with Tonya Riley

Cybersecurity pros are warning people to exercise caution before downloading apps aimed at combating the coronavirus pandemic that might be rushed out without adequate security protections. 

The contact tracing apps, which are launching across the globe now, could provide useful information for governments and researchers trying to stop the virus’s spread and give people an early warning that they might be infected. But they could also provide a trove of information for hackers if they’re breached – which risks exposing the personal details of people who tested positive for the virus and scaring people away from potentially critical tools to flatten the curve. 

With U.S. cases surging towards 1.2 million and resulting in more than 68,000 deaths, the pressure is on to follow more than two dozen countries such as Australia and South Korea that have developed smartphone apps for the public to download. While the federal government has been slow to specify how it would use technology in its efforts to alert people whether they may have been in contact with someone who tested positive for the virus, commercial apps are on their way in some states here with a range of security and privacy protections. 

There's little time for security testing. And the apps are dealing with potentially sensitive health and location data.  

Developers could miss basic security measures amid pressure to get the apps released as quickly as possible. 

The speed factor is probably the most concerning right now,” David Grout, a top technology executive at the cybersecurity firm FireEye, told me. “That’s clearly a challenge because developers need to put solutions in place in the really short term.”

Already a coronavirus app launched by one of India’s largest telecom companies exposed millions of records about users' symptoms and locations, TechCrunch reported. Security pros fear that similar vulnerabilities could lurk in other apps from state and national governments, health services and private companies, many of which are still in the process of being released.  

We know these apps are going to be buggy when they come out and that’s a cause for concern,” said Jon Callas, senior technology fellow at the American Civil Liberties Union and a former cybersecurity executive at Apple. “They’re being rushed out in months if not weeks. I expect at least one horrible security or privacy thing to happen.”

The way some apps are built could make them an attractive target. And a compromise could have have huge social consequences. 

Security pros are especially concerned about apps that store large amounts of coronavirus data in a central location.

Those systems raise risks because they create a single target for hackers who could steal or expose reams of data that could be used to identify infected people. 

This could be attractive to hackers working for adversary government, too: They might seek to link it with other stolen data troves to uncover secret health information about government officials or other intelligence targets. 

The United Kingdom government, for example, started piloting an app on the Isle of Wight today that collects anonymized data about users’ self-reported coronavirus symptoms and the people they’ve come in contact with via Bluetooth and stores it all in a central computer bank. A similar Australian app also sends data to a central computer system that's accessible by public health officials but only if the user tests positive for coronavirus and consents to the sharing .

Privacy advocates warn the apps could lay the groundwork for long-term surveillance of citizens. 

They fear governments and companies might collect more information than they need to, keep it longer than necessary or use it for purposes unrelated to the pandemic such as sharing it with law enforcement. 

Amnesty International’s U.K. Director Kate Allen warned in a statement the United Kingdom's app is “opening the door to pervasive state surveillance and privacy infringement, with potentially discriminatory effects.”

Google and Apple, meanwhile, are developing a similar Bluetooth-based system that public health agencies across the globe can use to alert people who might be infected with the virus -- but it stores all the data on people’s phones rather than sending it to an external server. Apple and Google are developing the underlying software for use on their systems but relying on government health agencies to build the apps, which Washington has not yet decided to do though some U.S states are planning to build apps using the system.

That's likely better for users' security and privacy because there's no central database of information for hackers to target – but it also limits how useful the information is for public health services trying to combat the virus's spread. 

The companies also imposed a slew of new limits yesterday on how public health agencies could use the apps, including banning them from being linked with GPS location information, which government officials say would help pinpoint outbreaks. 

Symptom-tracking apps might collect too much personal information. This could be useful for cybercriminals. 

Most of the contact tracing apps released by Western governments are limited to collecting anonymized information about users’ infection status and the people they’ve been in contact with. 

But a slew of commercial apps for checking coronavirus symptoms and sharing information about the disease ask for far more information such as users’ age, gender and zip code, all of which can be used to figure out a person’s identity. 

“It would be very easy for a sophisticated adversary to identify people,” Tony Cole, chief technology officer at the cybersecurity firm Attivo Networks told me.

Experts fear people will be ostracized or publicly shamed if their infection status leaks out. 

And there could be a link with cybercrime: Malicious groups looking to steal people's information or con them out of money might offer apps posing as legitimate coronavirus symptom trackers. 

One Android app that posed as a tool to track the outbreak was actually full of malicious software that locked up people's phones until they paid a ransom, Business Insider reported

Security pros fear it will be tough for people to determine whether their data is securely stored and where it's going. 

Fireye released a blog post this morning outlining a series of things people should look for as they mull downloading coronavirus apps including how the data is being stored and secured, whether it’s encrypted and if governments or other app developers are laying all that information out in plain language. 

“This is not an easy topic for non-technical people. It’s not easy to understand or dig into,” said Grout, who co-authored the blog post. 

The keys

The White House is surging efforts to reduce U.S. companies’ reliance on China, officials say. 

The Trump administration has been trying for years to reduce China’s role in U.S. supply chains because of concerns about cybersecurity and other issues, but officials are “now turbocharging that initiative,” Keith Krach, a top State Department official told Reuters

The move, which was spurred by anger over China's handling of the coronavirus outbreak, could include creating a list of “trusted partners" in the United States and allied nations that could produce goods that are deemed more secure and trustworthy than what comes from China.

It would be the latest in a series of U.S. moves to block Chinese technology. The president signed an executive order last week aimed at keeping technology produced by foreign adversaries including China out of the U.S. power grid. The administration has also moved to restrict the Chinese telecom giant Huawei from most U.S. networks and barred U.S. companies from selling it some vital components. 

Cybersecurity companies are shifting their lobbying efforts to focus on coronavirus issues.

Major topics for the lobbyists in recent months have included advising lawmakers on the cybersecurity needs of state and local governments where more employees are working remotely and on how Congress could cast votes remotely if the pandemic keeps them out of Washington, the Wall Street Journal reports

That's in addition to lobbying on more traditional topics such as security measures for 5G telecommunications networks and potential federal privacy laws. 

Cybersecurity lobbying has surged in recent years. 

The 12 largest cybersecurity companies spent nearly $4 million on lobbying last year nearly triple what they spent in 2015, the Journal reports. Some of the top spenders include the companies Iron Mountain, Forescout Technologies and Tenable Network Security.

The extradition trial for WikiLeaks founder Julian Assange, delayed by coronavirus, will resume in September.

There’s still no firm date or venue for the trial, which started in February and was scheduled to resume May 18 before being delayed by the pandemic, Michael Holden at Reuters reports.

Assange did not attend the hearing, which was hosted virtually, because he was unwell, his lawyers said.

The Justice Department claims Assange violated anti-hacking laws by offering to help Chelsea Manning crack a Defense Department password to leak more documents to WikiLeaks. Cybersecurity advocates, however, worry that stretches the interpretation of the law too far and could set a dangerous precedent. 

Chat room

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency used "Star Wars Day" to raise awareness about its mission to protect critical infrastructure from hacking:

CISA Director Chris Krebs drew a number of cybersecurity lessons from the film franchise. 

He closed by pitching the agency to prospective cybersecurity talent. 

Politico's Morning Cybersecurity previewed the Star Wars campaign yesterday. 

Hill happenings

The Senate Intelligence Committee is holding a nomination hearing this morning for Rep. John Ratcliffe (R-Texas) to be the nation's intelligence chief, which includes leading a vast digital spying network. 

The candidate “is expected to face pointed questions…from Senate Democrats about his qualifications for the job and his willingness to provide candid intelligence free from political considerations,” Ellen Nakashima, Shane Harris and Seung Min Kim report. 

Ratcliffe’s nomination was earlier derailed by criticism that he was under-qualified and had embellished his resume.

More news from the Hill:

Global cyberspace

Hackers are trying to steal coronavirus research from  British universities and scientific facilities, the United Kingdom's top cybersecurity agency warned.

The activity is likely backed by hostile nations including Iran, Russia and possibly China, experts told The Guardian. But none of the attacks has been successful so far.

More global cybersecurity news:

Cyber insecurity

A hacker bribed a worker at the online gaming firm Roblox for access to players' personal information. 

The breach could have exposed the data of children who make up a large percentage of the online game company's customers, Joseph Cox at Motherboard reports.

A Roblox spokesperson said the company took actions to address the issue and informed the users whose information was compromised. The company said the breach affected a small number of users but didn't provide a specific figure. 


  • The House Intelligence Committee will host a hearing on the nomination of John Ratcliffe as director of national intelligence today at 9:30 a.m.
  • The Cyberspace Solarium Commission will host a virtual forum on  from 11 a.m. to 12 p.m.

Secure log off

Even cybersecurity experts (or reporters) need help figuring out their WiFi sometimes. You're welcome:

Speed up your Internet connection and eliminate wireless ‘dead zones’ while you’re stuck at home. (The Washington Post)