How Software Developers Are Addressing Security Concerns About Coronavirus Tracing

How Software Developers Are Addressing Security Concerns About Coronavirus Tracing
The Siliconreview
24 July, 2020

As the coronavirus pandemic continues with no vaccine ready yet, healthcare officials and government leaders are looking for ways to restore some semblance of normalcy for citizens throughout the world. But getting life back on track, resuming business as usual, and boosting the economy must be balanced with lingering public health concerns.

Many experts agree that the best approach to striking that balance includes widespread testing and tracing. Testing means determining which people have the virus. Tracing is a process for determining who infected people come into contact with so those people can be alerted to get tested and/or self-isolate.

It sounds simple until you start considering other factors like security. All the information tracing apps need to gather amount to a goldmine for potential data thieves. That’s why software developers are working to ensure the public can be not only productive and healthy but also protected from hackers.

How Tracing Works

Just as your smartphone can help you order groceries, communicate with friends, exercise, and learn what’s going on in the news, they can help you do your part to combat the coronavirus, using location methods such as cell towers, Wi-Fi, GPS, and Bluetooth. These technologies can be deployed by an app to determine where people are at any given time.

The same app can collect user-provided information about who is infected with the virus, so it can tell you if you’ve been in contact with any of those people. When you are, the app can alert you to get tested yourself and/or self-isolate. This method can be used in place of or to support existing methods, which require human tracers to contact people about their health status and recent whereabouts.

Security Concerns

In India, citizens are concerned about the country’s coronavirus tracing app, Aarogya Setu (which translates to “a bridge to health” in Hindi). According to a recent CBS News article, the app “uses Bluetooth and GPS technology to alert users who may have come into contact with people who tested positive for COVID-19 or shown symptoms of the disease.” Many millions of people have downloaded the app since it became available. The Indian government has made it mandatory for certain groups, such as train travelers.

The concerns are over how much data the app collects. “It asks its users to share their name, phone number, age, gender, profession, and details of countries visited in the last 30 days,” states the CBS News article, reporting that internet freedom groups describe this amount of data, as well as the recording of users’ locations and Bluetooth data, as “excessive.” Additionally, researchers at the Massachusetts Institute of Technology (MIT) point out that it’s unclear who has access to the data.

Similar apps are being used in Singapore, Australia, Israel, South Korea, Taiwan, and China. The U.S. doesn’t yet have a national tracing app in place, but the government is working with tech companies and other resources to get one up and running. According to a recent Wall Street Journal article, Apple and Google “are working on a Bluetooth system that developers can use to build tracing apps while protecting users’ privacy.”

Security Measures

According to Reuters, “Nearly everyone agrees on deleting logs after about one month.” Other security measures include:

  • Leaving names off contact lists
  • Making contact lists secret
  • Leaving GPS data out of the mix
  • Making app use voluntary
  • Allowing users to opt in to share their data

The use of Bluetooth technology is of particular concern and another precaution is issuing patches when security issues are found. According to the Wall Street Journal article, “In November, a researcher from the Technical University of Darmstadt in Germany found a vulnerability in how Bluetooth was implemented on devices using Google’s Android operating system. Google issued a patch in February.”

Security Magazine proposes the following additional considerations:

  • Open source scrutiny. “All apps should be open source and vetted by the security community.”
  • “A decentralized approach such as the one proposed by Apple-Google has the benefit of not storing location data in a central ’trusted’ database that could be subject to abuse, data loss, and all the associated privacy risks.”
  • “Pooling resources and testing robust, open-source software would likely expedite the implementation of these apps and allow external validation.”
  • “Any new laws needed for storage of medical and location data should have sunset clauses and be revisited regularly and dismantled as soon as practical to do so.”

Another idea that has been floated by experts is for users to have the tracing app on a second phone, lowering the chance of having personal data accessed by hackers.

In Summary

As the coronavirus continues to disrupt the lives of people around the world, everyone is anxious for an end to the pandemic and the ability to return to normal activities. Until there is a vaccine available, one of the best ways to approach normalcy is with aggressive testing and tracing. While many are concerned about the security problems associated with tracing, cybersecurity experts are taking steps to ensure we don’t have to give up data security to protect our health.