
Protecting Health Data in a Pandemic: A Systematic Adversarial Threat Analysis of Contact Tracing Apps
Abstract
In this thesis, centralized, decentralized, Bluetooth-based, and GPS-based digital contact tracing applications were reviewed and assessed. Using privacy principles created by a contingent of security and privacy experts from across Canada, a metric for assessing an application’s privacy was created. An attack tree was built to assess the security of the contact tracing applications. Eighteen attacks were theorized against contact tracing applications currently in use. An application’s vulnerability to the attacks was measured using a scoring system developed for this purpose. The results of the security scores were used to create a metric for assessing the security of contact tracing systems.
Five contact tracing applications were assessed using the developed privacy and security metrics. The assessment found that a centralized Bluetooth model with added location functionality scored low for both privacy and security, while a decentralized Bluetooth model scored high in privacy. In security, the centralized GPS model scored high, while having only a fair level of privacy.