As a world afflicted by the coronavirus pandemic begins to re-open restaurants, retail stores and more, public-health officials remain concerned about the spread of the virus. Technology for contact-tracing apps, intended to help citizens trace whether they were exposed to someone who has tested positive for the virus, has been created by countries like the U.K. and Italy, U.S. states (like Utah) and by tech giants like Apple and Google.
But behind the public-health benefits of contact tracing are privacy worries, technology issues like interoperability, and other challenges. Threatpost discusses the benefits (and the challenges) of contact-tracing apps with Steve Moore, chief security strategist at Exabeam.
Below find a lightly edited transcript of the podcast.
Lindsey O'Donnell Welch: Hi all, welcome back to the Threatpost podcast. You've got Lindsey O'Donnell Welch with Threatpost here today. And we're going to be discussing contact-tracing apps; what they are, why they're all over the news recently, and what kind of privacy and security issues many have that people are now talking about. So joining us today is Steve Moore, vice president and chief security strategist at Exabeam. Steve, thanks so much for joining.
Steve Moore: Yeah. Thanks for having me, Lindsey.
LO: Yeah, so, I'm sure Steve you have also been dealing with this, but coronavirus right now continues to be a topic worldwide, even as more U.S. states are opening up. And I know here in Boston, they just started opening up restaurants. But concerns are really still circulating around the virus. And the top question remains, how can we track coronavirus and really flatten the curve? And so with all that said, there's been a ton of buzz around contact-tracing apps over the past few months. So the idea with contact tracing is to create a type of technology that helps citizens track whether they've been exposed to someone else who has tested positive for the virus. And you know, the tech can vary. A few places have apps being rolled out. And Singapore recently revealed that they're developing a wearable. And then, you know, in Google and Apple's case, there was an API that public health agencies can integrate into their own mobile apps. So Steve, let's just start with the big question here: Would you use a contact tracing app and why or why not?
SM: Yeah, I think the first thing is maybe a clear definition for everyone on the difference between contact tracing and exposure notification. And really what we're talking about, even though we've picked up kind of contact tracing as the term, we're really talking about exposure notification. Contact tracing is something still done by people in lab coats, and you know, something that you might see maybe in the movies, and it can be supported by exposure notifications, like an app on the phone. Would I use it? I believe I would from an academic standpoint, I think that it would be interesting to explore. I've spent some time looking into it. There are some concerns that some have. My bigger issue is, not what the app is, but what it is not, for me, and I'll stop there. But the short answer is yes. I don't have an issue. I would want to know how the app was built, though, being a security person. That would be one of my concerns.
LO: Yeah. And that's a really good point to bring up about, you know, how it's built and the framework it's being built on and what kind of technology is being involved. And I think at this point, what is really hard to gauge is there's so many different types of technologies and different types of apps. Some are using Bluetooth technology, some are relying on GPS, some are going about it in a decentralized approach. And I just think that there's so many different types of technologies that are going into this, it's hard to really determine what's going to work and what really isn't going to achieve those functionalities.
SM: Yeah, first off, I'll give great credit to Google and Apple coming together to kind of build this framework that's a decentralized framework. And I think they did it all for the right reasons. I do think that their model is probably the best for, not only is it open, right, you can sort of review much of their documentation. But it's also decentralized and there's this anonymous beacon that's used. It collects a little less information than many of the centralized models. It does not rely on cell phone triangulation or GPS, which has its pros and cons. And so you quickly look at all what you mentioned and there becomes these feature decisions – and almost a choice has to be made – it's not a religious choice, but it's along the lines of, well, what's enough or what's right. And the answer is there is no right or wrong.
But I think that the decentralized version is probably the best. If you look at the adoption of it across the world, about, I'd say, I think 50 percent or so are utilizing it, where others are sort of rolling their own outside of the Google-Apple framework. So many governments, many countries are sort of torn about which is better. And I think the answer is it just depends. It depends on the goal in mind. But I really applaud, I like what I've seen out of Google and Apple with their API. That's sort of the foundation, as we'll call it.
LO: Yeah, I remember when they came out with that, at first, I think it was about a month and a half ago, I was really impressed with how they kind of were two big competing tech firms coming together to develop this. I think that really goes to show just how big of an issue coronavirus is and how much of an impact that the tech space feels as though that they have with this. But when you say decentralized, can you talk a little bit more about what decentralized versus adopting a more centralized data approach means and what that means for users of contact tracing apps?
SM: Yeah. So what the way it would work is, with this decentralized model is, for the most part, all the information sort of stays on your phone, or is designed to sort of be with you. And then as you go about your day, you would install an app, you opt in to sort of utilize it. As you go about your day you exchange these beacons, right. So you think about Bluetooth and its effective range. So as we maybe pass each other on the street that probably wouldn't generate an exchanged, logged beacon. But if we were at a pub together and sat next to one another for, more than, let's say 10 minutes, those beacons would register an exchange. So I would have your anonymous beacon and you'd have mine. And then this list then sort of grows and changes. Typically in a 14 day window, because that's sort of this incubation window. And so what would happen then is if one of us falls, we would report that. And as part of that, it would get uploaded, and then pushed back down to others. And if there's a match, as you get to sort of list, this sort of loading and matching... you'd get notified, right? So it's all anonymous. So it's a very clean way to do things. I think it's sort of the right way to do it. So there's this reconciliation that says, oh, I've got a match. And then you know that you've been in contact with somebody who has now fallen ill. Now I'll stop there, because there's issues, both medically and technically, but I still believe that for what it is, it's probably the best model.
LO: And I think that preservation of users being anonymous, so not having any personal identifiers, like phone numbers or names or IDs, I think that's really important from a privacy perspective, to make sure that personal data isn't being compromised.
I wanted to ask too, it seems to me like there are so many different types of technologies. So there's Apple and Google's framework that they had come out with, there is Decentralized Privacy Preserving Proximity Tracing, it's an open-source framework that's based on a decentralized approach that had come out earlier. And then also, the Singapore government has backed an open framework which they have based their TraceTogether app as well as Australia has based COVIDSafe, their contact-tracing app on as well. And that uses Bluetooth contact tracing and adopts more of a centralized data approach. So you have those, you have different U.S. states like Alabama, North Dakota, South Dakota, coming out with apps that are using Apple and Google's contact tracing tech. And then you have Utah who says they have their own app that they're rolling out.
I mean, do you think that there is going to be some sort of issue where different people are going to be using all these different types of apps and technologies that are popping up and that's going to create kind of a challenge in the basic functionalities behind these?
SM: It will show you there's a lot here and that question. My fear, I'm jumping way out into the future, is that in the future, maybe in the near future, we will be required to keep a digital wallet of some kind or at least documentation on our let's say vaccinations. Let's say there's a vaccination for this in a year. And in order to travel, you need to have your vaccination papers much like you would today for many types of illness. But you have this union between these tracing apps or exposure notification apps and in this other variable, my fear is that we're going to need to show that. So it's going to be have you been tested? Have you had an exposure in the last 14 days? Do you have your vaccine? And my fear is that now we're going to need to use data. So somebody may say something as simple as say, "look, in order to gain access to this private company, like in order to return to work, you have to show that you have not been exposed in the last 14 days and that you've had your app installed, and it's been with you the entire time." That's my kind of fear. And even in some circles, private discussion groups that I'm a part of, some are talking about the union between physical security and cyber security, and then how does this play a role into the return to work. So what does the output of an exposure notification app, is that going to be an element that gets checked at the door, programmatically or physically, and logged? Right? And so your question, stepping back a little bit, if you want to travel, are you going to need to install multiple apps? Are you going to need to re-enter your data? Is there going to be the need between multiple countries to share? Australia and New Zealand are talking about sharing the same app, in fact they have. And then, is there a tie in there? And then what about the third country that gets added? So how are we going to reconcile all this data, is a big issue to me. And the other is just the waste. You mentioned Utah.
You know, they bought that app. It's a centralized model, it's almost $3 million and $300,000 a month to maintain. But the reports I've seen is that only 1.4 percent of the people have even downloaded it. We're not talking about using it, we're talking about just downloading it. So that's a, 1.4, 1.5 percent, you have to start thinking like, what's our ability then to make this effective. You've got to have adoption, you've got to have confidence in the app and you've got to have widespread access to testing, both for antibody and for the virus. If you don't have all three of those, I think you're sort of fooling yourself if you don't have the three.
LO: Right, and I think that brings up a really good point as well about, you know, whether these contact tracing apps are opt in or voluntary versus mandatory, and in order for many of them to work, I'm sure that it would make it more effective if it was mandatory, but then that opens up a whole can of data privacy concerns about, you know, government overreach and the continued ability to track people and collect personal data, even after the pandemic, as well as kind of lack of user consent and data being misused. So I think it's kind of a catch 22 there.
SM: Absolutely. You know, right now, we're still seeing pretty low participation. I think, there's a master list of country level adoption, I think Iceland actually wins the prize, they win the gold right now about a little under 40 percent participation, or download I should say. Is there a point where a government does make it mandatory where they say, you must have this installed, and it must be with you. You know, I don't know that we've seen that yet. But I could certainly see a private company saying, look, you need to have this app installed, and it's part of your obligation to the company, to your employment, I could absolutely see that in some places of the world to say and, and at that point, it could be a company made, you know, their own app, that then tracks – which is extremely interesting – because there's both a potential privacy invasion, but it could be, you know, there are some organizations talking about, you know, you're gonna have a shift schedule where I'm in on Mondays and you're in on Tuesdays, but we're both not in on the same day. Or, let's make sure that Steve stays far enough apart from everyone else. And so, you know, are we spacing our employees out? You can get data like that from an app that's sort of related to this, that's sort of the spacing and making sure that your workflow, so even collecting something like wireless beacons from inside a building, there's companies that are making one way hallways now and use every other cube, so you start getting the creative mind can also be one that invades some pretty high degree of privacy as well. So I think, maybe not for COVID, but maybe for the next problem that we have that's like this, I think that it will become more pervasive.
LO: Yeah, I think that that is a really good point about company utilization of this, and that's a whole other kind of issue, is how will the workplace be, going back to the workplace once companies start moving back from remote work to more in office work. Should be really interesting to see if contact tracing has any sort of impact at that point. I'm curious too, do we have any data at this point, whether there is any sort of success that is tied to contact-tracing apps? Or is it kind of too soon at this point, in terms of lack of users who are signing up for apps or just that it's only been a few months and some of these apps have been rolled out? Or they're still in development?
SM: Yeah, I was actually looking for the good news on this, and I haven't yet seen it, I'm sure it exists. And to be very clear, if you look at Apple and Google, they're talking about integrating this. So right now, it's a platform on which you build other apps, they're talking about making this native to the phone. I do think that this is something that will have success stories. And I personally, when we started the show, you know, I intend to utilize that, I would like to know if I've been exposed. I do think, though, that people may have sort of alert fatigue on this because even somebody with nefarious goals in mind to say, hey, I want to just stir up trouble. What if they self report that they've been infected, and they intentionally go to a packed bar, or they go into a sporting event, or they go into a company function on purpose, there's sort of these outlets that we may sadly hear about sort of negative stories that are sort of these annoyance type scenarios. You know, there was the guy you probably heard about that put a wagon, you know, the little red wagons that you see the kids have, and filled it full of cell phones and took it down an empty street in the middle of the desert and created a traffic jam on purpose.
LO: Right. Yeah.
SM: So, you know, in the same kind of thing can happen here. But in terms of good news I hope that there's good stories. I don't have any to share. I wish I did. I'd be a better guest if I did.
LO: Well, I think it's so kind of difficult to gauge with all the data that's out there right now. Looking ahead, what do you see as being the future of contact tracing apps? Do you think that they'll gain more traction? It seems like you have a cautiously optimistic view of them. Is that correct?
SM: I do. I think that if you begin to look at the future of health and more importantly wellness, you mentioned wearables earlier, coronavirus is a little more difficult because you can – it doesn't always spread the way we think it will it – you can be asymptomatic and still be a spreader. It takes time before you start to feel the effects. But that's not the case everywhere. If you look at wearables, you look at the technology that we have, you look at things like the Apple Watch. That is the future where we're pulling in telemetry from folks and both as an individual and as a tribe of humans. I think that there will be great gains in this of how to trace and track down doing true contact tracing with technology rather than just exposure notification. I think there will be great gains, but again, we'll still be talking about privacy and security concerns. The concern I have right now is that, there's all of these independent build outs, you know, think of the waste, and the errors that can occur, especially when you're in a hurry building a mobile app. That's where the problem will come from. But to your core question, I am optimistic, cautiously so, but I think that we're going to see some amazing things related to this for the health and wellness of the world in the future.
LO: Well, Steve, thank you so much for joining us today to talk about contact-tracing apps and the challenges and, on the flip side, the benefits of these apps as they're being rolled out.
SM: Yeah. You're very welcome. I enjoyed being here. Thank you so much.
LO: To all of our Threatpost listeners, thank you so much for tuning in with myself and Steve Moore with Exabeam today. Let us know if you would use contact-tracing apps and what concerns you may have about these applications. Give us a shout out on Twitter at our page @Threatpost, and catch us next week on the Threatpost podcast.
Also, check out our podcast microsite, where we go beyond the headlines on the latest news.