Dangerous permissions, 'legitimizing surveillance' -- and a personal announcement
Welcome to my new newsletter

Please allow me to interrupt this newsletter with a brief announcement.
It's been seven years since I set out my own shingle as an independent journalist and started my newsletter and website. It's probably been *ahem/cough/ahem* years since I redesigned them. The email you signed up for looks dated and the website had too many ads and pop-ups, I know. I've been busy.
But that changes today. I'm excited to share that I've re-launched The Red Tape Chronicles as a Substack newsletter. Substack offers a nice clean look and plenty of other handy features. No more clicking from my email to my site; you'll get entire stories in your inbox. (You can still read them on the web, too, at BobSullivan.net and at RedTape.Substack.com). There are no ads. Substack makes the signup process much easier. And Substack provides a way for readers like you to support the work that journalists like me do. You can pay $5 monthly or $50 annually for a subscription to my newsletter.
Don't worry. I'll still send out a free email every week, with full stories and pointers to my best work. Items I think are really important will also be placed outside this paywall for all to read. And for a month or so, I’ll make most posts free while you and I get used to the new system. But soon, paying subscribers will get more Gotcha Capitalism commentary, more spot news, more advice, early access to my new podcast, and other features.
Please consider supporting me and supporting journalism. Substack has so far built a set of features that are thoughtfully designed to help reporters like me. I believe you can trust them with your credit card. If you think otherwise, let me know. Also, if you are a student or a journalist or just a person who really likes my stories but can’t pay, we can work that out. Contact me. Now, back to the story, and the newsletter you expected to get.

Megan DeBlois, who runs Covid19AppTracker.org
"The speed at which this technology is being deployed ...should terrify people"
One app requires permission to disable users' screen locks. Another claims it doesn't collect detailed location information, but accesses GPS data anyway. Still another breaks its own privacy policy by sharing personal information with outside companies. And nearly all of them request what Google defines as "dangerous permissions."
Is this the latest cache of hacker apps sold in the computer underground? No. These stories arise from the 121 Covid-19 apps that governments around the world have released in an attempt to track and control the virus. Security researchers are worried the apps can be used to track and control populations -- long after the pandemic has passed. And even if governments have the best intentions in mind, cybercriminals might be able to access the treasure trove of data collected by these apps. After all, they've been built hastily, under pressure as Covid-19 has raged around the globe.
It makes sense to use technology to fight the virus. Contact tracing -- identifying anyone a sick patient might have infected -- is a staple technique to stem outbreaks. It's easy to imagine a system that uses smartphones to ease this complicated task. But balancing public health with privacy concerns is tricky, if not impossible.
Volunteers who are worried about these dark possibilities recently launched Covid19AppTracker.org. Contributors keep track of security analyses completed for each app and have made their database available for free download. Qatar's Ehteraz app -- which is mandatory, and has already been downloaded 1 million times -- allows the developer to unlock users' smartphones, according to the organization’s database. Amnesty International’s analysis discovered a vulnerability in Qatar's app that would have allowed hackers to access highly sensitive information collected by the app.
"The speed at which this technology is being deployed ... should terrify people," said Megan DeBlois, Covid19AppTracker.org's volunteer product manager. "I would argue in a lot of cases (this is) legitimizing surveillance with the lens of a public good, but without a lot of transparency."

Most of the apps in Covid19AppTracker.org's database are made by governments outside the U.S. Contact tracers have been released rapidly across the E.U. and in places like Saudi Arabia and India. In the U.S., states have been slow to push out tracker apps, partly out of privacy and security concerns.
DeBlois recently presented the group's findings at the virtual DefCon hacker convention in a talk titled “Who Needs Spyware When You Have Covid-19 Apps?”
There were some obvious patterns. While EU apps were less invasive than apps generated by other governments, nearly all of them requested permissions that Google defines as "dangerous," such as precise location information -- in fact, 74% of the apps in the database ask for GPS data. Fully 16 request microphone access and 44 ask for camera access. Seven try to access phone contacts.
The group's database includes purely informational apps, symptom trackers, and contact tracing apps. It's not going to be easy to build a contact tracing app that respects people's privacy, DeBlois cautioned.
"It's really about the nature of contact tracing … The whole point is to track people, to associate linkages,” she said. “That makes it difficult to build and engineer something that works in the way everyone needs it to work."

Contact tracing apps fall roughly into two categories -- those that share all users' location with a central, government-controlled database, and those that work by merely allowing phones to talk to each other through Bluetooth. In that model, data is only shared with a government agency after a confirmed infection. Google and Apple have recently tweaked their smartphone operating systems to encourage development of this kind of app.
"I'm cautiously optimistic about this minimalistic approach -- that model has a lot of potential," DeBlois said.
Still, she has other concerns.
"I’m a little bit nervous about the way the technology decisions were made,” she said. “A lot of the technology has been dictated by companies. They aren't part of our democratically-elected government."
The proliferation of such apps around the world should concern U.S. citizens, too, even those who don’t plan to download a U.S. tracker app, she said. The Qatar app is mandatory even for visitors, for example. That could have implications for business travelers for years to come.
“There absolutely will be implications that cross national boundaries,” she said. “For folks who do international travel, this should be on their radar.”
In the U.S. and western democracies, where use of tracker apps is expected to be voluntary, the apps will be useless unless a large percentage of citizens download them. That’s going to require a lot of trust – a trust that seems lacking in the U.S. right now. DeBlois cited revelations made by Edward Snowden as one reason: Snowden confirmed some of Americans’ worst fears about government abuse of surveillance technology, she said.
How could U.S. health agencies overcome this lack of trust?
“It starts with transparency,” she said. “Making clear who has access to the information, for how long. All those questions need to be answered. And those answers need to be verified.”