Norway, Bahrain, and Kuwait are amongst the “most dangerous” for privacy in their deployment of COVID-19 contact tracing apps, as they track their citizens’ locations on a live or near real-time basis. These apps adopt an “invasive centralised approach” and pose a “great threat to privacy”, according to an Amnesty International study.
The group’s research, however, does not include countries in Asia or the US. Conducted by Amnesty’s Security Lab, the study assessed contact tracing apps from Europe, Middle East, and North Africa, and included detailed technical analyses of 11 apps in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia, and United Arab Emirates, it said in a statement Tuesday.
Amnesty International\’s investigation uncovers the unfortunate fact that many governments have absolutely no respect for the privacy of their citizens. These countries have chosen to exploit the COVID-19 pandemic, seeing it as an opportunity to increase the tracking and surveillance of their citizens. These apps go far beyond what is required to perform COVID-19 contact tracing, violating the privacy of all users. This sadly discourages users from installing contact tracing apps on their devices, limiting the effectiveness of such apps.
It goes without saying that applications to map social contacts will indeed have an impact on integrity – they are designed with that very purpose. What impact that will have on individuals is dependent on who will have access to this information.
Now, it should be noted that most phones have the capacity to already log this information, you are already subject to the honesty of others if you carry such a device. Is this concerning? Yes. Do the ends justify the means? Discussable. Did we lose any actual anonymity by this, given that the one we fear is ‘the government’? Barely.
Personally, I find the often bad security of the applications, putting this information in the hands of others than those we have elected to trust, a greater concern. But I also have the benefit of living in a country where the threat of authorities raiding my house for my opinions is not a current problem, and even finding risks in a government IT system and telling them without causing harm is met by a thank you and not a jail sentence.
GPS tracking is not the most effective or safe way to go about contact tracing because it is not accurate enough in most cases to determine whether two people came within a close enough distance to spread disease. GPS data is also difficult to anonymize, impacting the privacy of data subjects. That\’s why more privacy-conscious contact tracing apps opt for Bluetooth, which is better for checking proximity. With Bluetooth, an app can see whether two people were in close contact without recording their exact locations. Google and Apple\’s combined approach uses Bluetooth and rotating anonymous identifiers to protect users\’ privacy. GPS might be useful for quarantine enforcement, but is less effective for contact tracing.
Although the benefits of such apps are evident, the process of gathering the contact information is prone to collecting sensitive information. This, in turn, makes the nature of these apps potentially intrusive towards the user’s privacy and securing the sensitive (health) data. The issue we see here is a traditional dilemma between the speed at which an app must be developed and how well the apps are securely designed. If a secure software development life cycle (SSDLC) approach is used, then the app’s security and privacy implications are assessed at every step in the development process. Although this takes time, it also means the final app is well thought through in terms of the privacy impact to the users and the securing of the sensitive data. Such a process takes time, which is the key-factor we do not have, and sadly several countries did not take.
This exact key-decision making throughout the development lifecycle is what in other countries, such as the Netherlands and the UK led to these apps not being developed. As the impact on privacy and the lack of security in all the proposed app designs were not up to standards. Although there is great potential, if these apps may lead to mass-data gathering, privacy breaches, and leaking of sensitive personal health information we might want to take a step back and ensure these apps are well designed. A hasty decision, even during a pandemic, could have a greater impact than what we bargained for if we do not consider security and privacy by design.