Virus-Tracing Apps Are Rife With Problems. Governments Are Rushing to Fix Them.

Posted July 8, 2020 8:10 p.m. EDT
Updated July 8, 2020 8:14 p.m. EDT

In April, Norway released a smartphone app, Smittestopp or “stop infection,” that records users who come into close contact for more than 15 minutes and sends alerts if they have been exposed to the coronavirus.

“We can all help stop the spread of infection and save lives,” Prime Minister Erna Solberg said in a statement at the time. “If many people download the Smittestopp app, we can open up society more and get our freedom back.”

Within two weeks, nearly 900,000 people — or about 1 out of 5 Norwegians older than 16 — had started using the app. But by mid-June, the government had temporarily turned off the service after data protection regulators there said Norway had so few coronavirus cases that the risks of intensified surveillance outweighed the app’s as yet unproven public health benefits. This week, the country’s data watchdog formally imposed an interim ban on the app.

Norway is one of many countries that rushed out apps to trace and monitor the coronavirus this spring, only to scramble to address serious complaints that soon arose over extensive user data-mining or poor security practices. Human rights groups and technologists have warned that the design of many apps put hundreds of millions of people at risk for stalking, scams, identity theft or oppressive government tracking — and could undermine trust in public health efforts. The problems have emerged just as some countries are poised to deploy even more intrusive technologies, including asking hundreds of thousands of workers to wear virus-tracking wristbands around the clock.

In mid-June, after a barrage of criticism from privacy advocates, Britain abandoned the virus-tracing app it was developing and announced it was switching to software from Apple and Google that the companies have promoted as more “privacy preserving.”

In May, after Amnesty International identified major security flaws with a mandatory virus exposure-alert app in Qatar, the government quickly released an update with new security features. In April, reporters at The New York Times found that a government virus-tracing app in India, which had been downloaded more than 77 million times, could leak users’ precise locations. The Indian government immediately fixed the problem and soon began offering financial rewards to security researchers who find vulnerabilities in the app.

In fact, “the vast majority” of virus-tracing apps used by governments lack adequate security and “are easy for hackers” to attack, according to a recent software analysis by Guardsquare, a mobile app security company.

“It’s a cautionary tale for governments aggregating such an enormous amount of data,” said Claudio Guarnieri, the head of Amnesty International’s Security Lab, who identified the problems with the Qatari app.

Governments around the world have rolled out several dozen virus-tracing apps this year, he noted. “But, of course, doing so in a rushed manner, and doing so without proper considerations and the proper design and oversight,” he said, could “jeopardize these efforts.”

Epidemiologists have said virus control apps may be helpful additions to public health efforts, especially in countries like South Korea, which has the national medical infrastructure to do mass-scale testing and isolate people who test positive.

But digital rights groups say some governments are using apps largely as performative gestures — to demonstrate to the public that they are taking some kind of concrete action against the virus.

“Digital contact-tracing — the idea that there’s an app for that — is a very hopeful concept,” said Carly Kind, a human rights lawyer who is the director of the Ada Lovelace Institute, an artificial intelligence ethics research center in London. “I think governments want it to be true,” she added, but often the efforts seem like little more than “do-something-itis.”

Governments in Asia, in Europe and elsewhere have turned to mobile phones and apps during the pandemic for a variety of purposes, including analyzing smartphone location data from mobile providers to assess residents’ compliance with lockdowns. But tracking apps, which some countries are using to notify people of possible coronavirus exposure or to enforce government quarantine orders, have come under heightened scrutiny. That is because some of the apps continuously collect details about users’ health, precise locations and social interactions, increasing the privacy and security risks.

In May, Qatar began requiring all residents to use a virus-alert and quarantine enforcement app or face fines of up to $55,000. The app assigns each user a digital color code — green for people who are healthy with no symptoms, red for confirmed cases of COVID-19 — that dictates whether a person must stay home or may go out. It can also track users’ real-time locations to monitor whether those infected with the virus are complying with government self-quarantine orders.

After testing the app, however, Amnesty International identified security flaws that could have given hackers access to the names, health status and in some cases the quarantine locations of the more than 1 million users who had downloaded it. Qatar quickly updated the app, bolstering its user authentication system.

Neither the Ministry of Interior in Qatar, which oversees the app, nor the country’s embassy in the United States responded to emails seeking comment.

Guardsquare’s recent analysis of government-sponsored virus-tracing apps in 17 countries found other security flaws — including scant encryption and inadequate hacker-detection systems. The report warned governments that prioritizing app deployment speed over user security could erode citizens’ trust, and participation, in public health efforts.

“App-makers unfortunately do not seem to be taking the risks seriously enough yet,” the Guardsquare report said.

Critics faulted Norway’s “stop infection” app for a different issue: excessive government surveillance.

Like a virus-tracing app in India, the Norwegian app collects continuous location data and sends it to a central government database to be analyzed. Some other countries are taking a different approach, one that processes users’ private data on their own phones where government agencies cannot access it.

Gun Peggy Knudsen, deputy director general of the Norwegian Institute of Public Health, said that analyzing data from the virus-tracing app had helped her agency understand the effectiveness of public health measures, like lockdowns and social distancing.

But Norwegian technology experts soon began warning that location and social proximity data from the app could potentially be used for more invasive purposes, like mapping people’s social networks. Critics also argued that the public health agency was exploiting app users’ private details for its own purposes without their explicit consent.

In May, after privately advising the government to make changes, more than 300 Norwegian technology, security and privacy experts posted a statement on Medium warning that the app could lead to “unprecedented surveillance” of society.

In June, Norway’s Data Protection Authority said it would temporarily ban the app, arguing that it collected far more data than it needed to function and could “no longer be regarded as a proportionate encroachment” on users’ basic privacy rights.

The public health agency has since deleted users’ personal data and temporarily deactivated the app. But Knudsen, the public health official, argued that disabling the app now was shortsighted and could make Norway less prepared for the next wave of the virus.

“It’s good for democracy to have a huge debate when we collect this amount of data,” Knudsen said. “But I am surprised that the critics, primarily tech people in Norway, are focusing so much on the privacy side and not on how can we handle public health during the coronavirus outbreak.”

In June, the Norwegian parliament asked health authorities to develop distinct user permissions for the app: one consent for virus-tracing and another for data collection. When the country’s data watchdog formally imposed a temporary ban on the app this week, it said health authorities had not proved its utility or allowed users to control how their data would be used.

“The app was introduced in what you might call a warlike situation,” said Simen Sommerfeldt, chief technology officer of Bouvet, an information technology consulting company in Norway and one of the organizers of the group statement on Medium. But now that the pandemic seems less like a short-term war against a disease and more like a long-term “new normal,” he said, “we can’t have an app that is so invasive of privacy.”

“We need to protect human rights even in this situation,” Sommerfeldt added.

Countries with more controlling governments may not be as responsive to privacy concerns.

Singapore recently began pilot-testing more intrusive virus-tracking technology — asking a group of migrant workers to wear Bluetooth-enabled wristbands that can detect their locations and proximity to one another. The initial goal is to deter workers infected with the virus who are quarantined in special dorms from visiting their healthier colleagues, said Ron Rock, chief executive of Microshare, a company in Philadelphia that is supplying technology for the pilot.

“Privacy concerns in Singapore are nothing like Europe and the United States,” Rock said. He added that Singapore was considering making the tracking wristbands mandatory for hundreds of thousands of its migrant workers. “They can mandate it for sure.”