In this blog, Telarus and CyberCompass join forces to opine on what “Contact Tracing” might mean in a post-COVID-19 world, especially as it relates to cybersecurity and personal privacy. Let’s begin with a definition: what is Contact Tracing? The term is loose and used very broadly. It essentially means “some authority” (government, law enforcement, medical, who knows!) will have the ability to comb through an individual’s “personal data” to determine who they might have had “direct contact with” should they contract COVID-19. It’s worth noting that both authors of this post see the implications of Contact Tracing expanding well beyond COVID-19, and the potential abuse of this power could tremendously jeopardize the privacy of global citizens. Take, for example, the term “personal data”: these governing bodies in no way define it, and yet it is considered mandatory for the “solution” to be effective in tracing direct contact with others.
So that begs the question: what does this mean? Does it mean location data, tapping into credit card transactions, tracking vehicle telemetry data, travel data, grocery/retail store visits (e.g., through pulling data from “Loyalty Card” usage), social media, email, text, phone and basically any other data that builds a profile of an individual’s activity and real-time location? If so, who defines the limits, the controls, and who is the governing authority ensuring proper use and protection of that data? Who defines the standards?
In our view, the most significant challenge will be the rush to collect and use this data without thinking through the ramifications of what the questions above imply. Yes, we agree the overarching importance is public safety, especially when we’re talking about highly contagious pathogens. But balancing this with the protection of personal information must also be prioritized.
How do we accomplish this?
In our view, there must be a well-thought-out strategy to allow individuals to know exactly who accessed their information, when, and how it was used. There must be mechanisms in place to protect this data, and all “administrators” or those with access to the data should be highly vetted with detailed background checks. We, as individuals, must have the right to approve or deny who has access to our data at any time, in any capacity. And above this, we must have the ability to receive real-time notifications when this particular contact tracing data set, defining the clearest picture of our lives, is accessed and used.
The CCPA (California Consumer Privacy Act) might be a good model to consider, but that’s simply the legal outline (which would undoubtedly need refinement to apply to Contact Tracing). When we say there must be a “strategy,” we’re talking about the complete picture. We must define and fully understand the technical, procedural, and human controls and elements that will play the most critical role in this Orwellian reality: control and access to data that could be used to impact every single aspect of our lives. We need to consider what we’re willing to accept fully, and collectively make our voices known that while Contact Tracing is a novel idea with altruistic intentions, we must set explicit boundaries and have a clear understanding of how our “data” is used both in the present and in the future. This is likely the right way to control the spread of highly contagious pathogens.
Our chief concern with Contact Tracing is how slippery this slope can become in a world driven by fear and paranoia. As Cybersecurity experts, we’ve seen fear and paranoia be both a good and a very bad thing. It can drive some of the right behaviors. Still, when perverted, without a solid grounding in risk evaluations and management, it can lead to deplorable decisions, waste of resources, and egregious behavior with far-reaching implications. Cybersecurity has often been an afterthought, much like our current situation in the US in regard to respirators and masks, and our concern is that this idea of Contact Tracing lends itself to egregious abuses of power, freedom, and privacy – and even personal safety. We must mandate, through whatever mechanisms possible (call your Senators & Representatives!), that we be allowed to know these critical elements BEFORE the program is put in place:
- How is data collected about us?
- How long is that data stored?
- What safeguards are in place to avoid breaches of that data?
- Who accessed our data, why, and for what purpose?
- Who is in charge of maintaining protection of that data?
Maybe we are finally at a stage where Blockchain is an applicable technology in security, in the form of data privacy. Maybe what we really need is a decentralized system (meaning it is managed and validated by more than one party) that can tag all of our data, from creation to destruction, for us to be able to follow the entire lifecycle of information usage about every aspect of our lives. Or maybe we can create an entire infrastructure where our data is tokenized and must be explicitly approved by the people before being de-tokenized, accessed, and interpreted.
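To make the tokenization idea concrete, here is a small sketch added for illustration (it is not code from Telarus, CyberCompass, or any contact tracing program): data is stored under a random token, released only for a purpose its owner has approved, and every attempt, allowed or denied, is recorded and sent to the owner. It swaps the multi-party blockchain for a single-operator hash chain, which makes edits to the log detectable but is not decentralized. `TokenVault`, `verify_chain`, and the requester and purpose strings are hypothetical names.

```python
import hashlib
import json
import secrets
import time

def _digest(entry):
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class TokenVault:
    """Hypothetical vault: data is released only for purposes its owner approved."""
    def __init__(self):
        self._records = {}  # token -> (owner, value)
        self._consent = set()  # (owner, requester, purpose) triples
        self.log = []  # hash-chained record of every access attempt
        self.inbox = {}  # owner -> notifications, one per attempt

    def tokenize(self, owner, value):
        token = secrets.token_hex(16)  # random, reveals nothing about value
        self._records[token] = (owner, value)
        return token

    def grant(self, owner, requester, purpose):
        self._consent.add((owner, requester, purpose))

    def revoke(self, owner, requester, purpose):
        self._consent.discard((owner, requester, purpose))

    def detokenize(self, token, requester, purpose):
        owner, value = self._records[token]
        allowed = (owner, requester, purpose) in self._consent
        entry = {"owner": owner, "requester": requester, "purpose": purpose,
                 "outcome": "released" if allowed else "denied", "ts": time.time(),
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        entry["hash"] = _digest(entry)
        self.log.append(entry)  # denied attempts are logged too
        self.inbox.setdefault(owner, []).append(entry)  # notify the owner
        if not allowed:
            raise PermissionError(f"{requester} has no consent for {purpose}")
        return value

def verify_chain(log):
    # Recompute each hash and check it links to the previous entry.
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True
```

A single operator holding this log could still rewrite the whole chain from the first entry, which is the gap that having more than one party validate the record is meant to close.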
In the end, we believe Contact Tracing is going to become a reality. Unfortunately, the implications are enormous, and the ramifications have not been well thought out in the rush to protect public safety. In all of this, our main point is to raise the “yellow card” and urge all authorities to slow down, call in the Cybersecurity experts, define a sound strategy, design the right systems and controls, and implement the proper checks & balances. We implore our decision-makers to understand that while COVID-19 requires a swift response, Contact Tracing requires US citizens (and beyond) to share data that can be used against us in potentially nefarious ways long after this pandemic subsides, and it therefore must be treated in an entirely different manner than merely a COVID-19 solution.