There has been lots of discussion lately about contact tracing apps and how they may influence us in the future. These apps may create network vulnerabilities in both iOS and Android systems, so take caution and be aware. While innovative and seemingly harmless, these apps pose a threat not only from a network and security vulnerability perspective, but also from a data and privacy perspective.
The speed at which these apps are being developed will no doubt invite hackers to get in the game. Their efforts may be rewarded as time pressure may cause skipped testing processes and an overall compromise in quality procedures. In addition, as with any app, the desire to add more features and functionality causes concern. How will we maintain control of what ultimately goes into these apps? Will there be federal mandates to guard against privacy violations?
Just because you can do something does not mean you should. The real controversy around Bluetooth contact tracking apps lies in data and privacy issues. The potential for misuse is high, and many governments may opt for manual tracing. In the hands of the wrong individuals, your personal data can be compromised in a way that is hard to rescind.
What is Contact Tracing?
Contact tracing is nothing new as it relates to infectious diseases or viruses. There are two essential components to contact tracing:
The first component is identification. Suppose you test positive for COVID-19. Health officials will work with you to create a list of people with whom you have been in contact during a specific time frame. These individuals will be contacted and, in turn, also asked for a list. The health official will contact these individuals so they can self-quarantine or take other appropriate precautions. As you can see, this method is manually intensive, and there is no guarantee the data will be secured or otherwise protected. The intent of this method is to slow further spread.
The second component is notification. Once the lists are created and information is known, what should be done with it? Do you notify employers that someone in their organization tested positive for COVID-19? Do employers in turn notify employees and what happens then? What about the apartment or condo building in which you live? Should notification go to tenants that someone in the building tested positive? As you can see, the list can grow fairly quickly, and it is easy to imagine how this can easily get out of hand.
How do Contact Tracing Apps work?
Let’s call it the “chirp” or “token” system. The technology is simple enough – Bluetooth signals emitted from the phone which create a “chirp” or “token” that can be picked up from a phone in close proximity also running the app. The app estimates the distance between two people based on the strength of the Bluetooth signal or beacon. The “chirps” are unique to the phone, and if a person later tests positive, individuals you “chirped” can be notified that they may have been exposed.
Suppose you’re walking down the street and a pop-up appears on your phone that you are in close proximity to a person who has tested positive for COVID-19, or you receive an alert that you are close to a “hot zone” or heavily congested area that could potentially be dangerous. The app could also help with patient notifications and automate an otherwise manual process.
The possibilities for these contact tracing apps (also called exposure notification apps) are endless at this point. Indeed, the technology in today’s smartphones are robust to say the least. Using the phone’s accelerometer, a smartphone can discern whether you are in a car, riding a bike or walking, and many other attributes.
One thing is for sure, though, about contact tracing apps; the apps will consume lots and lots of data, so the issue of privacy and security is at the forefront of the controversy. In addition, once downloaded on your phone, the app may have access to other information about you which puts you at further risk of data exposure.
Technology Leaders are Spearheading the Effort
Many organizations are rushing to the cause to build innovative solutions that address the COVID-19 crisis and help keep people safe. Among the leaders are Apple and Google, but others are in the race too, and several universities like MIT have also begun contact tracing initiatives.
The tech giants Apple and Google are at the forefront of the effort, and they collaboratively launched an API or unified programming interface which can be used by public health agencies and other appropriate entities to develop an app. The platform has been designed to keep data private and use of location data is not allowed. It is up to each state or country to develop its own app using the platform which, of course, creates its own set of problems. The UK recently announced that it will integrate the Apple/Google system into its current app.
Maintenance and Updates
While Apple and Google have provided the much-needed infrastructure, who is going to maintain and update, enforce rules, and so on for future apps? In addition to an infrastructure, policies and procedures are needed to keep everyone in check regarding privacy and other issues. Also, to maximize effectiveness, apps will require mandatory, not optional, usage which will be exceedingly difficult to achieve. Those who think they have COVID-19 or may have been exposed will be less likely to participate.
Even if adoption were high, it is unlikely that the most vulnerable – the elderly and poor – would be among the adopters. That demographic likely has older phones and may not have smartphones. If the goal is to keep people safe, the elderly and poor should be at the top of the list.
The notion of creating an app has been criticized by many, as an app is not the silver bullet to solve an epidemic. There are other social problems that must be considered that could render an app ineffective. Placing too much confidence in an app could divert much needed focus and resources from areas that can make a difference. Many feel that there is a human component required for contact tracing – a level of emotional intelligence not available in an app.
Should You Install a Contact Tracing App?
There are still lots of questions to be answered, and lots of issues to be resolved. The technology is there, make no mistake, and contact tracing apps can catch interactions you may not remember. Contact tracing is an ideal candidate for artificial intelligence and machine learning, too, so expect more of that in the future.
When considering whether to install or not install, consider that with a new app, the risk of security vulnerabilities, hacks, fraud, and unintended consequences are typically higher at the beginning. You must consider the privacy tradeoffs and decide whether the benefits outweigh the risks. It remains to be seen whether a contact tracing app can slow the spread of the Coronavirus.
Apps built on Google and Apple’s Bluetooth platform seem the most obvious choice as the platform has been designed to keep personal information private and to keep most of the data on the phone. States and countries must decide what technology it will use, and you must decide whether or not you will use it. Some things to consider and privacy questions to ask:
- On what platform was the app built?
The Google and Apple Bluetooth platform appears to be the most secure and it is dominating the development space at the moment, but other platforms may arise.
- Does personal information stay on the phone?
As mentioned earlier, Google and Apple’s infrastructure is designed to keep data on the phone.
- How much data does the app collect and what type?
It is important to familiarize yourself with the type and magnitude of data collected. Conduct research before downloading. Large-scale personal data collection leads to unwanted mass surveillance/monitoring.
- Are there any circumstances under which data is shared with others?
This is a critical question. Some apps may share data in the event a person tests positive for Coronavirus, for example.
- Does the app use location services?
The majority almost certainly will so that token data is in context. You need to understand to what extent it is used. While Google and Apple’s platform does not collect GPS data, apps built on the platform could include it.
- Does the app reveal personal information?
Apps should not divulge personal information so that a user remains anonymous. The app should also not reveal any social networks or location data about a user.
- What security measures have been put in place to protect personal data and how is a user’s anonymity protected?
App developers should disclose the security measures built into the app to 1) confirmation that security has been integrated and 2) allow users to decide if security is sufficient
- How often is data purged or deleted?
Weekly? Monthly? More frequent is better to minimize vulnerabilities.
- Can the app be used to learn who is infected or at risk?
It is important that contact tracing apps alert users that they may have been infected, not who infected them.
- Does the app include any third-party software (particularly tracking software)?
If yes, beware! In many cases, use of third-party software allows developers to develop quickly; however, the third-party software can also be used to target marketing and political messaging. Third party apps can also install malicious code.