Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • apa.csl
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Privacy Analysis of COVID-19 Contact Tracing Apps in the EU
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). (PriSec)ORCID iD: 0000-0003-1750-649X
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). Blekinge Institute of Technology.ORCID iD: 0000-0002-5235-5335
2021 (English)In: Secure IT Systems: 25th Nordic Conference, NordSec 2020, Virtual Event, November 23–24, 2020, Proceedings / [ed] Mikael Asplund and Simin Nadjm-Tehrani, Springer, 2021, p. 213-228Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents results from a privacy analysis of COVID-19 contact tracing apps developed within the EU. Though these apps have been termed advantageous, concerns regarding privacy have become an issue that has led to their slow adoption. In this empirical study, we perform both static and dynamic analysis to judge apps’ privacy-preserving behavior together with the analysis of the privacy and data protection goals to deduce their transparency and intervenability. From the results, we discover that while the apps aim to be privacy-preserving, not all adhere to this as we observe one tracks users’ location, while the other violates the principle of least privilege, data minimisation and transparency, which puts the users’ at risk by invading their privacy.

Place, publisher, year, edition, pages
Springer, 2021. p. 213-228
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 12556
Keywords [en]
Privacy, COVID-19, Contact Tracing Apps
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-83327DOI: 10.1007/978-3-030-70852-8Scopus ID: 2-s2.0-85103585121ISBN: 978-3-030-70852-8 (print)OAI: oai:DiVA.org:kau-83327DiVA, id: diva2:1533968
Conference
NordSec: Nordic Conference on Secure IT Systems
Projects
DigitalWell ResearchAvailable from: 2021-03-04 Created: 2021-03-04 Last updated: 2022-05-03Bibliographically approved
In thesis
1. Privacy and Security Analysis: Assessing Risks and Harm to Patients
Open this publication in new window or tab >>Privacy and Security Analysis: Assessing Risks and Harm to Patients
2022 (English)Licentiate thesis, comprehensive summary (Other academic)
Alternative title[sv]
Analys av Personlig Integritet och Informationssäkerhet : Bedöma Risker och Skador på Patienter
Abstract [en]

Disruptive technologies in the form of e-Health or electronic healthcare (the use of information technology in health) have the ability to provide positive implications to both patients and healthcare professionals. Recently, public health agencies deployed contact tracing apps with the aim of curbing the spread of COVID-19, by aiding manual contact tracing, and lifting restrictions. Despite this, their ubiquitous nature in the sector has opened doors to new threats in the area of information security and privacy, where these apps, for instance, contain security and privacy risks such as violation of the principle of least privilege, which when exploited can cause privacy harms to the user, for example, re-identification of users.

In general, information security and privacy in the healthcare sector is essential due to the nature of the data they process, and the need to keep the patient safe. While this is so, the general security posture of the sector, which is poor due to its under-financing in IT security among other reasons such as the use of legacy systems, makes it vulnerable to cyber-attacks that end up with exfiltration of personal health data, among other data, for instance, relevant research data. Such data can be misused incurring privacy harm to patients that have been affected by the breach.

This thesis follows an experimental approach to assess the privacy and security risks of m-Health apps, with the selected case study of these m-Health apps, that is, COVID-19 contact tracing apps. In addition, it also contributes with a theoretical approach to assessing impacts and consequences in the healthcare sector, including what harms patients could face in the event of a state-sponsored cyber-attack. In addition, the research aims at contributing to the field by proposing a sector-specific model that can be used to evaluate the impact on the privacy of patients affected by a data breach.

Abstract [sv]

Störande teknologier i form av e-hälsa eller elektronisk sjukvård (användning av informationsteknologi inom hälsa) har förmågan att ge positiva implikationer för både patienter och vårdpersonal. Folkhälsomyndigheter har nyligen implementerat så kallade kontaktspårningsappar i syfte att hindra spridningen av COVID-19, genom att bidra till manuell kontaktspårning och införande av restriktioner. Trots detta har deras allmänt förekommande natur i sektorn öppnat dörrar för nya hot i områdena informationssäkerhet och personlig integritet, Där dessa appar, till exempel, innehåller säkerhets- och integritetshot såsom brott mot lägsta prioritetsprincipen (eng. principle of least privilege), som, när exploaterad, kan orsaka personlig integritets-skador för användaren, exempelvis återidentifiering av användare.

Generellt kan sägas att informationssäkerhet och skydd av personlig integritet inom hälso- och sjukvården är absolut nödvändigt med tanke på egenskaperna hos de personuppgifter som behandlas, och behovet av att skydda patienten. Trots detta gäller att sektorns generella hållning , som är svag på grund av dess underfinansiering av IT-säkerhet bland andra skäl på grund av användning av gamla system, gör dem sårbara för IT-angrepp som slutar med exfiltrering av persondata, bland annat forskningsdata. Sådana data kan missbrukas och därmed orsaka skada för de patienters som drabbats.

Avhandlingen argumenterar för att hälso- och sjukvårdssektorns låga kvalitet på informationssäkerhet kan leda till att säkerheten och integriteten hos hälsodata, särskilt personlig hälsodata, kan exploateras för att orsaka integritetsskador inte bara från opportunister eller hacktivister, utan också från angripare som sponsras av stater, som exempelvis Fancy Bear i fallet World Anti-Doping Agency år 2016. Det följer ett experimentellt tillvägagångssätt för att säkerställa påverkan och konsekvenser i vårdsektorn, inklusive vilka skador patienter skulle kunna möta om ett angrepp sponsrad av ett annat land skulle ägan rum. I grunden visar forskningen på de kritiska och signifikanta egenskaperna i sektorn och den påverkan en IT-angrepp skulle ha på individer och på sektorn själv. Dessutom strävar forskningen efter att bidra till området genom att föreslå en sektorspecifik modell som kan användas för att evaluera påverkan på de patienters personliga integritet som drabbats av ett dataläckage.

Place, publisher, year, edition, pages
Karlstads universitet, 2022. p. 25
Series
Karlstad University Studies, ISSN 1403-8099 ; 2022:19
Keywords
Privacy, Security, e-Health, Risks, Harms, Personlig integritet, Informationss ̈akerhet, e-h ̈alsa, Risker, Skador
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-89688 (URN)978-91-7867-292-9 (ISBN)978-91-7867-303-2 (ISBN)
Presentation
2022-06-10, 21A342, 10:15 (English)
Opponent
Supervisors
Available from: 2022-05-20 Created: 2022-05-03 Last updated: 2022-10-04Bibliographically approved

Open Access in DiVA

fulltext(1060 kB)60 downloads
File information
File name FULLTEXT01.pdfFile size 1060 kBChecksum SHA-512
27c2f552fcfcbfb2c98f46391c36af391386c06f1baa57eaee71ec0d0cb173f10c64882a09adf105e497c7f896a461bfedcbe27bc4c252ffbd8ac356d1821ba9
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopus

Authority records

Wairimu, SamuelMomen, Nurul

Search in DiVA

By author/editor
Wairimu, SamuelMomen, Nurul
By organisation
Department of Mathematics and Computer Science (from 2013)
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 60 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 278 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • apa.csl
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf