Several countries are introducing contact tracing apps to address COVID-19 concerns. This includes India, as the BBC has reported. The app – Aarogya Setu, which means “bridge to health” in Sanskrit – was launched just six weeks ago. India has made it mandatory for government and private sector employees to download the app.
However, as citizens of India install the Aarogya Setu app, what should users be aware of as cybercriminals capitalize on these uncertain times?
To understand the issues and concerns surrounding the app, Digital Journal spoke with Brenda Ferraro, VP of Third-Party Risk for Prevalent. Ferraro works directly with organizations around the world to manage and monitor the security threats and risks associated with vendors, suppliers, and other third parties.
Digital Journal: How has the coronavirus situation altered the business world?
Brenda Ferraro: The coronavirus situation altered the business world by shining a light on our broken supply chain. Business Resilience has become top of mind and with continuously changing facts about the pandemic businesses are forced to pivot as to how to react or survive. Security Controls are shifting to include a new focus on work from home environment protections, interconnections of internal and external business dependencies, and concentration risk. Businesses are starving for real time intelligence of which is changing rapidly and could result in miscalculated data based driven decisions.
DJ: What is the objective of contact tracing apps?
Ferraro: Information crowdsourcing is critical to provide global visibility of the pandemic. The ecosystem needs to figure out how to gather intelligence without placing the human factor in danger of scrutiny and the silo intelligence approach will need to foster a harmonized way to address the pandemic. Reactively we can find out where people have been to inform those individuals to stay home. Yet, for real time data based decisions the lagging information will require components such as: Who is currently sick? Who have the sick been in contact with? Are the sick following quarantine? If I am not sick, can I see who is sick around me to invoke social distancing? Will the intelligence be used to quickly determine hot spots to allow the economy to appropriately open based on the landscape of the sick? Will the application track if they are compliant? If yes, is there a consequence if they don’t comply? All of which will require testing capabilities that are accurate and quick.
DJ: What are the privacy concerns stemming from such apps?
Ferraro: With application security being the weakest security domain, my focus on this topic is What, When, Why, Where, and How the application would be used. Is it important to collect data, yes! Do we need to know who is sick and who is healthy, most definitely! An application alone will not provide a complete picture to address the intent. The horrible reality is that the application will cause human nature to kick in and drive up discriminatory behavior and what concerns me the most is that the application is on Androids, and we all know the vulnerabilities with Android applications, which increase the risk for cybercriminals to exploit data.
DJ: Are the concerns similar to GDPR, where the primary factors are end-user privacy and control of access to user-identifiable information?
Ferraro: Yes, the concerns are similar to GDPR. The primary factors with lack of end-user and user-identifiable information control reeks opportunity for misinterpretation due to only having a portion of the information required to trigger actions or decisions.
DJ: How about cybersecurity, what are the main issues here?
Ferraro: Expect a free for all from the cybercriminals as there will not be data privacy for the citizens and the third party better be prepared to address potential backlash on how the data is used by the known requesting countries and the cybercriminals.
DJ: Are all of the different contact tracing apps equally vulnerable?
Ferraro: Android applications are proven to not be as secure as other smart phone application platforms. If protections are not put in place to control defect management of the application, cybercriminal activity is inevitable.
