with Tonya Riley

Private companies are joining the rush to launch apps tracking the novel coronavirus’s spread, despite persistent concerns about how they’ll protect users’ security and privacy.

Companies including the global consultancy PwC are preparing to launch apps that track employees as they move through offices and factories, as the Financial Times reports. The idea is that when someone contracts the virus they’ll have a clear picture of who else needs to be tested and where to focus cleaning and disinfecting efforts.

The move comes as many nations and U.S. states are launching such apps to track the virus's spread, aiming to reduce the time between new infections and diagnoses and to quell new outbreaks. 

But, unlike the voluntary apps being launched by U.S. states and several Western governments, some of the corporate tracking apps probably will be mandatory. And they could include far fewer privacy protections. 

The moves underscore how privacy and security concerns are taking a back seat amid efforts to combat the pandemic. They also could mark a shift in how deeply people expect governments and employers to invade their digital lives, which could outlast the pandemic. 

The new technology is also coming despite widespread concerns that GPS tracking and even a Bluetooth system being developed jointly by Apple and Google simply aren’t precise enough to yield useful data. Bluetooth, for example, often can't distinguish whether two people are sitting directly next to each other or separated by an office wall.

Companies that are building tracking apps warn that offices may not be able to open safely if the apps are not mandatory for employees.

“You really need a majority of people to do this,” Rob Mesirow, who leads PwC’s connected solutions practice, told the Financial Times. “U.S. businesses are going to have to [tell employees]: If you’re going to come back to the work environment, you need this app on your phone.”

The PwC system is designed to keep user data private. But it also relies on companies handling the app's data appropriately when a person reports being infected.

“[Our system] is designed so it has the ultimate privacy gates in place, but at the end of the day you cannot control human nature,” Mesirow said. “We are not here to police the HR department of the Fortune 1000.” 

It's also far from clear that all the new tracking apps will include rigorous security or privacy protections or that companies will fully vet them. And the market for such apps is already growing rapidly.

Another company, Microshare, is building a Bluetooth-based contact tracing app that would be built into an employee badge or wristband, which they say is easier than relying on smartphones. 

Even the controversial Israeli spyware firm NSO Group is developing a coronavirus tracking app and marketing it to clients in the United States, NBC News reports. NSO is embroiled in a lawsuit with Facebook’s WhatsApp messaging service, which says the company helped government clients hack into the WhatsApp accounts of dissidents and journalists. 

Many governments have made loose security and privacy commitments for their tracking apps but have not finalized the details before launch. 

Australia, for example, released an app nationwide this weekend that will hold 21 days of user location data — all of which will be shared with the government if a user is diagnosed with the virus and consents to the sharing. The government will then notify anyone who was in close contact with the infected person.

The app has already been downloaded 1 million times, according to the Australian Broadcasting Corporation.

Leaders there pledged to use data from the app only to combat the virus, and published a privacy assessment. But they haven’t committed to a full set of privacy principles pushed by attorneys and haven’t released the source code for vetting by outside security researchers. 

While downloading the app is voluntary, Prime Minister Scott Morrison has described doing so as a civic duty akin to buying war bonds, the Guardian reports. He has also warned it will be difficult to roll back severe social distancing restrictions if enough Australians don’t download the app. Officials estimate 40 percent or more of Australians will have to use the app for it to be effective. 

Some states have launched apps with seemingly limited review. 
  • North Dakota repurposed, as a voluntary contact tracing app, an app that North Dakota State University sports fans used to stay in touch and check in at locations on their way to out-of-state football games. The app was built by Microsoft engineer and NDSU graduate Tim Brookins, whose company ProudCrowd gave it to the state for free.
  • Utah entered into a $2.75 million contract with the app company Twenty to build a voluntary coronavirus tracking tool.
  • Officials in Hawaii discussed using GPS trackers to ensure tourists on the islands are following quarantine restrictions.
  • Connecticut Gov. Ned Lamont (D), meanwhile, is urging residents to use an app designed by researchers at Harvard, the Massachusetts Institute of Technology and other institutions to self-report their locations, symptoms and whether they’re diagnosed with the virus — but that doesn’t track their movements.

The keys

Democratic oversight is stuck in limbo as the party fails to reach a deal with Republicans on remote voting.

House Speaker Nancy Pelosi (D-Calif.) pushed on CNN yesterday to allow lawmakers to vote in Congress by proxy during the pandemic. She was advancing a proposed compromise avoiding the cybersecurity and legal hurdles facing more tech-heavy options such as voting by email or videoconference. 

But House Minority Leader Kevin McCarthy (R-Calif.) rejected those efforts in a dueling appearance on Fox, saying it was better for members to return to Washington and figure out a way to social distance. “We can open up in a manner and have committees working,” he said. “They can work in bigger buildings, so they have social distancing. They can do it in a safe manner while all the members aren't there.”

The standoff means the one branch of government where Democrats hold power has largely sidelined itself, my colleagues Mike DeBonis and Paul Kane write. It has prevented rank-and-file House members from having a say in coronavirus relief packages and weakened Democrats' ability to act as a check on the Trump administration, more than a dozen House Democrats tell my colleagues.

Pelosi backed off of a plan last week to allow some members to cast votes on behalf of colleagues amid Republican opposition. Instead she formed a committee to further study the topic. “I’m all for doing the remote voting by proxy. I want it to be bipartisan,” she said on CNN. “Mr. McCarthy has assured me that he will consider this. He’s not there yet. He could be there.”

The FCC is eyeing blocking four Chinese telecoms from the United States over cybersecurity concerns. 

The companies China Telecom Americas, China Unicom Americas, Pacific Networks, and Comnet will have 30 days to respond to the Federal Communications Commission order with proof they don’t pose a risk of being used for digital spying by the Chinese government. 

“We simply cannot take a risk and hope for the best when it comes to the security of our networks,” FCC Chairman Ajit Pai said in a statement. The move comes after the FCC and other agencies have spent more than a year trying to excise Huawei from U.S. networks and to limit its spread globally in next-generation 5G wireless networks.

Sen. Tom Cotton (R-Ark.) praised Pai's action, saying the firms' operation in the United States will continue to pose a threat to our critical networks as long as it continues.

Meanwhile, House lawmakers are pushing for funding to make U.S. companies more competitive with Huawei. They introduced a bill Friday that would give the Commerce Department $750 million in grants to dole out to 5G competitors. A companion bill has already been introduced in the Senate.

An FCC commenting system is still vulnerable to hacking nearly three years after a high-profile debacle.

The FCC has fully implemented only about two-thirds of the recommended fixes to prevent a repeat of 2017, when its commenting system crashed amid a deluge of comments about net neutrality, a Government Accountability Office report found. The commission isn't planning to make all the remaining fixes until at least April 2021, the report said.

“Until FCC fully implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk,” the report notes. It was finalized in March but released publicly on Friday.

The FCC claimed the 2017 crash resulted from a malicious effort to overwhelm its servers with traffic. But critics said it was due to a legitimate surge in public interest after a bit by comedian John Oliver. That was later backed up by FCC’s own inspector general. 

“Chairman Pai must act swiftly to fix these vulnerabilities and restore trust back into the [electronic comment filing system] and the FCC’s cybersecurity practices overall,” said Rep. Frank Pallone (D-N.J.), who requested the GAO report.

Hill happenings

Senate Democrats want the IRS to surge its authentication procedures to ensure people’s stimulus checks aren’t stolen during the pandemic. 

The IRS should also develop better fraud prevention strategies for online tools that people who didn’t file income taxes in 2019 will use to get their stimulus checks, Sens. Maggie Hassan (D-N.H.), Tom Carper (D-Del.) and Ron Wyden (D-Ore.) wrote in a letter to IRS Commissioner Charles Rettig.

The senators encouraged the agency to partner with the Federal Trade Commission and Federal Communications Commission, which have also been cracking down on fraudsters.

The IRS issued a warning earlier this month about an uptick in scams targeting stimulus recipients, including seniors.

Securing the ballot

New York members of Congress are calling for more state and federal help to secure elections against disinformation.

“The New York State Board of Elections and U.S. Election Assistance Commission must detail for the public the steps they are taking to protect against interference and disinformation campaigns, as well as how they will identify and address potential threats to the upcoming elections,” Rep. John Katko (R-N.Y.) said. 

He and Rep. Kathleen Rice (D-N.Y.) raised concerns after New York Gov. Andrew Cuomo (D) signed an executive order that will send every voter in the state an absentee ballot request form.

More voting news:

The extended primary is expected to have low turnout, between the mail-in system, potential delays getting ballots out and a presidential primary
The Columbus Dispatch

Cyber insecurity

A newly disclosed bug could have allowed hackers to use humorous GIFs to eavesdrop on Microsoft Teams meetings.

The bug should serve as a warning about how easy it is for hackers to compromise people working remotely, say researchers at CyberArk who first discovered it. Microsoft issued a patch for the vulnerability last week after CyberArk flagged it. 

More industry news:

Facebook, Google and other behemoths are training their sights on Silicon Valley’s company of the moment.
New York Times
A judge approved Facebook Inc.’s $5 billion settlement with the Federal Trade Commission over privacy violations, the agency says—overruling objections that the deal didn’t adequately punish the company.
Wall Street Journal

Global cyberspace

The pandemic is delaying the U.S. extradition case against WikiLeaks founder Julian Assange. 

A judge in the United Kingdom delayed a hearing scheduled for next month because a coronavirus lockdown prevents lawyers from attending in person, Reuters reports.

More global cybersecurity news:

A revised report shows how Beijing reacts swiftly and effectively to tamp down Western criticism of its pandemic response.
New York Times
Polish security services on Thursday suggested the Russian government could be behind a cyberattack against an elite Polish military academy and an ensuing effort to undermine U.S.-Polish relations.
CyberScoop

Chat room

Facebook introduced a Zoom rival but privacy experts aren't convinced it's more secure. Consumer Reports's Justin Brookman:

Daybook

  • The McCrary Institute and Cyberspace Solarium Commission (CSC) will host a live event discussing whether deterrence is possible in cyberspace Wednesday at 1 p.m.
  • The R Street Institute will host a discussion on "EARN IT Act and Its Broader Implications for Encryption and Cybersecurity" Wednesday at 2 p.m.
