As a world afflicted by the coronavirus pandemic begins to re-open restaurants, retail stores and more, public-health officials remain concerned about the spread of the virus. Contact-tracing apps, intended to help people learn whether they were exposed to someone who has tested positive for the virus, have been created by countries such as the U.K. and Italy and by U.S. states such as Utah, while Apple and Google have built the API that public-health agencies can build such apps on.
But behind the public-health benefits of contact tracing are privacy worries, technology issues such as interoperability, and other challenges. Threatpost discusses the benefits (and the challenges) of contact-tracing apps with Steve Moore, chief security strategist at Exabeam.
Below is a lightly edited transcript of the podcast.
Lindsey O’Donnell Welch: Hi all, welcome back to the Threatpost podcast. You’ve got Lindsey O’Donnell Welch with Threatpost here today. And we’re going to be discussing contact-tracing apps; what they are, why they’re all over the news recently, and what kind of privacy and security issues many have that people are now talking about. So joining us today is Steve Moore, vice president and chief security strategist at Exabeam. Steve, thanks so much for joining.
Steve Moore: Yeah. Thanks for having me, Lindsey.
LO: Yeah, so, I’m sure, Steve, you have also been dealing with this, but coronavirus right now continues to be a topic worldwide, even as more U.S. states are opening up. And I know here in Boston, they just started opening up restaurants. But concerns are really still circulating around the virus. And the top question remains, how can we track coronavirus and really flatten the curve? And so with all that said, there’s been a ton of buzz around contact-tracing apps over the past few months. So the idea with contact tracing is to create a type of technology that helps citizens track whether they’ve been exposed to someone else who has tested positive for the virus. And you know, the tech can vary. A few places have apps being rolled out. And Singapore recently revealed that they’re developing a wearable. And then, you know, in Google and Apple’s case, there was an API that public health agencies can integrate into their own mobile apps. So Steve, let’s just start with the big question here: Would you use a contact-tracing app, and why or why not?
SM: Yeah, I think the first thing is maybe a clear definition for everyone on the difference between contact tracing and exposure notification. And really what we’re talking about, even though we’ve picked up kind of contact tracing as the term, we’re really talking about exposure notification. Contact tracing is something still done by people in lab coats, and you know, something that you might see maybe in the movies, and it can be supported by exposure notifications, like an app on the phone. Would I use it? I believe I would from an academic standpoint, I think that it would be interesting to explore. I’ve spent some time looking into it. There are some concerns that some have. My bigger issue is, not what the app is, but what it is not, for me, and I’ll stop there. But the short answer is yes. I don’t have an issue. I would want to know how the app was built, though, being a security person. That would be one of my concerns.
LO: Yeah. And that’s a really good point to bring up about, you know, how it’s built and the framework it’s being built on and what kind of technology is being involved. And I think at this point, what is really hard to gauge is there are so many different types of technologies and different types of apps. Some are using Bluetooth technology, some are relying on GPS, some are going about it in a decentralized approach. And I just think that there are so many different types of technologies that are going into this, it’s hard to really determine what’s going to work and what really isn’t going to achieve those functionalities.
SM: Yeah, first off, I’ll give great credit to Google and Apple coming together to kind of build this framework that’s a decentralized framework. And I think they did it all for the right reasons. I do think that their model is probably the best: not only is it open, right, you can sort of review much of their documentation, but it’s also decentralized and there’s this anonymous beacon that’s used. It collects a little less information than many of the centralized models. It does not rely on cell phone triangulation or GPS, which has its pros and cons. And so you quickly look at all of what you mentioned and there become these feature decisions – and almost a choice has to be made – it’s not a religious choice, but it’s along the lines of, well, what’s enough or what’s right. And the answer is there is no right or wrong.
But I think that the decentralized version is probably the best. If you look at the adoption of it across the world, about, I’d say, I think 50 percent or so are utilizing it, where others are sort of rolling their own outside of the Google-Apple framework. So many governments, many countries are sort of torn about which is better. And I think the answer is it just depends. It depends on the goal in mind. But I really applaud, I like what I’ve seen out of Google and Apple with their API. That’s sort of the foundation, as we’ll call it.
LO: Yeah, I remember when they came out with that, at first, I think it was about a month and a half ago, I was really impressed with how two big competing tech firms came together to develop this. I think that really goes to show just how big of an issue coronavirus is and how much of an impact the tech space feels it has with this. But when you say decentralized, can you talk a little bit more about what decentralized versus adopting a more centralized data approach means, and what that means for users of contact-tracing apps?
SM: Yeah. So the way it would work is, with this decentralized model, for the most part, all the information sort of stays on your phone, or is designed to sort of be with you. And then as you go about your day, you would install an app, you opt in to sort of utilize it. As you go about your day you exchange these beacons, right. So you think about Bluetooth and its effective range. So as we maybe pass each other on the street, that probably wouldn’t generate an exchanged, logged beacon. But if we were at a pub together and sat next to one another for more than, let’s say, 10 minutes, those beacons would register an exchange. So I would have your anonymous beacon and you’d have mine. And then this list then sort of grows and changes. Typically in a 14-day window, because that’s sort of this incubation window. And so what would happen then is if one of us falls ill, we would report that. And as part of that, it would get uploaded, and then pushed back down to others. And if there’s a match, as you get to sort of list, this sort of loading and matching… you’d get notified, right? So it’s all anonymous. So it’s a very clean way to do things. I think it’s sort of the right way to do it. So there’s this reconciliation that says, oh, I’ve got a match. And then you know that you’ve been in contact with somebody who has now fallen ill. Now I’ll stop there, because there are issues, both medically and technically, but I still believe that for what it is, it’s probably the best model.
LO: And I think that preservation of users being anonymous, so not having any personal identifiers, like phone numbers or names or IDs, I think that’s really important from a privacy perspective, to make sure that personal data isn’t being compromised.
I wanted to ask too, it seems to me like there are so many different types of technologies. So there’s Apple and Google’s framework that they had come out with, there is Decentralized Privacy-Preserving Proximity Tracing, an open-source framework based on a decentralized approach that had come out earlier. And then also, the Singapore government has backed an open framework, on which they have based their TraceTogether app and on which Australia has based COVIDSafe, its contact-tracing app, as well. And that uses Bluetooth contact tracing and adopts more of a centralized data approach. So you have those, you have different U.S. states like Alabama, North Dakota, South Dakota, coming out with apps that are using Apple and Google’s contact-tracing tech. And then you have Utah, who says they have their own app that they’re rolling out.
I mean, do you think that there is going to be some sort of issue where different people are going to be using all these different types of apps and technologies that are popping up and that’s going to create kind of a challenge in the basic functionalities behind these?
SM: It will show you there’s a lot here in that question. My fear, I’m jumping way out into the future, is that in the future, maybe in the near future, we will be required to keep a digital wallet of some kind, or at least documentation on our, let’s say, vaccinations. Let’s say there’s a vaccination for this in a year. And in order to travel, you need to have your vaccination papers, much like you would today for many types of illness. But you have this union between these tracing apps or exposure notification apps and this other variable, and my fear is that we’re going to need to show that. So it’s going to be: have you been tested? Have you had an exposure in the last 14 days? Do you have your vaccine? And my fear is that now we’re going to need to use data. So somebody may say something as simple as, “look, in order to gain access to this private company, like in order to return to work, you have to show that you have not been exposed in the last 14 days and that you’ve had your app installed, and it’s been with you the entire time.” That’s my kind of fear. And even in some circles, private discussion groups that I’m a part of, some are talking about the union between physical security and cyber security, and then how does this play a role in the return to work. So the output of an exposure notification app, is that going to be an element that gets checked at the door, programmatically or physically, and logged? Right? And so your question, stepping back a little bit, if you want to travel, are you going to need to install multiple apps? Are you going to need to re-enter your data? Is there going to be the need between multiple countries to share? Australia and New Zealand are talking about sharing the same app, in fact they have. And then, is there a tie-in there? And then what about the third country that gets added? So how are we going to reconcile all this data, is a big issue to me. And the other is just the waste. You mentioned Utah.
You know, they bought that app. It’s a centralized model, it’s almost $3 million and $300,000 a month to maintain. But the reports I’ve seen are that only 1.4 percent of the people have even downloaded it. We’re not talking about using it, we’re talking about just downloading it. So at 1.4, 1.5 percent, you have to start thinking, like, what’s our ability then to make this effective. You’ve got to have adoption, you’ve got to have confidence in the app and you’ve got to have widespread access to testing, both for antibody and for the virus. If you don’t have all three of those, I think you’re sort of fooling yourself.
LO: Right, and I think that brings up a really good point as well about, you know, whether these contact-tracing apps are opt-in or voluntary versus mandatory, and in order for many of them to work, I’m sure that it would make it more effective if it was mandatory, but then that opens up a whole can of data privacy concerns about, you know, government overreach and the continued ability to track people and collect personal data, even after the pandemic, as well as kind of lack of user consent and data being misused. So I think it’s kind of a catch-22 there.
SM: Absolutely. You know, right now, we’re still seeing pretty low participation. I think there’s a master list of country-level adoption, I think Iceland actually wins the prize, they win the gold right now with a little under 40 percent participation, or download I should say. Is there a point where a government does make it mandatory, where they say, you must have this installed, and it must be with you? You know, I don’t know that we’ve seen that yet. But I could certainly see a private company saying, look, you need to have this app installed, and it’s part of your obligation to the company, to your employment. I could absolutely see that in some places of the world, and at that point, it could be a company-made app, you know, their own app, that then tracks – which is extremely interesting – because there’s both a potential privacy invasion, but it could be, you know, there are some organizations talking about, you know, you’re gonna have a shift schedule where I’m in on Mondays and you’re in on Tuesdays, but we’re both not in on the same day. Or, let’s make sure that Steve stays far enough apart from everyone else. And so, you know, are we spacing our employees out? You can get data like that from an app that’s sort of related to this, that’s sort of the spacing and making sure of your workflow, so even collecting something like wireless beacons from inside a building. There are companies that are making one-way hallways now and using every other cube, so you start getting into it: the creative mind can also be one that invades some pretty high degree of privacy as well. So I think, maybe not for COVID, but maybe for the next problem that we have that’s like this, I think that it will become more pervasive.
LO: Yeah, I think that that is a really good point about company utilization of this, and that’s a whole other kind of issue, is how will the workplace be, going back to the workplace once companies start moving back from remote work to more in office work. Should be really interesting to see if contact tracing has any sort of impact at that point. I’m curious too, do we have any data at this point, whether there is any sort of success that is tied to contact-tracing apps? Or is it kind of too soon at this point, in terms of lack of users who are signing up for apps or just that it’s only been a few months and some of these apps have been rolled out? Or they’re still in development?
SM: Yeah, I was actually looking for the good news on this, and I haven’t yet seen it, I’m sure it exists. And to be very clear, if you look at Apple and Google, they’re talking about integrating this. So right now, it’s a platform on which you build other apps, and they’re talking about making this native to the phone. I do think that this is something that will have success stories. And I personally, when we started the show, you know, I said I intend to utilize that, I would like to know if I’ve been exposed. I do think, though, that people may have sort of alert fatigue on this, because even somebody with nefarious goals in mind could say, hey, I want to just stir up trouble. What if they self-report that they’ve been infected, and they intentionally go to a packed bar, or they go into a sporting event, or they go into a company function on purpose? There are sort of these outlets that we may sadly hear about, sort of negative stories that are sort of these annoyance-type scenarios. You know, there was the guy you probably heard about that took a wagon, you know, the little red wagons that you see the kids have, and filled it full of cell phones and took it down an empty street in the middle of the desert and created a traffic jam on purpose.
LO: Right. Yeah.
SM: So, you know, the same kind of thing can happen here. But in terms of good news, I hope that there are good stories. I don’t have any to share. I wish I did. I’d be a better guest if I did.
LO: Well, I think it’s kind of difficult to gauge with all the data that’s out there right now. Looking ahead, what do you see as being the future of contact-tracing apps? Do you think that they’ll gain more traction? It seems like you have a cautiously optimistic view of them. Is that correct?
SM: I do. I think that if you begin to look at the future of health and, more importantly, wellness, you mentioned wearables earlier, coronavirus is a little more difficult because – it doesn’t always spread the way we think it will – you can be asymptomatic and still be a spreader. It takes time before you start to feel the effects. But that’s not the case everywhere. If you look at wearables, you look at the technology that we have, you look at things like the Apple Watch. That is the future, where we’re pulling in telemetry from folks, both as individuals and as a tribe of humans. I think that there will be great gains in this, of how to trace and track down, doing true contact tracing with technology rather than just exposure notification. I think there will be great gains, but again, we’ll still be talking about privacy and security concerns. The concern I have right now is that there are all of these independent build-outs, you know, think of the waste, and the errors that can occur, especially when you’re in a hurry building a mobile app. That’s where the problem will come from. But to your core question, I am optimistic, cautiously so, but I think that we’re going to see some amazing things related to this for the health and wellness of the world in the future.
LO: Well, Steve, thank you so much for joining us today to talk about contact-tracing apps and the challenges and, on the flip side, the benefits of these apps as they’re being rolled out.
SM: Yeah. You’re very welcome. I enjoyed being here. Thank you so much.
LO: To all of our Threatpost listeners, thank you so much for tuning in with myself and Steve Moore with Exabeam today. Let us know if you would use contact-tracing apps and what concerns you may have about these applications. Give us a shout-out on Twitter at our page @Threatpost, and catch us next week on the Threatpost podcast.