Information Security Assignment: Data Security, Privacy & Sovereignty of CovidSafe App
Question
Scenario to be examined in the Information Security Assignment
The sudden increase in COVID-19 cases worldwide has caused considerable disruption in many countries. However, a number of countries have started to use an individual tracking approach to try and contain the spread of the virus.
A number of countries have developed mobile phone apps that track people and their movements. Some details of these apps are:
Singapore: Contact tracing app. See:
https://www.thestar.com.my/tech/tech-news/2020/03/20/covid-19-singapore-launches-contact-tracing-mobile-app-to-track-coronavirus-infections
https://www.businessinsider.com.au/singapore-coronavirus-app-tracking-testing-no-shutdown-how-it-works-2020-3?r=US&IR=T
South Korea: Tracking mobile phones and cashless transactions:
https://www.channelnewsasia.com/news/commentary/covid-19-coronavirus-south-korea-cases-test-data-surveillance-1XXXXXXXXXXX
Taiwan: Quarantine by mobile:
https://www.theguardian.com/world/2020/mar/13/how-taiwan-is-containing-coronavirus-despite-diplomatic-isolation-by-china
Australia: CovidSafe:
https://www.health.gov.au/resources/apps-and-tools/covidsafe-app/covidsafe-help
https://www.qte.am/articles/covidsafe-follow-up
https://theconversation.com/privacy-vs-pandemic-government-tracking-of-mobile-phones-could-be-a-potent-weapon-against-covid-19-134895
Since the release of CovidSafe, Google and Apple have announced a joint initiative to do contact tracing.
See https://www.apple.com/au/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/ and https://www.xda-developers.com/google-apple-contact-tracing-coronavirus/
There is also an article from ScienceMag.org that discusses phone tracking in more detail at https://www.sciencemag.org/news/2020/03/cellphone-tracking-could-help-stem-spread-coronavirus-privacy-price#.
Task:
After your successful engagement to develop privacy and personal data protection strategies for DAS, you have been engaged by the Department of Health (DoH) to advise on the development of privacy and data protection for CovidSafe users. DoH expect up to 16 million Australian mobile users to download and use this app. DoH have announced that they will be using a major U.S. based public cloud provider to host the CovidSafe data, but claim that the data will always be under Australian Government control.
You are to provide a report to DoH that:
Discusses the possible threats and risks to the security of user data on mobile phones, and in linked Cloud and financial accounts from the use of the CovidSafe app.
Discusses the possible threats to the privacy of a user's data, location and activities from the use of the CovidSafe app.
Discusses the issues of data sovereignty that may apply to the storage of CovidSafe data in U.S. based Cloud storage.
You are to recommend that DoH adopt:
Possible security controls that would prevent the loss or breach of user data, while still enabling effective tracking for COVID-19, and the reasons these controls will be effective.
Possible privacy controls to protect user privacy, particularly of data, location and activity, while still enabling effective tracking of COVID-19, and the reasons these controls will be effective.
Possible controls to ensure that the CovidSafe data remains under Australian data sovereignty and control, and the reasons these controls will be effective.
Answer
Introduction
Covid-19, or coronavirus, is a deadly virus that is infectious and highly communicable. The virus was first detected in 2019 and is now affecting more than 200 countries across the globe. The total number of cases has crossed 39 Million and there have been more than 1.1 Million deaths due to the virus. Some of the countries most affected by the virus are the United States, India, Brazil, Russia, and several others (Leslie, 2020). Countries across the world are using various measures to contain the virus, and technological advancements can be used to contain its spread.
Numerous countries are using technology to carry out contact tracing. The technique involves identifying the individuals who have come into contact with a person infected with Covid-19. With access to this information, considerable measures can be taken to control the impact and further spread of the virus. Several countries, such as Singapore, South Korea, Australia, India, etc., are using the technique to make sure that the spread of the virus is controlled (Wise, 2020). CovidSafe is the app that has been launched by the Department of Health (DoH) in Australia. The application will use a US-based cloud service provider to host the data; however, it is stated that the data will always remain with the Australian Government (Savona, 2020). A number of security, privacy, and sovereignty issues may arise with the use of the CovidSafe application.
Basic Mechanism
The details of the CovidSafe app are available on the DoH Government website. The application is available on the Apple Store and Play Store, from which users can download it. The registration process asks for details such as the name, age range, mobile number, and postcode of the user. A confirmation code is sent to the registered number to confirm and complete the installation process. The CovidSafe app generates an encrypted reference code for the app (Australian Government Department of Health, 2020). The app must run in the background at all times to serve its purpose. The app uses Bluetooth technology for communication. Contact is established through a digital handshake, and the information is logged if a contact is found. The information remains available for 21 days, and contacts older than 21 days are deleted automatically.
Data Security Risks and Issues
The technique and mechanism used in contact tracing apps such as the CovidSafe app can be effective in controlling the spread of coronavirus. However, there are certain data security issues associated with such apps. The most prominent arise from network security vulnerabilities, which may be exploited to obtain unauthorized access. Bluetooth technology is common to all the contact tracing apps that have been developed. Vulnerabilities in Bluetooth can lead to data security issues for the data held in the CovidSafe app as well as the information associated with the other apps on the device (Stilgherrian, 2020). Malicious entities can use Bluetooth vulnerabilities to break the device's security and so violate data and app security. Users today keep many apps on their phones, including apps that hold critical and confidential information, such as financial apps. Account hijacking through Bluetooth vulnerabilities can give attackers access to the overall device information, which they can then capture, misuse, share, and manipulate as they choose.
There are different forms of availability attacks that may be executed by the attackers. The digital handshake involved in the contact tracing process can be affected by such attacks, and fake messages may be sent repeatedly. This can block access, and the security of CovidSafe and other apps can be affected as an outcome. If the attackers succeed in gaining access to the device, the cloud-based applications on it can be accessed and the unauthorized access may be misused (Bogle, 2020).
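The handshake logging and 21-day deletion described under Basic Mechanism, and the repeated fake handshake messages described above, can be sketched from the defender's side as follows. This is an added example, not CovidSafe's code: the `ContactLog` class, the record fields, and the throttling thresholds are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=21)        # from the page: older contacts are deleted
MIN_INTERVAL = timedelta(seconds=60)  # assumption: one record per peer per minute
BURST_WINDOW = timedelta(seconds=60)  # assumption: window for the global rate cap
BURST_LIMIT = 50                      # assumption: max new records per window


@dataclass(frozen=True)
class Encounter:
    peer_ref: str      # opaque encrypted reference code from the handshake
    seen_at: datetime  # UTC time of the handshake
    rssi: int          # signal strength reported by the radio


class ContactLog:
    """On-device handshake log with retention and flood throttling."""

    def __init__(self):
        self.records = []      # retained Encounter objects, oldest first
        self.last_seen = {}    # peer_ref -> time of last accepted record
        self.recent = deque()  # acceptance times inside BURST_WINDOW
        self.dropped = 0       # throttled handshakes, a useful alert signal

    def purge(self, now):
        """Delete everything older than the retention period; return count."""
        cutoff = now - RETENTION
        kept = [r for r in self.records if r.seen_at >= cutoff]
        removed = len(self.records) - len(kept)
        self.records = kept
        self.last_seen = {p: t for p, t in self.last_seen.items() if t >= cutoff}
        return removed

    def record(self, peer_ref, rssi, now):
        """Log one handshake; return False if it was throttled."""
        self.purge(now)
        while self.recent and now - self.recent[0] >= BURST_WINDOW:
            self.recent.popleft()
        last = self.last_seen.get(peer_ref)
        repeated = last is not None and now - last < MIN_INTERVAL
        if repeated or len(self.recent) >= BURST_LIMIT:
            self.dropped += 1
            return False
        self.records.append(Encounter(peer_ref, now, rssi))
        self.last_seen[peer_ref] = now
        self.recent.append(now)
        return True


def demo():
    """Run the log over constructed handshakes and return the outcome."""
    t0 = datetime(2020, 5, 1, 9, 0, tzinfo=timezone.utc)
    log = ContactLog()
    log.record("ref-A", -60, t0)  # genuine contact
    # Constructed flood: the same reference repeated every second.
    for i in range(1, 31):
        log.record("ref-A", -60, t0 + timedelta(seconds=i))
    # Constructed flood with rotating references, all within one minute.
    base = t0 + timedelta(minutes=5)
    for i in range(200):
        log.record(f"fake-{i}", -40, base + timedelta(milliseconds=100 * i))
    after_flood = len(log.records)
    # A genuine contact 22 days later triggers deletion of the old entries.
    log.record("ref-B", -55, t0 + timedelta(days=22))
    return {"after_flood": after_flood, "dropped": log.dropped,
            "remaining": [r.peer_ref for r in log.records]}


if __name__ == "__main__":
    print(demo())
```

The global cap bounds storage growth, but a sustained flood can still crowd out genuine handshakes in the same window, so the `dropped` counter is best treated as an alerting signal.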
There are also numerous eavesdropping attacks that can be associated with the CovidSafe app. The application keeps running in the background and remains connected to the network channel. The use of an unsecured network, or the presence of network vulnerabilities, can lead to network eavesdropping. The attackers can gain network access and silently monitor the information being shared over the network. This may be done not only for the CovidSafe app but also for the other apps installed on the end-user's mobile device, so the data of such applications and other cloud accounts can be captured in this way. Insider attacks by officials of the Australian Government could be carried out to capture and examine such pieces of data (Kang & Haskell-Dowland, 2020), and these cases involve privacy infringement. Likewise, the database that the Australian Government has stated will be used with the app is centralized storage. It will be exposed to injection attacks and data breaches. The level of fault tolerance of centralized storage will also be lower than that of decentralized storage. These aspects are negative from the perspective of data privacy, since there will be higher chances of violation of access and integrity on the centralized data storage. The devices on which users run the CovidSafe app also have a significant role to play in data privacy. Cell phones and other mobile devices are frequently affected by security vulnerabilities (Dropkin, 2020), and they may lack suitable security controls. This may make it easier to execute malware attacks or for attackers to violate ethics. Data privacy will then be put at risk.
Privacy, Location and Activity Issues
Information and data sets have several properties, and one of the most important is information privacy, which must always be safeguarded. The CovidSafe app is exposed to various forms of privacy issues and concerns. The data that the application captures will be hosted by a public cloud provider based in the United States. The Australian Government has claimed that only the Australian Government will have access to the information (Davidson, 2020). However, the cloud vendor will have a certain form of control over the data sets. The involvement of several parties will also expand the attack window and the attack surface. Privacy may be violated by the host or by entities within the Australian Government itself. Members of the Australian Government will be granted varied access and permissions. This access can be abused, and it is possible for information to be passed to attackers deliberately (Ponce, 2020).
The Australian Government estimates that over 16 Million users will register on the app. The information associated with these users, such as name, age, etc., will be stored in the application database. Such massive data sets are often sought by business firms and political parties, which analyse the information and use the patterns for their business or political intent. Insider attacks by officials of the Australian Government could be carried out to capture and analyse such pieces of information, and these cases involve privacy violation. Also, the database that the Australian Government has stated will be used with the app is centralized storage. It will be exposed to injection attacks and data breaches. The level of fault tolerance of centralized storage will also be lower than that of decentralized storage (Watts, 2020). All of these aspects are negative from the viewpoint of information privacy, since there will be higher chances of violation of access and integrity on the centralized data storage.
The hacking and eavesdropping issues described earlier are also negative from the aspect of data privacy. Account hacking or network eavesdropping will result in breaches, and data leakage may also occur. These cases involve privacy violation, and it is necessary to make sure that such privacy attacks are avoided (Marhold & Fell, 2020).
The devices on which users run the CovidSafe app have a significant role to play in information privacy. Smartphones and other mobile devices are often affected by security vulnerabilities, and they may lack suitable security controls. This may make it easier to execute malware attacks or for attackers to violate ethics. Information privacy will then be put at risk.
The mechanism that the CovidSafe app follows for contact tracing keeps the data in storage for 21 days (Taylor, 2020). This time window is sufficient for attackers to use network and device vulnerabilities to violate privacy. The Australian Government has claimed that the app will not use location. However, Bluetooth and location will remain switched on on the device, which will further expand the attack window and the attack surface and give attackers a higher chance of executing privacy violations and breaches.
Data Sovereignty Issues
Data sovereignty is an important aspect of information sets and must always be managed. Sovereignty of information refers to the idea that data must be handled and regulated according to the laws applicable in the country from which the data is acquired (Crespi, 2020). The CovidSafe app has been launched by DoH in Australia, so the applicable laws are the Australian privacy and data management laws and regulations. Several data privacy and IT laws are defined in Australia, and the most important of them is the Privacy Act, 1988. The act protects the private data of individuals from any form of misuse or violation. The act is based on certain privacy principles, which make sure that information privacy is safeguarded at all times. In the case of CovidSafe, the information is stated to be with the Australian Government. However, the data is hosted by a US-based firm. Clashes and confusion may arise from the involvement of these two parties from two different countries. Data sovereignty is also an issue with cloud-based applications and platforms in general, because the location of cloud platforms may not be easy to determine. Also, the data may be stored in the US, depending on the location of the data servers.
Apart from this confusion, various security and privacy issues may be observed with the CovidSafe app. These issues can be significant and must be controlled. There are various man-in-the-middle attacks that can be associated with the CovidSafe app (Lazar, 2020). The application keeps running in the background and stays connected to the network channel. The use of an unsecured network, or the presence of network vulnerabilities, can lead to network-based unauthorized monitoring. The attackers can gain network access and silently monitor the data being shared over the network. This may be done not only for the CovidSafe app but also for the other apps installed on the end-user's mobile device, so the information of such applications and other cloud accounts can be captured in this way. Deliberate violations by insiders in the Australian Government could be carried out to capture and inspect such pieces of information, and these cases involve privacy infringement. Likewise, the database that the Australian Government has stated will be used with the app is centralized storage. It will be exposed to injection attacks and data breaches. The level of fault tolerance of centralized storage will also be lower than that of decentralized storage. These aspects are negative from the viewpoint of information privacy, since there will be higher chances of violation of access and integrity on the centralized data storage. The devices on which users run the CovidSafe app have a significant role to play in information privacy. Phones and other mobile devices are often affected by security vulnerabilities.
They may lack suitable security controls. This may make it easier to execute malware attacks or for attackers to violate ethics. Information privacy will then be put at risk. There are also various types of availability attacks that may be executed by the attackers (Vatanparast, 2020). The digital handshake involved in the contact tracing process can be affected by such attacks, and fake messages may be sent repeatedly. This can block access, and the security of CovidSafe and other apps can be affected as a result. If the attackers succeed in gaining access to the device, the cloud-based applications on it can be accessed and the unauthorized access may be misused. When data properties such as integrity, privacy, and availability are violated, sovereignty is automatically violated as well, and this must be controlled.
Recommendations
Various controls can be implemented to make sure that the risks associated with information security, privacy, and sovereignty do not occur. Implementing these controls will provide the mechanism to safeguard the information sets.
Security Controls
- There must be increased focus on data encryption. The data shall be encrypted while in the database and during its transmission over Bluetooth or on the network. Strong encryption must be used to protect the data sets.
- A security evaluation must be included as part of the application installation on the device. The evaluation must check the device security status, including the need for updates, the presence of antimalware tools, and similar security controls and mechanisms. The user shall be notified of the missing elements so that suitable actions can be taken (Gilbert et al., 2016).
- Network security tools and controls shall be used to protect the data sets and the devices. Advanced tools and mechanisms have been launched to promote network security, including intrusion detection and prevention systems, network log analytics, network-based firewalls, etc. The use of these mechanisms will make sure that network security risks are prevented and avoided.
- Users shall also take certain initiatives and must connect to secure networks only. Users shall also be given training on secure practices and the prevention of security issues and risks.
Privacy Controls
- Antimalware tools must be installed on the devices to make sure that malicious code and applications do not get installed.
- Device access shall be improved with the use of advanced access control measures.
- Various developments are taking place in the field of cryptography. Advanced cryptographic algorithms shall be used along with Blockchain technology (Hardjono & Smith, 2019). The use of these technologies will make sure that the privacy of the information is always maintained.
Data Sovereignty Controls
The sovereignty of the data also needs to be protected. The ultimate solution is to develop stronger laws and regulations so that issues around data sovereignty do not occur at all. However, this is a long-term solution, and the development and implementation of laws cannot be done on an immediate basis.
Meanwhile, the data privacy and security controls shall be used. Administrative tools and controls shall also be used so that sovereignty can be maintained. Ethical codes and principles shall be applied, and campaigns and sessions on ethical training must be launched. The existing legal frameworks and regulations shall also be used. Certain international bodies have been set up, and they must take responsibility and ownership for making sure that the international and generic guidelines are enforced (Oguamanam, 2018).
Conclusion
Contact tracing applications have been developed to control the spread of the Covid-19 virus. However, security, privacy, and sovereignty concerns are observed with these applications. There are loopholes associated with the CovidSafe app, and it is essential that mechanisms are implemented to control these issues. Without proper controls and security mechanisms, it is not possible to make effective use of these apps. Technology shall be used to ensure that enhanced mechanisms are implemented for access control, network security, malware protection, and the like.
References
Australian Government Department of Health. (2020, April 24). COVIDSafe app. Australian Government Department of Health. https://www.health.gov.au/resources/apps-and-tools/covidsafe-app#how-covidsafe-works
Bogle, A. (2020, June 16). COVIDSafe tests reveal Government knew about iPhone issues at launch. Www.Abc.Net.Au. https://www.abc.net.au/news/science/2020-06-17/covidsafe-contact-tracing-app-test-documents-rated-poor-iphone/12359250
Crespi, S. (2020). The facts on COVID-19 contact tracing apps, and benefits of returning sea otters to the wild. Science. https://doi.org/10.1126/science.abd2221
Davidson, J. (2020, June 8). COVIDSafe app shows up Big Tech’s problems. Australian Financial Review. https://www.afr.com/technology/covidsafe-app-shows-up-big-tech-s-problems-20200605-p54zx9
Dropkin, G. (2020). Covid-19: Contact tracing requires ending the hostile environment. BMJ, m1320. https://doi.org/10.1136/bmj.m1320
Gilbert, F., Sotto, L. J., Smedinghoff, T. J., & Practising Law Institute. (2016). Seventeenth annual Institute on privacy and data security law. Practising Law Institute.
Hardjono, T., & Smith, N. (2019). Decentralized Trusted Computing Base for Blockchain Infrastructure Security. Frontiers in Blockchain, 2. https://doi.org/10.3389/fbloc.2019.00024
Kang, J. J., & Haskell-Dowland, P. (2020). How safe is COVIDSafe? What you should know about the app’s issues, and Bluetooth-related risks. The Conversation. https://theconversation.com/how-safe-is-covidsafe-what-you-should-know-about-the-apps-issues-and-bluetooth-related-risks-137894
Lazar, N. (2020). Data, Data, Everywhere…. Harvard Data Science Review. https://doi.org/10.1162/99608f92.a6e7a24e
Leslie, M. (2020). COVID-19 Fight enlists digital technology: Contact tracing apps. Engineering. https://doi.org/10.1016/j.eng.2020.09.001
Marhold, K., & Fell, J. (2020). Format Wars Hampering Crisis Response – The Case of Contact Tracing Apps During COVID-19. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3598143
Oguamanam, C. (2018). ABS: Big Data, Data Sovereignty and Digitization: A New Indigenous Research Landscape. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3326282
Ponce, A. (2020). COVID-19 Contact-Tracing Apps: How to Prevent Privacy from Becoming the Next Victim. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3593405
Savona, M. (2020). The Saga of the Covid-19 Contact Tracing Apps: Lessons for Data Governance. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3645073
Stilgherrian. (2020). COVIDSafe’s problems aren’t Google or Apple’s fault despite government claims. ZDNet. https://www.zdnet.com/article/covidsafes-problems-arent-google-or-apples-fault-despite-government-claims/
Taylor, J. (2020, June 17). Australia’s Covidsafe coronavirus tracing app works as few as one in four times for some devices. The Guardian. https://www.theguardian.com/australia-news/2020/jun/17/covid-safe-app-australia-covidsafe-contact-tracing-australian-government-covid19-tracking-problems-working
Vatanparast, R. (2020). Data and the Elasticity of Sovereignty. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3609579
Watts, D. (2020). COVIDSafe, Australia’s Digital Contact Tracing App: The Legal Issues. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3591622
Wise, J. (2020). Covid-19: Scotland launches contact tracing app with England and Wales to follow. BMJ, m3566. https://doi.org/10.1136/bmj.m3566