Building security and privacy into contact-tracing apps

As more governments across the globe roll out a plethora of contact-tracing apps to contain the spread of Covid-19, perennial questions around security and privacy have emerged in recent weeks.

Some authorities have been criticised for doing little to prevent their systems from being abused, while others are introducing legislation to prevent data from being used for purposes other than contact tracing.

Zulfikar Ramzan, chief technology officer at RSA, said greater transparency around the functions of contact-tracing apps and how data is being secured, managed and used will help to assuage privacy and security concerns.

“If we don’t have transparency, even if people download the app, they may not use it if they have concerns around it,” he said.

Ramzan said developers of these apps should also implement checks and balances, such as a governance mechanism, to ensure that whoever is using and collecting data is not going to do more with the data than they should.

He observed that some organisations such as MIT, Apple and Google, which have built contact-tracing systems, are already taking a privacy-by-design, decentralised approach where data is being stored on a user’s phone. The data can only be used and shared when necessary to minimise information disclosure.  

Apple and Google have said the contact-tracing features built into their operating systems will not allow developers of contact-tracing apps to access the location information of users. Governments that need such information would have to rely on Bluetooth data to determine close contact between users.

As app developers will not get things right at launch, processes for fixing and preventing security issues will also need to be in place, Ramzan said. This includes incident response, ensuring security of data at rest and in motion, along with scanning source codes for software vulnerabilities.

The fidelity and integrity of data is just as critical, without which any analysis and effort to glean data insights will be skewed.

“If you look at something like a Bluetooth signal, which is how a lot of contact-tracing apps work, it doesn’t give you a precise picture because it may be a case of you and I living in the same apartment complex with a wall between us.

“It may look like we were in contact with each other, but we’ve never really exposed each other to anything because there’s a physical barrier,” he said.

Ramzan called for governments to think through those problems, build trust with their people and ensure that no one can intentionally put bad data into their systems.

“We’ve seen situations where somebody can pick up their phone and put it on their pet. It looks like the phone is in different locations, and that creates bad data in the system,” he said. “Once the data is in the system, it can be very hard to identify that the data is corrupted.”

China, South Korea, Singapore and Australia are among countries in the Asia-Pacific region that have developed contact-tracing apps to curb and better manage the evolving pandemic.

China’s Close Contact Detector app alerts users who are in close contact with infected people or those suspected of having the virus, while South Korea’s Corona 100m alerts individuals if they come across infected patients within 100 metres of where they are.

India has also joined the fray with the Aarogya Setu app that tracks Covid-19 patients or suspected cases that need to be quarantined.

The app uses Bluetooth and location data to automatically identify if a patient under quarantine has come into close contact with another individual, reducing the time and errors associated with manual identification.   

Available in 11 languages, Aarogya Setu has become one of the fastest-growing mobile apps in India with more than 50 million downloads since its launch on 2 April 2020.

“Digital apps have the potential to help authorities know everything about the pandemic – its place of origin, where it’s heading next and other crucial epidemiological insights to mitigate it,” said Venkata Naveen, disruptive tech analyst at GlobalData.

“Taking cues on how various Asian countries are leveraging smartphones to slow the spread of the novel coronavirus, the US, UK and European countries are fast catching up to develop similar digital contact-tracing tools,” Naveen added.