In Apr. 2020, tech giants Apple and Google announced that they were working together to create a COVID-19 tracing app. The idea is to transform iOS and Android devices into contact tracing devices that identify possible COVID-19 exposures. However, the Electronic Frontier Foundation (EFF) recently warned that apps like this could pose cybersecurity and privacy threats to users.
The EFF is joining the call for COVID-19 contact tracing app developers to factor in the possible security and privacy risks brought by these new technologies. The foundation is also warning users not to fully trust that any app could solve the current global health crisis or provide answers to all questions. The EFF also says that users and privacy enthusiasts have no way of verifying that the device sending contact-tracing data is, in fact, the one that generated it.
Security researchers also fear that malicious actors could collect data over the air and broadcast it, potentially undermining the system. The EFF also highlights its privacy concerns and notes that the program should 'sunset' after the pandemic is over so as to protect the integrity of the users of the COVID-19 contact tracing apps. There is a chance that the technology could be utilized by attackers to violate the privacy of users without just cause in the future.
In the organization's latest blog post, EFF staff technologist Bennett Cyphers and director of research Gennie Gebhart claim that "the apps built on top of Apple and Google's new system will not be a 'magic bullet' techno-solution to the current state of shelter-in-place." The EFF is also concerned about the proximity tracking earlier proposed by tech giants Apple and Google.
According to the blog post, it "leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected." Cyphers and Gebhart say that this could be a potential security risk. On May 4, Reuters claimed that the contact-tracing API used by the app being developed by Google and Apple could not use the location data of the smartphone.
The report further claimed that the location data the app is referring to is actually GPS-based. Interestingly, the Apple document refers to it as location tracking, stating that tracking using cell towers and WiFi networks is prohibited. Additionally, the report suggested that only one app in every country could use the API. Unfortunately, that information is not stated anywhere in the Apple FAQ, which notes that the apps would be developed by public health authorities in every region.