Contact Tracing Apps: Where Does the Security Debate Stand?

essidsolutions

The global health crisis has led countries to consider using contact tracing apps to track and detect the spread of the virus, but concerns about privacy and mobile security abound. Willy Leichter, Virsec’s VP of Marketing, explores the current state of contact tracing apps and whether this smartphone-based approach is secure enough to accomplish the big mission.

Given the sense of urgency to find solutions to the COVID-19 pandemic around the world, contact tracing applications have been launched in many countries in an effort to better understand the virus, its effects and its spread. The immediate issue is that haste typically causes mistakes, and in the cybersecurity world, these inevitable mistakes can have damaging consequences.

Now especially, because the number of digital threats, vulnerabilities, and attacks has never been higher, businesses and end users alike are waking up to the harsh realities of inadequate cybersecurity protection. In fact, as of last week, cybercriminals in Canada discovered how to utilize ransomware to deceive citizens by making them think they are using a legitimate contact tracing app.

The debate about contact tracing apps so far has largely centered on whether they are a good idea, whether they can keep data and privacy intact at scale, and ultimately speculation on whether they will actually work as intended. While these questions have yet to be definitively answered, answers are starting to take shape, as are more questions now that applications are being deployed among the general public.


Because contact tracing is entering the implementation phase in many countries, we are now seeing a variety of strategies and technologies for measuring the spread of the coronavirus. Most of these are determined to be effective or not based on a country’s political system.

Some countries, like India, have enforced mandatory adoption of contact tracing apps, which has, as expected, caused more citizens to use the app. However, this enforcement of mandatory usage and reporting has also illuminated many security and privacy concerns. Experts estimate that adoption of contact tracing applications needs to reach 80% of a country’s population to meaningfully replace expert, manual labor. By making contact tracing compulsory, India may achieve this level of usage, but its use of centralized government databases with everyone’s GPS history is a privacy nightmare for many.

Why Google and Apple’s Privacy Preserving Approach Seems More Promising 

Additionally, rather than using open-source tools with independent security audits, developers of the Indian contact tracing app have publicly stated that unsolicited security input would overburden the staff developing and managing the app. Most of this derives from the inherent security issues seen with open-source software, which is being used by India’s developers, as corrupted code and ample vulnerabilities can be easily applied to new environments or users.

For democratic states that want contact tracing to be optional, and can’t abide a centralized Big Brother database, the whole idea of contact tracing applications becomes tenuous. Google and Apple should be applauded for their privacy-first approach to developing contact tracing APIs, but so far we have not seen adoption rates come close to where they need to be to work as intended.

As seen recently with facial recognition technology, technology can harbor racial biases and push to the side the historic experiences of underrepresented communities. This is a compelling reason for many US citizens to not partake in contact tracing. Those with serious medical conditions also tend not to disclose whether or not they have had the virus, because they fear their concerns won’t be taken seriously but that medical costs will still ensue.


Contact Tracing Apps Can Expose Sensitive Data  

Traditional manual contact tracing is time-consuming and expensive, but we shouldn’t assume that technology can leap-frog an established process. According to Bloomberg, Japan has effectively kept infections down with an efficient, manual system that does not rely on unproven apps.

So where do these issues related to contact tracing apps leave us? With COVID rates rising again rapidly, the need for effective contact tracing is more urgent than ever.

But for automated contact tracing to work, people will have to trust the integrity of the apps and the processes behind them. Even the best-designed code always has vulnerabilities, and only with constant vigilance, extensive testing, and continuous runtime monitoring can these risks be comfortably mitigated. Without more serious security scrutiny of contact tracing applications, breaches will become more likely, privacy will be compromised, and users will simply choose not to participate.

We in Silicon Valley often suffer from the conceit that technology can solve every intractable problem. While technology has certainly revolutionized our ability to trace almost anything, when we’re dealing with people and sensitive medical information, we can’t gloss over privacy and security concerns. 

 