The COVID-19 pandemic led to a rapid response to try to contain the virus' global spread. However, whenever speed is a factor, security and privacy often fall by the wayside. This is especially true with contact-tracing mobile apps, which have been available since spring 2020 yet still lack some of the most basic security protections.
Historically, centralized, government-run data-collection efforts have been abject failures, which seems surprising given the availability of vast computing resources. Even something as seemingly straightforward as government computerization of medical records has succeeded in only a small number of countries. Due to the urgency of the COVID-19 pandemic, governments had to consider noncentralized approaches to contact tracing to both react quickly and achieve the necessary high coverage.
In a sense, contact-tracing mobile apps are an example of a crowdsourced solution to a governance problem, and their success sets an important precedent. Mobile devices will no longer be seen as exclusively communication or leisure platforms. They'll also be considered whenever public health authorities and other government entities need to gather data from their entire population.
All this data collection should be done far more carefully and securely than it is today, or governments will risk losing their citizens' trust permanently.
The Role of Trust and Privacy in Contact Tracing
In a single word, trust is essential if contact-tracing apps are to succeed in their purpose, which is to provide a pervasive and accurate capability to warn individual citizens of potential exposure to the virus when going about their day-to-day activities. Distributed contact tracing via mobile apps (as opposed to centralized, manual contact tracing performed by humans) can be effective only if the majority of citizens install and use the apps.
For this to happen, individuals must believe that the app is safe to use and doesn't expose their personal information, either to the government or to malicious actors who might hack the app. The best way to avoid personal data exposure is for the contact-tracing app not to gather it in the first place.
In May 2020, Apple and Google jointly released the Exposure Notifications API to help governments and other groups build contact-tracing apps. The API's goal is to provide the core functionality for building apps that notify users of possible exposures while protecting user privacy and security. This was a game-changer for contact tracing using smart devices, and the companies hoped that the majority of the world's health authorities would adopt the API. Public health experts hoped the attention paid to privacy and security by design would result in a greater likelihood of public trust in this approach to combating the spread of COVID-19.
An analysis of 62 iOS and Android contact-tracing apps in December found that 60% used the API (62% of the Android apps and 58% of the iOS apps). In addition, they found significant security and privacy concerns in the 40% of apps that did not use the official Exposure Notifications API and instead took a do-it-yourself approach to security. Of greatest concern were the contact-tracing apps that used GPS geolocation data.
GPS and Security Concerns: Where Many Countries Went Wrong
The potential privacy implications of using GPS data are of great concern on their own; even worse, many of the apps that use GPS tracking also require people to share their phone number or passport details to use the app.
Some of the analyzed apps harvest device information, which is a clear overreach. Just an IP address and a time stamp are enough for a government to link a person to a device. Harvesting anything more is unnecessary and creates clear privacy risks.
Unfortunately, many examples of overly invasive and poorly secured contact-tracing apps have been found since last spring. These failures eroded public trust in these apps, which reduced the effectiveness of the entire public health response. The earliest apps were rushed to market with many flaws or (like one UK app) failed so badly that they were abandoned before release.
You only get one chance to make a good first impression. Jurisdictions that made multiple attempts to roll out contact-tracing apps most likely faced adoption issues due to the aforementioned lack of trust.
Collect Only Essential Data, and Make Your App Difficult to Compromise
A best practice is to collect only the data that is necessary for the app to function properly. In the case of contact-tracing applications, that means using the Exposure Notifications API instead of GPS data. Beyond that, applying basic security techniques can prevent attackers from gaining unauthorized access to data, tampering with code, creating fake applications, and more. Security incidents are a serious issue that can erode public trust.
Luckily, these issues are easily fixable if mobile app developers and security professionals prioritize security early in the development life cycle. It's important to empower developers with secure coding skills, take advantage of pen testing and other application security testing measures, and apply code hardening and runtime application self-protection before an application is published (and with each subsequent release). Prioritizing security as much as time-to-market can help prevent incidents, as well as protect both consumers and governments.