Euro Security Watch with Mathew J. Schwartz

Application Security, COVID-19, Governance & Risk Management

Digital Contact-Tracing Apps: Hype or Helpful?

Australia, India and UK Pursuing Centralized Approach Many Privacy Experts Warn Against
Photo: Tim Dennell (via Flickr/CC)

Technology is no panacea, including for combating the COVID-19 pandemic. While that might sound obvious, it's worth repeating because some governments continue to hype contact-tracing apps for combating the disease.
In their most privacy-preserving form, contact-tracing apps are akin to submarines, pinging each other directly via Bluetooth as they pass. Each ping contains the unique code for the user. If the user later tests positive for COVID-19, their ID can be broadcast to all other apps. Any record of having come into close contact with that ID for a specified length of time (likely 10 minutes or more) can alert other users to self-isolate.

While that's the theory behind contact-tracing apps, experts warn that they'll only be effective when they supplement manual contact-tracing efforts, including contact tracers working the phones to identify who may have been exposed, in an update of practices that date from the late 18th century.

For COVID-19, experts say countries also need rapid and reliable blood tests to accurately identify who's infected, buy-in from users and sufficient levels of personal protective equipment to safeguard key workers against infection.

Oxford University researchers have estimated that 56% of the U.K. population - equating to 80% of smartphone users - must use contact-tracing apps to make them optimally effective.

Research conducted in Taiwan on contact tracing found that 99 percent of people who came into contact with an infected individual did not develop COVID-19 symptoms, at least as measured from when the infected individual began displaying symptoms.

"I think this [research] is important in setting the right expectations, also for (digital) proximity tracing," says privacy expert Marcel Salathé via Twitter.

In other words, only a fraction of people who come into contact with someone who's got COVID-19 will be infected with the virus that causes the disease, but also, many people are poor at remembering who they've come into contact with. "Traditional contact tracing is based on recall," he says. "Digital proximity tracing might be able to identify many of the missed contacts/transmissions, if there are any."

Don't Rush

Despite their potential, rushing such apps to market may also do more harm than good. "Premature deployment of a digital contact-tracing app, which will ultimately rely on widespread public uptake to be effective, risks tarnishing public trust and confidence in technologies that could assist a transition out of the crisis," says Carly Kind, the director of the Ada Lovelace Institute, which has been evaluating contact-tracing apps.

Governments also need to entice users to take a leap of faith, while not overselling the potential upsides. "This is absolutely new ground," Kind tells Wired. "This is the first major epidemic or pandemic where these kinds of contact-tracing apps have been under consideration. There's not very much evidence at all to support the sustained benefit."

Risk: 'Social Graph'

Already, some governments, rather than taking a privacy-preserving approach and attempting to entice users, have been instead developing apps that centrally track everywhere a user goes and everyone with whom they come into contact, sometimes via not just Bluetooth but also GPS.

This can be used to create a "social graph" of everyone with whom a user comes into contact. But privacy rights watchers warn that without clear legal protections for users, social-graph data could be abused, including for mass surveillance by governments, as well as by hackers and private businesses. Storing so much data centrally also puts it at risk of being stolen or inadvertently exposed (see: Contact-Tracing Apps: Privacy Group Raises Concerns).

Last month, worried by how some countries have been approaching these apps, hundreds of privacy and security researchers and scientists signed an open letter calling on governments to pursue contact-tracing apps in an open, transparent manner; to make such apps opt-in only; to always take the most privacy-preserving approach to any design decision; and to pass laws defining what can be done with collected data and including a "sunset clause" for how and when it will be deleted (see: Contact-Tracing Apps Must Respect Privacy, Scientists Warn).

"Everyone accepts that extraordinary times can call for extraordinary measures, but it has to be done transparently, with legal backing and with oversight. To do otherwise risks what start out as good intentions being misused in future," says Alan Woodward, a professor of computer science at the University of Surrey (see: COVID-19 Contact-Tracing App Must-Haves: Security, Privacy). "Not all governments are benign."

Such concerns are at the heart of the EU's General Data Protection Regulation, which requires anyone storing or processing personally identifiable information to only collect the minimum necessary and to not retain it for longer than is necessary. To do otherwise risks violating individuals' privacy in myriad ways, including via the threat that this information will get lost, stolen or inadvertently exposed (see: Ashley Madison Breach: 6 Lessons).

Centralized Versus Decentralized

For digital contact-tracing apps, which approaches will best meet public health officials' needs while preserving privacy? For many privacy professionals, taking a decentralized approach - meaning proximity data gets processed only on a user's phone, rather than on a central server - is the best way forward. While there are multiple ways to do this, the DP3T protocol - for decentralized privacy-preserving proximity tracing - appears to be gaining the most traction.
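The exchange sketched earlier (phones pinging each other's code over Bluetooth, a later broadcast of the code of a user who tests positive, and an alert after roughly 10 minutes of contact) and the decentralized processing this section favours, as an added Python simulation. This is example code written for this article, not the DP3T reference implementation or any government's app. It assumes a 60-second ping interval, a cumulative 10-minute threshold, and a server that stores nothing but the codes of users who report a positive test; the phone names and timestamps are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

CONTACT_THRESHOLD_S = 10 * 60    # alert after about 10 minutes of close contact
PING_INTERVAL_S = 60             # assumed spacing of Bluetooth pings (constructed value)
MAX_GAP_S = 2 * PING_INTERVAL_S  # a longer silence ends one contact episode


@dataclass
class Phone:
    """One user's device. Everything it hears stays on the device."""
    user_id: str
    heard: dict = field(default_factory=lambda: defaultdict(list))  # code -> ping times

    def ping(self, other: "Phone", t: int) -> None:
        """Two phones pass each other: each records the other's code and the time."""
        self.heard[other.user_id].append(t)
        other.heard[self.user_id].append(t)

    def contact_seconds(self, code: str) -> int:
        """Total close-contact time with `code`, summed over contact episodes.

        Consecutive pings closer than MAX_GAP_S belong to one episode; an episode
        lasts from its first ping to its last, so a single isolated ping counts as 0.
        """
        times = sorted(self.heard.get(code, []))
        if not times:
            return 0
        total, start, prev = 0, times[0], times[0]
        for t in times[1:]:
            if t - prev > MAX_GAP_S:
                total += prev - start
                start = t
            prev = t
        return total + (prev - start)

    def check_exposure(self, published_codes: list) -> list:
        """Local matching: the phone downloads the positive codes and compares them
        against its own log. The server never learns whom this phone met."""
        return [c for c in published_codes
                if self.contact_seconds(c) >= CONTACT_THRESHOLD_S]


class PublicationServer:
    """Holds only the codes of users who reported a positive test (no social graph)."""

    def __init__(self) -> None:
        self.positive_codes: list = []

    def report_positive(self, phone: Phone) -> None:
        self.positive_codes.append(phone.user_id)


def simulate() -> dict:
    """Constructed scenario: alice meets bob for 15 min, passes carol for 2 min,
    and meets dave twice for 5 min each. Alice later tests positive."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    for t in range(0, 901, PING_INTERVAL_S):        # 0..900 s with bob: one 15-min episode
        alice.ping(bob, t)
    for t in (1000, 1060, 1120):                    # 2 min with carol: below threshold
        alice.ping(carol, t)
    for t in range(0, 301, PING_INTERVAL_S):        # 5 min with dave ...
        alice.ping(dave, t)
    for t in range(2000, 2301, PING_INTERVAL_S):    # ... and another 5 min later on
        alice.ping(dave, t)

    server = PublicationServer()
    server.report_positive(alice)   # only alice's own code leaves her phone
    published = server.positive_codes
    return {
        "bob": bob.check_exposure(published),
        "carol": carol.check_exposure(published),
        "dave": dave.check_exposure(published),
        "server_knows": list(published),   # the whole of what the server holds
    }


if __name__ == "__main__":
    print(simulate())
```

Two design points are worth noting. The threshold is applied to summed contact episodes, so two short meetings with the same person can add up to an alert; whether a real deployment counts cumulative or only contiguous contact is a policy choice the article leaves open. And because the example follows the article's description of one fixed code per user, anyone passively listening could link a user's pings over days; DP3T-style designs rotate the broadcast code frequently, which is precisely the refinement that keeps a leaked log from becoming a tracking record.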

Apple and Google have pledged to soon update their mobile operating system platforms to facilitate decentralized contact-tracing apps, and to "openly publish" details of what they've done. Primarily, their efforts will involve allowing such apps to always use Bluetooth in the background, so none of the aforementioned pings get missed and apps don't quickly wear down batteries (see: Contact-Tracing App Privacy: Apple, Google Refuse to Budge).

"Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders," Apple and Google said in a joint statement.

Multiple governments - including Austria, Germany, Ireland and Switzerland - have pledged to pursue a decentralized, privacy-preserving approach.

But others appear to be pursuing centralized approaches that would enable them to centrally store and track an extensive array of information. So far, Utah and North and South Dakota in the U.S., as well as Australia, France, India - which plans to make the use of its app mandatory for all workers - and the United Kingdom are among those that appear to be opting for this centralized approach.

Transparency Questions

The British government has yet to release its contact-tracing app for third-party review, but officials have said they are pursuing a centralized approach that will store a social graph for all users.

Addressing Britain's approach, on Wednesday, nearly 200 privacy and security researchers in the U.K. signed an open letter calling on the government to include expert privacy and security input into the app being developed by the U.K. governmental unit NHSX. They also want the government to specify what data is being collected and why, with justification from leading epidemiologists, and warned against any attempt to build social graphs.

"This facility would enable (via mission creep) a form of surveillance," the researchers write in their open letter. "We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a 'nice to have,' given the dangers involved and invasive nature of the technology."

Separately, a group of legal experts, reviewing what's known about the NHSX contact-tracing app program, warn that the NHS doesn't appear to have the legal authority to process personal data in the manner it's proposing, and that the program may also violate GDPR.

"The data-sharing arrangements that the government has announced for the creation of a data store for purposes relating to the COVID-19 pandemic currently lack sufficient clarity and detail to comply with the data protection principles set out in Article 5 of the General Data Protection Regulation," say Matthew Ryder, Edward Craven, Gayatri Sarathy and Ravi Naik in their legal opinion.

Clarity Needed

Governments need to be clear about exactly what they're doing, what they hope to achieve by doing it, and commit to safeguards.

Because if such apps don't work as intended, what happens next remains an open question. If it "doesn't work, where does the technology go?" Michael Veale, a lecturer in digital rights at University College London, says in comments to BBC Radio 4. "Does it slip into function creep further with more functions that enable greater surveillance? Or do we say, actually, this was not a great idea?"

Governments that take a transparent, open, privacy-preserving approach to digital contact-tracing apps, backed by clear legal protections for the public, will be best-placed to foster contact-tracing app adoption. Governments that opt for a different approach put at peril not only adoption of their apps, but potentially public health as well.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.