Covid-19 coronavirus
Coronavirus Disease 2019 Rotator Graphic for af.mil. (U.S. Air Force Graphic by Rosario “Charo” Gutierrez)

How would you summarize the main keys of the technological solution that they propose.

One of the most important, most private and most protected types of personal data by fundamental rights, by international laws and by private organizations must always be that of a health nature. A pandemic, which is a threat that we have previously faced, although now in a fully digital era, is not sufficient reason to modify this fundamental right of each individual. Justifying the benefits of digitizing everything is not enough reason to renounce inalienable rights that protect us from digital totalitarianism.

Faced with this type of news, I face the two faces of technology, the one that affects me as an individual and the one that affects me as an expert hacker in cybersecurity.

The one that affects me as a person, obliges me to protect at all times the integrity of private data about any other common interest. The common interest should not be achieved by forcing the renunciation of the fundamental rights of each citizen.

As a hacker, I think that everything must be analyzed, all the information must be verified before deciding to use it as the basis of a project of this size. All sources must be questioned and any project must be thoroughly tested before being published.

Looking at the case as a project that aims to help society in the face of the dangers of COVID-19, I think that it would not benefit us so much to live wondering if any person to whom we have been exposed, is the neighbor of the next door, or the dealer of food delivery, or anyone who passes me in the supermarket … may be infected. It does not seem so useful to me, nor do I think it solves too many health problems, although it will, however, force us to grow in paranoia, hatred or suspicion of others. Has it been studied what this would bring to society at the health or psychological level? What if the app constantly detects a positive when I’m at home … maybe a neighbor?

What do you think Google and Apple can contribute if local initiatives such as Singapore or South Korea have not arrived, which have received so much praise?

First of all, as I indicated earlier, when a project of this size is carried out, we can build on the famous initiatives “that have been so successful” in totalitarian countries, as the basis of the virtues for this project. But that means that we now take for “verified and totally valid information” the censored information we receive from these countries regarding the benefits of their digital systems in controlling the epidemic.

And now it turns out that this is “verified information for us”, when we cannot even confirm in a certain way the number of affected, deceased or the real impact of the digital surveillance data of citizens in the fight against the pandemic within these countries. . Therefore, if the foundations that justify this project fail, the project itself is questionable, especially when it comes from digitally totalitarian countries.

Currently the developers, Apple and Google indicate that the user through an official APP of each government would enter the data of being positive in COVID voluntarily and personally. But the legal, privacy and regulatory framework are constantly changing and who guarantees that this does not change in a while and that the government itself enters this data through the health system from the COVID tests of its hospitals and health centers? Recall that this information about Apple and Google that we handle today was already prepared weeks / months ago by manufacturers and that by chance the Spanish regulatory framework changed days ago preparing for this technology.

Do you think that it is possible by pulling the bluetooth and not the GPS to offer an effective tracking of these contacts?

Technically it is. Bluetooth also offers close location technologies that can be related to the GPS of the smart device. We must not forget that it is already geolocated constantly on smartphones by Google and Apple, something that already allows them to constantly obtain the location of any individual. This initiative cannot be valued as something unique and independent. The information obtained can always be added to other sources, such as the real-time geolocation of the devices. If I already have a record of a user’s location, day after day, hour after hour, minute and minute, second after second … I can contrast, compare this information with any other, such as bluetooth to add data that will allow it soon discourage her. Example: I have a list of anonymous mobile identifiers that have passed by me today. Tomorrow I do the same tour again, I bump into the same or similar people and also collect information from anonymous identifiers. On the third day, I do the same, but he informs me that I have stumbled upon a COVID positive. Logically I can mentally identify who it could be. On a digital level, for large companies such as these, it is even easier to de-anonymize the information, since they have enough information to compare this local database with other more powerful ones, such as geolocation of devices by common places, etc.

With the information they have published, can it be assumed that the data is really private and not?

It is difficult to affirm that something determined is private today. Technology indicates that the information stays for fourteen days on each person’s device, until a positive is entered in the application.

This technology is not a simple application but a major modification to the Bluetooth stack of Google’s Android and Apple’s iOS-based operating systems. It is implemented through updates on the phones and not a simple APP that we install, which gives the device full control over what is done, what is collected, what is stored or what is sent. It is a radical change in technology and as such is dangerous.

I have always defended the idea that what today is private, protected or encrypted data does not mean that tomorrow it cannot be converted, through technology or cybercrime, into public and accessible data. A database encrypted with a encryption type of ten years ago can easily be broken today to decrypt and extract your information. Therefore, when handling such private or confidential data, we cannot think from a short-term point of view.

What if another application (such as a gaming APP) accesses the information saved by this protocol and sends it to your cloud, in addition to using your own geolocation of the game to add more data? There would be a risk of data leakage that would have nothing to do with Google or Apple, but that occurs on their devices.

¿Cuáles son las principales dudas que te genera?

Moxie Marlinspike, uno de los principales criptógrafos prácticos actuales y desarrolador del sistema de cifrado de Whatsapp afirma que hay graves dudas de seguridad en este planteamiento. Se podría, desde atacar al sistema generando falsa información, denegar el servicio impidiendo que funcione correctamente, o generar falsos positivos impidiendo que los datos sean fiables y útiles .

Personalmente dudo de las bondades de este sistema, además de la seguridad del mismo en su aplicación real. Además este tipo de tecnologías son muy “fáciles” de implementar pero resultan, por experiencia, difíciles de desimplementar. Si de verdad es una solución provisional para este caso de alarma, se debería dejar claro que se desimplentará definitivamente tras la alarma.

Category: opinions
Yago Hansen avatar

Author: Yago Hansen

Yago Hansen is a recognized authority in IT & cybersecurity topics. He successfully managed projects related to the design of Security technologies and devices for the private corporate (baking, insurance, auditors) and public sectors (government security, defense). Ethical hacker specialized in delivery of infrastructure and network management. During the last years he has focused on wireless and RF technologies, having successfully managed projects in design, architecture, implementation, pentesting and auditing of Wi-Fi wireless networks. He successfully managed hotspot based infrastructure, multi-point and point-to-point-technologies, mesh and other 802.11 based technologies. He successfully managed a lot of projects related to the design of IT security embedded systems (Linux based) IoT. He is an expert trainer for the government security forces, intelligence and defense and he also authored multiple publications and is a frequent speaker in international security conferences and forums. Actually he teaches about offensive hacking and Red Team procedures for the private and public sectors.