One of the main issues that massive data processing might involve is the exposition of personal data to unauthorized third parties. A data breach could cause dramatic harm to thousands or millions of users, whose privacy could be compromised. For instance, in Qatar a security flaw in their national contact tracing app exposed sensitive personal details of more than one million people in May 2020.[1]
These risks must be mitigated through the implementation of technical and/or organizational security controls. Technical measures include -but are not limited to- the use of state-of-the-art cryptographic techniques, able to secure the data stored in servers and applications, exchanges between applications and the remote server. Mutual authentication between the application and the server must also be performed. If the application reports users, this must be subject to proper authorization, for example through a single-use code tied to a pseudonymous identity of the user. If confirmation cannot be obtained in a secure manner, no data processing should take place that presumes the validity of the user’s status.[2]
Organizational measures should ensure an adequate implementation of well-established security principles such as ‘need-to-know’ (i.e. allowing access to information or knowledge if required to perform an assigned task), the creation of roles with different permissions to access data, or ‘layered security’ (i.e. a defensive security strategy featuring multiple layers that are designed to slow down a security attack). It is important to know that the overall level of security of a solution is only as strong as the weakest link. Thus, “every component of a solution, whether central systems or remote devices, should be secured adequately”.[3] Indeed, many times this weakest link may be caused by human error. Consider, for instance, the case of weak passwords being subject to phishing attacks or the loss of a device that stores data. For this reason, security measures shall include training and awareness programs for the personnel involved.
Before deploying the tool in the real world, it is advisable to perform security tests (random data testing, also called “fuzzing”, vulnerability scanning, etc.). These will serve to check that the product continues to function acceptably when its normal use is abandoned and that it does not present any vulnerability that could allow third parties to compromise its security. Both types of tests are important for the proper functioning of the tool. For example, a continuous integration system should be set up to run tests automatically after every change in the source code.
| Box 5: Verifying and checking identifiers and participants in the tool
When an application creates or uses a unique identifier, steps need to be taken to ensure that the identifier is linked to the legitimate user of the application and keeps this information up to date. Each party using identifiers is responsible for taking steps to: – implement measures devoted to guarantee that any unique identifier applies to only a single unique user. If this is too complex, introduce measures aimed at preventing or mitigating undesirable consequences and inform data subjects about it. – ensure that unique identifiers are kept up to date and are retained only for as long as necessary to fulfill the purpose of the application and the reasons notified to users. – prevent a unique identifier from being associated with another user, unless a justified PROJECT need requires it. The use of a persistent identifier (such as an IMEI number or advertising ID) generally creates more risk than the use of a random or rotating identifier. In addition, the management of end-user/participant profiles should be thought through prior to development. Authenticate users where possible using risk-appropriate authentication methods. Where assertion of a real-world identity is an important component of a service, stronger authentication, such as two-factor authentication using a cell phone and UICC, should be applied. |
| Checklist: Ensure security[4]
☐ The controller assessed potential forms of attacks to which the tool could be vulnerable, introduced mitigation measures and documented them. ☐ The controller considered different types and natures of vulnerabilities, such as data pollution, physical infrastructure and cyber-attacks. ☐ The controller put measures or systems in place to ensure the integrity and resilience of the system against potential attacks. ☐ The controller verified how the system behaves in unexpected situations and environments. ☐ The controller considers to what degree the system could be dual-use. If so, the controller took suitable preventative measures against this. ☐ The controller ensured that the system has a sufficient fallback plan if it encounters adversarial attacks or other unexpected situations (e.g. technical switching procedures or asking for a human operator before proceeding). The data sent to the central server is transmitted over a secure channel. The use of notification services provided by OS platform providers is carefully assessed, and does not lead to disclosing any data to third parties. Requests are not vulnerable to tampering by a malicious user. State-of-the-art cryptographic techniques are implemented to secure exchanges between the application and the server and between applications and, as a general rule, to protect the information stored in the applications and on the server. The central server does not keep network connection identifiers (e.g., IP addresses) of any users. In order to avoid impersonation or the creation of fake users, the server authenticates the application. The application authenticates the central server. The server functionalities are protected from replay attacks. The information transmitted by the central server is signed in order to authenticate its origin and integrity. Access to all data stored in the central server and not publicly available is restricted to authorized persons only. The device’s permission manager at the operating system level only requests the permissions necessary to access and use the communication modules, to store the data in the terminal, and to exchange information with the central server. ☐ The personnel and other physical person in the project has been informed and given awareness of security measures. |
References
1https://www.amnesty.org/en/latest/news/2020/05/qatar-covid19-contact-tracing-app-security-flaw/ ↑
2EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak Adopted on 21 April 2020 ↑
3JRC Technical Reports, Guidelines for public administrations on location privacy, at: https://publications.jrc.ec.europa.eu/repository/handle/JRC103110 ↑
4This checklist has been built on the basis of these documents: EDPB, Guidelines 04/2020 on the use of cation data and contact tracing tools in the context of the COVID-19 outbreak Adopted on 21 April 2020; High-Level Expert Group on Artificial Intelligence (2019) Ethics guidelines for trustworthy AI. European Commission, Brussels. Available at: https://ec.europa.eu/digital-single-market/en/news/ethics-guidelines-trustworthy-ai. ↑