A lack of clarity from the government is leaving people worried that the NHSX Covid-19 contact-tracing app will expose them to a heightened risk of cyber attack, and that the app will be used to track their location and collect data on them.
This is according to a report compiled by pollsters at Censuswide on behalf of security firm Anomali, which set out to explore the necessary trade-off between complete individual privacy and the greater societal good that will be needed for contact tracing to be deemed successful, and for the UK to emerge from lockdown.
It looked at the views of 1,000 consumers and concluded that the success of the app may ultimately be hampered by a lack of public trust in its security.
“It’s tough to predict the increase in the volume of attacks we’ll see,” said Jamie Stone, head of EMEA at Anomali. “However, we are already seeing thousands of rogue and spoof Covid-19 domains being registered and used in attacks.
“Global interest around the virus, and each nation’s track-and-trace apps, means that attackers will likely use many of these domains to host phishing attacks via both email and SMS. People using Covid-19 tracking apps need to be extremely vigilant and aware, ensuring that they’ve installed official government apps and that they are interacting with authentic messages from the agencies.”
The report revealed that 43% of respondents were concerned that the app would give cyber criminals an opportunity, too good to pass up, to run manipulative phishing or smishing campaigns, and more than half – 52% – said they did not feel confident enough to differentiate between a legitimate communication and a fraudulent one.
A further 33% of respondents to the study – conducted between 7 and 11 May 2020 – feared the government might use the app to track their whereabouts, and slightly more than that – 36% – were worried that the app might be used to collect data on them.
“At this stage, nobody knows where to get the NHSX app from, so it can be reasonably expected that consumers will be faced with floods of emails with bogus links to convincing-looking domains to download the app from,” said Stone.
“There is also the danger of smishing attacks – similar to a phishing attack, but the phish is done via SMS message. Due to the smaller screen real estate, people will be less able to check the veracity of the link, so will be more trusting and might click it.”
Jagvinder Singh Kang, partner and international head of IT law at law firm Mills & Reeve LLP, said it was not the case that the contact-tracing app was being launched completely devoid of any privacy or security considerations, and expressed concern that this was being overlooked – the risk being that nobody will ever download the app and the UK may be plunged into what he termed a “continuous lockdown”.
Kang acknowledged that the app needs further work, including from a data protection alignment perspective, but argued that the only thing anybody should have to fear was fear itself.
“The irony is that privacy advocates who are so against the NHSX app are failing to realise that the potential risks of privacy intrusion are significantly greater through non-app contact tracing compared to app contact tracing,” he said.