Cryptography for a COVID-19 Contact Tracing App by Apple and Google

Apple and Google (in alphabetic order) have released a draft of a cryptographic protocol named Contact Tracing (here the specification) for a new Privacy-preserving Bluetooth protocol to support COVID-19 Contact Tracing. As far as I understand (please correct me if I have misunderstood something), it should work as follows:

  • Bluetooth LE is extended on the devices with this new procotol
  • A service provider distributes an App which makes use of the protocol and communicates with a server managed by the service provider or a third party
  • Users install the App on their devices and keep Bluetooth on
  • When two devices with the App installed are nearby, they exchange some locally generated cryptographic key material called Rolling Proximity Identifier: these identifiers are privacy preserving, that is from the identifier alone it is not possible to identify the device which originated it; all Rolling Proximity Identifiers are stored only locally on the devices themselves (both originator and receiver)
  • When a user tests positive to COVID-19, she or he inserts this information in the App which then generates a set of cryptographic key material called Diagnosis Keys corresponding to the days in which the users could have been already infected; the App then sends the Diagnosis Keys to the server which distributes them to all other devices on which the App is running
  • When an App receives from the server some Diagnosis Keys, it is able to compute a set of Rolling Proximity Identifiers and to check if at least one is present in the local storage; if there is a match, the information derived is that on a certain day, in a 10 minutes time interval, the user of the App has been in proximity with a person who later tested positive to COVID-19.

Obviously a Privacy pre-requisite to all this is that neither server nor App manage or store any other information or metadata about the users and the devices on which the App runs.

Trust on online information, Fake News and the Information Operations Kill Chain

Can we trust the information we find online?

The general answer is NO, but we all behave as if it was YES.

Personally I see example of it even when I look online for simple information like train schedules or traffic jam conditions. Ever happened to be warned of a major traffic jam ahead and find no traffic whatsoever? Did everybody hear the news and auto-magically disappear from the road?

At a very high level, we can consider two ways in which untrustable (misleading or plainly wrong) news are posted online:

  1. non-intentional or unwilling mistakes due to careleness, untrustable sources, even technical errors in collecting the data;
  2. intentional fake information, eg. “Fake News”, distributed for a purpose usually not moral or legal and at someone particular advantage.

The first goes in the “mistakes” category that hopefully sooner or later will be fixed, but the second goes in the “intentional attacks” category. Unfortunately misusing people trust and conditioning their opinions and actions with “Fake News” is becoming more and more common (just read the news themselves!), to the point that some of these techniques seem to have leaked also to everyday advertising and political campaigning.

Thinking about this, it came back to my mind the “Information Operations Kill Chain” which I read some time ago in Bruce Schneier’s blog here and which I suggest to read and consider.

PS. I am not aware of further developments on this, but if there are, please point them out.

The evolution of DNS

DNS, that is the Domain Name System protocol and services, is a fundamental pillar of Internet since it allows to resolve domain names in IP addresses. Recently the number and severity of attacks to the DNS infrastructure have increased noticeably (see for example this US-CERT Alert). At the same time, the discussion on who should manage and how this global infrastructure should be managed, keeps expanding.

Alternative proposals to the ICANN overseen global DNS infrastructure have appeared, starting from the “.onion” hidden TOR domains to, among others, the more recent OpenNIC project and the Blockchain-based BDNS system.

The security and privacy of Internet access and navigation depend crucially on the resolution of domain names to IP addresses. Even if the deployment of DNSSEC will help to improve security and privacy, it is badly needed to give more consideration DNS and help designing a forward path for it as a global service which must be able to guarantee access, privacy, security, integrity, fairness etc. It is a lot to ask, but we will really need it.

A Practical Look into GDPR for IT – Final Part 3

I have just published here the third and last article of my short series on the EU General Data Protection Regulation 2016/679 (GDPR) for IT.

In this final article I discuss a few points about the managing of data breaches and of the IT measures required to satisfy the citizens’ rights on their personal data managed by IT systems.

A Practical Look into GDPR for IT – Part 2

I have just published here the second article of my short series on the EU General Data Protection Regulation 2016/679 (GDPR) for IT.

In this article I discuss a few points about the risk-based approach requested by the GDPR which introduces the Data Protection Impact Assessment (DPIA), and a few IT security measures which should often be useful to mitigate risks to the personal data.

A Practical Look into GDPR for IT

I have just published here the first article of a short series in which I consider some aspects of the requirements on IT systems and services due to the EU General Data Protection Regulation 2016/679 (GDPR).

I started to write these articles in an effort, first of all for myself, to understand what actually the GDPR requires from IT, which areas of IT can be impacted by it and how IT can help companies in implementing GDPR compliance. Obviously my main interest is in understanding which IT security measures are most effective in protecting GDPR data and which is the interrelation between IT security and GDPR compliance.

Yahoo Breach and GDPR

The Yahoo breach (see here for example) is almost yesterday news (today we are talking about DDoS: in 8 days the record went from 363Gpbs to 620Gpbs, and finally to almost 1Tbps, scary!), but I am now trying to picture such an event in view of the forthcoming European GDPR. My ideas are not too clear about what could be the consequences of the new Regulation (not of the data breach). I expect that in the next year before the Regulation will go into action, we’ll get a better understanding of its consequences.

On the Privacy of Webcams and Security of IoTs

The article ‘“Internet of Things” security is hilariously broken and getting worse’ of ARS Technica shows how, using Shodan , one can find pictures from millions of open Webcams on internet.

The issue is not new but the scale of the problem is threatening. As the article nicely points out:

  • people do not care about the security or privacy features of the devices they buy
  • the important points are cost and easiness to manage (which means it is better if there are no password to access it)
  • only to throw away the device the day they find themselves on Shodan or in a picture on a newspaper and say “never again”.

But who is going to do something about it? Who should defend the privacy of people and the security of Internet? Should the IoT market be regulated or self-regulated or something in between?

Marketing and Internet Surveillance

The blog post “The Internet of Things that Talk About You Behind Your Back” by Bruce Schneier is really creepy. But it isn’t new, it is just getting worse.

In IT Security, the problem of undetected communication covert channels is old and well known. Also the fact that internet marketing adopts approaches and technologies that some times are close to it, is well known.

What it is worrisome is the extent to which we are getting. There are various aspects to it.

One is the legal aspect, that is what the legislations allow and how much they protect citicizens from excesses: it would be interesting to compare current legislations between different countries, from the USA to EU, Canada, Brazil, Russia, India, China, Japan etc.

On the technical side, devices like PCs and some tablets allow the user some choices like use different browsers (even Tor), manage cookies (in particular 3rd party cookies) etc., even if it is usually difficult to really be anonymous on internet unless extra precautions are taken (and many users will not be able to adopt similar precautions).

On smaller devices, like smartphones and “smart” objects like watches etc., choices are much more limited but with a little bit of effort the user can do something to protect him/herself from this kind of surveillance.

On IoT devices at the moment there seems to be nothing that the user can do, it is either use it and be traced, or do not use / buy it at all. For these devices, legislation could be the only way of giving the user some choices.

Finally, how many users are even aware of this kind of Internet Surveillance? How many would object if they knew?