After America was attacked on 9/11, the US government passed invasive surveillance laws that are still stripping away Americans’ privacy almost two decades later. Could the same abuse occur with the contact tracking apps being developed to fight the coronavirus pandemic around the world?
How does track and trace work?
Tracing apps track and monitor coronavirus contacts. In the event of a confirmed COVID-19 case, public health institutions can use location data or keys exchanged over Bluetooth to help determine where and when someone got sick and who they might have infected before they started exhibiting symptoms. Anyone who might have come into contact with the infected individual can then also be warned, especially if they also have a tracing app installed.
Here’s an example of how it might work:
- Joe goes grocery shopping at his local supermarket. He walks past Meredith, who is carrying the novel coronavirus but not yet exhibiting symptoms. She’s also carrying her smartphone, which has a tracing app that is logging her location at all times. She later gets tested and becomes a known COVID-19 patient.
- Joe hasn’t been feeling well so he gets tested. The test comes back positive – he has COVID-19. Fortunately, he’s been using a tracing app, which health officials promptly tap into to analyze Joe’s case.
- Where did Joe get COVID-19? They know that Joe and Meredith were at the same location at the same time, so it’s likely that he got it there.
- Patrick gets a notification on his phone. He was visiting the same supermarket three days later when Joe had returned for more groceries, which the government knows because he was also using a tracing app. There’s a chance he may have contracted the virus, so he gets tested as well. Even if he’s not yet exhibiting symptoms, this would allow him to find out if he has the potential to spread the disease before falling ill himself.
Does contact tracing really help?
There’s little doubt that contact tracing apps can have a positive impact on a country’s coronavirus response. However, it’s not clear how significant that impact is and whether it’s worth the negative consequences (we’ll get to those in a moment).
On their own, coronavirus tracking apps aren’t a significant preventative measure. Social distancing, protective equipment, and quarantines are far more effective at protecting individuals from the coronavirus. The insights these apps provide can help on a broader level by helping officials understand how and where the virus is spreading and by helping people get tested before they exhibit symptoms. All of this can slow its spread, but to what degree?
Coronavirus tracking app drawbacks and risks
- Questionable efficacy: A lot of things need to be true to get useful information out of a tracking app program. These include:
- Depending on who you ask, 60-80% of your entire population needs to use them for them to be relevant. That can be difficult to achieve when not everyone has smartphones (in a prosperous country like the United States, 81% of people have smartphones, meaning the app would need to achieve as much as 100% penetration). At-risk communities, like the elderly or disadvantaged, can be especially difficult obstacles for optimal app penetration.
- The user’s phone needs to be on, as do those of the app users around them. Depending on the app, they’ll need to have location tracking and/or Bluetooth enabled during their contact as well;
- You need to identify app users’ infections. Many countries have had trouble ensuring adequate testing, and in many cases, testing only happens if the user self-reports their symptoms. There can be many reasons why someone can’t or won’t report their symptoms (asymptomatic infections, pressure at work).
- Many countries may not need them: Many epidemiologists agree – contact tracking – via apps or public health professionals – is most effective before the epidemic has become widespread. Some epidemiologists aren’t even sure if it’s effective at all. When enough people are sick, tracking contacts can become more difficult and less effective.
- Potential for abuse: Apps can be bug-ridden on the best of days. Take massive surveillance on a national scale, give it a tight deadline, and you’ve got a recipe for failure. Here are a few things that might happen:
- Governments are notoriously poor at data security when it’s not a matter of national security (and even then…). It’s hard to trust a hastily built national location tracking database to keep your data secure. Furthermore, the PATRIOT Act is the perfect example of how “temporary” surveillance measures can become a two-decade fixture of national policy.
- Hackers know that these apps might be rushed, so they’ll be happy to break in and wreak havoc. Trolls might alter data to make it seem like there are more or less cases than there really are. Criminals might steal personal data or leverage location data to turn a profit on the black market. State-sponsored hackers, like trolls, could use access to sow chaos and panic and perform cyber warfare.
- Corporations can insert themselves as gatekeepers for these apps (indeed, both Google and Apple are trying to do so). Already-invasive corporations may be looking for more comprehensive ways to track even more people. We can only hope they’ll stick to their word and not profit off of these mountains of data, but the temptation may be too big to pass up.
- A false sense of security: These apps can be inaccurate. Perhaps the Bluetooth connection won’t succeed and you won’t know that you were in contact with an infected individual. Maybe it will put you at the same location as an infected individual while you were actually on the other side of a wall. These apps cannot take the place of intelligent human contact tracing work, only supplement it. However, app users may be lulled into a false sense of security by relying on the app’s feedback too heavily.
There are other potential issues as well. Many critics have pointed out that these apps may be made mandatory by schools or employers. They could then further be used to discriminate against people who the apps say have been in contact with COVID-19 carriers – whether or not the apps identified those contacts correctly.
Update – tracing apps are being hacked
Since this article came out back in May, some of our predictions have come true. Many of the contact tracing apps released nation-wide are now potential honeypots for criminals. They lack security, there are countless apps to choose from with poor accountability, and the millions of possible victims make them the perfect targets.
- Qatar's mandatory contact tracing app had a security flaw that would've let criminals access millions of citizens’ names, national I.D. numbers, location data, and medical status.
- India's app has also faced some criticism over its data collection. A researcher discovered that a flaw in the app enabled him to find out about anyone who's sick in India, down to the specific house.
Researchers found seven major security flaws in the UK’s virus-tracking app while it was already being trialled on the Isle of Wight. These included registration glitches that could allow criminals to manipulate contact tracing data and notifications. Other flaws affected the storage of unencrypted data on users' devices.
In July, the UK government admitted it deployed the app without a Data Protection Impact Assessment (DPIA), which is required by law. The government claimed that no data breaches had occurred, but several media outlets have reported security incidents related to the virus-tracking app.
- In the USA, the situation is particularly worrying. Each state is developing its own virus tracking apps with no significant nation-wide oversight, meaning that each application has its own particular brand of security bugs.
- North Dakota's app was revealed to have been sending people's location data to a digital marketing company called Foursquare. However, the flaw has been fixed.
- A recent study of 17 contact tracing apps based in different countries across the world revealed that less than half could detect unauthorized access to sensitive data. Only a third had proper encryption capable of securing private information in their source code.
Some cybersecurity experts now predict that exposing the personal data of millions of citizens might be the tip of the iceberg. They could even be used to interfere in the US’ 2020 presidential elections. In this hypothetical scenario, hackers might try to manipulate the numbers of case reports within the apps to deter voters in certain regions from participating in the election.
Should you use coronavirus tracing apps?
Only you can answer that question for yourself. In short, it depends on your location, your government, and the status of the coronavirus pandemic where you live. Here are some things to consider:
- Will the data collected from you help keep the public safe?
- Do you trust your data’s security in your government’s hands?
- Is it likely that these surveillance powers may be abused or extended indefinitely by your government?
- Is it likely that other organizations or individuals in your society might abuse the app?
Technology’s potential to help us beat the coronavirus pandemic and save lives has not yet been fully realized. However, it’s important that we protect our rights as well.
For more cybersecurity and privacy insights, subscribe to our monthly blog newsletter below!