Corona Virus Contact Tracing Apps Create Privacy Issues for Policy Makers
Nations are turning to advanced IT, artificial intelligence and data science to track the spread of the coronavirus. Various apps have been devised to upload and process the information. These tools have, however, also given rise to privacy concerns.
In the South Indian state of Kerala, which has won worldwide acclaim for the public health interventions that helped keep the coronavirus in check, a new allegation has been raised about the collection of health information on people in quarantine. Opposition Congress leader Ramesh Chennithala alleged that the health data of people placed in quarantine, and other health information relating to Covid-19 patients, were uploaded to the website of a US company without being stored on state government servers, and that the data will be processed there using artificial intelligence. This compromises the privacy and security of important patient data, according to Chennithala.
Hassan Asghar and Dali Kaafar of Macquarie University's Cybersecurity Hub have pointed out that even though Covid contact tracing apps can be life savers in a pandemic, they can also cause privacy issues.
The researchers analysed TraceTogether, a mobile app that Singapore has released as open source. Users may have concerns about the use of their data for mass surveillance. Here is how the app works.
TraceTogether uses Bluetooth to exchange information between nearby users; the received signal strength gives an approximate distance between them. The app exchanges the time and a (temporary) user ID with each nearby phone and logs these, encrypted, on the device. When someone installs the app, a centralised authority, such as the Department of Health, stores their mobile number, together with a newly generated permanent user ID, on its server.
The server uses its private key to generate temporary IDs and transmits them to the corresponding user. These temporary IDs are what nearby users exchange over Bluetooth. A user diagnosed with COVID-19 is asked for consent to upload the app's encrypted data logs to the server; with these, the registry can contact the other users who were in contact with them.
Privacy from other users is built in. The app uses temporary user IDs and refreshes them frequently. Because these IDs are generated by the server from the user's phone number and permanent ID, the central authority can determine the identity behind any temporary ID if needed. The temporary nature of the IDs means other users cannot track someone for long. But the server can.
Users' data is safe from snoopers: the data logs on the user's phone are encrypted, so an attacker who gets hold of the phone cannot read them. The server holds the decryption key for the logs, which are only sent to the server for determining close contacts between people. So the app keeps data secure from other users and snoopers, but not from the central registry: the server can retrieve users' data logs, decrypt and read them, and link the temporary IDs in them to real identities.
There are some privacy features. The server only asks for data logs from infected users or from people who have been near one. Data logs contain only relative distance (derived from signal strength), not precise location.
Data on phones is deleted after 21 days. The server can know a user's private data, but this is true of most apps. If a user tests positive, they can consent to the server retrieving their data in order to identify the users who have been in contact with them. At this point those other users, who may well be uninfected, lose control over their privacy.
The app could be (mis)used for surveillance. The central registry could obtain and decrypt data logs from a large number of users, which would amount to mass surveillance. Although data logs on the device are deleted after 21 days, there is no guarantee that logs decrypted at the central server would be.
The app could be tweaked for more privacy by reconfiguring it so that the app itself, rather than the server, generates the temporary user IDs. This way only the user knows their own identity. A diagnosed user would have to allow their device to share the list of temporary IDs it has logged; the server would then broadcast the temporary IDs that were in contact with the infected user, and users who receive a message containing one of their own temporary IDs can respond by identifying themselves.
Future versions should be decentralised. The server could push the temporary IDs of diagnosed users to the apps, allowing other users to determine on their own device whether they have been in contact with them.
Locally and randomly generated IDs cannot be linked to true identities, so the server would not know the identities of the users who were within infection range of someone who tested positive. This fundamental change in the design might not be possible to make quickly.
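To make the difference between the two designs concrete, the following toy simulation is added here as an illustration; it is not code from TraceTogether, from the Macquarie researchers, or from any real app. It models the centralised scheme described above (server-issued temporary IDs derived from a server-side key and a registry of phone numbers) and the decentralised alternative (random IDs generated on the phone, with the diagnosed user's IDs pushed out and matching done on the device). The phone numbers, the HMAC-based ID derivation, the three-epoch rotation and the single Alice/Bob encounter are all made up for the example; Bluetooth, the consent prompt and the on-device log encryption are simplified away.

```python
"""Toy comparison of a centralised and a decentralised contact-tracing design.
Everything here (numbers, key derivation, encounters) is constructed for the
example; it is not TraceTogether's code."""
import hashlib
import hmac
import secrets

EPOCHS = [0, 1, 2]  # assumed time slots after which temporary IDs rotate


class Phone:
    """A handset: its own temp ID per epoch plus a log of IDs heard nearby."""

    def __init__(self, number):
        self.number = number
        self.ids = {}    # epoch -> this phone's temporary ID
        self.log = []    # (epoch, temporary ID heard from a nearby phone)

    def current_id(self, epoch):
        return self.ids[epoch]


def encounter(a, b, epoch):
    """Two phones within Bluetooth range log each other's current temp ID."""
    a.log.append((epoch, b.current_id(epoch)))
    b.log.append((epoch, a.current_id(epoch)))


# --- Design 1: centralised. Temp IDs are derived from the server's private
#     key, so the server can recompute them and link any ID to a phone number.
class CentralServer:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # private key, never leaves the server
        self.registry = {}                   # permanent user ID -> phone number

    def register(self, phone):
        uid = secrets.token_hex(8)           # newly generated permanent ID
        self.registry[uid] = phone.number
        phone.ids = {e: self._temp_id(uid, e) for e in EPOCHS}  # issued to phone

    def _temp_id(self, uid, epoch):
        msg = f"{uid}:{epoch}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def resolve(self, temp_id):
        """Link a temp ID back to a phone number; needs the server key."""
        for uid, number in self.registry.items():
            for e in EPOCHS:
                if hmac.compare_digest(self._temp_id(uid, e), temp_id):
                    return number
        return None

    def contacts_from_upload(self, log):
        """What the server learns once a diagnosed user uploads their log."""
        return sorted({self.resolve(tid) for _, tid in log} - {None})


# --- Design 2: decentralised. Temp IDs are random and made on the phone; the
#     server only relays the IDs of diagnosed users and has nothing to link.
class DecentralServer:
    def __init__(self):
        self.published = set()               # temp IDs of diagnosed users

    def publish(self, phone):
        self.published |= set(phone.ids.values())

    def resolve(self, temp_id):
        return None  # no key and no registry: a random ID cannot be linked


def local_ids(phone):
    phone.ids = {e: secrets.token_hex(8) for e in EPOCHS}


def exposed(phone, server):
    """Matching happens on the device; the server never learns who matched."""
    return any(tid in server.published for _, tid in phone.log)


def run(design):
    alice, bob, carol = Phone("+65-1111"), Phone("+65-2222"), Phone("+65-3333")
    central = design == "central"
    server = CentralServer() if central else DecentralServer()
    for p in (alice, bob, carol):
        server.register(p) if central else local_ids(p)
    encounter(alice, bob, 0)  # Alice meets Bob; Carol meets nobody
    # Alice is diagnosed and consents to share.
    if central:
        return {"server_learns": server.contacts_from_upload(alice.log),
                "server_can_link": server.resolve(bob.current_id(0)) == bob.number}
    server.publish(alice)
    return {"server_learns": [],
            "bob_exposed": exposed(bob, server),
            "carol_exposed": exposed(carol, server),
            "server_can_link": server.resolve(bob.current_id(0)) == bob.number}


if __name__ == "__main__":
    print("centralised  :", run("central"))
    print("decentralised:", run("decentral"))
```

In the centralised run the server ends up with Bob's phone number, and could equally resolve any other temporary ID it is handed, which is the surveillance risk the article describes. In the decentralised run Bob's phone detects the exposure locally and Carol's does not, while the server holds only random strings it cannot attribute to anyone.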