{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T01:53:08Z","timestamp":1767837188785,"version":"3.49.0"},"reference-count":43,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2021,10,14]],"date-time":"2021-10-14T00:00:00Z","timestamp":1634169600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>Contact tracing applications have flooded the marketplace, as governments worldwide have been working to release apps for their citizens. These apps use a variety of protocols to perform contact tracing, resulting in widely differing security and privacy assurances. Governments and users have been left without a standard metric to weigh these protocols and compare their assurances to know which are more private and secure. Although there are many ways to approach a quantitative metric for privacy and security, one natural way is to draw on the methodology used by the well-known common vulnerability scoring system (CVSS). For privacy, we applied consensus principles for contract tracing as a basis for comparing their relative privacy practices. For security, we performed attack modeling to develop a rubric to compare the security of respective apps. Our analysis shows that centralized Bluetooth with added location functionality has low privacy and security, while non-streaming GPS scored high in security and medium in privacy. Based on our methodology, only two apps were given a high ranking of privacy: Canada\u2019s Covid Alert and Germany\u2019s Corona Warn-App. They both used the Google\/Apple Notification Framework as the basis for their design. To achieve comparable privacy, we recommend that future projects follow their examples in the following ways: minimizing the amount of data they collect and holding it for the shortest possible length of time; only having features necessary for the app\u2019s main function; and releasing design details so that users can make informed decisions.<\/jats:p>","DOI":"10.3390\/jcp1040030","type":"journal-article","created":{"date-parts":[[2021,10,14]],"date-time":"2021-10-14T22:42:18Z","timestamp":1634251338000},"page":"597-614","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["A Security and Privacy Scoring System for Contact Tracing Apps"],"prefix":"10.3390","volume":"1","author":[{"given":"Leah","family":"Krehling","sequence":"first","affiliation":[{"name":"The Department of Electrical and Computer Engineering, University of Western Ontario, London, ON N6A 3K7, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0228-0371","authenticated-orcid":false,"given":"Aleksander","family":"Essex","sequence":"additional","affiliation":[{"name":"The Department of Electrical and Computer Engineering, University of Western Ontario, London, ON N6A 3K7, Canada"}]}],"member":"1968","published-online":{"date-parts":[[2021,10,14]]},"reference":[{"key":"ref_1","unstructured":"Lomas, N. (2020). Norway Pulls Its Coronavirus Contacts-Tracing App after Privacy Watchdog\u2019s Warning. TechCrunch, Available online: https:\/\/techcrunch.com\/2020\/06\/15\/norway-pulls-its-coronavirus-contacts-tracing-app-after-privacy-watchdogs-warning\/."},{"key":"ref_2","unstructured":"Government of Singapore (2020). Blue Trace Protocol. Bluetrace.io, Available online: https:\/\/bluetrace.io\/."},{"key":"ref_3","unstructured":"Apple Inc (2020). Exposure Notification Framework. Apple Dev. Doc., Available online: https:\/\/developer.apple.com\/documentation\/exposurenotification."},{"key":"ref_4","unstructured":"Luccio, M. (GPS World, 2020). Using contact tracing and GPS to fight spread of COVID-19, GPS World."},{"key":"ref_5","unstructured":"UK NHS (2020). What the App Does. NHS COVID-19 App Support, Available online: https:\/\/covid19.nhs.uk\/what-the-app-does.html."},{"key":"ref_6","unstructured":"Mozur, P., Zhong, R., and Krolik, A. (The New York Times, 2020). In Coronavirus Fight, China Gives Citizens a Color Code, With Red Flags, The New York Times."},{"key":"ref_7","unstructured":"Johns Hopkins Coronavirus Resource Center (2021, March 10). COVID-19 Map. Available online: https:\/\/coronavirus.jhu.edu\/map.html."},{"key":"ref_8","unstructured":"Sweeney, L. (2000). Simple Demographics Often Identify People Uniquely, Carnegie Mellon University."},{"key":"ref_9","unstructured":"Tockar, A. (2014). Riding with the Stars: Passenger Privacy in the NYC Taxicab Dataset, Neustar Research."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Drakonakis, K., Ilia, P., Ioannidis, S., and Polakis, J. (2019). Please Forget Where I Was Last Summer: The Privacy Risks of Public Location (Meta)Data. CoRR, abs\/1901.00897.","DOI":"10.14722\/ndss.2019.23151"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Dingledine, R., and Syverson, P. (2003). Towards Measuring Anonymity. Privacy Enhancing Technologies, Springer.","DOI":"10.1007\/3-540-36467-6"},{"key":"ref_12","unstructured":"Dingledine, R., and Syverson, P. (2003). Towards an Information Theoretic Metric for Anonymity. Privacy Enhancing Technologies, Springer."},{"key":"ref_13","unstructured":"Alderson, E. (2020). Aarogya Setu: The Story of a Failure. Medium, Available online: https:\/\/medium.com\/@fs0c131y\/aarogya-setu-the-story-of-a-failure-3a190a18e34."},{"key":"ref_14","unstructured":"Amnesty International (2020, May 26). Major Security Flaw Uncovered in Qatar\u2019s Contact Tracing App. Amnesty Int., Available online: https:\/\/diaspora.evforums.net\/posts\/ecc5380081860138a774005056264835."},{"key":"ref_15","unstructured":"Hamilton, I.A. (2020, May 20). Cybersecurity Experts Found Seven Flaws in the UK\u2019s Contact-Tracing App. Bus. Insid., Available online: https:\/\/www.businessinsider.com\/cybersecurity-experts-find-security-flaws-in-nhs-contact-tracing-app-2020-5."},{"key":"ref_16","unstructured":"Goodes, G. (2020, June 16). REPORT: Most Government-Sanctioned Covid-19 Tracing Apps Risk Exposing Users\u2019 Data and Privacy. Available online: https:\/\/www.guardsquare.com\/blog\/report-proliferation-covid-19-contact-tracing-apps-exposes-significant-security-risks."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Krehling, L., and Essex, A. (2021). Support Document for \u201cA Security and Privacy Scoring System for Contact Tracing Applications\u201d. Mendeley Data, 1.","DOI":"10.3390\/jcp1040030"},{"key":"ref_18","unstructured":"Wikipedia (2021, March 13). COVID-19 Apps. Available online: https:\/\/www.wikipedia.org\/."},{"key":"ref_19","unstructured":"Rahman, M. (2021, March 13). Here Are the Countries Using Google and Apple\u2019s COVID-19 Contact Tracing API. Available online: https:\/\/www.xda-developers.com\/google-apple-covid-19-contact-tracing-exposure-notifications-api-app-list-countries\/."},{"key":"ref_20","unstructured":"FIRST (2015). CVSS v3.1 Specification Document. FIRST, Available online: https:\/\/www.first.org\/cvss\/v3.1\/specification-document."},{"key":"ref_21","unstructured":"Kerschbaum, F., and Barker, K. (2020). Coronavirus Statement. Waterloo Cybersecur. Priv. Inst., Available online: https:\/\/uwaterloo.ca\/cybersecurity-privacy-institute\/news\/coronavirus-statement."},{"key":"ref_22","unstructured":"Office of the Privacy Commissioner of Canada (2020). A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19, Office of the Privacy Commissioner of Canada."},{"key":"ref_23","unstructured":"Gillmor, D.K. (2020). ACLU White Paper\u2014Principles for Technology-Assisted Contact-Tracing, American Civil Liberties Union."},{"key":"ref_24","unstructured":"Club, C.C. (2021, April 10). 10 Requirements for the Evaluation of \u201cContact Tracing\u201d Apps. Available online: https:\/\/www.ccc.de\/en\/updates\/2020\/contact-tracing-requirements."},{"key":"ref_25","unstructured":"Ministry of Electronics & Information Technology (2020). AarogyaSetu Bug Bounty Programme (for Android App). Bug Bounty Program, Available online: https:\/\/static.mygov.in\/rest\/s3fs-public\/mygov_159057669351307401.pdf."},{"key":"ref_26","unstructured":"Health Canada (2021, June 10). Canada\u2019s Exposure Notification App. Available online: https:\/\/www.canada.ca\/en\/public-health\/services\/diseases\/coronavirus-disease-covid-19\/covid-alert.html."},{"key":"ref_27","unstructured":"The Directorate of Health and The Department of Civil Protection and Emergency Management (Iceland) (2021, June 01). Privacy policy Rakning C-19\u2014App. Uppl\u00fdsingar um Covid-19 \u00e1 \u00cdslandi, Available online: https:\/\/www.covid.is\/app\/protection-of-personal-data."},{"key":"ref_28","unstructured":"(2020). National Informatics Center of India. Aarogya Setu, Available online: https:\/\/aarogyasetu.gov.in\/technical-faqs\/."},{"key":"ref_29","unstructured":"PRIVATICS Team\u2014Inria and Fraunhofer AISEC (2021, May 01). ROBust and privacy-presERving proximity Tracing protocol. Available online: https:\/\/github.com\/ROBERT-proximity-tracing\/documents."},{"key":"ref_30","unstructured":"Aranja (2020). Rakning-c19-App. GitHub, Available online: https:\/\/github.com\/aranja\/rakning-c19-app."},{"key":"ref_31","unstructured":"The Government of Canada (2021, May 01). COVID Alert Privacy Notice (Google-Apple Exposure Notification). Canada.ca, Available online: https:\/\/www.canada.ca\/en\/public-health\/services\/diseases\/coronavirus-disease-covid-19\/covid-alert\/privacy-policy.html."},{"key":"ref_32","unstructured":"Office of the Privacy Commissioner of Canada (2020). Privacy Review of the COVID Alert Exposure Notification Application, Office of the Privacy Commissioner of Canada."},{"key":"ref_33","unstructured":"Government of France (2021, May 01). TousAntiCovid Application. Gouvernement.fr, Available online: https:\/\/www.gouvernement.fr\/info-coronavirus\/tousanticovid."},{"key":"ref_34","unstructured":"Government of France (2021, May 01). Help for Using TousAntiCovid. Tousanticovid.stonly, Available online: https:\/\/tousanticovid.stonly.com\/kb\/fr\/donnees-personnelles-26615."},{"key":"ref_35","unstructured":"National Informatics Center of India (2020). Aarogya Setu FAQ\u2019s. Aarogya Setu, Available online: https:\/\/aarogyasetu.gov.in\/faq\/."},{"key":"ref_36","unstructured":"Clarance, A. (BBC News, 2020). Aarogya Setu: Why India\u2019s Covid-19 Contact Tracing App Is Controversial, BBC News."},{"key":"ref_37","unstructured":"Government of India (2021, June 10). Aarogya Setu, Available online: https:\/\/www.aarogyasetu.gov.in\/."},{"key":"ref_38","unstructured":"Government of Singapore (2021, June 10). OpenTrace. Available online: https:\/\/github.com\/OpenTrace-community."},{"key":"ref_39","unstructured":"Asher, S. (BBC News, 2020). TraceTogether: Singapore turns to wearable contact-tracing Covid tech, BBC News."},{"key":"ref_40","unstructured":"Government of Singapore (TraceTogether, 2020). TraceTogether Privacy Safeguards, TraceTogether."},{"key":"ref_41","unstructured":"Google, and Apple Inc (2021, June 10). Exposure Notifications: Using Technology to Help Public Health Authorities Fight COVID-19. Covid-19 Information & Resources., Available online: https:\/\/www.google.com\/search?q=privacyinformationgain&rlz=1C1CHBF_enCA960CA961&oq=privacyinformationgain&aqs=chrome..69i57j33i160.3632j1j7&sourceid=chrome&ie=UTF-8."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Sun, R., Wang, W., Xue, M., Tyson, G., Camtepe, S., and Ranasinghe, D. (2021). Vetting Security and Privacy of Global COVID-19 Contact Tracing Applications. CoRR.","DOI":"10.1109\/ICSE43902.2021.00101"},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"136","DOI":"10.1007\/s42979-021-00520-z","article-title":"A Survey on Security and Privacy Issues in Contact Tracing Application of Covid-19","volume":"2","author":"Sowmiya","year":"2021","journal-title":"SN Comput. Sci."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/4\/30\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:14:58Z","timestamp":1760166898000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/4\/30"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,14]]},"references-count":43,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2021,12]]}},"alternative-id":["jcp1040030"],"URL":"https:\/\/doi.org\/10.3390\/jcp1040030","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,10,14]]}}}