Govt.-Backed Contact-Tracing Apps Raise Privacy Hackles

COVID contact tracing apps

New opt-in COVID-19 Exposure Notifications Express systems baked into Apple’s iOS and available on Android need privacy guardrails, say privacy advocates.

The Electronic Frontier Foundation is echoing lawmaker concerns that California is not taking privacy seriously enough, as state legislators mull launching a COVID-19 exposure-notification app based on Apple and Google’s smartphone technology.

The U.S. nonprofit, which is aimed at protecting citizens’ privacy and free speech, criticized the state’s lack of any privacy standards for state COVID-19 mobile tracking apps, or for contracts that California may enter to deploy such programs.

Threatpost Webinar Promo Bug Bounty

Click to Register

While California has not yet formally announced a program similar to ones other states already have launched that use mobile technology or apps to help people keep track of COVID-19 exposure in their local area, there are plans in the works, according to a blog post by Electronic Frontier Foundation’s (EFF) Hayley Tsukayama, a legislative activist.

Those plans have a distinct lack of consideration for privacy, however, she said, backing concerns made in a letter to California Governor Gavin Newsom written by three state lawmakers–Assembly Privacy and Consumer Protection Chair Ed Chau, Senate Judiciary Chair Hannah-Beth Jackson and Assembly Speaker Anthony Rendon.

In referencing discussions for a pilot program in California that includes a “contact-tracing application,” the legislators “articulated concerns about the lack of privacy considerations that have accompanied those plans,” Tsukyama wrote.

“The Administration has not fully considered many important implications of implementing” a statewide app, lawmakers said in the letter.

They also cautioned that California should be careful of the suggestion that Google and Apple may be willing to create a pilot program for California “free of charge,” maintaining that there could be hidden fees in how the companies use the sensitive personal data collected.

The most recent contact-tracing program launched by Colorado uses the Exposure Notifications Express (ESE) system, which Apple recently added to iOS and which will also soon be available on Google’s Android operating system. The technology for the system was jointly developed by the two companies to allow tech users to opt-in to a public health program that lets them if they’ve been exposed to COVID-19 without requiring them to download a separate app.

“It is likely to become the easiest path for most smartphone users to participate in exposure notification systems,” Tsukyama noted.

Other state COVID-19-notification systems already launched include North Dakota Care19Wyoming Care19 Alert, Alabama Guidesafe, Nevada COVID Trace and Virginia Covidwise, the last of which has has gotten good reviews for privacy and security, according to the EFF.

Any similar system that California decides to implement must not be done without having some very clear privacy rules, she warned, calling on Newsom “to place basic privacy guardrails on any contact-tracing program run by or with the state.”

Two bills toward this end that the EFF supported have already have been shot down in California legislature, Tsukyama noted. Those actions were “a disappointing failure to protect the privacy of Californians and thereby advance public health” as “the need for these protections is only growing,” she said.

Rules regarding citizen privacy in contact-tracing apps should include a data-minimization law that ensures that the data collected only serves a public-health purpose, and a guarantee that the information not be used for any other purpose, such as for commercial use.

The EFF also is calling for an assurance that those who choose to participate do not face discrimination, and that there are protections for people who cannot or do not want to participate in a data-collection program. The group also opposes California’s plan to make participation in the program compulsory.

Finally, any program should also include a strong requirement to purge data from such programs when it is no longer useful, requesting a 30-day retention period–with one “narrowly crafted” exception possible in terms of demographic data, Tsukyama wrote.

This latest critique is not the first time the EFF has expressed concern over COVID-19 contact-tracing technology. Back in April, the organization urged developers to proceed with caution when it came to Apple and Google’s joint developer platform for building COVID-19 tracking mobile apps. It warned against the potential for cybercriminal use and exploitation.

“Privacy protections are necessary to public-health programs, particularly when a program needs high levels of participation to be effective,” Tsukyama wrote. “People will not use applications they can’t trust.”

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles