Data protection and IT security for corona tracking apps
Even if it’s not directly related to Splunk, it’s still related to data protection and IT security: together with a group of various experts from the Cybersecurity Focus Group at digitalHUB Aachen, we have developed a concept for how the recently much-discussed apps for collecting data on the spread of corona can be designed so that data protection and IT security are also guaranteed. The developers of such apps assure us that the apps work anonymously, but do we know exactly what they mean by “anonymous” and whether the anonymized data can be linked back to individuals? The Cybersecurity Focus Group concept discusses various approaches to technical implementation and evaluates them in terms of balancing privacy and IT security against statistical data collection on the spread of corona:
To contain the COVID-19 pandemic (“Corona”), knowledge of contacts with infected individuals is essential. Due to the difficulty of tracing such contacts, proposals are increasingly emerging to harness the potential of existing technologies such as smartphones for this purpose.
The physical proximity of people to each other could be determined automatically in this way and infection paths evaluated. This could be critical to slowing the spread not only in the current COVID-19 situation, but also in future pandemics.
To prevent such tracking technologies from being abused for blanket surveillance of citizens, privacy, data protection and IT security must be taken into account from the outset and in the interests of the user.
In general, there are two main use cases to consider: the overall statistical view, which enables a global assessment of pandemic development and spread, and the assessment of personal infection risk for the individual user.
The Cybersecurity Focus Group of the digitalHUB Aachen, an association of IT security specialists from companies and organizations in the Aachen region, has set itself the goal of supporting the development of tracking solutions that comply with data protection and IT security requirements and evaluating proposed approaches in this regard.
This results in a number of requirements that must be taken into account during development. The focus group produced the discussion paper presented here, which can now be used in the course of further work to discuss how such an app and its central data storage could be structured in order to protect users’ privacy rights. To this end, the document presents various technically conceivable approaches and evaluates the respective advantages and disadvantages.
With this knowledge and the upcoming discussion points, the group would now like to get involved in the development of such solutions. In this context, other approaches that are currently being developed and discussed in the media will also be looked at more closely, discussed and evaluated, and cooperation will be offered to these groups. The goal is to incorporate the Cybersecurity Focus Group’s expertise in IT security and user privacy into the app. The group assumes that, irrespective of apps already on the market, there will be reasons to add further functions to them, and that it will thus be able to make a constant contribution to these developments.
The document does not claim to describe all legal, technical and organizational aspects in full and conclusively, but is continuously updated (work in progress). The focus group invites you to enter into a dialogue on this (Request for Comments).