If governments don’t focus on strong privacy protections in their COVID-19 contact tracking tools, it could exacerbate domestic abuse and endanger survivors, according to a warning from women’s support charities.
They’ve urged the U.K. government to include domestic abuse and violence against women and girls (VAWG) experts in the development of such initiatives.
Though the U.K. doesn’t yet have a widely available track and trace app, the charities – including Women’s Aid and Refuge – are already anxious enough about the current tracing program, where infected people are called up and asked to register themselves online as someone who has contracted COVID-19. They’re then asked to share details on people with whom they’ve been in contact so they too can be informed.
In a joint whitepaper, the nonprofits said they were anxious about contact tracing staff inadvertently leaking contact details of survivors to perpetrators. They also raised fears the program could be turned into a “tool for abuse.”
“For example, perpetrators may make fraudulent claims that they have been in contact with survivors in order for them to be asked to self-isolate unnecessarily, and in these circumstances survivors will have no means to identify the perpetrator as the original source,” they warned. “Perpetrators or associates may also pose as contact tracing staff and make contact with victims [or] survivors requesting they self-isolate or requesting personal information.”
The paper also claims abusers are already using the coronavirus pandemic for “coercive control,” in some cases deliberately breathing, spitting and coughing in survivors’ faces. As Forbes previously reported, the sharing of child abuse material has also spiked during global COVID-19 lockdowns.
As for apps, the report warned they required location services to be switched on. “While the NHS app itself doesn’t collect location data, if a perpetrator has installed spyware onto a survivor’s phone or is able to hack into it, then turning on location services will expose their location.”
Problems with Palantir?
The charities also raised concerns about a number of companies who’d partnered with the U.K. on the contact tracing initiatives. They said Serco, which is handling recruiting for contact tracing staff, “has a significant track record of failings and human rights violations, including running a controversial women’s immigration detention centre where staff have been accused of sexual misconduct and involvement in unlawful evictions of asylum seekers.” Serco also recently had to apologize for leaking email addresses of contact tracer staff.
Serco denies that it has any kind of significant track record of failing and human rights violations and that the evictions to which the charities are referring were in Scotland and were ruled legal. It also said that in seven years there had been no substantiated complaints about any sexual wrongdoing at the Yarl’s Wood immigration removal centre, where reports had revealed allegations.
“We are proud to be supporting the government’s test and trace programme with our Tier 3 contact centre team working from pre-approved Public Health England scripts. This is important work and we would like to thank all our teams who have stepped forward. In just four week we mobilised many thousands of people, which is a huge achievement, and we are focussed on ensuring that all our people are able to support the government’s programme going forwards,” a Serco spokesperson said.
Palantir, the $20 billion big data crunching business, also raised an eyebrow. The company, which has secured millions of dollars in contracts to help health agencies manage the outbreak, has come in for criticism for assisting U.S. immigration authorities on finding and rejecting illegal aliens.
Palantir hadn’t responded to a request for comment at the time of publication.
UK’s delayed COVID-19 app
The charities’ warning comes as the U.K. announced its contact tracing app would be shifting to the Apple and Google models, which promise stronger privacy protections than the app being tested by the government. The main difference is in where user information goes. In the government’s app, anonymized phone IDs of both the infected person and the people they’ve been near are sent to a centralized server, which determines who to warn about possible COVID-19 infection.
In the Apple and Google model, only the phone ID of the infected person is sent to a centralized database. The phone then downloads the database and decides where to send alerts. The latter means the government has access to far less data on people’s phones, pleasing some critics but aggravating the government.
Health secretary Matt Hancock said on Thursday that Apple’s restrictions on third-party apps’ use of Bluetooth may’ve been one reason the government’s own app wasn’t as successful as hoped. Bluetooth is being used to determine whether an infected person has been in close proximity with another person’s phone.
Earlier this week, Amnesty International cybersecurity researcher Claudio Guarnieri warned that global rollouts of contact tracing apps were a privacy “trash fire.” After analyzing 11 apps, he found many contained privacy shortcomings. So concerned was Norway that it suspended its tool.
Even with lockdowns easing, those who’re infected are still being advised to isolate. However, the NHS guidance says that “the household isolation instruction as a result of Coronavirus (COVID-19) does not apply if you need to leave your home to escape domestic abuse.” That message may not have been amplified as much as it should’ve been.
I’m associate editor for Forbes, covering security, surveillance and privacy. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist of the year in 2012 and 2013 for a range of exclusive articles, and in 2014 was handed Best News Story for a feature on US government harassment of security professionals. I like to hear from hackers who are breaking things for either fun or profit and researchers who’ve uncovered nasty things on the web. Tip me on Signal at 447837496820. I use WhatsApp and Treema too. Or you can email me at TBrewster@forbes.com, or firstname.lastname@example.org.