Notification: Our email services are now fully restored after a brief, temporary outage caused by a denial-of-service (DoS) attack. If you sent an email on Dec 6 and haven't received a response, please resend your email.
CFP last date
20 December 2024
Reseach Article

Ensuring Information Security and Data Governance in Cloud based Digital Contact Tracing Applications

by Radhika Ravindranath
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 186 - Number 50
Year of Publication: 2024
Authors: Radhika Ravindranath
10.5120/ijca2024924225

Radhika Ravindranath . Ensuring Information Security and Data Governance in Cloud based Digital Contact Tracing Applications. International Journal of Computer Applications. 186, 50 ( Nov 2024), 26-30. DOI=10.5120/ijca2024924225

@article{ 10.5120/ijca2024924225,
author = { Radhika Ravindranath },
title = { Ensuring Information Security and Data Governance in Cloud based Digital Contact Tracing Applications },
journal = { International Journal of Computer Applications },
issue_date = { Nov 2024 },
volume = { 186 },
number = { 50 },
month = { Nov },
year = { 2024 },
issn = { 0975-8887 },
pages = { 26-30 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume186/number50/ensuring-information-security-and-data-governance-in-cloud-based-digital-contact-tracing-applications/ },
doi = { 10.5120/ijca2024924225 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-11-27T00:39:39.484470+05:30
%A Radhika Ravindranath
%T Ensuring Information Security and Data Governance in Cloud based Digital Contact Tracing Applications
%J International Journal of Computer Applications
%@ 0975-8887
%V 186
%N 50
%P 26-30
%D 2024
%I Foundation of Computer Science (FCS), NY, USA
Abstract

The Covid-19 pandemic has stimulated the use of Digital Contact Tracing Applications(DCTAs) around the world, often implemented at a national scale. A public health crisis at such an unprecedented scale has accelerated research in the area of contact tracing, and the efficacy of digital contact tracing techniques. Given that there is now an estimated 2-3% chance of a pandemic striking at any given year, and a nearly 50% chance of a recurrence in the next 25 years it is important to learn from the lessons of past DCTAs. When cloud technologies are integrated when developing these applications, additional complexities related to cybersecurity, privacy and data governance arise. This paper aims to identify and summarize the cybersecurity, privacy and ethical harms of cloud based centralized and decentralized DCTAs. The findings highlighted in this paper can help inform national and international security and privacy policies in the field of digital contact tracing, as well as allow organizations to embed security-by-design and privacy-by-design elements into their DCTA infrastructure. Numerous national contact tracing systems were reviewed and their computing infrastructure, data collection, use and retention policies were studied in this paper. Potential cybersecurity, privacy and ethical harms associated with DCTAs were enumerated. International security and privacy standards like GDPR, NIST, ISO, etc. were reviewed to develop recommendations to address identified harms. While DCTAs are essential for public health, they also come with significant risks to end user data security, privacy and ethical rights. Information security and privacy safeguards must be implemented in adherence to industry standards to minimize the risk. Especially when considering cloud based DCTAs, governments should prioritize platforms and libraries that offer strong technical features like encryption, access control, and compliance elements like regular auditing practices. Tailoring DCTAs to country or region specific needs is crucial. Carefully considering these factors will allow governing bodies to effectively utilize DCTAs while upholding end users’ rights and maintaining public trust.

References
  1. Comparitech. (2024, October 17). Contact-tracing app adoption by country. [Online]. Retrieved October 17, 2024, from https://www.comparitech.com/blog/vpn-privacy/contact-tracing-app-adoption-by-country/
  2. A. Wesolowski, C. A. Eagle, J. J. O. Jr., N. M. Smith, and J. S. Salathé, "Nationwide rollout reveals efficacy of epidemic control through digital contact tracing," Nat. Commun., vol. 12, no. 1, p. 5918, Dec. 2021, doi: 10.1038/s41467-021-26144-8.
  3. G. Cencetti, G. Santin, A. Longa, E. Pigani, A. Barrat, C. Cattuto, et al., "Digital proximity tracing on empirical contact networks for pandemic control," Nat. Commun., vol. 12, no. 1, p. 1655, Dec. 2021, doi: 10.1038/s41467-021-21809-w.
  4. National Institute of Standards and Technology (NIST). (2011, September). NIST Cloud Computing Reference Architecture (Special Publication 500-292). [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-292.pdf
  5. Microsoft. (2016, August). Windows Azure Security, Privacy, and Compliance. [Online]. Available: https://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf
  6. Mayer, S. E., & Marwell, G. (2005). Surveillance and privacy: A paradoxical relationship. Social Science Quarterly, 86(3), 723-744.
  7. Solove, D. (2001). Surveillance: A broader understanding. Stanford Law Review, 54(3), 579-643.
  8. Turow, S. (2009). The privacy paradox: Social tracking in the digital age. Yale Law & Policy Review, 27(2), 347-403.
  9. Russell, D., & Schneier, B. (2011). Security Engineering: A Guide to Building Trustworthy Systems. Addison-Wesley Professional.
  10. Stallings, W., & Brown, L. (2017). Computer Security: Principles and Practice. Pearson Education.
  11. B. G., & Phelan, J. C. (2001). Stigma and the social construction of illness. Journal of Health and Social Behavior
  12. European Union Agency for Cybersecurity (ENISA). (2020). Contact Tracing and Data Protection: A Guide for Policymakers and Practitioners. ENISA Report.
  13. European Union Agency for Cybersecurity (ENISA). (2020). Contact Tracing and Data Protection: A Guide for Policymakers and Practitioners. ENISA Report.
  14. GDPR, Art. 4(11). "Consent" means any freely given, specific, informed and unambiguous indication of the data subject's will, by which the data subject agrees, either by a statement or by a clear affirmative action, to the processing of personal data relating to him or her.
  15. GDPR Recital 39: Personal data should be adequate, relevant and not excessive in relation to the purposes for which they are processed.
  16. GDPR Recital 26: Pseudonymization should be considered where technically feasible and appropriate in order to reduce the risk to data subjects.
  17. Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC) (pp. 169-178). ACM
  18. Goldreich, O., Micali, S., & Wigderson, A. (1987). How to play any mental game. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC) (pp. 218-229). ACM.
  19. NIST. (2015). NIST Special Publication 800-171: Revised: Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. National Institute of Standards and Technology
  20. ISO. (2013). ISO/IEC 27001:2013 Information security management systems -- Requirements for application to information security management systems. International Organization for Standardization.
  21. GDPR, Art. 5(1)(b): Personal data shall be processed fairly and lawfully.
  22. GDPR, Art. 5(1)(e): Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  23. NIST Special Publication 800-171: NIST. (2015). NIST Special Publication 800-171: Revised: Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. National Institute of Standards and Technology.
  24. ISO 27001: ISO. (2013). ISO/IEC 27001:2013 Information security management systems -- Requirements for application to information security management systems. International Organization for Standardization.
  25. NIST SP 800-171, Control 3.8: Data retention and disposition procedures.
  26. NIST SP 800-171, Control 3.7: Backup procedures.
  27. ISO 27001, A.16.1.1: Backup and recovery procedures.
  28. GDPR Art. 13(1): When collecting personal data from the data subject, the controller shall provide the data subject with certain information at the time of collection, including the identity and contact details of the controller, the purposes of the processing, the categories of personal data concerned, the intended recipients of the personal data, the envisaged period of storage of the personal data, the existence of a right of access and rectification or erasure, the existence of a right to complain to a supervisory authority, and the source of the personal data if it is not collected from the data subject.
  29. GDPR Art. 28: The controller shall, by contract or other legally binding instrument, ensure that any processor it engages is subject to the same obligations as the controller under the GDPR.
  30. NIST SP 800-171, Control 3.3: Third-party service provider agreements.
  31. NIST SP 800-171, Control 3.4: Access control procedures.
  32. ISO 27001, A.12.4.1: Access control policies.
  33. NIST SP 800-171, Control 3.5: Role-based access control.
  34. ISO 27001, A.12.5.1: Role-based access control.
  35. NIST SP 800-171, Control 3.6: Authentication procedures.
  36. ISO 27001, A.12.3.1: Authentication procedures.
  37. GDPR Art. 44: Personal data may only be transferred to a third country or an international organization if adequate safeguards are in place, such as standard contractual clauses adopted by the Commission.
  38. GDPR Art. 33: When a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the breach to the relevant supervisory authority without undue delay.
  39. NIST SP 800-171, Control 3.9: Incident response procedures
  40. Kairouz, P., McMahan, H. B., Avent, B., et al. (2019). Advances in federated learning. arXiv preprint arXiv:1906.00582.
  41. Dwork, C., McSherry, F., Nissim, K., & Smith, A. (2006). Calibrating noise to privacy. In Theory of Cryptography Conference (TCC) (pp. 265-284). Springer.
  42. NIST Special Publication 800-171, Control 3.7: Backup procedures.
  43. ISO 27001, A.13.2.1: Physical security measures.
  44. The Pandemics to Come. Boston College Magazine, Winter 2022. (Author and DOI unavailable)
Index Terms

Computer Science
Information Sciences
Information Security
Data Privacy
Cybersecurity Cloud Computing
Digital Contact Tracing
Data Governance
Ethical Considerations

Keywords

Cloud applications digital contact tracing applications privacy cybersecurity information security data governance ethical harms data security