With the potential of employees going back into the workplace on the horizon, chief information security officers (CISOs) are mulling applications that utilize exposure notifications in order to track COVID-19’s spread in the office.
Steve Moore, chief security strategist with Exabeam, said he is already hearing from CISOs who have been looking at these types of applications. However, with data privacy issues and HIPPA laws tangled up in COVID-19 contact-tracing technology, workplaces looking to institute these exposure notification applications face a slew of challenges. On top of that, people don’t trust contact-tracing apps in general, as seen in the low adoption rates of various applications worldwide.
In this week’s Threatpost podcast, senior editor Lindsey Welch talks with Moore about the data privacy challenges posed by impending exposure notification implementations in the workplace.
Listen to this week’s Threatpost podcast episode, below, or download direct here.
Below is a lightly edited transcript of this week’s podcast episode.
Lindsey Welch: Welcome back to another episode of the Threatpost Podcast. This is Lindsey Welch, senior editor with Threatpost. And our topic today is the security and privacy implications of COVID-19 contact tracing apps. These are intended to help citizens trace whether they were exposed someone who has tested positive for the virus, and they’ve been created by countries like the UK and Italy and also different states across the US and by tech giants. So I’m joined today by Steve Moore. Steve is the chief security strategist at Exabeam. Steve, thanks so much for joining me today.
Steve Moore: Thank you for having me again.
Lindsey:Yes, yeah. Well, we talked previously on the Threatpost podcast about this same topic. And the last time we talked over the summer, you know, this technology, this contact-tracing tech was just emerging. So that really feels like forever ago, right?
Steve: That it does.
Lindsey: Yeah. And so we’re in full swing with the pandemic right now. And, you know, cases are still surging, but we do kind of have that light at the end of the tunnel in that vaccines are becoming available. And so I think just to start, let’s talk about where contact-tracing apps are now, as opposed to when we previously talked. Steve, what have you seen that’s changed or been updated over the past few months with this particular technology?
Steve: Well, sadly, the participation with, within, the adoption of it really all over the place. And so in the States, it’s kind of all over the place – you’ve got individual states kind of rolling their own, you have this mixed, or limited, participation. And it’s, I’ll tell you, even if you step out of COVID, I think the ability to do exposure notification in 2021 is an important thing. Obviously, privacy is important. But being able to understand if you’ve been exposed to something bad, whether it’s COVID-19, or something else, I think, is a necessary capability. I talked about capabilities all the time for security operation centers, this is a necessary capability for a society, for one that intends to respond to the problems we’re likely to see in the future. So as it stands, it’s very low participation, specifically in the states. Very low efficacy. But in other places of the world, we’re seeing a much higher bit of adoption, and sometimes that’s forced. But it kind of even varies culturally.
Lindsey: Right, that’s a good point about how that is differing across different countries, whether it’s in different states within the U.S., or maybe it’s offered as an app in a different country, or maybe it’s even offered as something mandatory in some places. And I think, also, what’s interesting here, too, is kind of the differences between different contact-tracing apps and the technology behind them and how they’re being offered and distributed and kind of how the data is being collected. I just feel like there’s so much there. You know, what do you think the challenges are behind kind of the participation levels, that we’re seeing that in, that have kind of been pretty low, since this first rolled out at the beginning of the year?
Steve: People have to believe that it’s going to help them or help someone else, more than they are concerned about any negative outcome that may sort of visit them, right. And so there are some that may or may not subscribe, they may not believe that this is a real issue. They may not want to participate due to privacy concerns. You know, the concern for most individuals is that they’ll get tracked or they’ll lose out on some bit of privacy as a result of this, that they’ll be sort of exposed in some way that they don’t like. They may or may not trust their government, they may not believe that it’s worth their time to share and participate. And so there’s a, I think, the higher level of individualism you see – in a country – the probably the lower amount of participation is sort of my you know, my napkin, school of thought scribble there. I do think though, back to my earlier statement, the concern is that they’ve got to trust the program. They’ve got to trust the security of the information. And I don’t know that that’s been, that people have necessarily felt that that level of assurance, I will say that the sort of the Google-Apple program, the way it works using Bluetooth, the way they use the sort of the paired information that gets saved, it’s very safe. And what I’ll say also, is anyone questioning the participation in something like that, they’re giving away way more information to other applications that they have installed, and their cell phone carrier and their email client, than they will ever lose from installing an exposure notification app or opting into it. 1,000-to-1 greater risk than exposure notification, you’re already giving all that information or it’s already available. That exposure notification app is probably one of the safest and least intrusive things you can participate in if someone were asking me advice, and listening to your show.
Lindsey: That’s a really good point. And it kind of brings to mind, you know, what is it about contact-tracing apps that makes, you know, you potential users or just people in general, so wary of, of these apps versus Snapchat or TikTok or whatnot, in terms of the data that’s being collected, or how it’s being stored, or how it’s being used, potentially by the government. I think that’s definitely worth thinking about, in terms of kind of what it means for future utilization and types of applications for this type of technology. So that is a really good point. And, you know, to your point about privacy as well. I do think there is that fear about government collection of data in particular. And I know, in early January, that Singapore’s government recently acknowledged that data collected by its widely-used contact-tracing program could be turned over to police for criminal investigations, for example. So I think this more recently bubbled up that concern, again, in terms of the data privacy issues that might crop up there, versus the necessity of this type of app for tracking COVID.
Steve: Yeah, absolutely. And I think part of the issue is, is that people don’t realize how much of their information is already being collected. So forget about contact tracing for a moment. They don’t even think about, you know, I don’t want to name any organizations, but the things that are likely installed on your phone are collecting an enormous amount of information, typically, for marketing purposes, but there’s also government access that’s given in certain circumstances. And some of it’s being collected just all the time. And most, at least, Americans are sort of ignorant to that fact, where they just don’t care, you know, they’re the almost opt in to that. And so, it’s a bit of education. And it’s a bit of sort of myth busting that we all need to do on this. You know, if you just think about the data that’s linked to you, and you use common chat clients alone, it’s massive. And so you mentioned Singapore earlier, and this is not unlike any other government, you know, they have something there known as the Criminal Procedure Code. And effectively, what it says is, if law enforcement is trying to solve a problem, they have access to whatever’s needed. That includes cell phone information, that includes, you know, sort of Geo-IP information. And so the statement that was made is effectively saying that ‘look, if we need to use it, we can’ and that goes a little bit against the initial message that ‘hey, this is all private, no one else is using this.’ And so that’s the big twist. The other thing I’ll say is, you know, the, the law enforcement officers have been helping identify kind of on the ground, people that may have been exposed. So they’ve been arm in arm with the Singaporean response, which has been managed very well, to try to help keep people safe. And so even to the point that they’ve been reviewing CCTV footage and sort of trying to find, identify people that may have been in contact, and so they’ve been involved in a positive way. And the statement was, and I don’t have proof that it’s been used, I don’t know that anybody does, but that if they need to use it, they could. And then what happened is there sort of this PR person problem that happens as a result of that where, you know, then the TraceTogether team has to sort of reassess and give reassurance to everyone. You know, and that’s a tough spot to be. And so it’s, again, I think the issue where we’re driving toward is this is important. But in the breadth of all the things we need to solve and privacy and security, this is at the long end of tail. And I mean, that professionally and from my heart.
Lindsey: That’s a really good point. And, you know, going even beyond kind of that concern that we’re talking about regarding government data collection, and government surveillance, and whatnot. And I think it’s important too mention to some of these future possibilities around the workplace and individual companies. You know, as I mentioned, before the vaccine is here, it’s on its way, that’s great news. But what this also could indicate is that we’ll very soon see office buildings begin to slowly open up. And I know, there’s been a lot of speculation about contact-tracing apps potentially being utilized by workplaces or even being mandatory in some office spaces. What are your thoughts on that, as it again, concerns data privacy, slash what this means, in general, for kind of technology in the workplace?
Steve: Yeah, I’ll try to keep this as tight as I can. There was recently a stimulus bill; within that stimulus bill and early versions, there were supposed to have been liability protections for employers, universities, hospitals, that didn’t make it in. And so now there’s this onus that will be placed on universities, hospitals, individual businesses, around if somebody gets sick, is the corporation or the entity liable right? There’s a big twist there. And so as a product of that, companies will need to add their own capabilities are rounding exposure notification, and vaccination status. It will be enforced, if not by lawyers, it will be enforced by some sort of regulatory need, or customer demand, or, you know, you can think of all sorts of scenarios.
That means the creation of two things, one, some sort of accessible vaccination wallet, electronic wallet of some type. And it also means organizations will have to maybe even roll their own capabilities around exposure notification. I typically don’t mention stuff like this, I won’t say who is doing this. But even one of the platforms that we provide to the market – think of it as a SIM platform – We have people asking us to help with that. And we’ve succeeded in helping with them. Think of physical access, badge access, wireless access, you know, all these sorts of building access type things that you can use to say, okay, who was in the building at what time, who has been exposed, these are demands that we’re seeing the market asked for that CISOs are having to bear the burden for. And so it affects travel, I spoke with a leading CISO in the airline industry, that CISO is having to work on this problem from a vaccination status. So there’s all sorts of new demand on the CISO. So there’s possible litigation at the feet of employers, if they go back, and they’re sort of needed outcome around exposure notification, and this sort of vaccination status, a wallet need and where that goes, I don’t know. But it is here and it will be needed going into 2021 and throughout, and I think it’s going to be something that we’re going to have a national digital wallet that goes along with your sort of your passport status and TSA status and that kind of thing. I believe that.
Lindsey: So this is something that he says are already kind of currently mulling over or developing plans about in terms of, you know, what it means for their company, is that what you’re seeing?
Steve: Absolutely. They’ve been discussing this since early days and building capabilities or rebuilding their own capability or sort of repurposing an existing capability to support this. No question. And so this is going to be part of our new world. I’m seeing it now.
Lindsey: That’s crazy to think about, you know, just beyond being in theory, what could that mean for employees? How would this kind of play out? I know you mentioned some sort of wallet like, would this be something that would need to go on as a mobile app on the phone? Or more, as you mentioned, like more of a badge?
Steve: Yeah, I think it could play out several different ways, it would certainly be in many ways. Let’s start with vaccination status. Think of someone in the service industry, think of an airline, think of a hotel. You know, they may mandate that certain people need to be vaccinated, or at least they need to know the status. Or they may say before you can travel, and travel, but they wouldn’t let you get on a plane without your passport. If you’re flying overseas, and you’re going to go to Switzerland, and you don’t have your passport, they’re not going to let you on a plane in New Jersey, Switzerland may say, Look, I’m also not going to let them in if you’ve not been vaccinated. So now who owns that burden? In part, it needs to be owned by the airline. In a minimum in a way they can access that information. If you’re thinking of another direction, maybe you own a big company, and you have a data center, or you have an HVAC system, you may say, look, all of my third parties that help run my company, my contractors, all of them must be vaccinated, or all of them must participate in our exposure notification program, or you can’t work here. And so you have these needs, or you may again, have another third party that works there and say, “Hey, I’m not going to continue doing business, I’m not going to come fix your computers in your data center. Unless I know that you have a known good state in your environment. And so I demand in my contract that that be included.” And so you get this very sort of sticky situation. And as part of that you have to prove, okay, you say you’ll do that, how are you going to do it programmatically? And so, you’re going to see attributes on badging systems that say, “Hey, you know what’s your status,” they’re going to be linking your behavior, and your access to certain areas of a building. And so they can know who has been in close contact. And I think you’re going to see back that this wallet, it could be a modification to HR systems, or it could be a mobile app, depending on you know, how the workforce kind of manages itself. But again, now you’re collecting HIPPA covered information, which is a whole sort of long list of things you have to do to protect it. So that’s sort of, again, more sort of burden on the security teams and IT teams. So it’s an interesting thought experiment. But it’s not going to be a fun one to fix.
Lindsey: Right. Right. I was about to say, I can definitely see some challenges there for the rollout. You know, even I’m sure, obviously, this is going to be kind of a boon for large corporations, but even just, you know, SMBs, that might not have kind of the budget there to handle that. I’m very curious how this will play out and kind of real world situations.
Steve: Well, yeah, absolutely. And think of it just in a simpler sense. What if all of this is just too much? What if an individual is says, “look, you know, what, I’ve been a loyal employee. This is too much for me to handle, you don’t need to know what my vaccination status is, I’m just going to work from home, it doesn’t matter anymore. I’m not coming into your office.” You know, what does that mean for the employer? And the employee? Is that means to terminate employment? Is there a way, you know, does this increased even more than the virtual nature of our work for many of us today? What if somebody doesn’t believe in vaccinations, but some contract says everybody in the building must be? There’s a lot of social implications to this as well. It’s a tough one.
Lindsey: That’s a really good point about the relationship between employers and employees. And, you know, what this means in terms of giving up valuable data and, you know, you mentioned HIPPA before, that’s something that’s important to kind of think about there. And, you know, I just think that already the workplace has shifted so much over the past year, you know, the remote work and everything else. I think this might be potentially for some employees enough to potentially push them over the edge. So, I do think that’s a good point.
Steve: Yeah, and I think the silver lining is that maybe this has taught us stepping out of security for a moment. And just thinking about us being humans across the world. Many of us spent a lot of our day traveling into work and driving back home or flying home, maybe we realized that we can do some of our work, or maybe all of our work virtually, maybe it means we get an extra hour or two at home with our, with our family and our pets, right. Maybe there’s this, despite all of this concern, and extra work, maybe there’s also some silver lining that some of us will get to experience as well. And so I don’t mean to present it as all doom and gloom, I think all of what we talked about today, both in the vaccination, and the exposure notification, is a capability that we need to think about, that’s necessary to do to begin to do commerce again. But some people may willingly opt out of all of that, and just say, “I’m going to go live in the woods, and I’ll, you know, get a an internet line, and I’ll do my work from there.”
Lindsey: I won’t lie, I’ve been tempted to do that.
Steve: I will say that the overworked security team is going to have more work to do with this though, we’re seeing people having to create content, and reports out of their security tools out of their SIM and security platform tools and to help boost, sort of the efforts around all of this. And you know, it’s a good opportunity, but it’s also more work.
Lindsey: Steve, before we wrap up, I wanted to ask anything else you wanted to mention, regarding exposure notifications, or contact-tracing apps or anything we should kind of be looking out for any trends that you are seeing in this area?
Steve: You know, I think that it’s that there has to be a strong message at a state level or federal level, especially here in the States, if we want to see any kind of real adoption of it, I think that we need to do a better job of explaining that there really is very little of a privacy problem. And if the data is being used, you’re in much bigger trouble anyway. I don’t believe in overuse of access of personal information. But I think this is part of a mature society to participate in that. I do think one thing to look for, and I’ll be curious to see where it goes, is will private organizations request access, or demand that you notify them if you’ve been exposed?
So will that be a condition of employment or some element there, does that data gets shared with them as an element of employment status? And then how does that affect things like onboarding and offboarding, which again, many CISOs have to manage and HR teams, etc. So that’s kind of what I’m waiting to see. I don’t have a crystal ball on that, though. But that’ll be curious to see where that goes.
Lindsey: Right. Yeah, I’m very curious kind of how that will play out. And you know, even the coming months, and particularly as workplaces do start to think about bringing employees back into the office. So definitely a critical point there. So, Steve, thanks so much for coming on to the Threatpost podcast today.
Steve: Thank you for having me. I appreciate it.
Lindsey: Great. And to all our listeners. Once again, this is Lindsey Welch joined today by Steve Moore. And thank you for listening in to the podcast.
Want more in-depth security interviews and infosec insights? Check out our podcast microsite, where we go beyond the headlines on the latest news.