Apple and Google struck the right balance between protecting privacy and combating the coronavirus in a tool they released to help alert people who’ve been exposed to the disease, according to a majority of cybersecurity experts.
That assessment from 59 percent of The Network, a panel of more than 100 cybersecurity experts who participate in our ongoing informal survey, marks a vote of confidence for the system embraced by some state and national public health agencies but criticized by others for not providing enough information to help them slow the disease’s spread.
A number of states and at least 22 countries plan to build exposure notification apps using the technology.
“There is no perfect balance between fighting the virus and protecting privacy…[But] the capability offered by these companies represents a useful step,” said Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center, which is managed by the Mitre Corporation.
“While the Google and Apple approach has some risks, the limits on what is collected, along with a thoughtful approach on restricting how the data is processed and accessed, creates a net positive benefit,” McAfee Chief Technology Officer Steve Grobman said.
The Network features experts from the U.S. government, private sector and the security research community. (You can see the full list of experts here.)
The effort to track the spread of the coronavirus has been bedeviled by health agencies’ desire to scoop up useful data on one hand and citizens’ fear of being tracked on the other.
The Apple-Google system generally comes down on the privacy side of the ledger.
It isn’t an app itself but a framework that governments can use to build apps within narrow parameters that must be voluntary for users. Those apps use Bluetooth signals to record which phones are in proximity to each other and alert people if a phone they were near belongs to someone who self-reports testing positive for the virus.
The technology doesn’t collect any data about where those meetings took place or share any data with the government. All the data is also anonymized and stored on the phones themselves rather than on Apple or Google’s servers.
Many cybersecurity experts who support that system said it would be unwise to share that data with the government.
“There's little question that we'll need to use technology-enabled contact tracing to deal with covid-19. However, there's also very little question that the government will try to use the data for other purposes,” said Jake Williams, a former NSA hacker who founded the company Rendition InfoSec. “I think the privacy protections built into the contact tracing tool by Apple and Google…probably are sufficient to stop the most egregious wholesale abuses.”
Jeff Moss, founder and CEO of DEF CON Communications, called the app “the best of a bad situation…when you trust tech monopolies more than your own government.”
Peter Swire, professor of law and ethics at the Georgia Institute of Technology, praised the system’s “relatively cautious approach to data collection,” which he noted “contrast[s] to the rush for data after 9/11,” which led to a sweeping expansion of U.S. intelligence capabilities.
Some experts who supported the system nevertheless warned that putting large tech companies in charge of such a program could create problems.
“We haven't yet grappled with the implications of these private companies taking on roles that have traditionally been done by government,” said Suzanne Spaulding, who led Department of Homeland Security cybersecurity operations during the Obama administration. “We have constitutional safeguards that apply to the government that don't apply to the private sector. On the flip side, government has certain protections against liability that companies don't.”
Other supporters worried that not enough people will download apps that use the technology to make them useful.
That’s a fear widely shared among public health officials. A University of Oxford study found about 60 percent of a population would need to opt in to such apps to make them effective at slowing disease spread. But only about 40 percent of Americans say they are willing and able to opt in, a recent Washington Post-University of Maryland poll found.
“The app is promising, but only if there is widespread adoption, especially among groups disproportionately infected,” said Lance Hoffman, who founded the Cybersecurity and Privacy Research Institute at George Washington University.
He urged public health agencies and small businesses to consider incentive programs to increase app downloads. “How about a $5 discount on your haircut if you show that the app is downloaded and enabled?” he suggested
A Google spokeswoman declined to comment on The Network survey but shared a broad statement that “adoption of these apps relies on user trust so privacy-preserving technology is complementary to public health goals.”
The companies consulted hundreds of public health agencies, government officials, privacy experts and academics before settling on its final model, she said.
Apple did not respond to a request for comment.
Among the 41 percent of survey respondents who oppose the Apple-Google system, several said it focused too much on privacy at the expense of being useful at combating the virus.
“While I'm typically a huge supporter of privacy-preserving technologies, I believe that, in this case, [the] Google/Apple approach [has] gone too far and fundamentally undermined the ability of public health authorities to perform contact tracing,” said Ashkan Soltani, a former chief technologist for the Federal Trade Commission.
Former NSA General Counsel Stewart Baker was even more critical. “In its extreme effort to protect privacy, the app sacrifices efficacy,” he said. “Contact tracing that doesn't provide location data makes it much harder to identify the site of outbreaks and super spreader events.”
Other critics said they simply don’t trust large tech companies to handle such a sensitive task without misusing the data.
“Contact tracing is corporate surveillance by another name,” said Sascha Meinrath, a Penn State professor and founding director of X-Lab, a think tank focusing on the intersection of technologies and public policy. “Without clear consumer protections, coronavirus tracking is becoming a Faustian bargain whereby unsuspecting consumers are being subjected to immensely invasive tracking without any measurable public health benefit.”
Kiersten Todt, president of Liberty Group Ventures who led an Obama-era cybersecurity commission, said she was more concerned about Google, whose revenue comes largely from targeted ads based on users' online activity, than Apple, whose business model is based on selling laptops, phones and other devices.
“Google's business model relies on revenue generation from the collection of data,” she said. “Therefore, without appropriate federal — or even state — policies on data protection and privacy, it is difficult to trust Google's intended use of the data collected through this tool.”
Others worried that even if the technology is built with good intentions it could be repurposed for nefarious purposes.
“I think the protests have highlighted how these sorts of voluntary/mandatory tracking systems can be abused,” said Dave Aitel, a former NSA computer scientist who is now CEO of the cybersecurity company Immunity, referring to recent law enforcement surveillance of protests following the police killing of George Floyd.
“New technology like this that could be repurposed sooner or later to track protesters and their contacts is a real threat to human rights and civil liberties,” Luta Security founder Katie Moussouris said.
Finally, some respondents worried the system simply won’t be effective because Bluetooth isn’t precise enough to tell whether people are genuinely close enough to each other to spread dangerous microbes or sitting on opposite sides of an office wall.
“We don't know that this kind of tool will work given how hard it is to calculate proximity with Bluetooth,” said Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union’s Speech, Privacy and Technology Project.
“Why compromise privacy for a tool that is not the best way to suppress the spread of covid?” said Ashley Deeks, a former State Department official and professor at the University of Virginia Law School.
— More responses to The Network survey question about the Apple-Google coronavirus alert system:
- YES: “As long as access to the data set is restricted to contact tracing — without scope creep — the companies have architected these tools with the right balance of privacy and enabling a social good.” — Chris Finan, an Obama administration national security official who’s now CEO of Manifold Technology
- NO: “It doesn't fight the virus at all but protects privacy just fine.” — Bruce Schneier, fellow and lecturer at the Harvard Kennedy School of Government
- YES: “The Bluetooth method, without GPS and without providing other personal information, provides sufficient information for people to take action, and for health officials to gain valuable metrics, but does not significantly risk privacy.” — Michael Daly, chief technology officer for cybersecurity and special missions for Raytheon Intelligence, Information and Services
- NO: “It might [be the right balance], if it were specific and accurate enough to provide real value for public health actions that reduce infections and save lives. The risk-benefit analysis has to be about the size of the benefit as well as the risk.” — Steve Weber, director of the Center for Long Term Cybersecurity at the University of California at Berkeley
- YES: “However, other security concerns with individual implementations remain — particularly with respect to false reporting of positive diagnoses.” — Tom Cross, chief technology officer of network security provider OPAQ Networks
Just about 18 West Virginia voters with disabilities cast ballots using a controversial mobile app this week.
About 180 people used the app to cast ballots in the state but about 90 percent of them were using it because they were overseas or in the military, Bryan Finney, president of Democracy Live, which produces the mobile voting system, told me.
West Virginia previously offered a mobile voting option to overseas voters. But it was among just three states that made the controversial decision to expand that program during the coronavirus pandemic to voters with disabilities that make voting by mail impractical.
Election security experts warn that casting votes using Internet-based systems is highly insecure because there’s no way for voters to verify hackers didn’t alter their ballots. DHS, the FBI and the Election Assistance Commission even took the rare step of sending states a warning about such systems last month.
In this case, however, the debate is largely theoretical because it’s highly unlikely hackers could affect an election by manipulating just 18 votes or even 180. About 440,000 West Virginians cast ballots in Republican and Democratic primaries on Tuesday.
In another pilot in New Jersey, just one person voted using the mobile voting system. New Jersey officials have pledged not to use the system in future elections.
Officials also authorized a controversial Internet-based voting system during the District of Columbia primary June 2. In that case, they made a last-minute decision to allow voters who had requested vote-by-mail ballots but not received them to vote by email using a Democracy Live system.
About 1,100 District residents cast their ballots that way, D.C. Board of Elections Public Information Officer Rachel Coll told me. The District is contacting all of those voters to verify their identities and won’t know how many of the votes will actually count until that process is complete, she said.
A slew of major cybersecurity bills are entering the legislative pipeline.
An annual intelligence bill includes provisions requiring the U.S. spy chief to report to Congress on the rise in commercial spyware. Critics say repressive governments use those systems to spy on their citizens, including dissidents and journalists.
The director of national intelligence would also have to report on any spyware built inside the United States and how to keep it out of adversaries’ hands, Zack Whittaker at TechCrunch reports.
The Senate Armed Services Committee, meanwhile, released its version of an annual defense policy bill with a slew of provisions aimed at raising U.S. cyber defenses recommended by the Cyberspace Solarium Commission.
Here’s a rundown from CyberScoop’s Shannon Vavra:
SASC's NDAA21 summary includes 11 recommendations from the Cybersecurity Solarium Commission, one of which calls for an assessment on feasibility/advisability of a National Cyber Director. It also would extend the commission so it can facilitate implementation of its recs: pic.twitter.com/awyaTvc7MQ— Shannon Vavra (@shanvav) June 11, 2020
Sen. Gary Peters (Mich.), the top Democrat on the Senate Homeland Security Committee, is also releasing two cybersecurity-focused bills shared exclusively with The Cybersecurity 202.
One, called the Continuity of Economy Act, would require the federal government to create a strategy to ensure critical parts of the economy can keep operating during a major cyberattack.
The other, called the National Guard Cyber Interoperability Act, would bolster the ability of the National Guard’s cybersecurity pros to remotely help state governments during cyberattacks.
Twitter took down more than 23,000 accounts it says are linked to China’s Communist Party.
The accounts were stealthily spreading propaganda to counter the pro-democracy protests in Hong Kong and undermine criticism of the Chinese government's handling of the coronavirus pandemic, Ellen Nakashima, Elizabeth Dwoskin and Anna Fifield report. The tactics weren't as sophisticated as Russia's social media efforts to divide Americans ahead of the 2016 elections. But experts said it was notable that China is covertly seeking to spread its message on social media.
“While the Chinese Communist Party won’t allow the Chinese people to use Twitter, it is happy to use it covertly to sow propaganda and disinformation internationally,” Fergus Hanson, director of the International Cyber Policy Center at the Australian Strategic Policy Institute, said.
The campaign recently expanded to spread misinformation about protests in the wake of the police killing of George Floyd. Twitter’s announcement that it had removed the accounts follows an action last year in which it removed other accounts that the company linked with China’s ruling party.
Race and the cybersecurity community
More black cybersecurity pros are speaking out about how race affected their lives and careers following national outrage over the police killing of George Floyd.
Retired Lt. Gen. Vincent Stewart, former deputy commander of U.S. Cyber Command and former director of the Defense Intelligence Agency, posted this to LinkedIn: “It’s hard for me to explain and help you understand the pain of a high school student being stopped and searched every time I left my apartment – and for a simple reason – the color of my skin. I was never accused of anything; it was a simple stop and search of a young man just like so many others.”
“It’s hard for me to explain and help you understand the pain of being described as the best black officer in a unit, never able to be described as the best officer in the unit,” wrote Stewart, who was also commanding general of Marine Corps Forces Cyberspace.
Former FBI cyber agent Andre McGregor described in a CNN op-ed fearing he’d be accidentally shot by fellow officers who assumed he was a criminal because of his skin color.
“We need to change a culture that makes it impossible for black cops to feel like equitable members in their own communities as well as in their own departments by investing into hiring the right caliber of officers the first time around -- not the first or possibly the only candidates to apply,” he wrote.
Microsoft joined a pledge not to sell facial recognition tools to police until there are nationwide rules.
Amazon and IBM have made similar pledges amid concerns about law enforcement using the technology to identify protesters, Asa Fitch at the Wall Street Journal reports. (Amazon CEO Jeff Bezos owns The Washington Post.)
Yet many smaller firms offer facial recognition tools that will likely fill the gap, Vice’s Kevin Truong reports.
More industry news:
Here’s a play-by-play thread of how the pandemic and poor planning combined to create a disaster in this week’s Georgia primary from Bay Area NBC reporter Faith Abubey:
For starters – the pandemic.— Faith Abubéy (@ReporterFaith) June 9, 2020
Two people who process absentee ballots/voter registration in Fulton County tested positive for COVID-19. One died just before Easter. The other was out for a month to recover. @11AliveNews
- The House Financial Services committee will host a hearing on how cybercriminals are exploiting the covid-19 pandemic on June 16 at noon.
Secure log off
Until we can have people over again: