The new Covid tracker app was launched this week.

Covid app privacy concerns

The risk of a new Covid-19 tracker app being used for malicious reasons exists and could be disruptive for schools and businesses, a cyber expert at UCC has said.

The Covid Tracker App for Ireland was launched on Tuesday by the Health Service Executive and the Department of Health with the hopes that it will enhance existing contact tracing measures by enabling users to identify close contacts and to alert those who are using the app of the need for Covid-19 testing as quickly as possible.

It’s expected that the app will be downloaded more than one million times this week with Dr Paul Reid, CEO of the HSE yesterday (Wednesday) tweeting that it was by far the most successful launch of this type of app anywhere in the world.

“Please keep it going and protect everyone by downloading it now,” his tweet added.

However, concerns have been expressed about how it tracks users and how the app could be used in malicious ways especially given that it is a health app helping to trace a serious virus.

Dr Paolo Palmieri, a lecturer in cyber security at UCC, told the Cork Independent that concerns about the app weren’t specific to just the Irish version and could be applied to any country’s Covid-19 tracing app.

He said: “Because of the way Apple and Google designed the services that enable contact tracing, the possibility for the HSE for example to monitor people is quite limited. That is because Apple and Google have a centralised approach to the application whereby it’s the phone itself that is doing most of the job rather than a central server controlled by the HSE or health authority.

“However, it’s the users that have the possibility to infringe on another person’s privacy. For example if you were wondering if I had the virus all you would have to do really is find a spare phone, install the app on it and make sure that Bluetooth is disabled on the phone so it wouldn’t record any contact because the app relies on Bluetooth to work. When we meet, you turn on the phone’s Bluetooth so that our contact is recorded and when we part ways, the Bluetooth is disabled again. Then, if you ever receive a notification on the phone that you’ve come across someone with the virus then you would know it’s me.”

He added that businesses could use that technique when interviewing people using a separate phone for each interview. Interviewers would be alerted if a potential employee had the virus.

When asked about the Covid-19 app versus social media apps, Dr Palmieri said that social media apps are more invasive when it comes to privacy. 

However he added that social media apps are used mostly for entertainment purposes and it wouldn’t be as bad if something went wrong with those apps compared to this new tracing app because it is being used for health purposes.

He said: “The risk of something bad happening exists but it is limited and I’m sure the HSE has very good protocols in place. But it could be very problematic if something did go wrong.”

He went on to further explain that it could be possible for someone to maliciously set up a false alert on someone’s phone telling them that they were near someone with the virus.

He added: “This could be highly disruptive if the person was working for a big company and all of the employees had to stay at home for two weeks because of this false alert. The same with could be done with a college or school where all staff and students were sent home. We’ve seen several incidents of this happening in South Korea where schools closed because of a false alert.”

When launching the app on Tuesday, the Department of Health (DOH) said that the app has been “developed with privacy by design at its core, employing a decentralised model”.

A DOH spokesperson said: “This means that it will record if a user is in close contact with another user by exchanging anonymous codes. If a person tests positive for Covid-19, they can choose to anonymously alert other app users who they have been in close contact with. Close contact data is stored on the users’ phone and not a Government server.” See covidtracker.gov.ie/ to download the app.