Article

A Security and Privacy Scoring System for Contact Tracing Apps

The Department of Electrical and Computer Engineering, University of Western Ontario, London, ON N6A 3K7, Canada
* Author to whom correspondence should be addressed.
Academic Editor: Stefanos Gritzalis
J. Cybersecur. Priv. 2021, 1(4), 597-614; https://doi.org/10.3390/jcp1040030
Received: 10 September 2021 / Revised: 3 October 2021 / Accepted: 4 October 2021 / Published: 14 October 2021
(This article belongs to the Section Privacy)
Contact tracing applications have flooded the marketplace, as governments worldwide have been working to release apps for their citizens. These apps use a variety of protocols to perform contact tracing, resulting in widely differing security and privacy assurances. Governments and users have been left without a standard metric to weigh these protocols and compare their assurances to know which are more private and secure. Although there are many ways to approach a quantitative metric for privacy and security, one natural way is to draw on the methodology used by the well-known Common Vulnerability Scoring System (CVSS). For privacy, we applied consensus principles for contact tracing as a basis for comparing the apps' relative privacy practices. For security, we performed attack modeling to develop a rubric to compare the security of the respective apps. Our analysis shows that centralized Bluetooth with added location functionality has low privacy and security, while non-streaming GPS scored high in security and medium in privacy. Based on our methodology, only two apps were given a high ranking of privacy: Canada’s Covid Alert and Germany’s Corona Warn-App. They both used the Google/Apple Notification Framework as the basis for their design. To achieve comparable privacy, we recommend that future projects follow their examples in the following ways: minimizing the amount of data they collect and holding it for the shortest possible length of time; only having features necessary for the app’s main function; and releasing design details so that users can make informed decisions.
Keywords: contact tracing; security; privacy

MDPI and ACS Style

Krehling, L.; Essex, A. A Security and Privacy Scoring System for Contact Tracing Apps. J. Cybersecur. Priv. 2021, 1, 597-614. https://doi.org/10.3390/jcp1040030
