COVID-19 Contact Tracing Methods Compared: Examining Privacy & Security Implications
Discussions about contact tracing have been ongoing since February 2020, when some experts began looking ahead at how to move through the global COVID-19 pandemic.
What Is Contact Tracing?
Contact tracing essentially comprises identifying those who have been infected with COVID-19 and notifying as many people as possible who have been in close contact with them within a 14-day window.
The goal of contact tracing is to slow the spread of the novel coronavirus to reduce its overall impact both nationally and globally. Both manual (in-person) and software-based (smartphone app) methods have been implemented.
The problem? These approaches fly in the face of the various privacy acts in the U.S., essentially putting these privacy initiatives on hold.
Inconsistency of Contact-Tracing Methods
The challenge with COVID-19 contact tracing is that, rather than a single, unified approach, multiple different approaches have been developed.
Along with manual contact tracing, current technology-based solutions include (but are not limited to):
Each technological solution adopts a different approach to contact tracing. For example, some methods rely on GPS, which gathers longitude and latitude as data points, while others leverage a QR system that only tracks where you scanned. Bluetooth technologies vary depending on who implemented them.
Limitations of Manual Contact Tracing
Many states have decided to implement a manual method, hiring or asking for volunteers to become contact tracers. Some may argue that the manual method has worked in the past, so why argue against it now? Let’s review some of the limitations of manual contact tracing.
Minimal Educational and Training Requirements for Contact Tracers
The requirement to become a contact tracer? Surprisingly, only a high school diploma. No medical training or advanced education is required.
In addition to this, the contact tracing class is free and hosted on the site Coursera.
Too Few Contact Tracers in Major Cities
Volume is another factor limiting the effectiveness of manual contact tracers, especially in large cities.
For example, in New York City, MIT Technology Review found that a population exceeding 21 million people with more than 16,000 deaths has had fewer than 1,000 tracers in action.
How do they plan to increase those numbers to handle the potential of another surge? The answer is to spend money, which brings us to our second problem: budget.
High Cost of Hiring Contact Tracers at Scale
States such as Massachusetts have budgeted $44 million to hire contact tracers. And health leaders have asked Congress to provide $3.5 billion to help fund contact tracing. This is at a time when our economy is struggling and the lack of funding for testing is still being fought.
Limited Smartphone Access Can Hamper Contact-Tracing Effectiveness
So why are people arguing against technology for the manual method? A common argument is that the people most affected do not have access to smartphones, which would be required to make this technology work. So, I decided to do a bit of math using New York as my example.
- According to New York health officials, 1 in 5 people may have had COVID-19, which would be roughly 376,080 people using 2020 data.
- To purchase a very cheap Android or Apple smartphone under a prepaid plan that could support app-based contact tracing would cost roughly $3,760,800 using the lowest price I could find on Boost Mobile before adding money to the prepaid plan.
Additionally, the government has a program called LifeLine that offers phones to those in need. So even that can be used to outfit the high-risk individuals with a phone.
Limitations of Contact Tracing Technology
What about the technologies that have been developed around COVID-19 contact-tracing applications? So many have been developed and no one is following the exact same model.
Centralized Data Storage Poses Major Data Breach Risk
Some contact-tracing methods use centralized storage, which is the act of storing ALL data collected by users’ phones in one location.
The risks? A single point of failure and single target for malicious actors to access the data, and government discretion on how long to retain data and how they would use data.
In fact, in the U.K., officials have stated they would hold post-COVID-19 data for “research” purposes.
By contrast, a decentralized model (as adopted by Google and Apple) stores the data on each person’s phone separately. If you test positive for COVID-19, you have the ability to upload your data to a health authority’s server so others can be notified via a random identifier.
Contact Tracing App Privacy and Security Concerns
Outside of storage, what about privacy or security concerns around the use of these apps? We have already seen privacy AND security issues arise just over the last month.
One recent implementation was in South Korea, which is effectively a practice of mass surveillance under the guise of a pandemic app. Other security vulnerabilities were recently discovered in India’s contact-tracing app, Aarogya Setu.
These are not the only security and privacy breaches we will see. Each breach erodes the trust of the people, thereby reducing the effectiveness of each app.
How Google and Apple’s Exposure Notifications API Works
What about tech giants Google and Apple’s implementation of contact tracing? Each has been very upfront on their design of the Exposure Notifications API.
This API is designed to leverage Bluetooth Low Energy (BLE) wireless personal area network (WPAN) technology to generate a randomized unique Bluetooth identifier for each phone and exchange that number with other phones the user has been near for a minimum of 5 minutes.
Participation Is Voluntary
In addition, this entire program is opt-in, allowing users to decide if they wish to participate. And it goes a step further. If you test positive, YOU have the ability to opt into sending your positive test proof to your health authority.
The process involves Google and Apple’s security and privacy reviews that allow the person who tested positive to enter some sort of key or scan a code, which then informs health authorities of your positive test result.
Notifications Are Anonymous
The health authorities then leverage the Exposure Notifications API to distribute your unique key to all other participants. If a match is found, that individual is notified that they may have come into contact with someone who has tested positive for COVID-19. No names, locations, or other personal information are shared.
If you decide to opt out, Google and Apple both state in their white papers they will delete all keys from your phone.
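The decentralized flow described in this section, as an added sketch that is not code from Google, Apple or the original article. The HMAC-SHA256 derivation, the 10-minute rotation interval, and the names `Phone` and `rolling_id` are assumptions for illustration and stand in for the API's real cryptography; the encounter data is constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144   # assumption: the identifier rotates every 10 minutes
MIN_CONTACT_MINUTES = 5   # contact threshold stated in the article


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval (HMAC is a stand-in derivation)."""
    msg = b"rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.daily_key = os.urandom(16)     # random; carries no name or location
        self.heard: dict[bytes, int] = {}   # identifier -> minutes, kept on the phone

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, identifier: bytes, minutes: int) -> None:
        self.heard[identifier] = self.heard.get(identifier, 0) + minutes

    def upload_after_positive_test(self) -> bytes:
        # Opt-in step: only the random key goes to the health authority.
        return self.daily_key

    def check_exposure(self, published_keys: list[bytes]) -> bool:
        # Matching runs locally: re-derive every identifier from each published
        # key and total the minutes this phone spent near it.
        for key in published_keys:
            minutes = sum(self.heard.get(rolling_id(key, i), 0)
                          for i in range(INTERVALS_PER_DAY))
            if minutes >= MIN_CONTACT_MINUTES:
                return True
        return False


def demo() -> dict[str, bool]:
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(alice.broadcast(40), 8)     # constructed: 8 minutes near Alice
    carol.hear(alice.broadcast(41), 2)   # constructed: 2 minutes, below threshold
    published = [alice.upload_after_positive_test()]
    return {"bob": bob.check_exposure(published),
            "carol": carol.check_exposure(published)}
```

The health authority in this sketch only ever holds Alice's random key; it never learns that Bob or Carol were nearby, because the comparison happens on their own phones.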
Exposure Notifications API Phase 2 Rollout
Google and Apple have also indicated a phase 2 rollout where the contact tracing API will be on everyone’s phone, with opt-in capabilities still present. This means you can leverage their APIs without ever using a government application.
The problem with this approach is you would not be able to upload a positive test to a health authority without the health authority’s app. However, if you met someone who did, you would be notified nonetheless.
This May Be The Best (If Imperfect) Current Contact-Tracing Approach
Are these approaches perfect? Probably not. However, they are the best we have seen that take security and privacy into consideration from the start of development all the way through implementation.
In addition, both have already turned away countries such as France that have requested a centralized approach, which reveals an unwillingness to accommodate government requests.
We have seen numerous times how Apple deals with the federal government, with refusals to allow access to their customers’ phones or data.
These companies have a lot at stake when it comes to their reputation, so it would be unwise for them to abuse public trust with an application like this.
Will I Participate In Contact Tracing? Yes…With Conditions
I am often asked if I would participate in contact tracing. If the method were one I had investigated, and I had reviewed the security and privacy controls put in place, absolutely.
A technological approach is the only one that can withstand the volume while also keeping people safe. However, the weakness of this approach is that it relies on the number of people that participate AND the number of people who submit their positive statuses.
Widespread Mistrust of Contact Tracing Apps Stems from Misunderstanding
A recent poll by Axios states that most in the U.S. are against using this technology. In my opinion, this is due to the lack of understanding of what these apps do AND the wide variety of contact-tracing methods being leveraged across the country.
The government needs to be decisive about which implementation to leverage across the United States. This would allow better oversight into the security and privacy of the data. Data leaks or security breaches will erode the trust of the people, making this technology obsolete.
Do Your Homework
Investigate the contact-tracing application or method being implemented in your state to ensure privacy and security have been considered and made part of the development from the beginning.
Ask for transparency from your local politicians. If using an application from developers, inquire about their privacy policies.
Finally, question who has access to the data, regardless of the method being used locally or nationally. All these questions should help you decide whether to participate.
TEAMARES is an offensive and defensive security team composed of highly trained cybersecurity professionals that provide expertise in technology, adversarial engagements, risk and compliance, privacy and more.