Since China’s contact tracing system went live in February, around 30 countries have released official contact tracing apps. An evolution of traditional contact tracing systems, what seemed a few months ago to be a daunting yet exciting technological innovation has already reached a turning point. A range of privacy rows have ensued, and according to a recent software analysis by Guardsquare, a mobile app security company, the “vast majority” of contact tracing apps lack adequate security.
South Korea: an effective system with significant issues
South Korea’s epidemic response has received a large portion of media attention worldwide. Still, despite being one of the most highly praised national responses to the pandemic, South Korea’s apps have experienced a string of issues.
In its most recent scandal, engineer Frédéric Rechtenstein found that the app used to monitor people quarantining after arriving from abroad had serious security flaws that left private information vulnerable to hackers.
The name, date of birth, sex, nationality, address, phone number, real-time location, and medical symptoms of its users could be accessed because the app relied on a weak encryption key (1234567890123456) that was written directly into its code. Hackers were also able to tamper with app data to make it look like compliant users were violating quarantine orders, or like violators were safe at home.
In an interview, Jung Chan-hyun, an official at the Ministry of the Interior and Safety’s disaster response division, admitted that “We could not afford a time-consuming security check on the app that would delay its deployment.”
The flaws have now been fixed in the latest versions of the app and officials say there have been no reports that the vulnerabilities in the app were exploited. However, previous issues with the country’s contact tracing system, including the leaking of revealing private information and outing of gay people, have brought to the forefront the setbacks that even the most competent pandemic responses face.
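As an added illustration (not code from the app or from the researcher's findings), the following is a small static check of the kind a pre-release review could run to catch an encryption key written directly into app code. The sample source, the names and the thresholds are constructed assumptions.

```python
import math
import re

AES_KEY_LENGTHS = {16, 24, 32}  # bytes; one ASCII character per byte
STRING_LITERAL = re.compile(r'"([^"\\\n]{16,32})"')
KEY_CONTEXT = re.compile(r"key|secret|aes|cipher", re.IGNORECASE)

# Constructed sample input, not code from any real app.
SAMPLE = """\
class Crypto {
    static final String CONTENT_TYPE = "application/json";
    static final String AES_KEY = "1234567890123456";
    SecretKeySpec spec = new SecretKeySpec(AES_KEY.getBytes(), "AES");
    static final String API_SECRET = "q7Lz0pXv3RbN9sKd";
}
"""

def is_sequential(lit):
    """True when at least 80% of adjacent characters step by one (9->0 wraps)."""
    pairs = list(zip(lit, lit[1:]))
    hits = sum(1 for a, b in pairs
               if abs(ord(a) - ord(b)) == 1 or {a, b} == {"9", "0"})
    return hits >= 0.8 * len(pairs)

def keyspace_bits(lit):
    """Upper bound on guessing work if each character comes only from the
    classes the literal uses (10 digits, 26 lower, 26 upper, 33 symbols)."""
    size = (10 * any(c.isdigit() for c in lit) + 26 * any(c.islower() for c in lit)
            + 26 * any(c.isupper() for c in lit)
            + 33 * any(not c.isalnum() for c in lit))
    return len(lit) * math.log2(size)

def weakness_reasons(lit):
    checks = {
        "small-alphabet": keyspace_bits(lit) < 4 * len(lit),  # under half the key size
        "sequential": is_sequential(lit),
        "repeated": len(set(lit)) <= len(lit) // 4,
    }
    return [name for name, hit in checks.items() if hit]

def scan(source):
    """Return (line number, literal, reasons) for each suspect key literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for lit in STRING_LITERAL.findall(line):
            reasons = weakness_reasons(lit)
            if len(lit) in AES_KEY_LENGTHS and (KEY_CONTEXT.search(line) or reasons):
                findings.append((lineno, lit, ["hard-coded"] + reasons))
    return findings
```

Any key-length literal in a key-handling line is reported as hard-coded, since a key shipped inside the app can be read by anyone who unpacks it; the extra reasons only mark keys that are also guessable.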
Privacy and security issues elsewhere
Elsewhere, apps that collect location data and significant amounts of health info have come under increasing scrutiny. The Guardsquare software analysis also found weak encryption and other security issues in the 17 contact tracing apps it looked at.
In Norway, by mid-June, the government had temporarily suspended service of its location data-sharing contact tracing app Smittestopp. Data protection regulators said there were too few COVID-19 cases in the country to justify the unproven public health benefits of the app. In July, the country’s data watchdog imposed an interim ban on the app. The public health agency that ran the app has since deleted its users’ personal data.
In the UK, in mid-June, following criticism from several privacy advocates in the country, the government changed plans from building its contact tracing app from scratch to using the Apple-Google tracking system to ensure greater privacy. A few days later, plans for a contact tracing app altogether were shelved.
In Asia, reports from Amnesty International to The New York Times have revealed major security flaws with contact tracing apps in Qatar and India, prompting security updates. Where significant vulnerabilities have not been identified, apps such as those in China, Bahrain, and Kuwait have received criticism at home for excessively endangering privacy.
Decentralised apps have their share of issues too
Bugs and snooping aside, epidemiologists have acknowledged the potential for contact tracing apps to help public health efforts, especially where health systems can support mass-scale testing. However, Claudio Guarnieri, the head of Amnesty International’s Security Lab, stresses that the rushed manner in which these apps have been deployed could jeopardise efforts.
Countries like Germany and Ireland have attributed their success in handling the virus in part to their contact tracing apps. However, we are now becoming more aware of the complexity of contact tracing and the false sense of security that apps can bring. A lack of data to measure their effectiveness means that we cannot be sure whether these apps are performing their key function adequately, including how many false negatives and positives they are producing.
With decentralised app logs remaining with users, encrypted on their smartphones, by design, it will be difficult for us to get a clear picture of how useful these contact tracing apps are. With the honeymoon period over, countries will now have to make an extra effort to secure these apps and justify their use to encourage their uptake.
Countries without enforced use of contact tracing apps were already struggling to get even half of their population to use their apps; Iceland has one of the highest non-mandatory uptakes with a mere 40%. Although the required adoption rate of 60% has been debunked, trust in these apps will be needed to make them powerful tools in this pandemic and future ones. Will any app be able to navigate the challenges at hand? Significantly more willpower and resources will be needed for us to get there.