Agency CISOs will have to weigh the ramifications of apps that could combine health and location data of federal employees, a security professional said.
“Big tech” is a popular target of federal policy-making efforts that attempt to hold some of the most profitable companies in the U.S. economy accountable for protecting individuals' privacy. But when it comes to using applications to track the spread of COVID-19, roles are reversed.
With human contact tracers in low supply, some states are turning to smartphone apps to notify individuals that they have been exposed and should isolate themselves so they don’t continue spreading the disease. Experts say contact tracing will be especially important as officials look to lift lockdown orders.
But the apps—some of which are in use in other countries—are not created equally. Some rely on specific geolocation services, and some of them work in conjunction with a central database of individuals who have tested positive for the coronavirus. This use of sensitive information stokes concerns from privacy and civil liberty advocates about the potential for data misuse.
While Democratic lawmakers in the House wait for a response from the Trump administration on its plan for the use of contact tracing apps, Apple and Google announced an unprecedented partnership to develop software they say would make the privacy issue a moot point. Their joint platform would enable iOS and Android phones to use Bluetooth technology to alert individuals when they’ve come in range of an infected person. The companies call what they’re working on an “exposure notification” platform to facilitate contact tracing apps.
Google and Apple have laid out criteria for the use of their platform, and they must approve the subsequent apps. Authorized apps would only be for public health authorities, would not use geolocation, and would be limited to one per country in order to maximize efficacy. Anyone using the apps would be doing so voluntarily and they are more effective if large numbers of people choose to participate.
Phones installed with the apps would use the Bluetooth protocol to radiate encrypted codes unique to users and record the unique encrypted codes of other users within a certain distance — six feet, for example. Those who have tested positive would voluntarily upload their status and have it associated with their code. Surrounding phones with the approved apps would recognize this and send their users information on quarantining.
This is somewhat encouraging to former CIA official Marcus Fowler.
“In the Apple and Google proposal it does look like they are attempting to address as many of the privacy concerns as possible,” Fowler, now director of strategic threat for cyber firm Darktrace, told Nextgov.
Limiting app development for contact tracing to public health authorities, especially, makes sense to Fowler, in order to allow accountability and foster public trust.
“I would trust an app created by one federal organization a lot more than a private-sector company,” he said. “If it was someone like the [Centers for Disease Control and Prevention] or someone along those lines there would be a lot more credibility and there would be a lot more room for redress in terms of misuse and oversight if it's a government body that's owning that and being held responsible to data security. That's the right approach.”
The best Congress has to offer?
But assurances from Google and Apple aren’t enough for Fowler, who said policy-makers should be discussing things like sunset clauses for use of the technology.
He sees a scenario similar to the period immediately following the September 11th attacks. Lawmakers approved a system of domestic surveillance that’s stuck around and become the norm despite concerns about undue government intrusion.
“There are a lot of decisions and laws and capabilities that were put in place then due to the sense of urgency,” he said. “And I think we are going to quickly, if we're not already there, have the same sense of urgency for contact tracing. You can see people saying this is what's necessary to get an economy back on line or for people to go to work, and the only way we're going to scale is if we use certain technology. We can very quickly skip over the public debate in defining rules to the implementation, and then it can be hard to walk it back once you've taken that step.”
Senate Republicans are promoting legislation they reportedly plan to introduce this week as a way to hold entities accountable for privacy protections while enlisting technology to help stop the spread of COVID-19.
Digital rights groups excoriated the bill, proposed by Senate Commerce Committee Chairman Roger Wicker, R-Miss. along with Sens. John Thune of South Dakota, Jerry Moran of Kansas, and Marsha Blackburn of Tennessee.
Among other things, the COVID-19 Consumer Data Protection Act, a draft of which was obtained by Bloomberg, would require companies to publish transparency reports describing their data collection activities related to the coronavirus.
Sara Collins, policy counsel at Public Knowledge, said it was a “privacy ‘cure’ worse than the disease,” noting “the bill gratuitously preempts the much stronger [Federal Communications Commission] privacy protections governing mobile carriers.”
Privacy advocates are affronted by what they see as an opportunistic play to roll back regulations in place at the FCC restricting mobile phone companies such as Verizon, AT&T and T-Mobile from sharing users’ data with third parties without their permission.
“During normal times, their behavior is unseemly. During a pandemic, it’s unconscionable,” Fight for the Future Deputy Director Evan Greer said, “It’s disgusting and offensive that this is what they’ve come up with.”
The bill is a microcosm of larger efforts to pass federal privacy legislation—and political camps now seem further apart than ever.
CISOs, Don’t Be Shy
While federal policymaking on the use of contact tracing apps flounders, Fowler says chief information security officers should step up.
“As a federal CISO, I would be looking at evaluating and understanding the options,” he said. “My worry is that you're going to have this flood of applications that collect different things and you're going to have some that are secure and some that are slapped together because people want to get them out there [and sell data to advertisers].”
Fowler said for federal workers, particularly those in the intelligence community, contact tracing apps might collect information hackers could access and use as phishing lures to penetrate government systems, and encouraged CISOs to act before it’s too late.
“What happens at times is they aren't sure what guidance they want to issue, so they don't speak out and then before you know it, the apps are already on people's phones before someone says we don't recommend the following,” he said. “So it's going to be important as these become available, that there is communication from that information security leadership.”
Fowler emphasized that there's going to be a lot of pressure from higher-ups to move quickly and said CISOs should stake out their ground now, even if that’s by saying they need time to evaluate the apps.
“If you have someone like the president or some very senior people outside your organization who are saying ‘all federal employees need to have one of these’ then you're stuck, as a CISO,” he said. “There could be friction emerging from their own evaluation and comments from senior leaders on press conferences or on Twitter, so it's going to be an important thing to try and stay ahead of as a security person within a federal government agency.”