Skip to main content

Contact Tracing Apps. How it works? Privacy Concerns with ArogyaSetu.

Contact Tracing apps alerts others (as well as the Government) that they may have been in contact with people carrying/infected with the Virus. Many Countries has released official apps for contact tracing. Lets see how it works and what are the security and privacy concerns with it. In this post, i specifically compares India's Arogya Setu contact tracing app with other Nation's contact tracing applications.
How it works?
The app can be download from the App/Play store. User has to manually install this.All these contact tracing app uses a set of permissions such as Bluetooth, storage, network access etc. However it primarily make use of Bluetooth Low Energy (BLE) protocol for contact tracing. It tries to measures how far you are from the other person( Usually 1.5 meters). The application checks and connect with other mobile phones installed with the application over Bluetooth. This data will be stored on the phones. This depends and differs on applications. for example UK's NHS stores the data for 28 days, the data will be stored and after that it will be deleted.
If you came in proximity of the affected person with in 21 days (normally), you will get notified. This notification process can be automated and manually. For example, Singapore does this manually whereas in Australia it is automated. No personal details are involved in the notification. Means It will not alert with whom(name) you came in contact with. Personal details remains anonymous.It will just sent a notification urging them to isolate or to contact the health officials.

What information usually the app collects?
While installing the application, it collects some details and verify the user as well. The details differs from apps to apps. Some common details collected are,
1) Mobile number
2) Full Name
3) Gender
4) Age
5) Postcode
6) GPS location access permission. (*controversial and exceptions, explained below)

Some Specifics
Most countries has considered the following specifics on contact tracing application.
  • Conduct Privacy Assessments related to the application and data collection.
  • Made the Source code is public, so that any vulnerabilities in that can be found and fixed ASAP, thereby making the app more secure.
  • Importance and need fort he application has communicated to their citizens.
  • Clarify data collection.
  • Seek active consent from the user on the application and data collection/usage.
  • Finally OPT-IN, Not MANDATORY.  
Now lets analyze Arogya Setu.
  • In India, at many places and organizations/departments, the installation  of Arogya Setu app has been made as compulsory. NOIDA city even went extreme with up to six months jail term if you don't install this Arogya Setu contact tracing application. Mostly all countries made their contact tracing as an opt-in option where as in India, the authorities are forcing the people to install it.
  • Now regarding to the use of GPS location services. This is the most controversial things with Arogya Setu Application. Mostly all other counties relies on the Bluetooth information and don't use or collect the GPS Location details. Because accessing the location services invades and might compromise a person's privacy. While installing Arogya Setu, you cant register or proceed further without giving access to the GPS Location services, and that also set as "Always". Means the location can be tracked via GPS continuously and it is indeed a surveillance. The retired Supreme Court judge, who heads the expert panel on data protection laws, said pushing the App would cause “more concern to citizens than benefit”. Accessing location data and any compromise to that can lead to huge privacy crisis.  Already a french hacker was able to illustrate and explain how these location details can be misused.
  • Make the code open source and develop the application based on open-source architecture. However the Government mulls open-source architecture for app.
In my personal opinion, if the intention is to control the COVID-19 spread and help people, then the Government can do things differently and much better. Take considering the privacy of citizens as a primary factor, use open-source architecture and thereby secure the application and use the funda of least privilege/need to know. Collect only what you need to achieve the objective. Other countries such as Singapore, Australia has done tremendous success with their contact tracing applications by considering their citizen's privacy.

Popular posts from this blog

Cisco ASA: Disable SSLv3 and configure TLSv1.2.

For configuring TLS v1.2, the ASA should run software version 9.3(2) or later. In earlier versions of ASA, TLS 1.2 is not supported.If you are running the old version, it's time to upgrade. But before that i will show you the config prior to the change. I am running ASA version 9.6.1 Now ,set the server-version to tlsv1.2, though ASA supports version tlsv1.1, its always better to configure the connection to more secure. Server here in the sense, the ASA will be act as the server and the client will connect to the ASA.     #ssl server-version tlsv1.2 set the client-version to tlsv1.2, if required.     #ssl client-version tlsv1.2 ssl cipher command in ASA offers 5 predefined security levels and an additional custom level.     #ssl cipher tlsv1.2 high we can see the setting of each cipher levels using #show ssl cipher command. Now set the DH group to 24, which is the strongest offered as of now in the ASA.     #ssl dh-group group24 An

How to Install Netmiko on Windows?

Netmiko, developed by kirk Byers is an open source python library  based on Paramiko which simplifies SSH management to network devices and is primarily used for network automation tasks. Installing Netmiko in linux is a matter o f one single command but if you need to use Netmiko in your Windows PC, follow this process. 1) Install the latest version of Python. 2) Install Anaconda, which is an opensource distribution platform that you can install in Windows and other OS's (https://www.anaconda.com/download/) 3) From the Anaconda Shell, run “ conda install paramiko ”. 4) From the Anaconda Shell, run “ pip install scp ”. 5) Now Install the Git for Windows. (https://www.git-scm.com/downloads) . Git is required for downloading and cloning all the Netmiko library files from Github. 6) From Git Bash window, Clone Netmiko using the following command git clone https://github.com/ktbyers/netmiko&#8221         7) Once the installation is completed, ch

RUST error: linker `link.exe` not found

While compiling Rust program in a windows environment, you may encounter the error : linker `link.exe` not found. This is because of the absence of the C++ build tools in your machine. For compiling Rust programs successfully, one of the prerequisites is the installation of the Build Tools for Visual Studio 2019.   Download the Visual Studio 2019 Build tools from the Microsoft website. After the download, while installing the Build tools, make sure that you install the required components (highlighted in Yellow) This will download around 1.2GB of required files. Once everything is successfully installed, reboot and re-run your rust program and it will compile successfully.   Read More on RUST Hello World Rust Program : Code explained RUST Cargo Package Manager Explained Data Representation in Rust.

What is a Gratuitous ARP? How is it used in Network attacks?

Many of us encountered the word "Gratuitous" while exploring the network topic on ARP, The Address Resolution Protocol. Before explaining Gratuitous ARP, here is a quick review on how ARP works. ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B shoots a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the same broadcast domain receive the ARP request, and Host A responds with its MAC address. We can see the ARP entries on our computers by entering the command arp -a . So, back to the topic on what is a Gratuitous reply, here is a better explanation. Gratuitous arp is when a device will send an ARP packet that is not a response to a request. Ideally a gratuitous ARP request is an ARP request packe

Recovery Procedure: Alcatel-Lucent Omni-Switch not booting AOS: Going to Mini-boot prompt.

Problem: Switch not booting AOS; Going to Mini-boot prompt. Model: Alcatel-Lucent OS6850 [Note:The same procedure might be applicable for different models of Omni-Switches, However, for this illustration, i have used OS-6850 ] Reason: This problem may occurs due to corrupt AOS image files or misconfigured boot parameters. Hence switch cannot boot the images properly and will go to Mini-boot prompt.  Work Around: [Note: This zmodem procedure consumes a lot to time to finish the process.] 1.) Power off your OS6850 2.) When you switched it back on, stop it before the Miniboot (there is some counter counting down from 4). Press Enter to break. 3.) You will have the following prompt " => " 4.) Enter " setenv baudrate 115200 ”. Increasing baudrate helps to increase the data transfer speed using zmodem. 5.) Enter " saveenv " 6.) Enter " boot " 7.) The switch should run now in baud rate 115200 (so you have to change your clients ter