Contact Tracing Apps

Contact Tracing Apps

Several countries — and now individual US states — are planning or have rolled out their smartphone-based contact tracing apps. These apps are designed so that local health agencies can figure out who was near someone who was infected, in the hopes of gaining insight into the spread of infectionsLet’s talk about what you need to know about these apps, and how to decide your own security strategy.

Several countries are planning or have rolled out smartphone-based contact tracing apps. What does this mean for our privacy?

David Strom, 20 April 2020

There are several complicating factors:

First, how is this tracking data collected and who has access to it? How long does the agency keep this location data, for example? To prevent privacy invasions, the apps must go through some effort. Most only store the collected data on a user’s phone, for example. The ACLU is worried that this data isn’t all that accurate, and has raised other privacy issues in this paper. While the apps make use of various encryption protocols and layers, some are better than others. The goal here is to anonymize the user data and keep hackers at bay. Of course, no system is 100% fail safe, especially as the recent news of a hack on one of the potential Dutch tracking apps that was prematurely released.

Second, all the tracking data in the world is useless without enough actual patient testing and follow-up contact tracing. Many countries – such as the US – haven’t been able to test as many people as needed to find who is infected and who isn’t. This paper from Harvard goes into some of the details about how many tests will be needed for tracking to be effective. It turns out we need to be testing millions per day to really track down the spread of disease. And even after this hurdle, a health agency needs to have the manpower to follow up and trace these contacts to determine which communities are at risk.

A third weakness of these apps is that they all rely on the GPS network. This limits their utility given that precise locations aren’t really possible. How many of us have been directed down some odd street by a misbehaving GPS app? To make the apps more accurate means these have to cross-check with other data, such as with each user’s common locations or with Bluetooth scans of nearby users. For example, Taiwan has each user call the health department and cross-check their own location history against a central repository and request a test if there was an intersection.

Finally, just because you have a smartphone app doesn’t mean that everyone will use it. Some countries, such as China, require everyone entering the country to load the app and correlate their phone with their passport information. Others have been less successful: in Singapore, only a small number of people are running the app. A lot depends on the culture, the type of government and the trust in what the government is saying about the virus. None of these have anything to do with the underlying technology itself.

This page on Wikipedia lists more than a dozen countries where apps have been deployed. India has multiple app deployments from various state agencies. There are also apps available in ChinaIsrael, Norway, Ghana, the Czech Republic and Australia.

But this situation is rapidly evolving. What helps (or hurts, depending on your point of view) is that there are four different development efforts underway that combine either open or closed-source approaches:

  •  The most well-known is a joint project from Google/Alphabet and Apple that is more a framework than an actual app. Vaughan-Nichols explains the actual mechanics and The Verge answers some of the questions about this effort. The UK is poised to test their app based on this framework sometime soon. Both vendors have stated that these protocols will be incorporated into later releases of Android and iOS later this summer.
  •  An open-source EU-based effort called DP-3T has developed an Apache/Python reference implementation here on Github. There are sample apps for Android and iOS too.
  •  A second joint EU-based closed-source effort called PEPP-PT has gotten support from 130 organizations in eight different countries. No current apps are yet available to my knowledge on either EU effort.
  •  Finally is something called BlueTrace/OpenTrace which is open source code developed by Singapore that is part of their tracing app called Trace Together. This was launched in late March and is the basis of a new Australian app.  Singapore takes the information and stores the data in a central repository, which is also what the PEPP design uses.

What should you do? First, if your locale has an app, understand what it does and how it can be compromised. Make sure you check the permissions when you install any tracking app and from that, know what is being collected from your phone’s movements and usage.

Second, is the app really “privacy-enhancing” as its developers claim? One of the reasons why South Korea has been successful is that it doesn’t keep any private identity-related data, and just posts the confirmed patients’ location histories. However, there is a lot that can be learned about this, a better solution would be to not publish any location data but have a way to “jog memories to help people retrace their movements,” as the ACLU suggests.

Finally, for those of us that have a choice and value privacy over public access, don’t install any of these apps. When the phone operating systems update over the summer, remember to turn off the “contact tracing” setting.

About The Author

Avast Software

Avast is dedicated to creating a world that provides safety and privacy for all, no matter who you are, where you are, or how you connect.

Add a comment

*Please complete all fields correctly

Related Blogs

Posted by Intelligent web technology | November 20, 2020
Boost your application security
If you're looking to boost your career in application security, there is no better place to start than by reading a copy of Tanya Janca’s new book, Alice and Bob Learn...
Posted by Intelligent web technology | September 14, 2020
4 tips to boost your home Wi-Fi
It’s an historic moment. No less than the entire human race finds itself banded together as we all do our part to fight a global pandemic. Along the way, we’re...
Posted by Intelligent web technology | June 26, 2020
The anatomy of a phish
Phishing is the most prolific category of cyber scam. Others include romance scams, mugged in London scams, advance fee frauds and many more. Most scams seek to part you from your money...