22 Jun 2020
Our idea of normality has changed beyond recognition in a matter of weeks.
Across the globe, we’ve learned to stay indoors. We’ve transformed our dining rooms into offices. And we’ve accepted the need to sacrifice privacy to save lives.
There’s no doubt that the post-coronavirus landscape is going to take some getting used to. When we do venture outside again, it won’t be into the same world we left behind in the middle of March.
For a start, there will be a lot more surveillance. Government apps will track our movement and our health to keep the virus at bay.
The idea of allowing our governments such power might be uncomfortable for some. But there’s also a danger that this power could fall into more harmful hands. Given the amount of citizen data on these tracking apps, bad actors will view them as the ultimate prize.
That’s why keeping them secure will be a crucial objective in the months ahead.
A new era of surveillance
The Chinese state’s measures to tackle the coronavirus pandemic won’t have surprised many people. After all, they’ve built up a surveillance system over time. A lot of the pieces were already in place.
But people in countries less known for overt surveillance of their citizens have also accepted the need for such a system.
Crises tend to normalise policies that would ordinarily shock us. Not long ago, the announcement of a mass surveillance system would have led to people protesting in the streets.
But our world has changed since then.
As Yuval Noah Harari wrote recently, when people are given a choice between privacy and health, they tend to choose health.
In the UK, the NHS is currently working on an app designed to track people’s movement and how long they stay outside. There’s also talk of the app playing a role in the anticipated immunity passports for those who have already recovered from the virus.
There’s an acceptance that apps like the NHS one might be helpful. That said, people want to know whether governments will stop the surveillance once the crisis is over. There are plenty of examples of other temporary measures that remain in place decades later.
Yet there’s another equally important question that people aren’t asking as much.
Will these new tracking apps be secure?
The threat posed by hackers
It might be the case that citizens simply expect robust security of surveillance apps to be a given. But examples from Asia suggest that we need to stay vigilant.
As much as we’d like to think that everybody buys into the communal spirit of working together to beat the virus, there are those who are looking to profit from it. For bad actors, a government app full of sensitive personal data sounds almost too good to be true.
And to get an idea of the opportunity offered them, we only have to look at privacy leaks from tracking apps in China and South Korea. In both countries, some personal details of those who have tested positive for Covid-19 have accidentally been exposed. The consequences for those individuals have included public ridicule and harassment.
What if a bad actor had a list of those who had tested positive? What damage could they cause to those people’s lives?
Analysts have suggested other apps are at risk, too. One example is Slovakia’s track and trace app. The country announced a few weeks ago that it had passed a law allowing the state to use data from telecoms companies to track the movements of people suffering from the virus.
We know from IoT that bad actors can cause a company or individual a lot of harm if they’re able to find a weak link in a network. The same is true of a tracking app. If it’s used by millions of people across a variety of devices and networks, there’s a greater risk of hackers finding a weak spot somewhere that hasn’t been locked.
In China, there’s an app that doubles as an immunity passport. A green code means that you don’t have Covid-19 or that you’ve recovered from it. A red one means that you’ve tested positive for the virus. If you have a red code, your movement is severely restricted. But citizens in Hangzhou have reported their codes flickering from green to red and back again without an explanation.
Imagine if a hacker was able to take control of this system and could change a green code red, or vice versa.
Safer surveillance builds trust
Some commentators have pointed out that there’s an awkward truth behind our opposition to tracking apps:
We often let companies track our movement when we download their apps.
Most of the time there’s no need for these companies to know where we are. Instead, they use this information for marketing. And because we want the app, we accept it.
Surely then there’s no problem in letting our governments have this data if it’s going to save lives rather than make money?
The difference is that we’re generally more sceptical about those who govern us. They have to work harder to gain our trust. Governments around the world will be aware of the tightrope they’re walking with these new surveillance apps.
As much as people accept there’s a need for them right now, they will be vocal if they think the government is abusing its power.
And these voices will grow louder still if the apps citizens are using don’t seem safe.
It explains why governments don’t only want to block bad actors for national security reasons. They also know how quickly public trust will evaporate should hackers find a way inside their apps.
That’s why tracking apps need robust protection while remaining as transparent as possible. We have to make sure that they’re safe from static and dynamic analysis, cloning (we’ll cover fake Covid-19 apps in a later article), code injection and man-in-the-middle attacks.
Then we can focus on using them safely to beat the virus, without having to look over our shoulder for a very different kind of threat.