Last month it was announced that the UK would be making a sudden u-turn on its contact tracing strategy, adopting a Bluetooth-powered decentralised contact tracing app using a framework developed by Apple and Google instead of the centralised app that was being developed by NHSX.
The NHSX contact tracing app, which has cost £11.8m so far, according to the parliamentary under-secretary of state for innovation Lord Bethell, was also found to have issues in detecting Android and Apple phones in trials on the Isle of Wight.
Meanwhile, Google and Apple have been making the case for their approach to the issue. In May, the tech giants released a joint statement saying “both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities”.
“These official apps will be available for users to download via their respective app stores.”
Contact tracing apps: Privacy and security challenges
Bill Conner is a cyber defense advisor to the UK Government and the CEO of SonicWALL. He was also involved in the encryption for UK passports and the digital security of the government portal while president and CEO of Entrust, and has advised the UN on cybersecurity and in creating Interpol‘s e-identification.
When it comes to contact tracing, Conner believes that security and privacy are of paramount importance.
“When I think of contact tracing it’s all about your personal privacy, be it location, be it health, be it other personal information that’s going to be resident there. In this case it’s PII with a HIPAA tone to it as well,” he says.
“And then it’s got a technology component. When I think of privacy, I always try and think privacy is a equation. Privacy = security x policy. Meaning PII is one kind of policy, GDPR is another kind of policy. So security’s got to be underpinning that, because you can’t have privacy without security, but the underlying security has got to be appropriate for what it’s trying to protect.”
Apple and Google’s model, in which data is stored on an individual’s device rather than anonymised data being stored in a centralised database has been welcomed by privacy advocates more than alternatives.
The two tech giants have put a number of restrictions in place in their contact tracing model, such as preventing GPS location data from being collected, and apps not requiring users to enter personal data, and have said that “privacy, transparency, and consent are of utmost importance in this effort”.
Conner believes that, from a privacy perspective, following Google and Apple’s model is a step in the right direction.
“With contact tracing, the good thing is the UK is and has always been one of the leaders in privacy. And I mean that from a public private standpoint as well as a personal standpoint,” he says.
“I think this is yet another case where the UK is kind of taking leadership for the citizens and the public-private partnership through what they’re doing with Google and Apple to bring privacy with underlying security with the right policy given the environment we’re in.
“I would assume between those three parties they know that and understand that extremely well, but if it ends up being a third party hosting that data and those three certainly know the level of risk about where that data resides.”
The Covid-19 pandemic has also seen a surge in malicious actors imitating trusted sources such as the World Health Organisation and governments.
Recently internet security company ESET warned that cybercriminals had created website imitating Canada’s contact tracing app as a way of spreading ransomware.
Threat intelligence platform Anomali also identified 12 applications masquerading as contact tracing apps which, when downloaded install malicious software to “steal banking credentials and personal data”.
Conner believes that having an app developed by the likes of Google and Apple is more secure than contact tracing apps created by potentially unreliable sources.
“One of the concerns around privacy is if those apps were not Google or Apple apps that were vetted by them, only by them and partnered with a government,” he says.
“People could be downloading contact tracing apps from anybody and then it was down to either Apple Store or Play Store to vet that it wasn’t bad, but that’s hard to do. I think the UK took leadership in saying “hey, we need a partnership here. We’ve got something that needs policy around it which is if people get infected with Covid, we need a mechanised way to help figure that out.
“Certainly by Google and Apple doing a partnership themselves and partnering with the government, the potential worry about getting rogue apps in those stores goes away.”
As well as privacy, concerns have been raised over the damage that could be done if the data generated by contact tracing apps falls into the wrong hands. Connor explains how this would be a goldmine for cybercriminals.
“If these got compromised, you’re going to have personal information, location information, health information, it’s very target rich in terms of information that would be worth something on the dark web and reusble on the dark web,” he warns.
“The beautiful thing, at least with Google and Apple is both those companies do a whole lot to protect security and records, Apple probably more notorious for that in the law enforcement world. So I think UK citizens will feel much better about that being protected. I’m sure they’re keeping that information in the UK so it’s not being stored elsewhere, and accessible through the government as opposed to other private institutions.
“I think [concerns about tracking and surveillance] are real. We can only hope, because this is a new experiment, that because it’s one app that Google, Apple and the government put out that other people that could have bad intentions aren’t allowed in the App Store or the Play Store to put out bogus apps. I’m not sure how that’s going to happen, I haven’t seen anything public from Google or Apple on that but hopefully they won’t be posting a bunch of non-vetted contact tracing apps there.”
Contact tracing: “These systems are complicated”
He believes that, as has been demonstrated by the rollout of voting technology in the US, individual governments or authorities developing their own technological solutions is not always successful.
“We’ve got elections coming up in the US and if you look at some of the states that have rolled out their own election system versus a national one and how terribly that’s gone,” he says.
“These systems are complicated. They have a lot of security and privacy risks that have to be thought through and in this case, it’s not a company, it’s Google and Apple collaborating together, it’s a government collaborating with that, and other companies in that group as well. If it was easy it would’ve already been done. It’s better to do it right than quick.”
Connor said that a contact tracing app could be rolled out in the US, but this process could be more complex than in the UK.
“The UK by nature has done more public private partnerships…the UK has a unique model that’s maybe a bit easier because of the scale of the country compared to the US and the government is used to that public-private partership,” he says.
“The US is doing a lot of work on it, and has talked a lot about it but it’s all kind of behind the curtain at this point.” “I think every country is going to have its own version. I’d be very happy if our version was similar to the UK. But the US is a much more complicated state-driven, healthcare-sensitive market that is a bit different. We’ll see if that same model or a derivitive of it will pass through here.”