Privacy Guidelines for Contact Tracing Applications

TL;DR

This paper discusses privacy challenges in contact tracing apps, analyzes existing solutions, identifies threat actors, and proposes comprehensive privacy guidelines from multiple stakeholder perspectives to enhance trust and adoption.

Contribution

It introduces the first generic set of privacy guidelines specifically tailored for contact tracing applications, addressing various scenarios and stakeholder concerns.

Findings

Analysis of privacy implications in existing contact tracing apps

Identification of threat actors and potential misuse of data

Proposed comprehensive privacy guidelines for stakeholders

Abstract

Contact tracing is a very powerful method to implement and enforce social distancing to avoid spreading of infectious diseases. The traditional approach of contact tracing is time consuming, manpower intensive, dangerous and prone to error due to fatigue or lack of skill. Due to this there is an emergence of mobile based applications for contact tracing. These applications primarily utilize a combination of GPS based absolute location and Bluetooth based relative location remitted from user's smartphone to infer various insights. These applications have eased the task of contact tracing; however, they also have severe implication on user's privacy, for example, mass surveillance, personal information leakage and additionally revealing the behavioral patterns of the user. This impact on user's privacy leads to trust deficit in these applications, and hence defeats their purpose. In this work we discuss the various scenarios which a contact tracing application should be able to handle. We highlight the privacy handling of some of the prominent contact tracing applications. Additionally, we describe the various threat actors who can disrupt its working, or misuse end user's data, or hamper its mass adoption. Finally, we present privacy guidelines for contact tracing applications from different stakeholder's perspective. To best of our knowledge, this is the first generic work which provides privacy guidelines for contact tracing applications.