Saturday, May 2, 2020

Contact Tracing Privacy Concerns and You

While many are challenging that mandatory stay-at-home orders which have been enacted in many states across the United States are unconstitutional and a violation of our right to assemble, an often overlooked issue is how "contact tracing", tracing who has been in contact with someone infected with COVID-19, is threatening our privacy.

Before diving into the privacy concerns with contact tracing, I'd like to take a moment to say that COVID-19 is absolutely a serious health issue which should not be ignored. People should take reasonable precautions to reduce the chance of infection. Personally, I've been wearing a respirator mask in public since the beginning, as well as frequently using hand sanitizer. I'm not downplaying how serious this situation is. However, I do have concerns that through all this we're losing our ability to freely travel, we're losing many small businesses which have been the lifeblood of our communities for decades, and we're losing our privacy. At some point a line must be drawn, and people must say "enough".

The fact of the matter is, just like with identity theft, you can only reduce the risk, you can't eliminate it. Between social distancing, masks, and frequent hand washing, we've already greatly reduced the risk of spreading infection at a rate which our healthcare system can't handle.

There's an App for That


While the Australian government has released a voluntary app which can be used to quickly identify those who have been exposed, it's much more likely that people in the United States won't so willingly install such an app.

However, what many don't realize is that your smartphone already contains location information, and all of this information is stored by either Google or Apple in the cloud.

Some companies such as Unacast have started leveraging location data and building maps and charts showing what parts of the country are staying home, and what parts aren't.  Even Google and Apple are making "anonymized" data available to determine how much people are moving around. Of course the flaw in all of this is that the data assumes that this travel isn't necessary. This makes rural regions look like they are far worse at staying home than urban regions, but a lot of that is because rural regions have much further to travel to get to the grocery store or other essential services. And yet, urban areas which appear to be more compliant are actually hit harder with COVID-19. Unfortunately with this push for open data, all it will take is one incorrectly formatted data export, or incorrect permissions setting, and everyone's personal data including home address and exact commute path to work could be compromised. This location data could then be used for identity theft, or even burglary.

The Problem with Contact Tracing


Unfortunately contact tracing has the potential to put innocent, healthy people in quarantine just because they were in the wrong place at the wrong time. Imagine going to the grocery store, then getting a knock on your door a few days later that you were at the store the same time as someone who tested positive, and now you're required to quarantine for 14 days. You may have taken every precaution including wearing a mask and washing/sanitizing your hands frequently. You may have never came into contact with this person, probably don't even know this person, but because you were at the store at the same time, you're now "under surveillance" because you could be infected. If you're still working, you will no longer be able to go to work - and the rest of your family will also be considered potentially affected so they can't work either! Terrifying.

With all the recent talk of "enhanced contact tracing", one of my first thoughts was that Apple and Google will use our GPS locations. Most consumers leave this location feature enabled for convenience, such as when they need to use their phone for navigation purposes. Of course GPS has its limitations, and won't work if your signal is blocked by a building even automobile roof.

Another potential avenue which is being explored is the usage of Bluetooth. This idea relies on bluetooth "beacons" to record other beacons they've been in contact with. While this eliminates the GPS signal issue, it assumes that just because your phone came in contact with someone else's beacon, that they could have been close enough to infect you. But considering most phones have a Bluetooth range of 33 feet (or possibly even more) this is not a very accurate measure either.

I get it - I know many companies are rushing to try and find a solve for this serious health issue. However, when people rush, they get sloppy. Many of these measures have the potential to do more harm than good by isolating people who are already stressed out, many of whom are barely getting by due to loss of employment.

Protecting Yourself from Your Phone


So how do you protect yourself from being a victim of haphazard contact tracing?

The obvious best choice is to leave your cell phone at home. Of course for most people that's not an option. The next best option is to disable location services and Bluetooth except for when you absolutely need them.

Disabling Location Services

By disabling location services, you're removing Google and Apple's ability to passively track where you've been. Your phone can still be actively tracked for 911 calls, but that isn't the type of tracking which will be used for contact tracing.

Apple: https://support.apple.com/en-us/HT207092
Android: https://support.google.com/accounts/answer/3467281?hl=en

Disabling Bluetooth

Disabling Bluetooth will prevent your phone from acting as a beacon to communicate with other phones in the area. This will prevent contact tracing apps from knowing who your phone came in proximity to.

Apple: https://support.apple.com/en-us/HT208086
Android: https://support.google.com/pixelphone/thread/4047383?hl=en

By implementing these steps, you'll be less likely to become a victim of "wrong place, wrong time" when it comes to contact tracing.  As an added bonus, your battery will last just a little bit longer.

Ken is a Cyber Security professional with over 10 years experience. He has written multiple books, including "Death by Identity Theft" and his latest upcoming book "Hacking of the Free". All opinions expressed in this post are his own, and do not reflect the opinions of his employer or clients.

Visit his website, and follow him on Facebook and Twitter.

2 comments:

  1. Do I have to do both on my android phone to stay out of this app business you describe? I keep location on, but my Bluetooth stays shut off permanently. Don't want the chance of being hacked! (As much as I can anyway.) Count me in on the number who will be DANGED I'm gonna download an app to trace me! Screw that! BUT...I leave my location on b/c I share my location with my one son, 24/7. We've talked often enough that you know why. If you don't and you're curious, hit me up! So that is too useful to me. I also know that they're going to share my info anyway...*sigh* So what more can I do, or is there nothing else?

    ReplyDelete
    Replies
    1. Unfortunately with your location services turned off, your son would be unable to view your location. This does not keep 911 from locating you in an emergency, however.

      Delete

Looking at X's Grok for Potential Cyber Threat Intelligence and Guidance

I'm playing around with X's Grok from a cybersecurity perspective, and I'm very impressed so far. Because Grok has real-time acc...