Even though the two behemoths in the technology industry–Apple and Google– launched digital contact-tracing systems this week, Americans are extremely wary about opting in to tracing apps, even if they’re told the information would help in the development of a vaccine to fight COVID-19.

The VPN provider ExpressVPN and software security company Checkmarx queried 1,200 and 1,500 consumers, respectively, to find out what Americans think about digital contact-tracing systems having access to their health information. The studies were conducted in May. Results were not exactly the same, but certainly close enough to conclude that both studies came to similar conclusions.

ExpressVPN and Checkmarx each asked if they would opt in to a contact-tracing app, and 54% of ExpressVPN respondents and 52% of Checkmarx respondents said they would. Still, this also means that 46% and 48% (respectively) replied that they would opt out.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic)

Contact tracing and the pending vaccine

It is the nearly half surveyed who opted out that invites concern: The University of Oxford reported that around 80% of smartphone users would need to install a contact-tracing app in order for it to be effective in suppressing an epidemic. Oxford needs the research, as the university is developing a vaccine so promising, that in April, the US gave vaccine developers’ AstraZeneca $1.2 billion in funding, for at least 400 million doses. On May 22, the British government added $79 million in fresh funding.

Americans do not want information misused 

Respondents are all in to help facilitate the much-needed vaccine, but they have grave concerns about their health information being used by the government or third parties, or could be easily hacked. They trust big tech companies over the federal government.

ExpressVPN found that 77% believe that digital contact tracing puts Americans at risk for mass surveillance after pandemic and in the long run. Most are concerned that tech companies (79%) and the government (84%) will misuse phone location data intended only to track the spread of COVID-19.

SEE: COVID-19: A guide and checklist for restarting your business (TechRepublic Premium)

“Their reticence is not necessarily directly tied to the pandemic/coronavirus,” said Susan St. Clair, senior cybersecurity strategist at Checkmarx. “However, all of the news coverage about contact tracing has forced a lot of people to think about the associated privacy concerns with applications and/or the cell phone vendors and technology providers themselves. As new software use cases with lesser-understood implications continue to emerge, as we’re seeing with contact tracing, consumers’ security and privacy concerns will continue to rise simultaneously.”

Fair exchange: Total transparency of information

Checkmarx’s survey did not use the same or even similar verbiage in its poll, but discovered that 38% insist on the ability to opt out anytime during the research. Another 32% are very concerned about transparency in regards to the use of their data, and 35% need more information on what kind of security measures would be taken to protect their privacy.

Survey questions from Checkmarx focused on respondents’ concerns about privacy, and the results included: 

• How their data will be used, stored, or shared (45%) 
• Granting third-party access to the apps (29%)
• General application hacking concerns (28%)
• Risk of health records being exposed (27%)
• Risk of location data being exposed (25%)

Meanwhile, ExpressVPN’s respondents expressed privacy issues:

• 75% believe that contact-tracing apps violate a person’s privacy
• 88% are concerned contact tracing may put their personal information in the hands of third parties, such as marketers and advertisers
• 84% are concerned that the government companies may misuse phone location data that should be exclusively for coronavirus research purposes
• 79% are concerned that tech companies may misuse phone location data that should be exclusively for coronavirus research purposes
• 77% believe they are at risk of mass surveillance long-term as a result of the increase in the prevalence of contact-tracing mobile applications.
• 75% believe that contact-tracing apps in general violate a person’s privacy
• 59% of Americans still believe they should be forgoing some rights to personal privacy for the sake of public health at large

ExpressVPN’s February 2020 survey, taken at the start of the US’ pandemic awareness found:

• 9% of Americans fully trust that Big Tech companies are protecting their online data privacy overall
• 10% reported feeling very confident that these companies are complying with current data privacy regulations
• 46% of Americans said they are aware that Big Tech is already using anonymized location data to track compliance with social distancing 
• 80% are concerned that the identities of those tracked will be revealed publicly in the future

Bluetooth: An essential

One issue both studies addressed–albeit differently phrased–is that of Bluetooth. Since many contact-tracing applications rely on Bluetooth technology to detect encounters with test-positive individuals, this may also inhibit the effectiveness of these applications.

SEE: Top 100+ tips for telecommuters and managers (free PDF) (TechRepublic)

Checkmarx’s respondents

• 52% of surveyed individuals reported only having Bluetooth turned on on their smartphones 50% of the time or less
• 18% say they have it enabled less than 25% of the time
• 18% say they never have it on

ExpressVPN noted that globally about 25% of the active 3.4 billion smartphones do not support the Bluetooth Low Energy standard required by Google and Apple’s proposed contact-tracing technology, making the target even harder to reach.

How to protect your privacy in contact-tracing apps?

Checkmarx offered consumers possible solutions:

• Don’t be fooled into updating software applications from counterfeit websites. When it doubt, open up the applications themselves and update using the instructions within
• Use your corporate VPN, in addition to a private VPN, to give yourself a layered security approach
• Suspect any domain that does not use .com, .edu, .gov, .org, etc.: If it doesn’t appear to be legitimate, it’s almost guaranteed not to be
• Try to separate daily online “fun” activities from critical ones
• Don’t log into your bank account, retirement account, etc., while surfing questionable sites within the same browser

Don’t look for consumers to embrace contact-tracing apps anytime soon. “There will always be underlying concerns to some extent,” St. Clair said. However, actually seeing the value of automating contact tracing (or other public health initiatives) plus having a clear understanding of what data is being captured, where it goes, and how they can potentially get ‘their’ data back, can help alleviate some concerns.”

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see