Contact Tracing Apps Might Do More Harm Than Good

The COVID-19 pandemic isn’t getting any better, so people need to do everything in their power to stop the spread of the virus. Besides using surgical masks in closed, crowded spaces, practicing social distancing, and getting themselves tested, governments and health officials also urge us to use contact tracing apps.

 

contact-tracing-apps

 

 

Not familiar with them? Basically, they’re apps that notify you whenever you come into contact with someone who is diagnosed with COVID-19. They either use location services or Bluetooth to keep track of users’ locations and send notifications.

All in all, they sound like a pretty decent solution. But how true is that, actually? As we’ll show you in this article, contact tracing apps come with some serious problems.

 

Here’s Why We’re Skeptical of Contact Tracing Apps

Based on our research, these are the main issues with them:

 

They Can Actually Violate Your Privacy

Sure, health is important, but so is privacy. What’s the point in doing your part and participating in the fight against the pandemic when your personal data ends up in the hands of advertisers?

There’s no good reason for these apps to share your data with third parties. Only you or medical officials should have access to it. Unfortunately, some of them actually do that – like ProteGo Safe in Poland, an app that lets “private companies” access your data.

What’s more, all a contact tracing app needs to work efficiently is access to location services and Bluetooth, and for you to be honest about the state of your health. It doesn’t need to know your name, phone number, gender, age, and profession like Aarogya Setu does in India.

And neither does it need access to your contacts (we’re looking at you, Healthy Together App).

 

Hackers Can Abuse Them

Cybercriminals can actually take advantage of fake alerts and messages to trick people into accessing phishing sites. If successful, they can steal sensitive data from them, like their personal contact details and credit card numbers.

And that’s not all. Hackers can also set up their own fake contact tracing apps. Once installed on your device, they can infect with malware. They already did that with fake live COVID-19 maps, so it was only a matter of time until they’d set their sights on contact tracing apps.

 

They Come with Cybersecurity Risks

Location services are inherently a huge breach of privacy because they rely on WiFi, GPS data, and cellular signals to accurately track which places you’ve been to.

So a lot of apps use Bluetooth instead. It’s more privacy-friendly because the app only collects Bluetooth IDs from nearby Bluetooth-enabled devices. When one user reports COVID-19 symptoms, the app will alert all the devices it came into contact with.

However, Bluetooth isn’t perfect either.

For starters, Bluetooth Classic is actually vulnerable to a BIAS attack. According to this research paper, if successful, it could allow a hacker to get full access to your device.

What’s more, Bluetooth experienced two more serious vulnerabilities before:

  • BlueBorn – A dangerous exploit that would have allowed cybercriminals to connect to your device directly.
  • KNOB Attack – A vulnerability in Bluetooth BR and EDR connections that would have made it possible for hackers to downgrade Bluetooth encryption, making it easier for them to crack it. So they could monitor the sensitive data you share with the contact tracing app.

Those issues were fixed, but if you’re using a device whose manufacturer didn’t issue a patch for them, you’re in danger.

Oh, and Google and Apple’s new API that would allow decentralized data sharing through Bluetooth isn’t 100% safe either. The TL;DR is that a cybercriminal could use a camera that records the faces of people passing by alongside a rooted Bluetooth-enabled phone to associate COVID-19 diagnosis alerts with strangers’ faces.

 

False Positives Can Be a Huge Problem

What do we mean by “false positives”?

It’s simple – fake reports of COVID-19 exposure or diagnosis. Since that data is voluntarily submitted, anyone can lie and say they have symptoms or that they came into contact with someone who has the virus.

That can lead to people receiving erroneous alerts that they need to self-isolate. When those notifications pile up, people will start giving up on the app. Others might follow the fake advice and put their lives on hold for no reason.

And things can escalate fast. A desperate business owner could make fake exposure reports that involve competitors. Or an unscrupulous politician could submit fake reports to lower voting participation in a specific area.

 

So You Shouldn’t Use Contact Tracing Apps at All?

Not exactly. 

You can use them if you really want to. Just make sure they really take your privacy seriously and go the extra mile to protect it. By that, we mean they should:

  • Use Bluetooth instead of location services. Despite its problems, it’s still more privacy-friendly.
  • Store collected data on your device, not centralized servers.
  • Never share your data with third parties.
  • Never ask you for too much information (none is ideal).
  • Only allow users to access their data. If not possible, only health officials.

So you need to do a lot of digging around before downloading and installing such an app. We recommend checking out these contact tracing apps first. There are 54 of them from around the world, and ProPrivacy ranked them according to how well they handle privacy. Who knows, you might find the apps available in your region there.

If they don’t show up, and the only apps you can use are a joke when it comes to privacy, it’s better to avoid them. Maybe try pressuring politicians (by tagging them on social media, for example) to follow the example of privacy-friendly apps (like ito in Germany or SwissCovid in Switzerland).

 

What’s Your Opinion on Contact Tracing Apps?

Do you think they’re a step in the right direction, or will they fail because people can easily abuse them?

Please share your thoughts with us in the comments or on social media. Also, if you have any other relevant questions, go ahead and ask.