with Tonya Riley

THE KEY

As federal and state officials scramble to fight the novel coronavirus pandemic, experts are sounding alarms about the potential danger of increased surveillance programs they say could do long-term damage to U.S. privacy rights. 

Other nations, including South Korea and Israel, have used tracking data including cellphone location information and facial recognition tools to power their pandemic responses. But similar efforts in the United States could amount to a major erosion of civil liberties. And there’s scant evidence that efforts more sensitive to privacy and security concerns would actually be effective at containing the virus, experts say. 

“My concern is that out of desperation we will turn to technology and put in place a massive surveillance apparatus at a tangible loss to civil liberties that doesn’t even accomplish the goals it sets out to in terms of saving human lives and healing the economy,” Ryan Calo, a University of Washington law professor focused on cybersecurity and privacy, told me. 

Technology aimed at tracking infected Americans is just now being developed in the United States. Google and Apple are teaming up to create new digital tools that could tell iPhone and Android users when they cross paths with someone who is infected via Bluetooth wireless technology. Neither the infected person's identity nor their actual location would be revealed.

Yet one big concern is the virus could lead policymakers to rush headlong into adopting new digital surveillance regimes that don’t get rolled back once the pandemic is under control.

Officials could also adopt tracking tools that are later re-purposed for other things, similar to how post-9/11 surveillance and investigatory powers aimed at combating terrorism were later used to stem drug trafficking and other crimes. Tools that trace who has been in contact with people who test positive for the virus, for example, ultimately could end up being used by law enforcement to track criminals and their associates. 

“Mission creep is always a concern because historically we’ve seen it happen,” Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union’s Speech, Privacy and Technology Project, told me. 

Granick and other experts are urging companies and government officials to make a series of technology and policy commitments regarding any surveillance programs. Those include collecting as little data as possible and anonymizing to the greatest extent feasible. They should also ensure any data they collect won't be used for purposes beyond combating the virus and commit to ending any new programs as soon as the virus is under control. 

During a Senate Commerce Committee hearing last week, Sen. Maria Cantwell (D-Wash.), whose state is among the hardest hit by the virus, urged the government to “resist hasty decisions that will sweep up massive, unrelated data sets” and to “guard against vaguely defined and non-transparent government initiatives with our personal data. Because rights and data surrendered temporarily during an emergency can become very difficult to get back.”

The meeting was conducted as a “paper hearing” with lawmakers and witnesses digitally submitting opening statements and questions and answers but not meeting in person. 

Though there’s been a lot of talk about leveraging technology to combat the pandemic, there are few hard plans inside the United States so far. 

The joint venture between Google and Apple, which could launch as soon as mid-May, includes protections to anonymize user data and would rely on people voluntarily downloading apps that participate in the program and reporting when they test positive. 

Google is also using its trove of location data across 131 countries to share anonymized information with health officials about how much people are traveling during the pandemic. 

Those privacy and security protections may also make any contact tracing technology less effective, though. For example, the apps probably wouldn’t distinguish between people who passed an infected person on the street and those who spent day after day next to him at the office, Greg Nojeim, senior counsel at the Center for Democracy and Technology, noted during a panel discussion on coronavirus privacy concerns hosted by the Project on Government Oversight. 

Some tech and security experts also warned information collected by the apps could be used to discriminate against people based on their infection status. 

Here’s Sergio Caltagirone, a former National Security Agency official, who’s now vice president for threat intelligence at the cybersecurity firm Dragos:

There’s also a danger of hackers exploiting such apps. 

For example, U.S. adversaries might falsely report a slew of infections to sow chaos and create the false impression of a surge of new infections, Calo said. Or political operatives could do something similar during an election to make people fearful of leaving the house to vote in person. 

And even anonymized data can be misused by government officials — for instance, if police use reports that a particular neighborhood isn’t honoring stay-at-home orders as an excuse to ramp up unrelated arrests, Granick said. 

“We need to be responsive to this crisis now, but we also need to be thinking about how this data will be used in the future,” she said. “Once this data is collected the only thing that really constrains how it’s used are laws and policies.”

Politico also reported last week that a coronavirus task force led by presidential adviser Jared Kushner has reached out to numerous health tech companies about how they can use data to combat the virus. 

Sen. Edward Markey (D-Mass.) wrote to the White House urging significant privacy protections on any such effort including reviews by external experts, a halt to the programs once the virus is under control and extra efforts to ensure the privacy of racial minorities and LGBTQ people.  

Note to Readers: The Cybersecurity 202 will just be publishing Tuesday, Wednesday and Thursday this week. We’ll be back to our regular schedule next week.

PINGED, PATCHED, PWNED

PINGED: Former first lady Michelle Obama's organization "When We All Vote" threw its support yesterday behind legislation to mandate the ability to vote by mail without an excuse across the nation and give states funding to enact it. 

It's the first time the celebrity-fueled organization, whose co-chairs include Tom Hanks and Selena Gomez, has endorsed federal legislation. And it could give a Hollywood-fueled boost to Democrats' efforts to ensure expanded voting options amid the pandemic.

The bill, the Natural Disaster and Emergency Ballot Act, would also mandate more early voting days and enhanced protections for in-person voting during the pandemic. 

Unless the bill is passed, "millions of Americans will be forced to choose between their health and their right to vote come November," sponsors Sens. Amy Klobuchar (D-Minn.), Ron Wyden (D-Ore.) and Christopher A. Coons (D-Del.) wrote in an opinion piece for USA Today.

Advocacy groups including Planned Parenthood and the Sierra Club are also teaming up with voting rights advocates, signing onto the most recent letter by Stand Up America to get Congress to provide $4 billion in total funding to states for election assistance.

PATCHED: The Defense Department has failed to fully implement nearly two dozen cybersecurity initiatives in the past five years, leaving military technology vulnerable to foreign hackers, a government watchdog reports. Many of the cybersecurity fixes were supposed to be completed as far back as 2016 and 2018, according to the Government and Accountability Office report.

Among the problems, officials aren't regularly updating Pentagon leadership on cybersecurity education and training and aren't integrating cybersecurity into operational exercises, the report notes.

The report recommends dramatically ramping up cybersecurity training and better monitoring for how well divisions are doing basic cybersecurity tasks like updating computer patches. The Pentagon’s top technology official should also set target dates for completing all the cybersecurity fixes, the GAO said. 

PWNED: A design feature in the work messaging app Slack could allow hackers to steal organizations’ private data, researchers at AT&T Alien Labs are warning in a new report.

The questionable feature would allow hackers who know the unique web address used by third-party apps that connect to an organization’s Slack network to con workers there into downloading what looks like a verified Slack app but that will actually siphon off the organization's data. 

The report comes amid a boom in hacking that targets work messaging as offices resort to telework during the pandemic. There’s no evidence hackers have actually used the feature to steal companies’ data. But researchers say they found over 130,000 pieces of code on the public computer code-sharing forum GitHub that would help hackers steal data from particular companies. 

AT&T Alien Labs researchers are urging companies that use Slack to require authentication for any outside app and limit users who can download them to people with technical training.

Slack said it blocks people outside an organization from viewing those unique URLs on its own site and does its best to remove them from sites like GitHub so hackers can’t find and exploit them.

“We also provide additional features to support the proper oversight of app installation and usage within workspaces, which help workspace owners and admins protect their workspaces,” Slack said in a statement. “We allow teams to require admin approvals on all apps, and recommend they establish and follow basic security diligence procedures before permitting apps to be added into a workspace. Our security recommendations for approving apps can be found here.”

This piece was updated with a statement from Slack.
