As a hacker for most of my life, I take a keen interest in technology, especially technology that is likely to impact my freedoms and the freedoms of people all over the world. Contact Tracing is incredibly important, but there are critical conversations we are missing that need to happen sooner rather than later. Without these conversations, we risk setting back advances in civil liberties by decades. Even worse, we could empower the enemies of free societies, such as dictators and authoritarian regimes, in ways that could result in mass genocide.

Contact Tracing is a key element to most country’s plans to re-open their economies. As they get control of the spread of the disease, being able to identify new clusters and swiftly contain them is critical to their success.Without a widely available vaccine, ignore new infections, whether from visitors or previously undetected carriers, and you end up right back at square one. Traditional methods of contact tracing haven’t evolved much in hundreds of years. You ask the patient where they have been and attempt to use detective skills to find every possible contact. It’s very labour intensive and not very accurate. Miss one handshake, or a quick stop to grab coffee and entire clusters slide through the net. This is aggravated by the fact that you are likely interviewing someone who is feverish and sick, who may be struggling to breathe.

It’s no surprise that in this world of big data, governments are increasingly turning to technology to fill in those gaps and come up with a more reliable method of tracing infections. Unfortunately, this means developing or leveraging existing surveillance tools. Want to know where someone has been? Surveillance was developed specifically for this purpose. Not all solutions have been created equal. Some countries are attempting to achieve this by working with existing surveillance infrastructure, from CCTV to mobile phone monitoring and even human intelligence (HUMINT). Almost all of these solutions have significant shortcomings, from an inability to see where there are no cameras to uneven technology distribution and areas of poor or no signal coverage. As for HUMINT, people are notoriously unreliable as witnesses and as a solution it is relegated to always being reactive, never realtime. However it’s not these flaws that keep me awake. I’l get into that in more detail later.

Other countries have spotted the flaws discussed above and realized that the best solution is one carried by the target and which is relatively independent of infrastructure to track interactions. This has led them to mobile phones. Nearly everyone has one, they are almost always switched on, and they support a wide range of protocols and wireless signals. In many ways the mobile phone is a gift for surveillance. This is why law enforcement has increasingly relied on devices like “Stingrays”, also known as IMSI catchers, because they track targets based on the IMSI, a type of mobile identity number transmitted by all phones. IMSIs are unique, actively transmitted and relatively easy to listen for passively. However, as a technology it too has flaws. First, you have to know your target’s IMSI and second you have to correlate it with other IMSIs in the area. Even then the correlation does not prove interaction. Just that two devices were in the same place at the same time.

To improve on IMSI catching, groups working on Contact Tracing realized they need a way to

  • Confirm interaction to a greater degree, including how close the targets were.
  • Identify how long that interaction was for.
  • Optionally confirm where this took place.

This has resulted in several reference designs, the two most prominent of which are the OpenSource BlueTrace technology that has been used to create apps like TraceTogether in Singapore and COVIDSafe in Australia, and the Exposure Notification framework being developed by Google and Apple in partnership. Both frameworks have clearly been designed with privacy in mind. They offer cryptographically secured data, rotating keys and rotating IDs to limit 3rd party tracking of users. Both are also currently heavily consent driven, requiring a user to consent to upload their encounter logs for analysis. The Google/Apple Exposure Notification framework offers some significant advantages over the BlueTrace design. Advantages like being a truly decentralized solution with key management taking place on the mobile devices and the lack of a central server storing keys and PII (mobile phone numbers). However, these aren’t really keeping me awake either.

What keeps me awake is two things.

First is the fact that in many countries we have suspended or bypassed traditional privacy legislation and oversight. Previously to track someone to this level you would have needed some form of official warrant likely backed up by substantial probably cause. While you could argue that the potential spread of a deadly infectious disease could amount to probable cause, it is the lack of process inherent in these systems that worries me. The challenge for policy makers is that these systems have to have as little friction and thus process as possible in order for them to work.

What we should be doing is talking about how these loopholes will be closed or managed once the pandemic has run its course. These technologies exist now and the precedent for using them also exists. Unless we build a cage around that use, we are setting ourselves up for a very slippery slope in years to come. Just what is the threshold that makes such close surveillance acceptable further down the line? Do we use it for the next pandemic? How about measles? The flu? Terrorist groups? What is the new process for taking this action and where is the oversight?

The second thing that keeps me awake is that we are building surveillance technology. As discussed above that’s because we have to, if we want this to be effective. Yet this has the potential of being one of the most powerful pieces of surveillance technology created in decades, if not in centuries. The actual implementations we know about have been designed well and are some of the most privacy-centric mobile designs I have seen in a long time. However, it’s not the design that gives me the most concern, it’s the use. The point is, they are surveillance tools designed to track who comes into contact with who, how long they were in contact, and who they came into contact with next. They do this really really well. This technology is like an IMSI Catcher/Stingray on steroids. You can identify a single person and watch almost virally as they connect with people to an almost infinite number of degrees of separation.

We have seen the power of Bluetooth-based tracking beacons in commercial use, from tracking shoppers, to helping with navigation inside buildings, and marketing. The detail you can get from this kind of tracking would shock most people. There are commercial Bluetooth tracking companies that drive around slurping up Bluetooth signals that can tell you where the owners of specific devices live, work, and shop. This new contact tracing technology represents the same risks to privacy and more – from just one person, you could identify every member of a terrorist cell, you could make it incredibly difficult for criminals to hide their associations, or track future diseases. These are all potentially good things. However, on the flip side, the same technology can be used to track innocent people, just to identify who they associate with, or dissidents and journalists as they interact with their sources.

So what do we need to do? Let me be absolutely clear as someone who studied biological sciences for a big chunk of his life, and as a technologist and a father – I believe that robust contact tracing is an important tool for us to develop and use in combating infectious diseases. Rapid, accurate identification of infected people would have prevented the extent and duration of the shutdowns we are now experiencing. With other more visibly symptomatic diseases, it could enable a quick, surgically efficient quarantine to be established and maintained. However, we need to talk about how it’s going to be used going forward. We need to discuss the processes involved in activating these technologies, especially when they become part of the very operating system of our phones. We need to discuss who gets to hold the keys and what oversight there will be for activation and use. We also need to talk about the risk of abuse and how we in more free societies will protect the less advantaged from that kind of abuse. Most of all, this needs to happen transparently and in a way that all concerned stakeholders, including the public can be part of this process.

There are ways that this technology can be managed responsibly. For example Apple and Google can reserve the right to deactivate this technology if it gets abused in any region. Likewise Apple and Google are US companies, so US lawmakers can play a significant role in developing appropriate oversight for this tool. However nothing will happen unless we all force this conversation and ensure that it happens soon.

As a kid I grew up with comic books, and am quite fond of the phrase – “With great power comes great responsibility.”. As a hacker I grew to believe that knowledge and information is power. What we have here is something that intersects both these principles.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

About Marc Rogers

Marc has been a hacker since the 80's and has worked in the security industry for almost 20 years. Some of Marc's professional highlights include a decade managing security in the operator Vodafone plc, and 5 years as working as the CSO for a real estate and asset management conglomerate in South Korea. Known as "Cyberjunky", "Cjunky" or just "CJ" in the hacker community Marc is the Head of Security and part of the CFP review board for DEF CON, the worlds largest hacker conference. After spending more than 15 years wrangling hackers, criminals and spooks Marc has seen it all. Sometimes several times at once. Professionally Marc uses his skills as a whitehat hacker and security evangelist to bring a positive outlook on security to today's global organizations. It's this outlook that Marc used when he helped put together the award winning BBC series "The Real Hustle". Today Marc works as the Principal Security Researcher for Lookout Mobile Security.

Category

Uncategorized