showing the relative rise in sick people compared with the average from previous years. Marketing firm Unacast has used its tracking technology to rate every state in terms of how well its citizens are restricting their movement.

The proliferation of such applications poses a danger to privacy if a sound legal and policy framework is not first developed, says Cozen O'Connor's Siegel.


 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
