Master of Engineering Science
Electrical and Computer Engineering
In this thesis centralized, decentralized, Bluetooth, and GPS based applications of digital contact tracing were reviewed and assessed. Using privacy principles created by a contingent of security and privacy experts from across Canada, a metric of assessing an application’s privacy was created. An attack tree was built to assess the security of the contact tracing applications. Eighteen attacks were theorized against contact tracing applications currently in use. An application’s vulnerability to the attacks was measured using a scoring system developed for this purpose. The results of the security scores were used to create a metric for assessing the security of contact tracing systems.
Five contact tracing applications were assessed using developed privacy and security metrics. The results of this assessment are that for privacy and security a centralized Bluetooth model with added location functionality scored low. While in privacy a decentralized Bluetooth model scored high. In security, the centralized GPS model scored high, while having only a fair level of privacy.
Summary for Lay Audience
The digital world is growing larger every day. Everything we do that involves a computer or the internet generates data points. These data points are collected and stored. Together all of this data forms a picture of your life. With it models that can predict your behaviour can be created. There is a lot of power sitting and waiting to be used.
The power of this data can be used for good. To create models that can diagnose illness or determine the best treatment plan for an individual. It could also be used to harm people. The same medical record that together with others could create a treatment breakthrough for a mental disorder could be used to discriminate against someone with that disorder, losing them their job. Health data is private for good reasons.
Determining the best practices of keeping health data private provides those tasked to do so with the tools they need. The first section of this thesis is a review of the state of health data privacy. This leads to an overview of the best practices of the field.
Then the specific health data problem of contact tracing is tackled. Both the privacy and security of contact tracing applications is important. The privacy of the application was measured using privacy principles created by a contingent of security and privacy experts from across Canada. From these privacy principles, a metric for assessing an application’s privacy was created.
To assess the security of the contact tracing applications eighteen attacks were theorized. These attacks were then applied to the systems that the application’s use. An application’s vulnerability to the attacks was measured using a scoring system developed for this purpose. The results of the security scores were used to create a metric for assessing the security of contact tracing systems.
Five contact tracing applications were assessed using developed privacy and security metrics. The results of this assessment are that for privacy and security one out of the five was ranked as low, one was ranked as high, and three were ranked as medium. This means that of the five applications scrutinized four out of five have privacy or security concerns. As these applications are intended to be used across the globe by everyone for the safety of the populace these concerns are important to address.
Krehling, Leah, "Protecting Health Data in a Pandemic: A Systematic Adversarial Threat Analysis of Contact Tracing Apps" (2020). Electronic Thesis and Dissertation Repository. 7586.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.