There is no doubt that technology made life more bearable during the global pandemic. From the use of unmanned aircraft to deliver medicines and basic necessities across Ireland, to the advent of videoconferencing platforms such as Zoom, creating a more connected community of isolated workers. The opportunities offered by our increasingly digital age make isolation more tolerant and provide connections and entertainment. However, the rapid application of technology during this international pandemic, which manifests itself under the guise of personal data security, has a downside.
The United Kingdom is currently pursuing a new COVID 19 tracking service that uses Bluetooth data from mobile phones to inform users of possible contact with infected persons. Mobile application : NHS COVID-19 is currently deployed on the Isle of Wight, with the prospect of further development on the British mainland in the coming weeks. However, despite the negative security connotations of the tracking application, most British people are in favour of the government being able to use mobile phone data to track the spread of crown viruses. Although it is theoretically useful to monitor the spread of the virus, allowing access to our personal devices by the government is a slippery slope with many security considerations.
According to the NHS website, the purpose of this application is to reduce the transmission of the virus by alerting people who may have been exposed to the infection. The NHS claims that the application was designed with privacy in mind, which indicates that no Personal Information (PII) is collected from users. However, this is without prejudice to a number of safety issues that have been raised. Despite the positive effects of this service, which proposes to keep the British population informed of possible contamination, there is a dark side to this application, which has its roots in government supervision and the security of personal data. The ethical implications of the service provision were only briefly addressed in the last paragraphs of the declaration, which shows that ethics are not at the forefront of the debate.
In addition, Yang Levey, an employee of the National Cyber Security Centre, has written an extensive blog describing the security settings of the application. However, the issue of safety is only fully addressed after ten general discussion points, some of which are devoted to the description of the use of contact tracing more than 500 years ago. The fact that physical safety only comes up for discussion after the history lesson shows that there is more at stake than meets the eye. Levi has repeatedly stated that the collected data is anonymous and can only be used to provide health information. However, this does not mean that users are not at risk.
Mr Levy went on to say that the system’s cybersecurity check keeps logs containing IP addresses, but these are strictly access-controlled and only accessible to the cybersecurity team monitoring the application system. However, this is not necessarily reassuring for the user, as all information can be filtered out, either by skilled cybercriminals, an unsecured access point or even by a dissatisfied insider who tries to make a quick profit by selling valuable information on the black web.
One of the key points in the development of this application is the speed with which it is developed. In general, time-critical applications such as these often involve a trade-off between speed and functionality. Tim Erlin, Tripwire’s Vice President, describes the problem and states that when there is a strong sense of urgency about a project, it can be difficult to override security and confidentiality. Hugo van den Thorn, head of offensive security at the outpost24 , also noted another source of concern: If an application is developed quickly, it is easy to make a mistake regarding the privacy and security of user data. Since this is confidential information, it is clear that we should not rush to download an application that could jeopardize our confidential information before it has been properly reviewed.
Joshua Berry, Assistant Chief Security Consultant at Synopsys, explains the possible consequences of disclosing such intimate details to third parties, even under the cover of anonymity. Contact tracking applications use Bluetooth Low Energy (BLE) advertising to send and collect messages to identify contacts with other users. In fact, with tracking applications, attackers can fully read all Bluetooth connections of the cars they drive to the music they are listening to.
To ensure that our contact tracking services are widely accepted, we must ensure that the PII we submit is completely secure. This raises several questions about where sensitive data is stored and who has access to it. For example, only biographical data such as age, gender and postal code are recorded in an application. Therefore, users need to be sure who has access to this data. Is this information used by medical services, or is it sold to companies that analyse data, or is it even used by the Ministry of the Interior to triangulate users’ movements using Bluetooth handshakes?
With more and more people blocking and working from home, we see that cybercriminals use fear to entice users into following malicious links. Indeed, Securonix found in the Cyber Threat Update COVID-19 that the number of malicious domains with the words corona or covid19 increased exponentially. Given the use of NHS COVID-19, users may fall victim to more pandemic-related social engineering methods. This is because if you wait for an update of the NHS application, you will probably open an email or text message with keywords: Coronavirus or COVID-19. The reason for this is that Securonix has proven that more and more cyber criminals use the terminology of viruses to trick users into downloading malicious material. For example, users with a mobile tracking application are more likely to fall victim to malicious content that is medically disguised.
After all, safety experts expect that the proliferation of this application will lead to a significant increase in dangerous mobile applications disguised by similar or sealed names. Jonathan Martin, Anomali’s EMEA partner, warned that a number of fake applications claiming to be the official NHS CovID 19 application can be expected and tempt people to download. Once this fraudulent application has been installed on your phone, it will be compromised, which may lead to the theft of some personal data, such as bank details, etc. Unlike the official application, which promises to anonymize PII, fake phantom applications will actively attempt to steal sensitive information.
While there is certainly room for improvement, I hope that the debate on this application will lead the security-conscious public to be sceptical about any attempt to collect huge amounts of personal data. It is one thing to oppose the NHS COVID 19 application, but I am probably optimistic that the government has our interests at heart. We must use this time to cynically investigate not only the government’s intentions with respect to this amount of personal data, but also, and perhaps more wisely, the way other services use and process our data. We have to agree with Tom Davison, technical director of Lookout, who told us… It is essential that the public understands what personal information they share and how it will be used now and in the future.
I’ll leave you one last question: Do you know what rights you have given to applications on your phone? If not, do some research. After all, there is no point in mourning the end of personal freedom if your flashlight application follows your geolocation?