That’s what a lot of you have asked us. So, the Q&A team reached out to Quentin Rhoads-Herrera – a security breach specialist.
In mid-April Google and Apple launched a contact tracing app model that would allow people to offer up their location information in order to help stop the spread of COVID-19. But could that decision put users’ personal data at risk?
WUSA9 reached out to Quentin Rhoads-Herrera – Director of Professional Services at CRITICALSTART to find out. Rhoads-Herrera specializes in helping companies recover after they have experienced a security breach.
Does the government need permission from a citizen in order to look at their cell phone data for contact tracing purposes?
ANSWER FROM RHOADS-HERRERA:
Yes. If you look at Google and Apple’s implementation, that they started in mid-April, the government only has access to the information that individual opts in to send. And the only government agency that should technically have access are health organizations.
Before we answer more questions about security, we want you to understand how the Bluetooth contract tracing model works. Take a look at this video:
According to the security company, CRITICALSTART, contact-tracing apps like the one built by Google and will constantly broadcast unique, rotating Bluetooth codes that are derived from a cryptographic key that changes once each day.
If you’re not a techie – according to CRITICALSTART, this is what that looks like in real life.
You’re going on your daily quarantine walk, you pass by a few people that are about five feet away, maybe you wave, then you sit on a bench and watch some dogs play in the park, you stay there for at least 5 minutes.
Then you decide to pop into a grocery store to grab some food for dinner. You’re also there for at least 5 minutes. Along the way, your phone, through the Bluetooth, has been keeping track of where you’ve been and who you’ve been around just in case you or one of the people you came into close contact with test positive of COVID-19.
CRITICALSTART says that at the same time, the app is constantly monitoring other phones within a certain amount of range and time. They said the app doesn’t know the exact longitude and latitude of users, instead, it works off of the unique Bluetooth codes.
When a user reports a positive COVID-19 diagnosis, CRITICALSTART says their app uploads the cryptographic keys that were used to generate their codes based on where they went over the last two weeks to a server.
All of the other app users that they unknowingly came into contact with would be able to download those daily keys and find out if they could possibly be at risk of infection.
According to Apple’s website, if the app finds a match in the codes, it will allow the positive user to generate an “exposure” notification to let other users know that their phones had been in the vicinity of the infected person’s phone during a given period.
CRITICALSTART says that the app can also send the potentially infected person information about self-quarantining or getting tested themselves.
How many people would need to use the app in order to make it an effective tool for tracing the spread of COVID-19?
ANSWER FROM RHOADS-HERRERA:
I’ve heard everywhere from about 70-90% in order for this to be effective across the entire united states. The main problem is that there are so many different implementations, applications being leveraged.
According to Rhoads-Herrera, applications like the one built by Google and Apple are decentralized, which means they don’t store all users’ data in one place.
The data is left on the user’s phone and only combined with the information of other users when a positive diagnosis is confirmed and that the user has allowed their information to be shared. In those cases, the information is sent anonymously through the app.
“However if you look at the UK who has decided to build their own application, they’re going with a centralized model which means everything is being stored in a centralized data set,” says Rhoads-Herrera.
There are pros and cons to a decentralized system.
Rhoads-Herrera says it is safer in terms of security and privacy because all user data isn’t stored in one central hub like in the UK, but it lacks consistency in data because there can be many apps collecting data.
And once data saved to a centralized server is breached, Rhoads-Herrera says the hacker can get access to critical information like the location and identity of the user.
Featured in WUSA9 | May 12, 2020
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.