Polytechnique Montréal’s expert professors in cybersecurity are ensuring that contact-tracking applications that the Canadian and Québec governments may soon adopt are trustworthy and respect citizens’ privacy. Group members are also going even further than their Canadian cybersecurity colleagues, requesting that these applications’ codes be freely accessible.
Left to right: Department of Computer Engineering and Software Engineering Professors Frédéric Cuppens, Nora Boulahia-Cuppens, Gabriela Nicolescu, and José Fernandez.
As the world prepares for a second wave of COVID-19, countries are adopting the use of contact-tracing applications to track the spread of SARS-CoV-2, and alert individuals who may have been exposed to the virus.
The Department of Computer Engineering and Software Engineering’s Professor Nora Boulahia-Cuppens acknowledges that tracking tools could prove effective in helping to prevent a resurgence of the virus, yet they also come with their share of uncertainties - particularly with regards to the protection of citizens’ privacy.
“There’s no guarantee that these tools won’t be used for reasons other than COVID-19 – even if everything starts off with the best of intentions,” she explains.
Boulahia-Cuppens points to the Care19 application, deployed in North Dakota recently. A report released last week revealed that the data collected by the application found its way into the hands of Foursquare and Google, among other private companies.
“Even if these tools don’t technically allow the output of personal data, there’s always the possibility that other applications may collude to obtain the data illegally,” she notes.
For Professor Boulahia-Cuppens, many questions about these applications also remain unanswered. In particular, the cybersecurity expert is concerned about issues related to the so-called “right to be forgotten,”adding: “We have no idea what will happen to the data once the pandemic is over.”
A common front
Recognizing the urgency of the situation, Polytechnique’s Cybersecurity Team mobilized. Along with other Canadian colleagues, Professor Boulahia-Cuppens and Professors José Fernandez, Gabriela Nicolescu and Frédéric Cuppens all signed a statement requesting that independent cybersecurity experts have access to these applications’ codes to ensure they are both reliable, and respect essential privacy protection principles - prior to the applications’ deployment.
“The potential for abuse is enormous,” says Professor Fernandez. “A technical review by cybersecurity specialists is essential.”
Fernandez is proposing going as far as making the code for these applications freely accessible so that anyone can verify their quality. “The source code for slot machines in Nevada casinos is accessible, why should it be any different for applications that deal with privacy issues? There has to be a transparent compromise to ensure that the public is protected,” he states.
Professor Fernandez believes that verification work has the potential to increase citizens’ confidence in tracing tools, which in turn can help the public adopt them more quickly. Application utility is what’s at stake: according to a study published recently in Science magazine, a contact-tracing application must be used by at least 60% of the population to be effective. Yet as the examples of Singapore (15%) and Australia (44%) demonstrate, this target is in fact quite challenging to achieve.
En savoir plus
Statement on Privacy-Respecting and Trustworthy COVID-19 Tracing Apps (bilingual)
Professor Nora Boulahia-Cuppens’s expertise
Professor José Fernandez’s expertise
Professor Gabriela Nicolescu’s expertise
Professor Frédéric Cuppens’ expertise
Department of Computer Engineering and Software Engineering Website
Groupe de Recherche en Cybersécurité et Cyber-résilience Portal