CoronApp, the digital security problems that the application has – ELESPECTADOR.COM

Experts have detected problems in the design and operation of the application. There are issues that concern digital security, information privacy and, in general, the transparency with which it has communicated what the information of the users will be used for and will use. Analysis.

CoronApp is the technology arm in the Government’s strategy to face the expansion of the new coronavirus. In essence, it is an application that seeks to provide information to the citizen about COVID-19, but it was also designed as a method to start identifying healthy or infected populations on a large scale.

Its scalability and massive application may be two of its great attractions and, at the same time, they are the aspects that most concern researchers and analysts who have been examining the scope of these and other similar tools.

Also read: Net neutrality and other luxuries in the pre-COVID-19 world

In the background, the app It is the Colombian adaptation of a strategy that is being implemented in other countries, such as South Korea; country where much of the CoronApp design inspiration came from, according to official information.

In addition to CoronApp, more localized versions are also available, but with similar characteristics in Medellín (Medellín me Cuida) and in Valle del Cauca (CaliValle Corona).

The Karisma Foundation, through its digital security laboratory (K + Lab), has led the analysis of this type of tool and has detected problems in issues of digital security and information privacy, as well as transparency in its development, among other aspects.

The research was done with the aim of knowing first-hand how they considered the privacy of the people who use these tools. The accompanying documents were searched and the code or what can be seen of it was also revised. Static analyzes of the installers were made of the HTML / javascript code and tools were used to analyze the data traffic that is exchanged between mobile devices or web pages and the servers.

It is important to highlight that all the technical tests applied by the K + Lab team are non-intrusive. In other words, it is not a penetration test, but an analysis of what can be seen internally or externally in the application or the web page. Something like seeing and not touching.

CoronApp: some technical details

This app is an inheritance from another app Brazilian that was used in the 2014 World Cup to track epidemics, in those times of dengue, Zika and Chikungunya and that the Colombian National Institute of Health tried to implement for those same purposes. In the end, what was left of this application quickly became CoronApp. The latest version of the app revised for this analysis was 1.2.32 (the last update was on May 4, version 1.2.40).

The question then is that this app not only inherited the functionality of the original version, but a code that was specific to Brazil, which included trackers, connections with Facebook and Google, permission to access the contacts, which had nothing to do with their current function. It is worth clarifying that in the response that the National Digital Agency gave to this analysis there is a commitment to destroy the data that would have been collected in the previous versions of the application and that are no longer required in the new versions, such as ethnic origin of registered people and phone contacts on the cell phone.

One of the first things that stand out about the application is the number of permissions that it asked for, apparently unnecessary, but that were still included hinting at future features. In short, the app It had the potential to see the phone’s contact list, its location, and asked for Bluetooth management permissions, which were to be used to apply the famous proximity contact tracking (contact tracing). This is that the phone will start connecting with others to exchange information and find out what other devices are nearby. In the background, there was never clarity on who will have access to that information and under what conditions, but all of this is there ready to be activated.

Also read: Catalina Botero will co-direct Facebook’s Supervisory Board

Being a tool that will respond to an emergency and, therefore, must be limited in scope, there is no precise definition of who will be able to access this data, the provision only repeats the legal exception rule that allows any public entity or administrative access to personal data, when the correct thing would be to establish a more specific commitment.

For the reviewed version, the traffic analysis of the application did not offer many problems, because originally the application sent and received the traffic by HTTP, without SSL. In other words, the movement of information was done without encryption, the minimum security that in this type of products is something that is designed by default to guarantee some privacy for users and more taking into account the sensitivity of the data. that are handled.

Earlier this week, the Reuters agency reported that the government canceled the contact tracking functionality with which the application had originally been designed. The decision, apparently, is to use the technology that is being developed by Apple and Google (the owners of the dominant mobile operating systems on the market).

Lack of information

The development of any technological solution must be guided by objectives that help measure its effectiveness and utility. It is very important to communicate these objectives to publicize what the tool is and what it does.

In this analysis process, the absence of public information was identified that allows understanding what the purpose of these tools is and how they are integrated into the strategy. Understanding what they really do will serve to inform the debate on the use of applications in the country.

The public announcements that the rulers make in Colombia about the role of the applications essentially focus on the monitoring functions of the tools with very poor explanations about their articulation with the rest of the strategy for the pandemic. Rather than monitoring the spread of the virus, it seems that we are being asked to trust that technology will help by monitoring people. Rather than analyzing the models of the applications that are deployed around the world to select and define which will be the “Colombian-style” version, the race against time seems to be because our solutions include all the functions that exist in the world.

What worries us most is that technology is known not to replace good public policies. Deploying technology based on illusions of results can generate more problems than benefits, in addition to a deeper crisis by breaking the trust placed in them.

Also read: Zoom will require default passwords for all video calls

It is necessary to understand what applications do and how they do it, why incorporate functionalities that represent significant risks – such as proximity contagion tracking and mobility passports – without being part of a comprehensive public policy strategy that addresses their technical limitations and especially the great social risks involved.

In the midst of the natural fear that a situation like the one that exists exists, part of the citizenry is willing to exchange some of their privacy for having information and are willing to contribute data to monitor the contagion to applications that seek in the context of pandemic.

That act of faith in handing over their information, their location, their medical data and probably even who they are with, where and when, should elicit a supremely responsible response from the entities that are receiving this great trust. These exercises should be the starting point for a significant improvement in the data processing that public entities do in this emergency and that they are at the technical level that this situation deserves.

* Carolina Botero, Pilar Sáenz, Stéphane Labarthe and Andrés Velásquez.

** The original texts of this analysis can be found here and here.