Euro Security Watch with Mathew J. Schwartz

Application Security , COVID-19 , Governance & Risk Management

Digital Contact-Tracing Apps Must Win Hearts and Minds

We Need These Apps, But Some Nations' Security and Privacy Follies Don't Bode Well
Digital Contact-Tracing Apps Must Win Hearts and Minds
The U.K. National Health Service contact-tracing app (Source: NHS, via BBC)

Despite the need to battle COVID-19, too many digital contact-tracing apps in development are already dogged by security and privacy concerns. Whether enough users will ever trust these apps to make them effective remains a major question.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

This need not have happened. If there was one lesson software development teams - and the people who commission them - should have learned before the world faced a pandemic, it's that an application's requirements need to be correctly specified before it's developed (see: Contact-Tracing Apps Must Respect Privacy, Scientists Warn).

In these days of agile-inflected development processes, specifications need not be long, and they should be subject to change. Project development teams would ideally then pursue sprints of two to six weeks, and include on the team not just developers but also quality assurance experts, security experts - to bring DevSecOps to bear - as well as at least one expert user to offer input and later champion the software after it goes live and continues to be refined.

Enter contact-tracing apps.

Such apps could help individuals better understand if they were exposed to someone who was infected with the virus that causes COVID-19 so they can self-isolate. Whether the apps will be effective remains to be seen. But public health experts say they'll only be helpful if backed by a much more extensive effort, including thousands of people working as manual contact tracers. In short, they're no silver bullet.

Another challenge: Oxford researchers say 60% of the population should use such apps to ensure effectiveness, although at least in Britain, only 80% have the advanced smartphones needed to run the apps.

Apple and Google will soon update their respective mobile operating system platforms to facilitate such apps, letting them use Bluetooth in the background. But there are ground rules: Such apps may not touch location data, for example, GPS. Opt-in will be mandatory, as will be letting a user opt-out whenever they choose. The apps can only grab a certain amount of data. And only one contact-tracing app per region will be supported, with Apple and Google saying in a statement that they'll also support countries that have "opted for a regional or state approach" (see: Contact-Tracing App Privacy: Apple, Google Refuse to Budge).

Obvious Play: Work With Apple, Google

Some countries are pursuing roll-out plans that will gel with the Apple and Google model. Given that they're the world's two biggest mobile OS players, you'd be a fool to not work with them because doing so will likely make for the easiest-to-use and most reliably functioning apps. Some leading privacy researchers have also said these efforts are heading in the right direction, because they minimize data collection and prioritize user control (see: Contact-Tracing Apps: Privacy Group Raises Concerns).

Because what you want here is akin to Apple's Health app, which I've enabled so it counts my steps in the background, even though I often forget it's doing so. What the app doesn't do, however, is send data on my workout activities to a centralized location so the government or anyone else - doctor, insurer - can study it. I'm in control. More on that in a moment.

In terms of how digital contact-tracing apps will function, several groups are building protocols for decentralized systems that put power in the hands of users in part by leaving the data on their devices. They're also transparent, offering full source code and the promise of complying with privacy laws, including the EU's General Data Protection Regulation.

These four protocols that have been getting the most attention from privacy and security researchers:

So far, at least two dozen countries have fielded contact-tracing apps. Austria, Czech Republic, Germany, Iceland, Indonesia, Israel, North Macedonia and Switzerland are among the countries that have pledged to pursue decentralized approaches. That in and of itself does not guarantee privacy, but it's a start.

Others Pursue Centralized Approach

In contrast to taking a decentralized approach, some governments have opted to take a different tack. That includes the states of North and South Dakota as well as Utah and also Australia, France, India and Norway.

Britain, too, has announced a centralized system. Its plans are not based on any other protocols, and its contact-tracing app is designed to grab location data and store everything centrally, for however long the government chooses. In addition, the app is being developed by the National Health Service.

I am a huge fan of the NHS on ideological, economic and social grounds. The care I have received from the NHS is exemplary.

But deservedly or not, from a technology standpoint, the NHS has a reputation for not being staffed by technology all-stars, as well as preferring custom software projects that too often fail to work as advertised, if they work at all, when common, off-the-shelf software could have been adapted faster and for less.

Privacy and Security Input Essential

Getting any nation's residents to use a contact-tracing app is going to take a huge hearts-and-minds campaign, except for autocratic governments that try to force the issue (see: COVID-19 Contact-Tracing App Must-Haves: Security, Privacy).

So it's maddening that the U.K. government, led by Prime Minster Boris Johnson, is pursuing public health policies that have left the country with the second-highest COVID-19 death rate in the world. And the nation's contact-app project, led by Health Secretary Matt Hancock, has also been unnecessarily violating numerous best practices for maximizing the potential success of any software project.

For starters, while there's an ethicist on board, its contact-tracing app project team didn't include any of Britain's world-renowned privacy or security researchers (see: Digital Contact-Tracing Apps: Hype or Helpful?). Nor has the source code been published, although the government has promised to do so - after it releases the app.

What we know so far of the specification reads like a centralized surveillance nightmare, with the government saying it will collect enough information to create "social graphs" of everyone and who they come into contact with, as well as where it happens. Then they'll keep this data indefinitely, potentially selling it to third parties for research, analysis or what-not, despite experts warning of the surveillance, data breach and espionage risks this potentially poses, and a team of legal experts already positing that Britain's approach flagrantly violates GDPR data privacy principles.

If the app's data collection is to be safeguarded by new laws, and captured data subject to a "sunset clause" after which time it must be deleted, such legislation has yet to be mooted.

Who's the User?

Software development projects succeed when they put users' or customers' requirements and concerns first. Clearly, the U.K. government thinks it's the user here, when in reality the users are millions of U.K. residents who need to be using the app for it to be effective.

The U.K. approach is akin to Apple pushing a free copy of a U2 album to everyone's iPhone and acting surprised when they don't fall in love with it, or indeed, want it to be immediately expunged. It's not only wrong, off-key and smacking of Big Brother; it's also infuriating.

For comparison, look at Zoom, which has seen a surge in users due to COVID-19. That's resulted in many more security researchers taking a close look at its software and infrastructure and finding problems. In response, Zoom's CEO hired an information security all-star team - including former Facebook CISO Alex Stamos to look at encryption, and bug bounty queen Katie Moussouris to help it get a better handle on flaws - and launched a 90-day security overhaul program to start to make things better (see: Stolen Zoom Credentials: Hackers Sell Cheap Access). We have yet to see the full results, but this bodes well.

Back to the U.K.'s contact-tracing app project, which could have been lean, mean and championed by someone people trust (hint: outside the government). Instead, with testing now underway on the Isle of Wight, the effort has been beset by security and privacy concerns, with Hancock, the health secretary, belatedly promising to bolt on some supposed protections. We know adding security and privacy as an afterthought always bodes well.

Whether the NHS app can overcome these challenges and the government can get people to trust it remains to be seen. Potentially, by bungling the rollout, the government will have squandered its best chance for success.

We Need All the Help We Can Get

Already, many, many people - not just in the U.K. - have declared that because of privacy concerns, they won't touch a contact-tracing app.

But whatever our respective governments develop, we really need to use. As former U.S. Defense Secretary Donald Rumsfeld said: "You go to war with the army you have, not the army you might want or wish to have at a later time."

For COVID-19 containment, we need whatever help we can get, and contact-tracing apps, while unproven, may be a boon. But the approach being practiced by the British government isn't helping.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.