Jun 22, 2020

Analysis | The Cybersecurity 202: Privacy experts say many coronavirus apps aren't doing enough to safeguard users' information

By Tonya Riley


with Joseph Marks

Governments across the world are leaning on an array of coronavirus technologies, such as contact-tracing apps and smart thermometers, to make decisions about reopening. But experts are warning that their security and privacy protections are lacking — which could make it easier for hackers to compromise people's personal information.
Developers of the apps, researchers say, did not implement strong digital protections that are standard on other technology that deals with sensitive personal or health information. And many are siphoning data to third parties — which means people's private information could be used for targeted advertising or to track them across other, unrelated apps.
"One thing that's happening with [coronavirus] is that people are giving even more of their information up as response to the crisis, or downloading an app," says Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation, a privacy advocacy group. "There aren’t the protections we need.”

The Care19 app. (Stephen Groves/AP)

Many of the apps are used to automate some form of contact tracing, a process that allows users to figure out whether they may have been in contact with someone infected with the coronavirus. Users self-report if they're infected and the apps use either location data or anonymized Bluetooth signals to ping other users who may have been in proximity and exposed. The goal is also to provide insights to governments about local infection rates.
Out of 17 Android contact tracing apps — from 17 different countries — only one-third had basic encryption.
That's according to research from cybersecurity firm GuardSquare.
And bad security and privacy can have an impact on the apps' effectiveness: Experts warn that the apps won't attract a large enough user base to be useful for contact tracing if users don't trust the apps to protect their privacy. "If you want a large amount of uptake and installation or use, people are going to have to trust these apps," says Grant Goode, chief scientist at GuardSquare.
After all, Goode says, "if they are inadequately secured ... they then become an attractive target for hackers." 
Other experts are concerned about the apps sharing data with third parties without users' explicit understanding or consent.
An investigation by the International Digital Accountability Council, an independent privacy and consumer watchdog nonprofit based in Boston, found eight coronavirus apps around the world that shared information with third parties, such as mobile analytics company Branch, Google-owned Crashlytics and Facebook.
Developers commonly partner with these companies, which offer software to help optimize an app's performance — such as for collecting analytics or crash reports. However, in many cases third parties also gain access to personal information and phone data that can be used for targeted advertising.
"The rationale for the concern about [third-party software] involvement in some of these covid-related apps means that there is the risk of greater information collection than users might expect," IDAC president Quentin Palfrey says. "That could undermine public trust in the utilization of some of these tools, which in public trust is very important for the efficacy of this public health measure."
Three U.S.-based apps that IDAC found sent data to third parties shared Android data explicitly designed for targeted advertising. They were symptom-logging apps Kencor Covid-19 and Care19 and smart-thermometer app Kinsa.
Palfrey and other researchers say that this kind of data sharing might be appropriate in a commercial context, but raises red flags for apps that are being used in a public health response.
For instance, Kinsa aggregates data it collects about people's fevers that can be used to predict hot spots so that public health officials can respond accordingly. The company has already distributed around 700,000 thermometers to users during the coronavirus pandemic through partnerships with nine U.S. cities and states. (The app also allows users to self-report cases of covid-19, though that information is not shared outside the app, which uses the data to offer health recommendations.)
Kinsa said it was previously unaware that Branch was receiving data that could be used for targeted advertising and disallowed access for Android phones last week following IDAC's report.
But Kinsa still shares iPhone user data including IP addresses and device information – and the company said it could not disable this function without rendering the app useless on Apple devices.
Kinsa does not share health data or personally identifiable information such as email addresses with Branch, the company emphasized.
But so long as third parties can access information like IP addresses and device build, it's almost impossible for users to prevent the third parties from creating a digital fingerprint for them and tracking them across unrelated apps, says Patrick Jackson, chief technology officer at privacy app Disconnect.me.
"It's a black box," he says. "The downside for consumers is if Branch ever had a data breach the user would never know."
Utah’s Healthy Together App collects similar data. 

An image of Healthy Together's app. (courtesy of Healthy Together/Twenty)
The privacy policy for the app pushed by public health officials in the state says that it "collect[s] information about your mobile device or computer system, including MAC address, IP address and mobile device ID" – all the signals needed for a digital fingerprint that researchers like Jackson warn about.
The app's privacy policy doesn't list which third parties receive this data or why. But a spokesperson for Twenty, the developer of the app, says it uses Firebase Analytics and Crashlytics for performance analysis and engagement metrics.
This just shows how difficult the problem is to solve, EFF's Schwartz says. “If they want the aggregate data they should do so in a way that's protective of the public and their privacy,” said Schwartz. “We don't object to using truly aggregate data but if the [app] is sending out information to data brokers that a customer owns then that's not truly aggregate data.”
It's these kinds of potential privacy gaps that members of Congress are hoping to address. 
Both parties have introduced their own versions of legislation that would regulate the use of data collected for coronavirus response.
“Technology can help our country defeat the covid-19 pandemic, but when tech products collect any personal data related to the pandemic, it must only be used for public health purposes,” said Rep. Anna G. Eshoo (D-Calif.), who introduced the Public Health Emergency Privacy Act, which would put guardrails on how companies working on pandemic response efforts collect and share personal data including IP addresses.
“The American people do not want this data shared with third parties, used for ad targeting, sold to data brokers, or used for any purpose outside of improving public health," Eshoo continued.

The keys

A federal judge rejected the Justice Department's request to block publication of John Bolton's book.

Former national security adviser John Bolton. (Pablo Martinez Monsivais/AP)

The judge agreed that the former national security adviser gambled with the security of the United States and risked criminal prosecution by publishing the book before government approval. But he said the Justice Department did not offer evidence an injunction was an appropriate remedy, partly because numerous copies are already in circulation, Spencer S. Hsu and Tom Hamburger report.
"For reasons that hardly need to be stated, the Court will not order nationwide seizure and destruction of a political memoir," U.S. District Judge Royce C. Lamberth of the District of Columbia wrote.
The government is attempting to confiscate any book profits, including a reported $2 million advance, by arguing Bolton violated a nondisclosure agreement.
Bolton has denied that the memoir, which alleges Trump put his campaign for reelection ahead of national security issues including cybersecurity, contains any classified information.
Meanwhile, Twitter started cracking down on pirated copies of the book circulating on the web. NBC News' Kevin Collier:
Well that was fast. https://t.co/XP2cSprTIQ
— Kevin Collier (@kevincollier) June 20, 2020
Tensions are ratcheting up between the U.S. and China over cyberspying.

Secretary of State Mike Pompeo. (Yuri Gripas/Pool/AP)

Secretary of State Mike Pompeo accused the country of pushing disinformation and malicious cyber campaigns to drive a wedge between the U.S. and Europe at an online conference in Denmark, Jan M. Olsen at the Associated Press reports. U.S. officials have accused China-backed hackers of stealing coronavirus vaccine research and spreading disinformation blaming the pandemic on the United States.
Meanwhile, European allies are feeling the crunch of the United States' assault against Chinese telecom giant Huawei. British security officials recently warned U.K. telecom operators to stockpile Huawei equipment in case U.S. restrictions on the company's access to microchip technologies disrupt their operations, Reuters reports. Mounting U.S. sanctions against Huawei have forced the United Kingdom to reconsider allowing the company to build parts of its next-generation 5G networks.
China, meanwhile, recently introduced espionage charges against two Canadians, Gerry Shih reports. It's widely seen as retribution for Canada's role in helping the United States target Huawei executive Meng Wanzhou, he reports.
Australia suspects China in major cyberattacks against its government and industry.

Australian Prime Minister Scott Morrison speaks at a news conference. (Mick Tsikas/AAP Image)
The Australian government hasn’t officially blamed China for the spate of attacks against all levels of government and critical infrastructure but views it as the most likely attacker, sources told Colin Packham at Reuters. 
Prime Minister Scott Morrison told reporters: “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting,” but declined to officially attribute the attack.
There's a "high degree of confidence" that China is responsible, one government source told Reuters. China's Foreign Ministry denied any involvement and said the nation is "firmly opposed to all forms of cyber attacks." 
Australian intelligence has flagged similarities between the recent attacks and cyberattacks from last year that Reuters reported Australia had attributed to China.

Global cyberspace

Britain will now use contact tracing technology from Apple and Google instead of its own app. 

British Health Secretary Matt Hancock. (Pippa Fowles/10 Downing Street/REUTERS)

The government scrapped plans for its own app after developers found the technology performed poorly with Apple phones, Kelvin Chan at the Associated Press reports.
“Apple software prevents iPhones from being used effectively for contact tracing unless you’re using Apple’s own technology,” Health Secretary Matt Hancock said at a briefing. The United Kingdom initially rejected Apple and Google's software because it does not allow governments to centrally collect location data.

Cyber insecurity

The NSO Group used spyware on a Moroccan journalist days after pledging to stop its products from being used in human rights abuses.

Journalist and activist Omar Radi . (AP Photo/Abdeljalil Bounhar)

The Moroccan government used the company's Pegasus spyware against the phone of journalist Omar Radi, an Amnesty International investigation found. NSO Group did not confirm or deny it had provided its technology to the Moroccan government, the human rights organization says.
But the investigation found that the controversial Israeli spyware firm kept the Moroccan government as a customer through at least January of this year. "NSO Group clearly cannot be trusted," Danna Ingleton, deputy director of Amnesty Tech, said in a statement. "If NSO won't stop its technology from being used in abuses, then it should be banned from selling it to governments who are likely to use it for human rights abuses."
NSO said it would review the Amnesty International report and will initiate an investigation "if warranted.”
"NSO has undertaken a Human Rights Compliance Policy to comply with the UN Guiding Principles on Business and Human Rights," a company spokesperson said. "We are the very first in our industry to sign on to these principles, and we take any claim of misuse seriously."
The Internet's biggest web tracking database was leaking personal data including emails and home addresses for over six months.

The Oracle Corp. offices in Burlington, Mass.
Oracle-owned BlueKai exposed billions of records dating back to August 2019, security researcher Anurag Sen found. 

While it's impossible to tell precisely how many individuals were affected, the breach could be the largest of 2020 so far, Zack Whittaker at TechCrunch reports. The records included transactions laden with personal information from furniture purchases to esports bets.
Oracle spokesperson Deborah Hellinger said the company determined that two users did not properly configure their services. “Oracle has taken additional measures to avoid a reoccurrence of this issue,” she said. Oracle declined to say whether it informed those whose data was exposed about the security lapse, TechCrunch reports.

Chat room

The Department of Homeland Security sparked controversy this weekend when it accused Politico of misrepresenting a recent bulletin about the threat of an extremist group called the boogaloo movement. Yahoo News' Sharon Weinberger:
This is a weird basis to criticize the article. DHS docs refer to the Boogaloos as "racially motivated extremists," i.e. racists. But everyone else, including Fox News, calls them far-right.
But, no, DHS documents don't claim Boogaloos are violent extremists from "both ends." https://t.co/fnhkxelyCM
— Sharon Weinberger (@weinbergersa) June 21, 2020
Cybersecurity experts pushed back against the apparent politicization of the agency account. Dragos' Lesley Carhart:
Politicizing cybersecurity agencies will hobble important efforts to stop the very real threats we face as a nation.
— Lesley Carhart (@hacks4pancakes) June 21, 2020
Frank Bajak said it was a matter of accountability:
I think that in the interests of accountability the American public deserves to know exactly who wrote this. https://t.co/6UpYm8aqrG
— Frank Bajak (@fbajak) June 21, 2020

Daybook

  • The House Armed Services Committee will mark up the National Defense Authorization Act for Fiscal Year 2021 on Monday and Tuesday.
  • The Senate Homeland Security Committee will hold an oversight hearing to examine Customs and Border Protection Thursday at 9:30 a.m.
  • Carnegie's Partnership for Countering Influence Operations and Twitter will host an event on influence operations on Twitter on July 9 at 1 p.m.

Secure log off

John Oliver reminds us the coronavirus still exists:
