Secure Contact Tracing Needs More Transparent Development

Published: 23/11/2024   Category: security




Experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.



Public health officials have long relied on tracking infectious diseases as common as tuberculosis and as lethal as Ebola as a way to stop their spread. But manual contact tracing requires boots on the ground – people who track down patients, interview them about where they've been and who they've met with, and then find those people and let them know they've been in contact with someone who has tested positive. If any of them test positive, their contacts must also be interviewed.
Technology-enhanced contact tracing – using smartphone apps and geolocation data, for example – could help cut down on delays in tracking contacts and potentially provide more accurate information to public health officials. After all, it can be hard for the very ill to remember who they met weeks ago at a dark nightclub or which bus driver they might have coughed on.
So it's easy to see why tech-enhanced COVID-19 contact tracing holds such great promise for public health officials, politicians, and app developers. But with great data collection comes great responsibility, and experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.
Variety of Plans
Contact-tracing methods and technologies vary widely. While Taiwan's contact-tracing program has been hailed as a possible model for the United States, China's program would be considered invasive by the West's standards. Meanwhile, Israel is involuntarily collecting geolocation data, Singapore has built an open source contact-tracing system based on Bluetooth beacons, and the United Kingdom is struggling to find its own way.
In April, Apple and Google announced their plan to jointly develop a decentralized COVID-19 contact-tracing system for Android and iOS. It will use automatic Bluetooth interactions between phones to pseudonymously identify when a person has come in proximity to an infected patient. As of now, Apple and Google are not making their own apps but building the cross-platform architecture that contact-tracing app developers can use.
Adding to the complexity is a lack of clear standards for what the apps should look like and how consumers will need to interact with them. Johannes Ullrich, head of the SANS Internet Storm Center, said he's concerned that hard-to-use app interfaces will open the door for developers to sneak features into the apps long after they've served their purpose.
"These applications and their APIs could encourage feature-creep to set in. [They] could be used for other types of tracing and reduce privacy," Ullrich said. "The consumer has no real idea how these work, and they could keep running even if the [COVID-19] conditions change later."
Privacy Matters
Privacy advocates and technologists are alerting developers to the risks.
The data that contact-tracing apps could collect goes beyond where the device owner has been, warns Richard Weaver, data protection officer at cybersecurity provider FireEye. It could include healthcare information, government identification numbers, and infection status — all of which could be abused by hackers.
"These apps could create a pool of data that resides on the phone," Weaver says. "As an app developer, you have to ask yourself at what point you even need the data anymore."
Developers should resist the temptation to retain data collected by their COVID-19 contact-tracing apps for longer than is necessary, he adds.
"App developers as a rule should follow data minimization and not collect more than what's required to successfully aid contact tracers," Weaver says. "Data minimization is required in the European Union, but it's also best practices."
The American Civil Liberties Union established a series of privacy-protective protocols for organizations to adhere to when developing their contact-tracing systems. Microsoft vice presidents Julie Brill and Peter Lee have advocated for consumers to have control over how their data is shared, where the data is stored, that the data be used solely for public health purposes, that the minimum amount of data necessary for contact tracing be collected, and that the data should be deleted after the pandemic has receded.
A study on creating a privacy-sensitive protocol for mobile-device contact tracing (PACT) – co-authored by researchers from Microsoft, the University of Washington, the University of Pennsylvania, and the Boston Public Health Commission – recommended that location data kept locally on the device and only used in efforts to identify who else was near the infected patient might be safe from exploitation.
The system created by Apple and Google does anticipate some of these issues and institutes security and privacy precautions: For one, the system will use Bluetooth beacon key exchanges and not geolocation data. It also will likely require patients who test positive for COVID-19 to only update the app with approval from a healthcare professional. In addition, the system recommends that app developers not store IP address information. Also of note: Apple and Google say they won't allow advertisers access to the system.
Not an Either/Or
Contact-tracing apps will not be effective unless they are paired with traditional, manual contact tracing, says Stefano Tessaro, an associate professor at the University of Washington College of Engineering, and co-author of the PACT study.
"All of this only makes sense on top of traditional contact tracing," Tessaro says. "I think there's a little bit of a misconception at this point. Somehow digital contact-tracing solutions are compared to manual contact-tracing solutions."
But it's not about replacing or cutting back on manual contact-tracing efforts, he says: "That would be the wrong approach."