Industry News
Coronavirus tracking apps could threaten personal privacy

Sign up for our daily cybersecurity news briefing today, free.

The coronavirus tracking apps coming onto the market, initially hailed as an important tool for containment of the virus, have quickly encountered fears about privacy, cybersecurity and effectiveness.

Tracking apps are already in use in Australia, India, China, Singapore and South Korea, and under development in France and Germany. In the United States, tech giants Google and Apple are teaming up to develop “exposure notification” software for use in iOS and Android apps.

The technology uses Bluetooth signals to determine the distance between phones. A person with a confirmed case of coronavirus can automatically send notifications to other phones with the contact tracing app, alerting users that they may have been exposed to the virus. The software, which is in beta testing, will be shared with local health departments.

Apple and Google say location services will not be used and any personal data would be anonymized and stay on the user’s phone, rather than going to a centralized database.

But researchers say that anonymized data can be reverse-engineered and mined for valuable particulars using machine learning and 15 characteristics, including gender, age and marital status.

Sven Mattisson, an engineer who helped develop the Bluetooth concept in 1995, says Bluetooth was not designed for tracking and location accuracy can be confused by buildings and open spaces, giving inaccurate readings.

The complexity of the Bluetooth technology can harbor vulnerabilities that could be exploited by hackers, says Ben Seri of the cybersecurity firm Armis Inc., who found such a flaw that was subsequently patched.

Other apps use GPS data that can track the location of the phone and send the data to a centralized database, making individuals easier to identify.

Coronavirus tracking around the world

American engineer Tim Brookins repurposed a football app into a coronavirus tracking app used in North and South Dakota. It is not as accurate as Bluetooth apps because it uses GPS, Wi-Fi and cell towers to estimate people’s real-world locations. The data is sent to a private server on Microsoft’s cloud, where health care officials can access it in real time with the user’s permission.

India uses several coronavirus apps including Aarogya Setu, a Bluetooth app that will become the default tracking app on Indian cellphones. An app called Quarantine Watch tracks the location of people under quarantine who must take selfies to prove they are home. Another quarantine app used in the Mumbai region creates a virtual perimeter around a quarantined house using location data collected from smartphones and notifies authorities if someone leaves the quarantined area.

South Korea has successfully contained the coronavirus using data from cellphones, GPS in cars, credit card transactions and surveillance cameras to track the spread of coronavirus cases.

The information goes to a centralized data collection platform where it is available to public health authorities. Here is an example of what’s collected: 

  • Two patients, one of them a 21-year-old male, visited a 7-Eleven from 3:59 to 4:11 a.m.,  and then spent two hours at a local bar. Both locations were notified and sanitized. One of the patients later went to a movie theater and watched “The Invisible Man” from the last row without wearing a mask.

While that level of information has been useful to health authorities, it alarmed the National Human Rights Commission of South Korea, which said it could discourage self-reporting of symptoms and traumatize patients because the information is specific enough to be able to identify some individuals.

Personal Privacy Concerns

The technology in the apps has been used by marketers for years to collect data points from web searches and social media sites about consumer interests. But now medical information is being added to the mix and during the pandemic, the US Department of Health and Human Services is easing the HIPAA privacy rules to allow health departments to access it. Personal privacy advocates are worried about what might happen to that data after the pandemic is over.

“As these systems are deployed, we need to keep the really sharp eyes as a society to make sure that they don’t become effectively mandatory, and that people can continue to live their life without it,” said Daniel Kahn Gillmor, senior staff technologist at the American Civil Liberties Union.

The Mayo Clinic, Facebook and the MIT are working on a different technology, called differential privacy, that could analyze data without identifying individuals, who also would be allowed to edit their data before it is submitted to a public health database. Encryption would protect personal information from cybercriminals.

This type of app would allow public health departments to identify virus clusters, so public officials could customize restrictions based on risk.

However, all of these concerns are irrelevant if Americans don’t buy in and download the apps. Recent surveys indicate Americans are reluctant to use them. Some are worried about privacy and hacking issues. Others, especially the vulnerable population over age 65, don’t own a smartphone.

Researchers at Oxford University say that 60% of a population would need to be using the tracking apps for them to be effective. But, a Washington Post-University of Maryland poll found that only 41% of Americans who own a smartphone would be willing to download the app.

The apps, while a promising tool in the coronavirus fight, will present users with ongoing challenges of how to balance public health with the right to privacy.

If you enjoyed this deep dive into how coronavirus tracking apps could affect your personal privacy, you can subscribe to our daily cybersecurity news briefing for more informative content. For even more quality news coverage, you can subscribe to any of SmartBrief’s 275+ free newsletters.

Lilla Ross is a copy editor/writer for SmartBrief. She focuses on cybersecurity and mobile marketing.