With governments worldwide beginning to slowly lift some of the COVID-19 lockdown regulations, the question remains as to how people can begin living their normal lives again. Several companies and governments have developed their own version of a contact tracing app, which uses Bluetooth connectivity to notify people when they are in close proximity with someone who tested positive for the Coronavirus. While this may seem like the best way for people to safely continue with their lives outside of their homes, security issues are causing many people to rethink the technology.
Different Countries, Same Lack of Protection
As the virus has affected every continent except for Antarctica, countries everywhere are determining how to implement contact tracing into the lives of their citizens. In Australia, an app called COVIDSafe was launched despite negative feedback about its privacy approach. It uses a mixture of Bluetooth and contact data stored on the app and on servers to let users know if they've been in close contact with someone who tested positive for the virus.
While the government claims the information is only sent to healthcare officials, the fact that any data is stored on servers outside of the app has raised some concerns. The government says it will delete the information when the pandemic is over. However, that end is indefinite, and with the virus suggested to be eradicated in 12-18 months, the length of time between data collection and deletion allows for some serious misuse of data.
Israel also had some difficulties with privacy, as it was tracking the phones of residents to enforce quarantines and identify infected people who left their homes. Its Supreme Court stated that residents cannot be tracked without their permission and that legislation must be drafted to cover this practice if it is to be done with proper privacy. The court said it is a slippery slope if the government uses a tool like phone tracking without justification.
Meeting the Demand for Privacy
On the opposite end of the spectrum, Germany is moving in favor of a decentralized architecture where contact data is only stored on devices. Apple and Google, who have been working on a contact tracing app for several weeks now, have altered their design in response to public criticism of security vulnerabilities.
The app, while still using Bluetooth (BT), won't have to connect with other phones to work and will instead rely on BT signals and unique identifiers to determine which people you have been in contact with. The BT identifiers used to rotate every 24 hours, but the tracing keys will now change randomly throughout the day so that an identifier can't be connected to a certain person. Metadata associated with the BT contacts will now also be encrypted with AES.
A group of over 450 French cryptographers and security researchers signed a letter to raise awareness about the potential risks of a contact tracing app. They demand that every technical choice be documented and justified and that, overall, residents be allowed to opt out of using the app. They went on to describe how a centralized approach that collects data on a server requires a lot of faith that the government will respect that data and not use it negatively.
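The decentralized matching described above can be sketched as follows. This is an added example, not Apple's or Google's code: HMAC-SHA256 stands in for the real key derivation, and the `Phone` class, the interval count and the encounters are constructed for illustration.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_KEY = 144  # assumption: one identifier per 10-minute slot


def rolling_id(key: bytes, interval: int) -> bytes:
    """Identifier broadcast in one interval (HMAC-SHA256 is a stand-in KDF)."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.keys = {}      # day -> random key, kept on the device
        self.heard = set()  # identifiers seen over Bluetooth, kept on the device

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.keys.setdefault(day, secrets.token_bytes(16))
        return rolling_id(key, interval)

    def report_positive(self) -> list:
        """Keys a user who tested positive agrees to publish."""
        return list(self.keys.values())

    def exposures(self, published_keys) -> int:
        """Re-derive identifiers from published keys and match them locally."""
        return sum(rolling_id(k, i) in self.heard
                   for k in published_keys for i in range(INTERVALS_PER_KEY))


def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (50, 51):              # constructed encounter: Alice near Bob
        bob.heard.add(alice.broadcast(0, interval))
        alice.heard.add(bob.broadcast(0, interval))
    carol.heard.add(bob.broadcast(0, 90))  # Carol met Bob, never Alice
    published = alice.report_positive()    # the only data that leaves a phone
    linkable = alice.broadcast(0, 50) == alice.broadcast(0, 51)
    return bob.exposures(published), carol.exposures(published), linkable


if __name__ == "__main__":
    print(demo())
```

The server in this sketch only ever receives the keys Alice chooses to publish; who she met is worked out on Bob's and Carol's own phones.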
The Fate of the World in the Hands of the Public
While the privacy of the emerging contact tracing app may be improving, at the end of the day the whole idea may have been for naught if people decide not to use it. Australia wants at least 40% of the population to use the app, while in Singapore, the national development minister said that 75% of the population would have to use the app for it to be effective.
The need for the public to participate for the apps to be successful leads to new concerns, such as the government making the app mandatory or the app dictating whether someone may leave their home. While people may be anxious to return to their pre-pandemic lives, long-term privacy risks need to be addressed before blindly accepting an app from tech giants with questionable backgrounds in consumer privacy.