Are Contact Tracing Apps a Threat to Privacy?

What to know about protecting your private information

Contact tracing apps can help public health officials track global pandemics, but there are growing privacy and cybersecurity concerns surrounding their implementation. Just how much of a threat to your privacy contact tracing apps may pose remains an open question.

What Types of Data Do Contact Tracing Apps Collect?

Contact tracing mobile apps came about in response to the global coronavirus outbreak. These apps emit a low-energy Bluetooth signal that communicates with other smartphones running the app. Each user is assigned an anonymized ID to keep track of interactions. If a user reports that they tested positive for an infectious disease, everyone who has been in Bluetooth-distance of that person will be notified of the potential exposure.

Colleagues in the office bumping elbows to avoid handshakes during COVID-19 pandemic.
Martin-DM 

Contact tracing apps might request information that many other apps ask for, such as your age, phone number, and zip code. All data is stored locally on your phone unless you choose to upload it to the public database. If you let the app know that you've tested positive, no identifying information about you will be shared with other users. The app, however, will save a record of your Bluetooth activity to its servers.

In order to utilize your phone's Bluetooth capabilities, Android apps will request permission to access your location; however, they do not actually track your location.

Contact Tracing Privacy and Security Concerns

The American Civil Liberties Union has identified several civil rights concerns regarding apps that use Bluetooth for contact tracing. Chief among them is the potential for sensitive health data to be exposed and used to discriminate against individuals. There's also the question of what happens to that data when the pandemic is over.

Although contact tracing apps won't share your personal information with other users when you report a positive test, it may be possible for others to surmise your infection status. For example, in regions that aren't densely populated, anyone you've come in contact with can deduce who may have exposed them based on their personal interactions.

Because governments have the legal authority to monitor the spread of infectious diseases, it's possible that they can force companies to hand over user data. Although the use of contact tracing apps is optional in most countries, governments can demand that restaurants and other businesses run a contact tracing app to catch potential outbreaks.

To help protect your personal data, use contact tracing apps in conjunction with privacy apps for iPhone and Android.

Can Contact Tracing Apps Be Hacked?

Despite the best efforts of cybersecurity experts, there's always the potential for security breaches. Apps that utilize Bluetooth are vulnerable to correlation attacks, which could give hackers access to anonymized Bluetooth data. This information could theoretically be used in conjunction with security cameras or other surveillance tools to put faces to user IDs.

Older versions of Android also have a vulnerability that allows hackers to remotely execute code while your Bluetooth is active. Thus, it's important to keep your Android OS up-to-date so that you have the latest security updates for your device.

What's Being Done?

To quell fears of government surveillance, governments and private companies are collaborating to develop APIs and privacy protocols for contact tracing apps. Developers can use these tools to design their own contact tracing apps for Android and iOS devices.

Google and Apple have promised to eventually delete the data their apps collect, but there is no law compelling them to do so. Nonetheless, the protocols they have developed block developers from accessing users' GPS data, which prevents apps from tracking your movements. In addition to protecting user anonymity, developers will have to make sure that they are compliant with government regulations such as HIPAA laws.

Best Practices for Contact Tracing Privacy

There are a few things you can do to mitigate the privacy risks of running a contact tracing app on your smartphone:

  • Enable automatic operating system updates to automatically download the latest security patches.
  • Enable automatic app updates so you're running the most recent version.
  • Research the legitimacy of any app before downloading it to make sure it's not a scam.

Smartphone Contact Tracing Apps in Other Countries

While the U.S. is taking a decentralized approach to contact tracing, other countries are making their own official apps that collect user data in a centralized database. For example, the government of Australia uses Covidsafe, which stores identifying information provided by users on an Amazon Web Services server.

This data can then be shared with healthcare professionals for contact tracing if a user decides to report a positive test result. Users must give their consent to upload their Bluetooth activity. To further promote transparency, the government has made the source code for the app publically available.