Privacy is in the same position as security was five years ago

It has taken years for the technology and telecoms industry to take security seriously, and now we are at the beginning of the same story arc with privacy.

The purpose of a story arc in popular culture is to take the character on a journey, agonising through challenges and failures, and up to success and lessons, ultimately concluding with some sort of resolution. There are seven different types, for example, a Cinderella story arc where the protagonist experiences a rise, then a fall, before a final rise, or an Icarus arc where there is simply a rise before an ultimate failure.

The security segment of the technology and telecoms world has gone through somewhat of a Rags to Riches story arc, with adequate protections being ignored for years before becoming a critical component of the technology landscape. That said, some would argue the arc has not been completed as there is still not enough investment.

Perhaps privacy is treading the same path as security, and it will have to battle moral dilemmas, successes and failures over numerous series before it is finally appreciated. The principles of privacy are certainly being ignored, massaged and bent sideways by private and public organisations today.

One question which might be raised is whether we need to reconsider the definitions of privacy for the new world; are we inappropriately judging digital privacy by the standards of the analogue era?

“In my view, there is currently no case for relaxing the privacy rules. There is a need to embed privacy considerations in design of technology,” said Joann O’Brien, VP of Digital Ecosystems at the TM Forum.

“In many cases architectural design/best practice and the embedding of the citizen at the centre of the design still needs to happen. When this happens, meeting privacy requirements becomes exponentially easier to achieve. In many cases relaxing any privacy policy due to impacts on innovation is really playing into the hands of lazy architectures and exploitative technologies.”

This sounds remarkably similar to the rhetoric which was positioned around security technologies for years. Experts said security needs to be built into a product's foundations, not simply bolted on as an add-on. It does appear the same mistakes are being made with privacy.

One country which does seem to be taking the right approach to building contact tracing applications to combat COVID-19 is Switzerland. Using the decentralised approach, the app was built around the privacy foundations, with all sensitive operations taking place on the user’s device. Other countries should take note of this example championing privacy rights.

“TM Forum advocates for continuing and upholding the privacy rules as the long-term consequences of not doing so will have a negative impact on society and potentially run the risk of citizens losing trust in technology.”

While any reasonable person should not advocate the dilution of privacy rules, perhaps there is a case for reimagining them.

Should governments be able to ensure the same levels of protection and privacy are maintained, there is a case for rewriting rules to ensure they are fit for the digital society. After all, privacy rules as we know them today were written for a bygone era. It is like trying to fit a square peg through a round hole: it might fit if you try hard enough, but it is more suitable for another hole.

“The problem with the current system is it insists that every company asks for consent at a very granular level, which makes it impossible for people to read and understand what they are agreeing to,” said Ross Fobian, CEO of ResponseTap, a provider of intelligent call tracking software.

“It is also annoying because you are presented with messages on every website, but don’t have the time to really understand each one. This results in the user simply trying to get the box out of the way as quickly as possible. This means that generally people default to simply clicking the ‘I agree’ button, without understanding what they are agreeing to.”

The transfer of data to corporations can benefit both sides, however. Companies are able to target potential customers more intelligently and appropriately, while the experience of products and services can be enhanced for the consumer.

“The problem is that some companies or even government entities don’t necessarily use your data just to help you,” said Fobian. “They use your data to manipulate you. Cambridge Analytica is a perfect example of this. Also, companies can get hacked and hackers can use that data in ways it was never intended. For this reason, at ResponseTap we don’t store personal data by default, which minimises the risk. However, this is not always possible.”

There are new privacy rules being created for this era, which are heading in the right direction according to Fobian. Telecoms.com readers generally agree with this statement also, with 32% believing privacy rules should be re-imagined for the digital era and 48% suggesting the user should be given more choice to create their own privacy rights.

Privacy is a challenge today for several reasons, most of which can be directly linked back to corporations and governments ignoring its importance. In years gone by, security was an add-on, despite what anyone told you, and the exact same position has been created for privacy today.

All these companies are telling us that they are pro-privacy, but eventually they will have to start showing us with actions which back up the rhetoric.

UK Cabinet Office, as well as DCMS and DoH, clueless about COVID app

Some might assume the strategy to combat COVID-19 is being devised on the hoof while patchy delivery suggests there is little communication between departments, and the cynics would be right!

After a week of bouncing from department to department and representatives being unable to offer any clear guidance or in-depth knowledge of the contact tracing application, Telecoms.com is becoming increasingly concerned about the Government strategy, as well as potential implications for privacy and security.

With the information which has been offered from Government representatives to date, it is clear few have any idea what is actually going on.

Last week, the Cabinet Office released new documents which detailed the UK Government strategy to exit the current societal lockdown. Featured in this broad document were 14 projects needed to ensure the country can exit the lockdown effectively, including the creation of a contact-tracing application to monitor the impact and potential spread of the virus.

The following extract is from the bottom of page 39, the section dealing with testing and tracing:

“Information collected through the Test and Trace programme, together with wider data from sources such as 111 online, will form part of a core national COVID-19 dataset. The creators of a number of independent apps and websites which have already launched to collect similar data have agreed to work openly with the NHS and have aligned their products and data as part of this central, national effort.”

Despite this document being published and distributed by the Cabinet Department, and featuring a foreword from Prime Minister Boris Johnson, it was unknown who the ‘independent apps and websites’ were, when the trials of the COVID-19 tracing app on the Isle of Wight would be concluded or how many downloads were being targeted upon release.

Considering the importance of this document and the material in it, one would assume this information would be available, though we were referred to other Government departments, who have not been able to provide insight either.

This is not the first time we have been referred from a department which should have knowledge of the situation to another. In recent weeks, prior to the beginning of the Isle of Wight trials, the Department of Digital, Culture, Media and Sport (DCMS) stated it was not involved at all with the development of the application, referring us to the Department of Health and Social Care (DHSC), before being directed by representatives of DHSC to the NHS technology unit, where communication went unanswered.

Despite the Cabinet Office, DCMS and DHSC presumably being critical Government departments in the development of a contact tracing app to combat COVID-19, there does not seem to be anyone in the know as to what is actually going on.

Unfortunately for everyone involved, the questions posed were not overly complex and should be simple to answer if the information is available; instead, one department pointed us to another. Perhaps no-one wanted to muddy their hands with what is quickly turning into a debacle, or maybe no-one could actually answer these simple questions.

If there is little contribution from these departments on the development of the app, how can one ensure there are effective safeguards for cybersecurity or data privacy? The Government has gone against industry advice in pursuing a centralised data model, but confidence in its ability to manage this process is increasingly thinning.

The NHS has somewhat of a checkered past when it comes to digital and data projects, and that is putting it politely. Some of these previous attempts to do digital in the NHS have been completely and utterly disastrous, accomplishing nothing, yet the NHS is seemingly blindly trusted as Government departments plead ignorance. The NHS flying solo will have some critics shifting in their seats very uncomfortably.

For the app to work as desired, 60% adoption is a number which has been floated by academia. This is going to be a big ask, therefore delivery will have to be close to perfection. One might hope that the relevant Government departments are a bit more informed moving forward considering the importance of this technology in aiding the UK’s recovery.

Apple and Google release jointly developed exposure notification API

Just over a month after they started working on it, Apple and Google have made their COVID-fighting framework available to public health authorities.

The key to using smartphones for exposure notification and contact tracing is giving them the ability to constantly sense each other. This is best done through Bluetooth LE, but both iOS and Android prevent apps from using Bluetooth unless they’re active, so a special workaround is required. That has been built into this framework, but is only available to apps that use it.

“Starting today, our exposure notifications technology is available to public health agencies on both iOS and Android,” said a joint statement from the companies. “What we’ve built is not an app—rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better.

“Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps.”

The Verge reports that three US states (the response is much more decentralised over there) are already working on apps that use the framework. That piece also contains some handy explanations and links about the underlying tech and privacy implications. Apparently a total of 22 countries have received access to the API.

Turning this around so quickly is a good effort from Apple and Google, as was their quick decision to put business rivalry to the side for the time being, but then this sort of thing is one of their core competencies. The same can’t be said for health agencies, which is why the hubris of those, like the NHS in the UK, is so frustrating. They should stop trying to reinvent the wheel and go with the best technology available, which is almost certainly this.

ETSI gets to work on new contact tracing app standard

With countries across Europe all trying to reinvent the wheel with their own contact tracing apps, standardization is long overdue.

The responsibility for this has been taken by the European Telecommunications Standards Institute, which has created a special group dedicated to developing a ‘standardization framework for secure smartphone-based proximity tracing systems’. It’s called the Industry Specification Group “Europe for Privacy-Preserving Pandemic Protection,” which is mercifully abbreviated to ISG E4P.

“By their nature smartphones are highly personal devices, carrying large amounts of data about individuals,” said ETSI Director-General Luis Jorge Romero. “In ETSI we are committed to support an international development community with a robust standardization framework that allows rapid, accurate and reliable solutions while winning the trust of the population at large.”

Point well made about trust Luis. The UK, for example, currently seems determined to give its National Health Service access to the data created by the national contact tracing app. Not only would this alienate Google and Apple, thus making the app a lot less effective, but it would almost certainly lead to far fewer people using it.

“A primary challenge is collecting, processing and acting on information about citizens’ proximity at scale, potentially representing tens or hundreds of millions of people,” says the ETSI announcement. “This must also be achieved without compromising users’ anonymity and privacy, and while safeguarding them against exposure to potential cyber-attacks.”

Again, Google and Apple seem to have this more or less covered, but there’s no way a mega public bureaucracy like the EU would ever concede the private sector might have the answer to a public problem. So ETSI will probably take weeks to come up with something very similar, at which time the EC will order all its members to use it regardless of any progress they’ve made independently.

UK’s COVID-19 contact tracing app – will it work?

The UK has officially launched its NHS contact tracing app, but there remain many questions about how effective it can be.

The app is called ‘NHS COVID-19’ and is currently being trialled in the Isle of Wight, presumably to limit its spread, should it turn out to be rubbish. You can read the details of it as explained by the National Cyber Security Centre here. In short, it’s designed to do pretty much the same as all other contact tracing apps – to notify anyone who has been in close physical contact with anyone who is suspected of having COVID-19.

Also in common with other such initiatives around the world, the key point of contention around NHS COVID-19 is whether it uses a centralised or decentralised approach to collecting data. The decentralised method is favoured by Google and Apple, who own the platforms on which nearly all smartphones run and thus have ultimate control over what apps on them can or can’t do.

Under the decentralised system no significant data ever leaves the individual’s phone. All that happens is that, when someone tells their version of the app they think they might have the ‘rona, it notifies the apps installed in phones of anyone who has been near them recently. This is all done by Bluetooth LE running in the background and no identity or location data is involved.

NHS COVID-19, however, uses the centralised model. In this case, when someone notifies the app of their possible blight, it passes that bulletin on to an NHS server, which then performs the function of notifying other at-risk punters. The advantage of this approach is that it will also enable a bunch of other clinical and epidemiological activities such as inviting the person to be tested and mapping disease hot-spots.

The centralised model obviously comes with a lot more data privacy and even civil liberty concerns, which is why the UK government has gone to considerable lengths to demonstrate security, transparency and accountability. Ian Levy, the Technical Director at the NCSC has blogged extensively on the matter and you can even read the technical paper. The Information Commissioner’s Office has also blogged and published a formal opinion.

As you would expect, Parliament is having a good look at this app too. Matthew Gould, CEO of NHSX, which is the digital transformation bit of the NHS, got a socially-distanced grilling from the Joint Committee on Human Rights yesterday and the matter of data protection was very much at the forefront.

“The app doesn’t at this stage know who you are, it doesn’t know who the people are you’ve been near, it doesn’t know where you’ve been,” said Gould, with the ‘at this stage’ bit somewhat undermining his attempt to reassure. “We’ve said we will open-source the code, we will publish the privacy assessment and security models.”

That was around 15:05 of the recording of the briefing. At 15:19 Gould is asked about the longer-term use of data shared with the NHS. “If data has been shared by choice with the NHS then it can be retained for research in the public interest,” he said. It remains to be seen how compliant with GDPR and general data best-practice that will be. Furthermore his answer serves as a great illustration of why people may be reluctant to allow their data to leave the confines of their phone.

Which brings us to a major flaw in the decision to go for the centralised approach – trust. The majority of the population will need to download and use the app for it to be effective, so anything that makes them think twice about doing so is surely a major setback. It seems clear the NHS is doing everything by the book and subjecting itself to maximum public scrutiny, but by going down this path it has built an unnecessary element of doubt into the whole project.

The biggest problem of all, however, is likely to stem from the fact that Google and Apple don’t support NHS COVID-19. That doesn’t mean they’re going to block it from their app stores, but it does mean it presumably won’t have access to the Google/Apple Exposure Notification API. The single biggest challenge that presents is how to keep the Bluetooth LE functionality active when the app isn’t on or in the foreground of the phone.

Coincidentally the two tech giants released more details of their API today, with Tech Crunch doing a good job of summarising the rules determining its use. By adopting the strategy it has, it seems the NHS has ensured we won’t get a COVID-19 contact tracing app that uses the Google/Apple API, which is a shame.

NHSX and the government are keen to stress that NHS COVID-19 is not, by itself, a silver bullet, and will form part of a broader set of measures designed to keep a lid on the pandemic once we’re allowed out of the house again. While we should stress that we’re not in any way advising against people doing their bit by downloading and using this app – we certainly will – its usefulness seems very likely to be seriously diminished by the decision to adopt the centralised approach.

Google and Apple begin testing COVID-19 exposure notification API

Just a couple of weeks after revealing their intention to collaborate over a contact tracing app, Google and Apple have made the first API available to developers.

There doesn’t seem to have been a formal announcement, but plenty of US tech media such as Tech Crunch and the Verge are reporting on it, implying they have been notified directly. It’s being called the ‘exposure notification’ API, which seems to be designed to provide a more specific description as well as making the whole thing sound a bit less intrusive and Orwellian.

The reports say more details will be made available tomorrow, but access to the code will remain limited to public health authorities. While this creates concerns about how the apps will function, especially with respect to privacy, it also makes sense as a fragmentation of the contact tracing app ecosystem would massively diminish the effectiveness of each one.

The political implications of this unprecedented collaboration between the two companies that dominate the global smartphone market aren’t limited to privacy concerns. Opinion is divided about whether the decentralised approach advocated here or a centralised one in which governments gather data from smartphones is best.

While it may lose some of the public communication tools offered by the centralised approach, we feel the Google/Apple approach is better for the simple reason of trust. If people think a contact tracing app will be used to spy on them and arbitrarily punish them, they’re much less likely to install and use it. The efficacy of such an app relies on the participation of a large proportion of the population, so the number one priority should be maximising uptake.

UK snubs Google and Apple privacy warning for contact tracing app

Reports have suggested the UK will pursue a centralised data collection approach for its COVID-19 contact tracing app, despite the well-publicised security and privacy risks.

Last week, the National Health Service (NHS) published a blog entry which pointed towards some element of centralised data collection, though the choice seemingly was going to be offered to the consumer. It now appears this is not the case.

“This anonymous log of how close you are to others will be stored securely on your phone,” Matthew Gould and Geraint Lewis of NHSX, the technology unit of the NHS, wrote in the blog post.

“If you become unwell with symptoms of COVID-19, you can choose to allow the app to inform the NHS which, subject to sophisticated risk analysis, will trigger an anonymous alert to those other app users with whom you came into significant contact over the previous few days.”

Details are of course still thin on the ground, but the BBC is now reporting the NHS will pursue a centralised approach, collating data on NHS servers for analysis and to send out notifications. There are of course advantages to this approach: models can be adapted quicker and additional analysis can be performed, but the question which remains is whether this outweighs the risk to security and privacy; Google and Apple clearly do not think so.

While a centralised approach proposes the collection and storage of all relevant data on NHS servers, an API created between Google and Apple would do the analysis on devices.

Using Bluetooth once again, the decentralised API would store the interactions between devices on the user’s device, only sending a key indicating whether that specific user is infected or not to the cloud. Devices would reference the cloud database regularly and, should the on-device logs match an infected key, alerts would be sent to other devices which have been logged as contact traces.
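As an added illustration (not code from any national app, from ETSI, or from the Apple/Google API), the following simplified Python model walks through the decentralised flow described in this paragraph and in the earlier piece on the NHS app: each phone derives rotating Bluetooth identifiers from a per-day key it keeps to itself, logs what it hears locally, uploads only its own keys if the user opts in after a diagnosis, and every other phone does the matching on-device. The 10-minute rotation, the 16-byte keys and the three-phone scenario are constructed assumptions for the example.

```python
"""Simplified model of decentralised exposure notification (constructed example).

Not the Apple/Google API nor any national app's code: a teaching model of the
flow described in the article, where contact logs stay on the phone and the
server only ever publishes the keys of users who opt in to report.
"""
import hashlib
import hmac
import os

ROLLING_PERIOD_MIN = 10                 # assumption: identifier rotates every 10 minutes
INTERVALS_PER_DAY = 24 * 60 // ROLLING_PERIOD_MIN


def rolling_identifier(daily_key: bytes, day: int, interval: int) -> bytes:
    """Short-lived identifier a phone broadcasts over Bluetooth LE.

    Derived with HMAC-SHA256 from a per-day key that never leaves the phone
    unless its owner reports a diagnosis, so a bystander who collects these
    identifiers cannot link them to a person or to each other.
    """
    msg = f"{day}:{interval}".encode()
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_keys: dict[int, bytes] = {}      # day -> random key, kept on device
        self.seen: set[tuple[int, bytes]] = set()    # (day, identifier) heard nearby

    def key_for(self, day: int) -> bytes:
        return self.daily_keys.setdefault(day, os.urandom(16))

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_identifier(self.key_for(day), day, interval)

    def observe(self, day: int, identifier: bytes) -> None:
        """Log an identifier heard over Bluetooth; stored locally only."""
        self.seen.add((day, identifier))

    def report_positive(self, server: "DiagnosisKeyServer", days: list[int]) -> None:
        """Opt-in upload: only this phone's own daily keys, never its contact log."""
        server.accept_diagnosis_keys([(d, self.key_for(d)) for d in days])

    def check_exposure(self, server: "DiagnosisKeyServer") -> bool:
        """Fetch published keys, re-derive their identifiers and match locally.

        The match result is known only to this phone; the server learns
        nothing about who was near whom.
        """
        for day, key in server.published_keys():
            for interval in range(INTERVALS_PER_DAY):
                if (day, rolling_identifier(key, day, interval)) in self.seen:
                    return True
        return False


class DiagnosisKeyServer:
    """Holds only the daily keys of users who chose to report a diagnosis."""

    def __init__(self) -> None:
        self._keys: list[tuple[int, bytes]] = []

    def accept_diagnosis_keys(self, keys: list[tuple[int, bytes]]) -> None:
        self._keys.extend(keys)

    def published_keys(self) -> list[tuple[int, bytes]]:
        return list(self._keys)


def simulate() -> dict:
    """Constructed scenario: Alice and Bob meet on day 3, Carol meets nobody,
    then Alice reports positive and uploads her keys for days 1 to 3."""
    server = DiagnosisKeyServer()
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day, interval = 3, 57
    # Bluetooth LE exchange: each phone records what the other one broadcast.
    bob.observe(day, alice.broadcast(day, interval))
    alice.observe(day, bob.broadcast(day, interval))
    carol.broadcast(day, interval)          # nobody nearby, so nothing is logged
    alice.report_positive(server, days=[1, 2, 3])
    return {
        "bob_exposed": bob.check_exposure(server),
        "carol_exposed": carol.check_exposure(server),
        "server_key_count": len(server.published_keys()),   # keys only, no contact graph
    }


if __name__ == "__main__":
    print(simulate())
```

Bob's phone raises an alert, Carol's does not, and the server ends up holding three keys and no record of who met whom; the centralised model the article contrasts this with would instead receive the contact log itself.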

The decentralised approach has been embraced by Germany, though this was a surprise; French authorities, however, have gone in the same direction as the UK is seemingly heading, the one which flies in the face of expert advice.

An open letter from cybersecurity specialists and other data scientists has slammed the centralised approach employed by France and, allegedly, the UK.

“All these applications in fact involve very significant risks with regard to respect for privacy and individual freedoms,” the letter states. “One of them is mass surveillance by private or public actors, against which the International Association for Research in Cryptology (IACR) committed itself through the Copenhagen resolution.

“This mass surveillance can be carried out by collecting the graph of interactions between individuals, the social graph. It can intervene at the level of operating systems (OS) of mobile phones. Not only OS producers could reconstruct the social graph, but also the State, more or less easily depending on the solutions proposed.”

The letter has been signed by hundreds of French cybersecurity experts from a range of academic institutions and private research organisations. Support for this position has also been pledged by hundreds of non-cybersecurity technologists. It is a very comprehensive list of academic experts all condemning the centralised approach as an unneeded risk and an action which undermines privacy principles.

Although the details of the NHS application have yet to be revealed, it does appear the team is heading down the same route as the French. The pursuit of simplicity and flexibility has been deemed more important than the grave warnings on security and privacy offered by experts in the field.

Hopefully the collection of data on centralised servers does not act as too much of a red flag to the hacker community, most of which do not need too many invitations to have a crack at stealing information which can be used for nefarious means. Aside from the risk to privacy, collecting millions of datasets of personal information in a single place could be viewed as somewhat of a treasure trove.

Unlike France, Germany decides to do smartphone contact tracing the Apple/Google way

Contact tracing via smartphone is a powerful way to tackle the spread of coronavirus, but it mustn’t be done at the expense of individual civil rights.

This is the dilemma at the core of all attempts to use mobile technology for epidemiological good around the world. Thankfully there is increasing consensus that a decentralized approach, which doesn’t involve tracking the location and movements of individuals, is the best way of balancing those interests.

Leadership on this matter has been shown by the two companies that own the platforms on which nearly all phones run: Google and Apple. A couple of weeks ago they got together to announce a joint effort in this regard and make it available to national governments. Not all of them liked the idea, however, with France demanding Apple loosen its privacy rules for some kind of EU spy app.

France probably hoped its senior partner at the top of the EU, Germany, would have backed its call. But the Germans have always been a more pragmatic bunch and, over the weekend, the German government announced it was abandoning the cunning plan unveiled by a bunch of Euro techies at the start of this month, in favour of a decentralised approach, effectively endorsing the Apple/Google method.

To what extent the German decision also contradicts recently-released EU guidelines on this sort of thing will be interesting to see, but it certainly seems to offer less state access and control over user data than the continental bureaucracy would have liked. In contrast it seems to buy into the concept put forward by the UK’s Oxford University, which maintains you don’t need to track location in order to do effective contact tracing.

That might seem counter-intuitive, but only if you think the purpose of such technology is to control the movements of people suspected of being infectious, the sort of thing repressive states like China would have no problem doing in order to lock people in their homes or whatever. The more democratic way is to make a voluntary app available for download, that uses Bluetooth to track other phones that have come near that one. Users of the app can then voluntarily announce their suspected infection in order for those they have been in contact with to be notified.

For example, that seems to be the sort of thing the Australian government has come up with in the form of an app called COVIDSafe. It was only made available yesterday and already has over a million downloads, showing you don’t need to force people to muck in to the collective effort. There have been concerns, however, about the fact that the source code for the app hasn’t been made available, but apparently it will be in due course and experts, on the whole, don’t seem worried.

In the absence of widespread testing, using technology to let people know when they have been in contact with anyone who has announced they are showing symptoms seems like one of the best ways to limit the spread of coronavirus in free countries. It’s great to see tech companies, governments and various experts arrive at a best-practice consensus so quickly and we look forward to a UK version of this kind of app being released ASAP.

Europe releases guidelines for building COVID-19 apps

The European Commission has unveiled guidelines for member states creating COVID-19 apps, in what is perhaps an attempt to prevent mission creep from private industry.

The document, which is available here, suggests the national health authorities take the leadership position in developing the applications, while another recommendation is to store data on devices wherever possible. Minimising data analysis, external storage and the role of private organisations are ways and means to maintain privacy principles but also reduce the risk of data breaches.

“This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic,” said Vice-President for Values and Transparency, Věra Jourová.

“Trust of Europeans will be key to success of the tracing mobile apps. Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional.”

Although the guidelines are relatively simple, such a tick-box exercise is critical to ensure the largest possible adoption rates. The apps will assist individuals irrespective of how many people install them; however, for the contact tracing features to be the most effective in slowing the spread of COVID-19, downloads would have to meet critical mass. Oxford University researchers suggest this would be at least 60% of the population.

If any of the apps being discussed are to reach 60% penetration, privacy and security fears would have to be addressed, while legislation would have to be introduced to ensure such tracking activities do not become the new normality and data is not retained after the crisis.

In brief, the guidelines are as follows:

  • Downloading the app should be voluntary not compulsory
  • National health services should own the project and be responsible as the Data Controller
  • Data minimisation principles should be applied
  • GDPR principles of right to deletion should be adhered to
  • Data should be stored on user devices wherever possible
  • Consent should be applied to each element of the application not a catch-all opt-in at the beginning
  • Rules should be introduced for the deletion of collected raw data and the subsequent insight

There are of course multiple other nuances and elements included in the 14-page document, though should the above guidelines be adhered to and the role of private industry limited, trust could be instilled in the apps. Irrespective of how elegant and sophisticated the apps are, the most important aspect is user adoption.

This is not the first time the world has faced a pandemic to this degree, but technology and insight are tools which we have never had at our disposal before. The contact tracing apps, to warn individuals of potential infection and educate on how to further prevent the spread, should be adopted by every nation. However, privacy and security concerns should not be ignored.

The technology and telecoms industry has a pretty poor record when it comes to privacy and security. Executives might point to policies and features to improve resilience, however these are almost always reactionary additions not proactive. Considering the sensitive nature of the data which is being discussed in relation to these apps, this is the time to be overly cautious in applying privacy and security principles.