The Privacy and Security of COVID-19 Tracking Apps

COVID-19 tracking apps are now commonplace, despite numerous security concerns from public advocacy groups and segments of wider society.

First Published 12th May 2020 |  Latest Refresh 30th November 2021

The Privacy and Security of COVID-19 Tracking Apps

The race to launch Covid apps might have overlooked some basics.

3 min read  |  Reflare Research Team

As international travel returns, the tracking app market fragments

Earlier during the global pandemic, both the news cycle and social media were extensively covering the various COVID-19 contact tracking apps and APIs that were either being released or being finalised.

Today, there is a plethora of applications out there - each with its own set of endorsements and each for its own specific market segment. In this report, we will relook look at who the major forces behind these apps are, what is being done to protect the privacy of users, and what the public opposition to the apps may teach us about privacy literacy.

Who has developed the contact tracking apps?

The brief answer is - most countries as well as Apple and Google. The two tech giants have teamed up for a common goal. This is certainly rare. Instead of leaving the development of such tracking apps up to governments or the private sector - and thus exposing them to widely varying levels of technological know-how and malicious intent - the developers of the two main mobile operating systems are likely better equipped to develop a technically sound solution.

Since Apple’s iOS and Google’s Android combined makeup 99% of the mobile OS market, this also greatly increases potential coverage.

Notably, the solution that Apple and Google provided is not what the end-user will work with. Instead, they aimed to provide an API that would allow other developers - for example, governments - to build secure and somewhat private applications on top of it. The specifications of the API are explicitly designed to protect user privacy. However, valid concerns naturally remain.

At the same time, many governments, including Singapore, Australia, and the United Kingdom, rolled out their own apps. Most of the governmental apps aimed to provide high levels of privacy but ran into strong opposition. After all, the universal location tracking of citizens by their government is a deeply disturbing vision. To combat this fear, the UK government went as far as to announce the release of the source code of their tracking app, only to then completely withdraw it altogether.

What are the real risks of these tracking apps?

That is an exceptionally difficult question to answer and is best broken down into two parts:

The near term risks

In the near term, the majority of contact tracking apps will likely cause no major privacy breaches or incidents of government surveillance. This is especially true for those apps that use the API developed by Google and Apple. While theoretical attacks are possible, these require extensive resources and are unlikely to go unnoticed.

The long-term risks

In the long term, risks are more significant. By creating a precedent, more tracking apps can be more easily introduced in the future. The COVID-19 contact tracking is largely transparent, voluntary, and for a good cause. But much more obscure and privacy-invading mandatory tracking apps could easily follow in the name of “protecting children”, “counter-terrorism” or any of the other standard justifications that are employed to reduce civil liberties.

Should I use these apps?

We are in no position to answer this question since it heavily depends on you, your location, your government, and the upcoming continued spread of COVID-19. For what it’s worth, Reflare recommends that it’s employees install the apps provided by the governments in the jurisdictions we operate in. However, we would consider reversing this decision if these apps became obscured or mandatory.

At the same time, it is important to note that complaining about the risks of the current generation of contact tracking apps on a platform like Facebook is akin to only eating organic food to protect your body from toxins while smoking a pack of cigarettes a day.

As International travel returns, we highly recommend you conduct your own research into the required tracking apps that your destination country requests you install on your device. Informed people make informed decisions, and even though the intent of the overwhelming majority of these apps is positive, assuming your destination country follows the same rules as your home country when it comes to the privacy and security of your data would be foolish at best.

To stay up to speed on technological privacy and security matters, consider subscribing to our newsletter and check out our related research reports.

Subscribe by email