This week, the UK government was given the green light to collect mobile data of British citizens to try and bring a halt to the spread of the coronavirus. While many may see this as a breach of privacy, the independent privacy watchdog, the Information Commissioner’s Office (ICO), has granted permission for this to go ahead.
Initially, the government had enquired about leveraging the data from mobile phones to observe and track whether the public was adhering to the social distancing recommendation, in a bid to prevent the spread of the coronavirus.
However, privacy advocates have been swift in voicing their anger regarding the steps the government is taking, stating that more transparency and explanation were required so that public trust wasn’t damaged, especially with the network providers.
It has been reported that BT and O2 have held talks about handing over required data for a project designed to observe trends in public movements, but they have declared that any data given will not be used to track individuals and that there are no plans for this in the future.
Other nations have taken this drastic measure to monitor COVID-19 contact tracing, with Israel being the latest to do so. Israel’s Prime Minister, Benjamin Netanyahu, passed an emergency law, bypassing parliamentary approval, that allowed the use of mobile data to track those infected with coronavirus in a bid to locate and quarantine them.
Whether the U.K. government will be forced to follow such a procedure, only time will tell.
The following cybersecurity professionals have had their say on the matter:
Jonathan Deveaux, Head of Strategic Partnerships – Enterprise Data Protection at data-security specialists, comforte AG:
“The COVID-19 pandemic is disrupting the way companies work and many employees are now being required to work from home. Unfortunately, not all employees while at home operate on secure networks, nor are they using a secure device supplied by the company. Some companies are ‘adding’ apps on home-based desktops, or they are requiring employees to download apps on their mobile devices – both of which may have previously been used mainly for non-work activities.
This is an extremely difficult security challenge, especially when confidential and sensitive company-restricted data is accessed via numerous technologies and stored in different locations. Shifting approaches from ‘SECURE the TECHNOLOGY,’ to ‘SECURE the DATA,’ may help reduce the threat of data loss or exposure when (not if) a cyber-attack happens, regardless if the data is accessed via a mobile app or stored in a cloud database. ‘Securing the DATA’ means that as soon as data is classified as confidential or sensitive (think names, address, payment info, healthcare records, company account info, etc.) that data is immediately protected.
This approach doesn’t have to wait until the data is correlated, centralized, or written to various databases; protection is applied to the data immediately. It matters less if systems are updated with the latest patches, if cloud security is turned on, or if database access permissions are granted. When companies focus on securing the data, on top of securing the devices, apps, and systems, cybersecurity risks and sensitive data losses of any magnitude may be significantly reduced.”
Niamh Vianney Muldoon, Senior Director of Trust and Security at OneLogin:
“From a privacy perspective, once the UK Government can provide individuals with ‘privacy trust assurance’ I see this technology as a great enabler to tackle the coronavirus pandemic. By privacy trust assurance I mean two things: Firstly, that the individuals’ data is only being used for the purpose that it is collected, in this case to track virus infection. And secondly that the individuals’ data is being protected as it is collected, purposed and stored by the app; by this I mean that the appropriate security controls are applied to the app, for example, access control technologies and encryption.
It is vital that apps like this containing individuals’ most sensitive health data are designed with both security and privacy in mind. Bear in mind that more rush can also lead to less speed. Rigorous security testing is needed prior to an app like this going into production and being released for public usage. Not designing security and privacy into the app could result in security and privacy holes.”
Tom Davison, Technical Director International at Lookout:
“Mobile technology offers great potential to aid the fight against the spread of COVID-19 and state-sponsored apps have already been deployed in a number of countries worldwide. Indeed, many users will want to do everything they can to support such initiatives and will be quick to sign up.
It is vitally important, however, that the public takes the time to understand the personal information they will be sharing and how it will be used, both now and in the future. This is not always easy for the average user, so the government will need to ensure that their privacy policies are extremely clear, up front and easy to understand if they want to encourage mass participation.
Many users do not consider just how effective mobile devices can be at tracking and monitoring their owners, equipped as they are with a multitude of sensors. Once data from millions of devices is collected, uploaded and correlated together it becomes enriched and even more powerful. As such it is critical that all of the privacy implications are carefully thought through even with the current sense of urgency. This is a fast-moving picture and we must not make rushed decisions that could have long-term impact for UK citizens.
In the UK, the government will need to operate within the bounds of GDPR and the Information Commissioner’s Office is there to monitor adherence with regulations. It is also understood that use of the app will be on a voluntary basis. The hope is that the government will do a great job of addressing privacy concerns to ensure that this becomes the success it could be.
Another serious concern is the number of phishing campaigns and malicious apps that have surfaced recently in relation to COVID-19. Attackers are quick to try to exploit our sense of fear and our hunger for up-to-date information on the virus. This may prompt us to click links or install apps without due diligence. It is vital the government app is well signposted to prevent users inadvertently installing the wrong thing, causing them to share data with an unintended third party.”