On the Privacy and Integrity Risks of Contact-Tracing Applications
- URL: http://arxiv.org/abs/2012.03283v2
- Date: Tue, 8 Dec 2020 19:04:31 GMT
- Authors: Jianwei Huang, Vinod Yegneswaran, Phillip Porras, and Guofei Gu
- Abstract summary: Smartphone-based contact-tracing applications are at the epicenter of the global fight against the Covid-19 pandemic.
This paper describes two important attacks that affect a broad swath of contact-tracing applications.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Smartphone-based contact-tracing applications are at the epicenter of the
global fight against the Covid-19 pandemic. While governments and healthcare
agencies are eager to mandate the deployment of such applications en-masse,
they face increasing scrutiny from the popular press, security companies, and
human rights watch agencies that fear the exploitation of these technologies as
surveillance tools. Finding the optimal balance between community safety and
privacy has been a challenge, and strategies to address these concerns have
varied among countries. This paper describes two important attacks that affect
a broad swath of contact-tracing applications. The first, referred to as
contact-isolation attack, is a user-privacy attack that can be used to identify
potentially infected patients in your neighborhood. The second is a
contact-pollution attack that affects the integrity of contact tracing
applications by causing them to produce a high volume of false-positive alerts.
We developed prototype implementations and evaluated both attacks in the
context of the DP-3T application framework, but these vulnerabilities affect a
much broader class of applications. We found that both attacks are feasible and
realizable with a minimal attacker work factor. We further conducted an impact
assessment of these attacks by using a simulation study and measurements from
the SafeGraph database. Our results indicate that attacks launched from a
modest number (on the order of 10,000) of monitoring points can effectively
decloak between 5-40% of infected users in a major metropolis, such as
Houston.
Related papers
- Protect Your Score: Contact Tracing With Differential Privacy Guarantees (2023-12-18T11:16:33Z)
  We argue that privacy concerns currently hold deployment back.
  We propose a contact tracing algorithm with differential privacy guarantees against this attack.
  Especially for realistic test scenarios, we achieve a two to ten-fold reduction in the infection rate of the virus.
- How mass surveillance can crowd out installations of COVID-19 contact tracing apps (2021-10-04T17:07:47Z)
  During the COVID-19 pandemic, many countries have developed and deployed contact tracing technologies to curb the spread of the disease.
  This paper analyzes situations where centralized mass surveillance technologies are deployed simultaneously with a voluntary contact tracing mobile app.
- Contact Tracing Made Un-relay-able (2020-10-23T20:03:31Z)
  SARS-CoV-2 pandemic put a heavy strain on the healthcare system of many countries.
  Governments chose different approaches to face the spread of the virus.
  Mobile apps allow to achieve a privacy-preserving contact tracing of citizens.
- Modelling Memory for Individual Re-identification in Decentralised Mobile Contact Tracing Applications (2020-10-12T08:10:54Z)
  We show that it is possible to identify positive people among the group of contacts of a human being, and this is even easier when the sociability of the positive individual is low.
  In practice, our simulation results show that identification can be made with an accuracy of more than 90% depending on the scenario.
- Epidemic mitigation by statistical inference from contact tracing data (2020-09-20T12:24:45Z)
  We develop Bayesian inference methods to estimate the risk that an individual is infected.
  We propose to use probabilistic risk estimation in order to optimize testing and quarantining strategies for the control of an epidemic.
  Our approaches translate into fully distributed algorithms that only require communication between individuals who have recently been in contact.
- Mind the GAP: Security & Privacy Risks of Contact Tracing Apps (2020-06-10T16:05:05Z)
  Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contact tracing apps using Bluetooth Low Energy.
  We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
- COVI White Paper (2020-05-18T07:40:49Z)
  Contact tracing is an essential tool to change the course of the Covid-19 pandemic.
  We present an overview of the rationale, design, ethical considerations and privacy strategy of 'COVI,' a Covid-19 public peer-to-peer contact tracing and risk awareness mobile application developed in Canada.
- Digital Ariadne: Citizen Empowerment for Epidemic Control (2020-04-16T15:53:42Z)
  The COVID-19 crisis represents the most dangerous threat to public health since the H1N1 pandemic of 1918.
  Technology-assisted location and contact tracing, if broadly adopted, may help limit the spread of infectious diseases.
  We present a tool, called 'diAry' or 'digital Ariadne', based on voluntary location and Bluetooth tracking on personal devices.
- Give more data, awareness and control to individual citizens, and they will help COVID-19 containment (2020-04-10T20:30:37Z)
  Contact-tracing apps are being proposed for large scale adoption by many countries.
  A centralized approach raises concerns about citizens' privacy and needlessly strong digital surveillance.
  We advocate a decentralized approach, where both contact and location data are collected exclusively in individual citizens' "personal data stores"