One common theme that many of our articles have stressed is that people are the most susceptible to phishing, business email compromise (BEC) and other types of social media attacks in times of crisis. Hackers regularly take advantage of users being stressed, distracted, and vulnerable to certain buzzwords and topics. Similarly, however, we can be too quick to embrace a proposed solution in response to a major crisis without careful consideration of its impact on other aspects of our lives. A good example of this right now is the issue of coronavirus contact-tracing apps. While one can certainly recognize the benefit of a nationwide deployment of these apps, since over 79 percent of Americans own a smartphone, there are serious privacy concerns regarding such an endeavor.
How Contact Tracing Apps Work
The premise behind contact-tracing apps is straightforward. These apps identify users that have tested positive for the virus. Their infection status is then shared through the app and broadcast using either GPS or Bluetooth. If everyone has the app installed on their phone, their phone will alert them whenever they come into proximity of someone infected. Once alerted, that person can check themselves for symptoms, get tested, and self-quarantine. Many government health officials across the globe assert that the apps can play a vital role in identifying localized spikes in infections and help authorities to quickly isolate those infected in order to prevent further spread of the virus.
Some Basic Challenges with the Apps
Although it sounds easy in theory, there are some inherent obstacles to getting it all to work in practice. First off, the proximity systems for these apps are not accurate enough to capture every contact instance. The apps are also incapable of factoring in extenuating circumstances of the immediate environment. For instance, while two individuals may be 2 feet apart on the grid, they may be located in separate rooms of the same building with a wall safely dividing them. And then there are the issues of whether a user has the app turned on and configured correctly.
Contact-tracing Apps Depend on Public Participation
Of course, contact-tracing apps are of little use if the app fails to attain a critical mass of active users. This has been a primary challenge for many of the countries that have attempted nationwide deployment of these apps. In Singapore, only one-fifth of its 5.7 million people installed it, far below the 75 percent active participation rate needed according to its health officials. The highest participation rate was garnered by Iceland at 38 percent, far below the minimum 60 percent target that European officials say has to be met in order for it to be effective. Reasons for the lackluster participation include people not being informed about the apps, privacy concerns, and the fear that infected individuals might be stigmatized. Others worry that the apps will evolve into a surveillance tool that will indefinitely invade individual privacy. In some countries, the use of the apps has become politicized and many people are defiantly not participating.
Legitimate Privacy Concerns
The privacy concerns that people have about sharing information about their personal health are valid. Norway, one of the first countries to implement a national coronavirus contact-tracing app campaign, recently abandoned it out of privacy concerns. The program only managed to obtain a 10 percent participation rate and was pulled when the country’s Data Protection Agency asked for the program to be suspended until privacy concerns could be addressed. A recent report by the cybersecurity company Check Point posed several privacy questions regarding these apps:
- What data is collected and how is it shared?
- Where is it stored and is it encrypted?
- Are there authorization and verification methods used to protect against abuse?
- Do users share their coronavirus diagnosis voluntarily or is the information revealed without their knowledge or permission?
There are also concerns that the apps could be easy prey for hackers. Researchers have found multiple vulnerabilities such as the exposure of national ID numbers and health status information. In India, a researcher discovered a security gap that allowed him to determine the infection status of individuals within their own homes. In North Dakota, the location-based advertising service Foursquare admitted that it receives location data from the state’s contact-tracing app, called Care19.
Are Contact-tracing Apps Compliant?
Regardless of the dire need for contact-tracing apps, the issue of compliance must be kept in mind, as the ramifications of noncompliance can be long lasting. The sharing of sensitive personal health information falls under a number of regulatory acts. For instance, the Americans with Disabilities Act (ADA) prohibits employers from disclosing confidential medical information regarding an employee that includes the employee’s identity. Then you have the issue of whether these apps stand up to the cybersecurity standards outlined by regulations including HIPAA, GDPR, and CCPA. A big issue for the developers of these apps concerns where the collected personal data resides. As long as the information permanently resides on the hosting device, developers do not have to worry about transfer issues. However, if the data is cached on the device and later aggregated to the cloud, protective measures must adhere to regulatory requirements, as a company must demonstrate its duty of care.
CCPA and Contact-tracing Apps
CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly to a California resident.” Because contact-tracing apps collect both geo-location data and health information, these data gathering processes fall under the legislation of CCPA. What’s more, many of these COVID-related apps require users to state a home location for the purpose of potential quarantining.
Due to the size of California, the implications of the California Consumer Privacy Act for contact-tracing apps are a big issue. Because CCPA applies to the personal information of all California residents, it applies to any state that Californians visit. It also applies to the state government of California regarding any state-issued contact-tracing app. In addition, some large companies are issuing their own contact-tracing apps to employees. CCPA requires employers to notify their staff before deploying some sort of data gathering app. This means that any company or organization that employs California residents at any of its offices should first verify its compliance requirements related to CCPA before implementing any sort of internal contact-tracing app.
HALOCK Security Labs can Help
In these uncertain times, it is the responsibility of any governmental organization or business to take precautionary measures concerning the health and safety of their employees and constituents. But these efforts must also be implemented with prudence and discretion when it comes to protecting the personal information of the very people they are trying to protect. That’s why it is important to have a partner that can educate and direct your efforts to ensure that your company remains compliant. At HALOCK, we have been helping companies of all sizes and industries navigate through the muddled waters of cybersecurity compliance since long before COVID made its way into our lives. We invite you to speak with one of our subject matter experts about compliance concerns regarding contact-tracing apps or any other facet of your business.