Govts scurry to fix nosey tracing apps

Chennai

In April, Norway released a smartphone app, Smittestopp or “stop infection,” that records users who come into close contact for more than 15 minutes and sends alerts if they have been exposed to the coronavirus. “We can all help stop the spread of infection and save lives,” Prime Minister Erna Solberg said in a statement at the time. “If many people download the Smittestopp app, we can open up society more and get our freedom back.” Within two weeks, nearly 900,000 people — or about one out of five Norwegians older than 16 — had started using the app. But by mid-June, the government had temporarily turned off the service after data protection regulators there said Norway had so few coronavirus cases that the risks of intensified surveillance outweighed the app’s as yet unproven public health benefits. This week, the country’s data watchdog formally imposed an interim ban on the app.

Norway is one of many countries that rushed out apps to trace and monitor the coronavirus this spring, only to scramble to address serious complaints that soon arose over extensive user data-mining or poor security practices. Human rights groups and technologists have warned that the design of many apps put hundreds of millions of people at risk for stalking, scams, identity theft or oppressive government tracking — and could undermine trust in public health efforts. The problems have emerged just as some countries are poised to deploy even more intrusive technologies, including asking hundreds of thousands of workers to wear virus-tracking wristbands around the clock.

In mid-June, after a barrage of criticism from privacy advocates, Britain abandoned the virus-tracing app it was developing and announced it was switching to software from Apple and Google that the companies have promoted as more “privacy preserving.”

In May, after Amnesty International identified major security flaws with a mandatory virus exposure-alert app in Qatar, the government quickly released an update with new security features. In April, reporters at The New York Times found that a government virus-tracing app in India, which had been downloaded more than 77 million times, could leak users’ precise locations. The Indian government immediately fixed the problem, and soon began offering financial rewards to security researchers who find vulnerabilities in the app. In fact, “the vast majority” of virus-tracing apps used by governments lack adequate security and “are easy for hackers” to attack, according to a recent software analysis by Guardsquare, a mobile app security company.

“It’s a cautionary tale for governments aggregating such an enormous amount of data,” said Claudio Guarnieri, the head of Amnesty International’s Security Lab, who identified the problems with the Qatari app.

Governments around the world have rolled out several dozen virus-tracing apps this year, he noted. “But, of course, doing so in a rushed manner, and doing so without proper considerations and the proper design and oversight,” he said, could “jeopardize these efforts.” Epidemiologists have said virus control apps may be helpful additions to public health efforts, especially in countries like South Korea, which has the national medical infrastructure to do mass-scale testing and isolate people who test positive.

But digital rights groups say some governments are using apps largely as performative gestures — to demonstrate to the public that they are taking some kind of concrete action against the virus. “Digital contact-tracing — the idea that there’s an app for that — is a very hopeful concept,” said Carly Kind, a human rights lawyer who is the director of the Ada Lovelace Institute, an artificial intelligence ethics research center in London. “I think governments want it to be true,” she added, but often the efforts seem like little more than “do-something-itis.”

Governments in Asia, in Europe and elsewhere have turned to mobile phones and apps during the pandemic for a variety of purposes, including analyzing smartphone location data from mobile providers to assess residents’ compliance with lockdowns. But tracking apps, which some countries are using to notify people of possible coronavirus exposure or to enforce government quarantine orders, have come under heightened scrutiny. That is because some of the apps continuously collect details about users’ health, precise locations and social interactions, increasing the privacy and security risks. In May, Qatar began requiring all residents to use a virus-alert and quarantine enforcement app or face fines of up to $55,000. The app assigns each user a digital color code — green for people who are healthy with no symptoms, red for confirmed cases of COVID-19 — that dictates whether a person must stay home or may go out. It can also track users’ real-time locations to monitor whether those infected with the virus are complying with government self-quarantine orders.

After testing the app, however, Amnesty International identified security flaws that could have given hackers access to the names, health status and in some cases the quarantine locations of the more than one million users who had downloaded it. Qatar quickly updated the app, bolstering its user authentication system. Neither the Ministry of Interior in Qatar, which oversees the app, nor the country’s embassy in the United States responded to emails seeking comment.

Guardsquare’s recent analysis of government-sponsored virus-tracing apps in 17 countries found other security flaws — including scant encryption and inadequate hacker-detection systems. The report warned governments that prioritizing app deployment speed over user security could erode citizens’ trust, and participation, in public health efforts. “App makers unfortunately do not seem to be taking the risks seriously enough yet,” the Guardsquare report said.

Critics faulted Norway’s “stop infection” app for a different issue: excessive government surveillance. Like a virus-tracing app in India, the Norwegian app collects continuous location data and sends it to a central government database to be analysed. Some other countries are taking a different approach, one that processes users’ private data on their own phones where government agencies cannot access it.

Gun Peggy Knudsen, deputy director general of the Norwegian Institute of Public Health, said that analyzing data from the virus-tracing app had helped her agency understand the effectiveness of public health measures, like lockdowns and social distancing.

But Norwegian technology experts soon began warning that location and social proximity data from the app could potentially be used for more invasive purposes, like mapping people’s social networks. Critics also argued that the public health agency was exploiting app users’ private details for its own purposes without their explicit consent.

Natasha Singer is a business reporter covering health-edu tech and consumer privacy for NYT© 2020

The New York Times