Protecting tracking apps in the post-coronavirus world

Our idea of normality has changed beyond recognition in a matter of weeks.

Across the globe, we’ve learned to stay indoors. We’ve transformed our dining rooms into offices. And we’ve accepted the need to sacrifice privacy to save lives.

There’s no doubt that the post-coronavirus landscape is going to take some getting used to. When we do venture outside again, it won’t be into the same world we left behind in the middle of March 2020.

For a start, there will be a lot more surveillance. Government apps will track our movement and our health to keep the virus at bay.

The idea of allowing our governments such power might be uncomfortable for some. But what if this power were to fall into more harmful hands?

Given the amount of citizen data on Covid-19 tracking apps, there’s a danger bad actors will view them as the ultimate prize.

That’s why protecting tracking apps must be a crucial objective in the months ahead.

A new era of surveillance

The Chinese state’s measures to tackle the coronavirus pandemic won’t have surprised many people. After all, they’ve built up a surveillance system over time. A lot of the pieces were already in place.

But people in countries less known for overt surveillance of their citizens have also accepted the need for such a system.

Crises tend to normalise policies that would ordinarily shock us. Not long ago, the announcement of a mass surveillance system would have led to people protesting in the streets. But our world has changed since then.

As Yuval Noah Harari wrote recently, when people are given a choice between privacy and health, they tend to choose health.

In the UK, the NHS is currently working on an app designed to track people’s movement and how long they stay outside. There’s also talk of the app playing a role in the anticipated immunity passports for those who have already recovered from the virus or have been vaccinated.

There’s an acceptance that apps like the NHS one might be helpful. That said, people want to know whether governments will stop the surveillance once the crisis is over. There are plenty of examples of other temporary measures put in place during a crisis that remain in place decades later.

Yet there’s another equally important question that people aren’t asking quite as much.

Will these new tracking apps be safe and secure from outside attacks?

The threats facing tracking apps

It might be the case that citizens simply expect robust security of surveillance apps to be a given. But examples from Asia suggest that we need to stay vigilant.

As much as we’d like to think that everybody buys into the communal spirit of working together to beat the virus, there are those who are looking to profit from it. For bad actors, a government app full of sensitive personal data sounds almost too good to be true.

To get an idea of the opportunity offered to them, we only have to look at privacy leaks from tracking apps in China and South Korea. In both countries, some personal details of those who have tested positive for Covid-19 have accidentally been exposed. The consequences for those individuals have included public ridicule and harassment.

Imagine if a bad actor obtained a list of those who had tested positive. What damage could they cause to those people’s lives?

Analysts have suggested other apps are at risk, too. One example is Slovakia’s track and trace app. The country announced a few weeks ago that it had passed a law allowing the state to use data from telecoms companies to track the movement of people suffering from the virus.

We already know from the world of IoT that bad actors can cause a company or individual a lot of harm if they’re able to find a weak link in a network. But the same is true of a tracking app. If an app is used by millions of people across a variety of devices and networks, then there’s a greater risk of hackers finding a weak spot. A gate somewhere that hasn’t been locked.

In China, there’s an app that doubles as an immunity passport. A green code means that you don’t have Covid-19 or that you’ve recovered from it. A red one means that you’ve tested positive for the virus. If you have a red code, your movement is severely restricted. But citizens in Hangzhou have reported their codes flickering from green to red and back again without an explanation.

If a hacker were able to take control of this system, they’d have the power to change a green code to red, or vice versa.

By protecting tracking apps you can build trust

Some commentators have pointed out that there’s an awkward truth behind our opposition to tracking apps:

We often let companies track our movement when we download their apps. So why not governments?

Most of the time there’s no need for these companies to know where we are. Instead, they use this information for marketing. And because we want the app, we mostly accept it without complaint.

Surely then there’s no problem in letting our governments have this data if it’s going to save lives rather than make money?

The key difference here is that we’re generally more sceptical about those who govern us. They have to work harder to gain our trust.

Governments around the world will be aware of the tightrope they’re walking with these new surveillance apps.

As much as people accept there’s a need for them right now, they will be vocal if they think the government is abusing its power.

And voices will grow louder still if the apps citizens are using don’t seem safe.

This explains why governments don’t only want to block bad actors for national security reasons. They also know how quickly public trust will evaporate should hackers find a way inside their apps.

That’s why robust protection for tracking apps is a must, alongside keeping them as transparent as possible. We have to make sure that they’re safe from static and dynamic analysis, cloning (we’ll cover fake Covid-19 apps in a later article), code injection, and man-in-the-middle attacks.

Then we can focus on using them safely to help beat the virus, without having to look over our shoulder for a very different kind of threat.