Are you considering bringing your workforce back into the office? It’s a big decision that comes with significant considerations. How will your office be set up? What safety precautions are in place? What are the cybersecurity implications? And, one you may not have even considered: Will you use contact tracing apps? That last one is what I want to discuss because those apps may be a critical tool for firms to expedite reopening safely. It’s pivotal to understand their efficacy and the cybersecurity concerns related to them.
Location-based vs. Proximity-based Apps
There are two main types of contact tracing apps: location-based and proximity-based. Location-based apps use the app user’s location data to determine if they have recently been near someone who has tested positive for COVID-19.
Proximity-based apps, supported by the API built by the partnership between Google and Apple, use Bluetooth Low Energy (BLE) technology to determine if a user has been near someone who has reported a positive test result for the virus. BLE works by “pinging” nearby devices that are also using the app and analyzing the signal strength to determine an approximate distance between the two devices. If the two devices are close enough for long enough, they exchange “tokens,” which are random sequences of numbers used to identify the device without providing personal information on the device or its user. The app then stores the tokens of all devices that meet the distance and time criteria. If a user reports a positive test result, all devices with that user’s token are notified.
One primary concern with contact tracing apps is how they protect the privacy of their users. Location-based apps store location data for each user, which presents a host of privacy concerns. App developers have to figure out how to guarantee that users’ location data will not end up in the wrong hands—think cybercriminals, advertisers, and foreign intelligence services.
On the other hand, proximity-based apps don’t store any location data. Many apps, including those built on the Apple/Google API, change the token associated with each user frequently enough to reduce the risk of identifying an individual user.
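The token exchange and rotation described above can be modeled in a few lines. This is an added example, not code from the Apple/Google API or any real app; the thresholds, the class and the function names are assumptions chosen for illustration.

```python
import secrets

# Assumed thresholds for illustration; real apps tune these values.
ROTATION_SECONDS = 15 * 60     # how often a device switches to a fresh token
MIN_RSSI_DBM = -65             # signal strength standing in for "close enough"
MIN_CONTACT_SECONDS = 10 * 60  # "long enough"

class Device:
    def __init__(self):
        self._own = {}        # rotation interval -> random token broadcast then
        self._sightings = {}  # heard token -> times it was heard nearby
        self.stored = set()   # tokens that met both criteria; no names, no GPS

    def token_at(self, t):
        """Token broadcast at time t (seconds); a new random one per interval."""
        interval = t // ROTATION_SECONDS
        if interval not in self._own:
            self._own[interval] = secrets.token_hex(16)
        return self._own[interval]

    def hear(self, token, rssi_dbm, t):
        """Record a beacon; keep the token only once distance and time are met."""
        if rssi_dbm < MIN_RSSI_DBM:
            return  # too weak: treated as too far away
        times = self._sightings.setdefault(token, [])
        times.append(t)
        if times[-1] - times[0] >= MIN_CONTACT_SECONDS:
            self.stored.add(token)

    def report_positive(self):
        """Tokens released after a positive test: random values only."""
        return set(self._own.values())

    def exposed(self, published):
        """Matching happens on the device against its own stored tokens."""
        return bool(self.stored & published)

def simulate():
    # Constructed scenario: one beacon per minute from a user who later tests positive.
    alice, near, far, brief = Device(), Device(), Device(), Device()
    for t in range(0, 12 * 60, 60):
        near.hear(alice.token_at(t), -55, t)   # close for 12 minutes
        far.hear(alice.token_at(t), -85, t)    # same duration, weak signal
        if t < 3 * 60:
            brief.hear(alice.token_at(t), -55, t)  # close for 3 minutes only
    published = alice.report_positive()
    rotated = alice.token_at(0) != alice.token_at(ROTATION_SECONDS)
    return {d: dev.exposed(published) for d, dev in
            [("near", near), ("far", far), ("brief", brief)]}, rotated
```

Only the device that was both close and present long enough is flagged, and nothing any device stores or publishes is more than a random value.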
Due to the privacy concerns of location-based apps, proximity-based apps have a higher likelihood of acceptance from the general public.
Reliability & Accuracy
So, which one should you consider the most viable? When evaluating the usefulness of the two types of apps, ask yourself if the app can reliably determine if two users are within six feet of each other. Location-based apps rely on GPS and cell-tower data, which is not granular enough to determine if two users were within six feet of each other. Proximity-based apps are not a silver bullet either, as the technology they use to determine proximity, BLE, has an uncertain detection range, which raises concerns about their accuracy.
Both types of apps must determine how users can report a positive result. Some apps require health officials to certify that a user is infected before they will alert other app users. This will likely slow down the process of alerting users, which is the app’s core function. Some apps allow users to self-report positive test results or symptoms, which will likely result in more false positives and present a vector for disruption. If enough false positives are fed into the app, the app can be rendered useless.
Another major factor in the value of either type of app is its user base—the more users on an app, the more likely it is to provide useful information.
The following are some questions firms should be asking when considering implementing contact tracing apps into their reopening strategy:
- If the app your firm chooses is not widely used in your geographic area, is it effective? Epidemiologists from the University of Minnesota explain that high infection rates, such as what we are currently experiencing in the US, make tracking the disease difficult. We may have to wait for infection rates to drop before the apps prove useful.
- If your firm chooses to wait to use a contact tracing app, what factors will warrant revisiting the decision?
- What responsibility does your firm have to its users if personal information is leaked or stolen from the app?
- Can your firm mandate the use of a contact tracing app? If so, are employees required to self-report alerts from the app?
- How will your firm handle notifications to third parties who might have been exposed?
- When employees receive an alert, what happens? Are they required to self-isolate? Is there a section of the office where potentially exposed employees can work? If your firm is considering changes to the office layout, ensure all the risks are considered before implementing changes.
Your firm’s return to operational normalcy needs to be deliberately planned and carefully executed. Contact tracing apps may or may not ultimately play a part in your firm’s plan for returning to on-premises operations.
Given what we know, proximity-based apps are more reliable and pose less risk to user privacy. So, how do they fare in real-world implementation? Several countries and states have rolled out apps with varying levels of success. Ireland’s contact tracing app launched on July 7th and has seen some early success in adoption rates, which is the first hurdle—employees and the general public have to use the app for it to be successful. It’s encouraging to see early adoption in a country-wide app launch.
Virginia was the first state in the US to launch a contact tracing app based on the Apple/Google API. On the other hand, Utah shut down their first attempt at collecting data from visitors within 72 hours of its launch when the system was unable to determine the location of users within several miles. Though these apps show promise, there is not enough data to determine how effective they have been at flattening the curve.
Given the widely varying responses to contact tracing apps by countries across the globe and states in the US, the jury is still out on the usefulness of these apps in fighting COVID-19. With no federal direction and varying levels of commitment between states, it’s clear that every firm will ultimately have to decide what role contact tracing apps will play, if any, in allowing employees to return to the office. There is no single solution to this problem. Still, by evaluating the available options and making an informed decision, your firm can ensure it adequately responds to this pandemic and learns enough from it to be prepared to maintain business continuity when a similar scenario occurs in the future.
As you work through your plan and execution, give us a call. Agio’s team of hedge fund and private equity cybersecurity and managed IT service experts has your back. Our vCISOs can provide guidance and insight as you navigate your way through the many questions related to returning to on-premises operations.