Podcasts

A common adage in information security is that most startups don’t hire their first full-time security engineer until they’ve got around 300 staff.

If your app only stores public data and has no need to authenticate users, that might not present much of a problem. But when your app needs to be trusted to protect the confidentiality of a person’s political preference, it’s something else entirely.

It’s why Tusk Philanthropies - an organisation devoted to bringing mobile voting to the masses - is playing matchmaker between a half-dozen mobile voting startups and the security experts that can help bring them up to snuff.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• ASD launches offensive action against criminals
• Bio-tech firms working on COVID-19 targeted by ransomware
• Iran targets WHO
• Did you hear there’s a security issue with Zoom? You might not have heard. Don’t worry we’ll tell you about it
• Much, much more
  

Brett’s take on the week’s infosec news. Click through for subscription link.

Internet technologies are set to play a critical role in the 2020 Presidential Election.

State election officials face the daunting task of upholding the most essential function of democracy in the midst of a health pandemic that constrains the movement and assembly of people in public spaces.

This podcast is brought to you by the Hewlett Foundation. They provided us with a grant to support us doing some podcasts about cybersecurity issues that touch on policy. Regular listeners would have heard some of these special podcasts already.

Today’s guest is Jennifer Morrell. She’s a partner with Elections Group and is a recognised expert on election audits.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• KSA uses SS7 to track its citizens in USA
• Governments begin virus tracking through personal devices
• FBI warns of Iran-linked crew in yer supply chains
• Voatz gets booted from HackerOne
• All the cloud and Zoom drama

This week’s show is brought to you by Signal Sciences. Instead of interviewing one of their people, they suggested we interview Andrew Becherer in this week’s sponsor interview.

This is a completely unedited recording of a YouTube livestream broadcast on March 31, 2020. It features Patrick Gray, Dmitri Alperovitch, Alex Stamos and Adam Boileau.

The US Government is tapping the data of mobile advertising companies to identify non-compliance with social distancing measures, according to the Wall Street Journal. The scoop follows reports last week that the White House sought assistance from US tech giants to help monitor quarantine compliance and perform contact tracing.

Last week Risky Business explored what measures might prove effective and published a guest column by Stanford Law’s Albert Gidari suggesting Facebook and Google volunteer their expansive reach to offer privacy-preserving solutions. In the absence of either announcing initiatives, startups are stepping up to the plate.

…

In this (sponsored) podcast Akamai’s CTO of Security Strategy Patrick Sullivan talks us through the basics of identity-aware proxies. With more and more internal applications being served to newly external users, identity-aware proxies are the new hotness.

If Typhoid Mary carried a cell phone, we would all want to know where she’d been over the last few days.

Technology exists right now to trace the historical location and movement of any person who has tested positive for COVID-19. That location history is more detailed and accurate than information the Center for Disease Control (CDC) gets from interviewing people who have tested positive, and it can be used to map the trajectory of the disease over time and place, all while protecting privacy. However, privacy concerns and sufficient resources within public health organizations have hindered development of a location history solution.

These concerns are understandable, because there have been reports about third party location aggregators or surveillance equipment providers trying to sell bulk location information to the government.

A better approach - discussed below - dismisses third party aggregators because they largely are unaccountable, the data sources are speculative and without consent provenance, and the data tends to be less comprehensive and representative of communities.

Over a dozen countries have introduced or deployed tracking technologies, physical surveillance and censorship measures in a bid to slow the spread of the virus. A Digital Rights Index has been published to help stem overreach, promote scrutiny, and ensure that intrusive measures don’t continue for any longer than absolutely necessary.

So how would a location history solution work while protecting privacy? Consider what your device already knows about you. If you use Google Maps, for example, your Timeline can be seen in the Maps Menu. Click and you will see a detailed summary of your daily travels for as long as you’ve stored it, and your actual route is displayed on the adjacent map. My history for January 17th shows that I flew from San Jose to Seattle, took a 1:10pm ferry to Bainbridge Island, went to the barber at 2:30pm, then to the post office at 3pm, then home, and then had dinner at Sawan’s Thai Kitchen at 6:30pm. If I fell sick and tested positive two days later, I doubt that I could relate the details of my movements for two or three days before diagnosis with that degree of specificity.

But if I provide my cell phone number and/or account identifier to the public health official and consent to it, the data could then be sent to CDC - a governmental entity under the Stored Communications Act who can by law request emergency location information from Google or any other platform or provider that maintains my location history.

The emergency request is the same procedure used dozens of times each day where law enforcement submits a request to a provider to disclose user information in emergency cases like kidnappings. It is tried and tested. The infrastructure exists for it right now, including rapid delivery of the data back to the governmental entity.

Privacy concerns can be minimized by ensuring that the user’s opt-in consent for sharing with the CDC solely is for the purpose of tracing potential infectious contacts and cannot be shared with other governmental agencies without the person’s added consent. Further, the CDC can confirm it will destroy the identifiable information promptly upon receipt of the location history - the CDC only needs to know where a person with a positive test traveled and when. Everyone’s location history already is known to their providers; the person who tested positive already is sharing their movements as best as possible with health providers. The person infected is consenting to their information being used to notify others of the risk and for no other purpose. Contact tracing already is being done at the local level with scarce resources.

More can be done once the location history of the infected user is known. Platforms and wireless carriers can use incoming CDC or user data requests to determine how many other users were in the vicinity of the positive case at any given time. This is called geofencing. It is done today in response to search warrants from law enforcement to identify users in and around a crime scene, or, all registered phones on a cell tower serving a crime scene area.

Rather than the CDC simply telling the local community that a person has tested positive in their county, providers instead can tell specific proximate users precise facts by means of a text, email, or device notification: a person who tested positive was on the 9am flight from San Jose, landed at SeaTac at 11:10am and got a cab 10 minutes later, was on the 1:10pm ferry to Bainbridge Island, stopped at various places, and went home. That is actionable intelligence - it relieves the anxiety of people on a later flight or ferry or who ate before the infected person, or all those people who only are told someone has the disease in the community at large. It tells others who were in close proximity that they should self-isolate.

No, this is not a substitute for greater testing, but it may help direct valuable testing resources to a particular at-risk community and to target resources better. Imagine that there were 10 people identified on that 1:10 ferry. With their location maps layered on top of each other, we see a trajectory for the disease throughout the community and further identify the specific risk of immediate contact by others in the vicinity. Perhaps everyone gets directed to shelter-in-place, or, perhaps the proximity map shows only small pockets of concern. Whatever the data shows is immediately actionable at the local level and the CDC will be getting aggregate location data for those in proximity to persons who tested positive.

Knowing that a significant number of persons with the disease were in the general population at a specific time and place is better than any currently available information today, and is more accurate than anecdotal data from those who have tested positive. And again, the CDC (i.e. the government) is only ever getting the opt-in data for the person who tested positive; the providers are doing the rest. Some have complained that this solution is not perfect, doesn’t cover all places or people, isn’t granular enough to avoid “false positives” and requires providers to do something to facilitate it. Right now, the alternative is for everyone to stay home and live with the anxiety that interacting with anyone puts you and your family at risk. That is one big false positive. The approach above is surgical, and most times, good is better than perfect - at least with pandemics.

We also have seen how location information can be used to quarantine or restrict people’s movement in places like China. No one wants a virtual ankle bracelet for quarantine in this country, but those are some of the ideas being floated now. The benefit of the location tracing proposed here is that it is opt-in by those who have tested positive, and privacy protective for the user and all those who were in close proximity to persons so identified. It is better than using a surveillance hammer.

There is some privacy risk to the infected user whose location history becomes part of a map, in that crowdsourcing may identify the individual. But that risk can be lowered by not mapping the end point - if it is a personal residence for example. There is some risk inherent in the use of location data - but again, the degree of specificity for what goes on the map can be determined by the provider and minimized to exclude key data points. A rule might display “post office” but not display “home address”.

It is important to say again that this proposal alone is not a comprehensive solution to the difficult problem of contact tracing. There may be smaller numbers of users with location history enabled on various platforms due to privacy concerns. But if data is drawn from Google, Foursquare, Facebook, Uber, Lyft and other platforms, a comprehensive map will emerge that is sufficient to show trajectory and allow CDC to identify hot spots and resource needs, while simultaneously reducing anxiety in the areas least affected or proximate to individuals who have tested positive.

Albert Gidari is the Director of Privacy at Stanford Law School’s Center for Internet and Society and retired partner at Perkins Coie LLP where he represented wireless companies and Internet platforms.

Read more on proposed contract tracing solutions in the Risky.Biz feature story: ‘The cyberpunk dystopia we feared is here, and just in the nick of time’.