Health Ministry coronavirus app protects privacy, says cybersecurity start-up
Among the extraordinary measures taken by authorities to curb the spread of the coronavirus, the most controversial has been the decision to allow the anti-terrorism system developed by the Shin Bet (Israel Security Agency) to track the movements of cellphone owners. That lets them reconstruct the itineraries of those who are later diagnosed with the virus and who they came in contact with, as well as to ensure that people abide by the rules of self-isolation.
An app released by the Health Ministry earlier this week aims to shield citizens from virus exposure by relying on their cooperation while protecting their privacy and to model a system to face the current emergency as well as future ones in Israel and abroad, Omri Segev Moyal, the CEO of cybersecurity company Profero, told The Jerusalem Post.
Profero is a Tel Aviv-based boutique cybersecurity company. It specializes in supporting companies and governmental organizations to protect themselves against hackers and other forms of vulnerability.
The Health Ministry approached them to review the application, which was developed with the support of volunteers and the ministry’s contractor, Matrix Systems.
“The app was developed very rapidly in four or five days,” Moyal said. “After all the controversies that the employment of the Shin Bet tracking system caused, the ministry wanted to create an app that anyone would want to download to contrast the virus but also feel safe in doing and be reassured that the data collected, such as location data and Wi-Fi data would not be shared with the government or anyone else.”
“The ministry understood that releasing the app without consulting experts in issues such as security and privacy could have been problematic and potentially damaging to their reputation,” he said.
Profero was hired by the ministry to provide guidance for these issues.
The data collected by most apps are sold, Moyal said. Moreover, in some countries, including China, apps developed by the government to contain the outbreak of COVID-19 were a complete breach of users’ privacy, as they would collect and share with the authorities sensitive information such as GPS locations or social interactions.
Hamagen collects locations based on mobile-device data and immediately updates users on possible contact with a confirmed infected patient and the details of the exact contact, such as location and time. However, the app does not share the information with the ministry or anyone else.
“The Health Ministry, also with our guidance, decided to keep all of the data collected in the device, without sending it to anyone,” Moyal said. “For the app to be functional, therefore, the solution found was that instead of collecting the users’ information, the ministry would send anonymous data on COVID-19 identified patients to the users.”
Another issue Profero tackled was to make sure that no hidden feature would allow modifying the app to share the data or turn it into a tracking app, he said.
“We investigated the architecture, every line of the code,” Moyal said.
Moreover, Profero made sure that Hamagen did not present any vulnerability that could be exploited by hackers.
“With the permission of the ministry, we opened our conclusions, the code and the application to major privacy and security professionals not contracted for this job, and then they reported their findings to us also because we thought this would help gain the trust of the public,” he said. “This way the perception in the public opinion changed.”
The strategy seemed to work. More than 600,000 people downloaded the app from Google Store on Monday, the first day after it was released. It is currently available on Apple Store.
“With our support and push, the app was also released as open source so everyone could verify it independently, as well as potentially working on further developments,” Moyal said.
Making the code open source also allows any other organization or government in the world to use it to develop a similar app. Hamagen can be downloaded and functions only in Israel.
There are practical and conceptual reasons why an Israeli should download the app even though the government is already employing other tracking techniques, Moyal said.
“First of all, the app tends to be more accurate than the cellular tracking by the Shin Bet,” he said. “Moreover, it is obvious that the Shin Bet tracking is not here to stay. It is only used for a short period of emergency. It was built to fight terrorism, not to protect citizens. It’s not ideal. We are a democracy. This app is an attempt to bring a better solution that does not require privacy breaches and could be potentially useful also for future situations,” Moyal said.