
COVID-19 App User Anonymity Mandates App Authentication


With smartphone usage now a global phenomenon, mobile apps and connectivity are common denominators binding people the world over. As the world's nations grapple with the shared dilemma of how to manage the ongoing coronavirus (COVID-19) pandemic, it is little wonder that governments and health authorities across the planet are turning to mobile app technology as a weapon in their crisis management arsenal.

A number of schemes involving COVID-19 specific apps are already in place, with intentions that range from keeping track of individuals who are confirmed to have contracted the virus, to tools providing clinical advice, or acting as channels of communication for the reporting of symptoms.

Several of these apps delve deeply into highly sensitive personal information, or offer levels of tracking and surveillance that would in normal circumstances be considered highly suspect or intrusive. This has prompted calls for these apps to include methods for anonymising personal data, or protected opt-in mechanisms that let users sign up to their information exchange systems without divulging personal information.

But privacy protections and anonymity are only part of the problem. As we'll discuss in this article, it is critically important to put some form of app attestation in place, so that the backend can tell genuine app instances apart from scripts and tampered apps, and so safeguard these highly sensitive systems from data compromise and malicious attack.

Breakdown Of COVID-19 App Usage By Region

COVID-19 tracking apps are currently being deployed in 11 countries worldwide. Some nations are probing deeply into the movement and activities of individual citizens, while others are taking a more generalised approach, using anonymised data to monitor behaviour patterns and clinical information.

In Asia, South Korea has adopted one of the most thorough looks into the activity of its people, with an app ecosystem that tracks individual users' phones and provides a publicly accessible map charting the movement and activities of confirmed coronavirus patients.

According to Business Insider and a live index from digital rights group Top10VPN charting the COVID-19 related activities of various governments, South Korea’s app database includes credit card records and one-on-one interview data from patients. This is enabling the South Korean government to build retroactive traces of patient movements, and to proactively send text messages to people in regions where coronavirus patients recently visited.

The Guardian reports that the app developed by South Korea’s Ministry of the Interior and Safety provides tools for quarantined patients to report their symptoms -- while at the same time using GPS tracking to alert both law enforcement and their fellow citizens if they happen to stray outside their permitted zone of movement.

Similar measures have been adopted in Taiwan, where the government has set up what it calls an "electronic fence," which tracks mobile phone data and issues alerts to the authorities if someone under quarantine leaves their home -- or even if they switch off their phone. And in Singapore, social distancing is being reinforced with help from an app capable of tracing people within 2 metres of an infected patient.

Business Insider also reports that a $2 trillion economic stimulus bill passed by the US Senate includes $500 million for the Centers for Disease Control and Prevention (CDC) to launch a new "surveillance and data collection system" to monitor the spread of the COVID-19 virus. No details are available as to how the system will operate.

In Europe, the BBC reports that “a number of mobile network operators have offered to provide anonymised data about users' movements to help identify potential "hot zones" where the virus might be at most risk of spreading.” One of these is Telekom Austria AG, which is using a derivative of technology developed to gather statistics from tourist sites. Governments in Belgium and Germany are also coordinating their COVID-19 monitoring efforts with local telecom operators, as is Italy, which has been the continent’s hardest hit nation to date.

A Polish government app named "Home Quarantine" requires quarantined patients to first register themselves with a selfie, after which they receive periodic requests for snapshots verifying their whereabouts. Failure to comply within 20 minutes merits a visit from the police.

Meanwhile, the UK has begun talks with major telecom networks to gain access to large and anonymised data sets, and Business Insider reports that the government is “considering using aggregated data to track the wider pattern of people's movements.”

The BBC indicates that the Prime Minister's advisor Dominic Cummings recently hosted a meeting with technology leaders to discuss the development of a COVID-19 management app in the UK. The results of their deliberations are still anticipated -- but as with the measures taken by other countries, a number of caveats have been stipulated.

The Dangers - And Why Some Level Of Authentication Is Necessary

Some governments are deploying their COVID-19 monitoring app programmes with a degree of respect for public concerns over heightened surveillance and invasions of privacy. For example, Singapore's TraceTogether app only uses Bluetooth to establish if a user remains within 2 metres of another person for more than 30 minutes.

In other places however, there are worries that the enhanced powers taken on by government and law enforcement agencies during these early days of the pandemic may remain as standard practice, long after the COVID-19 outbreak has been brought under some manageable level of control. Speaking to Business Insider, Samuel Woodhams, Top10VPN's Digital Rights Lead summed it up like this:

"Without adequate tracking, there is a danger that these new, often highly invasive, measures will become the norm around the world. Although some may appear entirely legitimate, many pose a risk to citizens' right to privacy and freedom of expression. Given how quickly things are changing, documenting the new measures is the first step to challenging potential overreach, providing scrutiny and holding corporations and governments to account."

Digital rights and civil liberties watchdogs may have a rough road ahead, as COVID-19 app monitoring is also serving to help governments and health professionals track symptoms, patterns of spread, and other clues needed in formulating management strategies and treatment plans. In this regard, there may be greater concerns than those relating to personal privacy.

Clinical observations, patient behaviour patterns, and other information gleaned from these apps could have a bearing on treatment, containment methodology and strategic planning going forward. The unstated assumption is that any insights obtained from analysis of this data rest on information that is accurate, authentic, and relevant.

In an atmosphere where people's living conditions are now radically altered, and with greater emphasis on digital channels of interaction and trade, new opportunities are being created for an already active ecosystem of hackers and cyber criminals. COVID-19 monitoring apps are in danger of attack -- for example, via scripts that impersonate the genuine app against its backend API and submit fabricated data, corrupting the data set and giving health and crisis managers a misleading picture.

Why App Attestation Is Appropriate - And Necessary - Moving Forward

Under these circumstances, minimising the risk of attacks on COVID-19 apps is therefore an issue of national security. As we move deeper into our management of the crisis, app attestation will become a key technology in balancing individual privacy rights against the needs of society.

In essence, attestation is a mechanism that enables an app to prove to a remote party that it is the genuine, unmodified app running in a trustworthy environment. Of particular relevance in the COVID-19 context is remote attestation, whereby a successful check allows one system (a government database, for example) to draw reliable conclusions about the software running on another system (e.g., a COVID-19 tracking app on a remote user's phone), and to issue that app a short-lived credential that its API requests must carry.

Attestation protocols can run in both directions, allowing the sender of a communication or piece of data and its recipient to authenticate each other. Attestation also allows participating systems to enforce security policies that limit connections to parties that abide by their rules. In the context of a COVID-19 tracking app, we need to ensure that an attacker cannot maliciously submit data indicating that they have been in contact with many more people than they really have. We also have to protect the API endpoints against being brute-forced in any way that could be used to deanonymise the data held, for example by driving a lookup endpoint from a script with no per-client limit.
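The following is an added example, written for this article rather than taken from Approov or any national app, of the flow just described: an attestation service issues a short-lived signed token only to an app instance whose measurement matches the known-good build, and the backend API accepts a contact upload only when the request carries a valid, unexpired token. The app hashes, the shared secret, the token format, the per-instance quota and the plausibility cap on contacts per upload are all assumptions constructed for the illustration; a real deployment would measure the app with platform integrity APIs and use a proper token standard.

```python
"""Toy remote-attestation gate for a contact-tracing upload endpoint (added example,
not code from the article or any real app; all constants below are constructed)."""
import base64
import hashlib
import hmac
import json

# Shared between the attestation service and the API backend (constructed secret).
ATTEST_SECRET = b"attestation-service-secret-example"
# Measurement of the official app build (constructed), and of a repackaged copy.
KNOWN_GOOD_APP_HASH = hashlib.sha256(b"official-covid-app-v1.2").hexdigest()
REPACKAGED_APP_HASH = hashlib.sha256(b"official-covid-app-v1.2+hook").hexdigest()
TOKEN_TTL_SECONDS = 300


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_hash: str, instance_id: str, now: int):
    """Attestation service: hand out a token only if the app measurement is known-good."""
    if not hmac.compare_digest(app_hash, KNOWN_GOOD_APP_HASH):
        return None  # modified, repackaged or scripted client: no credential
    body = b64url(json.dumps({"iid": instance_id, "exp": now + TOKEN_TTL_SECONDS},
                             sort_keys=True).encode())
    sig = b64url(hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now: int):
    """API backend: return the token's claims, or None if missing, forged or expired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        claims = json.loads(b64url_decode(body))
    except (AttributeError, ValueError):
        return None  # not a token at all, or undecodable
    if claims.get("exp", 0) <= now:
        return None
    return claims


def forge_claims(token: str, new_instance_id: str) -> str:
    """Attacker move: rewrite the claims but keep the original signature."""
    _body, sig = token.split(".")
    forged = b64url(json.dumps({"iid": new_instance_id, "exp": 2**31}).encode())
    return f"{forged}.{sig}"


class ContactUploadAPI:
    # Sanity limits (assumed values): cap uploads per attested instance to blunt
    # brute-force/deanonymisation attempts, and reject implausible contact counts.
    MAX_UPLOADS_PER_INSTANCE = 5
    MAX_CONTACTS_PER_UPLOAD = 200

    def __init__(self):
        self.uploads_by_instance = {}
        self.accepted = []

    def upload(self, token, contacts, now: int):
        claims = verify_token(token, now)
        if claims is None:
            return (401, "attestation failed")
        iid = claims["iid"]
        if self.uploads_by_instance.get(iid, 0) >= self.MAX_UPLOADS_PER_INSTANCE:
            return (429, "per-instance quota exceeded")
        if len(contacts) > self.MAX_CONTACTS_PER_UPLOAD:
            return (422, "implausible contact count")
        self.uploads_by_instance[iid] = self.uploads_by_instance.get(iid, 0) + 1
        self.accepted.append((iid, list(contacts)))
        return (200, "accepted")


if __name__ == "__main__":
    now = 1_700_000_000
    api = ContactUploadAPI()
    genuine = issue_token(KNOWN_GOOD_APP_HASH, "phone-A", now)
    print("genuine app:", api.upload(genuine, ["c1", "c2"], now))
    print("repackaged app gets token:", issue_token(REPACKAGED_APP_HASH, "phone-B", now))
    print("spoofing script, no token:", api.upload(None, ["c1"] * 50, now))
    print("forged claims:", api.upload(forge_claims(genuine, "phone-Z"), ["c1"], now))
    print("expired token:", api.upload(genuine, ["c1"], now + TOKEN_TTL_SECONDS))
```

The point to take from the flow is that the backend never trusts the request body on its own: the upload is tied to a credential that only an attested instance could have obtained, the credential expires quickly so a captured one is of little use, and the per-instance quota makes an attested-but-abusive client easy to throttle and trace.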

These are the kinds of assurances and controls that both governments and their citizens will need, as we face the prospect of increasing levels of surveillance, monitoring, and data analysis using COVID-19 tracking apps and related technologies.

PS If you are interested in what CriticalBlue is contributing to the creation and deployment of COVID-19 proximity tracing apps, please check out this blog article and its associated whitepaper. And let us know if you have any thoughts on the topic.


Richard Taylor

- CTO and Co-Founder at Approov Ltd
Chief Technical Officer with more than 30 years of industry experience. Background in compiler optimization and processor architecture, working more recently in application security and cloud computing technologies. Richard co-founded and is CTO of Approov Mobile Security (previously Critical Blue Ltd) and has led a number of innovative product developments in the areas of EDA, software optimization and remote software attestation.