Employers have to strike the right balance between protecting employees' health and preserving their privacy as workplaces reopen during the coronavirus pandemic. Some companies are using apps to conduct health screenings, manage access to the office, and monitor social distancing. While this information will help manage the risk of contracting the coronavirus, it also introduces new privacy concerns.
Here are two examples of how new apps are helping companies protect the health and privacy of their employees as well as recommendations about how to build these services with security in mind.
Using daily health screenings to limit risk
The Centers for Disease Control and Prevention (CDC) does not want people to gather in big groups for good reason: That's the fastest way to spread COVID-19 to many people at the same time. However, it's hard to conduct a class or run a warehouse without bringing groups of people together.
Some universities and businesses are even asking students and employees to fill out health questionnaires at the start of the day to reduce this risk. LiveSafe, a company that started seven years ago with a safety focus, has built WorkSafe. This specialized version of the original app can power health screenings and manage other health and safety risks caused by COVID-19. WorkSafe can be used to send daily health questionnaires to screen for symptoms before a person arrives on campus or at the front lobby.
"The platform shows who responded to the health check-in and who has not, and responses are time-stamped and recorded," said Carolyn Parent, CEO and president of LiveSafe. "Once you do come into the office or the campus, you can report things, like there's no hand sanitizer, or we need more masks, or the elevators are crowded."
The app does not store or track location, and users have the option to share information anonymously. The app can also provide alerts triggered by location.
LiveSafe works with banks and healthcare companies and helps clients in those industries comply with data privacy rules.
"We host everything in AWS in the cloud," said Parent, who added that everyone should be patient as institutions refine these protocols for the new normal.
"Everybody is trying to figure this out, and we're all going to have to have a lot of agility," she said.
The LiveSafe platform allows employees, students, and other community members to report safety issues to security officials. Users can send text, pictures, and video through the app, and the information is routed to the appropriate department, such as public safety or facilities management. Universities and corporations can use the app and dashboard combination to manage these reports and to push out information.
Austin Peay State University has used the LiveSafe app for several years. Students and staff at the small university in Tennessee can send tips via a personal profile or anonymously and call or text about emergencies. The app also houses the university's emergency guide, maps, and directions to buildings. The school included the WorkSafe option to the LiveSafe app and added links to the school's COVID-19 website.
Michael J. Kasitz, assistant vice president for public safety at Austin Peay State University, said that only people in his department have access to data collected from the app.
"Users are able to share their locations with us, but can turn off that feature at any time," he said. "We are unable to turn on location services for any of our users."
Using proximity monitoring for contact tracing
Another way to reduce the risk of COVID-19 transmission at work is to enable a contact tracing system. PwC is helping its clients do this via the company's office safety service Check-In, which launched in July 2020 with about 50 customers.
The service monitors ambient signals -- the constant background field of 2.4- and 5-gigahertz radio signals -- in an office environment to understand how and when employees interact. The technology then decodes the signals and analyzes how these signals interact.
The goal for this enterprise-level contact tracing system is to make it easier for human resources departments to conduct contact tracing and use the information to reduce the risk of coronavirus cases spreading within a company.
However, the platform doesn't notify anyone that they may have been in proximity to someone with a positive test. "That's up to the internal policies and procedures of our clients," said Rob Mesirow, the principal for IoT services at PwC.
Mesirow's team has tested the algorithm in several settings, including office buildings and warehouses. The service uses Bluetooth Low Energy (BLE) to power proximity sensors and monitor the movements of people in a space.
During beta testing, Mesirow's team fine-tuned the algorithm that uses the proximity data to determine the risk of transmitting COVID-19 from one person to another.
"If I was in an office, and you were two doors down, and I called in to report I had a positive test, we needed to know that there were two doors and three walls between us," he said. "We were testing for the right proximity matrix."
The algorithm that analyzes the proximity data assigns a high, medium, or low proximity score to help understand exposure. As the Centers for Disease Control guidelines continue to evolve, Mesirow's team will adjust the parameters to reflect the new information.
"For example, the CDC first said you have a higher probability of contracting the virus within 30 minutes of exposure, but then it changed to 15 minutes," he said.
PwC offices have not reopened, but the service was tested in the company's Shanghai office.
Mesirow said that most clients are making the app a requirement for employees returning to the workplace and are promoting it as a positive way to protect the health of colleagues and family members.
"It's hard to find a negative in contact tracing," he said.
Best practices for building secure apps
Despite the pressure to reopen workplaces quickly, developers should take the time to address data security issues early on in the process of creating these apps. Tim Mackey, principal security strategist at Synopsys CyRC, said that data requested by an app should serve a specific, current requirement, not in anticipation of any other use.
"With a new app, the decisions surrounding the processing and storage of any data collected will need to be made, which means that key questions surrounding the secure processing and storage of the data have yet to be answered," he said. "Answering these questions at the design or initial implementation phase is the least costly time to apply security practices."
Mackey added that going slightly slower at this phase can result in a quicker time to market as the development teams aren't needing to reimplement poor designs, patch applications, or re-secure retained data.
The mobile application protection company Guardsquare found that most contact-tracing apps don't employ sufficient hardening techniques. The company analyzed 17 Android mobile contact tracing apps from 17 different countries. All of these apps were built by government entities, sometimes by hired contractors.
Only one app that the researchers analyzed was fully obfuscated and encrypted. The other findings were:
- 41% have root detection
- 41% include some level of name obfuscation
- 29% include string encryption
- 18% include emulator detection
- 6% include asset/resource encryption
- 6% include class encryption
Guardsquare recommends that mobile app developers use a layered approach to security, including code hardening to protect code at rest and runtime application self-protection to protect apps in use. The best practices for app security include root detection, emulator detection, hook detection, tamper detection, and debugger detection.