Apple and Google COVID-19 Contact Tracing a Potential for Security and Privacy Concerns

This blog was written and produced by Courtney Nist, Senior Consultant, and Betul Yilmaz, Security Consultant II at FoxPointe Solutions. Both provide expertise to clients related to SOC 1 & 2 and HITRUST compliance. Looking to get in touch with Courtney or Betul? Reach out today: Courtney Nist, cnist@foxpointesolutions.com and Betul Yilmaz, byilmaz@foxpointesolutions.com.

You know you are living in a crazy time when there is a pandemic consuming the entire world and it mysteriously causes all the toilet paper to disappear off the shelves. But the true indication of craziness is when Apple and Google, notorious technology rivals, come together for the common good and well-being of the public. But is it really all that good?

The COVID-19 contact tracing framework that Apple and Google aim to have available in mid-May utilizes Bluetooth Low Energy (BLE) beacons to track individuals who have tested positive for the disease and alerts those who have had contact with them. The Application Programming Interface (API) will be available only to public health agencies so that they can integrate it into their own applications. Here is a simple breakdown of how the model is intended to work:

• When people are in close contact with one another, their phones will exchange an anonymous proximity identifier that changes about every 15 minutes to prevent continuous tracking of the device.
• Given that this is a voluntary opt-in service, an individual who has the disease would enter their positive diagnosis into the system. They would then authorize the release of their device’s broadcast beacons from the last 14 days to the system.
• Those who have a beacon that matches with the broadcast beacons of people who tested positive would be alerted that they have been in close proximity with a COVID-19 positive individual without disclosing that person’s identity.

It appears that Apple and Google are banking on the fact that the tool uses Bluetooth technology rather than device location and on the voluntary participation aspect of it as a way to gain user’s trust. Let’s give them the benefit of the doubt and say that they really are developing this tool with good intentions. This does not change the fact that there are flaws with all technology. With a new data breach discovered every day, the proposal of this new system rightly leads to a number of questions and concerns. For example:

• How do you prevent people from providing a false positive diagnosis?
• What if hackers find a way to get into this system and submit positive test results to cause more chaos?
• How does my information get deleted and after how long?
• If the information is being used to track who an individual has been in contact with, can’t it also be co-opted for commercial purposes or government surveillance? Apple and Google claim that there are no personal identifiers involved; however, nothing can be guaranteed.

At first, the use of a Bluetooth tracking technology appears to be the right solution to help end this worldwide pandemic. However, there are many privacy and security concerns that individuals of all ages must consider prior to opting-in and using Apple and Google’s COVID-19 contact tracing technology. Just like any other security system, Bluetooth is not perfect even though the data between the two devices is encrypted. On a regular day, hackers are working to break that encryption. Given the potential increase in the use of Bluetooth during this time, hackers are going to be working even harder to decrypt Bluetooth connections to gain access to eavesdrop on all the data that passes to and from a device. It is important to note that hackers are more likely to be successful in decrypting data from devices that have older Bluetooth versions, so it is critical that users ensure that their devices remain up to date on Apple’s and Google’s software updates. Another concern is the accuracy of using Bluetooth for this purpose. Bluetooth can connect to other devices through barriers, such as walls, floors, and cars. Given this, it is very likely that false positives may be reported on a frequent basis.

There are clear privacy and security concerns as the tool currently stands but remember that it doesn’t end there. Once government agencies adopt the application, there is no guarantee that additional invasive permissions would not be added, such as location tracking. They may require users to provide more personal information. There is no written rule that the use of this tool would end once COVID-19 clears up. The government may use this model to track other various, contagious diseases. Will entering our symptoms and diagnoses into a mobile tracking application become the new normal? Providing your positive test results to the system is voluntary, but again, who is to say that the government wouldn’t go as far as mandating it? Other countries have implemented similar surveillance type methods, like the use of drones, cameras, facial recognition, location tracking, and much more.

It is important to not be narrow-minded with regard to the COVID-19 pandemic to the point where we ignore other worldwide issues that are a constant concern, such as hacking. Given the reputation between Apple and Google, it is safe to say that many have confidence that their application will be secure; however, it is important that potential users of the technology do their part in ensuring their individual privacy and security.

For additional information, reach out to our experts today.

The information and advice we are providing for this matter relates to COVID-19 legislative relief measures. Because legislative efforts are still ongoing, we expect that there may be additional guidance and clarification from regulators that could modify some of the advice and information provided to you, after the conclusion of our engagement. We therefore make no warranties, expressed or implied, on the services provided hereunder.