Yesterday Prime Minister Justin Trudeau announced the federal government will begin testing a “completely voluntary” contact tracing app that can be used nationwide. You can get more details here. Ever since that announcement, concerns around security and privacy controls have become top of mind. David Masson, Director of Enterprise Security for Darktrace, shared with me his security concerns that are associated with contact tracing:
The debate over a centralized or a decentralized approach while using contact tracing apps continues. A decentralized approach would mean that the data stays on an individual’s phone, while a centralized one would mean that all the data from the app goes to one central body. Both approaches have their own merits.
In Canada, a unified approach to contact tracing led by the Federal Government, rather than by the individual Provinces and Territories, will relieve the Provinces and Territories of some legal and financial ramifications. A unified effort would also ensure a more collaborative process for building in security and privacy controls, and it would be more efficient for decision making. As the Federal Government makes declared decisions about the app and its development, security needs to remain a priority. A centralized approach, however, needs to come with caveats and protections.
If it is the Federal Government ensuring that a sick person remains isolated and enforcing quarantine, there will be privacy trade-offs. We must be prepared for the future: what should we do with the data after this crisis is finally said and done? Sunset clauses should be put in place to assure the Canadian public that the highest consideration will be taken and that there will be transparency about what happens once the data is no longer needed.
With regard to the collection of data centrally, scientists and health officials could leverage the data for good. They could use data from the apps to analyze how the virus spreads, how it impacts society, and more, which would improve our ability to deal with the outbreak. However, the Federal Government will need to ensure that any data shared for research is secure.
There will also need to be the ability to have some form of open and transparent redress for all citizens with regard to any contact tracing approach in Canada.
I then asked about the fact that this app will utilize the Apple/Google Exposure Notification API. You can find out more info about that here. The Apple/Google API is billed as best in class when it comes to privacy. So my question was whether the usage of this API made things safer.
I think the question isn’t is it ‘safe’, but does it make things more secure? Maybe, maybe not.
Privacy and security are not the same things. Privacy is about personal control of your own data, in particular your identity. Security is the tools that will help you control your data and some tools are better than others. Quite frequently when tools or applications are rushed to market without adequate testing, security vulnerabilities subsequently appear.
When rolling out an application that could be used by so many members of the population, governments should use the best available technology with the lowest risk for security or privacy concerns. However, even then it’s impossible to say that without a doubt an application is or is not safe, and it’s important to remember that ‘safe’ can mean different things in different contexts.
For it to be a ‘safe’ application, the technology needs to be implemented correctly, and the app needs to be shut off when the pandemic is over. History has shown that both of these assumptions could prove to be flawed.
That’s an interesting view, as reading over the details related to the Apple/Google Exposure Notification API would have had me assume that there was nothing to worry about. But clearly from what David Masson has said, I clearly hadn’t considered all the implications of a contact tracing app like this one. Thus I thank him for his insights on this. It’s given yours truly, as well as a lot of you, a lot to think about.
Apple & Google To Ban Apps Using Location Tracking Tech From X-Mode If Devs Don’t Remove The Tracking Tech
Posted in Commentary with tags Apple, Google, Privacy on December 10, 2020 by itnerd
Have you heard of a company called X-Mode? Chances are you haven’t. But it is likely that your apps on your phone use their tech. Here’s how it works. X-Mode obtains location data from apps on the App Store and Google Play Store and sells that information to contractors associated with the U.S. military and national security industry.
Charming.
Both Apple and Google are now taking steps to ban apps with X-Mode tracking tech in them, says The Wall Street Journal:
The Journal reported last month that X-Mode was collecting data from phones running its software about nearby “Internet of Things” devices such as fitness trackers and automobiles. That data was being made available to a company called SignalFrame that had received a small grant from the military and had been trying to win other national security-related contracts.
In addition, Vice News reported last month that X-Mode drew some of its location information from apps with a predominantly Muslim user base, such as a dating app called Muslim Mingle and a prayer app called Muslim Pro, though the company also has software embedded in many other kinds of apps.
In response to questions from the Journal, X-Mode said it was re-evaluating its government work and that its contracts prevent anyone from linking a device to personal information such as a name, address or email address.
That didn’t make Apple and Google happy. Google developers have seven days, while Apple is reportedly giving their developers two weeks. If they fail to meet those targets, the apps get banned. Some developers want Apple and Google to reconsider this. But I don’t see either company changing their minds. Nor should they. There is clearly something sketchy going on here and it is good to see both Apple and Google taking action to protect their users.