Privacy and Contact Tracing
Contact Tracing is the practice of identifying persons who may have come into contact with an infected person, and it is seen as a critical component of managing the spread of COVID-19, a particularly contagious and serious threat. Contact Tracing can be done manually, in cases where contact is known and limited, like within a hospital room. Or it can be managed automatically, in situations that are less well regulated, by using a proxy for a person – like a phone.
Is it possible to allow our phones to automatically gather our sensitive medical data and make it accessible to an app, without completely sacrificing personal data privacy? While there are myriad bad ways to do this, Google and Apple are trying to do it in a way that most respects personal data privacy. We’re going to dig a little into what they’re doing and what privacy concerns still arise.
On May 20th, Apple and Google released an API that apps from public health organizations can utilize for the purpose of Contact Tracing. The API will let those apps use a phone’s Bluetooth to keep track of whether it has been in proximity with another contact tracing app user who later turns out to have been infected with COVID-19.
The apps will broadcast unique, rotating Bluetooth codes. The codes are derived from a cryptographic key that changes every day. This keeps each user’s codes unique while making their identity hard to uncover, because the codes rotate so frequently.
The apps then monitor other contact tracing apps they come into contact with, and record the anonymous codes issued by those devices.
When a user reports a positive COVID-19 diagnosis, their app uploads the keys that were used to generate their codes.
All other apps download the daily keys and use them to recreate the codes those keys generated. If an app finds a match with one of its stored codes, it will notify its user that they may have been exposed.
This exchange is outlined below by Wired.com (https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/):
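As an added illustration (not code from the original article, from Wired, or from Apple or Google), the following Python simulates the exchange just described: each phone keeps a random daily key, derives a short-lived code for every time interval, stores only the codes it hears, and checks reported daily keys against that store. The HMAC-SHA256 derivation, the 16-byte key size and the 10-minute rotation are simplifying assumptions, not the actual Exposure Notification specification.

```python
"""Simplified model of the daily-key / rolling-code exchange described above.
Assumptions (not the real Exposure Notification spec): 16-byte daily keys,
codes derived with HMAC-SHA256 and truncated to 16 bytes, 10-minute rotation."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

INTERVALS_PER_DAY = 144   # assumption: one code per 10-minute interval, 24 hours


def new_daily_key() -> bytes:
    """Random key for one day; stays on the phone unless the user reports."""
    return secrets.token_bytes(16)


def rolling_code(daily_key: bytes, interval: int) -> bytes:
    """Broadcast code for one interval. Without the daily key, two codes from
    the same phone cannot be linked, which is what limits tracking."""
    msg = interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_keys: Dict[int, bytes] = {}   # day -> key, kept locally
        self.observed: Set[bytes] = set()        # anonymous codes heard nearby

    def code_for(self, day: int, interval: int) -> bytes:
        """Code this phone broadcasts during the given day and interval."""
        key = self.daily_keys.setdefault(day, new_daily_key())
        return rolling_code(key, interval)

    def hear(self, code: bytes) -> None:
        """Record only the code, never an identity, location or IP."""
        self.observed.add(code)

    def report_positive(self, days: List[int]) -> Dict[int, bytes]:
        """On a confirmed diagnosis, release the daily keys for the infectious
        window. Keys are all the server ever sees; contacts stay on phones."""
        return {d: self.daily_keys[d] for d in days if d in self.daily_keys}

    def check_exposure(self, published: Dict[int, bytes]) -> bool:
        """Regenerate every code each published key could have produced and
        compare against what this phone actually heard."""
        for key in published.values():
            for interval in range(INTERVALS_PER_DAY):
                if rolling_code(key, interval) in self.observed:
                    return True
        return False


def simulate() -> Dict[str, bool]:
    """Constructed scenario: Bob is near Alice on day 3, interval 42; Carol is
    never near Alice. Alice later tests positive and reports days 1 to 3."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for day in (1, 2, 3):
        alice.code_for(day, 0)               # Alice's phone was active each day
    bob.hear(alice.code_for(3, 42))          # the one proximity event
    bob.hear(carol.code_for(3, 42))          # Bob also met Carol, who is healthy
    published = alice.report_positive([1, 2, 3])
    return {"bob": bob.check_exposure(published),
            "carol": carol.check_exposure(published)}


if __name__ == "__main__":
    print(simulate())                        # {'bob': True, 'carol': False}
```

Note that Bob's phone learns only that one of the codes it heard belongs to a reported key, not which person it was, and the server only ever receives daily keys from users who chose to report.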
The positives are that the phones stay anonymous, the data exchange is voluntary, and the reporting is completely opt-in. However, there are still a few possible attack vectors, as outlined below.
Privacy Concerns and Responses
Correlation Attack: User is identified by matching their image to the codes broadcast in their proximity.
This would require recording the person’s face while catching the code, then matching the code to the Bluetooth signals passing by. This is not going to expose a high number of people, but it is a potential risk.
Identification through additional data: App could choose to collect IP address, location, etc. to ID the user.
This could be mitigated by Apple and Google vetting any apps using their API. Otherwise, the user would need to be able to choose not to opt into the app.
Ad targeting based on beacon data: Companies set up their own beacons to track infected customers.
This is possible but not super useful to companies, who have much more detailed data on their consumers’ buying habits. Companies could market based on COVID-19 remedies, but this is going to be a small benefit to the company.
All told, the risks to privacy are fairly well mitigated by Apple and Google’s choices about how to deploy this API. The biggest risk will be to ensure that the apps that are using the data aren’t augmenting it with additional information that could reveal the person behind the anonymous codes. This will mean it’s up to Apple and Google to vet the apps, or up to the end user to ensure they are selective about what supplementary information they grant to the app or which apps they’ll trust to be privacy protecting.
There’s another element to the success of these apps – how well will they actually work given the protective nature of Apple and Google’s solution?
Efficacy Concerns and Responses
1. Population must download and use the app. People may be fearful of how their data will be collected and used, or may not care to adopt the app, which will limit usefulness.
To address the fear of data collection, having a trusted source for the app, like a healthcare provider with strict access protocols and limited information, could help assuage concerns that an unknown entity is accessing their health information.
To address the idea that we would need most of the population to use the app (a Forbes.com article suggests 80% adoption for smartphone users is necessary to be effective), governments could mandate app usage to access certain public spaces, travel, or return to work. This mandate would be problematic itself, however. It’s either discriminatory, since it will only work for those individuals who have a suitable device, carry it with them at all times, and leave BLE enabled, or it could only be enforced in situations where all parties are known to carry a device (e.g. employees granted a work phone). And it won’t work in any environment where radio transmission needs to be switched off, like an aircraft.
2. The solution relies on the availability of testing to generate confirmed positive results. There’s no way around this – there must be testing for this solution to work.
3. Trolls could report positive anonymously to disrupt the system.
The system could require a code from the provider to log a positive result, or if the app is managed by health providers administering the tests, they could manage this directly, avoiding intentional false positives.
4. Bluetooth reports proximity but not whether you were actually in contact; contact through a wall/window/door could be reported where no actual contact occurred. This could generate false positives.
This could be managed by keeping the range for Bluetooth low, but otherwise it may be a limitation of the system.
So, what’s the conclusion here? The privacy issues are relatively low, as long as apps don’t ask for extra data (or Google and Apple prevent it.) But the downside is that efficacy is also low for an opt-in app. This isn’t necessarily the fault of the high privacy approach, but more a reflection of how hard it is to get a large enough section of the population to use an app to make the result effective. It doesn’t hurt to have it, but other options, like manual contact tracing in local areas might be a more efficacious way to track people on a local level. Then, the locally collected data can be aggregated to create a clearer picture of the state of the virus.
Product Management – Privacy & Data Governance
The Color of 2020 is Blue
At specific points in history, life shifts: rhythms change, patterns of behavior evolve rapidly, and cultural values reshape themselves. The current global pandemic is one of these societal salients.
It’s not the first time that this kind of transformation has taken place, of course, and examining a similarly radical revolution can inform how we view the current environment. If the color of the world is indeed changing, then it’s only appropriate that one of the parallels that we examine be the astonishingly rapid rise of the color blue.
In the beginning, blue did not exist.
Red, white, and black were the colors of ancient cultures; from cave paintings to the dyeing of fabrics—blue was more difficult to source, process, and manipulate, and so it remained a second-rate color, especially in the western world.
The lack of blue in art and clothing meant that blue had little symbolic value; even up until the high Middle Ages, it was not even used for depicting the sky—most artists showed the sky as red, gold, or white. Whereas some colors took on cultural significance because of their widespread usage (the example of a small girl dressed in red, taking a pot of white butter to her grandmother, dressed in black in ‘The Little Red Riding-hood’ story comes to mind), blue was nonexistent in terms of meaning.
All of this, however, changed within a few decades in the 13th century. Artistic expression was driven by development of the “Chartres blue”, a new, brighter, and more luminous blue in glass form, which heralded a widespread adoption of the color in stained-glass windows in churches throughout Europe. Advances in clothing production also elevated the status of blue in textiles. A massive increase in production of woad, the raw material used in dyeing fabric blue, along with the associated rise in demand for the color, led to entire regions such as Languedoc (France) and Thuringia (Germany) becoming wealthy as they specialized in the production of blue and its associated products. By the end of the 13th century, a stable, bright blue cloth was widely available.
And as blue became more widely available, its semantic impact skyrocketed. Blue embedded itself into religion, as the new color was used to represent the robes of the Virgin Mary. It was also incorporated into the heraldry of various important families, and royalty was no exception to this affection for the new color. While the King of France was the first to adopt blue into his royal color palette, it was soon in use by the King of England, and later by kings in Germany and Italy.
In just a few short decades, then, blue went from having no cultural significance to representing some of the highest values of society: the purity of the Virgin, the power and prestige of royalty. The spectrum of meaningful color had expanded in short order, and the world was different as a result.
The world we live in is currently undergoing a similar seismic change. Previous patterns of working and living have been forcibly modified. One of the most foundational of these movements comes at the hands of “shelter-in-place” orders being enacted in various parts of the world: employees, no matter their industry or profession, are being forced to work from home.
The concept of working from home is not novel. With the adoption of mobile devices and the increase in broadband availability both in private and public areas, a small segment of the workforce had already adopted this model. Like the color blue, however, it was a secondary option, and its cultural impact was limited.
The spectrum of work has now shifted. Shelter in place orders have forced a global workforce to work from home. What had been an alternative mode of work has now become the primary—all within a few short months, if not weeks. Remote work is the color of 2020, and it is likely here to stay. Once blue arrived, innovation and investment drove production and created entirely new industries, and the forced adoption of this new mode of work will force a similar chromatic shift. People have a new color in their palette, and the world will be shaded differently.
In the wake of this transformation, the cultural impact of this shift awaits. In short order, blue came to be associated with health, power, and affluence. Will the same soon be said of working from home?
Certainly, from a business perspective, the value of this new way of working is already evident, particularly for organizations that have already developed the infrastructure to accommodate a pattern of remote work. This is not merely an installation of IT services such as a VPN, but also requires reconsideration of the established security mindset. While many of them may not have the scale to handle a complete and immediate transition to home-based employees, their transition to this brave new world will be smoother due to their preemptive investment in a revised security strategy.
This new approach to securing resources deemphasizes perimeter defense and elevates the role of identity. Various systems and names have been introduced (or reintroduced) to facilitate the practical development of these systems; zero trust and CARTA are a few strategies among many that attempt to translate this vision into a practical reality.
Businesses that have already begun this shift are likely to be less impacted by the maelstrom of change; while none welcome this new reality, organizations well-equipped for this new cultural value will be healthier in both the short and long term. Fewer disruptions in their business and continuity in their economic model will mean that they have a stronger chance of not just surviving, but being in the ascendancy as the crisis transitions into a different, hopefully milder, phase.
Even organizations with a solid security strategy, however, are subject to market forces. It is possible that the new dominance of remote work will alter the landscape of enterprise. Just as the rapid proliferation of the internet drove some organizations into the stratosphere and left others behind to languish in the “brick and mortar” mindset (the easiest example of this dichotomy is Amazon and local booksellers), working from home at this sort of scale has the potential to divide enterprises into strata of success. As a result, remote work may become semantically linked with health and with power—or their business-speak equivalents “profitable” and “innovative”—similarly to the new connotation blue acquired after it was employed by religion and royalty in the Middle Ages.
But the more profound potential for the cultural impact of working from home centers around individuals. In just a few short weeks the quarantine has shone a bright light on existing inequalities that are all-too-easily ignored.
The pandemic is revealing a caste system, one of whose demarcation lines is the ability to work from home. This flexibility is primarily dictated by both the availability of reliable broadband access and the specific occupation in question. Rural residents with limited network access, or those in specific sectors: the service industry, shipping and transport, food distributors, and government officials often have no viable option to work from a remote location—to say nothing of the healthcare workers who find themselves thrust to the front line of the pandemic.
For others, the ability to continue to work while staying home confers a wide range of benefits. The first is obvious: steady employment. With unemployment rapidly escalating, the pandemic is already having an effect on economies worldwide. If working from home means retaining a job, this primary benefit lays the foundation for the others that follow. The second advantage lent by remote work may be a bit more hidden: continued education for their children. Schools in 130 countries have closed, disrupting the learning of over 1.2 billion students. The same reliable network access which allows them to continue working also provides for the continued education of their children and puts those pupils at an advantage over their peers. Finally, the most striking benefit that working from home while quarantined bestows is a better health outcome. If the point of stay at home orders is to prevent interaction with outsiders, preventing the spread of COVID-19, then complying with these guidelines and working from their homes ensures that those individuals and their families are less likely to fall ill.
These are not minor benefits: affluence, education, and health. And if the pandemic and working from home are revealing an existing caste system, it is also reinforcing it. Those with the ability to work from home are finding their wealth protected, their children keeping pace academically, and their expected health outcomes confirmed.
After only a few short weeks of stay at home orders, both businesses and individuals are already associating a work from home model with increased health, power, and influence. As the quarantine continues, that connection will only strengthen. COVID-19 has transformed remote work from a relatively unused mode of employment to the only viable option, and the benefits that that model currently conveys will ensure its association as not just a possibility, but as a preferred way to work for many.
After a long period in relative obscurity, blue’s popularity exploded; the spectrum of the world expanded and blue rose to become the world’s favorite color in the space of a few short decades. Starting as an afterthought, it came to be strongly associated with positive ideals and well-being. Blue’s ascendance was astonishingly rapid, but the rate of worldwide change in this early portion of 2020 makes it seem glacial: the global pandemic has the potential to establish working from home as a cultural value—and to equate it with health, affluence, and power in only a few short months. The color of the world is swiftly changing once more.
Global Security Advocate, Office of the CTO
The Experience of Identity
Or The Art of Getting out of the Way
Most people basically don’t care about online security and privacy – at least, until something goes wrong. Most people care about getting stuff done. When most people go online, they do so to interact with friends or colleagues; to shop; to do work; to use local or national public services; to file taxes; to fill in school applications; to play games… In other words, for most people, ‘real world’ and ‘digital world’ overlap and intersect in increasingly fluid ways. And just as in the real world, if we put barriers in the way – no matter how well-intentioned – most people will make a choice to use someone else’s service.
Let’s take the exceptions, first. It is certainly true that if I want to, for instance, open a bank account, or apply for certain benefits – in person, at a bank branch (if you can find one!) or regional government office – I may need to present one or more ‘proofs of identity’. The exact process will differ from country to country, but the basic principle is the same. Yes, it’s a little annoying… but it doesn’t happen very often, and we all (mostly) understand why we are being asked to follow the process. Most important: the ‘cost’ to us, in terms of the inconvenience, in most cases balances out against the value we ascribe to the service.
Likewise, when we go shopping (IRL) the process of buying something is generally pretty quick and simple. I don’t have to answer a bunch of questions, or agree to terms and conditions, or figure out whether or not to tick the box to accept marketing information. I pick my items, hand over my cash (or tap my card, or whatever) and I’m done. Barrier to entry very low – ease of transaction very high – everybody wins.
Unfortunately, we have developed habits over several years of making it really hard for most people to do simple things online. I’m sure we all have our own favorite egregious example. Here are a couple of mine, suitably anonymised.
Exhibit One: an international budget hotel chain. They have an app for making reservations. On the opening screen of the app, they provide this nice consent box:
Two problems here. The first is rather fundamental: I’m prevented from booking a room unless I agree to receive marketing. Well, that’s just naughty. The second problem is more subtle: I have to agree to the terms and conditions before I open the app. Imagine this as a phone booking instead:
Prospective customer: Good morning, awesome hotel! I’d like to book a room, please.
Ostensibly awesome hotel: Sure! We’d love to have your business! Before we do anything else, though, I need to read you our privacy notice (which is only 10 pages long) and our commercial terms and conditions (we have a great new version of these which is only 8 pages long!), and then you have to agree to it all. Is that OK?
Prospective customer for a different hotel: (decides this is not such an awesome hotel, and hangs up)
Not very awesome hotel: Oh dear, there goes another customer.
Being cynical, one rather imagines that the hotel chain is hoping that people will just check the boxes as a quick way to skip over the barriers here; and they are probably right. But even then – leaving aside the dubious ethics and legality – it’s not a great experience. What I want to do is to make a reservation!
Exhibit 2: MFA. So let’s be clear. There’s no question that MFA is a lot better and a lot easier to use than it was. There’s no question that MFA makes a tremendous difference in terms of things like account takeover. But here’s the rub. Most people don’t care. Case in point: in my spare time I manage a set of online services for a local charity. Our users are smart people, but they are not technologists. We use three different platforms to run the charity; two quite specific to the org, and one which is a very common business services platform. And we use online banking. The online banking service and two of the three platforms offer MFA (or, at least, 2FA). They all do it differently. The bank and one of the charity platforms have (different) custom solutions. The common business platform uses an industry standard solution… but the onboarding process, especially for non-technical people, is byzantine. As a result, it has taken over 12 months to get a team of 10 people properly configured. No-one is happy, because there are multiple systems to contend with (none of which are particularly user-friendly) and we’ve only succeeded because the threat of non-compliance with GDPR best-practices has forced individuals into action.
There are plenty of other examples – one which gets quoted a lot is the ‘having to create an account before you do anything’. This particular design pattern, I’m pleased to say, appears to be on the decline. I’ve had several online shopping experiences recently where the choice to create an account was just that: a choice. Presented to me after I completed my purchase. And you know what? In one case, I knew I was unlikely to visit that particular store again, so I saved myself the time – and in so doing I also saved the company from having to maintain and secure an account for me which was going to serve no useful business purpose!
And that’s the point. We – and the business leaders who inform the projects we work on – have fallen into habits and patterns which, in many cases, had sensible security or privacy or operational purposes behind them but which ended up getting in the way of the customer. And we could have – we can – do things differently. Standards like FIDO and WebAuthn and SAML and OpenID Connect (and many more) certainly help. We should take care not to compromise security and privacy in our efforts to improve usability. But we should start to prioritise designs which actively help users get things done. Which, more often than not, means getting out of the way.
IDPro Board Member