Tag Archives: Contact Tracing

Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of its new software so that Apple doesn’t have a disaster on its hands when the new software is released and users’ applications no longer work. Unfortunately, some developers sell those phones – or at least access to them – so that others can get unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after the new versions are finally released. Credit: Vice

Reports: eBay is Scanning Users’ Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that eBay is looking for computers that are compromised and used to commit fraud. However, accessing a user’s computer like this likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, a violation of which is a felony, specifically because eBay did not ask for permission. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

The question for you, whether or not you use every single one of those apps frequently, is how many of those apps are still supported by the developer. That includes the so-called “packages” that the app developer used to write that app.

The unsupported app – with bugs that have not been discovered or patched – can provide an avenue for exploit by hackers for as long as it remains on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading


The Conundrum of Privacy Tracing Apps

States in the US and countries around the world are racing to contain the Covid-19 virus. Everyone knows that this is a war. We have won or maybe are winning some of the battles in that war, but the war is far from over.

One “weapon” in that war is contact tracing. If we find an infected person, we would like to know who that person came in contact with since they became infected. That way we can test those people and see if they are infected. And so on and so forth.

Some countries, like China, don’t care about people’s privacy.

China is installing video surveillance cameras outside the apartment doors of people who are under quarantine. You leave your apartment and the authorities will arrest you or, perhaps, you just disappear.

Google and Apple have a strategy and have jointly implemented software that traces contacts with other phones that also have the software installed, but keeps the data local. If you become infected, you can give the government that data. The catch is that the government doesn’t get to own a massive database of your location and contact data, which is a problem for them. They like lots of data.

Utah rejected the Google/Apple strategy in favor of some software written by a startup. The company they chose was a social media startup. The company has 50 employees and wrote the app in three weeks with no oversight and no review. What could possibly go wrong? Do you remember the Iowa Caucus software?

The interesting story about the Utah experiment is that only 2% of Utah residents have opted to install the software. Experts say that you need about 60% for the data to have much use.

Other countries, like Singapore, South Korea and Israel, are using existing data from credit card transactions, GPS data and surveillance cameras.

The UK’s National Health Service also rejected the Google/Apple solution, but leaked NHS documents show that they have privacy concerns. Part of their concern is that the data is self-reported (other than the location itself) and may not even be correct.

Reuters has an article talking about the issues and the competing solutions.

When I started writing this I thought it would be controversial, but now that it is done, I am thinking it is less so.

Everyone has to decide for him or herself whether they trust the government to track them and collect terabytes of data that they will likely keep forever.

While some of these technologies claim that the data is anonymized, think about this. If the data is anonymous, how do they use it to find the infected people? And data scientists have shown, through many examples, that it is virtually impossible to truly anonymize data. If I have datapoints for your house, your work, your church and your gym, for example, I will de-anonymize that data.

I don’t have the answer. In fact, I don’t think there is a right answer. Everyone has to decide what is right for them.

What I think I can say is that it is highly unlikely that apps written in a couple of weeks under intense pressure, and enormous quantities of data collected by governments with very little advance planning, will be secure. Even when companies and governments have lots of time and resources, apps and data are not very secure. To confirm this, all you need to do is check the news on a daily basis.

No easy answers. Sorry.
