8/12/2020
02:00 PM
Neil Sweeney
Commentary

Using 'Data for Good' to Control the Pandemic

The tech community should unite to develop and distribute a universal COVID-19 contact-tracing application. Here's why and how.

As governments around the world cope with a once-in-a-lifetime health threat and contemplate how to deal with it, serious questions are being raised about the role of technology in helping to prevent the spread of COVID-19.

COVID-19 should be gone, but it's not. In fact, we are now awaiting a potential second wave of the pandemic. During this time, it is imperative that our leaders in government, industry, and technology take a closer look at what is and isn't working with COVID-19 tracing applications in order to put the necessary steps in place for more effective tracing before the next wave hits. 

This is a global problem. The current tracing applications are clearly not working throughout the world:

  • The United Kingdom's attempt to implement its tracing application was stopped due to mismanagement.
  • Norway bowed out after it discovered a data breach.
  • Other countries either don't have an application or have a disjointed program. One example is the United States, where participants North and South Dakota used a former football tailgating application turned COVID-19 tracer to monitor the health of their citizens and then were "shocked" to find out that this application was selling user information out the back door.

With countries attempting to address this individually, it should be no surprise that current contact-tracing practices aren't nearly as effective as they should be. In a global pandemic that has affected 195 countries, developing 195 unique apps — run by government bureaucrats with little to no experience in data, security, and consumer applications — creates an incomplete and inaccurate picture of their users. Who thought this approach was going to work?

Occam's razor suggests that the simplest solution is usually the best, and complicating things typically results in a less desirable remedy. So, why is it so complicated? Apple and Google's proposal, which put forward a shared Bluetooth Low Energy (BLE) protocol to be used by one party in each country (or health organization), was an attempt to reduce the number of COVID-19 apps in each country while allowing governments to maintain health information on their citizens.

While on the surface, enabling governments seems like a good idea, it's not practical. This raises the question: Why haven't Apple, Google, and other tech companies partnered on building and distributing their own COVID-19 tracing application? First, the benefits. Clearly, many tech companies are experts in creating consumer-facing applications; a quick scan of your phone will prove this point. Additionally, with the Google Play and Apple store available around the world, a consumer application jointly built by industry leaders would have ubiquitous distribution virtually overnight. Lastly, as borders reopen, an application operated by the same entity would assist with the tracking of the virus across borders. But this is where things get dicey.

Tech companies would suggest that they should not be responsible for the creation and distribution of a universal application due to privacy concerns, but this falls short considering Apple, Google, and others collect reams of data on users (for example, via smart speakers) to power lesser causes (such as advertising). Governments will also pound the table, arguing that they should be the only entity monitoring their citizens. Both of these arguments are feckless and are more political than progressive. This is where these companies have a chance to calm government concerns and use all of the data that they have been scrutinized for collecting over the years for something good. Politicians should also acknowledge that they are Luddites when it comes to technology and consumer products, and defer to the experts.

This is a rare opportunity for tech leaders to change the narrative that often focuses on antitrust, misuse of data, and perpetual data collection. Turning the story on its head and using "data for good" would go a long way in helping to soften the opinion many in the Department of Justice and Congress hold of "big tech." It will not be easy. The commentary will naturally focus on the misuse of data and human surveillance, but this is not a new topic for these firms. One could say that Apple, Google, and others currently do not have a universal tracing application because they did not want to draw more attention to their current data practices and instead would rather arm the government with the protocol and let it bear the brunt of the criticism — which is exactly what is happening. By offering a universal tracing application, big tech companies would be offering a reprieve for their chief executives to get off the hot seat. If they should oblige, I suspect many officials would jump at the opportunity.

Irrespective of whether building or not building a COVID-19 tracing application was a conscious or unconscious decision, the opportunity for companies in the industry to save hundreds of thousands of lives should warrant them going all in. Here is how they can tackle the next wave and save the planet.  

  1. Create an advisory board of esteemed epidemiologists, members of the World Health Organization, and privacy experts to comment on the integrity of the project. Bill Gates to chair.
  2. Continue to support the BLE protocol and provide it to governments should they choose to monitor their own citizens and COVID-19.
  3. Apple and Google to co-create a universal application and offer this to any country that a) does not have a tracing application, b) does not feel comfortable with its current solution, or c) wants to pair its current application with this new product.
  4. Apple and Google share this de-identified information with the government and squash the "we don't want to collect private information" argument once and for all, given that they have been providing 10 times the same info to the advertising community for years.

This won't be popular. It will dominate the headlines, and it will force CEOs to withstand enormous criticism. We are in a war against a pandemic that is a lot bigger than your next quarter or publicly managing an image. When in battle, leadership is a must. General MacArthur said, "A true leader has the confidence to stand alone, the courage to make tough decisions, and the compassion to listen to others' needs."

Here is hoping that big tech takes note. Millions of lives depend on it.

In May 2018, Neil launched Killi, the world's first consumer-facing mobile application that allows consumers to opt-in and control their data and monetize it should they choose. Available to both Apple and Google users, as well as online, Killi is currently available in ...
 
