How do you build a secure contact tracing app?

Natalie Healey 15 September 2020 (Last Updated September 15th, 2020 11:32)

While a testing and tracing programme is central to stopping the spread of Covid-19, there are privacy and security challenges to overcome. SonicWall CEO Bill Conner, who created the encryption behind the UK e-passport and has advised the UN on cybersecurity, speaks to Natalie Healey about how public and private sector institutions must collaborate to protect users.


In March, the NHS announced it had started work on a centralised contact-tracing app that would form a key component of the UK’s Test and Trace programme for stopping the spread of Covid-19. But data protection and privacy concerns halted its progress, leading the government to abandon its prototype in June. It would instead work with Apple and Google to develop a companion app.

Many people view this turn of events as a failure, especially considering the initial fanfare about the original app. But Bill Conner, the cybersecurity CEO from SonicWall, explains why he thinks the UK might have made the right call.

 

Natalie Healey (NH): Tell us about some of the cybersecurity projects you’ve been involved with during your career. What parallels can you draw between these and a potential contact tracing app for Covid-19?

Bill Conner (BC): I was involved in creating the encryption for digital passports and also the security and authentication for the UK Government portal 20 years ago. I’ve worked with Interpol on biometrics for passports and national IDs. I was also involved in a company called Silent Circle, making peer-to-peer encryption for phones.

In contact tracing (just like e-passports or e-visas), you essentially want to know who’s going across a specific border and make it as simple as possible to use. But right now, effective contact tracing is virtually impossible because it’s so manually driven.

When I think of the e-passport, a lot of governments chose to roll out their own. That might be fine for nations who don’t worry about privacy so much. But when you get to countries like the UK, the US and most of Europe, that’s a different situation.

I always think privacy equals security. And you must have security to have privacy. But it’s all dependent on what kind of privacy policy enables that.

NH: What are the main security problems with smartphone apps?

BC: Whether you’ve got an Android or iOS system, you can toggle your location on or off for specific apps. But apps can control a lot of other things – and sometimes you give them permissions without even knowing what the permissions are.

If I download an app, unless I go through the guts of what that thing can do, it can turn on my camera, it can turn on my speaker, it can create a video and it can take all my contacts.

It’s pervasive – so often applications are given permissions by the owner without them knowing. One of my deepest hopes is the Android PlayStore and Apple Store are going to have a much more rigorous app verification piece than exists today.

Some people might not care but it’s vital if you’re going to be giving away ‘tokens’ such as your health, your location and time. If it’s in the right hands, that’s fine. But if it’s in the wrong hands, it can be very dangerous.

NH: Was it a good idea to partner with Google and Apple for contact tracing?

BC: I really like the approach that the UK Government has taken here because they started to roll out their own app but realised quickly this is about speed. Google and Apple probably have the most security and trust of anybody when it comes to this, so I think it’s really smart to partner with them. Between the two you’ve got most of the devices in the world covered.

It’s all about where that data is going to be stored and what else they’re going to do with it. As you start to turn on a much more granular view of location data and the people you’re associating with, that’s a whole different level of privacy and health information that becomes very valuable.

NH: Which countries have been successful here?

BC: I think it’s too early to call that. Clearly certain countries track everybody anyway. But after you get out of those, there’s a different landscape.

The big thing that’s missing is a global standard. Right now, you’ve got a patchwork of contact tracing efforts because everyone’s worried about it within traditional borders. We’re looking at it country by country.

The reality is that Covid isn’t a national issue, it’s a global pandemic. And right now the standard operating model is to distrust travel and therefore an individual. And the only way to get around that is quarantine. There’s no global organisation dealing with the technical aspects behind the next generation health passport that will be needed for us to have trust again.

NH: Once an app is available, how do you get citizens to trust it?

BC: There’s a role the government has to play in the messaging around it. No one would give up their details or do testing if they didn’t have anything to gain. But my belief is people are going to want this. If you go to dinner, or a meeting, or travel by plane, you want to know whoever you’re sitting near is safe.

This is the new reality. Whether it’s Covid-19 or Covid-20 or 21, this isn’t going to go away. This is just the beginning which is why I really favour a global view of this.