Apr 14, 2020

Analysis | The Cybersecurity 202: Privacy experts fear a boom in coronavirus surveillance


By Joseph Marks


with Tonya Riley

Photo by NACHO GALLEGO/EPA-EFE/Shutterstock (10611449a) A worker, with a protective mask, looks at his mobile phone as he is on board a bus to go to work.
THE KEY
As federal and state officials scramble to fight the novel coronavirus pandemic, experts are sounding alarms about the potential danger of increased surveillance programs they say could do long-term damage to U.S. privacy rights. 
Other nations, including South Korea and Israel, have used tracking data including cellphone location information and facial recognition tools to power their pandemic responses. But similar efforts in the United States could amount to a major erosion of civil liberties. And there’s scant evidence that efforts more sensitive to privacy and security concerns would actually be effective at containing the virus, experts say.
“My concern is that out of desperation we will turn to technology and put in place a massive surveillance apparatus at a tangible loss to civil liberties that doesn’t even accomplish the goals it sets out to in terms of saving human lives and healing the economy,” Ryan Calo, a University of Washington law professor focused on cybersecurity and privacy, told me.
Technology aimed at tracking infected Americans is just now being developed in the United States. Google and Apple are teaming up to create new digital tools that could use Bluetooth wireless technology to tell iPhone and Android users when they cross paths with someone who is infected. Neither the infected person's identity nor their actual location would be revealed.
Yet one big concern is the virus could lead policymakers to rush headlong into adopting new digital surveillance regimes that don’t get rolled back once the pandemic is under control.
Officials could also adopt tracking tools that are later re-purposed for other things, similar to how post-9/11 surveillance and investigatory powers aimed at combating terrorism were later used to stem drug trafficking and other crimes. Tools that trace who has been in contact with people who test positive for the virus, for example, ultimately could end up being used by law enforcement to track criminals and their associates.
“Mission creep is always a concern because historically we’ve seen it happen,” Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union’s Speech, Privacy and Technology Project, told me.
Granick and other experts are urging companies and government officials to make a series of technology and policy commitments regarding any surveillance programs. Those include collecting as little data as possible and anonymizing to the greatest extent feasible. They should also ensure any data they collect won't be used for purposes beyond combating the virus and commit to ending any new programs as soon as the virus is under control.
During a Senate Commerce Committee hearing last week, Sen. Maria Cantwell (D-Wash.), whose state is among the hardest hit by the virus, urged the government to “resist hasty decisions that will sweep up massive, unrelated data sets” and to “guard against vaguely defined and non-transparent government initiatives with our personal data. Because rights and data surrendered temporarily during an emergency can become very difficult to get back.”
The meeting was conducted as a “paper hearing” with lawmakers and witnesses digitally submitting opening statements and questions and answers but not meeting in person.
Though there’s been a lot of talk about leveraging technology to combat the pandemic, there are few hard plans inside the United States so far. 
The joint venture between Google and Apple, which could launch as soon as mid-May, includes protections to anonymize user data and would rely on people voluntarily downloading apps that participate in the program and reporting when they test positive.
Google is also using its trove of location data across 131 countries to share anonymized information with health officials about how much people are traveling during the pandemic.
Those privacy and security protections may also make any contact tracing technology less effective, though. For example, the apps probably wouldn’t distinguish between people who passed an infected person on the street and those who spent day after day next to him at the office, Greg Nojeim, senior counsel at the Center for Democracy and Technology, noted during a panel discussion on coronavirus privacy concerns hosted by the Project on Government Oversight.
Some tech and security experts also warned information collected by the apps could be used to discriminate against people based on their infection status.
Here’s Sergio Caltagirone, a former National Security Agency official, who’s now vice president for threat intelligence at the cybersecurity firm Dragos:
This will ABSOLUTELY be used to discriminate against people as fear of coronavirus will rise as we leave large-scale quarantine. Some people will not be allowed in certain places. Some people may not be allowed to return to work.
— Sergio Caltagirone (@cnoanalysis) April 10, 2020
There’s also a danger of hackers exploiting such apps. 
For example, U.S. adversaries might falsely report a slew of infections to sow chaos and create the false impression of a surge of new infections, Calo said. Or political operatives could do something similar during an election to make people fearful of leaving the house to vote in person.
And even anonymized data can be misused by government officials — for instance, if police use reports that a particular neighborhood isn’t honoring stay-at-home orders as an excuse to ramp up unrelated arrests, Granick said.
“We need to be responsive to this crisis now, but we also need to be thinking about how this data will be used in the future,” she said. “Once this data is collected the only thing that really constrains how it’s used are laws and policies.”
Politico also reported last week that a coronavirus task force led by presidential adviser Jared Kushner has reached out to numerous health tech companies about how they can use data to combat the virus.
Sen. Edward Markey (D-Mass.) wrote to the White House urging significant privacy protections on any such effort including reviews by external experts, a halt to the programs once the virus is under control and extra efforts to ensure the privacy of racial minorities and LGBTQ people.
Note to Readers: The Cybersecurity 202 will just be publishing Tuesday, Wednesday and Thursday this week. We’ll be back to our regular schedule next week.
PINGED, PATCHED, PWNED

Former first lady Michelle Obama speaks at a rally to encourage voter registration in Las Vegas. (AP Photo/John Locher, File)
PINGED: Former first lady Michelle Obama's organization "When We All Vote" threw its support yesterday behind legislation to mandate the ability to vote by mail without an excuse across the nation and give states funding to enact it. 
It's the first time the celebrity-fueled organization, whose co-chairs include Tom Hanks and Selena Gomez, has endorsed federal legislation. And it could give a Hollywood-fueled boost to Democrats' efforts to ensure expanded voting options amid the pandemic.
The bill, the Natural Disaster and Emergency Ballot Act, would also mandate more early voting days and enhanced protections for in-person voting during the pandemic. 
Unless the bill is passed, "millions of Americans will be forced to choose between their health and their right to vote come November," sponsors Sens. Amy Klobuchar (D-Minn.), Ron Wyden (D-Ore.) and Christopher A. Coons (D-Del.) wrote in an opinion piece for USA Today.
Advocacy groups including Planned Parenthood and the Sierra Club are also teaming up with voting rights advocates, signing onto the most recent letter by Stand Up America to get Congress to provide $4 billion in total funding to states for election assistance.

U.S. Defense Secretary Mark T. Esper. (Brendan Smialowski/AFP/Getty Images)
PATCHED: The Defense Department has failed to fully implement nearly two dozen cybersecurity initiatives in the past five years, leaving military technology vulnerable to foreign hackers, a government watchdog reports. Many of the cybersecurity fixes were supposed to be completed as far back as 2016 and 2018, according to the Government Accountability Office report.
Among the problems, officials aren't regularly updating Pentagon leadership on cybersecurity education and training and aren't integrating cybersecurity into operational exercises, the report notes.
The report recommends dramatically ramping up cybersecurity training and better monitoring for how well divisions are doing basic cybersecurity tasks like updating computer patches. The Pentagon’s top technology official should also set target dates for completing all the cybersecurity fixes, the GAO said. 

Slack app is displayed on a mobile phone. (AP Photo/Mark Lennihan, File)
PWNED: A design feature in the work messaging app Slack could allow hackers to steal organizations’ private data, researchers at AT&T are warning in a report out today.
The questionable feature would allow hackers who know the unique web address used by third-party apps that connect to an organization’s Slack network to con workers there into downloading what looks like a verified Slack app but that will actually siphon off the organization's data. 
The report comes amid a boom in hacking that targets work messaging as offices resort to telework during the pandemic. There’s no evidence hackers have actually used the feature to steal companies’ data. But AT&T researchers say they found over 130,000 pieces of code on the public computer code-sharing forum GitHub that would help hackers steal data from particular companies. 
AT&T researchers are urging companies that use Slack to require authentication for any outside app and limit users who can download them to people with technical training.
Slack said it blocks people outside an organization from viewing those unique URLs on its own site and does its best to remove them from sites like GitHub so hackers can’t find and exploit them.

PUBLIC KEY

Cybersecurity news from the public sector:

Hackers compromised the computer network serving New York’s state government in late January, officials said Monday, prompting the state to hire an outside firm and change thousands of employee passwords.
Wall Street Journal

The recommended revocation of China Telecom’s U.S. license is the latest in a series of actions targeting Chinese tech businesses.
Ellen Nakashima

Americans rank the spread of infectious disease, terrorist attacks and cyberattacks as the top national security threats, a study released by the Pew Research Center on Monday found. 
The Hill

It may be open season for coronavirus scammers, but tax frauds aren’t letting up, either.
CyberScoop

PRIVATE KEY

Cybersecurity news from the private sector:

Hackers injected malicious login-stealing code on two airport staff websites.
TechCrunch

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.
Bleeping Computer

Paying customers can "opt in or out of a specific data center region."
The Verge

WILD WILD WEST

Cybersecurity news from abroad:

A decade of health disinformation promoted by President Vladimir Putin of Russia has sown wide confusion, hurt major institutions and encouraged the spread of deadly illnesses.
New York Times

Dutch police have shut down 15 DDoS-for-hire services that were used to run cyberattacks aimed at knocking websites and networks offline.
CyberScoop
