A Security and Privacy Scoring System for Contact Tracing Apps
Contact tracing applications have flooded the marketplace, as governments worldwide have been working to release apps for their citizens. These apps use a variety of protocols to perform contact tracing, resulting in widely differing security and privacy assurances. Governments and users have been l...
Main Authors: | Leah Krehling, Aleksander Essex |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG 2021-10-01 |
Series: | Journal of Cybersecurity and Privacy |
Subjects: | contact tracing, security, privacy |
Online Access: | https://www.mdpi.com/2624-800X/1/4/30 |
_version_ | 1827671873138196480 |
---|---|
author | Leah Krehling Aleksander Essex |
collection | DOAJ |
description | Contact tracing applications have flooded the marketplace, as governments worldwide have been working to release apps for their citizens. These apps use a variety of protocols to perform contact tracing, resulting in widely differing security and privacy assurances. Governments and users have been left without a standard metric to weigh these protocols and compare their assurances to know which are more private and secure. Although there are many ways to approach a quantitative metric for privacy and security, one natural way is to draw on the methodology used by the well-known common vulnerability scoring system (CVSS). For privacy, we applied consensus principles for contact tracing as a basis for comparing their relative privacy practices. For security, we performed attack modeling to develop a rubric to compare the security of respective apps. Our analysis shows that centralized Bluetooth with added location functionality has low privacy and security, while non-streaming GPS scored high in security and medium in privacy. Based on our methodology, only two apps were given a high ranking of privacy: Canada’s Covid Alert and Germany’s Corona Warn-App. They both used the Google/Apple Notification Framework as the basis for their design. To achieve comparable privacy, we recommend that future projects follow their examples in the following ways: minimizing the amount of data they collect and holding it for the shortest possible length of time; only having features necessary for the app’s main function; and releasing design details so that users can make informed decisions. |
first_indexed | 2024-03-10T03:49:54Z |
format | Article |
id | doaj.art-905a15de8c704d2589232b6f32dbbfd6 |
institution | Directory Open Access Journal |
issn | 2624-800X |
language | English |
last_indexed | 2024-03-10T03:49:54Z |
publishDate | 2021-10-01 |
publisher | MDPI AG |
record_format | Article |
series | Journal of Cybersecurity and Privacy |
spelling | doaj.art-905a15de8c704d2589232b6f32dbbfd6; 2023-11-23T08:59:04Z; eng; MDPI AG; Journal of Cybersecurity and Privacy; 2624-800X; 2021-10-01; 1; 4; 597; 614; 10.3390/jcp1040030; A Security and Privacy Scoring System for Contact Tracing Apps; Leah Krehling (0); Aleksander Essex (1); (0) The Department of Electrical and Computer Engineering, University of Western Ontario, London, ON N6A 3K7, Canada; (1) The Department of Electrical and Computer Engineering, University of Western Ontario, London, ON N6A 3K7, Canada |
title | A Security and Privacy Scoring System for Contact Tracing Apps |
topic | contact tracing security privacy |
url | https://www.mdpi.com/2624-800X/1/4/30 |