COVID-19 contact tracing apps are leaking user data, according to security company Avast. It claims that rushing apps to market has meant skimping on security. As a result, cybercriminals can steal personal details of those who are sick, national ID numbers, location data and more.
Trace and contact apps are seen as essential to stopping the spread of COVID-19. They allow governments to trace people who have been in contact with an infected individual and tell them to self-isolate. The data also shows how the virus is spreading and where hotspots are beginning to appear. This means that localised lockdowns can be used to contain the risk of a greater outbreak.
The UK and India are two countries that have discovered problems with their national apps and had to rethink how they are designed. In the US, however, there is no national app. Instead, each state is designing its own. This raises questions over interoperability between states and, more importantly, how data is protected. In June, Politico described the situation in the US as a “fat, loosely defended target.”
US legislators introducing laws to stop leakage
To stop the leakage of users’ data, two bills in the US seek to limit what data is collected and how it is used. A group of Republican Senators introduced the COVID-19 Consumer Data Protection Act (CCDPA) of 2020 on April 30, 2020. The bill seeks to limit how data is collected, processed and transferred. It also puts limits on the type of data that would be collected. Importantly, it requires all organisations covered by the bill to create, implement and maintain reasonable data security policies.
Democratic Senators then introduced the Public Health Emergency Privacy Act (PHEPA) on May 14, 2020. It is seen as an alternative to the CCDPA and seeks to go further. The PHEPA wants to limit the use of collected data solely to public health purposes. It also has enforcement provisions for organisations that fail to comply.
But will they work or even become law?
It can be argued that we already have large numbers of laws around privacy and data protection. Despite that, data breaches continue to occur in increasing numbers.
Avast security evangelist Luis Corrons feels that new app laws are beside the point. “The solution is already here, and there is no need for extra legislation. The success of these apps relies on the people using them.”
One of the problems in the US is that there is no central COVID-19 app. Instead, each state is writing its own, which increases the risk of data leakage and raises questions over interoperability.
Corrons sees this approach as being too risky. He says: “Apple and Google worked together to create an API that can create contact tracing apps. It requires user consent, works with Bluetooth, is anonymous, and does not store personal information on any server, protecting user privacy all the time. And it works for both Android and iOS.”
Enterprise Times: What does this mean?
Getting laws through either house of the US legislature is no simple matter. With the US heading towards an election, there is little time for hashing out a compromise between the two competing bills. The Republicans and Democrats have different views on privacy and data protection. This is evident from reading the two bills, where only one has any real enforcement mechanism.
The problem for the US is similar to that faced by Europe. As European countries rushed to create their own COVID-19 tracing and contact bills, interoperability quickly became an issue. It took until June 16, 2020, for an interoperability solution to be agreed across the EU. Neither of these US bills seeks to address that issue, and they also avoid the creation of a single US app that could provide more coherent track and trace capability.
The key question, however, is whether either bill will stop or reduce leakage and misuse of data. Given the lack of time in either house, Congress and Senate, to debate the bills, the answer is no.