The Truth About Privacy and Security in the Age of Contact Tracing
August 2020 by IntSights
COVID-19 has changed many aspects of our lives. The world has been introduced to epidemiology and medical terminology we never thought we would use in real life. Social distancing, virology, and contact tracing are now part of our everyday lives. Oftentimes, after watching the news, we are left with more questions than answers. This report addresses significant concerns on the minds of many: privacy and security in the age of COVID-19 contact tracing. What is Contact Tracing?
Contact tracing is a tracking method used to find and follow up with people who have been in close contact with someone who tested positive for COVID-19 ("the case"). People who were in the presence of "the case" are called “contacts.” Virologists and epidemiologists have been using this technique for decades to track the spread of diseases and try to limit the spread of illnesses like COVID-19.
How Does Contact Tracing Technology Work?
Traditionally, contact tracing has been done through face-to-face interviews. Today, technology companies have created contact-tracing applications for mobile devices that allow governments to track COVID-19 exposure and spread. Apple and Google, whose operating systems run on over 99 percent of the world’s smartphones, have collaborated to develop contact-tracing technology utilizing Bluetooth Low Energy service for detecting device proximity.
The new tech can track “contacts” who have been in a close proximity to “the case” for several minutes and then anonymously notify users through Bluetooth technology. Participation is optional, and requires the user to opt in to both tracking and notifications. Additionally, users are required to self-report if they test positive for COVID-19.
Will Digital Contact Tracing Even Work?
If it seems like everyone in the world has a smartphone or connected device, that’s because it’s mostly true. A 2019 survey revealed that over 90 percent of the world’s population owns a smartphone.
With billions of human beings in possession of smartphones, and a large percentage of them carrying or wearing their devices throughout the day, the technology could hypothetically assist governments in tracking the spread of COVID-19. However, there are two major challenges to making this program successful:
1. People do not want to participate. A study by the Washington Post and the University of Maryland found that three in five Americans are unwilling or unable to use the contact-tracing system. Other studies around the world show a similar sentiment towards the programs. Furthermore, researchers still have no accurate sense of what level of adoption is needed worldwide for the apps to work effectively.
2. Different apps are being used across the world. In Europe, governments are widely adopting digital contact tracing. Within the European Union, Austria, Croatia, Denmark, Germany, Italy, Ireland, Latvia, and Poland have launched apps using the Google-Apple technology, with another nine EU nations preparing to onboard the same. Other countries, such as Northern Ireland, Gibraltar, and Switzerland, have developed similar apps. France and Hungary developed their own native applications and chose to store data in central servers. With so many countries sharing borders and using different apps, the tracing of positive cases across the continent proves to be challenging.
The Truth About Your Privacy and Security
1. Nothing is truly and permanently secure. Some of the best engineers and data scientists in the world are working to create the most secure way of collecting this data and transferring it to authorities. Google and Apple have pledged to disable the service once the pandemic has been contained. They claim to be randomizing the generation of tracking keys linked to the user’s device, using encrypted Bluetooth signals to transmit data, and changing the data synchronously so it cannot be patched together. However, experience has taught us that everything can be hacked. Security practitioners are battling against financially and politically motivated cybercriminals every day. Hackers love breaking new technology and security defenses. Whenever a company or government has claimed to have a fail-safe security mechanism, historically, it has not been long before it was proven to be mistaken.
2. We do not know the long-term consequences of this novel technology. The truth is, China already uses this type of technology to track and monitor its population for COVID-19, and for social regulation. Starting back in February, the Chinese government implemented the use of QR codes to display health status or risk status and now requires users to register before they are allowed to use popular native mobile apps, such as AliPay, WeChat, and QQ. In the meantime, Western governments are not accustomed to having this type of surveillance technology in use in society. This type of precedence comes with the need for citizen accountability. Governments and officials should practice transparency throughout this journey, and consumers must demand accountability from those that govern these types of invasive social technologies.
3. Apple and Google are not storing and analyzing your data through the COVID-19 tracing application. However, the data will be made available to verified government and health authorities. According to their security guidelines, Apple and Google will not receive identifying information about the user, location data, or information about any other devices to which the user has been in proximity. Keep in mind, users must choose to participate and turn on the tracking function on their phones. It is not enabled by default.
Practical Advice For Securing Your Devices
Secure everything, not just your location data. If you have used Facebook, Instagram, TikTok, Google Maps, Apple Maps, or Waze, you are most likely already using GPS technology and location sharing on your mobile device. Did you read the “terms and conditions” when you downloaded the application or gave it permission to access that data from your phone? Probably not. This does not mean you shouldn’t be concerned. This type of technological use is unprecedented and it is happening all over the world. We SHOULD ask questions. However, it is equally important to change your passwords often, update your phone access PIN or biometrics, and review each of your applications’ security settings. There are multiple ways you can secure your information now, while we also explore what the government is doing to guarantee your data privacy.
Limit your location data exposure. Mobile devices use a combination of technologies to gather and send location data from your mobile device: Global Positioning System (GPS), cellular signals, wireless signals, and Bluetooth. This data is valuable to cybercriminals who wish to attack you in various ways. Anyone who wishes to track your location, analyze your daily routine and where you hang out, determine where you work and during what hours, or determine whom you are connected to can do so by hacking into your accounts and looking at your location services data. It is imperative to do a security inventory on your device. Turning off “location services” for your applications is one way to limit exposure to the third parties that run those applications. However, it will not eliminate the risks. Mobile devices inherently trust cellular networks when powered on, and can still be located via Bluetooth and WiFi when cellular service is turned off (as in Airplane mode).
Mitigate risks. On August 4, 2020, the U.S. National Security Agency published recommendations for mitigating the risks of location data exposure, including the following:
1. Disable location services on your mobile device.
2. Use Airplane Mode when the device is not in use (turn off WiFi and Bluetooth).
3. Limit use of location services in apps.
4. Limit advertising privileges and ad tracking on mobile devices.
5. Use a VPN to anonymize your location data.
6. For sensitive work missions (including intelligence operations and military operations), leave connected devices in a safe location, away from the area of operation (AO).