A Security & Privacy Analysis of US-based Contact Tracing Apps

• URL: http://arxiv.org/abs/2207.08978v2
• Date: Wed, 20 Jul 2022 16:34:47 GMT
• Title: A Security & Privacy Analysis of US-based Contact Tracing Apps
• Authors: Joydeep Mitra
• Abstract summary: Governments worldwide planned to develop and deploy contact tracing (CT) apps to help speed up the contact tracing process. Experts raised concerns about the long-term privacy and security implications of using these apps. Google and Apple developed the Google/Apple Exposure Notification framework to help public health authorities develop privacy-preserving CT apps.
• Score: 0.0
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: With the onset of COVID-19, governments worldwide planned to develop and deploy contact tracing (CT) apps to help speed up the contact tracing process. However, experts raised concerns about the long-term privacy and security implications of using these apps. Consequently, several proposals were made to design privacy-preserving CT apps. To this end, Google and Apple developed the Google/Apple Exposure Notification (GAEN) framework to help public health authorities develop privacy-preserving CT apps. In the United States, 26 states used the GAEN framework to develop their CT apps. In this paper, we empirically evaluate the US-based GAEN apps to determine 1) the privileges they have, 2) if the apps comply with their defined privacy policies, and 3) if they contain known vulnerabilities that can be exploited to compromise privacy. The results show that all apps violate their stated privacy policy and contain several known vulnerabilities.

Related papers

• Privacy Law Enforcement Under Centralized Governance: A Qualitative Analysis of Four Years' Special Privacy Rectification Campaigns [8.568810204115938]
  China has launched a series of privacy enforcement campaigns known as Special Privacy Rectification Campaigns (SPRCs) SPRCs are characterized by large-scale privacy reviews and strict sanctions. We conducted 18 semi-structured interviews with app-related engineers involved in SPRCs to better understand the campaign-style privacy enforcement.
  arXiv  Detail & Related papers  (2025-03-11T15:56:09Z)
• PrivacyLens: Evaluating Privacy Norm Awareness of Language Models in Action [54.11479432110771]
  PrivacyLens is a novel framework designed to extend privacy-sensitive seeds into expressive vignettes and further into agent trajectories. We instantiate PrivacyLens with a collection of privacy norms grounded in privacy literature and crowdsourced seeds. State-of-the-art LMs, like GPT-4 and Llama-3-70B, leak sensitive information in 25.68% and 38.69% of cases, even when prompted with privacy-enhancing instructions.
  arXiv  Detail & Related papers  (2024-08-29T17:58:38Z)
• Protect Your Score: Contact Tracing With Differential Privacy Guarantees [68.53998103087508]
  We argue that privacy concerns currently hold deployment back. We propose a contact tracing algorithm with differential privacy guarantees against this attack. Especially for realistic test scenarios, we achieve a two to ten-fold reduction in the infection rate of the virus.
  arXiv  Detail & Related papers  (2023-12-18T11:16:33Z)
• ATLAS: Automatically Detecting Discrepancies Between Privacy Policies and Privacy Labels [2.457872341625575]
  We introduce the Automated Privacy Label Analysis System (ATLAS) ATLAS identifies possible discrepancies between mobile app privacy policies and their privacy labels. We find that, on average, apps have 5.32 such potential compliance issues.
  arXiv  Detail & Related papers  (2023-05-24T05:27:22Z)
• Privacy Explanations - A Means to End-User Trust [64.7066037969487]
  We looked into how explainability might help to tackle this problem. We created privacy explanations that aim to help to clarify to end users why and for what purposes specific data is required. Our findings reveal that privacy explanations can be an important step towards increasing trust in software systems.
  arXiv  Detail & Related papers  (2022-10-18T09:30:37Z)
• Analysis of Longitudinal Changes in Privacy Behavior of Android Applications [79.71330613821037]
  In this paper, we examine the trends in how Android apps have changed over time with respect to privacy. We examine the adoption of HTTPS, whether apps scan the device for other installed apps, the use of permissions for privacy-sensitive data, and the use of unique identifiers. We find that privacy-related behavior has improved with time as apps continue to receive updates, and that the third-party libraries used by apps are responsible for more issues with privacy.
  arXiv  Detail & Related papers  (2021-12-28T16:21:31Z)
• A Critique of the Google Apple Exposure Notification (GAEN) Framework [1.7513645771137178]
  Digital contact tracing has been proposed as a tool to support the health authorities in their quest to determine who has been in close and sustained contact with a person infected by the coronavirus. In April 2020 Google and Apple released the Google Apple Exposure Notification framework, as a decentralised and more privacy friendly platform for contact tracing. We argue that this creates a dormant functionality for mass surveillance at the operating system layer.
  arXiv  Detail & Related papers  (2020-12-09T15:05:59Z)
• Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
  Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy. We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
  arXiv  Detail & Related papers  (2020-06-10T16:05:05Z)
• Decentralized Privacy-Preserving Proximity Tracing [50.27258414960402]
  DP3T provides a technological foundation to help slow the spread of SARS-CoV-2. System aims to minimise privacy and security risks for individuals and communities.
  arXiv  Detail & Related papers  (2020-05-25T12:32:02Z)
• Decentralized is not risk-free: Understanding public perceptions of privacy-utility trade-offs in COVID-19 contact-tracing apps [13.240901989243104]
  We present a survey study that examined people's willingness to install six different contact-tracing apps. We found that the majority of people in our sample preferred to install apps that use a centralized server for contact tracing. We also found that the majority of our sample preferred to install apps that share diagnosed users' recent locations in public places to show hotspots of infection.
  arXiv  Detail & Related papers  (2020-05-25T07:50:51Z)
• How good is good enough for COVID19 apps? The influence of benefits, accuracy, and privacy on willingness to adopt [24.202334512830255]
  A growing number of contact tracing apps are being developed to complement manual contact tracing. We evaluate the effect of both accuracy and privacy concerns on reported willingness to install COVID19 contact tracing apps.
  arXiv  Detail & Related papers  (2020-05-09T01:53:52Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.